SE5 IdO sécurité des objets 2025/2026 b5


Serveur Virtuel :

Pour créer la VM : xen-create-image --hostname=SE5-crhanim --dhcp --dir=/usr/local/xen --size=20Gb --memory=2048mb  --dist=daedalus --bridge=bridgeStudents

Configuration réseau de la VM :

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 172.26.145.108
        netmask 255.255.255.0
        gateway 172.26.145.251
        dns-nameservers 172.26.145.251
# post-up ethtool -K eth0 tx off

#
# The commented out line above will disable TCP checksumming which
# might resolve problems for some users.  It is disabled by default
#

Vérification :

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=5.72 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=5.72 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=113 time=6.27 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 5.717/5.901/6.267/0.258 ms

Ajout d'une interface dans le VLAN 408 :

#VLAN 408
auto eth1
iface eth1 inet static
        address 172.16.8.1
        netmask 255.255.255.0
#
# The commented out line above will disable TCP checksumming which
# might resolve problems for some users.  It is disabled by default
#

Vérification avec ip a (noter que la sortie ci-dessous affiche 172.16.8.0/24 sur eth1, alors que la configuration ci-dessus prévoit 172.16.8.1 ; l'adresse est à vérifier après rechargement de l'interface) :

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:16:3e:d7:30:83 brd ff:ff:ff:ff:ff:ff
    inet 172.26.145.108/24 brd 172.26.145.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2001:660:4401:6050:216:3eff:fed7:3083/64 scope global dynamic mngtmpaddr
       valid_lft 989sec preferred_lft 889sec
    inet6 2a01:c916:2047:c850:216:3eff:fed7:3083/64 scope global dynamic mngtmpaddr
       valid_lft 2591989sec preferred_lft 604789sec
    inet6 fe80::216:3eff:fed7:3083/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:16:3e:d7:30:84 brd ff:ff:ff:ff:ff:ff
    inet 172.16.8.0/24 brd 172.16.8.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fed7:3084/64 scope link
       valid_lft forever preferred_lft forever

Sur Capbreton : /etc/xen/SE5-crhanim.cfg

#
#  Networking
#
dhcp        = 'dhcp'
vif         = [ 'mac=00:16:3E:D7:30:83,bridge=bridgeStudents',
                'mac=00:16:3E:D7:30:84,bridge=g5_crhanim' ]

Dans /etc/network/interfaces.d/g5_crhanim : configuration de l'interface VLAN 408 et du bridge g5_crhanim :

auto Trunk.408
iface Trunk.408 inet manual
        vlan-raw-device Trunk
        up ip link set $IFACE up
        down ip link set $IFACE down

auto g5_crhanim
iface g5_crhanim inet manual
        bridge_ports Trunk.408
        up ip link set $IFACE up
        down ip link set $IFACE down

Sécurisation WiFi par WPA2-PSK (la valeur de la clé PSK est laissée vide dans l'extrait ci-dessous) :

dot11 ssid SE5-crhanim
  vlan 408
  authentication open
  authentication key-management wpa
  wpa-psk ascii 0 " "
  mbssid guest-mode
exit
interface Dot11Radio1
  encryption vlan 408 mode ciphers aes-ccm
  ssid SE5-crhanim
  mbssid
  no shutdown
exit

interface Dot11Radio1.408
  encapsulation dot1Q 408
  bridge-group 8
exit

interface GigabitEthernet0.408
  encapsulation dot1Q 408
  bridge-group 8
exit

Pour vérifier : ap#sh dot11 bssid

ap#sh dot11 bssid                                                               
Interface      BSSID         Guest  SSID                                        
Dot11Radio1   04da.d2d1.4bf0  Yes  SE5-azongo                                   
Dot11Radio1   04da.d2d1.4bf1  Yes  SE5-crhanim                                  
Dot11Radio1   04da.d2d1.4bf2  Yes  SE5-handrian

Dans la VM, /etc/dhcp/dhcpd.conf :

subnet 172.16.8.0 netmask 255.255.255.0 {
  range 172.16.8.100 172.16.8.200;
  option routers 172.16.8.1;
  #option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
  option domain-name-servers 172.16.8.1;
}

Dans /etc/sysctl.conf : j'ai décommenté la ligne net.ipv4.ip_forward=1 (activation du routage IPv4).

sysctl -p /etc/sysctl.conf : pour recharger la configuration sysctl.

sysctl net.ipv4.ip_forward : pour vérifier

Pour implémenter un serveur DNS récursif réservé au réseau 172.16.8.0/24 (allow-query et listen-on restreints, afin de ne pas exposer un résolveur ouvert sur eth0), dans le fichier /etc/bind/named.conf.options :

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query {172.16.8.0/24; 127.0.0.1;};
        
        forwarders {
                8.8.8.8;
                1.1.1.1;
         };
        dnssec-validation auto;

        listen-on { 127.0.0.1; 172.16.8.1; };
        listen-on-v6 { none; };
};

Pour implémenter une mascarade sur le serveur virtuel (la règle ci-dessous n'est pas persistante au redémarrage) ; l'état de la table nat affiché ensuite provient de iptables -t nat -L -n -v :

iptables -t nat -A POSTROUTING -j MASQUERADE -s 172.16.8.0/24
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  122 51438 MASQUERADE  0    --  *      *       172.16.8.0/24        0.0.0.0/0

Interception de flux

Redirection par DNS

Modification de /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "github.com"{
        type master;
        file "/etc/bind/db.github.com";

};

Création du fichier de zone /etc/bind/db.github.com :

$TTL    604800
@       IN      SOA     ns.github.com. admin.github.com. (
                            1         ; Serial
                       604800         ; Refresh
                        86400         ; Retry
                      2419200         ; Expire
                       604800 )       ; Negative Cache TTL

;
@       IN      NS      ns.github.com.
ns      IN      A       172.16.8.1
@       IN      A       172.16.8.1
www   IN            A       172.16.8.1

Redirection réseau : vérification de la table nat (le trafic TCP entrant à destination du port 80 est redirigé vers le port 8080) :

iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  122 51438 MASQUERADE  0    --  *      *       172.16.8.0/24        0.0.0.0/0