modified: bin/install.sh

 - fixed missing ${TMPDIR}
 - adapted to work with newest cowrie
 - adapted to work in openSUSE with selinux
modified:   bin/makecert.sh
 - fixed issue with location of dshield.sslca
modified:   bin/status.sh
 - fixed egrep to grep -E
modified:   bin/update.sh
 - fixed egrep to grep -E
modified:   bin/updatehoneypotip.sh
 - fixed egrep to grep -E
 - fixed location of dshield.ini
modified:   docs/install-instructions/openSUSE.md
 - updated documentation for openSUSE
modified:   srv/dshield/DShield.patch
 - extra character, C,  used in line in dshield.log
new files needed for selinux in openSUSE and new version of cowrie
 - etc/cowrie.pp
 - etc/cowrie1.pp
 - srv/cowrie/bin/

Author: root

bin/install.sh

@@ -20,6 +20,11 @@ readonly myversion=98
 
 # Major Changes (for details, see Github):
 #
+# - V99 (Freek)
+#   - fixed some missing sudos
+#   - adapted to support newest openSUSE
+#   - added the https port 8443
+#
 # - V98 (Johannes)
 #   - new web hpot (Mark Baggett)
 #   - installer no longer requires root / better priv separation 
@@ -293,10 +298,11 @@ LOGFILE="${LOGDIR}/install_${INSTDATE}.log"
 SSHHONEYPORT=2222
 TELNETHONEYPORT=2223
 WEBHONEYPORT=8000
+HTTPSHONEYPORT=8443
 SSHREDIRECT="22"
 TELNETREDIRECT="23 2323"
 WEBREDIRECT="80 8080 7547 5555 9000"
-HONEYPORTS="${SSHHONEYPORT} ${TELNETHONEYPORT} ${WEBHONEYPORT}"
+HONEYPORTS="${SSHHONEYPORT} ${TELNETHONEYPORT} ${WEBHONEYPORT} ${HTTPSHONYPORT}"
 
 # create and setup log directory
 if [ ! -d ${LOGDIR} ]; then
@@ -771,10 +777,10 @@ if [ "$FAST" == "0" ]; then
     outlog "Updating your openSUSE Operating System will now be done."
     sudorun 'zypper --non-interactive dup --no-recommends'
     outlog "Installing additional packages"
-    sudorun 'zypper --non-interactive install --no-recommends cron gcc libffi-devel python311-devel libopenssl-devel rsyslog dialog'
+    sudorun 'zypper --non-interactive install --no-recommends cron gcc libffi-devel python3-devel libopenssl-devel rsyslog dialog'
     sudorun 'zypper --non-interactive install --no-recommends perl-libwww-perl perl-Switch perl-LWP-Protocol-https python3-requests'
-    sudorun 'zypper --non-interactive install --no-recommends python3-pycryptodome python3-virtualenv'
-    sudorun 'zypper --non-interactive install --no-recommends python311-pip rng-tools curl openssh unzip'
+    sudorun 'zypper --non-interactive install --no-recommends python3-pycryptodome python3-virtualenv python3-dateutils'
+    sudorun 'zypper --non-interactive install --no-recommends python3-pip rng-tools curl openssh unzip'
     sudorun 'zypper --non-interactive install --no-recommends net-tools-deprecated patch logrotate'
     sudorun 'zypper --non-interactive install --no-recommends system-user-mail mariadb libmariadb-devel python3-PyMySQL jq'
     sudorun 'zypper --non-interactive install --no-recommends python3-python-snappy snappy-devel gcc-c++'
@@ -886,7 +892,7 @@ if [ -x /etc/init.d/cowrie ]; then
 fi
 # in case systemd is used
 outlog "Stopping cowrie via systemd"
-sudo systemctl stop cowrie
+[ "$(sudo systemcl is-active cowrie.service)" = "active" ] && sudo systemctl stop cowrie
 
 if [ "$FAST" == "0" ]; then
 
@@ -980,16 +986,8 @@ EOF
   drun "cat /etc/modprobe.d/ipv6.conf.bak"
   drun "cat /etc/modprobe.d/ipv6.conf"
 else # in openSUSE
-  run "grep -q 'ipv6.conf' /etc/sysctl.d/70-yast.conf"
-  # shellcheck disable=SC2181
-  if [ ${?} -ne 0 ]; then
-    dlog "Disabling IPv6 in /etc/sysctl.d/70-yast.conf"
-    dsudorun 'echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.d/70-yast.conf'
-    dsudorun 'echo "net.ipv6.conf.all.forwarding = 0" >> /etc/sysctl.d/70-yast.conf'
-    dsudorun 'echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/70-yast.conf'
-  else
-    dlog "IPv6 already disabled in /etc/sysctl.d/70-yast.conf"
-  fi
+  iface=$(ip -4 route show | grep '^default ' | head -1 | cut -f5 -d' ')
+  dsudorun "nmcli device modify $iface  ipv6.method 'disabled'"
 fi
 
 ###########################################################
@@ -1001,7 +999,8 @@ if ! grep -qE '^webhpot' /etc/passwd; then
     if [ "$ID" != "opensuse" ]; then
 	sudorun 'adduser --gecos "Honeypot,A113,555-1212,555-1212" --disabled-password --quiet --home /srv/web --no-create-home webhpot'	
     else
-	sudorun 'useradd -c "Honeypot,A113,555-1212,555-1212" -M -U -d /srv/web webhpot'	
+	sudorun 'useradd -c "Honeypot,A113,555-1212,555-1212" -M -U -d /srv/web webhpot'
+        sudorun 'passwd -d webhpot' #disable password
     fi
     outlog "Added user 'webhpot'"
 else
@@ -1778,7 +1777,7 @@ EOF
 
 else # use_iptables = False -> use nftables
   dlog "using nftables, not iptables"
-  cat > /etc/network/ruleset.nft <<EOF
+  cat > ${TMPDIR}/ruleset.nft <<EOF
 # NFT ruleset generated on $(date)
 add table ip filter
 add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
@@ -1789,7 +1788,7 @@ add rule ip filter INPUT iifname "${interface}" ct state related,established  co
 EOF
 
   # allow pings from localnet
-  echo "# allow ping from local network" >>/etc/network/ruleset.nft
+  echo "# allow ping from local network" >>${TMPDIR}/ruleset.nft
   echo "add rule ip filter INPUT iifname \"$interface\" ip saddr ${localnet} icmp type echo-request counter accept" >>"${TMPDIR}"/ruleset.nft
 
   # insert IPs and ports for which honeypot has to be disabled
@@ -1928,24 +1927,53 @@ fi
 if [ "$INTERACTIVE" == 1 ]; then
   dlog "changing port for sshd"
 
-  run "sed \"s/^[#\s]*Port 22\s*$/Port ${SSHDPORT}/\" < /etc/ssh/sshd_config > ${TMPDIR}/sshd_config"
-  sudorun "mv ${TMPDIR}/sshd_config /etc/ssh/sshd_config"
-
-  dlog "checking if modification was successful"
-  if [ "$(grep -c "^Port ${SSHDPORT}$" /etc/ssh/sshd_config)" -ne 1 ]; then
-    dialog --title 'sshd port' --ok-label 'Understood.' --cr-wrap --msgbox "Congrats, you had already changed your sshd port to something other than 22.
-
+  if [ -f /etc/ssh/sshd_config ] ; then
+    run "sed \"s/^[#\s]*Port 22\s*$/Port ${SSHDPORT}/\" < /etc/ssh/sshd_config > ${TMPDIR}/sshd_config"
+    sudorun "mv ${TMPDIR}/sshd_config /etc/ssh/sshd_config"
+    dlog "checking if modification was successful"
+    if [ "$(grep -c "^Port ${SSHDPORT}$" /etc/ssh/sshd_config)" -ne 1 ]; then
+      dialog --title 'sshd port' --ok-label 'Understood.' --cr-wrap --msgbox "Congrats, you had already changed your sshd port to something other than 22.
 Please clean up and either
   - change the port manually to ${SSHDPORT}
      in  /etc/ssh/sshd_config    OR
   - clean up the firewall rules and
      other stuff reflecting YOUR PORT" 13 50
-    clear
+      clear
 
-    dlog "check unsuccessful, port ${SSHDPORT} not found in sshd_config"
-    drun 'cat /etc/ssh/sshd_config  | grep -v "^\$" | grep -v "^#"'
-  else
-    dlog "check successful, port change to ${SSHDPORT} in sshd_config"
+      dlog "check unsuccessful, port ${SSHDPORT} not found in sshd_config"
+      drun 'cat /etc/ssh/sshd_config  | grep -v "^\$" | grep -v "^#"'
+    else
+      dlog "check successful, port change to ${SSHDPORT} in sshd_config"
+    fi
+  else # when /etc/ssh/sshd_config does not exist
+    if [ "$(cat /etc/ssh/sshd_config.d/*.conf | grep -c "^Port ${SSHDPORT}\$")" -ne 0 ] ; then
+      dlog "check succesfull, port changed to ${SSHDPORT} in a file in /etc/ssh/sshd.config.d/"
+    else
+      if [ -n "$(cat /etc/ssh/sshd_config.d/*.conf)" ] && [ "$(cat /etc/ssh/sshd_config.d/*.conf | grep -c "^Port ")" -ge 1 ] ; then
+        dialog --title 'sshd port' --ok-label 'Understood.' --cr-wrap --msgbox "Congrats, you had already changed your sshd port to something other than 22.
+Please clean up and either
+  - change the port manually to ${SSHDPORT}
+     in a file in /etc/ssh/sshd_config.d/*.conf    OR
+  - clean up the firewall rules and
+     other stuff reflecting YOUR PORT" 13 50
+        clear
+      else # a file Port*.conf does not exist
+        echo "Port ${SSHDPORT}" > "${TMPDIR}"/Port_${SSHDPORT}.conf
+        sudorun "mv ${TMPDIR}/Port_${SSHDPORT}.conf /etc/ssh/sshd_config.d/"
+        sudorun "chown root:root /etc/ssh/sshd_config.d/Port_${SSHDPORT}.conf"
+        if [ -x /usr/sbin/getenforce ] ; then
+          if [ "$(sudo /usr/sbin/getenforce)" = "Enforcing" ] ; then
+            if [ ! -x /usr/sbin/semanage ] ; then
+              sudorun "zypper --non-interactive in --no-recommends policycoreutils-python-utils"
+            else
+              echo "ERROR utility semanage needs to be installed, exiting!!"
+              exit 9
+            fi
+          fi
+          sudorun "semanage port -a -t ssh_port_t -p tcp ${SSHDPORT}"
+        fi
+      fi
+    fi
   fi
 fi # interactive
 ###########################################################
@@ -1964,7 +1992,7 @@ fi
 
 
 
-dsudorun 'cat /etc/rsyslog.d/dshield.conf'
+dsudorun 'cat /etc/rsyslog.d/10-dshield.conf'
 
 ###########################################################
 ## Further copying / configuration
@@ -1987,7 +2015,8 @@ if ! grep -qE '^webhpot' /etc/passwd; then
     if [ "$ID" != "opensuse" ]; then
 	sudorun 'adduser --gecos "Honeypot,A113,555-1212,555-1212" --disabled-password --quiet --home /srv/web --no-create-home webhpot'	
     else
-	sudorun 'useradd -c "Honeypot,A113,555-1212,555-1212" -M -U -d /srv/web webhpot'	
+	sudorun 'useradd -c "Honeypot,A113,555-1212,555-1212" -M -U -d /srv/web webhpot'
+        sudorun 'passwd -d webhpot' # disable password	
     fi
     outlog "Added user 'webhpot'"
 else
@@ -2022,8 +2051,9 @@ if [ -f ${DSHIELDDIR}/updatehoneypotip.sh ]; then
     run "rm ${DSHIELDDIR}/updatehoneypotip.sh"
 fi
 do_copy "$progdir"/updatehoneypotip.sh ${DSHIELDDIR} 700
-[ "$ID" = "opensuse" ] &&
+if [ "$ID" = "opensuse" ]; then
   run "patch ${DSHIELDDIR}/DShield.py $progdir/../srv/dshield/DShield.patch"
+fi
 
 # check: automatic updates allowed?
 
@@ -2164,6 +2194,7 @@ if ! grep '^cowrie:' -q /etc/passwd; then
     sudorun 'adduser --gecos "Honeypot,A113,555-1212,555-1212" --disabled-password --quiet --home /srv/cowrie --no-create-home cowrie'
   else
     sudorun 'useradd -c "Honeypot,A113,555-1212,555-1212" -M -U -d /srv/cowrie cowrie'
+    sudorun 'passwd -d cowrie' # disable password
   fi
   outlog "Added user 'cowrie'"
 else
@@ -2254,6 +2285,8 @@ if [ "$FAST" == "0" ]; then
     run 'sg cowrie -c "pip3 install --require-virtualenv --upgrade bcrypt"'
     run 'sg cowrie -c "pip3 install --require-virtualenv --upgrade requests"'
     run 'sg cowrie -c "pip3 install --require-virtualenv -r requirements.txt"'
+    run 'sg cowrie -c "pip3 install --require-virtualenv dateutils"'
+    run 'sg cowrie -c "pip3 install --require-virtualenv -e ."'
     # shellcheck disable=SC2181
     if [ ${?} -ne 0 ]; then
        outlog "Error installing dependencies from requirements.txt. See ${LOGFILE} for details."
@@ -2282,7 +2315,8 @@ outlog "Doing further cowrie configuration."
 
 # step 6 (Generate a DSA key)
 dlog "generating cowrie SSH host key"
-sudorun "ssh-keygen -t dsa -b 1024 -N '' -f ${COWRIEDIR}/var/lib/cowrie/ssh_host_dsa_key "
+# dsa is too insecure and possibly not supported anymore in ssh-keygen; so use rsa
+sudorun "ssh-keygen -t rsa -b 1024 -N '' -f ${COWRIEDIR}/var/lib/cowrie/ssh_host_rsa_key "
 
 # step 5 (Install configuration file)
 dlog "copying cowrie.cfg and adding entries"
@@ -2315,13 +2349,20 @@ dlog "creating output for text commands"
 
 sudorun "mkdir -p ${TXTCMDS}/bin"
 sudorun "mkdir -p ${TXTCMDS}/usr/bin"
-sudorun "df > ${TXTCMDS}/bin/df"
-sudorun "dmesg > ${TXTCMDS}/bin/dmesg"
-sudorun "mount > ${TXTCMDS}/bin/mount"
-sudorun "ulimit > ${TXTCMDS}/bin/ulimit"
-sudorun "lscpu > ${TXTCMDS}/usr/bin/lscpu"
-sudorun "echo '-bash: emacs: command not found' > ${TXTCMDS}/usr/bin/emacs"
-sudorun "echo '-bash: locate: command not found' > ${TXTCMDS}/usr/bin/locate"
+sudorun "df > ${TMPDIR}/df"
+sudorun "mv ${TMPDIR}/df ${TXTCMDS}/bin/df"
+sudorun "dmesg > ${TMPDIR}/dmesg"
+sudorun "mv ${TMPDIR}/dmesg ${TXTCMDS}/bin/dmesg"
+sudorun "mount > ${TMPDIR}/mount"
+sudorun "mv ${TMPDIR}/mount ${TXTCMDS}/bin/mount"
+run "ulimit > ${TMPDIR}/ulimit"
+sudorun "mv ${TMPDIR}/ulimit ${TXTCMDS}/bin/ulimit"
+sudorun "lscpu > ${TMPDIR}/lscpu"
+sudorun "mv ${TMPDIR}/lscpu ${TXTCMDS}/usr/bin/lscpu"
+sudorun "echo '-bash: emacs: command not found' > ${TMPDIR}/emacs"
+sudorun "mv ${TMPDIR}/emacs ${TXTCMDS}/usr/bin/emacs"
+sudorun "echo '-bash: locate: command not found' > ${TMPDIR}/locate"
+sudorun "mv ${TMPDIR}/locate ${TXTCMDS}/usr/bin/locate"
 
 sudorun "chown -R cowrie:cowrie ${COWRIEDIR}"
 
@@ -2330,7 +2371,17 @@ sudorun "chown -R cowrie:cowrie ${COWRIEDIR}"
 dlog "copying cowrie system files"
 
 sudo_copy "$progdir"/../lib/systemd/system/cowrie.service /lib/systemd/system/cowrie.service 644
+# file copied/added from previous version of cowrie
+sudo_copy "$progdir"/../srv/cowrie/bin/cowrie /srv/cowrie/bin/cowrie
+sudorun chmod cowrie:cowrie /srv/cowrie/bin/cowrie
 sudo_copy "$progdir"/../etc/cron.hourly/cowrie /etc/cron.hourly 755
+if [ "$ID" = opensuse ] ; then
+  # add some selinux policy rules to let cowrie.service succeed
+  sudo_copy "$progdir"/../etc/cowrie.pp /etc/ 644
+  sudo_copy "$progdir"/../etc/cowrie1.pp /etc/ 644
+  sudorun semodule -i /etc/cowrie.pp  
+  sudorun semodule -i /etc/cowrie1.pp
+fi
 
 # make sure to remove old cowrie start if they exist
 if [ -f /etc/init.d/cowrie ]; then
@@ -2347,7 +2398,8 @@ sudorun 'systemctl daemon-reload'
 sudorun 'systemctl enable cowrie.service'
 
 dlog 'deactivate cowrie venv'
-sudorun 'deactivate'
+#sudorun 'deactivate'
+run deactivate
 
 
 ###########################################################
@@ -2372,7 +2424,9 @@ sudo -u webhpot find ./isc_agent -mindepth 1 -type d -exec rm -rf {} +
 sudo_copy "${progdir}"/../srv/web/web-honeypot.service /etc/systemd/system/web-honeypot.service 644
 cd "${WEBHPOTDIR}" || exit
 # disable old service in case it is still enabled
-sudorun "systemctl disable isc-agent.service"
+if [ "$(sudo systemctl is-enabled isc-agent.service)" = "enabled" ] ; then
+  sudorun "systemctl disable isc-agent.service"
+fi
 # enable new service
 sudorun "systemctl daemon-reload"
 sudorun "systemctl enable web-honeypot.service"
@@ -2542,7 +2596,7 @@ run 'mkdir -p /var/tmp/dshield'
 
 # rotate dshield firewall logs
 sudo_copy "$progdir"/../etc/logrotate.d/dshield /etc/logrotate.d 644
-[ "$ID" = "opensuse" ] && sed -e 's/\/usr\/lib.*$/systemctl reload rsyslog/' -i /etc/logrotate.d/dshield
+[ "$ID" = "opensuse" ] && sudo sed -e 's/\/usr\/lib.*$/systemctl reload rsyslog/' -i /etc/logrotate.d/dshield
 if [ -f "/etc/cron.daily/logrotate" ]; then
   sudorun "mv /etc/cron.daily/logrotate /etc/cron.hourly"
 fi
@@ -2568,7 +2622,7 @@ fi
 ###########################################################
 
 if [ -f /root/bin/postinstall.sh ]; then
-  run "/root/bin/postinstall.sh"
+  sudorun "/root/bin/postinstall.sh"
 else
   outlog
   outlog

bin/makecert.sh

@@ -14,16 +14,21 @@ if [ ! -f ${d}/../etc/CA/ca.serial ]; then
     echo -n $serial > "${d}/../etc/CA/ca.serial"
 fi
 
-if [ -f $d/../etc/dshield.sslca ] ; then
-	. $d/../etc/dshield.sslca
-else
-	country="US"
-	state="Florida"
-	city="Jacksonville"
-	company="DShield"
-	depart="Decoy"
+dshieldsslca="/etc/dshield.sslca"
+if [ ! -f $dshieldsslca ] ; then
+  dshieldsslca="$d/../etc/dshield.sslca"
 fi
-hostname=$(hostname);
+if [ -f $dshieldsslca ] ; then
+  . $dshieldsslca
+fi
+if [ -z "$country" ] ; then
+      country="US"
+      state="Florida"
+      city="Jacksonville"
+      company="DShield"
+      depart="Decoy"
+fi
+hostname=$(hostname)
 if [ "$interactive" -eq "1" ]; then
     exec 3>&1
     dialog --title 'Creating SSL Certificate' --separate-widget $'\n' --form\
@@ -47,6 +52,7 @@ if [ "$interactive" -eq "1" ]; then
 	echo "city=\"$city\"" >> $d/../etc/dshield.sslca
 	echo "company=\"$company\"" >> $d/../etc/dshield.sslca
 	echo "depart=\"$department\"" >> $d/../etc/dshield.sslca
+	sudo cp $d/../etc/dshield.sslca /etc/dshield.sslca
 	}
 fi
 if [ ! -d $d/../etc/CA/keys ]; then

bin/status.sh

@@ -128,7 +128,7 @@ fi
 if echo $status | grep -q '<result>ok</result>'; then
   echo "${GREEN}API Key configuration ok${NC}"
   if [ "$version" != "" ]; then
-    currentversion=$(echo $status | egrep -o '<version>([0-9\.]+)</version>' | egrep -o '[0-9\.]+')
+    currentversion=$(echo $status | grep -E -o '<version>([0-9\.]+)</version>' | grep -E -o '[0-9\.]+')
     if [ "$currentversion" != "$version" ]; then
       echo "
 ${RED}Software Version Mismatch

bin/update.sh

@@ -49,7 +49,7 @@ hash=`echo -n $email:$apikey | openssl dgst -hmac $nonce -sha512 -hex | cut -f2
 checkapikey=$(curl -s https://isc.sans.edu/api/checkapikey/$user/$nonce/$hash/$version/$piid)
 if echo $checkapikey | grep -q '<result>ok</result>'; then
     echo "API Key OK"
-    newversion=$(echo $checkapikey | egrep -o '<version>[^<]+</version>'|egrep -o '[0-9]+')
+    newversion=$(echo $checkapikey | grep -E -o '<version>[^<]+</version>'|grep -E -o '[0-9]+')
 else
     echo "Bad API Key. check API key in /etc/dshield.ini"
     exit

bin/updatehoneypotip.sh

@@ -8,17 +8,13 @@ if [ ! "$userid" = "0" ]; then
   exit 9
 fi
 
-if [ ! -f /srv/dshield/etc/dshield.ini ]; then
-    echo "missing /srv/dshield/etc/dshield.ini file"
+if [ ! -f /etc/dshield.ini ]; then
+    echo "missing /etc/dshield.ini file"
     exit 9
 fi
 honeypotip=$(curl -s https://www4.dshield.org/api/myip?json | jq .ip | tr -d '"')
-if echo -n $honeypotip | egrep -q '^[0-9\.]+$'; then
-    sed -i "s/^honeypotip=.*/honeypotip=$honeypotip/" /srv/dshield/etc/dshield.ini
-    if ! grep -q '^piid=' dshield.ini; then
-	piid=$(openssl rand -hex 10)
-	sed -i "^apikey/a piid=$piid"  /srv/dshield/etc/dshield.ini
-    fi
+if echo -n $honeypotip | grep -E -q '^[0-9\.]+$'; then
+    sed -i "s/^honeypotip=.*/honeypotip=$honeypotip/" /etc/dshield.ini
 else
     echo "Bad IP address"
     exit 9