diff --git a/projects/bash_networking_security/SOLUTION b/projects/bash_networking_security/SOLUTION index 2edfbaf..0c11f9d 100644 --- a/projects/bash_networking_security/SOLUTION +++ b/projects/bash_networking_security/SOLUTION @@ -1,16 +1,25 @@ Local DNS Server IP ------------------- - - - +127.0.0.53 Default gateway IP ------------------- - - +10.0.0.1 DHCP IP allocation sys-logs ------------------- - +Jun 15 05:37:09 ip-10-0-0-141 dhclient[359]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 3 (xid=0xec60204a) +Jun 15 14:55:28 ip-10-0-0-141 dhclient[364]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 3 (xid=0xed569a5d) +Jun 16 06:48:30 ip-10-0-0-141 dhclient[368]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 3 (xid=0x19be7604) +Jun 15 05:37:09 ip-10-0-0-141 dhclient[359]: DHCPOFFER of 10.0.0.141 from 10.0.0.1 +Jun 15 14:55:28 ip-10-0-0-141 dhclient[364]: DHCPOFFER of 10.0.0.141 from 10.0.0.1 +Jun 16 06:48:30 ip-10-0-0-141 dhclient[368]: DHCPOFFER of 10.0.0.141 from 10.0.0.1 +Jun 15 05:37:09 ip-10-0-0-141 dhclient[359]: DHCPREQUEST for 10.0.0.141 on ens5 to 255.255.255.255 port 67 (xid=0x4a2060ec) +Jun 15 14:55:28 ip-10-0-0-141 dhclient[364]: DHCPREQUEST for 10.0.0.141 on ens5 to 255.255.255.255 port 67 (xid=0x5d9a56ed) +Jun 16 06:48:30 ip-10-0-0-141 dhclient[368]: DHCPREQUEST for 10.0.0.141 on ens5 to 255.255.255.255 port 67 (xid=0x476be19) +Jun 15 05:37:09 ip-10-0-0-141 dhclient[359]: DHCPACK of 10.0.0.141 from 10.0.0.1 (xid=0xec60204a) +Jun 15 14:55:28 ip-10-0-0-141 dhclient[364]: DHCPACK of 10.0.0.141 from 10.0.0.1 (xid=0xed569a5d) +Jun 16 06:48:30 ip-10-0-0-141 dhclient[368]: DHCPACK of 10.0.0.141 from 10.0.0.1 (xid=0x19be7604) + diff --git a/projects/bash_networking_security/bastion_connect.sh b/projects/bash_networking_security/bastion_connect.sh index a9bf588..3fff470 100644 --- a/projects/bash_networking_security/bastion_connect.sh +++ b/projects/bash_networking_security/bastion_connect.sh 
@@ -1 +1,25 @@
-#!/bin/bash
+#!/bin/bash
+
+COMMAND=$3
+# Check if the KEY_PATH environment variable is set
+if [ -z "$KEY_PATH" ]; then
+ echo "KEY_PATH env var is expected"
+ exit 5
+fi
+
+# Check if the public instance IP is provided
+if [ -z "$1" ]; then
+ echo "Please provide bastion IP address"
+ exit 5
+fi
+
+# If both public and private instance IPs are provided, connect to the private instance via the public instance
+if [ -n "$2" ]; then
+ ssh -ti "$KEY_PATH" ubuntu@"$1" ssh -i "new_ssh_key" ubuntu@"$2" "$COMMAND"
+
+# Otherwise, connect to the public instance
+else
+ ssh -i "$KEY_PATH" ubuntu@"$1"
+fi
+
+
diff --git a/projects/bash_networking_security/tlsHandshake.sh b/projects/bash_networking_security/tlsHandshake.sh
index a9bf588..72fb8f7 100644
--- a/projects/bash_networking_security/tlsHandshake.sh
+++ b/projects/bash_networking_security/tlsHandshake.sh
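Review bot: The second hop on the `if [ -n "$2" ]` branch hard-codes a relative key path, `ssh -i "new_ssh_key"`, so it only works if that private key has been copied onto the bastion and the login shell lands in the directory holding it, and keeping the private-instance key on the bastion means a bastion compromise also yields access to the private host. OpenSSH's ProxyJump keeps the key on the client and removes the nested shell: `ssh -i "$KEY_PATH" -J ubuntu@"$1" ubuntu@"$2" "$COMMAND"` (assuming the same key, or a second `-i`, is accepted by the private instance). As written, `"$COMMAND"` is re-parsed by the bastion's shell before the inner ssh sees it, so a command containing spaces or quotes is split into several words. The two `echo` diagnostics before `exit 5` should also go to stderr (`>&2`) so callers capturing stdout do not mistake them for command output.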
@@ -1 +1,54 @@
-#!/bin/bash
+#!/bin/bash -x
+
+
+IPADDRESS=13.53.122.7 || $PUBLIC_EC2_IP || $1
+# Step 1: Client Hello
+client_hello=$(curl -s -X POST -H "Content-Type: application/json" -d '{
+ "version": "1.3",
+ "ciphersSuites": [
+ "TLS_AES_128_GCM_SHA256",
+ "TLS_CHACHA20_POLY1305_SHA256"
+ ],
+ "message": "Client Hello"
+}' http://$IPADDRESS:8080/clienthello)
+
+# Step 2: Server Hello
+version=$(echo "$client_hello" | jq -r '.version')
+cipher_suite=$(echo "$client_hello" | jq -r '.cipherSuite')
+session_id=$(echo "$client_hello" | jq -r '.sessionID')
+server_cert=$(echo "$client_hello" | jq -r '.serverCert')
+
+# Step 3: Server Certificate Verification
+wget -q https://devops-feb23.s3.eu-north-1.amazonaws.com/cert-ca-aws.pem
+openssl verify -CAfile cert-ca-aws.pem <<< "$server_cert"
+verification_result=$?
+
+if [ $verification_result -ne 0 ]; then
+ echo "Server Certificate is invalid."
+ exit 5
+fi
+
+# Step 4: Client-Server master-key exchange
+master_key=$(openssl rand -base64 32)
+encrypted_master_key=$(echo "$master_key" | openssl smime -encrypt -aes-256-cbc -binary -outform DER cert.pem | base64 -w 0)
+
+# Step 5: Server verification message
+server_verification_msg=$(curl -s -X POST -H "Content-Type: application/json" -d '{
+ "sessionID": "'"$session_id"'",
+ "masterKey": "'"$encrypted_master_key"'",
+ "sampleMessage": "Hi server, please encrypt me and send to client!"
+}' http://$IPADDRESS:8080/keyexchange)
+
+encrypted_sample_msg=$(echo "$server_verification_msg" | jq -r '.encryptedSampleMessage')
+
+# Step 6: Client verification message
+decrypted_sample_msg=$(echo "$encrypted_sample_msg" | base64 -d | openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:"$master_key" -md sha256)
+
+if [ "$decrypted_sample_msg" != "Hi server, please encrypt me and send to client!" ]; then
+ echo "Server symmetric encryption using the exchanged master-key has failed."
+ exit 6
+fi
+
+echo "Client-Server TLS handshake has been completed successfully"
+
+
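Review bot: `IPADDRESS=13.53.122.7 || $PUBLIC_EC2_IP || $1` never falls back: the assignment always succeeds, so the `||` operands are skipped (and if they ran, bash would try to execute the address as a command), leaving IPADDRESS pinned to the hard-coded value; the intended precedence is `IPADDRESS=${1:-${PUBLIC_EC2_IP:-13.53.122.7}}`. Step 4 then encrypts against `cert.pem`, a file the script never writes — the server certificate only exists in `$server_cert` — so the `openssl smime -encrypt` call fails; write it out after the verify step with `printf '%s\n' "$server_cert" > cert.pem` (or verify and encrypt against that same file). The `#!/bin/bash -x` shebang traces every expanded command to stderr, including `master_key=$(openssl rand -base64 32)` and the `-pass pass:"$master_key"` argument, so the session secret ends up in terminal scrollback and logs; drop `-x` from the committed script, and since `-pass pass:` also exposes the key in the process list, prefer `-pass env:MASTER_KEY` with the variable exported. Finally, `$IPADDRESS` is unquoted in both URLs and `[ $verification_result -ne 0 ]` should quote its operand.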
diff --git a/projects/bash_networking_security/vpc.sh b/projects/bash_networking_security/vpc.sh
index 951abba..c13975d 100644
--- a/projects/bash_networking_security/vpc.sh
+++ b/projects/bash_networking_security/vpc.sh
@@ -1,4 +1,4 @@
-REGION=""
-VPC_ID=""
-PUBLIC_INSTANCE_ID=""
-PRIVATE_INSTANCE_ID=""
\ No newline at end of file
+REGION="eu-north-1"
+VPC_ID="vpc-0efa8b8281af85cbf"
+PUBLIC_INSTANCE_ID="i-00f629cb350bfb435"
+PRIVATE_INSTANCE_ID="i-095d9adca2021336a"
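Review bot: The four assignments now bind the project to one account's region, VPC and instance IDs with no way for another environment to override them; the `${VAR:-default}` form keeps these values as defaults while letting a caller export their own, e.g. `REGION="${REGION:-eu-north-1}"` and likewise for the three IDs. The file still has no shebang, which is fine if it is only ever sourced by the other scripts in this directory, but a one-line header comment saying so (and that the IDs belong to a specific lab environment) would make that intent explicit.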