User Controls
Data centers and related security.
-
2020-09-14 at 11:49 PM UTCI have been fortunate in that i have the opportunity to build some cool network infrastructure, however networking isn't my strongest suit and while i am reasonably good at security i almost exclusively play as the red team. So this should be interesting and potentially disastrous. The latter is of course the exact opposite of what i want to accomplish. I want to make it secure to the level of just a tad over what would be acceptable for the kind of set up i have to make.
I need data storage and backup, i need to facilitate web app deployment(Containerized and/or Virtualized) i need to have some sort of IDS and ideally IPS. I need to have some capability for automated incident response. And really a way to securely manage/maintain/operate this entire system in a relatively straightforward manner.
The good news is that i have two physical servers to work with, that doesn't seem like much at first glance but together they can hold a lot of data and have the resources between them to set up a virtualized data center quite effectively. I can do whatever i see fit as long as i accomplish the things i outlined in the above paragraphs.
Ideally i'd use Proxmox because it's an awesome piece of kit. But i have this vision in my head where one server is like the main security mechanism with some redundancies built in of course. The 'security' server, would have a set up that monitors(And more) the server that's hosting the web resources but also has some services running that look vulnerable, like SSH/VNC/ADB/DNS you name it, except these would be honeypots, and i might just include an isolated File Server purposefully vulnerable, where i will put MalDocs.
The software solution i had in mind for the honeypots is called HoneyTrap and you can read about it's features over at https://docs.honeytrap.io If you have any experience with this tool i'd love to hear about it.
In any case, i'm no network architect and if you happen to be i would love to hear from you. It might be interesting to note that i will also be hosting a Tor Relay node on the network just because. For that reason as well, i'd like the security to be tight.
So far i have decided to deploy the web apps as containers on what amounts to virtual instances of servers for the one box, and i think i'll use the second box as a hybrid, hosting the honeypots on one hand, while simultaneously monitoring, logging and launching automated incident response scripts when necessary. Every component will be specifically isolated with a container or through virtualization or through chroot et al and accounts i will set up that only have permissions set to execute the active counter measures.
In any case, like i said, if you have experience with this sort of thing i'd love to hear about it, that said, i'll conclude by saying thank you in advance. -
2020-09-15 at 12:13 AM UTCI downloaded ProxMox-VE just to mess around with, even if it turns out i won't use it for this particular project. It's pretty fucking awesome.
-
2020-09-15 at 12:18 AM UTC
-
2020-09-15 at 12:44 AM UTCThe following users say it would be alright if the author of this post didn't die in a fire!
-
2020-09-15 at 1:06 AM UTCnot sure I follow what you're trying to accomplish
are you meaning to offer shared hosting/vps services (or just simulate end users)?
so you want to set up one server as a VM controller and the other as security? -
2020-09-15 at 1:27 AM UTC
-
2020-09-15 at 2:47 AM UTC
Originally posted by aldra not sure I follow what you're trying to accomplish
are you meaning to offer shared hosting/vps services (or just simulate end users)?
so you want to set up one server as a VM controller and the other as security?
I want to deploy some web applications on a couple of homemade 'VPS' clusters. The VPS are hosted on a bigger physical server, i have another physical server, but i have enough storage capacity and resources on the web app cluster, that i want to devote my second physical server to things that will make my little data center more secure.
I am just wondering what the best way of doing that would be. My security server, which i'll just call the security orchestrator or orchestrator from now on, would ideally monitor all traffic that comes into the network, and goes out of it, make a regular backup of the mission critical stuff. And it would also read application logs sent by the web apps, and automatically start incident response like suspending the container or VM that has the web app where suspicious activity occurs, or just block all in and outgoing traffic from the associated vHost.
It would kind of be like a MitM sort of situation where traffic comes in, gets logged and then forwarded to the appropriate host. At the same time, the security orchestrator could run a number of honey pots, and serve as an IDS and IPS. The idea behind the honey pots is that they'll look like interesting targets, on the face of it. While what i am actually concerned about is the security of the vHosts with the web apps, if a honey pot detects activity that is out of the norm, the offending IP would either be blacklisted, or more satisfyingly think they'd hit some intel on a file server lets say, like a bucnh of PDF documents that seem significant but will only serve to deliver malware as a MalDoc to anyone that downloads said documents and opens them.
The orchestrator is an extra layer of security. It will be hardened and made as secure as possible, the only way to the vHost cluster is through the orchestrator.
That's the general gist of it. I am however open to suggestions. -
2020-09-15 at 2:55 AM UTChow powerful are the two servers? generally speaking a security server does not require all that much power so if your two servers are roughly equal I'd use them to simulate and test failover or something instead. It's not too hard to set up in something like VMware/VSphere.
In terms of network security I would want that set up on the gateway/router; I personally like pfsense and you can set that up on a literal $50 computer. I think there's a raspi build but you probably want a little more power than that if you're interested in packet inspection or anything relatively heavy-duty. Monowall/smoothwall/etc are even lighter.
In terms of internal security, IDS/anti-malware etc. I'd set it up as a VM; there's no real need to have that completely external to the VM clusterThe following users say it would be alright if the author of this post didn't die in a fire! -
2020-09-15 at 2:56 AM UTC
Originally posted by Sophie I want to deploy some web applications on a couple of homemade 'VPS' clusters. The VPS are hosted on a bigger physical server, i have another physical server, but i have enough storage capacity and resources on the web app cluster, that i want to devote my second physical server to things that will make my little data center more secure.
I am just wondering what the best way of doing that would be. My security server, which i'll just call the security orchestrator or orchestrator from now on, would ideally monitor all traffic that comes into the network, and goes out of it, make a regular backup of the mission critical stuff. And it would also read application logs sent by the web apps, and automatically start incident response like suspending the container or VM that has the web app where suspicious activity occurs, or just block all in and outgoing traffic from the associated vHost.
It would kind of be like a MitM sort of situation where traffic comes in, gets logged and then forwarded to the appropriate host. At the same time, the security orchestrator could run a number of honey pots, and serve as an IDS and IPS. The idea behind the honey pots is that they'll look like interesting targets, on the face of it. While what i am actually concerned about is the security of the vHosts with the web apps, if a honey pot detects activity that is out of the norm, the offending IP would either be blacklisted, or more satisfyingly think they'd hit some intel on a file server lets say, like a bucnh of PDF documents that seem significant but will only serve to deliver malware as a MalDoc to anyone that downloads said documents and opens them.
The orchestrator is an extra layer of security. It will be hardened and made as secure as possible, the only way to the vHost cluster is through the orchestrator.
That's the general gist of it. I am however open to suggestions.
-
2020-09-15 at 2:57 AM UTCthis is a tropical forum
I will steal your cat and rape you on the way out -
2020-09-15 at 2:58 AM UTC
-
2020-09-15 at 9:34 AM UTC
Originally posted by aldra how powerful are the two servers? generally speaking a security server does not require all that much power so if your two servers are roughly equal I'd use them to simulate and test failover or something instead. It's not too hard to set up in something like VMware/VSphere.
In terms of network security I would want that set up on the gateway/router; I personally like pfsense and you can set that up on a literal $50 computer. I think there's a raspi build but you probably want a little more power than that if you're interested in packet inspection or anything relatively heavy-duty. Monowall/smoothwall/etc are even lighter.
In terms of internal security, IDS/anti-malware etc. I'd set it up as a VM; there's no real need to have that completely external to the VM cluster
They're powerful enough and yeah normally you'd set something like that up on your router, but since hidden services will be involved(No CP just a project i wanted to include), i wrote a script that cycles through cracked APs every N interval of time. So i am working off the assumption that the routers are not secure at all. That's why i need a security server. These two boxes will be the only two that are hopping AP's. As not to jeopordize my other network assets. When i get more servers i plan on making a VM Lab with VMWare ESXi and vSphere and such.
VMWare is one of my favorite companies when it comes to VM stuff. But i'm using the latest Parrot 'Home Edition' as base OS for the servers. This is because in contrast to Parrot's peen testing distro, the 'regular' variety, is a heavily modified, secured and hardened version of Debian, it's designed to be secure out of the box, but it is highly customizable as well and with Snap deploying Ubuntu Core VMs which then in turn allow me to deploy containerized web apps within those VMs, i think i have a very good set up. The virtual appliances combined with Ubuntu Core 18 LTS and the special LXD variety give me near Enterprise capabilities.
Now ProxMox-VE would give me Enterprise level capabilities and if it's feasible, i might put ProxMox on my security server if i can integrate it with my set up as it stands but i don't know if that's realistic. If it is, it would be more of a hybrid solution somewhere between physical and virtual 'data center'. Where i was going with this though is that Proxmox and Parrot use QEMU-KVM integrated with a containered approach to deploying all manner of assets. Besides all of this is OSS. Which is great. -
2020-09-15 at 9:52 AM UTCyeah it looks good; the only enterprise-level ones I've worked with are VSPHERE and XEN
-
2020-09-15 at 4:21 PM UTC
Originally posted by aldra yeah it looks good; the only enterprise-level ones I've worked with are VSPHERE and XEN
Noice. Think any other niggas in T&T have experience relevant to my thread? I've started setting up the VMs and Containers for the web apps and configuring the things i need for the vHost cluster, but i'd love to hear about everyone's ideas regarding the security server/orchestrator. In relation to the specific objectives i am trying to achieve. -
2020-09-17 at 12:06 AM UTCnot on this site I don't think
Burroughs from totse2 was trying to set up something similar as a business (wanted to call it RapeSexRackMount) but I haven't seen/heard from him in a long time -
2020-09-17 at 12:44 AM UTCThe following users say it would be alright if the author of this post didn't die in a fire!
-
2020-09-17 at 12:46 AM UTC
Originally posted by Bueno I did set up a NGINX container with the OWASP Mod Core Security Rule Set to proxy traffic to a container hosting a webapp.
https://owasp.org/www-project-modsecurity-core-rule-set/
Basically a WAF, there is all sorts of paranoia settings, didnt get a chance to play with them, but they did seem very sensitive so those configuration might be a bitch to set.
From what I remember, sending a simple fishy input would lead the service to return a HTTP code forbidden by default.
This might be an interest for you too for IDS/IPS log analysis:
Aw yea, I did that too. -
2020-09-20 at 1:17 PM UTC
Originally posted by Bueno I did set up a NGINX container with the OWASP Mod Core Security Rule Set to proxy traffic to a container hosting a webapp.
https://owasp.org/www-project-modsecurity-core-rule-set/
Basically a WAF, there is all sorts of paranoia settings, didnt get a chance to play with them, but they did seem very sensitive so those configuration might be a bitch to set.
From what I remember, sending a simple fishy input would lead the service to return a HTTP code forbidden by default.
This might be an interest for you too for IDS/IPS log analysis:
Interesting, but my design is a little more grandiose as it involves multiple containers and VMs. I am using a Software Defined Networking solution to do the IDS/IPS, logging and backing up. -
2020-09-20 at 1:24 PM UTCNever realized this, but the blue team actually has a pretty difficult job, lmao.
-
2020-09-21 at 6:07 AM UTCWhat are you making, a darknet marketplace?
