chore: auto-commit 2026-03-18 13:57

2026-03-18 13:57:31 +00:00 · 2026-03-18 13:57:31 +00:00 · 786edd0efd
commit 786edd0efd
parent 208d78d508
1 changed files with 126 additions and 120 deletions
--- a/wallarm-deploy-ct.sh
+++ b/wallarm-deploy-ct.sh
@ -1,39 +1,66 @@
 #!/bin/bash
 # ==============================================================================
-# SECHPOINT WALLARM SMART DEPLOYER - BULLETPROOF V3
-# ==============================================================================
-# Support: Manual Docker/Podman | Auto-Port Mapping | Persistence
+# Sechpoint Wallarm Smart Deployer - Manual Binary Edition (PoC Optimized)
 # ==============================================================================

-# --- UI COLORS ---
-BLUE='\033[0;34m'
-CYAN='\033[0;36m'
-YELLOW='\033[1;33m'
-GREEN='\033[0;32m'
-RED='\033[0;31m'
-NC='\033[0m' # No Color
-BOLD='\033[1m'
+# --- Styling ---
+YELLOW='\033[1;33m'; GREEN='\033[0;32m'; RED='\033[0;31m'; BLUE='\033[0;34m'; NC='\033[0m'
+
+LOG_FILE="/var/log/wallarm-deploy.log"
+EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com")
+US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com")
+
+# --- Initialization ---
+sudo touch "$LOG_FILE" && sudo chmod 644 "$LOG_FILE"
+exec > >(tee -a "$LOG_FILE") 2>&1 

 clear
-echo -e "${BLUE}${BOLD}==========================================================${NC}"
-echo -e "${BLUE}${BOLD}        WALLARM NODE - ENTERPRISE POC DEPLOYER          ${NC}"
-echo -e "${BLUE}${BOLD}==========================================================${NC}"
+echo -e "${BLUE}====================================================${NC}"
+echo -e "${BLUE}      Wallarm Manual Binary Container Deployer      ${NC}"
+echo -e "${BLUE}====================================================${NC}"

-# --- 1. PRE-FLIGHT CHECKS ---
+# --- 1. PRE-FLIGHT & CONNECTIVITY ---

-check_env() {
-    echo -e "\n${CYAN}[STEP 1/5] Checking Environment...${NC}"
+check_connectivity() {
+    echo -e "\n${YELLOW}[1/5] Testing Cloud & Registry Connectivity...${NC}"
    
-    # Engine Detection
-    if sudo docker info > /dev/null 2>&1; then
-        ENGINE="docker"; echo -e "  ${GREEN}✓${NC} Docker Engine detected"
-    elif sudo podman info > /dev/null 2>&1; then
-        ENGINE="podman"; echo -e "  ${GREEN}✓${NC} Podman Engine detected"
-    else
-        echo -e "  ${YELLOW}!${NC} No engine active. Setting up manual Docker service..."
-        if [ ! -f "/usr/bin/dockerd" ]; then
-            echo -e "  ${RED}✗ FATAL: /usr/bin/dockerd not found.${NC}"; exit 1
+    read -p "  Wallarm Cloud (US/EU) [US]: " CLOUD_SEL
+    CLOUD_SEL=${CLOUD_SEL^^}; CLOUD_SEL=${CLOUD_SEL:-US}
+    
+    local nodes_to_test=("${US_DATA_NODES[@]}")
+    [[ "$CLOUD_SEL" == "EU" ]] && nodes_to_test=("${EU_DATA_NODES[@]}")
+
+    for node in "${nodes_to_test[@]}"; do
+        if curl -skI --connect-timeout 5 "https://$node" > /dev/null 2>&1; then
+            echo -e "  ${GREEN}[PASS]${NC} Reached $node"
+        else
+            echo -e "  ${RED}[FAIL]${NC} Cannot reach $node (Check Firewall/Proxy)"
        fi
+    done
+    
+    API_HOST=$([[ "$CLOUD_SEL" == "EU" ]] && echo "api.wallarm.com" || echo "us1.api.wallarm.com")
+
+    # Check Registry for Pull Capability
+    REGISTRY_REACHABLE=true
+    if ! curl -skI --connect-timeout 5 "https://registry-1.docker.io/v2/" > /dev/null 2>&1; then
+        REGISTRY_REACHABLE=false
+        echo -e "  ${YELLOW}[WARN]${NC} Docker Hub unreachable. Will look for local .tar image."
+    fi
+}
+
+# --- 2. ENGINE SETUP (Manual Binary Logic) ---
+
+setup_manual_engine() {
+    echo -e "\n${YELLOW}[2/5] Hardening Manual Docker Engine...${NC}"
+    
+    if sudo docker info > /dev/null 2>&1; then
+        echo -e "  ${GREEN}[INFO]${NC} Docker is already active."
+    else
+        if [ ! -f "/usr/bin/dockerd" ]; then
+            echo -e "  ${RED}[FATAL]${NC} Manual binaries not found in /usr/bin/. Move them first."; exit 1
+        fi
+
+        echo "  Configuring systemd service for manual binaries..."
        sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
 [Unit]
 Description=Docker Engine
@ -42,136 +69,115 @@ After=network-online.target
 Type=notify
 ExecStart=/usr/bin/dockerd
 Restart=on-failure
+LimitNOFILE=infinity
 [Install]
 WantedBy=multi-user.target
 EOF
-        sudo systemctl daemon-reload && sudo systemctl enable --now docker
-        ENGINE="docker"
-    fi
-
-    # Registry Check
-    REGISTRY_REACHABLE=true
-    curl -skI --connect-timeout 3 "https://registry-1.docker.io/v2/" > /dev/null 2>&1 || REGISTRY_REACHABLE=false
-    if [ "$REGISTRY_REACHABLE" = true ]; then
-        echo -e "  ${GREEN}✓${NC} Docker Hub is reachable"
-    else
-        echo -e "  ${YELLOW}!${NC} Docker Hub offline. Looking for local image..."
-        if ! ls *.tar >/dev/null 2>&1; then
-            echo -e "  ${RED}✗ FATAL: No internet and no .tar image found.${NC}"; exit 1
-        fi
+        sudo systemctl daemon-reload
+        sudo systemctl enable --now docker
+        echo -e "  ${GREEN}[PASS]${NC} Docker service initialized."
    fi
 }

-# --- 2. USER INPUT ---
+# --- 3. INPUT & WORKSPACE ---

-get_config() {
-    echo -e "\n${CYAN}[STEP 2/5] Configuration Settings...${NC}"
+get_user_input() {
+    echo -e "\n${YELLOW}[3/5] Configuration & Workspace Setup...${NC}"
    
-    read -p "  Enter Wallarm Token: " TOKEN
-    read -p "  Inbound Traffic Port [80]: " IN_PORT
-    IN_PORT=${IN_PORT:-80}
-    
-    # Auto-calculate Monitoring Port
-    MON_PORT=$((IN_PORT + 10))
-    echo -e "  ${YELLOW}i${NC} Monitoring port set to: ${BOLD}$MON_PORT${NC}"
+    read -p "  Enter Instance Number (e.g., 1, 2): " NUM
+    INSTANCE_DIR="/opt/wallarm/$NUM"
+    TRAFFIC_PORT=$((8000 + NUM))
+    MONITOR_PORT=$((9000 + NUM))
+    NODE_NAME="wallarm-node-$NUM"

-    read -p "  App IP (Upstream) [127.0.0.1]: " APP_IP
-    APP_IP=${APP_IP:-127.0.0.1}
-    read -p "  App Port (Upstream) [8080]: " APP_PORT
-    APP_PORT=${APP_PORT:-8080}
+    read -p "  Upstream App IP [127.0.0.1]: " UPSTREAM_IP
+    UPSTREAM_IP=${UPSTREAM_IP:-127.0.0.1}
+    read -p "  Upstream App Port [80]: " UPSTREAM_PORT
+    UPSTREAM_PORT=${UPSTREAM_PORT:-80}
+    read -p "  Paste Wallarm Token: " TOKEN

-    # Verify ports are free
-    for p in $IN_PORT $MON_PORT; do
-        if sudo netstat -tulpn | grep -q ":$p "; then
-            echo -e "  ${RED}✗ FATAL: Port $p is already in use.${NC}"; exit 1
-        fi
-    done
+    # Pre-check internal app reachability
+    if ! timeout 2 bash -c "cat < /dev/null > /dev/tcp/$UPSTREAM_IP/$UPSTREAM_PORT" 2>/dev/null; then
+        echo -e "  ${RED}[WARN]${NC} VM cannot reach App at $UPSTREAM_IP:$UPSTREAM_PORT. Check networking."
+    fi
 }

-# --- 3. ARTIFACT GENERATION ---
+# --- 4. DEPLOYMENT (Replaces Compose) ---

-generate_files() {
-    echo -e "\n${CYAN}[STEP 3/5] Generating Persistence Layers...${NC}"
-    
-    INSTANCE_DIR="/opt/wallarm/poc_$IN_PORT"
+execute_deployment() {
+    echo -e "\n${YELLOW}[4/5] Launching Instance $NUM...${NC}"
    sudo mkdir -p "$INSTANCE_DIR"

-    # Nginx Conf
+    # Nginx Config
    sudo tee "$INSTANCE_DIR/nginx.conf" > /dev/null <<EOF
 server {
    listen 80;
    wallarm_mode monitoring;
    location / {
-        proxy_pass http://$APP_IP:$APP_PORT;
+        proxy_pass http://$UPSTREAM_IP:$UPSTREAM_PORT;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
 }
-server { 
-    listen 90; 
-    location /wallarm-status { 
-        wallarm_status on; 
-    } 
-}
+server { listen 90; location /wallarm-status { wallarm_status on; allow all; } }
 EOF

-    # Start Script
+    # Clean existing
+    sudo docker rm -f "$NODE_NAME" &>/dev/null
+
+    # Image Source Logic
+    if [ "$REGISTRY_REACHABLE" = true ]; then
+        echo "  Pulling wallarm/node:latest..."
+        sudo docker pull wallarm/node:latest
+    else
+        echo "  Registry blocked. Loading from local .tar..."
+        sudo docker load < *.tar || { echo "No image found!"; exit 1; }
+    fi
+
+    # Persistent Launch (Manual "Compose" behavior)
+    sudo docker run -d --name "$NODE_NAME" --restart always \
+      -p $TRAFFIC_PORT:80 -p $MONITOR_PORT:90 \
+      -e WALLARM_API_TOKEN=$TOKEN -e WALLARM_API_HOST=$API_HOST \
+      -v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" \
+      wallarm/node:latest
+
+    # Create a start.sh in the directory for easy manual control later
    sudo tee "$INSTANCE_DIR/start.sh" > /dev/null <<EOF
 #!/bin/bash
-sudo $ENGINE rm -f wallarm-node-$IN_PORT 2>/dev/null
-sudo $ENGINE run -d \\
-  --name wallarm-node-$IN_PORT \\
-  --restart always \\
-  -p $IN_PORT:80 -p $MON_PORT:90 \\
-  -e WALLARM_API_TOKEN=$TOKEN \\
-  -v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" \\
-  wallarm/node:latest
+sudo docker rm -f $NODE_NAME 2>/dev/null
+sudo docker run -d --name $NODE_NAME --restart always -p $TRAFFIC_PORT:80 -p $MONITOR_PORT:90 -e WALLARM_API_TOKEN=$TOKEN -e WALLARM_API_HOST=$API_HOST -v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" wallarm/node:latest
 EOF
    sudo chmod +x "$INSTANCE_DIR/start.sh"
-    echo -e "  ${GREEN}✓${NC} Created artifacts in $INSTANCE_DIR"
 }

-# --- 4. DEPLOYMENT ---
+# --- 5. ATTACK TEST & VERIFY ---

-deploy() {
-    echo -e "\n${CYAN}[STEP 4/5] Pulling and Launching...${NC}"
+verify_and_test() {
+    echo -e "\n${YELLOW}[5/5] Verification & Attack Simulation...${NC}"
+    sleep 15
    
-    if [ "$REGISTRY_REACHABLE" = true ]; then
-        sudo $ENGINE pull wallarm/node:latest
+    if curl -s "http://localhost:$MONITOR_PORT/wallarm-status" | grep -q "requests"; then
+        echo -e "  ${GREEN}✓${NC} Node Handshake Successful."
    else
-        sudo $ENGINE load < *.tar
+        echo -e "  ${RED}✗${NC} Node not responding. Check: sudo docker logs $NODE_NAME"
    fi

-    sudo "$INSTANCE_DIR/start.sh"
+    echo -e "\n${YELLOW}⚔️ Simulating Attacks...${NC}"
+    local sqli=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:$TRAFFIC_PORT/?id='OR+1=1--")
+    echo -e "  SQLi Attack: HTTP $sqli (Logged)"
+    local xss=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:$TRAFFIC_PORT/?search=<script>alert(1)</script>")
+    echo -e "  XSS Attack:  HTTP $xss (Logged)"
+
+    echo -e "\n${GREEN}${BOLD}✅ DEPLOYMENT FINISHED${NC}"
+    echo -e "Instance Path: $INSTANCE_DIR"
+    echo -e "Traffic Port:  $TRAFFIC_PORT"
+    echo -e "Monitor Port:  $MONITOR_PORT"
 }

-# --- 5. VERIFICATION ---
-
-verify() {
-    echo -e "\n${CYAN}[STEP 5/5] Final Handshake...${NC}"
-    sleep 12
-    
-    if curl -s "http://localhost:$MON_PORT/wallarm-status" | grep -q "requests"; then
-        echo -e "\n${GREEN}${BOLD}==========================================================${NC}"
-        echo -e "${GREEN}${BOLD}           ✅ DEPLOYMENT SUCCESSFUL                     ${NC}"
-        echo -e "${GREEN}${BOLD}==========================================================${NC}"
-        echo -e "  Traffic Entry: ${BOLD}http://<Server-IP>:$IN_PORT${NC}"
-        echo -e "  Node Status:   ${BOLD}http://localhost:$MON_PORT/wallarm-status${NC}"
-        echo -e "  Config Dir:    $INSTANCE_DIR"
-        echo -e "${GREEN}${BOLD}==========================================================${NC}\n"
-    else
-        echo -e "\n${RED}${BOLD}==========================================================${NC}"
-        echo -e "${RED}${BOLD}           ❌ DEPLOYMENT FAILED                         ${NC}"
-        echo -e "${RED}${BOLD}==========================================================${NC}"
-        echo -e "  The container started but is not responding."
-        echo -e "  Check logs: ${BOLD}sudo $ENGINE logs wallarm-node-$IN_PORT${NC}"
-        echo -e "${RED}${BOLD}==========================================================${NC}\n"
-    fi
-}
-
-# --- RUN ---
-check_env
-get_config
-generate_files
-deploy
-verify
+# --- EXECUTION ---
+check_connectivity
+setup_manual_engine
+get_user_input
+execute_deployment
+verify_and_test