182 lines
6.2 KiB
Bash
Executable File
182 lines
6.2 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# - TODO IMPORTANT - This file contains a line with 'setenforce 0'
|
|
# - TODO change cron job minute from '*' to '0' (set this for tests)
|
|
# - TODO change 'centos' with $USER env variable everywhere
|
|
|
|
|
|
# - Check sudo
|
|
|
|
if [[ "$EUID" != 0 ]]; then
|
|
echo "This script must be run with sudo"
|
|
exit
|
|
fi
|
|
|
|
# - Set current working dir
|
|
cd /home/centos/
|
|
|
|
# - Update
|
|
#sudo apt-get update && sudo apt-get dist-upgrade
|
|
echo "Checking for updates..."
|
|
yum check-update
|
|
sudo yum update -y
|
|
|
|
# - Install required packages
|
|
#sudo apt-get install python3-dev python3-pip python3-virtualenv python3-venv python3-scapy libssl-dev libpcap-dev
|
|
echo "Installing required packages (git, vim, virtualenv)..."
|
|
sudo yum install git -y
|
|
sudo yum install vim -y
|
|
sudo yum install virtualenv -y
|
|
|
|
|
|
# - Install EPEL repo (Extra Packages for Enterprise Linux)
|
|
# - AWSClient present in it
|
|
echo "Adding EPEL repo..."
|
|
sudo yum install epel-release.noarch -y
|
|
echo "Checking for updates..."
|
|
yum check-update
|
|
sudo yum update -y
|
|
|
|
# - Install AWS Client (from EPEL)
|
|
echo "Installing Amazon AWS Client (awscli.noarch)..."
|
|
sudo yum install awscli.noarch -y
|
|
|
|
# - Configure AWS Client
|
|
echo "Copy of awscli config (credentials and config file)..."
|
|
sudo cp -R /home/centos/ocanary-setup/.aws /root/
|
|
sudo chmod -R 755 /root/.aws
|
|
sudo chmod 600 /root/.aws/*
|
|
sudo chown -R root:root /root/.aws
|
|
|
|
# - Create folder to sync with S3 Bucket (where we will store a copy of ocanary logs)
|
|
echo "Creating folder that will contain a copy of ocanary logs (under /home/$USER/opencanary_logs/) ..."
|
|
sudo mkdir /home/centos/opencanary_logs
|
|
sudo mkdir /home/centos/opencanary_logs/to_sync
|
|
|
|
sudo chmod -R 600 /home/centos/opencanary_logs
|
|
# - ( umask not working properly)
|
|
#sudo umask 077 /home/centos/opencanary_logs/
|
|
|
|
# - Add cron jobs in crontab
|
|
echo "Adding cron jobs (copy of logs in /home/$USER/opencanary_logs/to_sync and aws S3 sync) ..."
|
|
sudo crontab -l > /root/cron_content
|
|
sudo echo "0 * * * * cp /home/centos/opencanary_logs/opencanary.log /home/centos/opencanary_logs/to_sync; sudo chmod 600 /home/centos/opencanary_logs/to_sync/opencanary.log; aws s3 sync /home/centos/opencanary_logs/to_sync s3://s3-protonlab-02" >> /root/cron_content
|
|
sudo crontab /root/cron_content
|
|
|
|
# - Create LogRotate rule
|
|
echo "Creating a LogRotate rule..."
|
|
sudo cp /home/centos/ocanary-setup/opencanary.logrotate /etc/logrotate.d/opencanary
|
|
|
|
# - Create Virtual Environment
|
|
echo "Creating virtual env..."
|
|
sudo virtualenv -p python3 /var/lib/canary-env
|
|
sudo source /var/lib/canary-env/bin/activate
|
|
|
|
# - Python (pip update)
|
|
#pip install --upgrade pip setuptools
|
|
|
|
# - Clone Opencanary Git repo
|
|
echo "Cloning opencanary git repo..."
|
|
git clone https://github.com/thinkst/opencanary
|
|
|
|
# - Opencanary initial setup
|
|
echo "Opencanary general install..."
|
|
cd opencanary
|
|
##pip install opencanary
|
|
#python setup.py install
|
|
sudo /var/lib/canary-env/bin/python setup.py install
|
|
sudo /var/lib/canary-env/bin/pip install -r requirements.txt
|
|
# - Opencanary config
|
|
echo "Creating Opencanary config..."
|
|
sudo mkdir /etc/opencanaryd -p
|
|
sudo cp /home/centos/ocanary-setup/opencanary.conf /etc/opencanaryd/opencanary.conf
|
|
|
|
# - Import HTTP Honeypot Proton Skin
|
|
echo "Import HTTP Honeypot Proton Skin..."
|
|
sudo cp -R /home/centos/ocanary-setup/protonLogin_2/ /home/centos/opencanary/opencanary/modules/data/http/skin/
|
|
|
|
# - Copy Service config
|
|
echo "Making Opencanary run as a service..."
|
|
sudo cp /home/centos/ocanary-setup/opencanary.service /etc/systemd/system/opencanary.service
|
|
|
|
# - Reload services daemon to add opencanary.service
|
|
sudo systemctl daemon-reload
|
|
|
|
# - Enable opencanary.service at boot
|
|
echo "Enable Opencanary service at boot..."
|
|
sudo systemctl enable opencanary.service
|
|
|
|
# - Update SSH port to 2222 on the system (OpenCanary runs HoneyPot on port 22)
|
|
# Backup default config
|
|
echo "Updating SSHD config (make sshd run on port 2222, let port 22 for HoneyPot)..."
|
|
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bkp
|
|
|
|
# Change port to 2222
|
|
sudo sed -i 's/#Port\ 22/Port 2222/g' /etc/ssh/sshd_config
|
|
|
|
echo "Adding rule for SELinux to let SSHD listen on port 2222..."
|
|
# Add SELinux policy to let ssh bind on port 2222
|
|
sudo semanage port -a -t ssh_port_t -p tcp 2222
|
|
|
|
# Change opencanaryd file type to a 'bin_t' type. Will ensure that the file type does not trisition to a confined domain
|
|
# Without this instruction, SELinux will block many actions
|
|
echo "Adding rules for SELinux to let opencanaryd service run..."
|
|
sudo chcon -t bin_t /var/lib/canary-env/bin/opencanaryd
|
|
#sudo semanage fcontext -a -t bin_t /var/lib/canary-env/bin/opencanaryd
|
|
|
|
echo "Setting SELinux to permisive - IMPORTANT - This action must be removed for production"
|
|
# ----- TODO Change this setting -----
|
|
# - Set SELinux to permisive
|
|
#sudo setenforce 0
|
|
# ------------------------------------
|
|
|
|
# Restart ssh-server
|
|
read -p "Restart ssh server now ?" -r
|
|
echo ""
|
|
|
|
# - Don't ask user confirmation (run with ansible)
|
|
if [ true ]
|
|
#if [[ $REPLY =~ ^[Yy]$ ]]
|
|
then
|
|
echo "SSH Server restarting..."
|
|
sudo systemctl restart sshd.service
|
|
echo "SSH Server restarted"
|
|
|
|
# - Enable and start service
|
|
echo "Start opencanary service"
|
|
sudo systemctl start opencanary.service
|
|
else
|
|
echo "For OpenCanary to run you must:"
|
|
echo "- restart sshd"
|
|
echo "- start opencanary"
|
|
echo ""
|
|
echo "sudo systemctl restart sshd.service"
|
|
echo "sudo systemctl start opencanary.service"
|
|
fi
|
|
|
|
# - Wait for Opencanary to start completely, and create the log file
|
|
echo "Waiting for Opencanary to finish starting process..."
|
|
|
|
# - To do so, we first try to see if the logfile is now present on the system
|
|
# - If the log file is not present, we wait a few more seconds
|
|
check_oc_running_tries=0
|
|
while [ ! -f /home/centos/opencanary_logs/opencanary.log ] && [ $check_oc_running_tries -le 6 ]
|
|
do
|
|
sleep 1
|
|
check_oc_running_tries=$((check_oc_running_tries+1))
|
|
echo "Opencanary not running... [ waiting ]"
|
|
done
|
|
|
|
# - If Opencanary is running
|
|
if $(systemctl is-active --quiet opencanary.service)
|
|
then
|
|
# - Set rw permission to root only for the log file
|
|
# - This is important for the first run, then logrotate will force the permission at the first rotation
|
|
echo "Changing permissions on pencanary log file..."
|
|
sudo chmod 600 /home/centos/opencanary_logs/opencanary.log
|
|
echo -e "\nThe system says that Opencanary is now running"
|
|
else
|
|
echo "Opencanary could not run :("
|
|
fi
|
|
|