mirror of
				https://github.com/telekom-security/tpotce.git
				synced 2025-10-26 18:24:45 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			166 lines
		
	
	
	
		
			9 KiB
		
	
	
	
		
			Text
		
	
	
	
	
	
			
		
		
	
	
			166 lines
		
	
	
	
		
			9 KiB
		
	
	
	
		
			Text
		
	
	
	
	
	
| # T-Pot config file. Do not remove.
 | |
| 
 | |
| ###############################################
 | |
| # T-Pot Base Settings - Adjust to your needs. #
 | |
| ###############################################
 | |
| 
 | |
| # Set Web usernames and passwords here. This section will be used to create / update the Nginx password file nginxpasswd.
 | |
| #  <empty>: This is the default
 | |
| #  <base64 encoded htpasswd usernames / passwords>:
 | |
| #   Use 'htpasswd -n -b "username" "password" | base64 -w0' to create the WEB_USER if you want to manually deploy T-Pot, run 'install.sh' to automatically add a user during installation, or 'genuser.sh' if you just want to add a web user.
 | |
| #   Example: 'htpasswd -n -b "tsec" "tsec" | base64 -w0' will print dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo=
 | |
| #   Copy the string and replace WEB_USER=dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo=
 | |
| #   Multiple users are possible:
 | |
| #   WEB_USER=dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo= dHNlYzokYXByMSR6VUFHVWdmOCRROXI3a09CTjFjY3lCeU1DTloyanEvCgo=
 | |
| WEB_USER=
 | |
| 
 | |
| # Set Logstash Web usernames and passwords here. This section will be used to create / update the Nginx password file lswebpasswd.
 | |
| # The Lostsash Web usernames are used for T-Pot log ingestion via Logstash, each sensor should have its own user.
 | |
| #  <empty>: This is empty by default.
 | |
| #  <'htpasswd encoded usernames / passwords'>:
 | |
| #   Use 'htpasswd -n -b "username" "password" | base64 -w0' to create the LS_WEB_USER if you want to manually deploy the sensor.
 | |
| #   Example: 'htpasswd -n -b "sensor" "sensor" | base64 -w0' will print c2Vuc29yOiRhcHIxJGVpMHdzUmdYJHNyWHF4UG53ZzZqWUc3aEFaUWxrWDEKCg==
 | |
| #   Copy the string and replace / add LS_WEB_USER=c2Vuc29yOiRhcHIxJGVpMHdzUmdYJHNyWHF4UG53ZzZqWUc3aEFaUWxrWDEKCg==
 | |
| #   Multiple users are possible:
 | |
| #   LS_WEB_USER=c2Vuc29yMTokYXByMSQ5aXhNRk5yMCR6d3F2dGFwQ2x0cFBhU1pqMm9ZemYxCgo= c2Vuc29yMjokYXByMSRtYTlOS1J2NCQvU3dsVVBMeW5RaVIyM3pyWVAzOUkwCgo=
 | |
| LS_WEB_USER=
 | |
| 
 | |
| # T-Pot Blackhole
 | |
| #  ENABLED: T-Pot will download a db of known mass scanners and nullroute them.
 | |
| #           Be aware, this will put T-Pot off the map for stealth reasons and
 | |
| #           you will get less traffic. Routes will be active until next reboot
 | |
| #           and will be re-added with every T-Pot start until disabled.
 | |
| #  DISABLED: This is the default and no stealth efforts are in place.
 | |
| TPOT_BLACKHOLE=DISABLED
 | |
| 
 | |
| # T-Pot Persistence
 | |
| #  on: This is the default. T-Pot will keep the honeypot logfiles and rotate
 | |
| #      with logrotate for 30 days.
 | |
| #  off: This is recommended for Raspberry Pi or setups with weaker CPUs or
 | |
| #       if you just do not need any of the logfiles.
 | |
| TPOT_PERSISTENCE=on
 | |
| 
 | |
| # T-Pot Type
 | |
| #  HIVE: This is the default and offers everything to connect T-Pot sensors.
 | |
| #  SENSOR: This needs to be used when running a sensor. Be aware to adjust all other
 | |
| #          settings as well.
 | |
| #          1. You will need to copy compose/sensor.yml to ./docker-comopose.yml
 | |
| #          2. From HIVE host you will need to copy ~/tpotce/data/nginx/cert/nginx.crt to
 | |
| #             your SENSOR host to ~/tpotce/data/hive.crt
 | |
| #          3. On HIVE: Create a web user per SENSOR on HIVE and provide credentials below
 | |
| #             Create credentials with 'htpasswd ~/tpotce/data/nginx/conf/lswebpasswd <username>'
 | |
| #          4. On SENSOR: Provide username / password from (3) for TPOT_HIVE_USER as base64 encoded string:
 | |
| #                        "echo -n 'username:password' | base64 -w0"
 | |
| #  MOBILE: This will set the correct type for T-Pot Mobile (https://github.com/telekom-security/tpotmobile)
 | |
| TPOT_TYPE=HIVE
 | |
| 
 | |
| # T-Pot Hive User (only relevant for SENSOR deployment)
 | |
| #  <empty>: This is empty by default.
 | |
| #  <base64 encoded string>: Provide a base64 encoded string "echo -n 'username:password' | base64 -w0"
 | |
| #                           i.e. TPOT_HIVE_USER='dXNlcm5hbWU6cGFzc3dvcmQ='
 | |
| TPOT_HIVE_USER=
 | |
| 
 | |
| # Logstash Sensor SSL verfication (only relevant on SENSOR hosts)
 | |
| # full: This is the default. Logstash, by default, verifies the complete certificate chain for ssl certificates.
 | |
| #       This also includes the FQDN and sANs. By default T-Pot will only generate a self-signed certificate which
 | |
| #       contains a sAN for the HIVE IP. In scenario where the HIVE needs to be accessed via Internet, maybe with
 | |
| #       a different NAT address, a new certificate needs to be generated before deployment that includes all the
 | |
| #       IPs and FQDNs as sANs for logstash successfully establishing a connection to the HIVE for transmitting
 | |
| #       logs. Details here: https://github.com/telekom-security/tpotce?tab=readme-ov-file#distributed-deployment
 | |
| # none: This setting will disable the ssl verification check of logstash and should only be used in a testing
 | |
| #       environment where IPs often change. It is not recommended for a production environment where trust between
 | |
| #       HIVE and SENSOR is only established through a self signed certificate. 
 | |
| LS_SSL_VERIFICATION=full
 | |
| 
 | |
| # T-Pot Hive IP (only relevant for SENSOR deployment)
 | |
| #  <empty>: This is empty by default.
 | |
| #  <IP, FQDN>: This can be either a IP (i.e. 192.168.1.1) or a FQDN (i.e. foo.bar.local)
 | |
| TPOT_HIVE_IP=
 | |
| 
 | |
| # T-Pot AttackMap Text Output
 | |
| #  ENABLED: This is the default and the docker container map_data will print events to the console.
 | |
| #  DISABLED: Printing events to the console is disabled.
 | |
| TPOT_ATTACKMAP_TEXT=ENABLED
 | |
| 
 | |
| # T-Pot AttackMap Text Output Timezone
 | |
| #  UTC: (T-Pot default) This is usually the best option.
 | |
| #  Continent/City: In Linux you can check our timezone with `readlink` /etc/localtime or
 | |
| #                  see the full list here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
 | |
| #  Examples: America/New_York, Asia/Taipei, Australia/Melbourne, Europe/Athens, Europe/Berlin
 | |
| TPOT_ATTACKMAP_TEXT_TIMEZONE=UTC
 | |
| 
 | |
| ###################################################################################
 | |
| # Honeypots / Tools settings
 | |
| ###################################################################################
 | |
| # Some services / tools offer adjustments using ENVs which can be adjusted here.
 | |
| ###################################################################################
 | |
| 
 | |
| # Suricata ET Pro ruleset
 | |
| #  OPEN: This is the default and will the ET Open ruleset
 | |
| #  OINKCODE: Replace OPEN with your Oinkcode to use the ET Pro ruleset
 | |
| OINKCODE=OPEN
 | |
| 
 | |
| # Beelzebub Honeypot supports LLMs such as ChatGPT and the Ollama backend.
 | |
| # Beelzebub is not part of the standard edition, please follow the README regarding setup.
 | |
| # It is recommended to use the Ollama backend to keep costs at bay.
 | |
| # Remember to rate limit API usage / set budget alerts when using ChatGPT API.
 | |
| # BEELZEBUB_LLM_MODEL: Set to "ollama" or "gpt4-o".
 | |
| # BEELZEBUB_LLM_HOST: When using "ollama" set it to the URL of your Ollama backend.
 | |
| # BEELZEBUB_OLLAMA_MODEL: Set to the model you are serving on your Ollama backend, i.e. "openchat".
 | |
| # BEELZEBUB_LLM_MODEL: "gpt4-o"
 | |
| # BEELZEBUB_OPENAISECRETKEY: "sk-proj-123456"
 | |
| BEELZEBUB_LLM_MODEL: "ollama"
 | |
| BEELZEBUB_LLM_HOST: "http://ollama.local:11434/api/chat"
 | |
| BEELZEBUB_OLLAMA_MODEL: "openchat"
 | |
| 
 | |
| # Galah is a LLM-powered web honeypot supporting various LLM backends.
 | |
| # Galah is not part of the standard edition, please follow the README regarding setup.
 | |
| # It is recommended to use the Ollama backend to keep costs at bay.
 | |
| # Remember to rate limit API usage / set budget alerts when using ChatGPT API.
 | |
| # GALAH_LLM_PROVIDER: Set to "ollama" or "gpt4-o".
 | |
| # GALAH_LLM_SERVER_URL: When using "ollama" set it to the URL of your Ollama backend.
 | |
| # GALAH_LLM_MODEL: Set to the model you are serving on your Ollama backend, i.e. "llama3".
 | |
| # GALAH_LLM_TEMPERATURE: "1"
 | |
| # GALAH_LLM_API_KEY: "sk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
 | |
| # GALAH_LLM_CLOUD_LOCATION: ""
 | |
| # GALAH_LLM_CLOUD_PROJECT: ""
 | |
| GALAH_LLM_PROVIDER: "ollama"
 | |
| GALAH_LLM_SERVER_URL: "http://ollama.local:11434"
 | |
| GALAH_LLM_MODEL: "llama3.1"
 | |
| 
 | |
| 
 | |
| ###################################################################################
 | |
| # NEVER MAKE CHANGES TO THIS SECTION UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!!! #
 | |
| ###################################################################################
 | |
| 
 | |
| # docker.sock Path
 | |
| TPOT_DOCKER_SOCK=/var/run/docker.sock
 | |
| 
 | |
| # docker compose .env
 | |
| TPOT_DOCKER_ENV=./.env
 | |
| 
 | |
| # Docker-Compose file
 | |
| TPOT_DOCKER_COMPOSE=./docker-compose.yml
 | |
| 
 | |
| # T-Pot Docker Repo
 | |
| #  Depending on where you are located you may choose between DockerHub and GHCR
 | |
| #  dtagdevsec: This will use the DockerHub image registry
 | |
| #  ghcr.io/telekom-security: This will use the GitHub container registry
 | |
| TPOT_REPO=ghcr.io/telekom-security
 | |
| 
 | |
| # T-Pot Version Tag
 | |
| TPOT_VERSION=24.04.1
 | |
| 
 | |
| # T-Pot Pull Policy
 | |
| #  always: (T-Pot default) Compose implementations SHOULD always pull the image from the registry.
 | |
| #  never: Compose implementations SHOULD NOT pull the image from a registry and SHOULD rely on the platform cached image.
 | |
| #  missing: Compose implementations SHOULD pull the image only if it's not available in the platform cache.
 | |
| #  build: Compose implementations SHOULD build the image. Compose implementations SHOULD rebuild the image if already present.
 | |
| TPOT_PULL_POLICY=always
 | |
| 
 | |
| # T-Pot Data Path
 | |
| TPOT_DATA_PATH=./data
 | |
| 
 | |
| # OSType (linux, mac, win)
 | |
| #  Most docker features are available on linux
 | |
| TPOT_OSTYPE=linux
 | 
