Running cyber-security tools in Docker is becoming more and more popular. Here are some useful security-related Docker containers I found online.

  • HFish – honeypot
  • OWASP Amass
  • Kali
  • Docker Bench for Security
  • Docker Content Trust
  • KMS

HFish – honeypot

Website: //hfish.io/
docker run -d --name hfish -e USERNAME=admin -e PASSWORD=<password> --restart=always -p 21:21 -p 22:22 -p 23:23 -p 3306:3306 -p 6379:6379 -p 8080:8080 -p 8989:8989 -p 9000:9000 -p 9001:9001 -p 11211:11211 imdevops/hfish:latest
Make sure none of these ports conflict with your existing services. If a port is already in use, the container will fail to start, and you must first remove it with the following command:
[root@<host> opc]# docker rm /hfish
Default username and password for the HFish console at http://<ip>:9001: admin
You can change them by passing these two environment variables: -e USERNAME= -e PASSWORD=
If you need to keep the data on the host, mount a host folder into the container with -v $PWD:/opt .

Note: when you copy/paste the command into a VM to run this container, you may get an error. This is usually caused by a conflict on one of the ports you are trying to open, typically port 22. In that case you can either move the VM's own port 22 to another port, or change the docker command to map port 22 to a different host port such as 2222, as in the following command:

docker run -d --name hfish -e USERNAME=admin -e PASSWORD=<password> --restart=always -p 21:21 -p 2222:22 -p 23:23 -p 3306:3306 -p 6379:6379 -p 8080:8080 -p 8989:8989 -p 9000:9000 -p 9001:9001 -p 11211:11211 imdevops/hfish:latest
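As an added example (not from the original post or from HFish), the following Python script works through the port-conflict note above: it probes the host ports from the HFish command, moves a busy port 22 to 2222 as suggested, and prints the resulting docker run line. The fallback table and the <password> placeholder are assumptions.

```python
import socket
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Host:container port pairs taken from the HFish docker run command above.
HFISH_PORTS: Dict[int, int] = {
    21: 21, 22: 22, 23: 23, 3306: 3306, 6379: 6379, 8080: 8080,
    8989: 8989, 9000: 9000, 9001: 9001, 11211: 11211,
}
# Fallback table (an assumption); the page's own advice is 22 -> 2222.
DEFAULT_ALTERNATIVES: Dict[int, int] = {22: 2222}


def ports_in_use(ports: Iterable[int], host: str = "127.0.0.1") -> Set[int]:
    """Ports already accepting TCP connections on host, e.g. the VM's sshd on 22.
    Services bound only to other interfaces are not detected this way."""
    busy: Set[int] = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(0.2)
            if sock.connect_ex((host, port)) == 0:
                busy.add(port)
    return busy


def plan_port_mappings(port_map: Dict[int, int], busy: Set[int],
                       alternatives: Optional[Dict[int, int]] = None,
                       ) -> Tuple[Dict[int, int], List[int]]:
    """Keep free host ports, move busy ones to their alternative, and report
    the rest so the operator can free the port or choose another mapping."""
    alternatives = DEFAULT_ALTERNATIVES if alternatives is None else alternatives
    mapping: Dict[int, int] = {}
    unresolved: List[int] = []
    for host_port, container_port in port_map.items():
        alt = alternatives.get(host_port)
        if host_port not in busy:
            mapping[host_port] = container_port
        elif alt is not None and alt not in busy and alt not in mapping:
            mapping[alt] = container_port
        else:
            unresolved.append(host_port)
    return mapping, unresolved


def hfish_run_command(mapping: Dict[int, int], username: str = "admin",
                      password: str = "<password>") -> str:
    """Render the docker run line with the chosen -p host:container pairs."""
    ports = " ".join(f"-p {h}:{c}" for h, c in sorted(mapping.items()))
    return (f"docker run -d --name hfish -e USERNAME={username} "
            f"-e PASSWORD={password} --restart=always {ports} imdevops/hfish:latest")


if __name__ == "__main__":
    plan, leftover = plan_port_mappings(HFISH_PORTS, ports_in_use(HFISH_PORTS))
    print(hfish_run_command(plan))
    if leftover:
        print("still conflicting, free or remap these host ports:", leftover)
```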

OWASP Amass

//github.com/OWASP/Amass
OWASP Amass is a tool that helps information security professionals perform network mapping of attack surfaces and external asset discovery using open-source information gathering and active reconnaissance techniques.

  1. Install Docker
  2. Pull the Docker image by running docker pull caffix/amass
  3. Run docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass --version
v3.5.5
The volume argument allows the Amass graph database to persist between executions and makes the output files accessible on the host system. The first field of the volume option (left of the colon) is the Amass output directory outside Docker, while the second field is the path inside the container where Amass will write its output files.
The wordlists maintained in the Amass git repository are available in /examples/wordlists/ within the docker container. For example, using all.txt:
docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -brute -w /wordlists/all.txt -d itpro.com
$ docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -brute -w /wordlists/all.txt -d itpro.com
Querying CommonCrawl for itprosec.com subdomains
Querying Baidu for itprosec.com subdomains
Querying CertSpotter for itprosec.com subdomains
Querying Yahoo for itprosec.com subdomains
Querying Sublist3rAPI for itprosec.com subdomains
Querying Exalead for itprosec.com subdomains
Querying Riddler for itprosec.com subdomains
Querying Robtex for itprosec.com subdomains
Querying SiteDossier for itprosec.com subdomains
Querying ThreatCrowd for itprosec.com subdomains
Querying Ask for itprosec.com subdomains
Querying ViewDNS for itprosec.com subdomains
Querying VirusTotal for itprosec.com subdomains
Querying Dogpile for itprosec.com subdomains
Querying Crtsh for itprosec.com subdomains
Querying Google for itprosec.com subdomains
Querying Mnemonic for itprosec.com subdomains
Querying Spyse for itprosec.com subdomains
Querying IPv4Info for itprosec.com subdomains
Querying Censys for itprosec.com subdomains
Querying Netcraft for itprosec.com subdomains
Querying DNSDumpster for itprosec.com subdomains
Querying BufferOver for itprosec.com subdomains
Querying DNSTable for itprosec.com subdomains
Querying PTRArchive for itprosec.com subdomains
Querying AlienVault for itprosec.com subdomains
Querying Pastebin for itprosec.com subdomains
Querying Bing for itprosec.com subdomains
Querying GoogleCT for itprosec.com subdomains
Querying HackerTarget for itprosec.com subdomains
Querying HackerOne for itprosec.com subdomains
Querying URLScan for itprosec.com subdomains
Querying Entrust for itprosec.com subdomains
itpro.com
www.itpro.com
webmail.itpro.com
Average DNS queries performed: 3034/sec, Average retries required: 7.51%
Average DNS queries performed: 4331/sec, Average retries required: 6.14%
Average DNS queries performed: 4148/sec, Average retries required: 7.43%
Average DNS queries performed: 3828/sec, Average retries required: 7.89%
phpmyadmin.itpro.com
cpanel.itpro.com
autoconfig.itpro.com
Average DNS queries performed: 2183/sec, Average retries required: 11.36%

OWASP Amass v3.5.5                                //github.com/OWASP/Amass
--------------------------------------------------------------------------------
6 names discovered - dns: 1, cert: 1, brute: 4
--------------------------------------------------------------------------------
ASN: 13335 - CLOUDFLARENET - Cloudflare, Inc.
        104.18.48.0/20          4    Subdomain Name(s)
ASN: 47583 - AS-HOSTINGER
        31.220.23.0/24          12   Subdomain Name(s)
[node1] (local) <user>@<host> ~
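Added example, not part of the original post or of Amass itself: a small parser that turns the text report above into structured data (names, per-source counts, ASN/netblock rows) and checks that the counts agree, which is what a defender wants before feeding the results into an asset inventory. The sample input is constructed from the run above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, abbreviated from the Amass run shown above.
SAMPLE = """\
Querying Crtsh for itpro.com subdomains
itpro.com
www.itpro.com
webmail.itpro.com
phpmyadmin.itpro.com
cpanel.itpro.com
autoconfig.itpro.com
OWASP Amass v3.5.5                                //github.com/OWASP/Amass
--------------------------------------------------------------------------------
6 names discovered - dns: 1, cert: 1, brute: 4
ASN: 13335 - CLOUDFLARENET - Cloudflare, Inc.
        104.18.48.0/20          4    Subdomain Name(s)
ASN: 47583 - AS-HOSTINGER
        31.220.23.0/24          12   Subdomain Name(s)
"""

SUMMARY_RE = re.compile(r"^(\d+) names discovered - (.*)$")
ASN_RE = re.compile(r"^ASN: (\d+) - (\S+)(?: - (.*))?$")
NETBLOCK_RE = re.compile(r"^\s+(\S+/\d+)\s+(\d+)\s+Subdomain Name\(s\)$")


@dataclass
class AmassReport:
    names: List[str] = field(default_factory=list)         # hostnames found
    sources: Dict[str, int] = field(default_factory=dict)  # dns/cert/brute counts
    declared: int = 0                                      # "N names discovered"
    netblocks: List[dict] = field(default_factory=list)    # ASN + CIDR rows


def parse_amass(text: str, domain: str) -> AmassReport:
    """Turn Amass's text report into structured data for an asset inventory."""
    rep, asn = AmassReport(), None
    for line in text.splitlines():
        if (line == domain or line.endswith("." + domain)) and " " not in line:
            rep.names.append(line)
        elif m := SUMMARY_RE.match(line):
            rep.declared = int(m.group(1))
            for part in m.group(2).split(","):        # "dns: 1" -> sources["dns"] = 1
                src, n = part.split(":")
                rep.sources[src.strip()] = int(n)
        elif m := ASN_RE.match(line):
            asn = {"asn": int(m.group(1)), "name": m.group(2), "org": m.group(3)}
        elif (m := NETBLOCK_RE.match(line)) and asn:
            rep.netblocks.append({**asn, "cidr": m.group(1), "count": int(m.group(2))})
    return rep


def counts_consistent(rep: AmassReport) -> bool:
    """Name list and per-source counts must both agree with 'N names discovered'."""
    return rep.declared == len(rep.names) == sum(rep.sources.values())
```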

Kali

$ docker pull kalilinux/kali-rolling  
Using default tag: latest
latest: Pulling from kalilinux/kali-rolling
5b53b44b6629: Pull complete 
Digest: sha256:b95728038fcbb823a3f32b4dede9f531f56f9e9724d0215d1a34799814efb3c3
Status: Downloaded newer image for kalilinux/kali-rolling:latest
docker.io/kalilinux/kali-rolling:latest
[node1] (local) <user>@<host> ~
$ docker run -t -i kalilinux/kali-rolling /bin/bash
root@<container-id>:/# 

Docker Bench for Security

Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production. After running the script you will see a lot of information about configuration best practices for deploying Docker containers, which you can use to further harden your Docker host and containers.

[node1] (local) <user>@<host> ~
$ docker run -it --net host --pid host --userns host --cap-add audit_control \
>     -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
>     -v /etc:/etc \
>     -v /var/lib:/var/lib:ro \
>     -v /var/run/docker.sock:/var/run/docker.sock:ro \
>     --label docker_bench_security \
>     docker/docker-bench-security
Unable to find image 'docker/docker-bench-security:latest' locally
latest: Pulling from docker/docker-bench-security
cd784148e348: Pull complete 
48fe0d48816d: Pull complete 
164e5e0f48c5: Pull complete 
378ed37ea5ff: Pull complete 
Digest: sha256:ddbdf4f86af4405da4a8a7b7cc62bb63bfeb75e85bf22d2ece70c204d7cfabb8
Status: Downloaded newer image for docker/docker-bench-security:latest
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------

Initializing Sat Apr 18 23:50:05 UTC 2020


[INFO] 1 - Host Configuration
[PASS] 1.1  - Ensure a separate partition for containers has been created
[NOTE] 1.2  - Ensure the container host has been Hardened
[INFO] 1.3  - Ensure Docker is up to date
[INFO]      * Using 19.03.4, verify is it up to date as deemed necessary
[INFO]      * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.4  - Ensure only trusted users are allowed to control Docker daemon
[WARN] 1.5  - Ensure auditing is configured for the Docker daemon
[WARN] 1.6  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.7  - Ensure auditing is configured for Docker files and directories - /etc/docker
[INFO] 1.8  - Ensure auditing is configured for Docker files and directories - docker.service
[INFO]      * File not found
[INFO] 1.9  - Ensure auditing is configured for Docker files and directories - docker.socket
[INFO]      * File not found
[INFO] 1.10  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO]      * File not found
[WARN] 1.11  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO] 1.12  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
[INFO]      * File not found
[INFO] 1.13  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
[INFO]      * File not found


[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[WARN] 2.4  - Ensure insecure registries are not used
[PASS] 2.5  - Ensure aufs storage driver is not used
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
[PASS] 2.10  - Ensure base device size is not changed until needed
[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12  - Ensure centralized and remote logging is configured
[INFO] 2.13  - Ensure operations on legacy registry (v1) are Disabled (Deprecated)
[WARN] 2.14  - Ensure live restore is Enabled
[WARN] 2.15  - Ensure Userland Proxy is Disabled
[PASS] 2.16  - Ensure daemon-wide custom seccomp profile is applied, if needed
[WARN] 2.17  - Ensure experimental features are avoided in production
[WARN] 2.18  - Ensure containers are restricted from acquiring new privileges


[INFO] 3 - Docker daemon configuration files
[INFO] 3.1  - Ensure that docker.service file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.2  - Ensure that docker.service file permissions are set to 644 or more restrictive
[INFO]      * File not found
[INFO] 3.3  - Ensure that docker.socket file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
[INFO]      * File not found
[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]      * No TLS CA certificate found
[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
[INFO]      * No TLS Server certificate found
[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]      * No TLS Server certificate found
[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]      * No TLS Key found
[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
[INFO]      * No TLS Key found
[WARN] 3.15  - Ensure that Docker socket file ownership is set to root:docker
[WARN]      * Wrong ownership for /var/run/docker.sock
[PASS] 3.16  - Ensure that  码头工人  socket file permissions are set to 660 or more restrictive
[PASS] 3.17  - Ensure that daemon.json file ownership is set to root:root
[WARN] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
[WARN]      * Wrong permissions for /etc/docker/daemon.json
[INFO] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.20  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
[INFO]      * File not found


[INFO] 4 - Container Images and Build File
[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: charming_brahmagupta
[NOTE] 4.2  - Ensure that containers use trusted base images
[NOTE] 4.3  - Ensure unnecessary packages are not installed in the container
[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
[WARN] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure HEALTHCHECK instructions have been added to the container image
[WARN]      * No Healthcheck found: [kalilinux/kali-rolling:latest]
[WARN]      * No Healthcheck found: [docker/whalesay:latest]
[WARN]      * No Healthcheck found: [vmwarecna/nginx:latest]
[INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
[INFO]      * Update instruction found: [docker/whalesay:latest]
[INFO]      * Update instruction found: [vmwarecna/nginx:latest]
[NOTE] 4.8  - Ensure setuid and setgid permissions are removed in the images
[INFO] 4.9  - Ensure COPY is used instead of ADD in Dockerfile
[INFO]      * ADD in image history: [kalilinux/kali-rolling:latest]
[INFO]      * ADD in image history: [docker/docker-bench-security:latest]
[INFO]      * ADD in image history: [docker/whalesay:latest]
[INFO]      * ADD in image history: [vmwarecna/nginx:latest]
[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11  - Ensure verified packages are only Installed


[INFO] 5 - Container Runtime
[PASS] 5.1  - Ensure AppArmor Profile is Enabled
[WARN] 5.2  - Ensure SELinux security options are set, if applicable
[WARN]      * No Security Options Found: charming_brahmagupta
[PASS] 5.3  - Ensure Linux Kernel Capabilities are restricted within containers
[PASS] 5.4  - Ensure privileged containers are not used
[PASS] 5.5  - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6  - Ensure ssh is not run within containers
[WARN] 5.7  - Ensure privileged ports are not mapped within containers
[WARN]      * Privileged Port in use: 80 in charming_brahmagupta
[NOTE] 5.8  - Ensure only needed ports are open on the container
[PASS] 5.9  - Ensure the host's network namespace is not shared
[WARN] 5.10  - Ensure memory usage for container is limited
[WARN]      * Container running without memory restrictions: charming_brahmagupta
[WARN] 5.11  - Ensure CPU priority is set appropriately on the container
[WARN]      * Container running without CPU restrictions: charming_brahmagupta
[WARN] 5.12  - Ensure the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: charming_brahmagupta
[WARN] 5.13  - Ensure incoming container traffic is binded to a specific host interface
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in charming_brahmagupta
[WARN] 5.14  - Ensure 'on-failure' container restart policy is set to '5'
[WARN]      * MaximumRetryCount is not set to 5: charming_brahmagupta
[PASS] 5.15  - Ensure the host's process namespace is not shared
[PASS] 5.16  - Ensure the host's IPC namespace is not shared
[PASS] 5.17  - Ensure host devices are not directly exposed to containers
[INFO] 5.18  - Ensure the default ulimit is overwritten at runtime, only if needed
[INFO]      * Container no default ulimit override: charming_brahmagupta
[PASS] 5.19  - Ensure mount propagation mode is not set to shared
[PASS] 5.20  - Ensure the host's UTS namespace is not shared
[PASS] 5.21  - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22  - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23  - Ensure docker exec commands are not used with user option
[PASS] 5.24  - Ensure cgroup usage is confirmed
[WARN] 5.25  - Ensure the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: charming_brahmagupta
[WARN] 5.26  - Ensure container health is checked at runtime
[WARN]      * Health check not set: charming_brahmagupta
[INFO] 5.27  - Ensure docker commands always get the latest version of the image
[WARN] 5.28  - Ensure PIDs cgroup limit is used
[WARN]      * PIDs limit not set: charming_brahmagupta
[INFO] 5.29  - Ensure Docker's default bridge docker0 is not used
[INFO]      * Container in docker0 network: charming_brahmagupta
[PASS] 5.30  - Ensure the host's user namespaces is not shared
[PASS] 5.31  - Ensure the Docker socket is not mounted inside any containers


[INFO] 6 - Docker Security Operations
[INFO] 6.1  - Avoid image sprawl
[INFO]      * There are currently: 4 images
[INFO] 6.2  - Avoid container sprawl
[INFO]      * There are currently a total of 3 containers, with 2 of them currently running


[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3  - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled)
[PASS] 7.4  - Ensure data exchanged between containers are encrypted on different nodes on the overlay network
[PASS] 7.5  - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled)
[PASS] 7.6  - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7  - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8  - Ensure node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9  - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10  - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)

[INFO] Checks: 105
[INFO] Score: 7
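An added example, not part of the original post or of the Docker Bench script: a parser that summarises a report like the one above per section, collects the WARN findings together with the container they name, and maps a few of the runtime WARNs to the docker run flag that addresses them. The sample lines are constructed from the output above and the flag table is the editor's own.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample, abbreviated from the Docker Bench for Security run above.
SAMPLE = """\
[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[INFO] 5 - Container Runtime
[WARN] 5.12  - Ensure the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: charming_brahmagupta
[WARN] 5.25  - Ensure the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: charming_brahmagupta
[WARN] 5.28  - Ensure PIDs cgroup limit is used
[WARN]      * PIDs limit not set: charming_brahmagupta
[INFO] Score: 7
"""

SECTION_RE = re.compile(r"^\[INFO\] (\d+) - (.+)$")
CHECK_RE = re.compile(r"^\[(PASS|WARN|INFO|NOTE)\] (\d+\.\d+)\s+- (.+)$")
DETAIL_RE = re.compile(r"^\[\w+\]\s+\* (.+)$")

# docker run flags for some runtime WARNs above (editor's mapping, not bench output).
RUNTIME_FIXES: Dict[str, str] = {
    "5.10": "--memory=<limit>",
    "5.12": "--read-only",
    "5.25": "--security-opt no-new-privileges",
    "5.28": "--pids-limit=<n>",
}


def parse_bench(text: str) -> Tuple[Dict[str, Counter], List[dict]]:
    """Per-section counts of PASS/WARN/INFO/NOTE plus every WARN with its details."""
    counts, warnings = defaultdict(Counter), []
    section, current = "preamble", None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = f"{m.group(1)} - {m.group(2)}"
        elif m := CHECK_RE.match(line):
            level, check_id, title = m.groups()
            counts[section][level] += 1
            current = None                       # details of non-WARN checks are skipped
            if level == "WARN":
                current = {"id": check_id, "title": title, "details": []}
                warnings.append(current)
        elif (m := DETAIL_RE.match(line)) and current is not None:
            current["details"].append(m.group(1))   # usually names the offending container
    return dict(counts), warnings


def suggested_flags(warnings: List[dict]) -> Dict[str, str]:
    """Map each WARN that has a known docker run remedy to that flag."""
    return {w["id"]: RUNTIME_FIXES[w["id"]] for w in warnings if w["id"] in RUNTIME_FIXES}
```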

Docker Content Trust

Docker Content Trust is a new feature in Docker 1.8. It is disabled by default, but once enabled it lets you verify the integrity, authenticity and publication date of all Docker images pulled from the Docker Hub registry.

//success.docker.com/article/introduction-to-docker-content-trust

Pulling images with Docker Content Trust

  • Temporarily disable content trust to successfully pull unsigned content:
    docker pull --disable-content-trust jpetazzo/clock
  • Enable debug mode to compare the behaviour of a request that verifies signed content with one that does not verify trust data:
    docker -D pull --disable-content-trust hello-world
    docker -D pull hello-world
  • Enable Docker Content Trust:
    export DOCKER_CONTENT_TRUST=1
  • Try to pull unsigned content and observe the error message:
    docker pull jpetazzo/clock




KMS

docker pull luodaoyi/kms-server
docker run -d -p 1688:1688 --restart=always --name="kms" luodaoyi/kms-server

Configure a Windows system to use the KMS server:
slmgr /skms <ip>:1688
If you use the default port 1688: slmgr /skms <ip>
Activate your machine:
slmgr /ato
Check the activation status:
slmgr /xpr



By John
