Spenser Reinhardt's presentation on Detecting Security Breaches With Docker, Honeypots, & Nagios.
The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference
1. Detecting Security Breaches With Docker, Honeypots, & Nagios
Spenser Reinhardt
sreinhardt@nagios.com
Github: sreinhardt
Docker: sreinhardt
Personal: Ask Me
2. Presentation Goals
What you talkin' bout Willis?
• Basics of Docker containerization virtualization
• What is a honeypot?
• Why are they valuable to me and my infrastructure?
• Where does Nagios fit in?
• Demos!
• How exactly do I profit from this?
3. Docker Basics
What is “Docker” and why do I care?
• Lightweight virtualization
• Near instant application service recovery
• Block level file system differential snapshots
• Heavy isolation between host and guest
• Optional instant revert to previous snapshots on guest shutdown
• Easy file and network sharing between host and containers
4. Getting Started With Docker
● Dockerfiles
● Github.com
● Docker.com
● Automatic builds
● Instant differential updates
#start with ubuntu
FROM ubuntu:latest
MAINTAINER Spenser Reinhardt
ENV DEBIAN_FRONTEND noninteractive
#copy and build
COPY ./install.sh ./install.sh
RUN chmod +x ./install.sh
RUN ./install.sh
#cleanup
RUN mv /install.log /opt/[project]/install.log && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /install.sh
#Post-build docker info
EXPOSE [ports]
WORKDIR /opt/[project]
#CMD ["binary-to-start"]
5. Dockerfiles
● FROM: Base image to use
● MAINTAINER: Who controls the container configuration.
● COPY/ADD: Add a file from the host or web to the container.
● RUN: Run a command or script in the container.
● EXPOSE: Open a container port to both the host and other containers.
● WORKDIR: Change the working directory for all subsequent commands.
● ENTRYPOINT: Sets the binary to start by default. Otherwise it is "/bin/sh -c"
● CMD: Arguments passed to the entrypoint binary
#start with ubuntu
FROM ubuntu:latest
MAINTAINER Spenser Reinhardt
ENV DEBIAN_FRONTEND noninteractive
#copy and build
COPY ./install.sh ./install.sh
RUN chmod +x ./install.sh
RUN ./install.sh
#cleanup
RUN mv /install.log /opt/[project]/install.log && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /install.sh
#Post-build docker info
EXPOSE [ports]
WORKDIR /opt/[project]
ENTRYPOINT ["binary/to/start"]
CMD ["Arguments", "for", "binary"]
6. Github and Docker
● Automated linking of github and bitbucket repositories
● Builds from directory with Dockerfile only
● Automated builds on git push, or on command
● Automated linking and building of linked containers
9. Honeypots
● Emulation of operating systems, services, and applications.
● High Interaction – Full OS or applications; must be reverted to a snapshot or reinstalled after an attack.
● Low Interaction – Emulated OS or application; most spawn a separate process per attacker, save the results and clean up after the session, like most daemons.
● All interactions are suspicious activity
10. Honeynet Project
● Nepenthes – Low int, many applications and services
● Dionaea – Low int, successor to Nepenthes
● Glastopf – Web application honeypot
● Kippo – SSH emulation and capture
● Thug – Client web browser
● Conpot – ICS/SCADA emulation
● Honeybrid – Intelligent firewall, filtering and classification
● Bifrozt – SSH proxy and information collector
19. Nagios XI
● Monitors Docker containers and applications on host
● Event handlers restart, save and restart, or kill containers.
● Event handlers to disconnect and log abusive connections.
● Active view of all parts working in the system
● Notification management
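An added example (not the presenter's code) of the "restart, save and restart, or kill" event handlers this slide describes: one shell script that acts as a Nagios plugin for a honeypot container and as its event handler. It assumes the docker CLI is on PATH, that the handler receives Nagios' $SERVICESTATE$ and $SERVICESTATETYPE$ macros as arguments, and that container names like "kippo" are placeholders.

```shell
#!/bin/sh
# Added example: Nagios plugin + event handler for a Docker honeypot container.
# Assumes the docker CLI is on PATH; container names (e.g. "kippo") are placeholders.
OK=0; CRITICAL=2; UNKNOWN=3

# check_container NAME: print a Nagios status line, return the Nagios state code.
check_container() {
    name=$1
    running=$(docker inspect -f '{{.State.Running}}' "$name" 2>/dev/null) || {
        echo "UNKNOWN - container $name not found"
        return $UNKNOWN
    }
    if [ "$running" = "true" ]; then
        echo "OK - container $name is running"
        return $OK
    fi
    echo "CRITICAL - container $name is not running"
    return $CRITICAL
}

# handle_event NAME STATE STATETYPE [ACTION]
# STATE/STATETYPE come from Nagios' $SERVICESTATE$ and $SERVICESTATETYPE$ macros;
# ACTION is restart (default), save (snapshot evidence, then restart) or kill.
handle_event() {
    name=$1; state=$2; statetype=$3; action=${4:-restart}
    # Only react to a confirmed (HARD) CRITICAL, not to every SOFT flap.
    [ "$state" = "CRITICAL" ] && [ "$statetype" = "HARD" ] || return 0
    case $action in
        save)
            # Preserve the attacker's filesystem changes as an image before recovery.
            docker commit "$name" "evidence/$name:$(date +%Y%m%d%H%M%S)" >/dev/null || return 1
            docker restart "$name" >/dev/null ;;
        restart) docker restart "$name" >/dev/null ;;
        kill)    docker kill "$name" >/dev/null ;;
        *) echo "unknown action: $action" >&2; return 2 ;;
    esac
}

# Run as: script check NAME   |   script handle NAME STATE STATETYPE [ACTION]
case "${1:-}" in
    check)  shift; check_container "$@"; exit $? ;;
    handle) shift; handle_event "$@"; exit $? ;;
esac
```

In Nagios the check side is wired in as a service check command and the handle side as that service's event_handler, which receives the state macros on every state change.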
20. Nagios Network Analyzer
● Collect flow data from:
– Host external interface
– Honeybrid internal interface
● Trigger disconnection of abusive and oversized connections with filters
21. Nagios Log Server
● Collect and store all logs.
● Advanced parsing and filtering.
● Deep correlation between systems and events.
● Distributed storage and computation.
22. Glastopf
● Web application specific honeypot
● Hosts only ports:
– 80
– 443
● Full PHP emulated virtual environment
● Emulated sql backend
31. Conpot
● Industrial Control Systems (ICS) / Supervisory Control and Data Acquisition (SCADA)
● Defaults to building device control system
● Full Shellcode emulation
● Several services available by default
– 80(http), 161(snmp), 503(modbus)
32. Conclusion
● Docker has some really cool uses!
● Honeynet has some amazing projects!
● Combining these with a little Nagios magic makes for really interesting security!
● https://github.com/sreinhardt/Honeynet
● https://docker.com/sreinhardt/Honeynet