AaronGorbaty / HoneyPotProject

This container honeypot study will examine attacker trends related to which ports are available on a system.

Reformed Recycling Script #18

Closed AaronGorbaty closed 1 year ago

AaronGorbaty commented 1 year ago

Description

The recycling script will work alongside the monitoring script, but it will additionally be used to set up our honeypot environment.

To Dos

Acceptance Criteria

dmirani commented 1 year ago

sudo forever -l /home/student/personalLogs/"personalContainer$date.log" -a start /home/student/MITM/mitm.js -n $2 -i $personalContainerIP -p 6901 --auto-access --auto-access-fixed 1 --debug --mitm-ip $hostIP

Patiience commented 1 year ago

Updated Skeleton:

#!/bin/bash

if [ $# -ne 4 ]; then
  echo "usage: $0 <container_name> <external_IP_address> <mitm_port> <open_port>"
  exit 1
fi

# Note: For assigning a new configuration for the IP, we will pass in a random string for the CONTAINER_NAME argument
CONTAINER_NAME=$1
EXTERNAL_IP=$2
MITM_PORT=$3
OPEN_PORT=$4
DIRECTORY_NAME=""
PROTOCOL="tcp"          # every honeypot service below (SSH, HTTP, HTTPS, SMTP) is TCP
LOCALHOST="127.0.0.1"   # the MITM listens on the host's loopback address
# HOST_IP is taken from the environment: the host address the MITM uses to reach the container
: "${HOST_IP:?set HOST_IP to the host address reachable from the container}"

if [ -z "$(sudo lxc-ls "$CONTAINER_NAME")" ]; then # If container does not exist...

  # Generate one random hex digit (0-f) using OpenSSL
  random_hex=$(openssl rand -hex 1 | colrm 2)

  # Randomly assign a configuration to the IP address:
  # depending on the hex digit generated by openssl we spin up the associated honeypot configuration
  case $random_hex in
    [0-3]) CONTAINER_NAME="control_honeypot"; OPEN_PORT=22  ;;
    [4-7]) CONTAINER_NAME="HTTP_honeypot";    OPEN_PORT=80  ;;
    [89ab]) CONTAINER_NAME="HTTPS_honeypot";  OPEN_PORT=443 ;;
    [c-f]) CONTAINER_NAME="SMTP_honeypot";    OPEN_PORT=25  ;;
  esac
  DIRECTORY_NAME="$CONTAINER_NAME"

  # Create and start the container (the same base image is used for every configuration)
  sudo lxc-create -n "$CONTAINER_NAME" -t download -- -d ubuntu -r focal -a amd64
  sudo lxc-start -n "$CONTAINER_NAME"
  sleep 5
  sudo lxc-attach -n "$CONTAINER_NAME" -- apt-get update

  # Install the service for the chosen configuration inside the container
  # Note: the control honeypot only needs the SSH server, which is installed below for every configuration
  case $CONTAINER_NAME in
    HTTP_honeypot)
      sudo lxc-attach -n "$CONTAINER_NAME" -- apt-get install -y apache2
      sudo lxc-attach -n "$CONTAINER_NAME" -- ufw allow 'Apache' ;;
    HTTPS_honeypot)
      sudo lxc-attach -n "$CONTAINER_NAME" -- apt-get install -y apache2
      sudo lxc-attach -n "$CONTAINER_NAME" -- ufw allow 'Apache Secure' ;;
    SMTP_honeypot)
      # postfix is installed inside the container, non-interactively so its config prompts do not block the script
      sudo lxc-attach -n "$CONTAINER_NAME" -- env DEBIAN_FRONTEND=noninteractive apt-get install -y postfix
      sudo lxc-attach -n "$CONTAINER_NAME" -- ufw allow 25 ;;
  esac

  # Install openssh and permit root login
  sudo lxc-attach -n "$CONTAINER_NAME" -- bash -c "apt-get install -y openssh-server
    sed -i 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
    systemctl restart ssh"

  # Assign container to external IP address
  sudo sysctl -w net.ipv4.conf.all.route_localnet=1
  CONTAINER_IP=$(sudo lxc-info -n "$CONTAINER_NAME" -iH)
  sudo ip addr add "$EXTERNAL_IP/16" brd + dev eth1
  sudo iptables --table nat --insert PREROUTING --source 0.0.0.0/0 --destination "$EXTERNAL_IP" --jump DNAT --to-destination "$CONTAINER_IP"
  sudo iptables --table nat --insert POSTROUTING --source "$CONTAINER_IP" --destination 0.0.0.0/0 --jump SNAT --to-source "$EXTERNAL_IP"

  # Create firewall rules for the open port
  # FORWARD sees packets after DNAT, so inbound traffic is matched on the container IP; replies from the service carry the open port as their source port
  sudo iptables --insert FORWARD --source "$CONTAINER_IP" --destination 0.0.0.0/0 --protocol "$PROTOCOL" --sport "$OPEN_PORT" --jump ACCEPT
  sudo iptables --insert FORWARD --source 0.0.0.0/0 --destination "$CONTAINER_IP" --protocol "$PROTOCOL" --dport "$OPEN_PORT" --jump ACCEPT

  # Port forwarding ssh traffic to MITM
  # Inserted after the catch-all DNAT above, so it sits in front of it and is matched first
  sudo iptables --table nat --insert PREROUTING --source 0.0.0.0/0 --destination "$EXTERNAL_IP" --protocol tcp --dport 22 --jump DNAT --to-destination "$LOCALHOST:$MITM_PORT"

  # Start MITM server with forever, listening on the given port
  # The log name contains no spaces, so it can be passed to forever and the detection script as one argument
  mkdir -p ~/"$DIRECTORY_NAME"
  LOG_FILE="$CONTAINER_NAME-$(date +%Y-%m-%d_%H-%M-%S).log"
  sudo forever -l ~/"$DIRECTORY_NAME/$LOG_FILE" -a start --uid "mitm_id_$CONTAINER_NAME" ~/MITM/mitm.js -n "$CONTAINER_NAME" -i "$CONTAINER_IP" -p "$MITM_PORT" --auto-access --auto-access-fixed 1 --debug --mitm-ip "$HOST_IP"

  # Call attacker detection script with the necessary arguments
  ./attacker_detection.sh ~/"$DIRECTORY_NAME/$LOG_FILE" "$CONTAINER_NAME" "$EXTERNAL_IP" "$MITM_PORT" "$OPEN_PORT"

else
  # If container already exists delete container and iptables rules
  CONTAINER_IP=$(sudo lxc-info -n "$CONTAINER_NAME" -iH)
  sudo iptables --table nat --delete PREROUTING --source 0.0.0.0/0 --destination "$EXTERNAL_IP" --protocol tcp --dport 22 --jump DNAT --to-destination "$LOCALHOST:$MITM_PORT"
  sudo iptables --table nat --delete PREROUTING --source 0.0.0.0/0 --destination "$EXTERNAL_IP" --jump DNAT --to-destination "$CONTAINER_IP"
  sudo iptables --table nat --delete POSTROUTING --source "$CONTAINER_IP" --destination 0.0.0.0/0 --jump SNAT --to-source "$EXTERNAL_IP"

  # Delete the firewall rules for the container (the specs must match the inserted rules exactly)
  sudo iptables --delete FORWARD --source "$CONTAINER_IP" --destination 0.0.0.0/0 --protocol "$PROTOCOL" --sport "$OPEN_PORT" --jump ACCEPT
  sudo iptables --delete FORWARD --source 0.0.0.0/0 --destination "$CONTAINER_IP" --protocol "$PROTOCOL" --dport "$OPEN_PORT" --jump ACCEPT

  # Stop the MITM instance for the container
  sudo forever stop "mitm_id_$CONTAINER_NAME"

  # Stop the container if it is still running (it should be), then destroy it
  if [ -n "$(sudo lxc-ls --running -1 | grep -x "$CONTAINER_NAME")" ]; then
    sudo lxc-stop -n "$CONTAINER_NAME"
  fi
  sudo lxc-destroy -n "$CONTAINER_NAME"

  # Call the recycling script again for the same IP
  # The dummy name forces the create branch, which picks a fresh configuration and open port
  "$0" "yay" "$EXTERNAL_IP" "$MITM_PORT" 666

fi

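
An added check that is not part of this thread or the project's code: the skeleton relies on the port-22 DNAT to the MITM being inserted in front of the catch-all DNAT to the container, otherwise SSH goes straight to the container and the MITM never sees the session. This POSIX shell function verifies that ordering, plus the presence of the SNAT, on rule text in `iptables-save` format; the two samples below are constructed, with made-up addresses and port.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output in the shape the recycler's
# rules produce: MITM rule first, catch-all DNAT second, SNAT for the container.
SAMPLE_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 127.0.0.1:5001
-A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.3.45
-A POSTROUTING -s 10.0.3.45/32 -j SNAT --to-source 203.0.113.10
COMMIT'

# Same rules with the port-22 rule appended instead of inserted: the catch-all
# DNAT now wins for every port, so SSH bypasses the MITM.
SAMPLE_BAD='*nat
-A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.3.45
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 127.0.0.1:5001
-A POSTROUTING -s 10.0.3.45/32 -j SNAT --to-source 203.0.113.10
COMMIT'

# check_nat_rules RULES EXTERNAL_IP CONTAINER_IP MITM_PORT
# Returns 0 when the MITM port-22 DNAT precedes the catch-all DNAT in PREROUTING
# and exactly one SNAT for the container exists; returns 1 otherwise.
check_nat_rules() {
  rules=$1; ext=$2; cip=$3; mport=$4
  # Positions (line numbers) of the two PREROUTING rules inside the rule text
  mitm_line=$(printf '%s\n' "$rules" | grep -n -e "-A PREROUTING -d $ext/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 127.0.0.1:$mport" | cut -d: -f1 | head -n1)
  all_line=$(printf '%s\n' "$rules" | grep -n -e "-A PREROUTING -d $ext/32 -j DNAT --to-destination $cip\$" | cut -d: -f1 | head -n1)
  snat_count=$(printf '%s\n' "$rules" | grep -c -e "-A POSTROUTING -s $cip/32 -j SNAT --to-source $ext\$")
  [ -n "$mitm_line" ] && [ -n "$all_line" ] || return 1
  [ "$snat_count" -eq 1 ] || return 1
  [ "$mitm_line" -lt "$all_line" ]
}

check_nat_rules "$SAMPLE_GOOD" 203.0.113.10 10.0.3.45 5001 && echo "good sample: MITM rule precedes the catch-all DNAT"
check_nat_rules "$SAMPLE_BAD" 203.0.113.10 10.0.3.45 5001 || echo "bad sample: SSH would bypass the MITM"
```

On a live host the same function can be fed `sudo iptables-save -t nat` output together with the values the recycler computed for the container.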
Patiience commented 1 year ago

For the above code: