OS Configuration Docker
I'm using Ubuntu 16.04 LTS Server for compatibility with most tools available. Other flavors of Linux can be used, but I'll be writing this guide with Ubuntu 16.04 in mind.
Configure your management interface as you would any other server. Either leverage DHCP or static addresses, whichever your network calls for.
Now we'll configure the other port to monitor traffic from.
Find the name of the device that you'll be monitoring from. In this example, we're concerned with enp8s0 (YAY SYSTEMD NAMING).
root@grIDS:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
<SNIP>
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
<SNIP>
3: enp7s0: <NO-CARRIER,BROADCAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:0a:cd:21:47:23 brd ff:ff:ff:ff:ff:ff
4: enp8s0: <BROADCAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0a:cd:21:47:24 brd ff:ff:ff:ff:ff:ff
inet6 fe80::20a:cdff:fe21:4724/64 scope link
valid_lft forever preferred_lft forever
root@grIDS:~# ip link set enp8s0 multicast off
root@grIDS:~# ip link set enp8s0 promisc on
root@grIDS:~# ip link set enp8s0 up
Validating traffic is difficult if you're not aware of what might be passing through the network. The best approach I've found to ensure you're not only seeing broadcast traffic is to use tcpdump to check that you're seeing common network traffic like HTTP/DNS/etc. Try navigating to a site that uses only HTTP (ragu.com is an option).
root@grIDS:~# tcpdump -i $INTERFACE port 80
Now that the configuration has been validated, save these settings to /etc/network/interfaces, where $INTERFACE is the name of the interface you configured earlier. The `up` commands must sit under an `iface` stanza for that interface; `inet manual` keeps it address-less, since a capture port should not be reachable on the network:
auto $INTERFACE
iface $INTERFACE inet manual
    up ip link set $INTERFACE multicast off
    up ip link set $INTERFACE up
    up ip link set $INTERFACE promisc on
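As an added example (not part of the grIDS guide), the following script checks that a capture interface is in the state the steps above produce (UP with carrier, PROMISC set, MULTICAST cleared) by parsing the first line of `ip link show` output, and renders the matching /etc/network/interfaces stanza. The sample `ip link` lines are constructed after the output shown above; on a live host feed it `ip link show "$INTERFACE" | head -n 1` instead.

```shell
#!/bin/sh
# Added example, not from the grIDS wiki: validate the monitor port's link flags.

# Return 0 if the <...> flag list in an `ip link` line ($1) contains flag $2.
has_flag() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Return 0 only when the interface can act as a SPAN/tap sink:
# administratively up, carrier present, promiscuous, not joining multicast groups.
check_monitor_iface() {
    line=$1
    has_flag "$line" UP       || { echo "interface is not up"; return 1; }
    has_flag "$line" LOWER_UP || { echo "no carrier: check the SPAN/tap cable"; return 1; }
    has_flag "$line" PROMISC  || { echo "promiscuous mode is off"; return 1; }
    if has_flag "$line" MULTICAST; then
        echo "multicast is still enabled"; return 1
    fi
    echo "interface looks good for capture"
    return 0
}

# Print the /etc/network/interfaces stanza that makes the settings persistent.
# 'inet manual' assigns no address: a capture port should not be reachable.
iface_stanza() {
    cat <<EOF
auto $1
iface $1 inet manual
    up ip link set $1 multicast off
    up ip link set $1 up
    up ip link set $1 promisc on
EOF
}

# Constructed sample lines in `ip link show` format (MACs mirror the page's example).
GOOD_LINE='4: enp8s0: <BROADCAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000'
NOCARRIER_LINE='3: enp7s0: <NO-CARRIER,BROADCAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000'
MGMT_LINE='2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000'

check_monitor_iface "$GOOD_LINE"       # passes
check_monitor_iface "$NOCARRIER_LINE"  # fails: no carrier
check_monitor_iface "$MGMT_LINE"       # fails: promisc off (a management port, not a sniffer)
iface_stanza enp8s0
```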
Add the Docker GPG key to your system:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
Add the Docker repositories to your APT sources:
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
Update your APT sources and install Docker:
sudo apt-get update
sudo apt-get install docker-ce
Add your non-root user to the Docker group to execute Docker commands without sudo:
sudo usermod -aG docker ${USER}
Log out and log back in to have the right account permissions.