Add support for RHEL/CentOS 7

[marcocen]

Added support for centos 7.

Tried to be as unintrusive as possible with regards to the other OSs installation procedures, only adding general changes where I think they wouldn't break anything.

[marcocen]

I'm currently testing on Ubuntu 18.04 and centos 6.9 to make sure I didn't break anything

[d1str0]

I’ll try and give this a test today!

Oh, and the Readme could be updated as well to mention support for RHEL/Centos.

[marcocen]

Installed on an ubuntu 18.04.3 box and everything seems to be working!

Tomorrow I'll check on Centos6.9 and report back

[marcocen]

So... The installation completes on centos 6.10 but the uwsgi and honeymap services fail.

The thing is... I tried the current installer (the one on the pwnlandia master branch) and that one doesn't even finish (it fails on the mongodb install), so... this PR is still progress?

I will check if I can find why those services fail on my branch.

[marcocen]

Any news on this PR?

[d1str0]

@marcocen sorry, was under the impression you were still working on it. I'll give it a test run this week hopefully.

[neil-fox]

@d1str0 Any update on if MHN works on CentOS 7? My install fails when trying to install mongodb. Cheers.

[d1str0]

@marcocen on a fresh centos box I don't have the firewall-cmd command. Maybe it needs to be installed? If so, we should add it to the script.

+ '[' -f /etc/redhat-release ']'
+ grep -q -i 'release 7' /etc/redhat-release
+ firewall-cmd --zone=public --add-service=http --permanent
./install_mhnserver.sh: line 180: firewall-cmd: command not found

This was on default Centos7 AMI in AWS.

[neil-fox]

I've got Cowrie working on CentOS 7 and successfully sending attack data back to MHN by amending the Ubuntu deploy script.

Make sure selinux is disabled and also install authbind:

wget https://s3.amazonaws.com/aaronsilber/public/authbind-2.1.1-0.1.x86_64.rp

rpm -Uvh https://s3.amazonaws.com/aaronsilber/public/authbind-2.1.1-0.1.x86_64.rpm

Amended script:

#!/bin/bash

set -e
set -x

if [ $# -ne 2 ]
then
echo "Wrong number of arguments supplied."
echo "Usage: $0 <server_url> <deploy_key>."
exit 1
fi

yum update
yum install -y python

server_url=$1
deploy_key=$2

yum -y install epel-release
yum -y install python-dev git supervisor authbind openssl python-virtualenv build-essential python-gmpy2 libgmp-dev libmpfr-dev libmpc-dev libssl-dev python-pip libffi-dev

pip install -U supervisor
service supervisord start

sed -i 's/#Port/Port/g' /etc/ssh/sshd_config
sed -i 's/Port 22$/Port 2222/g' /etc/ssh/sshd_config
systemctl restart sshd.service
useradd -d /home/cowrie -s /bin/bash -m cowrie -g users

cd /opt
git clone https://github.com/micheloosterhof/cowrie.git cowrie
cd cowrie

git checkout 34f8464

cat > /opt/cowrie/requirements.txt <=17.1.0
cryptography>=2.1
configparser
pyopenssl
pyparsing
packaging
appdirs>=1.4.0
pyasn1_modules
attrs
service_identity
python-dateutil
tftpy
bcrypt
EOF

virtualenv cowrie-env #env name has changed to cowrie-env on latest version of cowrie
source cowrie-env/bin/activate
pip install csirtgsdk==0.0.0a6
pip install -r requirements.txt

wget $server_url/static/registration.txt -O registration.sh
chmod 755 registration.sh
. ./registration.sh $server_url $deploy_key "cowrie"

cd etc
cp cowrie.cfg.dist cowrie.cfg
sed -i 's/hostname = svr04/hostname = server/g' cowrie.cfg
sed -i 's/listen_endpoints = tcp:2222:interface=0.0.0.0/listen_endpoints = tcp:22:interface=0.0.0.0/g' cowrie.cfg
sed -i 's/version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2/version = SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1.3/g' cowrie.cfg
sed -i 's/#[output_hpfeeds]/[output_hpfeeds]/g' cowrie.cfg
sed -i '/[output_hpfeeds]/!b;n;cenabled = true' cowrie.cfg
sed -i "s/#server = hpfeeds.mysite.org/server = $HPF_HOST/g" cowrie.cfg
sed -i "s/#port = 10000/port = $HPF_PORT/g" cowrie.cfg
sed -i "s/#identifier = abc123/identifier = $HPF_IDENT/g" cowrie.cfg
sed -i "s/#secret = secret/secret = $HPF_SECRET/g" cowrie.cfg
sed -i 's/#debug=false/debug=false/' cowrie.cfg
cd ..

chown -R cowrie:users /opt/cowrie/
touch /etc/authbind/byport/22
chown cowrie /etc/authbind/byport/22
chmod 770 /etc/authbind/byport/22

sed -i 's/AUTHBIND_ENABLED=no/AUTHBIND_ENABLED=yes/' bin/cowrie
sed -i 's/DAEMONIZE=""/DAEMONIZE="-n"/' bin/cowrie

cat > /etc/supervisord.conf <<EOF
[program:cowrie]
command=/opt/cowrie/bin/cowrie start
directory=/opt/cowrie
stdout_logfile=/opt/cowrie/var/log/cowrie/cowrie.out
stderr_logfile=/opt/cowrie/var/log/cowrie/cowrie.err
autostart=true
autorestart=true
stopasgroup=true
killasgroup=true
user=cowrie
EOF

``

[marcocen]

@d1str0 I've been working on other projects but I'll try to get this PR ready.

I was testing this install on a centos7 minimal install, but it seems that AWS uses an even more barebones install. I will add a check to either install firewalld if it's missing or to skip the firewall config entirely, maybe even give you the choice of what to do if it comes to that.

I also noticed that @neil-fox mentioned something about supervisor, I'll check that too.

[d1str0]

No worries, @marcocen we've all been busy :P

For Debian/Ubuntu, I offer a prompt on whether or not to set up uwf (the built in firewall) for the user, allowing 3000 (attack map), 10000 (hpfeeds), 80(http), 443(https), and 22(ssh).

[marcocen]

I've added a check to see if firewalld is installed, and in case it isn't ask the user if they want to install it.

I couldn't reproduce @neil-fox report that supervisord doesn't get installed, maybe the issue is that /usr/local/bin isn't in root's PATH by default. I also couldn't reproduce the issue with mhn-celery-worker, that file gets chowned in the install_mhnserver script by a line introduced 4 years ago...

One little thing that I added was that the installation script no longer asks the user if they want to configure ELK integration or UFW if the environment isn't a debian-like one, that seemed unnecesary to me.

Oh, just so that we cna all be on the same page, I'm using the bento/centos-7 vagrant box for all my testing.

[d1str0]

Will give it a test soon. Thanks for also giving your testing env.

[d1str0]

Oh, and good call for ELK/UFW. Same probably goes for Splunk but I'm not sure.

[marcocen]

I also moved the splunk script inside that Debian-like block.