project-sec.adoc

4 years ago · 581b4acb04
1 changed files with 732 additions and 0 deletions
--- a/project-sec.adoc
+++ b/project-sec.adoc
@ -0,0 +1,732 @@
 = Εργασία Χειμερινού Εξαμήνου 2020-21
 // Metadata:
 :description: Intro and Install
 :keywords: sec, swarm. docker
 :data-uri:
 :toc: right
 :toc-title: Πίνακας περιεχομένων
 :toclevels: 4
 :source-highlighter: highlight
 :icons: font
 :sectnums: 
 Μάθημα: Ασφάλεια Δικτύων και Επικοινωνίων +
 Ονοματεπώνυμο: Χρυσούλα Κούτκου +
 Αριθμός Μητρώου: 71344742
 {empty} +
 == Docker Installation (Ubuntu)
 ```
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
 sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
 sudo apt update
 sudo apt install -y docker-ce
 echo   "or"
 sudo apt install docker*
 sudo systemctl status docker
 sudo usermod -aG docker username     #οπου username το όνομα του χρήστη που θα δουλεύει με docker
 ```
 [[cheat-compose]]
 == docker-compose
 ```
 sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
 sudo chmod +x /usr/local/bin/docker-compose
 sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
 ```
 [[cheat-error]]
 == On Error:
 - run 
 ```
 $ sudo su
 # touch set-ca.sh
 ```
 - copy-paste lines
 ```
 registry_address=registry.vlabs.uniwa.gr
 registry_port=5043
 mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
 openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
 registry_port=5080
 mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
 openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
 registry_address=hub.swarmlab.io
 registry_port=5443
 mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
 openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
 registry_port=5480
 mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
 openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
 ```
 === exec file
 ```
 sudo bash ./set-ca.sh
 ```
 {empty} +
 == Install swarmlab-sec (Home PC) 
 - Clone repo https://git.swarmlab.io:3000/swarmlab/swarmlab-sec[^] + 
 == Usage  (swarmlab-sec)
 - Open a console
 - cd to swarmlab-sec
 - Create a directory
 ```
 cd <dir>
 ../install/usr/share/swarmlab.io/sec/swarmlab-sec
 create       create project      (swarmlab-sec create)
 up           start swarmlab-sec  (swarmlab-sec up size=10)
 scale        resize swarmlab-sec (swarmlab-sec scale size=30)
 reload       rebuild image       (swarmlab-sec reload size=15)
 login        login swarmlab-sec  (swarmlab-sec login)
 exec         execute command     (swarmlab-sec exec [SHELL COMMAND])
 down         stop swarmlab-sec   (swarmlab-sec down)
 clean        clean project       (swarmlab-sec clean)
 list         show instances      (swarmlab-sec swarmlab-sec list)
 help         show help           (swarmlab-sec help)
 ```
 [[cheat-swarmlab-create]]
 == Create swarmlab project
 ```
 mkdir project
 cd project
 ../install/usr/share/swarmlab.io/sec/swarmlab-sec create
 ```
 .Relevant files:
 ```
 Project
 ├── Dockerfile          # Image specification
 ├── project             # Sample program source code
 │   └── hello_world.c
 ├── ssh                 # keys for accessing
 │   ├── id_rsa          # (could generate your own)
 │   └── id_rsa.pub
 ├── docker-compose.yml  # Container orchestration 
 ```
 [[cheat-swarmlab-up]]
 == Spin up the swarmlab cluster
 ```
 cd project
 ../install/usr/share/swarmlab.io/sec/swarmlab-sec up size=5
 ```
 [[cheat-swarmlab-up1]]
 == Login to the swarmlab cluster
 ```
 cd project
 ../install/usr/share/swarmlab.io/sec/swarmlab-sec login
 ```
 User password: docker
 Sudo password: docker
 == Inside on Docker Master
 First of all, type ifconfig to see your ip address. Then, create an inventory.yml with the IPs using nmap -sP 172.19.0.* | grep Nmap | cut -d' ' -f5-6
 ```
 [service]
 172.27.0.2
 172.27.0.3
 172.27.0.4
 172.27.0.5
 172.27.0.6
 ```
 Afterwards, you have to create a test.yml file.
 ```
 ---
 - hosts: service
  remote_user: docker
  gather_facts: no
  vars:
    user: "docker"
  tasks:
      # -----------------
      # make directory 
      # -----------------
    - name: make dir for data
      become: true
      file:
        path: "/var/lab/playground/playground-readmongo"
        state: directory
        owner: docker
        group: docker
        mode: '0777'
 #    - name: google.com
 #      become: yes
 #      become_user: "{{ user }}"
 #      command:  curl http://www.google.com
 #      ignore_errors: yes
 #      register: configwww
 #
 #    - name: ls  configwww
 #      debug: var=configwww.stdout_lines
    - name: ls -al /var/lab/playground/playground-readmongo/
      become: yes
      become_user: "{{ user }}"
      #command:  ls -al /var/lab/playground/playground-readmongo
      command:  ls -al /etc
      ignore_errors: yes
      register: config
    - name: ls  config
      debug: var=config.stdout_lines
 #
 #    - name: Refresh connection
 #      meta: clear_host_errors
 ```
 Then, create a run.sh script.
 ```
 ansible-playbook -u docker -i inventory.yml test.yml -f 5 --ask-pass --ask-become-pass
 ```
 In your command line, type:
 ```
 chmod +x run.sh
 sudo apt install ansible
 ./run.sh
 (Somewhere here there would be some errors)
 sudo apt install sshpass
 cd /etc/ansible
 vi ansible.cfg
 (Add this line)
 host_key_checking = False
 (Exit and return back)
 ./run.sh
 ```
 == Hping3 Attack
 {empty} +
 Here is a video about hping3, tcpdump, netstat and iptables rules. Feel free to press like button and subscribe!
 video::lErpyiAbsVs[youtube]
 {empty} +
 Firstly, connect to the worker that you wish to do the attack. Inside the worker create a script file with these:
 ```
 #!/bin/sh
 #installation_of_hping3
 sudo apt update
 sudo apt install hping3 -y
 #syn_flood_attack_with_hping3_on_docker_master_with_IP_172.19.0.2
 #hping3 -i u1 -S -p 80 172.27.0.2
 #hping3 172.27.0.2 -q -n -d 120 -S -p 80 --flood
 hping3 -S -p 80 172.127.0.2
 ```
 In your command line type:
 ```
 chmod +x hping3.sh
 sudo ./hping3.sh
 ```
 == Tcpdump on the victim
 After connecting to the victim's host, then create a script file tcpdump.sh
 ```
 #!/bin/sh
 tcpdump port 80
 #tcpdump -Nnn -i any -s0 'tcp[13] & 2 !=0'
 ```
 In your command line type:
 ```
 chmod +x tcpdump.sh
 sudo ./tcpdump.sh
 ```
 == Netstat on the victim
 Create a netstat.sh script file and type the above:
 ```
 #!/bin/sh
 netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
 netstat -anp | grep 'tcp\udp' | awk '{print $6}' | cut -d: f1 | sort | uniq -c | sort -n
 netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
 netstat -na
 netstat -tna
 netstat -antlupe
 netstat -n -p | grep SYN_REC | wc -l
 netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
 ```
 In your command line type:
 ```
 chmod +x netstat.sh
 sudo ./netstat.sh
 ```
 == Anti-Ddos protection using iptables
 Create an anti-ddos.sh file and type inside:
 ```
 #!/bin/sh
 #drop invalid packets
 iptables -A INPUT -m state --state INVALID -j DROP
 iptables -A FORWARD -m state --state INVALID -j DROP
 iptables -A OUTPUT -m state --state INVALID -j DROP
 #Use SYNPROXY on all ports (disables connection limiting rule) ###
 iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
 iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
 iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
 ```
 In your command line type:
 ```
 chmod +x anti-ddos.sh
 sudo ./anti-ddos.sh
 ```
 == SSH Brute Force Attack using Medusa
 {empty} +
 Here is a video about ssh brute force attack using medusa tool, detection using rsyslog and protection using fail2ban
 video::6C8suUjJBCA[youtube]
 {empty} +
 In order to do this attack, you have to create a password list file. For example,
 ```
 123password
 root
 admin-root
 acbdef2147
 whatistherealpassword
 docker
 password
 123456789
 ```
 The next step is to create a medusa.sh script file.
 ```
 #!/bin/bash
 sudo apt update
 sudo apt install medusa
 medusa -u docker -P pass.txt -h 172.27.0.3 -M ssh
 ```
 To accomplish the ssh brute force attack I connected as worker_4 and I will attack the worker_1.
 In your command line type:
 ```
 chmod +x medusa.sh
 sudo ./medusa.sh
 ```
 == Detection of SSH Brute Force using rsyslog tool
 I will connect as worker_1 and I will create a rsyslog.sh file.
 ```
 #!/bin/bash
 sudo apt update
 sudo apt install rsyslog
 sudo service rsyslog start
 sudo service rsyslog status
 sudo grep "Failed password" /var/log/auth.log
 ```
 In your command line type:
 ```
 chmod +x rsyslog.sh
 sudo ./rsyslog.sh
 (After results are shown type the next line)
 sudo service rsyslog stop
 ```
 == Fail2ban tool for SSH protection
 Create a fail2ban.sh file and type the below:
 ```
 #!/bin/bash
 sudo apt update
 sudo apt install fail2ban
 ```
 In your command line type:
 ```
 chmod +x fail2ban.sh
 sudo ./fail2ban.sh
 ```
 ```
 sudo service fail2ban start
 sudo service fail2ban status
 cd /etc/fail2ban
 cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
 (Inside the jail.local type the below)
 [DEFAULT]
 loglevel = DEBUG
 logtarget = path_to_log
 [sshd]
 enabled = true
 maxretry = 2
 bantime = 600
 findtime = 30
 logpath = %(sshd_log)s
 backend = %(sshd_backend)s
 action = iptables-multiport[name=%(__name__)s, bantime="%(bantime)s, port=ssh, protocol="%(protocol)s", chain=INPUT]
 ```
 In your command line type:`
 ```
 sudo service fail2ban restart
 sudo service fail2ban status
 sudo fail2ban-client start
 sudo fail2ban-client status
 sudo fail2ban-client status sshd
 ```
 == SSH Brute authentication only with keys
 To accomplish this brute force login with only key you have to connect to a container, for instance I connected to worker_5.
 In your command line type:`
 ```
 (Our server is worker_5)
 mkdir .ssh
 cd .ssh
 ssh-keygen
 cat ~/.ssh/id_rsa.pub
 (You should do the below for every worker, but for this example I will do only about worker_4)
 ssh-copy-id docker@172.27.0.5
 (Then it will ask you to connect)
 ssh docker@172.27.0.5
 (After doing this to all remaining containers type the next below for each host)
 scp id_rsa docker@172.27.0.5 #copy id_rsa to every container
 sudo service ssh restart
 ```
 Then you have to disable password authentication on you server.
 ```
 (Being on server)
 cd /etc/ssh
 vi sshd_config
 (Inside sshd_config change the below)
 PasswordAuthentication no
 (After doing this return to your command line and type the below)
 sudo service ssh restart
 ```
 And finally you are ready!
 == VPN
 {empty} +
 Here is a video about how you can create VPN and provide services to docker swarm.
 video::FnRMonM07yQ[youtube]
 {empty} +
 In this part, I will show you how you can create a VPN and and provide services to the docker swarm. Firstly, you shoudld be on the /swarmlab-sec/project folder and create a vpn folder.
 ```
 cd swarmlab-sec/project
 mkdir vpn
 cd vpn
 ```
 The next step is to create a create-vpn. script.
 ```
 #!/bin/bash
 IP=127.0.0.1                                            # Server IP       
 P=1194                                                  # Server Port     
 OVPN_SERVER='10.80.0.0/16'                              # VPN Network     
 #vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/   # Dir to save data ** this must exist **
 vpn_data=$PWD/openvpn-services/                                           
 if [ ! -d $vpn_data ]; then
 mkdir -p $vpn_data
 fi
 NAME=swarmlab-vpn-services                              # name of docker service 
 DOCKERnetwork=swarmlab-vpn-services-network             # docker network
 docker=registry.vlabs.uniwa.gr:5080/myownvpn            # docker image
 docker stop  $NAME					      #stop container
 sleep 1
 docker container rm  $NAME				#rm container
 # rm config files
 rm -f $vpn_data/openvpn.conf.*.bak
 rm -f $vpn_data/openvpn.conf
 rm -f $vpn_data/ovpn_env.sh.*.bak
 rm -f $vpn_data/ovpn_env.sh
 # create network
 sleep 1
 docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork
 #run container        see ovpn_genconfig
 docker run --net=none -it -v $vpn_data:/etc/openvpn  -p 1194:1194 --rm $docker ovpn_genconfig  -u udp://$IP:1194 \
 -N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER   
 # create pki          see ovpn_initpki
 docker run --net=none -v $vpn_data:/etc/openvpn  --rm -it $docker ovpn_initpki     
 #                     see ovpn_copy_server_files
 #docker run --net=none -v $vpn_data:/etc/openvpn  --rm $docker ovpn_copy_server_files
 #create vpn           see --cap-add=NET_ADMIN
 sleep 1
 docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker  
 sudo sysctl -w net.ipv4.ip_forward=1
 #show created
 docker ps
 ```
 create-user.sh
 ```
 USERNAME=user1
 vpn_data=$PWD/openvpn-services/
 docker=registry.vlabs.uniwa.gr:5080/myownvpn
 docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass
 docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME  > $USERNAME.user
 ```
 After the user is created add in the $USERNAME.user the below:
 ```
 client
 nobind
 dev tun
 comp-lzo
 resolv-retry infinite
 keepalive 15 60
 remote-cert-tls server
 remote 10.0.2.15 1194 udp #type your host IP address in every $USERNAME.user
 float
 ```
 rm-user.sh
 ```
 #!/bin/bash
 CLIENTNAME=test1
 U=$CLIENTNAME
 vpn_data=$PWD/openvpn-services/
 docker=registry.vlabs.uniwa.gr:5080/myownvpn
 rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
 rm -f $vpn_data/pki/private/$CLIENTNAME.key
 rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
 rm -f $vpn_data/server/ccd/$CLIENTNAME
 rm -f $vpn_data/ccd/$CLIENTNAME
 pem=$(sudo grep "CN=$U$"  $vpn_data/pki/index.txt | cut  -f4)
 rm -f $vpn_data/pki/certs_by_serial/$pem.pem
 sed -i "/CN=$U$/d"  $vpn_data/pki/index.txt
 echo $pem
 docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient  $CLIENTNAME remove
 rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
 rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn
 ```
 show-user.sh
 ```
 NAME=swarmlab-vpn-services                  # name of docker service
 docker exec -it  $NAME ovpn_listclients
 ```
 show-conn-user.sh
 ```
 NAME=swarmlab-vpn-services                 # name of docker service
 docker exec -it  $NAME  cat /tmp/openvpn-status.log
 ```
 Then you have to type in your command line:
 ```
 chmod +x create-vpn.sh
 chmod +x create-user.sh
 chmod +x show-user.sh
 chmod +x rm-user.sh
 chmod +x show-conn-user.sh
 ./create-vpn.sh
 ./create-user.sh    #for every user you have to use a different name
 ./show-user.sh      #you can see all the users
 ./show-conn-user.sh #you can see all connected users to the vpn
 cp $USERNAME.user ../project    #this user will be copied to the master
 ```
 After doing these steps, connect to a docker host, for instance in docker master.
 ```
 sudo apt update
 sudo apt install openvpn
 ls -al #to check if there is the user1.user file
 sudo su
 service openvpn start
 openvpn --config ./user1.user #client connection to the VPN 
 ```
 Don't close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created.
 Now connect to an other worker, for instance worker_1. You have to do the same thing in every worker.
 ```
 ssh docker@@172.27.0.3
 sudo apt update
 sudo apt install openvpn
 touch user2.user
 vi user2.user #copy the user2.user file from the /swarmlab-sec/project/vpn/ and paste it here
 ls -al #to check if there is the user1.user file
 sudo su
 service openvpn start
 openvpn --config ./user2.user #client connection to the VPN 
 ```
 You have to do the same procedure for the other workers.
 Don't close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created. 
 Then in docker master tab type:
 ```
 sudo su
 tcpdump -i tun0
 ```
 Go to the new docker worker tab and type:
 ```
 ping 10.80.0.2 #this is the new IP of master of tun0
 ```
 You are ready! 
 == VPN
 {empty} +
 Here is a video about how you can do ssh local and remote forwarding.
 video::gbegXj8pQxs[youtube]
 {empty} +
 On remote container
 ```
 sudo apt install nginx
 curl localhost #to check if localhost is working
 hostname -i
 ```
 On localhost host
 ```
 curl localhost #to check if localhost is working
 hostname
 hostname -i
 sudo ssh -nNT -L 80:localhost:80 docker@172.27.0.2
 ```
 Then type on localhost host again in a new tab:
 ```
 curl localhost #to check if localhost is working
 ```
 And it works! +
 Please enjoy and thank you for reading my ascii doc and watching my youtube videos!