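#!/bin/bash
set -euo pipefail
# ============================================================================
# ShadowTrap VPS Deployment Script
# Deploy on a fresh Ubuntu 22.04+ VPS where ALL ports are honeypot.
# Dashboard is protected by IP whitelist via iptables (IPv4); the same
# dashboard ports are dropped outright on IPv6, where no whitelist exists.
#
# Run it from a checkout of the repository: the install step copies the
# honeypot sources that sit next to this script, so a bare `curl | bash`
# has nothing to copy and is rejected by the pre-flight check before any
# system change is made.
#
# Usage:
#   sudo ADMIN_IP="1.2.3.4" ./deploy-vps.sh
#
# ADMIN_IP is a dotted-quad IPv4 address, optionally with a /prefix.
# ============================================================================
readonly INSTALL_DIR="/opt/shadowtrap"
readonly DATA_DIR="${INSTALL_DIR}/data"
readonly LOG_DIR="${INSTALL_DIR}/logs"
readonly SERVICE_USER="shadowtrap"
readonly DASHBOARD_PORT=8443
readonly REDIRECT_PORT=8080
readonly SSH_PORT=2222
readonly SSHD_CONFIG="/etc/ssh/sshd_config"
# Files and directories copied from the checkout into INSTALL_DIR.
readonly INSTALL_ITEMS=(honeypot.py config.py database.py logger.py geo_lookup.py
  services utils web analysis)
ADMIN_IP="${ADMIN_IP:-}"
# ${BASH_SOURCE[0]} is empty when the script arrives on stdin; fall back to $0
# so `set -u` does not trip, and let the pre-flight check report the real problem.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" && pwd)"
readonly SCRIPT_DIR

#######################################
# Print a message to stdout (plain, one line per argument list).
#######################################
log() { printf '%s\n' "$*"; }

#######################################
# Print an error to stderr and abort with status 1.
#######################################
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

#######################################
# Shape check for ADMIN_IP: dotted quad with optional /prefix.
# Only the syntax is validated (octets > 255 slip through); iptables itself
# rejects an out-of-range value, which is still caught before any rule is
# applied because the firewall step runs under `set -e`.
# Arguments: $1 - candidate address
# Returns:   0 if it looks like IPv4[/prefix], 1 otherwise
#######################################
is_ipv4() {
  [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$ ]]
}

#######################################
# Everything that can be checked before the host is modified, so that a
# failure never leaves SSH moved and the firewall half-built.
# Globals: ADMIN_IP, SCRIPT_DIR, INSTALL_ITEMS (read)
#######################################
preflight() {
  [[ "$(id -u)" -eq 0 ]] || die "Run as root: sudo ADMIN_IP=x.x.x.x ./deploy-vps.sh"
  if [[ -z "${ADMIN_IP}" ]]; then
    die $'Set ADMIN_IP to your home/office IP to whitelist dashboard access.\n  sudo ADMIN_IP="1.2.3.4" ./deploy-vps.sh'
  fi
  is_ipv4 "${ADMIN_IP}" \
    || die "ADMIN_IP '${ADMIN_IP}' is not an IPv4 address (x.x.x.x or x.x.x.x/nn)"
  # The original copy loop only discovered a missing source after sshd had
  # already been moved; check the inputs first.
  local item
  for item in "${INSTALL_ITEMS[@]}"; do
    [[ -e "${SCRIPT_DIR}/${item}" ]] \
      || die "missing ${SCRIPT_DIR}/${item}; run this script from the ShadowTrap checkout"
  done
}

#######################################
# apt update + install of the runtime and firewall dependencies.
#######################################
install_packages() {
  log "[+] Updating system..."
  # iptables-persistent asks via debconf whether to save the current rules;
  # with output discarded and no non-interactive frontend that prompt can
  # hang the quiet install instead of failing it.
  export DEBIAN_FRONTEND=noninteractive
  apt-get update -qq
  apt-get install -y -qq python3 python3-pip openssl iptables-persistent >/dev/null 2>&1 \
    || die "apt-get install failed (re-run the apt-get line without the redirect to see why)"
}

#######################################
# Stop and disable daemons that would otherwise hold ports the honeypot
# wants. sshd is deliberately NOT in this list: it is moved, not removed,
# in move_ssh, and disabling it here would leave the box unreachable after
# the next reboot.
#######################################
stop_conflicting_services() {
  log "[+] Stopping conflicting services..."
  local svc
  for svc in apache2 nginx mysql mariadb postgresql redis-server postfix \
    smbd nmbd vsftpd proftpd bind9 named; do
    systemctl stop "${svc}" 2>/dev/null || true
    systemctl disable "${svc}" 2>/dev/null || true
  done
}

#######################################
# Move the real sshd to SSH_PORT so port 22 is free for the honeypot.
# Globals: SSHD_CONFIG, SSH_PORT (read)
# Side effects: edits SSHD_CONFIG (backup kept next to it), restarts sshd,
#               leaves the unit enabled
#######################################
move_ssh() {
  log "[+] Moving real SSH to port ${SSH_PORT}..."
  if [[ ! -f "${SSHD_CONFIG}" ]]; then
    log "[!] ${SSHD_CONFIG} not found; skipping SSH move"
    return 0
  fi
  local backup="${SSHD_CONFIG}.shadowtrap.bak"
  cp -a -- "${SSHD_CONFIG}" "${backup}"
  if grep -Eq '^#?Port ' "${SSHD_CONFIG}"; then
    sed -i -E "s/^#?Port .*/Port ${SSH_PORT}/" "${SSHD_CONFIG}"
  else
    # No Port line at all: the original substitution would silently change
    # nothing and sshd would stay on 22, colliding with the honeypot.
    printf 'Port %s\n' "${SSH_PORT}" >>"${SSHD_CONFIG}"
  fi
  # NOTE(review): a drop-in under /etc/ssh/sshd_config.d/ that sets Port wins
  # over this file, and a socket-activated ssh.socket ignores the Port line
  # entirely — confirm neither applies on the target image.
  # Never restart sshd on a config it rejects; that is the quickest way to
  # lose the host. Roll back and stop instead.
  if command -v sshd >/dev/null && ! sshd -t 2>/dev/null; then
    cp -a -- "${backup}" "${SSHD_CONFIG}"
    die "sshd rejected the edited ${SSHD_CONFIG}; original restored, nothing else changed"
  fi
  # Unit name differs between distributions (sshd vs ssh); enable whichever
  # one restarts so the service comes back after a reboot.
  local unit
  for unit in sshd ssh; do
    if systemctl restart "${unit}" 2>/dev/null; then
      systemctl enable "${unit}" 2>/dev/null || true
      break
    fi
  done
  log "[!] IMPORTANT: SSH is now on port ${SSH_PORT}. Connect with: ssh -p ${SSH_PORT} user@host"
}

#######################################
# Create the unprivileged system account the service runs as (idempotent).
#######################################
create_service_user() {
  if id "${SERVICE_USER}" &>/dev/null; then
    return 0
  fi
  log "[+] Creating service user: ${SERVICE_USER}"
  useradd --system --shell /usr/sbin/nologin --home-dir "${INSTALL_DIR}" "${SERVICE_USER}"
}

#######################################
# Copy the honeypot sources into INSTALL_DIR and lock down ownership/modes.
#######################################
install_files() {
  log "[+] Installing ShadowTrap to ${INSTALL_DIR}..."
  mkdir -p "${INSTALL_DIR}" "${DATA_DIR}/certs" "${DATA_DIR}/capture" "${LOG_DIR}"
  local item
  for item in "${INSTALL_ITEMS[@]}"; do
    cp -r -- "${SCRIPT_DIR}/${item}" "${INSTALL_DIR}/"
  done
  chown -R "${SERVICE_USER}:${SERVICE_USER}" "${INSTALL_DIR}"
  chmod 750 "${INSTALL_DIR}" "${DATA_DIR}" "${LOG_DIR}"
}

#######################################
# Firewall: dashboard ports reachable only from ADMIN_IP, everything else
# open for the honeypot. IPv4 rules are rebuilt from scratch; on IPv6, where
# ADMIN_IP cannot match, the dashboard ports are simply dropped — without
# that, a VPS with a public v6 address exposes the dashboard world-wide while
# appearing "whitelisted" over v4.
# Globals: ADMIN_IP, SSH_PORT, DASHBOARD_PORT, REDIRECT_PORT (read)
#######################################
configure_firewall() {
  log "[+] Configuring firewall..."
  # Flush existing INPUT rules (other chains, e.g. ufw's, are left alone)
  iptables -F INPUT 2>/dev/null || true
  # Allow loopback
  iptables -A INPUT -i lo -j ACCEPT
  # Allow established connections
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Allow real SSH on SSH_PORT from anywhere (your lifeline)
  iptables -A INPUT -p tcp --dport "${SSH_PORT}" -j ACCEPT
  # Dashboard: ONLY from admin IP. A source-address match is a network
  # control, not authentication; the dashboard login still has to be changed.
  iptables -A INPUT -p tcp --dport "${DASHBOARD_PORT}" -s "${ADMIN_IP}" -j ACCEPT
  iptables -A INPUT -p tcp --dport "${REDIRECT_PORT}" -s "${ADMIN_IP}" -j ACCEPT
  iptables -A INPUT -p tcp --dport "${DASHBOARD_PORT}" -j DROP
  iptables -A INPUT -p tcp --dport "${REDIRECT_PORT}" -j DROP
  # Allow ALL other ports (honeypot listens on everything)
  iptables -A INPUT -j ACCEPT
  # IPv6: insert the drops at the head of INPUT; -C first keeps a re-run from
  # stacking duplicates.
  if command -v ip6tables >/dev/null; then
    local port
    for port in "${DASHBOARD_PORT}" "${REDIRECT_PORT}"; do
      ip6tables -C INPUT -p tcp --dport "${port}" -j DROP 2>/dev/null \
        || ip6tables -I INPUT -p tcp --dport "${port}" -j DROP
    done
  else
    log "[!] ip6tables not found; dashboard ports are NOT filtered over IPv6"
  fi
  # Save rules (netfilter-persistent covers both families)
  netfilter-persistent save 2>/dev/null \
    || iptables-save >/etc/iptables/rules.v4 2>/dev/null || true
  log "[+] Dashboard whitelisted for ${ADMIN_IP} only"
}

#######################################
# Allow the interpreter to bind privileged ports.
# NOTE(review): kept for parity with the original, but the systemd unit
# already grants CAP_NET_BIND_SERVICE via AmbientCapabilities, whereas this
# file capability applies to every python3 process on the host, not only the
# service. Consider dropping it once the unit is confirmed to bind on its own.
#######################################
set_capabilities() {
  log "[+] Setting port binding capability..."
  local python_bin
  python_bin="$(readlink -f /usr/bin/python3)"
  setcap 'cap_net_bind_service=+ep' "${python_bin}" 2>/dev/null || true
}

#######################################
# Write, enable and start the systemd unit.
#######################################
install_service() {
  log "[+] Installing systemd service..."
  cat >/etc/systemd/system/shadowtrap.service <<UNIT
[Unit]
Description=ShadowTrap Honeypot
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=${SERVICE_USER}
Group=${SERVICE_USER}
WorkingDirectory=${INSTALL_DIR}
ExecStart=/usr/bin/python3 ${INSTALL_DIR}/honeypot.py
Restart=always
RestartSec=5
TimeoutStopSec=30
Environment=HONEYPOT_DATA=${DATA_DIR}
Environment=HONEYPOT_LOGS=${LOG_DIR}
Environment=WEB_PORT=${DASHBOARD_PORT}
Environment=WEB_HTTP_PORT=${REDIRECT_PORT}
Environment=LOG_LEVEL=INFO
# Security hardening
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=${DATA_DIR} ${LOG_DIR}
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
UNIT
  systemctl daemon-reload
  systemctl enable shadowtrap
  systemctl start shadowtrap
}

#######################################
# Give the service a moment, then print the post-install summary.
#######################################
report() {
  log "[+] Waiting for services to start..."
  sleep 5
  local listening
  # grep -c exits 1 when nothing matches, which under pipefail aborted the
  # original right before its summary; zero listeners is a valid (bad) answer
  # that should be reported, not hidden by a crash.
  listening=$(ss -tlnp | grep -c python3 || true)
  if ! systemctl is-active --quiet shadowtrap; then
    log "[!] shadowtrap is not running; see: journalctl -u shadowtrap -n 50"
  fi
  log ""
  log "=========================================="
  log " ShadowTrap Deployed!"
  log "=========================================="
  log ""
  log " Services listening: ${listening} ports"
  log " Dashboard: https://<VPS-IP>:${DASHBOARD_PORT}"
  # Application-shipped default credentials; the warning below is the only
  # thing standing between them and anyone who reaches the dashboard.
  log " Login: admin / changeme"
  log " Real SSH: ssh -p ${SSH_PORT} user@<VPS-IP>"
  log ""
  log " Dashboard only accessible from: ${ADMIN_IP}"
  log " All other ports are honeypot traps."
  log ""
  log " Commands:"
  log " systemctl status shadowtrap"
  log " journalctl -u shadowtrap -f"
  log " python3 ${INSTALL_DIR}/analysis/report.py"
  log ""
  log " !! CHANGE the dashboard password on first login !!"
  log " !! CHANGE your real SSH password / use key auth !!"
  log ""
}

#######################################
# Entry point: validate, then apply the steps in dependency order.
#######################################
main() {
  log "=========================================="
  log " ShadowTrap VPS Deployment"
  log "=========================================="
  log ""
  preflight
  log "[*] Admin IP (dashboard access): ${ADMIN_IP}"
  log "[*] Dashboard will be on port: ${DASHBOARD_PORT}"
  log ""
  install_packages
  stop_conflicting_services
  move_ssh
  create_service_user
  install_files
  configure_firewall
  set_capabilities
  install_service
  report
}

main "$@"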