telekom-security / tpotce

🍯 T-Pot - The All In One Multi Honeypot Platform 🐝
GNU General Public License v3.0

tpot install not working, TPOT_TYPE=HIVE in .env when selecting Sensor setup #1571

Closed DrunKnHigh closed 3 weeks ago

DrunKnHigh commented 4 weeks ago

Hello, I'm here because I'm having an issue when trying to install tpot as a sensor on one of our Ubuntu VMs. In .env I have TPOT_TYPE=HIVE instead of "=SENSOR", and the tpot service keeps failing at launching any of the honeypots because "there is no web user", but it shouldn't need a web user since it's supposed to be a sensor setup.

So it's not that it did a Hive install but that something in the Sensor install got mixed up with the Hive one it seems.

No errors in the install log. And no matter how many times I uninstall and reinstall I keep getting the same issue.

→ Version of T-POT: the latest release (T-Pot 24.04.0)
→ lsb -a (same on both Hive and Sensor, both are VMs):
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.4 LTS
Release: 22.04
Codename: jammy
→ uname -a:
Linux 6.5.0-1021-azure #22~22.04.1-Ubuntu SMP Tue Apr 30 16:08:18 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
→ no errors in "~/install_tpot.log"
→ Did you install upgrades, packages or use the update script? NO
→ Did you modify any scripts or configs? NO
→ df -h (SENSOR):
Filesystem Size Used Avail Use% Mounted on
/dev/root 124G 6.8G 118G 6% /
tmpfs 3.9G 0 3.9G 0% /dev/shm
tmpfs 1.6G 1.1M 1.6G 1% /run
tmpfs 5.0M 0 5.0M 0% /run/lock
efivarfs 128K 32K 92K 27% /sys/firmware/efi/efivars
/dev/sda15 105M 6.1M 99M 6% /boot/efi
tmpfs 788M 4.0K 788M 1% /run/user/1002

→ grc netstat -tulpen (SENSOR):
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:64295 0.0.0.0:* LISTEN 0 20822 -
tcp6 0 0 :::64295 :::* LISTEN 0 20832 -
udp 0 0 10.93.227.14:68 0.0.0.0:* 100 20495 -
udp 0 0 127.0.0.1:323 0.0.0.0:* 0 20808 -
udp6 0 0 ::1:323 :::* 0 20809 -

nu11secur1ty commented 3 weeks ago

Did you do this?

### Done. Please reboot and re-connect via SSH on tcp/64295.
### Make sure to deploy SSH keys to this SENSOR and disable SSH password authentication.
### On HIVE run the tpotce/deploy.sh script to join this SENSOR to the HIVE.

;) BR. Everything is working very well, dear friends, you can close this "issue". Best Regards

DrunKnHigh commented 3 weeks ago

I did reboot but I didn't do the two other things, I thought it would still deploy the honeypots, just that it wouldn't be connected to the hive.

The following commands:

sudo systemctl stop tpot

sudo openssl req \
    -nodes \
    -x509 \
    -sha512 \
    -newkey rsa:8192 \
    -keyout "$HOME/tpotce/data/nginx/cert/nginx.key" \
    -out "$HOME/tpotce/data/nginx/cert/nginx.crt" \
    -days 3650 \
    -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' \
    -addext "subjectAltName = IP:192.168.1.200, IP:<HIVE_IP???>, DNS:my.primary.domain, DNS:my.secondary.domain"

sudo chmod 774 $HOME/tpotce/data/nginx/cert/*
sudo chown tpot:tpot $HOME/tpotce/data/nginx/cert/*

sudo systemctl start tpot

With the HIVE IP we need to put? And this:

ssh-keygen
ssh-copy-id -p 64295 <SENSOR_SSH_USER>@<SENSOR_IP>

I need to run those commands from the HIVE and not the SENSOR, correct?

P.S.: In the doc it's written: ssh-copy-id -p 64295 SENSOR_SSH_USER>@<SENSOR_IP)

but I assume that the ')' at the end is a typo?
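The certificate step quoted above is easy to get subtly wrong (the SAN is what the HIVE checks, not the subject), so here is an added example, not T-Pot project code and not from this thread, that wraps the same openssl req invocation in a function and then verifies that the resulting nginx.crt really lists the HIVE IP in its subjectAltName before tpot is restarted. The directory, the 192.0.2.10 address and hive.example.test are placeholders and constructed samples; the key size is lowered to rsa:2048 only so the example finishes quickly.

```shell
#!/bin/sh
# Added example, not T-Pot project code: regenerate the self-signed nginx
# certificate with the HIVE IP in the subjectAltName and verify the SAN
# before restarting tpot. cert_dir / hive_ip are placeholders; the
# 192.0.2.10 / hive.example.test values in the usage lines are constructed.
set -u

# make_cert <cert_dir> <hive_ip> [dns_name]
# Same openssl req invocation as in the thread, minus the sudo; rsa:2048
# instead of rsa:8192 only so the example finishes quickly.
make_cert() {
  cert_dir=$1; hive_ip=$2; dns_name=${3:-}
  san="IP:${hive_ip}"
  if [ -n "$dns_name" ]; then san="${san}, DNS:${dns_name}"; fi
  mkdir -p "$cert_dir"
  openssl req -nodes -x509 -sha512 -newkey rsa:2048 \
    -keyout "$cert_dir/nginx.key" -out "$cert_dir/nginx.crt" \
    -days 3650 -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' \
    -addext "subjectAltName = ${san}" >/dev/null 2>&1 || return 1
  # Keep the private key unreadable to others; the README's chown to the
  # tpot user still has to follow on the real sensor.
  chmod 600 "$cert_dir/nginx.key"
}

# san_has_ip <cert_file> <ip>: succeeds only if the certificate's SAN lists
# the IP. A trailing comma is appended to every line so that the check for
# "192.0.2.1" cannot accidentally match "192.0.2.10".
san_has_ip() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed 's/$/,/' \
    | grep -qF "IP Address:$2,"
}

# san_list <cert_file>: print the SAN line so the operator can eyeball it.
san_list() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage on a sensor (then: sudo systemctl stop tpot; copy both files into
# ~/tpotce/data/nginx/cert/; chown tpot:tpot; sudo systemctl start tpot):
#   make_cert /tmp/tpot-cert 192.0.2.10 hive.example.test
#   san_list   /tmp/tpot-cert/nginx.crt
#   san_has_ip /tmp/tpot-cert/nginx.crt 192.0.2.10 && echo "SAN ok"
```

With only the HIVE IP in the SAN (no 192.168.1.200 entry), san_has_ip succeeds for the HIVE address and fails for anything else, which is the property the HIVE relies on when it connects to the sensor.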

nu11secur1ty commented 3 weeks ago

Next, upgrade your Ubuntu. Uninstall the Sensor. Install it again! Check that your UFW is enabled and if you have some rules that block the agent! Next, try to attack the sensor, please! Then post your result here. BR

DrunKnHigh commented 3 weeks ago

I'm getting a lot of parsing errors in the logs of Logstash but besides that it seems to be working, at least when checking on the Elastic UI.

But is there a way I can check if those logs are indeed coming from my sensor? Like where can I find the IP?

And in "-addext "subjectAltName = IP:192.168.1.200, IP:..." is the "192.168.1.200" IP necessary, or is the Hive IP enough?

The doc to customize the honeypots is a bit unclear to me, but I see the config files for each honeypot in the respective directory of each honeypot in the /docker directory, so I imagine those .cfg files are the ones to be modified and then a systemctl restart tpot would refresh their configuration? Is that how it works?

Also, why does it say to "Make sure to disable SSH password authentication to the Sensor"?

nu11secur1ty commented 3 weeks ago

Hive IP is enough, you can analyze all attacks against the Sensor IP from your HIVE IP - MGMT server. So. Everything looks good =) Thanks

{Also, why does it say to "Make sure to disable SSH password authentication to the Sensor"?} = For security reasons, when you are in the broadcast networks, some malicious users can decide to brute force access to your SSH open port by using a password authentication function which you have left enabled. ;)

Good luck my friend. =) BR
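The advice above is only worth anything if sshd actually applies it, and sshd's config semantics make that easy to get wrong: the first value it reads for a keyword wins, and directives after a Match line apply only to matching connections. Here is an added example, not T-Pot project code and not from this thread, that computes the value sshd would use for PasswordAuthentication from a config file and flags the weak case; the three config files it writes are constructed samples, and effective_value, check_password_auth and write_samples are names chosen for this example.

```shell
#!/bin/sh
# Added example, not T-Pot project code: check whether an sshd_config really
# disables password authentication the way sshd reads it. sshd uses the FIRST
# value it sees for a keyword, and directives after a "Match" line apply only
# to matching connections, so "PasswordAuthentication no" placed after an
# earlier "yes" (or after a Match block) changes nothing globally.
# The three config files written below are constructed samples.
set -u

# effective_value <keyword> <file>: print the global value sshd would use.
# Only lines whose first non-blank character is '#' are comments, which is
# how sshd_config(5) defines them. Include directives are not followed here.
effective_value() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }                          # comment line
    tolower($1) == "match" { exit }              # global section ends here
    tolower($1) == key && NF >= 2 { print $2; exit }
  ' "$2"
}

# check_password_auth <file>: "ok" if passwords are off, "weak" otherwise.
# sshd's built-in default is yes, so an absent keyword counts as weak.
check_password_auth() {
  v=$(effective_value PasswordAuthentication "$1")
  case "$(printf '%s' "${v:-yes}" | tr 'A-Z' 'a-z')" in
    no) echo ok ;;
    *)  echo weak ;;
  esac
}

# write_samples <dir>: three constructed sshd_config variants.
write_samples() {
  mkdir -p "$1"
  # 1. the keyword is only present commented out: the default (yes) applies
  cat > "$1/weak.conf" <<'EOF'
Port 64295
#PasswordAuthentication no
PubkeyAuthentication yes
EOF
  # 2. hardened: passwords off globally, allowed only for one Match'd user
  cat > "$1/hardened.conf" <<'EOF'
Port 64295
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
  # 3. looks hardened at a glance, but the earlier "yes" wins
  cat > "$1/ordered.conf" <<'EOF'
Port 64295
PasswordAuthentication yes
PasswordAuthentication no
EOF
}

# Usage on a sensor:
#   check_password_auth /etc/ssh/sshd_config
#   sudo sshd -T | grep -i passwordauthentication   # the authoritative answer
```

On a real sensor prefer `sshd -T`, which prints the fully resolved configuration including any files pulled in by Include; the helper above is for reasoning about a single file and for catching the ordering trap the third sample shows.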

DrunKnHigh commented 3 weeks ago

So this is just so they can't brute force their way in on the ssh port 64295? But this is an Azure VM in my case, I don't have physical access to it so I need an ssh port to connect myself to it... :/

nu11secur1ty commented 3 weeks ago

This is a preventive measure my friend, the world has many scenarios ;) BR

DrunKnHigh commented 3 weeks ago

Already well, thanks a lot for your help. That was much appreciated ^^

nu11secur1ty commented 3 weeks ago

> Already well, thanks a lot for your help. That was much appreciated ^^

You're welcome buddy ;)