diff --git a/projects/bash_networking_security/SOLUTION b/projects/bash_networking_security/SOLUTION index 2edfbaf..0a3cce6 100644 --- a/projects/bash_networking_security/SOLUTION +++ b/projects/bash_networking_security/SOLUTION @@ -1,11 +1,15 @@ Local DNS Server IP ------------------- - +Local DNS server IP: 127.0.0.53 + Default gateway IP -------------------- +------Default Gateway: +Default Gateway: 10.0.0.1 + +------------- 
@@ -14,3 +18,28 @@ DHCP IP allocation sys-logs
 -------------------
+Jun 14 14:22:53 ip-10-0-0-231 dhclient[355]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 3 (xid=0xc3bea82d)
+Jun 14 16:54:57 ip-10-0-0-231 dhclient[362]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 3 (xid=0x22184278)
+Jun 15 04:53:16 ip-10-0-0-231 dhclient[370]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 3 (xid=0x9ee9214e)
+Jun 15 17:29:07 ip-10-0-0-231 dhclient[372]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 3 (xid=0x70c0936c)
+Jun 16 07:03:23 ip-10-0-0-231 dhclient[372]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 3 (xid=0x28607d5a)
+Jun 16 13:02:02 ip-10-0-0-231 dhclient[372]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 3 (xid=0x97cbe568)
+Jun 14 14:22:53 ip-10-0-0-231 dhclient[355]: DHCPOFFER of 10.0.0.231 from 10.0.0.1
+Jun 14 16:54:57 ip-10-0-0-231 dhclient[362]: DHCPOFFER of 10.0.0.231 from 10.0.0.1
+Jun 15 04:53:16 ip-10-0-0-231 dhclient[370]: DHCPOFFER of 10.0.0.231 from 10.0.0.1
+Jun 15 17:29:07 ip-10-0-0-231 dhclient[372]: DHCPOFFER of 10.0.0.231 from 10.0.0.1
+Jun 16 07:03:23 ip-10-0-0-231 dhclient[372]: DHCPOFFER of 10.0.0.231 from 10.0.0.1
+Jun 16 13:02:02 ip-10-0-0-231 dhclient[372]: DHCPOFFER of 10.0.0.231 from 10.0.0.1
+Jun 14 14:22:53 ip-10-0-0-231 dhclient[355]: DHCPREQUEST for 10.0.0.231 on ens5 to 255.255.255.255 port 67 (xid=0x2da8bec3)
+Jun 14 16:54:57 ip-10-0-0-231 dhclient[362]: DHCPREQUEST for 10.0.0.231 on ens5 to 255.255.255.255 port 67 (xid=0x78421822)
+Jun 15 04:53:16 ip-10-0-0-231 dhclient[370]: DHCPREQUEST for 10.0.0.231 on ens5 to 255.255.255.255 port 67 (xid=0x4e21e99e)
+Jun 15 17:29:07 ip-10-0-0-231 dhclient[372]: DHCPREQUEST for 10.0.0.231 on ens5 to 255.255.255.255 port 67 (xid=0x6c93c070)
+Jun 16 07:03:23 ip-10-0-0-231 dhclient[372]: DHCPREQUEST for 10.0.0.231 on ens5 to 255.255.255.255 port 67 (xid=0x5a7d6028)
+Jun 16 13:02:02 ip-10-0-0-231 dhclient[372]: DHCPREQUEST for 
10.0.0.231 on ens5 to 255.255.255.255 port 67 (xid=0x68e5cb97)
+Jun 14 14:22:53 ip-10-0-0-231 dhclient[355]: DHCPACK of 10.0.0.231 from 10.0.0.1 (xid=0xc3bea82d)
+Jun 14 16:54:57 ip-10-0-0-231 dhclient[362]: DHCPACK of 10.0.0.231 from 10.0.0.1 (xid=0x22184278)
+Jun 15 04:53:16 ip-10-0-0-231 dhclient[370]: DHCPACK of 10.0.0.231 from 10.0.0.1 (xid=0x9ee9214e)
+Jun 15 17:29:07 ip-10-0-0-231 dhclient[372]: DHCPACK of 10.0.0.231 from 10.0.0.1 (xid=0x70c0936c)
+Jun 16 07:03:23 ip-10-0-0-231 dhclient[372]: DHCPACK of 10.0.0.231 from 10.0.0.1 (xid=0x28607d5a)
+Jun 16 13:02:02 ip-10-0-0-231 dhclient[372]: DHCPACK of 10.0.0.231 from 10.0.0.1 (xid=0x97cbe568)
+ubuntu@ip-10-0-0-231:~$
diff --git a/projects/bash_networking_security/bastion_connect.sh b/projects/bash_networking_security/bastion_connect.sh
index a9bf588..6b41365 100644
--- a/projects/bash_networking_security/bastion_connect.sh
+++ b/projects/bash_networking_security/bastion_connect.sh
@@ -1 +1,39 @@
-#!/bin/bash
+#!/bin/bash#!/bin/bash
+
+PUBLIC_IP=$1
+
+PRIVATE_IP=$2
+
+COMMAND=$3
+
+
+# if the keyexists - a. if public but not private exist connect to public b. if both exist then public->private. else exit ffor bad input
+
+if [[ -n "$KEY_PATH" ]]; then
+
+ if [[ -n "$PUBLIC_IP" ]] && [[ ! "$PRIVATE_IP" ]]; then
+
+ ssh -i "$KEY_PATH" "ubuntu@$PUBLIC_IP"
+
+ fi
+
+
+
+ if [[ -n "$PUBLIC_IP" ]] && [[ -n "$PRIVATE_IP" ]]; then
+
+ ssh -ti "$KEY_PATH" "ubuntu@$PUBLIC_IP" "ssh -i "$KEY_PATH" 'ubuntu@$PRIVATE_IP'" "$COMMAND"
+
+ fi
+
+else
+
+ echo "KEY_PATH env var is expected and must point to an existing file. try: export KEY_PATH='~/pampampam.pem' "
+
+ exit 5
+
+fi
+
+ if [ $# -lt 1 ]; then
+ echo "Please provide bastion IP address"
+ exit 5
+fi
diff --git a/projects/bash_networking_security/tlsHandshake.sh b/projects/bash_networking_security/tlsHandshake.sh
index a9bf588..6eb6c2a 100644
--- a/projects/bash_networking_security/tlsHandshake.sh
+++ b/projects/bash_networking_security/tlsHandshake.sh
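Review bot: The guard `if [[ -n "$KEY_PATH" ]]; then` in bastion_connect.sh only checks that the variable is non-empty, while the message in the else branch promises it "must point to an existing file"; `[[ -f "$KEY_PATH" ]]` would fail here with that message instead of somewhere inside ssh, and the hint `export KEY_PATH='~/pampampam.pem'` should drop the single quotes, because `~` is not expanded inside them. In the two-hop branch, `"ssh -i "$KEY_PATH" 'ubuntu@$PRIVATE_IP'"` closes the outer string at the inner double quotes, so `$KEY_PATH` is unquoted there, and the construction requires the private key to be present on the bastion at the same path, which is what a jump host is meant to avoid; `ssh -i "$KEY_PATH" -J "ubuntu@$PUBLIC_IP" "ubuntu@$PRIVATE_IP" "$COMMAND"` keeps the key on the client and needs no nested quoting. The `if [ $# -lt 1 ]` check sits after both ssh branches, so it should move above the KEY_PATH test to reject a missing bastion IP before anything else runs. The first added line reads `#!/bin/bash#!/bin/bash`, which looks like a rendering artifact of this page, but if the file really starts that way the shebang is invalid and the script cannot be executed directly.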
@@ -1 +1,43 @@
 #!/bin/bash
+
+# Step 1: Client Hello
+client_hello='{"version": "1.3", "ciphersSuites": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"], "message": "Client Hello"}'
+response=$(curl -s -X POST -d "$client_hello" http://:8080/clienthello)
+session_id=$(echo "$response" | jq -r '.sessionID')
+server_cert=$(echo "$response" | jq -r '.serverCert')
+
+# Step 2: Server Hello
+echo "Server Hello response: $response"
+echo "Session ID: $session_id"
+echo "$server_cert" > cert.pem
+
+# Step 3: Server Certificate Verification
+wget -q https://devops-feb23.s3.eu-north-1.amazonaws.com/cert-ca-aws.pem
+openssl verify -CAfile cert-ca-aws.pem cert.pem
+verification_result=$?
+rm cert-ca-aws.pem
+
+if [ $verification_result -ne 0 ]; then
+ echo "Server Certificate is invalid."
+ exit 5
+fi
+
+# Step 4: Client-Server master-key exchange
+master_key=$(openssl rand -base64 32)
+encrypted_master_key=$(echo "$master_key" | openssl smime -encrypt -aes-256-cbc -outform DER cert.pem | base64 -w 0)
+
+# Step 5: Server verification message
+key_exchange='{"sessionID": "'$session_id'", "masterKey": "'$encrypted_master_key'", "sampleMessage": "Hi server, please encrypt me and send to client!"}'
+response=$(curl -s -X POST -d "$key_exchange" http://:8080/keyexchange)
+encrypted_sample_message=$(echo "$response" | jq -r '.encryptedSampleMessage')
+
+# Step 6: Client verification message
+echo "$encrypted_sample_message" | base64 -d > encSampleMsgReady.txt
+decrypted_sample_message=$(openssl enc -d -aes-256-cbc -in encSampleMsgReady.txt -base64 -K "$master_key" -iv 0 -nosalt 2>/dev/null)
+
+if [ "$decrypted_sample_message" != "Hi server, please encrypt me and send to client!" ]; then
+ echo "Server symmetric encryption using the exchanged master-key has failed."
+ exit 6
+fi
+
+echo "Client-Server TLS handshake has been completed successfully"#!/bin/bash
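Review bot: Nothing returned by the server is checked before it is used: `curl -s -X POST ... http://:8080/clienthello` has no `-f` and no exit-status test (the host part of that URL is also empty, so presumably the server address was stripped before committing; taking it from `$1` via `server=${1:?server address required}` and `http://$server:8080/...` would make that explicit), and on any failure `$response` is empty, `jq -r` yields `null`, and `null` is written to cert.pem and sent on as the session ID. Step 5 then splices those server-supplied values into JSON by concatenation, `'"sessionID": "'$session_id'"'`, which breaks on any quote or space in the value and lets the peer shape the request body; `key_exchange=$(jq -n --arg s "$session_id" --arg k "$encrypted_master_key" '{sessionID:$s, masterKey:$k, sampleMessage:"Hi server, please encrypt me and send to client!"}')` builds it safely. In Step 6 `-K "$master_key"` expects a hex-encoded key while `openssl rand -base64 32` emits base64, so the decrypt can only succeed if the server side uses the same encoding, which is worth confirming against the exercise spec, and the `2>/dev/null` on that call hides the reason when it does fail; the key is also passed on the command line, where other local users can read it from the process list. cert.pem and encSampleMsgReady.txt are left behind in the working directory, so a `workdir=$(mktemp -d)` with `trap 'rm -rf -- "$workdir"' EXIT` would contain both the temporary files and the CA download.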