ironpants wrote: Bio suggested "server" so I didn't even think of building an XP box.
Granted, we're kind of talking about two different types of tests, one being for a server being hacked, the other for basic joe-user being hacked.
I would expect a person installing a server would know quite a bit more about security and vulnerabilities. Therefore the base-line for the test is a bit more complicated to construct.
Since I've never built -any- Windoze servers, and only a couple of Linux servers, I don't consider myself qualified to know what needs to go into a base level build, but I'll take a stab at what I think the process should be.
Fe-pants, takes the Windows path
Bio, takes the Linux path
- Build the box, using fairly stock components, try to get cpu, ram and swap space to be comparable between the win and Lin boxes, that part is up to you guys.
- Hook the box to the internet prior to doing the software (OS and apps) install. This way the auto-detection of the install can do its thing, and provide the fastest vulnerability to both systems.
- Install OS. Use original media (out of the box). In the case of Linux, the install -must- be made from ISO imaged CDs (unless using a "boxed" copy). No ftp or NFS installs allowed. (ftp or NFS installs -could- have patched files already in the structure.)
- OS updates. Configure the system to fetch OS updates automagically, and allow the system to do its thing. Do -not- install updates manually that you "know" about, let the OS try to update itself. In the case of the win server, if it doesn't have an auto-update, use the online windows update feature -only-, again, no manual installs of what you "know" needs to be done.
- Install Apache. Apache can run on both OS's. Agree on the version number between you both, and install that version on both machines. If updates are available, you must -both- agree on the update and -then- install it.
- Install basic blog. Agree which blog to use. WordPress is currently considered the top freely available blog (from what I've read). Agree on the version and install it. If updates are available, you must -both- agree on the update and -then- install it. NOTE: You must also both agree on specific settings for the blog (comments on/off, that kind of thing).
- Install basic phpBB. Agree on version and install it on both. phpBB is not the -only- BB out there, but it does appear to be one of the more popular, and was the target of most recent cracks. If updates are available, you must -both- agree on the update and -then- install it. NOTE: You both must agree on the configuration, subscription parameters, uploads allowed or not, etc.
- Log the following events separately:
  - When the box was first "turned on" (power applied)
  - Start of OS installation
  - End of OS installation (prior to updates)
  - Time any update started, and finished
  - Time started and finished Apache install (note, this might be hard if the OS install can -include- the Apache install)
  - Time started and finished WordPress install
  - Time started and finished phpBB install
  - Time any particular threat was noticed to have invaded, and how you found out (short description, i.e. all of a sudden the machine stopped responding)
  - Number of times the box had to be rebooted during the setup, until "hands-off".
How does that sound for a first stab at it? Massage it a bit, and agree on the parameters. This is a non-scientific test, just a fun activity, but we still want to make it as equal as possible.
And before you can start, you both must agree to the final plan and upload it here for forum approval. Once approved, you start in on building the server.
Does this sound reasonable?