[WIP] Config Cleanup

[Trolldemorted]

TODOs:

• ansible cleanup/refactoring
  • sort out iptables-related ansible roles (with @ldruschk)
  • refactor programs role (remove tmux/move into seperate role)
  • refactor role dependencies (e.g. pip packages should depend on programs with python3-pip)
  • refactor other role dependencies?
• include arkime
  • make arkimes peer directly instead of going through the routers
  • use anonymous mode once fixed
  • stop capturing traffic twice
  • capture before SNAT (see MASQUERADE happens on the ingress gateway instead of the egress gateway #33 )
  • address capture monitor mode freezes if a valid pcap file without a packet is encountered (Arkime 5.0.0+) arkime/arkime#2742
  • fix enorouterdump (it crashes due to perm issues)
  • properly wait until ES is green
  • don't throw traffic to engine (flagsub and ips.txt) into arkime
  • prevent teams from accessing arkime AND elastic
  • add cpu/mem limits for arkime&elastic
• rebuild openvpn
  • build configs
  • assert that configs are complete (to some extent)
  • properly autostart the correct services on the correct routers
  • ensure routers are properly reachable (local 0.0.0.0 appears to be working for only one of the 2 addresses? cc @ldruschk )
  • prevent teams from reaching the vulnboxes before the game starts (see Make password only avaiable after the game starts EnoCTFPortal#57)
  • enable teams to reach their moloch through their openvpn
• set PermitRootLogin yes on vulnbox
• Misc fixes
  • enodump systemd unit should declare a dependency on wireguard #46
• push new bambictf image
• have a testing run with e.g. HTW Hackt

Related Issues:

• closes tcpdump on the router can not execute scripts #14
• closes Generate iptables ruless that allow intra-team traffic (traffic between players in their VPN) #35
• closes Fix moloch/arkime login creds #37

[ldruschk]

  * [ ]  prevent teams from reaching the vulnboxes before the game starts

https://askubuntu.com/questions/1212868/iptables-restricting-access-by-time

How about this? This could also help us get rid of the act of manually opening/closing the game network

[ldruschk]

ensure routers are properly reachable (local 0.0.0.0 appears to be working for only one of the 2 addresses? cc @ldruschk )

What exactly do you mean by that? If I recall correctly, using local 0.0.0.0 caused issues and setting the server to explicitly listen on a single IP address (that of the floating IP) worked around that issue. This, however, should not be a problem, since clients will always use the floating IP instead of the dynamic IP.

[ldruschk]

For my understanding, is the initialization with a default account (arkime:arkime) no longer necessary when using anonymous mode?

[ldruschk]

prevent teams from reaching the vulnboxes before the game starts

I gave this some though, we might want to use the hcloud firewall for this. We could use the firewall to block SSH traffic and delete that once the game starts.

To prevent the teams from accessing the vulnbox over the VPN, we could use a rule on the gateways that we need to manually remove once the game starts.

[ldruschk]

enable teams to reach their moloch through their openvpn

We would need to adjust the MASQUERADE rule to avoid masquerading traffic from the own team so that we could then use the source IP in the firewall on the vulnbox

[ldruschk]

don't throw traffic to engine (flagsub and ips.txt) into arkime

I think a simple and not ip host 10.0.13.37 in the tcpdump filter should suffice.