CS 159.5 (Summer Semester, 2005-2006)

This is the website for the class "Special Topics In Systems: Basic Systems and Network Administration".

Statement of the Challenge

The goal of this challenge is to practice principles of good systems administration. Although, the challenge starts even before a good deal of best practices have been discussed, it will serve as a venue for discovering those lessons to be learned. Hence, this exercise aims to highlight and reward students who pro-actively search for possible solutions and exploits. Each positive action or standing service will have corresponding positive points. Each compromise or missing action will have negative points. The pair with the highest points gets an 'A' for this challenge. The next group will get a 'B+'. The next two (2) groups a 'B'. The next three (3) groups a 'C+' and so on. In the case of ties and disputes, special challenges shall be given to the groups under dispute. May the best group win!

Point System

• Successfully installed Linux system (+50)
• Successfully installed HTTP+PHP system (+25)
• Successfully installed SSH system (+25)
• Successfully installed SMTP system (+25)
• Successfully installed DNS system (+25)
• Successfully installed Web Proxy system (+25)
• Successfully installed PHP system (+25)
• Logo and Description in Website (+5)
• PHP script that accepts guestbook entries in Website (+50)
• Best Logo and Description (+10)
• Best Website (+10)
• Last website defaced (+10)
• Last system rooted (+10)
• Compromise another group's website (+25/website)
• Local root compromise on another group's host (+25/compromise)
• DOS'd or crashed another site (+10/compromise)
• First to deface another group (+15)
• First to execute a root compromise on another group (+15)
• Website compromised by another group (-25)
• Local root compromise by another group (-25)
• Own site DOS'd or crashed (-10)
• Own mail server is an Open Relay (-15)
• First to be defaced (-10)
• First to be root compromised by another group (-10)
• Violation of rules (-20/violation)

Mechanics

1. Each group must have at most two (2) members. The selection of partners will be done at the first class meeting. Each group shall select a single word group name. The single word shall be a character is greek mythology.
2. Each group will be assigned a permanent workstation for the entire class. This workstation shall be the responsibility of that group. The hostname of this machine shall be the greek character's name plus the cs1595.ateneo.net domain. (ie. artemis.cs1595.ateneo.net)
3. All groups shall install Fedora Linux Core 3 for this challenge.
4. Each group must have a working HTTP+PHP, DNS, Proxy, SMTP and SSH. These services must be accessible from all addresses.
5. Only software from http://mirrors.ateneo.net can be used.
6. The HTTP server must have at least one HTML page with at least the group name, hostname and members of the group. A logo and a short description of the group would be bonuses.
7. The SSH server must have at least the 'guest' with 'guest' as its password. This account must have a shell account.
8. All other passwords and user accounts shall be submitted to the instructor and the laboratory technician.
9. A website is considered defaced only if the attacking group modifies the HTML file of that website. The name of the defacing group shall be a prominently seen on the modified page.
10. A root compromised is considered if the root password of the attacked system has been changed.
11. A DOS is considered if the DOS'd service cannot be access. Points are awarded for each DOS'd service displayed in class.
12. A crash is considered if the attacked service is taken offline. Points are awarded for each crashed service displayed in class.
13. Powering off another groups system shall not be considered a DOS.
14. Each group will have the first few weeks of class to configure, customize and protect their systems. After that, the instructor will announce the start date and the end date of the challenge. After the challenge starts, the group website is not allowed to be changed.
15. Attacks can be executed either off or on class. However, notification of successful attacks shall be mentioned only during class hours. Checking of the said compromises shall also be done during class hours. Only the first few minutes of the class will be considered for scoring.
16. Any additional rules to be added shall be at the discretion of the instructor.