Commit b098837 (0 parents; this commit does not belong to any branch on this repository, and may belong to a fork outside of the repository)
Showing 6 changed files with 963 additions and 0 deletions.
@@ -0,0 +1,67 @@ | ||
# Greenbone Vulnerability Manager Appliance | ||
|
||
## GVM (Docker Community Edition) with self signed SSL Nginx reverse proxy and GVM pro version email reporting | ||
|
||
## Auto download & setup link | ||
wget https://raw.githubusercontent.com/itiligent/GVM-Setup/main/setup-gvm.sh && chmod +x setup-gvm.sh && ./setup-gvm.sh | ||
|
||
## Prerequisites: | ||
|
||
Recent flavours of Ubuntu / Debian / Raspian | ||
Min 8GB RAM, 80GB HDD | ||
Private DNS entries matching the server IP address (needed for SSL) | ||
Email relay permitted from the appliance's IP address | ||
|
||
## Setup script menu prompts... | ||
|
||
Prompt 1: [enter sudo password:] (Script must NOT be started as sudo) | ||
Prompt 2: [enter new HOSTNAME:] (Enter to keep existing) | ||
Prompt 3: [Select GVM version:*] (Enter for default currently 22.4) | ||
Prompt 4: [Enter SMTP test email address:] (verify correct email relay for reports feature - enter to skip) | ||
Prompt 5: [Protect GVM behind Nginx rev proxy?:] (Default y) | ||
Prompt 6: [Enter proxy local DNS name:] (Defaults to current hostname) | ||
Prompt 7: [Add self signed SSL certs to Nginx?:] (Default n) Hostname must be in local DNS for SSL | ||
Prompt 8: [Enter sudo password to continue:] (Docker quirk that install needs to switch user context) | ||
|
||
If SSL is selected, newly created Windows & Linux browser certs $site.crt, $site.key & $site.pfx are saved to | ||
$DOWNLOAD_DIR with the exact custom commands for the import of the client certificates being generated on screen (and is also | ||
logged for later reference.) | ||
|
||
* For current versions see https://greenbone.github.io/docs/latest/index.html | ||
|
||
## Adding email reporting | ||
This setup extends Docker with a default Postfix install that provides a base for email reporting functionality (similar to that with GVM Pro appliances). Run the included $/DOWNLOAD_DIR/add-smtp-relay-o365.sh to complete the SMTP relay with Microsoft365 email integration. This scripted configuration uses SMTP with TLS auth, and requires a Microsoft365 email account with an app password configured for it. (Make sure this is a non admin user!). | ||
|
||
## To update GVM containers | ||
|
||
$DOWNLOAD_DIR/update-gvm.sh | ||
(Setup creates a weekly GVM update task at a randomly selected day & time. | ||
|
||
## Vulnerability scanning with Windows SMB authentication | ||
|
||
1. Run the included powershell script on all Windows hosts to be scanned with SMB credentials. | ||
2. Create a GVM service account on all Windows hosts to be scanned, add this account to the local administrators group. (This service account must NOT be a built-in Windows account) | ||
|
||
3. Configure a new credentials object in the GVM management console that reflects the new Windows service account(s). The included powershell script must be run to configure necessary local settings for scanning. | ||
|
||
|
||
## Docker firewall tricks | ||
Blocking http access to GVM's console (tcp 9392) and forcing SSL reverse proxy access is not quite straightforward... | ||
|
||
### Problem: | ||
|
||
Linux's UFW firewall can’t actually filter Docker container networks because Docker's default behaviour bypasses the Linux firewall. (Docker's internal networks and IPchains are all processed BEFORE the Linux UFW firewall and this is a default feature!) Many sysadmins make the mistake of relying on the Linux firewall for their Docker systems, leaving containers open to the world. Docker's main answer to this issue is quite unsophisticated and typically requires blocking all interfaces (! 127.0.0.1), or to only publish containers to 127.0.0.1 and reverse proxy these. Complex systems that have a dozen or so containers and a myriad of network interdependencies, just like GVM, are broken with this blunt approach. | ||
|
||
### Solution: | ||
|
||
With GVM we need granular control over Docker's IP chains at the port & protocol level, but a quirk with Docker and GVM is that the original source/destination ports we need to manage are further hidden behind Docker's internal dynamic NAT. | ||
|
||
The included setup script solves this issue by delicately intercepting only GVM's console port traffic on TCP 9293 between the Docker NAT layer and the system's default route inteface. To do this, conntrack directives are used to unmangle Docker's NAT table to discover the correct dynamic port traffic to block. This approach is very light touch and should not interfere with whatever else is going on under the bonnet with both GVM and Docker. To make this firewall rule persistent through reboots, the installer script further creates a systemd service that must wait for Docker to start its IP chains before inserting the rule. (Iptable rule persistence with Docker can't reliably be gained through the normal "iptables-save" Linux package approach. This is due to the very dynamic nature of Docker's network stack.) | ||
|
||
#!/bin/bash | ||
# Block HTTP access to the GVM console on default http port 9392 | ||
DEFAULT_ROUTE_IF=$(ip route show to default | grep -Eo "dev\s*[[:alnum:]]+" | sed 's/dev\s//g') | ||
sudo iptables -I DOCKER-USER -i $DEFAULT_ROUTE_IF -p tcp -m conntrack --ctorigdstport 9392 -j DROP | ||
|
||
|
||
|
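Review bot: The "Solution" paragraph says the rule intercepts the console on "TCP 9293", but the "Problem" paragraph, the script comment and the rule itself (`--ctorigdstport 9392`) all use 9392; fix the prose so the port number matches the rule. Two smaller points in the same hunk: the DROP only matches packets arriving on the default-route interface (`-i $DEFAULT_ROUTE_IF`), so on a host with a second NIC or a VLAN interface the plain-HTTP console stays reachable through that interface, and the README should either state that limitation or tell the reader to apply the rule to every external interface; and under "Adding email reporting" the path is written as `$/DOWNLOAD_DIR/add-smtp-relay-o365.sh` where `$DOWNLOAD_DIR/add-smtp-relay-o365.sh` is meant. The sentence under "To update GVM containers" also has an unclosed parenthesis.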
@@ -0,0 +1,69 @@ | ||
#!/bin/bash | ||
# To install inside Docker comainters, varibles in the local shell cannot be passed through. Therefore this script | ||
# first dynamically collects the O365 credentials and builds a static script withe all required values, and runs it. | ||
# To procted auth info, after the static secondary script runs it will delete itself. | ||
|
||
# Get container settings to map outgoing emails to the SMTP account so no need to specify an exact return email in send commands | ||
SERVER=$(docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'uname -n') | ||
DOMAIN_SEARCH_SUFFIX=$(docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'grep search /etc/resolv.conf | grep -v "#" | sed 's/'search[[:space:]]'//'') | ||
|
||
clear | ||
# Get the Office365 smtp authentication credentials | ||
echo | ||
read -p "Enter O365 SMTP auth enabled email : " SMTP_EMAIL | ||
echo | ||
read -s -p "Enter the SMTP auth account 'app password': " APP_PWD | ||
echo | ||
echo | ||
read -p "Enter an email address to test that email relay is working : " TEST_EMAIL | ||
echo | ||
cat <<EOF > ~/add-smtp-relay-docker.sh | ||
#!/bin/bash | ||
# Remove some default Postifx config items that conflict with new entries | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'sed -i "/relayhost/d" /etc/postfix/main.cf' | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'sed -i "/smtp_tls_security_level=may/d" /etc/postfix/main.cf' | ||
# For simple relay outbound only, limit Postfix to just loopback and IPv4 | ||
#docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'sed -i "s/inet_interfaces = all/inet_interfaces = loopback-only/g" /etc/postfix/main.cf' | ||
#docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'sed -i "s/inet_protocols = all/inet_protocols = ipv4/g" /etc/postfix/main.cf' | ||
# Add the new Office365 SMTP auth with TLS settings | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'cat <<EOF | tee -a /etc/postfix/main.cf | ||
relayhost = [smtp.office365.com]:587 | ||
smtp_use_tls = yes | ||
smtp_always_send_ehlo = yes | ||
smtp_sasl_auth_enable = yes | ||
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd | ||
smtp_sasl_security_options = noanonymous | ||
smtp_sasl_tls_security_options = noanonymous | ||
smtp_tls_security_level = encrypt | ||
smtp_generic_maps = hash:/etc/postfix/generic | ||
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt | ||
EOF' | ||
# Setup the password file and postmap | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'touch /etc/postfix/sasl_passwd' | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'cat <<EOF | tee -a /etc/postfix/sasl_passwd | ||
[smtp.office365.com]:587 ${SMTP_EMAIL}:${APP_PWD} | ||
EOF' | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'chown root:root /etc/postfix/sasl_passwd' | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'chmod 0600 /etc/postfix/sasl_passwd' | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'postmap /etc/postfix/sasl_passwd' | ||
# Setup the generic map file | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'touch /etc/postfix/generic' | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'cat <<EOF | tee -a /etc/postfix/generic | ||
root@${SERVER} ${SMTP_EMAIL} | ||
@${DOMAIN_SEARCH_SUFFIX} ${SMTP_EMAIL} | ||
EOF' | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'chown root:root /etc/postfix/generic' | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'chmod 0600 /etc/postfix/generic' | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'postmap /etc/postfix/generic' | ||
# Restart and test | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'service postfix restart' | ||
docker exec greenbone-community-edition_gvmd_1 /bin/bash -c 'echo "This is a test email" | mail -s "SMTP Auth Relay Is Working" ${TEST_EMAIL} -a "FROM:${SMTP_EMAIL}"' | ||
rm ~/add-smtp-relay-docker.sh | ||
EOF | ||
|
||
chmod +x ~/add-smtp-relay-docker.sh | ||
~/add-smtp-relay-docker.sh |
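Review bot: The generated `~/add-smtp-relay-docker.sh` holds the Office 365 app password in plaintext: the outer `cat <<EOF > ~/add-smtp-relay-docker.sh` heredoc is unquoted, so `${APP_PWD}` is expanded at generation time, and the file is created with the user's default umask (typically world-readable) until the final `rm`; in addition, every `docker exec ... /bin/bash -c 'cat <<EOF | tee -a /etc/postfix/sasl_passwd ...'` carries the password in the process argument list, where `ps` and process auditing on the host can read it. Suggest `umask 077` before the heredoc and passing the secret over stdin instead of argv, e.g. `printf '%s\n' "[smtp.office365.com]:587 ${SMTP_EMAIL}:${APP_PWD}" | docker exec -i greenbone-community-edition_gvmd_1 tee -a /etc/postfix/sasl_passwd`. Other points: there is no `set -e`, so a failed `docker exec` still lets the test mail and the self-delete run; every config write uses `tee -a`, so re-running the script appends duplicate entries to `main.cf`, `sasl_passwd` and `generic`; and the `DOMAIN_SEARCH_SUFFIX` line nests single quotes inside a single-quoted `bash -c` string (`sed 's/'search[[:space:]]'//'`), which only works because the fragments concatenate into an unquoted sed expression; use `sed "s/search[[:space:]]//"` inside the single-quoted string. Header comments: "comainters", "varibles", "withe", "procted", "Postifx".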
@@ -0,0 +1,54 @@ | ||
##################################################################### | ||
# | ||
# DOCKER CONTAINER HINTS AND USEFUL JUNK | ||
# | ||
##################################################################### | ||
|
||
# Watch docker logs | ||
# docker-compose -f $DOWNLOAD_DIR/docker-compose-$RELEASE.yml -p greenbone-community-edition logs -f | ||
|
||
# Update and start containers | ||
# docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition pull | ||
# docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition up -d | ||
|
||
# To start from scratch | ||
# docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition down -v | ||
|
||
# Gain teminal for a container | ||
# docker exec -it greenbone-community-edition_gvmd_1 /bin/bash | ||
|
||
# Run a command in a container | ||
# docker exec -it <container name> <command> | ||
|
||
# Uddate VTs | ||
# docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition restart ospd-openvas | ||
|
||
# Force reload of all reports/scan configs and port lists | ||
# docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition exec -u gvmd gvmd gvmd --rebuild-gvmd-data=all | ||
|
||
# Restart gvmd | ||
# docker-compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition restart gvmd | ||
|
||
# Get the details of existing containers | ||
# docker ps | ||
|
||
# show container IP and interfaces | ||
# docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' greenbone-community-edition_gsa_1 | ||
# ifname=ip link | awk -F: '$0 !~ "lo|vir|wl|ve|br|do|^[^0-9]"{print $2;getline}' | awk '{ gsub(/ /,""); print }' | ||
# ip route show to default | grep -Eo "dev\s*[[:alnum:]]+" | sed 's/dev\s//g' | ||
|
||
|
||
# Add syslog to a container for debug | ||
# docker exec -it greenbone-community-edition_gvmd_1 apt-get update | ||
# docker exec -it greenbone-community-edition_gvmd_1 apt-get install rsyslog -y | ||
# docker exec -it greenbone-community-edition_gvmd_1 service rsyslog start | ||
# | ||
|
||
# docker exec -it greenbone-community-edition_gvmd_1 /bin/bash | ||
# tail -f /var/log/syslog | ||
|
||
#iptables -I DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 8080 -j DROP | ||
#iptables -I DOCKER-USER -i eth0 -s 10.0.0.0/24 -p tcp -m conntrack --ctorigdstport 8080 -j ACCEPT | ||
|
||
#https://serverfault.com/questions/704643/steps-for-limiting-outside-connections-to-docker-container-with-iptables | ||
# https://serverfault.com/questions/946010/what-are-proper-iptables-rules-for-docker-host |
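Review bot: The interface-name one-liner `ifname=ip link | awk ...` does not capture anything: as written it runs `link` with `ifname=ip` in its environment; it needs command substitution, `ifname=$(ip link | awk -F: '...' | awk '{ gsub(/ /,""); print }')`. The "Watch docker logs" line references `$DOWNLOAD_DIR/docker-compose-$RELEASE.yml` while every other command uses `$DOWNLOAD_DIR/docker-compose.yml`; pick one so the hints can be pasted as-is. The two commented iptables examples both use `-I DOCKER-USER`, so they only yield the intended allow-list if run in exactly that order (DROP first, then the ACCEPT inserted above it); a comment saying so would save someone from locking out their own subnet. Typos: "teminal", "Uddate".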
@@ -0,0 +1,20 @@ | ||
#!/bin/bash | ||
######################################################################################## | ||
# Script to make a quick inventory of network hosts | ||
# For Linux | ||
# David Harrop | ||
# August 2022 | ||
######################################################################################## | ||
|
||
clear | ||
|
||
echo | ||
read -p "Enter the network address to scan ie x.x.x.x: " IP_NETWORK | ||
echo | ||
read -p "Enter the subnet CIDR prefix (without forward slash)/" IP_CIDR | ||
echo | ||
nmap -sn $IP_NETWORK/$IP_CIDR | awk '/Nmap scan/{gsub(/[()]/,"",$NF); print $NF > "hosts.txt"}' | ||
cat hosts.txt > $IP_NETWORK-$IP_CIDR-hosts.txt | ||
rm hosts.txt | ||
nano $IP_NETWORK-$IP_CIDR-hosts.txt | ||
|
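Review bot: Both prompts are passed to nmap unquoted and unvalidated (`nmap -sn $IP_NETWORK/$IP_CIDR`), so a stray space or shell metacharacter becomes extra nmap arguments; quote the variables and check their shape first, e.g. `[[ $IP_NETWORK =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ && $IP_CIDR =~ ^[0-9]{1,2}$ ]] || exit 1`. The intermediate `hosts.txt` (and the `cat`/`rm` pair) is unnecessary: pass the output name into awk with `-v out="$IP_NETWORK-$IP_CIDR-hosts.txt"` and use `print $NF > out`. The second prompt string ends in `/` where `: ` was presumably meant.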
@@ -0,0 +1,26 @@ | ||
################################################################################### | ||
# Windows client setup script for GVM Community Edition credential scans | ||
# David Harrop | ||
# August 2022 | ||
################################################################################### | ||
|
||
# Requires: | ||
# Set-ExecutionPolicy Unrestricted -Scope CurrentUser | ||
# Then set it back with: | ||
# Set-ExecutionPolicy RemoteSigned -Scope CurrentUser | ||
|
||
|
||
# Turn On Remote Registry | ||
Set-Service -Name RemoteRegistry -StartupType Automatic | ||
Set-Service -Name RemoteRegistry -Status Running -PassThru | ||
|
||
|
||
# Turn on firewall rules for Windows ports | ||
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes | ||
|
||
# Set Registry token | ||
If (!(Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System")) { | ||
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" | Out-Null | ||
} | ||
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Type DWord -Value 1 | ||
|
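Review bot: Setting `LocalAccountTokenFilterPolicy` to 1 disables UAC remote restrictions for every local administrator account on the host, not only the GVM service account: any local admin credential (or its hash) then gives full remote admin over SMB and WMI, which is exactly what lateral-movement tooling relies on. The header comment should state that trade-off and point back to the README's requirement for a dedicated, non-built-in account with a strong, per-host password. The firewall line `netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes` enables the whole group on all profiles, Public included; scope it to the scanner instead, e.g. `Set-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Enabled True -Profile Domain,Private -RemoteAddress <scanner IP>` (this assumes the NetSecurity module, available on Windows 8 / Server 2012 and later). Finally, the header suggests `Set-ExecutionPolicy Unrestricted`; `RemoteSigned` already runs local unsigned scripts, and `powershell -ExecutionPolicy Bypass -File` runs this one without changing the policy at all.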