diff --git a/README.md b/README.md index f733b66..1b566f3 100644 --- a/README.md +++ b/README.md @@ -19,9 +19,9 @@ If there is the need for other distros, "someone" has to check and maintain the ## Installation Reference the following files for OS-specific installation instructions: -[Raspbian](docs/install-instructions/Raspbian.md) (Recommended) -[Ubuntu](docs/install-instructions/Ubuntu.md) -[openSUSE](docs/install-instructions/openSUSE.md) +[Raspbian](docs/install-instructions/Raspbian.md) (Recommended), +[Ubuntu](docs/install-instructions/Ubuntu.md), +[openSUSE](docs/install-instructions/openSUSE.md) and [AWS](docs/install-instructions/AWS.md) ## Background: `install.sh` diff --git a/bin/install.sh b/bin/install.sh index f0713ce..f33af3c 100755 --- a/bin/install.sh +++ b/bin/install.sh @@ -519,17 +519,11 @@ if [ "$ID" == "opensuse-tumbleweed" ]; then distversion=Tumbleweed fi -if [ "$ID" == "opensuse-leap" ]; then - ID="opensuse" - dist='yum' - distversion=Leap -fi - dlog "dist: ${dist}, distversion: ${distversion}" if [ "$dist" == "invalid" ]; then outlog "You are not running a supported operating system. Right now, this script only works for Raspbian," - outlog "openSUSE Tumbleweed/Leap and Amazon Linux AMI." + outlog "openSUSE Tumbleweed and Amazon Linux AMI." outlog "Please ask info@dshield.org for help to add support for your OS. Include the /etc/os-release file." exit 9 fi @@ -540,7 +534,7 @@ if [ "$ID" != "raspbian" ] && [ "$ID" != "opensuse" ] && [ "$ID" != "raspbian" ] outlog " - Ubuntu 18.04" outlog " - Ubuntu 20.04" outlog " - Ubuntu 22.04" - outlog " - openSUSE Tumbleweed/Leap." + outlog " - openSUSE Tumbleweed." outlog "It may or may not work with your distro. Feel free to test and contribute." outlog "Press ENTER to continue, CTRL+C to abort." read lala 
@@ -625,23 +619,15 @@ if [ "$FAST" == "0" ]; then if [ "$ID" == "opensuse" ]; then outlog "Updating your openSUSE Operating System will now be done." - [ "$distversion" = "Tumbleweed" ] && run 'zypper --non-interactive dup --no-recommends' - [ "$distversion" = "Leap" ] && run 'zypper --non-interactive up --no-recommends' + run 'zypper --non-interactive dup --no-recommends' outlog "Installing additional packages" - [ "$distversion" == "Leap" ] && run 'zypper --non-interactive remove systemd-logger' - [ "$distversion" == "Tumbleweed" ] && - run 'zypper --non-interactive install --no-recommends cron gcc libffi-devel python38-devel libopenssl-devel rsyslog dialog' - [ "$distversion" == "Leap" ] && - run 'zypper --non-interactive install --no-recommends cron gcc libffi-devel python3-devel libopenssl-devel rsyslog dialog' + run 'zypper --non-interactive install --no-recommends cron gcc libffi-devel python311-devel libopenssl-devel rsyslog dialog' run 'zypper --non-interactive install --no-recommends perl-libwww-perl perl-Switch perl-LWP-Protocol-https python3-requests' run 'zypper --non-interactive install --no-recommends python3-Twisted python3-pycryptodome python3-pyasn1 python3-virtualenv' - run 'zypper --non-interactive install --no-recommends python3-zope.interface python3-pip rng-tools curl openssh unzip' + run 'zypper --non-interactive install --no-recommends python3-zope.interface python311-pip rng-tools curl openssh unzip' run 'zypper --non-interactive install --no-recommends net-tools-deprecated patch logrotate' run 'zypper --non-interactive install --no-recommends system-user-mail mariadb libmariadb-devel python3-PyMySQL jq' - [ "$distversion" == "Tumbleweed" ] && - run 'zypper --non-interactive install --no-recommends python3-python-snappy snappy-devel gcc-c++' - [ "$distversion" == "Leap" ] && - run 'zypper --non-interactive install --no-recommends snappy-devel gcc-c++' + run 'zypper --non-interactive install --no-recommends python3-python-snappy 
snappy-devel gcc-c++' # opensuse does not have packet wamerican so copy it mkdir -p /usr/share/dict cp $progdir/../dict/american-english /usr/share/dict/ @@ -1715,7 +1701,7 @@ do_copy $progdir/../srv/dshield/fwlogparser.py ${DSHIELDDIR} 700 do_copy $progdir/status.sh ${DSHIELDDIR} 700 do_copy $progdir/cleanup.sh ${DSHIELDDIR} 700 do_copy $progdir/../srv/dshield/DShield.py ${DSHIELDDIR} 700 -[ "$ID" = "opensuse" -a "$distversion" = "Tumbleweed" ] && +[ "$ID" = "opensuse" ] && run "patch ${DSHIELDDIR}/DShield.py $progdir/../srv/dshield/DShield.patch" # check: automatic updates allowed? @@ -1913,8 +1899,11 @@ OLDDIR=$(pwd) cd ${COWRIEDIR} dlog "installing global dependencies from ${SCRIPTDIR}/requirements.txt" -run 'pip3 install --upgrade pip' -run "pip3 install -r ${SCRIPTDIR}/requirements.txt" +# openSUSE does not support installation with pip ouside environments +if [ "$ID" != "opensuse" ] ; then + run "pip3 install --upgrade pip" + run "pip3 install -r ${SCRIPTDIR}/requirements.txt" +fi dlog "setting up virtual environment" run 'virtualenv --python=python3 cowrie-env' dlog "activating virtual environment" @@ -1938,10 +1927,12 @@ fi # we only need 'requests' # dlog "installing dependencies requirements-output.txt" # run 'pip3 install --upgrade -r requirements-output.txt' -run 'pip3 install --upgrade requests' -if [ ${?} -ne 0 ]; then - outlog "Error installing dependencies from requirements-output.txt. See ${LOGFILE} for details." - exit 9 +if [ "$ID" != "opensuse" ] ; then + run "pip3 install --upgrade requests" + if [ ${?} -ne 0 ]; then + outlog "Error installing dependencies from requirements-output.txt. See ${LOGFILE} for details." + exit 9 + fi fi cd ${OLDDIR} 
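Review bot: `python311-devel` and `python311-pip` pin an interpreter minor version, while every other package on the same lines (`python3-requests`, `python3-Twisted`, `python3-zope.interface`, …) follows whatever Tumbleweed's default python3 currently is; on a rolling distro the two can drift apart, and then the `pip3` and `virtualenv --python=python3` calls later in the script may not be the interpreter the zypper-installed modules belong to. Presumably 3.11 was chosen because it is the current default, but the hunk does not say, and the removed side used the unversioned `python3-pip`. Keeping the pin in one place, e.g. `suse_py=python311` defined once above the zypper lines and used as `${suse_py}-devel` / `${suse_py}-pip`, with the comment `# must match the python3 that the python3-* packages below are built for`, makes the coupling visible and a future bump a one-line change. The enclosing `if [ "$ID" == "opensuse" ]` block continues past the end of the hunk.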
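Review bot: The `dlog "installing global dependencies from ${SCRIPTDIR}/requirements.txt"` line just above the new `if` still runs on openSUSE, so the log reports an install that the branch then skips; moving the dlog inside the `if`, or adding an `else dlog "skipping system-wide pip install on openSUSE"` arm, keeps the log honest. The comment has a typo (`ouside` → `outside`) and would be more useful if it named the mechanism being worked around so a maintainer can tell when the guard becomes obsolete — presumably the externally-managed marker of the system Python, though the hunk does not show it. Nothing in this hunk installs the contents of requirements.txt on openSUSE by other means, so it silently relies on the zypper `python3-*` packages from the earlier hunk covering the same set; a comment saying exactly that (`# on openSUSE these come from the zypper python3-* packages installed above`) would make the dependency explicit.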
@@ -1990,12 +1981,7 @@ run 'chown -R cowrie:cowrie ${COWRIEDIR}' dlog "copying cowrie system files" -if [ "$ID" != "opensuse" ]; then - systemdpref="" -else # openSUSE - systemdpref="/usr" -fi -do_copy $progdir/../lib/systemd/system/cowrie.service ${systemdpref}/lib/systemd/system/cowrie.service 644 +do_copy $progdir/../lib/systemd/system/cowrie.service /lib/systemd/system/cowrie.service 644 do_copy $progdir/../etc/cron.hourly/cowrie /etc/cron.hourly 755 # make sure to remove old cowrie start if they exist @@ -2008,7 +1994,7 @@ run 'chown cowrie:cowrie ${COWRIEDIR}/log' run 'mkdir -p ${COWRIEDIR}/log/tty' run 'chmod 755 ${COWRIEDIR}/log/tty' run 'chown cowrie:cowrie ${COWRIEDIR}/log/tty' -find /etc/rc?.d -name '*cowrie*' -delete +[ -d /etc/rc?.d ] && find /etc/rc?.d -name '*cowrie*' -delete run 'systemctl daemon-reload' run 'systemctl enable cowrie.service' @@ -2024,8 +2010,8 @@ outlog "Installing ISC-Agent" dlog "installing ISC-Agent" # support for ubuntu server 22.04.2 LTS -dlog "(re)installing python attrs package" -run "pip3 install --ignore-installed attrs" +[ "$ID" != "opensuse" ] && dlog "(re)installing python attrs package" +[ "$ID" != "opensuse" ] && run "pip3 install --ignore-installed attrs" run "mkdir -p ${ISC_AGENT_DIR}" do_copy $progdir/../srv/isc-agent ${ISC_AGENT_DIR}/../ do_copy $progdir/../lib/systemd/system/isc-agent.service ${systemdpref}/lib/systemd/system/ 644 @@ -2034,7 +2020,7 @@ run "mkdir -m 0700 /srv/isc-agent/run" OLDPWD=$PWD cd ${ISC_AGENT_DIR} -run "pip3 install --upgrade pip" +[ "$ID" != "opensuse" ] && run "pip3 install --upgrade pip" ISCAGENTENV="/srv/isc-agent/virtenv" run "virtualenv --python=python3 $ISCAGENTENV" run "pip3 install --ignore-installed -r requirements.txt --prefix $ISCAGENTENV" diff --git a/docs/install-instructions/openSUSE.md b/docs/install-instructions/openSUSE.md index da074e8..9a36cbb 100644 --- a/docs/install-instructions/openSUSE.md +++ b/docs/install-instructions/openSUSE.md 
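Review bot: Removing the `systemdpref` assignment leaves `${systemdpref}` dangling in the isc-agent.service copy that is still visible as context in the @@ -2024 hunk (`do_copy $progdir/../lib/systemd/system/isc-agent.service ${systemdpref}/lib/systemd/system/ 644`); it now expands to empty, which happens to yield /lib/systemd/system, but it is an unset variable that would abort under `set -u` and is a trap for the next edit. Change that line to `do_copy $progdir/../lib/systemd/system/isc-agent.service /lib/systemd/system/ 644` to match the new cowrie.service line. Dropping the /usr prefix on openSUSE presumably relies on Tumbleweed's usr-merged /lib symlink; a one-line comment on the cowrie line saying so would spare the next reader from checking whether the unit still lands where systemd looks.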
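Review bot: `[ -d /etc/rc?.d ]` breaks on exactly the systems it is meant for: the unquoted glob expands to every matching directory (on a Debian-family host /etc/rc0.d … /etc/rc6.d and /etc/rcS.d), `[` then receives several operands and, on my reading, fails with a syntax error such as "too many arguments", so the cleanup `find` is skipped; only when nothing matches does the literal pattern fall through and correctly skip. Iterate over the matches instead: `for rcdir in /etc/rc?.d; do [ -d "$rcdir" ] && find "$rcdir" -name '*cowrie*' -delete; done`, which also keeps the no-match case quiet without relying on the literal-pattern fallback.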
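Review bot: The two consecutive `[ "$ID" != "opensuse" ] &&` one-liners (and the third at @@ -2034) express one decision as separate guards, whereas the @@ -1913 and @@ -1938 hunks of the same commit wrap the same condition in an `if … fi` block; picking one form, preferably `if [ "$ID" != "opensuse" ]; then dlog "(re)installing python attrs package"; run "pip3 install --ignore-installed attrs"; fi`, means a future third statement cannot be left unguarded by accident. The reason openSUSE is excluded is explained only by the comment at @@ -1913; a short comment here (`# system pip is not used on openSUSE, see the cowrie section`) would save the reader the jump.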
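Review bot: `run "pip3 install --ignore-installed -r requirements.txt --prefix $ISCAGENTENV"` still invokes the system pip3 on openSUSE, the situation the new comment at @@ -1913 declares unsupported there; only the `--upgrade pip` step in this hunk got the guard. Whether `--prefix` exempts pip from that restriction is not something the hunk shows, so either confirm it and note it in a comment, or use the freshly created environment's own interpreter, `run "$ISCAGENTENV/bin/pip install --ignore-installed -r requirements.txt"`, which behaves the same on every distro and makes the guard unnecessary.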
@@ -1,7 +1,7 @@ - + # dshield -## DShield Raspberry Pi Sensor for openSUSE Leap 15.3 and Tumbleweed system +## DShield Raspberry Pi Sensor for openSUSE Tumbleweed system This is a set of scripts to setup a Raspberry Pi as a DShield Sensor. 
@@ -14,15 +14,13 @@ Current design goals and prerequisites for using the automated installation proc - support for IPv4 only (for the internal net) - one interface only (e.g. eth0) -The current version is tested on Raspberry Pi OS, Ubuntu 22.04 LTS Server and on openSUSE Leap 15.3 and Tumbleweed, -not on other distros, sorry. -If there is the need for other distros, "someone" has to check and maintain the installation script. +The current version is tested on openSUSE Tumbleweed. ## Installation In order to use the installation script on the Raspberry Pi, you will need to first prepare it. For openSUSE it is assumed that you are using openSUSE for this preparation. -- get the openSUSE image for your Raspberry Pi for Leap 15.3 [RPI3 from](http://download.opensuse.org/ports/aarch64/distribution/leap/15.3/appliances/openSUSE-Leap-15.3-ARM-JeOS-raspberrypi3.aarch64.raw.xz) or [RPi4 from](http://download.opensuse.org/ports/aarch64/distribution/leap/15.3/appliances/openSUSE-Leap-15.3-ARM-JeOS-raspberrypi4.aarch64.raw.xz) for Tumbleweed [RPi3 from](http://download.opensuse.org/ports/aarch64/tumbleweed/appliances/openSUSE-Tumbleweed-ARM-JeOS-raspberrypi4.aarch64.raw.xz) or [RPi4 from](http://download.opensuse.org/ports/aarch64/tumbleweed/appliances/openSUSE-Tumbleweed-ARM-JeOS-raspberrypi3.aarch64.raw.xz) +- get the openSUSE image for your Raspberry Pi for Tumbleweed [RPi3 and RPi4 from](http://download.opensuse.org/ports/aarch64/tumbleweed/appliances/openSUSE-Tumbleweed-ARM-JeOS-raspberrypi3.aarch64.raw.xz) - put it onto a micro-SD card (e.g. using procedures described [here for RPi3](https://en.opensuse.org/HCL:Raspberry_Pi3) or [here for RPi4](https://en.opensuse.org/HCL:Raspberry_Pi4) - insert the micro-SD card in the Pi and power it on, to boot the Pi from the micro-SD card. 
@@ -38,13 +36,9 @@ In order to use the installation script on the Raspberry Pi, you will need to fi - make sure the Pi can reach out to the Internet using http(s), can resolve DNS, ... (DHCP) - you may use the command *yast language* to set your language as the default language, the layout of the keyboard and the timezone. - The first thing the install script will do is update the system. - - For Leap 15.3 it uses: - - *zypper up --no-recommends* - - - For Tumbleweed use: + - For Tumbleweed it uses: - *zypper dup --no-recommends* + *zypper dup --no-interactive --no-recommends* - reboot @@ -56,7 +50,7 @@ In order to use the installation script on the Raspberry Pi, you will need to fi - get GIT repository - git clone https://github.com/Dshield-ISC/dshield.git + git clone https://github.com/Dshield-ISC/dshield.git – in case you do a reinstall of a previous system, you should have saved the files `/etc/dshield.ini` and `/etc/dshield.sslca`, copy these files in the same locations; when you run the installation script answers are filled in and you only need to acknowledge the questions @@ -76,7 +70,7 @@ In order to use the installation script on the Raspberry Pi, you will need to fi - from now on you have to use port 12222 to connect to the device by SSH - expose the Pi to inbound traffic. For example, in many firewalls and home routers - you will be able to configure it as a "DMZ Hosts", "exposed devices", ... see [hints below](#how-to-place-the-dshield-sensor--honeypot) for - well - hints ... + you will be able to configure it as a "DMZ Host", "exposed devices", ... see [hints below](#how-to-place-the-dshield-sensor--honeypot) for - well - hints ... ## Background: `install.sh` 
@@ -87,15 +81,13 @@ This script will: – openSUSE, from version 88 on, will use nftables instead of the depricated iptables - change your ssh server to listen on port 12222 for you as administator (access only from configurable IP addresses) - install the ssh honeypot cowrie (for ssh and telnet) -- install honeypot web server +- install honeypot web server (isc-agent) - install needed environment (Perl and Python3 packages, bash scripts...) ## Troubleshooting - logs are sent twice an hour to the [dshield portal](https://www.dshield.org) by the cron job `/etc/cron.d/dshield`, this can be verified by ['My Account' -> 'My Reports'](https://www.dshield.org/myreports.html) -- have a look at the output from the status script: `/root/install/dshield/bin/status.sh` -- if you get strange python / pip errors during installation / updates you may try the following commands as root: -`pip freeze --local | grep -v '^\-e' | cut -d = -f 1 | xargs -n1 pip install -U` +- have a look at the output from the status script: `/root/install/dshield/bin/status.sh`or /srv/dshield/status.sh ## Updates 
@@ -103,20 +95,24 @@ This script will: Inside your "dshield" directory (the directory created above when you run `git clone`), run -*cd install/dshield* +*cd ~/dshield* *git pull* -*bin/install.sh* +*bin/install.sh --update* +The "--update" parameter will automatically use the existing configuration and not prompt the user for any configuration options. Configuration parameters like your API Key will be retained. To edit the configuration, edit `/etc/dshield.ini`, rerun the install.sh script to configure the firewall. Editing `/etc/network/iptables` or `/etc/network/ruleset.nft` is not recommended (note: nat table is also used). + Also certificate information is saved in `/etc/dshield.sslca`. Save these two `/etc/dshield.*` files on another system, and put these back in `/etc/` before you run the installation script, when you start allover again. +A feature is available, especially for automatic updates. At the end of the installation the install.sh script will search for the file `/root/bin/postinstall.sh` and execute its content, if it exists. If you need some extra changes in the newly installed files, this is the location to put them. This file NEEDS execute rights + Please make sure to keep special port and network configuration up to date (e.g. manually configure recently added telnet / web ports in firewall config), e.g. no-log config, no-honey config, ... unfortunately this can't be done automagically as of now. If unsure delete respective lines in `/etc/dshield.ini` and re-run the installation script. Testing of update procedure is normally done (between two releases) as follows: - update on Pi 3 from the last version to current -- install on a current clean image of raspbian lite on a Pi 3 +- install on a current clean image of openSUSE Tumbleweed on a Pi 4 ## Hints 
@@ -141,7 +137,7 @@ To test your set up you may use a public port scanner and point it to the router - cursor up / down: navigate through form / between input fields - cursor left / right: navigate within an input field - TAB: swich between input field and "buttons" -- don't use Pos 1 / End +- don't use Home / End ## Todos @@ -151,18 +147,7 @@ To test your set up you may use a public port scanner and point it to the router - see comments in install.sh - see GIT commit comments - - -## DEV Instance - web.py - -- It will not change the links at this time - to do -- Any data posted or user request strings will be logged to DB\webserver.sqlite - -web.py - it will serve up a very basic page that can accept input and files. -Todo: -- Need to figure out how to serve up vulnerable pages - probably from the path -- SQL Injection - will likely use separate dorked database -- Would like to integrate with cowrie for shell attacks - (BHAG) +- An earlier version did support openSUSE Leap 15.3, which is end of life. The version 15.5 has Python 3.6, which is too old to support the current version of this software, so support for openSUSE Leap has been withdrawn. Any input appreciated - Please file a bug report / issue via github - thanks! diff --git a/srv/isc-agent/requirements.txt b/srv/isc-agent/requirements.txt index 6fc0ab0..ef5b218 100644 --- a/srv/isc-agent/requirements.txt +++ b/srv/isc-agent/requirements.txt 
@@ -12,7 +12,7 @@ defusedxml==0.7.1 ; python_full_version >= "3.7.1" and python_full_version < "4.
 dnspython==2.3.0 ; python_full_version >= "3.7.1" and python_version < "4.0"
 email-validator==2.0.0.post2 ; python_full_version >= "3.7.1" and python_full_version < "4.0.0"
 exceptiongroup==1.1.3 ; python_full_version >= "3.7.1" and python_version < "3.11"
-greenlet==2.0.2 ; python_full_version >= "3.7.1" and (platform_machine == "aarch64" or platform_machine == "ppc64le" or platform_machine == "x86_64" or platform_machine == "amd64" or platform_machine == "AMD64" or platform_machine == "win32" or platform_machine == "WIN32") and python_full_version < "4.0.0"
+greenlet==3.0.0 ; python_full_version >= "3.7.1" and (platform_machine == "aarch64" or platform_machine == "ppc64le" or platform_machine == "x86_64" or platform_machine == "amd64" or platform_machine == "AMD64" or platform_machine == "win32" or platform_machine == "WIN32") and python_full_version < "4.0.0"
 h2==4.1.0 ; python_full_version >= "3.7.1" and python_full_version < "4.0.0"
 hpack==4.0.0 ; python_full_version >= "3.7.1" and python_full_version < "4.0.0"
 hyperframe==6.0.1 ; python_full_version >= "3.7.1" and python_full_version < "4.0.0"
@@ -42,6 +42,6 @@ sqlalchemy==1.4.49 ; python_full_version >= "3.7.1" and python_full_version < "4
 twisted-iocpsupport==1.0.4 ; python_full_version >= "3.7.1" and python_full_version < "4.0.0" and platform_system == "Windows"
 twisted[all-non-platform,http2]==22.10.0 ; python_full_version >= "3.7.1" and python_full_version < "4.0.0"
 typing-extensions==4.7.1 ; python_full_version >= "3.7.1" and python_full_version < "4.0.0"
-urllib3==1.26.16 ; python_full_version >= "3.7.1" and python_full_version < "4.0.0"
+urllib3==1.26.17 ; python_full_version >= "3.7.1" and python_full_version < "4.0.0"
 zipp==3.15.0 ; python_full_version >= "3.7.1" and python_version < "3.8"
-zope-interface==6.0 ; python_full_version >= "3.7.1" and python_full_version < "4.0.0"
+zope-interface==6.1 ; python_full_version >= "3.7.1" and python_full_version < "4.0.0"