Before the exercise, I would become very familiar with this page: http://support.zenwalk.org/viewforum.php?f=48&sid=3320c271ca1cdb2240993243573a5787
Several of these are possible to do concurrently, which will be important in a team environment.

1a) Log into the console as root and touch /etc/nologin to disable remote access while they reset root and user passwords, then remove the file (if necessary)
1b) Disable FTP while verifying secure configuration (i.e. if vsftpd, ensure anonymous is off and user chroot is enabled), then re-enable
1c) As Ed Harvey suggested, netstat to find improper listening processes. kill, then removepkg
2a) As Nick Whalen suggested, bind mysql to localhost, restart
2b) Change phpmyadmin's URL
3a) ssh: no remote root login
3b) ssh: key-only authentication
4) (optional) Recompile kernel with SELinux, reboot, setenforce 1, submit updated package to zenwalk ;-)

If they can practice with the "real" images, they'll figure out what surreptitious services you'll have running just to mess with them (you are going to mess with them, right?). You may want to randomize it, if you plan on this, in order to keep them on their toes.

Sounds like a fun game! Are you going to allow social engineering?

--Matt

On Mon, Feb 1, 2010 at 9:44 PM, Joseph Kern <joseph.a.k...@gmail.com> wrote:
> A group of students at my university will be participating in a round
> of computer security CTF (Capture the Flag) as the Defenders [1] early
> next week.
>
> Given that they have to keep their servers and services online; what
> would you do in 5 mins to secure a Linux system?
>
> I'm hoping that I can give them a list of commands and items to check
> quickly so they can study/practice before the "big event". They will
> be running Zenwalk Linux; probably a LAMP stack (with PHPmyadmin),
> ssh, ftp, and postfix.
>
> Any help would be greatly appreciated.
>
> And no, they can't just `iptables -A INPUT -j DROP -p tcp -i eth0` as
> they are scored continuously on service uptime. I thought of that too
> (this will be the nuclear option).
>
> Thanks.
>
> --Joseph Kern
>
> [1]: http://en.wikipedia.org/wiki/Capture_the_flag#Computer_security
>
> _______________________________________________
> Discuss mailing list
> Discuss@lopsa.org
> http://lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

--
LITTLE GIRL: But which cookie will you eat FIRST?
COOKIE MONSTER: Me think you have misconception of cookie-eating process.

_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
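The config-file steps from Matt's list (1a, 1b, 1c, 2a, 3a, 3b) collected into a script the team could rehearse from, as an added example that is not code from the thread or from Zenwalk. Every function takes the file to edit as an argument so it can be dry-run on copies; the default paths (/etc/ssh/sshd_config, /etc/vsftpd.conf, /etc/my.cnf) are assumptions for a Slackware-derived system, and service restarts are left to the operator.

```shell
#!/bin/sh
# Added example, not from the thread: the config-file steps in the list above
# as idempotent shell functions. Each takes the file to edit as an argument,
# so it can be rehearsed on copies; the default paths are assumptions for a
# Slackware-derived system such as Zenwalk. Nothing here restarts a service;
# do that yourself once the file looks right.

# set_directive FILE KEY VALUE [SEP]: rewrite an existing "KEY ..." line
# (commented-out defaults included) as "KEY<SEP>VALUE", or append one.
set_directive() {
    file=$1; key=$2; value=$3; sep=${4:- }
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]=]|\$)" "$file"; then
        tmp=$(mktemp) || return 1          # sed -i is not portable; go via a temp file
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]=].*)?\$|$key$sep$value|" "$file" > "$tmp" \
            && cat "$tmp" > "$file"
        rc=$?
        rm -f "$tmp"
        return $rc
    fi
    printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
}

# get_directive FILE KEY: print the effective (last uncommented) value of KEY
get_directive() {
    awk -v k="$2" '
        BEGIN { re = "^[[:space:]]*" k "[[:space:]=]" }
        $0 ~ re { sub("^[[:space:]]*" k "[[:space:]=]*", ""); v = $1 }
        END { print v }' "$1"
}

harden_sshd() {            # 3a/3b: no remote root login, key-only auth
    f=${1:-/etc/ssh/sshd_config}
    set_directive "$f" PermitRootLogin no
    set_directive "$f" PasswordAuthentication no
    set_directive "$f" ChallengeResponseAuthentication no
    set_directive "$f" PubkeyAuthentication yes
}

harden_vsftpd() {          # 1b: anonymous off, local users chrooted
    f=${1:-/etc/vsftpd.conf}
    set_directive "$f" anonymous_enable NO =
    set_directive "$f" chroot_local_user YES =
}

bind_mysql_local() {       # 2a: listen on loopback only
    f=${1:-/etc/my.cnf}
    tmp=$(mktemp) || return 1
    awk '
        /^[[:space:]]*#?[[:space:]]*bind-address[[:space:]]*=/ { next }   # drop any old setting
        { print }
        /^\[mysqld\]/ { print "bind-address = 127.0.0.1"; done = 1 }      # keep it in [mysqld]
        END { if (!done) print "[mysqld]\nbind-address = 127.0.0.1" }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rc=$?
    rm -f "$tmp"
    return $rc
}

lockout_on()  { touch /etc/nologin; }   # 1a: refuse logins from everyone but root
lockout_off() { rm -f /etc/nologin; }   #     ...and lift it once passwords are reset

list_listeners() {         # 1c: every listening socket and the program behind it
    netstat -tulpn 2>/dev/null || ss -tulpn
}
```

Rehearse on copies first (`cp /etc/ssh/sshd_config /tmp/sshd_config; harden_sshd /tmp/sshd_config; diff /etc/ssh/sshd_config /tmp/sshd_config`) and only then run against the live files and restart the service; the `get_directive` helper is there so the team can confirm each value before reloading.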