FIC forensic challenge validation server
========================================

This is a CTF server for distributing and validating exercises. It is designed to
be robust, so it uses some uncommon technologies like client certificates for
authentication, cryptographic functions and a DMZ network architecture.

Development And Testing
-----------------------

The easiest way to have a working server is to build a Docker container.

### Docker

First, build the container with the following command:

```
docker build -t fic .
```

Then, run it with:

```
docker run -t -i -P fic
```

It will ask you for a passphrase; you must provide one with at least 4
characters. This key is used to generate the server certificate.

When you see:

```
root@xxxxxxxxxxxx:/var/www/fic-server/misc#
```

congratulations, the container is running!

Use `docker ps` to see which local ports were assigned to the container's
web server.

Production Environment
----------------------

### Setup

You should compile/install a hardened kernel (with the latest stable GrSec patch) on
each machine.

Prefer GNU/Linux distributions where most packages are compiled with `-fPIC`
and `-fstack-protector`, like Ubuntu or
[Gentoo Hardened](http://www.gentoo.org/proj/en/hardened/).

As machines aren't always in a safe place (transportation, the night before the
CTF, ...), disks should be encrypted.

**Always set a strong password when it is possible**, e.g. on SSL certificates, ...

#### Frontend

Keep in mind that this is the machine exposed to participants.

##### Requirements

* `nginx` with these modules: `aio` (for fast delivery of huge
  content), `fastcgi`, `rewrite`, `ssl`;
* `php-fpm` with the `mcrypt` module (for submission encryption);

##### Firewall rules

Expose only ports 80 and 443 to participants.

Expose port 22 on the synchronization interface; it is used for synchronization
and administration purposes from the backend.

DROP **has to be** the default rule for the INPUT, FORWARD and OUTPUT chains; use
CONNTRACK states.

#### Backend

##### Requirements

* `realpath`;
* `mysql`;
* `nginx` with the `fastcgi` module;
* `php-fpm` with the `mysql` module;
* `openssl` and `pwgen` for client certificate generation;
* `mcrypt`;
* `HTTP::Request::Common` perl module (provided by `libwww-perl`);
* `Digest::Whirlpool` perl module (provided by `libdigest-whirlpool-perl`);
* `Mcrypt` from CPAN (`cpan -i Mcrypt`; on Debian, it requires `libltdl-dev` and
  `build-essential`) to decrypt submissions (see
  https://metacpan.org/pod/Mcrypt);

##### Firewall rules

This machine shouldn't have any network connection, except an outgoing one to the
frontend for synchronization.
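As an added example (not part of the fic-server project), here is a POSIX shell helper that turns the two firewall policies described above, the frontend's (only ports 80 and 443 to participants, port 22 on the synchronization interface for the backend, DROP as the default for INPUT, FORWARD and OUTPUT with CONNTRACK states) and the backend's (no connectivity except outgoing to the frontend for synchronization), into an `iptables-restore` ruleset. Interface names and peer addresses are parameters; the `eth0`, `eth1` and `192.0.2.x` values in the comments are constructed placeholders, not the project's configuration.

```shell
#!/bin/sh
# Added example, not part of the fic-server project: emit an iptables-restore
# ruleset for either machine. Interface names and addresses are parameters;
# the values in the usage lines below are constructed placeholders.
#
#   sh fic_fw.sh frontend <participant_if> <sync_if> <backend_addr> | iptables-restore
#   sh fic_fw.sh backend  <sync_if> <frontend_addr>                 | iptables-restore
#
# e.g.  sh fic_fw.sh frontend eth0 eth1 192.0.2.20
#       sh fic_fw.sh backend  eth1 192.0.2.10

# Policy shared by both roles: DROP is the default for INPUT, FORWARD and
# OUTPUT; loopback is open; only conntrack-tracked replies get back in or out.
fic_fw_common() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# fic_fw_rules ROLE ARGS... : print the complete ruleset for ROLE on stdout.
fic_fw_rules() {
    role=$1
    case "$role" in
        frontend)
            participant_if=$2 sync_if=$3 backend_addr=$4
            if [ -z "$backend_addr" ]; then
                echo "usage: fic_fw_rules frontend <participant_if> <sync_if> <backend_addr>" >&2
                return 1
            fi
            fic_fw_common
            # Participants only ever reach the web server: new connections to 80 and 443.
            printf '%s\n' "-A INPUT -i $participant_if -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT"
            # Synchronization/administration over SSH: only from the backend, only on the sync interface.
            printf '%s\n' "-A INPUT -i $sync_if -s $backend_addr -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
            ;;
        backend)
            sync_if=$2 frontend_addr=$3
            if [ -z "$frontend_addr" ]; then
                echo "usage: fic_fw_rules backend <sync_if> <frontend_addr>" >&2
                return 1
            fi
            fic_fw_common
            # The backend initiates nothing but the SSH synchronization to the frontend.
            # No rule opens INPUT beyond tracked replies, so nothing can connect in.
            printf '%s\n' "-A OUTPUT -o $sync_if -d $frontend_addr -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
            ;;
        *)
            echo "fic_fw_rules: unknown role '$role' (expected frontend or backend)" >&2
            return 1
            ;;
    esac
    echo COMMIT
}

# When run as a script with arguments, print the requested ruleset.
if [ "$#" -gt 0 ]; then
    fic_fw_rules "$@"
fi
```

Review the generated ruleset before applying it. On an IPv6 synchronization link (as used at FIC2014) feed the same output to `ip6tables-restore` and additionally accept ICMPv6 neighbour discovery, which the DROP default would otherwise block.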

##### Other setup

Indicate the IP(s) of the frontend in `/etc/hosts.conf`.

### History

#### FIC2014

Two machines were used: one for the backend (Deimos) and one for the frontend
(Phobos). They ran Gentoo Hardened GNU/Linux with a custom 3.2 kernel, built
without module loading and without unused or unnecessary components, and with
all GrSecurity features activated.

Each machine had two network interfaces: one was used to let the backend
machine connect to the frontend (over IPv6). The second interface on the
backend was used for administration purposes (with a laptop not connected to
the Internet). The second interface on the frontend was used to provide network
connectivity to participants.

The D Day
---------

TODO