telekom-security / tpotce

🍯 T-Pot - The All In One Multi Honeypot Platform 🐝
GNU General Public License v3.0

Map wrong location shown #1485

Closed wirehack7 closed 9 months ago

wirehack7 commented 9 months ago

⚠️ Basic support information (commands are expected to run as root)

```
NAME                  STATUS                   PORTS
adbhoney              Up 23 minutes (healthy)  0.0.0.0:5555->5555/tcp
ciscoasa              Up 23 minutes            0.0.0.0:5000->5000/udp, 0.0.0.0:8443->8443/tcp
citrixhoneypot        Up 23 minutes            0.0.0.0:443->443/tcp
conpot_guardian_ast   Up 23 minutes (healthy)  0.0.0.0:10001->10001/tcp
conpot_iec104         Up 23 minutes (healthy)  0.0.0.0:161->161/udp, 0.0.0.0:2404->2404/tcp
conpot_ipmi           Up 23 minutes (healthy)  0.0.0.0:623->623/udp
conpot_kamstrup_382   Up 23 minutes (healthy)  0.0.0.0:1025->1025/tcp, 0.0.0.0:50100->50100/tcp
cowrie                Up 23 minutes            0.0.0.0:22-23->22-23/tcp
ddospot               Up 23 minutes            0.0.0.0:19->19/udp, 0.0.0.0:53->53/udp, 0.0.0.0:123->123/udp, 0.0.0.0:1900->1900/udp
dicompot              Up 23 minutes            0.0.0.0:11112->11112/tcp
dionaea               Up 23 minutes (healthy)  0.0.0.0:20-21->20-21/tcp, 0.0.0.0:42->42/tcp, 0.0.0.0:81->81/tcp, 0.0.0.0:135->135/tcp, 0.0.0.0:445->445/tcp, 0.0.0.0:1433->1433/tcp, 0.0.0.0:1723->1723/tcp, 0.0.0.0:1883->1883/tcp, 0.0.0.0:3306->3306/tcp, 0.0.0.0:27017->27017/tcp, 0.0.0.0:69->69/udp
elasticpot            Up 23 minutes            0.0.0.0:9200->9200/tcp
elasticsearch         Up 23 minutes (healthy)  127.0.0.1:64298->9200/tcp
ewsposter             Up 23 minutes
fatt                  Up 24 minutes
heralding             Up 23 minutes            0.0.0.0:110->110/tcp, 0.0.0.0:143->143/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:993->993/tcp, 0.0.0.0:995->995/tcp, 0.0.0.0:1080->1080/tcp, 0.0.0.0:5432->5432/tcp, 0.0.0.0:5900->5900/tcp
honeytrap             Up 23 minutes
ipphoney              Up 23 minutes            0.0.0.0:631->631/tcp
kibana                Up 21 minutes (healthy)  127.0.0.1:64296->5601/tcp
logstash              Up 21 minutes (healthy)
mailoney              Up 23 minutes            0.0.0.0:25->25/tcp
map_data              Up 21 minutes
map_redis             Up 23 minutes
map_web               Up 23 minutes            127.0.0.1:64299->64299/tcp
medpot                Up 23 minutes            0.0.0.0:2575->2575/tcp
nginx                 Up 24 minutes
p0f                   Up 24 minutes
redishoneypot         Up 23 minutes            0.0.0.0:6379->6379/tcp
sentrypeer            Up 23 minutes            0.0.0.0:5060->5060/udp
snare                 Up 23 minutes            0.0.0.0:80->80/tcp
spiderfoot            Up 23 minutes (healthy)  127.0.0.1:64303->8080/tcp
suricata              Up 24 minutes
tanner                Up 23 minutes
tanner_api            Up 23 minutes
tanner_phpox          Up 23 minutes
tanner_redis          Up 23 minutes
```

- What is the status of the T-Pot service (`systemctl status tpot`)?

```
● tpot.service - tpot
     Loaded: loaded (/etc/systemd/system/tpot.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-03-05 13:20:09 UTC; 24min ago
    Process: 782 ExecStartPre=/opt/tpot/bin/updateip.sh (code=exited, status=0/SUCCESS)
    Process: 822 ExecStartPre=/bin/bash -c /opt/tpot/bin/clean.sh on (code=exited, status=0/SUCCESS)
    Process: 1018 ExecStartPre=/opt/tpot/bin/tpdclean.sh -y (code=exited, status=0/SUCCESS)
    Process: 1120 ExecStartPre=/bin/bash -c /sbin/ethtool --offload $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | tr -d [:punct:]) rx off tx off (code=exited, status=0/SUCCESS)
    Process: 1126 ExecStartPre=/bin/bash -c /sbin/ethtool -K $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | tr -d [:punct:]) gso off gro off (code=exited, status=0/SUCCESS)
    Process: 1132 ExecStartPre=/bin/bash -c /sbin/ip link set $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | tr -d [:punct:]) promisc on (code=exited, status=0/SUCCESS)
    Process: 1138 ExecStartPre=/opt/tpot/bin/rules.sh /opt/tpot/etc/tpot.yml set (code=exited, status=0/SUCCESS)
    Process: 1218 ExecStartPost=/bin/bash -c /usr/bin/sleep 30 && /usr/sbin/conntrack -D -p udp (code=exited, status=0/SUCCESS)
   Main PID: 1217 (docker-compose)
      Tasks: 38 (limit: 9490)
     Memory: 63.3M
        CPU: 34.980s
     CGroup: /system.slice/tpot.service
             └─1217 /usr/bin/python3 /usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color

Mar 05 13:44:31 c20dayagency docker-compose[1217]: honeytrap | Loading plugin vncDownload v1.0.1
Mar 05 13:44:31 c20dayagency docker-compose[1217]: honeytrap | Loading plugin SaveFile v1.0.1
Mar 05 13:44:31 c20dayagency docker-compose[1217]: honeytrap | Loading plugin logattacker v1.0.2
Mar 05 13:44:31 c20dayagency docker-compose[1217]: honeytrap | Loading plugin logjson v1.1.0
Mar 05 13:44:31 c20dayagency docker-compose[1217]: honeytrap | Servers will run as user honeytrap (2000).
Mar 05 13:44:31 c20dayagency docker-compose[1217]: honeytrap | Servers will run as group honeytrap (2000).
Mar 05 13:44:31 c20dayagency docker-compose[1217]: honeytrap | Loading default responses.
Mar 05 13:44:31 c20dayagency docker-compose[1217]: honeytrap | Connections will be handled in normal mode by default.
Mar 05 13:44:31 c20dayagency docker-compose[1217]: honeytrap | Logging to /opt/honeytrap/var/log/honeytrap.log.
Mar 05 13:44:31 c20dayagency docker-compose[1217]: honeytrap | Core module initialized.
```

- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `netstat -tulpen`

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      1000       34985      6269/sshd: tsec@pts
tcp        0      0 127.0.0.1:45187         0.0.0.0:*               LISTEN      0          423        509/containerd
tcp        0      0 0.0.0.0:64295           0.0.0.0:*               LISTEN      0          15421      521/sshd: /usr/sbin
tcp        0      0 127.0.0.1:33617         0.0.0.0:*               LISTEN      1000       40500      8772/cockpit-bridge
tcp        0      0 127.0.0.1:36403         0.0.0.0:*               LISTEN      0          41411      8780/cockpit-bridge
tcp6       0      0 ::1:6010                :::*                    LISTEN      1000       34984      6269/sshd: tsec@pts
tcp6       0      0 :::64294                :::*                    LISTEN      0          10589      1/init
tcp6       0      0 :::64295                :::*                    LISTEN      0          15423      521/sshd: /usr/sbin
```

- If a single container shows as `DOWN` you can run `docker logs <container-name>` for the latest log entries

The location on the map is wrong, when I use `updateip.sh` it receives the correct loc from ipinfo.io.  Also I see it correctly during boot.
On the map the loc is in the middle of the USA. I wonder where these data come from, as it should be in Europe.

![image](https://github.com/telekom-security/tpotce/assets/1439039/27e1cc4a-1d6e-4308-bb59-e68e8f6e8d94)
![image](https://github.com/telekom-security/tpotce/assets/1439039/56ef1c1c-6fea-4829-97e1-2d3b73888a9a)

```
/opt/tpot/bin/updateip.sh
Trying: dig +short whoami.akamai.net @ns1-1.akamaitech.net
[MAIN] ip =
HONEY_UUID=
MY_EXTIP=
MY_EXTIP_LAT=49.
MY_EXTIP_LONG=10.
MY_INTIP=
MY_HOSTNAME=
```

t3chn0m4g3 commented 9 months ago

This has been discussed in #1313 and #1375. GeoIP comes from MaxMind within Logstash which is updated every time Logstash starts. Nothing we can do about it.
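The reply above pins the map location to the MaxMind GeoIP lookup done inside Logstash, while `updateip.sh` reports what ipinfo.io says. The check a practitioner wants before filing this kind of report is to confirm the two sources actually disagree for the same external IP, and by how much, so that the map is not blamed for faithfully rendering a coarse MaxMind answer. The following is an added example, not T-Pot's own code: it parses `KEY=VALUE` output in the shape `updateip.sh` prints, parses a Logstash-style event whose `geoip.location.lat/lon` field layout is assumed (T-Pot's actual field names are not shown on this page), and reports the great-circle distance between the two points. All sample inputs are constructed; the MaxMind-side coordinates are placed in the central US to mirror what the reporter describes.

```python
"""Compare two geolocation answers for a honeypot's external IP:
the ipinfo.io result that updateip.sh prints (MY_EXTIP_LAT/LONG) and
the MaxMind result that Logstash's geoip filter attaches to events.
Added example, not T-Pot code; field names and sample data are assumed."""
import json
import math

# Constructed sample in the shape of updateip.sh output (the real report
# shows these values redacted/truncated to "49." and "10.").
UPDATEIP_OUTPUT = """\
HONEY_UUID=00000000-0000-0000-0000-000000000000
MY_EXTIP=198.51.100.23
MY_EXTIP_LAT=49.4521
MY_EXTIP_LONG=11.0767
MY_INTIP=10.0.0.5
MY_HOSTNAME=tpot
"""

# Constructed Logstash event; the geoip.location layout is an assumption.
# The coordinates sit in the central US, as the reporter saw on the map.
LOGSTASH_EVENT = json.dumps({
    "src_ip": "198.51.100.23",
    "geoip": {
        "country_code2": "US",
        "location": {"lat": 37.751, "lon": -97.822},
    },
})


def parse_updateip(text: str) -> dict:
    """Turn KEY=VALUE lines into a dict; lines without '=' are skipped."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def updateip_point(text: str) -> tuple:
    """(lat, lon) from updateip.sh-style output; raises if either is missing."""
    kv = parse_updateip(text)
    return float(kv["MY_EXTIP_LAT"]), float(kv["MY_EXTIP_LONG"])


def logstash_point(event_json: str) -> tuple:
    """(lat, lon) from an assumed geoip.location field in a Logstash event."""
    loc = json.loads(event_json)["geoip"]["location"]
    return float(loc["lat"]), float(loc["lon"])


def haversine_km(a: tuple, b: tuple) -> float:
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    r = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.atan2(math.sqrt(h), math.sqrt(1 - h))


def check_geoip_agreement(updateip_text: str, event_json: str, max_km: float = 500.0) -> dict:
    """Report whether ipinfo.io and the MaxMind/Logstash lookup agree.

    max_km is the tolerance: city-level databases differ by tens of km,
    but a country-centroid answer is off by thousands, which is the
    symptom that points at the MaxMind database rather than updateip.sh.
    """
    ipinfo_pt = updateip_point(updateip_text)
    maxmind_pt = logstash_point(event_json)
    distance = haversine_km(ipinfo_pt, maxmind_pt)
    return {
        "ipinfo": ipinfo_pt,
        "maxmind": maxmind_pt,
        "distance_km": round(distance, 1),
        "agree": distance <= max_km,
    }


if __name__ == "__main__":
    result = check_geoip_agreement(UPDATEIP_OUTPUT, LOGSTASH_EVENT)
    print(json.dumps(result, indent=2))
    if not result["agree"]:
        print("Map location comes from the MaxMind lookup, not ipinfo.io; "
              "the discrepancy is in the GeoIP database Logstash loaded.")
```

Feed it real data by pasting the `updateip.sh` output and one event exported from Elasticsearch for your own external IP; a distance of a few thousand kilometres with the MaxMind point near a country's centre is the signature of a country-level-only database hit, which no change to `updateip.sh` can fix.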