From d8a4e7c2b5a1e2296cb7d8d3b4339e1e3aeec654 Mon Sep 17 00:00:00 2001
From: NIKHIL SINGH BISHT <90443399+NIKSAM20@users.noreply.github.com>
Date: Sun, 11 Jun 2023 10:56:27 +0530
Subject: [PATCH 1/9] Update SOLUTION
---
 projects/bash_networking_security/SOLUTION | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/projects/bash_networking_security/SOLUTION b/projects/bash_networking_security/SOLUTION
index 2edfbaf..a354b7f 100644
--- a/projects/bash_networking_security/SOLUTION
+++ b/projects/bash_networking_security/SOLUTION
@@ -1,16 +1,18 @@
 Local DNS Server IP
 -------------------
-
+127.0.0.53
 Default gateway IP
 -------------------
-
+10.0.0.1
 DHCP IP allocation sys-logs
 -------------------
-
-
+Jun 11 05:13:36 ip-10-0-0-13 dhclient[347]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 (xid=0xc9c6804f)
+Jun 11 05:13:36 ip-10-0-0-13 dhclient[347]: DHCPOFFER of 10.0.0.13 from 10.0.0.1
+Jun 11 05:13:36 ip-10-0-0-13 dhclient[347]: DHCPREQUEST for 10.0.0.13 on eth0 to 255.255.255.255 port 67 (xid=0x4f80c6c9)
+Jun 11 05:13:36 ip-10-0-0-13 dhclient[347]: DHCPACK of 10.0.0.13 from 10.0.0.1 (xid=0xc9c6804f)
From 03d25cad5f5a31bc81cc016994b11505b8759228 Mon Sep 17 00:00:00 2001
From: NIKHIL SINGH BISHT <90443399+NIKSAM20@users.noreply.github.com>
Date: Sun, 11 Jun 2023 17:20:47 +0530
Subject: [PATCH 2/9] Update vpc.sh
---
 projects/bash_networking_security/vpc.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/projects/bash_networking_security/vpc.sh b/projects/bash_networking_security/vpc.sh
index 951abba..3cf6f39 100644
--- a/projects/bash_networking_security/vpc.sh
+++ b/projects/bash_networking_security/vpc.sh
@@ -1,4 +1,4 @@
-REGION=""
-VPC_ID=""
-PUBLIC_INSTANCE_ID=""
-PRIVATE_INSTANCE_ID=""
\ No newline at end of file
+REGION="us-west-1a"
+VPC_ID="vpc-0d5678d747f2a3003"
+PUBLIC_INSTANCE_ID="i-0b99513e561fc2558"
+PRIVATE_INSTANCE_ID="i-07307d24f06a827b6"
From 3721894ffeb8d7987bda4cc01fee61901d7423c0 Mon Sep 17 00:00:00 2001
From: NIKHIL SINGH BISHT <90443399+NIKSAM20@users.noreply.github.com>
Date: Tue, 13 Jun 2023 09:19:18 +0530
Subject: [PATCH 3/9] Update bastion_connect.sh
---
 .../bastion_connect.sh | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/projects/bash_networking_security/bastion_connect.sh b/projects/bash_networking_security/bastion_connect.sh
index a9bf588..cf69f35 100644
--- a/projects/bash_networking_security/bastion_connect.sh
+++ b/projects/bash_networking_security/bastion_connect.sh
@@ -1 +1,36 @@
 #!/bin/bash
+# Check if KEY_PATH environment variable is set
+if [[ -z "${KEY_PATH}" ]]; then
+ echo "KEY_PATH env var is expected"
+ exit 5
+fi
+
+# Check if bastion IP address is provided
+if [[ -z "${1}" ]]; then
+ echo "Please provide bastion IP address"
+ exit 5
+fi
+
+bastion_ip="${1}"
+private_ip="${2}"
+command="${3}"
+
+# Case 1 - Connect to the private instance from your local machine
+if [[ -n "${private_ip}" ]]; then
+ ssh -i "${KEY_PATH}" -o ProxyCommand="ssh -i ${KEY_PATH} -W %h:%p ubuntu@${bastion_ip}" ubuntu@${private_ip}
+ exit $?
+fi
+
+# Case 2 - Connect to the public instance
+ssh -i "${KEY_PATH}" ubuntu@"${bastion_ip}"
+exit $?
+
+# Case 3 - Run a command in the private machine
+if [[ -n "${private_ip}" && -n "${command}" ]]; then
+ ssh -i "${KEY_PATH}" ubuntu@"${bastion_ip}" -t "ssh -i ${KEY_PATH} ubuntu@${private_ip} ${command}"
+ exit $?
+fi
+
+# Case 4 - Bad usage
+echo "Please provide valid arguments"
+exit 1
From 25bb4cf60f184b2b45d4b110277c3eacaa6bd80b Mon Sep 17 00:00:00 2001
From: NIKHIL SINGH BISHT <90443399+NIKSAM20@users.noreply.github.com>
Date: Fri, 16 Jun 2023 17:29:05 +0530
Subject: [PATCH 4/9] Update vpc.sh
---
 projects/bash_networking_security/vpc.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/projects/bash_networking_security/vpc.sh b/projects/bash_networking_security/vpc.sh
index 3cf6f39..d647fe7 100644
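Review bot: Case 3 (`# Run a command in the private machine`) can never execute: Case 2's unconditional `exit $?` sits above it, and Case 1 already matches whenever `private_ip` is non-empty, so a third argument is silently ignored and the caller gets an interactive session instead of `command` being run. Narrowing Case 1 to `if [[ -n "${private_ip}" && -z "${command}" ]]; then` and wrapping Case 2 in `if [[ -z "${private_ip}" ]]; then … fi` restores the intended dispatch (or test the three-argument case first and let the others follow). Inside the ProxyCommand value, `${KEY_PATH}` and `ubuntu@${private_ip}` are expanded unquoted and the resulting string is word-split again by the shell ssh uses to run the proxy, so a key path containing whitespace breaks the jump; the final `ubuntu@${private_ip}` on that line should be quoted like the other expansions. The usage errors are written to stdout with `echo`; `printf '%s\n' "…" >&2` keeps diagnostics out of any captured output.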
--- a/projects/bash_networking_security/vpc.sh
+++ b/projects/bash_networking_security/vpc.sh
@@ -1,4 +1,4 @@
-REGION="us-west-1a"
-VPC_ID="vpc-0d5678d747f2a3003"
-PUBLIC_INSTANCE_ID="i-0b99513e561fc2558"
-PRIVATE_INSTANCE_ID="i-07307d24f06a827b6"
+REGION="us-west-1b"
+VPC_ID="vpc-0c91212efdc6acbb2"
+PUBLIC_INSTANCE_ID="i-0944d11fa7dcc79dd"
+PRIVATE_INSTANCE_ID="i-0ddd4cd59c25156a2"
From c4651b72aa50e2a226813f33a52d46683dffa35c Mon Sep 17 00:00:00 2001
From: NIKHIL SINGH BISHT <90443399+NIKSAM20@users.noreply.github.com>
Date: Sat, 17 Jun 2023 11:48:43 +0530
Subject: [PATCH 5/9] Update SOLUTION
---
 projects/bash_networking_security/SOLUTION | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/projects/bash_networking_security/SOLUTION b/projects/bash_networking_security/SOLUTION
index a354b7f..7ffe46d 100644
--- a/projects/bash_networking_security/SOLUTION
+++ b/projects/bash_networking_security/SOLUTION
@@ -12,7 +12,7 @@ Default gateway IP
 DHCP IP allocation sys-logs
 -------------------
-Jun 11 05:13:36 ip-10-0-0-13 dhclient[347]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 (xid=0xc9c6804f)
-Jun 11 05:13:36 ip-10-0-0-13 dhclient[347]: DHCPOFFER of 10.0.0.13 from 10.0.0.1
-Jun 11 05:13:36 ip-10-0-0-13 dhclient[347]: DHCPREQUEST for 10.0.0.13 on eth0 to 255.255.255.255 port 67 (xid=0x4f80c6c9)
-Jun 11 05:13:36 ip-10-0-0-13 dhclient[347]: DHCPACK of 10.0.0.13 from 10.0.0.1 (xid=0xc9c6804f)
+Jun 16 10:33:39 ip-10-0-0-70 dhclient[339]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 (xid=0xc72e421b)
+Jun 16 10:33:39 ip-10-0-0-70 dhclient[339]: DHCPOFFER of 10.0.0.70 from 10.0.0.1
+Jun 16 10:33:39 ip-10-0-0-70 dhclient[339]: DHCPREQUEST for 10.0.0.70 on eth0 to 255.255.255.255 port 67 (xid=0x1b422ec7)
+Jun 16 10:33:39 ip-10-0-0-70 dhclient[339]: DHCPACK of 10.0.0.70 from 10.0.0.1 (xid=0xc72e421b)
From 3d5aae68f36c96d6df2cd27cd137d4700423f609 Mon Sep 17 00:00:00 2001
From: NIKHIL SINGH BISHT <90443399+NIKSAM20@users.noreply.github.com>
Date: Sat, 17 Jun 2023 12:58:04 +0530
Subject: [PATCH 6/9] Update tlsHandshake.sh
---
 .../bash_networking_security/tlsHandshake.sh | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/projects/bash_networking_security/tlsHandshake.sh b/projects/bash_networking_security/tlsHandshake.sh
index a9bf588..e194142 100644
--- a/projects/bash_networking_security/tlsHandshake.sh
+++ b/projects/bash_networking_security/tlsHandshake.sh
@@ -1 +1,51 @@
 #!/bin/bash
+
+IPADDRESS=54.177.20.188 || $PUBLIC_EC2_IP || $1
+# Step 1: Client Hello
+client_hello=$(curl -s -X POST -H "Content-Type: application/json" -d '{
+ "version": "1.3",
+ "ciphersSuites": [
+ "TLS_AES_128_GCM_SHA256",
+ "TLS_CHACHA20_POLY1305_SHA256"
+ ],
+ "message": "Client Hello"
+}' http://$IPADDRESS:8080/clienthello)
+
+# Step 2: Server Hello
+version=$(echo "$client_hello" | jq -r '.version')
+cipher_suite=$(echo "$client_hello" | jq -r '.cipherSuite')
+session_id=$(echo "$client_hello" | jq -r '.sessionID')
+server_cert=$(echo "$client_hello" | jq -r '.serverCert')
+
+# Step 3: Server Certificate Verification
+wget -q https://devops-feb23.s3.eu-north-1.amazonaws.com/cert-ca-aws.pem
+openssl verify -CAfile cert-ca-aws.pem <<< "$server_cert"
+verification_result=$?
+
+if [ $verification_result -ne 0 ]; then
+ echo "Server Certificate is invalid."
+ exit 5
+fi
+
+# Step 4: Client-Server master-key exchange
+master_key=$(openssl rand -base64 32)
+encrypted_master_key=$(echo "$master_key" | openssl smime -encrypt -aes-256-cbc -binary -outform DER cert.pem | base64 -w 0)
+
+# Step 5: Server verification message
+server_verification_msg=$(curl -s -X POST -H "Content-Type: application/json" -d '{
+ "sessionID": "'"$session_id"'",
+ "masterKey": "'"$encrypted_master_key"'",
+ "sampleMessage": "Hi server, please encrypt me and send to client!"
+}' http://$IPADDRESS:8080/keyexchange)
+
+encrypted_sample_msg=$(echo "$server_verification_msg" | jq -r '.encryptedSampleMessage')
+
+# Step 6: Client verification message
+decrypted_sample_msg=$(echo "$encrypted_sample_msg" | base64 -d | openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:"$master_key" -md sha256)
+
+if [ "$decrypted_sample_msg" != "Hi server, please encrypt me and send to client!" ]; then
+ echo "Server symmetric encryption using the exchanged master-key has failed."
+ exit 6
+fi
+
+echo "Client-Server TLS handshake has been completed successfully"
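Review bot: `IPADDRESS=54.177.20.188 || $PUBLIC_EC2_IP || $1` on the hunk's second added line does not select a fallback: a plain assignment always succeeds, so the `||` branches never run and the address is hard-coded regardless of `$1` or `PUBLIC_EC2_IP`; the intended precedence reads `IPADDRESS="${1:-${PUBLIC_EC2_IP:-54.177.20.188}}"`. Step 4 encrypts the master key with `cert.pem`, but the certificate extracted into `server_cert` is only piped to `openssl verify` and never written to disk, so presumably `printf '%s\n' "$server_cert" > cert.pem` belongs before the `openssl smime` call (or the call should name whichever file the server certificate is meant to live in). Step 6 passes the master key as `-pass pass:"$master_key"`, which places the secret on the process command line where any local user can read it via `ps`; `MASTER_KEY="$master_key" openssl enc … -pass env:MASTER_KEY` keeps it off argv. Neither `wget -q` nor the two `curl` calls have their exit status checked, so a failed download or an empty response reaches `openssl`/`jq` without a diagnostic; `set -euo pipefail` at the top, or `|| exit` on each, would make those failures explicit.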
From fd65949a2d478c7d19f1703024c5affbbb706fe6 Mon Sep 17 00:00:00 2001
From: NIKHIL SINGH BISHT <90443399+NIKSAM20@users.noreply.github.com>
Date: Sat, 17 Jun 2023 12:58:58 +0530
Subject: [PATCH 7/9] Update bastion_connect.sh
---
 .../bastion_connect.sh | 40 ++++++-------------
 1 file changed, 12 insertions(+), 28 deletions(-)
diff --git a/projects/bash_networking_security/bastion_connect.sh b/projects/bash_networking_security/bastion_connect.sh
index cf69f35..8075c31 100644
--- a/projects/bash_networking_security/bastion_connect.sh
+++ b/projects/bash_networking_security/bastion_connect.sh
@@ -1,36 +1,20 @@
-#!/bin/bash
-# Check if KEY_PATH environment variable is set
-if [[ -z "${KEY_PATH}" ]]; then
- echo "KEY_PATH env var is expected"
+if [[ -z "$KEY_PATH" ]]; then
+ echo "KEY_PATH environment variable is not set!"
 exit 5
 fi
-# Check if bastion IP address is provided
-if [[ -z "${1}" ]]; then
- echo "Please provide bastion IP address"
+if [[ $# -lt 1 ]]; then
+ echo "KEY_PATH env var is expected"
+ echo "Please provide Public Instance (Bastion) IP address"
 exit 5
 fi
-bastion_ip="${1}"
-private_ip="${2}"
-command="${3}"
-
-# Case 1 - Connect to the private instance from your local machine
-if [[ -n "${private_ip}" ]]; then
- ssh -i "${KEY_PATH}" -o ProxyCommand="ssh -i ${KEY_PATH} -W %h:%p ubuntu@${bastion_ip}" ubuntu@${private_ip}
- exit $?
-fi
-
-# Case 2 - Connect to the public instance
-ssh -i "${KEY_PATH}" ubuntu@"${bastion_ip}"
-exit $?
+public_ip=$1
+private_ip=$2
+command="${@:3}"
-# Case 3 - Run a command in the private machine
-if [[ -n "${private_ip}" && -n "${command}" ]]; then
- ssh -i "${KEY_PATH}" ubuntu@"${bastion_ip}" -t "ssh -i ${KEY_PATH} ubuntu@${private_ip} ${command}"
- exit $?
+if [[ -n "$private_ip" ]]; then
+ ssh -t -i "$KEY_PATH" ubuntu@"$public_ip" ssh -i "new_key" ubuntu@"$private_ip" "$command"
+else
+ ssh -i "$KEY_PATH" ubuntu@"$public_ip" "$command"
 fi
-
-# Case 4 - Bad usage
-echo "Please provide valid arguments"
-exit 1
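Review bot: The private-instance branch now runs the second hop on the bastion itself (`ssh -t -i "$KEY_PATH" ubuntu@"$public_ip" ssh -i "new_key" ubuntu@"$private_ip" "$command"`), which requires a private key named `new_key` to be stored on the bastion and drops the `-o ProxyCommand="ssh -i … -W %h:%p …"` jump the previous revision used; keeping the key on the local machine (that ProxyCommand form, or `-J ubuntu@"$public_ip"` with the bastion identity configured in ssh_config or an agent) means a compromised bastion does not also hand over the private instance's credentials. In the `$# -lt 1` branch the first `echo "KEY_PATH env var is expected"` is left over from the KEY_PATH check above it and misreports the error; only the bastion-IP message belongs there. The hunk's first removed line deletes the `#!/bin/bash` shebang, so the file no longer declares an interpreter although it relies on `[[` and `${@:3}`; keep `#!/bin/bash` as line 1. Because `"$command"` is passed as one word to the remote `ssh`, the bastion's login shell re-splits it, and in the `else` branch an empty `"$command"` is still passed as an argument — presumably meant to fall back to an interactive login, which is worth confirming against the ssh version in use.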
From 9fd73f7cc321c084c477cf66a559bddd9d21350b Mon Sep 17 00:00:00 2001
From: NIKHIL SINGH BISHT <90443399+NIKSAM20@users.noreply.github.com>
Date: Sat, 17 Jun 2023 13:02:26 +0530
Subject: [PATCH 8/9] Update vpc.sh
---
 projects/bash_networking_security/vpc.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/projects/bash_networking_security/vpc.sh b/projects/bash_networking_security/vpc.sh
index d647fe7..152245d 100644
--- a/projects/bash_networking_security/vpc.sh
+++ b/projects/bash_networking_security/vpc.sh
@@ -1,4 +1,4 @@
 REGION="us-west-1b"
 VPC_ID="vpc-0c91212efdc6acbb2"
 PUBLIC_INSTANCE_ID="i-0944d11fa7dcc79dd"
-PRIVATE_INSTANCE_ID="i-0ddd4cd59c25156a2"
+PRIVATE_INSTANCE_ID="i-0af45a43d1bcdaf7d"
From 6ced7a479660563488e67ac3cbb32ed5520347a1 Mon Sep 17 00:00:00 2001
From: NIKHIL SINGH BISHT <90443399+NIKSAM20@users.noreply.github.com>
Date: Sat, 17 Jun 2023 13:07:12 +0530
Subject: [PATCH 9/9] Update vpc.sh
---
 projects/bash_networking_security/vpc.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/projects/bash_networking_security/vpc.sh b/projects/bash_networking_security/vpc.sh
index 152245d..2fc070b 100644
--- a/projects/bash_networking_security/vpc.sh
+++ b/projects/bash_networking_security/vpc.sh
@@ -1,4 +1,4 @@
-REGION="us-west-1b"
+REGION="us-west-1"
 VPC_ID="vpc-0c91212efdc6acbb2"
 PUBLIC_INSTANCE_ID="i-0944d11fa7dcc79dd"
 PRIVATE_INSTANCE_ID="i-0af45a43d1bcdaf7d"