guillaume.emorine/siotp
guillaume.emorine/siotp
2
1
Fork 1
Code Pull Requests Actions Packages Projects Releases 4 Activity

Compare commits

base: guillaume.emorine:main
Branches Tags
guillaume.emorine:main
nathan.genret:main
guillaume.emorine:v.0.3.1-ge
guillaume.emorine:v.0.3.0-ge
guillaume.emorine:v.0.2.9-ge
guillaume.emorine:v.0.2.8-ge
guillaume.emorine:v.0.2.7-ge
guillaume.emorine:v.0.2.6-ge
guillaume.emorine:v.0.2.5-ge
guillaume.emorine:v.0.2.4-ge
guillaume.emorine:v.0.2.3-ge
guillaume.emorine:v.0.2.2-ge
guillaume.emorine:v.0.2.1-ge
guillaume.emorine:v.0.2.0-ge
guillaume.emorine:v.0.1.9-ge
guillaume.emorine:v.0.1.8-ge
guillaume.emorine:v.0.1.7-ge
guillaume.emorine:v.0.1.6-ge
guillaume.emorine:v.0.1.5-ge
guillaume.emorine:v.0.1.4-ge
guillaume.emorine:v.0.1.3-ge
guillaume.emorine:v.0.1.2-ge
guillaume.emorine:v.0.1.1-ge
guillaume.emorine:v.0.1.0-ge
guillaume.emorine:v0.0.13-ge
guillaume.emorine:v0.0.12-ge
guillaume.emorine:v0.0.11-ge
guillaume.emorine:v0.0.10-ge
guillaume.emorine:v0.0.9-ge
guillaume.emorine:v0.0.8-ge
guillaume.emorine:v0.0.7-ge
guillaume.emorine:v0.0.6-ge
guillaume.emorine:v0.0.5-ge
guillaume.emorine:v0.0.4-ge
guillaume.emorine:v0.0.3-ge
guillaume.emorine:v0.0.2-ge
guillaume.emorine:v0.0.1-ge
guillaume.emorine:v0.0.0-ge
..
compare: nathan.genret:main
Branches Tags
nathan.genret:main
guillaume.emorine:main
guillaume.emorine:v.0.3.1-ge
guillaume.emorine:v.0.3.0-ge
guillaume.emorine:v.0.2.9-ge
guillaume.emorine:v.0.2.8-ge
guillaume.emorine:v.0.2.7-ge
guillaume.emorine:v.0.2.6-ge
guillaume.emorine:v.0.2.5-ge
guillaume.emorine:v.0.2.4-ge
guillaume.emorine:v.0.2.3-ge
guillaume.emorine:v.0.2.2-ge
guillaume.emorine:v.0.2.1-ge
guillaume.emorine:v.0.2.0-ge
guillaume.emorine:v.0.1.9-ge
guillaume.emorine:v.0.1.8-ge
guillaume.emorine:v.0.1.7-ge
guillaume.emorine:v.0.1.6-ge
guillaume.emorine:v.0.1.5-ge
guillaume.emorine:v.0.1.4-ge
guillaume.emorine:v.0.1.3-ge
guillaume.emorine:v.0.1.2-ge
guillaume.emorine:v.0.1.1-ge
guillaume.emorine:v.0.1.0-ge
guillaume.emorine:v0.0.13-ge
guillaume.emorine:v0.0.12-ge
guillaume.emorine:v0.0.11-ge
guillaume.emorine:v0.0.10-ge
guillaume.emorine:v0.0.9-ge
guillaume.emorine:v0.0.8-ge
guillaume.emorine:v0.0.7-ge
guillaume.emorine:v0.0.6-ge
guillaume.emorine:v0.0.5-ge
guillaume.emorine:v0.0.4-ge
guillaume.emorine:v0.0.3-ge
guillaume.emorine:v0.0.2-ge
guillaume.emorine:v0.0.1-ge
guillaume.emorine:v0.0.0-ge

No commits in common. "main" and "main" have entirely different histories.
main ... main

503 changed files with 129 additions and 51829 deletions
Show Stats Expand all files Collapse all files

6
README.md
View File

@ -1,5 +1 @@
# siotp
## Dépôt de fichiers personnels provenant de machines virtuelles utilisées en TP. Ce Gitea contient aussi un script d'automatisation du processus de push et de pull, adaptés aux deux branches.
*Dépôt anciennement privé, devenu public le 16 Septembre 2024.*
Dépôt de fichiers personnels provenant de machines virtuelles utilisées en TP.

28
automate.sh
View File

@ -2,32 +2,20 @@
# Script utilisé pour "automatiser" (raccourcir) le processus de pull, d'ajout, de commit et de push pour le répositoire Gitea personnel.
# Ajout de messages et de délais pour mieux se repérer et se situer dans le processus.
# Ajout d'un système de choix
# Ajout d'un export de proxy HTTP/HTTPS automatique vers ceux du lycée pour la machine en salle 214.
# Ajout d'un système de gestion d'erreur très basique pour éviter qu'un push/un pull se produise en cas de réponses incorrectes.
# Suppression des derniers vestiges de l'existence d'une branche autre que 'main'
export http_proxy="http://10.121.38.1:8080/"
export https_proxy="http://10.121.38.1:8080/"
echo "Voulez-vous récupérer les fichiers du dépôt ou effectuer un push sur le dépôt ? [1 = Pull, 2 = Push]"
echo "Voulez-vous récupérer les fichiers à jour ou effectuer un push ? [1 = Pull, 2 = Push]"
read answer
if [ $answer == 1 ] ; then
echo "Récupération des fichiers à jour, branche main..."
git pull -q origin main
echo "Fichiers à jour récupérés."
echo "Récupération des fichiers à jour..."
git pull
else
echo "Ajout des fichiers au Gitea..."
sleep 1
sleep 2
git add .
echo "Commit en cours..."
sleep 1
sleep 2
git commit
git tag -l "v.*" --sort="-v:refname"
echo "Entrez la version du tag: (Le plus récent est en haut)"
read tag
git tag $tag
echo "Push des fichiers au Gitea, branche main..."
sleep 1
git push -q origin main --tag
echo "Push des fichiers au Gitea..."
sleep 2
git push
fi

19
bts_annee_1/README.md
View File

@ -1,19 +0,0 @@
Chaque dossier porte le(s) numéro(s) du TP, et une abbréviation de son contenu.
Ici se trouve la table de correspondance :
01: Mise en oeuvre d'une infrastructure DHCP et routage.
02: Paramétrage d'un serveur DNS.
03: Création d'un réseau privé à administrer.
04: Administration d'un réseau privé.
05: Création d'un partage de fichiers Samba.
06: Paramétrage d'un serveur proxy.
07: Firewall avec netfilter et nftables.
08: Modification d'une infrastructure.

1
bts_annee_1/tp01-02_dhcp_dns/fichiers_vm_dhcp/README.md
View File

@ -1 +0,0 @@
Fichiers du premier et deuxième TP pour la machine srv-dhcp-ge.

1
bts_annee_1/tp01-02_dhcp_dns/fichiers_vm_dns1/README.md
View File

@ -1 +0,0 @@
Fichiers du premier et deuxième TP pour la machine srv-dns1-ge.

1
bts_annee_1/tp01-02_dhcp_dns/fichiers_vm_dns2/README.md
View File

@ -1 +0,0 @@
Fichiers du premier et deuxième TP pour la machine srv-dns2-ge.

1
bts_annee_1/tp03_reseau_prive_creation/fichiers_vm_admin/README.md
View File

@ -1 +0,0 @@
Fichiers de la machine srv-admin-ge.

1
bts_annee_1/tp03_reseau_prive_creation/fichiers_vm_dns2/README.md
View File

@ -1 +0,0 @@
Fichiers pour la machine srv-dns2-ge.

1
bts_annee_1/tp03_reseau_prive_creation/fichiers_vm_service/README.md
View File

@ -1 +0,0 @@
Fichiers de la machine srv-service-ge.

1
bts_annee_1/tp04_reseau_prive_administration/fichiers_et_scripts/README.md
View File

@ -1 +0,0 @@
Ce dossier content les fichiers et les scripts.

2
bts_annee_1/tp04_reseau_prive_administration/nat_automatique/README.md
View File

@ -1,2 +0,0 @@
Copy to /etc/systemd/system.
C'est un service systemd pour automatiser la NAT.

1
bts_annee_1/tp08_evolution_infrastructure/README.md
View File

@ -1 +0,0 @@
Dossiers contenant la préparation du huitième TP, pour l'évolution de l'infrastructure.

2
bts_annee_1/tp08_evolution_infrastructure/regles_originales/README.md
View File

@ -1,2 +0,0 @@
Ce dossier contient le fichier des règles du pare-feu, tel qu'il était avant la décomposition en étapes progressives.
Ce fichier est donc l'original.

217
bts_annee_1/tp08_evolution_infrastructure/regles_originales/firewall_compiled.txt
View File

@ -1,217 +0,0 @@
# Etapes "réussies"
# Etape 1 - oui
# Etape 2 - oui
# Etape 3 - oui
# Etape 4 - oui
# Etape 5 - oui
# Etape 6 - oui
# Etape 7 - oui
# Etape 8 - oui
# Etape 9 - non
# Définition des interfaces avec un nom
define netif = enp0s3
define dmzif = enp0s8
define lanif = enp0s9
# Définition des réseaux
define dmz-ntw = 172.17.0.0/24
define lan-ntw = 172.16.0.0/24
define net-ntw = 192.168.0.0/24
# Définition des IPs du pare-feu
define firewall-net = 192.168.0.120
define firewall-lan = 172.16.0.254
define firewall-dmz = 172.17.0.254
# Définition des choses importantes - Vérifier comment les commentaires en fin de ligne fonctionnent
define proxy-dns = 172.17.0.1 # IP de srv-dmz
define dns-school = {10.121.38.7 , 10.121.38.8} # Serveurs DNS du lycée
define portproxy = 1080 # Port utilisé par le proxy qu'on va configurer
define dhcp = 172.16.0.1 # IP de srv-service
define pcsecure = 172.16.0.10 # IP de pc-secure
define router = 192.168.0.1 # IP de GWSIO
define lan-dhcp = 172.16.0.100-172.16.0.200 # IPs utilisées en plage DHCP
# Début des tables et des chaînes
table ip ipfilter {
chain prerouting {
type filter hook prerouting priority filter; policy drop;
#Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
#Autorise le SSH, étape 2
tcp dport 22 iif $firewall-net accept
#Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ, étape 4
icmp type echo-request iif {$lanif} oif {$dmzif} accept
#Accepte les réponses ping pour l'étape 4
icmp type echo-reply accept
#Autorise les requêtes HTTP/HTTPS venant de la LAN - A vérifier
tcp dport {$portproxy} ip saddr $lan-ntw ip daddr $proxy-dns accept
#Autorise les requêtes DNS venant de la LAN - A vérifier
udp dport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
udp sport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
#Autorise les réponses DNS allant vers la LAN (étape 5) - A vérifier, expérimental
udp dport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
udp sport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
#Autorise les requêtes DNS depuis le serveur proxy vers sio.lan (gwsio) (étape 6)
tcp dport 53 ip saddr $proxy-dns ip daddr $router accept
#Autorise les requêtes vers internet si elles viennent du serveur proxy (étape 7) - A vérifier
ip saddr $proxy-dns daddr $router accept
}
chain system_in {
type filter hook input priority filter; policy drop;
#Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
#Refuse les paquets sans états/qui viennent d'une connexion inconnue
ct state invalid, untracked drop
#Autorise le SSH, étape 2
tcp dport 22 iif $firewall-net accept
#Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ, étape 4
icmp type echo-request iif {$lanif} oif {$dmzif} accept
#Accepte les réponses ping pour l'étape 4
icmp type echo-reply accept
#Autorise les requêtes HTTP/HTTPS venant de la LAN (étape 5) - A vérifier
tcp dport {$portproxy} ip saddr $lan-ntw ip daddr $proxy-dns accept
#Autorise les requêtes DNS venant de la LAN (étape 5) - A vérifier
udp dport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
udp sport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
#Autorise les réponses DNS allant vers la LAN (étape 5) - A vérifier, expérimental
udp dport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
udp sport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
#Autorise les requêtes vers internet si elles viennent du serveur proxy (étape 7) - A vérifier
ip saddr $proxy-dns daddr $router accept
}
chain routing {
type filter hook forward priority filter; policy drop;
#Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
#Refuse les paquets sans états/qui viennent d'une connexion inconnue
ct state invalid, untracked drop
#Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ, étape 4
icmp type echo-request iif {$lanif} oif {$dmzif} accept
#Autorise les requêtes HTTP/HTTPS venant de la LAN (étape 5) - A vérifier
tcp dport {$portproxy} ip saddr $lan-ntw ip daddr $proxy-dns accept
#Autorise les requêtes DNS venant de la LAN (étape 5) - A vérifier
udp dport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
udp sport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
#Autorise les réponses DNS allant vers la LAN (étape 5) - A vérifier, expérimental
udp dport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
udp sport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
#Autorise les requêtes DNS depuis le serveur proxy vers sio.lan (gwsio) (étape 6)
tcp dport 53 ip saddr $proxy-dns ip daddr $router accept
#Autorise les requêtes vers internet si elles viennent du serveur proxy (étape 7) - A vérifier
ip saddr $proxy-dns daddr $router accept
}
chain system_out {
type filter hook output priority filter; policy drop;
#Autorise le SSH à destination de srv-dmz et srv-service si la requête vient du firewall, étape 3 - A vérifier
tcp sport 22 ip saddr {$firewall-dmz, $firewall-lan} ip daddr {$proxy-dns, $dhcp} accept
#Autorise le pare-feu à faire des pings vers toutes les machines, étape 4 - A vérifier
icmp type echo-request ip saddr {$firewall-net, $firewall-lan, $firewall-dmz} accept
#Autorise les requêtes HTTP/HTTPS venant de la LAN (étape 5) - A vérifier
tcp dport {$portproxy} ip saddr $lan-ntw ip daddr $proxy-dns accept
#Autorise les requêtes DNS venant de la LAN (étape 5) - A vérifier
udp dport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
udp sport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
#Autorise les réponses DNS allant vers la LAN (étape 5) - A vérifier, expérimental
udp dport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
udp sport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
}
chain postrouting {
type filter hook postrouting priority filter; policy drop;
#Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
#Refuse les paquets sans états/qui viennent d'une connexion inconnue
ct state invalid, untracked drop
#Autorise le SSH à destination de srv-dmz et srv-service si la requête vient du firewall, étape 3 - A vérifier
tcp sport 22 ip saddr {$firewall-dmz, $firewall-lan} ip daddr {$proxy-dns, $dhcp} accept
#Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ, étape 4
icmp type echo-request iif {$lanif} oif {$dmzif} accept
#Autorise le pare-feu à faire des pings vers toutes les machines, étape 4 - A vérifier
icmp type echo-request ip saddr {$firewall-net, $firewall-lan, $firewall-dmz} accept
#Autorise les requêtes HTTP/HTTPS venant de la LAN (étape 5) - A vérifier
tcp dport {$portproxy} ip saddr $lan-ntw ip daddr $proxy-dns accept
#Autorise les requêtes DNS venant de la LAN (étape 5) - A vérifier
udp dport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
udp sport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
#Autorise les réponses DNS allant vers la LAN (étape 5) - A vérifier, expérimental
udp dport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
udp sport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
#Autorise les requêtes DNS depuis le serveur proxy vers sio.lan (gwsio) (étape 6)
tcp dport 53 ip saddr $proxy-dns ip daddr $router accept
#Autorise les requêtes vers internet si elles viennent du serveur proxy (étape 7) - A vérifier
ip saddr $proxy-dns daddr $router accept
}
# Chaînes pour la NAT - étape 8 et 9.
chain nat_prerouting {
type nat hook prerouting priority filter; policy accept;*
# Port Forwarding pour le DNS, entre pare-feu et DMZ (étape 9)
iif eth0 udp dport 53 dnat to $proxy-dns
iif eth0 tcp dport 53 dnat to $proxy-dns
}
chain nat_postrouting {
type nat hook postrouting priority filter; policy accept;
# Masquage des adresses IP de la DMZ via NAT (étape 8)
ip saddr $dmz-ntw snat $firewall-net
}
}

1
bts_annee_1/tp08_evolution_infrastructure/regles_progressives/README.md
View File

@ -1 +0,0 @@
Ce dossier contient le fichier de base (firewall_1-2), ainsi que des fichiers numérotés qui contiennent les règles à rajouter de chaque étape successive.

69
bts_annee_1/tp08_evolution_infrastructure/regles_progressives/firewall_1-2
View File

@ -1,69 +0,0 @@
# Définition des interfaces avec un nom
define netif = enp0s3 # Interface avec accès internet extérieur
define dmzif = enp0s8 # Interface branchée à la DMZ
define lanif = enp0s9 # Interface branchée au LAN
# Définition des réseaux
define dmz-ntw = 172.17.0.0/24 # Plage réseau de la DMZ
define lan-ntw = 172.16.0.0/24 # Plage réseau du LAN
define net-ntw = 192.168.0.0/24 # Plage réseau, accès internet
# Définition des IPs du pare-feu
define firewall-net = 192.168.0.120
define firewall-lan = 172.16.0.254
define firewall-dmz = 172.17.0.254
# Définition des choses importantes - Vérifier comment les commentaires en fin de ligne fonctionnent
define proxy-dns = 172.17.0.1 # IP de srv-dmz
define dns-school = {10.121.38.7 , 10.121.38.8} # Serveurs DNS du lycée
define portproxy = 1080 # Port utilisé par le proxy qu'on va configurer
define dhcp = 172.16.0.1 # IP de srv-service
define pcsecure = 172.16.0.10 # IP de pc-secure
define router = 192.168.0.1 # IP de GWSIO
define lan-dhcp = 172.16.0.100-172.16.0.200 # IPs utilisées en plage DHCP
# Début des tables et des chaînes
table ip ipfilter {
chain prerouting {
type filter hook prerouting priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Autorise le SSH, étape 2
tcp dport 22 iif $firewall-net accept
}
chain system_in {
type filter hook input priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Autorise le SSH, étape 2
tcp dport 22 iif $firewall-net accept
}
chain routing {
type filter hook forward priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
}
chain system_out {
type filter hook output priority filter; policy drop;
}
chain postrouting {
type filter hook postrouting priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
}
}

21
bts_annee_1/tp08_evolution_infrastructure/regles_progressives/firewall_3
View File

@ -1,21 +0,0 @@
# Ajouts pour l'étape 3
table ip ipfilter {
chain system_out {
type filter hook output priority filter; policy drop;
# Autorise le SSH à destination de srv-dmz et srv-service si la requête vient du firewall, étape 3 - A vérifier
tcp sport 22 ip saddr {$firewall-dmz, $firewall-lan} ip daddr {$proxy-dns, $dhcp} accept
}
chain postrouting {
type filter hook postrouting priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Autorise le SSH à destination de srv-dmz et srv-service si la requête vient du firewall, étape 3 - A vérifier
tcp sport 22 ip saddr {$firewall-dmz, $firewall-lan} ip daddr {$proxy-dns, $dhcp} accept
}
}

61
bts_annee_1/tp08_evolution_infrastructure/regles_progressives/firewall_4
View File

@ -1,61 +0,0 @@
# Chaînes à ajouter dans l'étape 4
table ip ipfilter {
chain prerouting {
type filter hook prerouting priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ, étape 4
icmp type echo-request iif {$lanif} oif {$dmzif} accept
# Accepte les réponses ping pour l'étape 4
icmp type echo-reply accept
}
chain system_in {
type filter hook input priority filter; policy drop;
# Accepte les réponses ping pour l'étape 4
icmp type echo-reply accept
}
chain routing {
type filter hook forward priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ, étape 4
icmp type echo-request iif {$lanif} oif {$dmzif} accept
# Accepte les réponses ping pour l'étape 4
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
}
chain system_out {
type filter hook output priority filter; policy drop;
# Autorise le pare-feu à faire des pings vers toutes les machines, étape 4 - A vérifier
icmp type echo-request accept
}
chain postrouting {
type filter hook postrouting priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ, étape 4
icmp type echo-request iif {$lanif} oif {$dmzif} accept
# Autorise le pare-feu à faire des pings vers toutes les machines, étape 4 - A vérifier
icmp type echo-request ip saddr {$firewall-net, $firewall-lan, $firewall-dmz} accept
# Accepte les réponses ping pour l'étape 4
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
}
}

60
bts_annee_1/tp08_evolution_infrastructure/regles_progressives/firewall_5
View File

@ -1,60 +0,0 @@
# Chaînes à ajouter pour l'étape 5
table ip ipfilter {
chain prerouting {
type filter hook prerouting priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Autorise les requêtes HTTP/HTTPS venant de la LAN (étape 5)
tcp dport {$portproxy} ip saddr $lan-ntw ip daddr $proxy-dns accept
# Autorise les requêtes DNS venant de la LAN (étape 5)
udp dport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
udp sport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
# Autorise les réponses DNS allant vers la LAN (étape 5) - A vérifier, tester sans
udp dport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
udp sport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
}
chain routing {
type filter hook forward priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Autorise les requêtes HTTP/HTTPS venant de la LAN (étape 5) - A vérifier
tcp dport {$portproxy} ip saddr $lan-ntw ip daddr $proxy-dns accept
# Autorise les requêtes DNS venant de la LAN (étape 5) - A vérifier
udp dport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
udp sport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
# Autorise les réponses DNS allant vers la LAN (étape 5) - A vérifier, tester sans
udp dport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
udp sport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
}
chain postrouting {
type filter hook postrouting priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Autorise les requêtes HTTP/HTTPS venant de la LAN (étape 5) - A vérifier
tcp dport {$portproxy} ip saddr $lan-ntw ip daddr $proxy-dns accept
# Autorise les requêtes DNS venant de la LAN (étape 5) - A vérifier
udp dport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
udp sport 53 ip saddr $lan-ntw ip daddr $proxy-dns accept
# Autorise les réponses DNS allant vers la LAN (étape 5) - A vérifier, tester sans
udp dport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
udp sport 53 ip daddr $lan-ntw ip saddr $proxy-dns accept
}
}

31
bts_annee_1/tp08_evolution_infrastructure/regles_progressives/firewall_6
View File

@ -1,31 +0,0 @@
# Chaînes à rajouter pour l'étape 6
table ip ipfilter {
chain prerouting {
type filter hook prerouting priority filter; policy drop;
# Autorise les requêtes DNS depuis le serveur proxy vers sio.lan (gwsio) (étape 6)
tcp dport 53 ip saddr $proxy-dns ip daddr $router accept
}
chain routing {
type filter hook forward priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Autorise les requêtes DNS depuis le serveur proxy vers sio.lan (gwsio) (étape 6)
tcp dport 53 ip saddr $proxy-dns ip daddr $router accept
}
chain postrouting {
type filter hook postrouting priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Autorise les requêtes DNS depuis le serveur proxy vers sio.lan (gwsio) (étape 6)
tcp dport 53 ip saddr $proxy-dns ip daddr $router accept
}
}

32
bts_annee_1/tp08_evolution_infrastructure/regles_progressives/firewall_7
View File

@ -1,32 +0,0 @@
# Chaînes à rajouter pour l'étape 7
table ip ipfilter {
chain prerouting {
type filter hook prerouting priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Autorise les requêtes vers internet si elles viennent du serveur proxy (étape 7) - A vérifier
tcp dport {80,443} ip saddr $proxy-dns daddr $router accept
}
chain routing {
type filter hook forward priority filter; policy drop;
# Autorise les requêtes vers internet si elles viennent du serveur proxy (étape 7) - A vérifier
tcp dport {80,443} ip saddr $proxy-dns daddr $router accept
}
chain postrouting {
type filter hook postrouting priority filter; policy drop;
# Permet le passage des réponses aux requêtes acceptées
ct state established, related accept
# Autorise les requêtes vers internet si elles viennent du serveur proxy (étape 7) - A vérifier
tcp dport {80,443} ip saddr $proxy-dns daddr $router accept
}
}

21
bts_annee_1/tp08_evolution_infrastructure/regles_progressives/firewall_8-9
View File

@ -1,21 +0,0 @@
# Chaînes à rajouter dans les étapes 8 et 9
table ip ipfilter {
chain nat_prerouting {
type nat hook prerouting priority filter; policy accept;
# Port Forwarding pour le DNS, entre pare-feu et DMZ (étape 9 -> à vérifier si chgt règles antérieures nécessaires)
iif $netif udp dport 53 dnat to $proxy-dns
iif $netif tcp dport 53 dnat to $proxy-dns
}
chain nat_postrouting {
type nat hook postrouting priority filter; policy accept;
# Masquage des adresses IP de la DMZ via NAT (étape 8 -> à vérifier si chgt règles antérieures nécessaires)
ip saddr $dmz-ntw snat $firewall-net
}
}

6
bts_annee_2/README.md
View File

@ -1,6 +0,0 @@
## Dépôt de seconde année de BTS.
### Le premier répertoire est dédié au côté SISR des TPs.
### Le deuxième répertoire est dédié au côté Cybersécurité des TPs.
### Le troisième répertoire est dédié aux ateliers de professionalisation, mais les effectifs du BTS font que le seul présent (SDIS 29) sera le dernier en mode "piscine".
### Le quatrième répertoire est dédié aux Vagrantfiles utilisés lors des TPs, que ce soit en cybersécurité ou en SISR.
### Le cinquième répertoire est dédié au contrôle sur les logs, tel qu'il a été rendu.

5
bts_annee_2/ateliers_professionalisation/README.md
View File

@ -1,5 +0,0 @@
# Dépôt de fichiers et du travail de l'AP3-SDIS-29
Ce dépôt contient les documents et scripts, fichiers de configuration et *playbooks* Ansible ayant étés élaborés lors de l'atelier de professionalisation 3, concernant le SDIS-29 comme sujet.
Le SDIS-29 est, si on vulgarise, les sapeurs-pompiers du Finistère.
**Chaque dossier porte un nom explicite, en rapport à ce qu'il contient.**

16
bts_annee_2/ateliers_professionalisation/ansible_bdd/README.md
View File

@ -1,16 +0,0 @@
# Ansible
Dans ce répertoire se situent les *playbooks* Ansible.
## Dossier Wireguard :
Dans le dossier se trouvent le *playbook* ainsi que les fichiers de configuration.
## Playbook de déploiement des **ap31-prod** et **ap31-test** :
### apbase.yml :
Ce *playbook* se charge de mettre à jour les paquets, configurer APT pour passer par le proxy, définit une *timezone* correcte, et se charge d'installer les paquets sur les deux machines.
### apdb.yml :
Ce *playbook* se charge d'installer un module crucial sur la machine **ap31-test**, puis créé une base de données vide, un utilisateur avec l'accès total sur la BDD, puis importe le fichier .sql de base pour rendre la BDD utilisable.
### apdbdump.yml :
Ce *playbook* se charge de créer un dump de la BDD avant de l'envoyer sur la machine qui exécute le *playbook* Ansible.

34
bts_annee_2/ateliers_professionalisation/ansible_bdd/apbase.yml
View File

@ -1,34 +0,0 @@
---
#- name: Install prod/test
- hosts: all
become: true
tasks:
- name: Parametrage Timezone Europe/Paris
community.general.timezone:
name: Europe/Paris
- name: Copie apt.conf
copy:
content: |
Acquire::http::Proxy "http://10.121.38.1:8080/";
Acquire::https::Proxy "http://10.121.38.1:8080/";
dest: /etc/apt/apt.conf
- name: Update and upgrade apt packages
apt:
upgrade: yes
update_cache: yes
cache_valid_time: 86400 #One day
- name: Installation paquets
apt:
name: "{{ item }}"
state: present
with_items:
- tomcat10
- mariadb-server
- ant
- qemu-guest-agent

47
bts_annee_2/ateliers_professionalisation/ansible_bdd/apdb.yml
View File

@ -1,47 +0,0 @@
# apdb.yml
---
- hosts: all
become: true
tasks:
- name: 1. Installe une des dépendances d'une extension Ansible.
apt:
name: python3-pymysql
state: present
- name: 2. Créé la base de données vide.
community.mysql.mysql_db:
check_implicit_admin: true
name: sdis29
state: present
login_unix_socket: /run/mysqld/mysqld.sock
- name: 3. Créé l'utilisateur pour la BDD.
community.mysql.mysql_user:
name: reseau
password: Ilona21?
priv: 'sdis29.*:ALL,GRANT'
state: present
login_unix_socket: /run/mysqld/mysqld.sock
- name: 4. Vérifie si un répertoire db existe.
stat:
path: /home/debian/db
register: rept_stat
- name: 5. Créé le répertoire db pour le fichier sql.
command: mkdir /home/debian/db
when: rept_stat.stat.exists == false
- name: 6. Copie le fichier d'import de la base de données
template:
src: db/sdis29.sql
dest: /home/debian/db/sdis29.sql
- name: 7. Import de la base de données.
run_once: true
community.mysql.mysql_db:
state: import
name: all
encoding: utf8
target: db/sdis29.sql
login_unix_socket: /run/mysqld/mysqld.sock

17
bts_annee_2/ateliers_professionalisation/ansible_bdd/apdbdump.yml
View File

@ -1,17 +0,0 @@
# apbddump.yml
---
- hosts: all
become: true
tasks:
- name: 1. Exécute le dump de la BDD.
community.mysql.mysql_db:
check_implicit_admin: true
state: dump
name: sdis29
target: /home/debian/db/sdis29-backup.sql.gz
login_unix_socket: /run/mysqld/mysqld.sock
- name: 2. Envoie le dump sur la machine Ansible.
ansible.builtin.fetch:
src: /home/debian/db/sdis29-backup.sql.gz
dest: /home/debian/

2
bts_annee_2/ateliers_professionalisation/ansible_bdd/hosts
View File

@ -1,2 +0,0 @@
[pt]
ap31-pt

7
bts_annee_2/ateliers_professionalisation/ansible_wireguard/README.md
View File

@ -1,7 +0,0 @@
# Ansible pour Wireguard
## Description du playbook :
Ce *playbook* se charge d'installer les outils Wireguard et le paquet Wireguard sur chacune des machines, avant de copier le script pour générer les fichiers de configuration sur la machine **ap31-mon**, puis exécute le script, avant de récupérer chacun des trois fichiers de configuration pour les copier sur **ap31-ans**.
Ensuite, le *playbook* se charge de copier les fichiers de configuration à chaque machine de manière individuelle sans possibilité d'erreur, avant d'activer le service Wireguard au démarrage, et de le relancer.

17
bts_annee_2/ateliers_professionalisation/ansible_wireguard/config_files/wg0-mon.conf
View File

@ -1,17 +0,0 @@
# local settings for ap31-mon
[Interface]
PrivateKey = qNrA3qizZyJ7iPfXQepwA6/g5kkabijifGUW61OO4G4=
Address = 10.0.0.1/32
ListenPort = 51820
# remote settings for ap31-prod
[Peer]
PublicKey = mnWYL52q8bzvvary6s81ROHV1hohu3nlQN0YQkTZTzg=
Endpoint = 172.16.0.100:51820
AllowedIPs = 10.0.0.2/32
# remote settings for ap31-test
[Peer]
PublicKey= Amfx3tgY9WyjhVH8gQJWZpbQVNYwpIt3OFZokMqq43M=
Endpoint = 172.16.0.101:51820
AllowedIPs = 10.0.0.3/32

11
bts_annee_2/ateliers_professionalisation/ansible_wireguard/config_files/wg0-prod.conf
View File

@ -1,11 +0,0 @@
# local settings for ap31-prod
[Interface]
PrivateKey = ENtiBbOg56P0DQJhoYe61mNLF06Vtv601rbAAvyKz2M=
Address = 10.0.0.2/32
ListenPort = 51820
# remote settings for ap31-mon
[Peer]
PublicKey = LEkM9UVt21zq7PS8sX+SBihuXr5k9bjAbwSN0dChmAk=
Endpoint = 172.16.0.102:51820
AllowedIPs = 10.0.0.1/32

11
bts_annee_2/ateliers_professionalisation/ansible_wireguard/config_files/wg0-test.conf
View File

@ -1,11 +0,0 @@
# local settings for ap31-test
[Interface]
PrivateKey = 6Hq3I9MdSB/O8xiXxf1ekysWR2GQgYBss9VNDngbZE4=
Address = 10.0.0.3/32
ListenPort = 51820
# remote settings for ap31-mon
[Peer]
PublicKey = LEkM9UVt21zq7PS8sX+SBihuXr5k9bjAbwSN0dChmAk=
Endpoint = 172.16.0.102:51820
AllowedIPs = 10.0.0.1/32

6
bts_annee_2/ateliers_professionalisation/ansible_wireguard/hosts
View File

@ -1,6 +0,0 @@
[wg]
ap31-prod
ap31-test
ap31-mon
[wg_srv]
ap31-mon

80
bts_annee_2/ateliers_professionalisation/ansible_wireguard/mkwgconf-p2p.sh
View File

@ -1,80 +0,0 @@
#!/bin/bash
set -u
set -e
AddressAwg=10.0.0.1/32 # Adresse VPN Wireguard MON
EndpointA=172.16.0.102 # Adresse extremite MON
PortA=51820 # Port ecoute extremite MON
AddressBwg=10.0.0.2/32 # Adresse VPN Wireguard PROD
EndpointB=172.16.0.100 # Adresse extremite PROD
PortB=51820 # Port ecoute extremite PROD
AddressCwg=10.0.0.3/32 # Adresse VPN Wireguard TEST
EndpointC=172.16.0.101 # Adresse extremite TEST
PortC=51820 # Port ecoute extremite TEST
umask 077 ;
wg genkey > endpoint-a.key
wg pubkey < endpoint-a.key > endpoint-a.pub
wg genkey > endpoint-b.key
wg pubkey < endpoint-b.key > endpoint-b.pub
wg genkey > endpoint-c.key
wg pubkey < endpoint-c.key > endpoint-c.pub
PKA=$(cat endpoint-a.key)
pKA=$(cat endpoint-a.pub)
PKB=$(cat endpoint-b.key)
pKB=$(cat endpoint-b.pub)
PKC=$(cat endpoint-c.key)
pKC=$(cat endpoint-c.pub)
cat <<FINI > wg0-mon.conf
# local settings for ap31-mon
[Interface]
PrivateKey = $PKA
Address = $AddressAwg
ListenPort = $PortA
# remote settings for ap31-prod
[Peer]
PublicKey = $pKB
Endpoint = ${EndpointB}:$PortB
AllowedIPs = $AddressBwg
# remote settings for ap31-test
[Peer]
PublicKey= $pKC
Endpoint = ${EndpointC}:$PortC
AllowedIPs = $AddressCwg
FINI
cat <<FINI > wg0-prod.conf
# local settings for ap31-prod
[Interface]
PrivateKey = $PKB
Address = $AddressBwg
ListenPort = $PortB
# remote settings for ap31-mon
[Peer]
PublicKey = $pKA
Endpoint = ${EndpointA}:$PortA
AllowedIPs = $AddressAwg
FINI
cat <<FINI > wg0-test.conf
# local settings for ap31-test
[Interface]
PrivateKey = $PKC
Address = $AddressCwg
ListenPort = $PortC
# remote settings for ap31-mon
[Peer]
PublicKey = $pKA
Endpoint = ${EndpointA}:$PortA
AllowedIPs = $AddressAwg
FINI

74
bts_annee_2/ateliers_professionalisation/ansible_wireguard/wg.yml
View File

@ -1,74 +0,0 @@
# wg.yml
---
- hosts: wg
become: true
tasks:
- name: 1. Installe le paquet Wireguard.
apt:
name: wireguard
state: present
- name: 2. Installe les outils Wireguard.
apt:
name: wireguard-tools
state: present
- hosts: wg_srv
become: true
tasks:
- name: 3. Envoie le script Wireguard.
copy:
src: mkwgconf-p2p.sh
dest: mkwgconf-p2p.sh
- name: 4. Exécute le script Wireguard.
command: bash mkwgconf-p2p.sh
- name: 5. Copie le fichier de configuration Wireguard C sur cette machine.
ansible.builtin.fetch:
src: wg0-mon.conf
dest: wg0-mon.conf
flat: yes
- name: 6. Récupère le fichier de conf A.
ansible.builtin.fetch:
src: wg0-prod.conf
dest: wg0-prod.conf
flat: yes
- name: 7. Récupère le fichier de conf B.
ansible.builtin.fetch:
src: wg0-test.conf
dest: wg0-test.conf
flat: yes
- hosts: wg
become: true
tasks:
- name: 8. Envoie le fichier de conf A vers la machine prod.
copy:
src: wg0-prod.conf
dest: /etc/wireguard/wg0.conf
when: ansible_hostname == "ap31-prod"
- name: 9. Envoie le fichier de conf B vers la machine test.
copy:
src: wg0-test.conf
dest: /etc/wireguard/wg0.conf
when: ansible_hostname == "ap31-test"
- name: 10. Envoie le fichier de conf C vers la machine mon.
copy:
src: wg0-mon.conf
dest: /etc/wireguard/wg0.conf
when: ansible_hostname == "ap31-mon"
- name: 11. Active le service Wireguard.
ansible.builtin.service:
service: wg-quick@wg0.service
enabled: true
- name: 12. Lance le service Wireguard.
ansible.builtin.service:
service: wg-quick@wg0.service
state: restarted

2
bts_annee_2/ateliers_professionalisation/documentation/README.md
View File

@ -1,2 +0,0 @@
Ce fichier README_docu.md contient la documentation complète du projet excepté les parties sur Ansible, avec la syntaxe Markdown.
Pour les fichiers de documentation, allez dans les répertoires Ansible de ce projet.

58
bts_annee_2/ateliers_professionalisation/documentation/README_docu.md
View File

@ -1,58 +0,0 @@
# sdis29-1
## Dépôt Git des programmes sources - SDIS 29.
Version: v.0.0.2b-ge
### Création initiale des serveurs :
* Création des serveurs **ap31-prod** et **ap31-test** via un clone intégral d'une template sur pxlab1.
* Disques redimensionnés de 2Go a 10Go.
* Définition des IPs et ajout des clés SSH dans les machines.
* Création du serveur **ap31-mon** via un clone intégral d'une template.
* Définition de l'IP et ajout des clés SSH.
* Disque redimensionné de 2G à 10Go.
* Doublement de la RAM sur **ap31-mon**. (1024Mo --> 2048Mo)
* Machines définies sur la *timezone* Europe/Paris (UTC +1)
### Installation des paquets :
* Ajout du fichier `/etc/apt/apt.conf` récupéré depuis depl, pour pouvoir passer à travers le proxy.
* Commande `apt update` effectuée sur chaque machine.
* **ap31-prod** : mariadb-server, tomcat10, zabbix-agent2, qemu-guest-agent, wget, goss
* **ap31-test** : mariadb-server, tomcat10, phpmyadmin, zabbix-agent2, qemu-guest-agent, wget, goss, git
* **ap31-mon** : apache2, mariadb-server, zabbix-server-mysql, zabbix-frontend-php, zabbix-apache-conf, zabbix-sql-scripts, zabbix-agent, journald-remote
* Ajout de goss sur **ap31-test** et **ap31-prod**, et création de fichiers de test fonctionnels pour les deux machines.
### Configuration de Zabbix :
* Pour **ap31-mon**, installation de Zabbix avec un script, et configuration initiale de Zabbix via l'interface web.
* Pour **ap31-prod** et **ap31-test**, modification des fichiers `/etc/zabbix/zabbix_agent2.conf` pour ajouter l'IP du serveur Zabbix et le *hostname* avec un script.
* Une fois fait, ajout de **ap31-prod** et **ap31-test** dans Zabbix sur le *template* `Linux by Zabbix agent`.
* Une fois les serveurs ajoutés avec une interface de détection de type `agent` sur l'IP de la machine correspondante, détection sur Zabbix et la supervision est complétée.
* Ajout de la passerelle **gwsio3** avec une *template* `ICMP Ping` sur une interface SNMP avec l'IP de la passerelle, et supervision des temps de réponse et du status possible.
### Centralisation de la gestion des logs :
* Installation du paquet `systemd-journal-remote` sur chaque serveur.
* **ap31-mon** : utilisation d'un script journald-rcv.sh configuré du côté récepteur.
* **ap31-test, ap31-prod** : utilisation d'un script `journald-snd.sh` configuré du côté émetteur.
### Importation de la base de données :
* Création d'un utilisateur `reseau` pour modifier la BDD sans utiliser le compte root si nécessaire.
* Import du fichier `sdis29.sql` sur MariaDB sur la machine **ap31-test**.
* Une fois fait, base de données disponible sur la machine et visible sur phpmyadmin une fois les privilèges requis donnés au compte.
### Création de playbooks Ansible pour **ap31-prod** et **ap31-test** :
* Création du *playbook* `apbase.yml` qui prépare les machines **ap31-prod** et **ap31-test** en installant les paquets nécessaires, en configurant le proxy pour *APT*, et en définissant la *timezone*.
* Création du *playbook* `apdb.yml` qui installe les dépendances utilisées dans le *playbook*, puis se charge de créer la BDD, un utilisateur, et qui peut être exécuté plusieurs fois sans soucis.
* Exécution des deux *playbooks* et résultats corrects, sans erreurs. Les *playbooks* `apbase.yml` et `apdb.yml` sont terminés.
* Création du *playbook* `apdbdump.yml` qui récupère le dump de la BDD une fois celui-ci créé.
* Exécution du *playbook* et résultats corrects, sans erreurs. Le *playbook* est terminé.
### Établissement d'un tunnel VPN entre les machines **ap31-mon**, **ap31-prod** et **ap31-test** :
* Création d'un *playbook* `wg.yml` qui se charge d'installer Wireguard et ses outils sur les trois machines, puis qui exécute un script modifié pour générer les clés et les fichiers de configuration, avant de les mettre au bon endroit.
* Une fois cela fait, et le tunnel fonctionnel, la centralisation des logs peut se faire via le tunnel Wireguard. Les IPs des fichiers de configuration sont donc modifiées pour fonctionner.
* Pour plus de détails, se rendre dans le dossier `ansible`, puis le répertoire `wireguard`.

2
bts_annee_2/ateliers_professionalisation/scripts_logs/README.md
View File

@ -1,2 +0,0 @@
Ce dossier contient les scripts utilisés pour configurer les envois et la réception de logs.
Le script `snd` est à exécuter sur les machines qui envoient, et le fichier `rcv` est à exécuter sur la machine réceptrice.

11
bts_annee_2/ateliers_professionalisation/scripts_logs/journald-rcv.sh
View File

@ -1,11 +0,0 @@
#!/bin/bash
sudo timedatectl set-timezone Europe/Paris
sudo apt-get update
sudo apt-get install -y systemd-journal-remote
sudo systemctl enable --now systemd-journal-remote.socket
sudo cp /lib/systemd/system/systemd-journal-remote.service /etc/systemd/system
sudo sed -i 's/--listen-https=-3/--listen-http=-3/' /etc/systemd/system/systemd-journal-remote.service
[[ -d /var/log/journal/remote ]] || sudo mkdir /var/log/journal/remote
sudo chown systemd-journal-remote /var/log/journal/remote
sudo systemctl daemon-reload
sudo systemctl restart systemd-journal-remote

8
bts_annee_2/ateliers_professionalisation/scripts_logs/journald-snd.sh
View File

@ -1,8 +0,0 @@
#!/bin/bash
sudo timedatectl set-timezone Europe/Paris
sudo apt-get update
sudo apt-get install -y systemd-journal-remote
rpl="s/^# URL=/URL=http:\/\/ap31-mon:19532/"
sudo sed -i "$rpl" /etc/systemd/journal-upload.conf
sudo systemctl enable --now systemd-journal-upload.service
sudo systemctl restart systemd-journal-upload.service

2
bts_annee_2/ateliers_professionalisation/scripts_zabbix/README.md
View File

@ -1,2 +0,0 @@
Ces scripts permettent de paramétrer Zabbix initialement. Pour les détails, il faut aller lire le `README_docu.md` dans le répertoire de documentation.
Chaque script est associé de nom aux machines utilisées dans l'atelier, ou à défaut, un nom générique descriptif.

8
bts_annee_2/ateliers_professionalisation/scripts_zabbix/zabbix-install-client-prod.sh
View File

@ -1,8 +0,0 @@
apt install -y wget curl
wget https://repo.zabbix.com/zabbix/7.0/debian/pool/main/z/zabbix-release/zabbix-release_7.0-2+debian12_all.deb
dpkg -i zabbix-release_7.0-2+debian12_all.deb
apt install -y zabbix-agent2
echo "Server=172.16.0.102" >> /etc/zabbix/zabbix_agent2.conf
echo "ServerActive=172.16.0.102" >> /etc/zabbix/zabbix_agent2.conf
echo "Hostname=ap31-prod" >> /etc/zabbix/zabbix_agent2.conf
systemctl restart zabbix-agent2

8
bts_annee_2/ateliers_professionalisation/scripts_zabbix/zabbix-install-client-test.sh
View File

@ -1,8 +0,0 @@
apt install -y wget curl
wget https://repo.zabbix.com/zabbix/7.0/debian/pool/main/z/zabbix-release/zabbix-release_7.0-2+debian12_all.deb
dpkg -i zabbix-release_7.0-2+debian12_all.deb
apt install -y zabbix-agent2
echo "Server=172.16.0.102" >> /etc/zabbix/zabbix_agent2.conf
echo "ServerActive=172.16.0.102" >> /etc/zabbix/zabbix_agent2.conf
echo "Hostname=ap31-test" >> /etc/zabbix/zabbix_agent2.conf
systemctl restart zabbix-agent2

17
bts_annee_2/ateliers_professionalisation/scripts_zabbix/zabbix-install-server.sh
View File

@ -1,17 +0,0 @@
export http_proxy="http://10.121.38.1:8080/"
export https_proxy="http://10.121.38.1:8080/"
wget https://repo.zabbix.com/zabbix/7.0/debian/pool/main/z/zabbix-release/zabbix-release_7.0-2+debian12_all.deb
dpkg -i zabbix-release_7.0-2+debian12_all.deb
apt-get install -y apache2 mariadb-server
apt-get install -y zabbix-server-mysql zabbix-frontend-php zabbix-apache-conf zabbix-sql-scripts zabbix-agent
echo 'create database zabbix character set utf8mb4 collate utf8mb4_bin;' | mysql -u root
echo "create user zabbix@localhost identified by 'password';" | mysql -u root
echo 'grant all privileges on zabbix.* to zabbix@localhost;' | mysql -u root
echo 'set global log_bin_trust_function_creators = 1;' | mysql -u root
zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz | mysql --default-character-set=utf8mb4 -u zabbix -ppassword zabbix
echo 'set global log_bin_trust_function_creators = 0;' | mysql -u root
sed -i 's/# DBPassword=/DBPassword=password/' /etc/zabbix/zabbix_server.conf
systemctl restart zabbix-server zabbix-agent apache2
systemctl enable zabbix-server zabbix-agent apache2
localectl set-locale LANG=en_US.UTF-8
systemctl restart zabbix-server zabbix-agent apache2

5
bts_annee_2/cyber2/README.md
View File

@ -1,5 +0,0 @@
# Dépôt de seconde année de Cybersécurité.
## Chaque dossier porte un nom descriptif, qu'on peut relier à une ou plusieurs séances.
### Séances 12, 14 et 15 : OpenVPN, IPSec.
### Séance 16 : Simulation de Ransomware.
### Sécurité - Mise en pace d'une application Web sécurisée : Wordpress-LAMP.

3
bts_annee_2/cyber2/ransomware-simulation/README.md
View File

@ -1,3 +0,0 @@
Séance sur la simulation d'un *ransomware* sur un partage de fichiers Samba.
Le mode d'emploi du script est dans celui-ci.
Pour générer une clé d'encryption/décryption, on peut faire ceci: `date | sha512sum > macle.txt`.

1
bts_annee_2/cyber2/ransomware-simulation/cle.txt
View File

@ -1 +0,0 @@
f1822d2fe58daeadc88e0e4eef2f155fc3edd3713ff9a5d1e27696afd9231d905db51c98dcf0c6416658239b8d3b5893c5775ffd7941f769a78fcd684c5f9161

40
bts_annee_2/cyber2/ransomware-simulation/smbcc.sh
View File

@ -1,40 +0,0 @@
#!/bin/bash
# Usage :
# bash smbcc.sh <chemin du partage Windows AVEC IP> <nom d'utilisateur/mot de passe> <action> <clé d'encryption>
# Déclaration des variables.
chemin=$1
cred=$2
action=$3
ficcle=$4
# Récupération du nom d'utilisateur et du mot de passe.
user=$(echo $cred| cut -d "/" -f1)
pass=$(echo $cred| cut -d "/" -f2)
# Création du répertoire s'il n'existe pas, et montage du partage Samba dessus.
[[ -e /tmp/samba ]] || mkdir /tmp/samba
mount.cifs -o "username=$user,password=$pass" "//${chemin}" /tmp/samba
# Première vérification d'erreurs.
if [[ $? != 0 ]] ; then
echo "Erreur dans la commande mount.cifs, vérifiez les paramètres entrés."
rmdir /tmp/samba
exit 1
fi
# Commande ccrypt pour encrypter ou décrypter le répertoire avec le partage.
ccrypt "$action" --recursive --key $ficcle /tmp/samba
# Seconde vérification d'erreurs.
if [[ $? != 0 ]] ; then
echo "Échec de ccrypt, veuillez relancer le script après avoir vérifié les paramètres."
umount /tmp/samba
exit 1
fi
# Nettoyage des directoires, et sortie du script avec le code 0.
umount /tmp/samba
rmdir /tmp/samba
exit 0

1
bts_annee_2/cyber2/ransomware-simulation/test.txt
View File

@ -1 +0,0 @@
0d7b9fea61b5707ff8bf6da489a2638153e8c5d74d3bfab9a12dca6698da3ef61441cf86b819b166cae673efc97c99cb3ab8022c62774636f9e8fe18771a13db -

1
bts_annee_2/cyber2/vpn-ipsec/README.md
View File

@ -1 +0,0 @@
Dossier avec les fichiers de configuration du tunnel IPsec fait en TP, ainsi que les IPs et tables de routage.

1
bts_annee_2/cyber2/vpn-ipsec/gw1/README.md
View File

@ -1 +0,0 @@
Il faut renommer le fichier ipsec-gw1.conf en ipsec.conf et le placer dans /etc/ .

18
bts_annee_2/cyber2/vpn-ipsec/gw1/config_ip_gw1
View File

@ -1,18 +0,0 @@
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:71:ec:44 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe71:ec44/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:c2:6d:0b brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/24 brd 10.0.0.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fec2:6d0b/64 scope link
valid_lft forever preferred_lft forever

23
bts_annee_2/cyber2/vpn-ipsec/gw1/ipsec-gw1.conf
View File

@ -1,23 +0,0 @@
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn tunnel #
left=10.0.0.1
leftsubnet=192.168.1.0/24
right=10.0.0.2
rightsubnet=192.168.2.0/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
authby=secret
auto=start
keyexchange=ikev2
type=tunnel

3
bts_annee_2/cyber2/vpn-ipsec/gw1/table_routage_gw1
View File

@ -1,3 +0,0 @@
10.0.0.0/24 dev enp0s8 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev enp0s3 proto kernel scope link src 192.168.1.1
192.168.2.0/24 via 192.168.1.1 dev enp0s3

1
bts_annee_2/cyber2/vpn-ipsec/gw2/README.md
View File

@ -1 +0,0 @@
Il faut renommer le fichier ipsec-gw2.conf en ipsec.conf et le placer dans /etc/ .

18
bts_annee_2/cyber2/vpn-ipsec/gw2/config_ip_gw2
View File

@ -1,18 +0,0 @@
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:35:ba:6d brd ff:ff:ff:ff:ff:ff
inet 192.168.2.1/24 brd 192.168.2.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe35:ba6d/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:ea:8b:77 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.2/24 brd 10.0.0.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:feea:8b77/64 scope link
valid_lft forever preferred_lft forever

23
bts_annee_2/cyber2/vpn-ipsec/gw2/ipsec-gw2.conf
View File

@ -1,23 +0,0 @@
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn tunnel #
left=10.0.0.2
leftsubnet=192.168.2.0/24
right=10.0.0.1
rightsubnet=192.168.1.0/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
authby=secret
auto=start
keyexchange=ikev2
type=tunnel

2
bts_annee_2/cyber2/vpn-ipsec/gw2/table_routage_gw2
View File

@ -1,2 +0,0 @@
10.0.0.0/24 dev enp0s8 proto kernel scope link src 10.0.0.2
192.168.2.0/24 dev enp0s3 proto kernel scope link src 192.168.2.1

1
bts_annee_2/cyber2/vpn-openvpn/README.md
View File

@ -1 +0,0 @@
Dossier du TP sur le VPN OpenVPN. Il y a les fichiers relatifs au serveur et au client.

85
bts_annee_2/cyber2/vpn-openvpn/client/DESKTOP-SK8G91D.crt
View File

@ -1,85 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7a:40:e4:09:96:70:a7:11:03:89:2c:bb:23:d1:10:05
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: Oct 14 09:34:47 2024 GMT
Not After : Jan 17 09:34:47 2027 GMT
Subject: CN=DESKTOP-SK8G91D
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a3:54:3e:71:b3:68:7b:11:f0:38:d4:80:5f:60:
55:fe:27:f7:0e:f4:64:fd:6a:e4:be:7e:9c:40:82:
6e:57:bb:09:90:10:3e:f5:2b:13:1d:14:2f:b3:eb:
97:8e:c1:68:8f:23:9a:ac:8a:4f:8c:6d:59:69:88:
e6:75:80:44:80:94:65:17:c4:5a:c3:8c:b1:6e:bb:
6d:bd:fa:af:ce:42:ab:21:b4:33:92:02:d8:1f:e3:
9e:1a:aa:ae:e2:18:42:f9:6c:9f:84:db:a3:1b:23:
d8:fb:37:1f:3e:5f:04:21:72:17:be:4c:52:73:f0:
b7:87:fe:d1:c2:85:a3:4d:57:61:d6:4f:f7:6c:9c:
f1:fb:34:22:e5:44:43:86:a1:d8:29:b8:a2:73:f4:
54:da:93:86:1f:bc:d3:98:2b:29:74:dc:4e:17:0c:
b3:44:d8:77:96:98:45:38:44:36:23:dc:55:d2:d2:
f7:75:1f:ec:bc:23:a9:fc:76:30:78:f8:e9:03:f8:
88:43:9d:ae:fe:e8:e6:cf:02:d5:c7:93:f4:a9:9e:
11:e1:68:4e:10:bb:85:e8:1a:c8:1b:ce:f4:f1:55:
38:31:46:3e:1e:8d:6a:a8:6a:66:a6:85:57:08:76:
3f:24:3f:7e:e4:b8:af:bf:86:d5:73:4a:98:ad:53:
0f:6b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
F9:C9:56:7F:09:7A:38:A1:BB:00:6D:56:FA:75:FD:F6:C7:E9:EA:AE
X509v3 Authority Key Identifier:
keyid:02:2B:7C:59:A2:6F:3B:DA:07:A4:E9:F3:3F:27:94:B5:0E:62:76:F3
DirName:/CN=Easy-RSA CA
serial:65:E9:1E:24:AE:9A:EE:B3:E5:D9:79:EA:1E:A9:D7:5D:A1:E2:D4:F1
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
55:d1:dd:8c:9a:4e:80:02:32:49:88:6c:82:7f:43:d5:cd:37:
e0:8a:d5:d7:20:76:7f:dd:5b:b2:13:80:f0:81:9e:c7:e4:d3:
6e:e9:01:5f:91:57:87:97:bc:b7:a9:d0:82:1c:76:21:27:fa:
4c:84:c6:29:d0:f9:d4:78:6c:55:0c:9a:9b:9c:c0:ee:b5:35:
d0:0d:ef:5d:02:bf:51:40:9e:a8:cc:32:d9:c0:70:2f:c7:05:
72:e6:10:6d:fd:da:8d:d8:bb:7f:84:d8:85:64:66:82:a8:50:
08:9c:26:a5:27:8f:7b:9c:7b:5e:1d:44:6a:14:d2:4c:42:da:
9c:3b:46:34:0e:22:c5:3e:3c:0c:10:c6:52:08:33:32:67:5d:
71:00:7b:8a:f2:a7:ef:92:59:cc:fe:a8:4f:62:74:0e:91:ec:
5d:61:45:92:73:13:75:59:0b:50:c0:af:a4:90:2d:ed:a6:2a:
d7:60:55:d3:c6:f2:df:1c:9c:9f:c2:7b:ba:10:6a:6d:25:9e:
c7:f9:30:cf:e3:4f:87:48:ba:ac:37:ea:88:f1:d7:79:62:f9:
34:be:04:32:af:bf:a6:f8:91:89:ab:47:08:b5:3b:6e:17:c5:
d9:7f:94:f2:5c:47:57:58:62:02:12:7a:fa:83:bf:79:da:bf:
ed:88:a1:20
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIQekDkCZZwpxEDiSy7I9EQBTANBgkqhkiG9w0BAQsFADAW
MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0yNDEwMTQwOTM0NDdaFw0yNzAxMTcw
OTM0NDdaMBoxGDAWBgNVBAMMD0RFU0tUT1AtU0s4RzkxRDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKNUPnGzaHsR8DjUgF9gVf4n9w70ZP1q5L5+nECC
ble7CZAQPvUrEx0UL7Prl47BaI8jmqyKT4xtWWmI5nWARICUZRfEWsOMsW67bb36
r85CqyG0M5IC2B/jnhqqruIYQvlsn4Tboxsj2Ps3Hz5fBCFyF75MUnPwt4f+0cKF
o01XYdZP92yc8fs0IuVEQ4ah2Cm4onP0VNqThh+805grKXTcThcMs0TYd5aYRThE
NiPcVdLS93Uf7Lwjqfx2MHj46QP4iEOdrv7o5s8C1ceT9KmeEeFoThC7hegayBvO
9PFVODFGPh6NaqhqZqaFVwh2PyQ/fuS4r7+G1XNKmK1TD2sCAwEAAaOBojCBnzAJ
BgNVHRMEAjAAMB0GA1UdDgQWBBT5yVZ/CXo4obsAbVb6df32x+nqrjBRBgNVHSME
SjBIgBQCK3xZom872gek6fM/J5S1DmJ286EapBgwFjEUMBIGA1UEAwwLRWFzeS1S
U0EgQ0GCFGXpHiSumu6z5dl56h6p112h4tTxMBMGA1UdJQQMMAoGCCsGAQUFBwMC
MAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAVdHdjJpOgAIySYhsgn9D
1c034IrV1yB2f91bshOA8IGex+TTbukBX5FXh5e8t6nQghx2ISf6TITGKdD51Hhs
VQyam5zA7rU10A3vXQK/UUCeqMwy2cBwL8cFcuYQbf3ajdi7f4TYhWRmgqhQCJwm
pSePe5x7Xh1EahTSTELanDtGNA4ixT48DBDGUggzMmddcQB7ivKn75JZzP6oT2J0
DpHsXWFFknMTdVkLUMCvpJAt7aYq12BV08by3xycn8J7uhBqbSWex/kwz+NPh0i6
rDfqiPHXeWL5NL4EMq+/pviRiatHCLU7bhfF2X+U8lxHV1hiAhJ6+oO/edq/7Yih
IA==
-----END CERTIFICATE-----

28
bts_annee_2/cyber2/vpn-openvpn/client/DESKTOP-SK8G91D.key
View File

@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjVD5xs2h7EfA4
1IBfYFX+J/cO9GT9auS+fpxAgm5XuwmQED71KxMdFC+z65eOwWiPI5qsik+MbVlp
iOZ1gESAlGUXxFrDjLFuu229+q/OQqshtDOSAtgf454aqq7iGEL5bJ+E26MbI9j7
Nx8+XwQhche+TFJz8LeH/tHChaNNV2HWT/dsnPH7NCLlREOGodgpuKJz9FTak4Yf
vNOYKyl03E4XDLNE2HeWmEU4RDYj3FXS0vd1H+y8I6n8djB4+OkD+IhDna7+6ObP
AtXHk/SpnhHhaE4Qu4XoGsgbzvTxVTgxRj4ejWqoamamhVcIdj8kP37kuK+/htVz
SpitUw9rAgMBAAECggEAQd/J+bDbDHwtL7ahehZQSJxU3G68xqsUzDIjki8pEvBI
iJbM1bREVr+cB8yXCYg/RDAfg8SbFe/KlrKVBMIxnsx7Q4058FHwBFHLDssrmhyw
ifz0qcjE44O58lZyB5WyeYgShJLTY7BfJN9UFiNbdqPeKK3+uW1WkJ65emPM+/WD
7DR/VHOPs8PUS6mf6EMwyzeRHECnb8t9sSx1vqcAPzj/l/3iAQloyn9VxTvJ345/
yLyFtF+GCqSiXBl5bPR9uN1hrpjeqjcFo/EZFPSLQJNiFtHOUMt3GtJW0h7XQtrf
PakCeLx4DuMANuLPjdzcK4lZAql/s0A2hHNhEh94QQKBgQDRvxN6E1guXVktZxsS
rc/2uuOoOYbTkxpkqzqI4WQ24Gb7lu/95jhHdZTWCATLdG+XMDxMdiNWIf2YMAq4
5+c0ZL3HwiZq6Mo3sbZUP1RnEM4suHZZinTgJgDa3+RDGVF1usSwcvqGjY/+2zL8
muzjorsY7dBxLne8BDEH9yiHqwKBgQDHWL8o8uiNIpQxz7WzZwi8dNGTKCjA/Oig
BIin3Rk2nX33y5QIe45Jb9f4V7Q7XZjY2aoYwzVWsZlu1LAFvS9zkuKJB60I6PJt
+5yowZKk2roqR7hreuml1nbyAljoJpuIdrT/xHIQyI3LtgscUOTT2nMwAQ/X0gWz
xzSrLkjXQQKBgQCBsA2Q66kYceuT4S6iLApsWj4tY/RzmX82Q5Fb1VErhTDn2vnl
GZYuyQsQE8EzM3lUGCUQefN7bGTq1rmqfuk8QhX+D5PFgs6WBTHhgY7kc0Wn7R5w
WuXNOnJI4yq2Ok9d5e970nwI+jrQsCQkgH58ecAJt/GsKbkq7cSLUk0jJQKBgACU
uqHk61aV9jaa812dfEIIWSADqvK9CfSFbtyGYW9uUBKrzjekHIsMP2Xi44yUvkBL
ihpeX0ZsaBURm524qm28zNo3YoK3IxW8+Pzo64N9e7Np2BjAF/Q6xsf3x8iNbECe
j/J64RY5b2hblHa1qaUQauuF5UTswMWAXB/vl5jBAoGARQbPUSMgp382ZDN3ohxf
7XEC/roO6SyuKLaF46kfVgoNXNBK8qvfV4HaUHiWfkBlsdrZioQp7z+S3ijlrAu+
iae08RHuKQS1XMUN9BvqzmWSB9RMBZSNhVvD8QZwVPSHEqAx8yvORitdjQpDTdFS
8jKYo+l8sNiEYzv5y/ovagI=
-----END PRIVATE KEY-----

120
bts_annee_2/cyber2/vpn-openvpn/client/DESKTOP-SK8G91D.ovpn
View File

@ -1,120 +0,0 @@
##############################################
# Sample client-side OpenVPN 2.6 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.0.48 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user openvpn
;group openvpn
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert DESKTOP-SK8G91D.crt
key DESKTOP-SK8G91D.key
# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server
# Allow to connect to really old OpenVPN versions
# without AEAD support (OpenVPN 2.3.x or older)
# This adds AES-256-CBC as fallback cipher and
# keeps the modern ciphers as well.
data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20

1
bts_annee_2/cyber2/vpn-openvpn/client/README.md
View File

@ -1 +0,0 @@
Dossier du serveur OpenVPN, avec les fichiers de configuration, les certificats issus, et le reste.

20
bts_annee_2/cyber2/vpn-openvpn/client/ca.crt
View File

@ -1,20 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIUZekeJK6a7rPl2XnqHqnXXaHi1PEwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjQxMDE0MDkyMzEwWhcNMzQx
MDEyMDkyMzEwWjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKrBBlOUjpOTZzSSQ3481/1Gv2UmnKkLK6x2rmkJ
qgFapKB9J8CFjYjKK3IONvP4DvnYLL9wpO/FkIoNQUHl3U0IRoH5DtLg53aqWFIl
5P0mNDrHzNraLYU3fk+y+bsKRklxxv3UcMvi1Lo3gIbdpP8hRxZ9IaQvSe1E2GDA
zcc0QeHm6/NHJLKgvXRPohjk6qFTVy0x9bbqhsBpJFOhj2TmbdiI5wo3yBvhjqVh
66ssF+WDrPjgiLFR3Vgt0Whif5BMMWe9KH53wII6uIM4rWx+NrEOPD5y3ObbgnVX
yyuXNIbwQw/kvy0ZXF4+J3Ippf8dc15SjS6si7Li8GRxsUcCAwEAAaOBkDCBjTAM
BgNVHRMEBTADAQH/MB0GA1UdDgQWBBQCK3xZom872gek6fM/J5S1DmJ28zBRBgNV
HSMESjBIgBQCK3xZom872gek6fM/J5S1DmJ286EapBgwFjEUMBIGA1UEAwwLRWFz
eS1SU0EgQ0GCFGXpHiSumu6z5dl56h6p112h4tTxMAsGA1UdDwQEAwIBBjANBgkq
hkiG9w0BAQsFAAOCAQEACRPv+n+H9wZHcSW75cHZCaOQWw2Ze+/gJTW9Wk5leLQn
jABaLmHzeNenjg2gCDNG1ObBS0Lx5SCE7mf8HY32hqCR7fwJhY+K2gj+MQK7r3VD
UH60BBzKqH5djRkSq1oSPJSUPNeW6hTH0kn56N1I7cBuez7Vz9VsgiyPYsR6uGxe
79/AJfuP6Y4KkvO4Hjpr8MvSg+t4NAxNiEp3P/p/CX8AmK75f3DfsD80v5YeBQC7
H6QeJ24UTD1oH+DhF8pptrNf6yzb8SipI2ShdTdFwHZR+1hcnEPb3eyRLouqbDqy
n8u2opX/cktET0o29IIc71L23Tsb+SSBR1QvUuIFCA==
-----END CERTIFICATE-----

21
bts_annee_2/cyber2/vpn-openvpn/client/ta.key
View File

@ -1,21 +0,0 @@
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
d603ad1c4cec84482158d16fdf2195fc
00408410be33b106963c91a3ef7f01e6
85b69e6a37d0928e36bf15d00152817d
4a16fd1ce4555caca28e602b8124fec6
a659f275ae06de6a2333dd4a358e4689
e0914d9416e12c042af8114863159b76
e79c45aa2f972da28ad19c1b2f6f8b00
340f4a906f640e0f113483fb50d5799d
2d75c0ecbf853542e03b4b9f76eec5c1
fdcc11ab0ba44974eff3c087241521fd
ae0ef5aad26279907448c6493a77c5d7
abc5192af4f157ae3f9e25f92c08f7c6
d33e9ccd18559b886338c515b62bdc8a
22fb34d04ae4882fcffd74d21e2408af
5a710d9a6fad0c9d9ca7f985f791999b
6c8efa6efcf946fc933f7ff0dae6b2ae
-----END OpenVPN Static key V1-----

1
bts_annee_2/cyber2/vpn-openvpn/server/README.md
View File

@ -1 +0,0 @@
Dossier du serveur OpenVPN, avec les fichiers de configuration, les certificats issus, et le reste.

8
bts_annee_2/cyber2/vpn-openvpn/server/dh.pem
View File

@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAuptpuRWmMxML8GOhjTObEZ7OF5RsUfZeK8+Oo+DO0uiF/KBOHoAG
QrzqWQAtwZJJ5rSqSVxrDR4v5ABkdVCdHfyF3ZI/+Ya+0afMn9g69QiMvhm7yp56
ey2oyMlYPoI1VzmsOZgS1rTrIQDgcSNBAAcpE2Gn3Rq2+czedhClI5Z+fFPAjzlU
cXfdWv/0thTW6P4z/6KCRsmJHDbQt0u/6PUizVZdhO+Pw/Fa6r89kAC6ShAd/+hh
RKoMb3kqJ2op1t87AfgHegHYtYQgAqhtHTkjVJ1AT6HcHVhSomz40Fw0YDkn4DXP
PGM2LunCSUlwU+z1jlCixmP0NEhVsi8mpwIBAg==
-----END DH PARAMETERS-----

85
bts_annee_2/cyber2/vpn-openvpn/server/issued/DESKTOP-SK8G91D.crt
View File

@ -1,85 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7a:40:e4:09:96:70:a7:11:03:89:2c:bb:23:d1:10:05
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: Oct 14 09:34:47 2024 GMT
Not After : Jan 17 09:34:47 2027 GMT
Subject: CN=DESKTOP-SK8G91D
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a3:54:3e:71:b3:68:7b:11:f0:38:d4:80:5f:60:
55:fe:27:f7:0e:f4:64:fd:6a:e4:be:7e:9c:40:82:
6e:57:bb:09:90:10:3e:f5:2b:13:1d:14:2f:b3:eb:
97:8e:c1:68:8f:23:9a:ac:8a:4f:8c:6d:59:69:88:
e6:75:80:44:80:94:65:17:c4:5a:c3:8c:b1:6e:bb:
6d:bd:fa:af:ce:42:ab:21:b4:33:92:02:d8:1f:e3:
9e:1a:aa:ae:e2:18:42:f9:6c:9f:84:db:a3:1b:23:
d8:fb:37:1f:3e:5f:04:21:72:17:be:4c:52:73:f0:
b7:87:fe:d1:c2:85:a3:4d:57:61:d6:4f:f7:6c:9c:
f1:fb:34:22:e5:44:43:86:a1:d8:29:b8:a2:73:f4:
54:da:93:86:1f:bc:d3:98:2b:29:74:dc:4e:17:0c:
b3:44:d8:77:96:98:45:38:44:36:23:dc:55:d2:d2:
f7:75:1f:ec:bc:23:a9:fc:76:30:78:f8:e9:03:f8:
88:43:9d:ae:fe:e8:e6:cf:02:d5:c7:93:f4:a9:9e:
11:e1:68:4e:10:bb:85:e8:1a:c8:1b:ce:f4:f1:55:
38:31:46:3e:1e:8d:6a:a8:6a:66:a6:85:57:08:76:
3f:24:3f:7e:e4:b8:af:bf:86:d5:73:4a:98:ad:53:
0f:6b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
F9:C9:56:7F:09:7A:38:A1:BB:00:6D:56:FA:75:FD:F6:C7:E9:EA:AE
X509v3 Authority Key Identifier:
keyid:02:2B:7C:59:A2:6F:3B:DA:07:A4:E9:F3:3F:27:94:B5:0E:62:76:F3
DirName:/CN=Easy-RSA CA
serial:65:E9:1E:24:AE:9A:EE:B3:E5:D9:79:EA:1E:A9:D7:5D:A1:E2:D4:F1
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
55:d1:dd:8c:9a:4e:80:02:32:49:88:6c:82:7f:43:d5:cd:37:
e0:8a:d5:d7:20:76:7f:dd:5b:b2:13:80:f0:81:9e:c7:e4:d3:
6e:e9:01:5f:91:57:87:97:bc:b7:a9:d0:82:1c:76:21:27:fa:
4c:84:c6:29:d0:f9:d4:78:6c:55:0c:9a:9b:9c:c0:ee:b5:35:
d0:0d:ef:5d:02:bf:51:40:9e:a8:cc:32:d9:c0:70:2f:c7:05:
72:e6:10:6d:fd:da:8d:d8:bb:7f:84:d8:85:64:66:82:a8:50:
08:9c:26:a5:27:8f:7b:9c:7b:5e:1d:44:6a:14:d2:4c:42:da:
9c:3b:46:34:0e:22:c5:3e:3c:0c:10:c6:52:08:33:32:67:5d:
71:00:7b:8a:f2:a7:ef:92:59:cc:fe:a8:4f:62:74:0e:91:ec:
5d:61:45:92:73:13:75:59:0b:50:c0:af:a4:90:2d:ed:a6:2a:
d7:60:55:d3:c6:f2:df:1c:9c:9f:c2:7b:ba:10:6a:6d:25:9e:
c7:f9:30:cf:e3:4f:87:48:ba:ac:37:ea:88:f1:d7:79:62:f9:
34:be:04:32:af:bf:a6:f8:91:89:ab:47:08:b5:3b:6e:17:c5:
d9:7f:94:f2:5c:47:57:58:62:02:12:7a:fa:83:bf:79:da:bf:
ed:88:a1:20
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIQekDkCZZwpxEDiSy7I9EQBTANBgkqhkiG9w0BAQsFADAW
MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0yNDEwMTQwOTM0NDdaFw0yNzAxMTcw
OTM0NDdaMBoxGDAWBgNVBAMMD0RFU0tUT1AtU0s4RzkxRDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKNUPnGzaHsR8DjUgF9gVf4n9w70ZP1q5L5+nECC
ble7CZAQPvUrEx0UL7Prl47BaI8jmqyKT4xtWWmI5nWARICUZRfEWsOMsW67bb36
r85CqyG0M5IC2B/jnhqqruIYQvlsn4Tboxsj2Ps3Hz5fBCFyF75MUnPwt4f+0cKF
o01XYdZP92yc8fs0IuVEQ4ah2Cm4onP0VNqThh+805grKXTcThcMs0TYd5aYRThE
NiPcVdLS93Uf7Lwjqfx2MHj46QP4iEOdrv7o5s8C1ceT9KmeEeFoThC7hegayBvO
9PFVODFGPh6NaqhqZqaFVwh2PyQ/fuS4r7+G1XNKmK1TD2sCAwEAAaOBojCBnzAJ
BgNVHRMEAjAAMB0GA1UdDgQWBBT5yVZ/CXo4obsAbVb6df32x+nqrjBRBgNVHSME
SjBIgBQCK3xZom872gek6fM/J5S1DmJ286EapBgwFjEUMBIGA1UEAwwLRWFzeS1S
U0EgQ0GCFGXpHiSumu6z5dl56h6p112h4tTxMBMGA1UdJQQMMAoGCCsGAQUFBwMC
MAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAVdHdjJpOgAIySYhsgn9D
1c034IrV1yB2f91bshOA8IGex+TTbukBX5FXh5e8t6nQghx2ISf6TITGKdD51Hhs
VQyam5zA7rU10A3vXQK/UUCeqMwy2cBwL8cFcuYQbf3ajdi7f4TYhWRmgqhQCJwm
pSePe5x7Xh1EahTSTELanDtGNA4ixT48DBDGUggzMmddcQB7ivKn75JZzP6oT2J0
DpHsXWFFknMTdVkLUMCvpJAt7aYq12BV08by3xycn8J7uhBqbSWex/kwz+NPh0i6
rDfqiPHXeWL5NL4EMq+/pviRiatHCLU7bhfF2X+U8lxHV1hiAhJ6+oO/edq/7Yih
IA==
-----END CERTIFICATE-----

87
bts_annee_2/cyber2/vpn-openvpn/server/issued/openvpn-ge.crt
View File

@ -1,87 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c0:ab:5f:6d:f5:7d:ef:f2:78:a5:4d:b6:3f:aa:96:01
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: Oct 14 09:24:38 2024 GMT
Not After : Jan 17 09:24:38 2027 GMT
Subject: CN=openvpn-ge
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:91:11:97:66:bf:80:7a:fe:03:8b:a1:6f:6c:9c:
ef:48:cf:3f:38:47:24:00:ef:e1:9e:20:94:db:f2:
0c:2a:07:c9:c5:24:df:4f:9c:42:6a:ab:2e:b4:64:
f5:92:ba:f4:46:fb:d6:3b:24:aa:f3:b1:cc:f7:03:
7f:0a:1d:35:09:74:77:9e:83:44:c9:26:a9:91:9d:
59:03:94:91:4d:af:5e:fb:18:23:43:cb:57:40:6f:
0b:b6:b6:d4:c7:e1:92:42:ee:ac:f5:de:94:75:70:
96:73:3f:25:93:0c:40:c1:25:c9:a6:d5:b5:f2:7e:
21:1c:49:ae:d0:86:a6:d9:68:67:e8:e3:0f:fc:8b:
80:8b:9b:80:3e:e1:38:74:32:48:67:5f:5e:63:be:
1f:3e:cd:70:62:45:bb:c1:29:1c:c1:11:da:33:81:
65:73:66:bf:77:8c:05:49:09:d8:8f:9d:27:0e:a4:
75:cd:1c:ae:74:78:53:38:f1:81:1c:9b:b2:72:a0:
77:33:20:b6:64:f8:ea:7b:8e:f8:89:7a:73:30:22:
db:3c:e5:d8:60:ee:02:42:23:a7:3b:bf:f9:48:08:
24:13:07:28:3f:82:2b:90:9b:8a:79:99:7c:5e:56:
93:6c:9f:2a:32:42:9f:60:f2:4d:69:28:15:b0:9a:
45:19
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
1D:12:59:5C:FC:A5:F7:73:7A:5D:FD:3C:FC:4B:82:BF:13:F8:8C:96
X509v3 Authority Key Identifier:
keyid:02:2B:7C:59:A2:6F:3B:DA:07:A4:E9:F3:3F:27:94:B5:0E:62:76:F3
DirName:/CN=Easy-RSA CA
serial:65:E9:1E:24:AE:9A:EE:B3:E5:D9:79:EA:1E:A9:D7:5D:A1:E2:D4:F1
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:openvpn-ge
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
67:6e:b2:fc:9c:ea:90:8f:15:bd:49:c0:22:e5:60:32:6e:bc:
6b:cf:b6:ec:dc:05:db:b1:55:94:d7:64:af:11:07:2c:cd:93:
95:cb:32:2d:89:0d:fe:1e:ab:dd:ab:0b:77:05:48:60:b5:6c:
b7:00:e4:5c:47:39:e1:6c:e4:58:0b:36:f0:ef:c7:a0:05:69:
c7:94:7c:da:69:f1:bb:52:30:23:d2:d0:68:5f:25:05:bc:2b:
82:ba:e8:8d:4e:aa:5f:2e:a3:3a:45:80:fd:45:10:a8:7f:63:
2c:85:83:67:b1:67:26:88:67:71:39:0d:39:7f:1e:53:9f:e2:
69:5e:be:52:33:30:17:0a:02:1a:eb:b6:77:ca:fa:08:75:b2:
ff:e0:65:8c:c8:b1:be:47:a0:8d:c5:bd:f5:a7:e2:93:c7:91:
2d:39:6d:78:1c:ef:c0:04:09:9e:85:7c:8b:80:c4:ad:27:07:
2d:5e:ee:79:59:11:e3:9e:a2:10:73:16:bf:98:48:54:a0:da:
29:5e:2b:f5:b3:2e:a4:e6:02:0c:25:07:ef:19:fb:1b:66:d0:
ee:50:82:f6:c2:2e:02:59:6a:51:b0:28:bb:35:d5:f2:59:4d:
01:d5:54:a8:69:5e:c2:49:8d:50:c1:3b:87:49:73:84:eb:be:
32:b8:c5:fb
-----BEGIN CERTIFICATE-----
MIIDcDCCAligAwIBAgIRAMCrX231fe/yeKVNtj+qlgEwDQYJKoZIhvcNAQELBQAw
FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjQxMDE0MDkyNDM4WhcNMjcwMTE3
MDkyNDM4WjAVMRMwEQYDVQQDDApvcGVudnBuLWdlMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAkRGXZr+Aev4Di6FvbJzvSM8/OEckAO/hniCU2/IMKgfJ
xSTfT5xCaqsutGT1krr0RvvWOySq87HM9wN/Ch01CXR3noNEySapkZ1ZA5SRTa9e
+xgjQ8tXQG8LtrbUx+GSQu6s9d6UdXCWcz8lkwxAwSXJptW18n4hHEmu0Iam2Whn
6OMP/IuAi5uAPuE4dDJIZ19eY74fPs1wYkW7wSkcwRHaM4Flc2a/d4wFSQnYj50n
DqR1zRyudHhTOPGBHJuycqB3MyC2ZPjqe474iXpzMCLbPOXYYO4CQiOnO7/5SAgk
EwcoP4IrkJuKeZl8XlaTbJ8qMkKfYPJNaSgVsJpFGQIDAQABo4G5MIG2MAkGA1Ud
EwQCMAAwHQYDVR0OBBYEFB0SWVz8pfdzel39PPxLgr8T+IyWMFEGA1UdIwRKMEiA
FAIrfFmibzvaB6Tp8z8nlLUOYnbzoRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBD
QYIUZekeJK6a7rPl2XnqHqnXXaHi1PEwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYD
VR0PBAQDAgWgMBUGA1UdEQQOMAyCCm9wZW52cG4tZ2UwDQYJKoZIhvcNAQELBQAD
ggEBAGdusvyc6pCPFb1JwCLlYDJuvGvPtuzcBduxVZTXZK8RByzNk5XLMi2JDf4e
q92rC3cFSGC1bLcA5FxHOeFs5FgLNvDvx6AFaceUfNpp8btSMCPS0GhfJQW8K4K6
6I1Oql8uozpFgP1FEKh/YyyFg2exZyaIZ3E5DTl/HlOf4mlevlIzMBcKAhrrtnfK
+gh1sv/gZYzIsb5HoI3FvfWn4pPHkS05bXgc78AECZ6FfIuAxK0nBy1e7nlZEeOe
ohBzFr+YSFSg2ileK/WzLqTmAgwlB+8Z+xtm0O5QgvbCLgJZalGwKLs11fJZTQHV
VKhpXsJJjVDBO4dJc4TrvjK4xfs=
-----END CERTIFICATE-----

28
bts_annee_2/cyber2/vpn-openvpn/server/private/DESKTOP-SK8G91D.key
View File

@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjVD5xs2h7EfA4
1IBfYFX+J/cO9GT9auS+fpxAgm5XuwmQED71KxMdFC+z65eOwWiPI5qsik+MbVlp
iOZ1gESAlGUXxFrDjLFuu229+q/OQqshtDOSAtgf454aqq7iGEL5bJ+E26MbI9j7
Nx8+XwQhche+TFJz8LeH/tHChaNNV2HWT/dsnPH7NCLlREOGodgpuKJz9FTak4Yf
vNOYKyl03E4XDLNE2HeWmEU4RDYj3FXS0vd1H+y8I6n8djB4+OkD+IhDna7+6ObP
AtXHk/SpnhHhaE4Qu4XoGsgbzvTxVTgxRj4ejWqoamamhVcIdj8kP37kuK+/htVz
SpitUw9rAgMBAAECggEAQd/J+bDbDHwtL7ahehZQSJxU3G68xqsUzDIjki8pEvBI
iJbM1bREVr+cB8yXCYg/RDAfg8SbFe/KlrKVBMIxnsx7Q4058FHwBFHLDssrmhyw
ifz0qcjE44O58lZyB5WyeYgShJLTY7BfJN9UFiNbdqPeKK3+uW1WkJ65emPM+/WD
7DR/VHOPs8PUS6mf6EMwyzeRHECnb8t9sSx1vqcAPzj/l/3iAQloyn9VxTvJ345/
yLyFtF+GCqSiXBl5bPR9uN1hrpjeqjcFo/EZFPSLQJNiFtHOUMt3GtJW0h7XQtrf
PakCeLx4DuMANuLPjdzcK4lZAql/s0A2hHNhEh94QQKBgQDRvxN6E1guXVktZxsS
rc/2uuOoOYbTkxpkqzqI4WQ24Gb7lu/95jhHdZTWCATLdG+XMDxMdiNWIf2YMAq4
5+c0ZL3HwiZq6Mo3sbZUP1RnEM4suHZZinTgJgDa3+RDGVF1usSwcvqGjY/+2zL8
muzjorsY7dBxLne8BDEH9yiHqwKBgQDHWL8o8uiNIpQxz7WzZwi8dNGTKCjA/Oig
BIin3Rk2nX33y5QIe45Jb9f4V7Q7XZjY2aoYwzVWsZlu1LAFvS9zkuKJB60I6PJt
+5yowZKk2roqR7hreuml1nbyAljoJpuIdrT/xHIQyI3LtgscUOTT2nMwAQ/X0gWz
xzSrLkjXQQKBgQCBsA2Q66kYceuT4S6iLApsWj4tY/RzmX82Q5Fb1VErhTDn2vnl
GZYuyQsQE8EzM3lUGCUQefN7bGTq1rmqfuk8QhX+D5PFgs6WBTHhgY7kc0Wn7R5w
WuXNOnJI4yq2Ok9d5e970nwI+jrQsCQkgH58ecAJt/GsKbkq7cSLUk0jJQKBgACU
uqHk61aV9jaa812dfEIIWSADqvK9CfSFbtyGYW9uUBKrzjekHIsMP2Xi44yUvkBL
ihpeX0ZsaBURm524qm28zNo3YoK3IxW8+Pzo64N9e7Np2BjAF/Q6xsf3x8iNbECe
j/J64RY5b2hblHa1qaUQauuF5UTswMWAXB/vl5jBAoGARQbPUSMgp382ZDN3ohxf
7XEC/roO6SyuKLaF46kfVgoNXNBK8qvfV4HaUHiWfkBlsdrZioQp7z+S3ijlrAu+
iae08RHuKQS1XMUN9BvqzmWSB9RMBZSNhVvD8QZwVPSHEqAx8yvORitdjQpDTdFS
8jKYo+l8sNiEYzv5y/ovagI=
-----END PRIVATE KEY-----

30
bts_annee_2/cyber2/vpn-openvpn/server/private/ca.key
View File

@ -1,30 +0,0 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIcJBKkvZeiKACAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECBiqIlSBAXf8BIIEyE3YCOnpXD79
6t52JDX0eovdDLf2ScDWsOSdDvCHvnEz6Df1ZKYq7jcm5ieFx5XHiRAGwWT/p77O
OSc73uXheI66RPios2+n0R/IT0mQhc+lOq7CLkCNXn5B1E/ZnAYEXcyhL52TZjQV
JnBTB/eaz2nz43XviqZ1mwjxDMm6MsyThrtLRbBzrHHcpd93Cdzzk5PofNB+fF5Z
FXjtb1yecEAHUUh80+xUiVDmtq1elFGR5mI/mRTeIRnWlcez1jgmH2CG39NlyXe5
Gjz7QnVhzO/z9l2A4kl8LBid0u4fVqx7ja7iWLOVR0XP36ncYZzhpngbiHfGd+y6
obJN3O1xQnQKE6yL8W+vTv68YnKSgY3RlOs0F1dEVdDIfVX7PnqiRKimiSvGPWl2
sW6ZtMTITD9q2wL5oMnHemkG/Ugfv1XA/g4SgbfVZAuInRilW4TEU5b7M7jRzJUz
vdkHYDzaulex8olpXwr1TJGZFNcEoU2dCYz/bU8FZk0ePtLotXK5mobmZJ64Zj4/
X2mqIl8Wi7pjQQ4nFDifYKgU0J2JbOKbC60s5a1jWSo5RNy1i1sGhkE5kPylAT3Q
mmxB01GRdgkSrJ90bgdOblgP0OqjRVvkB4GR3Nna0b0tRxEX6C1ahVHc0nWFpcYg
41xodrs8WSFy8VujH2jbXTBLVVtRSmC32gW5kfYoOqQzV0PdcYIzAh+PCOERGxXP
ZpBrgqKzup1sOjMmOxZri7iGwQAHbNonOSpRUWQ5k3YupL/VG0dO4nPRB8jySae7
lVhlhIrG8C4SvOahTNUHc9zOROUST/tTD4RILfq5kIq0cy5FJIqAdzultR8fPPLD
JUmQswbrxUG9zdEMG8P3bcCAJsjfX8qz5LIzGGETehxlTwNl85god8BslVpi1MEv
t/+WwUyLRkXYf8b9ooundCbc2PBvjr8Pwi4WmEGHH1fHyKtku9TDVM+KSkpXaLHV
3sc9GoapcCMeDipvhNT+HFUlrZCj8b8clRUJcd8QZ2Tuj66CJ8BgABGZKjDXYxAu
cKUVaD2e73qoVwXQDK4q+frlBciAxSdUcdeGFgCeG8aGOBCcJu638oTxDuDlw499
+NPK25mJVH1ppvRYrFHmNlCATL1Hlc2FadX+4H7YvPLFs9woVesVsgy4yVdjA1XN
dJL9N+5XoOvaUxCKn2e9CIdTCZ/N9d4WtlnsVsJPfP49EV+hYkJZZ/EjqU6dcmQc
AIj3StPIZb6LrPnHkXrynpzSQNzpQBEW9dXOU/TT3AVV02WfE/7USBI26+iKhj5p
oxDEHr2LYxWlNZUOTYQ88z/e1/polwOjCilAA4gXobuv1oGlbeoZfJoVzT1578FP
lkv7MvOHaVCN+V5/RjVxnfsf+n4xMJtEK3Ysj9+7QvWsQJMTZuRhY23Do9cUNbEm
5ruZeQByIVMPQiPIkmeHU5NEsqKPfw6CUEZXjy62B4cZuN20WzBfT7IsNebhUrwB
odS9qGkANy/Qa7GAJqeksCoGOeXTu/Ly0IdthqVOJTxcUiEoswrZhYP7eCK8zIKI
PxgIjyWd6cz/V/NuTg4X8fyT9UyvTKw/pdRXa/P4ndORWucZY4DL+OKeHKqwv9Sq
TGNCN4VEMQEQhPZ4gidNkg==
-----END ENCRYPTED PRIVATE KEY-----

28
bts_annee_2/cyber2/vpn-openvpn/server/private/openvpn-ge.key
View File

@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCREZdmv4B6/gOL
oW9snO9Izz84RyQA7+GeIJTb8gwqB8nFJN9PnEJqqy60ZPWSuvRG+9Y7JKrzscz3
A38KHTUJdHeeg0TJJqmRnVkDlJFNr177GCNDy1dAbwu2ttTH4ZJC7qz13pR1cJZz
PyWTDEDBJcmm1bXyfiEcSa7QhqbZaGfo4w/8i4CLm4A+4Th0MkhnX15jvh8+zXBi
RbvBKRzBEdozgWVzZr93jAVJCdiPnScOpHXNHK50eFM48YEcm7JyoHczILZk+Op7
jviJenMwIts85dhg7gJCI6c7v/lICCQTByg/giuQm4p5mXxeVpNsnyoyQp9g8k1p
KBWwmkUZAgMBAAECggEAEkNrcutRlspjcmEG2N7yDhHPZPup1/dbSW/TJdSVfPYh
jBEODyT+RJUcCmh6dThVuBkM+cGuRwNfqUp2pDSUoIXZ6Gogzw0vxG4Rjo6V83iM
ZeK+T9Lp/2nriNuAMtDee9A2FLcqrBVaT5SH27krbtWdy0P1BdwkuX26RTTqjQy0
EprOVtuGmkw1P9EMpWhWpvGfsAT+irvPpmWSTJUP9KeD8H9E2Rbd7YLKiOOQaVFo
u/N69N3vbeemTLvaar+4dX7zBHBnhVTVLWIrX7PQpktHCJQ3Y3tx6IcjohDq1xVz
TQdEvOt7pATKHaooXngumDTiSoap9N/wtHWdYpPjvQKBgQDJ+KaadSn53iSKA2D2
uT/jhBfEoDu8s7tf0MU0RFhqjN5gSmsUvMQ2plgEKcvaCTtRY2ON3q0LnnLysZEx
YHCEvXZGgkmpRKI/dHDmUrhr2+Ne7Jt/Qk9inQhonUj282EkL4I8eqXc+oV7U9Y8
8afLPLjDhWSwJcUGjUZaR10HbQKBgQC34Cb1czef7Iay9s39UOU4mFb6esxsH6hx
agk2+WcR0upReToEZ91ujGiORqbZnReTlbLDokxJXY/mkjcwB4+pkAsTtPIjtvtE
wyQZFyiIUo0vC00CfhK1ZWPYCyUTgR0MFUz4XDyfRe/EX2k4cH1iXbpvaYvj/32u
mje6xODM3QKBgQDBl4cKEjfz+0wGxgpRM2vbxqeJnxTjYVu/EbuUx9X/+5rDrVFK
hU2GHJfNFcsB6UtkTeIFAGXZ9zyzCCTlsUzozznph8TXbKQgMpptCuke6ZvdRuod
Zw/0tBR1Qh3IJ6z7JFavZdhKIg+EEO4PaIqvMjrfnqLOfMWH7C59Jl4zWQKBgQCE
Kr92IDo0Xqw3iUVpNrN8qaujYY78jQjjdKdo934JhsRcibmVHx8/7fbdhZU6yDsB
H1IeYtNYzMK5phG7GUQ/SkVcBe0ilM0pkOaqjkXZLxVCYmoZR4ulDVrmGKSuz1iU
rd7kilAc4AVG7pnQMrM9eEeg+4nM+YFadolmW0uGlQKBgQCGu+f+skjD7R/qcC2r
QxAayp2IbKv4F0aekTAZjTu8ACoZ0P2wJ/RJIDC657sPLhzY+Ra0XoqLZs9LXRTn
qKK73UMmJn9BiIHoh7C48kKOSgzOD2YnuFodQS6t200eeAOV1pJdwb9ukKN9bzOW
bXxUMmZwltTsEz0PH/1ao8f8Fw==
-----END PRIVATE KEY-----

315
bts_annee_2/cyber2/vpn-openvpn/server/server.conf
View File

@ -1,315 +0,0 @@
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert issued/openvpn-ge.crt
key private/openvpn-ge.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh dh.pem
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
;topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey tls-auth ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-GCM
# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"
# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this on non-Windows
# systems after creating a dedicated user.
;user openvpn
;group openvpn
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log /var/log/openvpn/openvpn.log
;log-append /var/log/openvpn/openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1

21
bts_annee_2/cyber2/vpn-openvpn/server/ta.key
View File

@ -1,21 +0,0 @@
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
d603ad1c4cec84482158d16fdf2195fc
00408410be33b106963c91a3ef7f01e6
85b69e6a37d0928e36bf15d00152817d
4a16fd1ce4555caca28e602b8124fec6
a659f275ae06de6a2333dd4a358e4689
e0914d9416e12c042af8114863159b76
e79c45aa2f972da28ad19c1b2f6f8b00
340f4a906f640e0f113483fb50d5799d
2d75c0ecbf853542e03b4b9f76eec5c1
fdcc11ab0ba44974eff3c087241521fd
ae0ef5aad26279907448c6493a77c5d7
abc5192af4f157ae3f9e25f92c08f7c6
d33e9ccd18559b886338c515b62bdc8a
22fb34d04ae4882fcffd74d21e2408af
5a710d9a6fad0c9d9ca7f985f791999b
6c8efa6efcf946fc933f7ff0dae6b2ae
-----END OpenVPN Static key V1-----

1
bts_annee_2/cyber2/wordpress-lamp/README.md
View File

@ -1 +0,0 @@
Dossier avec les fichiers de configuration du pare-feu, le fichier de test goss et le script de récupération des informations sur le serveur Web Wordpress.

100
bts_annee_2/cyber2/wordpress-lamp/compte-rendu-2024-09-30
View File

@ -1,100 +0,0 @@
# Scan des ports ouverts visibles depuis le poste physique
lun. 30 sept. 2024 16:45:55 CEST
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-30 16:45 CEST
Nmap scan report for 172.16.0.152
Host is up (0.00069s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 507a12ddb833cec5b87c576702e1682a (ECDSA)
|_ 256 c3bbd552f31fbd2d9fdd9e11ca521cbc (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Did not follow redirect to https://172.16.0.152/
|_http-server-header: Apache/2.4.62 (Debian)
443/tcp open ssl/http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
| tls-alpn:
|_ http/1.1
|_http-title: Apache2 Debian Default Page: It works
| ssl-cert: Subject: commonName=wordpress-ge/organizationName=Lyc\xC3\x83\xC2\xA9e Le Castel/stateOrProvinceName=Bourgogne/countryName=FR
| Not valid before: 2024-09-26T13:11:27
|_Not valid after: 2025-09-26T13:11:27
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.30 seconds
# Affichage des règles du pare-feu
# Generated by iptables-save v1.8.9 on Mon Sep 30 16:46:17 2024
*filter
:INPUT DROP [30889:1853067]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [142:9272]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Sep 30 16:46:17 2024
# Scan des ports UDP ouverts sur le serveur Web
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
UNCONN 0 0 127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=267,fd=19))
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=267,fd=17))
UNCONN 0 0 0.0.0.0:5355 0.0.0.0:* users:(("systemd-resolve",pid=267,fd=11))
# Scan des ports TCP ouverts sur le serveur Web
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0 4096 0.0.0.0:5355 0.0.0.0:* users:(("systemd-resolve",pid=267,fd=12))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=404,fd=3))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=778,fd=13))
LISTEN 0 4096 127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=267,fd=20))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mariadbd",pid=462,fd=20))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=267,fd=18))
# Résultats des tests Goss
1..31
ok 1 - Package: apache2: installed: matches expectation: true
ok 2 - Package: apache2: version: matches expectation: ["2.4.62-1~deb12u1"]
ok 3 - Package: mariadb-server: installed: matches expectation: true
ok 4 - Package: mariadb-server: version: matches expectation: ["1:10.11.6-0+deb12u1"]
ok 5 - Process: apache2: running: matches expectation: true
ok 6 - Service: sshd: enabled: matches expectation: true
ok 7 - Service: sshd: running: matches expectation: true
ok 8 - Process: sshd: running: matches expectation: true
ok 9 - Port: tcp:22: listening: matches expectation: true
ok 10 - Port: tcp:22: ip: matches expectation: ["0.0.0.0"]
ok 11 - Port: tcp6:22: listening: matches expectation: true
ok 12 - Port: tcp6:22: ip: matches expectation: ["::"]
ok 13 - User: sshd: exists: matches expectation: true
ok 14 - User: sshd: uid: matches expectation: 103
ok 15 - User: sshd: gid: matches expectation: 65534
ok 16 - User: sshd: home: matches expectation: "/run/sshd"
ok 17 - User: sshd: groups: matches expectation: ["nogroup"]
ok 18 - User: sshd: shell: matches expectation: "/usr/sbin/nologin"
ok 19 - Port: tcp6:80: listening: matches expectation: true
ok 20 - Port: tcp6:80: ip: matches expectation: ["::"]
ok 21 - Interface: eth0: exists: matches expectation: true
ok 22 - Interface: eth0: addrs: matches expectation: ["172.16.0.152/24","fe80::be24:11ff:fe76:ac6f/64"]
ok 23 - Interface: eth0: mtu: matches expectation: 1500
ok 24 - Port: tcp6:443: listening: matches expectation: true
ok 25 - Port: tcp6:443: ip: matches expectation: ["::"]
ok 26 - Service: ssh: enabled: matches expectation: true
ok 27 - Service: ssh: running: matches expectation: true
ok 28 - Service: apache2: enabled: matches expectation: true
ok 29 - Service: apache2: running: matches expectation: true
ok 30 - HTTP: http://172.16.0.152/wordpress: status: matches expectation: 200
ok 31 - HTTP: http://172.16.0.152/wordpress: Body: matches expectation: ["engagement"]

13
bts_annee_2/cyber2/wordpress-lamp/compterendudistant.sh
View File

@ -1,13 +0,0 @@
#!/bin/bash
DATE=$(date -I)
echo "Scan nmap et comptes-rendus en cours de création, veuillez patienter..."
echo -ne "# Scan des ports ouverts visibles depuis le poste physique\n\n" > compte-rendu-$DATE
(date ; nmap -A 172.16.0.152 ) >> compte-rendu-$DATE
echo -ne "\n# Affichage des règles du pare-feu\n\n" >> compte-rendu-$DATE
ssh debian@172.16.0.152 "sudo iptables-legacy-save" >> compte-rendu-$DATE
echo -ne "\n# Scan des ports UDP ouverts sur le serveur Web\n\n" >> compte-rendu-$DATE
ssh debian@172.16.0.152 "sudo ss -lnu4p" >> compte-rendu-$DATE
echo -ne "\n# Scan des ports TCP ouverts sur le serveur Web\n\n" >> compte-rendu-$DATE
ssh debian@172.16.0.152 "sudo ss -lnt4p" >> compte-rendu-$DATE
echo -ne "\n# Résultats des tests Goss\n\n" >> compte-rendu-$DATE
ssh debian@172.16.0.152 "sudo goss v -f tap" >> compte-rendu-$DATE

43
bts_annee_2/cyber2/wordpress-lamp/ferm.conf
View File

@ -1,43 +0,0 @@
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
domain (ip) {
table filter {
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local packet
interface lo ACCEPT;
# respond to ping
proto icmp ACCEPT;
# allow SSH connections
proto tcp dport ssh ACCEPT;
# autorise les connexions HTTP et HTTPS
proto tcp dport (http https) ACCEPT;
}
chain OUTPUT {
policy ACCEPT;
# connection tracking
#mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
chain FORWARD {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
}
}
@include ferm.d/;

73
bts_annee_2/cyber2/wordpress-lamp/goss.yaml
View File

@ -1,73 +0,0 @@
package:
apache2:
installed: true
versions:
- 2.4.62-1~deb12u1
mariadb-server:
installed: true
versions:
- 1:10.11.6-0+deb12u1
port:
tcp:22:
listening: true
ip:
- 0.0.0.0
tcp6:22:
listening: true
ip:
- '::'
tcp6:80:
listening: true
ip:
- '::'
tcp6:443:
listening: true
ip:
- '::'
service:
apache2:
enabled: true
running: true
ssh:
enabled: true
running: true
sshd:
enabled: true
running: true
user:
sshd:
exists: true
uid: 103
gid: 65534
groups:
- nogroup
home: /run/sshd
shell: /usr/sbin/nologin
process:
apache2:
running: true
sshd:
running: true
interface:
eth0:
exists: true
addrs:
- 172.16.0.152/24
- fe80::be24:11ff:fe76:ac6f/64
mtu: 1500
http:
http://172.16.0.152/wordpress:
status: 200
allow-insecure: true
no-follow-redirects: false
timeout: 5000
body:
- engagement
https:
https://172.16.0.152/wordpress:
status: 200
allow-insecure: true
no-follow-redirects: false
timeout: 5000
body:
- engagement

1
bts_annee_2/ds_logs/README.md
View File

@ -1 +0,0 @@
# Ce répertoire contient le DS sur les logs tel qu'il a été rendu, le fichier de l'historique bash, ainsi que les fichiers nécessaires pour le contrôle.

1268
bts_annee_2/ds_logs/bash_history_ge
View File

File diff suppressed because it is too large Load Diff

BIN
bts_annee_2/ds_logs/ctrl-cybersec2.odt
View File

Binary file not shown.

24297
bts_annee_2/ds_logs/srv1/auth.log
View File

File diff suppressed because it is too large Load Diff

11
bts_annee_2/ds_logs/srv1/fail2ban-client-status-sshd
View File

@ -1,11 +0,0 @@
root@vpxyxt:~# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 6
| |- Total failed: 127969
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 3
|- Total banned: 14924
`- Banned IP list: 221.131.165.33 125.141.139.7 112.85.42.229

17595
bts_annee_2/ds_logs/srv1/fail2ban.log
View File

File diff suppressed because it is too large Load Diff

18
bts_annee_2/ds_logs/srv1/last-reboot
View File

@ -1,18 +0,0 @@
reboot system boot 4.19.0-18-cloud- Thu Nov 11 23:30 still running
reboot system boot 4.19.0-18-cloud- Sun Oct 24 23:12 - 23:29 (18+01:17)
reboot system boot 4.19.0-17-cloud- Mon Aug 16 19:09 - 23:12 (69+04:02)
reboot system boot 4.19.0-17-cloud- Tue Aug 3 13:52 - 19:07 (13+05:14)
reboot system boot 4.19.0-17-cloud- Wed Jul 21 22:02 - 13:51 (12+15:48)
reboot system boot 4.19.0-17-cloud- Sat Jul 17 14:51 - 22:02 (4+07:10)
reboot system boot 4.19.0-17-cloud- Mon Jun 21 21:04 - 14:49 (25+17:45)
reboot system boot 4.19.0-16-cloud- Wed Apr 21 17:22 - 21:04 (61+03:41)
reboot system boot 4.19.0-16-cloud- Sun Mar 28 23:02 - 17:22 (23+18:20)
reboot system boot 4.19.0-14-cloud- Mon Mar 1 18:48 - 23:00 (27+03:11)
reboot system boot 4.19.0-14-cloud- Sat Feb 6 18:30 - 18:48 (23+00:17)
reboot system boot 4.19.0-9-cloud-a Fri Aug 7 11:12 - 18:30 (183+08:18)
reboot system boot 4.19.0-9-cloud-a Wed Jun 10 22:13 - 11:10 (57+12:56)
reboot system boot 4.19.0-9-cloud-a Sun May 10 21:26 - 22:13 (31+00:47)
reboot system boot 4.19.0-8-cloud-a Wed Apr 22 16:33 - 21:26 (18+04:52)
reboot system boot 4.19.0-5-cloud-a Wed Apr 22 14:33 - 16:33 (01:59)
wtmp begins Wed Apr 22 14:32:29 2020

2781
bts_annee_2/ds_logs/srv2/access.log
View File

File diff suppressed because it is too large Load Diff

22
bts_annee_2/ds_logs/srv2/error.log
View File

@ -1,22 +0,0 @@
2022/01/06 01:10:37 [crit] 25928#25928: *193130 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 134.122.134.182, server: 0.0.0.0:443
2022/01/06 04:52:51 [crit] 25928#25928: *193597 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 180.215.192.168, server: 0.0.0.0:443
2022/01/06 05:05:07 [crit] 25928#25928: *193671 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 184.105.139.68, server: 0.0.0.0:443
2022/01/06 07:48:51 [crit] 25928#25928: *193925 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 192.241.205.83, server: 0.0.0.0:443
2022/01/06 16:29:13 [error] 25928#25928: *195335 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Error: Call to undefined function submit_button() in /var/www/html/wordpress/wp-admin/includes/file.php:2269
Stack trace:
#0 /var/www/html/wordpress/wp-admin/includes/class-wp-upgrader-skin.php(136): request_filesystem_credentials('', 'ftpext', false, '/var/www/html/w...', Array, false)
#1 /var/www/html/wordpress/wp-admin/includes/class-automatic-upgrader-skin.php(49): WP_Upgrader_Skin->request_filesystem_credentials(false, '/var/www/html/w...', false)
#2 /var/www/html/wordpress/wp-admin/includes/class-wp-site-health-auto-updates.php(280): Automatic_Upgrader_Skin->request_filesystem_credentials(false, '/var/www/html/w...')
#3 /var/www/html/wordpress/wp-admin/includes/class-wp-site-health-auto-updates.php(36): WP_Site_Health_Auto_Updates->test_check_wp_filesystem_method()
#4 /var/www/html/wordpress/wp-admin/includes/class-wp-site-health.php(1704): WP_Site_Health_Auto_Updates->run_tests()
#5 /var/www/html/wordpress/wp-includes/rest-api/endpoints/class-wp-rest-" while reading response header from upstream, client: 109.215.149.166, server: www.sasti-bfc.fr, request: "GET /wp-json/wp-site-health/v1/tests/background-updates?_locale=user HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.3-fpm.sock:", host: "www.sasti-bfc.fr", referrer: "https://www.sasti-bfc.fr/wp-admin/site-health.php"
2022/01/06 16:31:41 [error] 25928#25928: *195357 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Error: Call to undefined function submit_button() in /var/www/html/wordpress/wp-admin/includes/file.php:2269
Stack trace:
#0 /var/www/html/wordpress/wp-admin/includes/class-wp-upgrader-skin.php(136): request_filesystem_credentials('', 'ftpext', false, '/var/www/html/w...', Array, false)
#1 /var/www/html/wordpress/wp-admin/includes/class-automatic-upgrader-skin.php(49): WP_Upgrader_Skin->request_filesystem_credentials(false, '/var/www/html/w...', false)
#2 /var/www/html/wordpress/wp-admin/includes/class-wp-site-health-auto-updates.php(280): Automatic_Upgrader_Skin->request_filesystem_credentials(false, '/var/www/html/w...')
#3 /var/www/html/wordpress/wp-admin/includes/class-wp-site-health-auto-updates.php(36): WP_Site_Health_Auto_Updates->test_check_wp_filesystem_method()
#4 /var/www/html/wordpress/wp-admin/includes/class-wp-site-health.php(1704): WP_Site_Health_Auto_Updates->run_tests()
#5 /var/www/html/wordpress/wp-includes/rest-api/endpoints/class-wp-rest-" while reading response header from upstream, client: 109.215.149.166, server: www.sasti-bfc.fr, request: "GET /wp-json/wp-site-health/v1/tests/background-updates?_locale=user HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.3-fpm.sock:", host: "www.sasti-bfc.fr", referrer: "https://www.sasti-bfc.fr/wp-admin/site-health.php"
2022/01/06 17:29:59 [crit] 25928#25928: *195897 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 198.20.69.98, server: 0.0.0.0:443
2022/01/06 23:36:59 [error] 25928#25928: *196755 directory index of "/var/www/html/wordpress/wp-admin/css/" is forbidden, client: 2.56.57.240, server: www.sasti-bfc.fr, request: "GET /wp-admin/css/ HTTP/1.1", host: "www.sasti-bfc.fr", referrer: "binance.com"

8
bts_annee_2/sisr2/README.md
View File

@ -1,8 +0,0 @@
# Dépôt de seconde année de SISR.
## Chaque dossier porte un nom descriptif, qu'on peut relier à une ou plusieurs séances.
### Séances 3 et 4 : Heartbeat, répartition de charge.
### Séances 4 et 5 : Haproxy et LVS.
### Séance 6 (PXE - Déploiement automatisé de machines) : Intel PXE.
### Séances 13 et 14 : Scripts Python.
### Séances 16, 17 et 18 : Playbooks Ansible.
### Séance 27 : Netbox/IPAM.

2
bts_annee_2/sisr2/heartbeat_repartition_charge/README.md
View File

@ -1,2 +0,0 @@
Vagrantfiles de la troisième séance en SISR, et scripts pour le heartbeat.
Les dossiers nominaux sont les machines du heartbeat.

49
bts_annee_2/sisr2/heartbeat_repartition_charge/hb1/inst-hb1.sh
View File

@ -1,49 +0,0 @@
#!/bin/bash
# les bases
# noeud hb1 : 192.168.0.101
# noeud hb2 : 192.168.0.102
# addr virt. : 192.168.0.103
sed -i 's/bookworm/hb1/g' /etc/host{s,name}
apt update
apt install -y heartbeat apache2 net-tools
systemctl disable apache2
cat <<EOT> /etc/network/interfaces.d/enp0s3
allow-hotplug enp0s3
iface enp0s3 inet static
address 192.168.0.101/24 # a adapter pour hb2
EOT
cat <<EOT> /etc/network/interfaces.d/enp0s8
allow-hotplug enp0s8
iface enp0s8 inet static
address 10.0.0.1/24 # a adapter pour hb2
EOT
cd /usr/share/doc/heartbeat
gunzip *.gz
cp ha.cf /etc/ha.d
cp haresources /etc/ha.d
cp authkeys /etc/ha.d
cd /etc/ha.d
echo "192.168.0.102 hb2" >> /etc/hosts # a adapter pour hb2
cat <<EOT >> /etc/ha.d/ha.cf
bcast enp0s8
node hb1
node hb2
pacemaker off
EOT
# echo " hb1 192.168.0.103 apache2" >> /etc/ha.d/haresources pou Debian buster
echo " hb1 192.168.0.103/24/enp0s3 apache2" >> /etc/ha.d/haresources
cat <<EOT >> /etc/ha.d/authkeys
auth 1
1 crc
EOT
chmod 600 /etc/ha.d/authkeys
echo hb1 > /var/www/html/index.html # a adapter pour hb2
#

49
bts_annee_2/sisr2/heartbeat_repartition_charge/hb2/inst-hb2.sh
View File

@ -1,49 +0,0 @@
#!/bin/bash
# les bases
# noeud hb1 : 192.168.0.101
# noeud hb2 : 192.168.0.102
# addr virt. : 192.168.0.103
sed -i 's/bookworm/hb2/g' /etc/host{s,name}
apt update
apt install -y heartbeat apache2 net-tools
systemctl disable apache2
cat <<EOT> /etc/network/interfaces.d/enp0s3
allow-hotplug enp0s3
iface enp0s3 inet static
address 192.168.0.102/24 # a adapter pour hb2
EOT
cat <<EOT> /etc/network/interfaces.d/enp0s8
allow-hotplug enp0s8
iface enp0s8 inet static
address 10.0.0.2/24 # a adapter pour hb2
EOT
cd /usr/share/doc/heartbeat
gunzip *.gz
cp ha.cf /etc/ha.d
cp haresources /etc/ha.d
cp authkeys /etc/ha.d
cd /etc/ha.d
echo "192.168.0.101 hb1" >> /etc/hosts # a adapter pour hb2
cat <<EOT >> /etc/ha.d/ha.cf
bcast enp0s8
node hb1
node hb2
pacemaker off
EOT
# echo " hb1 192.168.0.103 apache2" >> /etc/ha.d/haresources pou Debian buster
echo " hb1 192.168.0.103/24/enp0s3 apache2" >> /etc/ha.d/haresources
cat <<EOT >> /etc/ha.d/authkeys
auth 1
1 crc
EOT
chmod 600 /etc/ha.d/authkeys
echo hb2 > /var/www/html/index.html # a adapter pour hb2
#

79
bts_annee_2/sisr2/heartbeat_repartition_charge/vagrant/Vagrantfile_bookworm
View File

@ -1,79 +0,0 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
# The most common configuration options are documented and commented below.
# For a complete reference, please see the online documentation at
# https://docs.vagrantup.com.
# Every Vagrant development environment requires a box. You can search for
# boxes at https://vagrantcloud.com/search.
config.vm.box = "debian/bookworm64"
config.vm.hostname = "bookworm"
# Disable automatic box update checking. If you disable this, then
# boxes will only be checked for updates when the user runs
# `vagrant box outdated`. This is not recommended.
# config.vm.box_check_update = false
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine. In the example below,
# accessing "localhost:8080" will access port 80 on the guest machine.
# NOTE: This will enable public access to the opened port
# config.vm.network "forwarded_port", guest: 80, host: 8080
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine and only allow access
# via 127.0.0.1 to disable public access
# config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
# Create a private network, which allows host-only access to the machine
# using a specific IP.
# config.vm.network "private_network", ip: "192.168.33.10"
# Create a public network, which generally matched to bridged network.
# Bridged networks make the machine appear as another physical device on
# your network.
# config.vm.network "public_network"
# Share an additional folder to the guest VM. The first argument is
# the path on the host to the actual folder. The second argument is
# the path on the guest to mount the folder. And the optional third
# argument is a set of non-required options.
# config.vm.synced_folder "../data", "/vagrant_data"
# Disable the default share of the current code directory. Doing this
# provides improved isolation between the vagrant box and your host
# by making sure your Vagrantfile isn't accessable to the vagrant box.
# If you use this you may want to enable additional shared subfolders as
# shown above.
# config.vm.synced_folder ".", "/vagrant", disabled: true
# Provider-specific configuration so you can fine-tune various
# backing providers for Vagrant. These expose provider-specific options.
# Example for VirtualBox:
#
# config.vm.provider "virtualbox" do |vb|
# # Display the VirtualBox GUI when booting the machine
# vb.gui = true
#
# # Customize the amount of memory on the VM:
# vb.memory = "1024"
# end
#
# View the documentation for the provider you are using for more
# information on available options.
# Enable provisioning with a shell script. Additional provisioners such as
# Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
# documentation for more information about their specific syntax and use.
config.vm.provision "shell", inline: <<-SHELL
timedatectl set-timezone Europe/Paris
apt-get update
apt-get install -y vim wget curl neovim mc
SHELL
end

28
bts_annee_2/sisr2/heartbeat_repartition_charge/vagrant/Vagrantfile_rsync
View File

@ -1,28 +0,0 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
config.vm.provision "shell", inline: "apt-get update" # execute pour chacune des machines
config.vm.define "srv1" do |srv1|#VM No'1
srv1.vm.box = "debian/bookworm64" #Setting machine type
srv1.vm.hostname = "srv1" #Setting machine type
srv1.vm.network "public_network", ip: "192.168.0.111"#Set static IP
srv1.vm.provision "shell", inline: <<-SHELL
timedatectl set-timezone Europe/Paris
apt-get install -y wget curl vim unzip apache2
echo "192.168.0.112 srv2" >> /etc/hosts
SHELL
end
config.vm.define "srv2" do |srv2|# VM No2
srv2.vm.box = "debian/bookworm64" #Setting machine type
srv2.vm.hostname = "srv2" #Setting machine type
srv2.vm.network "public_network", ip: "192.168.0.112" #Set static IP
srv2.vm.provision "shell", inline: <<-SHELL
timedatectl set-timezone Europe/Paris
apt-get install -y wget curl vim unzip apache2
echo "192.168.0.111 srv1" >> /etc/hosts
SHELL
end
end

1
bts_annee_2/sisr2/intel_pxe_boot/DHCP/README.md
View File

@ -1 +0,0 @@
Fichiers de configuration du serveur DHCP de la machine PXE.

112
bts_annee_2/sisr2/intel_pxe_boot/DHCP/dhcpd.conf
View File

@ -1,112 +0,0 @@
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
#option domain-name "example.org";
option domain-name-servers 10.121.38.7, 10.121.38.8;
default-lease-time 100000;
max-lease-time 7200000;
allow booting;
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.20;
option broadcast-address 192.168.1.255;
option routers 192.168.1.100;
next-server 192.168.1.100;
filename "pxelinux.0";
}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.example.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.example.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}

18
bts_annee_2/sisr2/intel_pxe_boot/DHCP/isc-dhcp-server
View File

@ -1,18 +0,0 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s8"
INTERFACESv6=""

1
bts_annee_2/sisr2/intel_pxe_boot/Interfaces/README.md
View File

@ -1 +0,0 @@
Fichiers d'interfaces réseau des deux cartes de la machine PXE.

3
bts_annee_2/sisr2/intel_pxe_boot/Interfaces/enp0s3
View File

@ -1,3 +0,0 @@
# generated by FAI
auto enp0s3
iface enp0s3 inet dhcp

Some files were not shown because too many files have changed in this diff Show More