Merge pull request #66 from UzJu/main
feat: Added the challenge of configuring insecure security groups in huawei Cloud ECS
Showing 12 changed files with 431 additions and 44 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
# Huawei Cloud ECS CIS Security Group Baseline Inspection Target Range | ||
|
||
English | [中文](./README_CN.md) | ||
|
||
## Description | ||
|
||
> The range is only used for security baseline check | ||
This is a firing range for building an insecure ECS security group configuration for Huawei Cloud ECS | ||
|
||
Insecure security group configurations can lead to malicious attackers accessing the ECS | ||
## Deployment Environment | ||
|
||
Execute the following command in the container | ||
|
||
```shell | ||
cd /TerraformGoat/huaweicloud/ecs/cis_unsafe_secgroup/ | ||
``` | ||
|
||
Edit the `terraform.tfvars` file and fill in the file with your `huaweicloud_access_key` and `huaweicloud_secret_key`. | ||
|
||
> The access key can be found in HUAWEI CLOUD [Console --> My Credentials] | ||
```shell | ||
vim terraform.tfvars | ||
``` | ||
|
||
Deployment of firing ranges | ||
|
||
```shell | ||
terraform init | ||
terraform apply | ||
``` | ||
|
||
> When the terminal prompts `Enter a value:`, enter `yes` | ||
![image-20220608104052941](../../../images/image-20220608104052941.png) | ||
|
||
![image-20220608104502920](../../../images/image-20220608104502920.png) | ||
|
||
Although this is still an ECS SSRF environment, we can find in the console that more dangerous ports are open | ||
|
||
![image-20220608104610354](../../../images/image-20220608104610354.png) | ||
|
||
As you can see above, for example, docker's 2375, kibana, es, which are not recommended to be open in the public network | ||
|
||
## Destroy the environment | ||
|
||
```shell | ||
terraform destroy | ||
``` |
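Review bot: The README never states in text which ingress rules the security group creates; the only evidence is the third screenshot and the closing sentence naming "docker's 2375, kibana, es", with no port numbers for the last two and no source range. List each opened port with its protocol and source CIDR so a reader can check the deployed group against the baseline without the images. The sentence "Although this is still an ECS SSRF environment" also refers to a scenario this README does not introduce; explain the relation or drop it. As rendered here, the `>` lines under Description and before the first image have no blank line after them, so the line that follows each will be folded into the blockquote.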
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
# 华为云 ECS CIS安全组基线检查靶场 | ||
|
||
[English](./README.md) | 中文 | ||
|
||
## 描述信息 | ||
|
||
> 该靶场仅用于安全基线检查 | ||
这是一个用于构建华为云 ECS不安全的ECS安全组配置的靶场 | ||
|
||
不安全的安全组配置可能导致恶意攻击者访问ECS | ||
|
||
## 环境搭建 | ||
|
||
在容器中执行以下命令 | ||
|
||
```shell | ||
cd /TerraformGoat/huaweicloud/ecs/cis_unsafe_secgroup/ | ||
``` | ||
|
||
编辑 `terraform.tfvars` 文件,在文件中填入你的 `huaweicloud_access_key` 和 `huaweicloud_secret_key` | ||
|
||
> 在华为云「控制台 --》我的凭证」处可以找到访问密钥 | ||
```shell | ||
vim terraform.tfvars | ||
``` | ||
|
||
部署靶场 | ||
|
||
```shell | ||
terraform init | ||
terraform apply | ||
``` | ||
|
||
> 在终端提示 `Enter a value:` 时,输入 `yes` 即可 | ||
![image-20220608104052941](../../../images/image-20220608104052941.png) | ||
|
||
![image-20220608104502920](../../../images/image-20220608104502920.png) | ||
|
||
虽然这里还是一个ECS SSRF的环境,但是我们在控制台中可以发现,开放了比较多危险的端口 | ||
|
||
![image-20220608104610354](../../../images/image-20220608104610354.png) | ||
|
||
上图可以看到,例如docker的2375,kibana,es,这些是不建议在公网中开放的 | ||
|
||
## 销毁环境 | ||
|
||
```shell | ||
terraform destroy | ||
``` |
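Review bot: The step that has the reader put `huaweicloud_access_key` and `huaweicloud_secret_key` into `terraform.tfvars` says nothing about how the key should be scoped or what to do with the file afterwards. Suggest a line recommending a dedicated key limited to what this scenario needs, and clearing the file after `terraform destroy`; the same applies to the English README. Minor: the console path uses `--》` where the English file has `-->`, and this file has a blank line before `## 环境搭建` that the English file lacks before `## Deployment Environment`.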