This repository has been archived by the owner on Aug 19, 2021. It is now read-only.

MOADSD NG SERVER

Markus Winkler edited this page Mar 19, 2021 · 13 revisions

The MOADSD-NG-SERVER

This repository provides a server container image for MOADSD-NG. The core components of that image are:

  • Ansible running with Python3
  • gcloud CLI for Google
  • aws CLI for AWS
  • plus all required dependencies to run MOADSD-NG from within a container

Persistence is provided by a mapped working directory on your Docker host. That means you can easily destroy and rebuild the image whenever needed. If you want to move your setup, simply tar / zip your local repo directory including the workdir.

Prerequisites

Docker & Docker-Compose

Tested with

  • Linux,
  • Mac OS X with Docker for Desktop and
  • AWS Cloud9

To ensure that the prerequisites are met, choose your target environment below:

Linux

Requirements for Docker & Docker-Compose

curl -fsSL get.docker.com -o get-docker.sh && sudo sh get-docker.sh
sudo usermod -aG docker `whoami` && sudo service docker start
sudo curl -L https://github.com/docker/compose/releases/download/1.24.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose && sudo chmod +x /usr/local/bin/docker-compose

Mac OS X

Requirements Docker for Desktop

https://download.docker.com/mac/stable/Docker.dmg

Cloud9

Cloud9 Configuration:

  • Name: <whatever-you-like>
  • Instance type: >= t3.medium
  • Platform: Ubuntu Server 18.04-LTS

From within the Cloud9 shell, run

sudo apt install -y docker-compose

The final step in configuring Cloud9 is to update the AWS CLI to v2:

curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o ~/awscliv2.zip
unzip ~/awscliv2.zip -d ~/
sudo ~/aws/install
aws --version
aws-cli/2.1.30 Python/3.8.8 Linux/5.4.0-1039-aws exe/x86_64.ubuntu.18 prompt/off

Note: If you run into trouble during the instantiation of the Cloud9 environment, it is typically caused by a misconfigured VPC. Cloud9 requires a VPC with a public subnet available. If you don't have one in the desired region, you need to create it before creating the Cloud9 instance.

  • Create a VPC
    • Name tag: cloud9-vpc
    • IPv4 CIDR block: 10.0.0.0/16
    • IPv6 CIDR block: No
    • Tenancy: Default
  • Create a Subnet
    • Name tag: cloud9-subnet
    • VPC: cloud9-vpc
    • Availability Zone: No preference
    • IPv4 CIDR block: 10.0.1.0/24
  • Create an Internet Gateway
    • Name tag: cloud9-igw
  • Attach Internet Gateway to VPC
    • VPC: cloud9-vpc
  • Modify Route Table --> Routes --> Edit routes --> Add route
    • Destination 0.0.0.0/0
    • Target: cloud9-igw

Windows

NOT SUPPORTED, FULL STOP.

Get the MOADSD-NG-SERVER

In your shell, do a

git clone https://github.com/mawinkler/moadsd-ng-server.git && \
    cd moadsd-ng-server

If you're running in a Cloud9 environment, you likely need to increase the disk size of the Cloud9 instance depending on the type you chose above. To increase the local volume to 20GB, execute:

./resize.sh

Build the MOADSD-NG-SERVER

To build the container image run

./build.sh

This script will build the container image, fetch the generated /home/ansible directory and finally populate ./workdir. The user inside the container is unprivileged but uses the same uid and gid as your host's user. This ensures that you can easily access all the files residing in the home environment within the container from outside the container. Effectively, that eases backup and change processes.

Get it up and Running

Start MOADSD-NG-SERVER

First, run the server with

./start.sh

From now on, you're working only within the server container for MOADSD-NG. Do NOT work within Cloud9 if you want to manage or use moadsd-ng.

For more information on the moadsd-ng-server see the House Keeping chapter below.

The moadsd-ng-server comes with the full moadsd-ng project prepopulated. This is because a git clone is done during the build process, alongside all the dependency installations.

Change your working directory to moadsd-ng with

cd moadsd-ng

Credential Handling

For all credentials, ansible-vault is used. Create a file called .vault-pass.txt in the home directory of the ansible user with a secret password.

echo '<YOUR VERY STRONG PASSWORD>' > ~/.vault-pass.txt
chmod 600 ~/.vault-pass.txt

Prepare for the Initial Configuration

Depending on the target cloud (AWS / GCP), please choose one of the following paths:

Google

Now, we're connecting to your Google Cloud account and create a project.

gcloud init

You will be asked to pick the project you want to use, or to create a new one:

Pick cloud project to use:
 [1] erudite-variety-696969
 [2] Create a new project
Please enter numeric choice or text value (must exactly match list
item):  2

Finally, configure the default GCE region name.

Next, we will create a service account with owner permissions for the project.

export PROJECT_ID=<project-id>
gcloud iam service-accounts create ansible \
  --display-name "Ansible Account"
gcloud iam service-accounts keys create ~/ansible.json \
  --iam-account=ansible@${PROJECT_ID}.iam.gserviceaccount.com
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:ansible@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/owner"

Now we need to enable billing and, after that, the Compute API for our project. First, look up the available billing accounts:

gcloud alpha billing accounts list
ACCOUNT_ID            NAME                 OPEN  MASTER_ACCOUNT_ID
019XXX-6XXXX9-4XXXX1  My Billing Account   True

We now link that billing account to our project.

gcloud alpha billing projects link ${PROJECT_ID} \
  --billing-account 019XXX-6XXXX9-4XXXX1
billingAccountName: billingAccounts/019XXX-6XXXX9-4XXXX1
billingEnabled: true
name: projects/<project-id>/billingInfo
projectId: <project-id>

And finally, enable the API, which may take a minute or two:

gcloud services enable compute.googleapis.com
Operation "operations/acf.6dd93cb1-644b-44a1-b85c-6388f4dd288e" finished successfully.

AWS

Use the configure option to continue with the AWS CLI configuration:

aws configure
AWS Access Key ID [None]: <access key>
AWS Secret Access Key [None]: <secret key>
Default region name [None]: <default region>
Default output format [None]: json

Example for the default region would be eu-central-1 or eu-west-1.

When using instances within AWS EC2 we need a key pair. To create one, run:

KEY_NAME="moadsd-ng-$(date '+%m%d%Y-%H%M%S')"
aws ec2 create-key-pair --key-name ${KEY_NAME} | \
  jq -r '.KeyMaterial' > ~/.ssh/${KEY_NAME}.pem
chmod 600 ~/.ssh/${KEY_NAME}.pem

We now have a private key which allows us to authenticate to the instances.
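The files created in this section and in the Google section above (~/.vault-pass.txt, ~/ansible.json and the EC2 key in ~/.ssh) all live in the workdir that is mapped onto the Docker host and end up in any tar/zip backup of it. The following added check (example code, not part of moadsd-ng-server; the file paths are taken from the commands above and the home directory defaults to $HOME) verifies that each of them is owner-only before you back up or relocate the environment.

```shell
#!/usr/bin/env sh
# Added example, not part of moadsd-ng-server: audit the secret files this
# guide creates in the container user's home for owner-only permissions.
# Assumed paths (from the commands in this guide): .vault-pass.txt,
# ansible.json (GCP service account key) and ~/.ssh/*.pem (EC2 key pair).

# Print the octal mode of a file; works with GNU stat and falls back to BSD stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the file is absent (not created for this cloud) or mode 600/400,
# 1 if it is readable by group or others.
check_secret_file() {
  f="$1"
  [ -e "$f" ] || return 0
  mode="$(file_mode "$f")"
  case "$mode" in
    600|400) return 0 ;;
    *) echo "WARN: $f is mode $mode, expected 600" >&2; return 1 ;;
  esac
}

# Audit the home directory given as $1 (default: $HOME).
# The return value is the number of findings, so 0 means every secret is locked down.
audit_secrets() {
  home="${1:-$HOME}"
  findings=0
  for f in "$home/.vault-pass.txt" "$home/ansible.json"; do
    check_secret_file "$f" || findings=$((findings + 1))
  done
  for f in "$home"/.ssh/*.pem; do
    [ -e "$f" ] || continue         # the glob matched nothing
    check_secret_file "$f" || findings=$((findings + 1))
  done
  return "$findings"
}
# Usage: audit_secrets            (audits $HOME; exit status = number of findings)
```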

Next Step

For the next step, head over to The Configurator.

Training participants:

  • Use the configuration.yml provided in the lab guide (copy & paste)
  • Skip the Deep Security chapter

House Keeping

The following sections assume that you are within the moadsd-ng-server directory.

Run moadsd-ng-server

Run the server with

./start.sh

You are now directly within your server environment where you can work with MOADSD-NG as before, but within an isolated and easy to move container.

Exit from moadsd-ng-server

To exit the container environment press ^d; the container will (typically) stay alive.

Stop moadsd-ng-server

To stop a running instance run

./stop.sh

Backup Settings

Backup your settings with

./settings-backup.sh

A directory named backup-YYYY-MM-DD_HH-MM will be created containing all relevant configurations.

Restore Settings

If you want to overwrite your current configuration with a backed-up one, do the following.

./settings-restore.sh <backup-YYYY-MM-DD_HH-MM>
./start.sh
cd ~/moadsd-ng

If you're restarting from scratch or have deleted the workdir, it's a little more complicated because we need to fetch moadsd-ng again.

./build.sh
./start.sh
git clone https://github.com/mawinkler/moadsd-ng.git
exit
./settings-restore.sh <backup-YYYY-MM-DD_HH-MM>
./start.sh
cd ~/moadsd-ng

And finally run the configurator via the menu.

You can also do a full backup by simply doing a tar/zip of the moadsd-ng-server directory. It contains everything which is required to restore or relocate the environment.
