Installation
Tested on a CentOS 7 VM with ~4 CPUs and 8GB RAM,
e.g. Linode 4 CPU, 160GB Storage, 8GB RAM
(PS: leaving Docker limited to 2GB RAM causes Elasticsearch to die)
sudo yum install git docker
sudo curl -L "https://github.com/docker/compose/releases/download/1.26.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
#enable start on boot
sudo systemctl enable docker
#to start docker
sudo systemctl start docker
#needed by elastic
sudo nano /etc/sysctl.conf
#add the following line
vm.max_map_count=262144
[save changes]
#refresh with the new configuration
sudo sysctl -p
git clone https://github.com/GSMcNamara/Floodspark.git
cd Floodspark/docker
sudo /usr/local/bin/docker-compose up
#In a new terminal tab/screen once Elasticsearch is up*:
sudo docker exec -it elk sh -c "/password-setup.sh"
Visit the Analyst Dashboard in your web browser on port 80 or 443 and log in as the elastic user with the password qE*7Pj43Or.
FYI an index in Elastic should be created automatically after the first violation takes place. Until then you may not see any data.
*Elastic should be up once you see log entries such as:
elk | waiting for Elasticsearch to be up (13/300)
elk | Waiting for Elasticsearch cluster to respond (1/30)
cd Floodspark/docker/snare/
modify the reference to "floodspark.com" in the Dockerfile to the domain you wish to emulate
cd ..
sudo /usr/local/bin/docker-compose up
#in a new terminal tab we will change resty/nginx's routing mode from block to honeypot
sudo docker exec -it resty /bin/bash
nano /etc/nginx/conf.d/default.conf
change 'set $mode "block";' to 'set $mode "honeypot";'
save changes
nginx -t
#if above test passes, then:
nginx -s reload
At this point the snare server may return a 500 error because Tanner is failing. In the file /tmp/tanner/tanner.err inside the tanner Docker container you may see an error message such as "PermissionError: [Errno 13] Permission denied: '/var/log/tanner/tanner_report.json'"
If so, you may have to do this bad workaround:
#puts SELinux into permissive mode until the next reboot
sudo setenforce 0
sudo docker exec -it -u 0 tanner /bin/sh
touch /var/log/tanner/tanner_report.json
chmod 777 /var/log/tanner/tanner_report.json
#leave the container
exit
Hopefully this is soon fixed: https://github.com/dtag-dev-sec/tpotce/issues/517
Go to http://[your ip address]/app/infra#/logs?_g=()
Click Change source configuration
Set Log indices to *
Click Update Source
Go to http://[your ip address]/app/kibana#/management/kibana/objects?_g=()
Import the JSON file from https://github.com/GSMcNamara/Floodspark/blob/master/demo/export.ndjson or https://raw.githubusercontent.com/GSMcNamara/Floodspark/master/demo/export.ndjson. You may need to remove the ".txt" extension from the downloaded file's name.
Click Done
To create a dashboard-only user with only the view permission (e.g. for a Floodspark demo):
Go to Management > Security > Roles. Create a role named "demo_dashboard_read". Under Index privileges add the underlying indices that you want this user to be able to view through the dashboard. Add read to Privileges.
Go to Management > Security > Users > Create user, create the username "dashboard_only", set a password you will remember, and add "kibana_dashboard_only_user" and "demo_dashboard_read" to Roles.
Use this account to demo your fancy dashboard(s)
#You can have resty/nginx authenticate automatically and load the dashboard URL directly, so it is all that user sees. HOWEVER, the downside is that you cannot log into Kibana using any other account (e.g. elastic) when accessed through the modified resty/nginx instance.
docker exec -it resty /bin/bash
modify /etc/nginx/conf.d/default.conf #(nano is installed)
Within the "location /" block, e.g. under the line proxy_set_header Host $http_host; add the line proxy_set_header Authorization "Basic ZGFzaGJvYXJkX29ubHk6cUUqN1BqNDNPcg=="; where ZGFzaGJvYXJkX29ubHk6cUUqN1BqNDNPcg== is the base64 encoding of the dashboard_only:password combination. You must replace it with the base64 encoding of dashboard_only:[the password you set]
#to block people from changing the password of the dashboard_only user, update the following nginx line with "dashboard_only" instead of "floodspark":
location /api/security/v1/users/floodspark/password {
#TODO: to have kibana load a specific dashboard directly
save changes.
#run the following to test nginx config before restarting nginx
nginx -t
#restart nginx if safe
nginx -s reload
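As an added example (not part of the Floodspark repo), a small shell helper that builds the Basic credential for the dashboard_only user, prints the two nginx lines from the steps above, and decodes an existing credential so you can confirm the header in default.conf really carries the dashboard_only user and not a stale value; function names are my own.

```shell
#!/bin/sh
# Added helper, not part of Floodspark: build and verify the Basic
# Authorization credential that resty/nginx injects for the dashboard user.

# Encode "user:password" as a Basic credential (RFC 7617): base64 of the
# colon-joined pair, with any line wrapping removed.
basic_credential() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the proxy_set_header line to add inside the "location /" block.
auth_header_line() {
    printf 'proxy_set_header Authorization "Basic %s";\n' "$(basic_credential "$1" "$2")"
}

# Print the location line that targets the password-change endpoint of
# the given user (the body of the block stays as in your default.conf).
password_location_line() {
    printf 'location /api/security/v1/users/%s/password {\n' "$1"
}

# Decode an existing credential and print the user it belongs to; the
# user part cannot contain ':' so the first field is always the user.
credential_user() {
    printf '%s' "$1" | base64 -d | cut -d: -f1
}

# Exit status 0 only if the credential names the expected user.
check_credential_user() {
    [ "$(credential_user "$1")" = "$2" ]
}
```

Run `auth_header_line dashboard_only '<the password you set>'` to get the exact line to paste, and `check_credential_user <value from default.conf> dashboard_only` after editing to confirm the swap.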
#change the following line in /etc/nginx/conf.d/default.conf of the resty docker container:
proxy_pass http://elk:5601/;
#update the domain value in this line:
proxy_set_header Host [your domain here];
#reload the config:
nginx -s reload
#This should not really differ from a standard installation in NGINX
#Installation takes place in the resty docker container
#Steps might be similar to:
docker cp private.key resty:/etc/ssl/private/
docker cp ssl-bundle.crt resty:/etc/ssl/certs/
docker exec -it resty /bin/bash
nano /etc/nginx/conf.d/default.conf
#comment out the existing self-signed SSL cert lines and point to your own, resulting in something like:
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/private.key;
# ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
# ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
save.
nginx -t
nginx -s reload
#pause Redis to avoid blacklisting yourself
docker stop redis
#Wget, cURL, visit in Chrome Incognito mode, and/or Tor browser, etc to generate data
#resume redis when you're ready to start blocking people again
docker start redis
#check status of all containers
docker ps -a
#debug a container
docker exec -it [container name] /bin/bash
#get command used to start container
docker inspect -f "{{.Name}} {{.Config.Cmd}}" $(docker ps -a -q)
#list all images
docker images
#run the redis-cli:
docker exec -it redis redis-cli
#list all existing ip addresses in blacklist:
KEYS *
#delete all ip addresses from blacklist:
FLUSHALL
#type "quit" to exit redis-cli
quit