mirror of
https://github.com/telekom-security/tpotce.git
synced 2025-05-05 14:48:53 +00:00
248 lines
7 KiB
Bash
Executable file
248 lines
7 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
COMPOSE="/tmp/tpot/docker-compose.yml"
|
|
|
|
# Function to check if a variable is set, not empty
|
|
check_var() {
|
|
local var_name="$1"
|
|
local var_value=$(eval echo \$$var_name)
|
|
|
|
# Check if variable is set and not empty
|
|
if [[ -z "$var_value" ]];
|
|
then
|
|
echo "# Error: $var_name is not set or empty."
|
|
echo
|
|
echo "# Aborting"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
# Function to check for potentially unsafe characters in most variables
|
|
check_safety() {
|
|
local var_name="$1"
|
|
local var_value=$(eval echo \$$var_name)
|
|
|
|
# General safety check for most variables
|
|
if [[ $var_value =~ [^a-zA-Z0-9_/.:-] ]];
|
|
then
|
|
echo "# Error: Unsafe characters detected in $var_name."
|
|
echo
|
|
echo "# Aborting"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
# Function to check the safety of the WEB_USER variable
|
|
check_web_user_safety() {
|
|
local web_user="$1"
|
|
|
|
# Allow alphanumeric, $, ., /, and : for WEB_USER (to accommodate htpasswd hash)
|
|
if [[ ! $web_user =~ ^[a-zA-Z0-9]+:\$apr1\$[a-zA-Z0-9./]+\$[a-zA-Z0-9./]+$ ]];
|
|
then
|
|
echo "# Error: Unsafe characters detected in WEB_USER."
|
|
echo
|
|
echo "# Aborting"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
# Function to validate specific variable formats
|
|
validate_format() {
|
|
local var_name="$1"
|
|
local var_value=$(eval echo \$$var_name)
|
|
|
|
case "$var_name" in
|
|
TPOT_BLACKHOLE|TPOT_PERSISTENCE|TPOT_ATTACKMAP_TEXT|COCKPIT)
|
|
if ! [[ $var_value =~ ^(ENABLED|DISABLED|on|off|true|false)$ ]];
|
|
then
|
|
echo "# Error: Invalid value for $var_name. Expected ENABLED/DISABLED, on/off, true/false."
|
|
echo
|
|
echo "# Aborting"
|
|
exit 1
|
|
fi
|
|
;;
|
|
*)
|
|
# Add additional specific format checks here if necessary
|
|
;;
|
|
esac
|
|
}
|
|
|
|
# Validate environment variables
|
|
for var in TPOT_BLACKHOLE TPOT_PERSISTENCE TPOT_ATTACKMAP_TEXT TPOT_ATTACKMAP_TEXT_TIMEZONE TPOT_REPO TPOT_VERSION TPOT_PULL_POLICY TPOT_OSTYPE;
|
|
do
|
|
check_var "$var"
|
|
check_safety "$var"
|
|
validate_format "$var"
|
|
done
|
|
|
|
# Specific check for WEB_USER
|
|
check_var "WEB_USER"
|
|
check_web_user_safety "$WEB_USER"
|
|
|
|
echo "# All settings seem to be valid."
|
|
|
|
|
|
# Check for compatible OSType
|
|
echo
|
|
echo "# Checking if OSType is compatible."
|
|
echo
|
|
myOSTYPE=$(uname -a | grep -Eo "linuxkit")
|
|
if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
|
|
then
|
|
echo "# Docker Desktop for macOS or Windows detected."
|
|
echo "# 1. You need to adjust the OSType in the hidden \".env\" file."
|
|
echo "# 2. You need to use the macos or win docker compose file."
|
|
echo
|
|
echo "# Aborting."
|
|
echo
|
|
exit 1
|
|
fi
|
|
|
|
# Data folder management
|
|
if [ -f "/data/uuid" ];
|
|
then
|
|
figlet "Initializing ..."
|
|
figlet "T-Pot: ${TPOT_VERSION}"
|
|
echo
|
|
echo "# Data folder is present, just cleaning up, please be patient ..."
|
|
echo
|
|
/opt/tpot/bin/clean.sh "${TPOT_PERSISTENCE}"
|
|
echo
|
|
else
|
|
figlet "Setting up ..."
|
|
figlet "T-Pot: ${TPOT_VERSION}"
|
|
echo
|
|
echo "# Checking for default user."
|
|
if [ "${WEB_USER}" == "change:me" ];
|
|
then
|
|
echo "# Please change WEB_USER in the hidden \".env\" file."
|
|
echo "# Aborting."
|
|
echo
|
|
exit 1
|
|
fi
|
|
echo
|
|
echo "# Setting up data folder structure ..."
|
|
echo
|
|
mkdir -vp /data/ews/conf \
|
|
/data/nginx/{cert,conf,log} \
|
|
/data/tpot/etc/compose/ \
|
|
/data/tpot/etc/logrotate/ \
|
|
/tmp/etc/
|
|
echo
|
|
echo "# Generating self signed certificate ..."
|
|
echo
|
|
myINTIP=$(/sbin/ip address show | awk '/inet .*brd/{split($2,a,"/"); print a[1]; exit}')
|
|
openssl req \
|
|
-nodes \
|
|
-x509 \
|
|
-sha512 \
|
|
-newkey rsa:8192 \
|
|
-keyout "/data/nginx/cert/nginx.key" \
|
|
-out "/data/nginx/cert/nginx.crt" \
|
|
-days 3650 \
|
|
-subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' \
|
|
-addext "subjectAltName = IP:${myINTIP}"
|
|
echo
|
|
echo "# Creating web user from tpot.env, make sure to erase the password from the .env ..."
|
|
echo
|
|
echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
|
|
touch /data/nginx/conf/lswebpasswd
|
|
echo
|
|
echo "# Extracting objects, final touches and permissions ..."
|
|
echo
|
|
tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C /
|
|
/opt/tpot/bin/clean.sh off
|
|
uuidgen > /data/uuid
|
|
fi
|
|
|
|
# Check if TPOT_BLACKHOLE is enabled
|
|
if [ "${myOSTYPE}" == "linuxkit" ];
|
|
then
|
|
echo
|
|
echo "# Docker Desktop for macOS or Windows detected, Blackhole feature is not supported."
|
|
echo
|
|
else
|
|
if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ ! -f "/etc/blackhole/mass_scanner.txt" ];
|
|
then
|
|
echo "# Adding Blackhole routes."
|
|
/opt/tpot/bin/blackhole.sh add
|
|
echo
|
|
fi
|
|
if [ "${TPOT_BLACKHOLE}" == "DISABLED" ] && [ -f "/etc/blackhole/mass_scanner.txt" ];
|
|
then
|
|
echo "# Removing Blackhole routes."
|
|
/opt/tpot/bin/blackhole.sh del
|
|
echo
|
|
else
|
|
echo "# Blackhole is not active."
|
|
fi
|
|
fi
|
|
|
|
# Get IP
|
|
echo
|
|
echo "# Updating IP Info ..."
|
|
echo
|
|
/opt/tpot/bin/updateip.sh
|
|
|
|
# Update permissions
|
|
echo
|
|
echo "# Updating permissions ..."
|
|
echo
|
|
chown -R tpot:tpot /data
|
|
chmod -R 777 /data
|
|
#chmod 644 -R /data/nginx/conf
|
|
#chmod 644 -R /data/nginx/cert
|
|
|
|
# Update interface settings (p0f and Suricata) and setup iptables to support NFQ based honeypots (glutton, honeytrap)
|
|
### This is currently not supported on Docker for Desktop, only on Docker Engine for Linux
|
|
if [ "${myOSTYPE}" != "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
|
|
then
|
|
echo
|
|
echo "# Get IF, disable offloading, enable promiscious mode for p0f and suricata ..."
|
|
echo
|
|
ethtool --offload $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | tr -d [:punct:]) rx off tx off
|
|
ethtool -K $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | tr -d [:punct:]) gso off gro off
|
|
ip link set $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | tr -d [:punct:]) promisc on
|
|
echo
|
|
echo "# Adding firewall rules ..."
|
|
echo
|
|
/opt/tpot/bin/rules.sh ${COMPOSE} set
|
|
fi
|
|
|
|
# Display open ports
|
|
if [ "${myOSTYPE}" != "linuxkit" ];
|
|
then
|
|
echo
|
|
echo "# This is a list of open ports on the host (netstat -tulpen)."
|
|
echo "# Make sure there are no conflicting ports by checking the docker compose file."
|
|
echo "# Conflicting ports will prevent the startup of T-Pot."
|
|
echo
|
|
netstat -tulpen | grep -Eo ':([0-9]+)' | cut -d ":" -f 2 | uniq
|
|
echo
|
|
else
|
|
echo
|
|
echo "# Docker Desktop for macOS or Windows detected, cannot show open ports on the host."
|
|
echo
|
|
fi
|
|
|
|
|
|
# Done
|
|
echo
|
|
figlet "Starting ..."
|
|
figlet "T-Pot: ${TPOT_VERSION}"
|
|
echo
|
|
touch /tmp/success
|
|
|
|
# We want to see true source for UDP packets in container (https://github.com/moby/libnetwork/issues/1994)
|
|
if [ "${myOSTYPE}" != "linuxkit" ];
|
|
then
|
|
sleep 60
|
|
/usr/sbin/conntrack -D -p udp
|
|
else
|
|
echo
|
|
echo "# Docker Desktop for macOS or Windows detected, Conntrack feature is not supported."
|
|
echo
|
|
fi
|
|
|
|
# Keep the container running ...
|
|
sleep infinity
|