From 1037d4bd98063b8e76fb2e598b9ba05c5bc4440e Mon Sep 17 00:00:00 2001
From: Joseph P
Date: Thu, 28 Mar 2024 21:09:21 +0300
Subject: [PATCH] refactor: update variable usage, PHP and Nginx versions

---
 Dockerfile | 33 ++++++++++-----------
 README.md | 73 ++++++++++++++++++-----------------------------
 configs/dvwa.conf | 2 +-
 entrypoint.sh | 37 +++++++++++++-----------
 4 files changed, 66 insertions(+), 79 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1255cca..c355e7e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,16 @@
-# DoD: Installing Nginx with Docker
-FROM nginx:1.25.2-bookworm
+# step: installing Nginx with Docker
+FROM nginx:1.25.4-bookworm
 EXPOSE 80
 EXPOSE 22
-# DoD: Deploying DVWA on Nginx
+WORKDIR /ndvwa
+
+# step: deploying DVWA on Nginx
 # copy config files into container
 COPY configs/dvwa.conf /etc/nginx/sites-available/default
 COPY configs/nginx.conf /etc/nginx/nginx.conf
-COPY configs/dbsetup.sql /dbsetup.sql
+COPY configs/dbsetup.sql ${WORKDIR}/dbsetup.sql
+COPY entrypoint.sh /ndvwa/entrypoint.sh
 # install basic packages
 RUN apt-get update && \
 apt-get install -y \
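Review bot: `COPY configs/dbsetup.sql ${WORKDIR}/dbsetup.sql` does not pick up the `WORKDIR /ndvwa` instruction above it: `WORKDIR` changes the build's working directory but does not define a build variable, so unless the base image happens to export one, `${WORKDIR}` is undefined, expands to an empty string, and the file lands at `/dbsetup.sql` exactly as before the refactor. COPY destinations are already resolved relative to the current working directory, so the intent is `COPY configs/dbsetup.sql ./dbsetup.sql` (or an explicit `ARG APP_DIR=/ndvwa` with `WORKDIR ${APP_DIR}` reused wherever the path is needed). The `RUN` later in this Dockerfile redirects from the same undefined `${WORKDIR}/dbsetup.sql`, so the build passes only because both sides collapse to `/dbsetup.sql`, and changing either one alone will break the other silently. The `COPY entrypoint.sh /ndvwa/entrypoint.sh` added here is also repeated at the bottom of the Dockerfile; one of the two copies should be dropped.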
@@ -25,29 +28,27 @@ RUN apt-get update && \
 openssh-server \
 openssh-client \
 sshpass \
- knockd
+ knockd && \
+ apt-get autoremove -y
 # install a specific version of PHP
 RUN wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
 echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list && \
- apt update && \
- apt -y install php7.4-fpm php7.4-mysqli
+ apt-get update && \
+ apt-get install -y php8.3-fpm php8.3-mysqli
 # run configurations
-RUN mkdir -p /etc/nginx/sites-available && \
- mkdir -p /etc/nginx/sites-enabled && \
- mkdir -p /var/www/html && \
+RUN mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled /var/www/html && \
 # prepare DVWA files
 git clone --depth 1 https://github.com/digininja/DVWA.git /var/www/html/dvwa && \
 chmod 777 -R /var/www/html/dvwa && \
 ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default && \
 # create PHP config
- cd /var/www/html/dvwa && \
- cp config/config.inc.php.dist config/config.inc.php && \
+ cp /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php && \
 # setup database
 service mariadb start && \
- mysql -u root < /dbsetup.sql && \
+ mysql -u root < ${WORKDIR}/dbsetup.sql && \
 # firewall setting for nginx
 ufw allow 80,443/tcp
-# setup entrypoint (technically CMD)
-COPY entrypoint.sh /entrypoint.sh
-CMD [ "bash", "/entrypoint.sh" ]
+# setup entrypoint CMD
+COPY entrypoint.sh ${WORKDIR}/entrypoint.sh
+CMD [ "bash", "/ndvwa/entrypoint.sh" ]
diff --git a/README.md b/README.md
index 7488ab9..663cd42 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # nDVWA
-nDVWA is a compact Dockerized solution for deploying DVWA with nginx.
+nDVWA is a compact Dockerized solution for deploying DVWA with Nginx.
 Everything is kept in a single container: nginx is pulled as a base image, and DVWA is downloaded directly from it's official git repository.
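Review bot: The new `COPY entrypoint.sh ${WORKDIR}/entrypoint.sh` duplicates the COPY of the same file earlier in this Dockerfile, and because `WORKDIR` is an instruction rather than a build variable, `${WORKDIR}` expands to nothing and this copy lands at `/entrypoint.sh` while `CMD` runs `/ndvwa/entrypoint.sh`; the container starts only because the earlier copy uses the literal path. Drop this line, or make the copy and the CMD share one explicit `ARG`/`ENV` path, e.g. `COPY entrypoint.sh ./entrypoint.sh` relative to the working directory. The same undefined variable sits in `mysql -u root < ${WORKDIR}/dbsetup.sql`, where the shell expands it to `/dbsetup.sql` rather than the intended `/ndvwa/dbsetup.sql`. Separately, the two rewritten `apt-get` chains (`apt-get autoremove -y` and `apt-get install -y php8.3-fpm php8.3-mysqli`) leave `/var/lib/apt/lists/*` baked into their layers; appending `&& rm -rf /var/lib/apt/lists/*` to each RUN and adding `--no-install-recommends` shrinks the image without changing behaviour.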
@@ -8,60 +8,42 @@ Additionally, this application offers a few extra SSH configurations between the
 The SSH connection with port knocking protection is established using internal Docker network (which is evident by `docker0` interface and `172.17.0.1` default host address usage in the codebase). You can opt-out of these configurations via a prompt when starting up the container.
-This app was a part of an academic study and had a DoD (Definition-of-Done). The details are presented below.
+This app consist of several key steps. The details are presented below.
 ## Contents
 - [nDVWA](#ndvwa)
 - [Contents](#contents)
- - [**Disclaimer**](#disclaimer)
- - [DoD](#dod)
- - [Installing Nginx with Docker](#installing-nginx-with-docker)
- - [Deploying DVWA on Nginx](#deploying-dvwa-on-nginx)
- - [(optional) Establishing Reverse Tunneling to SSH](#optional-establishing-reverse-tunneling-to-ssh)
- - [(optional) Protecting SSH from Nmap Scanning](#optional-protecting-ssh-from-nmap-scanning)
+ - [**Important**](#important)
+ - [Key Steps](#key-steps)
 - [How To Use](#how-to-use)
 - [1. Build (or download) the Docker image](#1-build-or-download-the-docker-image)
 - [2. Create a Docker container](#2-create-a-docker-container)
- - [3. Check deployed DVWA via web-browser](#3-check-deployed-dvwa-via-web-browser)
+ - [3. Check the deployed DVWA instance via web-browser](#3-check-the-deployed-dvwa-instance-via-web-browser)
 - [4. Follow the prompts in Docker container](#4-follow-the-prompts-in-docker-container)
-## **Disclaimer**
+## **Important**
-If you wish to execute **all** of the steps (including SSH configurations), please take into consideration that it might permanently alternate iptables rules on your machine.
+> [!IMPORTANT]
+> **\- DISCLAIMER \-**
+>
+>If you wish to execute **all** of the steps (including SSH configurations), please take into consideration that it might permanently alternate iptables rules on your machine.
+>
+>Once the SSH configurations are complete, the app flushes `DOCKER` and `INPUT` chains in iptables.
+>
+>Unless you know what you are doing or able to fix your iptables in case of any issue, it is recommended to run this app in a virtual machine (or any other environment that is not someone's primary workspace).
-Once the SSH configurations are completed, the app flushes `DOCKER` and `INPUT` chains in iptables.
+> [!NOTE]
+> And just in case, run a `sudo iptables -L > ~/default_iptables.txt` before launching the app. That way you'll have a reference to restore your iptables rules if required.
-Unless you know what you are doing or able to fix your iptables in case of any issue, it is recommended to run this app in a virtual machine.
+## Key Steps
-Tip: And just in case, run a `sudo iptables -L > ~/default_iptables.txt` before launching the app. That way you'll have a reference to restore your iptables rules if required.
+The whole function of the app can be broken down into the following steps:
-## DoD
-
-### Installing Nginx with Docker
-
-1. install Docker on your system;
-2. pull the Nginx Docker image;
-3. create a Docker container using the Nginx image;
-4. configure the necessary ports for Nginx to operate.
-
-### Deploying DVWA on Nginx
-
-1. download the Damn Vulnerable Web Application (DVWA) package;
-2. configure Nginx to serve the DVWA files;
-3. verify the successful deployment of DVWA by accessing it through a web browser.
-
-### (optional) Establishing Reverse Tunneling to SSH
-
-1. configure the SSH server to allow reverse tunneling;
-2. set up the reverse tunnel by initiating an SSH connection from the Docker container to the SSH server;
-3. verify the reverse tunnel connection by accessing the SSH server from the Docker container.
-
-### (optional) Protecting SSH from Nmap Scanning
-
-1. install Nmap for scanning purposes;
-2. implement port knocking or port scanning detection mechanisms to prevent unauthorized access attempts;
-3. 
test the implemented measures using Nmap to ensure SSH protection against scanning.
+1. installing Nginx with Docker;
+2. deploying DVWA on Nginx;
+3. establishing reverse tunneling to SSH (optional);
+4. protecting SSH from Nmap scanning with port knocking protection (optional).
 ## How To Use
@@ -73,7 +55,7 @@ In the root of the directory, run:
 docker build . -t ndvwa
 ```
-Alternatively, you can download a pre-built image from repository's registry:
+Alternatively, you can download a pre-built image from the repository's registry:
 ```sh
 docker pull ghcr.io/seppzer0/ndvwa
@@ -87,7 +69,7 @@ To create a container, run:
 docker run --rm -it -p 80:80 ndvwa
 ```
-### 3. Check deployed DVWA via web-browser
+### 3. Check the deployed DVWA instance via web-browser
 Using a web-browser, enter `0.0.0.0:80` URL.
When asked for credentials for the first time, use `dvwa` for both login and password.
@@ -97,9 +79,10 @@ Then, using UI, create a new database. When asked for credentials again, use `ad
 Once the container is launched, you will be prompted whether to proceed with SSH configurations or just directly jump into Bash shell.
-Keep in mind that in order to establish an SSH connection between a container and a host machine, you need to setup an SSH server on the host machine first.
+Keep in mind that in order to establish an SSH connection between a container and a host machine, you need to setup an SSH server on the host machine first.
+
 On a Debian-based machine:
-- install `openssh-server` package (use `sudo apt install openssh-server`);
+- install `openssh-server` package;
 - append `GatewayPorts yes` and `AllowTcpForwarding yes` lines into `/etc/ssh/sshd_config` file;
-- restart ssh service with `sudo service ssh restart`.
+- restart ssh service.
diff --git a/configs/dvwa.conf b/configs/dvwa.conf
index d40704c..1e4ab32 100644
--- a/configs/dvwa.conf
+++ b/configs/dvwa.conf
@@ -15,7 +15,7 @@ server {
 # this is for the PHP part of DVWA to work properly
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 try_files $uri =404;
- fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+ fastcgi_pass unix:/run/php/php8.3-fpm.sock;
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME $request_filename;
 include fastcgi_params;
diff --git a/entrypoint.sh b/entrypoint.sh
index 7c4e36c..1121f80 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,51 +1,54 @@
 #!/bin/bash
+IP="172.17.0.1"
+
+
 # start services
 service mariadb start
-service php7.4-fpm start
+service php8.3-fpm start
 service nginx start
 sleep 1
 # prompt to either proceed with SSH configurations or jump into shell
 printf "\n\n"
 read -p "[ ? ] Proceed with SSH configurations? [yes/no] " yn
-case $yn in
- yes )
- # DoD: Establishing Reverse Tunneling to SSH
+case $yn in
+ yes )
+ # step: establishing reverse tunneling to SSH
 printf "\n\n== Establishing Reverse Tunneling to SSH ==\n"
 # ask for host's credentials, which will be required for sudo operations
 printf "\n[ * ] Please enter the following information from you host environment.\n"
 read -p " - Username: " USER
 read -s -p " - Password: " PASS
 printf "\n"
- # setup containers SSH keys and connection to the SSH server
+ # setup container's SSH keys and connection to the SSH server (host environment)
 printf "\n[ * ] Setting up SSH keys.\n\n"
 ssh-keygen -t rsa -b 4096 -N '' -f ~/.ssh/id_rsa
- sshpass -p $PASS ssh-copy-id -o StrictHostKeyChecking=no $USER@172.17.0.1
+ sshpass -p ${PASS} ssh-copy-id -o StrictHostKeyChecking=no ${USER}@${IP}
 printf "\n[ * ] Configuring reverse tunneling.\n\n"
- ssh -f -N -R 2222:localhost:22 $USER@172.17.0.1
+ ssh -f -N -R 2222:localhost:22 ${USER}@${IP}
 printf "[ * ] Opening SSH connection. 
When ready, \"exit\" it to proceed with port knocking protection setup.\n\n"
- ssh -p 22 $USER@172.17.0.1
+ ssh -p 22 ${USER}@${IP}
- # DoD: Protecting SSH from Nmap Scanning (port knocking protection)
+ # step: protecting SSH from Nmap scanning with port knocking protection
 printf "\n\n== Protecting SSH from Nmap Scanning ==\n"
 printf "\n[ * ] Please enter the following information from you host environment.\n"
 read -p " - Full path to this repository: " RPATH
 printf "\n"
 printf "\n[ * ] Checking that SSH port is currently open using NMAP.\n\n"
- nmap -p 22 172.17.0.1
+ nmap -p 22 ${IP}
 printf "\n[ * ] Configuring knockd service on the host machine (via SSH).\n\n"
- ssh -p 22 $USER@172.17.0.1 -t "cd $RPATH && echo $PASS | sudo -S bash knockd_setup.sh"
+ ssh -p 22 ${USER}@${IP} -t "cd ${RPATH} && echo ${PASS} | sudo -S bash knockd_setup.sh"
 sleep 1
 printf "\n[ * ] Attemting to scan the SSH port and connect to the SSH server with knockd service running.\n\n"
- nmap -p 22 172.17.0.1
- ssh -p 22 $USER@172.17.0.1
+ nmap -p 22 ${IP}
+ ssh -p 22 ${USER}@${IP}
 printf "\n[ * ] Executing magic knock-knock sequence and actually connecting to the SSH server. When ready, \"exit\" it to proceed.\n\n"
- knock -v 172.17.0.1 20001 20002 20003 -d 500
- ssh -p 22 $USER@172.17.0.1
+ knock -v ${IP} 20001 20002 20003 -d 500
+ ssh -p 22 ${USER}@${IP}
 printf "\n[ * ] Restoring iptables rules on the host machine.\n\n"
- knock -v 172.17.0.1 20001 20002 20003 -d 500
- ssh -p 22 $USER@172.17.0.1 -t "echo $PASS | sudo -S iptables -F DOCKER && sudo -S iptables -F INPUT && sudo -S service knockd stop"
+ knock -v ${IP} 20001 20002 20003 -d 500
+ ssh -p 22 ${USER}@${IP} -t "echo ${PASS} | sudo -S iptables -F DOCKER && sudo -S iptables -F INPUT && sudo -S service knockd stop"
 ;;
 no )
 printf "[ * ] Jumping directly into Bash shell..\n\n";;
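Review bot: `${PASS}`, `${USER}` and `${RPATH}` stay unquoted in the rewritten lines, and the host password is still spliced into a remote command string: `ssh -p 22 ${USER}@${IP} -t "cd ${RPATH} && echo ${PASS} | sudo -S bash knockd_setup.sh"` (and the later `iptables -F` line) breaks on a password or path containing whitespace, quotes, `$`, `;` or `|`, and any such characters are interpreted by the host's login shell rather than treated as data. The password also travels as an argv element in `sshpass -p ${PASS} ...` and inside the remote command, so it is readable in `ps` output in the container and on the host for the lifetime of those processes. Pass it through the environment and stdin instead: `SSHPASS="$PASS" sshpass -e ssh-copy-id -o StrictHostKeyChecking=no "${USER}@${IP}"` and `printf '%s\n' "$PASS" | ssh -p 22 "${USER}@${IP}" "cd ${RPATH@Q} && sudo -S bash knockd_setup.sh"` (`${var@Q}` needs bash 4.4+, which the bookworm base ships; `-t` is dropped so `sudo -S` reads the piped stdin, so confirm knockd_setup.sh does not itself require a tty). `StrictHostKeyChecking=no` is untouched by this patch; with a fixed `IP`, `StrictHostKeyChecking=accept-new` keeps the first-run convenience while still detecting a later key change. The `case` statement these lines belong to is closed outside the hunk.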