Don't forget to crypt disks
parent 27f9e7e372
commit 76269a821d
16
README.md
@ -5,7 +5,7 @@ This is a CTF server for distributing and validating exercices. It is design to
|
|||||||
be robust, so it uses some uncommon technologies like client certificate for
|
be robust, so it uses some uncommon technologies like client certificate for
|
||||||
authentication, cryptographic functions and DMZ network architecture.
|
authentication, cryptographic functions and DMZ network architecture.
|
||||||
|
|
||||||
Development and testing
|
Development And Testing
|
||||||
-----------------------
|
-----------------------
|
||||||
|
|
||||||
The easiest way to have a working server is to build a Docker container.
|
The easiest way to have a working server is to build a Docker container.
|
||||||
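Review bot: The heading change from "Development and testing" to "Development And Testing" is a cosmetic edit unrelated to the commit subject (disk encryption), and it leaves the README inconsistent because "##### Firewall rules" further down keeps sentence case. Either drop this change from the commit or apply one capitalisation style to every heading.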
@ -34,7 +34,7 @@ Use `docker ps` to view to which local ports was assigned the contained
|
|||||||
webserver.
|
webserver.
|
||||||
|
|
||||||
|
|
||||||
Production environnement
|
Production Environnement
|
||||||
------------------------
|
------------------------
|
||||||
|
|
||||||
### Setup
|
### Setup
|
||||||
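Review bot: "Production Environnement" is still misspelled on the line this hunk rewrites. Since the heading is being touched anyway, correct it to "Production Environment" and adjust the dashed underline to the new heading length.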
@ -46,6 +46,11 @@ Prefer GNU/Linux distributions where most packages are compiled with `-fPIC`
|
|||||||
and `-fstack-protector`, like Ubuntu or
|
and `-fstack-protector`, like Ubuntu or
|
||||||
[Gentoo Hardened](http://www.gentoo.org/proj/en/hardened/).
|
[Gentoo Hardened](http://www.gentoo.org/proj/en/hardened/).
|
||||||
|
|
||||||
|
As machines aren't always in safe place (transportation, night before CTF,
|
||||||
|
...), disks should be encrypted.
|
||||||
|
|
||||||
|
**Always set strong password when it is possible** eg. SSL certificats, ...
|
||||||
|
|
||||||
#### Frontend
|
#### Frontend
|
||||||
|
|
||||||
Keep in mind that this is the machine exposed to participant.
|
Keep in mind that this is the machine exposed to participant.
|
||||||
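Review bot: The added paragraph says disks "should be encrypted" but does not say which machines or volumes are meant, with what tool, or how a machine is unlocked after a reboot, so an operator following the Setup section cannot act on it. State the scope (frontend, backend, or both) and the unlock procedure. In the next added line, "SSL certificats" should read "SSL certificates" and "eg." should be "e.g."; a certificate itself carries no password, so name what is actually protected, such as the private key passphrase.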
@ -75,6 +80,7 @@ CONNTRACK states.
|
|||||||
* `nginx` with `fastcgi` module;
|
* `nginx` with `fastcgi` module;
|
||||||
* `php-fpm` with `mysql` module;
|
* `php-fpm` with `mysql` module;
|
||||||
* `openssl` and `pwgen` for client certificat generation;
|
* `openssl` and `pwgen` for client certificat generation;
|
||||||
|
* `mcrypt`;
|
||||||
* `Mcrypt` from CPAN (`cpan -i Mcrypt`) to decrypt submissions (see https://metacpan.org/pod/Mcrypt);
|
* `Mcrypt` from CPAN (`cpan -i Mcrypt`) to decrypt submissions (see https://metacpan.org/pod/Mcrypt);
|
||||||
|
|
||||||
##### Firewall rules
|
##### Firewall rules
|
||||||
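Review bot: The new `mcrypt` bullet gives no purpose, unlike the neighbouring entries ("for client certificat generation", "to decrypt submissions"), and it sits directly above the CPAN `Mcrypt` entry without saying how the two relate. Say whether it is the library the Perl module builds against or a separate command-line tool, and what uses it on this machine.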
@ -97,3 +103,9 @@ machine to connect to the frontend (over IPv6). The second interface on the
|
|||||||
backend was used for administration purpose (with a laptop not connected to
|
backend was used for administration purpose (with a laptop not connected to
|
||||||
Internet). The second interface on the frontend was used to provide network
|
Internet). The second interface on the frontend was used to provide network
|
||||||
connectivity to participants.
|
connectivity to participants.
|
||||||
|
|
||||||
|
|
||||||
|
The D Day
|
||||||
|
---------
|
||||||
|
|
||||||
|
TODO
|
||||||
|
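Review bot: The added "The D Day" section contains only "TODO", so the README gains a heading with no content, and it is unrelated to the disk encryption change named in the commit subject. Leave the section out until there is text for it, or move it to a separate commit with at least an outline of the event-day steps.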