Setting Up a Server¶
Attention
If you haven’t participated in a CDC before, read the Getting Started document first. It will explain why some of this setup is needed. The Remote Setup Guide document will show you how to access your servers to set them up as well as how to test them out.
Introduction and Overview¶
At this point, you’ve read the Getting Started document, logged in to IScorE and vCenter and powered on your VMs. But wait, IScorE is showing all red for your services! Don’t Panic! There is usually just a little bit of setup needed so that IScorE knows where to find your services.
This guide is not intended to show the best way to set up your servers, only the quickest and easiest. If you want to do anything fancy like firewalling, NAT, or reverse proxying, you will probably have to disregard most of this document (Protip: Google those terms for some cool ideas on setting up complex networks). Some scenario VMs will need additional configuration; this may be mentioned in the scenario, or it may be up to you to discover it on your own.
The basic network configuration in this guide puts all of the servers directly on the Competition Network and does not use the Internal Network at all. The steps will go as follows:
- Power on and connect to Competition Network
- Set up the static network configuration (OS specific)
- Set up the proxy so you can download packages from the Real Internet (OS specific)
- Set up DNS records in IScorE
Connect to Competition Network¶
Follow the instructions in the Remote Setup Guide document to log in to vCenter. Make sure the VM has its network interface (NIC) connected to the Competition Network. You can access the Network Adapter settings of a VM by right-clicking the virtual machine and choosing “Edit Settings”.
Static IP Configuration¶
Anything connected to the Competition Network must have a static IP assigned and have the default gateway and DNS statically configured. See OS-Specific Instructions for Static IP.
- Find your team’s IP range in IScorE
- You are free to choose any IP address in your range except
x.x.x.250-254
. Make sure there are no conflicts between two or more of your servers. Record these IP addresses, since they are very important for further configuration and documentation. - Your default route (gateway) is the IP sitting at .254 of your range
(check IScorE). For example, Team 1’s gateway is
64.39.3.254
- The netmask is
255.255.255.0
(a/24
subnet) - The DNS server is located at
199.100.16.100
- If your network is set up correctly, you should always be able to ping the DNS server and get a response. Note that due to the way the ISEAGE network is structured you will not be able to ping the real-world (e.g. google.com).
Proxy Server¶
Once on the competition range, you will not have access to the internet.
Instead, you must use our proxy server, located at 199.100.16.100
port
3128
.
Note
Due to the way the proxy works, you will not be able to access your systems by IP address from a web browser that is configured to use the proxy; the server’s FQDN must be used. To circumvent this, modify your web browser’s settings to not use the proxy for your team’s IP address range (in Firefox, this setting is called “No proxy for” and appears on the “Connection Settings” page).
Note
The proxy server provides an NTP server for the competition environment. To use it, configure your NTP client to point to
199.100.16.100
.
Setting the proxy in a Linux/Unix system¶
Run the following commands to set the appropriate environment variables:
export http_proxy="http://199.100.16.100:3128"
export https_proxy=$http_proxy
export ftp_proxy=$http_proxy
This will configure the proxy for just about any command (sudo being an
exception, see the next section). Note that these environment variables will not
persist across reboots or even shell sessions. You can place these lines at the
end of the file /etc/profile
which will automatically set the variables
for you when a user logs in.
Sudo¶
By default, environment variables are ignored when running commands with sudo
for security reasons. This makes it difficult to run commands like apt-get
without being the root user. To configure sudo to keep the proxy settings,
edit the sudoers file using visudo
and add the following line:
Defaults env_keep += "http_proxy https_proxy ftp_proxy"
Apt (optional)¶
ISEAGE has an apt-cache server that allows packages to be downloaded and upgraded quicker than usual.
On Debian and Ubuntu-based systems, you can optionally add the following to
/etc/apt/apt.conf.d/cache
:
Acquire::http { Proxy "http://apt-cache.isucdc.net:3142"; };
Setting the proxy in Windows¶
Windows is easy: Just set the proxy in “Internet Options” for everything.
Attention
You will still not be able to ping google.com! You will NEVER be able to ping google.com or any real world website!
IScorE DNS Records¶
Setting up the DNS Records is very easy. For each server, find out what its domain name should be from the scenario, for example www.teamN.isucdc.com (replace N with your team number). Then, under DNS Records in IScorE, add a record for www with the IP address you statically assigned to the server.
Once DNS records are assigned, your service should begin to turn green for the service scanner within 5 minutes. Document your network setup for the White Team documentation.
Troubleshooting¶
Server Isn’t Working¶
From the server (Server doesn’t work right):
- Ping
199.100.16.100
(The proxy) Ping x.x.x.254
(Your default gateway)- Install/update a package
Ping Gateway | Ping Proxy | Update Package | Probable Issue |
Doesn’t work | N/A | N/A | Static IP address not set up or wrong. |
Works | Doesn’t Work | N/A | Default gateway not set or wrong, check routing table |
Works | Works | Doesn’t work | Proxy not set up right. |
Server Is Red¶
From the RDP Hop:
- Wait 5 minutes
- Ping the server’s domain name (www.teamN.isucdc.com)
- Ping the server’s IP address
- Try protocol-specific tools (Web browser for HTTP, SSH for SSH, etc.)
Ping IP Address | Ping Domain Name | Unable to Connect | Probable Issue |
Doesn’t Work | N/A | N/A | IP address or default gateway of server wrong or not set; tried to ping wrong IP address |
Works | Doesn’t Work | N/A | Wrong or missing IP address or domain in IScorE - did ping resolve the host to the right IP address? |
Works | Works | Doesn’t Work | Service not running or domain name given to wrong server; server has a firewall |
Works | Works | Works | Wait for service scanner to run ( 5 minutes); read service scanner error message. |
Setup Resources¶
ISEAGE maintains some services to aid you in setting up a server in our environment. These are offered to you at our discretion, and are considered to be safe and out of scope for Red Team.
- paste.iseage.org is a pastebin style application to allow you to easily move configuration files and flags in and out of our environment. Note that there is a rather conservative file size limit.
- There is an apt cache server provided to you. Using this allows your services to update more quickly, and reduces load on our uplink. See Apt for more info.