diff --git a/projects/bash_networking_security/SOLUTION b/projects/bash_networking_security/SOLUTION index 2edfbaf..ca5c7d9 100644 --- a/projects/bash_networking_security/SOLUTION +++ b/projects/bash_networking_security/SOLUTION @@ -1,16 +1,22 @@ Local DNS Server IP ------------------- - +-127.0.0.53 Default gateway IP ------------------- - +<10.0.0.1> DHCP IP allocation sys-logs ------------------- + diff --git a/projects/bash_networking_security/bastion_connect.sh b/projects/bash_networking_security/bastion_connect.sh index a9bf588..18dde17 100644 --- a/projects/bash_networking_security/bastion_connect.sh +++ b/projects/bash_networking_security/bastion_connect.sh @@ -1 +1,22 @@ #!/bin/bash +#i +if [[ -z "$KEY_PATH" ]]; then + echo "Error: KEY_PATH environment variable is not set." + exit 5 +fi + +if [[ $# -lt 1 ]]; then + echo "KEY_PATH env var is expected" + echo "Please provide bastion IP address" + exit 5 +fi + +bastion_ip=$1 +private_ip=$2 +command_to_run="${@:3}" + +if [[ -n "$private_ip" ]]; then + ssh -t -i "$KEY_PATH" ubuntu@"$bastion_ip" ssh -i "vidpri-key.pem" ubuntu@"$private_ip" "$command_to_run" +else + ssh -i "$KEY_PATH" ubuntu@"$bastion_ip" "$command_to_run" +fi diff --git a/projects/bash_networking_security/tlsHandshake.sh b/projects/bash_networking_security/tlsHandshake.sh index a9bf588..9fc3a1f 100644 --- a/projects/bash_networking_security/tlsHandshake.sh +++ b/projects/bash_networking_security/tlsHandshake.sh @@ -1 +1,48 @@ -#!/bin/bash +#!/bin/bash -x +# Step 1 - Client Hello (Client -> Server) +RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{ + "version": "1.3", + "ciphersSuites": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"], + "message": "Client Hello" +}' http://16.170.234.56:8080/clienthello) + +# Step 2 - Server Hello (Server -> Client) +SESSION_ID=$(jq -r '.sessionID' <<< "$RESPONSE") + +echo "$RESPONSE" | jq -r '.serverCert' > cert.pem + +# Step 3 - Server Certificate Verification +wget https://devops-feb23.s3.eu-north-1.amazonaws.com/cert-ca-aws.pem -O cert-ca-aws.pem + +VERIFICATION=$(openssl verify -CAfile cert-ca-aws.pem cert.pem) + +if [ "$VERIFICATION" != "cert.pem: OK" ]; then + echo "Server Certificate is invalid" + exit 5 +fi + +# Step 4 - Client-Server master-key exchange +openssl rand -out masterKey.txt -base64 32 + +MASTER_KEY=$(openssl smime -encrypt -aes-256-cbc -in masterKey.txt -outform DER cert.pem | base64 -w 0) + +# Step 5 - Server verification message +RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{ + "sessionID": "'"$SESSION_ID"'", + "masterKey": "'"$MASTER_KEY"'", + "sampleMessage": "Hi server, please encrypt me and send to client!" +}' http://16.170.234.56:8080/keyexchange) + +# Step 6 - Client verification message +echo "$RESPONSE" | jq -r '.encryptedSampleMessage' > encSampleMsg.txt +cat encSampleMsg.txt | base64 -d > encSampleMsgReady.txt + +decrypted_sample_msg=$(openssl enc -d -aes-256-cbc -pbkdf2 -kfile masterKey.txt -in encSampleMsgReady.txt) + +if [ "$decrypted_sample_msg" != "Hi server, please encrypt me and send to client!" ]; then + echo "Server symmetric encryption using the exchanged master-key has failed." + exit 6 +else + echo "Client-Server TLS handshake has been completed successfully" +fi + diff --git a/projects/bash_networking_security/vpc.sh b/projects/bash_networking_security/vpc.sh index 951abba..0812c92 100644 --- a/projects/bash_networking_security/vpc.sh +++ b/projects/bash_networking_security/vpc.sh @@ -1,4 +1,4 @@ -REGION="" -VPC_ID="" -PUBLIC_INSTANCE_ID="" -PRIVATE_INSTANCE_ID="" \ No newline at end of file +REGION="us-east-1" +VPC_ID="vpc-0da47383de0ba257e" +PUBLIC_INSTANCE_ID="i-016c56b2fc4e6f7f9" +PRIVATE_INSTANCE_ID="i-0520e3ace53a56df6" \ No newline at end of file