#!/bin/bash
# ============================================================
# Docker Maintenance & Troubleshooting Script with Firewall
# Author: Mr. Taiwo Micheal
# Version: 3.0
#
# This script provides a menu-driven interface for managing
# Docker containers, images, networks, system resources, and
# firewall rules for the security lab environment.
#
# Features:
# - Start/stop/restart containers
# - View running or all containers
# - Inspect logs and exec into containers
# - Cleanup unused Docker resources
# - Aggressive cleanup (dangerous: removes ALL resources)
# - Service, ports, and firewall troubleshooting
# - Firewall management (enable/disable/configure rules)
#
# Usage:
# chmod +x docker-maintenance.sh
# ./docker-maintenance.sh
# ============================================================
# Configuration
COMPOSE_DIR="${HOME}/docker/security-lab" # Update to your actual path

# Lab ports (update based on your docker-compose.yml): host port -> service name.
# Read by the firewall functions and by the listening-port check in the menu.
declare -A LAB_PORTS
LAB_PORTS[3000]='Juice Shop'
LAB_PORTS[3001]='DVRA (REST API)'
LAB_PORTS[5000]='VulnBank'
LAB_PORTS[5013]='DVGA (GraphQL)'
LAB_PORTS[8080]='WebGoat'
LAB_PORTS[8082]='DVWA'
LAB_PORTS[8083]='Mutillidae II'
LAB_PORTS[8084]='WrongSecrets'
LAB_PORTS[8085]='Pixi'
LAB_PORTS[8087]='SSRF App'
LAB_PORTS[9000]='Portainer HTTP'
LAB_PORTS[9090]='WebWolf'
LAB_PORTS[9443]='Portainer HTTPS'

# Database ports (optional - only allow from localhost): host port -> database.
declare -A DB_PORTS
DB_PORTS[3307]='DVWA MySQL'
DB_PORTS[3308]='Mutillidae MySQL'
DB_PORTS[5432]='VulnBank PostgreSQL'
# --- Startup Banner ---
# Clear the terminal, print the console banner, then pause briefly so the
# operator sees it before the menu takes over the screen.
clear
cat <<'BANNER'
==========================================
 🚀 Docker Lab Maintenance Console
 👤 Maintainer: Mr. Taiwo Micheal
 🔒 Version: 3.0 (with Firewall)
==========================================
BANNER
sleep 3
printf '\n⚠️ Maintenance console ready...\n'
sleep 2
# --- Firewall Functions ---
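#######################################
# Check that a string looks like an IP address or CIDR block before it is
# handed to ufw as a source.
# Arguments: $1 - candidate string (e.g. 10.0.0.5, 192.168.1.0/24, fd00::/8)
# Returns:   0 if it is IPv4 with an optional /0-32 prefix, or IPv6 (loose
#            hex/colon check) with an optional /0-128 prefix; 1 otherwise
#######################################
is_valid_source() {
  local candidate=$1 octet prefix
  # IPv4: four 1-3 digit groups, each <= 255, optional /prefix <= 32.
  if [[ "$candidate" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(/([0-9]{1,2}))?$ ]]; then
    for octet in "${BASH_REMATCH[@]:1:4}"; do
      # 10# forces base 10 so "08" is not read as an invalid octal literal.
      (( 10#$octet <= 255 )) || return 1
    done
    prefix=${BASH_REMATCH[6]}
    [[ -z "$prefix" ]] || (( 10#$prefix <= 32 )) || return 1
    return 0
  fi
  # IPv6: hex digits and colons only (must contain a colon), optional /prefix <= 128.
  if [[ "$candidate" == *:* && "$candidate" =~ ^[0-9A-Fa-f:]+(/([0-9]{1,3}))?$ ]]; then
    prefix=${BASH_REMATCH[2]}
    [[ -z "$prefix" ]] || (( 10#$prefix <= 128 )) || return 1
    return 0
  fi
  return 1
}

#######################################
# Configure UFW for the lab: collect and validate the operator's choices,
# then add the SSH rule, default policies, lab-port rules and DB-port deny
# rules, and only then enable UFW.
# Globals:   LAB_PORTS, DB_PORTS (read)
# Arguments: none (interactive prompts on stdin)
# Outputs:   progress to stdout, then `ufw status numbered`
# Returns:   0 on success; 1 if ufw is missing, the operator cancels, the
#            access mode is invalid, or the custom source is not an IP/CIDR
#
# NOTE(review): Docker publishes container ports through its own iptables
# chains, which are typically evaluated before UFW's rules, so UFW rules
# alone may not restrict access to ports published with `-p`. Verify the
# effective exposure from another host after applying, and consider
# filtering in the DOCKER-USER chain or restricting Docker's iptables
# handling if the lab must be LAN-only.
#######################################
setup_firewall_rules() {
  local confirm access_mode custom_source port
  echo "🔥 Setting up firewall rules for Security Lab..."
  echo ""
  # Check if UFW is installed
  if ! command -v ufw &> /dev/null; then
    echo "❌ UFW not installed. Install with: sudo apt install ufw"
    return 1
  fi
  read -r -p "⚠️ This will modify firewall rules. Continue? (yes/no): " confirm
  if [[ "$confirm" != "yes" ]]; then
    echo "❌ Cancelled."
    return 1
  fi
  echo ""
  echo "📋 Configuration options:"
  echo "1) Lab access from LAN only (recommended for local lab)"
  echo "2) Lab access from anywhere (⚠️ dangerous for production)"
  echo "3) Lab access from specific IP/subnet"
  read -r -p "Choose access mode: " access_mode

  # Validate every input BEFORE touching the firewall, so an invalid choice
  # cannot leave UFW enabled with default-deny and a half-applied rule set.
  case "$access_mode" in
    1|2) ;;
    3)
      read -r -p "Enter IP or subnet (e.g., 192.168.1.0/24 or 10.0.0.5): " custom_source
      if ! is_valid_source "$custom_source"; then
        echo "❌ '$custom_source' is not a valid IP address or CIDR block. Aborting."
        return 1
      fi
      ;;
    *)
      echo "❌ Invalid choice. Aborting."
      return 1
      ;;
  esac

  # Rules first, enable last: SSH must already be allowed when the
  # default-deny policy becomes active, otherwise a remote session can be
  # locked out.
  echo "✅ Allowing SSH (port 22)..."
  sudo ufw allow 22/tcp
  echo "🛡️ Setting default policies..."
  sudo ufw default deny incoming
  sudo ufw default allow outgoing

  # Allow lab ports based on access mode
  case "$access_mode" in
    1)
      # LAN only - the three RFC 1918 private ranges
      echo "🏠 Configuring LAN-only access..."
      for port in "${!LAB_PORTS[@]}"; do
        echo " ✅ Allowing ${LAB_PORTS[$port]} (port $port) from LAN"
        sudo ufw allow from 192.168.0.0/16 to any port "$port" proto tcp
        sudo ufw allow from 172.16.0.0/12 to any port "$port" proto tcp
        sudo ufw allow from 10.0.0.0/8 to any port "$port" proto tcp
      done
      ;;
    2)
      # From anywhere (less secure)
      echo "🌍 Configuring access from anywhere..."
      for port in "${!LAB_PORTS[@]}"; do
        echo " ✅ Allowing ${LAB_PORTS[$port]} (port $port) from anywhere"
        sudo ufw allow "$port"/tcp
      done
      ;;
    3)
      # Specific IP/subnet, already validated above
      echo "🎯 Configuring access from $custom_source..."
      for port in "${!LAB_PORTS[@]}"; do
        echo " ✅ Allowing ${LAB_PORTS[$port]} (port $port) from $custom_source"
        sudo ufw allow from "$custom_source" to any port "$port" proto tcp
      done
      ;;
  esac

  # Database ports - deny from the network; UFW does not filter loopback
  # traffic, so local clients on the host can still reach them.
  echo ""
  echo "🔒 Securing database ports (localhost only)..."
  for port in "${!DB_PORTS[@]}"; do
    echo " ✅ ${DB_PORTS[$port]} (port $port) - localhost only"
    sudo ufw deny "$port"/tcp
  done

  # Everything is staged; now activate and show the result.
  echo ""
  echo "🔓 Enabling UFW..."
  sudo ufw --force enable
  echo "🔄 Reloading firewall..."
  sudo ufw reload
  echo ""
  echo "✅ Firewall configuration complete!"
  echo ""
  sudo ufw status numbered
}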
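#######################################
# Remove the UFW rules that setup_firewall_rules adds: the per-port allow
# rules for LAB_PORTS (anywhere and the three private LAN ranges) and the
# deny rules for DB_PORTS. Rules for a custom source (access mode 3) are
# not tracked and must be removed by hand from `ufw status numbered`.
# Globals:   LAB_PORTS, DB_PORTS (read)
# Arguments: none (confirmation prompt on stdin)
# Outputs:   progress to stdout, then `ufw status numbered`
# Returns:   0 on success, 1 if the operator cancels
#######################################
remove_firewall_rules() {
  local confirm port
  echo "🔥 Removing Security Lab firewall rules..."
  echo ""
  read -r -p "⚠️ This will remove lab port rules. Continue? (yes/no): " confirm
  if [[ "$confirm" != "yes" ]]; then
    echo "❌ Cancelled."
    return 1
  fi
  # `ufw delete` reports an error for a rule that does not exist; since only
  # one access mode's rules are present at a time, that noise is expected
  # and is silenced on purpose.
  for port in "${!LAB_PORTS[@]}"; do
    echo " 🗑️ Removing rules for ${LAB_PORTS[$port]} (port $port)"
    sudo ufw delete allow "$port"/tcp 2>/dev/null
    sudo ufw delete allow from 192.168.0.0/16 to any port "$port" proto tcp 2>/dev/null
    sudo ufw delete allow from 172.16.0.0/12 to any port "$port" proto tcp 2>/dev/null
    sudo ufw delete allow from 10.0.0.0/8 to any port "$port" proto tcp 2>/dev/null
  done
  # Also drop the deny rules that setup_firewall_rules adds for the databases.
  for port in "${!DB_PORTS[@]}"; do
    echo " 🗑️ Removing deny rule for ${DB_PORTS[$port]} (port $port)"
    sudo ufw delete deny "$port"/tcp 2>/dev/null
  done
  echo ""
  echo "✅ Lab firewall rules removed!"
  echo "ℹ️ Rules for a custom IP/subnet (access mode 3) are not removed automatically; check the list below."
  sudo ufw status numbered
}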
#######################################
# Turn UFW off entirely after an explicit "yes" from the operator.
# Arguments: none (confirmation prompt on stdin)
# Outputs:   status messages to stdout
# Returns:   0 (whether disabled or cancelled)
#######################################
disable_firewall() {
  printf '🔓 Disabling firewall...\n'
  read -p "⚠️ This will disable UFW completely. Continue? (yes/no): " confirm
  [[ "$confirm" == "yes" ]] || { printf '❌ Cancelled.\n'; return 0; }
  sudo ufw disable
  printf '✅ Firewall disabled!\n'
}
#######################################
# Print `ufw status verbose` followed by the configured lab ports in
# ascending numeric order.
# Globals:   LAB_PORTS (read)
# Outputs:   firewall status and port table to stdout
#######################################
show_firewall_status() {
  printf '🔥 Firewall Status:\n\n'
  sudo ufw status verbose
  printf '\n📋 Expected Lab Ports:\n'
  # Sort the keys first, then format each one; %5s right-aligns the port.
  printf '%s\n' "${!LAB_PORTS[@]}" | sort -n | while IFS= read -r port; do
    printf ' Port %5s - %s\n' "$port" "${LAB_PORTS[$port]}"
  done
}
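# --- Menu helpers ---

#######################################
# Run `docker compose` inside COMPOSE_DIR without changing the menu loop's
# working directory (the cd happens in a subshell).
# Globals:   COMPOSE_DIR (read)
# Arguments: compose subcommand and flags, e.g. `up -d`
# Returns:   1 if COMPOSE_DIR does not exist, else the compose exit status
#######################################
compose_in_lab_dir() {
  if [[ ! -d "$COMPOSE_DIR" ]]; then
    echo "❌ Directory not found!"
    return 1
  fi
  echo "📂 Navigating to: $COMPOSE_DIR"
  ( cd -- "$COMPOSE_DIR" && sudo docker compose "$@" )
}

#######################################
# Print the configured lab ports in ascending numeric order on one line.
# Globals:   LAB_PORTS (read)
# Outputs:   space-separated ports to stdout
#######################################
lab_ports_sorted() {
  printf '%s\n' "${!LAB_PORTS[@]}" | sort -n | tr '\n' ' '
}

#######################################
# Build an extended regex matching a lab port in ss's local-address column
# ("0.0.0.0:3000 ", "[::]:3000 "). Derived from LAB_PORTS so the listening-
# port check stays in sync with the configuration at the top of the file,
# and anchored on ':' and trailing whitespace so 13000 or a PID does not
# count as a match.
# Globals:   LAB_PORTS (read)
# Outputs:   the regex to stdout
#######################################
lab_ports_regex() {
  local joined
  # ${!arr[*]} joins the keys with the first character of IFS.
  joined=$(IFS='|'; printf '%s' "${!LAB_PORTS[*]}")
  printf ':(%s)([[:space:]]|$)' "$joined"
}

# --- Main Menu Loop ---
while true; do
  clear
  echo "===== DOCKER MAINTENANCE MENU ====="
  echo "--- Container Management ---"
  echo "1) Start containers (docker compose up -d)"
  echo "2) Stop containers (docker compose down)"
  echo "3) Restart all running containers"
  echo "4) Show running containers"
  echo "5) Show ALL containers (including stopped)"
  echo "6) Show logs of a container"
  echo "7) Exec into a container shell"
  echo ""
  echo "--- System Management ---"
  echo "8) Docker disk usage report"
  echo "9) Cleanup (unused images/volumes/networks)"
  echo "10) Aggressive cleanup (⚠️ removes EVERYTHING!)"
  echo "11) Check Docker service status"
  echo "12) Check listening ports (all lab apps)"
  echo "13) View container resource usage"
  echo ""
  echo "--- Firewall Management ---"
  echo "14) Setup firewall rules for lab"
  echo "15) Remove lab firewall rules"
  echo "16) Show firewall status"
  echo "17) Disable firewall (⚠️ not recommended)"
  echo ""
  echo "18) Exit"
  echo "====================================="
  # Exit cleanly on EOF (stdin closed) instead of spinning forever on the
  # invalid-choice branch.
  read -r -p "Choose an option: " choice || exit 0
  case "$choice" in
    1)
      compose_in_lab_dir up -d
      ;;
    2)
      compose_in_lab_dir down
      ;;
    3)
      echo "🔄 Restarting all running containers..."
      # `docker restart` with no IDs is an error, so check for an empty list first.
      mapfile -t running < <(sudo docker ps -q)
      if (( ${#running[@]} == 0 )); then
        echo "⚠️ No running containers."
      else
        sudo docker restart "${running[@]}"
      fi
      ;;
    4)
      echo "📋 Running containers:"
      sudo docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
      ;;
    5)
      echo "📋 All containers:"
      sudo docker ps -a --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
      ;;
    6)
      read -r -p "Enter container name: " cname
      sudo docker logs -f "$cname"
      ;;
    7)
      read -r -p "Enter container name: " cname
      echo "🐚 Trying /bin/bash first..."
      # Fall back to /bin/sh for images that do not ship bash.
      sudo docker exec -it "$cname" /bin/bash 2>/dev/null || \
        { echo "⚠️ /bin/bash not found, trying /bin/sh..."; sudo docker exec -it "$cname" /bin/sh; }
      ;;
    8)
      echo "💾 Docker disk usage:"
      sudo docker system df -v
      ;;
    9)
      echo "🧹 Starting cleanup of unused resources..."
      sudo docker system prune -f
      sudo docker volume prune -f
      sudo docker network prune -f
      echo "✅ Cleanup complete!"
      ;;
    10)
      read -r -p "⚠️ This will DELETE EVERYTHING! Type 'DELETE' to confirm: " confirm
      if [[ "$confirm" == "DELETE" ]]; then
        echo "💣 Nuclear cleanup initiated..."
        compose_in_lab_dir down -v
        # Unquoted $(...) is intentional: docker wants one argument per ID.
        # stderr is silenced because these commands complain when the list is
        # empty; the final `system prune -a --volumes` catches any leftovers.
        # shellcheck disable=SC2046
        sudo docker stop $(sudo docker ps -aq) 2>/dev/null
        # shellcheck disable=SC2046
        sudo docker rm -f $(sudo docker ps -aq) 2>/dev/null
        # shellcheck disable=SC2046
        sudo docker rmi -f $(sudo docker images -aq) 2>/dev/null
        # shellcheck disable=SC2046
        sudo docker volume rm $(sudo docker volume ls -q) 2>/dev/null
        sudo docker network prune -f
        sudo docker system prune -a --volumes -f
        echo "✅ Complete wipe finished!"
      else
        echo "❌ Cancelled (must type 'DELETE' exactly)."
      fi
      ;;
    11)
      echo "🐳 Docker service status:"
      sudo systemctl status docker
      ;;
    12)
      echo "🔌 Checking listening ports for lab applications..."
      echo "Expected ports: $(lab_ports_sorted)"
      echo ""
      sudo ss -tlnp | grep -E "$(lab_ports_regex)" || echo "⚠️ No matching ports found"
      ;;
    13)
      echo "📊 Container resource usage:"
      sudo docker stats --no-stream --format "table {{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.NetIO}}"
      ;;
    14)
      setup_firewall_rules
      ;;
    15)
      remove_firewall_rules
      ;;
    16)
      show_firewall_status
      ;;
    17)
      disable_firewall
      ;;
    18)
      echo "👋 Goodbye Mr. Taiwo Micheal!"
      exit 0
      ;;
    *)
      echo "❌ Invalid choice!"
      sleep 2
      ;;
  esac
  echo
  read -r -p "Press Enter to continue..." _ || exit 0
done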