oriolrius.cat

Des del 2000 compartiendo sobre…

Tag: network

Sniffing Network Traffic in Docker Containers: Leveraging Host’s tcpdump, tcpflow, and more

Reading time: 2 – 3 minutes

In a Dockerized environment, one often encounters the need to monitor network traffic. However, one might not always wish to install sniffing tools within the container itself. By diving into the network namespace of the container, one can employ the host’s network packages such as tcpdump, tcpflow, and others, to achieve this without augmenting the container’s environment.

Step 1: Dive into the Container’s Network Namespace

Fetch the SandboxKey, which denotes the container’s network namespace:

SANDBOX_KEY=$(docker inspect <CONTAINER_ID> --format '{{ .NetworkSettings.SandboxKey }}')

Enter the container’s network namespace:

sudo nsenter --net=$SANDBOX_KEY

Step 2: Sniff Network Traffic Using Host’s Tools

Having entered the namespace, you can now utilize the host’s packages.

Using tcpdump:

tcpdump -i <INTERFACE_NAME> -w <OUTPUT_FILE.pcap>

Replace <INTERFACE_NAME> as per requirement (typically eth0 for Docker containers). For tcpdump, <OUTPUT_FILE.pcap> is the desired capture file. For tcpflow, <OUTPUT_DIRECTORY> is where the captured streams will be saved.

Conclusion

By navigating into a Docker container’s network namespace, you can readily use the network tools installed on the host system. This strategy circumvents the need to pollute the container with additional packages, upholding the principle of container immutability.

Enhancing SSH Security with StealthSSHAccess

Reading time: 4 – 7 minutes

In today’s interconnected world, maintaining the security of your server infrastructure is paramount. One critical point of vulnerability is the SSH (Secure Shell) service, which allows remote administration of servers. Despite using a non-default port, many administrators still find their servers bombarded with brute-force and denial-of-service attacks. To address this challenge, I’ve developed a solution called StealthSSHAccess.

The Problem

Attackers often employ brute force attacks to gain unauthorized access to servers via SSH. Even if you’ve changed the default SSH port, determined attackers can still discover the new port and target it. These attacks can lead to service disruption, unauthorized data access, and potential breaches of sensitive information.

The Solution: StealthSSHAccess

StealthSSHAccess is an innovative approach to managing remote SSH access while mitigating the risks associated with brute-force attacks. Let’s delve into how it works and why it’s an effective solution:

Dynamic Access Control

StealthSSHAccess takes a dynamic and personalized approach to SSH access control. It operates as a smart gateway between potential attackers and your SSH service. Here’s a simplified breakdown of how it functions:

  1. Monitoring for Intent: Instead of directly exposing the SSH port, StealthSSHAccess monitors a non-SSH TCP port for connection attempts. Attackers, unaware of this, can’t target the SSH port directly.
  2. Capture and Response: When an attempt is made on the monitored port, StealthSSHAccess captures the IP address of the requester. This initial connection attempt fails, serving as a signal of intent to access SSH.
  3. Secure Access Window: Based on this signal, StealthSSHAccess temporarily opens the SSH port exclusively for the captured IP address. This allows for a secure connection from that specific source.
  4. Time-Bound Access: Access is granted for a predetermined duration. If SSH access isn’t established within this timeframe, the port is automatically closed for that specific IP. This tightens the window of exposure and bolsters security.
  5. Automatic Closure: If the port remains unused during the allowed time, StealthSSHAccess automatically revokes access and closes the port. A continuous monitoring mechanism controls this process.

Benefits and Features

1. Enhanced Security: By hiding the SSH port from attackers, StealthSSHAccess reduces the attack surface and minimizes exposure to potential threats.

2. Selective Accessibility: With StealthSSHAccess, you control who gains access by simply attempting a connection to a specific port. This provides an additional layer of security.

3. Minimal Configuration: Implementing StealthSSHAccess is easy thanks to its Docker-based deployment. This means you can integrate it seamlessly into your existing system.

4. Persistence Across Restarts: StealthSSHAccess ensures continuity by persisting IP timer information across service interruptions or restarts. This keeps the system aware of pending access requests.

Getting Started with StealthSSHAccess

To deploy StealthSSHAccess, follow these steps:

  1. Requirements: Ensure you have Docker and Docker Compose installed.
  2. Configuration: Set up environment variables using the provided .env file. Customize parameters like LOGLEVEL, IFACE, PORT_TO_MONITOR, and more to match your environment.
  3. Building and Running: Build the images using docker-compose build, and then launch the services with docker-compose up -d.
  4. Data Persistence: IP timer data is stored in the ./data directory, so make sure it’s writable by the Docker user.
  5. Security Note: Be aware that these services run with privileged access due to their interaction with the system’s network configuration. Understand the security implications before deployment.

Conclusion

In the ongoing battle against cybersecurity threats, StealthSSHAccess stands as a beacon of innovative protection for your servers. By intelligently managing SSH access and responding dynamically to legitimate requests, this solution offers heightened security without sacrificing convenience. Whether you’re an administrator or a security-conscious user, consider integrating StealthSSHAccess into your infrastructure to safeguard your servers from the persistent threats of the digital landscape.

To explore the project, access the source code, and learn more about its implementation, visit the StealthSSHAccess GitHub repository. Remember, security is a journey, and with StealthSSHAccess, you’re taking a proactive step toward a more resilient and secure server environment.

Network traffic sniffing: tcpdump on Linux + Wireshark on Windows

Reading time: 2 – 2 minutes

From the Windows box using the CLI console (cmd):

ssh USER@HOST "tcpdump -s 0 -U -n -w - -i NETIF FILTER" | "c:\Program Files\Wireshark\Wireshark.exe" -k -i -

# USER - remote user of the linux box
# HOST - host address of the remote linux box
# NETIF - network interface to snif in the remote linux box
# FILTER - (optional) rules for filtering traffic to capture

Use case:

C:\Windows\System32\OpenSSH>ssh root@192.168.4.74 "tcpdump -s 0 -U -n -w - -i eno2 udp and not port 53" | "c:\Program Files\Wireshark\Wireshark.exe" -k -i -

Let me present a rare use case of this useful trick. I use a QNAP NAS as a gateway in my home network, where I have 5 NICs. So it’s really useful to snif traffic remotly but I have no tcpdump packet in the system. What I did is use tcpdump as Docker container and finally the commands is like that.

# sniffing SIP traffic (port 5060) on interface eth0
# remote linux host (QNAP NAS) use SSH port 55222
# docker container is created and when work is done is removed
C:\Windows\System32\OpenSSH>ssh -p 55222 admin@10.2.0.1 "cd /share/Container/tcpdump && docker run --rm --net=host corfr/tcpdump -s 0 -U -n -w - -i eth0 not port 22 and port 5060" | "c:\Program Files\Wireshark\Wireshark.exe" -k -i -

Windows 10: Internal Virtual Switch with NAT

Reading time: 2 – 4 minutes

When you are playing with Windows Hyper-V and you want to create a completely virtual internal network with private virtual machines inside your Windows 10 machine virtual switch are mandatory.

Then it’s the time to connect that virtual switch with the host machine using a virtual network interface. All those steps can be done using Hyper-V manager user interface, but you cannot control 100% of parameters like enable, or not, the NAT of the virtual internal network.

Using PowerShell the steps are:

New-VMSwitch -SwitchName NATSwitch -SwitchType Internal
New-NetIPAddress -IPAddress 10.46.1.1 -PrefixLength 24 -InterfaceAlias "vEthernet (NATSwitch)"
New-NetNAT -Name NATNetwork -InternalIPInterfaceAddressPrefix 10.46.1.0/24

Of course, change “NATSwitch” for your switch name and “10.46.1.1” for the IP address of the host virtual network card. Finally “NATNetwork” is another arbitrary name for referring to the NAT rule, and “10.46.1.0/24” is the network address of the virtual internal host network.

Running the commands looks like:

For removing what you did:

Remove-VMSwitch -Name "NATSwitch"
Remove-NetIPAddress -InterfaceAlias "vEthernet (NATSwitch)"
Remove-NetNAT -Name NATNetwork

In Windows 10 IP forwarding is not enabled and packets between interfaces are not routed. According to the Microsoft forums, you can enable IP forwarding (routing) using the following steps:

Go to Start and search on cmd or command. Right click on either cmd or command then select Run as administrator. At the command prompt type regedit. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\Tcpip\Parameters\IPEnableRouter setting, right click and select Modify. Change 0 to 1 and exit the editor.

When your back at the command prompt type services.msc and navigate to the Routing and Remote Access service. Right click and select Properties. Change to Automatic and click on Start to start the service.

I had to research a long time until I found all this information, but in my case leverage my proofs of concepts to another level.

rp_filter Linux kernel feature

Reading time: 1 – 2 minutes

It’s just an IP spoofing protection which is by default enabled on Linux kernels. When it’s value is ‘1’ means that all IP address which are not directly routable and received form a network interface they are directly discarded.

So, if you want to scan a range of IP address in your LAN which not belong to that interface address space when packets from IP addresses are received they are going to be discarded by the kernel. So, take that into account when you have those “unusual” requirements.

It can be enable/disabled by all interfaces or just one:

root@mini9:/proc/sys/net/ipv4# cat ./conf/all/rp_filter
1
root@mini9:/proc/sys/net/ipv4# cat ./conf/ztly5q4n37/rp_filter
1

DRY DHCP Client: request and IP address to the DHCP server without a DHCP Client

Reading time: < 1 minute

When you want to discover LAN metadata without being part of that network. So, when you want to discover network address range, gateway, DNS IPs, DHCP server IPs, etc. this simple nmap parameter will help you so much.

# nmap --script broadcast-dhcp-discover

Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-19 15:07 CEST
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.1.127
|     DHCP Message Type: DHCPOFFER
|     Subnet Mask: 255.255.255.0
|     Renewal Time Value: 4d00h00m00s
|     Rebinding Time Value: 7d00h00m00s
|     IP Address Lease Time: 8d00h00m00s
|     Server Identifier: 192.168.1.1
|     Router: 192.168.1.1
|_    Domain Name Server: 8.8.8.8, 8.8.4.4
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.43 seconds

nethogs: Linux net top tool

Reading time: < 1 minute When a title says all that you have to say, the best is paste the link of the tool and just attach a screenshot: nethogs.

URL shortener service: https://url.joor.net (pygmy)

Reading time: 2 – 2 minutes

Lately, I started running my own URL shortener service because of Google URL shortener service is going to shut down. Below there is a short video showing how the service runs and also there is a Google Chrome extension which I created for integrating the service with the browser.

For quick access and reference the URLs are:

Final notes:

  • Base URL is not the shortest one, but for my personal requirements, it’s more than enough.
  • Service is in early stages, especially the extension. Expect errors, bugs, and unavailabilities.
  • Service is open and free for everyone. But remember, the main purpose is my personal use.
  • I know that pygmy has more features than I publish but I don’t need them and I don’t want to maintain those parts of the applications.
  • I appreciate the effort of Amit for so good application.

HTTPie – command line HTTP client

Reading time: 1 – 2 minutes

I imagine you are used to using curl for many command line scripts, tests, and much more things. I did the same but some weeks ago I discovered HTTPie which is the best substitute that I’ve ever found for curl. Of course, it’s also available for a lot of Linux distributions, Windows, and Mac. But I used it with docker which is much more transparent for the operative system and easy to update. To be more precise I use next alias trick for using this tool:

alias http='sudo docker run -it --rm --net=host clue/httpie'

Official website: httpie.org

Let me paste some highlights about HTTPie:

  • Sensible defaults
  • Expressive and intuitive command syntax
  • Colorized and formatted terminal output
  • Built-in JSON support
  • Persistent sessions
  • Forms and file uploads
  • HTTPS, proxies, and authentication support
  • Support for arbitrary request data and headers
  • Wget-like downloads
  • Extensions
  • Linux, macOS, and Windows support

From the tool webpage a nice comparison about how HTTPie looks like versus curl.

socat tip: create virtual serial port and link it to TCP

Reading time: < 1 minute Create a virtual serial port and publish it on TCP port:

socat pty,link=/dev/virtualcom0,rawer tcp-listen:2101

In another computer, for instance, another virtual port can be created and connected to the previous one:

socat pty,link=/dev/virtualcom0,rawer tcp:SERVER_IP:2101

If in any of those both sides we want to open a real serial port, for instance, in the server case we can run:

socat /dev/ttyS0,rawer tcp-listen:2101

More information on socat manpage.