#!/bin/bash ######################################################## # T-Pot post install script # # Ubuntu server 16.04.0, x64 # # # # v17.06 by mo, DTAG, 2017-03-22 # ######################################################## # Set TERM, DIALOGRC export TERM=linux export DIALOGRC=/etc/dialogrc # Let's load dialog color theme cp /root/tpot/etc/dialogrc /etc/ # Some global vars myPROXYFILEPATH="/root/tpot/etc/proxy" myNTPCONFPATH="/root/tpot/etc/ntp" myPFXPATH="/root/tpot/keys/8021x.pfx" myPFXPWPATH="/root/tpot/keys/8021x.pw" myPFXHOSTIDPATH="/root/tpot/keys/8021x.id" myBACKTITLE="T-Pot-Installer" mySITES="https://index.docker.io https://ubuntu.com https://github.com http://nsanamegenerator.com" myPROGRESSBOXCONF=" --backtitle "$myBACKTITLE" --progressbox 24 80" fuRANDOMWORD () { local myWORDFILE=/usr/share/dict/names local myLINES=$(cat $myWORDFILE | wc -l) local myRANDOM=$((RANDOM % $myLINES)) local myNUM=$((myRANDOM * myRANDOM % $myLINES + 1)) echo -n $(sed -n "$myNUM p" $myWORDFILE | tr -d \' | tr A-Z a-z) } # Let's wait a few seconds to avoid interference with service messages dialog --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Wait to avoid interference with service messages ]" --pause "" 6 80 7 # Let's setup the proxy for env if [ -f $myPROXYFILEPATH ]; then dialog --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF <&1>/dev/null <&1>/dev/null <&1>/dev/null <&1 | dialog --title "[ Stop docker service ]" $myPROGRESSBOXCONF systemctl start docker 2>&1 | dialog --title "[ Start docker service ]" $myPROGRESSBOXCONF fi # Let's test the internet connection mySITESCOUNT=$(echo $mySITES | wc -w) j=0 for i in $mySITES; do dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \ --gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) <&1>/dev/null if [ $? -ne 0 ]; then dialog --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nInternet connection test failed. This might indicate some problems with your connection. You can continue, but the installation might fail." 10 50 if [ $? = 1 ]; then dialog --backtitle "$myBACKTITLE" --title "[ Abort ]" --msgbox "\nInstallation aborted. Exiting the installer." 7 50 exit else break; fi; fi; let j+=1 dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \ --gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) <&1 | dialog --title "[ Removing NGINX default website. ]" $myPROGRESSBOXCONF; rm -rf /etc/nginx/sites-available/default 2>&1 | dialog --title "[ Removing NGINX default website. ]" $myPROGRESSBOXCONF; rm -rf /usr/share/nginx/html/index.html 2>&1 | dialog --title "[ Removing NGINX default website. ]" $myPROGRESSBOXCONF; # Let's ask user for install flavor # Install types are TPOT, HP, INDUSTRIAL, ALL myFLAVOR=$(dialog --no-cancel --backtitle "$myBACKTITLE" --title "[ Choose your edition ]" --no-tags --menu \ "\nRequired: 4GB RAM, 64GB disk\nRecommended: 8GB RAM, 128GB SSD" 14 60 4 \ "TPOT" "Standard Honeypots, Suricata & ELK" \ "HP" "Honeypots only, w/o Suricata & ELK" \ "INDUSTRIAL" "Conpot, eMobility, Suricata & ELK" \ "EVERYTHING" "Everything" 3>&1 1>&2 2>&3 3>&-) # Let's ask for a secure tsec password myUSER="tsec" myPASS1="pass1" myPASS2="pass2" mySECURE="0" while [ "$myPASS1" != "$myPASS2" ] && [ "$mySECURE" == "0" ] do while [ "$myPASS1" == "pass1" ] || [ "$myPASS1" == "" ] do myPASS1=$(dialog --insecure --backtitle "$myBACKTITLE" \ --title "[ Enter password for console user (tsec) ]" \ --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) done myPASS2=$(dialog --insecure --backtitle "$myBACKTITLE" \ --title "[ Repeat password for console user (tsec) ]" \ --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) if [ "$myPASS1" != "$myPASS2" ]; then dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \ --msgbox "\nPlease re-enter your password." 7 60 myPASS1="pass1" myPASS2="pass2" fi mySECURE=$(printf "%s" "$myPASS1" | cracklib-check | grep -c "OK") if [ "$mySECURE" == "0" ] && [ "$myPASS1" == "$myPASS2" ]; then dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50 myOK=$? if [ "$myOK" == "1" ]; then myPASS1="pass1" myPASS2="pass2" fi fi done printf "%s" "$myUSER:$myPASS1" | chpasswd # Let's ask for a web username with secure password myOK="1" myUSER="tsec" myPASS1="pass1" myPASS2="pass2" mySECURE="0" while [ 1 != 2 ] do myUSER=$(dialog --backtitle "$myBACKTITLE" --title "[ Enter your web user name ]" --inputbox "\nUsername (tsec not allowed)" 9 50 3>&1 1>&2 2>&3 3>&-) myUSER=$(echo $myUSER | tr -cd "[:alnum:]_.-") dialog --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myUSER" 7 50 myOK=$? if [ "$myOK" = "0" ] && [ "$myUSER" != "tsec" ] && [ "$myUSER" != "" ]; then break fi done while [ "$myPASS1" != "$myPASS2" ] && [ "$mySECURE" == "0" ] do while [ "$myPASS1" == "pass1" ] || [ "$myPASS1" == "" ] do myPASS1=$(dialog --insecure --backtitle "$myBACKTITLE" \ --title "[ Enter password for your web user ]" \ --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) done myPASS2=$(dialog --insecure --backtitle "$myBACKTITLE" \ --title "[ Repeat password for your web user ]" \ --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) if [ "$myPASS1" != "$myPASS2" ]; then dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \ --msgbox "\nPlease re-enter your password." 7 60 myPASS1="pass1" myPASS2="pass2" fi mySECURE=$(printf "%s" "$myPASS1" | cracklib-check | grep -c "OK") if [ "$mySECURE" == "0" ] && [ "$myPASS1" == "$myPASS2" ]; then dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50 myOK=$? if [ "$myOK" == "1" ]; then myPASS1="pass1" myPASS2="pass2" fi fi done htpasswd -b -c /etc/nginx/nginxpasswd "$myUSER" "$myPASS1" 2>&1 | dialog --title "[ Setting up user and password ]" $myPROGRESSBOXCONF; # Let's generate a SSL self-signed certificate without interaction (browsers will see it invalid anyway) mkdir -p /etc/nginx/ssl 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; openssl req \ -nodes \ -x509 \ -sha512 \ -newkey rsa:8192 \ -keyout "/etc/nginx/ssl/nginx.key" \ -out "/etc/nginx/ssl/nginx.crt" \ -days 3650 \ -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; # Let's setup the ntp server if [ -f $myNTPCONFPATH ]; then dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF <&1 | dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF fi # Let's setup 802.1x networking if [ -f $myPFXPATH ]; then dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF <&1 | dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF if [ -f $myPFXPWPATH ]; then dialog --title "[ Setting up 802.1x password ]" $myPROGRESSBOXCONF <&1>/dev/null <&1>/dev/null <&1>/dev/null <&1>/dev/null < # wpa-ap-scan 1 # wpa-proto RSN # wpa-pairwise CCMP # wpa-group CCMP # wpa-key-mgmt WPA-PSK # wpa-psk "" EOF # Let's modify the sources list sed -i '/cdrom/d' /etc/apt/sources.list # Let's make sure SSH roaming is turned off (CVE-2016-0777, CVE-2016-0778) fuECHO "### Let's make sure SSH roaming is turned off." tee -a /etc/ssh/ssh_config 2>&1>/dev/null <&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF apt-get upgrade -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF # Let's clean up apt apt-get autoclean -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF apt-get autoremove -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF # Installing alerta-cli, wetty, ctop, elasticdump pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF pip install alerta 2>&1 | dialog --title "[ Installing alerta ]" $myPROGRESSBOXCONF ln -s /usr/bin/nodejs /usr/bin/node 2>&1 | dialog --title "[ Installing wetty ]" $myPROGRESSBOXCONF npm install https://github.com/t3chn0m4g3/wetty -g 2>&1 | dialog --title "[ Installing wetty ]" $myPROGRESSBOXCONF npm install https://github.com/t3chn0m4g3/elasticsearch-dump -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF wget https://github.com/bcicen/ctop/releases/download/v0.4.1/ctop-0.4.1-linux-amd64 -O ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF mv ctop /usr/bin/ 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF chmod +x /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF # Let's add a new user addgroup --gid 2000 tpot 2>&1 | dialog --title "[ Adding new user ]" $myPROGRESSBOXCONF adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot 2>&1 | dialog --title "[ Adding new user ]" $myPROGRESSBOXCONF # Let's set the hostname myHOST=$(curl -s -f www.nsanamegenerator.com | html2text | tr A-Z a-z | awk '{print $1}') if [ "$myHOST" = "" ]; then dialog --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Failed to fetch name from remote, using local cache ]" --pause "" 6 80 2 myHOST=$(fuRANDOMWORD) fi hostnamectl set-hostname $myHOST 2>&1 | dialog --title "[ Setting new hostname ]" $myPROGRESSBOXCONF sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts 2>&1 | dialog --title "[ Setting new hostname ]" $myPROGRESSBOXCONF # Let's patch sshd_config sed -i 's#Port 22#Port 64295#' /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF sed -i 's#\#PasswordAuthentication yes#PasswordAuthentication no#' /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH password authentication only from RFC1918 networks ]" $myPROGRESSBOXCONF tee -a /etc/ssh/sshd_config 2>&1>/dev/null <&1>/dev/null ;; INDUSTRIAL) echo "### Preparing INDUSTRIAL flavor installation." cp /root/tpot/data/imgcfg/industrial_images.conf /root/tpot/data/images.conf 2>&1>/dev/null ;; TPOT) echo "### Preparing TPOT flavor installation." cp /root/tpot/data/imgcfg/tpot_images.conf /root/tpot/data/images.conf 2>&1>/dev/null ;; ALL) echo "### Preparing EVERYTHING flavor installation." cp /root/tpot/data/imgcfg/all_images.conf /root/tpot/data/images.conf 2>&1>/dev/null ;; esac # Let's load docker images myIMAGESCOUNT=$(cat /root/tpot/data/images.conf | wc -w) j=0 for name in $(cat /root/tpot/data/images.conf) do dialog --title "[ Downloading docker images, please be patient ]" --backtitle "$myBACKTITLE" \ --gauge "\n Now downloading: dtagdevsec/$name:1706\n" 8 80 $(expr 100 \* $j / $myIMAGESCOUNT) <&1>/dev/null let j+=1 dialog --title "[ Downloading docker images, please be patient ]" --backtitle "$myBACKTITLE" \ --gauge "\n Now downloading: dtagdevsec/$name:1706\n" 8 80 $(expr 100 \* $j / $myIMAGESCOUNT) <&1>/dev/null <&1>/dev/null <&1>/dev/null <:/api delete --filters resource= && alerta --endpoint-url http://:/api send -e IP -r -E Production -s ok -S T-Pot -t \$(cat /data/elk/logstash/mylocal.ip) --status open # Check if updated images are available and download them 27 1 * * * root for i in \$(cat /etc/tpot/images.conf); do docker pull dtagdevsec/\$i:1706; done # Restart docker service and containers 27 3 * * * root dcres.sh # Delete elastic indices older than 90 days (kibana index is omitted by default) 27 4 * * * root docker exec elk bash -c '/usr/local/bin/curator --host 127.0.0.1 delete indices --older-than 90 --time-unit days --timestring \%Y.\%m.\%d' # Update IP and erase check.lock if it exists 27 5 * * * root /etc/rc.local # Daily reboot 27 23 * * * root reboot # Check for updated packages every sunday, upgrade and reboot 27 16 * * 0 root apt-get autoclean -y && apt-get autoremove -y && apt-get update -y && apt-get upgrade -y && sleep 10 && reboot EOF # Let's create some files and folders mkdir -p /data/conpot/log \ /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/ \ /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp \ /data/elasticpot/log \ /data/elk/data /data/elk/log /data/elk/logstash/conf \ /data/glastopf /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/ \ /data/emobility/log \ /data/ews/conf \ /data/suricata/log /home/tsec/.ssh/ \ /etc/tpot/elk /etc/tpot/imgcfg /etc/tpot/systemd \ /usr/share/tpot/bin 2>&1 | dialog --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF # Let's take care of some files and permissions before copying chmod 500 /root/tpot/bin/* 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF chmod 600 /root/tpot/data/* 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF chmod 644 /root/tpot/etc/issue 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF chmod 755 /root/tpot/etc/rc.local 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF chmod 644 /root/tpot/data/systemd/* 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF # Let's copy some files tar xvfz /root/tpot/data/elkbase.tgz -C / 2>&1 | dialog --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF cp -R /root/tpot/bin/* /usr/share/tpot/bin/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp -R /root/tpot/data/* /etc/tpot/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/data/systemd/* /etc/systemd/system/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/etc/issue /etc/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp -R /root/tpot/etc/nginx/ssl /etc/nginx/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/etc/nginx/tpotweb.conf /etc/nginx/sites-available/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/etc/nginx/nginx.conf /etc/nginx/nginx.conf 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/keys/authorized_keys /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/usr/share/nginx/html/* /usr/share/nginx/html/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF for i in $(cat /etc/tpot/images.conf); do systemctl enable $i 2>&1 | dialog --title "[ Enabling service for $i ]" $myPROGRESSBOXCONF done systemctl enable wetty 2>&1 | dialog --title "[ Enabling service for wetty ]" $myPROGRESSBOXCONF # Let's enable T-Pot website ln -s /etc/nginx/sites-available/tpotweb.conf /etc/nginx/sites-enabled/tpotweb.conf 2>&1 | dialog --title "[ Enabling T-Pot website ]" $myPROGRESSBOXCONF # Let's take care of some files and permissions chmod 760 -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF chown tpot:tpot -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF chmod 600 /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF chown tsec:tsec /home/tsec/.ssh /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF # Let's replace "quiet splash" options, set a console font for more screen canvas and update grub sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"#GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0"#' /etc/default/grub 2>&1>/dev/null sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"#' /etc/default/grub 2>&1>/dev/null #sed -i 's#\#GRUB_GFXMODE=640x480#GRUB_GFXMODE=800x600x32#' /etc/default/grub #tee -a /etc/default/grub <&1 | dialog --title "[ Update grub ]" $myPROGRESSBOXCONF cp /usr/share/consolefonts/Uni2-Terminus12x6.psf.gz /etc/console-setup/ gunzip /etc/console-setup/Uni2-Terminus12x6.psf.gz sed -i 's#FONTFACE=".*#FONTFACE="Terminus"#' /etc/default/console-setup sed -i 's#FONTSIZE=".*#FONTSIZE="12x6"#' /etc/default/console-setup update-initramfs -u 2>&1 | dialog --title "[ Update initramfs ]" $myPROGRESSBOXCONF # Let's enable a color prompt and add /usr/share/tpot/bin to path myROOTPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;1m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;1m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"' myUSERPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;2m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;2m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"' tee -a /root/.bashrc 2>&1>/dev/null <&1>/dev/null <&1>/dev/null myLOCALIP=$(hostname -I | awk '{ print $1 }') myEXTIP=$(/usr/share/tpot/bin/myip.sh) sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)[0m#" /etc/issue 2>&1>/dev/null sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP[0m#" /etc/issue 2>&1>/dev/null sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297[0m#" /etc/issue 2>&1>/dev/null tee /data/ews/conf/ews.ip 2>&1>/dev/null <&1>/dev/null < /data/elk/logstash/mylocal.ip 2>&1>/dev/null chown tpot:tpot /data/ews/conf/ews.ip 2>&1>/dev/null # Final steps mv /root/tpot/etc/rc.local /etc/rc.local 2>&1>/dev/null && \ rm -rf /root/tpot/ 2>&1>/dev/null && \ dialog --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Thanks for your patience. Now rebooting. ]" --pause "" 6 80 2 && \ reboot