Topics for today

  • Proxy servers
    • SSH tunnels
    • Tor
  • HTTP security
    • cookies
    • webstorage
    • XSS
    • CSRF
  • Blockchain

Links

SSH keys

Firewalls

HTTP

Encryption

Cookies

Cross-site attacks and their mitigation

Blockchain

Classes overview

  1. Introduction to TCP and UDP: ports, TCP handshake
  2. Overview of standard ports and services
  3. How a stateful firewall works
  4. Introduction to Tor
  5. Setting up SSH keys on our VMs
  6. Creating tunnels with SSH

Tasks to do during classes

Tor (1 pt)

Connect the Opera browser to the Tor network (through a suitable SOCKS5 proxy; make sure the browser sends its DNS lookups through the proxy as well, otherwise a .onion name cannot be resolved at all). In Opera navigate to the following address (which can only be reached through Tor):

https://www.facebookcorewwwi.onion/

In the second tab open:

https://whatismyipaddress.com/

Note where your Tor traffic enters the regular internet (i.e., where your Tor exit node is located).

Virtual machine (container) configuration

Virtual machines dedicated to these classes are available at tin-sXXXXXX.vm.wmi.amu.edu.pl (XXXXXX is your student ID number). Before their first use, some configuration is required. Take the following steps:

  1. Log into https://cloud.wmi.amu.edu.pl using your LABS credentials.

  2. In the left panel (pool view), find your machine. The Network tab shows the machine's IP address (a private address, not reachable from the public internet). The Console tab gives direct console access to the machine.

  3. Start the machine and then log in (via Console) to the root account using the password tin2020.

  4. Change the password using the passwd command.

  5. For the next task, root must be allowed to log in over SSH. Edit the file /etc/ssh/sshd_config and set PermitRootLogin to yes. (This is temporary: once SSH keys are in place, password logins for root are disabled again, see the SSH keys task below.)

  6. Restart the sshd service:

    # systemctl restart sshd.service
  7. Check that the change took effect by connecting to the virtual machine from your local computer:

    $ ssh root@tin-sXXXXXX.vm.wmi.amu.edu.pl

    You will be asked for the root password. If you can log in, the configuration is complete.

SSH keys (1 pt)

On your computer, generate a public/private key pair. The examples here use Ed25519 keys, which are considered secure and robust. Ed25519 is a relatively new SSH key type and older SSH software may not support it; in that case use another key algorithm (RSA, ECDSA).

$ ssh-keygen -t ed25519

The key pair is saved as .ssh/id_ed25519 (the private key, never to be shared) and .ssh/id_ed25519.pub (the public key, which can be given to anyone). ssh-keygen also asks for an optional passphrase; with one set, the private key is stored encrypted, so a stolen key file alone is not enough to log in.

To log into servers without typing a password every time, add the public key to the file .ssh/authorized_keys on the server (one key per line; many keys can be authorized for the same account).

Fortunately there is a tool just for this job. Typing:

$ ssh-copy-id -i ~/.ssh/id_ed25519 root@tin-s123456.vm.wmi.amu.edu.pl

with your VM address will copy the key to the server and authorize it (ssh-copy-id installs the .pub half of the key it is given, never the private key; it asks for the root password one last time). To make things a little shorter, add the following to .ssh/config:

Host lts
    HostName lts.wmi.amu.edu.pl
    User sXXXXXX

Host tin
    HostName tin-s123456.vm.wmi.amu.edu.pl
    User root
    ProxyJump lts

Now you can log into the server by typing just ssh tin. Because the config also contains the lts section and the ProxyJump line, you can log into tin from anywhere in the world, even though tin itself is unreachable from outside the campus: SSH first connects to lts and then, through it, to tin.

Afterwards you should disallow password logins for root on the server. Before doing so, confirm from a second terminal that ssh tin works with the key, otherwise you may lock yourself out (the Console tab in cloud.wmi.amu.edu.pl remains a fallback). Make sure you have:

PermitRootLogin prohibit-password

in /etc/ssh/sshd_config. For the change to take effect, restart the SSH server:

# systemctl restart sshd

SSH keys are by no means limited to accessing shell servers. The same key can be used, e.g., to log in without a password to GitHub or git.wmi.amu.edu.pl.

Fairly easy tasks (at home)

Access to task results

Basic tasks are checked automatically. The results of tasks are available in the per student text file at https://kino.vm.wmi.amu.edu.pl/results/dtin/######.txt, where ###### is a six-digit student index number. Global list of results is available at https://kino.vm.wmi.amu.edu.pl/results/dtin.txt

SSH server key (1 pt.)

Configure the SSH server on your virtual machine so that it presents an Ed25519 host key. It must differ from the one installed when the VM was created: generate a new one. Clients that have already connected to the VM will see a host-key-changed warning afterwards; that is expected.

In order for this task to be checked, send an email to bikol@wmi.amu.edu.pl with the subject “[DTIN] Z3.1 ######” (with your student ID number, which is a part of your VM address).

Firewall (1 pt.)

Configure the firewall on your virtual machine (container) so that it drops all connection attempts to ports 1–1000 except ports 22, 80 and 443. The machine should still answer ordinary ping (ICMP echo) requests. Make sure port 22 is excepted before the rules are activated, or you lock yourself out of SSH (the Console tab is the fallback).

In order for this task to be checked, send an email to bikol@wmi.amu.edu.pl with the subject “[DTIN] Z3.2 ######” (with your student ID number, which is a part of your VM address).

SSH tunnel (1 pt.)

Using your usual LABS username and password, log into the application running at https://kino.vm.wmi.amu.edu.pl:1031/ in such a way that the server sees the IP address of lts.wmi.amu.edu.pl as your address.

Hint: because of how the faculty network is configured, port 1031 is not reachable from outside the campus. Use an SSH tunnel (local port forwarding) or use SSH as a SOCKS5 proxy (dynamic forwarding); either way the connection to port 1031 then originates from lts.
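
The Tor task above and this hint rely on the same mechanism: a SOCKS5 proxy. Tor's daemon listens on 127.0.0.1:9050 by default, and ssh -D 1080 lts makes SSH listen on 127.0.0.1:1080 with the same interface. The following is an added example, not code from the course page, that performs the SOCKS5 exchange (RFC 1928) by hand in Python so the security-relevant detail is visible: the CONNECT request carries the destination as a domain name (ATYP 0x03), so the proxy, not the client, resolves it. That is what makes .onion names work and keeps DNS queries from leaving the machine outside Tor. The proxy address, the destination and the HEAD request in the demo are assumptions.

```python
"""Minimal SOCKS5 (RFC 1928) client: no-auth handshake + CONNECT by domain name.
Added example; works against Tor (127.0.0.1:9050) or `ssh -D 1080 host` (127.0.0.1:1080)."""
import socket
import ssl
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_CODES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHODS=[0x00 "no authentication required"]
    return bytes([SOCKS_VERSION, 0x01, 0x00])


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT with ATYP=0x03 (domain name): the *proxy* resolves the name.
    Resolving locally first (ATYP=0x01) would leak a DNS query for the
    destination and could never work for a .onion address."""
    name = host.encode("ascii")
    if not 0 < len(name) <= 255:
        raise ValueError("host name must be 1..255 bytes")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_reply(data: bytes):
    """Parse a complete reply. Returns (rep, bound_addr, bound_port, bytes_consumed)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, end = data[5:5 + n].decode("ascii"), 5 + n
    elif atyp == ATYP_IPV6:
        addr, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(data) < end + 2:
        raise ValueError("truncated reply")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return rep, addr, port, end + 2


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_connect(proxy, dest_host: str, dest_port: int, timeout=60.0):
    """Open a TCP connection to dest_host:dest_port through the SOCKS5 proxy
    at proxy=(host, port) and return the connected socket."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != SOCKS_VERSION or method != 0x00:
            raise ConnectionError("proxy refused the no-authentication method")
        sock.sendall(build_connect_request(dest_host, dest_port))
        head = _recv_exact(sock, 4)          # VER REP RSV ATYP
        atyp = head[3]
        if atyp == ATYP_IPV4:
            rest = _recv_exact(sock, 4 + 2)
        elif atyp == ATYP_DOMAIN:
            length = _recv_exact(sock, 1)
            rest = length + _recv_exact(sock, length[0] + 2)
        elif atyp == ATYP_IPV6:
            rest = _recv_exact(sock, 16 + 2)
        else:
            raise ConnectionError(f"unknown ATYP {atyp:#x} in reply")
        rep = parse_reply(head + rest)[0]
        if rep != 0x00:
            raise ConnectionError(REPLY_CODES.get(rep, f"reply code {rep:#x}"))
        return sock
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # Assumed: tor running locally on 9050 (use 1080 after `ssh -D 1080 lts`).
    PROXY = ("127.0.0.1", 9050)
    HOST = "www.facebookcorewwwi.onion"
    raw = socks5_connect(PROXY, HOST, 443)
    tls = ssl.create_default_context().wrap_socket(raw, server_hostname=HOST)
    tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {HOST}\r\nConnection: close\r\n\r\n".encode())
    print(tls.recv(4096).decode(errors="replace").split("\r\n")[0])
    tls.close()
```

For the tunnel task, point PROXY at the port given to ssh -D: the server at kino then sees lts as the source of the connection, because the proxy end of the SOCKS session lives on lts. A browser configured with a "SOCKS5 with remote DNS" (sometimes written socks5h) setting does exactly the ATYP 0x03 request shown here.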

Port knocking client (2 pt.)

Using your usual LABS username and password, log into the application running at https://kino.vm.wmi.amu.edu.pl:1032/. The port is normally blocked: you must first knock on ports 37366 and 22908 (in this order). Port 1032 then accepts connections for 10 seconds, and you need to establish the connection within that time. Once established, the connection keeps working, because further traffic is accepted by the firewall's connection state tracking. Make sure your IP address is different from the IP address of lts.wmi.amu.edu.pl.

Hint: because of how the faculty network is configured, port 1032 is not reachable from outside the campus. Normally the solution would be SSH tunneling (as above), but this task requires a source other than lts. You can solve it from the campus, through a tunnel to your VM, or via the faculty VPN. Instructions for configuring the VPN can be found here (unfortunately only in Polish, but with screenshots).
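
The client side of this task in Python, as an added example that is not part of the course page. A knock is nothing more than a packet hitting a filtered port: for TCP that is the SYN of a connect() that is expected to time out or be refused, for UDP a single datagram. The task text does not state the protocol of the two knocks, so the demo assumes TCP for both; the pause between knocks and the payload of a UDP knock are also assumptions.

```python
"""Port-knocking client (added example). Knocks are packets to filtered ports;
the answer (if any) is irrelevant, only their order and timing matter."""
import socket
import time


def tcp_knock(host: str, port: int, timeout: float = 1.0) -> bool:
    """Send one TCP SYN to host:port. On a filtered port connect() times out,
    on a closed port it is refused; in both cases the knock was delivered.
    Returns True only if something actually accepted the connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:   # socket.timeout and ConnectionRefusedError are both OSError
            return False


def udp_knock(host: str, port: int, payload: bytes = b"knock") -> None:
    """Send one UDP datagram to host:port. UDP is connectionless, so nothing is
    waited for; the firewall sees the packet the moment it arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))


def knock(host: str, sequence, gap: float = 0.3):
    """Deliver the knocks in `sequence` (iterable of ("tcp"|"udp", port)) in order,
    pausing `gap` seconds between them so they cannot arrive reordered.
    Returns the per-knock tcp_knock() results (None for UDP knocks)."""
    results = []
    for i, (proto, port) in enumerate(sequence):
        if i:
            time.sleep(gap)
        if proto == "tcp":
            results.append(tcp_knock(host, port))
        elif proto == "udp":
            udp_knock(host, port)
            results.append(None)
        else:
            raise ValueError(f"unknown protocol {proto!r}")
    return results


def connect_after_knock(host: str, sequence, port: int, timeout: float = 5.0) -> socket.socket:
    """Knock, then connect to the protected port within the server's open window.
    The returned connection stays usable after the window closes, because the
    firewall's connection tracking accepts packets of an established flow."""
    knock(host, sequence)
    return socket.create_connection((host, port), timeout=timeout)


if __name__ == "__main__":
    # Assumed for this task: both knocks are TCP (the page does not state it).
    KNOCKS = [("tcp", 37366), ("tcp", 22908)]
    print("knock results:", knock("kino.vm.wmi.amu.edu.pl", KNOCKS))
    print("port 1032 is open for 10 s from this address: load the page now")
```

Run the script and then open https://kino.vm.wmi.amu.edu.pl:1032/ in the browser within the 10-second window; every connection the browser makes during that window is then tracked as established. A scripted client would use connect_after_knock() and hand the returned socket to a TLS/HTTP layer instead.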

More difficult tasks (at home)

Port knocking server (3 pt.)

Configure port knocking on your virtual machine (container).

  • Port 8085 should normally be filtered (see the firewall task above).
  • Take your student ID number (e.g. 412345) and split it into two 3-digit numbers (e.g. 412 and 345). Add 1000 to each of them. These are the ports one has to knock on in order to open port 8085.
  • Configure a port knocking server so that sending a TCP packet to the first port followed by a UDP packet to the second port opens port 8085 for the source IP only, for 15 seconds. On port 8085 an HTTP server should be listening that answers any GET request with a text file containing just 6 characters: your student ID number.
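
The heart of a port-knocking server is the per-source state machine; the firewall change itself is a single command. The following is an added example, not part of the course page: a knock tracker in Python with the timing rules a practitioner wants (a wrong or out-of-order knock resets progress, a knock that comes too late restarts the sequence, the opening expires after open_for seconds, and every source is tracked separately). The port derivation follows the rule above and the demo uses the page's own example ID. How the tracker learns about packets (a packet capture or firewall log) and the command it runs to open the port (the demo shows an nftables set element with a timeout) are assumptions of this example; the HTTP server on 8085 is not included.

```python
"""Port-knocking server state machine (added example). Tracks, per source
address, how far through the knock sequence a client is and for how long the
protected port stays open. Firewall changes are delegated to callbacks."""
import time


def knock_ports(student_id: str):
    """Rule from the task: split the 6-digit ID into two 3-digit numbers, add 1000.
    knock_ports("412345") -> (1412, 1345)"""
    if len(student_id) != 6 or not student_id.isdigit():
        raise ValueError("student ID must be six digits")
    return int(student_id[:3]) + 1000, int(student_id[3:]) + 1000


class KnockTracker:
    def __init__(self, sequence, open_for=15.0, window=5.0,
                 on_open=None, on_close=None, clock=time.monotonic):
        """sequence: list of (proto, port) knocks in the required order.
        open_for: seconds the port stays open for a source after a full sequence.
        window:   max seconds allowed between two consecutive knocks of one source.
        clock:    injectable time source (the test uses a fake one)."""
        self.sequence = list(sequence)
        self.open_for, self.window, self.clock = open_for, window, clock
        self.on_open = on_open or (lambda src: None)
        self.on_close = on_close or (lambda src: None)
        self._progress = {}    # src -> (index of next expected knock, time of last knock)
        self._open_until = {}  # src -> expiry time

    def knock(self, src: str, proto: str, port: int) -> bool:
        """Feed one observed packet (source address, 'tcp'/'udp', destination port).
        Returns True if this knock completed the sequence for src."""
        now = self.clock()
        idx, last = self._progress.get(src, (0, now))
        if now - last > self.window:
            idx = 0                                # too slow: start over
        if (proto, port) == self.sequence[idx]:
            idx += 1                               # the expected knock
        elif (proto, port) == self.sequence[0]:
            idx = 1                                # wrong knock, but a valid first step
        else:
            idx = 0                                # wrong knock (e.g. a port scan): reset
        if idx == len(self.sequence):
            self._progress.pop(src, None)
            self._open_until[src] = now + self.open_for
            self.on_open(src)
            return True
        self._progress[src] = (idx, now)
        return False

    def is_open(self, src: str) -> bool:
        """Whether the port is currently open for src; closes it if the time is up."""
        until = self._open_until.get(src)
        if until is None:
            return False
        if self.clock() >= until:
            self.close(src)
            return False
        return True

    def close(self, src: str) -> None:
        if self._open_until.pop(src, None) is not None:
            self.on_close(src)

    def expire(self) -> list:
        """Call periodically: closes every opening whose time is up, returns those sources."""
        now = self.clock()
        done = [src for src, until in self._open_until.items() if now >= until]
        for src in done:
            self.close(src)
        return done


if __name__ == "__main__":
    first, second = knock_ports("412345")      # the page's example ID
    # Assumed firewall hook: an nftables set declared with `flags timeout`, so the
    # kernel itself removes the exception after 15 s, e.g.
    #   nft add element inet filter knocked { 10.0.0.7 timeout 15s }
    tracker = KnockTracker([("tcp", first), ("udp", second)],
                           on_open=lambda s: print(f"would run: nft add element inet filter "
                                                   f"knocked {{ {s} timeout 15s }}"))
    tracker.knock("10.0.0.7", "tcp", first)
    tracker.knock("10.0.0.7", "udp", second)
    print("open for 10.0.0.7:", tracker.is_open("10.0.0.7"))
```

With a set timeout the on_close hook is not needed for the firewall; it is still useful for logging. Note that the tracker only ever opens the port for the knocking source, which is what the task requires and what keeps a third party from riding on somebody else's knock.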

Blockchain (2 pt.)

Create a sequence of files forming a simple blockchain, as follows:

  • Create three text files: 0.txt, 1.txt, 2.txt. Each of these files is identical and contains just one line of text: your name, surname and student ID number in parentheses, e.g. Michał Goliński (123456). Use UTF-8 encoding and make sure the files end with a single newline character (Unix style, LF only).
  • To put 0.txt on the blockchain, find a string of 32 hexadecimal digits (use lowercase letters a-f) such that, when appended to the file 0.txt as the second line (again ending with a single newline character), the MD5 hash of the whole file starts and ends with two zeros (i.e. four zero hex digits altogether).
  • To put 1.txt after 0.txt in the blockchain, proceed as follows. First add the MD5 hash calculated above (the one starting and ending with zeros) as the second line of 1.txt. Now find a string of 32 hexadecimal digits (use lowercase letters a-f) such that, when appended to the file 1.txt as the third line (again ending with a single newline character), the MD5 hash of the whole file starts and ends with two zeros.
  • In the same way add 2.txt to the blockchain: first add a line with the hash of the second file, then find a string of 32 hexadecimal digits for the third line that makes the MD5 hash start and end with two zeros.
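
A miner and verifier for exactly this format, as an added example that is not part of the course page. It assembles each file byte for byte as specified (UTF-8, one trailing LF per line, no CRLF), searches for nonces, and re-checks the finished chain. The difficulty is only 16^4 = 65536 expected MD5 computations per file, which illustrates the point of the exercise: a hash-chained proof of work is cheap to verify and tunably expensive to produce, and changing any earlier file invalidates every hash after it. The name in the demo is constructed, and searching nonces with a counter rather than random strings is a design choice of this example.

```python
"""Miner and verifier for the toy blockchain above (added example).
Each file is: identity line, [previous hash line], nonce line; every line ends
in a single LF, the whole file is UTF-8, and md5(file) must start and end with '00'."""
import hashlib
import os

HEX = "0123456789abcdef"


def block_text(identity, prev_hash=None, nonce=None):
    """Assemble file contents: one line per field, each ending in exactly one LF."""
    lines = [identity]
    if prev_hash is not None:
        lines.append(prev_hash)
    if nonce is not None:
        lines.append(nonce)
    return "".join(line + "\n" for line in lines)


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def meets_target(digest_hex: str) -> bool:
    """The task's difficulty rule: the hex digest starts and ends with '00'."""
    return digest_hex.startswith("00") and digest_hex.endswith("00")


def mine(identity, prev_hash=None, start=0):
    """Find a 32-hex-digit nonce making md5(file) meet the target.
    A counter rendered as zero-padded lowercase hex is as good as random strings
    here and makes the result reproducible. Expected cost: 16**4 = 65536 hashes."""
    prefix = block_text(identity, prev_hash).encode("utf-8")
    n = start
    while True:
        nonce = f"{n:032x}"
        digest = hashlib.md5(prefix + nonce.encode("ascii") + b"\n").hexdigest()
        if meets_target(digest):
            return nonce, digest
        n += 1


def build_chain(identity, length=3):
    """Mine `length` files; file i>0 carries the digest of file i-1 as its 2nd line."""
    files, prev = [], None
    for _ in range(length):
        nonce, digest = mine(identity, prev)
        files.append(block_text(identity, prev, nonce))
        prev = digest
    return files


def verify_chain(files) -> bool:
    """Re-check every rule: line layout, final LF, nonce alphabet and length,
    target met, and that each file's 2nd line is the previous file's digest."""
    prev = None
    for i, text in enumerate(files):
        lines = text.split("\n")            # a trailing '' proves the final LF
        if len(lines) != (3 if i == 0 else 4) or lines[-1] != "":
            return False
        if i > 0 and lines[1] != prev:
            return False
        nonce = lines[-2]
        if len(nonce) != 32 or any(c not in HEX for c in nonce):
            return False
        digest = md5_hex(text)
        if not meets_target(digest):
            return False
        prev = digest
    return True


def write_chain(files, directory="."):
    """Write 0.txt, 1.txt, ... as UTF-8 with LF newlines, even on Windows."""
    for i, text in enumerate(files):
        path = os.path.join(directory, f"{i}.txt")
        with open(path, "w", encoding="utf-8", newline="\n") as f:
            f.write(text)


if __name__ == "__main__":
    chain = build_chain("Jan Kowalski (123456)")   # constructed identity line
    for i, text in enumerate(chain):
        print(f"{i}.txt md5={md5_hex(text)}")
    print("valid:", verify_chain(chain))
    write_chain(chain)
```

Check the result the way the grader would: md5sum 0.txt 1.txt 2.txt must show digests of the form 00…00, and the second line of 1.txt must equal the digest of 0.txt. The most common way to fail this task is an editor that saves CRLF line endings or omits the final newline; verify_chain() rejects both.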