Docker – Container technology in Cloud

Docker is a container virtualization technology that offers the promise of a more efficient, lightweight approach to application deployment than most organizations are currently implementing. Docker uses the resource isolation features of the Linux kernel such as cgroups and kernel namespaces, and a union-capable filesystem such as aufs and others to allow independent “containers” to run within a single Linux instance, avoiding the overhead of starting and maintaining virtual machines.

Docker is a tool that is designed to benefit both developers and system administrators, making it a part of many DevOps (developers + operations) toolchains. For developers, it means that they can focus on writing code without worrying about the system that it will ultimately be running on. It also allows them to get a head start by using one of thousands of programs already designed to run in a Docker container as a part of their application. For operations staff, Docker gives flexibility and potentially reduces the number of systems needed because of its small footprint and lower overhead.

Docker Security

There are three major areas to consider when reviewing Docker security:

  • the intrinsic security of the kernel and its support for namespaces and cgroups;
  • the attack surface of the Docker daemon itself;
  • loopholes in the container configuration profile, either by default, or when customized by users.
    the “hardening” security features of the kernel and how they interact with containers.

One of the many security feature is provided by modern Linux kernels. It is also possible to leverage existing, well-known systems like TOMOYO, AppArmor, SELinux, GRSEC, etc. with Docker.

docker

docker container

Docker installation

You can review all other platform installation here

Docker installation on Centos

It should be need kernel version 3.10 at minimum.

You can install Docker engine using the yum package manager. Log into your machine as a user with sudo or root privileges.

Make sure your existing yum packages are up-to-date.

# yum update

Add the yum repo.

vi /etc/yum.repos.d/docker.repo
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/$releasever/
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
EOF

Install the Docker package.

# yum install docker

Start the Docker daemon.

#service docker start

Thats it. Check your docker container status.

#docker ps
 

secure ssh server attacks – DenyHosts

DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host. Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host. An email report can be sent to a system admin and you may be alarmed to see how many hackers attempted to gain access to your server.

Secure SSH server attacks using DenyHosts tool for Linux servers.

Features

– Parses /var/log/secure to find all login attempts and filters failed and successful attempts.

– Synchronization mode (new in 2.0) allows DenyHosts daemons the ability to share data via a centralized server to proactively thwart attacks.

– Can be run from the command line, cron or as a daemon (new in 0.9)

– Records all failed login attempts for the user and offending host

– For each host that exceeds a threshold count, records the evil host

– Keeps track of each non-existent user (eg. sdadasd) when a login attempt failed.

– Keeps track of each existing user (eg. root) when a login attempt failed.

– Keeps track of each offending host (with 0.8+ these hosts can be purged if the associated entry in /etc/hosts.deny is
expired)

– Keeps track of suspicious logins (that is, logins that were successful for a host that had many login failures)

– Keeps track of the file offset, so that you can reparse the same file (/var/log/secure) continuously (until it is rotated).

– When the log file is rotated, the script will detect it and parse from the beginning.

– Appends /etc/hosts.deny and adds the newly banned hosts

– Optionally sends an email of newly banned hosts and suspicious logins.

– Keeps a history of all user, host, user/host combo and suspicious logins encountered which includes the data and number of corresponding failed login attempts.

– Maintains failed valid and invalid user login attempts in separate files, such that it is easy to see which valid user is
under attack (which would give you the opportunity to remove the account, change the password or change it’s default shell to something like /sbin/nologin

– Upon each run, the script will load the previously saved data and re-use it to append new failures.

– Resolves IP addresses to hostnames, if available (new in v0.6.0).

– /etc/hosts.deny entries can be expired (purge) at a user specified time (new in 0.8)

 

secure ssh server attacks denyhosts

Secure SSH server attacks in centos

Install DenyHosts on RHEL 6.3/6.2/6.1/6/5.8, CentOS 6.3/6.2/6.1/6/5.8 and Fedora 17,16,15,14,13,12 systems using epel repository.

 

By default DenyHosts tool is not included in the Linux systems, we need to install it using third party EPEL repository.

 

## RHEL/CentOS 7 64-Bit ##

# wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
# rpm -ivh epel-release-7-5.noarch.rpm

## RHEL/CentOS 6 32-Bit ##

# wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

## RHEL/CentOS 6 64-Bit ##

# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm
# yum install denyhosts

Once the Denyhosts installed, make sure to whitelist your own IP address, so you will never get locked out. To do this, open a file /etc/hosts.allow.

# vi /etc/hosts.allow

sshd: <yourIp>
sshd: <yourIP>

Configuring Email Alerts

# vi /etc/denyhosts.conf

change ADMIN_EMAIL and SMTP_FROM details.

ADMIN_EMAIL = [email protected]

SMTP_FROM = DenyHosts <[email protected]>

SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]

# chkconfig denyhosts on
# service denyhosts start

To watch denyhosts ssh logs for how many attackers and hackers are attempted to gain access to your server.

# tail -f /var/log/secure

Add your IP Addresses Permanently in whitelist

# vi /var/lib/denyhosts/allowed-hosts

### We mustn't block localhost
127.0.0.1
110.18.15.11

You can view denied ipaddress in /etc/hosts.deny

[[email protected] ~]# cat /etc/hosts.deny

#
# hosts.deny This file contains access rules which are used to deny connections to network services that either use
# the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd.
## The rules in this file can also be set up in /etc/hosts.allow with a 'deny' option instead.
#
# DenyHosts: Thu Mar 5 03:26:50 2015 | sshd: 192.168.1.110
sshd: 192.168.1.110
# DenyHosts: Thu Mar 5 03:26:50 015 | sshd: 192.168.1.11
sshd: 192.168.1.11

In order to remove or delete banned IP address completely. You need to edit the following files and remove the IP address.

# vi /etc/hosts.deny
#  vi /var/lib/denyhosts/hosts
# vi /var/lib/denyhosts/hosts-restricted
# vi /var/lib/denyhosts/hosts-root
#  vi /var/lib/denyhosts/hosts-valid
# vi /var/lib/denyhosts/users-hosts

Once completed, restart denyhost service.

service denyhosts start

Thats all!!

 

DenyHosts v2.6 release contains a minor DoS security fix and some minor bug fixes. The DoS security issue affects all versions of DenyHosts prior to v2.6. All users are urged to upgrade to DenyHosts v2.6. Consult the Changelog for the gory details.

 

 

 

Trickle – Bandwidth controller in linux

trickle is a portable lightweight userspace bandwidth shaper. It can run in collaborative mode (together with trickled) or in stand alone mode.

Limit the bandwidth for your particular service.

trickle is a userspace bandwidth manager. Currently, trickle supports the shaping of any SOCK_STREAM (see socket(2)) connection established via the socket(2) interface. Furthermore, trickle will not work with statically linked executables, nor with setuid(2) executables. trickle is highly configurable; download and upload rates can be set separately, or in an aggregate fashion.

bandwidth controller

How to install trickle?

To install trickle bandwidth controller in linux Ubuntu, Debian and their derivatives:

# sudo apt-get install trickle
Update EPEL repository for CentOS/RHEL 6.*

# rpm -Uvh http://mirrors.kernel.org/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

To install trickle on Fedora or CentOS/RHEL

# yum install trickle

Once the installation completed you can verify the options.

 

The options are as follows:

-h Displays help.

-v Increases the verbosity level (can be specified multiple times).

-V Prints version.

-u rate Limit the upload bandwidth consumption to rate KB/s.

-d rate Limit the download bandwidth consumption to rate KB/s.

-w size Set peak detection window size to size KB. This determines how aggressive trickle is at eliminating bandwidth consump- tion peaks. Lower values will be more aggressive, but may also result in over shaping. The default value (512 KB) is usually sufficient.

-n path Use trickled(8) socket path to communicate with trickled(8).

By default, /tmp/.trickled.sock is used.

 

EXAMPLES

# trickle -u 10 -d 20 ncftp

Launch ncftp(1) limiting its upload capacity to 10 KB/s, and download ca-pacity at 20 KB/s.

Basic usage of trickle is as follows. Simply put, you prepend trickle (with rate) in front of the command you are trying to run.

# trickle -d <download-rate> -u <upload-rate> <command>

This will limit the download and upload rate of <command> to specified values (in KBytes/s).

For example, set the maximum upload bandwidth of your scp session to 100 KB/s:

# trickle -u 100 scp backup.tgz [email protected]_host.com:

If you want, you can set the maximum download speed (e.g., 300 KB/s) of your Firefox browser by creating a custom launcher with the following command.

# trickle -d 300 firefox %u

Finally, trickle can run in a daemon mode, where it can restrict the “aggregate” bandwidth usage of all running programs launched via trickle. To launch trickle as a daemon (i.e., trickled):

# sudo trickled -d 1000

Once the trickled daemon is running in the background, you can launch other programs via trickle. If you launch one program with trickle, its maximum download rate is 1000 KB/s. If you launch another program with trickle, each of them will be rate limited to 500 KB/s, etc.