I know there are plenty of pages floating around the Internet about knock daemons that open ports in a firewall after a predefined series of ports are “knocked”. For some reason ALL the pages I found assumed that a) you want the filter in your INPUT chain, and that the INPUT chain defaulted to DROP or REJECT.
In my case, I’m defiantly not going to have a iptables firewall with a default that drops packets. Every few weeks I try out some new software and can’t be bothered with adjusting my firewall every time. All I need it to do is keep pesky people off my ssh, that’s all.
So here is a short tutorial how to set up s knock daemon with a ACCEPT default for INPUT:
sequence = 76:udp,123:tcp,7630:tcp,1921:udp
seq_timeout = 25
tcpflags = syn,ack
start_command = /sbin/iptables -I SSH-Knock 2 -s %IP% -p tcp --dport 22 --syn -j ACCEPT
cmd_timeout = 20
stop_command = /sbin/iptables -D SSH-Knock -s %IP% -p tcp --dport 22 --syn -j ACCEPT
iptables -N SSH-Knock
iptables -A INPUT -p tcp --dport 22 -j SSH-Knock
iptables -A SSH-Knock -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A SSH-Knock -j REJECT --reject-with icmp-port-unreachable
/etc/init.d/iptables save active
Ok, the contest is ready. I’ll start off with the information everybody has been waiting for:
There is a webserver running with a brief description of the target and rules of the contest http://18.104.22.168/ The webserver is actually part of the contest since people are supposed to deface this page. To make it a bit more interresting, the ssh sessions are recorded with script and saved here for everyone to see (e.g. “less -r filename”).
Rules and Target of the contest:
As stated above, deface this page. To achieve this goal, everything is allowed. Do what you need/want to achieve the goal.
Unfortunatly we will still need a short list of actions that are not allowed:
- (D)DoS against this box, or via this box against other hosts are
of course not allowed
- Brute Force attacks against accounts are not prohibited … but trust me, you really don’t want to waste your time with that
- Be nice, don’t try to make the accounts or box unusable for others
- If you are doing something that isn’t aimed at solving the contest, than it probably isn’t allowed
A few details to the box and the system:
- It is a vmware box (so I can reset it and/or access the console without any problems)
- Linux debian testing is installed
- some basic hardening done with normal linux tools and grsecurity
- Don’t worry, I left enough room for you all to poke around, I didn’t make it “too secure to have fun”
- This time no holes were intentionally added to the system. On the other hand there will also be no updates of software packages or changes to the RBAC system, no matter what security flaws arise (or I may have overseen)
- On a scale of 1 to 10: I’d say the security is around 7
Have fun 😉
btw. I’m also posting this in the buha forums for anyone who prefers a German description.
I spent the last few days fine tuning the HackIt server I mentioned last week. After lots of thought on how I was going to punch holes into the security, I decided on a different approach. Since in the past contests I always found it fustrating to see people with high skills trying out stuff I would never have dreamed of, and in the end to get beaten by people who by sheer luck tried out the right thing at the right time … I decided to minimize the “luck” factor of the contest by not putting any holes in the server on purpose.
What I am going to do is not update any of the packages any more from now on. I’m doing an update right now as I post this, and from here on no more updates. There will also be no updates or changes to the RBAC system. The only changes I will be making to the box from now on, are if it breaks and needs to be fixed.
-> The box will be shamelessly neglected, waiting to be owned.
If nothing strange pops up tonight, I will be posting information about the contest tomorrow in the buha forum, here and a few other places …
The last HackIt I set up was a few years ago, so I decided to have a go at it again. As before it will be a Linux server. And I will also have some fun with grsecurity kernel patches (including the additional Role-Based Access Control system). So nothing new up to here. I’m also going to be using most of the features I used back then too (like “trusted path execution” and no outgoing/server sockets for users, …)
Last time it was separate hardware on my little DSL line (meaning back then all users had to share a 128kbit upstream). This time it will be a vmware box on a 100Mbit Internet connection and it’s own IP, so no more worry about laggy ssh sessions.
I’ll post more details as soon as this gets more “ready-for-release”. Right now I’m still hardening the box, I still haven’t decided on which holes I’m going to build into it to make it a “HackIt”.