move firewall rules into respective recipes

Dave Eargle 2019-10-30 21:53:17 -06:00
parent 12cb9914bd
commit 6a9693e97e
13 changed files with 67 additions and 23 deletions


@ -7,17 +7,4 @@ default[:metasploitable][:docker_users] = ['boba_fett',
'greedo', 'greedo',
'chewbacca',] 'chewbacca',]
default[:metasploitable][:files_path] = '/vagrant/chef/cookbooks/metasploitable/files/' default[:metasploitable][:files_path] = '/vagrant/chef/cookbooks/metasploitable/files/'
default[:metasploitable][:ports] = { :cups => 631,
:apache => 80,
:unrealircd => 6697,
:proftpd => 21,
:mysql => 3306,
:chatbot_ui => 80,
:chatbot_nodejs => 3000,
:readme_app => 3500,
:sinatra => 8181,
:samba => 445,
:ssh => 22
}


@ -4,6 +4,12 @@
# #
# Copyright:: 2017, Rapid7, All Rights Reserved. # Copyright:: 2017, Rapid7, All Rights Reserved.
include_recipe 'iptables::default'
iptables_rule '1_apache' do
lines "-A INPUT -p tcp --dport 80 -j ACCEPT"
end
package 'apache2' do package 'apache2' do
action :install action :install
end end


@ -8,6 +8,15 @@
include_recipe 'metasploitable::ruby23' include_recipe 'metasploitable::ruby23'
include_recipe 'metasploitable::nodejs' include_recipe 'metasploitable::nodejs'
include_recipe 'iptables::default'
iptables_rule '1_chatbot_ui' do
lines "-A INPUT -p tcp --dport 80 -j ACCEPT"
end
iptables_rule '1_chatbot_nodejs' do
lines "-A INPUT -p tcp --dport 3000 -j ACCEPT"
end
package 'unzip' package 'unzip'
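Review bot: `1_chatbot_ui` opens port 80, which `1_apache` in the apache recipe already opens in this same commit, so the two rules accept the same traffic twice. Duplicate ACCEPTs are harmless to iptables, but the rule name suggests a separate listener on 80, which makes the rule set harder to audit; this hunk does not show how the UI is actually served. If it is served through apache, prefer `include_recipe 'metasploitable::apache'` and drop `1_chatbot_ui`; if it really has its own listener, say so on the rule with `# chatbot UI has its own listener on 80, independent of apache`.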


@ -4,6 +4,8 @@
# #
# Copyright:: 2017, Rapid7, All Rights Reserved. # Copyright:: 2017, Rapid7, All Rights Reserved.
include_recipe 'iptables::default'
package 'cups' do package 'cups' do
action :install action :install
end end
@ -13,6 +15,10 @@ cookbook_file '/etc/cups/cupsd.conf' do
mode '0644' mode '0644'
end end
iptables_rule '1_cups' do
lines "-A INPUT -p tcp --dport 631 -j ACCEPT"
end
service 'cups' do service 'cups' do
action [:enable, :restart] action [:enable, :restart]
end end


@ -4,17 +4,17 @@
# #
# Copyright:: 2017, Rapid7, All Rights Reserved. # Copyright:: 2017, Rapid7, All Rights Reserved.
iptables_rule 'established' do include_recipe 'iptables::default'
lines '-I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
iptables_rule '00_established' do
lines '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
end end
node[:metasploitable][:ports].keys.each do |service| iptables_rule '01_ssh' do
iptables_rule service do lines "-A INPUT -p tcp --dport 22 -j ACCEPT"
lines "-I INPUT -p tcp --dport #{node[:metasploitable][:ports][service.to_sym]} -j ACCEPT"
end
end end
iptables_rule 'drop_all' do iptables_rule '999_drop_all' do
lines '-A INPUT -j DROP' lines '-A INPUT -j DROP'
end end
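Review bot: With every rule now written as `-A`, whether the firewall filters at all depends entirely on the lexical order of the rule names — `00_established` and `01_ssh` before the per-recipe `1_*` rules, and all of them before `999_drop_all` — yet nothing in this recipe states that contract. Any future rule whose name sorts after `999_drop_all` (a four-digit prefix, or an alphabetic name) is appended behind the unconditional DROP and can never match, and the failure is silent. I would put the contract next to the drop rule: `# Rules are applied in name order (00_ -> 01_ -> 1_* -> 999_); a rule named to sort after 999_drop_all lands behind the DROP and never matches.` Name-ordered concatenation is presumably how the `iptables` cookbook assembles the rule files, so confirm that against the cookbook version in use. Separately, there is still no `-A INPUT -i lo -j ACCEPT`, so a local client opening a new connection to a port no recipe lists is dropped; that predates this commit but is worth a line here.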


@ -22,7 +22,7 @@ execute 'remove_carriage_returns' do
command "sed -i -e 's/\r//g' /etc/default/knockd" command "sed -i -e 's/\r//g' /etc/default/knockd"
end end
iptables_rule 'knockd' do iptables_rule '1_knockd' do
lines "-I FORWARD 1 -p tcp -m tcp --dport #{node[:flags][:five_of_diamonds][:vuln_port]} -j DROP" lines "-I FORWARD 1 -p tcp -m tcp --dport #{node[:flags][:five_of_diamonds][:vuln_port]} -j DROP"
end end


@ -4,6 +4,12 @@
# #
# Copyright:: 2017, Rapid7, All Rights Reserved. # Copyright:: 2017, Rapid7, All Rights Reserved.
include_recipe 'iptables::default'
iptables_rule '1_mysql' do
lines "-A INPUT -p tcp --dport 3306 -j ACCEPT"
end
mysql_service 'default' do mysql_service 'default' do
initial_root_password "#{node[:mysql][:root_password]}" initial_root_password "#{node[:mysql][:root_password]}"
bind_address '0.0.0.0' bind_address '0.0.0.0'


@ -6,6 +6,12 @@
# Install steps taken from https://github.com/rapid7/metasploit-framework/pull/5224 # Install steps taken from https://github.com/rapid7/metasploit-framework/pull/5224
include_recipe 'iptables::default'
iptables_rule '1_proftpd' do
lines "-A INPUT -p tcp --dport 21 -j ACCEPT"
end
include_recipe 'metasploitable::apache' include_recipe 'metasploitable::apache'
proftpd_tar = 'proftpd-1.3.5.tar.gz' proftpd_tar = 'proftpd-1.3.5.tar.gz'
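Review bot: Opening only port 21 in `1_proftpd` covers the control channel; passive-mode data connections arrive on ephemeral ports and will be accepted by the firewall recipe's `ESTABLISHED,RELATED` rule only if the FTP conntrack helper is loaded, and nothing in this hunk loads it. Without it a login succeeds but directory listings and transfers in passive mode hang behind the final DROP, which is confusing to debug on a box that is meant to be attackable. Either load the helper (`nf_conntrack_ftp`, persisted so it survives a reboot) or configure a fixed `PassivePorts` range in proftpd.conf and add a matching rule. At minimum, note the limitation on the rule: `# control channel only; passive data ports rely on the ftp conntrack helper`.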


@ -8,6 +8,13 @@
include_recipe 'metasploitable::ruby23' include_recipe 'metasploitable::ruby23'
include_recipe 'metasploitable::nodejs' include_recipe 'metasploitable::nodejs'
include_recipe 'iptables::default'
recipe_port = 3500
iptables_rule '1_readme_app' do
lines "-A INPUT -p tcp --dport #{recipe_port} -j ACCEPT"
end
package 'git' package 'git'
@ -23,6 +30,7 @@ directory '/opt/readme_app' do
end end
template '/opt/readme_app/start.sh' do template '/opt/readme_app/start.sh' do
variables( readme_app_port: recipe_port )
source 'readme_app/start.sh.erb' source 'readme_app/start.sh.erb'
end end
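Review bot: `recipe_port = 3500` is a recipe-local literal, so unlike the removed `node[:metasploitable][:ports]` attribute it cannot be overridden from a role or environment, and it is the only recipe in this commit that names its port rather than inlining it. If per-app overrides matter, declare it as an attribute (for example `default[:metasploitable][:readme_app][:port] = 3500` in attributes/default.rb) and read that here; if not, a one-line comment justifies the local: `# single source for the port: the firewall rule and start.sh.erb must agree`. Passing it through `variables( readme_app_port: recipe_port )` does keep the rule and the template in sync either way.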


@ -5,6 +5,11 @@
# Copyright:: 2017, Rapid7, All Rights Reserved. # Copyright:: 2017, Rapid7, All Rights Reserved.
# #
# #
include_recipe 'iptables::default'
iptables_rule '1_samba' do
lines "-A INPUT -p tcp --dport 445 -j ACCEPT"
end
package 'samba' package 'samba'


@ -8,6 +8,11 @@
include_recipe 'metasploitable::sinatra' include_recipe 'metasploitable::sinatra'
include_recipe 'metasploitable::ruby23' include_recipe 'metasploitable::ruby23'
include_recipe 'iptables::default'
iptables_rule '1_sinatra' do
lines "-A INPUT -p tcp --dport 8181 -j ACCEPT"
end
server_path = node['ec2'] ? 'aws' : 'virtualbox' server_path = node['ec2'] ? 'aws' : 'virtualbox'


@ -7,6 +7,12 @@
# Downloaded from https://www.exploit-db.com/exploits/13853/ # Downloaded from https://www.exploit-db.com/exploits/13853/
# Install steps taken from https://wiki.swiftirc.net/wiki/Installing_and_Configuring_UnrealIRCd_on_Linux # Install steps taken from https://wiki.swiftirc.net/wiki/Installing_and_Configuring_UnrealIRCd_on_Linux
include_recipe 'iptables::default'
iptables_rule '1_unrealircd' do
lines "-A INPUT -p tcp --dport 6697 -j ACCEPT"
end
unreal_tar = 'Unreal3.2.8.1_backdoor.tar.gz' unreal_tar = 'Unreal3.2.8.1_backdoor.tar.gz'
remote_file "#{Chef::Config[:file_cache_path]}/#{unreal_tar}" do remote_file "#{Chef::Config[:file_cache_path]}/#{unreal_tar}" do


@ -2,4 +2,4 @@
cd /opt/readme_app cd /opt/readme_app
bundle install --path vendor/bundle bundle install --path vendor/bundle
bundle exec rails s -b 0.0.0.0 -p <%= node[:metasploitable][:ports][:readme_app] %> bundle exec rails s -b 0.0.0.0 -p <%= @readme_app_port %>