diff --git a/Dockerfile b/Dockerfile
index 1255cca..c355e7e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,16 @@
-# DoD: Installing Nginx with Docker
-FROM nginx:1.25.2-bookworm
+# step: installing Nginx with Docker
+FROM nginx:1.25.4-bookworm
EXPOSE 80
EXPOSE 22
-# DoD: Deploying DVWA on Nginx
+WORKDIR /ndvwa
+
+# step: deploying DVWA on Nginx
# copy config files into container
COPY configs/dvwa.conf /etc/nginx/sites-available/default
COPY configs/nginx.conf /etc/nginx/nginx.conf
-COPY configs/dbsetup.sql /dbsetup.sql
+COPY configs/dbsetup.sql ${WORKDIR}/dbsetup.sql
+COPY entrypoint.sh /ndvwa/entrypoint.sh
# install basic packages
RUN apt-get update && \
apt-get install -y \
@@ -25,29 +28,27 @@ RUN apt-get update && \
openssh-server \
openssh-client \
sshpass \
- knockd
+ knockd && \
+ apt-get autoremove -y
# install a specific version of PHP
RUN wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list && \
- apt update && \
- apt -y install php7.4-fpm php7.4-mysqli
+ apt-get update && \
+ apt-get install -y php8.3-fpm php8.3-mysqli
# run configurations
-RUN mkdir -p /etc/nginx/sites-available && \
- mkdir -p /etc/nginx/sites-enabled && \
- mkdir -p /var/www/html && \
+RUN mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled /var/www/html && \
# prepare DVWA files
git clone --depth 1 https://github.com/digininja/DVWA.git /var/www/html/dvwa && \
chmod 777 -R /var/www/html/dvwa && \
ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default && \
# create PHP config
- cd /var/www/html/dvwa && \
- cp config/config.inc.php.dist config/config.inc.php && \
+ cp /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php && \
# setup database
service mariadb start && \
- mysql -u root < /dbsetup.sql && \
+ mysql -u root < ${WORKDIR}/dbsetup.sql && \
# firewall setting for nginx
ufw allow 80,443/tcp
-# setup entrypoint (technically CMD)
-COPY entrypoint.sh /entrypoint.sh
-CMD [ "bash", "/entrypoint.sh" ]
+# setup entrypoint CMD
+COPY entrypoint.sh ${WORKDIR}/entrypoint.sh
+CMD [ "bash", "/ndvwa/entrypoint.sh" ]
diff --git a/README.md b/README.md
index 7488ab9..663cd42 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# nDVWA
-nDVWA is a compact Dockerized solution for deploying DVWA with nginx.
+nDVWA is a compact Dockerized solution for deploying DVWA with Nginx.
Everything is kept in a single container: nginx is pulled as a base image, and DVWA is downloaded directly from it's official git repository.
@@ -8,60 +8,42 @@ Additionally, this application offers a few extra SSH configurations between the
The SSH connection with port knocking protection is established using internal Docker network (which is evident by `docker0` interface and `172.17.0.1` default host address usage in the codebase). You can opt-out of these configurations via a prompt when starting up the container.
-This app was a part of an academic study and had a DoD (Definition-of-Done). The details are presented below.
+This app consist of several key steps. The details are presented below.
## Contents
- [nDVWA](#ndvwa)
- [Contents](#contents)
- - [**Disclaimer**](#disclaimer)
- - [DoD](#dod)
- - [Installing Nginx with Docker](#installing-nginx-with-docker)
- - [Deploying DVWA on Nginx](#deploying-dvwa-on-nginx)
- - [(optional) Establishing Reverse Tunneling to SSH](#optional-establishing-reverse-tunneling-to-ssh)
- - [(optional) Protecting SSH from Nmap Scanning](#optional-protecting-ssh-from-nmap-scanning)
+ - [**Important**](#important)
+ - [Key Steps](#key-steps)
- [How To Use](#how-to-use)
- [1. Build (or download) the Docker image](#1-build-or-download-the-docker-image)
- [2. Create a Docker container](#2-create-a-docker-container)
- - [3. Check deployed DVWA via web-browser](#3-check-deployed-dvwa-via-web-browser)
+ - [3. Check the deployed DVWA instance via web-browser](#3-check-the-deployed-dvwa-instance-via-web-browser)
- [4. Follow the prompts in Docker container](#4-follow-the-prompts-in-docker-container)
-## **Disclaimer**
+## **Important**
-If you wish to execute **all** of the steps (including SSH configurations), please take into consideration that it might permanently alternate iptables rules on your machine.
+> [!IMPORTANT]
+> **\- DISCLAIMER \-**
+>
+>If you wish to execute **all** of the steps (including SSH configurations), please take into consideration that it might permanently alternate iptables rules on your machine.
+>
+>Once the SSH configurations are complete, the app flushes `DOCKER` and `INPUT` chains in iptables.
+>
+>Unless you know what you are doing or able to fix your iptables in case of any issue, it is recommended to run this app in a virtual machine (or any other environment that is not someone's primary workspace).
-Once the SSH configurations are completed, the app flushes `DOCKER` and `INPUT` chains in iptables.
+> [!NOTE]
+> And just in case, run a `sudo iptables -L > ~/default_iptables.txt` before launching the app. That way you'll have a reference to restore your iptables rules if required.
-Unless you know what you are doing or able to fix your iptables in case of any issue, it is recommended to run this app in a virtual machine.
+## Key Steps
-Tip: And just in case, run a `sudo iptables -L > ~/default_iptables.txt` before launching the app. That way you'll have a reference to restore your iptables rules if required.
+The whole function of the app can be broken down into the following steps:
-## DoD
-
-### Installing Nginx with Docker
-
-1. install Docker on your system;
-2. pull the Nginx Docker image;
-3. create a Docker container using the Nginx image;
-4. configure the necessary ports for Nginx to operate.
-
-### Deploying DVWA on Nginx
-
-1. download the Damn Vulnerable Web Application (DVWA) package;
-2. configure Nginx to serve the DVWA files;
-3. verify the successful deployment of DVWA by accessing it through a web browser.
-
-### (optional) Establishing Reverse Tunneling to SSH
-
-1. configure the SSH server to allow reverse tunneling;
-2. set up the reverse tunnel by initiating an SSH connection from the Docker container to the SSH server;
-3. verify the reverse tunnel connection by accessing the SSH server from the Docker container.
-
-### (optional) Protecting SSH from Nmap Scanning
-
-1. install Nmap for scanning purposes;
-2. implement port knocking or port scanning detection mechanisms to prevent unauthorized access attempts;
-3. test the implemented measures using Nmap to ensure SSH protection against scanning.
+1. installing Nginx with Docker;
+2. deploying DVWA on Nginx;
+3. establishing reverse tunneling to SSH (optional);
+4. protecting SSH from Nmap scanning with port knocking protection (optional).
## How To Use
@@ -73,7 +55,7 @@ In the root of the directory, run:
docker build . -t ndvwa
```
-Alternatively, you can download a pre-built image from repository's registry:
+Alternatively, you can download a pre-built image from the repository's registry:
```sh
docker pull ghcr.io/seppzer0/ndvwa
@@ -87,7 +69,7 @@ To create a container, run:
docker run --rm -it -p 80:80 ndvwa
```
-### 3. Check deployed DVWA via web-browser
+### 3. Check the deployed DVWA instance via web-browser
Using a web-browser, enter `0.0.0.0:80` URL.
When asked for credentials for the first time, use `dvwa` for both login and password.
@@ -97,9 +79,10 @@ Then, using UI, create a new database. When asked for credentials again, use `ad
Once the container is launched, you will be prompted whether to proceed with SSH configurations or just directly jump into Bash shell.
-Keep in mind that in order to establish an SSH connection between a container and a host machine, you need to setup an SSH server on the host machine first.
+Keep in mind that in order to establish an SSH connection between a container and a host machine, you need to setup an SSH server on the host machine first.
+
On a Debian-based machine:
-- install `openssh-server` package (use `sudo apt install openssh-server`);
+- install `openssh-server` package;
- append `GatewayPorts yes` and `AllowTcpForwarding yes` lines into `/etc/ssh/sshd_config` file;
-- restart ssh service with `sudo service ssh restart`.
+- restart ssh service.
diff --git a/configs/dvwa.conf b/configs/dvwa.conf
index d40704c..1e4ab32 100644
--- a/configs/dvwa.conf
+++ b/configs/dvwa.conf
@@ -15,7 +15,7 @@ server {
# this is for the PHP part of DVWA to work properly
fastcgi_split_path_info ^(.+\.php)(/.+)$;
try_files $uri =404;
- fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+ fastcgi_pass unix:/run/php/php8.3-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
include fastcgi_params;
diff --git a/entrypoint.sh b/entrypoint.sh
index 7c4e36c..1121f80 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,51 +1,54 @@
#!/bin/bash
+IP="172.17.0.1"
+
+
# start services
service mariadb start
-service php7.4-fpm start
+service php8.3-fpm start
service nginx start
sleep 1
# prompt to either proceed with SSH configurations or jump into shell
printf "\n\n"
read -p "[ ? ] Proceed with SSH configurations? [yes/no] " yn
-case $yn in
- yes )
- # DoD: Establishing Reverse Tunneling to SSH
+case $yn in
+ yes )
+ # step: establishing reverse tunneling to SSH
printf "\n\n== Establishing Reverse Tunneling to SSH ==\n"
# ask for host's credentials, which will be required for sudo operations
printf "\n[ * ] Please enter the following information from you host environment.\n"
read -p " - Username: " USER
read -s -p " - Password: " PASS
printf "\n"
- # setup containers SSH keys and connection to the SSH server
+ # setup container's SSH keys and connection to the SSH server (host environment)
printf "\n[ * ] Setting up SSH keys.\n\n"
ssh-keygen -t rsa -b 4096 -N '' -f ~/.ssh/id_rsa
- sshpass -p $PASS ssh-copy-id -o StrictHostKeyChecking=no $USER@172.17.0.1
+ sshpass -p ${PASS} ssh-copy-id -o StrictHostKeyChecking=no ${USER}@${IP}
printf "\n[ * ] Configuring reverse tunneling.\n\n"
- ssh -f -N -R 2222:localhost:22 $USER@172.17.0.1
+ ssh -f -N -R 2222:localhost:22 ${USER}@${IP}
printf "[ * ] Opening SSH connection. When ready, \"exit\" it to proceed with port knocking protection setup.\n\n"
- ssh -p 22 $USER@172.17.0.1
+ ssh -p 22 ${USER}@${IP}
- # DoD: Protecting SSH from Nmap Scanning (port knocking protection)
+ # step: protecting SSH from Nmap scanning with port knocking protection
printf "\n\n== Protecting SSH from Nmap Scanning ==\n"
printf "\n[ * ] Please enter the following information from you host environment.\n"
read -p " - Full path to this repository: " RPATH
printf "\n"
printf "\n[ * ] Checking that SSH port is currently open using NMAP.\n\n"
- nmap -p 22 172.17.0.1
+ nmap -p 22 ${IP}
printf "\n[ * ] Configuring knockd service on the host machine (via SSH).\n\n"
- ssh -p 22 $USER@172.17.0.1 -t "cd $RPATH && echo $PASS | sudo -S bash knockd_setup.sh"
+ ssh -p 22 ${USER}@${IP} -t "cd ${RPATH} && echo ${PASS} | sudo -S bash knockd_setup.sh"
sleep 1
printf "\n[ * ] Attemting to scan the SSH port and connect to the SSH server with knockd service running.\n\n"
- nmap -p 22 172.17.0.1
- ssh -p 22 $USER@172.17.0.1
+ nmap -p 22 ${IP}
+ ssh -p 22 ${USER}@${IP}
printf "\n[ * ] Executing magic knock-knock sequence and actually connecting to the SSH server. When ready, \"exit\" it to proceed.\n\n"
- knock -v 172.17.0.1 20001 20002 20003 -d 500
- ssh -p 22 $USER@172.17.0.1
+ knock -v ${IP} 20001 20002 20003 -d 500
+ ssh -p 22 ${USER}@${IP}
printf "\n[ * ] Restoring iptables rules on the host machine.\n\n"
- knock -v 172.17.0.1 20001 20002 20003 -d 500
- ssh -p 22 $USER@172.17.0.1 -t "echo $PASS | sudo -S iptables -F DOCKER && sudo -S iptables -F INPUT && sudo -S service knockd stop"
+ knock -v ${IP} 20001 20002 20003 -d 500
+ ssh -p 22 ${USER}@${IP} -t "echo ${PASS} | sudo -S iptables -F DOCKER && sudo -S iptables -F INPUT && sudo -S service knockd stop"
;;
no )
printf "[ * ] Jumping directly into Bash shell..\n\n";;