bts_annee_2/cyber2/wordpress-lamp/README.md

@@ -0,0 +1 @@
+Dossier avec les fichiers de configuration du pare-feu, le fichier de test goss et le script de récupération des informations sur le serveur Web Wordpress.

bts_annee_2/cyber2/wordpress-lamp/compte-rendu-2024-09-30

@@ -0,0 +1,100 @@
+# Scan des ports ouverts visibles depuis le poste physique
+
+lun. 30 sept. 2024 16:45:55 CEST
+Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-30 16:45 CEST
+Nmap scan report for 172.16.0.152
+Host is up (0.00069s latency).
+Not shown: 997 filtered tcp ports (no-response)
+PORT    STATE SERVICE  VERSION
+22/tcp  open  ssh      OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
+| ssh-hostkey: 
+|   256 507a12ddb833cec5b87c576702e1682a (ECDSA)
+|_  256 c3bbd552f31fbd2d9fdd9e11ca521cbc (ED25519)
+80/tcp  open  http     Apache httpd 2.4.62 ((Debian))
+|_http-title: Did not follow redirect to https://172.16.0.152/
+|_http-server-header: Apache/2.4.62 (Debian)
+443/tcp open  ssl/http Apache httpd 2.4.62 ((Debian))
+|_http-server-header: Apache/2.4.62 (Debian)
+| tls-alpn: 
+|_  http/1.1
+|_http-title: Apache2 Debian Default Page: It works
+| ssl-cert: Subject: commonName=wordpress-ge/organizationName=Lyc\xC3\x83\xC2\xA9e Le Castel/stateOrProvinceName=Bourgogne/countryName=FR
+| Not valid before: 2024-09-26T13:11:27
+|_Not valid after:  2025-09-26T13:11:27
+|_ssl-date: TLS randomness does not represent time
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 23.30 seconds
+
+# Affichage des règles du pare-feu
+
+# Generated by iptables-save v1.8.9 on Mon Sep 30 16:46:17 2024
+*filter
+:INPUT DROP [30889:1853067]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [142:9272]
+-A INPUT -m state --state INVALID -j DROP
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+-A FORWARD -m state --state INVALID -j DROP
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+# Completed on Mon Sep 30 16:46:17 2024
+
+# Scan des ports UDP ouverts sur le serveur Web
+
+State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess                                   
+UNCONN 0      0         127.0.0.54:53        0.0.0.0:*    users:(("systemd-resolve",pid=267,fd=19))
+UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=267,fd=17))
+UNCONN 0      0            0.0.0.0:5355      0.0.0.0:*    users:(("systemd-resolve",pid=267,fd=11))
+
+# Scan des ports TCP ouverts sur le serveur Web
+
+State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess                                   
+LISTEN 0      4096         0.0.0.0:5355      0.0.0.0:*    users:(("systemd-resolve",pid=267,fd=12))
+LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=404,fd=3))            
+LISTEN 0      100          0.0.0.0:25        0.0.0.0:*    users:(("master",pid=778,fd=13))         
+LISTEN 0      4096      127.0.0.54:53        0.0.0.0:*    users:(("systemd-resolve",pid=267,fd=20))
+LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*    users:(("mariadbd",pid=462,fd=20))       
+LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=267,fd=18))
+
+# Résultats des tests Goss
+
+1..31
+ok 1 - Package: apache2: installed: matches expectation: true
+ok 2 - Package: apache2: version: matches expectation: ["2.4.62-1~deb12u1"]
+ok 3 - Package: mariadb-server: installed: matches expectation: true
+ok 4 - Package: mariadb-server: version: matches expectation: ["1:10.11.6-0+deb12u1"]
+ok 5 - Process: apache2: running: matches expectation: true
+ok 6 - Service: sshd: enabled: matches expectation: true
+ok 7 - Service: sshd: running: matches expectation: true
+ok 8 - Process: sshd: running: matches expectation: true
+ok 9 - Port: tcp:22: listening: matches expectation: true
+ok 10 - Port: tcp:22: ip: matches expectation: ["0.0.0.0"]
+ok 11 - Port: tcp6:22: listening: matches expectation: true
+ok 12 - Port: tcp6:22: ip: matches expectation: ["::"]
+ok 13 - User: sshd: exists: matches expectation: true
+ok 14 - User: sshd: uid: matches expectation: 103
+ok 15 - User: sshd: gid: matches expectation: 65534
+ok 16 - User: sshd: home: matches expectation: "/run/sshd"
+ok 17 - User: sshd: groups: matches expectation: ["nogroup"]
+ok 18 - User: sshd: shell: matches expectation: "/usr/sbin/nologin"
+ok 19 - Port: tcp6:80: listening: matches expectation: true
+ok 20 - Port: tcp6:80: ip: matches expectation: ["::"]
+ok 21 - Interface: eth0: exists: matches expectation: true
+ok 22 - Interface: eth0: addrs: matches expectation: ["172.16.0.152/24","fe80::be24:11ff:fe76:ac6f/64"]
+ok 23 - Interface: eth0: mtu: matches expectation: 1500
+ok 24 - Port: tcp6:443: listening: matches expectation: true
+ok 25 - Port: tcp6:443: ip: matches expectation: ["::"]
+ok 26 - Service: ssh: enabled: matches expectation: true
+ok 27 - Service: ssh: running: matches expectation: true
+ok 28 - Service: apache2: enabled: matches expectation: true
+ok 29 - Service: apache2: running: matches expectation: true
+ok 30 - HTTP: http://172.16.0.152/wordpress: status: matches expectation: 200
+ok 31 - HTTP: http://172.16.0.152/wordpress: Body: matches expectation: ["engagement"]

bts_annee_2/cyber2/wordpress-lamp/compterendudistant.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+DATE=$(date -I)
+echo "Scan nmap et comptes-rendus en cours de création, veuillez patienter..."
+echo -ne "# Scan des ports ouverts visibles depuis le poste physique\n\n" > compte-rendu-$DATE
+(date ; nmap -A 172.16.0.152 ) >> compte-rendu-$DATE
+echo -ne "\n# Affichage des règles du pare-feu\n\n" >> compte-rendu-$DATE
+ssh debian@172.16.0.152 "sudo iptables-legacy-save" >> compte-rendu-$DATE
+echo -ne "\n# Scan des ports UDP ouverts sur le serveur Web\n\n" >> compte-rendu-$DATE
+ssh debian@172.16.0.152 "sudo ss -lnu4p" >> compte-rendu-$DATE
+echo -ne "\n# Scan des ports TCP ouverts sur le serveur Web\n\n" >> compte-rendu-$DATE
+ssh debian@172.16.0.152 "sudo ss -lnt4p" >> compte-rendu-$DATE
+echo -ne "\n# Résultats des tests Goss\n\n" >> compte-rendu-$DATE
+ssh debian@172.16.0.152 "sudo goss v -f tap" >> compte-rendu-$DATE

bts_annee_2/cyber2/wordpress-lamp/ferm.conf

@@ -0,0 +1,43 @@
+# -*- shell-script -*-
+#
+#  Configuration file for ferm(1).
+#
+domain (ip) {
+    table filter {
+        chain INPUT {
+            policy DROP;
+
+            # connection tracking
+            mod state state INVALID DROP;
+            mod state state (ESTABLISHED RELATED) ACCEPT;
+
+            # allow local packet
+            interface lo ACCEPT;
+
+            # respond to ping
+            proto icmp ACCEPT; 
+
+            # allow SSH connections
+            proto tcp dport ssh ACCEPT;
+        
+	    # autorise les connexions HTTP et HTTPS
+	    proto tcp dport (http https) ACCEPT;
+	}
+        chain OUTPUT {
+            policy ACCEPT;
+
+            # connection tracking
+            #mod state state INVALID DROP;
+            mod state state (ESTABLISHED RELATED) ACCEPT;
+        }
+        chain FORWARD {
+            policy DROP;
+
+            # connection tracking
+            mod state state INVALID DROP;
+            mod state state (ESTABLISHED RELATED) ACCEPT;
+        }
+    }
+}
+
+@include ferm.d/;

bts_annee_2/cyber2/wordpress-lamp/goss.yaml

@@ -0,0 +1,73 @@
+package:
+    apache2:
+        installed: true
+        versions:
+            - 2.4.62-1~deb12u1
+    mariadb-server:
+        installed: true
+        versions:
+            - 1:10.11.6-0+deb12u1
+port:
+    tcp:22:
+        listening: true
+        ip:
+            - 0.0.0.0
+    tcp6:22:
+        listening: true
+        ip:
+            - '::'
+    tcp6:80:
+        listening: true
+        ip:
+            - '::'
+    tcp6:443:
+        listening: true
+        ip:
+            - '::'
+service:
+    apache2:
+        enabled: true
+        running: true
+    ssh:
+        enabled: true
+        running: true
+    sshd:
+        enabled: true
+        running: true
+user:
+    sshd:
+        exists: true
+        uid: 103
+        gid: 65534
+        groups:
+            - nogroup
+        home: /run/sshd
+        shell: /usr/sbin/nologin
+process:
+    apache2:
+        running: true
+    sshd:
+        running: true
+interface:
+    eth0:
+        exists: true
+        addrs:
+            - 172.16.0.152/24
+            - fe80::be24:11ff:fe76:ac6f/64
+        mtu: 1500
+http:
+    http://172.16.0.152/wordpress:
+        status: 200
+        allow-insecure: true
+        no-follow-redirects: false
+        timeout: 5000
+        body:
+          - engagement
+https:
+    https://172.16.0.152/wordpress:
+        status: 200
+        allow-insecure: true
+        no-follow-redirects: false
+        timeout: 5000
+        body:
+          - engagement