Collection for Cyber Security Related Dockers - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Saturday, June 27, 2020

Collection for Cyber Security Related Dockers

Using Docker to run Cyber Security Tools is becoming more and more popular. Here are some useful Cyber Security related dockers I found online. 
Some related posts:

HFish - Honeypot



Following default docker run command might have a confliction on some ports, such as , 22 and 9000. 

docker run -d --name hfish -e USERNAME=admin -e PASSWORD=P@ssword1234 --restart=always -p 21:21 -p 22:22 -p 23:23 -p 3306:3306 -p 6379:6379 -p 8080:8080 -p 8989:8989 -p 9000:9000 -p 9001:9001 -p 11211:11211 imdevops/hfish:latest

Please make sure there is no port conflict with your existing service before you use this. If there is a conflict on port, your docker will not be able to start. You will have to remove this docker first using following command;

[root@docker1 opc]# docker rm /hfish
/hfish


Default user name and password for http://<ip>:9001:admin
It can be changed by passing following two environment variabls: -e USERNAME= -e PASSWORD= 
If need to keep data on host, you can mount host folder to container by using -v $PWD:/opt .

You might need to change your host's ssh port from 22 to 2222. 

For Ubuntu:
[root@localhost ~]# ufw allow 2222/tcp



    For CentOS 7/8:

    Firewall change:
    firewall-cmd -h
    firewall-cmd --state
    firewall-cmd --list-all
    [root@localhost ~]# firewall-cmd --permanent --add-port=2222/tcp #add port 2222 into iptable firewall
    success
    [root@localhost ~]# firewall-cmd --reload #reload firewall
    success

    change sshd configuration file at “/etc/ssh/sshd_config“. In this example, we add a new port 2222 and keep 22 just in case.  22 will be deleted after confirmed 2222 is working.

    [root@localhost ~]# vi /etc/ssh/sshd_config
    
    #       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
    
    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.
    
    # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
    
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options override the
    # default value.
    
    # If you want to change the port on a SELinux system, you have to tell
    # SELinux about this change.
    # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
    #
    Port 22
    Port 2222

    Restart sshd service
    [root@localhost ~]# service sshd restart


    The default port labelled for SSH is 22.

    $ semanage port -l | grep ssh
    ssh_port_t                     tcp      22

    If you want to allow sshd to bind to network port configured, then you need to modify the port type to ssh_port_t.

    sudo semanage port -a -t ssh_port_t -p tcp 2222

    Confirm that the new port has been added to list of allowed ports for ssh.

    $ semanage port -l | grep ssh
    ssh_port_t                     tcp      2222, 22


    Check the port number has been enabled on 2222

    Verify Listen address for ssh. If netstat command is not found, you will need to install net-tools first. 

    $ netstat -tunl | grep 2222
    tcp        0      0 0.0.0.0:2222           0.0.0.0:*               LISTEN     
    tcp6       0      0 :::2222                :::*                    LISTEN  

    Notes: You might get an error when you copy/paste the command in to your VM to run this rocker. That usually causes by conflicted port which you try to open. Mostly it is caused by port 22. In that case, you can either change your VM's port 22 to something else, or you can change your docker command to map 22 to something different, such as 2222. Here is the command:

    docker run -d --name hfish -e USERNAME=admin -e PASSWORD=P@ssword1234 --restart=always -p 21:21 -p 22:22 -p 23:23 -p 3306:3306 -p 6379:6379 -p 8080:8080 -p 8989:8989 -p 8000:9000 -p 9001:9001 -p 11211:11211 imdevops/hfish:latest




    • 21为FTP端口
    • 22为SSH端口
    • 23为Telnet端口
    • 69为TFTP端口
    • 3306为Mysql端口
    • 5900为VNC端口
    • 6379为Redis端口
    • 8080为暗网端口
    • 8081为HTTP代理池端口
    • 8989为插件端口
    • 9000为Web端口 - mapped to 8000
    • 9001为系统管理后台端口
    • 9200为Elasticsearch端口
    • 11211为Memcache端口
    Other two ports might be used by other application
    • 80 - Nginx
    • 9000 - Portainer
    • 2222 - SSH port , changed from 22. 


    References:
    • Hfish a honeypot platform - https://hackingpassion.com/hfish-a-honeypot-platform/

    OWASP Amass

    https://github.com/OWASP/Amass
    The OWASP Amass is a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.



    1. Install Docker
    2. Pull the Docker image by running docker pull caffix/amass
    3. Run docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass --version
    v3.5.5
    The volume argument allows the Amass graph database to persist between executions and output files to be accessed on the host system. The first field (left of the colon) of the volume option is the amass output directory that is external to Docker, while the second field is the path, internal to Docker, where amass will write the output files.
    The wordlists maintained in the Amass git repository are available in /examples/wordlists/ within the docker container. For example, to use all.txt:
    docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -brute -w /wordlists/all.txt -d itpro.com

    $ docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -brute -w /wordlists/all.txt -d itpro.com
    Querying CommonCrawl for itprosec.com subdomains
    Querying Baidu for itprosec.com subdomains
    Querying CertSpotter for itprosec.com subdomains
    Querying Yahoo for itprosec.com subdomains
    Querying Sublist3rAPI for itprosec.com subdomains
    Querying Exalead for itprosec.com subdomains
    Querying Riddler for itprosec.com subdomains
    Querying Robtex for itprosec.com subdomains
    Querying SiteDossier for itprosec.com subdomains
    Querying ThreatCrowd for itprosec.com subdomains
    Querying Ask for itprosec.com subdomains
    Querying ViewDNS for itprosec.com subdomains
    Querying VirusTotal for itprosec.com subdomains
    Querying Dogpile for itprosec.com subdomains
    Querying Crtsh for itprosec.com subdomains
    Querying Google for itprosec.com subdomains
    Querying Mnemonic for itprosec.com subdomains
    Querying Spyse for itprosec.com subdomains
    Querying IPv4Info for itprosec.com subdomains
    Querying Censys for itprosec.com subdomains
    Querying Netcraft for itprosec.com subdomains
    Querying DNSDumpster for itprosec.com subdomains
    Querying BufferOver for itprosec.com subdomains
    Querying DNSTable for itprosec.com subdomains
    Querying PTRArchive for itprosec.com subdomains
    Querying AlienVault for itprosec.com subdomains
    Querying Pastebin for itprosec.com subdomains
    Querying Bing for itprosec.com subdomains
    Querying GoogleCT for itprosec.com subdomains
    Querying HackerTarget for itprosec.com subdomains
    Querying HackerOne for itprosec.com subdomains
    Querying URLScan for itprosec.com subdomains
    Querying Entrust for itprosec.com subdomains
    itpro.com
    www.itpro.com
    webmail.itpro.com
    Average DNS queries performed: 3034/sec, Average retries required: 7.51%
    Average DNS queries performed: 4331/sec, Average retries required: 6.14%
    Average DNS queries performed: 4148/sec, Average retries required: 7.43%
    Average DNS queries performed: 3828/sec, Average retries required: 7.89%
    phpmyadmin.itpro.com
    cpanel.itpro.com
    autoconfig.itpro.com
    Average DNS queries performed: 2183/sec, Average retries required: 11.36%
    
    OWASP Amass v3.5.5                                https://github.com/OWASP/Amass
    --------------------------------------------------------------------------------
    6 names discovered - dns: 1, cert: 1, brute: 4
    --------------------------------------------------------------------------------
    ASN: 13335 - CLOUDFLARENET - Cloudflare, Inc.
            104.18.48.0/20          4    Subdomain Name(s)
    ASN: 47583 - AS-HOSTINGER
            31.220.23.0/24          12   Subdomain Name(s)
    [node1] (local) [email protected] ~
    


    Kali



    $ docker pull kalilinux/kali-rolling  
    Using default tag: latest
    latest: Pulling from kalilinux/kali-rolling
    5b53b44b6629: Pull complete 
    Digest: sha256:b95728038fcbb823a3f32b4dede9f531f56f9e9724d0215d1a34799814efb3c3
    Status: Downloaded newer image for kalilinux/kali-rolling:latest
    docker.io/kalilinux/kali-rolling:latest
    [node1] (local) [email protected] ~
    $ docker run -t -i kalilinux/kali-rolling /bin/bash
    root@7da192e8bc56:/# 
    

    Docker Bench for Security

    The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. Once the script is run, you will notice a lot of information regarding configuration best practices for deploying Docker containers that can be used to further secure your Docker server and containers.

    [node1] (local) [email protected] ~
    $ docker run -it --net host --pid host --userns host --cap-add audit_control \
    >     -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    >     -v /etc:/etc \
    >     -v /var/lib:/var/lib:ro \
    >     -v /var/run/docker.sock:/var/run/docker.sock:ro \
    >     --label docker_bench_security \
    >     docker/docker-bench-security
    Unable to find image 'docker/docker-bench-security:latest' locally
    latest: Pulling from docker/docker-bench-security
    cd784148e348: Pull complete 
    48fe0d48816d: Pull complete 
    164e5e0f48c5: Pull complete 
    378ed37ea5ff: Pull complete 
    Digest: sha256:ddbdf4f86af4405da4a8a7b7cc62bb63bfeb75e85bf22d2ece70c204d7cfabb8
    Status: Downloaded newer image for docker/docker-bench-security:latest
    # ------------------------------------------------------------------------------
    # Docker Bench for Security v1.3.4
    #
    # Docker, Inc. (c) 2015-
    #
    # Checks for dozens of common best-practices around deploying Docker containers in production.
    # Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
    # ------------------------------------------------------------------------------
    
    Initializing Sat Apr 18 23:50:05 UTC 2020
    
    
    [INFO] 1 - Host Configuration
    [PASS] 1.1  - Ensure a separate partition for containers has been created
    [NOTE] 1.2  - Ensure the container host has been Hardened
    [INFO] 1.3  - Ensure Docker is up to date
    [INFO]      * Using 19.03.4, verify is it up to date as deemed necessary
    [INFO]      * Your operating system vendor may provide support and security maintenance for Docker
    [INFO] 1.4  - Ensure only trusted users are allowed to control Docker daemon
    [WARN] 1.5  - Ensure auditing is configured for the Docker daemon
    [WARN] 1.6  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
    [WARN] 1.7  - Ensure auditing is configured for Docker files and directories - /etc/docker
    [INFO] 1.8  - Ensure auditing is configured for Docker files and directories - docker.service
    [INFO]      * File not found
    [INFO] 1.9  - Ensure auditing is configured for Docker files and directories - docker.socket
    [INFO]      * File not found
    [INFO] 1.10  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
    [INFO]      * File not found
    [WARN] 1.11  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
    [INFO] 1.12  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
    [INFO]      * File not found
    [INFO] 1.13  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
    [INFO]      * File not found
    
    
    [INFO] 2 - Docker daemon configuration
    [WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
    [PASS] 2.2  - Ensure the logging level is set to 'info'
    [PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
    [WARN] 2.4  - Ensure insecure registries are not used
    [PASS] 2.5  - Ensure aufs storage driver is not used
    [INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
    [INFO]      * Docker daemon not listening on TCP
    [INFO] 2.7  - Ensure the default ulimit is configured appropriately
    [INFO]      * Default ulimit doesn't appear to be set
    [WARN] 2.8  - Enable user namespace support
    [PASS] 2.9  - Ensure the default cgroup usage has been confirmed
    [PASS] 2.10  - Ensure base device size is not changed until needed
    [WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
    [WARN] 2.12  - Ensure centralized and remote logging is configured
    [INFO] 2.13  - Ensure operations on legacy registry (v1) are Disabled (Deprecated)
    [WARN] 2.14  - Ensure live restore is Enabled
    [WARN] 2.15  - Ensure Userland Proxy is Disabled
    [PASS] 2.16  - Ensure daemon-wide custom seccomp profile is applied, if needed
    [WARN] 2.17  - Ensure experimental features are avoided in production
    [WARN] 2.18  - Ensure containers are restricted from acquiring new privileges
    
    
    [INFO] 3 - Docker daemon configuration files
    [INFO] 3.1  - Ensure that docker.service file ownership is set to root:root
    [INFO]      * File not found
    [INFO] 3.2  - Ensure that docker.service file permissions are set to 644 or more restrictive
    [INFO]      * File not found
    [INFO] 3.3  - Ensure that docker.socket file ownership is set to root:root
    [INFO]      * File not found
    [INFO] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
    [INFO]      * File not found
    [PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
    [PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
    [INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
    [INFO]      * Directory not found
    [INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
    [INFO]      * Directory not found
    [INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
    [INFO]      * No TLS CA certificate found
    [INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
    [INFO]      * No TLS CA certificate found
    [INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
    [INFO]      * No TLS Server certificate found
    [INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
    [INFO]      * No TLS Server certificate found
    [INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
    [INFO]      * No TLS Key found
    [INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
    [INFO]      * No TLS Key found
    [WARN] 3.15  - Ensure that Docker socket file ownership is set to root:docker
    [WARN]      * Wrong ownership for /var/run/docker.sock
    [PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
    [PASS] 3.17  - Ensure that daemon.json file ownership is set to root:root
    [WARN] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
    [WARN]      * Wrong permissions for /etc/docker/daemon.json
    [INFO] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
    [INFO]      * File not found
    [INFO] 3.20  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
    [INFO]      * File not found
    
    
    [INFO] 4 - Container Images and Build File
    [WARN] 4.1  - Ensure a user for the container has been created
    [WARN]      * Running as root: charming_brahmagupta
    [NOTE] 4.2  - Ensure that containers use trusted base images
    [NOTE] 4.3  - Ensure unnecessary packages are not installed in the container
    [NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
    [WARN] 4.5  - Ensure Content trust for Docker is Enabled
    [WARN] 4.6  - Ensure HEALTHCHECK instructions have been added to the container image
    [WARN]      * No Healthcheck found: [kalilinux/kali-rolling:latest]
    [WARN]      * No Healthcheck found: [docker/whalesay:latest]
    [WARN]      * No Healthcheck found: [vmwarecna/nginx:latest]
    [INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
    [INFO]      * Update instruction found: [docker/whalesay:latest]
    [INFO]      * Update instruction found: [vmwarecna/nginx:latest]
    [NOTE] 4.8  - Ensure setuid and setgid permissions are removed in the images
    [INFO] 4.9  - Ensure COPY is used instead of ADD in Dockerfile
    [INFO]      * ADD in image history: [kalilinux/kali-rolling:latest]
    [INFO]      * ADD in image history: [docker/docker-bench-security:latest]
    [INFO]      * ADD in image history: [docker/whalesay:latest]
    [INFO]      * ADD in image history: [vmwarecna/nginx:latest]
    [NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
    [NOTE] 4.11  - Ensure verified packages are only Installed
    
    
    [INFO] 5 - Container Runtime
    [PASS] 5.1  - Ensure AppArmor Profile is Enabled
    [WARN] 5.2  - Ensure SELinux security options are set, if applicable
    [WARN]      * No SecurityOptions Found: charming_brahmagupta
    [PASS] 5.3  - Ensure Linux Kernel Capabilities are restricted within containers
    [PASS] 5.4  - Ensure privileged containers are not used
    [PASS] 5.5  - Ensure sensitive host system directories are not mounted on containers
    [PASS] 5.6  - Ensure ssh is not run within containers
    [WARN] 5.7  - Ensure privileged ports are not mapped within containers
    [WARN]      * Privileged Port in use: 80 in charming_brahmagupta
    [NOTE] 5.8  - Ensure only needed ports are open on the container
    [PASS] 5.9  - Ensure the host's network namespace is not shared
    [WARN] 5.10  - Ensure memory usage for container is limited
    [WARN]      * Container running without memory restrictions: charming_brahmagupta
    [WARN] 5.11  - Ensure CPU priority is set appropriately on the container
    [WARN]      * Container running without CPU restrictions: charming_brahmagupta
    [WARN] 5.12  - Ensure the container's root filesystem is mounted as read only
    [WARN]      * Container running with root FS mounted R/W: charming_brahmagupta
    [WARN] 5.13  - Ensure incoming container traffic is binded to a specific host interface
    [WARN]      * Port being bound to wildcard IP: 0.0.0.0 in charming_brahmagupta
    [WARN] 5.14  - Ensure 'on-failure' container restart policy is set to '5'
    [WARN]      * MaximumRetryCount is not set to 5: charming_brahmagupta
    [PASS] 5.15  - Ensure the host's process namespace is not shared
    [PASS] 5.16  - Ensure the host's IPC namespace is not shared
    [PASS] 5.17  - Ensure host devices are not directly exposed to containers
    [INFO] 5.18  - Ensure the default ulimit is overwritten at runtime, only if needed
    [INFO]      * Container no default ulimit override: charming_brahmagupta
    [PASS] 5.19  - Ensure mount propagation mode is not set to shared
    [PASS] 5.20  - Ensure the host's UTS namespace is not shared
    [PASS] 5.21  - Ensure the default seccomp profile is not Disabled
    [NOTE] 5.22  - Ensure docker exec commands are not used with privileged option
    [NOTE] 5.23  - Ensure docker exec commands are not used with user option
    [PASS] 5.24  - Ensure cgroup usage is confirmed
    [WARN] 5.25  - Ensure the container is restricted from acquiring additional privileges
    [WARN]      * Privileges not restricted: charming_brahmagupta
    [WARN] 5.26  - Ensure container health is checked at runtime
    [WARN]      * Health check not set: charming_brahmagupta
    [INFO] 5.27  - Ensure docker commands always get the latest version of the image
    [WARN] 5.28  - Ensure PIDs cgroup limit is used
    [WARN]      * PIDs limit not set: charming_brahmagupta
    [INFO] 5.29  - Ensure Docker's default bridge docker0 is not used
    [INFO]      * Container in docker0 network: charming_brahmagupta
    [PASS] 5.30  - Ensure the host's user namespaces is not shared
    [PASS] 5.31  - Ensure the Docker socket is not mounted inside any containers
    
    
    [INFO] 6 - Docker Security Operations
    [INFO] 6.1  - Avoid image sprawl
    [INFO]      * There are currently: 4 images
    [INFO] 6.2  - Avoid container sprawl
    [INFO]      * There are currently a total of 3 containers, with 2 of them currently running
    
    
    [INFO] 7 - Docker Swarm Configuration
    [PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
    [PASS] 7.2  - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
    [PASS] 7.3  - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled)
    [PASS] 7.4  - Ensure data exchanged between containers are encrypted on different nodes on the overlay network
    [PASS] 7.5  - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled)
    [PASS] 7.6  - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled)
    [PASS] 7.7  - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
    [PASS] 7.8  - Ensure node certificates are rotated as appropriate (Swarm mode not enabled)
    [PASS] 7.9  - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled)
    [PASS] 7.10  - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)
    
    [INFO] Checks: 105
    [INFO] Score: 7
    


    Docker Content Trust

    Docker Content Trust is a new feature incorporated into Docker 1.8. It is disabled by default, but once enabled, it allows you to verify the integrity, authenticity, and publication date of all Docker images from the Docker Hub Registry.

    https://success.docker.com/article/introduction-to-docker-content-trust


    Pull Images with Docker Content Trust

    docker pull --disable-content-trust jpetazzo/clock
    
    docker -D pull --disable-content-trust hello-world
    docker -D pull hello-world
    
    • Temporarily disable content trust to successfully pull unsigned content:
    • Enable debug mode to compare the behavior of pulls where signed content is verified to pulls where no trust data is verified:
    • Enable Docker Content Trust:
      export DOCKER_CONTENT_TRUST=1
      
    • Try to pull unsigned content and observe error messages:
      docker pull jpetazzo/clock



    How to Use PAM to Protect Cloud Assets:



    KMS

    docker pull luodaoyi/kms-server
    docker run -d -p 1688:1688 --restart=always --name="kms" luodaoyi/kms-server


    Configure Windows System to Use KMS server
    slmgr /skms ip:1688
    If you are using default port 1688, slmgr /skms ip
    activate your machine
    slmgr /ato
    check activation status
    slmgr /xpr

    JumpServer

    note: https://jumpserver.readthedocs.io/zh/master/install/setup_by_fast/

    One command deployment JumpServer
    curl -sSL https://github.com/jumpserver/jumpserver/releases/download/2.0.1/quick_start.sh | sh
    

    Unfortunately, I could not get following docker deployment working based on its docker deployment guide:
    docker run --name jms_all -d \
      -p 80:80 -p 2222:2222 \
      -e SECRET_KEY=$SECRET_KEY \
      -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
      jumpserver/jms_all:latest
    
    Here is the dashboard interface deployed using One Command Deployment method.


    Please make sure you have two vCPU and 4G RAM, else you will get following installation error:
    
    [root@centos1docker ~]# curl -sSL https://github.com/jumpserver/jumpserver/releases/download/2.0.1/quick_start.sh | sh
    remote: Enumerating objects: 13, done.
    remote: Counting objects: 100% (13/13), done.
    remote: Compressing objects: 100% (1/1), done.
    remote: Total 7 (delta 6), reused 7 (delta 6), pack-reused 0
    Unpacking objects: 100% (7/7), done.
    From https://github.com/jumpserver/setuptools
       3d0ddba..b1bee35  master     -> origin/master
     * [new tag]         2.0.1      -> 2.0.1
    Updating 3d0ddba..b1bee35
    Fast-forward
     scripts/install_guacamole.sh |  4 ++++
     scripts/install_koko.sh      |  4 ++++
     scripts/install_nginx.sh     | 11 +++++++----
     scripts/upgrade.sh           | 21 +++++++++++++++++++--
     4 files changed, 34 insertions(+), 6 deletions(-)
    User   Check    ........................ [ OK ]
    OS     Check    ........................ [ OK ]
    CPU    Check    ........................ [ ERROR ] CPU 小于 2核,JumpServer 所在机器的 CPU 需要至少 2核
    Memory Check    ........................ [ ERROR ] 内存小于 4G,JumpServer 所在机器的内存需要至少 4G
    安装环境检测未通过,请查阅上述环境检测结果
    [root@centos1docker ~]#
    
    


    Following is a omitted installation output from a GCP VM (2vCPU and 8G RAM)
    [root@centos7-test-jms-all ~]# curl -sSL https://github.com/jumpserver/jumpserver/releases/download/2.0.1/quick_start.sh | sh
    Loaded plugins: fastestmirror
    Determining fastest mirrors
    epel/x86_64/metalink                                                                         |  18 kB  00:00:00     
     * base: repos.mia.quadranet.com
     * epel: mirror.team-cymru.com
     * extras: mirror.genesisadaptive.com
     * updates: mirror.oss.ou.edu
    base                                                                                         | 3.6 kB  00:00:00     
    epel                                                                                         | 4.7 kB  00:00:00     
    extras                                                                                       | 2.9 kB  00:00:00     
    google-cloud-sdk/signature                                                                   |  454 B  00:00:00     
    google-cloud-sdk/signature                                                                   | 1.4 kB  00:00:00 !!! 
    google-compute-engine/signature                                                              |  454 B  00:00:00     
    google-compute-engine/signature                                                              | 1.4 kB  00:00:00 !!! 
    updates                                                                                      | 2.9 kB  00:00:00     
    (1/9): epel/x86_64/group_gz     
    ..
    ..
    ..
    success
    success
    Created symlink from /etc/systemd/system/multi-user.target.wants/jms_core.service to /usr/lib/systemd/system/jms_core.service.
    >> Install Jms_koko
    Unable to find image 'jumpserver/jms_koko:2.0.1' locally
    2.0.1: Pulling from jumpserver/jms_koko
    524b0c1e57f8: Pull complete 
    25d8611c19e7: Pull complete 
    75998ad1dee0: Pull complete 
    a3b7de5dc37f: Pull complete 
    Digest: sha256:5aab0bb447693da023ae82c50e625d7e98008f4607ac73dabc70845e52f29e1d
    Status: Downloaded newer image for jumpserver/jms_koko:2.0.1
    3f022dfc670c1c2f07f90e39acef94e14e3e1f17d83797d72a587d7c88dd9208
    >> Install Jms_guacamole
    Unable to find image 'jumpserver/jms_guacamole:2.0.1' locally
    2.0.1: Pulling from jumpserver/jms_guacamole
    524b0c1e57f8: Already exists 
    2ebee6bcd03e: Pull complete 
    b9da86ade517: Pull complete 
    09c2231155fd: Pull complete 
    Digest: sha256:3589e1d06c5dc169bf1ce256a82ab111604fa1597049fc6ec6d89e03b61baded
    Status: Downloaded newer image for jumpserver/jms_guacamole:2.0.1
    6ec8537f6351099c61b65203cfeb309561b8fb526ceb17f003971717e38bc6bb
    MySQL  Check    ........................ [ OK ]
    Redis  Check    ........................ [ OK ]
    Ninx   Check    ........................ [ OK ]
    Py3    Check    ........................ [ OK ]
    Core   Check    ........................ [ OK ]
    Koko   Check    ........................ [ OK ]
    Guaca. Check    ........................ [ OK ]
     Jumpserver 安装成功!
    
     默认登陆信息: 
     http://10.128.0.20:80 
     username: admin 
     password: admin 
     [如果你是云服务器请在安全组放行 80 和 2222 端口] 
    [root@centos7-test-jms-all ~]# docker ps
    CONTAINER ID        IMAGE                            COMMAND             CREATED             STATUS              PORTS                                              NAMES
    6ec8537f6351        jumpserver/jms_guacamole:2.0.1   "./entrypoint.sh"   12 minutes ago      Up 12 minutes       127.0.0.1:8081->8080/tcp                           jms_guacamole
    3f022dfc670c        jumpserver/jms_koko:2.0.1        "./entrypoint.sh"   13 minutes ago      Up 12 minutes       0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp   jms_koko
    [root@centos7-test-jms-all ~]#
    


    Webterminal bastion server

    Project address: https://jimmy201602.github.io/webterminal/

    Webterminal implemented by django. This project focus on DevOps and Continuous Delivery. For now it support almost 90% remote management protocol such as vnc, ssh,rdp,telnet,sftp… It support a possiblity to monitor and recorded user action when user use this project to manage their server!You can also replay the user action such as like a video. Hope you enjoy it.

    Run with docker

    docker pull webterminal/webterminal
    docker run -itd -p 80:80 -p 2100:2100 webterminal/webterminal
    Login user & password
    username: admin
    password: password!23456






    References



    No comments:

    Post a Comment