fic/server
2
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity
9a57642029
server/README.md

3.1 KiB
Raw Blame History

FIC forensic challenge validation server

This is a CTF server for distributing and validating exercices. It is design to be robust, so it uses some uncommon technologies like client certificate for authentication, cryptographic functions and DMZ network architecture.

Development And Testing

The easiest way to have a working server is to build a Docker container.

Docker

First, build the container with the following command:

docker build -t fic .

Then, run it with:

docker run -t -i -P fic

It will ask you for a passphrase, you must provide one with at least 4 characters. This key is used to generate the server certificate.

When you see:

root@xxxxxxxxxxxx:/var/www/fic-server/misc#

congratulations, the container is running!

Use docker ps to view to which local ports was assigned the contained webserver.

Production Environnement

Setup

You should compile/install hardened kernel (with latest stable GrSec patch) on each machine.

Prefer GNU/Linux distributions where most packages are compiled with -fPIC and -fstack-protector, like Ubuntu or Gentoo Hardened.

As machines aren't always in safe place (transportation, night before CTF, ...), disks should be encrypted.

Always set strong password when it is possible eg. SSL certificats, ...

Frontend

Keep in mind that this is the machine exposed to participant.

Requirements
  • nginx with those modules: aio (for fast delivery of huge content), fastcgi, rewrite, ssl;
  • php-fpm with mcrypt module (for submission encryption);
Firewall rules

Expose to participants only 80 and 443 ports.

Expose on synchronization interface the 22 port, used for synchronization and administration purpose from backend.

DROP has to be the default rule for INPUT, FORWARD and OUTPUT chains; use CONNTRACK states.

Backend

Requirements
  • mysql;
  • nginx with fastcgi module;
  • php-fpm with mysql module;
  • openssl and pwgen for client certificat generation;
  • mcrypt;
  • Mcrypt from CPAN (cpan -i Mcrypt, on Debian, it requires libtool and build-essential) to decrypt submissions (see https://metacpan.org/pod/Mcrypt);
Firewall rules

This machine shouldn't have any network connection, except outgoing one to the frontend for synchronization.

Others setups

Indicate in /etc/hosts.conf IP(s) of the frontend.

History

FIC2014

Two machines were used : one for backend (Deimos) and one for frontend (Phobos). They ran a GNU/Linux Gentoo Hardened with custom 3.2 kernel without module loading, unused and unecessary components and with all GrSecurity features activated.

Each machine was two network interfaces: one was used to permit to the backend machine to connect to the frontend (over IPv6). The second interface on the backend was used for administration purpose (with a laptop not connected to Internet). The second interface on the frontend was used to provide network connectivity to participants.

The D Day

TODO