Running cybersecurity tools with Docker is becoming more and more popular. Below are some useful security-related Docker images I have found online.

  • HFish - honeypot
  • OWASP Amass
  • Kali
  • Docker Bench for Security
  • Docker Content Trust
  • KMS

HFish - honeypot

Website: //hfish.io/
docker run -d --name hfish -e USERNAME=admin -e PASSWORD=<password> --restart=always -p 21:21 -p 22:22 -p 23:23 -p 3306:3306 -p 6379:6379 -p 8080:8080 -p 8989:8989 -p 9000:9000 -p 9001:9001 -p 11211:11211 imdevops/hfish:latest
Make sure none of these ports conflict with your existing services. If a port is already taken, the container cannot start, and you must first remove it with the following command:
[user@host opc]# docker rm /hfish
/hfish
Default username and password for http://<ip>:9001: admin
They can be changed with the following two environment variables: -e USERNAME= -e PASSWORD=
If you need to keep the data on the host, mount a host folder into the container with -v $PWD:/opt .

Note: when you copy/paste the command into a VM to run this container, you may get an error. It is usually caused by a port you are trying to open already being in use, most often port 22. In that case you can either move the VM's SSH service off port 22, or change the docker command so that container port 22 is mapped to a different host port, for example 2222. Here is the command:

docker run -d --name hfish -e USERNAME=admin -e PASSWORD=<password> --restart=always -p 21:21 -p 2222:22 -p 23:23 -p 3306:3306 -p 6379:6379 -p 8080:8080 -p 8989:8989 -p 9000:9000 -p 9001:9001 -p 11211:11211 imdevops/hfish:latest
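To catch the port conflict described above before the container fails to start, the following shell helper (an added example, not from HFish or the original post) compares the mappings in the run command with the ports the host already listens on and moves any taken host port out of the way, 22 becoming 2222 as in the command above. It assumes iproute2's `ss` is available on the host.

```shell
# Check the hfish port mappings against the ports the host already listens on
# and move any taken host port out of the way (22 -> 2222, as in the command above).
# Added example, not part of HFish or the original post.

# Host:container mappings from the hfish run command above.
HFISH_PORTS="21:21 22:22 23:23 3306:3306 6379:6379 8080:8080 8989:8989 9000:9000 9001:9001 11211:11211"

# listening_ports: TCP ports with a listener on this host, one per line
# (assumes iproute2's `ss`; the local address is the 4th column of `ss -ltnH`).
listening_ports() {
  ss -ltnH 2>/dev/null | awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# is_busy PORT BUSY_LIST: succeeds when PORT appears in the newline-separated list.
is_busy() {
  printf '%s\n' "$2" | grep -qx "$1"
}

# free_alternative PORT BUSY_LIST: PORT + 2200 (so 22 -> 2222), bumped by 1000
# while that candidate is also taken.
free_alternative() {
  cand=$(( $1 + 2200 ))
  while is_busy "$cand" "$2" && [ "$cand" -lt 64535 ]; do
    cand=$(( cand + 1000 ))
  done
  printf '%s' "$cand"
}

# remap_conflicts MAPPINGS BUSY_LIST: print the -p options for docker run,
# substituting a free host port wherever the requested one is already in use.
remap_conflicts() {
  opts=""
  for m in $1; do
    host=${m%%:*}; ctr=${m#*:}
    if is_busy "$host" "$2"; then
      alt=$(free_alternative "$host" "$2")
      echo "host port $host is in use; mapping $alt -> container port $ctr instead" >&2
      host=$alt
    fi
    opts="$opts -p $host:$ctr"
  done
  printf '%s' "${opts# }"
}

# Usage on the real host (USERNAME/PASSWORD as in the command above):
#   docker run -d --name hfish -e USERNAME=admin -e PASSWORD=<password> --restart=always \
#     $(remap_conflicts "$HFISH_PORTS" "$(listening_ports)") imdevops/hfish:latest
```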

OWASP Amass

//github.com/OWASP/Amass
OWASP Amass is a tool that helps information security professionals map the network of an attack surface and perform external asset discovery using open source information gathering and active reconnaissance techniques.

  1. Install Docker.
  2. Pull the Docker image by running docker pull caffix/amass
  3. Run docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass --version
v3.5.5
The volume argument allows the Amass graph database to persist between executions and the output files to be accessed on the host system. The first field of the volume option (left of the colon) is the Amass output directory outside Docker, while the second field is the path inside Docker where Amass will write its output files.
The wordlists maintained in the Amass git repository are available in /examples/wordlists/ within the docker container. For example, to use all.txt:
docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -brute -w /wordlists/all.txt -d itpro.com
$ docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -brute -w /wordlists/all.txt -d itpro.com
Querying CommonCrawl for itprosec.com subdomains
Querying Baidu for itprosec.com subdomains
Querying CertSpotter for itprosec.com subdomains
Querying Yahoo for itprosec.com subdomains
Querying Sublist3rAPI for itprosec.com subdomains
Querying Exalead for itprosec.com subdomains
Querying Riddler for itprosec.com subdomains
Querying Robtex for itprosec.com subdomains
Querying SiteDossier for itprosec.com subdomains
Querying ThreatCrowd for itprosec.com subdomains
Querying Ask for itprosec.com subdomains
Querying ViewDNS for itprosec.com subdomains
Querying VirusTotal for itprosec.com subdomains
Querying Dogpile for itprosec.com subdomains
Querying Crtsh for itprosec.com subdomains
Querying Google for itprosec.com subdomains
Querying Mnemonic for itprosec.com subdomains
Querying Spyse for itprosec.com subdomains
Querying IPv4Info for itprosec.com subdomains
Querying Censys for itprosec.com subdomains
Querying Netcraft for itprosec.com subdomains
Querying DNSDumpster for itprosec.com subdomains
Querying BufferOver for itprosec.com subdomains
Querying DNSTable for itprosec.com subdomains
Querying PTRArchive for itprosec.com subdomains
Querying AlienVault for itprosec.com subdomains
Querying Pastebin for itprosec.com subdomains
Querying Bing for itprosec.com subdomains
Querying GoogleCT for itprosec.com subdomains
Querying HackerTarget for itprosec.com subdomains
Querying HackerOne for itprosec.com subdomains
Querying URLScan for itprosec.com subdomains
Querying Entrust for itprosec.com subdomains
itpro.com
www.itpro.com
webmail.itpro.com
Average DNS queries performed: 3034/sec, Average retries required: 7.51%
Average DNS queries performed: 4331/sec, Average retries required: 6.14%
Average DNS queries performed: 4148/sec, Average retries required: 7.43%
Average DNS queries performed: 3828/sec, Average retries required: 7.89%
phpmyadmin.itpro.com
cpanel.itpro.com
autoconfig.itpro.com
Average DNS queries performed: 2183/sec, Average retries required: 11.36%

OWASP Amass v3.5.5                                //github.com/OWASP/Amass
--------------------------------------------------------------------------------
6 names discovered - dns: 1, cert: 1, brute: 4
--------------------------------------------------------------------------------
ASN: 13335 - CLOUDFLARENET - Cloudflare, Inc.
        104.18.48.0/20          4    Subdomain Name(s)
ASN: 47583 - AS-HOSTINGER
        31.220.23.0/24          12   Subdomain Name(s)
[node1] (local) user@host ~

Kali

$ docker pull kalilinux/kali-rolling  
Using default tag: latest
latest: Pulling from kalilinux/kali-rolling
5b53b44b6629: Pull complete 
Digest: sha256:b95728038fcbb823a3f32b4dede9f531f56f9e9724d0215d1a34799814efb3c3
Status: Downloaded newer image for kalilinux/kali-rolling:latest
docker.io/kalilinux/kali-rolling:latest
[node1] (local) user@host ~
$ docker run -t -i kalilinux/kali-rolling /bin/bash
root@<container-id>:/# 

Docker Bench for Security

Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production. After running it you will get a lot of information about configuration best practices for your Docker deployment, which you can use to further harden your Docker host and containers.

[node1] (local) user@host ~
$ docker run -it --net host --pid host --userns host --cap-add audit_control \
>     -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
>     -v /etc:/etc \
>     -v /var/lib:/var/lib:ro \
>     -v /var/run/docker.sock:/var/run/docker.sock:ro \
>     --label docker_bench_security \
>     docker/docker-bench-security
Unable to find image 'docker/docker-bench-security:latest' locally
latest: Pulling from docker/docker-bench-security
cd784148e348: Pull complete 
48fe0d48816d: Pull complete 
164e5e0f48c5: Pull complete 
378ed37ea5ff: Pull complete 
Digest: sha256:ddbdf4f86af4405da4a8a7b7cc62bb63bfeb75e85bf22d2ece70c204d7cfabb8
Status: Downloaded newer image for docker/docker-bench-security:latest
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------

Initializing Sat Apr 18 23:50:05 UTC 2020


[INFO] 1 - Host Configuration
[PASS] 1.1  - Ensure a separate partition for containers has been created
[NOTE] 1.2  - Ensure the container host has been Hardened
[INFO] 1.3  - Ensure Docker is up to date
[INFO]      * Using 19.03.4, verify is it up to date as deemed necessary
[INFO]      * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.4  - Ensure only trusted users are allowed to control Docker daemon
[WARN] 1.5  - Ensure auditing is configured for the Docker daemon
[WARN] 1.6  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.7  - Ensure auditing is configured for Docker files and directories - /etc/docker
[INFO] 1.8  - Ensure auditing is configured for Docker files and directories - docker.service
[INFO]      * File not found
[INFO] 1.9  - Ensure auditing is configured for Docker files and directories - docker.socket
[INFO]      * File not found
[INFO] 1.10  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO]      * File not found
[WARN] 1.11  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO] 1.12  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
[INFO]      * File not found
[INFO] 1.13  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
[INFO]      * File not found


[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[WARN] 2.4  - Ensure insecure registries are not used
[PASS] 2.5  - Ensure aufs storage driver is not used
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
[PASS] 2.10  - Ensure base device size is not changed until needed
[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12  - Ensure centralized and remote logging is configured
[INFO] 2.13  - Ensure operations on legacy registry (v1) are Disabled (Deprecated)
[WARN] 2.14  - Ensure live restore is Enabled
[WARN] 2.15  - Ensure Userland Proxy is Disabled
[PASS] 2.16  - Ensure daemon-wide custom seccomp profile is applied, if needed
[WARN] 2.17  - Ensure experimental features are avoided in production
[WARN] 2.18  - Ensure containers are restricted from acquiring new privileges


[INFO] 3 - Docker daemon configuration files
[INFO] 3.1  - Ensure that docker.service file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.2  - Ensure that docker.service file permissions are set to 644 or more restrictive
[INFO]      * File not found
[INFO] 3.3  - Ensure that docker.socket file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
[INFO]      * File not found
[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]      * No TLS CA certificate found
[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
[INFO]      * No TLS Server certificate found
[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]      * No TLS Server certificate found
[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]      * No TLS Key found
[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
[INFO]      * No TLS Key found
[WARN] 3.15  - Ensure that Docker socket file ownership is set to root:docker
[WARN]      * Wrong ownership for /var/run/docker.sock
[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
[PASS] 3.17  - Ensure that daemon.json file ownership is set to root:root
[WARN] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
[WARN]      * Wrong permissions for /etc/docker/daemon.json
[INFO] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.20  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
[INFO]      * File not found


[INFO] 4 - Container Images and Build File
[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: charming_brahmagupta
[NOTE] 4.2  - Ensure that containers use trusted base images
[NOTE] 4.3  - Ensure unnecessary packages are not installed in the container
[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
[WARN] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure HEALTHCHECK instructions have been added to the container image
[WARN]      * No Healthcheck found: [kalilinux/kali-rolling:latest]
[WARN]      * No Healthcheck found: [docker/whalesay:latest]
[WARN]      * No Healthcheck found: [vmwarecna/nginx:latest]
[INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
[INFO]      * Update instruction found: [docker/whalesay:latest]
[INFO]      * Update instruction found: [vmwarecna/nginx:latest]
[NOTE] 4.8  - Ensure setuid and setgid permissions are removed in the images
[INFO] 4.9  - Ensure COPY is used instead of ADD in Dockerfile
[INFO]      * ADD in image history: [kalilinux/kali-rolling:latest]
[INFO]      * ADD in image history: [docker/docker-bench-security:latest]
[INFO]      * ADD in image history: [docker/whalesay:latest]
[INFO]      * ADD in image history: [vmwarecna/nginx:latest]
[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11  - Ensure verified packages are only Installed


[INFO] 5 - Container Runtime
[PASS] 5.1  - Ensure AppArmor Profile is Enabled
[WARN] 5.2  - Ensure SELinux security options are set, if applicable
[WARN]      * No SecurityOptions Found: charming_brahmagupta
[PASS] 5.3  - Ensure Linux Kernel Capabilities are restricted within containers
[PASS] 5.4  - Ensure privileged containers are not used
[PASS] 5.5  - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6  - Ensure ssh is not run within containers
[WARN] 5.7  - Ensure privileged ports are not mapped within containers
[WARN]      * Privileged Port in use: 80 in charming_brahmagupta
[NOTE] 5.8  - Ensure only needed ports are open on the container
[PASS] 5.9  - Ensure the host's network namespace is not shared
[WARN] 5.10  - Ensure memory usage for container is limited
[WARN]      * Container running without memory restrictions: charming_brahmagupta
[WARN] 5.11  - Ensure CPU priority is set appropriately on the container
[WARN]      * Container running without CPU restrictions: charming_brahmagupta
[WARN] 5.12  - Ensure the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: charming_brahmagupta
[WARN] 5.13  - Ensure incoming container traffic is binded to a specific host interface
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in charming_brahmagupta
[WARN] 5.14  - Ensure 'on-failure' container restart policy is set to '5'
[WARN]      * MaximumRetryCount is not set to 5: charming_brahmagupta
[PASS] 5.15  - Ensure the host's process namespace is not shared
[PASS] 5.16  - Ensure the host's IPC namespace is not shared
[PASS] 5.17  - Ensure host devices are not directly exposed to containers
[INFO] 5.18  - Ensure the default ulimit is overwritten at runtime, only if needed
[INFO]      * Container no default ulimit override: charming_brahmagupta
[PASS] 5.19  - Ensure mount propagation mode is not set to shared
[PASS] 5.20  - Ensure the host's UTS namespace is not shared
[PASS] 5.21  - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22  - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23  - Ensure docker exec commands are not used with user option
[PASS] 5.24  - Ensure cgroup usage is confirmed
[WARN] 5.25  - Ensure the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: charming_brahmagupta
[WARN] 5.26  - Ensure container health is checked at runtime
[WARN]      * Health check not set: charming_brahmagupta
[INFO] 5.27  - Ensure docker commands always get the latest version of the image
[WARN] 5.28  - Ensure PIDs cgroup limit is used
[WARN]      * PIDs limit not set: charming_brahmagupta
[INFO] 5.29  - Ensure Docker's default bridge docker0 is not used
[INFO]      * Container in docker0 network: charming_brahmagupta
[PASS] 5.30  - Ensure the host's user namespaces is not shared
[PASS] 5.31  - Ensure the Docker socket is not mounted inside any containers


[INFO] 6 - Docker Security Operations
[INFO] 6.1  - Avoid image sprawl
[INFO]      * There are currently: 4 images
[INFO] 6.2  - Avoid container sprawl
[INFO]      * There are currently a total of 3 containers, with 2 of them currently running


[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3  - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled)
[PASS] 7.4  - Ensure data exchanged between containers are encrypted on different nodes on the overlay network
[PASS] 7.5  - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled)
[PASS] 7.6  - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7  - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8  - Ensure node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9  - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10  - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)

[INFO] Checks: 105
[INFO] Score: 7
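A triage helper for a report like the one above, added here as an example (not part of Docker Bench for Security): it keeps only the [WARN] checks together with their indented detail lines and counts them per benchmark section, so a long report is reduced to the findings that need action. The sample report inside is constructed from lines of the output above.

```shell
# Triage docker-bench-security output: keep only failed ([WARN]) checks, attach
# their "*" detail lines, and count findings per benchmark section.
# Added example, not part of Docker Bench for Security.

# Constructed sample: a few lines in the shape of the report above.
sample_report() {
  cat <<'EOF'
[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[INFO] 5 - Container Runtime
[WARN] 5.7  - Ensure privileged ports are not mapped within containers
[WARN]      * Privileged Port in use: 80 in charming_brahmagupta
[PASS] 5.9  - Ensure the host's network namespace is not shared
[WARN] 5.12  - Ensure the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: charming_brahmagupta
[INFO] Score: 7
EOF
}

# warn_findings: read a report on stdin and print one "id|title|details" line
# per [WARN] check; several detail lines are joined with "; ".
warn_findings() {
  awk '
    function flush() { if (id != "") { print id "|" title "|" details; id = "" } }
    /^\[WARN\] [0-9]+\.[0-9]+ / {          # a failed check: "[WARN] 5.7  - Ensure ..."
      flush(); id = $2; title = $0; details = ""
      sub(/^\[WARN\] [0-9.]+ +- /, "", title); next
    }
    /^\[WARN\] +\* / && id != "" {         # detail line belonging to the current check
      d = $0; sub(/^\[WARN\] +\* /, "", d)
      details = details (details == "" ? "" : "; ") d; next
    }
    { flush() }                            # anything else ends the current finding
    END { flush() }
  '
}

# warn_count_by_section: print "section count" for each section with findings.
warn_count_by_section() {
  warn_findings | cut -d'|' -f1 | cut -d. -f1 | sort -n | uniq -c | awk '{ print $2, $1 }'
}

# Stand-alone run against the constructed sample (pipe a real report in instead):
sample_report | warn_findings
sample_report | warn_count_by_section
```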

Docker Content Trust

Docker Content Trust is a feature introduced in Docker 1.8. It is disabled by default, but once enabled it lets you verify the integrity, authenticity and publication date of all Docker images pulled from the Docker Hub registry.

//success.docker.com/article/introduction-to-docker-content-trust

Pulling images with Docker Content Trust

  • Temporarily disable content trust to successfully pull unsigned content:
    docker pull --disable-content-trust jpetazzo/clock
  • Enable debug mode to compare the behaviour of pulls where signed content is verified against pulls where no trust data exists:
    docker -D pull --disable-content-trust hello-world
    docker -D pull hello-world
  • Enable Docker Content Trust:
    export DOCKER_CONTENT_TRUST=1
  • Try to pull unsigned content and observe the error message:
    docker pull jpetazzo/clock




KMS

docker pull luodaoyi/kms-server
docker run -d -p 1688:1688 --restart=always --name="kms" luodaoyi/kms-server

Configure the Windows system to use the KMS server:
slmgr /skms <ip>:1688
If you are using the default port 1688:
slmgr /skms <ip>
Activate the machine:
slmgr /ato
Check the activation status:
slmgr /xpr



By Jon
