From 23245eb45a6ddb27c6da204425283d5d67228c62 Mon Sep 17 00:00:00 2001
From: aakshitaa
Date: Thu, 15 Jun 2023 23:26:54 +0530
Subject: [PATCH 1/2] networking_project
---
 projects/bash_networking_security/SOLUTION | 10 ++--
 .../bastion_connect.sh | 22 ++++++++
 .../bash_networking_security/tlsHandshake.sh | 53 ++++++++++++++++++-
 projects/bash_networking_security/vpc.sh | 8 +--
 simple_flask_webserver/Dockerfile | 6 +++
 5 files changed, 90 insertions(+), 9 deletions(-)
 create mode 100644 simple_flask_webserver/Dockerfile
diff --git a/projects/bash_networking_security/SOLUTION b/projects/bash_networking_security/SOLUTION
index 2edfbaf..9c76518 100644
--- a/projects/bash_networking_security/SOLUTION
+++ b/projects/bash_networking_security/SOLUTION
@@ -1,16 +1,18 @@
 Local DNS Server IP ------------------- - +127.0.0.53 Default gateway IP ------------------- - - +10.0.128.1 DHCP IP allocation sys-logs ------------------- - +DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 (xid=0x54c05365) +DHCPOFFER of 10.0.0.176 from 10.0.0.1 +DHCPREQUEST for 10.0.0.176 on eth0 to 255.255.255.255 port 67 (xid=0x6553c054) +DHCPACK of 10.0.0.176 from 10.0.0.1 (xid=0x54c05365)
diff --git a/projects/bash_networking_security/bastion_connect.sh b/projects/bash_networking_security/bastion_connect.sh
index a9bf588..a1f5886 100644
--- a/projects/bash_networking_security/bastion_connect.sh
+++ b/projects/bash_networking_security/bastion_connect.sh
@@ -1 +1,23 @@
 #!/bin/bash
+# Check if KEY_PATH environment variable exists
+if [[ -z "$KEY_PATH" ]]; then
+ echo "KEY_PATH env var is expected"
+ exit 5
+fi
+# Check if the public instance IP address is provided
+if [[ $# -lt 1 ]]; then
+ echo "Please provide bastion IP address"
+ exit 1
+fi
+# Connect to the private instance using the public instance as a bastion host
+if [[ $# -eq 2 ]]; then
+ public_instance_ip=$1
+ private_instance_ip=$2
+
+ # Connect to the private instance via the bastion host
+ ssh -i "$KEY_PATH" ubuntu@"$public_instance_ip" ssh -t -t -i "/home/keys/aakshita-kp-pvt.pem" ubuntu@"$private_instance_ip"
+else
+ public_instance_ip=$1
+ # Connect to the public instance
+ ssh -i "$KEY_PATH" ubuntu@"$public_instance_ip"
+fi
\ No newline at end of file
diff --git a/projects/bash_networking_security/tlsHandshake.sh b/projects/bash_networking_security/tlsHandshake.sh
index a9bf588..b7f1381 100644
--- a/projects/bash_networking_security/tlsHandshake.sh
+++ b/projects/bash_networking_security/tlsHandshake.sh
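Review bot: The second hop on the `ssh -i "$KEY_PATH" ubuntu@"$public_instance_ip" ssh -t -t -i "/home/keys/aakshita-kp-pvt.pem" ...` line depends on a private key that lives on the bastion itself, so anyone who compromises the bastion walks away with the key to every private instance, and the hardcoded per-user path ties the script to one host. OpenSSH can tunnel through the bastion while the key stays on the operator's machine, e.g. `ssh -i "$KEY_PATH" -o ProxyCommand="ssh -i $KEY_PATH -W %h:%p ubuntu@$public_instance_ip" ubuntu@"$private_instance_ip"` (or `-J ubuntu@"$public_instance_ip"` with the jump host's identity set in ssh_config); if the private instance uses a different key pair than the bastion, that file should still be a local path supplied by the caller, never a path on the bastion. The argument checks also let three or more arguments fall silently into the single-host `else` branch; either reject `$# -gt 2` with a usage message or state in the header comment that extra arguments are ignored.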
@@ -1 +1,52 @@
-#!/bin/bash
+#!/bin/bash -x
+# Step 1 - Client Hello (Client -> Server)
+RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{
+ "version": "1.3",
+ "ciphersSuites": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"],
+ "message": "Client Hello"
+}' http://3.129.7.39:8080/clienthello)
+
+
+# Step 2 - Server Hello (Server -> Client)
+SESSION_ID=$(jq -r '.sessionID' <<< "$RESPONSE")
+
+echo "$RESPONSE" | jq -r '.serverCert' > cert.pem
+
+
+# Step 3 - Server Certificate Verification
+wget https://devops-feb23.s3.eu-north-1.amazonaws.com/cert-ca-aws.pem -O cert-ca-aws.pem
+
+VERIFICATION=$(openssl verify -CAfile cert-ca-aws.pem cert.pem)
+
+if [ "$VERIFICATION" != "cert.pem: OK" ]; then
+ echo "Server Certificate is invalid"
+ exit 5
+fi
+
+
+# Step 4 - Client-Server master-key exchange
+openssl rand -out masterKey.txt -base64 32
+
+MASTER_KEY=$(openssl smime -encrypt -aes-256-cbc -in masterKey.txt -outform DER cert.pem | base64 -w 0)
+
+
+# Step 5 - Server verification message
+RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{
+ "sessionID": "'"$SESSION_ID"'",
+ "masterKey": "'"$MASTER_KEY"'",
+ "sampleMessage": "Hi server, please encrypt me and send to client!"
+}' http://3.129.7.39:8080/keyexchange)
+
+
+# Step 6 - Client verification message
+echo "$RESPONSE" | jq -r '.encryptedSampleMessage' > encSampleMsg.txt
+cat encSampleMsg.txt | base64 -d > encSampleMsgReady.txt
+
+decrypted_sample_msg=$(openssl enc -d -aes-256-cbc -pbkdf2 -kfile masterKey.txt -in encSampleMsgReady.txt)
+
+if [ "$decrypted_sample_msg" != "Hi server, please encrypt me and send to client!" ]; then
+ echo "Server symmetric encryption using the exchanged master-key has failed."
+ exit 6
+else
+ echo "Client-Server TLS handshake has been completed successfully"
+fi
\ No newline at end of file
diff --git a/projects/bash_networking_security/vpc.sh b/projects/bash_networking_security/vpc.sh
index 951abba..9114c65 100644
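Review bot: The symmetric master key is written in clear to `masterKey.txt` in the working directory with the default umask at `openssl rand -out masterKey.txt -base64 32` and is never removed, so the key outlives the handshake it protects; put `umask 077` before that line and `trap 'rm -f masterKey.txt encSampleMsgReady.txt' EXIT` near the top of the script. The `#!/bin/bash -x` shebang traces every expanded command to stderr, including the `SESSION_ID=` assignment and the full server responses, which is debugging output rather than something to ship — drop `-x`, add `set -euo pipefail`, and pass `-fsS` to both `curl` calls so an HTTP error aborts the run instead of feeding empty output to `jq` and `openssl`. Note also that `openssl verify -CAfile cert-ca-aws.pem cert.pem` only proves the certificate chains to the downloaded CA; nothing binds it to the server at `3.129.7.39`, so any certificate that CA ever issued would pass — if the exercise certificate carries a matching SAN, adding `-verify_ip 3.129.7.39` (or `-verify_hostname`) would close that gap.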
--- a/projects/bash_networking_security/vpc.sh
+++ b/projects/bash_networking_security/vpc.sh
@@ -1,4 +1,4 @@
-REGION=""
-VPC_ID=""
-PUBLIC_INSTANCE_ID=""
-PRIVATE_INSTANCE_ID=""
\ No newline at end of file
+REGION="us-east-2"
+VPC_ID="vpc-0877ccfe93bc02d87"
+PUBLIC_INSTANCE_ID="i-0b8a7f68dfbcedf46"
+PRIVATE_INSTANCE_ID="i-0fbcb766ffa9fb760"
\ No newline at end of file
diff --git a/simple_flask_webserver/Dockerfile b/simple_flask_webserver/Dockerfile
new file mode 100644
index 0000000..bf8fa94
--- /dev/null
+++ b/simple_flask_webserver/Dockerfile
@@ -0,0 +1,6 @@
+FROM python:3.8.12-slim-buster
+WORKDIR /app
+COPY . .
+RUN pip install -r requirements.txt
+CMD ["python3","app.py"]
+
From 371659f1ddd864d59adb78f08042c25dcf46916a Mon Sep 17 00:00:00 2001
From: aakshitaa
Date: Fri, 16 Jun 2023 00:03:39 +0530
Subject: [PATCH 2/2] updated
---
 projects/bash_networking_security/SOLUTION | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/projects/bash_networking_security/SOLUTION b/projects/bash_networking_security/SOLUTION
index 9c76518..ab597f5 100644
--- a/projects/bash_networking_security/SOLUTION
+++ b/projects/bash_networking_security/SOLUTION
@@ -1,12 +1,11 @@
 Local DNS Server IP ------------------- -127.0.0.53 - +10.0.0.2 Default gateway IP ------------------- -10.0.128.1 +10.0.0.1 DHCP IP allocation sys-logs
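Review bot: The new Dockerfile runs `app.py` as root — no `USER` directive follows `RUN pip install -r requirements.txt`, so any bug in the Flask app hands an attacker uid 0 inside the container. `COPY . .` before the install also ships the entire build context (no `.dockerignore` appears in this commit) and reinstalls every dependency on any source change; copy `requirements.txt` first, install with `--no-cache-dir`, then copy the source and switch to an unprivileged user. The pinned `python:3.8.12-slim-buster` tag is reproducible, which is good, but both that Python release and Debian buster are past upstream end-of-life, so a currently supported `-slim` tag pinned by digest is worth checking before this image is used beyond the exercise.

```dockerfile
FROM python:3.8.12-slim-buster
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
RUN useradd --system --uid 10001 app
USER app
CMD ["python3","app.py"]
```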