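#!/bin/bash
#Tango Sensor Install
#Should be compatible with Ubuntu and Debian
#Disclaimer. Continues for yes, quits for no.
# The prompt repeats until a Yes/No answer arrives. `read` returns non-zero
# on EOF (stdin closed or not a terminal); the original loop treated that as
# an invalid answer and spun forever, so a failed read now aborts instead.
# -r keeps backslashes in the answer literal.
while true; do
  read -r -p "[!] You are about to install Cowrie and the Splunk Universal Forwarder. By running this installer, you accept Splunk's EULA. Do you wish to proceed? (Yes/No)" yn || exit 1
  case "$yn" in
    [Yy]*) break ;;
    [Nn]*) exit ;;
    *) echo "Please answer Yes or No." ;;
  esac
done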
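########################################
#User input variables
# All three answers are later spliced into sed expressions (inputs.conf,
# outputs.conf, sshd_config), so they are checked as soon as they are read:
# -r keeps backslashes literal, EOF on stdin aborts instead of leaving the
# variable empty, and each value is limited to characters that cannot alter
# the sed commands that consume it. Any invalid answer exits with status 1.
#Splunk Indexer hostname/IP address from user
read -r -e -p "[?] Enter the Splunk Indexer to forward logs to: (example: splunk.test.com:9997) " SPLUNK_INDEXER || exit 1
if [[ ! $SPLUNK_INDEXER =~ ^[A-Za-z0-9._:-]+$ ]]; then
  echo "Invalid indexer '$SPLUNK_INDEXER': use a hostname or address, optionally followed by :port." >&2
  exit 1
fi
#Sensor hostname from user
read -r -e -p "[?] Enter Sensor name. (example: hp-US-Las_Vegas-01) " HOST_NAME || exit 1
if [[ ! $HOST_NAME =~ ^[A-Za-z0-9._-]+$ ]]; then
  echo "Invalid sensor name '$HOST_NAME': use letters, digits, '.', '_' and '-' only." >&2
  exit 1
fi
#SSH Port number from user
read -r -e -p "[?] Enter new SSH port number, since Kippo will listen on default SSH port. (example: 1337) " SSH_PORT || exit 1
# 10# forces decimal so a leading zero is not read as octal by (( )).
if [[ ! $SSH_PORT =~ ^[0-9]{1,5}$ ]] || (( 10#$SSH_PORT < 1 || 10#$SSH_PORT > 65535 )); then
  echo "Invalid SSH port '$SSH_PORT': must be a number between 1 and 65535." >&2
  exit 1
fi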
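########################################
# Logging setup. This is done to log all the output from commands executed in the script to a file.
#This provides us troubleshooting data if the script fails.
logfile=/var/log/tango_install.log
# Fail early if the log cannot be written (e.g. not root): opening the FIFO
# below for writing blocks until tee opens it for reading, so a tee that
# died on a permission error would otherwise hang the whole installer.
touch -- "$logfile" 2>/dev/null || { echo "Cannot write $logfile; run this script as root." >&2; exit 1; }
# The FIFO is created inside a private mktemp directory rather than on a fixed
# path next to the log. mkfifo on a fixed path fails when a stale pipe is left
# behind by an earlier aborted run, and the original then fell through to
# `exec &> <path>`, which created and immediately unlinked a regular file, so
# every later log line was silently lost.
pipedir=$(mktemp -d) || { echo "mktemp failed; cannot set up logging." >&2; exit 1; }
logpipe=$pipedir/tango_install.pipe
mkfifo -- "$logpipe" || { echo "mkfifo failed; cannot set up logging." >&2; exit 1; }
tee "$logfile" < "$logpipe" &
exec &> "$logpipe"
# tee already holds the FIFO open, so the name (and its directory) can go.
rm -f -- "$logpipe"
rmdir -- "$pipedir"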
########################################
#metasploit-like print statements. Status messages, error messages, good status returns.
# I added in a notification print for areas users should definitely pay attention to.
# Prints a blue "[*]" status marker followed by the message in $1.
# Backslash escapes in the message are interpreted (%b), as echo -e did.
print_status() {
  printf '\033[01;34m[*]\033[0m %b\n' "$1"
}
# Prints a green "[*]" success marker followed by the message in $1.
# Backslash escapes in the message are interpreted (%b), as echo -e did.
print_good() {
  printf '\033[01;32m[*]\033[0m %b\n' "$1"
}
# Prints a red "[*]" error marker followed by the message in $1.
# Backslash escapes in the message are interpreted (%b), as echo -e did.
print_error() {
  printf '\033[01;31m[*]\033[0m %b\n' "$1"
}
# Prints a yellow "[*]" notification marker followed by the message in $1,
# for lines the user should pay particular attention to.
# Backslash escapes in the message are interpreted (%b), as echo -e did.
print_notification() {
  printf '\033[01;33m[*]\033[0m %b\n' "$1"
}
########################################
#Script does a lot of error checking. Decided to insert an error check function.
# If a task performed returns a non zero status code, something very likely went wrong.
# Reports the outcome of the command that ran immediately before this call.
# Globals:   logfile (read) - named in the failure message
# Arguments: $1 - short description of the task just attempted
# Outputs:   one line via print_good or print_error
# Returns:   0 when the previous command succeeded; exits the script with
#            status 1 otherwise
error_check() {
  # As the first command in the function, $? is still the caller's status.
  local rc=$?
  if (( rc == 0 )); then
    print_good "$1 successfully completed."
    return 0
  fi
  print_error "$1 failed. Please check $logfile for more details."
  exit 1
}
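########################################
#BEGIN MAIN#
########################################
# These Variables Need to be set! #
#SPLUNK_INDEXER: This is the box that is going to process your splunk logs.
#Can be a hostname or an IP address. The default port is 9997/tcp. #
#SPLUNK_INDEXER="splunkserver.yourdomain.com:9997"
#HOST_NAME: This controls what name your kippo server will have when reviewing its
# data in the Tango Splunk App. Use unique names.
# Suggestion: "hp-{country code}-{city}-{number}" such as: hp-US-Las_Vegas-01 #
#HOST_NAME="hp-countrycode-city-01"
#SSH_PORT: This port will replace the default SSH port (22), so that Kippo may run on it, and you'll still be able
# to access the host using SSH.
#SSH_PORT= "1337"
########################################
# Set the directory we are initially executing the script in.
# Used later to locate the tango_input directory shipped next to the script.
execdir=$(pwd)
########################################
#We need root privs to run most of this, this is a quick check to ensure that we are root. If not, bail.
print_status "Checking for root privs.."
# EUID is the effective uid: 0 for a root login and under sudo alike. The
# original compared the output of `whoami` unquoted, which became a malformed
# test if that command was missing or failed.
if (( EUID != 0 )); then
  print_error "This script must be ran with sudo or root privileges."
  exit 1
else
  print_good "We are root."
fi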
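########################################
#We check what architecture the system is and download the correct splunk Universal Forwarder for that CPU arch.
arch=$(uname -m)
# The package is named after `uname -m`, but the download servlet's
# architecture query uses "x86" for 32-bit, hence the separate value.
case "$arch" in
  x86_64) dl_arch=x86_64 ;;
  i686)   dl_arch=x86 ;;
  *)
    print_error "System arch is not x86_64 or i686. Tango Honeypot is not yet supported on other CPU architectures."
    exit 1
    ;;
esac
INSTALL_FILE="splunkforwarder-6.3.0-aa7d4b1ccb80-Linux-${arch}.tgz"
print_notification "System is $arch. Downloading: $INSTALL_FILE to /opt.."
# NOTE(review): the archive is fetched over plain http and the script carries
# no published checksum for it, so by default the download is trusted as-is.
# Set SPLUNK_SHA256 in the environment to the vendor's SHA-256 for
# $INSTALL_FILE (value not known from this script; obtain it from Splunk) and
# the archive is verified before anything is extracted from it.
wget -O "/opt/$INSTALL_FILE" "http://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=${dl_arch}&platform=linux&version=6.3.0&product=universalforwarder&filename=${INSTALL_FILE}&wget=true" &>> "$logfile"
error_check 'Splunk Forwarder Download'
if [[ -n ${SPLUNK_SHA256:-} ]]; then
  printf '%s  /opt/%s\n' "$SPLUNK_SHA256" "$INSTALL_FILE" | sha256sum -c - &>> "$logfile"
  error_check 'Splunk Forwarder checksum verification'
fi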
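########################################
# Based on the OS (Debian or Redhat based), use the OS package manager to download required packages
if [[ -f /etc/debian_version ]]; then
  apt-get -y update &>> "$logfile"
  print_notification "Installing required packages via apt-get.."
  apt-get -y install python-dev python-openssl python-pyasn1 authbind git libcurl4-gnutls-dev libssl-dev libffi-dev openssh-server &>> "$logfile"
  error_check 'Apt Package Installation'
  # -f makes an HTTP error a non-zero exit so error_check can catch a failed
  # download instead of python later being fed an error page. The bootstrap
  # script is fetched into the current directory and removed once used.
  curl -fsSL "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py" &>> "$logfile"
  error_check 'pip bootstrap download'
  python get-pip.py &>> "$logfile"
  error_check 'pip installation'
  rm -f -- get-pip.py
  print_notification "Installed pip"
  print_notification "Installing required python packages via pip.."
  pip install pycrypto cryptography service_identity requests ipwhois twisted &>> "$logfile"
  error_check 'Python pip'
  # Send inbound port 22 to the honeypot's 2222 listener. Nothing in this
  # script saves the rule, so it does not survive a reboot unless it is
  # persisted separately (e.g. with the distribution's iptables-persistent).
  iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222 &>> "$logfile"
  error_check 'Port 22 to 2222 redirect'
elif [[ -f /etc/redhat-release ]]; then
  yum -y update &>> "$logfile"
  print_notification "Installing required packages via yum.."
  yum -y install wget python-devel python-zope-interface unzip git gnutls-devel gcc gcc-c++ &>> "$logfile"
  error_check 'Yum Package Installation'
  print_notification "Installing required python packages via easy_install.."
  easy_install pycrypto pyasn1 twisted requests &>> "$logfile"
  error_check 'Python easy_install'
else
  print_error "Unable to determine correct package manager to use. This script currently supports apt-based Operating Systems (Debian, Ubuntu, Kali) and yum-based Operating Systems (Redhat, CentOS, etc.) and relies on either /etc/redhat-release or /etc/debian_version being present to determine the correct package manager to use."
  exit 1
fi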
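########################################
# Service accounts. The forwarder and the honeypot each run as an unprivileged
# user whose shell is /bin/false. The steps are the same for both, so one
# helper does them. (The original created the cowrie user with /home/splunk as
# its home directory and then chown'ed that directory back to splunk; each
# account now gets its own home.)
# Arguments: $1 - account name; also used as the group name and as /home/$1
# Globals:   logfile (read)
# Exits via error_check if creating the group or the user fails.
ensure_service_user() {
  local name=$1
  local home=/home/$name
  print_status "Checking for $name user and group.."
  # `getent group` tests for the group itself; `id -g` (used originally) only
  # reported the user's primary gid and could not distinguish the two.
  if getent group "$name" &>> "$logfile"; then
    print_notification "$name group exists."
  else
    print_notification "$name group does not exist. Creating.."
    groupadd "$name" &>> "$logfile"
    error_check "Creation of $name group"
  fi
  if getent passwd "$name" &>> "$logfile"; then
    print_status "$name user exists. Ensuring membership of $name group.."
    # -a appends; a bare -G would replace any other supplementary groups.
    usermod -aG "$name" "$name" &>> "$logfile"
    error_check "Addition of $name user to group"
  else
    print_status "Creating $name user.."
    useradd -g "$name" -d "$home" -s /bin/false "$name" &>> "$logfile" &&
      mkdir -p -- "$home" &>> "$logfile"
    error_check "$name user creation"
  fi
  # A pre-existing account may have its home elsewhere; only fix ownership
  # of the directory this script expects.
  if [[ -d $home ]]; then
    chown -R "$name:$name" "$home" &>> "$logfile"
  fi
}
ensure_service_user splunk
ensure_service_user cowrie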
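########################################
# Installing Cowrie Honeypot
print_notification "Installing Cowrie Honeypot.."
# Each cd is checked: the original continued in the previous directory when a
# cd failed, so the clone and copy below would have landed in the wrong place.
cd /opt || { print_error "Unable to change to /opt."; exit 1; }
# NOTE(review): this clones whatever upstream currently serves on its default
# branch, so the honeypot code that gets installed is not pinned. For
# reproducible installs, check out a chosen tag or commit after the clone
# (e.g. `git -C cowrie checkout <PINNED_REVISION>`, value to be selected).
git clone https://github.com/micheloosterhof/cowrie.git &>> "$logfile"
error_check "Cloned Cowrie Repository from GitHub"
cd cowrie || { print_error "Cowrie checkout not found at /opt/cowrie."; exit 1; }
cp cowrie.cfg.dist cowrie.cfg &>> "$logfile"
# Checked explicitly: a missing cowrie.cfg.dist (layout changes upstream)
# used to go unnoticed until the honeypot failed to start.
error_check 'Cowrie configuration file creation'
# Changing the Honeypot name as well as changing the port that Kippo listens on
#sed -i "s/#listen_port = 2222/listen_port = 22/" cowrie.cfg &>> $logfile
#sed -i "s/#\[database_jsonlog\]/\[database_jsonlog\]/" cowrie.cfg &>> $logfile
#sed -i "s/#logfile = log\/kippolog.json/logfile = log\/kippolog.json/" cowrie.cfg &>> $logfile
#sed -i "s/\[output_jsonlog\]/#\[output_jsonlog\]/" cowrie.cfg &>> $logfile
#sed -i "s/logfile = log\/kippo.json/#logfile = log\/kippo.json/" cowrie.cfg &>> $logfile
print_notification "Configured Cowrie Honeypot"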
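########################################
# Changing Default SSH Port
# Changing the port that SSH listens on to the variable set above.
# The service name (ssh vs sshd) and the authbind RPM depend on the OS family,
# not on the CPU, so this dispatches on the same /etc/debian_version and
# /etc/redhat-release markers as the package-manager step. The original keyed
# it on `uname -m`, which ran the Debian steps on 64-bit CentOS and tried to
# install an x86_64 RPM on 32-bit Debian.
# SSH_PORT is re-checked here so the sshd_config edit never depends on how the
# prompt validated it: the value is spliced into a sed expression.
if [[ ! $SSH_PORT =~ ^[0-9]{1,5}$ ]] || (( 10#$SSH_PORT < 1 || 10#$SSH_PORT > 65535 )); then
  print_error "Invalid SSH port '$SSH_PORT'; must be a number between 1 and 65535."
  exit 1
fi
cd /etc/ssh/ || { print_error "Unable to change to /etc/ssh."; exit 1; }
# Match both an active `Port 22` and the commented-out `#Port 22` default so
# the edit takes effect on either distribution's stock sshd_config.
sed -i "s/^#\?Port 22[[:space:]]*\$/Port $SSH_PORT/" sshd_config &>> "$logfile"
error_check 'sshd_config port change'
# Validate the edited configuration before restarting: restarting on a broken
# sshd_config would leave a remote host unreachable over SSH.
if command -v sshd >/dev/null; then
  sshd -t &>> "$logfile"
  error_check 'sshd configuration check'
fi
if [[ -f /etc/debian_version ]]; then
  service ssh restart &>> "$logfile"
  error_check 'SSH Service Restarted'
elif [[ -f /etc/redhat-release ]]; then
  service sshd restart &>> "$logfile"
  error_check 'SSH Service Restarted'
  cd /tmp || { print_error "Unable to change to /tmp."; exit 1; }
  git clone https://github.com/tootedom/authbind-centos-rpm.git &>> "$logfile"
  error_check 'Cloned authbind repo from GitHub'
  cd authbind-centos-rpm/authbind/RPMS/x86_64/ || { print_error "authbind RPM directory not found in the cloned repository."; exit 1; }
  # NOTE(review): only an x86_64 package is installed from here; on an i686
  # host rpm -i fails and error_check stops the install.
  rpm -i authbind-2.1.1-0.x86_64.rpm &>> "$logfile"
  error_check 'Installed authbind'
else
  print_error "Unable to determine the OS family (neither /etc/debian_version nor /etc/redhat-release is present); cannot restart the SSH service."
  exit 1
fi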
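########################################
# Setting up authbind to allow kippo user to bind to privileged port
#print_notification "Configuring Authbind"
#touch /etc/authbind/byport/22 &>> $logfile
#chown cowrie:cowrie /etc/authbind/byport/22 &>> $logfile
chown -R cowrie:cowrie /opt/cowrie &>> "$logfile"
# Checked cd: start.sh is a relative path, so continuing in the wrong
# directory after a failed cd would start nothing and mislead error_check.
cd /opt/cowrie || { print_error "Cowrie checkout not found at /opt/cowrie."; exit 1; }
#sed -i "s,twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid,authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid," start.sh &>> $logfile
# The honeypot is started as the unprivileged cowrie account, not as root
# (which this script runs as).
sudo -u cowrie ./start.sh &>> "$logfile"
error_check "Cowrie started successfully"
#print_notification "Authbind Configured to use Port 22"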
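########################################
# Installing Splunk Universal Forwarder and setting it to persist on reboot
print_notification "Installing Splunk Universal Forwarder.."
cd /opt || { print_error "Unable to change to /opt."; exit 1; }
# INSTALL_FILE is set by the architecture check earlier. An empty or missing
# value only showed up as a tar error deep in the log, so it is checked here.
if [[ -z ${INSTALL_FILE:-} || ! -f /opt/$INSTALL_FILE ]]; then
  print_error "Splunk forwarder archive not found in /opt (INSTALL_FILE='${INSTALL_FILE:-}')."
  exit 1
fi
tar -xzf "$INSTALL_FILE" &>> "$logfile"
error_check 'Universal Forwarder Extraction'
chown -R splunk:splunk splunkforwarder &>> "$logfile"
sudo -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt &>> "$logfile"
error_check 'Universal Forwarder Configuration'
/opt/splunkforwarder/bin/splunk enable boot-start -user splunk &>> "$logfile"
error_check 'Universal Forwarder Install'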
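########################################
#Check to see if the user tried to execute uf_only outside of the Tango directory. Yell at them if they did.
# Grab tango_input from the Tango directory (if it's there), configure inputs.conf, start up the forwarder. We done here.
print_notification "Installing tango_input.."
if [[ ! -d "$execdir/tango_input" ]]; then
  print_error "Unable to find tango_input directory in $execdir. tango_input should be in the same directory as uf_only.sh. Please correct this and run the script again."
  exit 1
else
  cp -r "$execdir/tango_input" /opt/splunkforwarder/etc/apps &>> "$logfile"
  error_check 'tango_input copy'
fi
print_notification "Configuring /opt/splunkforwarder/etc/apps/tango_input/default/inputs.conf and outputs.conf.."
cd /opt/splunkforwarder/etc/apps/tango_input/default || { print_error "tango_input app not found under /opt/splunkforwarder/etc/apps."; exit 1; }
# The prompt answers become sed replacement strings, so the characters sed
# treats specially there (\, / and &) are escaped first; a raw value such as
# "a/b" would otherwise break or alter the expression.
# Arguments: $1 - value to escape. Outputs the escaped form on stdout.
sed_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\//\\/}
  s=${s//&/\\&}
  printf '%s' "$s"
}
# Replaces the first "test" on each line; presumably the placeholder shipped
# in the bundled conf files (confirm against tango_input/default).
sed -i "s/test/$(sed_escape "$HOST_NAME")/" inputs.conf &>> "$logfile"
sed -i "s/test/$(sed_escape "$SPLUNK_INDEXER")/" outputs.conf &>> "$logfile"
chown -R splunk:splunk /opt/splunkforwarder &>> "$logfile"
/opt/splunkforwarder/bin/splunk restart &>> "$logfile"
error_check 'Tango_input installation'
# The forwarder only needs to read the honeypot log. The original made it
# world-writable (777), which let any local account alter or truncate the
# evidence the honeypot collects; cowrie owns the file, so 644 suffices.
# The file is absent until cowrie has logged something, hence the guard.
if [[ -f /opt/cowrie/log/cowrie.json ]]; then
  chmod 644 /opt/cowrie/log/cowrie.json &>> "$logfile"
fi
print_notification "If the location of your kippo log files changes or the hostname/ip of the indexer changes, you will need to modify /opt/splunkforwarder/etc/apps/tango_input/default/inputs.conf and outputs.conf respectively."
print_good "Install Completed. The splunk forwarder should be reporting and sending data to your indexer. Log file is located at /var/log/tango_install.log"
exit 0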