
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With Docker, Honeypots, & Nagios

Spenser Reinhardt's presentation on Detecting Security Breaches With Docker, Honeypots, & Nagios.
The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference

  1. Detecting Security Breaches With Docker, Honeypots, & Nagios
     Spenser Reinhardt, sreinhardt@nagios.com. Github: sreinhardt. Docker: sreinhardt. Personal: Ask Me
  2. Presentation Goals: What you talkin' bout Willis?
     • Basics of Docker containerization virtualization
     • What is a honeypot?
     • Why are they valuable to me and my infrastructure?
     • Where does Nagios fit in?
     • Demos!
     • How exactly do I profit from this?
  3. Docker Basics: What is “Docker” and why do I care?
     • Lightweight virtualization
     • Near instant application service recovery
     • Block level file system differential snapshots
     • Heavy isolation between host and guest
     • Optional instant revert to previous snapshots on guest shutdown
     • Easy file and network sharing between host and containers
  4. Getting Started With Docker
     ● Dockerfiles
     ● Github.com
     ● Docker.com
     ● Automatic builds
     ● Instant differential updates

     #start with ubuntu
     FROM ubuntu:latest
     MAINTAINER Spenser Reinhardt
     ENV DEBIAN_FRONTEND noninteractive
     #copy and build
     COPY ./install.sh ./install.sh
     RUN chmod +x ./install.sh
     RUN ./install.sh
     #cleanup
     RUN mv /install.log /opt/[project]/install.log && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /install.sh
     #Post-build docker info
     EXPOSE [ports]
     WORKDIR /opt/[project]
     #CMD ["binary-to-start"]
  5. Dockerfiles
     ● FROM: Base image to use.
     ● MAINTAINER: Who controls the container configuration.
     ● COPY/ADD: Add a file from the host or the web to the container.
     ● RUN: Run a command or script in the container.
     ● EXPOSE: Open a container port to both the host and other containers.
     ● WORKDIR: Change the working directory for all future commands.
     ● ENTRYPOINT: Sets the binary to start by default. Otherwise it is "/bin/sh -c".
     ● CMD: Arguments needed for the entrypoint binary.

     #start with ubuntu
     FROM ubuntu:latest
     MAINTAINER Spenser Reinhardt
     ENV DEBIAN_FRONTEND noninteractive
     #copy and build
     COPY ./install.sh ./install.sh
     RUN chmod +x ./install.sh
     RUN ./install.sh
     #cleanup
     RUN mv /install.log /opt/[project]/install.log && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /install.sh
     #Post-build docker info
     EXPOSE [ports]
     WORKDIR /opt/[project]
     ENTRYPOINT ["binary/to/start"]
     CMD ["Arguments", "for", "binary"]
  6. Github and Docker
     ● Automated linking of GitHub and Bitbucket repositories
     ● Builds only from a directory containing a Dockerfile
     ● Automated builds on git push, or on command
     ● Automated linking and building of linked containers
  7. Github.com – Automated Builds
  8. Docker.com – Automated Builds
  9. Honeypots
     ● Emulation of operating systems, services, and applications.
     ● High Interaction – Full OS or applications; must be reverted to a snapshot or reinstalled after an attack.
     ● Low Interaction – Emulated OS or application; most spawn a separate process per attacker, save results and clean up after the session, like most daemons.
     ● All interactions are suspicious activity.
  10. Honeynet Project
     ● Nepenthes – Low int, many applications and services
     ● Dionaea – Low int, successor to Nepenthes
     ● Glastopf – Web application honeypot
     ● Kippo – SSH emulation and capture
     ● Thug – Client web browser
     ● Conpot – ICS/SCADA emulation
     ● Honeybrid – Intelligent firewall, filtering and classification
     ● Bifrozt – SSH proxy and information collector
  11. Border Honeynets
  12. Internal Honeynets
  13. Docker Honeynet Network
  14. Nagios Monitoring Network
  15. Dynamic Iptables Rules
  16. Putting It All Together (Nagios XI)
  17. Putting It All Together (Nagios Log Monitor)
  18. Putting It All Together (Nagios Network Analyzer)
  19. Nagios XI
     ● Monitors Docker containers and applications on the host
     ● Event handlers restart, save and restart, or kill containers.
     ● Event handlers to disconnect and log abusive connections.
     ● Active view of all parts working in the system
     ● Notification management
  20. Nagios Network Analyzer
     ● Collect flow data from:
       – Host external interface
       – Honeybrid internal interface
     ● Trigger disconnection of abusive and oversized flows with filters
  21. Nagios Log Server
     ● Collect and store all logs.
     ● Advanced parsing and filtering.
     ● Deep correlation between systems and events.
     ● Distributed storage and computation.
  22. Glastopf
     ● Web application specific honeypot
     ● Hosts only ports:
       – 80
       – 443
     ● Full PHP emulated virtual environment
     ● Emulated SQL backend
  23. Web Attack
  24. Log Server Response
  25. Dionaea
     ● General purpose honeypot
     ● Expandable through plugins and modules
     ● Full shellcode emulation
     ● By default hosts applications on:
       – 21 (ftp), 69 (tftp), 135 (epmap), 445 (smb), 1443 (mssql), 3306 (mysql), 5060-5061 (sip), 63001-64000 (ftp)
  26. Samba Attack
  27. Log Server Response
  28. Kippo
     ● SSH specific honeypot
     ● Full virtual shell emulation
     ● Daemon attack emulation
     ● Only port 22/2222
  29. SSH Attack
  30. Log Server Response
  31. Conpot
     ● Industrial Control Systems (ICS) / Supervisory Control and Data Acquisition (SCADA) honeypot
     ● Defaults to emulating a building device control system
     ● Full shellcode emulation
     ● Several services available by default:
       – 80 (http), 161 (snmp), 503 (modbus)
  32. Conclusion
     ● Docker has some really cool uses!
     ● The Honeynet Project has some amazing projects!
     ● Combining these with a little Nagios magic makes for really interesting security!
     ● https://github.com/sreinhardt/Honeynet
     ● https://docker.com/sreinhardt/Honeynet
  33. Questions?
     Spenser Reinhardt, sreinhardt@nagios.com. Github: sreinhardt. Docker: sreinhardt. Personal: Ask Me
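Slides 15 and 19 describe the response side of the design, dynamic iptables rules and Nagios XI event handlers that restart, save and restart, or kill a honeypot container and disconnect abusive connections, but the deck shows no handler script. The POSIX shell handler below is an added example written for this page; it is not code from the talk or from the sreinhardt/Honeynet repository. It assumes Nagios invokes it with the standard $SERVICESTATE$, $SERVICESTATETYPE$ and $SERVICEATTEMPT$ macros followed by the container name and, optionally, an abusive source address supplied by a Network Analyzer filter; the `evidence/` image tag, the `/var/log/honeynet` directory and the `honeynet` syslog tag are assumed names. "Save and restart" is implemented as `docker commit` plus `docker logs` before the restart, so the compromised filesystem and the session log survive for forensics.

```shell
#!/bin/sh
# Nagios event handler for a Docker honeypot container (added example, not the talk's code).
# Expected invocation, via a Nagios command definition:
#   handle_honeypot.sh $SERVICESTATE$ $SERVICESTATETYPE$ $SERVICEATTEMPT$ <container> [abusive-ip]
# The container name and the optional attacker address are assumed to arrive as custom macros.

DOCKER="${DOCKER:-docker}"          # overridable so the decision logic can be tested without a daemon
IPTABLES="${IPTABLES:-iptables}"
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/log/honeynet}"   # assumed location for saved evidence

# decide_action STATE STATETYPE ATTEMPT
# Standard Nagios handler convention: ignore SOFT states until the last retry, act fully on HARD,
# so a single missed check does not churn the container. Prints: none | restart | save-restart
decide_action() {
    case "$1" in
        CRITICAL)
            if [ "$2" = "SOFT" ] && [ "$3" -eq 3 ]; then
                echo restart        # last soft retry: a plain restart is cheap
            elif [ "$2" = "HARD" ]; then
                echo save-restart   # hard failure: keep the evidence, then restart
            else
                echo none
            fi ;;
        *)  echo none ;;            # OK, WARNING and UNKNOWN need no handler action
    esac
}

# valid_ipv4 ADDR: only a plain dotted quad is ever handed to iptables
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# save_container NAME: commit the compromised filesystem as an image and dump the container log
save_container() {
    stamp=$(date +%Y%m%dT%H%M%S)
    "$DOCKER" commit "$1" "evidence/$1:$stamp" >/dev/null
    "$DOCKER" logs "$1" > "$EVIDENCE_DIR/$1-$stamp.log" 2>&1
}

# block_source ADDR: dynamic iptables rule dropping further packets from the abusive source
block_source() {
    valid_ipv4 "$1" || return 1
    "$IPTABLES" -I INPUT -s "$1" -j DROP
    logger -t honeynet "blocked abusive source $1"
}

# run_handler STATE STATETYPE ATTEMPT CONTAINER [ABUSIVE_IP]: prints the action taken
run_handler() {
    action=$(decide_action "$1" "$2" "$3")
    name=$4
    case "$action" in
        restart)      "$DOCKER" restart "$name" >/dev/null ;;
        save-restart) save_container "$name"; "$DOCKER" restart "$name" >/dev/null ;;
    esac
    # The abusive source is blocked on any non-OK state, independently of the container action
    if [ -n "$5" ] && [ "$1" != "OK" ]; then
        block_source "$5" || echo "refusing to block malformed address: $5" >&2
    fi
    echo "$action"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 4 ]; then
    run_handler "$@"
fi
```

Register it as a Nagios command whose `command_line` passes the four macros and the abusive address, and attach it as the `event_handler` of the container's service check. Because iptables rules inserted this way do not survive a reboot, a log line is written for every block so the Log Server keeps the record even after the rule is gone.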