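#!/bin/bash
# Provision a CentOS host as an OpenCanary honeypot:
#   yum updates, EPEL + awscli, AWS credentials for root, a cron job that copies
#   the opencanary log to S3, a logrotate rule, a python3 virtualenv holding
#   opencanary, a systemd unit, sshd moved to port 2222 and the SELinux rules
#   that allow all of it. Expects the setup files under /home/centos/ocanary-setup/.
#
# - TODO IMPORTANT - the 'setenforce 0' line below is commented out; keep it
#   that way for production (see the SELinux section).
# - TODO the cron job runs at minute '0'; use '*' only while testing.
# - TODO replace the hard-coded 'centos' user (see target_home). Note that under
#   sudo $USER is 'root', so ${SUDO_USER} is the variable that names the caller.

# - Check for root. Everything below runs as root, so the per-command 'sudo'
#   prefixes of the original are not needed.
if [[ "$EUID" != 0 ]]; then
  echo "This script must be run with sudo" >&2
  exit 1
fi

# - Paths and names used throughout (the 'centos' user is hard-coded for now).
target_home=/home/centos
setup_dir="$target_home/ocanary-setup"
log_dir="$target_home/opencanary_logs"
venv_dir=/var/lib/canary-env
s3_bucket=s3://s3-protonlab-02

# - Set current working dir
cd "$target_home" || exit 1

# - Update ('yum check-update' exits 100 when updates exist; that is informational)
echo "Checking for updates..."
yum check-update
yum update -y

# - Install required packages
echo "Installing required packages (git, vim, virtualenv)..."
yum install -y git vim virtualenv

# - Install EPEL repo (Extra Packages for Enterprise Linux); awscli lives in it
echo "Adding EPEL repo..."
yum install -y epel-release.noarch
echo "Checking for updates..."
yum check-update
yum update -y

# - Install AWS Client (from EPEL)
echo "Installing Amazon AWS Client (awscli.noarch)..."
yum install -y awscli.noarch

# - Configure AWS Client: copy credentials and config to root. The directory is
#   root-only (700) rather than 755: nothing but root ever needs to list it.
echo "Copy of awscli config (credentials and config file)..."
cp -R "$setup_dir/.aws" /root/
chown -R root:root /root/.aws
chmod 700 /root/.aws
chmod 600 /root/.aws/*

# - Create folder to sync with S3 Bucket (where a copy of ocanary logs is kept).
#   Directories need the execute bit to be traversable, hence 700 and not 600.
echo "Creating folder that will contain a copy of ocanary logs (under $log_dir/) ..."
mkdir -p "$log_dir/to_sync"
chmod 700 "$log_dir" "$log_dir/to_sync"

# - Add the cron job to root's crontab (copy of the log, chmod, aws S3 sync).
#   'crontab -l' exits non-zero and complains when there is no crontab yet; the
#   resulting empty file is what we want. The entry is appended only when it is
#   not already present, so re-running this script does not duplicate it.
echo "Adding cron jobs (copy of logs in $log_dir/to_sync and aws S3 sync) ..."
cron_entry="0 * * * * cp $log_dir/opencanary.log $log_dir/to_sync; chmod 600 $log_dir/to_sync/opencanary.log; aws s3 sync $log_dir/to_sync $s3_bucket"
crontab -l > /root/cron_content 2>/dev/null
if ! grep -qF -- "$cron_entry" /root/cron_content; then
  printf '%s\n' "$cron_entry" >> /root/cron_content
fi
crontab /root/cron_content

# - Create LogRotate rule
echo "Creating a LogRotate rule..."
cp "$setup_dir/opencanary.logrotate" /etc/logrotate.d/opencanary

# - Create Virtual Environment. It is never activated in this shell: the original
#   'sudo source .../activate' cannot work ('source' is a shell builtin, not a
#   program), and every python/pip call below names the venv binaries explicitly.
echo "Creating virtual env..."
virtualenv -p python3 "$venv_dir"

# - Clone Opencanary Git repo
echo "Cloning opencanary git repo..."
git clone https://github.com/thinkst/opencanary

# - Opencanary initial setup, installed into the venv. Stop if the clone did not
#   produce the directory: the install steps below make no sense elsewhere.
echo "Opencanary general install..."
cd opencanary || exit 1
"$venv_dir/bin/python" setup.py install
"$venv_dir/bin/pip" install -r requirements.txt

# - Opencanary config
echo "Creating Opencanary config..."
mkdir -p /etc/opencanaryd
cp "$setup_dir/opencanary.conf" /etc/opencanaryd/opencanary.conf

# - Import HTTP Honeypot Proton Skin
echo "Import HTTP Honeypot Proton Skin..."
cp -R "$setup_dir/protonLogin_2/" "$target_home/opencanary/opencanary/modules/data/http/skin/"

# - Copy Service config
echo "Making Opencanary run as a service..."
cp "$setup_dir/opencanary.service" /etc/systemd/system/opencanary.service

# - Reload services daemon to add opencanary.service
systemctl daemon-reload

# - Enable opencanary.service at boot
echo "Enable Opencanary service at boot..."
systemctl enable opencanary.service

# - Update SSH port to 2222 on the system (OpenCanary runs its HoneyPot on port 22).
#   The default config is backed up first.
echo "Updating SSHD config (make sshd run on port 2222, let port 22 for HoneyPot)..."
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bkp
sed -i 's/#Port\ 22/Port 2222/g' /etc/ssh/sshd_config

# - SELinux: let sshd bind on port 2222. '-a' fails when the port is already
#   defined (e.g. on a second run); in that case modify the existing entry.
echo "Adding rule for SELinux to let SSHD listen on port 2222..."
semanage port -a -t ssh_port_t -p tcp 2222 2>/dev/null \
  || semanage port -m -t ssh_port_t -p tcp 2222

# - Change opencanaryd file type to 'bin_t' so the process does not transition
#   into a confined domain; without this SELinux blocks many of its actions.
#   NOTE: chcon only labels the file on disk; a filesystem relabel (restorecon)
#   resets it. A persistent rule would need 'semanage fcontext'.
echo "Adding rules for SELinux to let opencanaryd service run..."
chcon -t bin_t "$venv_dir/bin/opencanaryd"

# - SELinux stays in enforcing mode. The original printed "Setting SELinux to
#   permissive" although the command is commented out; say what really happens.
echo "SELinux is NOT set to permissive ('setenforce 0' is commented out - keep it that way for production)"
# ----- TODO Change this setting -----
# - Set SELinux to permissive (disabled on purpose)
#setenforce 0
# ------------------------------------

# - Restart ssh-server. Ask first: once sshd restarts, new SSH connections must
#   use port 2222.
read -p "Restart ssh server now ?" -r
echo ""
if [[ $REPLY =~ ^[Yy]$ ]]; then
  echo "SSH Server restarting..."
  systemctl restart sshd.service
  echo "SSH Server restarted"
  # - Enable and start service
  echo "Start opencanary service"
  systemctl start opencanary.service
else
  printf '%s\n' \
    "For OpenCanary to run you must:" \
    "- restart sshd" \
    "- start opencanary" \
    "" \
    "sudo systemctl restart sshd.service" \
    "sudo systemctl start opencanary.service"
fi

# - Wait for Opencanary to finish starting: the log file appears once it is up.
#   Poll for it for up to 7 seconds (7 x 1 s), then check the unit state.
echo "Waiting for Opencanary to finish starting process..."
check_oc_running_tries=0
while [[ ! -f "$log_dir/opencanary.log" ]] && (( check_oc_running_tries <= 6 )); do
  sleep 1
  check_oc_running_tries=$((check_oc_running_tries + 1))
  printf '%s\n' "Opencanary not running... " "[ waiting ]"
done

# - If Opencanary is running. The unit's exit status is tested directly; the
#   original 'if $(systemctl ...)' executed the command's (empty) output.
if systemctl is-active --quiet opencanary.service; then
  # - Restrict the log file to root (rw). Needed for the first run only:
  #   logrotate enforces the permission at the first rotation.
  echo "Changing permissions on opencanary log file..."
  chmod 600 "$log_dir/opencanary.log"
  printf '\nThe system says that Opencanary is now running\n'
else
  echo "Opencanary could not run :("
fi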