  1. #1
    Just Joined!
    Join Date
    Apr 2003
    Capitol of the Granite State

    Need Help with upcoming class assignment

    Okay, before I go and inadvertently raise red flags, allow me to explain that this is a legit request for help. Also, I apologize for this long entry, but I need to be very detailed with this request.

    Currently I am learning RH8 in my Operating System class, here at New Hampshire Technical Inst., as we are starting to learn using Linux as a server. To make a point about security, our instructor, who is also a white hat hacker, has decided that our weekly test will be to take down other people's Apache servers. To me and a few other people I talk to in class it's obvious that he wants to see if we've been paying attention. During the last class we did fresh reinstalls of RH8. From the beginning of this course we have all used the same p/w for root; however, he also had us set up accounts with unique user names, but the same p/w. Also, during the reinstall, he had us select "no firewall" during setup.

    His plan is to disconnect us from the rest of the school's network, write everyone's IP on the board and see if we've taken the proper security measures, and can keep our servers going.

    Now I myself do have a plan in place which looks like this (coming into the next class we'll have 30 mins to get our servers ready):

    During the prep time I'm going to:
    -turn on the firewall to highest settings, leaving only port 80 open for Apache which must remain active for this exercise.
    -change all passwords (like I said, the two accounts that are on there now all have the same p/w as everyone else)
    -Not visit other students' websites *

    -As I believe about 1/2 to 2/3 of the class will forget to activate the firewall and change their p/ws, I'm planning on using SSH to log in to their systems, change their p/w's then execute 'init 0'. As we have not talked about SSH in class yet (or telnet), most students don't know about it.

    *The problem comes from the instructor himself. During lab time last week, we used the time to prepare for this upcoming class (only a few of us stayed). To give an idea of what we can do, he wrote a small web page, whose code (I forgot to save to disk and bring back with me) called on VIM editor and nothing else. He didn't do it to me (so I didn't get to see what happens), but after other students went to this page (which had no viewable content) the instructor went back to his comp and did something that definitely got a reaction out of the students who had gone to his page.

    Obviously, I want to know what it was he did, and how he did it.

    Also, can I put command scripts in a webpage? I'm hoping I can so I can write a script that executes init 0 when persons go to my server (this will be very effective on those who did remember to activate the firewall and change p/w).

    And if you're wondering what we get for doing this: the last student standing with his server still running will get 20 bonus points on the final (if that isn't motivation I don't know what is). ALSO, the instructor WILL be joining us in this exercise, so we have to go against HIM TOO (remember he's a white hat hacker!). Any and all help with this will be very appreciated.

  2. #2
    Linux Engineer
    Join Date
    Mar 2003
    As far as the other students' servers are concerned speed to the hack is the key. Go for the weaker students first then on up, this is after you have secured your server. Stay after class or ask to come in early.

    I would disable all ports and server services until you are really ready to turn yours on for the "test" this also includes your a: drive and password protect the bios.

    Off the top of my head other options could be to install Apache on a Win box and redirect to it or redirect to another rooted linux server. If he hacks the win box or the other linux server, he failed to hack your box, hence you pass.

    Also depending on the rules you can drop a keylogger into several other machines including the instructor's. If he already has root access to your machine (and you don't) install the keylogger into yours and get him to log in for some help on a server issue which requires root privileges. Chances are he's using the same or similar passwords for all machines to gain root access. Then so can you.

    Just some ideas off the top of my head and depends on the rules of the hack assignment. J should have some better input than I.

    Good luck.

    "Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu

  3. #3
    Linux Guru
    Join Date
    Apr 2003
    London, UK

    This looks like fun

    A couple of small ideas... should get you thinking...

    The one thing you did not specify is if you are sitting physically in front of "your" machine, or you are accessing it via SSH. For the remainder of this post, I will assume that you are sitting in front of your machine; adjust my ideas if you are not.

    The key to winning this is, without a doubt, speed. What speeds things up in Linux? The ability to have a script do all of the work.

    You should create a number of scripts to perform different foreseen tasks. You will need somewhere to store these, as you should write them in advance of the day of reckoning. Many places on the web offer free web accounts, with personal webspace; find a free webspace provider that offers a bit of space that you can FTP to without having to be connected to the internet with that provider.

    MAKE SURE YOUR FTP ACCOUNT PASSWORD IS DIFFERENT FROM YOUR LOCAL ROOT PASSWORD. - someone may have already deployed a sniffer on the network.

    Your first script has been done for you:
    #quick firewall script.
    #i must remember to chmod 700 <filename> it after download
    #then i do ./<filename> to execute it!
    /usr/sbin/iptables -P INPUT DROP
    /usr/sbin/iptables -F INPUT
    /usr/sbin/iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
    /usr/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    /usr/sbin/iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
    /usr/sbin/iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    /usr/sbin/iptables -A INPUT -s -j ACCEPT
    This will create a set of rules that will only allow inbound port 80 connections. An important thing to note, once that script has been put into place, only passive FTP will work.

    Using ftp from the Linux cmd line, open a connection to your ftp server, authenticate, then BEFORE trying to ls or get, type "passive", otherwise the FTP connection will "freeze".

    I will leave you to think up some other scripts.

    Securing HTTPD...
    1) Are you allowed to have httpd listening on a port other than 80? If so, edit /usr/local/apache(2?)/conf/httpd.conf, and find the line: "Listen 80" (in apache 2, it might be "Listen 80"), change to a different port number, save the file, then run "/usr/local/apache(2?)/bin/apachectl restart" to make it take effect (you may need to forcefully kill the process beforehand?).

    2) Redhat has a nice little tool, "up2date", use it to patch your system on the fly.

    3) if you want to go really deep with it, search google for putting apache in a chroot jail

    4) edit your httpd.conf file, and remove CGI access, and the manuals virtual directories.

    Search google for "secure apache" if the battle is going to be long and drawn out.

    No idea what your instructor did last week... don't use a browser, visit other people's websites using telnet. Run "telnet <TARGET_IP> 80". It will drop down a line, and look like it is not doing anything. Type "GET / HTTP/1.0" and hit enter twice, their webpage will be returned to you.

    Next, automated scan and attack tools... You plan to go via SSH? nice one brother! run:
    nmap -P0 -p 22
    (change IP range accordingly). This will show you all the people in the above IP range who still haven't bothered to lock down port 22... You do the rest from there...

    Good Luck, let us know how it went.
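
A check for the claim that the firewall script above leaves only inbound port 80 reachable, as an added example that is not part of the original post. It assumes the live ruleset is dumped with `iptables-save`; the function name `audit_input_rules` and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an INPUT chain given in iptables-save format on stdin.
# Passes only if the default policy is DROP and the sole rule admitting new
# inbound connections is tcp/80. Anything else is printed for review.
audit_input_rules() {
    awk '
    /^:INPUT /  { policy = $2 }
    /^-A INPUT / && / -j ACCEPT/ {
        # State-matched rules that exclude NEW only admit replies.
        if ($0 ~ /--(ct)?state / && $0 !~ /NEW/) next
        if ($0 ~ /-p tcp / && $0 ~ /--dport 80( |$)/) { web = 1; next }
        print "UNEXPECTED: " $0; bad++
    }
    END {
        if (policy != "DROP") { print "POLICY: INPUT default is " policy; bad++ }
        if (!web) { print "MISSING: no rule accepting tcp/80"; bad++ }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: what the script in the post should produce.
SAMPLE_LOCKED='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample: a fresh "no firewall" install with SSH still exposed.
SAMPLE_LOOSE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_LOCKED" | audit_input_rules && echo "locked: only tcp/80 is open"
printf '%s\n' "$SAMPLE_LOOSE"  | audit_input_rules || echo "loose: ruleset needs attention"
```

On a real host, run `iptables-save | audit_input_rules` as root after applying the firewall script and again later to catch rules that have been added since.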


  5. #4
    Linux Engineer
    Join Date
    Mar 2003
    I think j alluded to it but change the default paths and file names. Like htaccess can be anything like "config.old" or whatever you want and move it to somewhere other than where the rest of your web stuff is. Locate the web dir outside the standard location.

    If you don't have console access and are using ssh change the "listen to" ip to your fixed ip only using an ip that falls outside the ip class of what you have been using regardless of ip class. Using cron turn ssh on and off based on your class times so he can't fool around while you're gone.

    Relocate your access.log to non-standard location and change the name again. How about "config.old1". The names are to blend in and not stand out. If you are familiar with cron have it forward a copy to a safe location so you can compare to current log if someone/script is erasing footprints.

    If you look in the newbie section there is a cmd line for bad logins. You can try that as well.

    Just for awareness, reboot the server before you are to start and make a mental note or real note of the services starting. When it starts reboot before, during and after class to see if anything has changed.

    I still like the redirect idea but most likely not acceptable within the rules. All the fun you guys get to have that we old dudes never see anymore

    Let us know what you did well, not so well and what the instructor had in his back pocket to take everyone down. Since he has done this before he has a big head start. And may have already started. It would be a good learning experience for everyone if he intentionally used different techniques to show how they all work in different setups.

    "Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu
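
The log comparison suggested in the post above, as an added example that is not part of the original thread. It assumes cron has already put a copy of the access log somewhere safe; the function name `check_log_copy`, the file names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an off-box copy of access.log with the live file.
# An append-only log can only grow, so the live file must still start with
# every byte of the saved copy.
# check_log_copy SAVED CURRENT -> prints a verdict, returns 0 only if intact.
check_log_copy() {
    saved=$1
    current=$2
    [ -r "$saved" ] && [ -r "$current" ] || { echo "unreadable"; return 2; }
    saved_size=$(( $(wc -c < "$saved") ))
    current_size=$(( $(wc -c < "$current") ))
    if [ "$current_size" -lt "$saved_size" ]; then
        echo "truncated"      # shorter than the copy: emptied or rotated
        return 1
    fi
    if head -c "$saved_size" "$current" | cmp -s - "$saved"; then
        echo "intact"         # old entries unchanged, new ones appended
        return 0
    fi
    echo "modified"           # earlier entries were edited or removed
    return 1
}

# Constructed sample log lines (not from the thread).
demo=$(mktemp -d)
l1='10.0.0.5 - - [12/Apr/2003:10:00:01 -0400] "GET / HTTP/1.0" 200 512'
l2='10.0.0.9 - - [12/Apr/2003:10:02:17 -0400] "GET /cgi-bin/x HTTP/1.0" 404 210'
l3='10.0.0.7 - - [12/Apr/2003:10:05:40 -0400] "GET /index.html HTTP/1.0" 200 512'
printf '%s\n' "$l1" "$l2"       > "$demo/saved"     # copy made by cron
printf '%s\n' "$l1" "$l2" "$l3" > "$demo/grown"     # normal growth
printf '%s\n' "$l1" "$l3" "$l3" > "$demo/scrubbed"  # l2 removed afterwards
echo "grown:    $(check_log_copy "$demo/saved" "$demo/grown")"
echo "scrubbed: $(check_log_copy "$demo/saved" "$demo/scrubbed")"
rm -rf "$demo"
```

A legitimate log rotation also reports "truncated", so compare against the rotated file before treating that verdict as tampering.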
