nagios conference 2014 - spenser reinhardt - detecting security breaches with docker, honeypots,...



DESCRIPTION

Spenser Reinhardt's presentation on Detecting Security Breaches With Docker, Honeypots, & Nagios. The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference

TRANSCRIPT

Page 1: Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With Docker, Honeypots, & Nagios

Detecting Security Breaches With Docker, Honeypots, & Nagios

Spenser Reinhardt

[email protected]

Github: sreinhardt

Docker: sreinhardt

Personal: Ask Me

Page 2

Presentation Goals

What you talkin' bout Willis?

• Basics of Docker containerization virtualization
• What is a honeypot?
• Why are they valuable to me and my infrastructure?
• Where does Nagios fit in?
• Demos!
• How exactly do I profit from this?

Page 3

Docker Basics

What is “Docker” and why do I care?

• Lightweight virtualization
• Near instant application service recovery
• Block level file system differential snapshots
• Heavy isolation between host and guest
• Optional instant revert to previous snapshots on guest shutdown
• Easy file and network sharing between host and containers

Page 4

Getting Started With Docker

● Dockerfiles
● Github.com
● Docker.com
● Automatic builds
● Instant differential updates

#start with ubuntu
FROM ubuntu:latest

MAINTAINER Spenser Reinhardt
ENV DEBIAN_FRONTEND noninteractive

#copy and build
COPY ./install.sh ./install.sh
RUN chmod +x ./install.sh
RUN ./install.sh

#cleanup
RUN mv /install.log /opt/[project]/install.log && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /install.sh

#Post-build docker info
EXPOSE [ports]
WORKDIR /opt/[project]
#CMD ["binary-to-start"]

Page 5

Dockerfiles

● FROM: Base image to use

● MAINTAINER: Who controls the container configuration.

● COPY / ADD: Add a file from the host or web to the container.

● RUN: Run a command or script in the container.

● EXPOSE: Open a container port to both the host and other containers.

● WORKDIR: Change working directory for all future commands.

● ENTRYPOINT: Sets the binary to start by default. Otherwise it is “/bin/sh -c”.

● CMD: Arguments passed to the entrypoint binary.

#start with ubuntu
FROM ubuntu:latest

MAINTAINER Spenser Reinhardt
ENV DEBIAN_FRONTEND noninteractive

#copy and build
COPY ./install.sh ./install.sh
RUN chmod +x ./install.sh
RUN ./install.sh

#cleanup
RUN mv /install.log /opt/[project]/install.log && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /install.sh

#Post-build docker info
EXPOSE [ports]
WORKDIR /opt/[project]
ENTRYPOINT ["binary/to/start"]
CMD ["Arguments", "for", "binary"]

Page 6

Github and Docker

● Automated linking of github and bitbucket repositories
● Builds from directory with Dockerfile only
● Automated builds on git push, or on command
● Automated linking and building of linked containers

Page 7

Github.com – Automated Builds

Page 8

Docker.com – Automated Builds

Page 9

Honeypots

● Emulation of operating systems, services, and applications.

● High Interaction – Full OS or applications, must be reverted to a snapshot or reinstalled after an attack.

● Low Interaction – Emulated OS or application; most spawn a separate process per attacker, save the results and clean up after the session, like most daemons.

● All interactions are suspicious activity

Page 10

Honeynet Project

● Nepenthes – Low int, many applications and services
● Dionaea – Low int, successor to Nepenthes
● Glastopf – Web application honeypot
● Kippo – SSH emulation and capture
● Thug – Client web browser
● Conpot – ICS/SCADA emulation
● Honeybrid – Intelligent firewall, filtering and classification
● Bifrozt – SSH proxy and information collector

Page 11

Border Honeynets

Page 12

Internal Honeynets

Page 13

Docker Honeynet Network

Page 14

Nagios Monitoring Network

Page 15

Dynamic Iptables Rules

Page 16

Putting It All Together (Nagios XI)

Page 17

Putting It All Together (Nagios Log Monitor)

Page 18

Putting It All Together (Nagios Network Analyzer)

Page 19

Nagios XI

● Monitors Docker containers and applications on host
● Event handlers restart, save and restart, or kill containers.
● Event handlers to disconnect and log abusive connections.
● Active view of all parts working in the system
● Notification management
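The slide lists the two Nagios XI roles in this setup: a check that watches the honeypot containers, and event handlers that restart, save-and-restart, or kill a container once a check goes critical. The script below is an added example (not code from the slides or from the sreinhardt/Honeynet project) of both halves as a POSIX shell plugin. It assumes the `docker` CLI is available (overridable via `DOCKER_BIN`), that the check reads `docker inspect -f '{{.State.Status}}'`, and that Nagios invokes the handler with the `$SERVICESTATE$`, `$SERVICESTATETYPE$` and `$SERVICEATTEMPT$` macros; the container name `kippo` and the `incident-` tag prefix are illustrative.

```shell
#!/bin/sh
# Added example, not from the slides or the sreinhardt/Honeynet project:
# a Nagios check plugin plus event handler for a Docker-hosted honeypot.
# Assumptions: `docker` is on PATH (override with DOCKER_BIN); Nagios passes
# $SERVICESTATE$ $SERVICESTATETYPE$ $SERVICEATTEMPT$ to the handler.

DOCKER_BIN="${DOCKER_BIN:-docker}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print docker commands instead of running them

# Map a container status string (what `docker inspect -f '{{.State.Status}}'`
# prints) to a Nagios plugin result: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
status_to_nagios() {
    case "$1" in
        running)             echo "OK - container running";        return 0 ;;
        paused|restarting)   echo "WARNING - container $1";        return 1 ;;
        created|exited|dead) echo "CRITICAL - container $1";       return 2 ;;
        "")                  echo "UNKNOWN - container not found";  return 3 ;;
        *)                   echo "UNKNOWN - status '$1'";          return 3 ;;
    esac
}

# Check plugin: check_docker_container <container-name>
check_docker_container() {
    status="$("$DOCKER_BIN" inspect -f '{{.State.Status}}' "$1" 2>/dev/null || true)"
    status_to_nagios "$status"
}

# Decide what the event handler does for a state transition, following the
# usual Nagios pattern: act on the last SOFT attempt, and again once HARD.
# Prints one of: none | restart | save-and-restart
event_action() {
    state="$1"; state_type="$2"; attempt="$3"
    case "$state" in
        CRITICAL)
            if [ "$state_type" = "SOFT" ] && [ "$attempt" -ge 3 ]; then
                echo restart
            elif [ "$state_type" = "HARD" ]; then
                echo save-and-restart
            else
                echo none
            fi ;;
        *) echo none ;;
    esac
}

run_docker() {
    if [ "$DRY_RUN" = 1 ]; then echo "$DOCKER_BIN $*"; else "$DOCKER_BIN" "$@"; fi
}

# Event handler: handle_container_event <name> <state> <state-type> <attempt>
# "save-and-restart" commits the container's file system to a timestamped
# image (preserving evidence of the intrusion for analysis) before restarting.
handle_container_event() {
    name="$1"
    case "$(event_action "$2" "$3" "$4")" in
        restart)
            run_docker restart "$name" ;;
        save-and-restart)
            run_docker commit "$name" "$name:incident-$(date +%Y%m%d%H%M%S)"
            run_docker restart "$name" ;;
    esac
}

# Command-line entry points:
#   honeypot_nagios.sh check <name>
#   honeypot_nagios.sh handle <name> <state> <state-type> <attempt>
case "${1:-}" in
    check)  shift; check_docker_container "$@" ;;
    handle) shift; handle_container_event "$@" ;;
esac
```

The check maps `paused` and `restarting` to WARNING rather than CRITICAL so that a deliberate save-and-restart does not itself trigger a second handler run. A "kill" policy, which the slide also mentions, is the same structure with `run_docker rm -f "$name"` in place of the restart.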

Page 20

Nagios Network Analyzer

● Collect flow data from:

– Host external interface

– Honeybrid internal interface

● Trigger abusive and oversized disconnections with filters

Page 21

Nagios Log Server

● Collect and store all logs.
● Advanced parsing and filtering.
● Deep correlation between systems and events.
● Distributed storage and computation.
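The Honeypots slide makes the point that every interaction with a honeypot is suspicious, and this slide is where those logs get parsed and filtered. The script below is an added example (not code from the slides, the sreinhardt/Honeynet project, or any Honeynet tool) of the simplest useful filter: it reads SSH-honeypot-style log lines from stdin, counts login attempts per source address, and emits a Nagios check result that is CRITICAL as soon as a single attempt or command is seen. The sample lines are constructed for this example and only approximate a Kippo log; the field layout (`... from <ip>`), the function names and the log path are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides or any Honeynet project: turn honeypot
# log lines into a Nagios check on the premise that any interaction is suspicious.
# The log format is a constructed approximation of an SSH honeypot (Kippo-like)
# log, not real Kippo output.

# Constructed sample input (addresses are documentation ranges).
SAMPLE_LOG='2014-10-14 09:12:01 kippo login attempt [root/123456] from 198.51.100.23
2014-10-14 09:12:03 kippo login attempt [admin/admin] from 198.51.100.23
2014-10-14 09:15:44 kippo login attempt [root/toor] from 203.0.113.9
2014-10-14 09:20:10 kippo CMD: uname -a from 198.51.100.23
2014-10-14 09:30:00 kippo heartbeat'

# Count login attempts per source address: stdin -> "ip count", busiest first.
attempts_by_source() {
    awk '/login attempt/ { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
         END { for (ip in c) print ip, c[ip] }' | sort -k2,2nr -k1,1
}

# Nagios check over stdin: OK when the honeypot saw nothing, CRITICAL as soon
# as one login attempt or command was recorded; perfdata after "|" for graphing.
honeypot_check() {
    counts="$(awk '
        /login attempt|CMD:/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ips[$(i+1)]++; events++ }
        }
        END { n = 0; for (ip in ips) n++; printf "%d %d", events + 0, n }')"
    events="${counts% *}"
    sources="${counts#* }"
    if [ "$events" -eq 0 ]; then
        echo "OK - no honeypot interactions | events=0 sources=0"
        return 0
    fi
    echo "CRITICAL - $events interaction(s) from $sources source(s) | events=$events sources=$sources"
    return 2
}

# Command-line use (log path is an assumption): honeypot_check.sh /var/log/kippo/kippo.log
if [ -n "${1:-}" ]; then
    honeypot_check < "$1"
    exit $?
fi
```

Run against the constructed sample (`printf '%s\n' "$SAMPLE_LOG" | honeypot_check`) the check reports four interactions from two sources; the heartbeat line is ignored because it carries no `from` field. In a real deployment the per-source counts are what Nagios Log Server would correlate against the Network Analyzer flow data and the disconnect event handler on the XI side.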

Page 22

Glastopf

● Web application specific honeypot
● Hosts only ports:

– 80

– 443

● Full PHP emulated virtual environment
● Emulated SQL backend

Page 23

Web Attack

Page 24

Log Server Response

Page 25

Dionaea

● General purpose honeypot
● Expandable through plugins and modules
● Full shellcode emulation
● By default hosts applications on:

– 21(ftp), 69(tftp), 135(emap), 445(smb), 1443(mssql), 3306(mysql), 5060-5061(sip), 63001-64000(ftp)

Page 26

Samba Attack

Page 27

Log Server Response

Page 28

Kippo

● SSH specific honeypot
● Full virtual shell emulation
● Daemon attack emulation
● Only port 22/2222

Page 29

SSH Attack

Page 30

Log Server Response

Page 31

Conpot

● Industrial Control Systems (ICS) / Supervisory Control and Data Acquisition (SCADA)

● Defaults to building device control system
● Full shellcode emulation
● Several services available by default

– 80(http), 161(snmp), 503(modbus)

Page 32

Conclusion

● Docker has some really cool uses!
● Honeynet has some amazing projects!
● Combining these with a little Nagios magic makes for really interesting security!
● https://github.com/sreinhardt/Honeynet
● https://docker.com/sreinhardt/Honeynet

Page 33

Questions?

Spenser Reinhardt

[email protected]

Github: sreinhardt

Docker: sreinhardt

Personal: Ask Me