201 lines
No EOL
7.2 KiB
Bash
201 lines
No EOL
7.2 KiB
Bash
#!/bin/bash
|
|
# ==============================================================================
|
|
# Sechpoint Wallarm Smart Deployer - Manual Binary Edition (PoC Optimized)
|
|
# ==============================================================================
|
|
|
|
# --- Styling ---
|
|
YELLOW='\033[1;33m'; GREEN='\033[0;32m'; RED='\033[0;31m'; BLUE='\033[0;34m'; NC='\033[0m'
|
|
|
|
LOG_FILE="/var/log/wallarm-deploy.log"
|
|
EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com")
|
|
US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com")
|
|
|
|
# --- Initialization ---
|
|
sudo touch "$LOG_FILE" && sudo chmod 644 "$LOG_FILE"
|
|
exec > >(tee -a "$LOG_FILE") 2>&1
|
|
|
|
clear
|
|
echo -e "${BLUE}====================================================${NC}"
|
|
echo -e "${BLUE} Wallarm Manual Binary Container Deployer ${NC}"
|
|
echo -e "${BLUE}====================================================${NC}"
|
|
|
|
# --- 1. PRE-FLIGHT & CONNECTIVITY ---
|
|
|
|
check_connectivity() {
|
|
echo -e "\n${YELLOW}[1/5] Testing Cloud & Registry Connectivity...${NC}"
|
|
|
|
# 1. Cloud Selection
|
|
read -p " Wallarm Cloud (US/EU) [US]: " CLOUD_SEL
|
|
CLOUD_SEL=${CLOUD_SEL^^}
|
|
CLOUD_SEL=${CLOUD_SEL:-US}
|
|
|
|
local nodes_to_test=("${US_DATA_NODES[@]}")
|
|
[[ "$CLOUD_SEL" == "EU" ]] && nodes_to_test=("${EU_DATA_NODES[@]}")
|
|
|
|
# 2. Test Wallarm API Endpoints
|
|
echo " Testing $CLOUD_SEL Cloud Endpoints..."
|
|
for node in "${nodes_to_test[@]}"; do
|
|
if curl -skI --connect-timeout 5 "https://$node" > /dev/null 2>&1; then
|
|
echo -e " ${GREEN}[PASS]${NC} Reached $node"
|
|
else
|
|
echo -e " ${RED}[FAIL]${NC} Cannot reach $node (Check Firewall/Proxy)"
|
|
fi
|
|
done
|
|
|
|
API_HOST=$([[ "$CLOUD_SEL" == "EU" ]] && echo "api.wallarm.com" || echo "us1.api.wallarm.com")
|
|
|
|
# 3. Improved Docker Registry Check (Accepting 401 as 'Reachable')
|
|
echo -n " Testing Docker Hub Registry Path... "
|
|
|
|
# Capture the HTTP Status code specifically
|
|
REGISTRY_STATUS=$(curl -skI --connect-timeout 5 -o /dev/null -w "%{http_code}" "https://registry-1.docker.io/v2/")
|
|
|
|
# 401 (Unauthorized) is the expected response from Docker Hub V2 API for unauthenticated probes
|
|
if [[ "$REGISTRY_STATUS" == "200" || "$REGISTRY_STATUS" == "401" ]]; then
|
|
REGISTRY_REACHABLE=true
|
|
echo -e "${GREEN}REACHABLE${NC} (Status: $REGISTRY_STATUS)"
|
|
else
|
|
REGISTRY_REACHABLE=false
|
|
echo -e "${RED}BLOCKED/OFFLINE${NC} (Status: $REGISTRY_STATUS)"
|
|
echo -e " ${YELLOW}i${NC} Falling back to local image check..."
|
|
|
|
if ! ls *.tar >/dev/null 2>&1; then
|
|
echo -e " ${RED}✗ FATAL: Registry unreachable and no local .tar image found.${NC}"
|
|
exit 1
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# --- 2. ENGINE SETUP (Manual Binary Logic) ---
|
|
|
|
setup_manual_engine() {
|
|
echo -e "\n${YELLOW}[2/5] Hardening Manual Docker Engine...${NC}"
|
|
|
|
if sudo docker info > /dev/null 2>&1; then
|
|
echo -e " ${GREEN}[INFO]${NC} Docker is already active."
|
|
else
|
|
if [ ! -f "/usr/bin/dockerd" ]; then
|
|
echo -e " ${RED}[FATAL]${NC} Manual binaries not found in /usr/bin/. Move them first."; exit 1
|
|
fi
|
|
|
|
echo " Configuring systemd service for manual binaries..."
|
|
sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
|
|
[Unit]
|
|
Description=Docker Engine
|
|
After=network-online.target
|
|
[Service]
|
|
Type=notify
|
|
ExecStart=/usr/bin/dockerd
|
|
Restart=on-failure
|
|
LimitNOFILE=infinity
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
EOF
|
|
sudo systemctl daemon-reload
|
|
sudo systemctl enable --now docker
|
|
echo -e " ${GREEN}[PASS]${NC} Docker service initialized."
|
|
fi
|
|
}
|
|
|
|
# --- 3. INPUT & WORKSPACE ---
|
|
|
|
get_user_input() {
|
|
echo -e "\n${YELLOW}[3/5] Configuration & Workspace Setup...${NC}"
|
|
|
|
read -p " Enter Instance Number (e.g., 1, 2): " NUM
|
|
INSTANCE_DIR="/opt/wallarm/$NUM"
|
|
TRAFFIC_PORT=$((8000 + NUM))
|
|
MONITOR_PORT=$((9000 + NUM))
|
|
NODE_NAME="wallarm-node-$NUM"
|
|
|
|
read -p " Upstream App IP [127.0.0.1]: " UPSTREAM_IP
|
|
UPSTREAM_IP=${UPSTREAM_IP:-127.0.0.1}
|
|
read -p " Upstream App Port [80]: " UPSTREAM_PORT
|
|
UPSTREAM_PORT=${UPSTREAM_PORT:-80}
|
|
read -p " Paste Wallarm Token: " TOKEN
|
|
|
|
# Pre-check internal app reachability
|
|
if ! timeout 2 bash -c "cat < /dev/null > /dev/tcp/$UPSTREAM_IP/$UPSTREAM_PORT" 2>/dev/null; then
|
|
echo -e " ${RED}[WARN]${NC} VM cannot reach App at $UPSTREAM_IP:$UPSTREAM_PORT. Check networking."
|
|
fi
|
|
}
|
|
|
|
# --- 4. DEPLOYMENT (Replaces Compose) ---
|
|
|
|
execute_deployment() {
|
|
echo -e "\n${YELLOW}[4/5] Launching Instance $NUM...${NC}"
|
|
sudo mkdir -p "$INSTANCE_DIR"
|
|
|
|
# Nginx Config
|
|
sudo tee "$INSTANCE_DIR/nginx.conf" > /dev/null <<EOF
|
|
server {
|
|
listen 80;
|
|
wallarm_mode monitoring;
|
|
location / {
|
|
proxy_pass http://$UPSTREAM_IP:$UPSTREAM_PORT;
|
|
proxy_set_header Host \$host;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
}
|
|
}
|
|
server { listen 90; location /wallarm-status { wallarm_status on; allow all; } }
|
|
EOF
|
|
|
|
# Clean existing
|
|
sudo docker rm -f "$NODE_NAME" &>/dev/null
|
|
|
|
# Image Source Logic
|
|
if [ "$REGISTRY_REACHABLE" = true ]; then
|
|
echo " Pulling wallarm/node:latest..."
|
|
sudo docker pull wallarm/node:latest
|
|
else
|
|
echo " Registry blocked. Loading from local .tar..."
|
|
sudo docker load < *.tar || { echo "No image found!"; exit 1; }
|
|
fi
|
|
|
|
# Persistent Launch (Manual "Compose" behavior)
|
|
sudo docker run -d --name "$NODE_NAME" --restart always \
|
|
-p $TRAFFIC_PORT:80 -p $MONITOR_PORT:90 \
|
|
-e WALLARM_API_TOKEN=$TOKEN -e WALLARM_API_HOST=$API_HOST \
|
|
-v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" \
|
|
wallarm/node:latest
|
|
|
|
# Create a start.sh in the directory for easy manual control later
|
|
sudo tee "$INSTANCE_DIR/start.sh" > /dev/null <<EOF
|
|
#!/bin/bash
|
|
sudo docker rm -f $NODE_NAME 2>/dev/null
|
|
sudo docker run -d --name $NODE_NAME --restart always -p $TRAFFIC_PORT:80 -p $MONITOR_PORT:90 -e WALLARM_API_TOKEN=$TOKEN -e WALLARM_API_HOST=$API_HOST -v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" wallarm/node:latest
|
|
EOF
|
|
sudo chmod +x "$INSTANCE_DIR/start.sh"
|
|
}
|
|
|
|
# --- 5. ATTACK TEST & VERIFY ---
|
|
|
|
verify_and_test() {
|
|
echo -e "\n${YELLOW}[5/5] Verification & Attack Simulation...${NC}"
|
|
sleep 15
|
|
|
|
if curl -s "http://localhost:$MONITOR_PORT/wallarm-status" | grep -q "requests"; then
|
|
echo -e " ${GREEN}✓${NC} Node Handshake Successful."
|
|
else
|
|
echo -e " ${RED}✗${NC} Node not responding. Check: sudo docker logs $NODE_NAME"
|
|
fi
|
|
|
|
echo -e "\n${YELLOW}⚔️ Simulating Attacks...${NC}"
|
|
local sqli=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:$TRAFFIC_PORT/?id='OR+1=1--")
|
|
echo -e " SQLi Attack: HTTP $sqli (Logged)"
|
|
local xss=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:$TRAFFIC_PORT/?search=<script>alert(1)</script>")
|
|
echo -e " XSS Attack: HTTP $xss (Logged)"
|
|
|
|
echo -e "\n${GREEN}${BOLD}✅ DEPLOYMENT FINISHED${NC}"
|
|
echo -e "Instance Path: $INSTANCE_DIR"
|
|
echo -e "Traffic Port: $TRAFFIC_PORT"
|
|
echo -e "Monitor Port: $MONITOR_PORT"
|
|
}
|
|
|
|
# --- EXECUTION ---
|
|
check_connectivity
|
|
setup_manual_engine
|
|
get_user_input
|
|
execute_deployment
|
|
verify_and_test |