Docker Containers for Infrastructure

It’s nice for labs to be able to spin things up fast. What better way to do it than with Docker containers? I’ll add more here as I use them.

OpenLDAP

docker run -d -p 389:389 \
  -e SLAPD_PASSWORD=iw2slep! \
  -e SLAPD_DOMAIN=cci.wisc.edu \
  --name openldap dinkel/openldap

docker run -d -p 80:80 \
  --link openldap:openldap \
  --name ldapadmin dinkel/phpldapadmin

BIND DNS

docker run --name bind -d --restart=always \
  --publish 53:53/tcp \
  --publish 53:53/udp \
  --publish 10000:10000/tcp \
  --volume /srv/docker/bind:/data \
  sameersbn/bind

Cacti

docker run -d -p 80 quantumobject/docker-cacti

Docker Install on Ubuntu

A simple script for installing Docker on an Ubuntu host.

sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update
sudo apt-get install -y docker-ce

Shrink LVM Volume – Ubuntu

Boot from an Ubuntu LiveCD

Locate the logical volume that you wish to shrink:

ubuntu@ubuntu:/dev$ sudo lvmdiskscan
/dev/ram0 [ 64.00 MiB]
/dev/loop0 [ 1.41 GiB]
/dev/ubuntu-vg/root [ 460.32 GiB]

Issue the following command to shrink the file system and the logical volume in one step (--resizefs shrinks the file system first, and the leading minus in -230G means "reduce by 230 GiB" rather than "set to 230 GiB"):

ubuntu@ubuntu:~$ sudo lvreduce --resizefs --size -230G /dev/ubuntu-vg/root

Reboot

Get Log Entries For a Range of Time on Linux

You need to check the logs for a problem and you know when it occurred. The awk range pattern below prints every line from the first line matching the start pattern through the first line matching the end pattern, so you can grab all of the entries for a period of time and make the search for clues easier. Note that if no line matches the end pattern exactly (for example, nothing was logged during that minute), awk keeps printing to the end of the file.

sudo cat secure | awk '/^Dec  1 09:27/,/^Dec  1 09:33/'
Dec  1 09:03:09 u16532612 sshd[24297]: Failed password for root from 43.229.53.54 port 43335 ssh2
Dec  1 09:03:12 u16532612 sshd[24297]: Failed password for root from 43.229.53.54 port 43335 ssh2
Dec  1 09:03:14 u16532612 sshd[24297]: Failed password for root from 43.229.53.54 port 43335 ssh2

Beacon Attack Script

Using MDK3 to create a bunch of fake wireless networks is a neat party trick. This bash script will create a text file with a list of network names, defined in the “networks” array, if it doesn’t already exist.

Then the script will configure the interface by putting it in monitor mode. Finally, the script will fire off MDK3 using the text file created earlier.

Fake Access Point with BT5/Kali Linux

I’m not sure who to credit with the writing of the script below. It’s all over the Internet and I haven’t been able to determine with any certainty who originally wrote it.

While technically a way to attack wireless clients, I just wanted a quick way to set up an access point. This worked out well since I had a BackTrack 5 VM, a USB wireless NIC, some familiarity with the Aircrack suite, and a bit of free time.

This post assumes that you already have the Aircrack tools installed. You will also have to install and configure DHCP.

Delegate DNS Zone in BIND

The following will delegate a zone file for a sub-domain, “sub”, under the “example.com” parent domain.

Edit the “/etc/named.conf” file on “ns1.example.com” by adding a block for the parent domain:

zone "example.com" IN {
        type master;
        file "db.example.com";
        allow-update { none; };
        notify no;
        forwarders { };
};

Configure SSHD for Security

The Secure Shell daemon should be hardened to prevent unauthorized access before being put into production.

Verify that /etc/ssh/sshd_config contains the following lines and that they are not commented out.

  • Protocol 2
  • IgnoreRhosts yes
  • HostbasedAuthentication no
  • PermitRootLogin no
  • Banner /etc/issue (See banner example below)
  • PermitEmptyPasswords no
  • AllowTcpForwarding no (unless needed)
  • X11Forwarding no
  • AllowUsers <username1> <username2> (Optional)
  • DenyUsers <username1> <username2> (Optional)
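A script that verifies the directives listed above against an sshd_config file, added here as an example and not part of the original post. It assumes the whitespace-separated "Keyword value" form and checks a constructed sample config rather than a real host's file:

```shell
#!/bin/sh
# Verify the hardening directives listed above in an sshd_config file. sshd
# uses the first uncommented occurrence of a keyword, so that one decides; a
# commented-out or absent keyword is MISSING (the daemon default applies).
# Assumes "Keyword value" form. Usage: check_sshd_config /etc/ssh/sshd_config
check_sshd_config() {
  cfg="$1"
  fails=0
  while read -r key want; do
    got=$(awk -v k="$key" '
      /^[[:space:]]*#/ { next }
      tolower($1) == tolower(k) { print $2; exit }' "$cfg")
    if [ -z "$got" ]; then
      echo "MISSING  $key (expected $want; sshd default applies)"
      fails=$((fails + 1))
    elif [ "$got" != "$want" ]; then
      echo "FAIL     $key = $got (expected $want)"
      fails=$((fails + 1))
    else
      echo "OK       $key = $got"
    fi
  done <<EOF
Protocol 2
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
Banner /etc/issue
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no
EOF
  [ "$fails" -eq 0 ]
}

# Constructed sample config (not from a real host): Protocol is commented
# out and PermitRootLogin is yes, so exactly two checks should fail.
make_sample_config() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
#Protocol 2
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin yes
Banner /etc/issue
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no
EOF
  echo "$tmp"
}
```

The function exits non-zero when any directive is missing or wrong, so it can gate a deployment script before the daemon is restarted.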