Skip to content

Installation

GS McNamara, MS edited this page Jun 23, 2020 · 100 revisions

Tested on CentOS 7 VM with ~4CPU 8GB RAM
e.g. Linode 4 CPU, 160GB Storage, 8GB RAM

Installation:

sudo yum install git docker
sudo curl -L "https://github.com/docker/compose/releases/download/1.26.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

#enable start on boot
sudo systemctl enable docker
#to start docker
sudo systemctl start docker

#needed by elastic
sudo nano /etc/sysctl.conf
#add the following line
vm.max_map_count=262144
[save change]

#refresh with the new configuration
sudo sysctl -p

git clone https://github.com/GSMcNamara/Floodspark.git
cd Floodspark/docker
sudo /usr/local/bin/docker-compose up
#In a new terminal tab once Elasticsearch is up*:
sudo docker exec -it elk sh -c "/password-setup.sh"

Visit the Analyst Dashboard in your web browser on port 80 or 443 and log in as the elastic user with password qE*7Pj43Or.

FYI an index in Elastic should be created automatically after the first violation takes place. Until then you may not see any data.

*Elastic should be up once you see log entries such as:
elk | waiting for Elasticsearch to be up (13/300)
elk | Waiting for Elasticsearch cluster to respond (1/30)

Optional steps

To enable honeypot mode

cd Floodspark/docker/tanner/snare/
modify both references to "floodspark.com" in the Dockerfile to the domain you wish to emulate
cd ..
docker-compose build
screen
docker-compose up
Press Ctrl-A then Ctrl-D
#next we change resty/nginx's routing mode from block to honeypot
docker exec -it resty /bin/bash
nano /etc/nginx/conf.d/default.conf
change 'set $mode "block";' to 'set $mode "honeypot";'
save changes
nginx -t
#if above test passes, then:
nginx -s reload

Now, the snare server may serve a 500 error because Tanner has a failure. Within the /tmp/tanner/tanner.err file in the tanner Docker container you may see an error message such as "PermissionError: [Errno 13] Permission denied: '/var/log/tanner/tanner_report.json'"

If so, you may have to do this bad workaround:
setenforce 0
docker exec -it -u 0 tanner /bin/sh
touch /var/log/tanner/tanner_report.json
chmod 777 /var/log/tanner/tanner_report.json
exit container

Hopefully this is soon fixed: https://github.com/dtag-dev-sec/tpotce/issues/517

To import the demo dashboard

go to http://[your ip address]/app/infra#/logs?_g=()
click Change source configuration
set Log indices to *
Click Update Source
Go to /app/kibana#/management/kibana/objects?_g=()
Import the JSON file from https://github.com/GSMcNamara/Floodspark/blob/master/demo/export.ndjson or https://raw.githubusercontent.com/GSMcNamara/Floodspark/master/demo/export.ndjson. You may need to remove the ".txt" extension from the downloaded file's name.
Click Done

To create dashboard-only user with only the view permission, e.g. Floodspark Demo

Go to Management > Security > Roles. Create a role with name "demo_dashboard_read". Under Index privileges add the underlying indices that you want this user to be able to view through the dashboard. Add read to Privileges.
Go to Management > Security > Users > Create user and create the username "dashboard_only", set a password you will remember, and add "kibana_dashboard_only_user" and "demo_dashboard_read" to Roles.
User this account to demo your fancy dashboard(s)

To make the dashboard demo experience really slick

#You can have resty/nginx authenticate automatically and load the dashboard URL directly, so it is all that user sees. HOWEVER, the downside is that you cannot log into Kibana using any other account (e.g. elastic) when accessed through the modified resty/nginx instance.
docker exec -it resty /bin/bash
modify /etc/nginx/conf.d/default.conf #(nano is installed)
within the "location /" block, e.g. under "proxy_set_header Host $http_host;" add "proxy_set_header Authorization "Basic ZGFzaGJvYXJkX29ubHk6cUUqN1BqNDNPcg==";" where "ZGFzaGJvYXJkX29ubHk6cUUqN1BqNDNPcg==" is the base64 encoded value for the dashboard_only:password combination. You must replace this with the base64 encoded value for dashboard_only:[the password you set]
#to block people from changing the password of the dashboard_only user, update the following nginx line with "dashboard_only" instead of "floodspark":
location /api/security/v1/users/floodspark/password {
#TODO: to have kibana load a specific dashboard directly
save changes.
#run the following to test nginx config before restarting nginx
nginx -t
#restart nginx if safe
nginx -s reload

To proxy your real website

#change the following line in /etc/nginx/conf.d/default.conf of the resty docker container:
proxy_pass http://elk:5601/;
#update the domain value in this line:
proxy_set_header Host [your domain here];
#reload the config:
nginx -s reload

To install your own SSL certificate

#This should not really differ from a standard installation in NGINX
#Installation takes place in the resty docker container
#Steps might be similar to:
docker cp private.key resty:/etc/ssl/private/
docker cp ssl-bundle.crt resty:/etc/ssl/certs/
docker exec -it resty /bin/bash
nano /etc/nginx/conf.d/default.conf
#comment out the existing SSL cert information, resulting in something like:
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/private.key;
# ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
# ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
save.
nginx -t
nginx -s reload

To generate data

#pause Redis to avoid blacklisting yourself
docker stop redis
#Wget, cURL, visit in Chrome Incognito mode, and/or Tor browser, etc to generate data
#resume redis when you're ready to start blocking people again
docker start redis

Helpful commands

...for Docker

#check status of all containers
docker ps -a

#debug a container
docker exec -it [container name] /bin/bash

#get command used to start container
docker inspect -f "{{.Name}} {{.Config.Cmd}}" $(docker ps -a -q)

#list all images
docker images

#____# ...for Redis #run the redis-cli:
docker exec -it redis redis-cli #list all existing ip addresses in blacklist:
KEYS *
#delete all ip addresses from blacklist:
FLUSHALL
"quit" to quit

Clone this wiki locally