« SE5 IdO sécurité des objets 2025/2026 b3 »: difference between revisions
Current version dated 4 December 2025 at 16:14
Creating the virtual machine
xen-create-image --hostname=SE5-handrian --dhcp --bridge=bridgeStudents --dir=/usr/local/xen --size=10GB --dist=daedalus --memory=1024M
VM configuration
# /etc/network/interfaces of the VM
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 172.26.145.111
netmask 255.255.255.0
gateway 172.26.145.251
dns-nameservers 172.26.145.251
# VLAN 411: the lab network served by the DHCP server configured below.
# eth1 holds 172.16.11.1, the router/DNS address handed to clients by dhcpd.conf.
auto eth1
iface eth1 inet static
address 172.16.11.1
netmask 255.255.255.0
Capbreton
# Networking
#
dhcp = 'dhcp'
vif = [ 'mac=00:16:3E:1A:68:1E,bridge=bridgeStudents' ,
'mac=00:16:3E:1A:68:1F,bridge=g3_handrian']
#
Configuration
auto Trunk.411
iface Trunk.411 inet manual
vlan-raw-device Trunk
up ip link set $IFACE up
down ip link set $IFACE down
auto g3_handrian
iface g3_handrian inet manual
bridge_ports Trunk.411
up ip link set $IFACE up
down ip link set $IFACE down
Securing the WiFi with WPA2-PSK
dot11 ssid SE5-handrian
vlan 411
authentication open
authentication key-management wpa
! key type 0: the passphrase that follows is entered, and kept in the running config, in clear text
wpa-psk ascii 0 " "
mbssid guest-mode
exit
interface Dot11Radio1
encryption vlan 411 mode ciphers aes-ccm
ssid SE5-handrian
mbssid
no shutdown
exit
interface Dot11Radio1.411
encapsulation dot1Q 411
bridge-group 11
exit
interface GigabitEthernet0.411
encapsulation dot1Q 411
bridge-group 11
exit
To check: ap# sh dot11 bssid
ap#sh dot11 bssid
Interface BSSID Guest SSID
Dot11Radio1 04da.d2d1.4bf0 Yes SE5-azongo
Dot11Radio1 04da.d2d1.4bf1 Yes SE5-crhanim
Dot11Radio1 04da.d2d1.4bf2 Yes SE5-handrian
Install isc-dhcp-server in the VM: /etc/dhcp/dhcpd.conf
subnet 172.16.11.0 netmask 255.255.255.0 {
range 172.16.11.100 172.16.11.200;
option routers 172.16.11.1;
#option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
option domain-name-servers 172.16.11.1;
}
In /etc/default/isc-dhcp-server: INTERFACESv4="eth1"
In /etc/sysctl.conf: uncomment: net.ipv4.ip_forward=1
sysctl -p /etc/sysctl.conf: to reload the sysctl configuration.
sysctl net.ipv4.ip_forward: to check.
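An added example (my own, not part of the lab page) of what the AP and every client derive from the WPA2-PSK configuration above: the pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID SE5-handrian as salt, so the passphrase typed into wpa-psk ascii 0 "..." is the only secret protecting the VLAN 411 network. The 20-character minimum in the policy check is an assumed lab policy, not something the page states.

```python
import hashlib

# IEEE 802.11i PSK derivation: PBKDF2-HMAC-SHA1 with the SSID as salt,
# 4096 iterations, 256-bit output. Any WPA2-PSK AP or client derives this
# from 'dot11 ssid SE5-handrian' and the 'wpa-psk ascii 0 "..."' passphrase.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the pairwise master key (PMK) of a WPA2-PSK network."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA2 passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)

def passphrase_problems(passphrase: str, minimum_length: int = 20) -> list:
    """Policy violations for a passphrase; the 20-character minimum is an assumed lab policy."""
    problems = []
    if len(passphrase) < minimum_length:
        problems.append(f"shorter than {minimum_length} characters")
    classes = sum(any(test(c) for c in passphrase)
                  for test in (str.islower, str.isupper, str.isdigit))
    if classes < 3:
        problems.append("fewer than 3 character classes (lower, upper, digit)")
    return problems

if __name__ == "__main__":
    # Published 802.11i test vector (passphrase "password", SSID "IEEE").
    print(wpa2_pmk("password", "IEEE").hex())
    # The SSID is the salt: the same passphrase gives a different PMK on SE5-handrian.
    print(wpa2_pmk("password", "SE5-handrian").hex())
    print(passphrase_problems("password"))
```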
Traffic interception
Redirection via DNS
Editing the file /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "wikipedia.org" {
type master;
file "/etc/bind/db.wikipedia.org";
};
Creating the zone file /etc/bind/db.wikipedia.org
$TTL 604800
@ IN SOA ns.wikipedia.org. admin.wikipedia.org. (
10 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.wikipedia.org.
ns IN A 172.16.11.1
@ IN A 172.16.11.1
www IN A 172.16.11.1
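As an added example (not from the lab page), the following Python check shows how the DNS redirection above is detected from the client side: it parses the A records of the zone file, flags a public domain whose answers fall in RFC 1918 space, and compares the LAN resolver's answer with a trusted reference resolver. The zone text is copied from this page; the reference address 203.0.113.10 is a constructed placeholder, not a real wikipedia.org address.

```python
import ipaddress
import re
# Constructed copy of the /etc/bind/db.wikipedia.org zone shown on this page.
ZONE_TEXT = """\
$TTL 604800
@ IN SOA ns.wikipedia.org. admin.wikipedia.org. (
 10 ; Serial
 604800 ; Refresh
 86400 ; Retry
 2419200 ; Expire
 604800 ) ; Negative Cache TTL
;
@ IN NS ns.wikipedia.org.
ns IN A 172.16.11.1
@ IN A 172.16.11.1
www IN A 172.16.11.1
"""
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)$", re.IGNORECASE)  # owner [ttl] IN A address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_a_records(zone_text: str, origin: str) -> dict:
    """Map every A record owner, expanded to a FQDN, to its address."""
    records = {}
    for raw in zone_text.splitlines():
        match = A_RECORD.match(raw.split(";", 1)[0].strip())  # comments dropped
        if not match:
            continue
        owner, address = match.groups()
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner[:-1]
        else:
            fqdn = f"{owner}.{origin}"
        records[fqdn] = str(ipaddress.ip_address(address))
    return records

def is_rfc1918(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)

def private_answers(records: dict) -> list:
    """Names of a public zone answered with RFC 1918 addresses: the signature of a local DNS redirection."""
    return sorted(name for name, address in records.items() if is_rfc1918(address))

def redirected(lan_answers, reference_answers) -> bool:
    """True when the LAN resolver disagrees with a trusted reference and points into private space."""
    return set(lan_answers) != set(reference_answers) and any(is_rfc1918(a) for a in lan_answers)
```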
Network redirection
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT 6 -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 1468 MASQUERADE 0 -- * * 172.16.11.0/24 0.0.0.0/0
Secured Apache server
Generating the self-signed Apache certificate
# Self-signed certificate: no client trusts it, so browsers show a certificate
# warning when reaching the intercepted site (the visible sign of the interception).
openssl req -x509 -nodes -days 365 \
-newkey rsa:2048 \
-keyout /etc/ssl/apache/apache-selfsigned.key \
-out /etc/ssl/apache/apache-selfsigned.crt \
-subj "/C=FR/ST=Nord/L=Lille/O=Polytech/CN=wikipedia.org"
Apache configuration
<VirtualHost *:443>
ServerName wikipedia.org
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/apache/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/apache/apache-selfsigned.key
ErrorLog ${APACHE_LOG_DIR}/site-error.log
CustomLog ${APACHE_LOG_DIR}/site-access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName wikipedia.org
Redirect permanent / https://wikipedia.org/
</VirtualHost>
To enable the site
a2ensite site-se5.conf
service apache2 reload
To verify that port 443 is listening
# ss -tulpn | grep 443
tcp LISTEN 0 128 *:443 *:* users:(("apache2",pid=5394,fd=6),("apache2",pid=5393,fd=6),("apache2",pid=5390,fd=6))
Android virtual machine
Creating the disk
qemu-img create -f qcow2 android.qcow2 16G
Formatting 'android.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=17179869184 lazy_refcounts=off refcount_bits=16
Installing Android
qemu-system-x86_64 \
-m 4096 \
-smp 4 \
-enable-kvm \
-drive file=android.qcow2,format=qcow2 \
-cdrom ~/Downloads/android-x86-9.0-r2.iso \
-boot d \
-net nic -net user
To start Android:
qemu-system-x86_64 -m 4096 -smp 4 -enable-kvm -drive file=android.qcow2,format=qcow2 -net nic -net user