security-lab/document at master · AlphaDevelopmental/security-lab · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
# Docker Security Lab - Quick Start Guide

## 🚀 Initial Setup

### 1. Create the .env file
```bash
cd ~/docker/security-lab
nano .env
# Copy the contents from the .env artifact and save
```

### 2. Add .env to .gitignore (if using git)
```bash
echo ".env" >> .gitignore
```

### 3. Verify all images are available
```bash
docker compose config --images
docker compose pull
```

## 📦 Starting Services

### Start ALL services
```bash
docker compose --profile all up -d
```

### Start specific groups

**Web Basics** (DVWA, Juice Shop, Mutillidae, VulnBank):
```bash
docker compose --profile web-basics up -d
```

**API Security** (DVGA, DVRA, Pixi, SSRF):
```bash
docker compose --profile api-security up -d
```

**Advanced Training** (WebGoat, WrongSecrets):
```bash
docker compose --profile advanced up -d
```

**Management Tools** (Portainer only):
```bash
docker compose --profile management up -d
```

### Combine multiple profiles
```bash
docker compose --profile web-basics --profile api-security up -d
```

## 🔍 Monitoring & Management

### View running containers
```bash
docker compose ps
```

### View logs
```bash
# All services
docker compose logs -f

# Specific service
docker compose logs -f juice-shop
```

### Monitor resource usage
```bash
docker stats
```

### Check disk usage
```bash
docker system df
```

## 🛑 Stopping Services

### Stop all services
```bash
docker compose --profile all down
```

### Stop specific profile
```bash
docker compose --profile web-basics down
```

### Stop and remove volumes (⚠️ deletes all data)
```bash
docker compose --profile all down -v
```

## 🔗 Access URLs

| Application | URL | Default Credentials |
|------------|-----|---------------------|
| Juice Shop | http://your-server:3000 | Create account |
| DVWA | http://your-server:8082 | admin / password |
| WebGoat | http://your-server:8080/WebGoat | Create account |
| WebWolf | http://your-server:9090/WebWolf | (companion to WebGoat) |
| Mutillidae | http://your-server:8083 | No auth required |
| VulnBank | http://your-server:5000 | Check app docs |
| DVGA | http://your-server:5013 | No auth required |
| WrongSecrets | http://your-server:8084 | No auth required |
| Pixi | http://your-server:8085 | Check app docs |
| DVRA | http://your-server:3001 | Check app docs |
| SSRF App | http://your-server:8087 | No auth required |
| Portainer | http://localhost:9000 | Set on first access |

## 🔒 Accessing Portainer Remotely

Portainer is bound to localhost for security. To access it remotely:

### Option 1: SSH Tunnel (Recommended)
```bash
# From your local machine:
ssh -L 9000:localhost:9000 student@your-server-ip

# Then open in browser:
# http://localhost:9000
```

### Option 2: Modify docker-compose.yml (Less secure)
```yaml
# Change from:
ports:
  - "127.0.0.1:9000:9000"

# To:
ports:
  - "9000:9000"

# Then restart:
docker compose --profile management down
docker compose --profile management up -d
```

## 🧹 Maintenance

### Clean up stopped containers and unused images
```bash
docker system prune -a
```

### Clean up volumes (⚠️ deletes data)
```bash
docker system prune -a --volumes
```

### Update all images
```bash
docker compose pull
docker compose --profile all up -d --force-recreate
```

## 🔧 Troubleshooting

### Service won't start
```bash
# Check logs
docker compose logs service-name

# Check if port is already in use
sudo netstat -tulpn | grep :PORT_NUMBER
```

### Database connection errors
```bash
# Wait for database to be healthy
docker compose ps

# Restart dependent service
docker compose restart service-name
```

### Out of disk space
```bash
# Check usage
df -h
docker system df

# Clean up
docker system prune -a --volumes
```

### Permission errors
```bash
# Ensure proper ownership
sudo chown -R student:student ~/docker/security-lab
```

## 📊 Resource Monitoring

### Real-time stats
```bash
docker stats --format "table {{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}"
```

### Check container health
```bash
docker compose ps --format json | jq '.[] | {name: .Name, health: .Health}'
```

## ⚠️ Security Reminders

1. **NEVER** expose these services to the public internet
2. Use firewall rules to restrict access
3. Keep services in an isolated network or VM
4. Regular backups of important data
5. Monitor for unusual activity
6. Change default passwords in production-like scenarios

## 🎓 Recommended Learning Path

1. **Start with Web Basics**: DVWA → Juice Shop → Mutillidae
2. **Move to APIs**: DVGA → DVRA → Pixi
3. **Advanced Topics**: WebGoat → WrongSecrets
4. **Specialized**: SSRF vulnerabilities

## 📝 Notes

- First startup may take 5-10 minutes to download all images
- Some services need initialization time (check with `docker compose logs`)
- Resource limits are set - adjust in docker-compose.yml if needed
- Database data persists in Docker volumes