├── INSTALL.md ├── README.md ├── all-in-one.yml ├── docs ├── Makefile ├── appendix │ ├── arachni.rst │ ├── fsl-tb-detect.rst │ ├── host-system.rst │ ├── index.rst │ ├── kickstart.rst │ ├── lynis.rst │ ├── masscan.rst │ ├── network.rst │ ├── nmap.rst │ ├── playbook.rst │ └── virt-install.rst ├── applications │ ├── index.rst │ ├── others.rst │ ├── shells.rst │ └── vul-applications.rst ├── base │ ├── architecture.rst │ ├── index.rst │ └── system-details.rst ├── conf.py ├── images │ ├── cups.png │ ├── droopy.png │ ├── http-server.png │ ├── index.png │ ├── log.png │ ├── mcabber.png │ ├── openvpn.png │ ├── pywebserve.png │ ├── rdp-config.png │ ├── system-cgi.png │ ├── terminal.png │ ├── tomcat.png │ ├── vinagre.png │ ├── virt-console.png │ ├── virt-man-lxc1.png │ ├── virt-man-lxc2.png │ ├── virt-man-lxc3.png │ └── virt-man.png ├── index.rst ├── installation │ ├── first-steps.rst │ ├── index.rst │ ├── isolated-setup.rst │ ├── local-setup.rst │ ├── network-setup.rst │ └── quick-start.rst ├── intro │ └── index.rst ├── machines │ ├── containers.rst │ ├── honeypots.rst │ └── index.rst ├── misc │ ├── contribute │ │ ├── bugs.rst │ │ ├── development.rst │ │ ├── documentation.rst │ │ ├── index.rst │ │ └── web-interface.rst │ ├── faq.rst │ ├── index.rst │ ├── licenses.rst │ ├── security-lab.rst │ └── testing.rst ├── requirements.txt └── services │ ├── db.rst │ ├── file.rst │ ├── ftp.rst │ ├── index.rst │ ├── misc │ ├── cups.rst │ ├── dropbear.rst │ ├── index.rst │ ├── mosquitto.rst │ ├── ngircd.rst │ ├── ntp.rst │ ├── openssh.rst │ ├── openvpn.rst │ ├── prosody.rst │ ├── snmp.rst │ ├── syslog.rst │ ├── telnet.rst │ ├── tftp.rst │ └── xrdp.rst │ └── webserver │ ├── apache.rst │ ├── cherokee.rst │ ├── darkhttpd.rst │ ├── droopy.rst │ ├── flask.rst │ ├── http-server.rst │ ├── index.rst │ ├── lighttpd.rst │ ├── mongoose.rst │ ├── nginx.rst │ ├── pywebserve.rst │ └── tomcat.rst ├── files ├── bricks.j2 ├── cgi │ ├── env-py.j2 │ ├── env-sh.j2 │ ├── system-sh.j2 │ ├── time-pl.j2 │ ├── 
time-py.j2 │ └── time │ │ ├── Makefile │ │ ├── time.c │ │ └── time.cgi ├── cups.j2 ├── darkhttpd-config.j2 ├── default.j2 ├── dovecot-config.j2 ├── droopy-config.j2 ├── droopy-service.j2 ├── dropbear-config.j2 ├── dvwa.j2 ├── flask-service.j2 ├── flask-webserver.py ├── fsl-virt-install.j2 ├── honeyd.j2 ├── hosts.j2 ├── kickstart │ └── fedora-mini.j2 ├── libvirt-network.j2 ├── lighttpd-cgi.j2 ├── lighttpd-fastcgi.j2 ├── lxc-network.j2 ├── lxc-virt-install.j2 ├── mongoose-service.j2 ├── motd.j2 ├── mqtt_pub-service.j2 ├── mqtt_pub.py ├── my-cnf.j2 ├── nginx-conf.j2 ├── ngircd.j2 ├── nodejs-http-service.j2 ├── ntp-conf.j2 ├── openvpn │ ├── client-static.j2 │ └── server-static.j2 ├── phpldapadmin-config.j2 ├── postfix-config.j2 ├── prosody-config.j2 ├── pywebserve-service.j2 ├── pywebserve.py ├── sqli.j2 ├── tomcat-users.j2 ├── web-interface │ ├── about.j2 │ ├── banner.png │ ├── cgi-bin.j2 │ ├── contact.j2 │ ├── default.j2 │ ├── index.j2 │ ├── log-openvpn.j2 │ ├── log-system.j2 │ ├── openvpn-static-index.j2 │ ├── phpinfo.j2 │ └── template.j2 ├── web01.xml.j2 └── web02.xml.j2 ├── fsl-packages-sync.py ├── fsl-tb-detect.nse ├── fsl-tb-inst ├── fsl.yml ├── handlers ├── services.yml └── system.yml ├── local-setup.yml ├── openvpn-server.yml ├── penet.yml ├── tasks ├── apps │ ├── bricks.yml │ ├── bwapp.yml │ ├── dvwa.yml │ ├── hackademic.yml │ ├── mcir.yml │ ├── sqli.yml │ ├── wacko.yml │ └── xssed.yml ├── auth-key.yml ├── bridge.yml ├── cgi │ ├── cgi.yml │ ├── env-py.yml │ ├── env-sh.yml │ ├── system-sh.yml │ ├── time-pl.yml │ ├── time-py.yml │ └── time.yml ├── chrony.yml ├── cleanup.yml ├── containers.yml ├── db-servers │ ├── mariadb.yml │ ├── mongodb.yml │ └── mysql.yml ├── directory-servers │ └── openldap.yml ├── file-servers │ ├── nfs.yml │ └── samba.yml ├── ftp-servers │ ├── proftpd.yml │ ├── pure-ftpd.yml │ └── vsftpd.yml ├── helpers │ ├── cockpit.yml │ ├── linfo.yml │ ├── log-openvpn.yml │ ├── log-system.yml │ ├── php-shell-detector.yml │ ├── phpinfo.yml │ ├── 
phpldapadmin.yml │ ├── phpmoadmin.yml │ └── phpmyadmin.yml ├── honeypots │ └── honeyd.yml ├── hosts.yml ├── libvirt.yml ├── lxc.yml ├── mail-servers │ ├── dovecot.yml │ └── postfix.yml ├── mc.yml ├── misc-servers │ ├── cups.yml │ ├── dropbear.yml │ ├── mosquitto.yml │ ├── ngircd.yml │ ├── ntp.yml │ ├── openssh.yml │ ├── openvpn-static.yml │ ├── prosody.yml │ ├── snmp.yml │ ├── telnet.yml │ ├── tftp.yml │ └── xrdp.yml ├── motd.yml ├── preparation.yml ├── shells │ ├── ajaxshell.yml │ ├── ani-shell.yml │ ├── b374k.yml │ ├── dnashell.yml │ ├── escobar.yml │ ├── php-reverse-shell.yml │ ├── phpshell.yml │ └── wso.yml ├── users.yml ├── virt-install.yml ├── web-interface-vpn-static.yml ├── web-interface.yml └── web-servers │ ├── apache.yml │ ├── cherokee.yml │ ├── darkhttpd.yml │ ├── droopy.yml │ ├── flask.yml │ ├── lighttpd.yml │ ├── mongoose.yml │ ├── nginx.yml │ ├── nodejs.yml │ ├── pywebserve.yml │ ├── tomcat.yml │ └── tomcat6.yml ├── template.yml ├── variables ├── application-versions.yml ├── containers.yml ├── local.yml └── sensitive.yml └── webservers.yml /docs/appendix/arachni.rst: -------------------------------------------------------------------------------- 1 | .. _appendix-arachni: 2 | 3 | arachni 4 | ======= 5 | The ``arachni`` output below shows the view of the Test bench from the network 6 | side.:: 7 | 8 | Coming soon... 9 | -------------------------------------------------------------------------------- /docs/appendix/index.rst: -------------------------------------------------------------------------------- 1 | .. _appendix-index: 2 | 3 | ======== 4 | Appendix 5 | ======== 6 | 7 | The appendix contains additional details about the Test bench. 8 | 9 | .. 
toctree:: 10 | :maxdepth: 2 11 | 12 | nmap 13 | masscan 14 | arachni 15 | lynis 16 | fsl-tb-detect 17 | kickstart 18 | virt-install 19 | playbook 20 | host-system 21 | network 22 | -------------------------------------------------------------------------------- /docs/appendix/kickstart.rst: -------------------------------------------------------------------------------- 1 | .. -*- mode: rst -*- 2 | 3 | .. _appendix-kickstart: 4 | 5 | .. _template: https://github.com/fabaff/fsl-test-bench/blob/master/files/kickstart/fedora-mini.j2 6 | .. _git repository: https://github.com/fabaff/fsl-test-bench 7 | 8 | Kickstart file 9 | ============== 10 | 11 | The ``fsl-testbench.ks`` kickstart file is used to set up a minimal installation 12 | of Fedora as libvirt-based virtual machine. Note that the root password is set in clear text (``rootpw testbench``); the commented-out ``rootpw {{ server_root_password }}`` line is the templated alternative. :: 13 | 14 | # Minimal Kickstart file for the Fedora Security Lab test bench 15 | # Installation, not an upgrade 16 | install 17 | 18 | # No graphical things needed 19 | skipx 20 | text 21 | 22 | # Language 23 | lang en_US.UTF-8 24 | 25 | # Keyboard setup 26 | keyboard sg-latin1 27 | #keyboard us 28 | 29 | # Networking 30 | network --onboot yes --device eth0 --bootproto dhcp --ipv6 auto --hostname test-bench 31 | 32 | # Authentication 33 | auth --enableshadow --passalgo=sha512 34 | #rootpw {{ server_root_password }} 35 | rootpw testbench 36 | 37 | # Services, SELinux and firewall 38 | firewall --enabled --ssh 39 | services --enabled network,sshd 40 | selinux --enforcing 41 | #firstboot --disable 42 | logging --level=info 43 | 44 | # Time zone 45 | timezone Europe/Zurich 46 | 47 | # Disk setup 48 | zerombr 49 | bootloader --location=mbr --append="rd_NO_PLYMOUTH" 50 | ignoredisk --only-use=vda 51 | clearpart --none --initlabel --drives=vda 52 | autopart 53 | 54 | poweroff 55 | 56 | %packages 57 | @core 58 | chrony 59 | #dnf 60 | bash-completion 61 | %end 62 | 63 | The `template`_ can be found in the FSL Test bench `git repository`_. 
64 | -------------------------------------------------------------------------------- /docs/appendix/masscan.rst: -------------------------------------------------------------------------------- 1 | .. _appendix-masscan: 2 | 3 | masscan 4 | ======= 5 | The ``masscan`` output below shows the view of the Test bench from the network side. :: 6 | 7 | $ sudo masscan -p0-65535 10.0.0.64 8 | 9 | Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2014-10-28 08:45:22 GMT 10 | -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth 11 | Initiating SYN Stealth Scan 12 | Scanning 1 hosts [65536 ports/host] 13 | Discovered open port 23/tcp on 10.0.0.64 14 | Discovered open port 25/tcp on 10.0.0.64 15 | Discovered open port 8880/tcp on 10.0.0.64 16 | Discovered open port 21/tcp on 10.0.0.64 17 | Discovered open port 8000/tcp on 10.0.0.64 18 | Discovered open port 8889/tcp on 10.0.0.64 19 | Discovered open port 8887/tcp on 10.0.0.64 20 | Discovered open port 3389/tcp on 10.0.0.64 21 | Discovered open port 993/tcp on 10.0.0.64 22 | Discovered open port 22/tcp on 10.0.0.64 23 | Discovered open port 27017/tcp on 10.0.0.64 24 | Discovered open port 222/tcp on 10.0.0.64 25 | Discovered open port 8888/tcp on 10.0.0.64 26 | Discovered open port 80/tcp on 10.0.0.64 27 | Discovered open port 110/tcp on 10.0.0.64 28 | Discovered open port 995/tcp on 10.0.0.64 29 | Discovered open port 8080/tcp on 10.0.0.64 30 | 31 | -------------------------------------------------------------------------------- /docs/appendix/network.rst: -------------------------------------------------------------------------------- 1 | .. _appendix-network: 2 | 3 | Network 4 | ======= 5 | 6 | .. warning:: 7 | This information could be obsolete. 8 | 9 | The diagram below shows the layout of the network during the creation and the 10 | setup of the Fedora Test bench. The FSL Test bench needs an IP address out of 11 | 10.0.0.0/24 because some services have this IP address range in their 12 | configuration files. 
The hardcoded IP address is 10.0.0.64. This is a drawback 13 | of the distribution as virtual machine. 14 | 15 | The IP range needs to be changed in the libvirtd configuration when putting 16 | this virtual machine on live media. :: 17 | 18 | x 19 | xx +--------------------+ +---------------------+ 20 | xx | Router | | Host | 21 | xxxx| 10.0.0.1 +------+ 10.0.0.10 | 22 | | 10.0.0.0/24 | | | | 23 | | | | vnet0 (Bridge) | 24 | +--------------------+ | ^ | 25 | | | | 26 | | +-+---------------+ | 27 | | | FSL Test bench | | 28 | | | 10.0.0.64 | | 29 | | +-----------------+ | 30 | +---------------------+ 31 | -------------------------------------------------------------------------------- /docs/appendix/virt-install.rst: -------------------------------------------------------------------------------- 1 | .. -*- mode: rst -*- 2 | 3 | .. _appendix-virt-install: 4 | 5 | .. _template: https://github.com/fabaff/fsl-test-bench/blob/master/files/fsl-virt-install.j2 6 | .. _git repository: https://github.com/fabaff/fsl-test-bench 7 | 8 | virt-install 9 | ============ 10 | 11 | ``virt-install`` creates a virtual machine with a minimal kickstart file 12 | shown in :ref:`appendix-kickstart`. :: 13 | 14 | virt-install \ 15 | --name FSL-Test-bench \ 16 | --os-variant fedora18 \ 17 | --ram 1024 \ 18 | --disk /var/lib/libvirt/images/fsl-tb-f18.img,size=6 \ 19 | --location http://mirror.switch.ch/ftp/mirror/fedora/linux/releases/18/Fedora/x86_64/os/ \ 20 | --initrd-inject fsl-testbench.ks \ 21 | --extra-args "ks=file:fsl-testbench.ks" \ 22 | --noautoconsole \ 23 | --vnc \ 24 | --network=network:testbench \ 25 | --mac=52:52:00:00:00:01 26 | 27 | The `template`_ can be found in the FSL Test bench `git repository`_. 28 | -------------------------------------------------------------------------------- /docs/applications/index.rst: -------------------------------------------------------------------------------- 1 | .. _Fedora: https://fedoraproject.org 2 | .. 
_bootstrap: http://twitter.github.io/bootstrap 3 | .. _MySQL: https://fedoraproject.org 4 | 5 | .. _applications-index: 6 | 7 | Applications 8 | ============ 9 | All vulnerable web applications and helper tools are accessible from the 10 | `bootstrap`_-based web interface hosted on the Test bench. 11 | 12 | .. See :num:`figure #index-fig` on page :page:`index-fig` for the figure labeled :ref:`index-fig`. 13 | 14 | .. _index-fig: 15 | .. figure:: ../images/index.png 16 | :width: 600px 17 | :align: center 18 | 19 | Default start page of the web interface 20 | 21 | The web interface is built during the setup process of the Test bench and only 22 | available features are shown. 23 | 24 | .. toctree:: 25 | :maxdepth: 2 26 | 27 | vul-applications 28 | shells 29 | others 30 | -------------------------------------------------------------------------------- /docs/applications/others.rst: -------------------------------------------------------------------------------- 1 | .. _Fedora: https://fedoraproject.org 2 | .. _linfo: http://linfo.sourceforge.net 3 | .. _phpMyAdmin: http://www.phpmyadmin.net 4 | .. _PHP shell detector: https://github.com/emposha/PHP-Shell-Detector 5 | 6 | .. _applications-others: 7 | 8 | Other web applications 9 | ====================== 10 | Beside the vulnerable web applications, the services, and the PHP shells some 11 | additional web applications and tools are included. They facilitate the 12 | maintenance of the Test bench and provide details about the various 13 | services and the system itself. 14 | 15 | * `linfo`_ is a small PHP application that displays hardware details and real 16 | time health of your Test bench system. 17 | * `phpMyAdmin`_ is a web application to handle the administration of MySQL 18 | servers. 19 | * Log viewer for some services. 20 | * CGIs which provide details about this system. 21 | * `PHP shell detector`_ is a php script that helps you find and identify 22 | php/cgi(perl)/asp/aspx shells. 23 | 24 | .. 
note:: PHP shell detector is not included by default. This tool is not able 25 | to work with the present amount of files. 26 | -------------------------------------------------------------------------------- /docs/applications/shells.rst: -------------------------------------------------------------------------------- 1 | .. _Fedora: https://fedoraproject.org/ 2 | .. _AJAX shell: http://sourceforge.net/projects/ajaxshell 3 | .. _Ani Shell: http://sourceforge.net/projects/ani-shell 4 | .. _b374k: http://code.google.com/p/b374k-shell/ 5 | .. _DNA Shell: http://sourceforge.net/projects/dna-shell 6 | .. _Escobar: http://sourceforge.net/projects/esc0b4rshell/ 7 | .. _PHP Shell: http://phpshell.sourceforge.net 8 | .. _WSO Shell: https://github.com/orbweb/PHP-SHELL-WSO 9 | 10 | .. _applications-shells: 11 | 12 | PHP Shells 13 | ========== 14 | On a production system shells are dangerous because they let an attacker 15 | execute arbitrary shell commands or browse the filesystem on your server. 16 | The shells mentioned below are available for easy integration to give a 17 | taste of how shells work and how they can be detected. 18 | 19 | * `AJAX shell`_ 20 | * `Ani Shell`_ 21 | * `b374k`_ 22 | * `DNA Shell`_ 23 | * `Escobar`_ 24 | * `PHP Shell`_ 25 | * `WSO Shell`_ 26 | 27 | -------------------------------------------------------------------------------- /docs/base/index.rst: -------------------------------------------------------------------------------- 1 | .. _Fedora: https://fedoraproject.org 2 | .. _Fedora Package Collection: https://admin.fedoraproject.org/pkgdb 3 | 4 | .. _base-index: 5 | 6 | Base 7 | ==== 8 | The initial idea behind the Test benches is that they can be built on-site by 9 | the customers. This way we don't need to ship pre-configured virtual machine 10 | images which are like blackboxes. The customers don't need to trust us about 11 | what's inside the VM or check everything by themselves. They should be in 12 | control of every setup step. 
Nothing is hidden and everything is transparent. 13 | No backdoors, no malware, no evil stuff. 14 | 15 | The core components are installed out of the `Fedora Package Collection`_, if 16 | they are available. This ensures that the operating system runs the latest 17 | packages and behaves with integrity. 18 | 19 | After the setup of the FSL Test bench it is possible to update the system with 20 | the package management tools. :: 21 | 22 | $ sudo dnf -y update 23 | 24 | Vulnerable web applications, PHP shells, and some helper tools are downloaded 25 | directly from their upstream locations. It's not possible to update those 26 | applications automatically. 27 | 28 | One advantage of the on-site creation process, if creating a network host, is 29 | that the local network setup is detected and is used to configure the Test 30 | benches. The Test bench is ready to use. 31 | 32 | A disadvantage is that a connection to the internet is needed during the 33 | setup process and an already working network infrastructure with DHCP/DNS has 34 | to be present. The customer needs minimal technical skill for the setup. It's 35 | not a one-click-thing. 36 | 37 | It's also possible to build a Fedora Security Lab Test bench on a local machine 38 | which is very straightforward and easy to do. The local setup isolates 39 | the Test bench from the outside world and it is only accessible from the host. 40 | 41 | .. 
toctree:: 42 | :maxdepth: 2 43 | 44 | architecture 45 | system-details 46 | -------------------------------------------------------------------------------- /docs/images/cups.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/cups.png -------------------------------------------------------------------------------- /docs/images/droopy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/droopy.png -------------------------------------------------------------------------------- /docs/images/http-server.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/http-server.png -------------------------------------------------------------------------------- /docs/images/index.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/index.png -------------------------------------------------------------------------------- /docs/images/log.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/log.png -------------------------------------------------------------------------------- /docs/images/mcabber.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/mcabber.png -------------------------------------------------------------------------------- 
/docs/images/openvpn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/openvpn.png -------------------------------------------------------------------------------- /docs/images/pywebserve.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/pywebserve.png -------------------------------------------------------------------------------- /docs/images/rdp-config.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/rdp-config.png -------------------------------------------------------------------------------- /docs/images/system-cgi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/system-cgi.png -------------------------------------------------------------------------------- /docs/images/terminal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/terminal.png -------------------------------------------------------------------------------- /docs/images/tomcat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/tomcat.png -------------------------------------------------------------------------------- /docs/images/vinagre.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/vinagre.png -------------------------------------------------------------------------------- /docs/images/virt-console.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/virt-console.png -------------------------------------------------------------------------------- /docs/images/virt-man-lxc1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/virt-man-lxc1.png -------------------------------------------------------------------------------- /docs/images/virt-man-lxc2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/virt-man-lxc2.png -------------------------------------------------------------------------------- /docs/images/virt-man-lxc3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/virt-man-lxc3.png -------------------------------------------------------------------------------- /docs/images/virt-man.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/docs/images/virt-man.png -------------------------------------------------------------------------------- /docs/index.rst: -------------------------------------------------------------------------------- 1 | .. 
Fedora Security Lab Test bench documentation master file, created by 2 | sphinx-quickstart on Wed May 1 22:17:14 2013. 3 | You can adapt this file completely to your liking, but it should at least 4 | contain the root `toctree` directive. 5 | 6 | .. _Fedora Security Lab Test bench: https://github.com/fabaff/fsl-test-bench 7 | 8 | Fedora Security Lab Test bench's documentation 9 | ============================================== 10 | 11 | The documentation of the `Fedora Security Lab Test bench`_ should provide the 12 | users with some basic information about the FSL Test bench and the steps taken 13 | for the creation. 14 | 15 | Contents: 16 | 17 | .. toctree:: 18 | :numbered: 19 | :maxdepth: 2 20 | 21 | intro/index 22 | base/index 23 | installation/index 24 | services/index 25 | applications/index 26 | machines/index 27 | misc/index 28 | appendix/index 29 | 30 | .. Indices, glossary and tables 31 | ============================ 32 | 33 | * :ref:`genindex` 34 | * :ref:`modindex` 35 | * :ref:`glossary` 36 | * :ref:`search` 37 | -------------------------------------------------------------------------------- /docs/installation/first-steps.rst: -------------------------------------------------------------------------------- 1 | .. _Virtual Machine Manager: http://virt-manager.et.redhat.com/ 2 | 3 | .. _installation-first-steps: 4 | 5 | First steps 6 | =========== 7 | After the installation is done, the first step is to check if the Test bench 8 | is responding to ping requests. This should work because the whole setup 9 | process was relying on a working network connection between all involved 10 | systems. All examples are assuming that the Test bench was created with the 11 | default values as vm on a local machine (e.g. the vm has the IP address 12 | 10.1.1.5). If not, adjust the IP address of your Test bench according to your 13 | setup. :: 14 | 15 | $ ping -c 4 10.1.1.5 16 | PING 10.1.1.5 (10.1.1.5) 56(84) bytes of data. 
17 | 64 bytes from 10.1.1.5: icmp_seq=1 ttl=64 time=0.308 ms 18 | 64 bytes from 10.1.1.5: icmp_seq=2 ttl=64 time=0.407 ms 19 | 64 bytes from 10.1.1.5: icmp_seq=3 ttl=64 time=0.408 ms 20 | 64 bytes from 10.1.1.5: icmp_seq=4 ttl=64 time=0.248 ms 21 | 22 | --- 10.1.1.5 ping statistics --- 23 | 4 packets transmitted, 4 received, 0% packet loss, time 3000ms 24 | rtt min/avg/max/mdev = 0.248/0.342/0.408/0.071 ms 25 | 26 | If you want to log in directly to your virtual machine, launch 27 | `Virtual Machine Manager`_ (``virt-manager``) and connect to the virtual 28 | machine **FSL-Test-bench**. 29 | 30 | .. _virt-man-fig: 31 | .. figure:: ../images/virt-man.png 32 | :align: center 33 | 34 | Virtual Machine Manager 35 | 36 | Make a right-click on the ``FSL-Test-bench`` entry and choose **Open**. Login 37 | with username **root** and password **testbench**. 38 | 39 | .. _virt-console-fig: 40 | .. figure:: ../images/virt-console.png 41 | :width: 600px 42 | :align: center 43 | 44 | Virtual Machine Manager console view 45 | 46 | The fastest way is just to connect to the Test bench over ssh and login 47 | with username **root** and password **testbench**. :: 48 | 49 | $ ssh -l root 10.1.1.5 50 | 51 | .. _terminal-fig: 52 | .. figure:: ../images/terminal.png 53 | :width: 600px 54 | :align: center 55 | 56 | motd of the Test bench 57 | -------------------------------------------------------------------------------- /docs/installation/index.rst: -------------------------------------------------------------------------------- 1 | .. _installation-index: 2 | 3 | Installation & Setup 4 | ==================== 5 | To set up a Test bench on a host in your network you need at least two systems 6 | either a physical machine with a virtual machine and a bridged network 7 | connection or two physical systems (one as system to perform the actions 8 | and one which will serve as Test bench). In the latter case a working network 9 | is needed too, incl. DHCP/DNS. 
For the setup process a connection to the 10 | internet is mandatory because some files need to be downloaded. This guide 11 | will use the definitions from below for the two systems to make it clear which 12 | one is involved: 13 | 14 | 15 | .. toctree:: 16 | :maxdepth: 2 17 | 18 | quick-start 19 | local-setup 20 | network-setup 21 | isolated-setup 22 | first-steps 23 | -------------------------------------------------------------------------------- /docs/installation/isolated-setup.rst: -------------------------------------------------------------------------------- 1 | .. _script: https://git.fedorahosted.org/cgit/security-spin.git/plain/test-bench/fsl-tb-inst 2 | .. _git repository: https://github.com/fabaff/fsl-test-bench 3 | .. _Virtual Machine Manager: http://virt-manager.et.redhat.com/ 4 | 5 | .. _installation-local-setup: 6 | 7 | Setup in an isolated environment 8 | ================================ 9 | 10 | .. warning:: 11 | sorry, not implemented. Development will hopefully happen in the future. 12 | 13 | The Fedora Security Lab environment can be used to create a complete 14 | environment consisting of an attack target and attackers in an isolated area 15 | of an existing physical network or a class room. 16 | 17 | Requirement 18 | ----------- 19 | The requirements for running a Fedora Security Lab Environment are: 20 | 21 | * A system which is capable of acting as server, is able to boot from external 22 | devices (USB), and has a network interface 23 | * working physical network (all systems are connected to the same network 24 | segment) 25 | * some systems capable of network booting (PXE boot) 26 | 27 | Basically a classroom for computer science education is a good starting 28 | point. 
:: 29 | 30 | Switch 31 | +----------------+ +---------+ 32 | |X X X X X X X X | |Server | 33 | +^-^-^---------^-+ |- DHCP | 34 | | | | | |- PXE | 35 | | | | +-------|- Data | 36 | | | | +---------+ 37 | | | | 38 | | | +-----------------+ 39 | | +--------+ | 40 | ++-------+ ++-------+ ++-------+ 41 | |Client 1| |Client 2| |Client 3| 42 | +--------+ +--------+ +--------+ 43 | 44 | Setup Course 45 | ------------ 46 | * Disconnect the physical network from the outside 47 | * Start the system which will become the server 48 | * When the server is up and running, start your other systems after you have 49 | changed their BIOS boot sequence to `Boot from network` or similar. 50 | -------------------------------------------------------------------------------- /docs/intro/index.rst: -------------------------------------------------------------------------------- 1 | .. _introduction-index: 2 | 3 | Introduction 4 | ============ 5 | The `Fedora Security Lab`_ Test bench provides a safe environment for 6 | security auditing and testing and can be used for teaching security 7 | testing methodologies. The purpose is to support students and teachers 8 | with Linux-based servers and services while they are working on information 9 | security, web security, reconnaissance, network analysis, network statistics, 10 | forensics, and rescue lessons. 11 | 12 | As the counterpart to the Fedora Security Lab, the `Fedora Security Lab`_ Test 13 | bench is the bench where you can use your tools. 14 | 15 | Beside vulnerable web applications, honeypots, and miscellaneous helpers a 16 | couple of well-known services are available to work with. 17 | 18 | .. _Fedora Security Lab: https://fedorahosted.org/security-spin/ 19 | -------------------------------------------------------------------------------- /docs/machines/honeypots.rst: -------------------------------------------------------------------------------- 1 | .. _Fedora: https://fedoraproject.org 2 | .. _honeyd: http://www.honeyd.org 3 | .. 
_template: https://github.com/fabaff/fsl-test-bench/blob/master/files/honeyd.j2 4 | 5 | .. _machines-honeypots: 6 | 7 | Honeypots 8 | ========= 9 | Currently the low-interaction honeypots make use of `honeyd`_. Those 10 | honeypots are only intended to be targets for port scans. For details about 11 | the honeypot configuration, please check the configuration `template`_. 12 | 13 | * Microsoft Windows XP 14 | * Microsoft Windows 2003 Server 15 | * Linux 2.4.20 16 | 17 | The honeypots are requesting IP addresses by DHCP. :: 18 | 19 | Apr 24 10:09:35 test-bench honeyd[1077]: [eth0] got DHCP offer: 10.0.0.133 20 | Apr 24 10:09:35 test-bench honeyd[1077]: [eth0] got DHCP offer: 10.0.0.134 21 | Apr 24 10:09:35 test-bench honeyd[1077]: [eth0] got DHCP offer: 10.0.0.135 22 | 23 | A fast ``nmap`` scan shows the details about the honeypots: :: 24 | 25 | $ sudo nmap -sVT 10.0.0.133 10.0.0.134 10.0.0.135 26 | 27 | Starting Nmap 6.25 ( http://nmap.org ) at 2013-04-24 23:26 CEST 28 | Nmap scan report for 10.0.0.133 29 | Host is up (0.022s latency). 30 | Not shown: 997 closed ports 31 | PORT STATE SERVICE VERSION 32 | 135/tcp open msrpc? 33 | 139/tcp open netbios-ssn? 34 | 445/tcp open microsoft-ds? 35 | 36 | Nmap scan report for 10.0.0.134 37 | Host is up (0.016s latency). 38 | Not shown: 996 closed ports 39 | PORT STATE SERVICE VERSION 40 | 80/tcp open http? 41 | 135/tcp open msrpc? 42 | 139/tcp open netbios-ssn? 43 | 445/tcp open microsoft-ds? 44 | 45 | Nmap scan report for 10.0.0.135 46 | Host is up (0.015s latency). 
47 | Not shown: 994 closed ports 48 | PORT STATE SERVICE VERSION 49 | 21/tcp open tcpwrapped 50 | 22/tcp open tcpwrapped 51 | 23/tcp open tcpwrapped 52 | 25/tcp open smtp Sendmail 8.12.2/8.12.2/SuSE 53 | 110/tcp open tcpwrapped 54 | 143/tcp open tcpwrapped 55 | Service Info: Host: test-bench.; OS: Unix 56 | 57 | Nmap done: 3 IP addresses (3 hosts up) scanned in 163.53 seconds 58 | 59 | -------------------------------------------------------------------------------- /docs/machines/index.rst: -------------------------------------------------------------------------------- 1 | .. _Fedora: https://fedoraproject.org 2 | .. _LXC: http://lxc.sourceforge.net/ 3 | .. _honeyd: http://www.honeyd.org 4 | 5 | .. _machines-index: 6 | 7 | Machines 8 | ======== 9 | The Fedora Security Lab Test bench provides two types of additional systems 10 | for interaction. The first type are virtual systems which are using operating 11 | system-level virtualization (`LXC`_) and the second are low-interaction 12 | honeypots based on `honeyd`_. 13 | 14 | .. toctree:: 15 | :maxdepth: 2 16 | 17 | containers 18 | honeypots 19 | -------------------------------------------------------------------------------- /docs/misc/contribute/bugs.rst: -------------------------------------------------------------------------------- 1 | .. -*- mode: rst -*- 2 | 3 | .. _misc-contribute-bugs: 4 | 5 | .. _Ansible: http://ansible.cc/ 6 | .. _Fedora Package Collection: https://apps.fedoraproject.org/packages/ 7 | .. _setup page: https://fedorahosted.org/security-spin/wiki/Test%20bench%20setup 8 | .. _fsl-packages.yml: https://git.fedorahosted.org/cgit/security-spin.git/log/ansible-playbooks/fsl-packages.yml 9 | .. _Fedora Security Lab: https://fedorahosted.org/security-spin/ 10 | .. _Github issues: https://github.com/fabaff/fsl-test-bench/issues 11 | 12 | Bugs and Improvements 13 | ===================== 14 | Please report all wishes, bugs, improvements, or ideas. 
Depending on your 15 | preferences please use one of the systems mentioned below. 16 | 17 | - `Fedora Security Lab`_ ticketing system 18 | - `Github issues`_ 19 | -------------------------------------------------------------------------------- /docs/misc/contribute/index.rst: -------------------------------------------------------------------------------- 1 | .. -*- mode: rst -*- 2 | 3 | .. _misc-contribute-index: 4 | 5 | Contribute 6 | ========== 7 | 8 | There are several ways users can contribute to the FSL Test bench project. 9 | 10 | .. toctree:: 11 | :maxdepth: 2 12 | 13 | development 14 | documentation 15 | bugs 16 | web-interface 17 | -------------------------------------------------------------------------------- /docs/misc/contribute/web-interface.rst: -------------------------------------------------------------------------------- 1 | .. -*- mode: rst -*- 2 | 3 | .. _misc-contribute-web-interface: 4 | 5 | .. _Ansible: http://ansible.cc/ 6 | .. _Fedora Package Collection: https://apps.fedoraproject.org/packages/ 7 | 8 | .. _bootstrap: http://twitter.github.io/bootstrap/ 9 | .. _playbook: https://github.com/fabaff/fsl-test-bench/blob/master/tasks/website.yml 10 | .. _Jinja2: http://jinja.pocoo.org/docs/ 11 | .. _folder: https://github.com/fabaff/fsl-test-bench/tree/master/files/website 12 | 13 | Web interface 14 | ============= 15 | 16 | The web interface is based on Twitter's `bootstrap`_ front-end framework. The 17 | `website.yml` `playbook`_ is delivering `Jinja2`_ template pages. 18 | 19 | The *file/website* `folder`_ contains all template files which will be 20 | rendered as html during the setup process. The most important files are: 21 | 22 | - **about.j2** : This file contains further details about the Test bench. 23 | - **contact.j2** : This file provides contact details and links to additional 24 | resources. 
25 | - **index.j2** : The index.html file shows all available applications on the 26 | Test bench and gives the user easy access to those tools. 27 | -------------------------------------------------------------------------------- /docs/misc/index.rst: -------------------------------------------------------------------------------- 1 | .. _Fedora: https://fedoraproject.org 2 | 3 | .. _misc-index: 4 | 5 | Miscellaneous 6 | ============= 7 | This section contains various pieces of documentation which don't fit in any 8 | other section. 9 | 10 | .. toctree:: 11 | :maxdepth: 2 12 | 13 | security-lab 14 | contribute/index 15 | faq 16 | testing 17 | licenses 18 | -------------------------------------------------------------------------------- /docs/misc/security-lab.rst: -------------------------------------------------------------------------------- 1 | .. _playbook: https://github.com/fabaff/fsl-test-bench/blob/master/fsl.yml 2 | .. _Fedora Security Lab: https://fedorahosted.org/security-spin/ 3 | .. _Fedora 20 x86_64: http://mirror.karneval.cz/pub/linux/fedora-alt/releases/20/Spins/x86_64/Fedora-Live-Security-x86_64-20-1.iso 4 | .. _Fedora 20 i686: http://mirror.karneval.cz/pub/linux/fedora-alt/releases/20/Spins/i386/Fedora-Live-Security-i686-20-1.iso 5 | .. _Making Media: http://docs.fedoraproject.org/en-US/Fedora/18/html/Installation_Guide/sn-making-media.html 6 | .. _Installation Guide: http://docs.fedoraproject.org/en-US/Fedora/18/html/Installation_Guide/index.html 7 | 8 | .. _misc-security-lab: 9 | 10 | Setup the Fedora Security Lab 11 | ============================= 12 | The setup of the `Fedora Security Lab`_ can be done in several ways. 13 | 14 | Live media 15 | ----------- 16 | There are two different Live images available of the Fedora Security Lab. Those 17 | images can be used to create physical CDs or Live USB keys. 
18 | 19 | * Download the 64-bit PC Edition: `Fedora 20 x86_64`_ Live Security 20 | * Download the 32-bit PC Edition: `Fedora 20 i686`_ Live Security 21 | 22 | For further information please check the `Making Media`_ section in the 23 | Fedora `Installation Guide`_. 24 | 25 | comps Package group 26 | ------------------- 27 | 28 | .. warning:: 29 | This works only on Fedora 19 and beyond. 30 | 31 | If you have a default Fedora installation and want all Fedora Security Lab 32 | packages installed, you can use the *groupinstall* feature of ``yum``. :: 33 | 34 | $ sudo yum groupinstall security-lab 35 | 36 | Ansible playbook 37 | ---------------- 38 | The `fsl.yml` `playbook`_ contains all packages which are included in the 39 | Fedora Security Lab. 40 | 41 | Add all your hosts to the **[fsl_hosts]** group in ``/etc/ansible/hosts``. 42 | Then run the playbook. :: 43 | 44 | $ sudo ansible-playbook fsl.yml -f 10 45 | 46 | -------------------------------------------------------------------------------- /docs/requirements.txt: -------------------------------------------------------------------------------- 1 | sphinxcontrib-blockdiag 2 | sphinxcontrib-nwdiag 3 | -------------------------------------------------------------------------------- /docs/services/db.rst: -------------------------------------------------------------------------------- 1 | .. _MariaDB: https://mariadb.org/ 2 | .. _MySQL: http://www.mysql.com/ 3 | .. _mongoDB: http://www.mongodb.org/ 4 | .. _Sqlite: http://www.sqlite.org/ 5 | 6 | .. _services-db: 7 | 8 | Database server 9 | =============== 10 | The `MariaDB`_ database engine is used for the web applications but it is still 11 | possible to misuse it for your own requirements. All currently available DBMS are 12 | accessible by remote systems with client tools. For management or administration 13 | tasks web interfaces are provided, please check the ``Misc`` section on the 14 | default start page of your FSL Test bench. 
15 | 16 | * `MariaDB`_ 17 | * `MySQL`_ (replaced by MariaDB) 18 | * `mongoDB`_ 19 | * `Sqlite`_ 20 | 21 | If you want to interact with the `mongoDB`_ instance, make sure that you have 22 | the client tools installed on your system. :: 23 | 24 | $ mongo testbench --host 10.0.0.64 25 | -------------------------------------------------------------------------------- /docs/services/file.rst: -------------------------------------------------------------------------------- 1 | .. _Fedora: https://fedoraproject.org/ 2 | .. _samba: http://www.samba.org/ 3 | .. _nfs: http://nfs.sourceforge.net/ 4 | 5 | .. _services-file: 6 | 7 | File servers 8 | ============ 9 | Serving files is often an essential feature of a server. In the Linux world 10 | two popular systems are used, samba and nfs. It depends on the use case which 11 | system is more common. In a Linux-only environment nfs is a good choice. If 12 | you want to serve files for Microsoft Windows systems samba is an easy way to 13 | go. 14 | 15 | * `samba`_ 16 | * `nfs`_ 17 | 18 | There is a samba share available. :: 19 | 20 | $ nmbscan -h 10.0.0.64 21 | nmbscan version 1.2.6 - laptop011 - Thu Apr 25 09:53:17 CEST 2013 22 | domain MYGROUP 23 | server TEST-BENCH 24 | ip-address 10.0.0.64 25 | ip-name fedora-test.home.network 26 | server-software Samba 4.0.5 27 | operating-system Unix 28 | share samba 29 | share-type Disk 30 | share IPC$ 31 | share-type IPC 32 | share-comment IPC Service (Samba Server Version 4.0.5) 33 | -------------------------------------------------------------------------------- /docs/services/ftp.rst: -------------------------------------------------------------------------------- 1 | .. _Fedora: https://fedoraproject.org/ 2 | .. _vsftpd: http://vsftpd.beasts.org 3 | .. _proftpd: http://www.proftpd.org/ 4 | .. _pure-ftpd: http://www.pureftpd.org 5 | 6 | .. 
_services-ftp: 7 | 8 | FTP servers 9 | =========== 10 | File Transfer Protocol (FTP) is an important protocol for transferring files 11 | from host to host. All FTP connections are unencrypted to make it possible to 12 | sniff the control and data connections between the client and the server. The 13 | listed ftp servers are ready to include: 14 | 15 | * `vsftpd`_ 16 | * `proftpd`_ 17 | * `pure-ftpd`_ 18 | 19 | To run all ftp servers on one machine they need to use different 20 | ports. The table below shows the ports and the assigned ftp server. 21 | 22 | +------------+-----------+ 23 | | Port | Server | 24 | +============+===========+ 25 | | 21 | vsftpd | 26 | +------------+-----------+ 27 | | 2021 | pure-ftpd | 28 | +------------+-----------+ 29 | | 2221 | proftpd | 30 | +------------+-----------+ 31 | 32 | For vsftpd TLS support is coming soon and the configuration is not really 33 | working. :: 34 | 35 | $ ftp 10.0.0.64 36 | Connected to 10.0.0.64 (10.0.0.64). 37 | 220 (vsFTPd 3.0.2) 38 | Name (10.0.0.64:fab): bob 39 | 331 Please specify the password. 40 | Password: 41 | 230 Login successful. 42 | Remote system type is UNIX. 43 | Using binary mode to transfer files. 44 | ftp> ls 45 | 500 OOPS: priv_sock_get_int 46 | Passive mode refused. 47 | -------------------------------------------------------------------------------- /docs/services/index.rst: -------------------------------------------------------------------------------- 1 | .. _Fedora: https://fedoraproject.org 2 | .. _Lighttpd: https://fedoraproject.org 3 | .. _MySQL: https://fedoraproject.org 4 | 5 | .. _services-index: 6 | 7 | Services 8 | ======== 9 | The Fedora Security Lab Test bench includes a wide variety of services. Most 10 | services are running with default configuration. Where useful, a web interface is 11 | provided. 12 | 13 | .. 
toctree:: 14 | :maxdepth: 2 15 | 16 | db 17 | file 18 | ftp 19 | mail 20 | webserver/index 21 | misc/index 22 | -------------------------------------------------------------------------------- /docs/services/misc/cups.rst: -------------------------------------------------------------------------------- 1 | .. _cups: http://www.cups.org 2 | 3 | .. _services-misc-cups: 4 | 5 | cups 6 | ==== 7 | `cups`_ is a standards-based printing system and uses the Internet Printing 8 | Protocol (IPP) to support printing to local and network printers. The web 9 | interface is accessible at http://10.0.0.65:631/ 10 | 11 | .. _cups-fig: 12 | .. figure:: ../../images/cups.png 13 | :width: 600px 14 | :align: center 15 | 16 | CUPS web interface 17 | -------------------------------------------------------------------------------- /docs/services/misc/dropbear.rst: -------------------------------------------------------------------------------- 1 | .. _dropbear: https://matt.ucc.asn.au/dropbear/dropbear.html 2 | .. _nmap: http://nmap.org/ 3 | 4 | .. _services-misc-dropbear: 5 | 6 | dropbear 7 | ======== 8 | `dropbear`_, which is running on port 222, is a lightweight SSH server. 9 | 10 | To retrieve the version with `nmap`_, use the command mentioned below:: 11 | 12 | $ nmap -sV -p 222 --script=banner 10.0.0.65 13 | [...] 14 | Host is up (0.00045s latency). 15 | PORT STATE SERVICE VERSION 16 | 222/tcp open ssh Dropbear sshd 2012.55 (protocol 2.0) 17 | |_banner: SSH-2.0-dropbear_2012.55 18 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 19 | 20 | Banner grabbing with ``netcat`` will give you the version back:: 21 | 22 | $ nc -v 10.0.0.65 222 23 | Ncat: Version 6.25 ( http://nmap.org/ncat ) 24 | Ncat: Connected to 10.0.0.65:222. 25 | SSH-2.0-dropbear_2012.55 26 | -------------------------------------------------------------------------------- /docs/services/misc/index.rst: -------------------------------------------------------------------------------- 1 | .. 
_Fedora: https://fedoraproject.org/ 2 | 3 | .. _services-others: 4 | 5 | Other servers/services 6 | ====================== 7 | The Fedora Security Lab Test bench is hosting some services which are usually 8 | not found on publicly accessible systems. ``telnet`` has been replaced by more secure 9 | systems. Nowadays ``tftp`` is mainly used for provisioning VoIP installations. 10 | Print servers like ``cups`` are used in office environments. 11 | 12 | To give the students the possibility to work with VPN, an OpenVPN setup with 13 | a static key is included. 14 | 15 | .. toctree:: 16 | :maxdepth: 2 17 | 18 | tftp 19 | telnet 20 | openvpn 21 | openssh 22 | dropbear 23 | cups 24 | ngircd 25 | xrdp 26 | ntp 27 | mosquitto 28 | prosody 29 | snmp 30 | -------------------------------------------------------------------------------- /docs/services/misc/mosquitto.rst: -------------------------------------------------------------------------------- 1 | .. _MQTT: http://mqtt.org/ 2 | .. _mosquitto: http://mosquitto.org/ 3 | 4 | .. _services-misc-mosquitto: 5 | 6 | mosquitto 7 | ========= 8 | `mosquitto`_ is an MQ Telemetry Transport (`MQTT`_) message broker. The MQTT 9 | protocol provides a lightweight method of carrying out messaging using a 10 | publish/subscribe model. It is useful and suitable for "machine to machine" 11 | messaging in various ways, e.g. for connections with remote locations or just 12 | to collect your data from a microcontroller system. 
13 | 14 | Subscribing to the topic **fsl/testbench** of the `MQTT`_ broker from your 15 | local machine:: 16 | 17 | $ mosquitto_sub -h 10.0.0.65 -d -t fsl/testbench 18 | Client mosqsub/24366-laptop011 sending CONNECT 19 | Client mosqsub/24366-laptop011 received CONNACK 20 | Client mosqsub/24366-laptop011 sending SUBSCRIBE (Mid: 1, Topic: fsl/testbench, QoS: 0) 21 | Client mosqsub/24366-laptop011 received SUBACK 22 | Subscribed (mid: 1): 0 23 | 24 | The FSL Test Bench permanently publishes messages at a random interval 25 | of between 1 and 30 seconds. The default string contains 26 | **MQTT message from FSL Test Bench.** and a time stamp. 27 | 28 | Manually publishing messages on your FSL Test bench can be done with the topic 29 | **fsl/testbench**. If you want to publish the message directly from your FSL 30 | Test Bench, use the command mentioned below:: 31 | 32 | $ mosquitto_pub -d -t fsl/testbench -m "This is a message from your FSL Test bench" 33 | Client mosqpub/20531-test-bench sending CONNECT 34 | Client mosqpub/20531-test-bench received CONNACK 35 | Client mosqpub/20531-test-bench sending PUBLISH (d0, q0, r0, m1, 'fsl/testbench', ... (42 bytes)) 36 | Client mosqpub/20531-test-bench sending DISCONNECT 37 | 38 | If you want to publish a message from your local machine, the broker's IP 39 | address is needed additionally:: 40 | 41 | $ mosquitto_pub -h 10.0.0.65 -d -t fsl/testbench -m "This is a message from your FSL Test bench" 42 | 43 | You should now get the message from the FSL Test Bench. :: 44 | 45 | Client mosqsub/24366-laptop011 received PUBLISH (d0, q0, r0, m0, 'fsl/testbench', ... (42 bytes)) 46 | This is a message from your FSL Test bench 47 | 48 | -------------------------------------------------------------------------------- /docs/services/misc/ngircd.rst: -------------------------------------------------------------------------------- 1 | .. _ngircd: http://ngircd.barton.de/ 2 | 3 | .. 
_services-misc-ngircd: 4 | 5 | ngircd 6 | ====== 7 | 8 | `ngircd`_ is a lightweight Internet Relay Chat server. 9 | -------------------------------------------------------------------------------- /docs/services/misc/ntp.rst: -------------------------------------------------------------------------------- 1 | .. _ntp: http://www.ntp.org/ 2 | .. _nmap: http://nmap.org/ 3 | 4 | .. _services-misc-ntp: 5 | 6 | ntp 7 | === 8 | The Network Time Protocol (`ntp`_) is a networking protocol for the 9 | synchronization of clocks of computer systems over networks. NTP is 10 | providing the information in UTC (Coordinated Universal Time). 11 | 12 | Login your FSL Test bench to check if you have connections to ntp servers.:: 13 | 14 | # ntpq -p 15 | remote refid st t when poll reach delay offset jitter 16 | ============================================================================== 17 | *ds1789963.dedic 192.53.103.103 2 u 1 64 1 16.390 2.484 0.674 18 | ns1.pmodwrc.ch 189.247.1.117 2 u 2 64 1 19.949 0.255 0.502 19 | ntppublic.uzh.c 130.60.205.7 3 u 1 64 1 16.315 2.361 0.341 20 | aerith.projectd 217.147.208.1 3 u 2 64 1 22.728 -0.846 0.022 21 | 22 | Sync your clock with the FSL Test Bench:: 23 | 24 | $ sudo ntpdate 10.0.0.65 25 | 16 Aug 10:56:08 ntpdate[30588]: adjust time server 10.0.0.65 offset 0.002292 sec 26 | 27 | Unless an error message is displayed, the system time of your local system 28 | should now be set. 29 | 30 | .. note:: It was not tested if this works without a connection to the internet. 31 | -------------------------------------------------------------------------------- /docs/services/misc/openssh.rst: -------------------------------------------------------------------------------- 1 | .. _openssh: http://www.openssh.org/ 2 | .. _nmap: http://nmap.org/ 3 | 4 | .. _services-misc-openssh: 5 | 6 | openssh 7 | ======= 8 | `openssh`_ (Port 22) encrypts communication sessions over a computer network 9 | using the SSH protocol. 
10 | 11 | Banner grabbing with ``netcat`` will give you the version back:: 12 | 13 | $ nc -v 10.0.0.65 22 14 | Ncat: Version 6.25 ( http://nmap.org/ncat ) 15 | Ncat: Connected to 10.0.0.65:22. 16 | SSH-2.0-OpenSSH_6.1 17 | 18 | There are two other ways to retrieve the version with `nmap`_. The first is :: 19 | 20 | $ nmap -sV -p 22 10.0.0.65 21 | [...] 22 | Host is up (0.00053s latency). 23 | PORT STATE SERVICE VERSION 24 | 22/tcp open ssh OpenSSH 6.1 (protocol 2.0) 25 | 26 | The second is :: 27 | 28 | $ nmap -sV -p 22 --script=banner 10.0.0.65 29 | [...] 30 | Host is up (0.00061s latency). 31 | PORT STATE SERVICE VERSION 32 | 22/tcp open ssh OpenSSH 6.1 (protocol 2.0) 33 | |_banner: SSH-2.0-OpenSSH_6.1 34 | -------------------------------------------------------------------------------- /docs/services/misc/openvpn.rst: -------------------------------------------------------------------------------- 1 | .. _OpenVPN: http://openvpn.net 2 | 3 | .. _services-misc-openvpn: 4 | 5 | OpenVPN 6 | ======= 7 | `OpenVPN`_ is a software application which makes virtual private network 8 | (VPN) techniques available for creating secure point-to-point or site-to-site 9 | connections over insecure networks like the internet. OpenVPN is capable of 10 | traversing firewalls and common SOHO routers with network address translators 11 | (NATs). 12 | 13 | Peers are allowed to authenticate each other using certificates, a pre-shared 14 | secret key, or username/password. The FSL Test Bench only provides an OpenVPN 15 | server with a static key configuration. 16 | 17 | .. _openvpn-fig: 18 | .. figure:: ../../images/openvpn.png 19 | :width: 600px 20 | :align: center 21 | 22 | Configuration page for OpenVPN 23 | -------------------------------------------------------------------------------- /docs/services/misc/snmp.rst: -------------------------------------------------------------------------------- 1 | .. 
_services-misc-snmp: 2 | 3 | snmp 4 | ==== 5 | The Simple Network Management Protocol (SNMP) was designed for 6 | monitoring the health and welfare of computer and network equipment. 7 | 8 | Get the data on your FSL Test Bench:: 9 | 10 | $ snmpwalk -v2c -c public localhost system 11 | 12 | Or check it from a system in the same network:: 13 | 14 | $ snmpwalk -v2c -c public 10.0.0.64 system 15 | 16 | .. _net-snmp: http://www.net-snmp.org/ 17 | -------------------------------------------------------------------------------- /docs/services/misc/syslog.rst: -------------------------------------------------------------------------------- 1 | .. _syslog-ng: http://www.balabit.com/network-security/syslog-ng 2 | .. _RFC3164: http://tools.ietf.org/html/rfc3164 3 | .. _RFC5424: http://tools.ietf.org/html/rfc5424 4 | 5 | .. _services-misc-syslog: 6 | 7 | syslog-ng 8 | ========= 9 | `syslog-ng`_ is an implementation of the Syslog protocol. It uses the standard 10 | BSD syslog protocol, specified in `RFC3164`_ and the proposed `RFC5424`_. 11 | 12 | Using the server 13 | ---------------- 14 | 15 | mausezahn -t syslog sev=3 -P "Message from FSL." -A 10.1.1.109 -B 192.168.7.7 16 | -------------------------------------------------------------------------------- /docs/services/misc/telnet.rst: -------------------------------------------------------------------------------- 1 | .. _services-misc-telnet: 2 | 3 | telnet 4 | ====== 5 | ``telnet`` supports bidirectional interactive text-oriented communication. 6 | 7 | You should be able to connect to a telnet server. :: 8 | 9 | [testbench@fsl-tb09 ~]$ telnet 10.1.1.5 10 | Trying 10.1.1.5... 11 | Connected to 10.1.1.5. 12 | Escape character is '^]'. 
13 | Fedora release 20 (Heisenbug) 14 | Kernel 3.13.8-200.fc20.x86_64 on an x86_64 (1) 15 | test-bench login: 16 | -------------------------------------------------------------------------------- /docs/services/misc/tftp.rst: -------------------------------------------------------------------------------- 1 | .. _tftp: http://sourceforge.net/projects/tftp-server/ 2 | 3 | .. _services-misc-tftp: 4 | 5 | tftp 6 | ==== 7 | `tftp`_ (xinetd) is a single port Trivial File Transfer Protocol server. 8 | 9 | The tftp server is serving a simple text file. :: 10 | 11 | $ ls 12 | $ tftp 10.0.0.64 13 | tftp> get info.txt 14 | tftp> quit 15 | $ ls 16 | info.txt 17 | 18 | -------------------------------------------------------------------------------- /docs/services/misc/xrdp.rst: -------------------------------------------------------------------------------- 1 | .. _xrdp: http://www.xrdp.org/ 2 | .. _Vinagre: https://projects.gnome.org/vinagre/ 3 | 4 | .. _services-misc-xrdp: 5 | 6 | xrdp 7 | ==== 8 | `xrdp`_ is a remote desktop protocol (RDP) server. To connect to the FSL Test 9 | Bench use `Vinagre`_ which is usually named **Remote Desktop Viewer** in 10 | graphical user environments (``yum -y install vinagre``) and is a client that 11 | supports various protocols (VNC, ssh, rdp, and spice) or a client of your choice. 12 | 13 | .. _rdp-config-fig: 14 | .. figure:: ../../images/rdp-config.png 15 | :align: center 16 | 17 | Remote Desktop Viewer configuration 18 | 19 | .. _vinagre-fig: 20 | .. figure:: ../../images/vinagre.png 21 | :width: 600px 22 | :align: center 23 | 24 | Remote Desktop Viewer configuration 25 | -------------------------------------------------------------------------------- /docs/services/webserver/apache.rst: -------------------------------------------------------------------------------- 1 | .. _Apache: http://httpd.apache.org 2 | 3 | .. 
_services-webserver-apache: 4 | 5 | apache 6 | ====== 7 | The `Apache`_ HTTP Server, commonly referred to as Apache, is a well-known web 8 | server application. 9 | 10 | .. warning:: 11 | sorry, not implemented/available at the moment. 12 | -------------------------------------------------------------------------------- /docs/services/webserver/cherokee.rst: -------------------------------------------------------------------------------- 1 | .. _cherokee: http://cherokee-project.com 2 | 3 | .. _services-webserver-cherokee: 4 | 5 | cherokee 6 | ======== 7 | `cherokee`_ is a lightweight, high-performance web server/reverse proxy. This 8 | webserver offers support for FastCGI, SCGI, PHP, CGI, SSI, TLS and SSL encrypted 9 | connections, Virtual hosts, Authentication, on the fly encoding, Load Balancing, 10 | Apache compatible log files, Data Base Balancer, downtime-free updates and 11 | upgrades, and Reverse HTTP Proxy. 12 | 13 | .. warning:: 14 | sorry, not implemented/available at the moment. 15 | -------------------------------------------------------------------------------- /docs/services/webserver/darkhttpd.rst: -------------------------------------------------------------------------------- 1 | .. _services-webserver-darkhttpd: 2 | 3 | .. _darkhttpd: http://unix4lyfe.org/darkhttpd/ 4 | 5 | darkhttpd 6 | ========= 7 | `darkhttpd`_ is a simple, fast HTTP 1.1 web server for static content. It 8 | does not support PHP or CGI but is designed to serve static content. 9 | 10 | This example shows the details of the `darkhttpd`_ web server. 
:: 11 | 12 | $ bannergrab 10.0.0.65 8887 13 | HTTP/1.1 200 OK 14 | Date: Mon, 25 May 2020 10:35:42 GMT 15 | Server: darkhttpd/1.12 16 | Accept-Ranges: bytes 17 | Connection: close 18 | Content-Length: 1352 19 | Content-Type: text/html; charset=UTF-8 20 | -------------------------------------------------------------------------------- /docs/services/webserver/droopy.rst: -------------------------------------------------------------------------------- 1 | .. _services-webserver-droopy: 2 | 3 | .. _droopy: https://github.com/stackp/Droopy 4 | 5 | droopy 6 | ====== 7 | `droopy`_ is a mini web server with the purpose to let one upload files to a 8 | server. It's listening on port 8000. 9 | 10 | .. _droopy-fig: 11 | .. figure:: ../../images/droopy.png 12 | :align: center 13 | 14 | droopy web interface 15 | 16 | -------------------------------------------------------------------------------- /docs/services/webserver/flask.rst: -------------------------------------------------------------------------------- 1 | .. _services-webserver-flask: 2 | 3 | .. _flask: http://flask.pocoo.org 4 | 5 | flask 6 | ===== 7 | `flask`_ is a lightweight Python web application framework. It's based on 8 | the Werkzeug WSGI toolkit and the Jinja2 template engine. This framework keeps 9 | the core simple but additional features can be added through extensions. 10 | 11 | This example shows the details of an HTTP GET request :: 12 | 13 | $ bannergrab 10.0.0.65 8886 14 | HTTP/1.0 200 OK 15 | Content-Type: text/html; charset=utf-8 16 | Content-Length: 43 17 | Server: Werkzeug/0.14.1 Python/3.7.7 18 | Date: Mon, 25 May 2020 11:19:56 GMT 19 | -------------------------------------------------------------------------------- /docs/services/webserver/http-server.rst: -------------------------------------------------------------------------------- 1 | .. _services-webserver-http-server: 2 | 3 | .. _http-server: https://github.com/nodeapps/http-server 4 | .. 
_node.js: https://nodejs.org/en/ 5 | 6 | 7 | 8 | http-server (node.js) 9 | ===================== 10 | The `http-server`_ functionality is used on top of `node.js`_. 11 | 12 | .. _http-server-fig: 13 | .. figure:: ../../images/http-server.png 14 | :align: center 15 | 16 | http-server default page 17 | 18 | The next example shows a connection to the `http-server`_. :: 19 | 20 | $ nc 10.0.0.64 8888 21 | HEAD / HTTP/1.1 22 | host: localhost 23 | 24 | HTTP/1.1 200 OK 25 | server: ecstatic-0.1.7 26 | etag: "139483-944-Fri Apr 26 2013 19:09:31 GMT+0200 (CEST)" 27 | last-modified: Fri, 26 Apr 2013 17:09:31 GMT 28 | cache-control: max-age=3600 29 | content-type: text/html 30 | Date: Fri, 26 Apr 2013 21:24:51 GMT 31 | Connection: keep-alive 32 | -------------------------------------------------------------------------------- /docs/services/webserver/index.rst: -------------------------------------------------------------------------------- 1 | .. _Fedora: https://fedoraproject.org 2 | .. _nginx: http://nginx.org/ 3 | 4 | .. _services-webserver: 5 | 6 | Web servers 7 | =========== 8 | Every type of web server has its purpose and its unique fingerprint. To give 9 | the students the feeling of the real world, various web servers are running. 10 | They don’t serve content, they are just lurking around for fingerprinting and 11 | bannergrabbing. The following web servers are available. 12 | 13 | .. toctree:: 14 | :maxdepth: 2 15 | :glob: 16 | 17 | * 18 | 19 | To run all web servers on one machine they need to use different 20 | ports. The table below shows the ports and the assigned web server. 
21 | 22 | +------------+----------------+ 23 | | Port | Server | 24 | +============+================+ 25 | | 80 | lighttpd | 26 | +------------+----------------+ 27 | | 8000 | droopy | 28 | +------------+----------------+ 29 | | 8008 | cherokee | 30 | +------------+----------------+ 31 | | 8080 | tomcat | 32 | +------------+----------------+ 33 | | 8800 | apache | 34 | +------------+----------------+ 35 | | 8808 | nginx | 36 | +------------+----------------+ 37 | | 8880 | pywebserve | 38 | +------------+----------------+ 39 | | 8888 | http-server | 40 | +------------+----------------+ 41 | | 8889 | mongoose | 42 | +------------+----------------+ 43 | | 8887 | darkhttpd | 44 | +------------+----------------+ 45 | | 8886 | flask | 46 | +------------+----------------+ 47 | 48 | At the moment most web servers don't support https. This is a task for 49 | the future. The only web server with SSL support on the FSL Test bench 50 | is :ref:`nginx `. 51 | -------------------------------------------------------------------------------- /docs/services/webserver/lighttpd.rst: -------------------------------------------------------------------------------- 1 | .. _services-webserver-lighttpd: 2 | 3 | .. _lighttpd: http://www.lighttpd.net 4 | 5 | lighttpd 6 | ======== 7 | This is the server which is providing the web interface. `lighttpd`_ is 8 | optimized for speed while still standards-compliant, secure and flexible. 9 | 10 | This example shows the details of the `lighttpd`_ web server. :: 11 | 12 | $ bannergrab 10.0.0.64 80 13 | HTTP/1.0 200 OK 14 | Allow: OPTIONS, GET, HEAD, POST 15 | Content-Length: 0 16 | Connection: close 17 | Date: Sat, 01 Nov 2014 13:18:35 GMT 18 | Server: lighttpd/1.4.35 19 | -------------------------------------------------------------------------------- /docs/services/webserver/mongoose.rst: -------------------------------------------------------------------------------- 1 | .. _services-webserver-mongoose: 2 | 3 | .. 
_mongoose: https://github.com/cesanta/mongoose/ 4 | 5 | mongoose 6 | ======== 7 | `mongoose`_ is built on top of libmongoose embedded library. Libmongoose is 8 | used to serve Web GUI on embedded devices, implement RESTful services, RPC 9 | frameworks (e.g. JSON-RPC), handle telemetry data exchange, and perform many 10 | other tasks in various different industries. 11 | 12 | This example shows the details of the `mongoose`_ web server. :: 13 | 14 | $ bannergrab 10.0.0.65 8889 15 | HTTP/1.1 200 OK 16 | Date: Wed, 29 May 2013 15:24:20 GMT 17 | Last-Modified: Wed, 29 May 2013 14:44:55 GMT 18 | Etag: "51a61467.3b0" 19 | Content-Type: text/html 20 | Content-Length: 944 21 | Connection: close 22 | Accept-Ranges: bytes 23 | 24 | -------------------------------------------------------------------------------- /docs/services/webserver/pywebserve.rst: -------------------------------------------------------------------------------- 1 | .. _services-webserver-pywebserve: 2 | 3 | .. _pywebserve: http://gitorious.org/pywebserve 4 | 5 | pywebserve 6 | ========== 7 | `pywebserve`_ aims to expose a local directory to the world. It is using only 8 | Python modules (BaseHTTPServer and SimpleHTTPServer) and can be controlled by 9 | systemd. 10 | 11 | The server is listening on port 8880. 12 | 13 | .. _pywebserve-fig: 14 | .. figure:: ../../images/pywebserve.png 15 | :align: center 16 | 17 | pywebserve 18 | 19 | This example shows the details of the `pywebserve`_ web server. :: 20 | 21 | $ nc 10.0.0.64 8880 22 | HEAD / HTTP/1.1 23 | host: localhost 24 | 25 | HTTP/1.0 200 OK 26 | Server: SimpleHTTP/0.6 Python/2.7.5 27 | Date: Sat, 01 Nov 2014 13:12:15 GMT 28 | Content-type: text/html; charset=UTF-8 29 | Content-Length: 434 30 | -------------------------------------------------------------------------------- /docs/services/webserver/tomcat.rst: -------------------------------------------------------------------------------- 1 | .. _services-webserver-tomcat: 2 | 3 | .. 
_Tomcat: http://tomcat.apache.org/index.html 4 | 5 | tomcat 6 | ====== 7 | Apache `Tomcat`_ is an open source software implementation of the Java Servlet 8 | and JavaServer Pages technologies. This server is listening on port 8080. At 9 | the moment there are no pages served from this server. 10 | 11 | .. _tomcat-fig: 12 | .. figure:: ../../images/tomcat.png 13 | :align: center 14 | 15 | Tomcat admin web interface 16 | 17 | This example shows the details of the `Tomcat`_ web server. :: 18 | 19 | $ bannergrab 10.0.0.64 8080 20 | HTTP/1.1 200 OK 21 | Server: Apache-Coyote/1.1 22 | Content-Type: text/html;charset=ISO-8859-1 23 | Date: Sat, 01 Nov 2014 13:17:27 GMT 24 | Connection: close 25 | 26 | -------------------------------------------------------------------------------- /files/bricks.j2: -------------------------------------------------------------------------------- 1 | 13 | -------------------------------------------------------------------------------- /files/cgi/env-py.j2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # env.py - A simple CGI in Python which displays the environment variables 4 | # 5 | # Copyright (c) 2013-2015 Fabian Affolter 6 | # 7 | # All rights reserved. 8 | # 9 | # This program is free software; you can redistribute it and/or modify 10 | # it under the terms of the GNU General Public License as published by 11 | # the Free Software Foundation; either version 2 of the License, or 12 | # (at your option) any later version. 13 | # 14 | # This program is distributed in the hope that it will be useful, 15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | # GNU General Public License for more details. 
18 | # 19 | # You should have received a copy of the GNU General Public License 20 | # along with this program; if not, write to the Free Software 21 | # Foundation, Inc., 22 | # 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 23 | # 24 | import datetime 25 | import os 26 | 27 | date = datetime.datetime.now() 28 | 29 | print 'Content-type:text/html\n\n' 30 | print '\n\nInformation delivered by CGI (Python)\n\n\n' 31 | print '

Environment variables

' 32 | for param in os.environ.keys(): 33 | print "%20s: %s
" % (param, os.environ[param]) 34 | print '
© Fedora Security Lab 2013-2015 - Page generated on %s.
' % (date) 35 | print '' 36 | -------------------------------------------------------------------------------- /files/cgi/env-sh.j2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | # 3 | # env - A simple CGI in Bash which displays the environment variables. 4 | # 5 | # Copyright (c) 2013-2015 Fabian Affolter 6 | # 7 | # All rights reserved. 8 | # 9 | # This program is free software; you can redistribute it and/or modify 10 | # it under the terms of the GNU General Public License as published by 11 | # the Free Software Foundation; either version 2 of the License, or 12 | # (at your option) any later version. 13 | # 14 | # This program is distributed in the hope that it will be useful, 15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | # GNU General Public License for more details. 18 | # 19 | # You should have received a copy of the GNU General Public License 20 | # along with this program; if not, write to the Free Software 21 | # Foundation, Inc., 22 | # 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 23 | # 24 | echo "Content-type: text/html" 25 | echo "" 26 | echo "Environment variables delivered by CGI (Bash)" 27 | echo "

Environment variables

" 28 | echo "" 29 | echo "
$(/usr/bin/env)
" 30 | echo "" 31 | echo "
© Fedora Security Lab 2013-2015 - Page generated on $(date).
" 32 | echo "" 33 | -------------------------------------------------------------------------------- /files/cgi/system-sh.j2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | # 3 | # system - A simple CGI in Bash which displays system information 4 | # 5 | # Copyright (c) 2013-2015 Fabian Affolter 6 | # 7 | # All rights reserved. 8 | # 9 | # This program is free software; you can redistribute it and/or modify 10 | # it under the terms of the GNU General Public License as published by 11 | # the Free Software Foundation; either version 2 of the License, or 12 | # (at your option) any later version. 13 | # 14 | # This program is distributed in the hope that it will be useful, 15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | # GNU General Public License for more details. 18 | # 19 | # You should have received a copy of the GNU General Public License 20 | # along with this program; if not, write to the Free Software 21 | # Foundation, Inc., 22 | # 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 23 | # 24 | echo 'Content-type: text/html' 25 | echo "" 26 | echo "Information delivered by CGI (Bash)" 27 | echo "

System information for host $(hostname -s)

" 28 | echo "" 29 | echo "

OS details

" 30 | echo "
$(cat /etc/fedora-release)
" 31 | echo "
$(uname -a)
" 32 | echo "

CPU details

" 33 | echo "
$(cat /proc/cpuinfo)
" 34 | echo "

Network detail

" 35 | echo "
$(cat /proc/net/dev)
" 36 | echo "

Memory detail

" 37 | echo "
$(free -m)
" 38 | echo "

Disk details

" 39 | echo "
$(df -h)
" 40 | echo "

Logged in user

" 41 | echo "
$(w)
" 42 | echo "" 43 | echo "
© Fedora Security Lab 2013-2015 - Page generated on $(date).
" 44 | echo "" 45 | -------------------------------------------------------------------------------- /files/cgi/time-pl.j2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # 3 | # time.pl - A simple CGI in Perl which displays the date and the time. 4 | # 5 | # Copyright (c) 2013-2015 Fabian Affolter 6 | # 7 | # All rights reserved. 8 | # 9 | # This program is free software; you can redistribute it and/or modify 10 | # it under the terms of the GNU General Public License as published by 11 | # the Free Software Foundation; either version 2 of the License, or 12 | # (at your option) any later version. 13 | # 14 | # This program is distributed in the hope that it will be useful, 15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | # GNU General Public License for more details. 18 | # 19 | # You should have received a copy of the GNU General Public License 20 | # along with this program; if not, write to the Free Software 21 | # Foundation, Inc., 22 | # 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 23 | # 24 | 25 | use strict; 26 | use warnings; 27 | use Time::Piece; 28 | use CGI; 29 | 30 | my $date = Time::Piece->new->mdy("/"); 31 | my $time = Time::Piece->new->hms; 32 | my $q = new CGI; 33 | 34 | print $q->header; 35 | 36 | print $q->start_html( 37 | -title => 'Information delivered by Perl (CGI)'); 38 | 39 | print $q->h1('Date and Time'); 40 | 41 | print $q->p('Date: ' . $date); 42 | print $q->p('Time: ' . $time); 43 | 44 | print $q->center($q->small(' Fedora Security Lab 2013-2015 - Page generated on ' . 
$date)); 45 | 46 | print $q->end_html; 47 | exit 0; 48 | -------------------------------------------------------------------------------- /files/cgi/time-py.j2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # time.py - A simple CGI in Python which displays the system time and date. 4 | # 5 | # Copyright (c) 2013-2015 Fabian Affolter 6 | # 7 | # All rights reserved. 8 | # 9 | # This program is free software; you can redistribute it and/or modify 10 | # it under the terms of the GNU General Public License as published by 11 | # the Free Software Foundation; either version 2 of the License, or 12 | # (at your option) any later version. 13 | # 14 | # This program is distributed in the hope that it will be useful, 15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | # GNU General Public License for more details. 18 | # 19 | # You should have received a copy of the GNU General Public License 20 | # along with this program; if not, write to the Free Software 21 | # Foundation, Inc., 22 | # 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 23 | # 24 | import datetime 25 | import os 26 | 27 | date = datetime.datetime.now() 28 | 29 | print 'Content-type:text/html\n\n' 30 | print '\n\nInformation delivered by CGI (Python)\n\n\n' 31 | print '

Date and Time

\n' 32 | print '

%s

' % (date) 33 | print '
© Fedora Security Lab 2013-2015 - Page generated on %s.
' % (date) 34 | print '' 35 | -------------------------------------------------------------------------------- /files/cgi/time/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc time.c -o time.cgi 3 | 4 | clean: 5 | rm -rf *.o 6 | rm time.cgi 7 | -------------------------------------------------------------------------------- /files/cgi/time/time.c: -------------------------------------------------------------------------------- 1 | /* 2 | * time.c - A simple CGI which displays the system time. 3 | * 4 | * Copyright (c) 2013-2015 Fabian Affolter 5 | * 6 | * All rights reserved. 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License as published by 10 | * the Free Software Foundation; either version 2 of the License, or 11 | * (at your option) any later version. 12 | * 13 | * This program is distributed in the hope that it will be useful, 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | * GNU General Public License for more details. 17 | * 18 | * You should have received a copy of the GNU General Public License 19 | * along with this program; if not, write to the Free Software 20 | * Foundation, Inc., 21 | * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 22 | */ 23 | 24 | #include 25 | #include 26 | #include 27 | 28 | void print_header(void) { 29 | printf("Content-Type: text/html\n\n"); 30 | } 31 | 32 | void print_html_header(char *title) { 33 | printf("\n\n"); 34 | printf("%s\n", title); 35 | printf("\n\n"); 36 | } 37 | 38 | void print_html_heading(char *heading) { 39 | printf("

%s

\n", heading); 40 | } 41 | 42 | void print_content(void) { 43 | time_t curtime; 44 | time(&curtime); 45 | printf("%s", ctime(&curtime)); 46 | } 47 | 48 | void print_html_footer(void) { 49 | char date[3] = "now"; 50 | printf("
© Fedora Security Lab 2013-2015 - Page generated %s
", date); 51 | } 52 | 53 | void print_html_end(void) { 54 | printf("\n\n\n"); 55 | } 56 | 57 | 58 | int main(void) { 59 | print_header(); 60 | print_html_header("Information delivered by CGI (C)"); 61 | print_html_heading("Date and Time"); 62 | print_content(); 63 | print_html_footer(); 64 | print_html_end(); 65 | return EXIT_SUCCESS; 66 | } 67 | -------------------------------------------------------------------------------- /files/cgi/time/time.cgi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/files/cgi/time/time.cgi -------------------------------------------------------------------------------- /files/darkhttpd-config.j2: -------------------------------------------------------------------------------- 1 | DARKHTTPD_ROOT="/var/www/darkhttpd" 2 | DARKHTTPD_FLAGS="--port 8887" 3 | -------------------------------------------------------------------------------- /files/default.j2: -------------------------------------------------------------------------------- 1 | This is a dummy file. The only purpose of this file is to be a placeholder in 2 | the directory where it's lurking around. 3 | 4 | Fedora Security Lab - https://fedorahosted.org/security-spin 5 | -------------------------------------------------------------------------------- /files/droopy-config.j2: -------------------------------------------------------------------------------- 1 | --message=Hi, it's me, your Fedora Security Lab Test bench. You can send me a file. 
2 | --directory=/var/www/droopy/uploads 3 | --dl 4 | -------------------------------------------------------------------------------- /files/droopy-service.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=A mini Web server 3 | After=network.target 4 | 5 | [Service] 6 | Type=simple 7 | User=root 8 | ExecStart=/usr/bin/python /var/www/droopy/droopy 9 | 10 | [Install] 11 | WantedBy=multi-user.target 12 | -------------------------------------------------------------------------------- /files/dropbear-config.j2: -------------------------------------------------------------------------------- 1 | OPTIONS="-p 222" 2 | -------------------------------------------------------------------------------- /files/dvwa.j2: -------------------------------------------------------------------------------- 1 | 24 | -------------------------------------------------------------------------------- /files/flask-service.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=A simple flask Web server 3 | After=network.target 4 | 5 | [Service] 6 | Type=simple 7 | User=root 8 | ExecStart=/usr/bin/python /var/www/flask/flask-webserver.py 9 | 10 | [Install] 11 | WantedBy=multi-user.target 12 | -------------------------------------------------------------------------------- /files/flask-webserver.py: -------------------------------------------------------------------------------- 1 | """Simple Flask application.""" 2 | import time 3 | 4 | from flask import Flask 5 | 6 | app = Flask(__name__) 7 | 8 | 9 | @app.route('/') 10 | def hello_world(): 11 | """Default route for the server.""" 12 | return f"Hello World! 
Time: {time.ctime()}" 13 | 14 | 15 | @app.route("/uptime") 16 | def uptime(): 17 | """Route for the server's uptime.""" 18 | return f"Test bench up for {time.ctime()} hours" 19 | 20 | 21 | if __name__ == '__main__': 22 | app.run(host='0.0.0.0', debug=False) 23 | -------------------------------------------------------------------------------- /files/fsl-virt-install.j2: -------------------------------------------------------------------------------- 1 | # This playbook install a virtual machine for libvirt. 2 | # 3 | # Copyright (c) 2013-2014 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | virt-install \ 8 | --name {{ virtname }} \ 9 | --os-variant fedora20 \ 10 | --ram {{ ram }} \ 11 | --disk /var/lib/libvirt/images/{{ img_name }}.img,size={{ size }} \ 12 | --location {{ mirror }} \ 13 | --initrd-inject /tmp/fsl-testbench.ks \ 14 | --extra-args "ks=file:fsl-testbench.ks" \ 15 | --noautoconsole \ 16 | --vnc \ 17 | --network={{ network }} \ 18 | --mac={{ mac }} 19 | -------------------------------------------------------------------------------- /files/honeyd.j2: -------------------------------------------------------------------------------- 1 | # This file contains several honeypots. 
2 | # 3 | # Default 4 | create default 5 | set default default tcp action block 6 | set default default udp action block 7 | set default default icmp action block 8 | 9 | # Micrsoft Windows XP 10 | create windowsxp 11 | set windowsxp personality "Microsoft Windows XP Professional SP1" 12 | set windowsxp default tcp action reset 13 | add windowsxp tcp port 135 open 14 | add windowsxp tcp port 139 open 15 | add windowsxp tcp port 445 open 16 | 17 | set windowsxp ethernet "00:00:00:00:00:01" 18 | dhcp windowsxp on eth0 19 | 20 | # Micrsoft Windows 2003 Server 21 | create windows2003 22 | set windows2003 personality "Microsoft Windows Server 2003" 23 | set windows2003 default tcp action reset 24 | add windows2003 tcp port 80 "sh /usr/share/honeyd/scripts/web.sh" 25 | add windows2003 tcp port 135 open 26 | add windows2003 tcp port 139 open 27 | add windows2003 tcp port 445 open 28 | set windows2003 ethernet "00:00:00:00:00:02" 29 | dhcp windows2003 on eth0 30 | 31 | # Microsoft Windows 7 SP1 (available in 1.6b) 32 | #create windows7 33 | #set windows7 personality "Microsoft Windows 7 SP1" 34 | #set windows7 default tcp action reset 35 | #set windows7 default udp action reset 36 | #add windows7 tcp port 135 open 37 | #add windows7 tcp port 139 open 38 | #add windows7 tcp port 445 open 39 | #set windows7 ethernet "00:00:00:00:00:03" 40 | #dhcp windows7 on eth0 41 | 42 | # Debian 43 | create debian 44 | set debian personality "Linux 2.4.20" 45 | set debian default tcp action reset 46 | set debian default udp action reset 47 | add debian tcp port 21 "sh /usr/share/honeyd/scripts/ftp.sh" 48 | add debian tcp port 22 "sh /usr/share/honeyd/scripts/ssh.sh" 49 | add debian tcp port 23 "sh /usr/share/honeyd/scripts/telnetd.sh" 50 | add debian tcp port 25 "sh /usr/share/honeyd/scripts/smtp.sh" 51 | add debian tcp port 110 "sh /usr/share/honeyd/scripts/qpop.sh" 52 | add debian tcp port 143 "sh /usr/share/honeyd/scripts/cyrus-imapd.sh" 53 | set debian ethernet "00:00:00:00:00:04" 54 
| dhcp debian on eth0 55 | -------------------------------------------------------------------------------- /files/hosts.j2: -------------------------------------------------------------------------------- 1 | 127.0.0.1 {{ server_hostname }} {{ server_hostname }}.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain4 2 | ::1 {{ server_hostname }} {{ server_hostname }}.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6 3 | -------------------------------------------------------------------------------- /files/kickstart/fedora-mini.j2: -------------------------------------------------------------------------------- 1 | # Minimal Kickstart file for the FSL test bench. 2 | # Installation, not an upgrade 3 | install 4 | 5 | # No graphical things needed 6 | skipx 7 | text 8 | 9 | # Language 10 | lang {{ language }} 11 | 12 | # Keyboard setup 13 | keyboard {{ keyboard }} 14 | 15 | # Networking 16 | network --onboot yes --device eth0 --bootproto dhcp --ipv6 auto --hostname test-bench 17 | 18 | # Authentication 19 | auth --enableshadow --passalgo=sha512 20 | rootpw {{ server_root_password }} 21 | 22 | # Services, SELinux and firewall 23 | firewall --enabled --ssh 24 | services --enabled network,sshd 25 | selinux --enforcing 26 | #firstboot --disable 27 | logging --level=info 28 | 29 | # Time zone 30 | timezone {{ timezone }} 31 | 32 | # Disk setup 33 | zerombr 34 | bootloader --location=mbr --append="rd_NO_PLYMOUTH" 35 | ignoredisk --only-use=vda 36 | clearpart --none --initlabel --drives=vda 37 | autopart 38 | 39 | poweroff 40 | 41 | %packages 42 | @core 43 | chrony 44 | bash-completion 45 | tar 46 | unzip 47 | python 48 | dnf 49 | %end 50 | -------------------------------------------------------------------------------- /files/libvirt-network.j2: -------------------------------------------------------------------------------- 1 | 2 | testbench 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | {% if containers %} 11 | {% for con_name, 
con_mac, con_ip in containers %} 12 | 13 | {% endfor %} 14 | {% endif %} 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /files/lighttpd-cgi.j2: -------------------------------------------------------------------------------- 1 | ####################################################################### 2 | ## 3 | ## CGI modules 4 | ## --------------- 5 | ## 6 | ## http://www.lighttpd.net/documentation/cgi.html 7 | ## 8 | server.modules += ( "mod_cgi" ) 9 | 10 | ## 11 | ## Plain old CGI handling 12 | ## 13 | ## For PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini. 14 | ## 15 | cgi.assign = ( ".pl" => "", 16 | ".cgi" => "", 17 | ".sh" => "", 18 | ".rb" => "", 19 | ".erb" => "", 20 | ".py" => "" ) 21 | 22 | ## 23 | ## to get the old cgi-bin behavior of apache 24 | ## 25 | ## Note: make sure that mod_alias is loaded if you uncomment the 26 | ## next line. (see modules.conf) 27 | ## 28 | #alias.url += ( "/cgi-bin" => server_root + "/cgi-bin" ) 29 | #$HTTP["url"] =~ "^/cgi-bin" { 30 | # cgi.assign = ( "" => "" ) 31 | #} 32 | 33 | ## 34 | ####################################################################### 35 | -------------------------------------------------------------------------------- /files/lighttpd-fastcgi.j2: -------------------------------------------------------------------------------- 1 | ####################################################################### 2 | ## 3 | ## FastCGI Module 4 | ## --------------- 5 | ## 6 | ## http://www.lighttpd.net/documentation/fastcgi.html 7 | ## 8 | server.modules += ( "mod_fastcgi" ) 9 | 10 | 11 | fastcgi.server = ( ".php" => 12 | ( "localhost" => 13 | ( 14 | "socket" => "/var/run/lighttpd/php-fastcgi.socket", 15 | "bin-path" => "/usr/bin/php-cgi" 16 | ) 17 | ) 18 | ) 19 | 20 | ## This file is managed by Ansible. 
21 | -------------------------------------------------------------------------------- /files/lxc-network.j2: -------------------------------------------------------------------------------- 1 | 2 | network1 3 | c98fbbfe-cded-405e-879d-db591fd070a2 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | {% if containers %} 12 | {% for con_name, con_mac, con_ip in containers %} 13 | 14 | {% endfor %} 15 | {% endif %} 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /files/mongoose-service.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=The mongoose Web server 3 | After=network.target 4 | 5 | [Service] 6 | Type=simple 7 | User=nobody 8 | Group=nobody 9 | Restart=always 10 | ExecStart=/usr/bin/mongoose -p 8889 -r /var/www/mongoose 11 | StandardOutput=syslog 12 | SyslogIdentifier=mongoose 13 | 14 | [Install] 15 | WantedBy=multi-user.target 16 | -------------------------------------------------------------------------------- /files/motd.j2: -------------------------------------------------------------------------------- 1 | 2 | Fedora Security Lab 3 | _____ _ ____ _ 4 | |_ _|__ ___| |_ | __ ) ___ _ __ ___| |__ 5 | | |/ _ \/ __| __| | _ \ / _ \ '_ \ / __| '_ \ 6 | | | __/\__ \ |_ | |_) | __/ | | | (__| | | | 7 | |_|\___||___/\__| |____/ \___|_| |_|\___|_| |_| 8 | 9 | https://fedorahosted.org/security-spin/ 10 | 11 | *** DO NOT expose this system to the public ! 
*** 12 | 13 | OS : {{ ansible_distribution }} {{ ansible_distribution_version }} ({{ ansible_distribution_release }}) 14 | Hostname : {{ ansible_hostname }} 15 | System type : {{ ansible_system }} 16 | 17 | 18 | -------------------------------------------------------------------------------- /files/mqtt_pub-service.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=A simple script that send MQTT messages 3 | After=network.target 4 | 5 | [Service] 6 | Type=simple 7 | User=root 8 | ExecStart=/usr/bin/python /usr/bin/mqtt_pub.py 9 | 10 | [Install] 11 | WantedBy=multi-user.target 12 | -------------------------------------------------------------------------------- /files/mqtt_pub.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # mqtt_pub.py - A simple script to send MQTT message. 4 | # 5 | # Copyright (c) 2013-2016 Fabian Affolter 6 | # 7 | # All rights reserved. 8 | # 9 | # This program is free software; you can redistribute it and/or modify 10 | # it under the terms of the GNU General Public License as published by 11 | # the Free Software Foundation; either version 2 of the License, or 12 | # (at your option) any later version. 13 | # 14 | # This program is distributed in the hope that it will be useful, 15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | # GNU General Public License for more details. 18 | # 19 | # You should have received a copy of the GNU General Public License 20 | # along with this program; if not, write to the Free Software 21 | # Foundation, Inc., 22 | # 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 23 | # 24 | import datetime 25 | import time 26 | import random 27 | import mosquitto 28 | 29 | # Defaults value 30 | message = "MQTT message from FSL Test Bench. 
Sent at " 31 | topic = "fsl/testbench" 32 | 33 | # Create a client for mosquitto 34 | client = mosquitto.Mosquitto("python-client") 35 | client.connect("127.0.0.1") 36 | 37 | def sendMessage(topic, message): 38 | client.publish(topic, message, 1) 39 | 40 | def main(): 41 | while client.loop() == 0: 42 | # Wait for a random number of seconds 43 | r_int = random.randint(1, 30) 44 | time.sleep(r_int) 45 | # Get a timestamp 46 | timestamp = datetime.datetime.now() 47 | # Publish a message 48 | sendMessage(topic, (message + "%s" % timestamp)) 49 | 50 | if __name__ == "__main__": 51 | main() 52 | -------------------------------------------------------------------------------- /files/my-cnf.j2: -------------------------------------------------------------------------------- 1 | # Default my.cnf file for MySQL. Distributed by Ansible. 2 | [client] 3 | user=root 4 | password={{ mysql_root_password }} 5 | -------------------------------------------------------------------------------- /files/nodejs-http-service.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=A simple node.js Web server 3 | After=network.target 4 | 5 | [Service] 6 | Type=simple 7 | User=nobody 8 | Group=nobody 9 | Restart=always 10 | ExecStart=/usr/bin/http-server /var/www/nodejs -p 8888 -s 11 | StandardOutput=syslog 12 | SyslogIdentifier=nodejs-http 13 | 14 | [Install] 15 | WantedBy=multi-user.target 16 | -------------------------------------------------------------------------------- /files/ntp-conf.j2: -------------------------------------------------------------------------------- 1 | # For more information about this file, see the man pages 2 | # ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5). 3 | 4 | driftfile /var/lib/ntp/drift 5 | 6 | # Permit time synchronization with our time source, but do not 7 | # permit the source to query or modify the service on this system. 
8 | restrict default kod nomodify notrap nopeer noquery 9 | restrict -6 default kod nomodify notrap nopeer noquery 10 | 11 | # Permit all access over the loopback interface. This could 12 | # be tightened as well, but to do so would effect some of 13 | # the administrative functions. 14 | restrict 127.0.0.1 15 | restrict -6 ::1 16 | 17 | # Hosts on local network are less restricted. 18 | #restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap 19 | restrict {{ ansible_default_ipv4.address }} mask 255.255.255.0 nomodify notrap 20 | 21 | # Use public servers from the pool.ntp.org project. 22 | # Please consider joining the pool (http://www.pool.ntp.org/join.html). 23 | #server 0.fedora.pool.ntp.org iburst 24 | #server 1.fedora.pool.ntp.org iburst 25 | #server 2.fedora.pool.ntp.org iburst 26 | #server 3.fedora.pool.ntp.org iburst 27 | 28 | #broadcast 192.168.1.255 autokey # broadcast server 29 | #broadcastclient # broadcast client 30 | #broadcast 224.0.1.1 autokey # multicast server 31 | #multicastclient 224.0.1.1 # multicast client 32 | #manycastserver 239.255.254.254 # manycast server 33 | #manycastclient 239.255.254.254 autokey # manycast client 34 | 35 | # Enable public key cryptography. 36 | #crypto 37 | 38 | includefile /etc/ntp/crypto/pw 39 | 40 | # Key file containing the keys and key identifiers used when operating 41 | # with symmetric key cryptography. 42 | keys /etc/ntp/keys 43 | 44 | # Specify the key identifiers which are trusted. 45 | #trustedkey 4 8 42 46 | 47 | # Specify the key identifier to use with the ntpdc utility. 48 | #requestkey 8 49 | 50 | # Specify the key identifier to use with the ntpq utility. 51 | #controlkey 8 52 | 53 | # Enable writing of statistics records. 
54 | #statistics clockstats cryptostats loopstats peerstats 55 | 56 | -------------------------------------------------------------------------------- /files/openvpn/client-static.j2: -------------------------------------------------------------------------------- 1 | remote {{ ansible_all_ipv4_addresses[0] }} 2 | dev tun 3 | ifconfig 10.8.0.2 10.8.0.1 4 | comp-lzo 5 | secret /root/static.key 6 | -------------------------------------------------------------------------------- /files/openvpn/server-static.j2: -------------------------------------------------------------------------------- 1 | dev tun 2 | ifconfig 10.8.0.1 10.8.0.2 3 | secret /etc/openvpn/static.key 4 | port 1194 5 | proto udp 6 | user nobody 7 | group nobody 8 | daemon 9 | comp-lzo 10 | keepalive 10 60 11 | ping-timer-rem 12 | persist-tun 13 | persist-key 14 | log-append /var/log/openvpn.log 15 | verb 1 16 | -------------------------------------------------------------------------------- /files/pywebserve-service.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=A simple python Web server 3 | After=network.target 4 | 5 | [Service] 6 | Type=simple 7 | User=root 8 | ExecStart=/usr/bin/python /var/www/pywebserve/pywebserve.py 9 | 10 | [Install] 11 | WantedBy=multi-user.target 12 | -------------------------------------------------------------------------------- /files/pywebserve.py: -------------------------------------------------------------------------------- 1 | # pywebserve - A very simple pytho-based webserver. 2 | # 3 | # Copyright (c) 2013 Fabian Affolter 4 | # 5 | # All rights reserved. 6 | # 7 | # This program is free software; you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License as published by 9 | # the Free Software Foundation; either version 2 of the License, or 10 | # (at your option) any later version. 
11 | # 12 | # This program is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program; if not, write to the Free Software 19 | # Foundation, Inc., 20 | # 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 21 | # 22 | import os 23 | import BaseHTTPServer 24 | import SimpleHTTPServer 25 | 26 | def main(): 27 | datastore = os.chdir('/var/www/') 28 | port = 8880 29 | server_class = BaseHTTPServer.HTTPServer 30 | handler_class = SimpleHTTPServer.SimpleHTTPRequestHandler 31 | server_address = ('', port) 32 | server = server_class(server_address, handler_class) 33 | server.serve_forever() 34 | 35 | if __name__ == "__main__": 36 | main() 37 | -------------------------------------------------------------------------------- /files/sqli.j2: -------------------------------------------------------------------------------- 1 | 10 | -------------------------------------------------------------------------------- /files/tomcat-users.j2: -------------------------------------------------------------------------------- 1 | 2 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /files/web-interface/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fabaff/fsl-test-bench/4df7a495feb501a5ef3eaa8cd4379fb53203961c/files/web-interface/banner.png -------------------------------------------------------------------------------- /files/web-interface/cgi-bin.j2: -------------------------------------------------------------------------------- 1 | 2 | 10 | 11 | 12 | 13 | Fedora Security Lab Test bench | cgi-bin 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 |
22 |
23 |
24 | 25 | 26 | 27 | 35 | 36 | 37 |

CGI (Common Gateway Interface) is a standard method for web servers 38 | to delegate the generation of web pages (including their content) 39 | to executable files.

40 |
    41 | 42 | 43 |
44 |
45 |
46 |
47 |

© Fedora Security Lab 48 | 2013-2020 - Lighttpd is running on {{ ansible_distribution }} {{ ansible_distribution_version }}.

49 |
50 | 51 | 52 | 53 | 54 | 55 | -------------------------------------------------------------------------------- /files/web-interface/default.j2: -------------------------------------------------------------------------------- 1 | 2 | 9 | 10 | 11 | 12 | FSL Test bench | Webserver is up and running... 13 | 14 | 15 | 16 | 17 | 18 |
19 |

The webserver is running on {{ ansible_distribution }} {{ ansible_distribution_version }}.


20 |

This server is not hosting any content. It's just here to give you a target for reconnaissance tasks.

21 |
© Fedora Security Lab Test Bench 2013-2020
22 |
23 | 24 | 25 | -------------------------------------------------------------------------------- /files/web-interface/log-openvpn.j2: -------------------------------------------------------------------------------- 1 | 2 | 9 | 10 | 11 | 12 | FSL Test bench | OpenVPN log 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |
21 |
22 |
23 | 24 | 25 | 26 | 37 | 38 | 39 |
40 | 41 | 42 | 43 |
44 |
45 |
46 |

© Fedora Security Lab 47 | 2013-2020 - Lighttpd is running on {{ ansible_distribution }} {{ ansible_distribution_version }}.

48 |
49 | 50 | 51 | 52 | 53 | 54 | -------------------------------------------------------------------------------- /files/web-interface/log-system.j2: -------------------------------------------------------------------------------- 1 | 2 | 9 | 10 | 11 | 12 | FSL Test bench | System log 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |
21 |
22 |
23 | 24 | 25 | 26 | 34 | 35 | 36 |
37 | 38 | 39 | 40 |
41 |
42 |
43 |

© Fedora Security Lab 44 | 2013-2020 - Lighttpd is running on {{ ansible_distribution }} {{ ansible_distribution_version }}.

45 |
46 | 47 | 48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /files/web-interface/phpinfo.j2: -------------------------------------------------------------------------------- 1 | 2 | 9 | 10 | 11 | 12 | FSL Test bench | PHP info 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |
21 |
22 |
23 | 24 | 25 | 26 | 34 | 35 | 36 |
37 | 40 |
41 |
42 |
43 |

© Fedora Security Lab 44 | 2013-2020 - Lighttpd is running on {{ ansible_distribution }} {{ 45 | ansible_distribution_version }}.

46 | } 47 |
48 | 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /files/web-interface/template.j2: -------------------------------------------------------------------------------- 1 | 2 | 9 | 10 | 11 | 12 | FSL Test bench | Home 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |
21 |
22 |
23 | 24 | 25 | 26 | 37 | 38 | 39 | 40 | 41 |
42 |
43 |
44 |

© Fedora Security Lab 45 | 2013-2020 - Lighttpd is running on {{ ansible_distribution }} {{ ansible_distribution_version }}.

46 |
47 | 48 | 49 | 50 | 51 | 52 | -------------------------------------------------------------------------------- /files/web01.xml.j2: -------------------------------------------------------------------------------- 1 | 2 | {{ con_name1 }} 3 | 9c871c02-0c94-a80a-57c7-24e9918aece3 4 | 524288 5 | 524288 6 | 1 7 | 8 | exe 9 | /sbin/init 10 | 11 | 12 | destroy 13 | restart 14 | restart 15 | 16 | /usr/libexec/libvirt_lxc 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /files/web02.xml.j2: -------------------------------------------------------------------------------- 1 | 2 | {{ con_name2 }} 3 | 9c871c02-0c92-a82a-57c7-24e9918aece3 4 | 524288 5 | 524288 6 | 1 7 | 8 | exe 9 | /sbin/init 10 | 11 | 12 | destroy 13 | restart 14 | restart 15 | 16 | /usr/libexec/libvirt_lxc 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /fsl-tb-detect.nse: -------------------------------------------------------------------------------- 1 | local http = require "http" 2 | local shortport = require "shortport" 3 | local string = require "string" 4 | 5 | description = [[ 6 | Checks for the FSL Test Bench web interface. 7 | ]] 8 | 9 | author = "Fabian Affolter" 10 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 11 | categories = {"discovery", "safe"} 12 | 13 | --- 14 | -- @usage 15 | -- nmap --script fsl-tb-detect 16 | -- 17 | --@output 18 | -- Nmap scan report for testbench01.lab-ex.security (10.0.0.64) 19 | -- PORT STATE SERVICE 20 | -- 80/tcp open http 21 | -- |_fsl-tb-detect: Fedora Security Lab Test bench Web interface FOUND. 
22 | 23 | -- Changelog: 24 | -- 2013-05-09 Fabian Affolter : 25 | -- + initial release 26 | -- 2014-02-22 Fabian Affolter : 27 | -- + update @usage 28 | 29 | portrule = shortport.http 30 | 31 | action = function(host, port) 32 | local resp, title 33 | resp = http.get( host, port, '/' ) 34 | title = string.match(resp.body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>([^<]*)") 35 | if string.find(title, "Fedora Security Lab Test bench") then 36 | title = "Fedora Security Lab Test bench Web interface FOUND." 37 | else 38 | title = "Fedora Security Lab Test bench Web interface NOT found." 39 | end 40 | 41 | return title 42 | end 43 | -------------------------------------------------------------------------------- /handlers/services.yml: -------------------------------------------------------------------------------- 1 | # This file contains service handlers for Fedora. 2 | # 3 | # Copyright (c) 2013-2018 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | # Usage: 8 | # handlers: 9 | # - include: handlers/services.yml 10 | # 11 | --- 12 | # Control handlers for sshd 13 | - name: start sshd 14 | service: 15 | name: sshd 16 | state: started 17 | 18 | - name: stop sshd 19 | service: 20 | name: sshd 21 | state: stopped 22 | 23 | - name: restart sshd 24 | service: 25 | name: sshd 26 | state: restarted 27 | 28 | # Control handlers for lighttpd 29 | - name: start lighttpd 30 | service: 31 | name: lighttpd 32 | state: started 33 | 34 | - name: stop lighttpd 35 | service: 36 | name: lighttpd 37 | state: stopped 38 | 39 | - name: restart lighttpd 40 | service: 41 | name: lighttpd 42 | state: restarted 43 | 44 | # Control handlers for httpd 45 | - name: start httpd 46 | service: 47 | name: httpd 48 | state: started 49 | 50 | - name: stop httpd 51 | service: 52 | name: httpd 53 | state: stopped 54 | 55 | - name: restart httpd 56 | service: 57 | name: httpd 58 | state: restarted 59 | 60 | # Control handlers for mysql 61 | - name: start mysql 62 | service: 63 | 
name: mysqld 64 | state: started 65 | 66 | - name: stop mysql 67 | service: 68 | name: mysqld 69 | state: stopped 70 | 71 | - name: restart mysql 72 | service: 73 | name: mysqld 74 | state: restarted 75 | 76 | -------------------------------------------------------------------------------- /handlers/system.yml: -------------------------------------------------------------------------------- 1 | # This file contains system handlers for Fedora. 2 | # 3 | # Copyright (c) 2013-2018 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | # Usage: 8 | # handlers: 9 | # - include: handlers/system.yml 10 | # 11 | --- 12 | - name: reboot the system 13 | command: /usr/sbin/reboot 14 | 15 | - name: shutdown the system 16 | command: /usr/sbin/poweroff 17 | 18 | - name: reload firewalld 19 | command: /usr/bin/firewall-cmd --reload 20 | 21 | - name: reload systemd 22 | command: /usr/bin/systemctl --system daemon-reload 23 | 24 | -------------------------------------------------------------------------------- /local-setup.yml: -------------------------------------------------------------------------------- 1 | # This playbook contains all tasks to set up a FSL test bench as 2 | # a virtual machine. 3 | # 4 | # Copyright (c) 2013-2021 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 
7 | # 8 | # Usage: sudo ansible-playbook fsl-test-bench/local-setup.yml --connection=local 9 | --- 10 | - hosts: 127.0.0.1 11 | connection: local 12 | gather_facts: no 13 | remote_user: root 14 | vars_files: 15 | - variables/application-versions.yml 16 | - variables/sensitive.yml 17 | - variables/local.yml 18 | - variables/containers.yml 19 | 20 | tasks: 21 | # Virtual machine setup 22 | 23 | # Set up the Test bench connection 24 | - include: tasks/auth-key.yml 25 | 26 | # Runtime changes aren't detected 27 | - name: setup ansible host file 28 | lineinfile: 29 | dest: /etc/ansible/hosts 30 | regexp: '^' 31 | insertafter: '127.0.0.1' 32 | line: '127.0.0.1\n\n[fsl-tb]\n{{ ip }}' 33 | 34 | handlers: 35 | - include: handlers/system.yml 36 | - include: handlers/services.yml 37 | -------------------------------------------------------------------------------- /openvpn-server.yml: -------------------------------------------------------------------------------- 1 | # This playbook contains tasks to perform on a fresh Fedora installation to 2 | # create a Fedora Security Lab (FSL) Test bench. 3 | # 4 | # Copyright (c) 2013-2019 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 
7 | # 8 | # Usage: ansible-playbook openvpn-server.yml -f 10 9 | # 10 | --- 11 | - hosts: fsl-tb-vpn 12 | user: root 13 | vars_files: 14 | - variables/application-versions.yml 15 | - variables/sensitive.yml 16 | 17 | tasks: 18 | - include: tasks/preparation.yml 19 | - include: tasks/motd.yml 20 | - include: tasks/lighttpd.yml 21 | 22 | # Common tasks 23 | - include: tasks/preparation.yml 24 | 25 | # OpenVPN server with PKI 26 | # - include: tasks/openvpn.yml 27 | 28 | # OpenVPN server with a static key 29 | - include: task/web-interface-vpn-static.yml 30 | - include: tasks/openvpn-static.yml 31 | - include: tasks/helpers/log-openvpn.yml 32 | 33 | # Common tasks 34 | - include: tasks/cleanup.yml 35 | 36 | handlers: 37 | - include: handlers/system.yml 38 | - include: handlers/services.yml 39 | -------------------------------------------------------------------------------- /tasks/apps/bricks.yml: -------------------------------------------------------------------------------- 1 | # This playbook installs Bricks (http://sechow.com/brick). 2 | # 3 | # Copyright (c) 2013-2014 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
6 | # 7 | --- 8 | - name: download the latest bricks archive 9 | get_url: url=http://sourceforge.net/projects/owaspbricks/files/Tuivai%20-%202.2/OWASP%20Bricks%20-%20Tuivai.zip 10 | dest=/var/www/lighttpd/bricks.zip 11 | mode=0440 12 | 13 | - name: unpack the source archive 14 | unarchive: src=/var/www/lighttpd/bricks.zip 15 | dest=/var/www/lighttpd/ 16 | copy=no 17 | mode=0775 18 | owner=lighttpd 19 | group=lighttpd 20 | 21 | - name: delete the bricks archive 22 | file: path=/var/www/lighttpd/bricks.zip 23 | state=absent 24 | 25 | - name: install a default configuration file 26 | template: src=files/bricks.j2 27 | dest=/var/www/lighttpd/bricks/LocalSettings.php 28 | owner=root 29 | group=root 30 | mode=0755 31 | 32 | - name: create database for bricks 33 | mysql_db: name=bricks 34 | state=present 35 | 36 | - name: add a new entry to the index.html page 37 | lineinfile: dest=/var/www/lighttpd/index.html 38 | regexp='^' 39 | insertafter=' ' 40 | line=' Bricks
' 41 | -------------------------------------------------------------------------------- /tasks/apps/bwapp.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the bWAPP, or a buggy web application, 2 | # (http://sourceforge.net/projects/bwapp/). 3 | # 4 | # Copyright (c) 2013-2014 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: download the bwapp archive 10 | get_url: url=http://downloads.sourceforge.net/project/bwapp/bWAPP/bWAPPv{{ bwapp_version }}/bWAPPv{{ bwapp_version }}.zip 11 | dest=/var/www/lighttpd/bwapp-{{ bwapp_version }}.zip 12 | mode=0440 13 | 14 | - name: unpack the source archive 15 | unarchive: src=/var/www/lighttpd/bwapp-{{ bwapp_version }}.zip 16 | dest=/var/www/lighttpd/ 17 | copy=no 18 | mode=0775 19 | owner=lighttpd 20 | group=lighttpd 21 | 22 | - name: delete the bwapp archive 23 | file: path=/var/www/lighttpd/bwapp-{{ bwapp_version }}.zip 24 | state=absent 25 | 26 | - name: delete files andstuff that comes with bwapp 27 | file: path=/var/www/lighttpd/{{ item }} 28 | state=absent 29 | with_items: 30 | - bWAPP_intro.pdf 31 | - ClientAccessPolicy.xml 32 | - crossdomain.xml 33 | - INSTALL.txt 34 | - README.txt 35 | - release_notes.txt 36 | - evil 37 | 38 | - name: rename the bwapp folder 39 | command: /usr/bin/mv /var/www/lighttpd/bWAPP /var/www/lighttpd/bwapp 40 | 41 | - name: set permissions 42 | file: path=/var/www/lighttpd/bwapp/{{ item }} 43 | mode=0777 44 | with_items: 45 | - passwords 46 | - images 47 | - documents 48 | - logs 49 | 50 | - name: set the default db password 51 | command: /usr/bin/sed -i 's|$db_password = "";|$db_password = "{{ mysql_root_password }}"|g' /var/www/lighttpd/bwapp/admin/settings.php 52 | 53 | - name: add a new entry to the index.html page 54 | lineinfile: dest=/var/www/lighttpd/index.html 55 | regexp='^' 56 | insertafter=' ' 57 | line=' bWAPP
' 58 | -------------------------------------------------------------------------------- /tasks/apps/dvwa.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the Damn Vulnerable Web Application (DVWA) 2 | # (http://www.dvwa.co.uk/). 3 | # 4 | # Copyright (c) 2013-2014 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: download the archive 10 | get_url: url=https://github.com/RandomStorm/DVWA/archive/v{{ dvwa_version }}.zip 11 | dest=/var/www/lighttpd/dvwa-{{ dvwa_version }}.zip 12 | mode=0440 13 | 14 | - name: unpack the source archive 15 | unarchive: src=/var/www/lighttpd/dvwa-{{ dvwa_version }}.zip 16 | dest=/var/www/lighttpd/ 17 | copy=no 18 | mode=0775 19 | owner=lighttpd 20 | group=lighttpd 21 | 22 | - name: rename the folder 23 | command: /usr/bin/mv /var/www/lighttpd/DVWA-{{ dvwa_version }} /var/www/lighttpd/dvwa 24 | 25 | - name: delete the archive 26 | file: path=/var/www/lighttpd/dvwa-{{ dvwa_version }}.zip 27 | state=absent 28 | 29 | - name: install a default configuration file 30 | template: src=files/dvwa.j2 31 | dest=/var/www/lighttpd/dvwa/config/config.inc.php 32 | owner=root 33 | group=root 34 | mode=0755 35 | backup=yes 36 | 37 | - name: add a new entry to the index.html page 38 | lineinfile: dest=/var/www/lighttpd/index.html 39 | regexp='^' 40 | insertafter=' ' 41 | line=' DVWA
' 42 | -------------------------------------------------------------------------------- /tasks/apps/hackademic.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the OWASP Hackademic Challenges Project 2 | # (https://code.google.com/p/owasp-hackademic-challenges/). 3 | # 4 | # Copyright (c) 2013-2014 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: download the hackademic archive 10 | get_url: url=https://owasp-hackademic-challenges.googlecode.com/files/OWASP_Hackademic_Challenges_en_v{{ hackadamemic_version }}.zip 11 | dest=/var/www/lighttpd/hackademic-{{ hackadamemic_version }}.zip 12 | mode=0440 13 | 14 | - name: unpack the source archive 15 | unarchive: src=/var/www/lighttpd/hackademic-{{ hackadamemic_version }}.zip 16 | dest=/var/www/lighttpd/ 17 | copy=no 18 | mode=0775 19 | owner=lighttpd 20 | group=lighttpd 21 | 22 | - name: delete the hackademic archive 23 | file: path=/var/www/lighttpd/hackademic-{{ hackadamemic_version }}.zip 24 | state=absent 25 | 26 | - name: rename the hackademic directory 27 | command: /usr/bin/mv /var/www/lighttpd/Hackademic_Challenges[EN]/Hackademic_Challenges /var/www/lighttpd/hackademic 28 | 29 | - name: delete the unpacked archive elements 30 | file: path=/var/www/lighttpd/Hackademic_Challenges[EN] 31 | state=absent 32 | 33 | - name: set permissons 34 | file: path=/var/www/lighttpd/hackademic 35 | state=directory 36 | mode=0755 37 | 38 | - name: add a new entry to the index.html page 39 | lineinfile: dest=/var/www/lighttpd/index.html 40 | regexp='^' 41 | insertafter=' ' 42 | line=' Hackademic
' 43 | -------------------------------------------------------------------------------- /tasks/apps/mcir.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the Magical Code Injection Rainbow (MCIR) framework 2 | # (https://github.com/SpiderLabs/MCIR). 3 | # 4 | # Copyright (c) 2013-2016 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: install additional package 10 | dnf: pkg={{ item }} 11 | state=present 12 | with_items: 13 | - php-mcrypt 14 | - libmcrypt 15 | 16 | - name: checkout the source 17 | git: repo=https://github.com/SpiderLabs/MCIR.git 18 | dest=/var/www/lighttpd/mcir 19 | force=yes 20 | 21 | - name: set the default mysql password 22 | command: /usr/bin/sed -i "s|$password = ''|$password = '{{ mysql_root_password }}'|g" /var/www/lighttpd/mcir/sqlol/includes/database.config.php 23 | 24 | - name: set the default mysql password 25 | command: /usr/bin/sed -i 's|$db_user = ""|$db_user = "root"|g' /var/www/lighttpd/mcir/cryptomg/includes/db.inc.php 26 | 27 | - name: set the default mysql password 28 | command: /usr/bin/sed -i 's|$db_pass = ""|$db_pass = "{{ mysql_root_password }}"|g' /var/www/lighttpd/mcir/cryptomg/includes/db.inc.php 29 | 30 | - name: add a new entry to the index.html page 31 | lineinfile: dest=/var/www/lighttpd/index.html 32 | regexp='^' 33 | insertafter=' ' 34 | line=' MCIR
' 35 | -------------------------------------------------------------------------------- /tasks/apps/sqli.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the SQLI Labs (https://github.com/Audi-1/sqli-labs). 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: checkout from sqli git repo 9 | git: repo=git://github.com/Audi-1/sqli-labs.git 10 | dest=/var/www/lighttpd/sqli-labs 11 | force=yes 12 | 13 | - name: install a default configuration file 14 | template: src=files/sqli.j2 15 | dest=/var/www/lighttpd/sqli-labs/sql-connections/db-creds.inc 16 | owner=root 17 | group=root 18 | mode=0755 19 | backup=yes 20 | 21 | - name: add a new entry to the index.html page 22 | lineinfile: dest=/var/www/lighttpd/index.html 23 | regexp='^' 24 | insertafter=' ' 25 | line=' SQLI Labs
' 26 | -------------------------------------------------------------------------------- /tasks/apps/wacko.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the WackoPicko Vulnerable Website 2 | # (https://github.com/adamdoupe/WackoPicko). 3 | # 4 | # Copyright (c) 2013-2016 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: checkout from the git repo 10 | git: repo=git://github.com/adamdoupe/WackoPicko.git 11 | dest=/tmp/wacko 12 | force=yes 13 | 14 | - name: rename the source directory 15 | command: /bin/mv /tmp/wacko/website/* /var/www/lighttpd/ 16 | 17 | - name: set the right permission 18 | file: path=/var/www/lighttpd/ 19 | mode=0777 20 | state=directory 21 | 22 | - name: import the tables of the database 23 | shell: /usr/bin/mysql -u root --password=$mysql_root_password < /tmp/wacko/current.sql 24 | 25 | - name: remove unneded files 26 | file: path=/tmp/wacko/$item 27 | state=absent 28 | with_items: 29 | - LICENSE 30 | - README.markdown 31 | - current.sql 32 | 33 | - name: restart lighttpd 34 | service: name=lighttpd state=restarted 35 | -------------------------------------------------------------------------------- /tasks/apps/xssed.yml: -------------------------------------------------------------------------------- 1 | # This playbook install XSSeducation (https://github.com/aj00200/xssed). 2 | # 3 | # Copyright (c) 2013-2020 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: checkout from the git repo 9 | git: 10 | repo: git://github.com/aj00200/xssed.git 11 | dest: /var/www/lighttpd/xssed 12 | 13 | - name: add a new entry to the index.html page 14 | lineinfile: 15 | dest: /var/www/lighttpd/index.html 16 | regexp: '^' 17 | insertafter: ' ' 18 | line: =' xssed
' 19 | -------------------------------------------------------------------------------- /tasks/auth-key.yml: -------------------------------------------------------------------------------- 1 | # This playbook copies the ssh key to the managed node. 2 | # 3 | # Copyright (c) 2013-2019 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: copy the ssh key to the test bench 9 | command: /usr/bin/ssh-copy-id -i /root/.ssh/id_rsa.pub root@{{ ip }} 10 | -------------------------------------------------------------------------------- /tasks/bridge.yml: -------------------------------------------------------------------------------- 1 | # This playbook creates a network bridge. 2 | # 3 | # Copyright (c) 2013-2019 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | # Details: http://wiki.libvirt.org/page/Networking#Creating_network_initscripts 8 | --- 9 | - name: install needed packages 10 | dnf: 11 | name: "{{ $item }}" 12 | state: present 13 | with_items: 14 | - bridge-utils 15 | 16 | - name: add the bridge to the configuration file of eth0 17 | lineinfile: 18 | dest: /etc/sysconfig/network-scripts/ifcfg-eth0 19 | regexp: '' 20 | insertafter: EOF 21 | line: 'BRIDGE=br0' 22 | 23 | - name: create the br0 configuration file 24 | template: 25 | src: files/br0.j2 26 | dest: /etc/sysconfig/network-scripts/ifcfg-br0 27 | mode: 0644 28 | 29 | - name: add interface to bridge 30 | command: /usr/sbin/brctl addif br0 eth0 31 | -------------------------------------------------------------------------------- /tasks/cgi/cgi.yml: -------------------------------------------------------------------------------- 1 | # This playbook installs the web interface to use cgi-bin. 2 | # 3 | # Copyright (c) 2013-2018 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
6 | # 7 | --- 8 | - name: create the cgi-bin directory 9 | file: 10 | path: /var/www/lighttpd/cgi-bin 11 | state: directory 12 | owner: root 13 | group: root 14 | mode: 0775 15 | 16 | - name: install the fsl test bench cgi-bin.html file 17 | template: 18 | src: files/web-interface/cgi-bin.j2 19 | dest: /var/www/lighttpd/cgi-bin.html 20 | owner: root 21 | group: root 22 | mode: 0755 23 | 24 | - name: add a new entry to the index.html page 25 | lineinfile: 26 | dest: /var/www/lighttpd/index.html 27 | regexp: '^' 28 | insertafter: ' ' 29 | line: ' CGI
' 30 | -------------------------------------------------------------------------------- /tasks/cgi/env-py.yml: -------------------------------------------------------------------------------- 1 | # This playbook installs a CGI script which displays environment variables. 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | # SELinux (still to be checked) 8 | # chcon -t httpd_sys_content_t /var/www/cgi-bin/file 9 | --- 10 | - name: install the time python file 11 | template: src=files/cgi/env-py.j2 12 | dest=/var/www/lighttpd/cgi-bin/env.py 13 | owner=root 14 | group=root 15 | mode=0777 16 | 17 | - name: add a new entry for env to the cgi-bin index.html page 18 | lineinfile: dest=/var/www/lighttpd/cgi-bin.html 19 | regexp='^' 20 | insertafter=' ' 21 | line=' Environment variables (Python)
' 22 | -------------------------------------------------------------------------------- /tasks/cgi/env-sh.yml: -------------------------------------------------------------------------------- 1 | # This playbook installs a CGI script which displays environment variables. 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | # SELinux (still to be checked) 8 | # chcon -t httpd_sys_content_t /var/www/cgi-bin/file 9 | --- 10 | - name: install the env cgi file 11 | template: src=files/cgi/env-sh.j2 12 | dest=/var/www/lighttpd/cgi-bin/env.sh 13 | owner=root 14 | group=root 15 | mode=0777 16 | 17 | - name: add a new entry for env.cgi to the cgi-bin index.html page 18 | lineinfile: dest=/var/www/lighttpd/cgi-bin.html 19 | regexp='^' 20 | insertafter=' ' 21 | line=' Environment variables (Bash)
' 22 | -------------------------------------------------------------------------------- /tasks/cgi/system-sh.yml: -------------------------------------------------------------------------------- 1 | # This playbook installs a CGI script which displays system details. 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | # SELinux (still to be checked) 8 | # chcon -t httpd_sys_content_t /var/www/cgi-bin/file 9 | --- 10 | - name: install the system cgi file 11 | template: src=files/cgi/system-sh.j2 12 | dest=/var/www/lighttpd/cgi-bin/system.sh 13 | owner=root 14 | group=root 15 | mode=0777 16 | 17 | - name: add a new entry for system.cgi to the cgi-bin index.html page 18 | lineinfile: dest=/var/www/lighttpd/cgi-bin.html 19 | regexp='^' 20 | insertafter=' ' 21 | line=' System information (Bash)
' 22 | -------------------------------------------------------------------------------- /tasks/cgi/time-pl.yml: -------------------------------------------------------------------------------- 1 | # This playbook installs a CGI script which displays the date and the time. 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: install additional packages 9 | dnf: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - perl 13 | - perl-CGI 14 | - perl-Time-Piece 15 | 16 | - name: install the time perl file 17 | template: src=files/cgi/time-pl.j2 18 | dest=/var/www/lighttpd/cgi-bin/time.pl 19 | owner=root 20 | group=root 21 | mode=0777 22 | 23 | - name: add a new entry for perl cgi to the cgi-bin index.html page 24 | lineinfile: dest=/var/www/lighttpd/cgi-bin.html 25 | regexp='^' 26 | insertafter=' ' 27 | line=' Date/Time (Perl)
' 28 | -------------------------------------------------------------------------------- /tasks/cgi/time-py.yml: -------------------------------------------------------------------------------- 1 | # This playbook installs a CGI script which displays the time. 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | # SELinux (still to be checked) 8 | # chcon -t httpd_sys_content_t /var/www/cgi-bin/file 9 | --- 10 | - name: install the time python file 11 | template: src=files/cgi/time-py.j2 12 | dest=/var/www/lighttpd/cgi-bin/time.py 13 | owner=root 14 | group=root 15 | mode=0777 16 | 17 | - name: add a new entry for env.cgi to the cgi-bin index.html page 18 | lineinfile: dest=/var/www/lighttpd/cgi-bin.html 19 | regexp='^' 20 | insertafter=' ' 21 | line=' Time (Python)
' 22 | -------------------------------------------------------------------------------- /tasks/cgi/time.yml: -------------------------------------------------------------------------------- 1 | # This playbook installs a CGI script which displays the system time. 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | # SELinux (still to be checked) /usr/bin/bash 8 | # chcon -t httpd_sys_content_t /var/www/cgi-bin/file 9 | --- 10 | - name: install the time cgi file 11 | copy: src=files/cgi/time/time.cgi 12 | dest=/var/www/lighttpd/cgi-bin/time.cgi 13 | owner=root 14 | group=root 15 | mode=0777 16 | 17 | - name: add a new entry for time.cgi to the index.html page 18 | lineinfile: dest=/var/www/lighttpd/cgi-bin.html 19 | regexp='^' 20 | insertafter=' ' 21 | line=' Date/Time (C)
' 22 | -------------------------------------------------------------------------------- /tasks/chrony.yml: -------------------------------------------------------------------------------- 1 | # This playbook sets the system time. 2 | # 3 | # Copyright (c) 2013-2019 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: check if chronyd is running 9 | service: 10 | name: chronyd 11 | state: started 12 | 13 | - name: use ntp server as long the internet access is available 14 | command: /usr/bin/timedatectl set-ntp true 15 | -------------------------------------------------------------------------------- /tasks/cleanup.yml: -------------------------------------------------------------------------------- 1 | # This playbook removes all components that were only needed for the setup. 2 | # 3 | # Copyright (c) 2013-2019 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: remove additional packages 9 | dnf: 10 | name: "{{ item }}" 11 | state: absent 12 | with_items: 13 | - unzip 14 | - tar 15 | - git 16 | 17 | - name: cleaning task for yum 18 | command: /usr/bin/yum clean all 19 | 20 | - name: delete cache files 21 | file: 22 | path: /var/cache/"{{ item }}" 23 | state: absent 24 | with_items: 25 | - yum 26 | 27 | -------------------------------------------------------------------------------- /tasks/containers.yml: -------------------------------------------------------------------------------- 1 | # This playbook creates LXC containers. 2 | # 3 | # Copyright (c) 2013-2019 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
6 | # 7 | --- 8 | - name: create the network template 9 | template: 10 | src: files/lxc-network.j2 11 | dest: /var/lib/libvirt/network/network1.xml 12 | mode: 0644 13 | 14 | - name: create 'network1' network 15 | command: /usr/bin/virsh net-define /var/lib/libvirt/network/network1.xml 16 | 17 | - name: make 'network1' network autostart 18 | command: /usr/bin/virsh net-autostart network1 19 | 20 | - name: start 'network1' network 21 | command: /usr/bin/virsh net-start network1 22 | 23 | - name: create the script to bootstrap fedora 24 | template: 25 | src: files/lxc-virt-install.j2 26 | dest: /tmp/lxc-virt-install 27 | mode: 0755 28 | 29 | - name: create container 30 | command: /usr/bin/bash /tmp/lxc-virt-install {{ item }} 31 | with_items: 32 | - web01 33 | - web02 34 | 35 | ## Every container needs its own definition; Ansible is not able to evaluate 36 | ## the variable inside the lookup. 37 | - name: define container in libvirt 38 | virt: 39 | name: web01 40 | command: define 41 | xml: "{{ lookup('template', 'web01.xml.j2') }}" 42 | uri: lxc:/// 43 | 44 | - name: define container in libvirt 45 | virt: 46 | name: web02 47 | command: define 48 | xml: "{{ lookup('template', 'web02.xml.j2') }}" 49 | uri: lxc:/// 50 | ########## 51 | 52 | - name: start container 53 | virt: 54 | name: "{{ item }}" 55 | state: "running" 56 | uri: lxc:/// 57 | with_items: 58 | - web01 59 | - web02 60 | 61 | - name: make container autostart 62 | command: /usr/bin/virsh autostart {{ item }} 63 | with_items: 64 | - web01 65 | - web02 66 | 67 | - name: delete temp files 68 | file: 69 | path: /tmp/{{ item }} 70 | state: absent 71 | with_items: 72 | - lxc-virt-install 73 | - fedora-release-{{ fedora_current }}-2.noarch.rpm 74 | 75 | # Container tests 76 | # virsh --connect lxc:/// start [container name] 77 | -------------------------------------------------------------------------------- /tasks/db-servers/mariadb.yml: -------------------------------------------------------------------------------- 1 
| # This playbook install the MariaDB SQL server (https://mariadb.org/). 2 | # 3 | # Copyright (c) 2013-2019 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | # Based on a playbook by https://github.com/fourkitchens/server-playbooks 8 | --- 9 | - name: install mariadb and related packages 10 | dnf: 11 | pkg: "{{ item }}" 12 | state: present 13 | with_items: 14 | - mariadb 15 | - mariadb-server 16 | - MySQL-python 17 | - php-mysql 18 | - php-pear 19 | 20 | - name: start sql service and enable the service 21 | service: 22 | name: mariadb 23 | state: started 24 | enabled: yes 25 | 26 | - name: set the sql root password 27 | mysql_user: 28 | user: root 29 | password: "{{ mysql_root_password }}" 30 | host: localhost 31 | 32 | - name: config for easy access as root user 33 | template: 34 | src: files/my-cnf.j2 35 | dest: /root/.my.cnf 36 | 37 | - name: delete anonymous sql server user for {{ server_hostname }} 38 | mysql_user: 39 | user: "" 40 | host: "{{ server_hostname }}" 41 | state: absent 42 | 43 | - name: delete anonymous sql server user for localhost 44 | mysql_user: 45 | user: "" 46 | state: absent 47 | 48 | - name: secure the sql root user for ipv6 localhost (::1) 49 | mysql_user: 50 | user: root 51 | password: "{{ mysql_root_password }}" 52 | host: "::1" 53 | 54 | - name: secure the sql root user for ipv4 localhost (127.0.0.1) 55 | mysql_user: 56 | user: "root" 57 | password: "{{ mysql_root_password }}" 58 | host: "127.0.0.1" 59 | 60 | - name: secure the sql root user for localhost domain (localhost) 61 | mysql_user: 62 | user: "root" 63 | password: "{{ mysql_root_password }}" 64 | host: "localhost" 65 | 66 | - name: secure the sql root user for {{ server_hostname }} domain 67 | mysql_user: 68 | user: "root" 69 | password: "{{ mysql_root_password }}" 70 | host: "{{ server_hostname }}" 71 | 72 | - name: remove the mysql test database 73 | mysql_db: 74 | db: test 75 | state: absent 76 | 
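--------------------------------------------------------------------------------
/tasks/db-servers/mongodb.yml:
--------------------------------------------------------------------------------
# This playbook install mongoDB (http://www.mongodb.org/).
#
# Copyright (c) 2013-2019 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
# Variables expected from the caller: mysql_root_password, alice_password,
# bob_password. The user tasks carry no_log so the passwords stay out of
# verbose output and the log file.
---
- name: install mongodb and related packages
  dnf:
    # One list means a single dnf transaction instead of one run per item.
    name:
      - mongodb
      - mongodb-server
      - python-pymongo
    state: present

- name: start mongodb service and enable the service
  service:
    name: mongod
    state: started
    enabled: yes

# NOTE(review): the mongodb root user reuses the MySQL root password
# variable; intentional sharing or copy-paste — confirm with the variable
# definitions.
- name: set the mongodb root password and create db
  mongodb_user:
    database: testbench
    name: root
    password: "{{ mysql_root_password }}"
    state: present
  no_log: true

- name: create an additional mongodb user (alice)
  mongodb_user:
    database: testbench
    name: alice
    password: "{{ alice_password }}"
    roles: 'readWrite,dbAdmin,userAdmin'
    state: present
  no_log: true

- name: create an additional mongodb user (bob)
  mongodb_user:
    database: testbench
    name: bob
    password: "{{ bob_password }}"
    roles: 'read'
    state: present
  no_log: true

# Comments out the bind_ip line; per the task name this is what opens the
# daemon to remote clients. The original values carried a stray '=' left
# over from the key=value syntax ("line: ='#bind_ip ...", "state: =present"),
# which made state an invalid value. The regexp dots are escaped so the
# pattern matches the literal address only. insertafter is dropped: when
# the regexp does not match, lineinfile appends at EOF anyway.
- name: enable remote access to mongodb
  lineinfile:
    dest: /etc/mongodb.conf
    regexp: '^bind_ip = 127\.0\.0\.1'
    line: '#bind_ip = 127.0.0.1'
    state: present

# permanent only writes the saved configuration; the running firewall picks
# it up on the next reload.
- name: configure firewall, allow traffic to port 27017
  firewalld:
    port: 27017/tcp
    permanent: true
    state: enabled
--------------------------------------------------------------------------------
/tasks/db-servers/mysql.yml:
--------------------------------------------------------------------------------
# This playbook install mysql server (http://www.mysql.com/).
#
# Copyright (c) 2013-2014 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
# Based on a playbook by https://github.com/fourkitchens/server-playbooks
#
# Variables expected from the caller: mysql_root_password, server_hostname.
# Written in the same YAML dictionary form as mariadb.yml so the two files
# stay comparable; tasks that pass the root password carry no_log.
---
- name: install mysql and related packages
  yum:
    # One list means a single transaction instead of one run per item.
    name:
      - mysql
      - mysql-server
      - MySQL-python
      - php-mysql
      - php-pear
    state: present

- name: start mysql service and enable the service
  service:
    name: mysqld
    state: started
    enabled: yes

# Runs before /root/.my.cnf exists; presumably relies on the passwordless
# local root account of a fresh install — confirm on the target.
- name: set the mysql root password
  mysql_user:
    user: root
    password: "{{ mysql_root_password }}"
    host: localhost
  no_log: true

# The rendered file holds the root password in clear text, so it must be
# readable by root only; the original task left the mode to the umask.
- name: config for easy access as root user
  template:
    src: files/my-cnf.j2
    dest: /root/.my.cnf
    owner: root
    group: root
    mode: 0600

- name: delete anonymous mysql server user for {{ server_hostname }}
  mysql_user:
    user: ""
    host: "{{ server_hostname }}"
    state: absent

- name: delete anonymous mysql server user for localhost
  mysql_user:
    user: ""
    host: localhost
    state: absent

# One task per host value so each root account entry gets the password.
- name: secure the mysql root user for ipv6 localhost (::1)
  mysql_user:
    user: root
    password: "{{ mysql_root_password }}"
    host: "::1"
  no_log: true

- name: secure the mysql root user for ipv4 localhost (127.0.0.1)
  mysql_user:
    user: root
    password: "{{ mysql_root_password }}"
    host: "127.0.0.1"
  no_log: true

- name: secure the mysql root user for localhost domain (localhost)
  mysql_user:
    user: root
    password: "{{ mysql_root_password }}"
    host: "localhost"
  no_log: true

# The original name read "{{ server_hostname domain }}", a malformed Jinja
# expression; "domain" belongs outside the braces.
- name: secure the mysql root user for {{ server_hostname }} domain
  mysql_user:
    user: root
    password: "{{ mysql_root_password }}"
    host: "{{ server_hostname }}"
  no_log: true

- name: remove the mysql test database
  mysql_db:
    db: test
    state: absent
--------------------------------------------------------------------------------
/tasks/directory-servers/openldap.yml: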
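--------------------------------------------------------------------------------
# This playbook install the openldap (http://www.openldap.org/) server.
#
# Copyright (c) 2013-2018 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
# Variables expected from the caller: server_root_password.
---
- name: install the needed ldap packages
  dnf:
    # One list means a single dnf transaction instead of one run per item.
    name:
      - openldap
      - openldap-clients
      - openldap-servers
    state: present

- name: start openldap
  service:
    name: slapd
    # 'started' is the documented idempotent state of the service module.
    state: started
    enabled: yes

# Produces the {SSHA} hash of the manager password. The result is registered
# so the templates below can use it; the original discarded the output, so
# the task had no effect. -s places the clear-text password on the command
# line for the duration of the call, hence no_log. changed_when: false
# because hashing changes nothing on the host.
- name: hash the manager password
  command: /usr/sbin/slappasswd -h {SSHA} -s "{{ server_root_password }}"
  register: slappasswd_result
  changed_when: false
  no_log: true

# NOTE(review): files/openldap-manager.j2 is not in view; it presumably
# needs slappasswd_result.stdout for the manager password hash — confirm.
# Both LDIF files are credential material, so they are root-only (0600)
# instead of the original 0644, and they are removed again at the end.
- name: put the manager ldif in place
  template:
    src: files/openldap-manager.j2
    dest: /tmp/manager.ldif
    owner: root
    group: root
    mode: 0600

- name: put the frontend ldif in place
  template:
    src: files/openldap-frontend.j2
    dest: /tmp/frontend.ldif
    owner: root
    group: root
    mode: 0600

# permanent only writes the saved configuration; the running firewall picks
# it up on the next reload.
- name: configure firewall, allow traffic to port 389
  firewalld:
    port: 389/tcp
    permanent: true
    state: enabled

- name: load the manager configuration
  command: /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif

# -W prompts for the bind password on a terminal and cannot complete under
# Ansible; the password is passed with -w instead, with no_log set (it is
# still visible in the process list while the command runs).
# NOTE(review): assumes the manager DN password is server_root_password,
# the value hashed above — confirm against files/openldap-manager.j2.
- name: load the frontend configuration
  command: /usr/bin/ldapadd -x -D cn=admin,dc=server,dc=world -w "{{ server_root_password }}" -f /tmp/frontend.ldif
  no_log: true

- name: delete the temporary ldif files
  file:
    path: /tmp/{{ item }}
    state: absent
  with_items:
    - manager.ldif
    - frontend.ldif
--------------------------------------------------------------------------------
/tasks/file-servers/nfs.yml:
--------------------------------------------------------------------------------
# This playbook setup nfs (http://nfs.sourceforge.net/) capability.
#
# Copyright (c) 2013-2014 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
---
- name: install nfs package
  yum:
    name: nfs-utils
    state: present

- name: create a directory to share
  file:
    path: /opt/nfs/
    mode: 0755
    state: directory

- name: put a dummy file in the share
  template:
    src: files/default.j2
    dest: /opt/nfs/info.txt
    mode: 0644

# Appends the export when it is missing. The original passed regexp='',
# which matches every line, so lineinfile replaced the last line of
# /etc/exports instead of appending; without a regexp the line itself is
# the match criterion.
# NOTE(review): the export is limited to the /24 of eth0 and depends on the
# interface being named eth0 on the target — confirm.
- name: add an export
  lineinfile:
    dest: /etc/exports
    insertafter: EOF
    line: '/opt/nfs/ {{ ansible_eth0.ipv4.network }}/24(rw,sync)'

# permanent only writes the saved configuration; the running firewall picks
# it up on the next reload.
- name: configure firewall, allow nfs traffic
  firewalld:
    service: nfs
    permanent: true
    state: enabled

# The service starts stay disabled as in the original; presumably the
# export is not served until nfs-server runs — confirm what is intended.
#- name: start rpcbind
#  service: name=rpcbind
#           state=running
#           enabled=yes

#- name: start nfs-server
#  service: name=nfs-server
#           state=running
#           enabled=yes

#- name: start nfs-idmap
#  service: name=nfs-idmap
#           state=running
#           enabled=yes

#- name: start nfs-lock
#  service: name=nfs-lock
#           state=running
#           enabled=yes
--------------------------------------------------------------------------------
/tasks/file-servers/samba.yml:
--------------------------------------------------------------------------------
# This playbook install the samba (http://www.samba.org/) server.
#
# Copyright (c) 2013-2016 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.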
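#
---
- name: install samba and related packages
  yum:
    # The original read "pkg={{ item }}}" with a stray third brace.
    name:
      - cups-libs
      - samba
      - samba-client
    state: present

- name: create a directory to share
  file:
    path: /opt/samba/
    mode: 0755
    state: directory

- name: put a dummy file in the share
  template:
    src: files/default.j2
    dest: /opt/samba/info.txt
    mode: 0644

# Both SELinux booleans widen what smbd may write; deliberate for a test
# bench share that is meant to be writable by clients.
- name: set selinux boolean
  command: /usr/sbin/setsebool -P allow_smbd_anon_write=1

- name: allow full access (r/w)
  command: /usr/sbin/setsebool -P samba_export_all_rw on

- name: set selinux context
  command: /usr/bin/chcon -t samba_share_t /opt/samba/

# blockinfile appends the stanza once and keeps it idempotent. The original
# lineinfile call used regexp='' (matches every line, so the last line of
# smb.conf was replaced) and packed the stanza into one \n-separated value;
# the original indented the options with tabs, spaces are used here.
- name: add a share
  blockinfile:
    dest: /etc/samba/smb.conf
    block: |
      [samba]
          path = /opt/samba/
          read only = no
      ;   browseable = yes

# permanent only writes the saved configuration; the running firewall picks
# it up on the next reload.
- name: configure firewall, allow traffic
  firewalld:
    service: "{{ item }}"
    permanent: true
    state: enabled
  with_items:
    - samba
    - samba-client

- name: start samba
  service:
    name: smb
    # 'started' is the documented idempotent state of the service module.
    state: started
    enabled: yes

# nmb is samba's name service daemon; the original label "start named" was
# misleading (named is the BIND daemon).
- name: start nmb
  service:
    name: nmb
    state: started
    enabled: yes

--------------------------------------------------------------------------------
/tasks/ftp-servers/proftpd.yml:
--------------------------------------------------------------------------------
# This playbook install the proftpd server (http://www.proftpd.org).
#
# Copyright (c) 2013-2014 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
---
- name: install proftpd package
  yum:
    name: proftpd
    state: present

- name: start proftpd
  service:
    name: proftpd
    state: started
    enabled: yes

- name: configure firewall, allow ftp traffic
  firewalld:
    service: ftp
    permanent: true
    state: enabled
--------------------------------------------------------------------------------
/tasks/ftp-servers/pure-ftpd.yml:
--------------------------------------------------------------------------------
# This playbook install the pure-ftpd server (http://www.pureftpd.org).
#
# Copyright (c) 2013-2014 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
# The daemon is moved from port 21 to 2121 and the firewall rule below opens
# that same port. The original opened 6667/tcp twice (copied from the irc
# task) under names mentioning 2021 and 2020, so no rule matched the config.
---
- name: install pure-ftpd package
  yum:
    name: pure-ftpd
    state: present

# NOTE(review): the Bind address stays 127.0.0.1, so the daemon listens on
# loopback only; if remote clients are intended the address has to change
# as well — confirm. Regexp dots are escaped to match the literal address.
- name: run pure-ftpd on port 2121
  lineinfile:
    dest: /etc/pure-ftpd/pure-ftpd.conf
    regexp: '^Bind 127\.0\.0\.1,21'
    insertafter: '^# Bind 127\.0\.0\.1,21'
    line: 'Bind 127.0.0.1,2121'
    state: present

- name: start pure-ftpd
  service:
    name: pure-ftpd
    state: started
    enabled: yes

# permanent only writes the saved configuration; the running firewall picks
# it up on the next reload.
- name: configure firewall, allow traffic to port 2121
  firewalld:
    port: 2121/tcp
    permanent: true
    state: enabled
--------------------------------------------------------------------------------
/tasks/ftp-servers/vsftpd.yml:
--------------------------------------------------------------------------------
# This playbook install the vsftp server (https://security.appspot.com/vsftpd.html).
#
# Copyright (c) 2013-2014 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.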
6 | # 7 | --- 8 | - name: install vsftpd package 9 | yum: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - vsftpd 13 | 14 | #- name: enable ssl 15 | # lineinfile: dest=/etc/vsftpd/vsftpd.conf 16 | # regexp='^' 17 | # insertafter=EOF 18 | # line='tcp_wrapper=YES\nrsa_cert_file=/etc/vsftpd/cert.key\nssl_enable=YES\nforce_local_data_ssl=YES\nforce_local_logins_ssl=YES\nrequire_ssl_reuse=NO\n' 19 | 20 | #- name: copy the server configuration file 21 | # template: src=files/vsftpd-users.j2 22 | # dest=/etc/vsftpd/user_list 23 | # mode=0644 24 | 25 | - name: create the cert 26 | command: /usr/bin/openssl req -new -x509 -subj "/C={{ cert_country }}/ST={{ cert_province }}/L={{ cert_city }}/O={{ cert_org }}/CN={{ cert_cn }}/Email={{ cert_email }}" -days 3650 -keyout /etc/vsftpd/cert.key -out /etc/vsftpd/cert.pem -nodes 27 | 28 | - name: start vsftpd 29 | service: name=vsftpd 30 | state=running 31 | enabled=yes 32 | 33 | - name: configure firewall, allow ftp traffic 34 | firewalld: service=ftp 35 | permanent=true 36 | state=enabled 37 | -------------------------------------------------------------------------------- /tasks/helpers/cockpit.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the cockpit (http://cockpit-project.org/). 2 | # 3 | # Copyright (c) 2014 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: install additional packages 9 | yum: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - cockpit 13 | 14 | - name: configure firewall, allow traffic to port 1001 15 | firewalld: service=cockpit 16 | permanent=true 17 | state=enabled 18 | 19 | - name: start cockpit 20 | service: name=cockpit 21 | state=running 22 | enabled=yes 23 | 24 | - name: add a new entry to the index.html page 25 | lineinfile: dest=/var/www/lighttpd/index.html 26 | regexp='^' 27 | insertafter=' ' 28 | line=' Cockpit
' 29 | -------------------------------------------------------------------------------- /tasks/helpers/linfo.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the linfo (http://linfo.sourceforge.net/) php 2 | # application. 3 | # 4 | # Copyright (c) 2013-2014 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: download the source tarball 10 | get_url: url=http://sourceforge.net/projects/linfo/files/Linfo%20Stable%20Releases/linfo-{{ linfo_version }}.tar.gz 11 | dest=/var/www/lighttpd/linfo-{{ linfo_version }}.tar.gz 12 | mode=0440 13 | 14 | - name: unpack the source archive 15 | unarchive: src=/var/www/lighttpd/linfo-{{ linfo_version }}.tar.gz 16 | dest=/var/www/lighttpd/ 17 | copy=no 18 | mode=0775 19 | owner=lighttpd 20 | group=lighttpd 21 | 22 | - name: rename the source directory 23 | command: /usr/bin/mv /var/www/lighttpd/linfo-{{ linfo_version }} /var/www/lighttpd/linfo 24 | 25 | - name: delete the archive 26 | file: path=/var/www/lighttpd/linfo-{{ linfo_version }}.tar.gz 27 | state=absent 28 | 29 | - name: copy the default config file 30 | command: /usr/bin/cp /var/www/lighttpd/linfo/sample.config.inc.php /var/www/lighttpd/linfo/config.inc.php 31 | 32 | - name: add a new entry to the index.html page 33 | lineinfile: dest=/var/www/lighttpd/index.html 34 | regexp='^' 35 | insertafter=' ' 36 | line=' linfo
' 37 | -------------------------------------------------------------------------------- /tasks/helpers/log-openvpn.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the log viewer for the openvpn logs. 2 | # 3 | # Copyright (c) 2013 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: create the directory for log-openvpn 9 | file: path=/var/www/lighttpd/log-openvpn 10 | owner=root 11 | group=root 12 | mode=0775 13 | state=directory 14 | 15 | - name: download the logtail script 16 | get_url: url=https://raw.github.com/ukhas/js-logtail/master/logtail.js 17 | dest=/var/www/lighttpd/bootstrap/js/logtail.js 18 | mode=0775 19 | 20 | - name: install the log.html file 21 | template: src=files/web-interface/log-openvpn.j2 22 | dest=/var/www/lighttpd/log-openvpn/openvpn-log.html 23 | owner=lighttpd 24 | group=lighttpd 25 | mode=0755 26 | 27 | - name: install the index.html file 28 | template: src=files/web-interface/openvpn-static-index.j2 29 | dest=/var/www/lighttpd/log-openvpn/config.php 30 | owner=lighttpd 31 | group=lighttpd 32 | mode=0755 33 | 34 | - name: create a symlink to the log file 35 | file: src=/var/log/openvpn.log 36 | dest=/var/www/lighttpd/log-openvpn/log 37 | owner=root 38 | group=root 39 | mode=0775 40 | state=link 41 | 42 | - name: set selinux context 43 | command: chcon -h unconfined_u:object_r:httpd_log_t:s0 /var/log/openvpn.log 44 | 45 | - name: set selinux context 46 | command: chcon -R unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/lighttpd/log-openvpn/log 47 | 48 | - name: add a new entry to the index.html page 49 | lineinfile: dest=/var/www/lighttpd/index.html 50 | regexp='^' 51 | insertafter=' ' 52 | line=' OpenVPN
' 53 | -------------------------------------------------------------------------------- /tasks/helpers/log-system.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the log viewer for the system logs. 2 | # 3 | # Copyright (c) 2013 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: create the directory for log-system 9 | file: path=/var/www/lighttpd/log-system 10 | owner=root 11 | group=root 12 | mode=0775 13 | state=directory 14 | 15 | - name: download the logtail script 16 | get_url: url=https://raw.github.com/ukhas/js-logtail/master/logtail.js 17 | dest=/var/www/lighttpd/bootstrap/js/logtail.js 18 | mode=0775 19 | 20 | - name: install the log.html file 21 | template: src=files/web-interface/log-system.j2 22 | dest=/var/www/lighttpd/log-system/index.html 23 | owner=lighttpd 24 | group=lighttpd 25 | mode=0755 26 | 27 | - name: create a symlink to the log file 28 | file: src=/var/log/messages 29 | dest=/var/www/lighttpd/log-system/log 30 | owner=root 31 | group=root 32 | mode=0775 33 | state=link 34 | 35 | - name: set selinux context 36 | command: /usr/bin/chcon -h unconfined_u:object_r:httpd_log_t:s0 /var/log/messages 37 | 38 | - name: set selinux context 39 | command: /usr/bin/chcon -R unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/lighttpd/log-system/log 40 | 41 | - name: add a new entry to the index.html page 42 | lineinfile: dest=/var/www/lighttpd/index.html 43 | regexp='^' 44 | insertafter=' ' 45 | line=' Logs
' 46 | -------------------------------------------------------------------------------- /tasks/helpers/php-shell-detector.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the PHP Shell detector 2 | # (https://github.com/emposha/PHP-Shell-Detector). 3 | # 4 | # Copyright (c) 2013 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: checkout from the git repo 10 | git: repo=git://github.com/emposha/PHP-Shell-Detector.git 11 | dest=/var/www/lighttpd/php-shell-detector 12 | 13 | - name: add a new entry to the index.html page 14 | lineinfile: dest=/var/www/lighttpd/index.html 15 | regexp='^' 16 | insertafter=' ' 17 | line=' PHP Shell Detector
' 18 | 19 | - name: reset the username and the password 20 | command: /usr/bin/sed -i 's| private $authentication = array("username" => "admin", "password" => "protect");| private $authentication = array("username" => "root", "password" => "$server_root_password");|g' /var/www/lighttpd/php-shell-detector/shelldetect.php 21 | 22 | - name: set the correct path to grab all directories 23 | command: /usr/bin/sed -i "s| private \$directory = '.';| private $directory = '/var/www/';|g" /var/www/lighttpd/php-shell-detector/shelldetect.php 24 | -------------------------------------------------------------------------------- /tasks/helpers/phpinfo.yml: -------------------------------------------------------------------------------- 1 | # This playbook install a simple file for displaying details about the PHP 2 | # installation. 3 | # 4 | # Copyright (c) 2013-2014 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: create the directory for phpinfo 10 | file: path=/var/www/lighttpd/phpinfo 11 | owner=root 12 | group=root 13 | mode=0775 14 | state=directory 15 | 16 | - name: install the index.php file 17 | template: src=files/web-interface/phpinfo.j2 18 | dest=/var/www/lighttpd/phpinfo/index.php 19 | owner=lighttpd 20 | group=lighttpd 21 | mode=0644 22 | 23 | - name: add a new entry to the index.html page 24 | lineinfile: dest=/var/www/lighttpd/index.html 25 | regexp='^' 26 | insertafter=' ' 27 | line=' phpInfo
' 28 | -------------------------------------------------------------------------------- /tasks/helpers/phpldapadmin.yml: -------------------------------------------------------------------------------- 1 | # This playbook install phpldapadmin (http://phpldapadmin.sourceforge.net). 2 | # 3 | # Copyright (c) 2013-2014 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: install needed packages 9 | yum: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - php-ldap 13 | 14 | - name: download the source tarball 15 | get_url: url=http://downloads.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/{{ phpldapadmin_version }}/phpldapadmin-{{ phpldapadmin_version }}.tgz 16 | dest=/var/www/lighttpd/phpldapadmin.tgz 17 | mode=0440 18 | 19 | - name: unpack the source archive 20 | unarchive: src=/var/www/lighttpd/phpldapadmin.tgz 21 | dest=/var/www/lighttpd/ 22 | copy=no 23 | mode=0775 24 | owner=lighttpd 25 | group=lighttpd 26 | 27 | - name: rename the source directory 28 | command: /usr/bin/mv /var/www/lighttpd/phpldapadmin-{{ phpldapadmin_version }} /var/www/lighttpd/phpldapadmin 29 | 30 | - name: delete the archive 31 | file: path=/var/www/lighttpd/phpldapadmin.tgz 32 | state=absent 33 | 34 | - name: put config file in place 35 | template: src=files/phpldapadmin-config.j2 36 | dest=/var/www/lighttpd/phpldapadmin/config/config.php 37 | owner=lighttpd 38 | group=lighttpd 39 | mode=0644 40 | 41 | #- name: add a new entry to the index.html page 42 | # lineinfile: dest=/var/www/lighttpd/index.html 43 | # regexp='^' 44 | # insertafter=' ' 45 | # line=' phpLDAPadmin' 46 | -------------------------------------------------------------------------------- /tasks/helpers/phpmoadmin.yml: -------------------------------------------------------------------------------- 1 | # This playbook install phpMoAdmin (http://www.phpmoadmin.com/). 2 | # 3 | # Copyright (c) 2013 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. 
All rights reserved. 6 | # 7 | --- 8 | - name: install additional packages 9 | yum: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - php-pecl-mongo 13 | 14 | - name: create the phpmoadmin directory 15 | file: path=/var/www/lighttpd/phpmoadmin 16 | mode=0755 17 | state=directory 18 | 19 | - name: download the phpmoadmin source tarball 20 | get_url: url=http://www.phpmoadmin.com/file/phpmoadmin.zip 21 | dest=/var/www/lighttpd/phpmoadmin.zip 22 | mode=0440 23 | 24 | - name: unpack the archive 25 | command: /usr/bin/unzip -o /var/www/lighttpd/phpmoadmin.zip -d /var/www/lighttpd/phpmoadmin 26 | 27 | - name: delete the archive 28 | file: path=/var/www/lighttpd/phpmoadmin.zip 29 | state=absent 30 | 31 | - name: delete the archive 32 | file: path=/var/www/lighttpd/phpmoadmin.zip 33 | state=absent 34 | 35 | - name: add a new entry to the index.html page 36 | lineinfile: dest=/var/www/lighttpd/index.html 37 | regexp='^' 38 | insertafter=' ' 39 | line=' phpMoAdmin
' 40 | -------------------------------------------------------------------------------- /tasks/helpers/phpmyadmin.yml: -------------------------------------------------------------------------------- 1 | # This playbook install phpmyadmin (http://www.phpmyadmin.net). 2 | # 3 | # Copyright (c) 2013-2014 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: install additional packages 9 | yum: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - php-mysql 13 | - php-mcrypt 14 | - php-mbstring 15 | - php-gd 16 | 17 | - name: download the source tarball 18 | get_url: url=http://files.directadmin.com/services/all/phpMyAdmin/phpMyAdmin-{{ phpmyadmin_version }}-all-languages.tar.gz 19 | dest=/var/www/lighttpd/phpmyadmin-{{ phpmyadmin_version }}.tar.gz 20 | mode=0440 21 | 22 | - name: unpack the source tarball 23 | unarchive: src=/var/www/lighttpd/phpmyadmin-{{ phpmyadmin_version }}.tar.gz 24 | dest=/var/www/lighttpd/ 25 | copy=no 26 | mode=0775 27 | owner=lighttpd 28 | group=lighttpd 29 | 30 | - name: rename the source directory 31 | command: /usr/bin/mv /var/www/lighttpd/phpMyAdmin-{{ phpmyadmin_version }}-all-languages /var/www/lighttpd/phpmyadmin 32 | 33 | - name: delete the archive 34 | file: path=/var/www/lighttpd/phpmyadmin-{{ phpmyadmin_version }}.tar.gz 35 | state=absent 36 | 37 | - name: add a new entry to the index.html page 38 | lineinfile: dest=/var/www/lighttpd/index.html 39 | regexp='^' 40 | insertafter=' ' 41 | line=' phpMyAdmin
' 42 | -------------------------------------------------------------------------------- /tasks/hosts.yml: -------------------------------------------------------------------------------- 1 | # This playbook customizes the hosts file. 2 | # 3 | # Copyright (c) 2013-2019 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: put a default hosts file in place 9 | template: 10 | src: files/hosts.j2 11 | dest: /etc/hosts 12 | owner: root 13 | group: root 14 | mode: 0644 15 | 16 | -------------------------------------------------------------------------------- /tasks/libvirt.yml: -------------------------------------------------------------------------------- 1 | # This playbook install and setup libvirt (http://libvirt.org/) for local use. 2 | # 3 | # Copyright (c) 2013-2019 Fabian Affolter 4 | # 5 | # All rights reserved. Licensed under CC BY 3.0 6 | # 7 | --- 8 | - name: install libvirt and other needed packages 9 | dnf: 10 | name: "{{ item }}" 11 | state: present 12 | with_items: 13 | - libvirt 14 | - libvirt-client 15 | - libvirt-daemon-qemu 16 | - libvirt-daemon-kvm 17 | 18 | - name: start libvirtd 19 | service: 20 | name: libvirtd 21 | state: running 22 | enabled: yes 23 | 24 | # Network setup for the virtual machine 25 | # Configuration stored in /var/lib/libvirt/network/ 26 | # Templates stored in /usr/share/libvirt/networks/ 27 | 28 | - name: create the network template 29 | template: 30 | src: files/libvirt-network.j2 31 | dest: /usr/share/libvirt/networks/testbench.xml 32 | mode: 0644 33 | 34 | # Destroy default network if needed 35 | #- name: destroy default network 36 | # command: /usr/bin/virsh net-destroy default 37 | # 38 | #- name: remove the default network 39 | # command: /usr/bin/virsh net-undefine default 40 | 41 | - name: create 'testbench' network 42 | command: /usr/bin/virsh net-define /usr/share/libvirt/networks/testbench.xml 43 | 44 | - name: make 'testbench' network autostart 45 | command: 
/usr/bin/virsh net-autostart testbench 46 | 47 | - name: start 'testbench' network 48 | command: /usr/bin/virsh net-start testbench 49 | 50 | # Check if the testbench network is ready 51 | # virsh net-list --all 52 | -------------------------------------------------------------------------------- /tasks/lxc.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the Linux Container aka LXC tools 2 | # (http://lxc.sourceforge.net/). 3 | # 4 | # Copyright (c) 2013-2019 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: install the needed packages 10 | dnf: 11 | name: "{{ item }}" 12 | state: present 13 | with_items: 14 | - lxc 15 | - libvirt-daemon-lxc 16 | - libvirt-daemon-driver-lxc 17 | - libvirt-daemon-config-network 18 | - virt-install 19 | 20 | - name: start libvirtd 21 | service: 22 | name: libvirtd 23 | state: running 24 | enabled: yes 25 | -------------------------------------------------------------------------------- /tasks/mail-servers/dovecot.yml: -------------------------------------------------------------------------------- 1 | # This playbook install a dovecot (http://dovecot.org/) server. 2 | # 3 | # Copyright (c) 2013-2014 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
6 | # 7 | --- 8 | - name: install dovecot packages 9 | yum: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - dovecot 13 | 14 | - name: default dovecot configuration file 15 | template: src=files/dovecot-config.j2 16 | dest=/etc/dovecot/dovecot.conf 17 | owner=root 18 | group=root 19 | mode=0644 20 | 21 | - name: enable maildir support 22 | lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf 23 | regexp='^mail_location =' 24 | insertafter='^#mail_location =' 25 | line='mail_location = maildir:~/Maildir' 26 | state=present 27 | 28 | - name: configure firewall, allow encrypted traffic 29 | firewalld: service={{ item }} 30 | permanent=true 31 | state=enabled 32 | with_items: 33 | - pop3s 34 | - imaps 35 | 36 | - name: configure firewall, allow plaintext traffic 37 | firewalld: port={{ item }}/tcp 38 | permanent=true 39 | state=enabled 40 | with_items: 41 | - 110 42 | - 143 43 | 44 | - name: start dovecot 45 | service: name=dovecot 46 | state=running 47 | enabled=yes 48 | -------------------------------------------------------------------------------- /tasks/mail-servers/postfix.yml: -------------------------------------------------------------------------------- 1 | # This playbook install a postfix (http://www.postfix.org/) server. 2 | # 3 | # Copyright (c) 2013-2014 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
6 | # 7 | --- 8 | - name: install postfix packages 9 | yum: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - postfix 13 | 14 | - name: default postfix configuration file 15 | template: src=files/postfix-config.j2 16 | dest=/etc/postfix/main.cf 17 | owner=root 18 | group=root 19 | mode=0644 20 | 21 | - name: configure firewall, allow traffic to port 25 22 | firewalld: port=25/tcp 23 | permanent=true 24 | state=enabled 25 | 26 | - name: start postfix 27 | service: name=postfix 28 | state=running 29 | enabled=yes 30 | -------------------------------------------------------------------------------- /tasks/mc.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the mc package. 2 | # 3 | # Copyright (c) 2013-2019 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: install mc package 9 | dnf: 10 | name: mc 11 | state: present 12 | 13 | -------------------------------------------------------------------------------- /tasks/misc-servers/cups.yml: -------------------------------------------------------------------------------- 1 | # This playbook install a cups server. 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
6 | # 7 | --- 8 | - name: install cups package 9 | dnf: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - cups 13 | 14 | - name: default cups configuration file 15 | template: src=files/cups.j2 16 | dest=/etc/cups/cupsd.conf 17 | owner=root 18 | group=root 19 | mode=0644 20 | 21 | - name: configure firewall, allow ipp traffic 22 | firewalld: service=ipp 23 | permanent=true 24 | state=enabled 25 | 26 | - name: configure firewall, allow ipp-client traffic 27 | firewalld: service=ipp-client 28 | permanent=true 29 | state=enabled 30 | 31 | - name: start cups 32 | service: name=cups 33 | state=running 34 | enabled=yes 35 | -------------------------------------------------------------------------------- /tasks/misc-servers/dropbear.yml: -------------------------------------------------------------------------------- 1 | # This playbook install a dropbear ssh server 2 | # (https://matt.ucc.asn.au/dropbear/dropbear.html). 3 | # 4 | # Copyright (c) 2013-2016 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: install dropbear package 10 | dnf: pkg={{ item }} 11 | state=present 12 | with_items: 13 | - dropbear 14 | 15 | - name: enable switch to port 222 16 | template: src=files/dropbear-config.j2 17 | dest=/etc/sysconfig/dropbear 18 | owner=root 19 | group=root 20 | mode=0644 21 | 22 | - name: configure firewall, allow traffic to port 222 23 | firewalld: port=222/tcp 24 | permanent=true 25 | state=enabled 26 | 27 | - name: start dropbear 28 | service: name=dropbear 29 | state=running 30 | enabled=yes 31 | -------------------------------------------------------------------------------- /tasks/misc-servers/mosquitto.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the mosquitto broker (http://mosquitto.org). 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
6 | # 7 | --- 8 | - name: install mosquitto package 9 | dnf: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - mosquitto 13 | - python-paho-mqtt 14 | 15 | - name: configure firewall, allow traffic to port 1883 16 | firewalld: port=1883/tcp 17 | permanent=true 18 | state=enabled 19 | 20 | - name: start mosquitto 21 | service: name=mosquitto 22 | state=running 23 | enabled=yes 24 | 25 | - name: copy the python script to the test bench 26 | copy: src=files/mqtt_pub.py 27 | dest=/usr/bin/mqtt_pub.py 28 | owner=root 29 | group=root 30 | mode=0775 31 | 32 | - name: copy systemd service for publishing mqtt messages 33 | template: src=files/mqtt_pub-service.j2 34 | dest=/lib/systemd/system/mqtt_pub.service 35 | owner=root 36 | group=root 37 | mode=0644 38 | 39 | - name: reload systemd 40 | command: /usr/bin/systemctl --system daemon-reload 41 | 42 | - name: start mqtt_pub 43 | service: name=mqtt_pub 44 | state=running 45 | enabled=yes 46 | -------------------------------------------------------------------------------- /tasks/misc-servers/ngircd.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the ngIRCd (http://ngircd.barton.de/) irc server. 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
6 | # 7 | --- 8 | - name: install ngircd package 9 | dnf: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - ngircd 13 | 14 | - name: default ngircd configuration file 15 | template: src=files/ngircd.j2 16 | dest=/etc/ngircd.conf 17 | owner=root 18 | group=root 19 | mode=0644 20 | 21 | - name: configure firewall, allow traffic to port 6667 22 | firewalld: port=6667/tcp 23 | permanent=true 24 | state=enabled 25 | 26 | - name: start ngircd 27 | service: name=ngircd 28 | state=running 29 | enabled=yes 30 | -------------------------------------------------------------------------------- /tasks/misc-servers/ntp.yml: -------------------------------------------------------------------------------- 1 | # This playbook install an ntp server. 2 | # 3 | # Copyright (c) 2013-2018 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: install ntp package 9 | dnf: 10 | name: "{{ item }}" 11 | state: present 12 | with_items: 13 | - ntp 14 | 15 | - name: copy configuration ntp file 16 | template: 17 | src: files/ntp-conf.j2 18 | dest: /etc/ntp.conf 19 | owner: root 20 | group: root 21 | mode: 0644 22 | 23 | - name: configure firewall, allow traffic to port 123 24 | firewalld: 25 | port: 123/udp 26 | permanent: true 27 | state: enabled 28 | 29 | - name: start ntpd 30 | service: 31 | name: ntpd 32 | state: running 33 | enabled: yes 34 | 35 | -------------------------------------------------------------------------------- /tasks/misc-servers/openssh.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the openssh server (http://www.openssh.org/). 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
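#
---
- name: install openssh package
  dnf: pkg={{ item }}
       state=present
  with_items:
    - openssh-server
    - xorg-x11-xauth

# Keys are collected in one directory instead of per-user ~/.ssh files;
# the sshd_config template below presumably points AuthorizedKeysFile at
# it — confirm in the template.
- name: create key directory
  file: path=/etc/ssh/authorized_keys
        state=directory
        owner=root
        group=root
        mode=0755

# sshusers is the list of local key files to upload. Bare variable names in
# with_items are deprecated, so the list is referenced as a Jinja2 expression;
# the mode is written as 0644 like every other file mode in these playbooks.
- name: upload user key
  copy: src={{ item }}
        dest=/etc/ssh/authorized_keys/
        owner=root
        group=root
        mode=0644
  with_items: "{{ sshusers }}"

# Port 222 is opened here, so the sshd_config template is expected to move
# sshd away from 22 (confirm). dropbear.yml also claims port 222; presumably
# the two playbooks are not meant to be applied to the same host.
- name: configure firewall, allow traffic to port 222
  firewalld: port=222/tcp
             permanent=true
             state=enabled

# The template is read from an absolute path outside this repository.
# validate= rejects a broken configuration before it is installed and
# backup= keeps the previous file next to it.
- name: sshd configuration file update
  template: src=/etc/ansible/configs/etc/ssh/sshd_config.j2
            dest=/etc/ssh/sshd_config
            backup=yes
            owner=0 group=0 mode=0644
            validate='/usr/sbin/sshd -T -f %s'
  notify:
    - restart sshd

# NOTE(review): this is an ordinary task, not a handler, so sshd is restarted
# on every run even when the configuration did not change; the notify above
# already covers the changed case if a 'restart sshd' handler is defined.
- name: restart sshd
  service: name=sshd state=restarted

- name: start openssh
  service: name=sshd
           state=running
           enabled=yes
--------------------------------------------------------------------------------
/tasks/misc-servers/openvpn-static.yml:
--------------------------------------------------------------------------------
# This playbook installs an openvpn server (http://openvpn.net/) with a static
# key.
#
# Copyright (c) 2013-2016 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
---
- name: install openvpn package
  dnf: pkg={{ item }}
       state=present
  with_items:
    - openvpn

- name: load tun device
  modprobe: name=tun state=present

# creates= makes the task idempotent: a re-run must not overwrite the
# pre-shared key that clients may already have downloaded.
- name: generate a static key
  command: /usr/sbin/openvpn --genkey --secret /etc/openvpn/static.key creates=/etc/openvpn/static.key

- name: create the log file
  file: path=/var/log/openvpn.log state=touch

# SELinux context wrong?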
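#- name: create a symlink to the key file
#  file: src=/etc/openvpn/static.key
#        dest=/var/www/lighttpd/static.key
#        owner=root
#        group=root
#        state=link

#- name: set the permission of the key file
#  file: path=/etc/openvpn/static.key
#        state=file
#        mode=0644

# The pre-shared key is deliberately published in the web root next to
# client.conf so that lab clients can fetch both; anyone who can reach the
# webserver can therefore join the tunnel. remote_src=yes copies the file
# that was generated on the managed host (not one from the controller) and
# sets owner and mode in the same idempotent step, replacing the former
# cp + chmod pair.
- name: copy the static key to the webserver directory
  copy: src=/etc/openvpn/static.key
        dest=/var/www/lighttpd/static.key
        remote_src=yes
        owner=root
        group=root
        mode=0644

- name: copy the server configuration file
  template: src=files/openvpn/server-static.j2
            dest=/etc/openvpn/server.conf
            mode=0644

# Served by lighttpd together with static.key (see above).
- name: copy the client configuration file
  template: src=files/openvpn/client-static.j2
            dest=/var/www/lighttpd/client.conf
            mode=0644

- name: start openvpn server
  service: name=openvpn@server
           state=running
           enabled=yes

# Both transports are opened; which one is actually used depends on the
# proto setting in server-static.j2.
- name: configure firewall, allow tcp traffic to port 1194
  firewalld: port=1194/tcp
             permanent=true
             state=enabled

- name: configure firewall, allow udp traffic to port 1194
  firewalld: port=1194/udp
             permanent=true
             state=enabled
--------------------------------------------------------------------------------
/tasks/misc-servers/prosody.yml:
--------------------------------------------------------------------------------
# This playbook installs the prosody (http://prosody.im) xmpp server.
#
# Copyright (c) 2013-20164 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.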
6 | # 7 | --- 8 | - name: install prosody package 9 | dnf: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - prosody 13 | 14 | - name: default prosody configuration file 15 | template: src=files/prosody-config.j2 16 | dest=/etc/prosody/prosody.cfg.lua 17 | owner=root 18 | group=root 19 | mode=0644 20 | 21 | - name: download additional prosody modules 22 | get_url: url=http://prosody.im/files/{{ item }}.lua 23 | dest=/usr/lib64/prosody/modules/{{ item }}.lua 24 | mode=0775 25 | with_items: 26 | - mod_listusers 27 | 28 | #- name: download additional prosody modules 29 | # get_url: url=http://prosody-modules.googlecode.com/hg/{{ item }}/{{ item }}.lua 30 | # dest=/usr/lib64/prosody/modules/{{ item }}.lua 31 | # mode=0775 32 | # with_items: 33 | # - mod_broadcast 34 | # - mod_block_registrations 35 | 36 | #- name: add xmpp users 37 | # command: /usr/bin/prosodyctl register {{ item }}@10.0.0.65 mypassword 38 | # with_items: 39 | # - admin 40 | # - bob 41 | # - alice 42 | # - testbench 43 | 44 | - name: configure firewall, allow traffic to different ports 45 | firewalld: port={{ item }}/tcp 46 | permanent=true 47 | state=enabled 48 | with_items: 49 | - 5222 50 | - 5269 51 | - 5582 52 | 53 | - name: start prosody 54 | service: name=prosody 55 | state=running 56 | enabled=yes 57 | -------------------------------------------------------------------------------- /tasks/misc-servers/snmp.yml: -------------------------------------------------------------------------------- 1 | # This playbook install an snmp server. 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
6 | # 7 | --- 8 | - name: install snmp package 9 | dnf: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - net-snmp 13 | - net-snmp-utils 14 | 15 | - name: configure firewall, allow traffic to port 161 16 | firewalld: port=161/udp 17 | permanent=true 18 | state=enabled 19 | 20 | - name: start snmpd 21 | service: name=snmpd 22 | state=running 23 | enabled=yes 24 | -------------------------------------------------------------------------------- /tasks/misc-servers/telnet.yml: -------------------------------------------------------------------------------- 1 | # This playbook install a telnet server. 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: install telnet package 9 | dnf: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - telnet-server 13 | 14 | - name: configure firewall, allow telnet traffic 15 | firewalld: service=telnet 16 | permanent=true 17 | state=enabled 18 | 19 | - name: start and enable the telnet service 20 | service: name=telnet.socket 21 | state=running 22 | enabled=yes 23 | -------------------------------------------------------------------------------- /tasks/misc-servers/tftp.yml: -------------------------------------------------------------------------------- 1 | # This playbook install a tftp server. 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
6 | # 7 | --- 8 | - name: install tftp package 9 | dnf: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - tftp-server 13 | 14 | - name: enable tftp in xinetd 15 | command: /usr/bin/sed -i 's|\sdisable\s\{3,\}= yes|\tdisable \t\t= no|g' /etc/xinetd.d/tftp 16 | 17 | - name: configure firewall, allow tftp traffic 18 | firewalld: service=tftp 19 | permanent=true 20 | state=enabled 21 | 22 | - name: start and enable xinetd service 23 | service: name=xinetd 24 | state=running 25 | enabled=yes 26 | 27 | - name: put a dummy file in tftp folder 28 | template: src=files/default.j2 29 | dest=/var/lib/tftpboot/info.txt 30 | mode=0644 31 | -------------------------------------------------------------------------------- /tasks/misc-servers/xrdp.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the xrdp (http://www.xrdp.org/) RDP server. 2 | # 3 | # Copyright (c) 2013-2016 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: install xrdp package 9 | dnf: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - xrdp 13 | 14 | - name: configure firewall, allow traffic to 3389 15 | firewalld: port=3389/tcp 16 | permanent=true 17 | state=enabled 18 | 19 | - name: start xrdp 20 | service: name=xrdp 21 | state=running 22 | enabled=yes 23 | -------------------------------------------------------------------------------- /tasks/motd.yml: -------------------------------------------------------------------------------- 1 | # This playbook customizes the motd file of Fedora Security Test bench hosts. 2 | # 3 | # Copyright (c) 2013-2019 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
6 | # 7 | --- 8 | - name: put a default motd file in place 9 | template: 10 | src: files/motd.j2 11 | dest: /etc/motd 12 | owner: root 13 | group: root 14 | mode: 0644 15 | 16 | -------------------------------------------------------------------------------- /tasks/preparation.yml: -------------------------------------------------------------------------------- 1 | # This playbook checks if all needed components are available for the setup. 2 | # First task is the update of all packages. 3 | # 4 | # Copyright (c) 2013-2019 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: update all packages 10 | command: /usr/bin/dnf -y update 11 | 12 | - name: install additional packages 13 | dnf: 14 | name: "{{ item }}" 15 | state: present 16 | with_items: 17 | - unzip 18 | - tar 19 | - git 20 | -------------------------------------------------------------------------------- /tasks/shells/ajaxshell.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the AJAX/PHP Command Shell 2 | # (http://sourceforge.net/projects/ajaxshell/). 3 | # 4 | # Copyright (c) 2013-2014 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 
7 | # 8 | --- 9 | - name: create the directory 10 | file: path=/var/www/lighttpd/ajaxshell 11 | state=directory 12 | 13 | - name: download the source tarball 14 | get_url: url=http://downloads.sourceforge.net/project/ajaxshell/ajaxshell/AJAX_PHP%20Command%20Shell%20v0.7/shell_v0_7_prefinal_.zip 15 | dest=/var/www/lighttpd/shell_v0_7_prefinal_.zip 16 | mode=0440 17 | 18 | - name: unpack the archive 19 | command: /usr/bin/unzip -o /var/www/lighttpd/shell_v0_7_prefinal_.zip -d /var/www/lighttpd/ajaxshell 20 | 21 | - name: delete the archive 22 | file: path=/var/www/lighttpd/shell_v0_7_prefinal_.zip 23 | state=absent 24 | 25 | - name: rename the php file 26 | command: /usr/bin/mv /var/www/lighttpd/ajaxshell/Shell_v0_7.php /var/www/lighttpd/ajaxshell/ajax-shell.php 27 | 28 | - name: remove unneeded files 29 | file: path=/var/www/lighttpd/ajaxshell/{{ item }} 30 | state=absent 31 | with_items: 32 | - README.txt 33 | - CHANGELOG.txt 34 | 35 | - name: add a new entry to the index.html page 36 | lineinfile: dest=/var/www/lighttpd/index.html 37 | regexp='^' 38 | insertafter=' ' 39 | line=' Ajax Shell
' 40 | -------------------------------------------------------------------------------- /tasks/shells/ani-shell.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the ani-shell (http://sourceforge.net/projects/ani-shell). 2 | # 3 | # Copyright (c) 2013-2014 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: create the directory 9 | file: path=/var/www/lighttpd/ani-shell 10 | state=directory 11 | 12 | - name: download the source tarball 13 | get_url: url=http://downloads.sourceforge.net/project/ani-shell/Ani-Shell%20v{{ ani_version }}/Ani-Shell%20v{{ ani_version }}.zip 14 | dest=/var/www/lighttpd/ani-shell-{{ ani_version }}.zip 15 | mode=0440 16 | 17 | - name: unpack the archive 18 | command: /usr/bin/unzip -o /var/www/lighttpd/ani-shell-{{ ani_version }}.zip -d /var/www/lighttpd/ani-shell 19 | 20 | - name: delete the archive 21 | file: path=/var/www/lighttpd/ani-shell-{{ ani_version }}.zip 22 | state=absent 23 | 24 | - name: remove unneeded files 25 | file: path=/var/www/lighttpd/ani-shell/{{ item }} 26 | state=absent 27 | with_items: 28 | - README.txt 29 | - __MACOSX 30 | 31 | - name: no login 32 | command: /usr/bin/sed -i 's|$lock = "on";|$lock = "off";|g' /var/www/lighttpd/ani-shell/Ani-Shell.php 33 | 34 | - name: add a new entry to the index.html page 35 | lineinfile: dest=/var/www/lighttpd/index.html 36 | regexp='^' 37 | insertafter=' ' 38 | line=' Ani-Shell
' 39 | -------------------------------------------------------------------------------- /tasks/shells/b374k.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the b374k shell (http://code.google.com/p/b374k-shell/). 2 | # 3 | # Copyright (c) 2013-2014 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: create the directory 9 | file: path=/var/www/lighttpd/b374k 10 | state=directory 11 | 12 | - name: download the source 13 | get_url: url=https://raw.github.com/b374k/b374k/master/b374k.php 14 | dest=/var/www/lighttpd/b374k/b374k.php 15 | mode=0777 16 | 17 | - name: add a new entry to the index.html page 18 | lineinfile: dest=/var/www/lighttpd/index.html 19 | regexp='^' 20 | insertafter=' ' 21 | line=' b374k
' 22 | -------------------------------------------------------------------------------- /tasks/shells/dnashell.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the DNA Shell (http://sourceforge.net/projects/dna-shell). 2 | # 3 | # Copyright (c) 2013 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: create the directory 9 | file: path=/var/www/lighttpd/dnashell 10 | state=directory 11 | 12 | - name: download the source 13 | get_url: url=http://downloads.sourceforge.net/project/dna-shell/dnashell.php 14 | dest=/var/www/lighttpd/dnashell/dnashell.php 15 | mode=0775 16 | 17 | - name: add a new entry to the index.html page 18 | lineinfile: dest=/var/www/lighttpd/index.html 19 | regexp='^' 20 | insertafter=' ' 21 | line=' DNA Shell
' 22 | -------------------------------------------------------------------------------- /tasks/shells/escobar.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the Esc0b4r PHP shell 2 | # (http://sourceforge.net/projects/esc0b4rshell/). 3 | # 4 | # Copyright (c) 2013 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: create the directory 10 | file: path=/var/www/lighttpd/escobar 11 | state=directory 12 | 13 | - name: download the source 14 | get_url: url=http://downloads.sourceforge.net/project/esc0b4rshell/esc0b4r.php 15 | dest=/var/www/lighttpd/escobar/esc0b4r.php 16 | mode=0775 17 | 18 | - name: add a new entry to the index.html page 19 | lineinfile: dest=/var/www/lighttpd/index.html 20 | regexp='^' 21 | insertafter=' ' 22 | line=' Esc0b4r
' 23 | -------------------------------------------------------------------------------- /tasks/shells/php-reverse-shell.yml: -------------------------------------------------------------------------------- 1 | # This playbook install php-reverse-shell 2 | # (http://pentestmonkey.net/tools/web-shells/php-reverse-shell). 3 | # 4 | # Copyright (c) 2013-2014 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 7 | # 8 | --- 9 | - name: download the source tarball 10 | get_url: url=http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-{{ prs_version }}.tar.gz 11 | dest=/var/www/lighttpd/php-reverse-shell-{{ prs_version }}.tar.gz 12 | mode=0440 13 | 14 | - name: unpack the source tarball 15 | command: /usr/bin/tar -xzf /var/www/lighttpd/php-reverse-shell-{{ prs_version }}.tar.gz -C /var/www/lighttpd/ 16 | 17 | - name: rename the source directory 18 | command: /usr/bin/mv /var/www/lighttpd/php-reverse-shell-{{ prs_version }} /var/www/lighttpd/php-reverse-shell 19 | 20 | - name: delete the archive 21 | file: path=/var/www/lighttpd/php-reverse-shell-{{ prs_version }}.tar.gz 22 | state=absent 23 | 24 | - name: remove unneeded files 25 | file: path=/var/www/lighttpd/php-reverse-shell/{{ item }} 26 | state=absent 27 | with_items: 28 | - CHANGELOG 29 | - COPYING.GPL 30 | - COPYING.PHP-REVERSE-SHELL 31 | 32 | - name: add a new entry to the index.html page 33 | lineinfile: dest=/var/www/lighttpd/index.html 34 | regexp='^' 35 | insertafter=' ' 36 | line=' PHP Reverse Shell
' 37 | -------------------------------------------------------------------------------- /tasks/shells/phpshell.yml: -------------------------------------------------------------------------------- 1 | # This playbook install phpshell (http://phpshell.sourceforge.net/). 2 | # 3 | # Copyright (c) 2013-2014 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: download the source tarball 9 | get_url: url=http://prdownloads.sourceforge.net/phpshell/phpshell-{{ phpshell_version }}.tar.gz 10 | dest=/var/www/lighttpd/phpshell-{{ phpshell_version }}.tar.gz 11 | mode=0440 12 | 13 | - name: unpack the source tarball 14 | command: /usr/bin/tar -xzf /var/www/lighttpd/phpshell-{{ phpshell_version }}.tar.gz -C /var/www/lighttpd/ 15 | 16 | - name: rename the source directory 17 | command: /usr/bin/mv /var/www/lighttpd/phpshell-{{ phpshell_version }} /var/www/lighttpd/phpshell 18 | 19 | - name: delete the archive 20 | file: path=/var/www/lighttpd/phpshell-{{ phpshell_version }}.tar.gz 21 | state=absent 22 | 23 | - name: set the permissions 24 | file: path=/usr/share/webapps/ 25 | mode=0777 26 | state=directory 27 | 28 | - name: add a new entry to the index.html page 29 | lineinfile: dest=/var/www/lighttpd/index.html 30 | regexp='^' 31 | insertafter=' ' 32 | line=' PHPShell
' 33 | -------------------------------------------------------------------------------- /tasks/shells/wso.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the wso shell (https://github.com/orbweb/PHP-SHELL-WSO). 2 | # 3 | # Copyright (c) 2013 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 6 | # 7 | --- 8 | - name: create the directory 9 | file: path=/var/www/lighttpd/wso 10 | state=directory 11 | 12 | - name: download the source 13 | get_url: url=https://github.com/downloads/orbweb/PHP-SHELL-WSO/wso2.5.1.php 14 | dest=/var/www/lighttpd/wso/wso.php 15 | mode=0777 16 | 17 | - name: add a new entry to the index.html page 18 | lineinfile: dest=/var/www/lighttpd/index.html 19 | regexp='^' 20 | insertafter=' ' 21 | line=' WSO
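'
--------------------------------------------------------------------------------
/tasks/users.yml:
--------------------------------------------------------------------------------
# This playbook adds some users to the Test bench.
#
# Copyright (c) 2013-2018 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
---
# The user module expects an already-hashed password. A plain string is
# written into /etc/shadow verbatim, so the account could not be used with
# the intended "<name>_password" credential; it is hashed here instead.
# update_password=on_create keeps the task idempotent, because the filter
# generates a fresh salt on every run.
- name: add user default users
  user:
    name: "{{ item }}"
    password: "{{ (item + '_password') | password_hash('sha512') }}"
    update_password: on_create
    comment: 'Test bench user "{{ item }}"'
    group: users
    createhome: yes
    generate_ssh_key: yes
    ssh_key_bits: 2048
  with_items:
    - bob
    - alice

# NOTE(review): tb_password must already be a crypt(3) hash for the same
# reason; confirm where the variable is defined.
- name: add user 'tb'
  user:
    name: tb
    comment: 'Test bench user'
    password: "{{ tb_password }}"
    group: users
    createhome: yes

# Account without a home directory or interactive shell.
- name: add user 'testbench'
  user:
    name: testbench
    comment: 'Test bench user'
    group: users
    createhome: no
    shell: /sbin/nologin

--------------------------------------------------------------------------------
/tasks/virt-install.yml:
--------------------------------------------------------------------------------
# This playbook installs a virtual machine for libvirt.
#
# Copyright (c) 2013-2018 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.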
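#
---
- name: install needed packages
  dnf:
    pkg: "{{ item }}"
    state: present
  with_items:
    - virt-install
    - libvirt-client
    - bash

- name: make sure that libvirtd is running
  service:
    name: libvirtd
    state: running

# Both files are rendered world-readable into /tmp and only removed by the
# last task of this playbook, so any local user can read them in the
# meantime — TODO confirm whether fedora-mini.j2 carries credentials.
- name: create the kickstart file
  template:
    src: files/kickstart/fedora-mini.j2
    dest: /tmp/fsl-testbench.ks
    mode: 0644

- name: create the virt-install file
  template:
    src: files/fsl-virt-install.j2
    dest: /tmp/fsl-virt-install
    mode: 0755

- name: run customized fsl-virt-install
  command: /usr/bin/bash /tmp/fsl-virt-install

- name: wait till the virtual machine is ready
  pause:
    minutes: "{{ wait_time }}"

# The quotes belong around the whole scalar. Written as /tmp/"{{ item }}"
# they were part of the plain scalar, so the path contained literal quote
# characters and the temp files were never removed.
- name: delete temp files
  file:
    path: "/tmp/{{ item }}"
    state: absent
  with_items:
    - fsl-testbench.ks
    - fsl-virt-install
--------------------------------------------------------------------------------
/tasks/web-interface-vpn-static.yml:
--------------------------------------------------------------------------------
# This playbook installs the default html file (incl. bootstrap) for an openvpn
# server with a static key.
#
# Copyright (c) 2013-2019 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.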
7 | # 8 | --- 9 | - name: download the bootstrap zip archive 10 | get_url: 11 | url: http://twitter.github.com/bootstrap/assets/bootstrap.zip 12 | dest: /var/www/lighttpd/bootstrap.zip 13 | mode: 0440 14 | 15 | - name: unpack the bootstrap archive 16 | command: /usr/bin/unzip -o /var/www/lighttpd/bootstrap.zip -d /var/www/lighttpd/ 17 | 18 | - name: delete the bootstrap archive 19 | file: 20 | path: /var/www/lighttpd/bootstrap.zip 21 | state: absent 22 | 23 | - name: download the jquery library 24 | get_url: 25 | url: http://code.jquery.com/jquery-{{ jquery_version }}.min.js 26 | dest: /var/www/lighttpd/bootstrap/js/jquery.min.js 27 | mode: 0775 28 | 29 | - name: install the fsl test bench vpn index.html file 30 | template: 31 | src: files/web-interface/openvpn-static-index.j2 32 | dest: /var/www/lighttpd/index.php 33 | owner: root 34 | group: root 35 | mode: 0644 36 | 37 | - name: copy the fsl banner 38 | copy: 39 | src: ./files/web-interface/Spins-banner_security.png 40 | dest: /var/www/lighttpd/Spins-banner_security.png 41 | owner: root 42 | group: root 43 | mode: 0644 44 | -------------------------------------------------------------------------------- /tasks/web-interface.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the default web interface (HTML files incl. bootstrap). 2 | # 3 | # Copyright (c) 2013-2019 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
6 | # 7 | --- 8 | - name: download the bootstrap zip archive 9 | get_url: 10 | url: https://github.com/twbs/bootstrap/releases/download/v{{ bootstrap_version }}/bootstrap-{{ bootstrap_version }}-dist.zip 11 | dest: /var/www/lighttpd/bootstrap.zip 12 | mode: 0644 13 | 14 | - name: unpack the bootstrap archive 15 | command: /usr/bin/unzip -o /var/www/lighttpd/bootstrap.zip -d /var/www/lighttpd/ 16 | 17 | - name: rename the created folder 18 | command: /usr/bin/mv /var/www/lighttpd/bootstrap-{{ bootstrap_version }}-dist /var/www/lighttpd/bootstrap 19 | 20 | - name: delete the bootstrap archive 21 | file: 22 | path: /var/www/lighttpd/bootstrap.zip 23 | state: absent 24 | 25 | - name: download the jquery library 26 | get_url: 27 | url: http://code.jquery.com/jquery-{{ jquery_version }}.min.js 28 | dest: /var/www/lighttpd/bootstrap/js/jquery.min.js 29 | mode: 0775 30 | 31 | - name: install the fsl test bench index.html file 32 | template: 33 | src: files/web-interface/index.j2 34 | dest: /var/www/lighttpd/index.html 35 | owner: root 36 | group: root 37 | mode: 0644 38 | 39 | - name: install the fsl test bench about.html file 40 | template: 41 | src: files/web-interface/about.j2 42 | dest: /var/www/lighttpd/about.html 43 | owner: root 44 | group: root 45 | mode: 0644 46 | 47 | - name: install the fsl test bench contact.html file 48 | template: 49 | src: files/web-interface/contact.j2 50 | dest: /var/www/lighttpd/contact.html 51 | owner: root 52 | group: root 53 | mode: 0644 54 | 55 | - name: copy the fsl banner 56 | copy: 57 | src: files/web-interface/banner.png 58 | dest: /var/www/lighttpd/banner.png 59 | owner: root 60 | group: root 61 | mode: 0644 62 | 63 | -------------------------------------------------------------------------------- /tasks/web-servers/apache.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the apache webserver (http://httpd.apache.org/). 
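#
# Copyright (c) 2013-2019 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
---
- name: install apache package
  dnf:
    name: "{{ item }}"
    state: present
  with_items:
    - httpd
    - policycoreutils-python

# The stock 'Listen 80' line is replaced, so httpd answers only on 8800 and
# only on the eth0 address. Variables are expanded with {{ }}; the old
# ${var} / $var spelling is no longer interpolated and would end up in
# httpd.conf literally.
- name: run apache on 8800
  lineinfile:
    dest: /etc/httpd/conf/httpd.conf
    regexp: '^Listen 80'
    insertafter: '^Listen 80'
    line: 'Listen {{ ansible_eth0.ipv4.address }}:8800'
    state: present

- name: set server name
  lineinfile:
    dest: /etc/httpd/conf/httpd.conf
    regexp: '^ServerName www.example.com:80'
    insertafter: '^#ServerName www.example.com:80'
    line: 'ServerName {{ ansible_hostname }}:8800'
    state: present

# Label the non-standard port so SELinux lets httpd bind to it. The seport
# module is idempotent, whereas 'semanage port -a' fails once the mapping
# already exists.
- name: set selinux
  seport:
    ports: 8800
    proto: tcp
    setype: http_port_t
    state: present

- name: start apache
  service:
    name: httpd
    state: running
    enabled: yes

- name: configure firewall, allow traffic to port 8800
  firewalld:
    port: 8800/tcp
    permanent: true
    state: enabled

# Same placeholder page and template path as darkhttpd.yml and mongoose.yml
# use; the former files/website/ path does not match those playbooks.
- name: install a default index.html file
  template:
    src: files/web-interface/default.j2
    dest: /var/www/html/index.html
    owner: root
    group: root
    mode: 0644

--------------------------------------------------------------------------------
/tasks/web-servers/cherokee.yml:
--------------------------------------------------------------------------------
# This playbook installs the cherokee webserver (http://cherokee-project.com/).
#
# Copyright (c) 2013-2016 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.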
6 | # 7 | --- 8 | - name: install cherokee package 9 | dnf: pkg={{ item }} 10 | state=present 11 | with_items: 12 | - cherokee 13 | 14 | - name: run cherokee on 8008 15 | lineinfile: dest=/etc/cherokee/cherokee.conf 16 | regexp='^server!bind!1!port = 80' 17 | insertafter='^server!bind!1!port = 80' 18 | line='server!bind!1!port = 8008' 19 | state=present 20 | 21 | - name: start cherokee 22 | service: name=cherokee 23 | state=running 24 | enabled=yes 25 | 26 | - name: configure firewall, allow traffic to port 8008 27 | firewalld: port=8008/tcp 28 | permanent=true 29 | state=enabled 30 | 31 | - name: remove cherokee default file 32 | file: path=/var/www/cherokee/{{ item }} 33 | state=absent 34 | with_items: 35 | - index.html 36 | - images 37 | 38 | - name: install a default index.html file 39 | template: src=files/website/default.j2 40 | dest=/var/www/cherokee/index.html 41 | owner=root 42 | group=root 43 | mode=0644 44 | -------------------------------------------------------------------------------- /tasks/web-servers/darkhttpd.yml: -------------------------------------------------------------------------------- 1 | # This playbook install the darkhttpd (http://unix4lyfe.org/darkhttpd/) web 2 | # server. 3 | # 4 | # Copyright (c) 2013-2020 Fabian Affolter 5 | # 6 | # Licensed under CC BY 3.0. All rights reserved. 
7 | # 8 | --- 9 | - name: install darkhttpd package 10 | dnf: 11 | pkg: "{{ item }}" 12 | state: present 13 | with_items: 14 | - darkhttpd 15 | 16 | - name: create a directory for darkhttpd 17 | file: 18 | path: /var/www/darkhttpd 19 | mode: 0755 20 | state: directory 21 | 22 | - name: enable darkhttpd options 23 | template: 24 | src: files/darkhttpd-config.j2 25 | dest: /etc/sysconfig/darkhttpd 26 | owner: root 27 | group: root 28 | mode: 0644 29 | 30 | - name: start darkhttpd 31 | service: 32 | name: darkhttpd 33 | state: started 34 | enabled: yes 35 | 36 | - name: configure firewall, allow traffic to port 8887 37 | firewalld: 38 | port: 8887/tcp 39 | permanent: true 40 | state: enabled 41 | 42 | - name: install a default index.html file 43 | template: 44 | src: files/web-interface/default.j2 45 | dest: /var/www/darkhttpd/index.html 46 | owner: root 47 | group: root 48 | mode: 0644 49 | -------------------------------------------------------------------------------- /tasks/web-servers/droopy.yml: -------------------------------------------------------------------------------- 1 | # This playbook install droopy webserver (https://github.com/stackp/Droopy). 2 | # 3 | # Copyright (c) 2013-2019 Fabian Affolter 4 | # 5 | # Licensed under CC BY 3.0. All rights reserved. 
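#
---
- name: create the droopy directory
  file:
    path: /var/www/droopy
    mode: 0755
    state: directory

- name: create the uploads directory
  file:
    path: /var/www/droopy/uploads
    mode: 0755
    state: directory

# Unpinned download from the master branch without a checksum, so each run
# may fetch a different script. The mode is 0755 instead of 0777: the file
# is started by the systemd unit installed below, and a world-writable
# executable could be replaced by any local user and would then run with the
# service's privileges.
- name: download the source
  get_url:
    url: https://raw.githubusercontent.com/stackp/Droopy/master/droopy
    dest: /var/www/droopy/droopy
    mode: 0755

# A stray '=' in front of the mode (left over from the key=value syntax)
# made the value invalid; the same applied to the firewalld state below.
- name: copy configuration file
  template:
    src: files/droopy-config.j2
    dest: /root/.droopy
    owner: root
    group: root
    mode: 0644

- name: configure firewall, allow traffic to port 8000
  firewalld:
    port: 8000/tcp
    permanent: true
    state: enabled

- name: copy systemd service file
  template:
    src: files/droopy-service.j2
    dest: /lib/systemd/system/droopy.service
    owner: root
    group: root
    mode: 0644

- name: reload systemd
  command: /usr/bin/systemctl --system daemon-reload

- name: start droopy
  service:
    name: droopy
    state: running
    enabled: yes
--------------------------------------------------------------------------------
/tasks/web-servers/flask.yml:
--------------------------------------------------------------------------------
# This playbook installs a flask (http://flask.pocoo.org/) server.
#
# Copyright (c) 2014-2020 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.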
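#
---
- name: install flask package
  # Fedora ships Flask as python3-flask; the old python-flask name does not
  # resolve on the releases listed in variables/application-versions.yml.
  dnf:
    name: python3-flask
    state: present

- name: create the directory
  file:
    path: /var/www/flask
    owner: root
    group: root
    mode: 0755
    state: directory

- name: copy the python script to the test bench
  # Executable for the service, writable only by root.
  copy:
    src: files/flask-webserver.py
    dest: /var/www/flask/flask-webserver.py
    owner: root
    group: root
    mode: 0755

- name: configure firewall, allow traffic to port 8880
  # NOTE(review): tasks/web-servers/pywebserve.yml opens the same port and
  # both task files are included by webservers.yml. If both services bind
  # 8880 only the first one to start will listen; check the ports in
  # files/flask-service.j2 and files/pywebserve-service.j2.
  firewalld:
    port: 8880/tcp
    permanent: true
    immediate: true
    state: enabled

- name: copy systemd service file
  template:
    src: files/flask-service.j2
    dest: /lib/systemd/system/flask.service
    owner: root
    group: root
    mode: 0644

- name: reload systemd
  systemd:
    daemon_reload: yes

- name: start flask webserver
  service:
    name: flask
    state: started
    enabled: yes
-------------------------------------------------------------------------------- /tasks/web-servers/mongoose.yml: --------------------------------------------------------------------------------
# This playbook installs the mongoose (https://github.com/cesanta/mongoose/)
# web server.
#
# Copyright (c) 2013-2020 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.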
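#
---
- name: install mongoose package
  dnf:
    name: mongoose
    state: present

- name: create the document root for mongoose
  file:
    path: /var/www/mongoose
    owner: root
    group: root
    mode: 0755
    state: directory

- name: copy mongoose systemd service file
  template:
    src: files/mongoose-service.j2
    dest: /lib/systemd/system/mongoose.service
    owner: root
    group: root
    mode: 0644

- name: reload systemd
  systemd:
    daemon_reload: yes

- name: start mongoose
  service:
    name: mongoose
    state: started
    enabled: yes

- name: configure firewall, allow traffic to port 8889
  # "immediate" applies the rule to the running firewall; "permanent" alone
  # only takes effect after a firewalld reload.
  firewalld:
    port: 8889/tcp
    permanent: true
    immediate: true
    state: enabled

- name: install a default index.html file
  template:
    src: files/web-interface/default.j2
    dest: /var/www/mongoose/index.html
    owner: root
    group: root
    mode: 0644
-------------------------------------------------------------------------------- /tasks/web-servers/nginx.yml: --------------------------------------------------------------------------------
# This playbook installs the nginx web server (http://nginx.org).
#
# Copyright (c) 2013-2016 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.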
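#
---
- name: install nginx package
  dnf:
    name: nginx
    state: present

#- name: run nginx on 8088
#  lineinfile:
#    dest: /etc/nginx/nginx.conf
#    regexp: '^ listen 80;'
#    insertafter: '^ listen 80;'
#    line: ' listen 8088;'
#    state: present

- name: create the self-signed certificate
  # "creates" makes the task idempotent: without it every play generated a
  # fresh key pair and silently rotated the TLS identity of the test bench.
  # The subject attribute for the e-mail address is "emailAddress".
  # Self-signed and valid for ten years is acceptable for a lab only.
  command: >
    /usr/bin/openssl req -new -x509 -nodes -days 3650
    -subj "/C={{ cert_country }}/ST={{ cert_province }}/L={{ cert_city }}/O={{ cert_org }}/CN={{ cert_cn }}/emailAddress={{ cert_email }}"
    -keyout /etc/nginx/cert.key -out /etc/nginx/cert.pem
  args:
    creates: /etc/nginx/cert.pem

- name: create signing request
  # "-days" has no meaning for a CSR and was dropped.
  command: >
    /usr/bin/openssl req -new -nodes
    -subj "/C={{ cert_country }}/ST={{ cert_province }}/L={{ cert_city }}/O={{ cert_org }}/CN={{ cert_cn }}/emailAddress={{ cert_email }}"
    -keyout /etc/nginx/tb.key -out /etc/nginx/tb.csr
  args:
    creates: /etc/nginx/tb.csr

- name: restrict access to the private keys
  # openssl writes the key files with the caller's umask; nginx reads them
  # as root at startup, so nobody else needs read access.
  file:
    path: "{{ item }}"
    owner: root
    group: root
    mode: 0600
  with_items:
    - /etc/nginx/cert.key
    - /etc/nginx/tb.key

- name: copy configuration file
  # NOTE(review): whether nginx-conf.j2 actually serves TLS on 443 with
  # cert.pem/cert.key is not visible here; the firewall rule below assumes
  # it does.
  template:
    src: files/nginx-conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: 0644

- name: configure firewall, allow traffic to port 8088
  firewalld:
    port: 8088/tcp
    permanent: true
    immediate: true
    state: enabled

- name: configure firewall, allow traffic to port 443
  firewalld:
    port: 443/tcp
    permanent: true
    immediate: true
    state: enabled

#- name: remove nginx default file
#  file:
#    path: /usr/share/nginx/html/{{ item }}
#    state: absent
#  with_items:
#    - index.html
#    - nginx-logo.png
#    - poweredby.png
#    - 404.html
#    - 50x.html

- name: install a default index.html file
  template:
    src: files/web-interface/default.j2
    dest: /usr/share/nginx/html/index.html
    owner: root
    group: root
    mode: 0644
-------------------------------------------------------------------------------- /tasks/web-servers/nodejs.yml: --------------------------------------------------------------------------------
# This playbook installs the node.js http-server (http://nodejs.org/).
#
# Copyright (c) 2013-2020 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
---
- name: install node.js and related packages
  dnf:
    name:
      - nodejs
      - npm
    state: present

- name: install additional items
  # Supply-chain note: an unpinned global npm install puts whatever version
  # the registry serves at run time on the test bench. "creates" stops the
  # task from re-running (and re-downloading) on every play; pin a version
  # (http-server@x.y.z) once a vetted one is known. Adjust the path if
  # npm's global prefix on the target is not /usr/local.
  command: /usr/bin/npm install {{ item }} -g
  args:
    creates: /usr/local/bin/{{ item }}
  with_items:
    - http-server

- name: create the document root for nodejs
  file:
    path: /var/www/nodejs
    owner: root
    group: root
    mode: 0755
    state: directory

- name: copy nodejs systemd service file
  template:
    src: files/nodejs-http-service.j2
    dest: /lib/systemd/system/nodejs-http.service
    owner: root
    group: root
    mode: 0644

- name: reload systemd
  systemd:
    daemon_reload: yes

- name: start nodejs-http
  service:
    name: nodejs-http
    state: started
    enabled: yes

- name: configure firewall, allow traffic to port 8888
  firewalld:
    port: 8888/tcp
    permanent: true
    immediate: true
    state: enabled

- name: install a default index.html file
  template:
    src: files/web-interface/default.j2
    dest: /var/www/nodejs/index.html
    owner: root
    group: root
    mode: 0644
-------------------------------------------------------------------------------- /tasks/web-servers/pywebserve.yml: --------------------------------------------------------------------------------
# This playbook installs the simple web server 'pywebserve'.
#
# Copyright (c) 2013-2016 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.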
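#
---
- name: create the directory
  file:
    path: /var/www/pywebserve
    owner: root
    group: root
    mode: 0755
    state: directory

- name: copy the pywebserve python script to the test bench
  # Executable for the service, writable only by root.
  copy:
    src: files/pywebserve.py
    dest: /var/www/pywebserve/pywebserve.py
    owner: root
    group: root
    mode: 0755

- name: configure firewall, allow traffic to port 8880
  # NOTE(review): tasks/web-servers/flask.yml opens the same port and both
  # task files are included by webservers.yml; only one service can bind
  # 8880. Check files/pywebserve-service.j2 and files/flask-service.j2.
  firewalld:
    port: 8880/tcp
    permanent: true
    immediate: true
    state: enabled

- name: copy systemd service file for pywebserve
  template:
    src: files/pywebserve-service.j2
    dest: /lib/systemd/system/pywebserve.service
    owner: root
    group: root
    mode: 0644

- name: reload systemd
  systemd:
    daemon_reload: yes

- name: start pywebserve webserver
  service:
    name: pywebserve
    state: started
    enabled: yes
-------------------------------------------------------------------------------- /tasks/web-servers/tomcat.yml: --------------------------------------------------------------------------------
# This playbook installs an Apache Tomcat 7 web server
# (http://tomcat.apache.org/index.html).
#
# Copyright (c) 2013-2016 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.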
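#
---
- name: install tomcat and related packages
  dnf:
    name:
      - tomcat
      - tomcat-webapps
      - tomcat-admin-webapps
    state: present

- name: setup of users
  # tomcat-users.xml carries the manager/admin credentials rendered from
  # files/tomcat-users.j2. Tomcat reads it as the "tomcat" user, so
  # root:tomcat 0640 is enough; 0644 made the credentials readable by every
  # local account. Note that "backup: yes" keeps timestamped copies of the
  # previous file (and its credentials) next to it.
  template:
    src: files/tomcat-users.j2
    dest: /etc/tomcat/tomcat-users.xml
    owner: root
    group: tomcat
    mode: 0640
    backup: yes

- name: start webserver
  service:
    name: tomcat
    state: started
    enabled: yes

- name: configure firewall, allow traffic to port 8080
  firewalld:
    port: 8080/tcp
    permanent: true
    immediate: true
    state: enabled
-------------------------------------------------------------------------------- /tasks/web-servers/tomcat6.yml: --------------------------------------------------------------------------------
# This playbook installs an Apache Tomcat 6 web server
# (http://tomcat.apache.org/index.html).
#
# NOTE(review): this file is not included by webservers.yml (which uses
# tomcat.yml) and the tomcat6 packages are unlikely to exist on the Fedora
# releases listed in variables/application-versions.yml; kept for reference.
#
# Copyright (c) 2013-2016 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
---
- name: install tomcat and related packages
  dnf:
    name:
      - tomcat6
      - tomcat6-webapps
      - tomcat6-admin-webapps
    state: present

- name: setup of users
  # Same reasoning as in tomcat.yml: the file holds credentials and only
  # the tomcat user needs to read it.
  template:
    src: files/tomcat-users.j2
    dest: /etc/tomcat6/tomcat-users.xml
    owner: root
    group: tomcat
    mode: 0640
    backup: yes

- name: start webserver
  service:
    name: tomcat6
    state: started
    enabled: yes

- name: configure firewall, allow traffic to port 8080
  firewalld:
    port: 8080/tcp
    permanent: true
    immediate: true
    state: enabled
-------------------------------------------------------------------------------- /template.yml: --------------------------------------------------------------------------------
# This playbook is just a template for new playbooks.
#
# Copyright (c) 2013-2024 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.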
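#
# Usage: ansible-playbook template.yml -f 10
#
---
- hosts: fsl-tb
  # "remote_user" is the current keyword; the bare "user" play key is the
  # pre-2.x spelling.
  remote_user: root
  vars_files:
    - variables/application-versions.yml
    # sensitive.yml holds the (deliberately weak) lab credentials; they are
    # committed to the repository and must be treated as public.
    - variables/sensitive.yml

  tasks:
    # Common tasks
    # - import_tasks: tasks/preparation.yml

  handlers:
    # "import_tasks" replaces the removed "include" keyword.
    - import_tasks: handlers/system.yml
    - import_tasks: handlers/services.yml
-------------------------------------------------------------------------------- /variables/application-versions.yml: --------------------------------------------------------------------------------
# This variables file contains the version numbers of the software packages
# which are installed without the package management tool, plus the basic
# release numbers used as helper variables by the playbooks.
#
# Most of the applications below are deliberately old or vulnerable: they are
# targets for the test bench, not software to be deployed anywhere else. Bump
# a version only after checking that the matching task file still works.
#
# Copyright (c) 2013-2024 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
---
# Fedora - http://fedoraproject.org
fedora_previous: 40
fedora_current: 41
fedora_next: 42

# Web interface
################################################################################
# Bootstrap - http://getbootstrap.com/
bootstrap_version: 5.2.0

# jQuery - http://jquery.com
jquery_version: 3.7.1

# Web tools
################################################################################
# linfo - http://linfo.sourceforge.net/
linfo_version: 2.0.3

# phpsysinfo - https://github.com/phpsysinfo/phpsysinfo
phpsysinfo_version: 3.4.2

# phpMyAdmin - http://www.phpmyadmin.net/
phpmyadmin_version: 5.2.1

# phpLDAPadmin - http://phpldapadmin.sourceforge.net
phpldapadmin_version: 1.2.3

# phpLiteAdmin - http://code.google.com/p/phpliteadmin/
# (dashes, not dots: this string is used verbatim in the download file name)
phpliteadmin_version: 1-9-8-2

## Web application
################################################################################
# Damn Vulnerable Web App (DVWA) - http://www.dvwa.co.uk/
dvwa_version: 1.9

# bWAPP - http://sourceforge.net/projects/bwapp/
bwapp_version: 2.2

# kippo - https://github.com/desaster/kippo
kippo_version: 0.9

# Hackademic - https://github.com/Hackademic/hackademic
# (the variable name keeps its historical misspelling; task files reference it)
hackadamemic_version: 0.1.1

# NOWASP (Mutillidae) - https://github.com/webpwnized/mutillidae
mutillidae_version: 2.7.9

## PHP shells
################################################################################
# phpshell - http://phpshell.sourceforge.net/
phpshell_version: 2.4

# ani-shell - http://sourceforge.net/projects/ani-shell/
ani_version: 1.5
-------------------------------------------------------------------------------- /variables/containers.yml: --------------------------------------------------------------------------------
# This variables file contains the parameters for the Linux containers.
#
# Copyright (c) 2013-2021 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
---
# This entry is needed for the libvirt network template.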
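# Each entry is [name, MAC address, IP address]. The same values are repeated
# below as con_name*/con_mac*/con_ip* for the other templates; keep both in
# sync, nothing checks that they agree.
containers: [
  ['web01', '52:52:22:22:22:22', '10.10.1.10'],
  ['web02', '52:52:33:33:33:33', '10.10.1.11']
]

# Common variables
con_bridge: virbr1

# Bridge MAC address
con_br_mac: '52:52:11:11:11:11'

# See libvirt docs for details
con_network: 'network:network1'

# Gateway
con_gw: 10.10.1.1

# Start of the DHCP range
con_range_start: 10.10.1.50

# End of the DHCP range
con_range_end: 10.10.1.60

# Variables for every single container (must match the "containers" list)
con_name1: web01
con_mac1: '52:52:22:22:22:22'
con_ip1: 10.10.1.10

con_name2: web02
con_mac2: '52:52:33:33:33:33'
con_ip2: 10.10.1.11
-------------------------------------------------------------------------------- /variables/local.yml: --------------------------------------------------------------------------------
# This variables file contains the default values for the setup of a local
# virtual machine.
#
# Copyright (c) 2013-2019 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
---
# User settings
language: en_US.UTF-8
keyboard: sg-latin1
timezone: Europe/Zurich

# Name of the virtual machine
virtname: FSL-Test-bench

# Name of the disk image
img_name: fsl01

# Name of the bridge
bridge: virbr1

# Memory of the virtual machine
ram: 1024

# Size of the disk image in GB for the virtual machine
size: 8

# MAC address of the virtual machine
mac: '52:52:00:00:00:01'

# Mirror to use for the installation.
# Fetched over https so the installer gets transport integrity for the
# packages it pulls. NOTE(review): release 28 is far behind the
# fedora_current value in variables/application-versions.yml and old
# releases are dropped from primary mirrors; update this path together with
# files/kickstart/fedora-mini.j2.
mirror: https://mirror.switch.ch/ftp/mirror/fedora/linux/releases/28/Fedora/x86_64/os/

# Time in minutes to wait for the virtual machine
wait_time: 10

# Be careful when changing network settings and don't forget to change the
# templates. These settings are fine as long as there is no conflict with
# your local network settings (e.g. IP range, etc.).

# See libvirt docs for details
network: 'network:testbench'

# IP address of the Test bench
# NOTE(review): this is also the first address of the DHCP range below.
# Whether that is intended (static reservation in the libvirt template) or
# a collision depends on files/libvirt-network.j2 - confirm before relying
# on it.
ip: 10.1.1.5

# Gateway
gw: 10.1.1.1

# Start of the DHCP range
range_start: 10.1.1.5

# End of the DHCP range
range_end: 10.1.1.50
-------------------------------------------------------------------------------- /variables/sensitive.yml: --------------------------------------------------------------------------------
# This variables file contains the default passwords for system, user, and
# database accounts.
#
# These values are committed to a public repository and are deliberately
# weak: they exist so the test bench can be attacked. Never reuse them on a
# real system, and do not put real secrets in this file (use ansible-vault).
#
# Copyright (c) 2013-2019 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
# Details:
# https://github.com/ansible/ansible/blob/devel/examples/playbooks/user_commands.yml
# The hashes below are MD5-crypt ($1$), which truncates the salt to eight
# characters ("TestBench" -> "TestBenc"). To regenerate one:
#   openssl passwd -1 -salt TestBench password
# or, in a play, the password_hash filter:
#   "{{ 'password' | password_hash('md5_crypt', 'TestBenc') }}"
# (the Python "crypt" module used previously is removed in Python 3.13.)
---
# Host name
server_hostname: test-bench

# Server root password
server_root_password: testbench

# User 'bob' with password 'bob'
bob_password: $1$TestBenc$xgKVyHGZ3pUAkBuM09KDf.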
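
# User 'alice' with password 'alice'
alice_password: $1$TestBenc$8SIf9GViaxrqkgBl1upQ50

# User 'tb' with password '12345'
tb_password: $1$TestBenc$t0GB3P5CxxZqOVXOjNHUX0

# Default user password
default_user_password: password

# Default mysql password
mysql_root_password: password

# Cert information (subject of the self-signed certificates created in
# tasks/web-servers/nginx.yml)
cert_country: CH
cert_province: BE
cert_city: Berne
cert_org: Test bench
cert_cn: test-bench.localdomain
cert_email: root@localhost
-------------------------------------------------------------------------------- /webservers.yml: --------------------------------------------------------------------------------
# This playbook contains the tasks to perform for an installation of various
# web servers.
#
# Copyright (c) 2013-2020 Fabian Affolter
#
# Licensed under CC BY 3.0. All rights reserved.
#
---
- hosts: fsl-tb
  remote_user: root
  vars_files:
    - variables/application-versions.yml
    - variables/sensitive.yml

  tasks:
    # Common tasks
    # "import_tasks" replaces the removed "include" keyword.
    - import_tasks: tasks/preparation.yml
    - import_tasks: tasks/motd.yml

    # Web server tasks. The task files live in tasks/web-servers/ (see the
    # file headers above); the previous "tasks/webserver/" paths did not
    # match that directory name.
    - import_tasks: tasks/web-servers/lighttpd.yml
    - import_tasks: tasks/web-servers/apache.yml
    # - import_tasks: tasks/web-servers/cherokee.yml
    - import_tasks: tasks/web-servers/droopy.yml
    - import_tasks: tasks/web-servers/nginx.yml
    - import_tasks: tasks/web-servers/tomcat.yml
    # NOTE(review): pywebserve and flask both open port 8880; only one of
    # them can listen on it.
    - import_tasks: tasks/web-servers/pywebserve.yml
    - import_tasks: tasks/web-servers/mongoose.yml
    - import_tasks: tasks/web-servers/nodejs.yml
    - import_tasks: tasks/web-servers/darkhttpd.yml

    # Common tasks
    - import_tasks: tasks/cleanup.yml

  handlers:
    - import_tasks: handlers/system.yml
    - import_tasks: handlers/services.yml
--------------------------------------------------------------------------------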