Net-Sec-Lab-Project-Chrysoula-Koutkou-71344742/project-sec.adoc

= Εργασία Χειμερινού Εξαμήνου 2020-21

// Metadata:
:description: Intro and Install
:keywords: sec, swarm. docker
:data-uri:
:toc: right
:toc-title: Πίνακας περιεχομένων
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums: 

Μάθημα: Ασφάλεια Δικτύων και Επικοινωνίων +
Ονοματεπώνυμο: Χρυσούλα Κούτκου +
Αριθμός Μητρώου: 71344742

{empty} +

== Docker Installation (Ubuntu)

```
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update

sudo apt install -y docker-ce
 echo   "or"
sudo apt install docker*

sudo systemctl status docker
sudo usermod -aG docker username     #οπου username το όνομα του χρήστη που θα δουλεύει με docker
```


[[cheat-compose]]
== docker-compose

```
 sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
 sudo chmod +x /usr/local/bin/docker-compose
 sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
```


[[cheat-error]]
== On Error:

- run 

```
$ sudo su
# touch set-ca.sh
```
- copy-paste lines

```
registry_address=registry.vlabs.uniwa.gr
registry_port=5043
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
registry_port=5080
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt

registry_address=hub.swarmlab.io
registry_port=5443
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt

registry_port=5480
mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
openssl s_client -showcerts -connect $registry_address:$registry_port < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/$registry_address:$registry_port/ca.crt

```

=== exec file

```
sudo bash ./set-ca.sh
```

{empty} +

== Install swarmlab-sec (Home PC) 

- Clone repo https://git.swarmlab.io:3000/swarmlab/swarmlab-sec[^] + 

== Usage  (swarmlab-sec)


- Open a console

- cd to swarmlab-sec

- Create a directory

```
cd <dir>

../install/usr/share/swarmlab.io/sec/swarmlab-sec

create       create project      (swarmlab-sec create)
up           start swarmlab-sec  (swarmlab-sec up size=10)
scale        resize swarmlab-sec (swarmlab-sec scale size=30)
reload       rebuild image       (swarmlab-sec reload size=15)
login        login swarmlab-sec  (swarmlab-sec login)
exec         execute command     (swarmlab-sec exec [SHELL COMMAND])
down         stop swarmlab-sec   (swarmlab-sec down)
clean        clean project       (swarmlab-sec clean)
list         show instances      (swarmlab-sec swarmlab-sec list)
help         show help           (swarmlab-sec help)
```


[[cheat-swarmlab-create]]
== Create swarmlab project

```
mkdir project
cd project
../install/usr/share/swarmlab.io/sec/swarmlab-sec create
```
.Relevant files:
```
Project
├── Dockerfile          # Image specification
├── project             # Sample program source code
│   └── hello_world.c
├── ssh                 # keys for accessing
│   ├── id_rsa          # (could generate your own)
│   └── id_rsa.pub
├── docker-compose.yml  # Container orchestration 
```

[[cheat-swarmlab-up]]
== Spin up the swarmlab cluster

```
cd project
../install/usr/share/swarmlab.io/sec/swarmlab-sec up size=5
```

[[cheat-swarmlab-up1]]
== Login to the swarmlab cluster

```
cd project
../install/usr/share/swarmlab.io/sec/swarmlab-sec login
```

User password: docker

Sudo password: docker

== Inside on Docker Master
First of all, type ifconfig to see your ip address. Then, create an inventory.yml with the IPs using nmap -sP 172.27.0.* | grep Nmap | cut -d' ' -f5-6

```
[service]
172.27.0.2
172.27.0.3
172.27.0.4
172.27.0.5
172.27.0.6

```
Afterwards, you have to create a test.yml file.

```
---
- hosts: service
  remote_user: docker
  gather_facts: no
  vars:
    user: "docker"

  tasks:
      # -----------------
      # make directory 
      # -----------------
    - name: make dir for data
      become: true
      file:
        path: "/var/lab/playground/playground-readmongo"
        state: directory
        owner: docker
        group: docker
        mode: '0777'

#    - name: google.com
#      become: yes
#      become_user: "{{ user }}"
#      command:  curl http://www.google.com
#      ignore_errors: yes
#      register: configwww
#
#    - name: ls  configwww
#      debug: var=configwww.stdout_lines

    - name: ls -al /var/lab/playground/playground-readmongo/
      become: yes
      become_user: "{{ user }}"
      #command:  ls -al /var/lab/playground/playground-readmongo
      command:  ls -al /etc
      ignore_errors: yes
      register: config

    - name: ls  config
      debug: var=config.stdout_lines
#
#    - name: Refresh connection
#      meta: clear_host_errors
```
Then, create a run.sh script.

```
ansible-playbook -u docker -i inventory.yml test.yml -f 5 --ask-pass --ask-become-pass

```
In your command line, type:

```
chmod +x run.sh
sudo apt install ansible
./run.sh

(Somewhere here there would be some errors)
sudo apt install sshpass

cd /etc/ansible
vi ansible.cfg
(Add this line)
host_key_checking = False
(Exit and return back)
./run.sh

```
== Hping3 Attack

{empty} +
Here is a video about hping3, tcpdump, netstat and iptables rules. Feel free to press like button and subscribe!

video::lErpyiAbsVs[youtube]

{empty} +

Firstly, connect to the worker that you wish to do the attack. Inside the worker create a script file with these:

```
#!/bin/sh
#installation_of_hping3
sudo apt update
sudo apt install hping3 -y

#syn_flood_attack_with_hping3_on_docker_master_with_IP_172.27.0.2
#hping3 -i u1 -S -p 80 172.27.0.2
#hping3 172.27.0.2 -q -n -d 120 -S -p 80 --flood
hping3 -S -p 80 172.127.0.2

```
In your command line type:

```
chmod +x hping3.sh
sudo ./hping3.sh

```
== Tcpdump on the victim

After connecting to the victim's host, then create a script file tcpdump.sh

```
#!/bin/sh
tcpdump port 80
#tcpdump -Nnn -i any -s0 'tcp[13] & 2 !=0'

```
In your command line type:

```
chmod +x tcpdump.sh
sudo ./tcpdump.sh

```
== Netstat on the victim

Create a netstat.sh script file and type the above:

```
#!/bin/sh

netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
netstat -anp | grep 'tcp\udp' | awk '{print $6}' | cut -d: f1 | sort | uniq -c | sort -n
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
netstat -na
netstat -tna
netstat -antlupe
netstat -n -p | grep SYN_REC | wc -l
netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head

```
In your command line type:

```
chmod +x netstat.sh
sudo ./netstat.sh

```
== Anti-Ddos protection using iptables

Create an anti-ddos.sh file and type inside:

```
#!/bin/sh
#drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

#Use SYNPROXY on all ports (disables connection limiting rule) ###
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

```
In your command line type:

```
chmod +x anti-ddos.sh
sudo ./anti-ddos.sh

```
== SSH Brute Force Attack using Medusa

{empty} +
Here is a video about ssh brute force attack using medusa tool, detection using rsyslog and protection using fail2ban

video::6C8suUjJBCA[youtube]

{empty} +

In order to do this attack, you have to create a password list file. For example,

```
123password
root
admin-root
acbdef2147
whatistherealpassword
docker
password
123456789

```
The next step is to create a medusa.sh script file.

```
#!/bin/bash
sudo apt update
sudo apt install medusa
medusa -u docker -P pass.txt -h 172.27.0.3 -M ssh

```
To accomplish the ssh brute force attack I connected as worker_4 and I will attack the worker_1.

In your command line type:

```
chmod +x medusa.sh
sudo ./medusa.sh

```
== Detection of SSH Brute Force using rsyslog tool

I will connect as worker_1 and I will create a rsyslog.sh file.

```
#!/bin/bash
sudo apt update
sudo apt install rsyslog
sudo service rsyslog start
sudo service rsyslog status
sudo grep "Failed password" /var/log/auth.log

```
In your command line type:

```
chmod +x rsyslog.sh
sudo ./rsyslog.sh
(After results are shown type the next line)
sudo service rsyslog stop
```
== Fail2ban tool for SSH protection

Create a fail2ban.sh file and type the below:
```
#!/bin/bash
sudo apt update
sudo apt install fail2ban

```
In your command line type:

```
chmod +x fail2ban.sh
sudo ./fail2ban.sh

```
```
sudo service fail2ban start
sudo service fail2ban status
cd /etc/fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

(Inside the jail.local type the below)

[DEFAULT]
loglevel = DEBUG
logtarget = path_to_log

[sshd]
enabled = true
maxretry = 2
bantime = 600
findtime = 30
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action = iptables-multiport[name=%(__name__)s, bantime="%(bantime)s, port=ssh, protocol="%(protocol)s", chain=INPUT]

```

In your command line type:`
```
sudo service fail2ban restart
sudo service fail2ban status
sudo fail2ban-client start
sudo fail2ban-client status
sudo fail2ban-client status sshd

```
== SSH Brute authentication only with keys


To accomplish this brute force login with only key you have to connect to a container, for instance I connected to worker_5.

In your command line type:`
```
(Our server is worker_5)

mkdir .ssh
cd .ssh
ssh-keygen
cat ~/.ssh/id_rsa.pub

(You should do the below for every worker, but for this example I will do only about worker_4)

ssh-copy-id docker@172.27.0.5

(Then it will ask you to connect)

ssh docker@172.27.0.5

(After doing this to all remaining containers type the next below for each host)

scp id_rsa docker@172.27.0.5 #copy id_rsa to every container
sudo service ssh restart

```
Then you have to disable password authentication on you server.

```
(Being on server)

cd /etc/ssh
vi sshd_config

(Inside sshd_config change the below)

PasswordAuthentication no

(After doing this return to your command line and type the below)

sudo service ssh restart

```
And finally you are ready!


== VPN

{empty} +
Here is a video about how you can create VPN and provide services to docker swarm.

video::FnRMonM07yQ[youtube]

{empty} +

In this part, I will show you how you can create a VPN and and provide services to the docker swarm. Firstly, you shoudld be on the /swarmlab-sec/project folder and create a vpn folder.

```
cd swarmlab-sec/project
mkdir vpn
cd vpn

```
The next step is to create a create-vpn. script.

```
#!/bin/bash
IP=127.0.0.1                                            # Server IP       
P=1194                                                  # Server Port     
OVPN_SERVER='10.80.0.0/16'                              # VPN Network     

#vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/   # Dir to save data ** this must exist **
vpn_data=$PWD/openvpn-services/                                           
if [ ! -d $vpn_data ]; then
 mkdir -p $vpn_data
fi

NAME=swarmlab-vpn-services                              # name of docker service 
DOCKERnetwork=swarmlab-vpn-services-network             # docker network
docker=registry.vlabs.uniwa.gr:5080/myownvpn            # docker image

docker stop  $NAME					      #stop container
sleep 1
docker container rm  $NAME				#rm container

# rm config files
rm -f $vpn_data/openvpn.conf.*.bak
rm -f $vpn_data/openvpn.conf
rm -f $vpn_data/ovpn_env.sh.*.bak
rm -f $vpn_data/ovpn_env.sh

# create network
sleep 1
docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork

#run container        see ovpn_genconfig
docker run --net=none -it -v $vpn_data:/etc/openvpn  -p 1194:1194 --rm $docker ovpn_genconfig  -u udp://$IP:1194 \
-N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER   

# create pki          see ovpn_initpki
docker run --net=none -v $vpn_data:/etc/openvpn  --rm -it $docker ovpn_initpki     

#                     see ovpn_copy_server_files
#docker run --net=none -v $vpn_data:/etc/openvpn  --rm $docker ovpn_copy_server_files

#create vpn           see --cap-add=NET_ADMIN
sleep 1
docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker  

sudo sysctl -w net.ipv4.ip_forward=1

#show created
docker ps

```
create-user.sh

```
USERNAME=user1
vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn

docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME  > $USERNAME.user

```
After the user is created add in the $USERNAME.user the below:

```
client
nobind
dev tun
comp-lzo
resolv-retry infinite
keepalive 15 60

remote-cert-tls server
remote 10.0.2.15 1194 udp #type your host IP address in every $USERNAME.user
float

```
rm-user.sh

```
#!/bin/bash

CLIENTNAME=test1
U=$CLIENTNAME

vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn

rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
rm -f $vpn_data/pki/private/$CLIENTNAME.key
rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
rm -f $vpn_data/server/ccd/$CLIENTNAME
rm -f $vpn_data/ccd/$CLIENTNAME
pem=$(sudo grep "CN=$U$"  $vpn_data/pki/index.txt | cut  -f4)

rm -f $vpn_data/pki/certs_by_serial/$pem.pem
sed -i "/CN=$U$/d"  $vpn_data/pki/index.txt
echo $pem
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient  $CLIENTNAME remove

rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn

```
show-user.sh

```
NAME=swarmlab-vpn-services                  # name of docker service
docker exec -it  $NAME ovpn_listclients

```
show-conn-user.sh

```
NAME=swarmlab-vpn-services                 # name of docker service
docker exec -it  $NAME  cat /tmp/openvpn-status.log

```
Then you have to type in your command line:

```
chmod +x create-vpn.sh
chmod +x create-user.sh
chmod +x show-user.sh
chmod +x rm-user.sh
chmod +x show-conn-user.sh

./create-vpn.sh
./create-user.sh    #for every user you have to use a different name
./show-user.sh      #you can see all the users
./show-conn-user.sh #you can see all connected users to the vpn

cp $USERNAME.user ../project    #this user will be copied to the master
```
After doing these steps, connect to a docker host, for instance in docker master.

```
sudo apt update
sudo apt install openvpn
ls -al #to check if there is the user1.user file
sudo su
service openvpn start
openvpn --config ./user1.user #client connection to the VPN 

```
Don't close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created.


Now connect to an other worker, for instance worker_1. You have to do the same thing in every worker.

```
ssh docker@172.27.0.3

sudo apt update
sudo apt install openvpn
touch user2.user
vi user2.user #copy the user2.user file from the /swarmlab-sec/project/vpn/ and paste it here

ls -al #to check if there is the user1.user file
sudo su
service openvpn start
openvpn --config ./user2.user #client connection to the VPN 

```
You have to do the same procedure for the other workers.

Don't close the window or do not stop the execution. Open a new window and connect to the same user and type ifconfig to check if the tun0 has created. 

Then in docker master tab type:

```
sudo su
tcpdump -i tun0

```
Go to the new docker worker tab and type:

```
ping 10.80.0.2 #this is the new IP of master of tun0

```

You are ready! 


== REMOTE/LOCAL SSH FORWARDING

{empty} +
Here is a video about how you can do ssh local and remote forwarding.

video::gbegXj8pQxs[youtube]

{empty} +

On remote container

```
sudo apt install nginx
curl localhost #to check if localhost is working
hostname -i

```
On localhost host

```
curl localhost #to check if localhost is working
hostname
hostname -i

sudo ssh -nNT -L 80:localhost:80 docker@172.27.0.2

```
Then type on localhost host again in a new tab:

```
curl localhost #to check if localhost is working

```
And it works! +


Please enjoy and thank you for reading my ascii doc and watching my youtube videos!