telekom-security / tpotce

🍯 T-Pot - The All In One Multi Honeypot Platform 🐝
GNU General Public License v3.0

Kibana and other services are down (502 Gateway error, blank page from dashboard) #205

Closed gioolio closed 6 years ago

gioolio commented 6 years ago

Greetings, I have used the [E] Everything option to install T-Pot 17.10 (iso). When I run dps.sh, the following services are DOWN: kibana, logstash, head, netdata. Inside the /data/ folder there is no "kibana" folder or log. I have tried to manually start the services but they are impossible to find. What am I missing? In my previous experiences with T-Pot, everything was out-of-the-box after installation.

Basic support information

t3chn0m4g3 commented 6 years ago

Not enough RAM. You need 8GB for Everything.

gioolio commented 6 years ago

It's strange because on my virtual machine I have used just 2Gb of ram; however, I'm installing the [T] Standard version right now. I will let you know if this fixes my problem. thanks

Edit: kibana, logstash, head, netdata are still down even with the [T] Standard option. I will try the 16.10 version on the notebook since I know it works well on the virtual machine with 2gb of ram. I will let you know.

Edit: The 16.10 and the 16.04 versions ([E] and [T] options) give me the "Failed to start /etc/rc.local Compatibility" error; if I execute rc.local, I just "unlock" the screen, ending up with an Ubuntu terminal (no cool T-pot ASCII logo is shown). I will try the 17.10 again (since it is the only installation that is not "aborted" by any errors) manually installing Elasticsearch, Logstash and Kibana. Then I will give up.

Please let me know if anyone has any inspiring idea, T-pot was so cool :( Thanks.

Edit: SOLVED [ removed by @techn0m4g3, will result in vulnerable and T-Pot incompatible installation of the ELK stack ]

t3chn0m4g3 commented 6 years ago

I cannot reproduce the error on our supported hardware, which is the Intel NUC series up until 6, VMWare and Virtualbox. Following the instructions will leave you with a vulnerable ELK stack (version out of support) and not the features T-Pot will provide. I recommend installing Ubuntu 16.04 and using the T-Pot Autoinstaller.


gioolio commented 6 years ago

THANKS for the support. I wish I could give you more info... the last time I installed T-Pot 17.10 from USB (UNetbootin with 1024mb persistency (but even without pers. was the same)) I can tell you that I have seen the installer downloading the docker image of kibana so I presume that the issue comes after it (?). I mean, at least it tried to download the image... I installed it on an Acer Travelmate 5720g, 2gb ram, 200gb hdd, Intel Core 2 Duo Processor T7300, ethernet connection.

I will try the virtual machine just for the sake of my curiosity and I will inform you. I will try also the autoinstaller. Meanwhile, I take off the "solved" from the title.

P.S. Anyway, I tried a massive attack using the Armitage hail mary on the t-pot and now the ssh and the https connections are not available even after a restart (but there aren't working sessions for Metasploit)

t3chn0m4g3 commented 6 years ago

By default we are using the Ubuntu Network Installer which works fine for most hardware with Intel chipsets and is just 50 MB in size. Different hardware is always a challenge from a software and (human) resource perspective (we just do not have the hardware / time to test it). This is the reason why @vorband built the Auto Installer, just in case some drivers are missing or need to be installed at first you can install T-Pot on-top making sure everything else works fine.

Hoping for the best 😃

gioolio commented 6 years ago

Thank you for bearing with me. so... I installed Ubuntu 16.04 Server, just the standard essential things plus openssh (for the key, it was required by install.sh) and git. Then I started the autoinstaller and I had this error (just after the ctop installation) :

Cloning T-pot

fatal: destination path '/opt/tpot/' already exist and is not an empty directory.

And then everything was aborted. Inside the /opt/ folder I have a kibana and a tpot folder; inside the /opt/tpot/ I have: bin, CONTRIBUTING.MD, doc, docker, etc, host, iso, LICENSE, makeiso.sh, README.md, update.sh

I'm looking into the install.sh code right now, the fuECHO "### Cloning T-Pot." is on the 320th line. I didn't see any "### Adding new user." printed on the monitor so I presume the error was generated by: git clone https://github.com/dtag-dev-sec/tpotce /opt/tpot (line 321). (I tried this command right now, the output has the same error, checked online and it's quite normal for git clone with a non-empty folder.) I will add rm -rf /opt/tpot before line 321 and I will try everything from zero; since it's the only "git clone" inside install.sh, it should work. I just hope the directories weren't meant to be merged 👍

t3chn0m4g3 commented 6 years ago

Did you by any chance run the script twice? We are setting up honeypots at least once a week using the same script and it works rock solid for us on a fresh ubuntu installation.

gioolio commented 6 years ago

No, I didn't. Ubuntu, install git, install openssh, run install.sh are the only steps. Since your suspicions are my suspicions too, I will use Gparted live cd to format the hard disk before repeating the steps (but I will add an if [ ! -d /opt/tpot ]; then to install.sh so I will not have to repeat the entire process just in case I get the same error). Before this evening I will let you know.

Edit: The docker installations trigger some warning about versions compatibility (in red) but the installation goes on. docker warning

For some reason, after pip install --upgrade pip (line 306), the pip install docker-compose==1.16.1 generated the typical python error of a library that can't be found. I typed the command manually and it ran without problems. pip output - possible solution/explanation

Edit: After the pip error, I just ran the installation again creating an empty "default" file for the nginx webpage since the script deletes it and deleting the log file (but I have a backup if you want it). The installation terminated correctly but Kibana and the others were still down. I tried something (sudo docker start elk, service start kibana), nothing worked. I left the pc for a while; when I came back, I used sudo docker ps and kibana looked fine and running, dps.sh again and it was up. (Previously, even waiting hours I never got the chance to see the kibana up.) At the end I think, patching the pip issues, the autoinstall should work flawlessly. I blame myself for the /opt/tpot/ error, maybe I forgot to delete the partition in Ubuntu. Thanks for the support @t3chn0m4g3

P.S. I hope the docker version warning isn't a threat to the security :|
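An added example, not part of install.sh or of any comment in this thread: instead of skipping or deleting /opt/tpot blindly, an installer can classify the clone destination first and refuse to continue when it holds content of unknown origin. The function names are hypothetical, and reading the remote URL from .git/config rather than calling git is a simplifying assumption.

```shell
#!/bin/sh
# Added example: classify a clone destination before running "git clone".
# The path and URL are the ones quoted in the thread; the function names
# clone_dest_state and clone_decision are hypothetical.
TPOT_DIR="/opt/tpot"
TPOT_URL="https://github.com/dtag-dev-sec/tpotce"

# Prints one of: absent | empty | same-repo | other-content
clone_dest_state() {
    dir=$1
    url=$2
    if [ ! -e "$dir" ]; then
        echo absent
        return 0
    fi
    if [ -d "$dir" ] && [ -z "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo empty
        return 0
    fi
    # Assumption: the origin URL is taken from .git/config and must match
    # exactly, so a fork or a similarly named repository is not accepted.
    if [ -f "$dir/.git/config" ] &&
       sed -n 's/^[[:space:]]*url = //p' "$dir/.git/config" |
           grep -Fxq -- "$url"; then
        echo same-repo
        return 0
    fi
    echo other-content
}

# Exit status: 0 = safe to clone, 1 = checkout already present (skip clone),
# 2 = unknown content, stop and let the operator inspect the directory.
clone_decision() {
    case $(clone_dest_state "$1" "$2") in
        absent|empty) return 0 ;;
        same-repo)    return 1 ;;
        *)            return 2 ;;
    esac
}

# Report the state of the real destination; this only reads, never deletes.
echo "$TPOT_DIR: $(clone_dest_state "$TPOT_DIR" "$TPOT_URL")"
```

A directory that is non-empty but is not a checkout of the expected repository is reported as other-content, which is the case where neither a plain existence test nor rm -rf is a safe default on a host that will be exposed to attackers.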

t3chn0m4g3 commented 6 years ago

Thanks, but I am a little puzzled since it is working flawlessly for us (I actually do care and test the stuff :bowtie:)

What type of internet connection do you have (bandwidth, technology)? Were you using WLAN or a wired ethernet connection when setting up T-Pot?

gioolio commented 6 years ago

> What type of internet connection do you have (bandwidth, technology)?

12000 kbps, ADSL2plus

> Were you using WLAN or a wired ethernet connection when setting up T-Pot?

ethernet wired, directly connected to my router.

Forgive my off-topic here, but I wish to report 2 other things: executing this nmap command nmap -sV -T4 -O -F --version-light HONEYIPADDRESS against the honeypot shows on port 23/tcp the version "Cowrie Honeypot telnetd" and on port 1433/tcp the version "Dionaea honeypot MS-SQL server". I know it's not a big thing, but maybe it's a lil too "brazen" 😄

t3chn0m4g3 commented 6 years ago

Deployed 5 new honeypots in the last 24h and everything was working fine (Auto Installer). Maybe it is really something with the hardware Ubuntu cannot really deal with and thus is not reproducible for me.

Honeypot detection will always remain a cat vs. mouse game. Once the deception technology of a honeypot is exposed it takes just a few lines of code and nessus & co. will be able to detect them. This has been discussed so often that I actually lost count, there is no viable solution; even if you take closed source into account.

Closing this issue for now. Have a nice weekend 😃

TomaszKot11 commented 3 years ago

@t3chn0m4g3 today I deployed the T-Pot on Azure and I don't know why 4 GB Ram was not enough so I took 8 GB... on the graph, there was a constant state of 8 GB consumption so I entered 16 GB and the Kibana started to work. What is the reason? 😄

jumanji46 commented 2 years ago

I am experiencing this issue and have not been able to fix it. Kindly assist. My machine is 32GB so memory is not an issue. I have updated it and run a fresh install but no change, kibana and elastic head are both blank.

henrykrauss commented 2 years ago

> I am experiencing this issue and have not been able to fix it. Kindly assist. My machine is 32GB so memory is not an issue. I have updated it and run a fresh install but no change, kibana and elastic head are both blank.

The same with me. Were you able to fix it? Did you find some solution for this?

jumanji46 commented 1 year ago

I figured it out by following the steps on the main page:

sudo su -
systemctl stop tpot
vi /opt/tpot/etc/tpot.yml
docker-compose -f /opt/tpot/etc/tpot.yml up (to see if everything works, CTRL+C)
docker-compose -f /opt/tpot/etc/tpot.yml down -v
systemctl restart tpot

Kibana was working after these steps