Linux college class assignment help
Mac Elite
Join Date: Oct 1999
Location: Where ever the Geekmobile is
*Mods - If this post doesn't belong here, please feel free to move it to the lounge*
Okay, before I go and inadvertently raise red flags, allow me to explain that this is a legit request for help. Also, I apologize for this long entry, but I need to be very detailed with this request.
Currently I am learning RH8 in my Operating System class, here at New Hampshire Technical Inst. We are starting to learn using Linux as a server. To make a point about security, our instructor, who is also a white hat hacker, has decided that our weekly test will be to take down other people's Apache servers. To me and a few other people I talk to in class it's obvious that he wants to see if we've been paying attention. During the last class we did fresh reinstalls of RH8. From the beginning of this course we have all used the same p/w for root; however, he also had us set up accounts with unique user names, but the same p/w. Also, during the reinstall, he had us select "no firewall" during setup.
His plan is to disconnect us from the rest of the school's network, write everyone's IP on the board and see if we've taken the proper security measures, and can keep our servers going.
Now I myself do have a plan in place which looks like this (coming into the next class we'll have 30 mins to get our servers ready):
DEFENSE:
During the prep time I'm going to:
-turn on the firewall to highest settings, leaving only port 80 open for Apache which must remain active for this exercise.
-change all passwords (like I said, the two accounts that are on there now all have the same p/w as everyone else)
-Not visit other students' websites *
OFFENSE:
-As I believe about 1/2 to 2/3 of the class will forget to activate the firewall and change their p/ws, I'm planning on using SSH to log in to their systems, change their p/ws, then execute 'init 0'. As we have not talked about SSH in class yet (or telnet), most students don't know about it.
*The problem comes from the instructor himself. During lab time last week, we used the time to prepare for this upcoming class (only a few of us stayed). To give an idea of what we can do, he wrote a small web page, whose code (I forgot to save to disk and bring back with me) called on VIM editor and nothing else. Although he didn't do it to me (so I didn't get to see what happens), after other students went to this page (which had no viewable content) the instructor went back to his comp and did something that definitely got a reaction out of the students who had gone to his page.
Obviously, I want to know what it was he did, and how he did it.
Also, can I put command scripts in a webpage? I'm hoping I can so I can write a script that executes init 0 when persons go to my server (this will be very effective on those who did remember to activate the firewall and change p/w).
And if you're wondering what we get for doing this: the last student standing with his server still running will get 20 bonus points on the final (if that isn't motivation I don't know what is). ALSO, the instructor WILL be joining us in this exercise, so we have to go against HIM TOO (remember he's a white hat hacker!). Any and all help with this will be very much appreciated.
iGeek
Baninated
Join Date: Jun 2000
Location: Cambridge, Chicago, Jerusalem (school/home/heart)
Seems like you got a good idea already. Maybe try some iptables stuff to further augment your firewall?
Try to restrict any incoming traffic other than your local host. iptables can make you unpingable, etc.
Dedicated MacNNer
Join Date: Nov 2002
Location: Rouge River
Originally posted by bstone:
Seems like you got a good idea already. Maybe try some iptables stuff to further augment your firewall?
Try to restrict any incoming traffic other than your local host. iptables can make you unpingable, etc.
Yeah, but if the instructor wants the web page to be viewable then you can't do that.
Another thing to do is look at your services. Check ps auxw and turn off everything you don't need. For example, you want apache and sshd running, but don't need an ftp daemon, a mail daemon etc. Turn all that crap off.
As for the scripts, I suppose it's doable. If you can convince the browser to download/run a little bash script, then you can (since he knows the passwords) run a vim editing session and wipe stuff out.
Great assignment by the way; this prof sounds like a ton of fun.
Swimming upstream since 1994.
Mac Elite
Join Date: May 2001
Location: Earth
I would make sure all the available security patches are installed (obviously Apache security fixes).
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
First, drop into runlevel 3 instead of runlevel 5. This will kill off Gnome/KDE and switch you to a command-line only install with networking.
Next, go into /etc/rc3.d/init.d and disable any services you don't need. Also, edit inetd.conf and comment out any inetd services you don't need. Do the same for xinetd by going into /etc/xinetd/ and removing any scripts for services you don't need.
Make sure you have sendmail off. Make sure that you patch your openSSL (used by ssh for encryption) to close the buffer overflow vulnerabilities that were found recently and fixed.
If you want to do a DoS attack on your classmates, don't init 0 the boxes when you get in. Instead, kill off apache and start up a flood attack on one of the remaining servers using wget and a shell script and lots of fork() calls
Sounds like a fun assignment.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Easy!
Log in to your server.
(as root)
1. Change the root password
2. Run redhat-config-security and set it to highest level but leave port 80 (httpd) open (you may also want to leave port 22 (ssh) open if you want to be able to remote admin the box).
3. Apply ALL patches.. run up2date.
4. Turn off ALL non-essential services.. run redhat-config-services and make sure that only the services you want (or need) are turned on (checked). The services you should leave ON are:
anacron
apmd
atd
autofs
crond
gpm
httpd (for web server)
iptables
keytable
kudzu
network
random
rawdevices
rhnsd
sgi-fam
sshd (for sshd server)
syslog
xinetd
5. At this point you should be OK but check your ports... run nmap localhost which should give you an idea of how exposed you are. If anything is left open that you don't want open go back and stop the service (use redhat-config-services).
6. Since this system has been exposed to the other students for a while you may want to run a few simple checks to make sure that nothing has been changed.. run rpm -Va > rpmdump (it will take a while to run). Then check the resulting file with less rpmdump. To understand what each field means you will want to read man rpm under the Verify section. Don't be alarmed that a lot of things seem to be flagged as modified... this is normal. You will want to check certain files that are flagged... especially things that are in /etc and anything in /bin or /sbin.
Once you have checked everything you should be pretty much set.
Too bad you weren't paying attention when the other students had something weird happen when browsing the instructor's webpage. It is extremely unlikely that you will be able to load a script that will shut down other students' machines (init 0) via httpd. In order for that to happen they would have to be running a web browser as the root user (bad!). If such a thing is possible I would be interested in a copy of that script ;-)
-DU-...etc...
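
An added example, not part of the post above or any poster's own script: a shell filter that triages the `rpm -Va > rpmdump` output from step 6, keeping only entries under /etc, /bin and /sbin and separating expected config edits from changed binaries. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Triage `rpm -Va` output (step 6 above). Each line is an attribute string
# (S size, M mode, 5 digest, U user, G group, T mtime, ...) or "missing",
# an optional "c" marker for config files, then the path.

triage_rpm_verify() {
    awk '
    {
        flags  = $1
        marker = ($2 ~ /^\//) ? "" : $2          # "c" = packaged config file
        path   = substr($0, index($0, "/"))      # keeps paths containing spaces
    }
    # Only the locations the post singles out for review.
    path !~ /^\/(etc|bin|sbin)\// { next }
    flags == "missing"           { print "MISSING " path; next }
    # Changed contents in a non-config file: a replaced binary or script.
    marker != "c" && flags ~ /5/ { print "CONTENT " path; next }
    # Mode/owner/group drift, e.g. a new setuid bit or a chown.
    flags ~ /[MUG]/              { print "PERMS   " path; next }
    # Edited config files are expected; list them for a manual read.
    flags ~ /5/                  { print "CONFIG  " path }
    ' "$@"
}

# Constructed sample standing in for the rpmdump file.
sample_rpmdump() {
    cat <<'EOF'
S.5....T c /etc/httpd/conf/httpd.conf
S.5....T   /bin/login
.M......   /sbin/ifconfig
.......T c /etc/inittab
missing    /etc/cron.daily/logrotate
S.5....T   /usr/share/doc/foo/README
..5....T c /etc/ssh/sshd_config
EOF
}

sample_rpmdump | triage_rpm_verify
```

On a real system the call is `triage_rpm_verify rpmdump`. The verification compares files against the local RPM database, so its result is only as trustworthy as that database.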
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Originally posted by Arkham_c:
Sounds like a fun assignment.
Heh, that's what I'm talking about! Sign me up!
Hey, mac-at-kearsarge, what is your major? I'm currently trying to decide what major to declare. I love this kind of stuff, but Computer Science is not my deal, eww.
I was thinking Computer Information Systems maybe.
"In Nomine Patris, Et Fili, Et Spiritus Sancti"
Senior User
Join Date: Jan 2001
Location: california
Originally posted by [APi]TheMan:
I was thinking Computer Information Systems maybe.
my experience as a CIS major, and my future in it, are summarized by Peter's job in the movie "Office Space."
So now I'm an English major ;c)
cool project, btw.
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Originally posted by superlarry:
my experience as a CIS major, and my future in it, are summarized by Peter's job in the movie "Office Space."
So now I'm an English major ;c)
cool project, btw.
Interesting.
Well CS isn't my piece of cake, so we'll see. I'm only a Freshman right now. 
"In Nomine Patris, Et Fili, Et Spiritus Sancti"