-
Notifications
You must be signed in to change notification settings - Fork 1.1k
/
deploy.sh
executable file
·153 lines (129 loc) · 5.31 KB
/
deploy.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
#!/usr/bin/env bash
myANSIBLE_PORT=64295
myANSIBLE_TPOT_PLAYBOOK="installer/install/deploy.yml"
myADJECTIVE=$(shuf -n1 installer/install/a.txt)
myNOUN=$(shuf -n1 installer/install/n.txt)
myENV_FILE="$HOME/tpotce/.env"
myDEPLOY=$(cat << "EOF"
____ [ T-Pot ] ____ _
/ ___| ___ _ __ ___ ___ _ __ | _ \ ___ _ __ | | ___ _ _
\___ \ / _ \ _ \/ __|/ _ \| __| | | | |/ _ \ _ \| |/ _ \| | | |
___) | __/ | | \__ \ (_) | | | |_| | __/ |_) | | (_) | |_| |
|____/ \___|_| |_|___/\___/|_| |____/ \___| .__/|_|\___/ \__, |
|_| |___/
EOF
)
# Check if the script is running in a HIVE installation
if ! grep -q 'TPOT_TYPE=HIVE' "$HOME/tpotce/.env";
then
echo "# This script is only supported on HIVE installations."
echo
exit 1
fi
# Check if running on a supported distribution
mySUPPORTED_DISTRIBUTIONS=("AlmaLinux" "Debian GNU/Linux" "Fedora Linux" "openSUSE Tumbleweed" "Raspbian GNU/Linux" "Rocky Linux" "Ubuntu")
myCURRENT_DISTRIBUTION=$(awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"')
if [[ ! " ${mySUPPORTED_DISTRIBUTIONS[@]} " =~ " ${myCURRENT_DISTRIBUTION} " ]];
then
echo "# Only the following distributions are supported: AlmaLinux, Fedora, Debian, openSUSE Tumbleweed, Rocky Linux and Ubuntu."
echo
exit 1
fi
echo "${myDEPLOY}"
echo
echo "# This script will prepare a T-Pot SENSOR installation to transmit logs into this HIVE."
echo
# Ask if a T-Pot SENSOR was installed
read -p "# Was a T-Pot SENSOR installed? (y/n): " mySENSOR_INSTALLED
if [[ ${mySENSOR_INSTALLED} != "y" ]];
then
echo "# A T-Pot SENSOR must be installed to continue."
exit 1
fi
# Ask for the remote user
read -p "# Enter the remote username T-Pot SENSOR was installed with: " mySSHUSER
if [[ ${mySSHUSER} == "" ]];
then
echo "# You need to enter a user. Aborting."
exit 1
fi
# Validate IP/domain name loop
while true; do
read -p "# Enter the IP/domain name of the SENSOR: " mySENSOR_IP
if [[ ${mySENSOR_IP} =~ ^([a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*\.[a-zA-Z]{2,})|(([0-9]{1,3}\.){3}[0-9]{1,3})$ ]];
then
break
else
echo "# Invalid IP/domain. Please enter a valid IP or domain name."
fi
done
# Check if ssh key has been deployed
read -p "# Has a SSH key been deployed to the SENSOR? (y/n): " mySSHKEY_DEPLOYED
if [[ ${mySSHKEY_DEPLOYED} != "y" ]];
then
echo "# Generate a SSH key using 'ssh-keygen' and deploy it to the SENSOR (Example: ssh-copy-id -p 64295 ${mySSHUSER}@${mySENSOR_IP})."
exit 1
fi
# Validate IP/domain name of HIVE
while true; do
read -p "# Enter the IP/domain name of this HIVE: " myTPOT_HIVE_IP
if [[ ${myTPOT_HIVE_IP} =~ ^([a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*\.[a-zA-Z]{2,})|(([0-9]{1,3}\.){3}[0-9]{1,3})$ ]];
then
break
else
echo "# Invalid IP/domain. Please enter a valid IP or domain name."
fi
done
# Create a random SENSOR user name that is easily readable
myLS_WEB_USER="sensor-${myADJECTIVE}-${myNOUN}"
# Create a random password
myLS_WEB_PW=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
# Create myLS_WEB_USER_ENC
myLS_WEB_USER_ENC=$(htpasswd -b -n "${myLS_WEB_USER}" "${myLS_WEB_PW}")
myLS_WEB_USER_ENC_B64=$(echo -n "${myLS_WEB_USER_ENC}" | base64 -w0)
# Create myTPOT_HIVE_USER, since this is for Logstash on the SENSOR, it needs to directly base64 encoded
myTPOT_HIVE_USER=$(echo -n "${myLS_WEB_USER}:${myLS_WEB_PW}" | base64 -w0)
# Print credentials
echo "# The following SENSOR credentials have been created:"
echo "# New SENSOR username: ${myLS_WEB_USER}"
echo "# New SENSOR passowrd: ${myLS_WEB_PW}"
echo "# New htpasswd encoded credentials: ${myLS_WEB_USER_ENC}"
echo "# New htpasswd credentials base64 encoded: ${myLS_WEB_USER_ENC_B64}"
echo "# New SENSOR credentials base64 encoded: ${myTPOT_HIVE_USER}"
echo
echo "# Ansible will ask for the ‘BECOME password‘ which is typically the password you ’sudo’ with on the SENSOR."
echo "# The password will allow Ansible to run a reboot via sudo on the SENSOR."
echo
# Read LS_WEB_USER from file
myENV_LS_WEB_USER=$(grep "^LS_WEB_USER=" "${myENV_FILE}" | sed 's/^LS_WEB_USER=//g' | tr -d "\"'")
# Add the new SENSOR user
if [ "${myENV_LS_WEB_USER}" == "" ];
then
myENV_LS_WEB_USER="${myLS_WEB_USER_ENC_B64}"
else
myENV_LS_WEB_USER="${myENV_LS_WEB_USER} ${myLS_WEB_USER_ENC_B64}"
fi
# Need to export for Ansible
export myTPOT_HIVE_USER
export myTPOT_HIVE_IP
ANSIBLE_LOG_PATH=${HOME}/tpotce/data/deploy_sensor.log ansible-playbook ${myANSIBLE_TPOT_PLAYBOOK} -i ${mySENSOR_IP}, -c ssh -u ${mySSHUSER} --ask-become-pass -e "ansible_port=${myANSIBLE_PORT}"
if [ "$?" == 0 ];
then
# Update the T-Pot .env config and lswebpasswd (avoid the need to restart T-Pot) on the host
echo "# Updating SENSOR users on this HIVE and in the T-Pot .env config:"
sed -i "/^LS_WEB_USER=/c\LS_WEB_USER=$myENV_LS_WEB_USER" "${myENV_FILE}"
: > "${HOME}"/tpotce/data/nginx/conf/lswebpasswd
for i in $myENV_LS_WEB_USER;
do
if [[ -n $i ]];
then
# Need to control newlines as they kept coming up for some reason
echo -n "$i" | base64 -d -w0
echo
echo -n "$i" | base64 -d -w0 | tr -d '\n' >> ${HOME}/tpotce/data/nginx/conf/lswebpasswd
echo >> ${HOME}/tpotce/data/nginx/conf/lswebpasswd
fi
done
fi
unset myTPOT_HIVE_USER
unset myTPOT_HIVE_IP