Update Securing a server (authored by LaplongeJunior)
Assuming such points: Assuming such points:
- Ssh must be reachable from the outside on all machines, as admins need to log as root (in the future, a single ssh-only machine may be reachable as an admin gateway to the LAN, and other ssh services not forwarded) - The admin must always be able to obtain a root shell by using the password : if ssh can't be combined with the other services, then sudo must be available to everyone and a guest "shell exploit" must be documented, proved to work in all normal circumstances, and tested when upgrading the server (in the future, a single ssh-only machine may be reachable as an admin gateway to the LAN, and other non-forwarded ssh services enabled on all machines)
- All non-root users are assumed "public access", either for public missions or for open-source scripts - All non-root creds/user are assumed "public access", either for public missions or for open-source scripts
- All files restricted to root are assumed "critical data" by default - All files restricted to root are assumed "critical data" by default
- Local libraries are considered unable to be secured against root elevation - Local libraries are considered unable to be secured against root elevation
- No server is added to an existing LAN until it is deemed secured, as such machine would provide an entrypoint into the whole LAN - No server is added to an existing LAN until it is deemed secured, as such machine would provide an entrypoint into the whole LAN
- Also, no tool can be provided if can lead to unnecessary uses against the LAN (for example, the ssh command for proxies must contain a custom-made filter) - Also, no tool can be provided if it can lead to unnecessary uses against the LAN (for example, the ssh command for proxies must contain a custom-made filter)
Threats against a rented service server: Threats against a rented service server:
Threat 0 : Exploit requirements Threat 0 : Exploit requirements
0a) "X active user" is assumed *always* fulfilled, as this requirement is expected to evolve under normal conditions 0a) "X active user" is assumed *always* fulfilled, as this requirement is expected to evolve under normal conditions
0b) "minimum N registered users" is assumed fulfilled except exceptional circumstances, as a server is meant to provide more and more services over its lifetime 0b) "minimum N registered users" is assumed fulfilled besides exceptional circumstances, as a server is meant to provide more and more services over its lifetime
0c) "in the same LAN" is assumed always blocking, as an inter-LAN exploit assumes another machine got breached first 0c) "in the same LAN" is assumed always blocking, as an inter-LAN exploit assumes another machine got breached first
0d) "specific X version" can be easily blocked forever, as patching local libraries is pointless 0d) "specific X version" can be easily blocked forever, as local libraries will always allow some kind of root elevation
Threat 1 : Root access Threat 1 : Root access
1a) Any service can allow to log or lock root with the good vulnerability 1a) Any service can allow to log or lock root with the good vulnerability
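Review bot: the rewritten first assumption makes sudo "available to everyone" as the fallback when ssh can't be combined with the other services, while the next bullet treats all non-root creds/users as "public access"; taken together, the root password becomes the only barrier between a public account and a root shell, and Threat 1a already notes that a service can be used to log or lock root. The bullet should say which credential sudo asks for (the text says "by using the password", which reads as root's rather than the caller's) and whether failed attempts are limited or logged, so that the "tested when upgrading the server" step has something concrete to check. A smaller point on 0d: "can be easily blocked forever" followed by "as local libraries will always allow some kind of root elevation" now reads as a contradiction; spell out that the version requirement is what gets blocked while the elevation risk remains.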
...@@ -37,6 +37,7 @@ Fix : all those security measures must be applied on the router too ...@@ -37,6 +37,7 @@ Fix : all those security measures must be applied on the router too
I identified 4 types of (legitimate) users (besides root and guest) I identified 4 types of (legitimate) users (besides root and guest)
Note that the two last ones are *player* usecases and not GuildHack mission requirements (and one extra legitimate use if a future feature is added the way it is expected) Note that the two last ones are *player* usecases and not GuildHack mission requirements (and one extra legitimate use if a future feature is added the way it is expected)
If ssh isn't installed : sudo available to everyone (admin backdoor with guest exploit)
All human users should be able to access '/' in order to navigate easily All human users should be able to access '/' in order to navigate easily
Let's be nice and give "clear" so that everybody can reset their screens in ssh :P Let's be nice and give "clear" so that everybody can reset their screens in ssh :P
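Review bot: the added line "If ssh isn't installed : sudo available to everyone (admin backdoor with guest exploit)" uses a different condition from the assumption it implements, which says "if ssh can't be combined with the other services"; pick one wording so it is clear whether the fallback applies only when ssh is absent or also when it is installed but not exposed. The line also names the "guest exploit" without pointing to where it is documented, although the assumptions require it to be "documented, proved to work in all normal circumstances, and tested"; add a reference to that documentation here. Since the line sits directly under the list of legitimate user types, note which of them the sudo rule applies to, given that guest is excluded from that list.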