nagios conference 2014 - spenser reinhardt - detecting security breaches with docker, honeypots,...
DESCRIPTION
Spenser Reinhardt's presentation on Detecting Security Breaches With Docker, Honeypots, & Nagios. The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference
TRANSCRIPT
Detecting Security Breaches With Docker, Honeypots, & Nagios
Spenser Reinhardt
Github: sreinhardt
Docker: sreinhardt
Personal: Ask Me
Presentation Goals
What you talkin' bout Willis?
• Basics of Docker containerization virtualization
• What is a honeypot?
• Why are they valuable to me and my infrastructure?
• Where does Nagios fit in?
• Demos!
• How exactly do I profit from this?
Docker Basics
What is “Docker” and why do I care?
• Lightweight virtualization
• Near instant application service recovery
• Block level file system differential snapshots
• Heavy isolation between host and guest
• Optional instant revert to previous snapshots on guest shutdown
• Easy file and network sharing between host and containers
Getting Started With Docker
● Dockerfiles
● Github.com
● Docker.com
● Automatic builds
● Instant differential updates
# start with ubuntu
FROM ubuntu:latest
MAINTAINER Spenser Reinhardt
ENV DEBIAN_FRONTEND noninteractive

# copy and build
COPY ./install.sh ./install.sh
RUN chmod +x ./install.sh
RUN ./install.sh

# cleanup
RUN mv /install.log /opt/[project]/install.log && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /install.sh

# Post-build docker info
EXPOSE [ports]
WORKDIR /opt/[project]
#CMD ["binary-to-start"]
Dockerfiles
● FROM: Base image to use
● MAINTAINER: Who controls the container configuration.
● COPY / ADD: Add a file from the host or the web to the container.
● RUN: Run a command or script in the container.
● EXPOSE: Open a container port to both the host and other containers.
● WORKDIR: Change the working directory for all following commands.
● ENTRYPOINT: Sets the binary to start by default. Otherwise it is "/bin/sh -c".
● CMD: Arguments passed to the entrypoint binary.
# start with ubuntu
FROM ubuntu:latest
MAINTAINER Spenser Reinhardt
ENV DEBIAN_FRONTEND noninteractive

# copy and build
COPY ./install.sh ./install.sh
RUN chmod +x ./install.sh
RUN ./install.sh

# cleanup
RUN mv /install.log /opt/[project]/install.log && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /install.sh

# Post-build docker info
EXPOSE [ports]
WORKDIR /opt/[project]
ENTRYPOINT ["binary/to/start"]
CMD ["Arguments", "for", "binary"]
Github and Docker
● Automated linking of github and bitbucket repositories
● Builds from directory with Dockerfile only
● Automated builds on git push, or on command
● Automated linking and building of linked containers
Github.com – Automated Builds
Docker.com – Automated Builds
Honeypots
● Emulation of operating systems, services, and applications.
● High Interaction – Full OS or applications, must be reverted to a snapshot or reinstalled after an attack.
● Low Interaction – Emulated OS or application; most spawn a separate process per attacker, save the results and clean up after the session, like most daemons.
● All interactions are suspicious activity
Honeynet Project
● Nepenthes – Low int, many applications and services
● Dionaea – Low int, successor to Nepenthes
● Glastopf – Web application honeypot
● Kippo – SSH emulation and capture
● Thug – Client web browser
● Conpot – ICS/SCADA emulation
● Honeybrid – Intelligent firewall, filtering and classification
● Bifrozt – SSH proxy and information collector
Border Honeynets
Internal Honeynets
Docker Honeynet Network
Nagios Monitoring Network
Dynamic Iptables Rules
Putting It All Together (Nagios XI)
Putting It All Together (Nagios Log Monitor)
Putting It All Together (Nagios Network Analyzer)
Nagios XI
● Monitors Docker containers and applications on host
● Event handlers restart, save and restart, or kill containers.
● Event handlers to disconnect and log abusive connections.
● Active view of all parts working in the system
● Notification management
Nagios Network Analyzer
● Collect flow data from:
– Host external interface
– Honeybrid internal interface
● Trigger abusive and oversized disconnections with filters
Nagios Log Server
● Collect and store all logs.
● Advanced parsing and filtering.
● Deep correlation between systems and events.
● Distributed storage and computation.
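An added illustration, not code from the talk or its repository, of how the event-handler, flow-filter and log pieces above fit together: a small Nagios-style check that counts honeypot interactions per source in constructed log lines, returns a Nagios exit status (any interaction is suspicious, repeat offenders are critical), and composes the iptables DROP rules an event handler would apply. The log line format, the HONEYNET chain name and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample honeypot log lines (not real Kippo/Dionaea/Glastopf output).
# Assumed format: "<timestamp> <honeypot> src=<ip> event=<event>"
SAMPLE_LOGS = """\
2014-10-14T10:00:01 kippo src=198.51.100.7 event=login_failed
2014-10-14T10:00:02 kippo src=198.51.100.7 event=login_failed
2014-10-14T10:00:03 kippo src=198.51.100.7 event=login_failed
2014-10-14T10:00:04 kippo src=198.51.100.7 event=login_failed
2014-10-14T10:00:05 kippo src=198.51.100.7 event=login_success
2014-10-14T10:01:00 dionaea src=203.0.113.9 event=smb_connect
2014-10-14T10:02:00 glastopf src=192.0.2.55 event=http_request
"""
LINE_RE = re.compile(r"^\S+ (?P<pot>\S+) src=(?P<src>[\d.]+) event=(?P<event>\S+)$")

def count_by_source(log_text):
    """Count interactions per source IP; lines that do not parse are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group("src")] += 1
    return counts

def abusive_sources(counts, threshold):
    """Sources at or above the threshold are candidates for a disconnect rule."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def iptables_drop_rules(ips, chain="HONEYNET"):
    """Compose (but do not run) the rules an event handler would insert; chain name is assumed."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]

def nagios_status(counts, threshold):
    """Nagios plugin exit codes: 0 OK, 1 WARNING (any interaction is suspicious), 2 CRITICAL."""
    if not counts:
        return 0, "OK - no honeypot interactions"
    bad = abusive_sources(counts, threshold)
    if bad:
        return 2, f"CRITICAL - {len(bad)} abusive source(s): {', '.join(bad)}"
    total = sum(counts.values())
    return 1, f"WARNING - {total} interaction(s) from {len(counts)} source(s)"

if __name__ == "__main__":
    counts = count_by_source(SAMPLE_LOGS)
    code, message = nagios_status(counts, threshold=5)
    print(message)
    for rule in iptables_drop_rules(abusive_sources(counts, 5)):
        print(rule)
    raise SystemExit(code)
```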
Glastopf
● Web application specific honeypot
● Hosts only ports:
– 80
– 443
● Full PHP emulated virtual environment
● Emulated SQL backend
Web Attack
Log Server Response
Dionaea
● General purpose honeypot
● Expandable through plugins and modules
● Full shellcode emulation
● By default hosts applications on:
– 21(ftp), 69(tftp), 135(epmap), 445(smb), 1443(mssql), 3306(mysql), 5060-5061(sip), 63001-64000(ftp)
Samba Attack
Log Server Response
Kippo
● SSH specific honeypot
● Full virtual shell emulation
● Daemon attack emulation
● Only port 22/2222
SSH Attack
Log Server Response
Conpot
● Industrial Control Systems (ICS) / Supervisory Control and Data Acquisition (SCADA)
● Defaults to a building device control system
● Full shellcode emulation
● Several services available by default:
– 80(http), 161(snmp), 503(modbus)
Conclusion
● Docker has some really cool uses!
● Honeynet has some amazing projects!
● Combining these with a little Nagios magic makes for really interesting security!
● https://github.com/sreinhardt/Honeynet
● https://docker.com/sreinhardt/Honeynet
Questions?
Spenser Reinhardt
Github: sreinhardt
Docker: sreinhardt
Personal: Ask Me