-
Notifications
You must be signed in to change notification settings - Fork 1.1k
/
env.example
138 lines (115 loc) · 7.46 KB
/
env.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# T-Pot config file. Do not remove.
###############################################
# T-Pot Base Settings - Adjust to your needs. #
###############################################
# Set Web usernames and passwords here. This section will be used to create / update the Nginx password file nginxpasswd.
# <empty>: This is the default
# <base64 encoded htpasswd usernames / passwords>:
# Use 'htpasswd -n -b "username" "password" | base64 -w0' to create the WEB_USER if you want to manually deploy T-Pot, run 'install.sh' to automatically add a user during installation, or 'genuser.sh' if you just want to add a web user.
# Example: 'htpasswd -n -b "tsec" "tsec" | base64 -w0' will print dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo=
# Copy the string and replace WEB_USER=dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo=
# Multiple users are possible:
# WEB_USER=dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo= dHNlYzokYXByMSR6VUFHVWdmOCRROXI3a09CTjFjY3lCeU1DTloyanEvCgo=
WEB_USER=
# Set Logstash Web usernames and passwords here. This section will be used to create / update the Nginx password file lswebpasswd.
# The Lostsash Web usernames are used for T-Pot log ingestion via Logstash, each sensor should have its own user.
# <empty>: This is empty by default.
# <'htpasswd encoded usernames / passwords'>:
# Use 'htpasswd -n -b "username" "password" | base64 -w0' to create the LS_WEB_USER if you want to manually deploy the sensor.
# Example: 'htpasswd -n -b "sensor" "sensor" | base64 -w0' will print c2Vuc29yOiRhcHIxJGVpMHdzUmdYJHNyWHF4UG53ZzZqWUc3aEFaUWxrWDEKCg==
# Copy the string and replace / add LS_WEB_USER=c2Vuc29yOiRhcHIxJGVpMHdzUmdYJHNyWHF4UG53ZzZqWUc3aEFaUWxrWDEKCg==
# Multiple users are possible:
# LS_WEB_USER=c2Vuc29yMTokYXByMSQ5aXhNRk5yMCR6d3F2dGFwQ2x0cFBhU1pqMm9ZemYxCgo= c2Vuc29yMjokYXByMSRtYTlOS1J2NCQvU3dsVVBMeW5RaVIyM3pyWVAzOUkwCgo=
LS_WEB_USER=
# T-Pot Blackhole
# ENABLED: T-Pot will download a db of known mass scanners and nullroute them.
# Be aware, this will put T-Pot off the map for stealth reasons and
# you will get less traffic. Routes will be active until next reboot
# and will be re-added with every T-Pot start until disabled.
# DISABLED: This is the default and no stealth efforts are in place.
TPOT_BLACKHOLE=DISABLED
# T-Pot Persistence
# on: This is the default. T-Pot will keep the honeypot logfiles and rotate
# with logrotate for 30 days.
# off: This is recommended for Raspberry Pi or setups with weaker CPUs or
# if you just do not need any of the logfiles.
TPOT_PERSISTENCE=on
# T-Pot Type
# HIVE: This is the default and offers everything to connect T-Pot sensors.
# SENSOR: This needs to be used when running a sensor. Be aware to adjust all other
# settings as well.
# 1. You will need to copy compose/sensor.yml to ./docker-comopose.yml
# 2. From HIVE host you will need to copy ~/tpotce/data/nginx/cert/nginx.crt to
# your SENSOR host to ~/tpotce/data/hive.crt
# 3. On HIVE: Create a web user per SENSOR on HIVE and provide credentials below
# Create credentials with 'htpasswd ~/tpotce/data/nginx/conf/lswebpasswd <username>'
# 4. On SENSOR: Provide username / password from (3) for TPOT_HIVE_USER as base64 encoded string:
# "echo -n 'username:password' | base64 -w0"
# MOBILE: This will set the correct type for T-Pot Mobile (https://github.com/telekom-security/tpotmobile)
TPOT_TYPE=HIVE
# T-Pot Hive User (only relevant for SENSOR deployment)
# <empty>: This is empty by default.
# <base64 encoded string>: Provide a base64 encoded string "echo -n 'username:password' | base64 -w0"
# i.e. TPOT_HIVE_USER='dXNlcm5hbWU6cGFzc3dvcmQ='
TPOT_HIVE_USER=
# Logstash Sensor SSL verfication (only relevant on SENSOR hosts)
# full: This is the default. Logstash, by default, verifies the complete certificate chain for ssl certificates.
# This also includes the FQDN and sANs. By default T-Pot will only generate a self-signed certificate which
# contains a sAN for the HIVE IP. In scenario where the HIVE needs to be accessed via Internet, maybe with
# a different NAT address, a new certificate needs to be generated before deployment that includes all the
# IPs and FQDNs as sANs for logstash successfully establishing a connection to the HIVE for transmitting
# logs. Details here: https://github.com/telekom-security/tpotce?tab=readme-ov-file#distributed-deployment
# none: This setting will disable the ssl verification check of logstash and should only be used in a testing
# environment where IPs often change. It is not recommended for a production environment where trust between
# HIVE and SENSOR is only established through a self signed certificate.
LS_SSL_VERIFICATION=full
# T-Pot Hive IP (only relevant for SENSOR deployment)
# <empty>: This is empty by default.
# <IP, FQDN>: This can be either a IP (i.e. 192.168.1.1) or a FQDN (i.e. foo.bar.local)
TPOT_HIVE_IP=
# T-Pot AttackMap Text Output
# ENABLED: This is the default and the docker container map_data will print events to the console.
# DISABLED: Printing events to the console is disabled.
TPOT_ATTACKMAP_TEXT=ENABLED
# T-Pot AttackMap Text Output Timezone
# UTC: (T-Pot default) This is usually the best option.
# Continent/City: In Linux you can check our timezone with `readlink` /etc/localtime or
# see the full list here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
# Examples: America/New_York, Asia/Taipei, Australia/Melbourne, Europe/Athens, Europe/Berlin
TPOT_ATTACKMAP_TEXT_TIMEZONE=UTC
###################################################################################
# Honeypots / Tools settings
###################################################################################
# Some services / tools offer adjustments using ENVs which can be adjusted here.
###################################################################################
# Suricata ET Pro ruleset
# OPEN: This is the default and will the ET Open ruleset
# OINKCODE: Replace OPEN with your Oinkcode to use the ET Pro ruleset
OINKCODE=OPEN
###################################################################################
# NEVER MAKE CHANGES TO THIS SECTION UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!!! #
###################################################################################
# docker.sock Path
TPOT_DOCKER_SOCK=/var/run/docker.sock
# docker compose .env
TPOT_DOCKER_ENV=./.env
# Docker-Compose file
TPOT_DOCKER_COMPOSE=./docker-compose.yml
# T-Pot Docker Repo
# Depending on where you are located you may choose between DockerHub and GHCR
# dtagdevsec: This will use the DockerHub image registry
# ghcr.io/telekom-security: This will use the GitHub container registry
TPOT_REPO=dtagdevsec
# T-Pot Version Tag
TPOT_VERSION=24.04
# T-Pot Pull Policy
# always: (T-Pot default) Compose implementations SHOULD always pull the image from the registry.
# never: Compose implementations SHOULD NOT pull the image from a registry and SHOULD rely on the platform cached image.
# missing: Compose implementations SHOULD pull the image only if it's not available in the platform cache.
# build: Compose implementations SHOULD build the image. Compose implementations SHOULD rebuild the image if already present.
TPOT_PULL_POLICY=always
# T-Pot Data Path
TPOT_DATA_PATH=./data
# OSType (linux, mac, win)
# Most docker features are available on linux
TPOT_OSTYPE=linux