#!/bin/bash
# set -ex
# By @doomedraven - https://twitter.com/D00m3dR4v3n
# Copyright (C) 2011-2023 doomedraven.
# See the file 'LICENSE.md' for copying permission.
# Huge thanks to: @NaxoneZ @kevoreilly @ENZOK @wmetcalf @ClaudioWayne
# Static values
# Where to place everything
# CAPE TcpDump will sniff this interface
NETWORK_IFACE=virbr1
# On which IP TOR should listen
IFACE_IP="192.168.1.1"
# Device of the default route (5th field of "default via ... dev IFACE")
INTERNET_IFACE=$(ip route | awk '/^default/ {print $5}')
# DB password -- a placeholder default; override it in cape-config.sh (see usage())
PASSWD="SuperPuperSecret"
# Only in case if you using distributed CAPE And MongoDB sharding.
DIST_MASTER_IP="192.168.1.1"
# Service account; note this shadows the login-name USER variable for the rest of the script
USER="cape"
# https://nginx.org/en/linux_packages.html
nginx_version=1.25.3
prometheus_version=2.20.1
grafana_version=7.1.5
node_exporter_version=1.0.1
# ---- LibreNMS monitoring knobs ------------------------------------------
# 1 enables snmpd and the other bits that LibreNMS needs
librenms_enable=0
# snmp v1/2c community string to use (sent in clear text on the wire)
snmp_community=ChangeMePublicRO
# value for agentaddress... see snmpd.conf(5); blank keeps the snmpd default
snmp_agentaddress=""
snmp_location='Rack, Room, Building, City, Country [GPSX,Y]'
snmp_contact='Foo <foo@bar>'
clamav_enable=0
# enable IPMI sensor checking with LibreNMS
librenms_ipmi=0
# args to pass to /usr/lib/nagios/plugins/check_mongodb.py
librenms_mongo_args=''
# warn / crit thresholds for the clamav check
librenms_clamav_warn=2
librenms_clamav_crit=3
# enable librenms support for mdadm
librenms_mdadm_enable=0
# requires lsi_mrdsnmpmain
# https://docs.librenms.org/Extensions/Applications/#megaraid
librenms_megaraid_enable=0
# disabling this will result in the web interface being disabled
MONGO_ENABLE=1
DIE_VERSION="3.09"
TOR_SOCKET_TIMEOUT="60"
# A cape-config.sh in the current directory is sourced and may override any value above
if [ -f ./cape-config.sh ]; then . ./cape-config.sh; fi
# Host facts used by the installers below
UBUNTU_VERSION=$(lsb_release -rs)
OS="$(uname -s)"
MAINTAINER="$(whoami)_$(hostname)"
ARCH="$(dpkg --print-architecture)"
#######################################
# Print known pitfalls and their workarounds (troubleshooting aid).
# Globals:   USER (read, for the per-user site-packages path)
# Outputs:   help text to stdout, one line per argument
#######################################
issues() {
  printf '%s\n' \
    'Problems with PyOpenSSL?' \
    'sudo rm -rf /usr/local/lib/python3.8/dist-packages/OpenSSL/' \
    "sudo rm -rf /home/${USER}/.local/lib/python3.8/site-packages/OpenSSL/" \
    'sudo apt-get install --reinstall python-openssl' \
    'Problem with PIP?' \
    'sudo python -m pip3 uninstall pip3 && sudo apt-get install python3-pip --reinstall' \
    'Problem with pillow:' \
    '* ValueError: jpeg is required unless explicitly disabled using --disable-jpeg, aborting' \
    '* ValueError: zlib is required unless explicitly disabled using --disable-zlib, aborting' \
    'Solution:' \
    '# https://askubuntu.com/a/1094768' \
    '# you may need to adjust version of libjpeg-turbo8' \
    'sudo apt-get install zlib1g-dev libjpeg-turbo8-dev libjpeg-turbo8=1.5.2-0ubuntu5'
}
function usage() {
cat << EndOfHelp
You need to edit NETWORK_IFACE, IFACE_IP and PASSWD for correct install
* This ISN'T a silver bullet, we can't control all changes in all third part software, you are welcome to report updates
Usage: $0 <command> <iface_ip> [options] | tee $0.log
Example: $0 all 192.168.1.1 | tee $0.log
Commands - are case insensitive:
Base - Installs dependencies, CAPE, systemd, see code for full list
All - Installs everything - (don't use it if you don't know what will be installed ;))
Sandbox - Install CAPE
Dependencies - Install all dependencies with performance tricks
Systemd - Install systemd config for cape, we suggest to use systemd
Nginx <domain.com> - Install NGINX with realip plugin and other goodies, pass your domain as argument
LetsEncrypt <domain.com> - Install LetsEncrypt for your site, pass your domain as argument
Suricata - Install latest suricata with performance boost
PostgreSQL - Install latest PostgresSQL
PostgreSQL_Utility - Install pg_activity
Yara - Install latest yara
Yara-x - Install latest yara-x
Volatility3 - Install Volatility3 and windows symbols
Mongo - Install latest mongodb
LetsEncrypt - Install dependencies and retrieves certificate
Dist - will install CAPE distributed stuff
ClamAv - Install ClamAV and unofficial signatures
redsocks2 - install redsocks2
logrotate - install logrotate config to rotate daily or 10G logs
librenms - install and setup LibreNMS support
librenms_cron_config - print the cron entries for the LibreNMS bits
librenms_snmpd_config - print the snmpd config for use with LibreNMS
librenms_sneck_config - print the sneck config for use with LibreNMS
prometheus - Install Prometheus and Grafana
die - Install Detect It Easy
node_exporter - Install node_exporter to report data to Prometheus+Grafana, only on worker servers
jemalloc - Install jemalloc, required for CAPE to decrease memory usage
Details: https://zapier.com/engineering/celery-python-jemalloc/
crowdsecurity - Install CrowdSecurity for NGINX and webgui
docker - install docker
osslsigncode - Linux alternative to Windows signtool.exe
modsecurity - install Nginx ModSecurity plugin
Issues - show some known possible bugs/solutions
Options:
--disable-mongodb-avx-check - Disable check of AVX CPU feature for MongoDB
--disable-libvirt - Disable libvirt related packages installation
Useful links - THEY CAN BE OUTDATED; RTFM!!!
* https://cuckoo.sh/docs/introduction/index.html
* https://medium.com/@seifreed/how-to-deploy-cuckoo-sandbox-431a6e65b848
* https://infosecspeakeasy.org/t/howto-build-a-cuckoo-sandbox/27
Cuckoo V2 customizations neat howto
* https://www.adlice.com/cuckoo-sandbox-customization-v2/
EndOfHelp
}
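#######################################
# Install CrowdSec, its dashboard and the nginx bouncer.
# Globals:   none written; calls install_docker()
# Arguments: none
# Returns:   the status of a failed cd/tar, 0 otherwise
#######################################
install_crowdsecurity() {
  local directory
  echo "[+] Install crowdsecurity"
  sudo apt-get install bash gettext whiptail curl wget
  cd /tmp || return
  # -f, not -d: the release archive is a regular file, so the old -d test
  # never saw an existing download and always re-fetched it.
  if [ ! -f crowdsec-release.tgz ]; then
    # The latest-release JSON lists every asset; only the release tarball that
    # is extracted below is wanted. Nothing verifies the download (no checksum
    # or signature), so the archive is trusted as fetched.
    curl -s https://api.github.com/repos/crowdsecurity/crowdsec/releases/latest \
      | grep browser_download_url | grep -F 'crowdsec-release.tgz"' | cut -d '"' -f 4 | wget -i -
  fi
  tar xvzf crowdsec-release.tgz || return
  # Pick the extracted directory with a glob instead of parsing ls; the old
  # regex "crowdsec-v*" matched any entry starting with "crowdsec-".
  for directory in crowdsec-v*/; do break; done
  cd "$directory" || return
  sudo ./wizard.sh -i
  sudo cscli collections install crowdsecurity/nginx
  sudo systemctl reload crowdsec
  install_docker
  sudo cscli dashboard setup -l 127.0.0.1 -p 8448
  wget https://github.com/crowdsecurity/cs-nginx-bouncer/releases/download/v0.0.4/cs-nginx-bouncer.tgz
  tar xvzf cs-nginx-bouncer.tgz || return
  for directory in cs-nginx-bouncer*/; do break; done
  cd "$directory" || return
  sudo ./install.sh
}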
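#######################################
# Install Docker CE from Docker's apt repository and add the service user
# to the docker group.
# Globals:   ARCH, USER (read)
# Arguments: none
#######################################
install_docker() {
  echo "[+] Install docker"
  # https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04
  sudo apt-get install apt-transport-https ca-certificates curl software-properties-common
  # /etc/apt/keyrings is not guaranteed to exist; gpg -o fails without it.
  sudo install -m 0755 -d /etc/apt/keyrings
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg --yes
  # The sources list lives under /etc, so write it through sudo tee instead of
  # a plain redirect (which ran as the invoking user). Use the detected dpkg
  # architecture rather than a hard-coded amd64; falls back to amd64 if unset.
  echo "deb [signed-by=/etc/apt/keyrings/docker.gpg arch=${ARCH:-amd64}] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
    | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
  sudo apt-get update
  sudo apt-get install docker-ce
  # docker group membership is equivalent to root on the host; keep it to the service account
  sudo usermod -aG docker "${USER}"
}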
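#######################################
# Install the jemalloc dev package unless a libjemalloc package is present.
# Globals:   none
# Arguments: none
#######################################
install_jemalloc() {
  # https://zapier.com/engineering/celery-python-jemalloc/
  # Test the pipeline's status directly. The old `! $(... | grep -q ...)` only
  # worked by accident: the substitution produced no command, and bash then
  # used the substitution's exit status.
  # NOTE(review): dpkg -l separates status and name with more than one space;
  # confirm this pattern matches on the target system before relying on the skip.
  if ! dpkg -l "libjemalloc*" | grep -q "ii libjemalloc"; then
    apt-get install -f checkinstall curl build-essential jq autoconf libjemalloc-dev -y
  fi
}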
#######################################
# Print the /etc/cron.d entries that feed the LibreNMS extends.
# Globals:   none
# Outputs:   six cron lines on stdout
#######################################
librenms_cron_config() {
  local every5='*/5 * * * * root'
  local path_env='/usr/bin/env PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin'
  printf '%s\n' \
    "${every5} ${path_env} /usr/local/bin/sneck -u 2> /dev/null > /dev/null" \
    "${every5} ${path_env} /etc/snmp/extends/cape | /usr/local/bin/librenms_return_optimizer 2> /dev/null > /var/cache/cape.cache" \
    "${every5} ${path_env} /etc/snmp/extends/smart -u" \
    "${every5} ${path_env} /usr/local/bin/hv_monitor -c 2> /dev/null > /var/cache/hv_monitor.cache" \
    "${every5} ${path_env} /etc/snmp/extends/osupdate 2> /dev/null > /var/cache/osupdate.extend" \
    '1 1 * * * root /bin/cat /sys/devices/virtual/dmi/id/board_serial > /etc/snmp/serial'
}
#######################################
# Print the Monitoring::Sneck check list; optional checks are emitted
# commented out ("#" prefix) when their feature flag is not >= 1.
# Globals:   librenms_ipmi, clamav_enable, MONGO_ENABLE,
#            librenms_clamav_warn, librenms_clamav_crit, librenms_mongo_args (read)
# Outputs:   sneck.conf lines on stdout
#######################################
librenms_sneck_config() {
  local plugins=/usr/lib/nagios/plugins
  local ipmi_mark='#' clamav_mark='#'
  # A non-numeric flag makes [ fail, which leaves the check commented out
  [ "$librenms_ipmi" -ge 1 ] && ipmi_mark=''
  [ "$clamav_enable" -ge 1 ] && clamav_mark=''
  printf '%s\n' \
    "${ipmi_mark}ipmi_sensor|${plugins}/check_ipmi_sensor --nosel" \
    "virtqemud_procs|${plugins}/check_procs --ereg-argument-array \"^/usr/sbin/virtqemud\" 1:1" \
    "cape_procs|${plugins}/check_procs --ereg-argument-array \"poetry.*bin/python cuckoo.py\" 1:1" \
    "cape_processor_procs|${plugins}/check_procs --ereg-argument-array \"poetry.*bin/python process.py\" 1:" \
    "cape_rooter_procs|${plugins}/check_procs --ereg-argument-array \"poetry.*bin/python rooter.py\" 1" \
    "${clamav_mark}clamav|${plugins}/check_clamav -w $librenms_clamav_warn -c $librenms_clamav_crit"
  # Without Mongo the web UI is off, so zero manage.py processes is the expected state
  if [ "$MONGO_ENABLE" -ge 1 ]; then
    printf '%s\n' \
      "mongodb|${plugins}/check_mongodb.py $librenms_mongo_args" \
      "cape_web_procs|${plugins}/check_procs --ereg-argument-array \"poetry.*bin/python manage.py\" 1:"
  else
    printf '%s\n' \
      "#mongodb|${plugins}/check_mongodb.py $librenms_mongo_args" \
      "cape_web_procs|${plugins}/check_procs --ereg-argument-array \"poetry.*bin/python manage.py\" 0"
  fi
}
#######################################
# Print an snmpd.conf for LibreNMS: community, sysinfo, pass-through for
# MegaRAID and the extend scripts. Optional entries are emitted commented
# out ("#" prefix) when their flag is not >= 1.
# Globals:   snmp_community, snmp_location, snmp_contact, snmp_agentaddress,
#            librenms_megaraid_enable, librenms_mdadm_enable (read)
# Outputs:   snmpd.conf lines on stdout
#######################################
librenms_snmpd_config() {
  local path_env='/usr/bin/env PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin'
  local megaraid_mark='#' mdadm_mark='#'
  [ "$librenms_megaraid_enable" -ge 1 ] && megaraid_mark=''
  [ "$librenms_mdadm_enable" -ge 1 ] && mdadm_mark=''
  # rocommunity grants read access to anyone who knows the string; restrict it in snmpd.conf if exposed
  printf '%s\n' \
    "rocommunity $snmp_community" \
    '' \
    "syslocation $snmp_location" \
    "syscontact $snmp_contact" \
    '' \
    "${megaraid_mark}pass .1.3.6.1.4.1.3582 /usr/sbin/lsi_mrdsnmpmain" \
    '' \
    'extend distro /etc/snmp/extends/distro' \
    "extend hardware '/bin/cat /sys/devices/virtual/dmi/id/product_name'" \
    "extend manufacturer '/bin/cat /sys/devices/virtual/dmi/id/sys_vendor'" \
    "extend serial '/bin/cat /etc/snmp/serial'" \
    '' \
    'extend cape /bin/cat /var/cache/cape.cache' \
    'extend smart /bin/cat /var/cache/smart' \
    "extend sneck ${path_env} /usr/local/bin/sneck -c -b" \
    'extend hv-monitor /bin/cat /var/cache/hv_monitor.cache' \
    'extend osupdate /bin/cat /var/cache/osupdate.extend' \
    "${mdadm_mark}extend mdadm ${path_env} /etc/snmp/extends/mdadm" \
    ''
  # Empty agentaddress keeps the snmpd default
  if [ -n "$snmp_agentaddress" ]; then
    printf 'agentaddress %s\n' "$snmp_agentaddress"
  fi
}
#######################################
# Install the LibreNMS agent bits (snmpd, sneck, extend scripts) when
# librenms_enable is >= 1; otherwise only announce that it is skipped.
# Globals:   librenms_enable, librenms_mdadm_enable (read); calls
#            librenms_sneck_config, librenms_cron_config, librenms_snmpd_config
# Arguments: none
# Outputs:   progress messages on stdout; writes under /etc/snmp, /etc/cron.d, /usr/local/etc
#######################################
install_librenms() {
  local extends=/etc/snmp/extends
  local base_url=https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp
  local script
  local -a packages=(
    zlib1g-dev cpanminus libjson-perl libfile-readbackwards-perl
    libjson-perl libconfig-tiny-perl libdbi-perl libfile-slurp-perl
    libstatistics-lite-perl libdbi-perl libdbd-pg-perl monitoring-plugins
    monitoring-plugins-contrib monitoring-plugins-standard dmidecode wget snmpd
  )
  echo "[+] Install librenms"
  # Guard clause; a non-numeric flag makes [ fail and also lands here
  if ! [ "$librenms_enable" -ge 1 ]; then
    echo "Skipping stuff for LibreNMS"
    return
  fi
  echo "Enabling stuff for LibreNMS"
  apt-get install -y "${packages[@]}"
  cpanm HV::Monitor Monitoring::Sneck
  mkdir -p "$extends"
  # Extend scripts are pulled straight from the agent repo's master branch (unpinned, unverified)
  for script in distro cape smart osupdate; do
    wget "$base_url/$script" -O "$extends/$script"
  done
  chmod +x "$extends/distro" "$extends/cape" "$extends/smart" "$extends/osupdate"
  if [ "$librenms_mdadm_enable" -ge 1 ]; then
    apt-get install -y jq
    wget "$base_url/mdadm" -O "$extends/mdadm"
    chmod +x "$extends/mdadm"
  fi
  "$extends/smart" -g > "$extends/smart.config"
  echo "You will want to check /etc/snmp/extends/smart.config to see if it looks good."
  echo "See /etc/snmp/extends/smart for more info"
  cat /sys/devices/virtual/dmi/id/board_serial > /etc/snmp/serial
  librenms_sneck_config > /usr/local/etc/sneck.conf
  librenms_cron_config > /etc/cron.d/librenms_auto
  librenms_snmpd_config > /etc/snmp/snmpd.conf
  systemctl enable snmpd.service
  systemctl restart snmpd.service
  systemctl restart cron.service
}
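#######################################
# Build libmodsecurity and the nginx connector module, install the module
# and a default rules file, then print the nginx.conf lines to add by hand.
# Globals:   nginx_version (read)
# Arguments: none
# Returns:   1 when the nginx tarball signature does not verify; the status
#            of a failed cd/tar otherwise
#######################################
install_modsecurity() {
  echo "[+] Install modsecurity"
  # Tested on nginx 1.(16|18).X Based on https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/ with fixes
  apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev
  git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
  cd ModSecurity || return
  git submodule init
  git submodule update
  ./build.sh
  ./configure
  make -j"$(nproc)"
  checkinstall -D --pkgname="ModSecurity" --default
  cd .. || return
  git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
  # this step is required to install plugin for existing setup
  if [ ! -d "nginx-$nginx_version" ]; then
    wget "http://nginx.org/download/nginx-$nginx_version.tar.gz"
    wget "http://nginx.org/download/nginx-$nginx_version.tar.gz.asc"
    # Honour the signature result: gpg used to run here but a failure did not
    # stop the build. The release signer's public key has to be in the keyring.
    if ! gpg --verify "nginx-$nginx_version.tar.gz.asc"; then
      echo "[-] Signature check of nginx-$nginx_version.tar.gz failed, not building" >&2
      return 1
    fi
    tar zxf "nginx-$nginx_version.tar.gz" || return
  fi
  cd "nginx-$nginx_version" || return
  # The dynamic module must be built against the same nginx version that is installed
  ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
  make modules
  cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/ngx_http_modsecurity_module.so
  cd .. || return
  mkdir -p /etc/nginx/modsec
  wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
  mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
  cp ModSecurity/unicode.mapping /etc/nginx/modsec
  # Switch the recommended config from detect-only to blocking mode
  sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
  echo 'Include "/etc/nginx/modsec/modsecurity.conf"' >/etc/nginx/modsec/main.conf
  # Manual follow-up steps; a quoted heredoc replaces the old '''...''' echo trick
  cat <<'EOF'

1. Add next line to the top of /etc/nginx/nginx.conf
* load_module modules/ngx_http_modsecurity_module.so;
2. Add next 2 rules to enabled-site under server section
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;

EOF
}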
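#######################################
# Build nginx from source (bundled OpenSSL/PCRE/zlib), package and install it
# as a .deb, add ModSecurity, and write the systemd unit, logrotate rule,
# default site config and the client-certificate CA.
# Globals:   nginx_version, ARCH, MAINTAINER (read); calls install_modsecurity
# Arguments: $1 - domain for the generated site config
# Outputs:   build logs; writes under /etc/nginx, /lib/systemd, /etc/logrotate.d, /etc/ssl/certs
# Returns:   1 when the nginx tarball signature does not verify; the status of
#            a failed cd/configure/make otherwise
#######################################
install_nginx() {
  local domain=$1
  local pcre_version=8.45 zlib_version=1.3.1 openssl_version=3.2.0
  local build_dir
  echo "[+] Install nginx"
  if [ ! -d "nginx-$nginx_version" ]; then
    wget "http://nginx.org/download/nginx-$nginx_version.tar.gz"
    wget "http://nginx.org/download/nginx-$nginx_version.tar.gz.asc"
    # Honour the signature result: gpg used to run here but a failure did not
    # stop the build. The release signer's public key has to be in the keyring.
    if ! gpg --verify "nginx-$nginx_version.tar.gz.asc"; then
      echo "[-] Signature check of nginx-$nginx_version.tar.gz failed, not building" >&2
      return 1
    fi
    tar xzvf "nginx-$nginx_version.tar.gz" || return
  fi
  # The bundled libraries are fetched over HTTPS but not otherwise verified
  # (no checksum or signature); their versions are pinned in one place above.
  wget "https://ftp.exim.org/pub/pcre/pcre-$pcre_version.tar.gz" && tar xzvf "pcre-$pcre_version.tar.gz"
  wget "https://www.zlib.net/zlib-$zlib_version.tar.gz" && tar xzvf "zlib-$zlib_version.tar.gz"
  wget "https://www.openssl.org/source/openssl-$openssl_version.tar.gz" && tar xzvf "openssl-$openssl_version.tar.gz"
  sudo add-apt-repository -y ppa:maxmind/ppa
  sudo apt-get update && sudo apt-get upgrade -y
  sudo apt-get install -y perl libperl-dev libgd3 libgd-dev libgeoip1 libgeoip-dev geoip-bin libxml2 libxml2-dev libxslt1.1 libxslt1-dev
  cd "nginx-$nginx_version" || return
  sudo cp man/nginx.8 /usr/share/man/man8
  sudo gzip /usr/share/man/man8/nginx.8
  # Confirm the man page landed without parsing ls output
  [ -f /usr/share/man/man8/nginx.8.gz ] && echo "nginx.8.gz"
  # A single --with-openssl-opt value: nginx's configure appears to keep only
  # the last occurrence of that option, so the previous four separate flags
  # would collapse to "no-ssl3"; one space-separated list reaches OpenSSL's
  # ./config intact either way.
  ./configure --prefix=/usr/share/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/tmp/nginx.pid \
    --lock-path=/var/lock/nginx.lock \
    --user=www-data \
    --group=www-data \
    --build=Ubuntu \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
    --with-openssl="../openssl-$openssl_version" \
    --with-openssl-opt='enable-ec_nistp_64_gcc_128 no-nextprotoneg no-weak-ssl-ciphers no-ssl3' \
    --with-pcre="../pcre-$pcre_version" \
    --with-pcre-jit \
    --with-zlib="../zlib-$zlib_version" \
    --with-compat \
    --with-file-aio \
    --with-threads \
    --with-http_addition_module \
    --with-http_auth_request_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_mp4_module \
    --with-http_random_index_module \
    --with-http_realip_module \
    --with-http_slice_module \
    --with-http_ssl_module \
    --with-http_sub_module \
    --with-http_stub_status_module \
    --with-http_v2_module \
    --with-http_secure_link_module \
    --with-mail \
    --with-mail_ssl_module \
    --with-stream \
    --with-stream_realip_module \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-debug \
    --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' \
    --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' \
    --with-http_v3_module || return
  # checkinstall -D --pkgname="nginx-$nginx_version" --pkgversion="$nginx_version" --default
  # Stage the package in a fresh mktemp directory: the old fixed /tmp/nginx_builded
  # path was predictable in a world-writable directory and packaged whatever
  # already sat there, and the result is installed as root.
  build_dir=$(mktemp -d /tmp/nginx_build.XXXXXX) || return
  mkdir -p "$build_dir/DEBIAN"
  make -j"$(nproc)" || return
  # printf instead of echo -e: echo's escape handling is not portable
  printf 'Package: nginx\nVersion: %s\nArchitecture: %s\nMaintainer: %s\nDescription: nginx-%s\n' \
    "$nginx_version" "$ARCH" "$MAINTAINER" "$nginx_version" > "$build_dir/DEBIAN/control"
  make -j"$(nproc)" install DESTDIR="$build_dir"
  # dpkg-deb writes <dir>.deb next to the staging directory
  dpkg-deb --build --root-owner-group "$build_dir"
  dpkg -i --force-overwrite "$build_dir.deb"
  rm -rf -- "$build_dir" "$build_dir.deb"
  sudo ln -s /usr/lib/nginx/modules /etc/nginx/modules
  sudo adduser --system --home /nonexistent --shell /bin/false --no-create-home --disabled-login --disabled-password --gecos "nginx user" --group nginx
  # NOTE(review): called from inside the nginx source tree, so install_modsecurity's
  # own checkout of nginx-$nginx_version lands one level deeper -- confirm intended.
  install_modsecurity
  sudo mkdir -p /var/cache/nginx/client_temp /var/cache/nginx/fastcgi_temp /var/cache/nginx/proxy_temp /var/cache/nginx/scgi_temp /var/cache/nginx/uwsgi_temp
  sudo chmod 700 /var/cache/nginx/*
  sudo chown nginx:root /var/cache/nginx/*
  if [ ! -f /lib/systemd/system/nginx.service ]; then
    # Quoted delimiter: $MAINPID must reach systemd literally. The unquoted
    # heredoc expanded it to an empty string, leaving ExecReload/ExecStop
    # without a PID.
    cat > /lib/systemd/system/nginx.service <<'EOF'
[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/tmp/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target
EOF
  fi
  sudo systemctl enable nginx.service
  sudo systemctl start nginx.service
  sudo systemctl is-enabled nginx.service
  sudo mkdir -p /etc/nginx/{conf.d,snippets,sites-available,sites-enabled}
  sudo chmod 640 /var/log/nginx/*
  sudo chown nginx:adm /var/log/nginx/access.log /var/log/nginx/error.log
  if [ ! -f /etc/logrotate.d/nginx ]; then
    # Quoted delimiter: "$(cat /tmp/nginx.pid)" belongs to logrotate's postrotate
    # script; the unquoted heredoc ran it at install time instead.
    cat > /etc/logrotate.d/nginx <<'EOF'
/var/log/nginx/*.log {
    daily
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 640 nginx adm
    sharedscripts
    postrotate
        if [ -f /tmp/nginx.pid ]; then
            kill -USR1 $(cat /tmp/nginx.pid)
        fi
    endscript
}
EOF
  fi
  # Dangling until install_letsencrypt writes /etc/nginx/sites-available/<domain>
  sudo ln -s "/etc/nginx/sites-available/$domain" /etc/nginx/sites-enabled/
  #sudo wget https://support.cloudflare.com/hc/en-us/article_attachments/201243967/origin-pull-ca.pem -O
  if [ ! -f /etc/nginx/sites-enabled/capesandbox ]; then
    # Unquoted heredoc on purpose: $domain is expanded, while nginx's own
    # variables are escaped (\$host, \$uri, ...) so they reach the config
    # literally instead of being expanded to empty strings by the shell.
    # Also fixed: "//" is not an nginx comment marker ("#" is), the stray ":"
    # after the closing brace, and the redundant "ssl on;" (the listen
    # directive's ssl parameter already enables TLS; the standalone directive
    # is deprecated and rejected by recent releases).
    cat > /etc/nginx/sites-enabled/capesandbox <<EOF
server {
    listen 80 default_server;
    server_name $domain;
    return 301 https://\$host\$request_uri;
}
server {
    if (\$http_user_agent = "") {
        return 444;
    }
    # SSL configuration
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    #listen 443 http3 reuseport; # UDP listener for QUIC+HTTP/3
    #ssl_protocols TLSv1.3; # QUIC requires TLS 1.3
    ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    # Only clients presenting a cert from this CA (Cloudflare origin pull) are accepted
    ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
    ssl_verify_client on;
    #add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
    #add_header QUIC-Status \$quic; # Sent when QUIC was used
    server_name $domain www.$domain;
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
  fi
  if [ ! -f /etc/ssl/certs/cloudflare.crt ]; then
    # NOTE(review): decoding the validity field of this embedded certificate
    # gives notBefore 2015-01-13 / notAfter 2020-01-12, i.e. it looks like the
    # old Cloudflare origin-pull CA and appears expired. With ssl_verify_client
    # on, an expired CA breaks every client handshake; replace it with the
    # current CA (see the commented wget above) before relying on it.
    cat > /etc/ssl/certs/cloudflare.crt <<'EOF'
-----BEGIN CERTIFICATE-----
MIIGBjCCA/CgAwIBAgIIV5G6lVbCLmEwCwYJKoZIhvcNAQENMIGQMQswCQYDVQQG
EwJVUzEZMBcGA1UEChMQQ2xvdWRGbGFyZSwgSW5jLjEUMBIGA1UECxMLT3JpZ2lu
IFB1bGwxFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzARBgNVBAgTCkNhbGlmb3Ju
aWExIzAhBgNVBAMTGm9yaWdpbi1wdWxsLmNsb3VkZmxhcmUubmV0MB4XDTE1MDEx
MzAyNDc1M1oXDTIwMDExMjAyNTI1M1owgZAxCzAJBgNVBAYTAlVTMRkwFwYDVQQK
ExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmlnaW4gUHVsbDEWMBQGA1UE
BxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5pYTEjMCEGA1UEAxMa
b3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4IC
DwAwggIKAoICAQDdsts6I2H5dGyn4adACQRXlfo0KmwsN7B5rxD8C5qgy6spyONr
WV0ecvdeGQfWa8Gy/yuTuOnsXfy7oyZ1dm93c3Mea7YkM7KNMc5Y6m520E9tHooc
f1qxeDpGSsnWc7HWibFgD7qZQx+T+yfNqt63vPI0HYBOYao6hWd3JQhu5caAcIS2
ms5tzSSZVH83ZPe6Lkb5xRgLl3eXEFcfI2DjnlOtLFqpjHuEB3Tr6agfdWyaGEEi
lRY1IB3k6TfLTaSiX2/SyJ96bp92wvTSjR7USjDV9ypf7AD6u6vwJZ3bwNisNw5L
ptph0FBnc1R6nDoHmvQRoyytoe0rl/d801i9Nru/fXa+l5K2nf1koR3IX440Z2i9
+Z4iVA69NmCbT4MVjm7K3zlOtwfI7i1KYVv+ATo4ycgBuZfY9f/2lBhIv7BHuZal
b9D+/EK8aMUfjDF4icEGm+RQfExv2nOpkR4BfQppF/dLmkYfjgtO1403X0ihkT6T
PYQdmYS6Jf53/KpqC3aA+R7zg2birtvprinlR14MNvwOsDOzsK4p8WYsgZOR4Qr2
gAx+z2aVOs/87+TVOR0r14irQsxbg7uP2X4t+EXx13glHxwG+CnzUVycDLMVGvuG
aUgF9hukZxlOZnrl6VOf1fg0Caf3uvV8smOkVw6DMsGhBZSJVwao0UQNqQIDAQAB
o2YwZDAOBgNVHQ8BAf8EBAMCAAYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4E
FgQUQ1lLK2mLgOERM2pXzVc42p59xeswHwYDVR0jBBgwFoAUQ1lLK2mLgOERM2pX
zVc42p59xeswCwYJKoZIhvcNAQENA4ICAQDKDQM1qPRVP/4Gltz0D6OU6xezFBKr
LWtDoA1qW2F7pkiYawCP9MrDPDJsHy7dx+xw3bBZxOsK5PA/T7p1dqpEl6i8F692
g//EuYOifLYw3ySPe3LRNhvPl/1f6Sn862VhPvLa8aQAAwR9e/CZvlY3fj+6G5ik
3it7fikmKUsVnugNOkjmwI3hZqXfJNc7AtHDFw0mEOV0dSeAPTo95N9cxBbm9PKv
qAEmTEXp2trQ/RjJ/AomJyfA1BQjsD0j++DI3a9/BbDwWmr1lJciKxiNKaa0BRLB
dKMrYQD+PkPNCgEuojT+paLKRrMyFUzHSG1doYm46NE9/WARTh3sFUp1B7HZSBqA
kHleoB/vQ/mDuW9C3/8Jk2uRUdZxR+LoNZItuOjU8oTy6zpN1+GgSj7bHjiy9rfA
F+ehdrz+IOh80WIiqs763PGoaYUyzxLvVowLWNoxVVoc9G+PqFKqD988XlipHVB6
Bz+1CD4D/bWrs3cC9+kk/jFmrrAymZlkFX8tDb5aXASSLJjUjcptci9SKqtI2h0J
wUGkD7+bQAr+7vr8/R+CBmNMe7csE8NeEX6lVMF7Dh0a1YKQa6hUN18bBuYgTMuT
QzMmZpRpIBB321ZBlcnlxiTJvWxvbCPHKHj20VwwAz7LONF59s84ZsOqfoBv8gKM
s0s5dsq5zpLeaw==
-----END CERTIFICATE-----
EOF
  fi
}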
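#######################################
# Install certbot's nginx plugin and request a certificate for a domain.
# Globals:   none
# Arguments: $1 - domain (required); www.<domain> is requested as well
# Returns:   1 when no domain is given, otherwise the status of certbot
#######################################
install_letsencrypt() {
  local domain=$1
  echo "[+] Install and configure letsencrypt"
  # Without a domain the old code wrote "/etc/nginx/sites-available/" (a
  # directory) and asked certbot for "-d ''"; fail early instead.
  if [ -z "$domain" ]; then
    echo "[-] install_letsencrypt: domain argument is required" >&2
    return 1
  fi
  # NOTE(review): the certbot/certbot PPA has been discontinued upstream for
  # some time; on current Ubuntu the distro package or snap is the usual route -- confirm.
  sudo add-apt-repository ppa:certbot/certbot -y
  sudo apt-get update
  sudo apt-get install python3-certbot-nginx -y
  # Written through sudo tee: the file is under /etc and the plain redirect
  # ran as the invoking user while everything else here uses sudo.
  printf 'server_name %s www.%s;\n' "$domain" "$domain" | sudo tee "/etc/nginx/sites-available/$domain" >/dev/null
  sudo certbot --nginx -d "$domain" -d "www.$domain"
}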
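#######################################
# Install and enable fail2ban with a jail.local copied from jail.conf.
# Globals:   none
# Arguments: none
#######################################
install_fail2ban() {
  echo "[+] Installing fail2ban"
  sudo apt-get install fail2ban -y
  # jail.local is the override file; jail.conf stays untouched for package upgrades
  sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  # The old `sudo sed -i /etc/fail2ban/jail.local` carried no sed expression,
  # so sed took the path as its script and edited nothing; the line is gone.
  # TODO(review): add the intended jail.local customisation here.
  sudo systemctl start fail2ban
  sudo systemctl enable fail2ban
  #https://kifarunix.com/how-to-protect-ssh-server-authentication-with-fail2ban-on-ubuntu-18-04/2/
}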
#######################################
# Drop a (fully commented-out) logrotate template for CAPE and force a
# rotation run, then show the largest log directories.
# Globals:   none
# Arguments: none
#######################################
install_logrotate() {
  local conf=/etc/logrotate.d/cape.conf
  echo "[+] Installing logrotate"
  # du -sh /var/log/* | sort -hr | head -n10
  # thanks digitalocean.com for the manual
  # https://www.digitalocean.com/community/tutorials/how-to-manage-logfiles-with-logrotate-on-ubuntu-16-04
  if [ ! -f "$conf" ]; then
    # Every line is commented out, so this rotates nothing until it is edited.
    # Quoted delimiter: the template is written verbatim (nothing to expand).
    cat > "$conf" <<'EOF'
#/var/log/*.log {
# daily
# missingok
# rotate 7
# compress
# create
# maxsize 10G
#}
EOF
  fi
  sudo /usr/sbin/logrotate --force /etc/logrotate.conf
  du -sh /var/log/* | sort -hr | head -n10
  # wipe kern.log
  # cat /dev/null | sudo tee /var/log/kern.log
}
#######################################
# Build redsocks2 from its git checkout in /tmp and copy the binary to /usr/bin.
# Globals:   none
# Arguments: none
# Returns:   the status of a failed cd/clone; 0 otherwise
#######################################
redsocks2() {
  echo "[+] Installing redsocks2"
  cd /tmp || return
  sudo apt-get install -y git libevent-dev libreadline-dev zlib1g-dev libncurses5-dev libssl1.0-dev libssl-dev
  # Unpinned clone of the default branch; nothing verifies what gets built
  git clone https://github.com/semigodking/redsocks redsocks2 || return
  cd redsocks2 || return
  DISABLE_SHADOWSOCKS=true make -j"$(nproc)" #ENABLE_STATIC=true
  sudo cp redsocks2 /usr/bin/
}
#######################################
# Configure CAPE distributed mode: uwsgi app, the <USER>dist PostgreSQL
# database and, when Mongo is enabled, a mongos shard-router service.
# Globals:   USER, MONGO_ENABLE, DIST_MASTER_IP (read)
# Arguments: none
# Outputs:   progress messages and documentation pointers on stdout
#######################################
distributed() {
  local dist_db="${USER}dist"
  echo "[+] Configure distributed configuration"
  sudo apt-get install uwsgi uwsgi-plugin-python3 nginx -y 2>/dev/null
  sudo -u "${USER}" bash -c '/etc/poetry/bin/poetry run pip install flask flask-restful flask-sqlalchemy requests'
  sudo cp /opt/CAPEv2/uwsgi/capedist.ini /etc/uwsgi/apps-available/cape_dist.ini
  sudo ln -s /etc/uwsgi/apps-available/cape_dist.ini /etc/uwsgi/apps-enabled
  # USER is spliced into SQL via the shell string; it comes from this script's
  # config, not from user input, so no quoting layer is added here.
  sudo -u postgres -H sh -c "psql -c \"CREATE DATABASE ${dist_db}\""
  sudo -u postgres -H sh -c "psql -d \"${USER}\" -c \"GRANT ALL PRIVILEGES ON DATABASE ${dist_db} to ${USER};\""
  sudo -u postgres -H sh -c "psql -d \"${USER}\" -c \"ALTER DATABASE ${dist_db} OWNER TO ${USER};\""
  if [ "$MONGO_ENABLE" -ge 1 ]; then
    sudo mkdir -p /data/{config,}db
    sudo chown mongodb:mongodb /data/ -R
    if [ ! -f /lib/systemd/system/mongos.service ]; then
      # Unquoted delimiter on purpose: ${DIST_MASTER_IP} is expanded into the unit
      cat > /lib/systemd/system/mongos.service <<EOL
[Unit]
Description=Mongo shard service
After=network.target
After=bind9.service
[Service]
PIDFile=/tmp/mongos.pid
User=mongodb
Group=mongodb
# StandardOutput=syslog
# StandardError=syslog
SyslogIdentifier=mongodb
ExecStart=/usr/bin/mongos --configdb cape_config/${DIST_MASTER_IP}:27019 --port 27020
[Install]
WantedBy=multi-user.target
EOL
    fi
    systemctl daemon-reload
    systemctl enable mongos.service
    systemctl start mongos.service
    printf '\n\n\n[+] CAPE distributed documentation: %s\n' 'https://github.com/kevoreilly/CAPEv2/blob/master/docs/book/src/usage/dist.rst'
    printf '\t %s\n' \
      'https://docs.mongodb.com/manual/tutorial/enable-authentication/' \
      'https://docs.mongodb.com/manual/administration/security-checklist/' \
      'https://docs.mongodb.com/manual/core/security-users/#sharding-security'
  fi
}
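#######################################
# Install Suricata from the OISF PPA and tune it for CAPE's pcap-driven use
# (rules under /etc/suricata/rules, hourly rule refresh, eve-log, file-store,
# unix command socket, no checksum validation, unlimited body depth).
# Globals:   USER (read) - account that will own /etc/suricata and run suricata
# Outputs:   progress to stdout
# Returns:   1 if USER is unset; otherwise 0 (apt/sed failures are not
#            checked, matching the rest of the installer)
#######################################
function install_suricata() {
  local suricata_yaml=/etc/suricata/suricata.yaml
  local rules_dir=/etc/suricata/rules
  local src
  # USER is substituted into sed replacements and chown below; an empty
  # value would silently produce a broken config.
  if [ -z "${USER:-}" ]; then
    echo "[-] USER is not set; cannot configure Suricata"
    return 1
  fi
  echo '[+] Installing Suricata'
  add-apt-repository ppa:oisf/suricata-stable -y
  apt-get install suricata suricata-update -y
  touch /etc/suricata/threshold.config
  # Download etupdate to update Emerging Threats Open IDS rules:
  mkdir -p "$rules_dir"
  # Hourly rule refresh via cron. The suricatasc reload is silenced on purpose:
  # the command socket only exists while suricata is running.
  if ! crontab -l | grep -q -F '15 * * * * /usr/bin/suricata-update'; then
    crontab -l | { cat; echo "15 * * * * /usr/bin/suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ && /usr/bin/suricatasc -c reload-rules /tmp/suricata-command.socket &>/dev/null"; } | crontab -
  fi
  # Seed the rules directory from whichever packaged rule directories exist and
  # are non-empty. (The original tested /var/lib for both candidates, so the
  # /usr/share copy depended on the wrong directory.)
  for src in /usr/share/suricata/rules /var/lib/suricata/rules; do
    if [ -d "$src" ] && [ -n "$(ls -A "$src")" ]; then
      cp "${src}/"* "${rules_dir}/"
    fi
  done
  # ToDo this is not the best solution but i don't have time now to investigate proper one
  # Dropping the capability bound lets the service run as the CAPE user below.
  sed -i 's|CapabilityBoundingSet=CAP_NET_ADMIN|#CapabilityBoundingSet=CAP_NET_ADMIN|g' /lib/systemd/system/suricata.service
  systemctl daemon-reload
  #change suricata yaml
  sed -i 's|#default-rule-path: /etc/suricata/rules|default-rule-path: /etc/suricata/rules|g' /etc/default/suricata
  sed -i 's|default-rule-path: /var/lib/suricata/rules|default-rule-path: /etc/suricata/rules|g' "$suricata_yaml"
  sed -i 's/#rule-files:/rule-files:/g' "$suricata_yaml"
  sed -i 's/# - suricata.rules/ - suricata.rules/g' "$suricata_yaml"
  # CAPE drives suricata itself; do not let the distro default start it.
  sed -i 's/RUN=yes/RUN=no/g' /etc/default/suricata
  sed -i 's/mpm-algo: ac/mpm-algo: hs/g' "$suricata_yaml"
  sed -i 's/mpm-algo: auto/mpm-algo: hs/g' "$suricata_yaml"
  # USER goes straight into the sed replacement; a value containing '/' or '&'
  # would corrupt the yaml (not expected for a unix account name).
  sed -i 's/#run-as:/run-as:/g' "$suricata_yaml"
  sed -i "s/# user: suri/ user: ${USER}/g" "$suricata_yaml"
  sed -i "s/# group: suri/ group: ${USER}/g" "$suricata_yaml"
  # Unlimited inspection depth / body limits: analysis quality over throughput.
  sed -i 's/ depth: 1mb/ depth: 0/g' "$suricata_yaml"
  sed -i 's/request-body-limit: 100kb/request-body-limit: 0/g' "$suricata_yaml"
  sed -i 's/response-body-limit: 100kb/response-body-limit: 0/g' "$suricata_yaml"
  sed -i 's/EXTERNAL_NET: "!$HOME_NET"/EXTERNAL_NET: "ANY"/g' "$suricata_yaml"
  sed -i 's|#pid-file: /var/run/suricata.pid|pid-file: /tmp/suricata.pid|g' "$suricata_yaml"
  sed -i 's|#ja3-fingerprints: auto|ja3-fingerprints: yes|g' "$suricata_yaml"
  #-k none
  sed -i 's/#checksum-validation: none/checksum-validation: none/g' "$suricata_yaml"
  sed -i 's/checksum-checks: auto/checksum-checks: no/g' "$suricata_yaml"
  # https://forum.suricata.io/t/suricata-service-crashes-with-pthread-create-is-11-error-when-processing-pcap-with-capev2/3870/5
  sed -i 's|limit-noproc: true|limit-noproc: false|g' "$suricata_yaml"
  # enable eve-log (multi-line yaml edits: sed is line-oriented, so use python)
  python3 -c "pa = '/etc/suricata/suricata.yaml';q=open(pa, 'rb').read().replace(b'eve-log:\n enabled: no\n', b'eve-log:\n enabled: yes\n');open(pa, 'wb').write(q);"
  python3 -c "pa = '/etc/suricata/suricata.yaml';q=open(pa, 'rb').read().replace(b'unix-command:\n enabled: auto\n #filename: custom.socket', b'unix-command:\n enabled: yes\n filename: /tmp/suricata-command.socket');open(pa, 'wb').write(q);"
  # file-store
  python3 -c "pa = '/etc/suricata/suricata.yaml';q=open(pa, 'rb').read().replace(b'file-store:\n version: 2\n enabled: no', b'file-store:\n version: 2\n enabled: yes');open(pa, 'wb').write(q);"
  chown "${USER}:${USER}" -R /etc/suricata
  chown "${USER}:${USER}" -R /var/log/suricata
  systemctl restart suricata
}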
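#######################################
# Install Yara-X: a per-user rustup toolchain, the yara-x CLI built from a
# fresh git checkout, and the yara-x Python bindings in CAPE's poetry env.
# Globals:   USER (read) - account that owns the rust toolchain and checkout
# Outputs:   progress to stdout; checkout left under /tmp/yara-x
# Returns:   non-zero if /tmp or the checkout cannot be entered
#######################################
function install_yara_x() {
  echo '[+] Installing Yara-X'
  # The rustup installer is fetched and executed straight from the network;
  # nothing on this path verifies a checksum or signature of what runs.
  sudo -u "${USER}" bash -c 'curl https://sh.rustup.rs -sSf | sh'
  cd /tmp || return
  # if yara-x exists from previous install remove it (no-op when absent)
  sudo rm -rf -- yara-x
  sudo -u "${USER}" git clone https://github.com/VirusTotal/yara-x
  cd yara-x || return
  # $HOME is whatever sudo hands the target user's shell; rustup above
  # installed under that same HOME, so the two must agree — verify if cargo
  # is reported missing here.
  sudo -u "${USER}" bash -c 'source "$HOME/.cargo/env" ; cargo install --path cli'
  /etc/poetry/bin/poetry --directory /opt/CAPEv2/ run pip install yara-x
}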
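#######################################
# Build the latest YARA release from GitHub into a local .deb, install it,
# then run CAPE's yara_installer.sh inside the poetry environment.
# Globals:   USER, ARCH, MAINTAINER (read);
#            yara_info, yara_version, yara_repo_url, directory,
#            yara_version_only (written, kept global as in the original)
# Outputs:   progress to stdout; build tree under /tmp/yara_builded
# Returns:   1 if the GitHub release lookup yields nothing usable,
#            non-zero if a cd fails
#######################################
function install_yara() {
  echo '[+] Checking for old YARA version to uninstall'
  dpkg -l | grep "yara-v[0-9]\{1,2\}\.[0-9]\{1,2\}\.[0-9]\{1,2\}" | cut -d " " -f 3 | sudo xargs dpkg --purge --force-all 2>/dev/null
  echo '[+] Installing Yara'
  apt-get install libtool libjansson-dev libmagic1 libmagic-dev jq autoconf libyara-dev -y
  cd /tmp || return
  yara_info=$(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest)
  # jq -r prints the bare string; the original stripped the quotes with sed.
  yara_version=$(echo "$yara_info" | jq -r .tag_name)
  yara_repo_url=$(echo "$yara_info" | jq -r .zipball_url)
  # An unauthenticated API call can be rate-limited or fail; jq then yields
  # "null"/nothing and the download below would fail with a confusing error.
  if [ -z "$yara_version" ] || [ "$yara_version" = "null" ] || [ -z "$yara_repo_url" ] || [ "$yara_repo_url" = "null" ]; then
    echo "[-] Could not determine the latest YARA release from the GitHub API"
    return 1
  fi
  if [ ! -f "$yara_version" ]; then
    # Save under the tag name explicitly so the unzip below does not depend
    # on wget's filename guess for the API zipball URL.
    wget -q -O "$yara_version" "$yara_repo_url"
    unzip -o -q "$yara_version"
    #wget "https://github.com/VirusTotal/yara/archive/v$yara_version.zip" && unzip "v$yara_version.zip"
  fi
  # The zipball extracts to VirusTotal-yara-<sha>; pick it by glob rather
  # than parsing ls. An unmatched glob leaves the pattern and cd fails below.
  local candidates=(VirusTotal-yara-*)
  directory=${candidates[0]}
  mkdir -p /tmp/yara_builded/DEBIAN
  cd "$directory" || return
  ./bootstrap.sh
  ./configure --enable-cuckoo --enable-magic --enable-profiling
  make -j"$(getconf _NPROCESSORS_ONLN)"
  # tag is "vX.Y.Z"; the package version is without the leading v
  yara_version_only=${yara_version#v}
  printf 'Package: yara\nVersion: %s\nArchitecture: %s\nMaintainer: %s\nDescription: yara-%s\n' \
    "$yara_version_only" "$ARCH" "$MAINTAINER" "$yara_version" > /tmp/yara_builded/DEBIAN/control
  make -j"$(nproc)" install DESTDIR=/tmp/yara_builded
  dpkg-deb --build --root-owner-group /tmp/yara_builded
  dpkg -i --force-overwrite /tmp/yara_builded.deb
  #checkinstall -D --pkgname="yara-$yara_version" --pkgversion="$yara_version_only" --default
  ldconfig
  # Run yara installer script
  sudo -u "${USER}" /etc/poetry/bin/poetry --directory /opt/CAPEv2 run /opt/CAPEv2/extra/yara_installer.sh
  # leftover checkout relative to the current (source) directory, if any
  sudo rm -rf -- yara-python
}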
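#######################################
# Install MongoDB from the vendor apt repo and run it as a custom
# mongodb.service unit (the packaged mongod.service is removed).
# Globals:   MONGO_ENABLE, DISABLE_MONGO_AVX_CHECK, USER (read);
#            MONGO_VERSION, PIP_VERSION (written, kept global as before)
# Outputs:   progress to stdout; unit file, cron entries, sysfs.conf edits
# Returns:   0 (individual command failures are not checked)
#######################################
function install_mongo(){
  if [ "$MONGO_ENABLE" -ge 1 ]; then
    echo "[+] Installing MongoDB"
    # Mongo >=5 requires CPU AVX instruction support https://www.mongodb.com/docs/manual/administration/production-notes/#x86_64
    MONGO_VERSION="8.0"
    if ! grep -q ' avx ' /proc/cpuinfo; then
      if [[ "$DISABLE_MONGO_AVX_CHECK" -eq 0 ]]; then
        echo "[-] Mongo >= 5 is not supported"
        MONGO_VERSION="4.4"
      fi
    fi
    # Keyring dir is not guaranteed to exist on older releases.
    sudo install -d -m 0755 /etc/apt/keyrings
    sudo curl -fsSL "https://pgp.mongodb.com/server-${MONGO_VERSION}.asc" | sudo gpg --dearmor -o /etc/apt/keyrings/mongo.gpg --yes
    echo "deb [signed-by=/etc/apt/keyrings/mongo.gpg arch=amd64] https://repo.mongodb.org/apt/ubuntu $(lsb_release -cs)/mongodb-org/${MONGO_VERSION} multiverse" > /etc/apt/sources.list.d/mongodb.list
    # NB: stderr is dropped here, so a repo/signature problem only shows up
    # as the install below failing.
    apt-get update 2>/dev/null
    apt-get install libpcre3-dev numactl cron -y
    apt-get install -y mongodb-org
    # Check pip version. Only pip3 versions 23+ have the '--break-system-packages' flag.
    PIP_VERSION=$(pip3 -V | awk '{print $2}' | cut -d'.' -f1)
    if [ "$PIP_VERSION" -ge 23 ]; then
      pip3 install pymongo -U --break-system-packages
    else
      pip3 install pymongo -U
    fi
    apt-get install -y ntp
    systemctl start ntp.service && sudo systemctl enable ntp.service
    # Disable THP as recommended for mongod; sysfs.conf may not exist before
    # sysfsutils is installed, in which case grep simply finds nothing.
    if ! grep -q -E '^kernel/mm/transparent_hugepage/enabled' /etc/sysfs.conf 2>/dev/null; then
      sudo apt-get install sysfsutils -y
      echo "kernel/mm/transparent_hugepage/enabled = never" >> /etc/sysfs.conf
      echo "kernel/mm/transparent_hugepage/defrag = never" >> /etc/sysfs.conf
    fi
    # Replace the packaged unit with ours (the original removed it twice).
    if [ -f /lib/systemd/system/mongod.service ]; then
      systemctl stop mongod.service
      systemctl disable mongod.service
      rm -f -- /lib/systemd/system/mongod.service
      systemctl daemon-reload
    fi
    if [ ! -f /lib/systemd/system/mongodb.service ]; then
      if ! crontab -l | grep -q -F '@reboot /bin/mkdir -p /data/configdb'; then
        crontab -l | { cat; echo "@reboot /bin/mkdir -p /data/configdb && /bin/mkdir -p /data/db && /bin/chown mongodb:mongodb /data -R"; } | crontab -
      fi
      # Quoted delimiter: the unit must contain a literal $MAINPID for systemd.
      # With an unquoted EOF the shell expanded it to nothing at install time,
      # leaving "ExecReload=/bin/kill -HUP " in the unit.
      cat > /lib/systemd/system/mongodb.service <<'EOF'
[Unit]
Description=High-performance, schema-free document-oriented database
Wants=network.target
After=network.target
[Service]
PermissionsStartOnly=true
#ExecStartPre=/bin/mkdir -p /data/{config,}db && /bin/chown mongodb:mongodb /data -R
# https://www.tutorialspoint.com/mongodb/mongodb_replication.htm
ExecStart=/usr/bin/numactl --interleave=all /usr/bin/mongod --setParameter "tcmallocReleaseRate=5.0"
# --replSet rs0
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
# enable on ramfs servers
# --wiredTigerCacheSizeGB=50
User=mongodb
Group=mongodb
# StandardOutput=syslog
# StandardError=syslog
SyslogIdentifier=mongodb
LimitNOFILE=1048576
[Install]
WantedBy=multi-user.target
EOF
    fi
    sudo mkdir -p /data/{config,}db
    sudo chown mongodb:mongodb /data/ -R
    systemctl unmask mongodb.service
    systemctl enable mongodb.service
    systemctl restart mongodb.service
    if ! crontab -l | grep -q -F 'delete-unused-file-data-in-mongo'; then
      crontab -l | { cat; echo "30 1 * * 0 cd /opt/CAPEv2 && sudo -u ${USER} /etc/poetry/bin/poetry run python ./utils/cleaners.py --delete-unused-file-data-in-mongo"; } | crontab -
    fi
    echo "https://www.percona.com/blog/2016/08/12/tuning-linux-for-mongodb/"
  else
    echo "[+] Skipping MongoDB"
  fi
}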
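#######################################
# Install Elasticsearch 7.x from the vendor apt repo and the Python client.
# Globals:   PIP_VERSION (written, kept global as before)
# Outputs:   progress to stdout
# Returns:   0 (command failures are not checked)
#######################################
function install_elastic() {
  echo "[+] Installing elastic"
  # Keyring dir is not guaranteed to exist on older releases.
  sudo install -d -m 0755 /etc/apt/keyrings
  sudo curl -fsSL "https://artifacts.elastic.co/GPG-KEY-elasticsearch" | sudo gpg --dearmor -o /etc/apt/keyrings/elasticsearch-keyring.gpg --yes
  # Elasticsearch 7.x
  echo "deb [signed-by=/etc/apt/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
  # Elasticsearch 8.x
  # echo "deb [signed-by=/etc/apt/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" > /etc/apt/sources.list.d/elastic-8.x.list
  # -y: every other apt call in this installer is non-interactive; without it
  # this step prompts and hangs an unattended run.
  apt-get update && apt-get install -y elasticsearch
  # Check pip version. Only pip3 versions 23+ have the '--break-system-packages' flag.
  PIP_VERSION=$(pip3 -V | awk '{print $2}' | cut -d'.' -f1)
  if [ "$PIP_VERSION" -ge 23 ]; then
    pip3 install elasticsearch --break-system-packages
  else
    pip3 install elasticsearch
  fi
  systemctl enable elasticsearch
}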
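#######################################
# Install PostgreSQL from the PGDG apt repo, enable the service and refresh
# collation versions of the databases that already exist.
# Globals:   none read (the CAPE database/user are created by the caller,
#            after this function returns)
# Outputs:   progress to stdout
# Returns:   0 (command failures are not checked)
#######################################
function install_postgresql() {
  echo "[+] Installing PostgreSQL"
  # Keep the key scoped to this repository via signed-by (as the sources
  # line below already intends). Dropping it into trusted.gpg.d would let it
  # sign any apt source. -f makes curl fail instead of piping an HTML error
  # page into gpg.
  sudo install -d -m 0755 /etc/apt/keyrings
  curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/keyrings/apt.postgresql.org.gpg >/dev/null
  echo "deb [signed-by=/etc/apt/keyrings/apt.postgresql.org.gpg arch=amd64] https://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list
  sudo apt-get update -y
  sudo apt -y install libpq-dev postgresql postgresql-client
  sudo systemctl enable postgresql.service
  sudo systemctl start postgresql.service
  # Connect through the always-present "postgres" database: on a fresh install
  # the "${USER}" database the original connected to does not exist yet (the
  # caller creates it only after this function returns), so both statements
  # failed. The "cape" database may likewise be absent, so that refresh is
  # best-effort.
  sudo -u postgres -H sh -c "psql -d postgres -c \"ALTER DATABASE postgres REFRESH COLLATION VERSION;\""
  sudo -u postgres -H sh -c "psql -d postgres -c \"ALTER DATABASE cape REFRESH COLLATION VERSION;\"" \
    || echo "[-] database cape not present yet; skipping its collation refresh"
}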
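#######################################
# Install capa (plus its rules submodule) from a git checkout into CAPE's
# poetry environment; the checkout is removed afterwards.
# Globals:   none
# Outputs:   progress to stdout; ends in /opt/CAPEv2
# Returns:   non-zero if /tmp, the checkout or /opt/CAPEv2 cannot be entered
#######################################
function install_capa() {
  echo "[+] Installing capa"
  # pip3 install flare-capa fails for me
  cd /tmp || return
  if [ ! -d /tmp/capa ]; then
    # problem with test files of dotnet as it goes over ssh instead of https --recurse-submodules
    git clone https://github.com/mandiant/capa.git
  fi
  cd capa || return
  git pull
  git submodule update --init rules
  /etc/poetry/bin/poetry --directory /opt/CAPEv2/ run pip install .
  # Leave the checkout before deleting it; the original cd was unguarded, so a
  # failed cd would have removed the working directory from under the caller.
  cd /opt/CAPEv2 || return
  sudo rm -rf -- /tmp/capa
}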
function dependencies() {
echo "[+] Installing dependencies"
timedatectl set-timezone UTC
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
#sudo snap install canonical-livepatch
#sudo canonical-livepatch enable APITOKEN
# deps
apt-get install python3-pip build-essential libssl-dev libssl3 python3-dev cmake nfs-common -y
apt-get install innoextract msitools iptables psmisc jq sqlite3 tmux net-tools checkinstall graphviz python3-pydot git numactl python3 python3-dev python3-pip libjpeg-dev zlib1g-dev -y
apt-get install zpaq upx-ucl wget zip unzip 7zip lzip rar unrar unace-nonfree cabextract geoip-database libgeoip-dev libjpeg-dev mono-utils ssdeep libfuzzy-dev exiftool -y
apt-get install uthash-dev libconfig-dev libarchive-dev libtool autoconf automake privoxy software-properties-common wkhtmltopdf xvfb xfonts-100dpi tcpdump libcap2-bin wireshark-common -y
apt-get install python3-pil subversion uwsgi uwsgi-plugin-python3 python3-pyelftools git curl -y
apt-get install openvpn wireguard -y
apt-get install crudini -y
# APT poetry is ultra outdated
curl -sSL https://install.python-poetry.org | POETRY_HOME=/etc/poetry python3 -
echo "PATH=$PATH:/etc/poetry/bin/" >> /etc/bash.bashrc
source /etc/bash.bashrc
apt-get install locate # used by extra/libvirt_installer.sh
# de4dot selfextraction
apt-get install -y libgdiplus libdnlib2.1-cil libgif7 libmono-accessibility4.0-cil libmono-ldap4.0-cil libmono-posix4.0-cil libmono-sqlite4.0-cil libmono-system-componentmodel-dataannotations4.0-cil libmono-system-data4.0-cil libmono-system-design4.0-cil libmono-system-drawing4.0-cil libmono-system-enterpriseservices4.0-cil libmono-system-ldap4.0-cil libmono-system-runtime-serialization-formatters-soap4.0-cil libmono-system-runtime4.0-cil libmono-system-transactions4.0-cil libmono-system-web-applicationservices4.0-cil libmono-system-web-services4.0-cil libmono-system-web4.0-cil libmono-system-windows-forms4.0-cil libmono-webbrowser4.0-cil
de4dot_package_name="de4dot_3.1.41592.3405-2_all.deb"
# if not exist download package
if [ ! -f $de4dot_package_name ]; then
wget http://archive.ubuntu.com/ubuntu/pool/universe/d/de4dot/$de4dot_package_name
fi
if [ -f $de4dot_package_name ]; then
sudo dpkg -i $de4dot_package_name
sudo rm $de4dot_package_name
else
echo "[-] de4dot package not found"
return
fi
# if broken sudo python -m pip uninstall pip && sudo apt-get install python-pip --reinstall
#pip3 install --upgrade pip
# /usr/bin/pip
# from pip import __main__
# if __name__ == '__main__':
# sys.exit(__main__._main())
# re2 - dead on py3.11
# apt-get install libre2-dev -y
#re2 for py3
# pip3 install cython
# pip3 install git+https://github.com/andreasvc/pyre2.git
install_postgresql
sudo -u postgres -H sh -c "psql -c \"CREATE USER ${USER} WITH PASSWORD '$PASSWD'\"";
sudo -u postgres -H sh -c "psql -c \"CREATE DATABASE ${USER}\"";
sudo -u postgres -H sh -c "psql -d \"${USER}\" -c \"GRANT ALL PRIVILEGES ON DATABASE ${USER} to ${USER};\""
sudo -u postgres -H sh -c "psql -d \"${USER}\" -c \"ALTER DATABASE ${USER} OWNER TO ${USER};\""
apt-get install apparmor-utils -y
TCPDUMP_PATH=`which tcpdump`
aa-complain ${TCPDUMP_PATH}
aa-disable ${TCPDUMP_PATH}
if id "${USER}" &>/dev/null; then
echo "user ${USER} already exist"
else