Μάθημα: Ασφάλεια Δικτύων και Επικοινωνίων
Ονοματεπώνυμο: Χρυσούλα Κούτκου
Αριθμός Μητρώου: 71344742
1. Docker Installation (Ubuntu)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update
sudo apt install -y docker-ce
echo "or"
sudo apt install docker*
sudo systemctl status docker
sudo usermod -aG docker username #οπου username το όνομα του χρήστη που θα δουλεύει με docker
2. docker-compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
3. On Error:
-
run
$ sudo su
# touch set-ca.sh
-
copy-paste lines
registry_address=registry.vlabs.uniwa.gr
registry_port=5043
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
registry_port=5080
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
registry_address=hub.swarmlab.io
registry_port=5443
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
registry_port=5480
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
3.1. exec file
sudo bash ./set-ca.sh
4. Install swarmlab-sec (Home PC)
5. Usage (swarmlab-sec)
-
Open a console
-
cd to swarmlab-sec
-
Create a directory
cd <dir>
../install/usr/share/swarmlab.io/sec/swarmlab-sec
create create project (swarmlab-sec create)
up start swarmlab-sec (swarmlab-sec up size=10)
scale resize swarmlab-sec (swarmlab-sec scale size=30)
reload rebuild image (swarmlab-sec reload size=15)
login login swarmlab-sec (swarmlab-sec login)
exec execute command (swarmlab-sec exec [SHELL COMMAND])
down stop swarmlab-sec (swarmlab-sec down)
clean clean project (swarmlab-sec clean)
list show instances (swarmlab-sec swarmlab-sec list)
help show help (swarmlab-sec help)
6. Create swarmlab project
mkdir project
cd project
../install/usr/share/swarmlab.io/sec/swarmlab-sec create
Project
├── Dockerfile # Image specification
├── project # Sample program source code
│ └── hello_world.c
├── ssh # keys for accessing
│ ├── id_rsa # (could generate your own)
│ └── id_rsa.pub
├── docker-compose.yml # Container orchestration
7. Spin up the swarmlab cluster
cd project
../install/usr/share/swarmlab.io/sec/swarmlab-sec up size=5
8. Login to the swarmlab cluster
cd project
../install/usr/share/swarmlab.io/sec/swarmlab-sec login
User password: docker
Sudo password: docker
9. Inside on Docker Master
First of all, type ifconfig to see your ip address. Then, create an inventory.yml with the IPs using nmap -sP 172.27.0.* | grep Nmap | cut -d' ' -f5-6
[service]
172.27.0.2
172.27.0.3
172.27.0.4
172.27.0.5
172.27.0.6
Afterwards, you have to create a test.yml file.
---
- hosts: service
remote_user: docker
gather_facts: no
vars:
user: "docker"
tasks:
# -----------------
# make directory
# -----------------
- name: make dir for data
become: true
file:
path: "/var/lab/playground/playground-readmongo"
state: directory
owner: docker
group: docker
mode: '0777'
# - name: google.com
# become: yes
# become_user: "{{ user }}"
# command: curl http://www.google.com
# ignore_errors: yes
# register: configwww
#
# - name: ls configwww
# debug: var=configwww.stdout_lines
- name: ls -al /var/lab/playground/playground-readmongo/
become: yes
become_user: "{{ user }}"
#command: ls -al /var/lab/playground/playground-readmongo
command: ls -al /etc
ignore_errors: yes
register: config
- name: ls config
debug: var=config.stdout_lines
#
# - name: Refresh connection
# meta: clear_host_errors
Then, create a run.sh script.
ansible-playbook -u docker -i inventory.yml test.yml -f 5 --ask-pass --ask-become-pass
In your command line, type:
chmod +x run.sh
sudo apt install ansible
./run.sh
(Somewhere here there would be some errors)
sudo apt install sshpass
cd /etc/ansible
vi ansible.cfg
(Add this line)
host_key_checking = False
(Exit and return back)
./run.sh
10. Hping3 Attack
Here is a video about hping3, tcpdump, netstat and iptables rules.
Feel free to press like button and subscribe!
Firstly, connect to the worker that you wish to do the attack. Inside the worker create a script file with these:
#!/bin/sh
#installation_of_hping3
sudo apt update
sudo apt install hping3 -y
#syn_flood_attack_with_hping3_on_docker_master_with_IP_172.27.0.2
#hping3 -i u1 -S -p 80 172.27.0.2
#hping3 172.27.0.2 -q -n -d 120 -S -p 80 --flood
hping3 -S -p 80 172.127.0.2
In your command line type:
chmod +x hping3.sh
sudo ./hping3.sh
11. Tcpdump on the victim
After connecting to the victim’s host, then create a script file tcpdump.sh
#!/bin/sh
tcpdump port 80
#tcpdump -Nnn -i any -s0 'tcp[13] & 2 !=0'
In your command line type:
chmod +x tcpdump.sh
sudo ./tcpdump.sh
12. Netstat on the victim
Create a netstat.sh script file and type the above:
#!/bin/sh
netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
netstat -anp | grep 'tcp\udp' | awk '{print $6}' | cut -d: f1 | sort | uniq -c | sort -n
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
netstat -na
netstat -tna
netstat -antlupe
netstat -n -p | grep SYN_REC | wc -l
netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
In your command line type:
chmod +x netstat.sh
sudo ./netstat.sh
13. Anti-Ddos protection using iptables
Create an anti-ddos.sh file and type inside:
#!/bin/sh
#drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
#Use SYNPROXY on all ports (disables connection limiting rule) ###
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
In your command line type:
chmod +x anti-ddos.sh
sudo ./anti-ddos.sh
14. SSH Brute Force Attack using Medusa
Here is a video about ssh brute force attack using medusa tool, detection
using rsyslog and protection using fail2ban
In order to do this attack, you have to create a password list file. For example,
123password
root
admin-root
acbdef2147
whatistherealpassword
docker
password
123456789
The next step is to create a medusa.sh script file.
#!/bin/bash
sudo apt update
sudo apt install medusa
medusa -u docker -P pass.txt -h 172.27.0.3 -M ssh
To accomplish the ssh brute force attack I connected as worker_4 and I will attack the worker_1.
In your command line type:
chmod +x medusa.sh
sudo ./medusa.sh
15. Detection of SSH Brute Force using rsyslog tool
I will connect as worker_1 and I will create a rsyslog.sh file.
#!/bin/bash
sudo apt update
sudo apt install rsyslog
sudo service rsyslog start
sudo service rsyslog status
sudo grep "Failed password" /var/log/auth.log
In your command line type:
chmod +x rsyslog.sh
sudo ./rsyslog.sh
(After results are shown type the next line)
sudo service rsyslog stop
16. Fail2ban tool for SSH protection
Create a fail2ban.sh file and type the below:
#!/bin/bash
sudo apt update
sudo apt install fail2ban
In your command line type:
chmod +x fail2ban.sh
sudo ./fail2ban.sh
sudo service fail2ban start
sudo service fail2ban status
cd /etc/fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
(Inside the jail.local type the below)
[DEFAULT]
loglevel = DEBUG
logtarget = path_to_log
[sshd]
enabled = true
maxretry = 2
bantime = 600
findtime = 30
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action = iptables-multiport[name=%(__name__)s, bantime="%(bantime)s, port=ssh, protocol="%(protocol)s", chain=INPUT]
In your command line type:`
sudo service fail2ban restart
sudo service fail2ban status
sudo fail2ban-client start
sudo fail2ban-client status
sudo fail2ban-client status sshd
17. SSH Brute authentication only with keys
To accomplish this brute force login with only key you have to connect to a container, for instance I connected to worker_5.
In your command line type:`
(Our server is worker_5)
mkdir .ssh
cd .ssh
ssh-keygen
cat ~/.ssh/id_rsa.pub
(You should do the below for every worker, but for this example I will do only about worker_4)
ssh-copy-id docker@172.27.0.5
(Then it will ask you to connect)
ssh docker@172.27.0.5
(After doing this to all remaining containers type the next below for each host)
scp id_rsa docker@172.27.0.5 #copy id_rsa to every container
sudo service ssh restart
Then you have to disable password authentication on you server.
(Being on server)
cd /etc/ssh
vi sshd_config
(Inside sshd_config change the below)
PasswordAuthentication no
(After doing this return to your command line and type the below)
sudo service ssh restart
And finally you are ready!
18. VPN
Here is a video about how you can create VPN and provide services
to docker swarm.
In this part, I will show you how you can create a VPN and and provide services to the docker swarm. Firstly, you shoudld be on the /swarmlab-sec/project folder and create a vpn folder.
cd swarmlab-sec/project
mkdir vpn
cd vpn
The next step is to create a create-vpn. script.
#!/bin/bash
IP=127.0.0.1 # Server IP
P=1194 # Server Port
OVPN_SERVER='10.80.0.0/16' # VPN Network
#vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/ # Dir to save data ** this must exist **
vpn_data=$PWD/openvpn-services/
if [ ! -d $vpn_data ]; then
mkdir -p $vpn_data
fi
NAME=swarmlab-vpn-services # name of docker service
DOCKERnetwork=swarmlab-vpn-services-network # docker network
docker=registry.vlabs.uniwa.gr:5080/myownvpn # docker image
docker stop $NAME #stop container
sleep 1
docker container rm $NAME #rm container
# rm config files
rm -f $vpn_data/openvpn.conf.*.bak
rm -f $vpn_data/openvpn.conf
rm -f $vpn_data/ovpn_env.sh.*.bak
rm -f $vpn_data/ovpn_env.sh
# create network
sleep 1
docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork
#run container see ovpn_genconfig
docker run --net=none -it -v $vpn_data:/etc/openvpn -p 1194:1194 --rm $docker ovpn_genconfig -u udp://$IP:1194 \
-N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER
# create pki see ovpn_initpki
docker run --net=none -v $vpn_data:/etc/openvpn --rm -it $docker ovpn_initpki
# see ovpn_copy_server_files
#docker run --net=none -v $vpn_data:/etc/openvpn --rm $docker ovpn_copy_server_files
#create vpn see --cap-add=NET_ADMIN
sleep 1
docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker
sudo sysctl -w net.ipv4.ip_forward=1
#show created
docker ps
create-user.sh
USERNAME=user1
vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn
docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME > $USERNAME.user
After the user is created add in the $USERNAME.user the below:
client
nobind
dev tun
comp-lzo
resolv-retry infinite
keepalive 15 60
remote-cert-tls server
remote 10.0.2.15 1194 udp #type your host IP address in every $USERNAME.user
float
rm-user.sh
#!/bin/bash
CLIENTNAME=test1
U=$CLIENTNAME
vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn
rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
rm -f $vpn_data/pki/private/$CLIENTNAME.key
rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
rm -f $vpn_data/server/ccd/$CLIENTNAME
rm -f $vpn_data/ccd/$CLIENTNAME
pem=$(sudo grep "CN=$U$" $vpn_data/pki/index.txt | cut -f4)
rm -f $vpn_data/pki/certs_by_serial/$pem.pem
sed -i "/CN=$U$/d" $vpn_data/pki/index.txt
echo $pem
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient $CLIENTNAME remove
rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn
show-user.sh
NAME=swarmlab-vpn-services # name of docker service
docker exec -it $NAME ovpn_listclients
show-conn-user.sh
NAME=swarmlab-vpn-services # name of docker service
docker exec -it $NAME cat /tmp/openvpn-status.log
Then you have to type in your command line:
chmod +x create-vpn.sh
chmod +x create-user.sh
chmod +x show-user.sh
chmod +x rm-user.sh
chmod +x show-conn-user.sh
./create-vpn.sh
./create-user.sh #for every user you have to use a different name
./show-user.sh #you can see all the users
./show-conn-user.sh #you can see all connected users to the vpn
cp $USERNAME.user ../project #this user will be copied to the master
After doing these steps, connect to a docker host, for instance in docker master.
sudo apt update
sudo apt install openvpn
ls -al #to check if there is the user1.user file
sudo su
service openvpn start
openvpn --config ./user1.user #client connection to the VPN
Don’t close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created.
Now connect to an other worker, for instance worker_1. You have to do the same thing in every worker.
ssh docker@172.27.0.3
sudo apt update
sudo apt install openvpn
touch user2.user
vi user2.user #copy the user2.user file from the /swarmlab-sec/project/vpn/ and paste it here
ls -al #to check if there is the user1.user file
sudo su
service openvpn start
openvpn --config ./user2.user #client connection to the VPN
You have to do the same procedure for the other workers.
Don’t close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created.
Then in docker master tab type:
sudo su
tcpdump -i tun0
Go to the new docker worker tab and type:
ping 10.80.0.2 #this is the new IP of master of tun0
You are ready!
19. REMOTE/LOCAL SSH FORWARDING
Here is a video about how you can do ssh local and remote forwarding.
On remote container
sudo apt install nginx
curl localhost #to check if localhost is working
hostname -i
On localhost host
curl localhost #to check if localhost is working
hostname
hostname -i
sudo ssh -nNT -L 80:localhost:80 docker@172.27.0.2
Then type on localhost host again in a new tab:
curl localhost #to check if localhost is working
And it works!
Please enjoy and thank you for reading my ascii doc and watching my youtube videos!