SE5 IdO sécurité des objets 2025/2026 b3

De wiki-se.plil.fr
Aller à la navigation Aller à la recherche

Création de la machine virtuelle

xen-create-image --hostname=SE5-handrian --dhcp --bridge=bridgeStudents --dir=/usr/local/xen --size=10GB --dist=daedalus --memory=1024M

Configuration VM

# This file describes the network interfaces available on your system

# and how to activate them. For more information, see interfaces(5).

# The loopback network interface

auto lo

iface lo inet loopback

# The primary network interface

auto eth0

iface eth0 inet static

       address 172.26.145.111

       netmask 255.255.255.0

       gateway 172.26.145.251

       dns-nameservers 172.26.145.251


#VLAN411

auto eth1

iface eth1 inet static

       address 172.16.11.0

       netmask 255.255.255.0  

Capbreton

#  Networking

#

dhcp        = 'dhcp'

vif         = [ 'mac=00:16:3E:1A:68:1E,bridge=bridgeStudents' ,

       'mac=00:16:3E:1A:68:1F,bridge=g3_handrian']

#

Configuration

auto Trunk.411

iface Trunk.411 inet manual

       vlan-raw-device Trunk

       up ip link set $IFACE up

       down ip link set $IFACE down

auto g3_handrian

iface g3_handrian inet manual

   bridge_ports Trunk.411

   up ip link set $IFACE up

   down ip link set $IFACE down

Sécurisation WiFi par WPA2-PSK

dot11 ssid SE5-handrian
  vlan 411
  authentication open
  authentication key-management wpa
  wpa-psk ascii 0 " "
  mbssid guest-mode
exit
interface Dot11Radio1
  encryption vlan 411 mode ciphers aes-ccm
  ssid SE5-handrian
  mbssid
  no shutdown
exit

interface Dot11Radio1.411
  encapsulation dot1Q 411
  bridge-group 11
exit

interface GigabitEthernet0.411
  encapsulation dot1Q 411
  bridge-group 11
exit

Pour vérifier : ap# sh dot11 bssid

ap#sh dot11 bssid                                                               
Interface      BSSID         Guest  SSID                                        
Dot11Radio1   04da.d2d1.4bf0  Yes  SE5-azongo                                   
Dot11Radio1   04da.d2d1.4bf1  Yes  SE5-crhanim                                  
Dot11Radio1   04da.d2d1.4bf2  Yes  SE5-handrian

Installer isc-dhcp-server dans la VM  : /etc/dhcp/dhcpd.conf

subnet 172.16.11.0 netmask 255.255.255.0 {
  range 172.16.11.100 172.16.11.200;
  option routers 172.16.11.1;
  #option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
  option domain-name-servers 172.16.11.1;
}

dans /etc/default/isc-dhcp-server : INTERFACESv4="eth1"

dans /etc/sysctl.conf : décommenter : net.ipv4.ip_forward=1

sysctl -p /etc/sysctl.conf : pour recharger configuration sysctl.

sysctl net.ipv4.ip_forward : pour vérifier

Interception de flux

Redirection par DNS

Modification du fichier /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "wikipedia.org" {
        type master;
        file "/etc/bind/db.wikipedia.org";
};

Création de la zone db.wikipedia.org

$TTL    604800
@       IN      SOA     ns.wikipedia.org. admin.wikipedia.org. (
                             10         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.wikipedia.org.
ns      IN      A       172.16.11.1
@       IN      A       172.16.11.1
www     IN      A       172.16.11.1

Redirection réseau

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080

iptables -t nat -L -n -v

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   6    --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    5  1468 MASQUERADE  0    --  *      *       172.16.11.0/24       0.0.0.0/0

Serveur Apache sécurisé

Génération du certificat auto-signé pour Apache,

openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout /etc/ssl/apache/apache-selfsigned.key \
  -out /etc/ssl/apache/apache-selfsigned.crt \
  -subj "/C=FR/ST=Nord/L=Lille/O=Polytech/CN=wikipedia.org"

Configuration Apache

<VirtualHost *:443>
    ServerName wikipedia.org

    DocumentRoot /var/www/html


    SSLEngine on
    SSLCertificateFile /etc/ssl/apache/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/apache/apache-selfsigned.key

    ErrorLog ${APACHE_LOG_DIR}/site-error.log
    CustomLog ${APACHE_LOG_DIR}/site-access.log combined

</VirtualHost>

<VirtualHost *:80>
    ServerName wikipedia.org
    Redirect permanent / https://wikipedia.org/
</VirtualHost>

Pour activer

a2ensite site-se5.conf
service apache2 reload

Pour véridier l'écoute du port 443

# ss -tulpn | grep 443
tcp   LISTEN 0      128                *:443             *:*    users:(("apache2",pid=5394,fd=6),("apache2",pid=5393,fd=6),("apache2",pid=5390,fd=6))
Récupérée de « http:///mediawiki/index.php?title=SE5_IdO_sécurité_des_objets_2025/2026_b3&oldid=10727 »