Add setup instructions
This commit is contained in:
nemunaire
parent
b135e7f6f6
commit
27f9e7e372
48
README.md
48
README.md
@ -1,10 +1,12 @@
|
|||||||
# FIC forensic challenge validation server
|
FIC forensic challenge validation server
|
||||||
|
========================================
|
||||||
|
|
||||||
This is a CTF server for distributing and validating exercices. It is design to
|
This is a CTF server for distributing and validating exercices. It is design to
|
||||||
be robust, so it uses some uncommon technologies like client certificate for
|
be robust, so it uses some uncommon technologies like client certificate for
|
||||||
authentication, cryptographic functions and DMZ network architecture.
|
authentication, cryptographic functions and DMZ network architecture.
|
||||||
|
|
||||||
## Development and testing
|
Development and testing
|
||||||
|
-----------------------
|
||||||
|
|
||||||
The easiest way to have a working server is to build a Docker container.
|
The easiest way to have a working server is to build a Docker container.
|
||||||
|
|
||||||
@ -32,17 +34,53 @@ Use `docker ps` to view to which local ports was assigned the contained
|
|||||||
webserver.
|
webserver.
|
||||||
|
|
||||||
|
|
||||||
## Production environnement
|
Production environnement
|
||||||
|
------------------------
|
||||||
|
|
||||||
### Setup
|
### Setup
|
||||||
|
|
||||||
|
You should compile/install hardened kernel (with latest stable GrSec patch) on
|
||||||
|
each machine.
|
||||||
|
|
||||||
|
Prefer GNU/Linux distributions where most packages are compiled with `-fPIC`
|
||||||
|
and `-fstack-protector`, like Ubuntu or
|
||||||
|
[Gentoo Hardened](http://www.gentoo.org/proj/en/hardened/).
|
||||||
|
|
||||||
#### Frontend
|
#### Frontend
|
||||||
|
|
||||||
FIXME
|
Keep in mind that this is the machine exposed to participant.
|
||||||
|
|
||||||
|
##### Requirements
|
||||||
|
|
||||||
|
* `nginx` with those modules: `aio` (for fast delivery of huge
|
||||||
|
content), `fastcgi`, `rewrite`, `ssl`;
|
||||||
|
* `php-fpm` with `mcrypt` module (for submission encryption);
|
||||||
|
|
||||||
|
##### Firewall rules
|
||||||
|
|
||||||
|
Expose to participants only 80 and 443 ports.
|
||||||
|
|
||||||
|
Expose on synchronization interface the 22 port, used for synchronization and
|
||||||
|
administration purpose from backend.
|
||||||
|
|
||||||
|
DROP **has to be** the default rule for INPUT, FORWARD and OUTPUT chains; use
|
||||||
|
CONNTRACK states.
|
||||||
|
|
||||||
|
|
||||||
#### Backend
|
#### Backend
|
||||||
|
|
||||||
FIXME
|
##### Requirements
|
||||||
|
|
||||||
|
* `mysql`;
|
||||||
|
* `nginx` with `fastcgi` module;
|
||||||
|
* `php-fpm` with `mysql` module;
|
||||||
|
* `openssl` and `pwgen` for client certificat generation;
|
||||||
|
* `Mcrypt` from CPAN (`cpan -i Mcrypt`) to decrypt submissions (see https://metacpan.org/pod/Mcrypt);
|
||||||
|
|
||||||
|
##### Firewall rules
|
||||||
|
|
||||||
|
This machine shouldn't have any network connection, except outgoing one to the
|
||||||
|
frontend for synchronization.
|
||||||
|
|
||||||
|
|
||||||
### History
|
### History
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user