tpotce/etc/compose/industrial.yml

# T-Pot (Industrial)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'

networks:
  conpot_local_default:
  conpot_local_IEC104:
  conpot_local_guardian_ast:
  conpot_local_ipmi:
  conpot_local_kamstrup_382:
  cowrie_local:
  dicompot_local:
  heralding_local:
  honeysap_local:
  medpot_local:
  rdpy_local:
  ewsposter_local:
  spiderfoot_local:

services:

##################
#### Honeypots
##################

# Conpot default service
  conpot_default:
    container_name: conpot_default
    restart: always
    environment:
     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
     - CONPOT_JSON_LOG=/var/log/conpot/conpot_default.json
     - CONPOT_LOG=/var/log/conpot/conpot_default.log
     - CONPOT_TEMPLATE=default
     - CONPOT_TMP=/tmp/conpot
    tmpfs:
     - /tmp/conpot:uid=2000,gid=2000
    networks:
     - conpot_local_default
    ports:
     - "69:69/udp"
     - "80:80"
     - "102:102"
     - "161:161/udp"
     - "502:502"
#     - "623:623/udp"
     - "21:21"
     - "44818:44818"
     - "47808:47808/udp"
    image: "dtagdevsec/conpot:2203"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot

# Conpot IEC104 service
  conpot_IEC104:
    container_name: conpot_iec104
    restart: always
    environment:
     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
     - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
     - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
     - CONPOT_TEMPLATE=IEC104
     - CONPOT_TMP=/tmp/conpot
    tmpfs:
     - /tmp/conpot:uid=2000,gid=2000
    networks:
     - conpot_local_IEC104
    ports:
#     - "161:161/udp"
     - "2404:2404"
    image: "dtagdevsec/conpot:2203"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot

# Conpot guardian_ast service
  conpot_guardian_ast:
    container_name: conpot_guardian_ast
    restart: always
    environment:
     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
     - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
     - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
     - CONPOT_TEMPLATE=guardian_ast
     - CONPOT_TMP=/tmp/conpot
    tmpfs:
     - /tmp/conpot:uid=2000,gid=2000
    networks:
     - conpot_local_guardian_ast
    ports:
     - "10001:10001"
    image: "dtagdevsec/conpot:2203"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot

# Conpot ipmi
  conpot_ipmi:
    container_name: conpot_ipmi
    restart: always
    environment:
     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
     - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
     - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
     - CONPOT_TEMPLATE=ipmi
     - CONPOT_TMP=/tmp/conpot
    tmpfs:
     - /tmp/conpot:uid=2000,gid=2000
    networks:
     - conpot_local_ipmi
    ports:
     - "623:623/udp"
    image: "dtagdevsec/conpot:2203"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot

# Conpot kamstrup_382
  conpot_kamstrup_382:
    container_name: conpot_kamstrup_382
    restart: always
    environment:
     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
     - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
     - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
     - CONPOT_TEMPLATE=kamstrup_382
     - CONPOT_TMP=/tmp/conpot
    tmpfs:
     - /tmp/conpot:uid=2000,gid=2000
    networks:
     - conpot_local_kamstrup_382
    ports:
     - "1025:1025"
     - "50100:50100"
    image: "dtagdevsec/conpot:2203"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot

# Cowrie service
  cowrie:
    container_name: cowrie
    restart: always
    tmpfs:
     - /tmp/cowrie:uid=2000,gid=2000
     - /tmp/cowrie/data:uid=2000,gid=2000
    networks:
     - cowrie_local
    ports:
     - "22:22"
     - "23:23"
    image: "dtagdevsec/cowrie:2203"
    read_only: true
    volumes:
     - /data/cowrie/downloads:/home/cowrie/cowrie/dl
     - /data/cowrie/keys:/home/cowrie/cowrie/etc
     - /data/cowrie/log:/home/cowrie/cowrie/log
     - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty

# Dicompot service
# Get the Horos Client for testing: https://horosproject.org/
# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
  dicompot:
    container_name: dicompot
    restart: always
    networks:
     - dicompot_local
    ports:
     - "11112:11112"
    image: "dtagdevsec/dicompot:2203"
    read_only: true
    volumes:
     - /data/dicompot/log:/var/log/dicompot
#     - /data/dicompot/images:/opt/dicompot/images

# Heralding service
  heralding:
    container_name: heralding
    restart: always
    tmpfs:
     - /tmp/heralding:uid=2000,gid=2000
    networks:
     - heralding_local
    ports:
    # - "21:21"
    # - "22:22"
    # - "23:23"
    # - "25:25"
    # - "80:80"
    # - "110:110"
    # - "143:143"
    # - "443:443"
    # - "465:465"
    # - "993:993"
    # - "995:995"
    # - "3306:3306"
    # - "3389:3389"
    # - "5432:5432"
     - "5900:5900"
    image: "dtagdevsec/heralding:2203"
    read_only: true
    volumes:
     - /data/heralding/log:/var/log/heralding

# HoneySAP service
  honeysap:
    container_name: honeysap
    restart: always
    networks:
     - honeysap_local
    ports:
     - "3299:3299"
    image: "dtagdevsec/honeysap:2203"
    volumes:
     - /data/honeysap/log:/opt/honeysap/log

# Honeytrap service
  honeytrap:
    container_name: honeytrap
    restart: always
    tmpfs:
     - /tmp/honeytrap:uid=2000,gid=2000
    network_mode: "host"
    cap_add:
     - NET_ADMIN
    image: "dtagdevsec/honeytrap:2203"
    read_only: true
    volumes:
     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
     - /data/honeytrap/log:/opt/honeytrap/var/log

# Medpot service
  medpot:
    container_name: medpot
    restart: always
    networks:
     - medpot_local
    ports:
     - "2575:2575"
    image: "dtagdevsec/medpot:2203"
    read_only: true
    volumes:
     - /data/medpot/log/:/var/log/medpot

# Rdpy service
  rdpy:
    container_name: rdpy
    extra_hosts:
     - hpfeeds.example.com:127.0.0.1
    restart: always
    environment:
     - HPFEEDS_SERVER=hpfeeds.example.com
     - HPFEEDS_IDENT=user
     - HPFEEDS_SECRET=pass
     - HPFEEDS_PORT=65000
     - SERVERID=id
    networks:
     - rdpy_local
    ports:
     - "3389:3389"
    image: "dtagdevsec/rdpy:2203"
    read_only: true
    volumes:
     - /data/rdpy/log:/var/log/rdpy


##################
#### NSM
##################

# Fatt service
  fatt:
    container_name: fatt
    restart: always
    network_mode: "host"
    cap_add:
     - NET_ADMIN
     - SYS_NICE
     - NET_RAW
    image: "dtagdevsec/fatt:2203"
    volumes:
     - /data/fatt/log:/opt/fatt/log

# P0f service
  p0f:
    container_name: p0f
    restart: always
    network_mode: "host"
    image: "dtagdevsec/p0f:2203"
    read_only: true
    volumes:
     - /data/p0f/log:/var/log/p0f

# Suricata service
  suricata:
    container_name: suricata
    restart: always
    environment:
    # For ET Pro ruleset replace "OPEN" with your OINKCODE
     - OINKCODE=OPEN
    # Loading externel Rules from URL 
    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
    network_mode: "host"
    cap_add:
     - NET_ADMIN
     - SYS_NICE
     - NET_RAW
    image: "dtagdevsec/suricata:2203"
    volumes:
     - /data/suricata/log:/var/log/suricata


##################
#### Tools
##################

#### ELK
## Elasticsearch service
  elasticsearch:
    container_name: elasticsearch
    restart: always
    environment:
     - bootstrap.memory_lock=true
     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
     - ES_TMPDIR=/tmp
    cap_add:
     - IPC_LOCK
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    mem_limit: 4g
    ports:
     - "127.0.0.1:64298:9200"
    image: "dtagdevsec/elasticsearch:2203"
    volumes:
     - /data:/data

## Kibana service
  kibana:
    container_name: kibana
    restart: always
    depends_on:
      elasticsearch:
        condition: service_healthy
    mem_limit: 1g
    ports:
     - "127.0.0.1:64296:5601"
    image: "dtagdevsec/kibana:2203"

## Logstash service
  logstash:
    container_name: logstash
    restart: always
#    environment:
#     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
    depends_on:
      elasticsearch:
        condition: service_healthy
    env_file:
     - /opt/tpot/etc/compose/elk_environment
    mem_limit: 2g
    image: "dtagdevsec/logstash:2203"
    volumes:
     - /data:/data

# Ewsposter service
  ewsposter:
    container_name: ewsposter
    restart: always
    networks:
     - ewsposter_local
    environment:
     - EWS_HPFEEDS_ENABLE=false
     - EWS_HPFEEDS_HOST=host
     - EWS_HPFEEDS_PORT=port
     - EWS_HPFEEDS_CHANNELS=channels
     - EWS_HPFEEDS_IDENT=user
     - EWS_HPFEEDS_SECRET=secret
     - EWS_HPFEEDS_TLSCERT=false
     - EWS_HPFEEDS_FORMAT=json
    env_file:
     - /opt/tpot/etc/compose/elk_environment
    image: "dtagdevsec/ewsposter:2203"
    volumes:
     - /data:/data
     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip

# Nginx service
  nginx:
    container_name: nginx
    restart: always
    tmpfs:
     - /var/tmp/nginx/client_body
     - /var/tmp/nginx/proxy
     - /var/tmp/nginx/fastcgi
     - /var/tmp/nginx/uwsgi
     - /var/tmp/nginx/scgi
     - /run
     - /var/lib/nginx/tmp:uid=100,gid=82
    network_mode: "host"
    ports:
     - "64297:64297"
     - "127.0.0.1:64304:64304"
    image: "dtagdevsec/nginx:2203"
    read_only: true
    volumes:
     - /data/nginx/cert/:/etc/nginx/cert/:ro
     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
     - /data/nginx/log/:/var/log/nginx/

# Spiderfoot service
  spiderfoot:
    container_name: spiderfoot
    restart: always
    networks:
     - spiderfoot_local
    ports:
     - "127.0.0.1:64303:8080"
    image: "dtagdevsec/spiderfoot:2203"
    volumes:
     - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/.spiderfoot/spiderfoot.db