################### Setting Up a Server ################### .. attention:: If you haven't participated in a CDC before, read the :doc:`../getting_started/index` document first. It will explain why some of this setup is needed. The :doc:`../remote_setup/index` document will show you how to access your servers to set them up as well as how to test them out. ************************* Introduction and Overview ************************* At this point, you've read the :doc:`../getting_started/index` document, logged in to IScorE and vCenter and powered on your VMs. But wait, IScorE is showing all red for your services! Don't Panic! There is usually just a little bit of setup needed so that IScorE knows where to find your services. This guide is not intended to show the best way to set up your servers, only the quickest and easiest. If you want to do anything fancy like firewalling, NAT, or reverse proxying, you will probably have to disregard most of this document (Protip: Google those terms for some cool ideas on setting up complex networks). Some scenario VMs will need additional configuration; this may be mentioned in the scenario, or it may be up to you to discover it on your own. The basic network configuration in this guide puts all of the servers directly on the Competition Network and does not use the Internal Network at all. The steps will go as follows: #. Power on and connect to Competition Network #. Set up the static network configuration (OS specific) #. Set up the proxy so you can download packages from the Real Internet (OS specific) #. Set up DNS records in IScorE ****************************** Connect to Competition Network ****************************** Follow the instructions in the :doc:`../remote_setup/index` document to log in to vCenter. Make sure the VM has its network interface (NIC) connected to the Competition Network. You can access the Network Adapter settings of a VM by right-clicking the virtual machine and choosing "Edit Settings". ======================= Static IP Configuration ======================= Anything connected to the Competition Network must have a static IP assigned and have the default gateway and DNS statically configured. See `OS-Specific Instructions for Static IP`_. * Find your team's IP range in IScorE * You are free to choose any IP address in your range except :code:`x.x.x.250-254`. Make sure there are no conflicts between two or more of your servers. Record these IP addresses, since they are very important for further configuration and documentation. * Your default route (gateway) is the IP sitting at .254 of your range (check IScorE). For example, Team 1's gateway is :code:`64.39.3.254` * The netmask is :code:`255.255.255.0` (a :code:`/24` subnet) * The DNS server is located at :code:`199.100.16.100` * If your network is set up correctly, you should always be able to ping the DNS server and get a response. Note that due to the way the ISEAGE network is structured you will not be able to ping the real-world (e.g. google.com). ============ Proxy Server ============ Once on the competition range, you will not have access to the internet. Instead, you must use our proxy server, located at :code:`199.100.16.100` port :code:`3128`. .. note:: Due to the way the proxy works, you will not be able to access your systems by IP address from a web browser that is configured to use the proxy; the server's FQDN must be used. To circumvent this, modify your web browser's settings to not use the proxy for your team's IP address range (in Firefox, this setting is called "No proxy for" and appears on the "Connection Settings" page). .. note:: The proxy server provides an NTP server for the competition environment. To use it, configure your NTP client to point to :code:`199.100.16.100`. ---------------------------------------- Setting the proxy in a Linux/Unix system ---------------------------------------- Run the following commands to set the appropriate environment variables: .. code-block:: none export http_proxy="http://199.100.16.100:3128" export https_proxy=$http_proxy export ftp_proxy=$http_proxy This will configure the proxy for just about any command (sudo being an exception, see the next section). Note that these environment variables will not persist across reboots or even shell sessions. You can place these lines at the end of the file :code:`/etc/profile` which will automatically set the variables for you when a user logs in. Sudo ---- By default, environment variables are ignored when running commands with sudo for security reasons. This makes it difficult to run commands like apt-get without being the root user. To configure sudo to keep the proxy settings, edit the sudoers file using :code:`visudo` and add the following line: .. code-block:: none Defaults env_keep += "http_proxy https_proxy ftp_proxy" .. _Apt: Apt (optional) -------------- ISEAGE has an apt-cache server that allows packages to be downloaded and upgraded quicker than usual. On Debian and Ubuntu-based systems, you can optionally add the following to :code:`/etc/apt/apt.conf.d/cache`: .. code-block:: none Acquire::http { Proxy "http://apt-cache.isucdc.net:3142"; }; Setting the proxy in Windows ---------------------------- Windows is easy: Just set the proxy in "Internet Options" for everything. .. attention:: You will still not be able to ping google.com! You will NEVER be able to ping google.com or any real world website! ****************** IScorE DNS Records ****************** Setting up the DNS Records is very easy. For each server, find out what its domain name should be from the scenario, for example www.teamN.isucdc.com (replace N with your team number). Then, under DNS Records in IScorE, add a record for www with the IP address you statically assigned to the server. Once DNS records are assigned, your service should begin to turn green for the service scanner within 5 minutes. Document your network setup for the White Team documentation. *************** Troubleshooting *************** ==================== Server Isn't Working ==================== From the server (Server doesn't work right): * Ping :code:`199.100.16.100` (The proxy) * :code:`Ping x.x.x.254` (Your default gateway) * Install/update a package +--------------+--------------+----------------+---------------------+ | Ping Gateway | Ping Proxy | Update Package | Probable Issue | +--------------+--------------+----------------+---------------------+ | Doesn't work | N/A | N/A | Static IP address | | | | | not set up or | | | | | wrong. | +--------------+--------------+----------------+---------------------+ | Works | Doesn't Work | N/A | Default gateway | | | | | not set or wrong, | | | | | check routing table | +--------------+--------------+----------------+---------------------+ | Works | Works | Doesn't work | Proxy not set up | | | | | right. | +--------------+--------------+----------------+---------------------+ ============= Server Is Red ============= From the RDP Hop: * Wait 5 minutes * Ping the server's domain name (www.teamN.isucdc.com) * Ping the server's IP address * Try protocol-specific tools (Web browser for HTTP, SSH for SSH, etc.) +-----------------+-------------------+-------------------+-----------------------------------+ | Ping IP Address | Ping Domain Name | Unable to Connect | Probable Issue | +-----------------+-------------------+-------------------+-----------------------------------+ | Doesn't Work | N/A | N/A | IP address or | | | | | default gateway of | | | | | server wrong or not set; tried | | | | | to ping wrong IP address | +-----------------+-------------------+-------------------+-----------------------------------+ | Works | Doesn't Work | N/A | Wrong or missing IP | | | | | address or domain | | | | | in IScorE - did ping | | | | | resolve the host to | | | | | the right IP address? | +-----------------+-------------------+-------------------+-----------------------------------+ | Works | Works | Doesn't Work | Service not running | | | | | or domain name | | | | | given to wrong server; server | | | | | has a firewall | +-----------------+-------------------+-------------------+-----------------------------------+ | Works | Works | Works | Wait for service scanner to run ( | | | | | 5 minutes); read service scanner | | | | | error message. | +-----------------+-------------------+-------------------+-----------------------------------+ ************************************** OS-Specific Instructions for Static IP ************************************** ======== OpenSUSE ======== OpenSUSE_ .. _OpenSUSE: https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.basicnet.html#sec.basicnet.manconf ============= Debian/Ubuntu ============= `Debian/Ubuntu`_ .. _Debian/Ubuntu: https://wiki.debian.org/NetworkConfiguration#Configuring_the_interface_manually ====== Fedora ====== Fedora_ .. _Fedora: https://docs.fedoraproject.org/en-US/Fedora/22/html/Networking_Guide/sec-Using_the_Command_Line_Interface.html#sec-Configuring_a_Network_Interface_Using_ifcg_Files ======= Windows ======= Windows_ .. _Windows: http://www.colorado.edu/oit/tutorial/static-ip-configuration-windows-7 *************** Setup Resources *************** ISEAGE maintains some services to aid you in setting up a server in our environment. These are offered to you at our discretion, and are considered to be safe and out of scope for Red Team. * `paste.iseage.org`_ is a pastebin style application to allow you to easily move configuration files and flags in and out of our environment. Note that there is a rather conservative file size limit. * There is an apt cache server provided to you. Using this allows your services to update more quickly, and reduces load on our uplink. See Apt_ for more info. .. _paste.iseage.org: https://paste.iseage.org