Distributed Installation

[t3chn0m4g3]

Have a distributed installation option:

1. Install central EL2K
2. Install sensors delivering events to central EL2K

[cozybear-dev]

Hi,

Glad to see this feature finally being added, this would make TPOT by far the best solution out there (even compared to private paid solutions). I'm currently investigating this implementation myself. The current setup is honeypot only installations with Filebeat (with instance-id's for each honeypot) installed to pass all the log files to one central ELK instance (with searchguard and elasticalert). Besides that I'm currently testing management of those honeypots using a Fabric script (to also for example deploy my own honeypots on all servers and change all the configs accordingly) and creating a management panel with alerts to monitor the status (health, cpu, mem usage, etc) of the honeypots on the servers by using the Docker daemon REST API and if an honeypot is hacked by monitoring all commands by additional logging.

There are some challenges if you want to automate it all with SSL certs and all the configs but it can be done.

The ETA for this feature is like a year right? Since the 18.x version will be likely be released before the end of this year. If you have any questions on my setup, feel free to ask. When I'm finished I'll share the code, right now it's really buggy and a combination of scripts.

[pchoobdar]

Hi
We installed standard mode of t-pot and it work correctly then installed a sensor mode to send data to a central t-pot (standard t-pot).
There is a way to gathering data from sensors in network and send data to central t-pot?
Tanks a lot

[ChessSpider]

hi @derp7331 I want this too. Shall we get in touch? I'm Dutch (too) by the way!

[t3chn0m4g3]

For now, please check the Wiki.

[ChessSpider]

Hi @t3chn0m4g3 Thanks! That's a great start
Suggestion for change in wiki:

first step, either copy from running container or get the default

docker cp logstash:/etc/logstash/conf.d/logstash.conf /data/elk/logstash.conf
or
cp /opt/tpot/docker/elk/logstash/dist/logstash.conf /data/elk/logstash.conf

So, in order to do this securely, we should add encryption and authentication to the elasticsearch default install. I have some experience with https://search-guard.com/, which adds both to elasticsearch+kibana. It should not interfere with the http-auth authentication which is present now: we can configure nginx as a trusted proxy of kibana.

Should I work on this and come back with a PR?

Full-disclosure, I'm also testing tpot to see if we can use it as a base honeypot in order to deliver services around it. Are there guidelines to use tpot for this purpose? Aka what do you expect for link-back etc?

[t3chn0m4g3]

@ChessSpider Thanks for the suggestions, of course both of these ways work just fine. The docker exec way also ensures the copied files have the correct permissions by default, not everyone pays attention to such details like you do
Thank you very much for your offer, but we need to find a secure way using the tools at hand, it needs to be as simple as it needs to be secure. While I do know Search Guard and can very well recommend it for a central ELK it is not suited for what we have in mind for a distributed T-Pot. This is still undecided but will very much revolve around multiples instances of logstash and beats.

T-Pot is for sharing - no strings attached. The community will thank you however if you kept submissions to https://sicherheitstacho.eu/start/main alive (aka do not turn ewsposter off).

[ChessSpider]

Cool. So if you suggestions for me, please do tell. I will be building it upon your debian branch and closely follow your programming standards to ensure interoperability in the future. Just to be sure, my plan is to have one central elasticsearch+kibana and multiple logstash. Basically follow your wiki and change the destination of Logstash.

Images of elasticsearch+kibana will have searchguard added and the install.sh and update.sh scripts will create new certificates for searchguard upon installation. The difficult bit would be getting the generated certificates on the sensors. Of course I don't want to reinvent the wheel, so if someone has already done some pre-work or want to help, then that's welcome of course! I just need to clear this w/ my boss but i think he'll see the value of this too.

Is there a tpot telegram group already by the way? Easy communication

[t3chn0m4g3]

Awesome. Nothing like Slack or Telegram. Issues are fine.

[ChessSpider]

So, I'm doing things: https://github.com/Podictive/tpotce/tree/debian big WIP warning obviously.
Question though, what do you use to test your install.sh ? Do you do trial and error or something else?

Are you willing to give feedback on the code at some point? E.g. via me opening a PR?

[ChessSpider]

https://github.com/Podictive/tpotce/tree/debian
Really close to something here. It already works, i just need to make a user-friendly script for reconfiguring a standard.yml into accepting outwards connections.

see differences: https://github.com/dtag-dev-sec/tpotce/compare/debian...Podictive:debian?expand=1

[cozybear-dev]

Little update on the setup I ended up with.

I successfully created a Fabric script that allows you to create a distributed infrastructure using TPOT. It's actually quite awesome too. You only need to create the certificates using another script, define the servers (ip, port, username, password, etc) and execute two commando's (for central server and honeypot servers). All the installation and configuration has been taken care off.

The setup is as follows. One central server with all the tools you need to analyse all the data, that is pushed by Sensor Installation TPOT installs using Filebeat. The central server uses SearchGuard for security reasons. The scripts also take care of SSH keys, enabling one-click remote access via Cockpit (via the central server to all the remote TPOT servers). I also created a script for creating all the nessecary SSL certificates using your own root/CA certs (Besides encryption, the certs are also used for authentication via CA trust.). It's actually quite scalable too, the 'only' real bottleneck is the central server. You will need to selective in the logs you want to keep (and for how long) since one TPOT server already generates a lot of data, let alone 10 or 20.

The biggest downside of my current setup is definitely the lack of future support. That is why I also recommended to the organisation to wait until TPOT develops their own distributed solution. My current setup involves a lot of changes to the configuration files, which need to be changed each time TPOT e.g. adds a honeypot. Not that it's that much of a pain, but reliabillity is also very important. The more you customize and go off-land, the more room for error.

For now I can't upload the scripts due to not yet having approval from the organisation I work for. In approx. 2 weeks I'll post an update, with likely the scripts. As I don't see any reason why the approval would be denied.

[t3chn0m4g3]

On top you need to account for the fact that the current T-Pot ELK images do only account for a single node "cluster". Especially with regard to a more capable central server you would need alone at least 3 nodes with at least two holding index / shard data. Better even to have another node dedicated towards ingest. At this point it should be rather obvious that Docker does no longer provide great advantages over a physical install since you need dedicated machines / VMs anyway. This would not be a good fit for T-Pot.
At this point a final decision has not been made yet, however we will be sticking with a single node central ELK to keep things compatible and easily interchangeable.

[ChessSpider]

I hope a pull request has a chance of getting merged.

I suggest to add warnings to the user when he's adding a sensor to a server about its limitations. A user will be warned about the security implications and recommended that the tpot-nodes should talk to eachother either via VPN or (V)LAN. Perhaps in due time add documentation how a more experienced tpot-maintainer could setup a multi-node elkstack for tpot.

Tpotce is a very powerful platform; having it compared against mhn and CHN-Server I think tpotce excells in its ease of deployment, modular design, support of honeypots and visualization. Not being able to manage or view multiple nodes from one interface is a big miss for me, unfortunately. One I hope to rectify in a way it benefits the tpotce development and community.

[t3chn0m4g3]

At the moment we are still in a phase where we will looking at different and elegant ways that will fit into T-Pot, its user base and the ease of use. We are thankful for all contributions, hints and suggestions, however in the current phase we will not actively accept PRs.
This does not mean that we do not value your efforts on behalf of the community or T-Pot. But we will have to actively look into what will be the best for the future of T-Pot.

[ChessSpider]

Very well, in that case I'd like to invite anyone interested in a distributed tpot to try out my Debian branch:

https://github.com/Podictive/tpotce/tree/debian

It's currently in-sync with dtag-dev-sec/tpotce:debian. Installation instructions and documentation will be added. Issues and PR are open.

Please use https://github.com/Podictive/tpotce/tree/master instead

[javi17]

So what is the use of installing a sensor and a collector?

[iukea1]

@javi17 it is on the to do list.

[javi17]

when it would be resolved??

[iukea1]

@javi17 pretty sure it is not a priority.

Remember the whole code base is open source. You can write a docker container and put it on the main docker compose file and install file beats on there to send the logs back to the main elk server.

[javi17]

and why the sensor and collector options on the install process??

[iukea1]

@javi17 pretty sure I just answered your question dude.

It is on there just not fully supported as of now.

[javi17]

I have manipulated the logstash sensor for to send data to the elastic collector but it does not work yet

[iukea1]

@javi17 sounds like you need to fix your logstash yml file.

[javi17]

One question...the sensor includes log stash intallation??...I don't think so

[iukea1]

@javi17 nope does not have logstash

It has something for hpfeeds

container_name: ewsposter

[cozybear-dev]

Better late then never - eh? Here are the scripts I used for my distributed TPOT installation. They were working late 2018, no clue if they do now. Use at your own risk!

https://github.com/derp7331/tpot_distributed

[amare1307]

how can we configure elastic pot in t-pot ?

[amare1307]

is there any one know how to configure this embedded divce ?

[amare1307]

these also my problem <http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> Virus-free. www.avg.com <http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

…

On Sat, Jun 6, 2020 at 9:03 PM siajune ***@***.***> wrote: Hello, I made all steps in the WIKI instruction, but tpot service don’t start. Can You add instruction to make distributed installation? TNX ) — You are receiving this because you commented. Reply to this email directly, view it on GitHub <https://github.com/dtag-dev-sec/tpotce/issues/250#issuecomment-640111289>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANZX6QCAHB5324XUT5IFJN3RVKOJTANCNFSM4F66I64A> .

[Raul1718]

Read all the information on this page.
So currently T-POT's own distributed deployment scheme is still on the todo-list？
And T-POT deployments with a practical plan to reference these two projects, right?

https://github.com/derp7331/tpot_distributed
https://github.com/Podictive/tpotce/tree/debian