Merge pull request #329 from dtag-dev-sec/debian

Prepare for T-Pot 19.03 release

Author: t3chn0m4g3

README.md

@@ -1,4 +1,12 @@
 #!/bin/bash
+# Run as root only.
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+  then
+    echo "Need to run as root ..."
+    exit
+fi
+
 # Backup all ES relevant folders
 # Make sure ES is available
 myES="http://127.0.0.1:64298/"
@@ -16,7 +24,7 @@ fi
 myCOUNT=1
 myDATE=$(date +%Y%m%d%H%M)
 myELKPATH="/data/elk/data"
-myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/' | grep -w ".kibana_1" | awk '{ print $4 }')
+myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/.kibana' | awk '{ print $4 }')
 myKIBANAINDEXPATH=$myELKPATH/nodes/0/indices/$myKIBANAINDEXNAME
 
 # Let's ensure normal operation on exit or if interrupted ...

bin/backup_es_folders.sh

@@ -1,6 +1,5 @@
 #!/bin/bash
 # T-Pot Container Data Cleaner & Log Rotator
-
 # Set colors
 myRED=""
 myGREEN=""
@@ -154,6 +153,14 @@ fuHERALDING () {
   chown tpot:tpot /data/heralding -R
 }
 
+# Let's create a function to clean up and prepare honeypy data
+fuHONEYPY () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi
+  mkdir -p /data/honeypy/log
+  chmod 760 /data/honeypy -R
+  chown tpot:tpot /data/honeypy -R
+}
+
 # Let's create a function to clean up and prepare honeytrap data
 fuHONEYTRAP () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi
@@ -258,6 +265,7 @@ if [ "$myPERSISTENCE" = "on" ];
     fuGLASTOPF
     fuGLUTTON
     fuHERALDING
+    fuHONEYPY
     fuHONEYTRAP
     fuMAILONEY
     fuMEDPOT

bin/clean.sh

@@ -1,4 +1,13 @@
 #/bin/bash
+
+# Run as root only.
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+  then
+    echo "Need to run as root ..."
+    exit
+fi
+
 # Show current status of T-Pot containers
 myPARAM="$1"
 myCONTAINERS="$(cat /opt/tpot/etc/tpot.yml | grep -v '#' | grep container_name | cut -d: -f2 | sort | tr -d " ")"
@@ -9,14 +18,13 @@ myWHITE=""
 myMAGENTA=""
 
 function fuGETSTATUS {
-grc docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort
+grc --colour=on docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort
 }
 
 function fuGETSYS {
 printf "========| System |========\n"
 printf "%+10s %-20s\n" "Date: " "$(date)"
 printf "%+10s %-20s\n" "Uptime: " "$(uptime | cut -b 2-)"
-printf "%+10s %-20s\n" "CPU temp: " "$(sensors | grep 'Physical' | awk '{ print $4" " }' | tr -d [:cntrl:])"
 echo
 }
 

bin/dps.sh

@@ -2,10 +2,10 @@
 # Dump all ES data
 # Make sure ES is available
 myES="http://127.0.0.1:64298/"
-myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
+myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow")
 if ! [ "$myESSTATUS" = "1" ]
   then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
     exit
   else
     echo "### Elasticsearch is available, now continuing."
@@ -20,12 +20,12 @@ trap fuCLEANUP EXIT
 
 # Set vars
 myDATE=$(date +%Y%m%d%H%M)
-myINDICES=$(curl -s -XGET ''$myES'_cat/indices/' | awk '{ print $3 }' | sort | grep -v 1970)
-myES="http://127.0.0.1:64298/"
+myINDICES=$(curl -s -XGET ''$myES'_cat/indices/logstash-*' | awk '{ print $3 }' | sort | grep -v 1970)
+myINDICES+=" .kibana"
 myCOL1=""
 myCOL0=""
 
-# Dumping all ES data
+# Dumping Kibana and Logstash data
 echo $myCOL1"### The following indices will be dumped: "$myCOL0
 echo $myINDICES
 echo

bin/dump_es.sh

@@ -0,0 +1,124 @@
+#!/bin/bash
+
+# Run as root only.
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+  then
+    echo "Need to run as root ..."
+    exit
+fi
+
+myTPOTYMLFILE="/opt/tpot/etc/tpot.yml"
+
+function fuSISSDEN () {
+echo
+echo "You chose SISSDEN, you just need to provide ident and secret"
+echo
+myENABLE="true"
+myHOST="hpfeeds.sissden.eu"
+myPORT="10000"
+myCHANNEL="t-pot.events"
+myCERT="/opt/ewsposter/sissden.pem"
+read -p "Ident: " myIDENT
+read -p "Secret: " mySECRET
+myFORMAT="json"
+}
+
+function fuGENERIC () {
+echo
+echo "You chose generic, please provide all the details of the broker"
+echo
+myENABLE="true"
+read -p "Host URL: " myHOST
+read -p "Port: " myPORT
+read -p "Channel: " myCHANNEL
+echo "For generic providers set this to 'false'"
+echo "If you received a CA certficate mount it into the ewsposter container by modifying $myTPOTYMLFILE"
+read -p "TLS - 'false' or path to CA in container: " myCERT
+read -p "Ident: " myIDENT
+read -p "Secret: " mySECRET
+read -p "Format ews (xml) or json: " myFORMAT
+}
+
+function fuOPTOUT () {
+echo
+while [ 1 != 2 ]
+  do
+    read -s -n 1 -p "You chose to opt out (y/n)? " mySELECT
+      echo $mySELECT
+      case "$mySELECT" in
+        [y,Y])
+          echo "Opt out."
+          break
+          ;;
+        [n,N])
+          echo "Aborted."
+          exit
+          ;;
+      esac
+done
+myENABLE="false"
+myHOST="host"
+myPORT="port"
+myCHANNEL="channels"
+myCERT="false"
+myIDENT="user"
+mySECRET="secret"
+myFORMAT="json"
+}
+
+function fuAPPLY () {
+echo "Now stopping T-Pot ..."
+systemctl stop tpot
+echo "Applying your settings ... "
+sed --follow-symlinks -i "s/EWS_HPFEEDS_ENABLE.*/EWS_HPFEEDS_ENABLE=${myENABLE}/g" "$myTPOTYMLFILE"
+sed --follow-symlinks -i "s/EWS_HPFEEDS_HOST.*/EWS_HPFEEDS_HOST=${myHOST}/g" "$myTPOTYMLFILE"
+sed --follow-symlinks -i "s/EWS_HPFEEDS_PORT.*/EWS_HPFEEDS_PORT=${myPORT}/g" "$myTPOTYMLFILE"
+sed --follow-symlinks -i "s/EWS_HPFEEDS_CHANNELS.*/EWS_HPFEEDS_CHANNELS=${myCHANNEL}/g" "$myTPOTYMLFILE"
+sed --follow-symlinks -i "s#EWS_HPFEEDS_TLSCERT.*#EWS_HPFEEDS_TLSCERT=${myCERT}#g" "$myTPOTYMLFILE"
+sed --follow-symlinks -i "s/EWS_HPFEEDS_IDENT.*/EWS_HPFEEDS_IDENT=${myIDENT}/g" "$myTPOTYMLFILE"
+sed --follow-symlinks -i "s/EWS_HPFEEDS_SECRET.*/EWS_HPFEEDS_SECRET=${mySECRET}/g" "$myTPOTYMLFILE"
+sed --follow-symlinks -i "s/EWS_HPFEEDS_FORMAT.*/EWS_HPFEEDS_FORMAT=${myFORMAT}/g" "$myTPOTYMLFILE"
+echo "Now starting T-Pot ..."
+systemctl start tpot
+echo "You can always change or review your settings in the ewsposter section of $myTPOTYMLFILE"
+echo "Done."
+}
+
+echo "HPFEEDS Delivery Opt-In for T-Pot"
+echo "---------------------------------"
+echo "By running this script you agree to share your data with a 3rd party and agree to their corresponding sharing terms."
+echo
+echo
+echo "Please choose your broker"
+echo "---------------------------"
+echo "[1] - SISSDEN"
+echo "[2] - Generic (enter details manually)"
+echo "[0] - Opt out of HPFEEDS"
+echo "[q] - Do not agree end exit"
+echo
+while [ 1 != 2 ]
+  do
+    read -s -n 1 -p "Your choice: " mySELECT
+      echo $mySELECT
+      case "$mySELECT" in
+        [1])
+	  fuSISSDEN
+          break
+          ;;
+        [2])
+	  fuGENERIC
+          break
+          ;;
+        [0])
+	  fuOPTOUT
+          break
+          ;;
+        [q,Q])
+	  echo "Aborted."
+          exit
+          ;;
+      esac
+done
+fuAPPLY
+

bin/hpfeeds_optin.sh

@@ -2,10 +2,10 @@
 # Restore folder based ES backup
 # Make sure ES is available
 myES="http://127.0.0.1:64298/"
-myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
+myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow")
 if ! [ "$myESSTATUS" = "1" ]
   then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
     exit
   else
     echo "### Elasticsearch is available, now continuing."
@@ -41,17 +41,31 @@ echo $myCOL1"### Now unpacking tar archive: "$myDUMP $myCOL0
 tar xvf $myDUMP
 
 # Build indices list
-myINDICES=$(ls tmp/logstash*.gz | cut -c 5- | rev | cut -c 4- | rev)
+myINDICES="$(ls tmp/logstash*.gz | cut -c 5- | rev | cut -c 4- | rev)"
 myINDICES+=" .kibana"
 echo $myCOL1"### The following indices will be restored: "$myCOL0
 echo $myINDICES
 echo
 
+# Force single seat template for everything
+echo -n $myCOL1"### Forcing single seat template: "$myCOL0
+curl -s XPUT ''$myES'_template/.*' -H 'Content-Type: application/json' -d'
+{ "index_patterns": ".*",
+  "order": 1,
+  "settings": 
+    { 
+      "number_of_shards": 1,
+      "number_of_replicas": 0 
+    }
+}'
+echo
+
 # Restore indices
+curl -s -X DELETE ''$myES'.kibana*' > /dev/null
 for i in $myINDICES;
   do
     # Delete index if it already exists
-    curl -s -XDELETE $myES$i > /dev/null
+    curl -s -X DELETE $myES$i > /dev/null
     echo $myCOL1"### Now uncompressing: tmp/$i.gz" $myCOL0
     gunzip -f tmp/$i.gz
     # Restore index to ES

bin/restore_es.sh

@@ -23,10 +23,10 @@ function fuNFQCHECK {
 myNFQCHECK=$(grep -e '^\s*honeytrap:\|^\s*glutton:' $myDOCKERCOMPOSEYML | tr -d ': ' | uniq)
 if [ "$myNFQCHECK" == "" ];
   then
-    echo "No NFQ related honeypot detected, no iptables rules needed. Exiting."
+    echo "No NFQ related honeypot detected, no iptables-legacy rules needed. Exiting."
     exit
   else
-    echo "Detected $myNFQCHECK as NFQ based honeypot, iptables rules needed. Continuing."
+    echo "Detected $myNFQCHECK as NFQ based honeypot, iptables-legacy rules needed. Continuing."
 fi
 }
 
@@ -41,54 +41,54 @@ echo "$myRULESPORTS"
 }
 
 function fuSETRULES {
-### Setting up iptables rules for honeytrap
+### Setting up iptables-legacy rules for honeytrap
 if [ "$myNFQCHECK" == "honeytrap" ];
   then
-    /sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT
-    /sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -A INPUT -s 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -A INPUT -d 127.0.0.1 -j ACCEPT
 
     for myPORT in $myRULESPORTS; do
-      /sbin/iptables -w -A INPUT -p tcp --dport $myPORT -j ACCEPT
+      /usr/sbin/iptables-legacy -w -A INPUT -p tcp --dport $myPORT -j ACCEPT
     done
 
-    /sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+    /usr/sbin/iptables-legacy -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 fi
 
-### Setting up iptables rules for glutton
+### Setting up iptables-legacy rules for glutton
 if [ "$myNFQCHECK" == "glutton" ];
   then
-    /sbin/iptables -w -t raw -A PREROUTING -s 127.0.0.1 -j ACCEPT
-    /sbin/iptables -w -t raw -A PREROUTING -d 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -t raw -A PREROUTING -s 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -t raw -A PREROUTING -d 127.0.0.1 -j ACCEPT
 
     for myPORT in $myRULESPORTS; do
-      /sbin/iptables -w -t raw -A PREROUTING -p tcp --dport $myPORT -j ACCEPT
+      /usr/sbin/iptables-legacy -w -t raw -A PREROUTING -p tcp --dport $myPORT -j ACCEPT
     done
     # No need for NFQ forwarding, such rules are set up by glutton
 fi
 }
 
 function fuUNSETRULES {
-### Removing  iptables rules for honeytrap
+### Removing  iptables-legacy rules for honeytrap
 if [ "$myNFQCHECK" == "honeytrap" ];
   then
-    /sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
-    /sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -D INPUT -s 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -D INPUT -d 127.0.0.1 -j ACCEPT
 
     for myPORT in $myRULESPORTS; do
-      /sbin/iptables -w -D INPUT -p tcp --dport $myPORT -j ACCEPT
+      /usr/sbin/iptables-legacy -w -D INPUT -p tcp --dport $myPORT -j ACCEPT
     done
 
-    /sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+    /usr/sbin/iptables-legacy -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 fi
 
-### Removing iptables rules for glutton
+### Removing iptables-legacy rules for glutton
 if [ "$myNFQCHECK" == "glutton" ];
   then
-    /sbin/iptables -w -t raw -D PREROUTING -s 127.0.0.1 -j ACCEPT
-    /sbin/iptables -w -t raw -D PREROUTING -d 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -t raw -D PREROUTING -s 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -t raw -D PREROUTING -d 127.0.0.1 -j ACCEPT
 
     for myPORT in $myRULESPORTS; do
-      /sbin/iptables -w -t raw -D PREROUTING -p tcp --dport $myPORT -j ACCEPT
+      /usr/sbin/iptables-legacy -w -t raw -D PREROUTING -p tcp --dport $myPORT -j ACCEPT
     done
     # No need for removing NFQ forwarding, such rules are removed by glutton
 fi

bin/rules.sh

@@ -1,5 +1,13 @@
 #!/bin/bash
 
+# Run as root only.
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+  then
+    echo "Need to run as root ..."
+    exit
+fi
+
 # set backtitle, get filename
 myBACKTITLE="T-Pot Edition Selection Tool"
 myYMLS=$(cd /opt/tpot/etc/compose/ && ls -1 *.yml)
@@ -21,7 +29,7 @@ for i in $myYMLS;
   do
     myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) " 
 done
-myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 13 50 6 $myITEMS 3>&1 1>&2 2>&3 3>&-)
+myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 12 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-)
 if [ "$myEDITION" == "" ];
   then
     echo "Have a nice day!"