= Εργασία Χειμερινού Εξαμήνου 2020-21 // Metadata: :description: Intro and Install :keywords: sec, swarm. docker :data-uri: :toc: right :toc-title: Πίνακας περιεχομένων :toclevels: 4 :source-highlighter: highlight :icons: font :sectnums: Μάθημα: Ασφάλεια Δικτύων και Επικοινωνίων + Ονοματεπώνυμο: Χρυσούλα Κούτκου + Αριθμός Μητρώου: 71344742 {empty} + == Docker Installation (Ubuntu) ``` curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" sudo apt update sudo apt install -y docker-ce echo "or" sudo apt install docker* sudo systemctl status docker sudo usermod -aG docker username #οπου username το όνομα του χρήστη που θα δουλεύει με docker ``` [[cheat-compose]] == docker-compose ``` sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose ``` [[cheat-error]] == On Error: - run ``` $ sudo su # touch set-ca.sh ``` - copy-paste lines ``` registry_address=registry.vlabs.uniwa.gr registry_port=5043 mkdir -p /etc/docker/certs.d/$registry_address:$registry_port openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt registry_port=5080 mkdir -p /etc/docker/certs.d/$registry_address:$registry_port openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt registry_address=hub.swarmlab.io registry_port=5443 mkdir -p /etc/docker/certs.d/$registry_address:$registry_port openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt registry_port=5480 mkdir -p /etc/docker/certs.d/$registry_address:$registry_port openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt ``` === exec file ``` sudo bash ./set-ca.sh ``` {empty} + == Install swarmlab-sec (Home PC) - Clone repo https://git.swarmlab.io:3000/swarmlab/swarmlab-sec[^] + == Usage (swarmlab-sec) - Open a console - cd to swarmlab-sec - Create a directory ``` cd ../install/usr/share/swarmlab.io/sec/swarmlab-sec create create project (swarmlab-sec create) up start swarmlab-sec (swarmlab-sec up size=10) scale resize swarmlab-sec (swarmlab-sec scale size=30) reload rebuild image (swarmlab-sec reload size=15) login login swarmlab-sec (swarmlab-sec login) exec execute command (swarmlab-sec exec [SHELL COMMAND]) down stop swarmlab-sec (swarmlab-sec down) clean clean project (swarmlab-sec clean) list show instances (swarmlab-sec swarmlab-sec list) help show help (swarmlab-sec help) ``` [[cheat-swarmlab-create]] == Create swarmlab project ``` mkdir project cd project ../install/usr/share/swarmlab.io/sec/swarmlab-sec create ``` .Relevant files: ``` Project ├── Dockerfile # Image specification ├── project # Sample program source code │ └── hello_world.c ├── ssh # keys for accessing │ ├── id_rsa # (could generate your own) │ └── id_rsa.pub ├── docker-compose.yml # Container orchestration ``` [[cheat-swarmlab-up]] == Spin up the swarmlab cluster ``` cd project ../install/usr/share/swarmlab.io/sec/swarmlab-sec up size=5 ``` [[cheat-swarmlab-up1]] == Login to the swarmlab cluster ``` cd project ../install/usr/share/swarmlab.io/sec/swarmlab-sec login ``` User password: docker Sudo password: docker == Inside on Docker Master First of all, type ifconfig to see your ip address. Then, create an inventory.yml with the IPs using nmap -sP 172.19.0.* | grep Nmap | cut -d' ' -f5-6 ``` [service] 172.27.0.2 172.27.0.3 172.27.0.4 172.27.0.5 172.27.0.6 ``` Afterwards, you have to create a test.yml file. ``` --- - hosts: service remote_user: docker gather_facts: no vars: user: "docker" tasks: # ----------------- # make directory # ----------------- - name: make dir for data become: true file: path: "/var/lab/playground/playground-readmongo" state: directory owner: docker group: docker mode: '0777' # - name: google.com # become: yes # become_user: "{{ user }}" # command: curl http://www.google.com # ignore_errors: yes # register: configwww # # - name: ls configwww # debug: var=configwww.stdout_lines - name: ls -al /var/lab/playground/playground-readmongo/ become: yes become_user: "{{ user }}" #command: ls -al /var/lab/playground/playground-readmongo command: ls -al /etc ignore_errors: yes register: config - name: ls config debug: var=config.stdout_lines # # - name: Refresh connection # meta: clear_host_errors ``` Then, create a run.sh script. ``` ansible-playbook -u docker -i inventory.yml test.yml -f 5 --ask-pass --ask-become-pass ``` In your command line, type: ``` chmod +x run.sh sudo apt install ansible ./run.sh (Somewhere here there would be some errors) sudo apt install sshpass cd /etc/ansible vi ansible.cfg (Add this line) host_key_checking = False (Exit and return back) ./run.sh ``` == Hping3 Attack {empty} + Here is a video about hping3, tcpdump, netstat and iptables rules. Feel free to press like button and subscribe! video::lErpyiAbsVs[youtube] {empty} + Firstly, connect to the worker that you wish to do the attack. Inside the worker create a script file with these: ``` #!/bin/sh #installation_of_hping3 sudo apt update sudo apt install hping3 -y #syn_flood_attack_with_hping3_on_docker_master_with_IP_172.19.0.2 #hping3 -i u1 -S -p 80 172.27.0.2 #hping3 172.27.0.2 -q -n -d 120 -S -p 80 --flood hping3 -S -p 80 172.127.0.2 ``` In your command line type: ``` chmod +x hping3.sh sudo ./hping3.sh ``` == Tcpdump on the victim After connecting to the victim's host, then create a script file tcpdump.sh ``` #!/bin/sh tcpdump port 80 #tcpdump -Nnn -i any -s0 'tcp[13] & 2 !=0' ``` In your command line type: ``` chmod +x tcpdump.sh sudo ./tcpdump.sh ``` == Netstat on the victim Create a netstat.sh script file and type the above: ``` #!/bin/sh netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head netstat -anp | grep 'tcp\udp' | awk '{print $6}' | cut -d: f1 | sort | uniq -c | sort -n netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n netstat -na netstat -tna netstat -antlupe netstat -n -p | grep SYN_REC | wc -l netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head ``` In your command line type: ``` chmod +x netstat.sh sudo ./netstat.sh ``` == Anti-Ddos protection using iptables Create an anti-ddos.sh file and type inside: ``` #!/bin/sh #drop invalid packets iptables -A INPUT -m state --state INVALID -j DROP iptables -A FORWARD -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j DROP #Use SYNPROXY on all ports (disables connection limiting rule) ### iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 iptables -A INPUT -m conntrack --ctstate INVALID -j DROP ``` In your command line type: ``` chmod +x anti-ddos.sh sudo ./anti-ddos.sh ``` == SSH Brute Force Attack using Medusa {empty} + Here is a video about ssh brute force attack using medusa tool, detection using rsyslog and protection using fail2ban video::6C8suUjJBCA[youtube] {empty} + In order to do this attack, you have to create a password list file. For example, ``` 123password root admin-root acbdef2147 whatistherealpassword docker password 123456789 ``` The next step is to create a medusa.sh script file. ``` #!/bin/bash sudo apt update sudo apt install medusa medusa -u docker -P pass.txt -h 172.27.0.3 -M ssh ``` To accomplish the ssh brute force attack I connected as worker_4 and I will attack the worker_1. In your command line type: ``` chmod +x medusa.sh sudo ./medusa.sh ``` == Detection of SSH Brute Force using rsyslog tool I will connect as worker_1 and I will create a rsyslog.sh file. ``` #!/bin/bash sudo apt update sudo apt install rsyslog sudo service rsyslog start sudo service rsyslog status sudo grep "Failed password" /var/log/auth.log ``` In your command line type: ``` chmod +x rsyslog.sh sudo ./rsyslog.sh (After results are shown type the next line) sudo service rsyslog stop ``` == Fail2ban tool for SSH protection Create a fail2ban.sh file and type the below: ``` #!/bin/bash sudo apt update sudo apt install fail2ban ``` In your command line type: ``` chmod +x fail2ban.sh sudo ./fail2ban.sh ``` ``` sudo service fail2ban start sudo service fail2ban status cd /etc/fail2ban cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local (Inside the jail.local type the below) [DEFAULT] loglevel = DEBUG logtarget = path_to_log [sshd] enabled = true maxretry = 2 bantime = 600 findtime = 30 logpath = %(sshd_log)s backend = %(sshd_backend)s action = iptables-multiport[name=%(__name__)s, bantime="%(bantime)s, port=ssh, protocol="%(protocol)s", chain=INPUT] ``` In your command line type:` ``` sudo service fail2ban restart sudo service fail2ban status sudo fail2ban-client start sudo fail2ban-client status sudo fail2ban-client status sshd ``` == SSH Brute authentication only with keys To accomplish this brute force login with only key you have to connect to a container, for instance I connected to worker_5. In your command line type:` ``` (Our server is worker_5) mkdir .ssh cd .ssh ssh-keygen cat ~/.ssh/id_rsa.pub (You should do the below for every worker, but for this example I will do only about worker_4) ssh-copy-id docker@172.27.0.5 (Then it will ask you to connect) ssh docker@172.27.0.5 (After doing this to all remaining containers type the next below for each host) scp id_rsa docker@172.27.0.5 #copy id_rsa to every container sudo service ssh restart ``` Then you have to disable password authentication on you server. ``` (Being on server) cd /etc/ssh vi sshd_config (Inside sshd_config change the below) PasswordAuthentication no (After doing this return to your command line and type the below) sudo service ssh restart ``` And finally you are ready! == VPN {empty} + Here is a video about how you can create VPN and provide services to docker swarm. video::FnRMonM07yQ[youtube] {empty} + In this part, I will show you how you can create a VPN and and provide services to the docker swarm. Firstly, you shoudld be on the /swarmlab-sec/project folder and create a vpn folder. ``` cd swarmlab-sec/project mkdir vpn cd vpn ``` The next step is to create a create-vpn. script. ``` #!/bin/bash IP=127.0.0.1 # Server IP P=1194 # Server Port OVPN_SERVER='10.80.0.0/16' # VPN Network #vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/ # Dir to save data ** this must exist ** vpn_data=$PWD/openvpn-services/ if [ ! -d $vpn_data ]; then mkdir -p $vpn_data fi NAME=swarmlab-vpn-services # name of docker service DOCKERnetwork=swarmlab-vpn-services-network # docker network docker=registry.vlabs.uniwa.gr:5080/myownvpn # docker image docker stop $NAME #stop container sleep 1 docker container rm $NAME #rm container # rm config files rm -f $vpn_data/openvpn.conf.*.bak rm -f $vpn_data/openvpn.conf rm -f $vpn_data/ovpn_env.sh.*.bak rm -f $vpn_data/ovpn_env.sh # create network sleep 1 docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork #run container see ovpn_genconfig docker run --net=none -it -v $vpn_data:/etc/openvpn -p 1194:1194 --rm $docker ovpn_genconfig -u udp://$IP:1194 \ -N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER # create pki see ovpn_initpki docker run --net=none -v $vpn_data:/etc/openvpn --rm -it $docker ovpn_initpki # see ovpn_copy_server_files #docker run --net=none -v $vpn_data:/etc/openvpn --rm $docker ovpn_copy_server_files #create vpn see --cap-add=NET_ADMIN sleep 1 docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker sudo sysctl -w net.ipv4.ip_forward=1 #show created docker ps ``` create-user.sh ``` USERNAME=user1 vpn_data=$PWD/openvpn-services/ docker=registry.vlabs.uniwa.gr:5080/myownvpn docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME > $USERNAME.user ``` After the user is created add in the $USERNAME.user the below: ``` client nobind dev tun comp-lzo resolv-retry infinite keepalive 15 60 remote-cert-tls server remote 10.0.2.15 1194 udp #type your host IP address in every $USERNAME.user float ``` rm-user.sh ``` #!/bin/bash CLIENTNAME=test1 U=$CLIENTNAME vpn_data=$PWD/openvpn-services/ docker=registry.vlabs.uniwa.gr:5080/myownvpn rm -f $vpn_data/pki/reqs/$CLIENTNAME.req rm -f $vpn_data/pki/private/$CLIENTNAME.key rm -f $vpn_data/pki/issued/$CLIENTNAME.crt rm -f $vpn_data/server/ccd/$CLIENTNAME rm -f $vpn_data/ccd/$CLIENTNAME pem=$(sudo grep "CN=$U$" $vpn_data/pki/index.txt | cut -f4) rm -f $vpn_data/pki/certs_by_serial/$pem.pem sed -i "/CN=$U$/d" $vpn_data/pki/index.txt echo $pem docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient $CLIENTNAME remove rm -f $vpn_data_user_config/$CLIENTNAME.ovpn rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn ``` show-user.sh ``` NAME=swarmlab-vpn-services # name of docker service docker exec -it $NAME ovpn_listclients ``` show-conn-user.sh ``` NAME=swarmlab-vpn-services # name of docker service docker exec -it $NAME cat /tmp/openvpn-status.log ``` Then you have to type in your command line: ``` chmod +x create-vpn.sh chmod +x create-user.sh chmod +x show-user.sh chmod +x rm-user.sh chmod +x show-conn-user.sh ./create-vpn.sh ./create-user.sh #for every user you have to use a different name ./show-user.sh #you can see all the users ./show-conn-user.sh #you can see all connected users to the vpn cp $USERNAME.user ../project #this user will be copied to the master ``` After doing these steps, connect to a docker host, for instance in docker master. ``` sudo apt update sudo apt install openvpn ls -al #to check if there is the user1.user file sudo su service openvpn start openvpn --config ./user1.user #client connection to the VPN ``` Don't close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created. Now connect to an other worker, for instance worker_1. You have to do the same thing in every worker. ``` ssh docker@@172.27.0.3 sudo apt update sudo apt install openvpn touch user2.user vi user2.user #copy the user2.user file from the /swarmlab-sec/project/vpn/ and paste it here ls -al #to check if there is the user1.user file sudo su service openvpn start openvpn --config ./user2.user #client connection to the VPN ``` You have to do the same procedure for the other workers. Don't close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created. Then in docker master tab type: ``` sudo su tcpdump -i tun0 ``` Go to the new docker worker tab and type: ``` ping 10.80.0.2 #this is the new IP of master of tun0 ``` You are ready! == VPN {empty} + Here is a video about how you can do ssh local and remote forwarding. video::gbegXj8pQxs[youtube] {empty} + On remote container ``` sudo apt install nginx curl localhost #to check if localhost is working hostname -i ``` On localhost host ``` curl localhost #to check if localhost is working hostname hostname -i sudo ssh -nNT -L 80:localhost:80 docker@172.27.0.2 ``` Then type on localhost host again in a new tab: ``` curl localhost #to check if localhost is working ``` And it works! + Please enjoy and thank you for reading my ascii doc and watching my youtube videos!