chore: auto-commit 2026-03-18 14:12

This commit is contained in:
cclohmar 2026-03-18 14:12:30 +00:00
parent f22d1e5c03
commit 33ebc1b8b6


@ -1,11 +1,9 @@
#!/bin/bash #!/bin/bash
# ============================================================================== # ==============================================================================
# Sechpoint Wallarm Smart Deployer - Manual Binary Edition (PoC Optimized) # SECHPOINT WALLARM SMART DEPLOYER - V6 (FULL BINARY INSTALL + PORT SELECTION)
# ============================================================================== # ==============================================================================
# --- Styling --- YELLOW='\033[1;33m'; GREEN='\033[0;32m'; RED='\033[0;31m'; BLUE='\033[0;34m'; NC='\033[0m'; BOLD='\033[1m'
YELLOW='\033[1;33m'; GREEN='\033[0;32m'; RED='\033[0;31m'; BLUE='\033[0;34m'; NC='\033[0m'
LOG_FILE="/var/log/wallarm-deploy.log" LOG_FILE="/var/log/wallarm-deploy.log"
EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com") EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com")
US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com") US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com")
@ -15,70 +13,70 @@ sudo touch "$LOG_FILE" && sudo chmod 644 "$LOG_FILE"
exec > >(tee -a "$LOG_FILE") 2>&1 exec > >(tee -a "$LOG_FILE") 2>&1
clear clear
echo -e "${BLUE}====================================================${NC}" echo -e "${BLUE}${BOLD}==========================================================${NC}"
echo -e "${BLUE} Wallarm Manual Binary Container Deployer ${NC}" echo -e "${BLUE}${BOLD} Wallarm Full Binary & Container Deployer V6 ${NC}"
echo -e "${BLUE}====================================================${NC}" echo -e "${BLUE}${BOLD}==========================================================${NC}"
# --- 1. PRE-FLIGHT & CONNECTIVITY --- # --- 1. PRE-FLIGHT & CONNECTIVITY ---
check_connectivity() { check_connectivity() {
echo -e "\n${YELLOW}[1/5] Testing Cloud & Registry Connectivity...${NC}" echo -e "\n${YELLOW}[1/5] Testing Cloud & Registry Connectivity...${NC}"
# 1. Cloud Selection
read -p " Wallarm Cloud (US/EU) [US]: " CLOUD_SEL read -p " Wallarm Cloud (US/EU) [US]: " CLOUD_SEL
CLOUD_SEL=${CLOUD_SEL^^} CLOUD_SEL=${CLOUD_SEL^^}; CLOUD_SEL=${CLOUD_SEL:-US}
CLOUD_SEL=${CLOUD_SEL:-US}
local nodes_to_test=("${US_DATA_NODES[@]}") local nodes_to_test=("${US_DATA_NODES[@]}")
[[ "$CLOUD_SEL" == "EU" ]] && nodes_to_test=("${EU_DATA_NODES[@]}") [[ "$CLOUD_SEL" == "EU" ]] && nodes_to_test=("${EU_DATA_NODES[@]}")
# 2. Test Wallarm API Endpoints
echo " Testing $CLOUD_SEL Cloud Endpoints..." echo " Testing $CLOUD_SEL Cloud Endpoints..."
for node in "${nodes_to_test[@]}"; do for node in "${nodes_to_test[@]}"; do
if curl -skI --connect-timeout 5 "https://$node" > /dev/null 2>&1; then if curl -skI --connect-timeout 5 "https://$node" > /dev/null 2>&1; then
echo -e " ${GREEN}[PASS]${NC} Reached $node" echo -e " ${GREEN}[PASS]${NC} Reached $node"
else else
echo -e " ${RED}[FAIL]${NC} Cannot reach $node (Check Firewall/Proxy)" echo -e " ${RED}[FAIL]${NC} Cannot reach $node"
fi fi
done done
API_HOST=$([[ "$CLOUD_SEL" == "EU" ]] && echo "api.wallarm.com" || echo "us1.api.wallarm.com") API_HOST=$([[ "$CLOUD_SEL" == "EU" ]] && echo "api.wallarm.com" || echo "us1.api.wallarm.com")
# 3. Improved Docker Registry Check (Accepting 401 as 'Reachable')
echo -n " Testing Docker Hub Registry Path... " echo -n " Testing Docker Hub Registry Path... "
# Capture the HTTP Status code specifically
REGISTRY_STATUS=$(curl -skI --connect-timeout 5 -o /dev/null -w "%{http_code}" "https://registry-1.docker.io/v2/") REGISTRY_STATUS=$(curl -skI --connect-timeout 5 -o /dev/null -w "%{http_code}" "https://registry-1.docker.io/v2/")
# 401 (Unauthorized) is the expected response from Docker Hub V2 API for unauthenticated probes
if [[ "$REGISTRY_STATUS" == "200" || "$REGISTRY_STATUS" == "401" ]]; then if [[ "$REGISTRY_STATUS" == "200" || "$REGISTRY_STATUS" == "401" ]]; then
REGISTRY_REACHABLE=true REGISTRY_REACHABLE=true
echo -e "${GREEN}REACHABLE${NC} (Status: $REGISTRY_STATUS)" echo -e "${GREEN}REACHABLE${NC} ($REGISTRY_STATUS)"
else else
REGISTRY_REACHABLE=false REGISTRY_REACHABLE=false
echo -e "${RED}BLOCKED/OFFLINE${NC} (Status: $REGISTRY_STATUS)" echo -e "${RED}OFFLINE${NC} ($REGISTRY_STATUS)"
echo -e " ${YELLOW}i${NC} Falling back to local image check..."
if ! ls *.tar >/dev/null 2>&1; then if ! ls *.tar >/dev/null 2>&1; then
echo -e " ${RED}✗ FATAL: Registry unreachable and no local .tar image found.${NC}" echo -e " ${RED}✗ FATAL: No registry and no local .tar found.${NC}"; exit 1
exit 1
fi fi
fi fi
} }
# --- 2. ENGINE SETUP (Manual Binary Logic) --- # --- 2. ENGINE SETUP (Manual Binary Download & Install) ---
setup_manual_engine() { setup_manual_engine() {
echo -e "\n${YELLOW}[2/5] Hardening Manual Docker Engine...${NC}" echo -e "\n${YELLOW}[2/5] Setting up Docker Engine (Manual Binaries)...${NC}"
if sudo docker info > /dev/null 2>&1; then if command -v docker > /dev/null 2>&1 && sudo docker info > /dev/null 2>&1; then
echo -e " ${GREEN}[INFO]${NC} Docker is already active." echo -e " ${GREEN}${NC} Docker is already installed and running."
else else
if [ ! -f "/usr/bin/dockerd" ]; then echo " Docker not found. Proceeding with static binary installation..."
echo -e " ${RED}[FATAL]${NC} Manual binaries not found in /usr/bin/. Move them first."; exit 1
fi # Determine Architecture
ARCH=$(uname -m)
echo " Configuring systemd service for manual binaries..." BINARY_URL="https://download.docker.com/linux/static/stable/$ARCH/docker-24.0.7.tgz"
echo " Downloading Docker Binaries ($ARCH)..."
curl -L "$BINARY_URL" -o docker-static.tgz || { echo -e "${RED}Download failed.${NC}"; exit 1; }
echo " Extracting and moving binaries to /usr/bin/..."
tar xzvf docker-static.tgz > /dev/null
sudo cp docker/* /usr/bin/
rm -rf docker docker-static.tgz
echo " Creating systemd service..."
sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
[Unit] [Unit]
Description=Docker Engine Description=Docker Engine
@ -93,37 +91,43 @@ WantedBy=multi-user.target
EOF EOF
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl enable --now docker sudo systemctl enable --now docker
echo -e " ${GREEN}[PASS]${NC} Docker service initialized."
# Wait for daemon to wake up
sleep 5
sudo docker info > /dev/null 2>&1 || { echo -e "${RED}Engine failed to start.${NC}"; exit 1; }
echo -e " ${GREEN}${NC} Docker Engine manually installed and started."
fi fi
} }
# --- 3. INPUT & WORKSPACE --- # --- 3. INPUT & WORKSPACE ---
get_user_input() { get_user_input() {
echo -e "\n${YELLOW}[3/5] Configuration & Workspace Setup...${NC}" echo -e "\n${YELLOW}[3/5] Configuration Setup...${NC}"
read -p " Enter Instance Number (e.g., 1, 2): " NUM read -p " Enter Inbound Traffic Port [80]: " IN_PORT
INSTANCE_DIR="/opt/wallarm/$NUM" IN_PORT=${IN_PORT:-80}
TRAFFIC_PORT=$((8000 + NUM)) MON_PORT=$((IN_PORT + 10))
MONITOR_PORT=$((9000 + NUM)) echo -e " ${YELLOW}i${NC} Monitoring port set to: ${BOLD}$MON_PORT${NC}"
NODE_NAME="wallarm-node-$NUM"
INSTANCE_DIR="/opt/wallarm/poc_$IN_PORT"
NODE_NAME="wallarm-node-$IN_PORT"
read -p " Upstream App IP [127.0.0.1]: " UPSTREAM_IP read -p " Upstream App IP [127.0.0.1]: " UPSTREAM_IP
UPSTREAM_IP=${UPSTREAM_IP:-127.0.0.1} UPSTREAM_IP=${UPSTREAM_IP:-127.0.0.1}
read -p " Upstream App Port [80]: " UPSTREAM_PORT read -p " Upstream App Port [8080]: " UPSTREAM_PORT
UPSTREAM_PORT=${UPSTREAM_PORT:-80} UPSTREAM_PORT=${UPSTREAM_PORT:-8080}
read -p " Paste Wallarm Token: " TOKEN read -p " Paste Wallarm Token: " TOKEN
# Pre-check internal app reachability # Port Collision Check
if ! timeout 2 bash -c "cat < /dev/null > /dev/tcp/$UPSTREAM_IP/$UPSTREAM_PORT" 2>/dev/null; then if sudo netstat -tulpn | grep -E ":$IN_PORT |:$MON_PORT " > /dev/null 2>&1; then
echo -e " ${RED}[WARN]${NC} VM cannot reach App at $UPSTREAM_IP:$UPSTREAM_PORT. Check networking." echo -e " ${RED}✗ FATAL: Port $IN_PORT or $MON_PORT is already in use.${NC}"; exit 1
fi fi
} }
# --- 4. DEPLOYMENT (Replaces Compose) --- # --- 4. DEPLOYMENT & PERSISTENCE ---
execute_deployment() { execute_deployment() {
echo -e "\n${YELLOW}[4/5] Launching Instance $NUM...${NC}" echo -e "\n${YELLOW}[4/5] Launching Wallarm Instance...${NC}"
sudo mkdir -p "$INSTANCE_DIR" sudo mkdir -p "$INSTANCE_DIR"
# Nginx Config # Nginx Config
@ -141,61 +145,45 @@ server {
server { listen 90; location /wallarm-status { wallarm_status on; allow all; } } server { listen 90; location /wallarm-status { wallarm_status on; allow all; } }
EOF EOF
# Clean existing # Image Logic
sudo docker rm -f "$NODE_NAME" &>/dev/null
# Image Source Logic
if [ "$REGISTRY_REACHABLE" = true ]; then if [ "$REGISTRY_REACHABLE" = true ]; then
echo " Pulling wallarm/node:latest..." echo " Pulling wallarm/node:latest..."
sudo docker pull wallarm/node:latest sudo docker pull wallarm/node:latest
else else
echo " Registry blocked. Loading from local .tar..." echo " Registry offline. Loading local .tar..."
sudo docker load < *.tar || { echo "No image found!"; exit 1; } sudo docker load < *.tar
fi fi
# Persistent Launch (Manual "Compose" behavior) # The Persistence Script
sudo docker run -d --name "$NODE_NAME" --restart always \
-p $TRAFFIC_PORT:80 -p $MONITOR_PORT:90 \
-e WALLARM_API_TOKEN=$TOKEN -e WALLARM_API_HOST=$API_HOST \
-v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" \
wallarm/node:latest
# Create a start.sh in the directory for easy manual control later
sudo tee "$INSTANCE_DIR/start.sh" > /dev/null <<EOF sudo tee "$INSTANCE_DIR/start.sh" > /dev/null <<EOF
#!/bin/bash #!/bin/bash
sudo docker rm -f $NODE_NAME 2>/dev/null sudo docker rm -f $NODE_NAME 2>/dev/null
sudo docker run -d --name $NODE_NAME --restart always -p $TRAFFIC_PORT:80 -p $MONITOR_PORT:90 -e WALLARM_API_TOKEN=$TOKEN -e WALLARM_API_HOST=$API_HOST -v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" wallarm/node:latest sudo docker run -d --name $NODE_NAME --restart always \\
-p $IN_PORT:80 -p $MON_PORT:90 \\
-e WALLARM_API_TOKEN=$TOKEN -e WALLARM_API_HOST=$API_HOST \\
-v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" \\
wallarm/node:latest
EOF EOF
sudo chmod +x "$INSTANCE_DIR/start.sh" sudo chmod +x "$INSTANCE_DIR/start.sh"
sudo "$INSTANCE_DIR/start.sh"
} }
# --- 5. ATTACK TEST & VERIFY --- # --- 5. VERIFY ---
verify_and_test() { verify_and_test() {
echo -e "\n${YELLOW}[5/5] Verification & Attack Simulation...${NC}" echo -e "\n${YELLOW}[5/5] Final Verification...${NC}"
sleep 15 sleep 15
if curl -s "http://localhost:$MON_PORT/wallarm-status" | grep -q "requests"; then
if curl -s "http://localhost:$MONITOR_PORT/wallarm-status" | grep -q "requests"; then echo -e "\n${GREEN}${BOLD}✅ SUCCESS: Wallarm Node is active on Port $IN_PORT${NC}"
echo -e " ${GREEN}${NC} Node Handshake Successful." echo -e "Monitoring available at: http://localhost:$MON_PORT/wallarm-status\n"
echo -e "${YELLOW}⚔️ Simulating SQLi Attack...${NC}"
curl -s -o /dev/null -w "Result: HTTP %{http_code}\n" "http://localhost:$IN_PORT/?id='OR+1=1--"
else else
echo -e " ${RED}${NC} Node not responding. Check: sudo docker logs $NODE_NAME" echo -e "\n${RED}❌ FAILED: Container started but status page is unreachable.${NC}"
sudo docker logs $NODE_NAME | tail -n 5
fi fi
echo -e "\n${YELLOW}⚔️ Simulating Attacks...${NC}"
local sqli=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:$TRAFFIC_PORT/?id='OR+1=1--")
echo -e " SQLi Attack: HTTP $sqli (Logged)"
local xss=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:$TRAFFIC_PORT/?search=<script>alert(1)</script>")
echo -e " XSS Attack: HTTP $xss (Logged)"
echo -e "\n${GREEN}${BOLD}✅ DEPLOYMENT FINISHED${NC}"
echo -e "Instance Path: $INSTANCE_DIR"
echo -e "Traffic Port: $TRAFFIC_PORT"
echo -e "Monitor Port: $MONITOR_PORT"
} }
# --- EXECUTION --- # --- RUN ---
check_connectivity check_connectivity; setup_manual_engine; get_user_input; execute_deployment; verify_and_test
setup_manual_engine
get_user_input
execute_deployment
verify_and_test
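Review bot: The persistence script written via `sudo tee "$INSTANCE_DIR/start.sh"` embeds the Wallarm API token in clear text (`-e WALLARM_API_TOKEN=$TOKEN`), and the file is created under root's default umask and then only given `chmod +x`, which on most systems leaves it world-readable, so any local user can recover the node token. Tighten the mode at creation, e.g. replace the `chmod +x` line with `sudo chmod 700 "$INSTANCE_DIR/start.sh"`, or better, write the token to a 0600 env file and pass it with `--env-file` so the script itself carries no secret. In the same `docker run` line, `-p $MON_PORT:90` publishes the status vhost — whose `/wallarm-status` location is configured with `allow all` in this hunk — on every interface; `-p 127.0.0.1:$MON_PORT:90 \\` keeps it host-local, which is all the `curl http://localhost:$MON_PORT/wallarm-status` verification needs. Note also that the old `sudo docker load < *.tar || { ...; exit 1; }` error check was dropped, so a missing or multiple `.tar` now falls through to `start.sh` with no image loaded.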