Update Securing a server, authored by LaplongeJunior
Assuming such points:
- Ssh must be reachable from the outside on all machines, as admins need to log as root (in the future, a single ssh-only machine may be reachable as an admin gateway to the LAN, and other ssh services not forwarded)
- All non-root users are assumed "public access", either for public missions or for open-source scripts
- The admin must always be able to obtain a root shell by using the password : if ssh can't be combined with the other services, then sudo must be available to everyone and a guest "shell exploit" must be documented, proved to work in all normal circumstances, and tested when upgrading the server (in the future, a single ssh-only machine may be reachable as an admin gateway to the LAN, and other non-forwarded ssh services enabled on all machines)
- All non-root creds/user are assumed "public access", either for public missions or for open-source scripts
- All files restricted to root are assumed "critical data" by default
- Local libraries are considered unable to be secured against root elevation
- No server is added to an existing LAN until it is deemed secured, as such machine would provide an entrypoint into the whole LAN
- Also, no tool can be provided if can lead to unnecessary uses against the LAN (for example, the ssh command for proxies must contain a custom-made filter)
- Also, no tool can be provided if it can lead to unnecessary uses against the LAN (for example, the ssh command for proxies must contain a custom-made filter)
Threats against a rented service server:
Threat 0 : Exploit requirements
0a) "X active user" is assumed *always* fulfilled, as this requirement is expected to evolve under normal conditions
0b) "minimum N registered users" is assumed fulfilled except exceptional circumstances, as a server is meant to provide more and more services over its lifetime
0b) "minimum N registered users" is assumed fulfilled besides exceptional circumstances, as a server is meant to provide more and more services over its lifetime
0c) "in the same LAN" is assumed always blocking, as an inter-LAN exploit assumes another machine got breached first
0d) "specific X version" can be easily blocked forever, as patching local libraries is pointless
0d) "specific X version" can be easily blocked forever, as local libraries will always allow some kind of root elevation
Threat 1 : Root access
1a) Any service can allow to log or lock root with the good vulnerability
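Review bot: The bullet starting "The admin must always be able to obtain a root shell by using the password" makes sudo available to everyone while the next bullet declares all non-root credentials public, so the password becomes the only barrier between any public account and root, and nothing in the list says how guessing is limited or logged. Suggest adding an assumption that names the control (attempt limits, logging of failed sudo and ssh root logins, or the admin-gateway option the bullet already mentions) and stating that the documented guest "shell exploit" still requires that password. The reworded 0d has a related gap: if "local libraries will always allow some kind of root elevation" and root-only files are "critical data", the list should say what keeps public users away from that data, and why this makes a "specific X version" requirement easy to block.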
......@@ -37,6 +37,7 @@ Fix : all those security measures must be applied on the router too
I identified 4 types of (legitimate) users (besides root and guest)
Note that the two last ones are *player* usecases and not GuildHack mission requirements (and one extra legitimate use if a future feature is added the way it is expected)
If ssh isn't installed : sudo available to everyone (admin backdoor with guest exploit)
All human users should be able to access '/' in order to navigate easily
Let's be nice and give "clear" so that everybody can reset their screens in ssh :P
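Review bot: The line "If ssh isn't installed : sudo available to everyone (admin backdoor with guest exploit)" does not say what sudo actually grants or which password it asks for, so a reader cannot tell whether this is a root shell gated by the root password or something broader. Suggest spelling out the intended rule (which commands, which password, whether failures are logged) and pointing back to the assumption that this path must be documented and re-tested on every server upgrade. It would also help to say whether "everyone" includes the guest account and the four user types listed just above.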
......
......