Installation
Tested on CentOS 7 VM with ~4CPU 8GB RAM
e.g. Linode 4 CPU, 160GB Storage, 8GB RAM
sudo yum install git docker
#enable start on boot
systemctl enable docker
#to start docker
systemctl start docker
#needed by elastic
nano /etc/sysctl.conf
#add the following line
vm.max_map_count=262144
[save change]
#refresh with the new configuration
sysctl -p
git clone https://github.com/GSMcNamara/Floodspark.git
cd Floodspark/docker
docker-compose up
#In a new terminal tab and once Elasticsearch is up*:
docker exec -it elk sh -c "/password-setup.sh"
#Next we configure Logstash authentication
#Log into the Kibana Web UI in your browser at http:// or https:// followed by your VM's IP address, as the elastic user with the password qE*7Pj43Or (the password configured in the previous step). This password is published in this repository, so change it before exposing the host to anything other than a test network.
- Use the Management > Roles option in Kibana to create a logstash_writer role.
- For Cluster privileges, add manage_index_templates and monitor.
- For Indices' value, use *. For its Privileges value add write, create, delete, and create_index. Save.
- Now create a logstash_internal user with the password qE*7Pj43Or and assign the user the logstash_writer role.
#More information on these steps, if needed: https://www.elastic.co/guide/en/logstash/current/ls-security.html#ls-http-auth-basic
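The same role and user can be created from the VM's command line instead of clicking through Kibana. The script below is an added example, not code from the Floodspark repository: it assumes Elasticsearch 7.x, where the security API lives under /_security (6.x used /_xpack/security), that Elasticsearch answers on http://localhost:9200 (the ES_URL variable is this example's own), and that the passwords contain no characters that need JSON escaping. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of Floodspark): create the logstash_writer role and the
# logstash_internal user via the Elasticsearch security API.
# Assumption: Elasticsearch 7.x (/_security/...), reachable at ES_URL.
ES_URL="${ES_URL:-http://localhost:9200}"

# JSON body for the logstash_writer role, with exactly the privileges the
# README lists: cluster manage_index_templates + monitor; write, create,
# delete and create_index on every index (*).
logstash_writer_role_json() {
    printf '%s' '{"cluster":["manage_index_templates","monitor"],"indices":[{"names":["*"],"privileges":["write","create","delete","create_index"]}]}'
}

# JSON body for the logstash_internal user. The password is a parameter so the
# published demo password is not baked in; it must not contain " or \.
logstash_internal_user_json() {
    printf '{"password":"%s","roles":["logstash_writer"]}' "$1"
}

# PUT the role, then the user, authenticating as elastic with the password set
# by password-setup.sh. Returns non-zero if either request fails.
# Usage: create_logstash_auth ELASTIC_PASSWORD LOGSTASH_INTERNAL_PASSWORD
create_logstash_auth() {
    elastic_pw="$1"
    logstash_pw="$2"
    curl -fsS -u "elastic:$elastic_pw" -H 'Content-Type: application/json' \
        -X PUT "$ES_URL/_security/role/logstash_writer" \
        -d "$(logstash_writer_role_json)" || return 1
    curl -fsS -u "elastic:$elastic_pw" -H 'Content-Type: application/json' \
        -X PUT "$ES_URL/_security/user/logstash_internal" \
        -d "$(logstash_internal_user_json "$logstash_pw")" || return 1
}

# Only talk to the cluster when run directly with both passwords as arguments,
# e.g.: sh create_logstash_auth.sh 'elastic-password' 'logstash-password'
if [ "$#" -eq 2 ]; then
    create_logstash_auth "$1" "$2"
fi
```

Run it from the VM after password-setup.sh has completed; if the Logstash pipeline in the repository expects the demo password qE*7Pj43Or for logstash_internal, pass that as the second argument until you have changed it there too.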
An index in Elastic should be created automatically after the first violation takes place. Until then you may not see any data.
*Elastic should be up once you see log entries such as:
elk | waiting for Elasticsearch to be up (13/300)
elk | Waiting for Elasticsearch cluster to respond (1/30)
cd Floodspark/docker/tanner/snare/
modify both references to "floodspark.com" in the Dockerfile to the domain you wish to emulate
cd ..
docker-compose build
screen
docker-compose up
Press Ctrl-A then Ctrl-D
#next we change resty/nginx's routing mode from block to honeypot
docker exec -it resty /bin/bash
nano /etc/nginx/conf.d/default.conf
change 'set $mode "block";' to 'set $mode "honeypot";'
save changes
nginx -t
#if above test passes, then:
nginx -s reload
Now, the snare server may return a 500 error because Tanner has failed. In /tmp/tanner/tanner.err inside the tanner Docker container you may see an error such as "PermissionError: [Errno 13] Permission denied: '/var/log/tanner/tanner_report.json'"
If so, you may have to apply this bad workaround. Note that setenforce 0 switches SELinux to permissive mode for the whole host (it does not persist across a reboot, so the problem may return then), and chmod 777 makes the report file world-writable:
setenforce 0
docker exec -it -u 0 tanner /bin/sh
touch /var/log/tanner/tanner_report.json
chmod 777 /var/log/tanner/tanner_report.json
exit
#(exit leaves the container)
Hopefully this is soon fixed upstream: https://github.com/dtag-dev-sec/tpotce/issues/517
go to http://[your ip address]/app/infra#/logs?_g=()
click Change source configuration
set Log indices to *
Click Update Source
Go to /app/kibana#/management/kibana/objects?_g=()
Import the JSON file from https://github.com/GSMcNamara/Floodspark/blob/master/demo/export.ndjson or https://raw.githubusercontent.com/GSMcNamara/Floodspark/master/demo/export.ndjson. You may need to remove the ".txt" extension from the downloaded file's name.
Click Done
To create dashboard-only user with only the view permission, e.g. Floodspark Demo
Go to Management > Security > Roles. Create a role with name "demo_dashboard_read". Under Index privileges add the underlying indices that you want this user to be able to view through the dashboard. Add read to Privileges.
Go to Management > Security > Users > Create user and create the username "dashboard_only", set a password you will remember, and add "kibana_dashboard_only_user" and "demo_dashboard_read" to Roles.
Use this account to demo your fancy dashboard(s)
#You can have resty/nginx authenticate automatically and load the dashboard URL directly, so it is all that user sees. HOWEVER, the downside is that you cannot log into Kibana using any other account (e.g. elastic) when accessed through the modified resty/nginx instance.
docker exec -it resty /bin/bash
modify /etc/nginx/conf.d/default.conf #(nano is installed)
within the "location /" block, e.g. under "proxy_set_header Host $http_host;", add "proxy_set_header Authorization "Basic ZGFzaGJvYXJkX29ubHk6cUUqN1BqNDNPcg==";". The string "ZGFzaGJvYXJkX29ubHk6cUUqN1BqNDNPcg==" is the base64 encoding of "dashboard_only:qE*7Pj43Or", i.e. the demo password from above. You must replace it with the base64 encoding of dashboard_only:[the password you set], making sure no trailing newline gets encoded along with it.
#to block people from changing the password of the dashboard_only user, update the following nginx line with "dashboard_only" instead of "floodspark":
location /api/security/v1/users/floodspark/password {
#TODO: to have kibana load a specific dashboard directly
save changes.
#run the following to test nginx config before restarting nginx
nginx -t
#restart nginx if safe
nginx -s reload
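To avoid hand-encoding the header, the POSIX shell script below (an added example, not code from the Floodspark repository) builds the Authorization value for the proxy_set_header line, checks that it decodes back to user:password, and prints the two nginx lines to paste into default.conf. The user name dashboard_only and the password qE*7Pj43Or are the README's demo values; substitute the password you set. The function names are this example's own, and base64 -d assumes GNU coreutils or a recent BSD base64.

```shell
#!/bin/sh
# Added example (not part of Floodspark): generate the hard-coded Basic auth
# header for the resty/nginx proxy and verify it round-trips.

# Print "Basic <base64(user:password)>". printf '%s' is used instead of echo so
# no trailing newline is encoded; tr removes the line wrapping that some base64
# implementations insert.
basic_auth_header() {
    user="$1"
    pass="$2"
    printf '%s' "Basic $(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')"
}

# Decode a "Basic ..." header value back to user:password (verification only).
decode_basic_auth() {
    printf '%s' "${1#Basic }" | base64 -d
}

# Emit the two nginx directives the README asks you to edit: the Authorization
# header for the "location /" block, and the password-change location that must
# name the dashboard-only user so nobody can change its password through Kibana.
nginx_auth_snippet() {
    header=$(basic_auth_header "$1" "$2")
    printf '    proxy_set_header Authorization "%s";\n' "$header"
    printf 'location /api/security/v1/users/%s/password {\n' "$1"
}

# Usage: sh gen_auth.sh dashboard_only 'the-password-you-set'
if [ "$#" -eq 2 ]; then
    hdr=$(basic_auth_header "$1" "$2")
    if [ "$(decode_basic_auth "$hdr")" = "$1:$2" ]; then
        nginx_auth_snippet "$1" "$2"
    else
        echo "round-trip check failed" >&2
        exit 1
    fi
fi
```

Paste the printed proxy_set_header line under "proxy_set_header Host $http_host;" and use the printed location line in place of the floodspark one, then run nginx -t and nginx -s reload as above.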
#change the following line in /etc/nginx/conf.d/default.conf of the resty docker container:
proxy_pass http://elk:5601/;
#update the domain value in this line:
proxy_set_header Host [your domain here];
#reload the config:
nginx -s reload
#This should not really differ from a standard installation in NGINX
#Installation takes place in the resty docker container
#Steps might be similar to:
docker cp private.key resty:/etc/ssl/private/
docker cp ssl-bundle.crt resty:/etc/ssl/certs/
docker exec -it resty /bin/bash
nano /etc/nginx/conf.d/default.conf
#comment out the existing SSL cert information, resulting in something like:
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/private.key;
# ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
# ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
save.
nginx -t
nginx -s reload
#pause Redis to avoid blacklisting yourself
docker stop redis
#use wget, curl, a Chrome Incognito window and/or Tor Browser, etc. to generate data
#resume redis when you're ready to start blocking people again
docker start redis
#check status of all containers
docker ps -a
#debug a container
docker exec -it [container name] /bin/bash
#get command used to start container
docker inspect -f "{{.Name}} {{.Config.Cmd}}" $(docker ps -a -q)
#list all images
docker images
# ...for Redis
#run the redis-cli:
docker exec -it redis redis-cli
#list all keys (the blacklisted ip addresses) in the current database:
KEYS *
#delete every key from every Redis database, i.e. wipe the whole blacklist:
FLUSHALL
#leave redis-cli:
quit