diff --git a/projects/bash_networking_security/SOLUTION b/projects/bash_networking_security/SOLUTION index 2edfbaf..a8a167a 100644 --- a/projects/bash_networking_security/SOLUTION +++ b/projects/bash_networking_security/SOLUTION @@ -1,16 +1,19 @@ Local DNS Server IP ------------------- - +127.0.0.53 Default gateway IP ------------------- - +10.0.0.1 DHCP IP allocation sys-logs ------------------- - - +Jun 13 09:32:16 ip-10-0-0-182 dhclient[340]: Internet Systems Consortium DHCP Client 4.4.1 +Jun 13 09:32:16 ip-10-0-0-182 dhclient[340]: For info, please visit https://www.isc.org/software/dhcp/ +Jun 13 09:32:16 ip-10-0-0-182 dhclient[340]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 (xid=0x64655509) +Jun 13 09:32:16 ip-10-0-0-182 dhclient[340]: DHCPOFFER of 10.0.0.182 from 10.0.0.1 +Jun 13 09:32:16 ip-10-0-0-182 dhclient[340]: DHCPREQUEST for 10.0.0.182 on eth0 to 255.255.255.255 port 67 (xid=0x9556564) diff --git a/projects/bash_networking_security/bastion_connect.sh b/projects/bash_networking_security/bastion_connect.sh index a9bf588..86407bd 100644 --- a/projects/bash_networking_security/bastion_connect.sh +++ b/projects/bash_networking_security/bastion_connect.sh @@ -1 +1,44 @@ #!/bin/bash + +if [[ -z "$KEY_PATH" ]]; then + + echo "KEY_PATH environment variable is not set!" + + exit 5 + +fi + + + + +if [[ $# -lt 1 ]]; then + + echo "KEY_PATH env var is expected" + + echo "Please provide Public Instance (Bastion) IP address" + + exit 5 + +fi + + + + +public_ip=$1 + +private_ip=$2 + +command="${@:3}" + + + + +if [[ -n "$private_ip" ]]; then + + ssh -t -i "$KEY_PATH" ubuntu@"$public_ip" ssh -i "new_key" ubuntu@"$private_ip" "$command" + +else + + ssh -i "$KEY_PATH" ubuntu@"$public_ip" "$command" + +fi diff --git a/projects/bash_networking_security/tlsHandshake.sh b/projects/bash_networking_security/tlsHandshake.sh index a9bf588..5a9850d 100644 --- a/projects/bash_networking_security/tlsHandshake.sh +++ b/projects/bash_networking_security/tlsHandshake.sh @@ -1 +1,62 @@ -#!/bin/bash + +#!/bin/bash #!/bin/bash -x + +# Step 1 - Client Hello (Client -> Server) +RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{ + "version": "1.3", + "ciphersSuites": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"], + "message": "Client Hello" +}' http://3.80.89.74:8080/clienthello) + + +# Step 2 - Server Hello (Server -> Client) +SESSION_ID=$(echo "$RESPONSE" | jq -r '.sessionID') + +echo "$RESPONSE" | jq -r '.serverCert' > cert.pem + + +# Step 3 - Server Certificate Verification +wget https://devops-feb23.s3.eu-north-1.amazonaws.com/cert-ca-aws.pem + +VERIFICATION=$(openssl verify -CAfile cert-ca-aws.pem cert.pem) + +if [ "$VERIFICATION" != "cert.pem: OK" ]; +then + echo "Server Certificate is invalid." + exit 5 + else + echo "cert.pem: OK" +fi + + +# Step 4 - Client-Server master-key exchange +#echo "Hi server, please encrypt me and send to client!" > masterKey.txt +openssl rand -out masterKey.txt -base64 32 + + + +MASTER_KEY=$(openssl smime -encrypt -aes-256-cbc -in masterKey.txt -outform DER cert.pem | base64 | tr -d '\n') + + + +# Step 5 - Server verification message +RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{ + "sessionID": "'"$SESSION_ID"'", + "masterKey": "'"$MASTER_KEY"'", + "sampleMessage": "Hi server, please encrypt me and send to client!" +}' http://3.80.89.74:8080/keyexchange) + + +# Step 6 - Client verification message + +echo "$RESPONSE" | jq -r '.encryptedSampleMessage' > encSampleMsg.txt +cat encSampleMsg.txt | base64 -d > encSampleMsgReady.txt + +decrypted_sample_msg=$(openssl enc -d -aes-256-cbc -pbkdf2 -kfile masterKey.txt -in encSampleMsgReady.txt) + +if [ "$decrypted_sample_msg" != "Hi server, please encrypt me and send to client!" ]; then + echo "Server symmetric encryption using the exchanged master-key has failed." + exit 6 +else + echo "Client-Server TLS handshake has been completed successfully" +fi diff --git a/projects/bash_networking_security/vpc.sh b/projects/bash_networking_security/vpc.sh index 951abba..21897a5 100644 --- a/projects/bash_networking_security/vpc.sh +++ b/projects/bash_networking_security/vpc.sh @@ -1,4 +1,4 @@ -REGION="" -VPC_ID="" -PUBLIC_INSTANCE_ID="" -PRIVATE_INSTANCE_ID="" \ No newline at end of file +REGION="us-east-1" +VPC_ID="vpc-0fa173275baf10b87" +PUBLIC_INSTANCE_ID="i-07a59423027bcd60d" +PRIVATE_INSTANCE_ID="i-00ac045e505098220"