diff --git a/project-sec.adoc b/project-sec.adoc new file mode 100644 index 0000000..19b6d8c --- /dev/null +++ b/project-sec.adoc @@ -0,0 +1,732 @@ += Εργασία Χειμερινού Εξαμήνου 2020-21 + +// Metadata: +:description: Intro and Install +:keywords: sec, swarm. docker +:data-uri: +:toc: right +:toc-title: Πίνακας περιεχομένων +:toclevels: 4 +:source-highlighter: highlight +:icons: font +:sectnums: + +Μάθημα: Ασφάλεια Δικτύων και Επικοινωνίων + +Ονοματεπώνυμο: Χρυσούλα Κούτκου + +Αριθμός Μητρώου: 71344742 + +{empty} + + +== Docker Installation (Ubuntu) + +``` +curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - +sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" +sudo apt update + +sudo apt install -y docker-ce + echo "or" +sudo apt install docker* + +sudo systemctl status docker +sudo usermod -aG docker username #οπου username το όνομα του χρήστη που θα δουλεύει με docker +``` + + +[[cheat-compose]] +== docker-compose + +``` + sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose + sudo chmod +x /usr/local/bin/docker-compose + sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose +``` + + +[[cheat-error]] +== On Error: + +- run + +``` +$ sudo su +# touch set-ca.sh +``` +- copy-paste lines + +``` +registry_address=registry.vlabs.uniwa.gr +registry_port=5043 +mkdir -p /etc/docker/certs.d/$registry_address:$registry_port +openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt +registry_port=5080 +mkdir -p /etc/docker/certs.d/$registry_address:$registry_port +openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt + +registry_address=hub.swarmlab.io +registry_port=5443 +mkdir -p /etc/docker/certs.d/$registry_address:$registry_port +openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt + +registry_port=5480 +mkdir -p /etc/docker/certs.d/$registry_address:$registry_port +openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt + +``` + +=== exec file + +``` +sudo bash ./set-ca.sh +``` + +{empty} + + +== Install swarmlab-sec (Home PC) + +- Clone repo https://git.swarmlab.io:3000/swarmlab/swarmlab-sec[^] + + +== Usage (swarmlab-sec) + + +- Open a console + +- cd to swarmlab-sec + +- Create a directory + +``` +cd + +../install/usr/share/swarmlab.io/sec/swarmlab-sec + +create create project (swarmlab-sec create) +up start swarmlab-sec (swarmlab-sec up size=10) +scale resize swarmlab-sec (swarmlab-sec scale size=30) +reload rebuild image (swarmlab-sec reload size=15) +login login swarmlab-sec (swarmlab-sec login) +exec execute command (swarmlab-sec exec [SHELL COMMAND]) +down stop swarmlab-sec (swarmlab-sec down) +clean clean project (swarmlab-sec clean) +list show instances (swarmlab-sec swarmlab-sec list) +help show help (swarmlab-sec help) +``` + + +[[cheat-swarmlab-create]] +== Create swarmlab project + +``` +mkdir project +cd project +../install/usr/share/swarmlab.io/sec/swarmlab-sec create +``` +.Relevant files: +``` +Project +├── Dockerfile # Image specification +├── project # Sample program source code +│ └── hello_world.c +├── ssh # keys for accessing +│ ├── id_rsa # (could generate your own) +│ └── id_rsa.pub +├── docker-compose.yml # Container orchestration +``` + +[[cheat-swarmlab-up]] +== Spin up the swarmlab cluster + +``` +cd project +../install/usr/share/swarmlab.io/sec/swarmlab-sec up size=5 +``` + +[[cheat-swarmlab-up1]] +== Login to the swarmlab cluster + +``` +cd project +../install/usr/share/swarmlab.io/sec/swarmlab-sec login +``` + +User password: docker + +Sudo password: docker + +== Inside on Docker Master +First of all, type ifconfig to see your ip address. Then, create an inventory.yml with the IPs using nmap -sP 172.19.0.* | grep Nmap | cut -d' ' -f5-6 + +``` +[service] +172.27.0.2 +172.27.0.3 +172.27.0.4 +172.27.0.5 +172.27.0.6 + +``` +Afterwards, you have to create a test.yml file. + +``` +--- +- hosts: service + remote_user: docker + gather_facts: no + vars: + user: "docker" + + tasks: + # ----------------- + # make directory + # ----------------- + - name: make dir for data + become: true + file: + path: "/var/lab/playground/playground-readmongo" + state: directory + owner: docker + group: docker + mode: '0777' + +# - name: google.com +# become: yes +# become_user: "{{ user }}" +# command: curl http://www.google.com +# ignore_errors: yes +# register: configwww +# +# - name: ls configwww +# debug: var=configwww.stdout_lines + + - name: ls -al /var/lab/playground/playground-readmongo/ + become: yes + become_user: "{{ user }}" + #command: ls -al /var/lab/playground/playground-readmongo + command: ls -al /etc + ignore_errors: yes + register: config + + - name: ls config + debug: var=config.stdout_lines +# +# - name: Refresh connection +# meta: clear_host_errors +``` +Then, create a run.sh script. + +``` +ansible-playbook -u docker -i inventory.yml test.yml -f 5 --ask-pass --ask-become-pass + +``` +In your command line, type: + +``` +chmod +x run.sh +sudo apt install ansible +./run.sh + +(Somewhere here there would be some errors) +sudo apt install sshpass + +cd /etc/ansible +vi ansible.cfg +(Add this line) +host_key_checking = False +(Exit and return back) +./run.sh + +``` +== Hping3 Attack + +{empty} + +Here is a video about hping3, tcpdump, netstat and iptables rules. Feel free to press like button and subscribe! + +video::lErpyiAbsVs[youtube] + +{empty} + + +Firstly, connect to the worker that you wish to do the attack. Inside the worker create a script file with these: + +``` +#!/bin/sh +#installation_of_hping3 +sudo apt update +sudo apt install hping3 -y + +#syn_flood_attack_with_hping3_on_docker_master_with_IP_172.19.0.2 +#hping3 -i u1 -S -p 80 172.27.0.2 +#hping3 172.27.0.2 -q -n -d 120 -S -p 80 --flood +hping3 -S -p 80 172.127.0.2 + +``` +In your command line type: + +``` +chmod +x hping3.sh +sudo ./hping3.sh + +``` +== Tcpdump on the victim + +After connecting to the victim's host, then create a script file tcpdump.sh + +``` +#!/bin/sh +tcpdump port 80 +#tcpdump -Nnn -i any -s0 'tcp[13] & 2 !=0' + +``` +In your command line type: + +``` +chmod +x tcpdump.sh +sudo ./tcpdump.sh + +``` +== Netstat on the victim + +Create a netstat.sh script file and type the above: + +``` +#!/bin/sh + +netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head +netstat -anp | grep 'tcp\udp' | awk '{print $6}' | cut -d: f1 | sort | uniq -c | sort -n +netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n +netstat -na +netstat -tna +netstat -antlupe +netstat -n -p | grep SYN_REC | wc -l +netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head + +``` +In your command line type: + +``` +chmod +x netstat.sh +sudo ./netstat.sh + +``` +== Anti-Ddos protection using iptables + +Create an anti-ddos.sh file and type inside: + +``` +#!/bin/sh +#drop invalid packets +iptables -A INPUT -m state --state INVALID -j DROP +iptables -A FORWARD -m state --state INVALID -j DROP +iptables -A OUTPUT -m state --state INVALID -j DROP + +#Use SYNPROXY on all ports (disables connection limiting rule) ### +iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack +iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 +iptables -A INPUT -m conntrack --ctstate INVALID -j DROP + +``` +In your command line type: + +``` +chmod +x anti-ddos.sh +sudo ./anti-ddos.sh + +``` +== SSH Brute Force Attack using Medusa + +{empty} + +Here is a video about ssh brute force attack using medusa tool, detection using rsyslog and protection using fail2ban + +video::6C8suUjJBCA[youtube] + +{empty} + + +In order to do this attack, you have to create a password list file. For example, + +``` +123password +root +admin-root +acbdef2147 +whatistherealpassword +docker +password +123456789 + +``` +The next step is to create a medusa.sh script file. + +``` +#!/bin/bash +sudo apt update +sudo apt install medusa +medusa -u docker -P pass.txt -h 172.27.0.3 -M ssh + +``` +To accomplish the ssh brute force attack I connected as worker_4 and I will attack the worker_1. + +In your command line type: + +``` +chmod +x medusa.sh +sudo ./medusa.sh + +``` +== Detection of SSH Brute Force using rsyslog tool + +I will connect as worker_1 and I will create a rsyslog.sh file. + +``` +#!/bin/bash +sudo apt update +sudo apt install rsyslog +sudo service rsyslog start +sudo service rsyslog status +sudo grep "Failed password" /var/log/auth.log + +``` +In your command line type: + +``` +chmod +x rsyslog.sh +sudo ./rsyslog.sh +(After results are shown type the next line) +sudo service rsyslog stop +``` +== Fail2ban tool for SSH protection + +Create a fail2ban.sh file and type the below: +``` +#!/bin/bash +sudo apt update +sudo apt install fail2ban + +``` +In your command line type: + +``` +chmod +x fail2ban.sh +sudo ./fail2ban.sh + +``` +``` +sudo service fail2ban start +sudo service fail2ban status +cd /etc/fail2ban +cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local + +(Inside the jail.local type the below) + +[DEFAULT] +loglevel = DEBUG +logtarget = path_to_log + +[sshd] +enabled = true +maxretry = 2 +bantime = 600 +findtime = 30 +logpath = %(sshd_log)s +backend = %(sshd_backend)s +action = iptables-multiport[name=%(__name__)s, bantime="%(bantime)s, port=ssh, protocol="%(protocol)s", chain=INPUT] + +``` + +In your command line type:` +``` +sudo service fail2ban restart +sudo service fail2ban status +sudo fail2ban-client start +sudo fail2ban-client status +sudo fail2ban-client status sshd + +``` +== SSH Brute authentication only with keys + + +To accomplish this brute force login with only key you have to connect to a container, for instance I connected to worker_5. + +In your command line type:` +``` +(Our server is worker_5) + +mkdir .ssh +cd .ssh +ssh-keygen +cat ~/.ssh/id_rsa.pub + +(You should do the below for every worker, but for this example I will do only about worker_4) + +ssh-copy-id docker@172.27.0.5 + +(Then it will ask you to connect) + +ssh docker@172.27.0.5 + +(After doing this to all remaining containers type the next below for each host) + +scp id_rsa docker@172.27.0.5 #copy id_rsa to every container +sudo service ssh restart + +``` +Then you have to disable password authentication on you server. + +``` +(Being on server) + +cd /etc/ssh +vi sshd_config + +(Inside sshd_config change the below) + +PasswordAuthentication no + +(After doing this return to your command line and type the below) + +sudo service ssh restart + +``` +And finally you are ready! + + +== VPN + +{empty} + +Here is a video about how you can create VPN and provide services to docker swarm. + +video::FnRMonM07yQ[youtube] + +{empty} + + +In this part, I will show you how you can create a VPN and and provide services to the docker swarm. Firstly, you shoudld be on the /swarmlab-sec/project folder and create a vpn folder. + +``` +cd swarmlab-sec/project +mkdir vpn +cd vpn + +``` +The next step is to create a create-vpn. script. + +``` +#!/bin/bash +IP=127.0.0.1 # Server IP +P=1194 # Server Port +OVPN_SERVER='10.80.0.0/16' # VPN Network + +#vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/ # Dir to save data ** this must exist ** +vpn_data=$PWD/openvpn-services/ +if [ ! -d $vpn_data ]; then + mkdir -p $vpn_data +fi + +NAME=swarmlab-vpn-services # name of docker service +DOCKERnetwork=swarmlab-vpn-services-network # docker network +docker=registry.vlabs.uniwa.gr:5080/myownvpn # docker image + +docker stop $NAME #stop container +sleep 1 +docker container rm $NAME #rm container + +# rm config files +rm -f $vpn_data/openvpn.conf.*.bak +rm -f $vpn_data/openvpn.conf +rm -f $vpn_data/ovpn_env.sh.*.bak +rm -f $vpn_data/ovpn_env.sh + +# create network +sleep 1 +docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork + +#run container see ovpn_genconfig +docker run --net=none -it -v $vpn_data:/etc/openvpn -p 1194:1194 --rm $docker ovpn_genconfig -u udp://$IP:1194 \ +-N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER + +# create pki see ovpn_initpki +docker run --net=none -v $vpn_data:/etc/openvpn --rm -it $docker ovpn_initpki + +# see ovpn_copy_server_files +#docker run --net=none -v $vpn_data:/etc/openvpn --rm $docker ovpn_copy_server_files + +#create vpn see --cap-add=NET_ADMIN +sleep 1 +docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker + +sudo sysctl -w net.ipv4.ip_forward=1 + +#show created +docker ps + +``` +create-user.sh + +``` +USERNAME=user1 +vpn_data=$PWD/openvpn-services/ +docker=registry.vlabs.uniwa.gr:5080/myownvpn + +docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass +docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME > $USERNAME.user + +``` +After the user is created add in the $USERNAME.user the below: + +``` +client +nobind +dev tun +comp-lzo +resolv-retry infinite +keepalive 15 60 + +remote-cert-tls server +remote 10.0.2.15 1194 udp #type your host IP address in every $USERNAME.user +float + +``` +rm-user.sh + +``` +#!/bin/bash + +CLIENTNAME=test1 +U=$CLIENTNAME + +vpn_data=$PWD/openvpn-services/ +docker=registry.vlabs.uniwa.gr:5080/myownvpn + +rm -f $vpn_data/pki/reqs/$CLIENTNAME.req +rm -f $vpn_data/pki/private/$CLIENTNAME.key +rm -f $vpn_data/pki/issued/$CLIENTNAME.crt +rm -f $vpn_data/server/ccd/$CLIENTNAME +rm -f $vpn_data/ccd/$CLIENTNAME +pem=$(sudo grep "CN=$U$" $vpn_data/pki/index.txt | cut -f4) + +rm -f $vpn_data/pki/certs_by_serial/$pem.pem +sed -i "/CN=$U$/d" $vpn_data/pki/index.txt +echo $pem +docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient $CLIENTNAME remove + +rm -f $vpn_data_user_config/$CLIENTNAME.ovpn +rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn + +``` +show-user.sh + +``` +NAME=swarmlab-vpn-services # name of docker service +docker exec -it $NAME ovpn_listclients + +``` +show-conn-user.sh + +``` +NAME=swarmlab-vpn-services # name of docker service +docker exec -it $NAME cat /tmp/openvpn-status.log + +``` +Then you have to type in your command line: + +``` +chmod +x create-vpn.sh +chmod +x create-user.sh +chmod +x show-user.sh +chmod +x rm-user.sh +chmod +x show-conn-user.sh + +./create-vpn.sh +./create-user.sh #for every user you have to use a different name +./show-user.sh #you can see all the users +./show-conn-user.sh #you can see all connected users to the vpn + +cp $USERNAME.user ../project #this user will be copied to the master +``` +After doing these steps, connect to a docker host, for instance in docker master. + +``` +sudo apt update +sudo apt install openvpn +ls -al #to check if there is the user1.user file +sudo su +service openvpn start +openvpn --config ./user1.user #client connection to the VPN + +``` +Don't close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created. + + +Now connect to an other worker, for instance worker_1. You have to do the same thing in every worker. + +``` +ssh docker@@172.27.0.3 + +sudo apt update +sudo apt install openvpn +touch user2.user +vi user2.user #copy the user2.user file from the /swarmlab-sec/project/vpn/ and paste it here + +ls -al #to check if there is the user1.user file +sudo su +service openvpn start +openvpn --config ./user2.user #client connection to the VPN + +``` +You have to do the same procedure for the other workers. + +Don't close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created. + +Then in docker master tab type: + +``` +sudo su +tcpdump -i tun0 + +``` +Go to the new docker worker tab and type: + +``` +ping 10.80.0.2 #this is the new IP of master of tun0 + +``` + +You are ready! + + +== VPN + +{empty} + +Here is a video about how you can do ssh local and remote forwarding. + +video::gbegXj8pQxs[youtube] + +{empty} + + +On remote container + +``` +sudo apt install nginx +curl localhost #to check if localhost is working +hostname -i + +``` +On localhost host + +``` +curl localhost #to check if localhost is working +hostname +hostname -i + +sudo ssh -nNT -L 80:localhost:80 docker@172.27.0.2 + +``` +Then type on localhost host again in a new tab: + +``` +curl localhost #to check if localhost is working + +``` +And it works! + + + +Please enjoy and thank you for reading my ascii doc and watching my youtube videos! + +