telekom-security / tpotce

🍯 T-Pot - The All In One Multi Honeypot Platform 🐝
GNU General Public License v3.0

To allow only certain IPs/CIDRs to use SSH/Web administration #258

Closed landonstewart closed 5 years ago

landonstewart commented 5 years ago

Issues

I'd like to firewall tcp/64295 and tcp/64297 so only certain subnets can reach them. Where can I do this so it persists between reboots and is not overwritten?

I tried updating the file /opt/tpot/host/etc/systemd/tpot.service to specify a source in the following line, but it didn't do anything when restarting or stopping/starting the tpot service.

Changed this: ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT

To this: ExecStartPre=/sbin/iptables -w -A INPUT -s <subnet/prefix> -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT

Basic support information

# uptime
19:30:52 up 44 min,  2 users,  load average: 0.80, 0.93, 1.11
# free -m
              total        used        free      shared  buff/cache   available
Mem:          64395        6625       55413          36        2356       57147
Swap:          7811           0        7811
# df -h /
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdb2       910G  6.1G  857G   1% /
# dps.sh 
========| System |========
    Date:  Wed Nov 21 19:32:49 UTC 2018
  Uptime:  19:32:49 up 46 min,  2 users,  load average: 0.88, 0.93, 1.09
CPU temp:  +44.0°C +46.0°C   

NAME                STATUS                               PORTS
conpot              Up 25 minutes                        0.0.0.0:1025->1025/tcp,
                             0.0.0.0:50100->50100/tcp
cowrie              Up 25 minutes                        0.0.0.0:22->2222/tcp,
                             0.0.0.0:23->2223/tcp
dionaea             Up 25 minutes                        0.0.0.0:20-21->20-21/tcp,
                             0.0.0.0:42->42/tcp,
                             0.0.0.0:135->135/tcp,
                             0.0.0.0:443->443/tcp,
                             0.0.0.0:445->445/tcp,
                             0.0.0.0:1433->1433/tcp,
                             0.0.0.0:1723->1723/tcp,
                             0.0.0.0:1883->1883/tcp,
                             0.0.0.0:3306->3306/tcp,
                             0.0.0.0:69->69/udp,
                             0.0.0.0:5060-5061->5060-5061/tcp,
                             0.0.0.0:27017->27017/tcp,
                             0.0.0.0:5060->5060/udp,
                             0.0.0.0:8081->80/tcp
elasticpot          Up 25 minutes                        0.0.0.0:9200->9200/tcp
elasticsearch       Up 25 minutes (healthy)              127.0.0.1:64298->9200/tcp
kibana              Up 25 minutes (healthy)              127.0.0.1:64296->5601/tcp
logstash            Up 25 minutes (healthy)              
head                Up 25 minutes (healthy)              127.0.0.1:64302->9100/tcp
emobility           Up 25 minutes                        0.0.0.0:8080->8080/tcp
ewsposter           Up 25 minutes                        
glastopf            Up 25 minutes                        0.0.0.0:80->80/tcp
honeytrap           Up 25 minutes                        
mailoney            Up 25 minutes                        0.0.0.0:25->2525/tcp
netdata             Up 25 minutes (healthy)              
rdpy                Up 25 minutes                        0.0.0.0:3389->3389/tcp
spiderfoot          Up 25 minutes (healthy)              127.0.0.1:64303->8080/tcp
ui-for-docker       Up 25 minutes                        127.0.0.1:64299->9000/tcp
suricata            Up 25 minutes                        
p0f                 Up 25 minutes                        
vnclowpot           Up 25 minutes                        0.0.0.0:5900->5900/tcp
t3chn0m4g3 commented 5 years ago

For T-Pot 18.10 the best starting point for persistent iptables rules that do not interfere with the basic startup would be /opt/tpot/bin/rules.sh. This will also ensure (if inserted before the NFQ rules take place) that these ports will not be forwarded to the NFQ-based honeypots Honeytrap and Glutton. Please make sure to create a backup of your changes, since the file will be overwritten should you use update.sh in the future. The recommended way, however, is to statically NAT the ports 1-64000 on a router or gateway in front of T-Pot.
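A concrete version of that rules.sh approach for the two ports asked about, as an added example rather than T-Pot's or the maintainer's own code. The ports, the tpot.service ACCEPT rule and the rules.sh path come from this thread; the function names and the IPTABLES dry-run variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not T-Pot's own code): restrict the T-Pot SSH (tcp/64295) and
# web admin (tcp/64297) ports to an allow-list of source CIDRs. Meant to be
# called from /opt/tpot/bin/rules.sh ahead of its NFQ rules, as the maintainer
# suggests; keep a copy of your change, since update.sh overwrites that file.
# Setting IPTABLES=echo gives a dry run that prints the rules instead.

ADMIN_PORTS="64295,64297"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Light sanity check on a CIDR (dotted quad, optional /0-32). It rejects
# anything outside [0-9./], so a stray shell metacharacter never reaches
# iptables; it does not validate octet ranges.
is_cidr() {
  case "$1" in
    ""|*[!0-9./]*) return 1 ;;
  esac
  _ip="${1%%/*}"
  _pfx="${1#*/}"
  [ "$_pfx" = "$1" ] && _pfx=32          # no "/": treat as a single host
  case "$_ip" in
    *.*.*.*.*) return 1 ;;               # too many dots
    *.*.*.*) ;;                          # four octets, fine
    *) return 1 ;;
  esac
  [ "$_pfx" -ge 0 ] 2>/dev/null && [ "$_pfx" -le 32 ]
}

# admin_allow_rules CIDR...
# Every rule is inserted at the head of INPUT (-I INPUT 1) so it matches before
# the blanket "-A INPUT ... --dports 64295:64303 -j ACCEPT" rule that
# tpot.service appends. The DROP goes in first, then each ACCEPT is inserted
# above it, so the resulting order is: ACCEPT allowed sources, DROP the rest.
admin_allow_rules() {
  [ $# -gt 0 ] || { echo "usage: admin_allow_rules CIDR..." >&2; return 2; }
  for c in "$@"; do
    is_cidr "$c" || { echo "rejected CIDR: $c" >&2; return 2; }
  done
  "$IPTABLES" -w -I INPUT 1 -p tcp -m multiport --dports "$ADMIN_PORTS" -j DROP || return 1
  for c in "$@"; do
    "$IPTABLES" -w -I INPUT 1 -s "$c" -p tcp -m multiport \
      --dports "$ADMIN_PORTS" -j ACCEPT || return 1
  done
}
```

Run it once with IPTABLES=echo and compare the printed rules against `iptables -S INPUT` after a real run to confirm they sit above the tpot.service ACCEPT rule.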

landonstewart commented 5 years ago

/opt/tpot/bin/rules.sh

00ihsan commented 1 year ago

Same issue on the newest version.