refactor: update variable usage, PHP and Nginx versions

seppzer0 · seppzer0 · commit e14431a624e7 · 2024-03-28T18:09:33.000Z
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,16 @@
-# DoD: Installing Nginx with Docker
-FROM nginx:1.25.2-bookworm
+# step: installing Nginx with Docker
+FROM nginx:1.25.4-bookworm
 EXPOSE 80
 EXPOSE 22
 
-# DoD: Deploying DVWA on Nginx
+WORKDIR /ndvwa
+
+# step: deploying DVWA on Nginx
 # copy config files into container
 COPY configs/dvwa.conf /etc/nginx/sites-available/default
 COPY configs/nginx.conf /etc/nginx/nginx.conf
-COPY configs/dbsetup.sql /dbsetup.sql
+COPY configs/dbsetup.sql ${WORKDIR}/dbsetup.sql
+COPY entrypoint.sh /ndvwa/entrypoint.sh
 # install basic packages
 RUN apt-get update && \
     apt-get install -y \
@@ -25,29 +28,27 @@ RUN apt-get update && \
         openssh-server \
         openssh-client \
         sshpass \
-        knockd
+        knockd && \
+    apt-get autoremove -y
 # install a specific version of PHP
 RUN wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
     echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list && \
-    apt update && \
-    apt -y install php7.4-fpm php7.4-mysqli
+    apt-get update && \
+    apt-get install -y php8.3-fpm php8.3-mysqli
 # run configurations
-RUN mkdir -p /etc/nginx/sites-available && \
-    mkdir -p /etc/nginx/sites-enabled && \
-    mkdir -p /var/www/html && \
+RUN mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled /var/www/html && \
     # prepare DVWA files
     git clone --depth 1 https://github.com/digininja/DVWA.git /var/www/html/dvwa && \
     chmod 777 -R /var/www/html/dvwa && \
     ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default && \
     # create PHP config
-    cd /var/www/html/dvwa && \
-    cp config/config.inc.php.dist config/config.inc.php && \
+    cp /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php && \
     # setup database
     service mariadb start && \
-    mysql -u root < /dbsetup.sql && \
+    mysql -u root < ${WORKDIR}/dbsetup.sql && \
     # firewall setting for nginx
     ufw allow 80,443/tcp
 
-# setup entrypoint (technically CMD)
-COPY entrypoint.sh /entrypoint.sh
-CMD [ "bash", "/entrypoint.sh" ]
+# setup entrypoint CMD
+COPY entrypoint.sh ${WORKDIR}/entrypoint.sh
+CMD [ "bash", "/ndvwa/entrypoint.sh" ]
diff --git a/README.md b/README.md
@@ -1,67 +1,49 @@
 # nDVWA
 
-nDVWA is a compact Dockerized solution for deploying DVWA with nginx.
+nDVWA is a compact Dockerized solution for deploying DVWA with Nginx.
 
 Everything is kept in a single container: nginx is pulled as a base image, and DVWA is downloaded directly from it's official git repository.
 
 Additionally, this application offers a few extra SSH configurations between the Docker container and it's host machine.
 
 The SSH connection with port knocking protection is established using internal Docker network (which is evident by `docker0` interface and `172.17.0.1` default host address usage in the codebase). You can opt-out of these configurations via a prompt when starting up the container.
 
-This app was a part of an academic study and had a DoD (Definition-of-Done). The details are presented below.
+This app consist of several key steps. The details are presented below.
 
 ## Contents
 
 - [nDVWA](#ndvwa)
   - [Contents](#contents)
-  - [**Disclaimer**](#disclaimer)
-  - [DoD](#dod)
-    - [Installing Nginx with Docker](#installing-nginx-with-docker)
-    - [Deploying DVWA on Nginx](#deploying-dvwa-on-nginx)
-    - [(optional) Establishing Reverse Tunneling to SSH](#optional-establishing-reverse-tunneling-to-ssh)
-    - [(optional) Protecting SSH from Nmap Scanning](#optional-protecting-ssh-from-nmap-scanning)
+  - [**Important**](#important)
+  - [Key Steps](#key-steps)
   - [How To Use](#how-to-use)
     - [1. Build (or download) the Docker image](#1-build-or-download-the-docker-image)
     - [2. Create a Docker container](#2-create-a-docker-container)
-    - [3. Check deployed DVWA via web-browser](#3-check-deployed-dvwa-via-web-browser)
+    - [3. Check the deployed DVWA instance via web-browser](#3-check-the-deployed-dvwa-instance-via-web-browser)
     - [4. Follow the prompts in Docker container](#4-follow-the-prompts-in-docker-container)
 
-## **Disclaimer**
+## **Important**
 
-If you wish to execute **all** of the steps (including SSH configurations), please take into consideration that it might permanently alternate iptables rules on your machine.
+> [!IMPORTANT]
+> **\- DISCLAIMER \-**
+>
+>If you wish to execute **all** of the steps (including SSH configurations), please take into consideration that it might permanently alternate iptables rules on your machine.
+>
+>Once the SSH configurations are complete, the app flushes `DOCKER` and `INPUT` chains in iptables.
+>
+>Unless you know what you are doing or able to fix your iptables in case of any issue, it is recommended to run this app in a virtual machine (or any other environment that is not someone's primary workspace).
 
-Once the SSH configurations are completed, the app flushes `DOCKER` and `INPUT` chains in iptables.
+> [!NOTE]
+> And just in case, run a `sudo iptables -L > ~/default_iptables.txt` before launching the app. That way you'll have a reference to restore your iptables rules if required.
 
-Unless you know what you are doing or able to fix your iptables in case of any issue, it is recommended to run this app in a virtual machine.
+## Key Steps
 
-Tip: And just in case, run a `sudo iptables -L > ~/default_iptables.txt` before launching the app. That way you'll have a reference to restore your iptables rules if required.
+The whole function of the app can be broken down into the following steps:
 
-## DoD
-
-### Installing Nginx with Docker
-
-1. install Docker on your system;
-2. pull the Nginx Docker image;
-3. create a Docker container using the Nginx image;
-4. configure the necessary ports for Nginx to operate.
-
-### Deploying DVWA on Nginx
-
-1. download the Damn Vulnerable Web Application (DVWA) package;
-2. configure Nginx to serve the DVWA files;
-3. verify the successful deployment of DVWA by accessing it through a web browser.
-
-### (optional) Establishing Reverse Tunneling to SSH
-
-1. configure the SSH server to allow reverse tunneling;
-2. set up the reverse tunnel by initiating an SSH connection from the Docker container to the SSH server;
-3. verify the reverse tunnel connection by accessing the SSH server from the Docker container.
-
-### (optional) Protecting SSH from Nmap Scanning
-
-1. install Nmap for scanning purposes;
-2. implement port knocking or port scanning detection mechanisms to prevent unauthorized access attempts;
-3. test the implemented measures using Nmap to ensure SSH protection against scanning.
+1. installing Nginx with Docker;
+2. deploying DVWA on Nginx;
+3. establishing reverse tunneling to SSH (optional);
+4. protecting SSH from Nmap scanning with port knocking protection (optional).
 
 ## How To Use
 
@@ -73,7 +55,7 @@ In the root of the directory, run:
 docker build . -t ndvwa
 ```
 
-Alternatively, you can download a pre-built image from repository's registry:
+Alternatively, you can download a pre-built image from the repository's registry:
 
 ```sh
 docker pull ghcr.io/seppzer0/ndvwa
@@ -87,7 +69,7 @@ To create a container, run:
 docker run --rm -it -p 80:80 ndvwa
 ```
 
-### 3. Check deployed DVWA via web-browser
+### 3. Check the deployed DVWA instance via web-browser
 
 Using a web-browser, enter `0.0.0.0:80` URL.<br>
 When asked for credentials for the first time, use `dvwa` for both login and password.<br>
@@ -97,9 +79,10 @@ Then, using UI, create a new database. When asked for credentials again, use `ad
 
 Once the container is launched, you will be prompted whether to proceed with SSH configurations or just directly jump into Bash shell.
 
-Keep in mind that in order to establish an SSH connection between a container and a host machine, you need to setup an SSH server on the host machine first.<br>
+Keep in mind that in order to establish an SSH connection between a container and a host machine, you need to setup an SSH server on the host machine first.
+
 On a Debian-based machine:
 
-- install `openssh-server` package (use `sudo apt install openssh-server`);
+- install `openssh-server` package;
 - append `GatewayPorts yes` and `AllowTcpForwarding yes` lines into `/etc/ssh/sshd_config` file;
-- restart ssh service with `sudo service ssh restart`.
+- restart ssh service.
diff --git a/configs/dvwa.conf b/configs/dvwa.conf
@@ -15,7 +15,7 @@ server {
         # this is for the PHP part of DVWA to work properly
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
         try_files $uri =404;
-        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
         fastcgi_index index.php;
         fastcgi_param SCRIPT_FILENAME $request_filename;
         include fastcgi_params;
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,51 +1,54 @@
 #!/bin/bash
 
+IP="172.17.0.1"
+
+
 # start services
 service mariadb start
-service php7.4-fpm start
+service php8.3-fpm start
 service nginx start
 sleep 1
 
 # prompt to either proceed with SSH configurations or jump into shell
 printf "\n\n"
 read -p "[ ? ] Proceed with SSH configurations? [yes/no] " yn
-case $yn in 
-  yes ) 
-      # DoD: Establishing Reverse Tunneling to SSH
+case $yn in
+  yes )
+      # step: establishing reverse tunneling to SSH
       printf "\n\n== Establishing Reverse Tunneling to SSH ==\n"
       # ask for host's credentials, which will be required for sudo operations
       printf "\n[ * ] Please enter the following information from you host environment.\n"
       read -p "    - Username: " USER
       read -s -p "    - Password: " PASS
       printf "\n"
-      # setup containers SSH keys and connection to the SSH server
+      # setup container's SSH keys and connection to the SSH server (host environment)
       printf "\n[ * ] Setting up SSH keys.\n\n"
       ssh-keygen -t rsa -b 4096 -N '' -f ~/.ssh/id_rsa
-      sshpass -p $PASS ssh-copy-id -o StrictHostKeyChecking=no $USER@172.17.0.1
+      sshpass -p ${PASS} ssh-copy-id -o StrictHostKeyChecking=no ${USER}@${IP}
       printf "\n[ * ] Configuring reverse tunneling.\n\n"
-      ssh -f -N -R 2222:localhost:22 $USER@172.17.0.1
+      ssh -f -N -R 2222:localhost:22 ${USER}@${IP}
       printf "[ * ] Opening SSH connection. When ready, \"exit\" it to proceed with port knocking protection setup.\n\n"
-      ssh -p 22 $USER@172.17.0.1
+      ssh -p 22 ${USER}@${IP}
 
-      # DoD: Protecting SSH from Nmap Scanning (port knocking protection)
+      # step: protecting SSH from Nmap scanning with port knocking protection
       printf "\n\n== Protecting SSH from Nmap Scanning ==\n"
       printf "\n[ * ] Please enter the following information from you host environment.\n"
       read -p "    - Full path to this repository: " RPATH
       printf "\n"
       printf "\n[ * ] Checking that SSH port is currently open using NMAP.\n\n"
-      nmap -p 22 172.17.0.1
+      nmap -p 22 ${IP}
       printf "\n[ * ] Configuring knockd service on the host machine (via SSH).\n\n"
-      ssh -p 22 $USER@172.17.0.1 -t "cd $RPATH && echo $PASS | sudo -S bash knockd_setup.sh"
+      ssh -p 22 ${USER}@${IP} -t "cd ${RPATH} && echo ${PASS} | sudo -S bash knockd_setup.sh"
       sleep 1
       printf "\n[ * ] Attemting to scan the SSH port and connect to the SSH server with knockd service running.\n\n"
-      nmap -p 22 172.17.0.1
-      ssh -p 22 $USER@172.17.0.1
+      nmap -p 22 ${IP}
+      ssh -p 22 ${USER}@${IP}
       printf "\n[ * ] Executing magic knock-knock sequence and actually connecting to the SSH server. When ready, \"exit\" it to proceed.\n\n"
-      knock -v 172.17.0.1 20001 20002 20003 -d 500
-      ssh -p 22 $USER@172.17.0.1
+      knock -v ${IP} 20001 20002 20003 -d 500
+      ssh -p 22 ${USER}@${IP}
       printf "\n[ * ] Restoring iptables rules on the host machine.\n\n"
-      knock -v 172.17.0.1 20001 20002 20003 -d 500
-      ssh -p 22 $USER@172.17.0.1 -t "echo $PASS | sudo -S iptables -F DOCKER && sudo -S iptables -F INPUT && sudo -S service knockd stop"
+      knock -v ${IP} 20001 20002 20003 -d 500
+      ssh -p 22 ${USER}@${IP} -t "echo ${PASS} | sudo -S iptables -F DOCKER && sudo -S iptables -F INPUT && sudo -S service knockd stop"
       ;;
   no )
      printf "[ * ] Jumping directly into Bash shell..\n\n";;
