Ajout des fichiers de la séance de Cyber sur une simulation de ransomware, sur partage Samba, et modification de scripts Python.

Reviewed-on: guillaume.emorine/siotp#38

README.md

@@ -1 +1,5 @@
-Dépôt de fichiers personnels provenant de machines virtuelles utilisées en TP.
+Dépôt de fichiers personnels provenant de machines virtuelles utilisées en TP.
+
+Ce Gitea contient aussi un script d'automatisation du processus de push et de pull, adaptés aux deux branches.
+
+Dépôt anciennement privé, devenu public le 16 Septembre 2024.

automate.sh

@@ -2,20 +2,33 @@
 # Script utilisé pour "automatiser" (raccourcir) le processus de pull, d'ajout, de commit et de push pour le répositoire Gitea personnel.
 # Ajout de messages et de délais pour mieux se repérer et se situer dans le processus.
 # Ajout d'un système de choix
+# Ajout d'un export de proxy HTTP/HTTPS automatique vers ceux du lycée pour la machine en salle 214.
+# Ajout d'un système de gestion d'erreur très basique pour éviter qu'un push/un pull se produise en cas de réponses incorrectes.
 
-echo "Voulez-vous récupérer les fichiers à jour ou effectuer un push ? [1 = Pull, 2 = Push]"
+export http_proxy="http://10.121.38.1:8080/"
+export https_proxy="http://10.121.38.1:8080/"
+
+echo "Voulez-vous récupérer les fichiers du dépôt ou effectuer un push sur le dépôt ? [1 = Pull, 2 = Push]"
 read answer
+
 if [ $answer == 1 ] ; then
-	echo "Récupération des fichiers à jour..."
-	git pull
+	git checkout main
+	echo "Récupération des fichiers à jour, branche main..."
+	git pull -q origin main
+	echo "Fichiers à jour récupérés."
 else
+	git checkout main
 	echo "Ajout des fichiers au Gitea..."
-	sleep 2
+	sleep 1
 	git add .
 	echo "Commit en cours..."
-	sleep 2
+	sleep 1
 	git commit
-	echo "Push des fichiers au Gitea..."
-	sleep 2
-	git push
+	git tag -l "v.*" --sort="-v:refname"
+	echo "Entrez la version du tag: (Le plus récent est en haut)"
+	read tag
+	git tag $tag
+	echo "Push des fichiers au Gitea, branche main..."
+	sleep 1
+	git push -q origin main --tag
 fi

bts_annee_2/README.md

@@ -0,0 +1,2 @@
+Dépôt de seconde année de BTS.
+Divisé en deux, un côté SISR, un côté Cybersécurité.

bts_annee_2/cyber2/README.md

@@ -0,0 +1,2 @@
+Dépôt de seconde année de Cybersécurité.
+Chaque dossier porte le numéro de la séance associée.

bts_annee_2/cyber2/ransomware-simulation/README.md

@@ -0,0 +1,2 @@
+Dossier avec le script utilisé pour simuler une attaque de ransomware sur un partage Samba accessible en écriture, avec un mot de passe et nom d'utilisateur connus.
+Les arguments passés après le nom du script sont utilisés plus tard et sont nécessaires.

bts_annee_2/cyber2/ransomware-simulation/smbcc.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# déclaration des variables
+chemin=$1
+cred=$2
+action=$3
+ficcle=$4
+
+# récup du mot de passe et nom d'utilisateur
+user=$(echo $cred| cut -d "/" -f1)
+pass=$(echo $cred| cut -d "/" -f2)
+
+# créa du répertoire et on monte dessus
+[[ -e /mnt/samba ]] || mkdir /mnt/samba
+mount.cifs -o "username=$user,password=$pass" "//${chemin}" /mnt/samba
+
+# vérification d'erreurs
+if [[ $? != 0 ]] ; then
+	rmdir /mnt/samba
+	exit 1
+fi
+
+# la commande ccrypt
+ccrypt "$action" -r -k $ficcle /mnt/samba
+
+# vérification d'erreurs
+if [[ $? != 0 ]] ; then
+	echo "ccrypt échoué, revérifie le script."
+	exit 1
+fi
+
+# nettoyage et sortie, code 0
+umount /mnt/samba
+rmdir /mnt/samba
+exit 0

bts_annee_2/cyber2/vpn-ipsec/README.md

@@ -0,0 +1 @@
+Dossier avec les fichiers de configuration du tunnel IPsec fait en TP, ainsi que les IPs et tables de routage.

bts_annee_2/cyber2/vpn-ipsec/gw1/README.md

@@ -0,0 +1 @@
+Il faut renommer le fichier ipsec-gw1.conf en ipsec.conf et le placer dans /etc/ .

bts_annee_2/cyber2/vpn-ipsec/gw1/config_ip_gw1

@@ -0,0 +1,18 @@
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host noprefixroute 
+       valid_lft forever preferred_lft forever
+2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
+    link/ether 08:00:27:71:ec:44 brd ff:ff:ff:ff:ff:ff
+    inet 192.168.1.1/24 brd 192.168.1.255 scope global enp0s3
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:fe71:ec44/64 scope link 
+       valid_lft forever preferred_lft forever
+3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
+    link/ether 08:00:27:c2:6d:0b brd ff:ff:ff:ff:ff:ff
+    inet 10.0.0.1/24 brd 10.0.0.255 scope global enp0s8
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:fec2:6d0b/64 scope link 
+       valid_lft forever preferred_lft forever

bts_annee_2/cyber2/vpn-ipsec/gw1/ipsec-gw1.conf

@@ -0,0 +1,23 @@
+config setup
+        charondebug="all"
+        uniqueids=yes
+        strictcrlpolicy=no
+conn %default
+conn tunnel #
+        left=10.0.0.1
+        leftsubnet=192.168.1.0/24
+        right=10.0.0.2
+        rightsubnet=192.168.2.0/24
+        ike=aes256-sha2_256-modp1024!
+        esp=aes256-sha2_256!
+        keyingtries=0
+        ikelifetime=1h
+        lifetime=8h
+        dpddelay=30
+        dpdtimeout=120
+        dpdaction=restart
+        authby=secret
+        auto=start
+        keyexchange=ikev2
+        type=tunnel
+

bts_annee_2/cyber2/vpn-ipsec/gw1/table_routage_gw1

@@ -0,0 +1,3 @@
+10.0.0.0/24 dev enp0s8 proto kernel scope link src 10.0.0.1 
+192.168.1.0/24 dev enp0s3 proto kernel scope link src 192.168.1.1 
+192.168.2.0/24 via 192.168.1.1 dev enp0s3 

bts_annee_2/cyber2/vpn-ipsec/gw2/README.md

@@ -0,0 +1 @@
+Il faut renommer le fichier ipsec-gw2.conf en ipsec.conf et le placer dans /etc/ .

bts_annee_2/cyber2/vpn-ipsec/gw2/config_ip_gw2

@@ -0,0 +1,18 @@
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host noprefixroute 
+       valid_lft forever preferred_lft forever
+2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
+    link/ether 08:00:27:35:ba:6d brd ff:ff:ff:ff:ff:ff
+    inet 192.168.2.1/24 brd 192.168.2.255 scope global enp0s3
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:fe35:ba6d/64 scope link 
+       valid_lft forever preferred_lft forever
+3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
+    link/ether 08:00:27:ea:8b:77 brd ff:ff:ff:ff:ff:ff
+    inet 10.0.0.2/24 brd 10.0.0.255 scope global enp0s8
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:feea:8b77/64 scope link 
+       valid_lft forever preferred_lft forever

bts_annee_2/cyber2/vpn-ipsec/gw2/ipsec-gw2.conf

@@ -0,0 +1,23 @@
+config setup
+        charondebug="all"
+        uniqueids=yes
+        strictcrlpolicy=no
+conn %default
+conn tunnel #
+        left=10.0.0.2
+        leftsubnet=192.168.2.0/24
+        right=10.0.0.1
+        rightsubnet=192.168.1.0/24
+        ike=aes256-sha2_256-modp1024!
+        esp=aes256-sha2_256!
+        keyingtries=0
+        ikelifetime=1h
+        lifetime=8h
+        dpddelay=30
+        dpdtimeout=120
+        dpdaction=restart
+        authby=secret
+        auto=start
+        keyexchange=ikev2
+        type=tunnel
+

bts_annee_2/cyber2/vpn-ipsec/gw2/table_routage_gw2

@@ -0,0 +1,2 @@
+10.0.0.0/24 dev enp0s8 proto kernel scope link src 10.0.0.2 
+192.168.2.0/24 dev enp0s3 proto kernel scope link src 192.168.2.1 

bts_annee_2/cyber2/vpn-openvpn/README.md

@@ -0,0 +1 @@
+Dossier du TP sur le VPN OpenVPN. Il y a les fichiers relatifs au serveur et au client.

bts_annee_2/cyber2/vpn-openvpn/client/DESKTOP-SK8G91D.crt

@@ -0,0 +1,85 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            7a:40:e4:09:96:70:a7:11:03:89:2c:bb:23:d1:10:05
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Easy-RSA CA
+        Validity
+            Not Before: Oct 14 09:34:47 2024 GMT
+            Not After : Jan 17 09:34:47 2027 GMT
+        Subject: CN=DESKTOP-SK8G91D
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a3:54:3e:71:b3:68:7b:11:f0:38:d4:80:5f:60:
+                    55:fe:27:f7:0e:f4:64:fd:6a:e4:be:7e:9c:40:82:
+                    6e:57:bb:09:90:10:3e:f5:2b:13:1d:14:2f:b3:eb:
+                    97:8e:c1:68:8f:23:9a:ac:8a:4f:8c:6d:59:69:88:
+                    e6:75:80:44:80:94:65:17:c4:5a:c3:8c:b1:6e:bb:
+                    6d:bd:fa:af:ce:42:ab:21:b4:33:92:02:d8:1f:e3:
+                    9e:1a:aa:ae:e2:18:42:f9:6c:9f:84:db:a3:1b:23:
+                    d8:fb:37:1f:3e:5f:04:21:72:17:be:4c:52:73:f0:
+                    b7:87:fe:d1:c2:85:a3:4d:57:61:d6:4f:f7:6c:9c:
+                    f1:fb:34:22:e5:44:43:86:a1:d8:29:b8:a2:73:f4:
+                    54:da:93:86:1f:bc:d3:98:2b:29:74:dc:4e:17:0c:
+                    b3:44:d8:77:96:98:45:38:44:36:23:dc:55:d2:d2:
+                    f7:75:1f:ec:bc:23:a9:fc:76:30:78:f8:e9:03:f8:
+                    88:43:9d:ae:fe:e8:e6:cf:02:d5:c7:93:f4:a9:9e:
+                    11:e1:68:4e:10:bb:85:e8:1a:c8:1b:ce:f4:f1:55:
+                    38:31:46:3e:1e:8d:6a:a8:6a:66:a6:85:57:08:76:
+                    3f:24:3f:7e:e4:b8:af:bf:86:d5:73:4a:98:ad:53:
+                    0f:6b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                F9:C9:56:7F:09:7A:38:A1:BB:00:6D:56:FA:75:FD:F6:C7:E9:EA:AE
+            X509v3 Authority Key Identifier: 
+                keyid:02:2B:7C:59:A2:6F:3B:DA:07:A4:E9:F3:3F:27:94:B5:0E:62:76:F3
+                DirName:/CN=Easy-RSA CA
+                serial:65:E9:1E:24:AE:9A:EE:B3:E5:D9:79:EA:1E:A9:D7:5D:A1:E2:D4:F1
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        55:d1:dd:8c:9a:4e:80:02:32:49:88:6c:82:7f:43:d5:cd:37:
+        e0:8a:d5:d7:20:76:7f:dd:5b:b2:13:80:f0:81:9e:c7:e4:d3:
+        6e:e9:01:5f:91:57:87:97:bc:b7:a9:d0:82:1c:76:21:27:fa:
+        4c:84:c6:29:d0:f9:d4:78:6c:55:0c:9a:9b:9c:c0:ee:b5:35:
+        d0:0d:ef:5d:02:bf:51:40:9e:a8:cc:32:d9:c0:70:2f:c7:05:
+        72:e6:10:6d:fd:da:8d:d8:bb:7f:84:d8:85:64:66:82:a8:50:
+        08:9c:26:a5:27:8f:7b:9c:7b:5e:1d:44:6a:14:d2:4c:42:da:
+        9c:3b:46:34:0e:22:c5:3e:3c:0c:10:c6:52:08:33:32:67:5d:
+        71:00:7b:8a:f2:a7:ef:92:59:cc:fe:a8:4f:62:74:0e:91:ec:
+        5d:61:45:92:73:13:75:59:0b:50:c0:af:a4:90:2d:ed:a6:2a:
+        d7:60:55:d3:c6:f2:df:1c:9c:9f:c2:7b:ba:10:6a:6d:25:9e:
+        c7:f9:30:cf:e3:4f:87:48:ba:ac:37:ea:88:f1:d7:79:62:f9:
+        34:be:04:32:af:bf:a6:f8:91:89:ab:47:08:b5:3b:6e:17:c5:
+        d9:7f:94:f2:5c:47:57:58:62:02:12:7a:fa:83:bf:79:da:bf:
+        ed:88:a1:20
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIQekDkCZZwpxEDiSy7I9EQBTANBgkqhkiG9w0BAQsFADAW
+MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0yNDEwMTQwOTM0NDdaFw0yNzAxMTcw
+OTM0NDdaMBoxGDAWBgNVBAMMD0RFU0tUT1AtU0s4RzkxRDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKNUPnGzaHsR8DjUgF9gVf4n9w70ZP1q5L5+nECC
+ble7CZAQPvUrEx0UL7Prl47BaI8jmqyKT4xtWWmI5nWARICUZRfEWsOMsW67bb36
+r85CqyG0M5IC2B/jnhqqruIYQvlsn4Tboxsj2Ps3Hz5fBCFyF75MUnPwt4f+0cKF
+o01XYdZP92yc8fs0IuVEQ4ah2Cm4onP0VNqThh+805grKXTcThcMs0TYd5aYRThE
+NiPcVdLS93Uf7Lwjqfx2MHj46QP4iEOdrv7o5s8C1ceT9KmeEeFoThC7hegayBvO
+9PFVODFGPh6NaqhqZqaFVwh2PyQ/fuS4r7+G1XNKmK1TD2sCAwEAAaOBojCBnzAJ
+BgNVHRMEAjAAMB0GA1UdDgQWBBT5yVZ/CXo4obsAbVb6df32x+nqrjBRBgNVHSME
+SjBIgBQCK3xZom872gek6fM/J5S1DmJ286EapBgwFjEUMBIGA1UEAwwLRWFzeS1S
+U0EgQ0GCFGXpHiSumu6z5dl56h6p112h4tTxMBMGA1UdJQQMMAoGCCsGAQUFBwMC
+MAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAVdHdjJpOgAIySYhsgn9D
+1c034IrV1yB2f91bshOA8IGex+TTbukBX5FXh5e8t6nQghx2ISf6TITGKdD51Hhs
+VQyam5zA7rU10A3vXQK/UUCeqMwy2cBwL8cFcuYQbf3ajdi7f4TYhWRmgqhQCJwm
+pSePe5x7Xh1EahTSTELanDtGNA4ixT48DBDGUggzMmddcQB7ivKn75JZzP6oT2J0
+DpHsXWFFknMTdVkLUMCvpJAt7aYq12BV08by3xycn8J7uhBqbSWex/kwz+NPh0i6
+rDfqiPHXeWL5NL4EMq+/pviRiatHCLU7bhfF2X+U8lxHV1hiAhJ6+oO/edq/7Yih
+IA==
+-----END CERTIFICATE-----

bts_annee_2/cyber2/vpn-openvpn/client/DESKTOP-SK8G91D.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjVD5xs2h7EfA4
+1IBfYFX+J/cO9GT9auS+fpxAgm5XuwmQED71KxMdFC+z65eOwWiPI5qsik+MbVlp
+iOZ1gESAlGUXxFrDjLFuu229+q/OQqshtDOSAtgf454aqq7iGEL5bJ+E26MbI9j7
+Nx8+XwQhche+TFJz8LeH/tHChaNNV2HWT/dsnPH7NCLlREOGodgpuKJz9FTak4Yf
+vNOYKyl03E4XDLNE2HeWmEU4RDYj3FXS0vd1H+y8I6n8djB4+OkD+IhDna7+6ObP
+AtXHk/SpnhHhaE4Qu4XoGsgbzvTxVTgxRj4ejWqoamamhVcIdj8kP37kuK+/htVz
+SpitUw9rAgMBAAECggEAQd/J+bDbDHwtL7ahehZQSJxU3G68xqsUzDIjki8pEvBI
+iJbM1bREVr+cB8yXCYg/RDAfg8SbFe/KlrKVBMIxnsx7Q4058FHwBFHLDssrmhyw
+ifz0qcjE44O58lZyB5WyeYgShJLTY7BfJN9UFiNbdqPeKK3+uW1WkJ65emPM+/WD
+7DR/VHOPs8PUS6mf6EMwyzeRHECnb8t9sSx1vqcAPzj/l/3iAQloyn9VxTvJ345/
+yLyFtF+GCqSiXBl5bPR9uN1hrpjeqjcFo/EZFPSLQJNiFtHOUMt3GtJW0h7XQtrf
+PakCeLx4DuMANuLPjdzcK4lZAql/s0A2hHNhEh94QQKBgQDRvxN6E1guXVktZxsS
+rc/2uuOoOYbTkxpkqzqI4WQ24Gb7lu/95jhHdZTWCATLdG+XMDxMdiNWIf2YMAq4
+5+c0ZL3HwiZq6Mo3sbZUP1RnEM4suHZZinTgJgDa3+RDGVF1usSwcvqGjY/+2zL8
+muzjorsY7dBxLne8BDEH9yiHqwKBgQDHWL8o8uiNIpQxz7WzZwi8dNGTKCjA/Oig
+BIin3Rk2nX33y5QIe45Jb9f4V7Q7XZjY2aoYwzVWsZlu1LAFvS9zkuKJB60I6PJt
++5yowZKk2roqR7hreuml1nbyAljoJpuIdrT/xHIQyI3LtgscUOTT2nMwAQ/X0gWz
+xzSrLkjXQQKBgQCBsA2Q66kYceuT4S6iLApsWj4tY/RzmX82Q5Fb1VErhTDn2vnl
+GZYuyQsQE8EzM3lUGCUQefN7bGTq1rmqfuk8QhX+D5PFgs6WBTHhgY7kc0Wn7R5w
+WuXNOnJI4yq2Ok9d5e970nwI+jrQsCQkgH58ecAJt/GsKbkq7cSLUk0jJQKBgACU
+uqHk61aV9jaa812dfEIIWSADqvK9CfSFbtyGYW9uUBKrzjekHIsMP2Xi44yUvkBL
+ihpeX0ZsaBURm524qm28zNo3YoK3IxW8+Pzo64N9e7Np2BjAF/Q6xsf3x8iNbECe
+j/J64RY5b2hblHa1qaUQauuF5UTswMWAXB/vl5jBAoGARQbPUSMgp382ZDN3ohxf
+7XEC/roO6SyuKLaF46kfVgoNXNBK8qvfV4HaUHiWfkBlsdrZioQp7z+S3ijlrAu+
+iae08RHuKQS1XMUN9BvqzmWSB9RMBZSNhVvD8QZwVPSHEqAx8yvORitdjQpDTdFS
+8jKYo+l8sNiEYzv5y/ovagI=
+-----END PRIVATE KEY-----

bts_annee_2/cyber2/vpn-openvpn/client/DESKTOP-SK8G91D.ovpn

@@ -0,0 +1,120 @@
+##############################################
+# Sample client-side OpenVPN 2.6 config file #
+# for connecting to multi-client server.     #
+#                                            #
+# This configuration can be used by multiple #
+# clients, however each client should have   #
+# its own cert and key files.                #
+#                                            #
+# On Windows, you might want to rename this  #
+# file so it has a .ovpn extension           #
+##############################################
+
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel
+# if you have more than one.  On XP SP2,
+# you may need to disable the firewall
+# for the TAP adapter.
+;dev-node MyTap
+
+# Are we connecting to a TCP or
+# UDP server?  Use the same setting as
+# on the server.
+;proto tcp
+proto udp
+
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+remote 192.168.0.48 1194
+;remote my-server-2 1194
+
+# Choose a random host from the remote
+# list for load-balancing.  Otherwise
+# try hosts in the order specified.
+;remote-random
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server.  Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Downgrade privileges after initialization (non-Windows only)
+;user openvpn
+;group openvpn
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# If you are connecting through an
+# HTTP proxy to reach the actual OpenVPN
+# server, put the proxy server/IP and
+# port number here.  See the man page
+# if your proxy server requires
+# authentication.
+;http-proxy-retry # retry on connection failures
+;http-proxy [proxy server] [proxy port #]
+
+# Wireless networks often produce a lot
+# of duplicate packets.  Set this flag
+# to silence duplicate packet warnings.
+;mute-replay-warnings
+
+# SSL/TLS parms.
+# See the server config file for more
+# description.  It's best to use
+# a separate .crt/.key file pair
+# for each client.  A single ca
+# file can be used for all clients.
+ca ca.crt
+cert DESKTOP-SK8G91D.crt
+key DESKTOP-SK8G91D.key
+
+# Verify server certificate by checking that the
+# certificate has the correct key usage set.
+# This is an important precaution to protect against
+# a potential attack discussed here:
+#  http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the keyUsage set to
+#   digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+#   serverAuth
+# EasyRSA can do this for you.
+remote-cert-tls server
+
+# Allow to connect to really old OpenVPN versions
+# without AEAD support (OpenVPN 2.3.x or older)
+# This adds AES-256-CBC as fallback cipher and
+# keeps the modern ciphers as well.
+data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+tls-auth ta.key 1
+
+# Set log file verbosity.
+verb 3
+
+# Silence repeating messages
+;mute 20

bts_annee_2/cyber2/vpn-openvpn/client/README.md

@@ -0,0 +1 @@
+Dossier du serveur OpenVPN, avec les fichiers de configuration, les certificats issus, et le reste.

bts_annee_2/cyber2/vpn-openvpn/client/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUZekeJK6a7rPl2XnqHqnXXaHi1PEwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjQxMDE0MDkyMzEwWhcNMzQx
+MDEyMDkyMzEwWjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKrBBlOUjpOTZzSSQ3481/1Gv2UmnKkLK6x2rmkJ
+qgFapKB9J8CFjYjKK3IONvP4DvnYLL9wpO/FkIoNQUHl3U0IRoH5DtLg53aqWFIl
+5P0mNDrHzNraLYU3fk+y+bsKRklxxv3UcMvi1Lo3gIbdpP8hRxZ9IaQvSe1E2GDA
+zcc0QeHm6/NHJLKgvXRPohjk6qFTVy0x9bbqhsBpJFOhj2TmbdiI5wo3yBvhjqVh
+66ssF+WDrPjgiLFR3Vgt0Whif5BMMWe9KH53wII6uIM4rWx+NrEOPD5y3ObbgnVX
+yyuXNIbwQw/kvy0ZXF4+J3Ippf8dc15SjS6si7Li8GRxsUcCAwEAAaOBkDCBjTAM
+BgNVHRMEBTADAQH/MB0GA1UdDgQWBBQCK3xZom872gek6fM/J5S1DmJ28zBRBgNV
+HSMESjBIgBQCK3xZom872gek6fM/J5S1DmJ286EapBgwFjEUMBIGA1UEAwwLRWFz
+eS1SU0EgQ0GCFGXpHiSumu6z5dl56h6p112h4tTxMAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEACRPv+n+H9wZHcSW75cHZCaOQWw2Ze+/gJTW9Wk5leLQn
+jABaLmHzeNenjg2gCDNG1ObBS0Lx5SCE7mf8HY32hqCR7fwJhY+K2gj+MQK7r3VD
+UH60BBzKqH5djRkSq1oSPJSUPNeW6hTH0kn56N1I7cBuez7Vz9VsgiyPYsR6uGxe
+79/AJfuP6Y4KkvO4Hjpr8MvSg+t4NAxNiEp3P/p/CX8AmK75f3DfsD80v5YeBQC7
+H6QeJ24UTD1oH+DhF8pptrNf6yzb8SipI2ShdTdFwHZR+1hcnEPb3eyRLouqbDqy
+n8u2opX/cktET0o29IIc71L23Tsb+SSBR1QvUuIFCA==
+-----END CERTIFICATE-----

bts_annee_2/cyber2/vpn-openvpn/client/ta.key

@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+d603ad1c4cec84482158d16fdf2195fc
+00408410be33b106963c91a3ef7f01e6
+85b69e6a37d0928e36bf15d00152817d
+4a16fd1ce4555caca28e602b8124fec6
+a659f275ae06de6a2333dd4a358e4689
+e0914d9416e12c042af8114863159b76
+e79c45aa2f972da28ad19c1b2f6f8b00
+340f4a906f640e0f113483fb50d5799d
+2d75c0ecbf853542e03b4b9f76eec5c1
+fdcc11ab0ba44974eff3c087241521fd
+ae0ef5aad26279907448c6493a77c5d7
+abc5192af4f157ae3f9e25f92c08f7c6
+d33e9ccd18559b886338c515b62bdc8a
+22fb34d04ae4882fcffd74d21e2408af
+5a710d9a6fad0c9d9ca7f985f791999b
+6c8efa6efcf946fc933f7ff0dae6b2ae
+-----END OpenVPN Static key V1-----

bts_annee_2/cyber2/vpn-openvpn/server/README.md

@@ -0,0 +1 @@
+Dossier du serveur OpenVPN, avec les fichiers de configuration, les certificats issus, et le reste.

bts_annee_2/cyber2/vpn-openvpn/server/dh.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAuptpuRWmMxML8GOhjTObEZ7OF5RsUfZeK8+Oo+DO0uiF/KBOHoAG
+QrzqWQAtwZJJ5rSqSVxrDR4v5ABkdVCdHfyF3ZI/+Ya+0afMn9g69QiMvhm7yp56
+ey2oyMlYPoI1VzmsOZgS1rTrIQDgcSNBAAcpE2Gn3Rq2+czedhClI5Z+fFPAjzlU
+cXfdWv/0thTW6P4z/6KCRsmJHDbQt0u/6PUizVZdhO+Pw/Fa6r89kAC6ShAd/+hh
+RKoMb3kqJ2op1t87AfgHegHYtYQgAqhtHTkjVJ1AT6HcHVhSomz40Fw0YDkn4DXP
+PGM2LunCSUlwU+z1jlCixmP0NEhVsi8mpwIBAg==
+-----END DH PARAMETERS-----

bts_annee_2/cyber2/vpn-openvpn/server/issued/DESKTOP-SK8G91D.crt

@@ -0,0 +1,85 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            7a:40:e4:09:96:70:a7:11:03:89:2c:bb:23:d1:10:05
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Easy-RSA CA
+        Validity
+            Not Before: Oct 14 09:34:47 2024 GMT
+            Not After : Jan 17 09:34:47 2027 GMT
+        Subject: CN=DESKTOP-SK8G91D
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a3:54:3e:71:b3:68:7b:11:f0:38:d4:80:5f:60:
+                    55:fe:27:f7:0e:f4:64:fd:6a:e4:be:7e:9c:40:82:
+                    6e:57:bb:09:90:10:3e:f5:2b:13:1d:14:2f:b3:eb:
+                    97:8e:c1:68:8f:23:9a:ac:8a:4f:8c:6d:59:69:88:
+                    e6:75:80:44:80:94:65:17:c4:5a:c3:8c:b1:6e:bb:
+                    6d:bd:fa:af:ce:42:ab:21:b4:33:92:02:d8:1f:e3:
+                    9e:1a:aa:ae:e2:18:42:f9:6c:9f:84:db:a3:1b:23:
+                    d8:fb:37:1f:3e:5f:04:21:72:17:be:4c:52:73:f0:
+                    b7:87:fe:d1:c2:85:a3:4d:57:61:d6:4f:f7:6c:9c:
+                    f1:fb:34:22:e5:44:43:86:a1:d8:29:b8:a2:73:f4:
+                    54:da:93:86:1f:bc:d3:98:2b:29:74:dc:4e:17:0c:
+                    b3:44:d8:77:96:98:45:38:44:36:23:dc:55:d2:d2:
+                    f7:75:1f:ec:bc:23:a9:fc:76:30:78:f8:e9:03:f8:
+                    88:43:9d:ae:fe:e8:e6:cf:02:d5:c7:93:f4:a9:9e:
+                    11:e1:68:4e:10:bb:85:e8:1a:c8:1b:ce:f4:f1:55:
+                    38:31:46:3e:1e:8d:6a:a8:6a:66:a6:85:57:08:76:
+                    3f:24:3f:7e:e4:b8:af:bf:86:d5:73:4a:98:ad:53:
+                    0f:6b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                F9:C9:56:7F:09:7A:38:A1:BB:00:6D:56:FA:75:FD:F6:C7:E9:EA:AE
+            X509v3 Authority Key Identifier: 
+                keyid:02:2B:7C:59:A2:6F:3B:DA:07:A4:E9:F3:3F:27:94:B5:0E:62:76:F3
+                DirName:/CN=Easy-RSA CA
+                serial:65:E9:1E:24:AE:9A:EE:B3:E5:D9:79:EA:1E:A9:D7:5D:A1:E2:D4:F1
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        55:d1:dd:8c:9a:4e:80:02:32:49:88:6c:82:7f:43:d5:cd:37:
+        e0:8a:d5:d7:20:76:7f:dd:5b:b2:13:80:f0:81:9e:c7:e4:d3:
+        6e:e9:01:5f:91:57:87:97:bc:b7:a9:d0:82:1c:76:21:27:fa:
+        4c:84:c6:29:d0:f9:d4:78:6c:55:0c:9a:9b:9c:c0:ee:b5:35:
+        d0:0d:ef:5d:02:bf:51:40:9e:a8:cc:32:d9:c0:70:2f:c7:05:
+        72:e6:10:6d:fd:da:8d:d8:bb:7f:84:d8:85:64:66:82:a8:50:
+        08:9c:26:a5:27:8f:7b:9c:7b:5e:1d:44:6a:14:d2:4c:42:da:
+        9c:3b:46:34:0e:22:c5:3e:3c:0c:10:c6:52:08:33:32:67:5d:
+        71:00:7b:8a:f2:a7:ef:92:59:cc:fe:a8:4f:62:74:0e:91:ec:
+        5d:61:45:92:73:13:75:59:0b:50:c0:af:a4:90:2d:ed:a6:2a:
+        d7:60:55:d3:c6:f2:df:1c:9c:9f:c2:7b:ba:10:6a:6d:25:9e:
+        c7:f9:30:cf:e3:4f:87:48:ba:ac:37:ea:88:f1:d7:79:62:f9:
+        34:be:04:32:af:bf:a6:f8:91:89:ab:47:08:b5:3b:6e:17:c5:
+        d9:7f:94:f2:5c:47:57:58:62:02:12:7a:fa:83:bf:79:da:bf:
+        ed:88:a1:20
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIQekDkCZZwpxEDiSy7I9EQBTANBgkqhkiG9w0BAQsFADAW
+MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0yNDEwMTQwOTM0NDdaFw0yNzAxMTcw
+OTM0NDdaMBoxGDAWBgNVBAMMD0RFU0tUT1AtU0s4RzkxRDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKNUPnGzaHsR8DjUgF9gVf4n9w70ZP1q5L5+nECC
+ble7CZAQPvUrEx0UL7Prl47BaI8jmqyKT4xtWWmI5nWARICUZRfEWsOMsW67bb36
+r85CqyG0M5IC2B/jnhqqruIYQvlsn4Tboxsj2Ps3Hz5fBCFyF75MUnPwt4f+0cKF
+o01XYdZP92yc8fs0IuVEQ4ah2Cm4onP0VNqThh+805grKXTcThcMs0TYd5aYRThE
+NiPcVdLS93Uf7Lwjqfx2MHj46QP4iEOdrv7o5s8C1ceT9KmeEeFoThC7hegayBvO
+9PFVODFGPh6NaqhqZqaFVwh2PyQ/fuS4r7+G1XNKmK1TD2sCAwEAAaOBojCBnzAJ
+BgNVHRMEAjAAMB0GA1UdDgQWBBT5yVZ/CXo4obsAbVb6df32x+nqrjBRBgNVHSME
+SjBIgBQCK3xZom872gek6fM/J5S1DmJ286EapBgwFjEUMBIGA1UEAwwLRWFzeS1S
+U0EgQ0GCFGXpHiSumu6z5dl56h6p112h4tTxMBMGA1UdJQQMMAoGCCsGAQUFBwMC
+MAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAVdHdjJpOgAIySYhsgn9D
+1c034IrV1yB2f91bshOA8IGex+TTbukBX5FXh5e8t6nQghx2ISf6TITGKdD51Hhs
+VQyam5zA7rU10A3vXQK/UUCeqMwy2cBwL8cFcuYQbf3ajdi7f4TYhWRmgqhQCJwm
+pSePe5x7Xh1EahTSTELanDtGNA4ixT48DBDGUggzMmddcQB7ivKn75JZzP6oT2J0
+DpHsXWFFknMTdVkLUMCvpJAt7aYq12BV08by3xycn8J7uhBqbSWex/kwz+NPh0i6
+rDfqiPHXeWL5NL4EMq+/pviRiatHCLU7bhfF2X+U8lxHV1hiAhJ6+oO/edq/7Yih
+IA==
+-----END CERTIFICATE-----

bts_annee_2/cyber2/vpn-openvpn/server/issued/openvpn-ge.crt

@@ -0,0 +1,87 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            c0:ab:5f:6d:f5:7d:ef:f2:78:a5:4d:b6:3f:aa:96:01
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Easy-RSA CA
+        Validity
+            Not Before: Oct 14 09:24:38 2024 GMT
+            Not After : Jan 17 09:24:38 2027 GMT
+        Subject: CN=openvpn-ge
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:91:11:97:66:bf:80:7a:fe:03:8b:a1:6f:6c:9c:
+                    ef:48:cf:3f:38:47:24:00:ef:e1:9e:20:94:db:f2:
+                    0c:2a:07:c9:c5:24:df:4f:9c:42:6a:ab:2e:b4:64:
+                    f5:92:ba:f4:46:fb:d6:3b:24:aa:f3:b1:cc:f7:03:
+                    7f:0a:1d:35:09:74:77:9e:83:44:c9:26:a9:91:9d:
+                    59:03:94:91:4d:af:5e:fb:18:23:43:cb:57:40:6f:
+                    0b:b6:b6:d4:c7:e1:92:42:ee:ac:f5:de:94:75:70:
+                    96:73:3f:25:93:0c:40:c1:25:c9:a6:d5:b5:f2:7e:
+                    21:1c:49:ae:d0:86:a6:d9:68:67:e8:e3:0f:fc:8b:
+                    80:8b:9b:80:3e:e1:38:74:32:48:67:5f:5e:63:be:
+                    1f:3e:cd:70:62:45:bb:c1:29:1c:c1:11:da:33:81:
+                    65:73:66:bf:77:8c:05:49:09:d8:8f:9d:27:0e:a4:
+                    75:cd:1c:ae:74:78:53:38:f1:81:1c:9b:b2:72:a0:
+                    77:33:20:b6:64:f8:ea:7b:8e:f8:89:7a:73:30:22:
+                    db:3c:e5:d8:60:ee:02:42:23:a7:3b:bf:f9:48:08:
+                    24:13:07:28:3f:82:2b:90:9b:8a:79:99:7c:5e:56:
+                    93:6c:9f:2a:32:42:9f:60:f2:4d:69:28:15:b0:9a:
+                    45:19
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                1D:12:59:5C:FC:A5:F7:73:7A:5D:FD:3C:FC:4B:82:BF:13:F8:8C:96
+            X509v3 Authority Key Identifier: 
+                keyid:02:2B:7C:59:A2:6F:3B:DA:07:A4:E9:F3:3F:27:94:B5:0E:62:76:F3
+                DirName:/CN=Easy-RSA CA
+                serial:65:E9:1E:24:AE:9A:EE:B3:E5:D9:79:EA:1E:A9:D7:5D:A1:E2:D4:F1
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:openvpn-ge
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        67:6e:b2:fc:9c:ea:90:8f:15:bd:49:c0:22:e5:60:32:6e:bc:
+        6b:cf:b6:ec:dc:05:db:b1:55:94:d7:64:af:11:07:2c:cd:93:
+        95:cb:32:2d:89:0d:fe:1e:ab:dd:ab:0b:77:05:48:60:b5:6c:
+        b7:00:e4:5c:47:39:e1:6c:e4:58:0b:36:f0:ef:c7:a0:05:69:
+        c7:94:7c:da:69:f1:bb:52:30:23:d2:d0:68:5f:25:05:bc:2b:
+        82:ba:e8:8d:4e:aa:5f:2e:a3:3a:45:80:fd:45:10:a8:7f:63:
+        2c:85:83:67:b1:67:26:88:67:71:39:0d:39:7f:1e:53:9f:e2:
+        69:5e:be:52:33:30:17:0a:02:1a:eb:b6:77:ca:fa:08:75:b2:
+        ff:e0:65:8c:c8:b1:be:47:a0:8d:c5:bd:f5:a7:e2:93:c7:91:
+        2d:39:6d:78:1c:ef:c0:04:09:9e:85:7c:8b:80:c4:ad:27:07:
+        2d:5e:ee:79:59:11:e3:9e:a2:10:73:16:bf:98:48:54:a0:da:
+        29:5e:2b:f5:b3:2e:a4:e6:02:0c:25:07:ef:19:fb:1b:66:d0:
+        ee:50:82:f6:c2:2e:02:59:6a:51:b0:28:bb:35:d5:f2:59:4d:
+        01:d5:54:a8:69:5e:c2:49:8d:50:c1:3b:87:49:73:84:eb:be:
+        32:b8:c5:fb
+-----BEGIN CERTIFICATE-----
+MIIDcDCCAligAwIBAgIRAMCrX231fe/yeKVNtj+qlgEwDQYJKoZIhvcNAQELBQAw
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjQxMDE0MDkyNDM4WhcNMjcwMTE3
+MDkyNDM4WjAVMRMwEQYDVQQDDApvcGVudnBuLWdlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAkRGXZr+Aev4Di6FvbJzvSM8/OEckAO/hniCU2/IMKgfJ
+xSTfT5xCaqsutGT1krr0RvvWOySq87HM9wN/Ch01CXR3noNEySapkZ1ZA5SRTa9e
++xgjQ8tXQG8LtrbUx+GSQu6s9d6UdXCWcz8lkwxAwSXJptW18n4hHEmu0Iam2Whn
+6OMP/IuAi5uAPuE4dDJIZ19eY74fPs1wYkW7wSkcwRHaM4Flc2a/d4wFSQnYj50n
+DqR1zRyudHhTOPGBHJuycqB3MyC2ZPjqe474iXpzMCLbPOXYYO4CQiOnO7/5SAgk
+EwcoP4IrkJuKeZl8XlaTbJ8qMkKfYPJNaSgVsJpFGQIDAQABo4G5MIG2MAkGA1Ud
+EwQCMAAwHQYDVR0OBBYEFB0SWVz8pfdzel39PPxLgr8T+IyWMFEGA1UdIwRKMEiA
+FAIrfFmibzvaB6Tp8z8nlLUOYnbzoRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBD
+QYIUZekeJK6a7rPl2XnqHqnXXaHi1PEwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYD
+VR0PBAQDAgWgMBUGA1UdEQQOMAyCCm9wZW52cG4tZ2UwDQYJKoZIhvcNAQELBQAD
+ggEBAGdusvyc6pCPFb1JwCLlYDJuvGvPtuzcBduxVZTXZK8RByzNk5XLMi2JDf4e
+q92rC3cFSGC1bLcA5FxHOeFs5FgLNvDvx6AFaceUfNpp8btSMCPS0GhfJQW8K4K6
+6I1Oql8uozpFgP1FEKh/YyyFg2exZyaIZ3E5DTl/HlOf4mlevlIzMBcKAhrrtnfK
++gh1sv/gZYzIsb5HoI3FvfWn4pPHkS05bXgc78AECZ6FfIuAxK0nBy1e7nlZEeOe
+ohBzFr+YSFSg2ileK/WzLqTmAgwlB+8Z+xtm0O5QgvbCLgJZalGwKLs11fJZTQHV
+VKhpXsJJjVDBO4dJc4TrvjK4xfs=
+-----END CERTIFICATE-----

bts_annee_2/cyber2/vpn-openvpn/server/private/DESKTOP-SK8G91D.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjVD5xs2h7EfA4
+1IBfYFX+J/cO9GT9auS+fpxAgm5XuwmQED71KxMdFC+z65eOwWiPI5qsik+MbVlp
+iOZ1gESAlGUXxFrDjLFuu229+q/OQqshtDOSAtgf454aqq7iGEL5bJ+E26MbI9j7
+Nx8+XwQhche+TFJz8LeH/tHChaNNV2HWT/dsnPH7NCLlREOGodgpuKJz9FTak4Yf
+vNOYKyl03E4XDLNE2HeWmEU4RDYj3FXS0vd1H+y8I6n8djB4+OkD+IhDna7+6ObP
+AtXHk/SpnhHhaE4Qu4XoGsgbzvTxVTgxRj4ejWqoamamhVcIdj8kP37kuK+/htVz
+SpitUw9rAgMBAAECggEAQd/J+bDbDHwtL7ahehZQSJxU3G68xqsUzDIjki8pEvBI
+iJbM1bREVr+cB8yXCYg/RDAfg8SbFe/KlrKVBMIxnsx7Q4058FHwBFHLDssrmhyw
+ifz0qcjE44O58lZyB5WyeYgShJLTY7BfJN9UFiNbdqPeKK3+uW1WkJ65emPM+/WD
+7DR/VHOPs8PUS6mf6EMwyzeRHECnb8t9sSx1vqcAPzj/l/3iAQloyn9VxTvJ345/
+yLyFtF+GCqSiXBl5bPR9uN1hrpjeqjcFo/EZFPSLQJNiFtHOUMt3GtJW0h7XQtrf
+PakCeLx4DuMANuLPjdzcK4lZAql/s0A2hHNhEh94QQKBgQDRvxN6E1guXVktZxsS
+rc/2uuOoOYbTkxpkqzqI4WQ24Gb7lu/95jhHdZTWCATLdG+XMDxMdiNWIf2YMAq4
+5+c0ZL3HwiZq6Mo3sbZUP1RnEM4suHZZinTgJgDa3+RDGVF1usSwcvqGjY/+2zL8
+muzjorsY7dBxLne8BDEH9yiHqwKBgQDHWL8o8uiNIpQxz7WzZwi8dNGTKCjA/Oig
+BIin3Rk2nX33y5QIe45Jb9f4V7Q7XZjY2aoYwzVWsZlu1LAFvS9zkuKJB60I6PJt
++5yowZKk2roqR7hreuml1nbyAljoJpuIdrT/xHIQyI3LtgscUOTT2nMwAQ/X0gWz
+xzSrLkjXQQKBgQCBsA2Q66kYceuT4S6iLApsWj4tY/RzmX82Q5Fb1VErhTDn2vnl
+GZYuyQsQE8EzM3lUGCUQefN7bGTq1rmqfuk8QhX+D5PFgs6WBTHhgY7kc0Wn7R5w
+WuXNOnJI4yq2Ok9d5e970nwI+jrQsCQkgH58ecAJt/GsKbkq7cSLUk0jJQKBgACU
+uqHk61aV9jaa812dfEIIWSADqvK9CfSFbtyGYW9uUBKrzjekHIsMP2Xi44yUvkBL
+ihpeX0ZsaBURm524qm28zNo3YoK3IxW8+Pzo64N9e7Np2BjAF/Q6xsf3x8iNbECe
+j/J64RY5b2hblHa1qaUQauuF5UTswMWAXB/vl5jBAoGARQbPUSMgp382ZDN3ohxf
+7XEC/roO6SyuKLaF46kfVgoNXNBK8qvfV4HaUHiWfkBlsdrZioQp7z+S3ijlrAu+
+iae08RHuKQS1XMUN9BvqzmWSB9RMBZSNhVvD8QZwVPSHEqAx8yvORitdjQpDTdFS
+8jKYo+l8sNiEYzv5y/ovagI=
+-----END PRIVATE KEY-----

bts_annee_2/cyber2/vpn-openvpn/server/private/ca.key

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIcJBKkvZeiKACAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECBiqIlSBAXf8BIIEyE3YCOnpXD79
+6t52JDX0eovdDLf2ScDWsOSdDvCHvnEz6Df1ZKYq7jcm5ieFx5XHiRAGwWT/p77O
+OSc73uXheI66RPios2+n0R/IT0mQhc+lOq7CLkCNXn5B1E/ZnAYEXcyhL52TZjQV
+JnBTB/eaz2nz43XviqZ1mwjxDMm6MsyThrtLRbBzrHHcpd93Cdzzk5PofNB+fF5Z
+FXjtb1yecEAHUUh80+xUiVDmtq1elFGR5mI/mRTeIRnWlcez1jgmH2CG39NlyXe5
+Gjz7QnVhzO/z9l2A4kl8LBid0u4fVqx7ja7iWLOVR0XP36ncYZzhpngbiHfGd+y6
+obJN3O1xQnQKE6yL8W+vTv68YnKSgY3RlOs0F1dEVdDIfVX7PnqiRKimiSvGPWl2
+sW6ZtMTITD9q2wL5oMnHemkG/Ugfv1XA/g4SgbfVZAuInRilW4TEU5b7M7jRzJUz
+vdkHYDzaulex8olpXwr1TJGZFNcEoU2dCYz/bU8FZk0ePtLotXK5mobmZJ64Zj4/
+X2mqIl8Wi7pjQQ4nFDifYKgU0J2JbOKbC60s5a1jWSo5RNy1i1sGhkE5kPylAT3Q
+mmxB01GRdgkSrJ90bgdOblgP0OqjRVvkB4GR3Nna0b0tRxEX6C1ahVHc0nWFpcYg
+41xodrs8WSFy8VujH2jbXTBLVVtRSmC32gW5kfYoOqQzV0PdcYIzAh+PCOERGxXP
+ZpBrgqKzup1sOjMmOxZri7iGwQAHbNonOSpRUWQ5k3YupL/VG0dO4nPRB8jySae7
+lVhlhIrG8C4SvOahTNUHc9zOROUST/tTD4RILfq5kIq0cy5FJIqAdzultR8fPPLD
+JUmQswbrxUG9zdEMG8P3bcCAJsjfX8qz5LIzGGETehxlTwNl85god8BslVpi1MEv
+t/+WwUyLRkXYf8b9ooundCbc2PBvjr8Pwi4WmEGHH1fHyKtku9TDVM+KSkpXaLHV
+3sc9GoapcCMeDipvhNT+HFUlrZCj8b8clRUJcd8QZ2Tuj66CJ8BgABGZKjDXYxAu
+cKUVaD2e73qoVwXQDK4q+frlBciAxSdUcdeGFgCeG8aGOBCcJu638oTxDuDlw499
++NPK25mJVH1ppvRYrFHmNlCATL1Hlc2FadX+4H7YvPLFs9woVesVsgy4yVdjA1XN
+dJL9N+5XoOvaUxCKn2e9CIdTCZ/N9d4WtlnsVsJPfP49EV+hYkJZZ/EjqU6dcmQc
+AIj3StPIZb6LrPnHkXrynpzSQNzpQBEW9dXOU/TT3AVV02WfE/7USBI26+iKhj5p
+oxDEHr2LYxWlNZUOTYQ88z/e1/polwOjCilAA4gXobuv1oGlbeoZfJoVzT1578FP
+lkv7MvOHaVCN+V5/RjVxnfsf+n4xMJtEK3Ysj9+7QvWsQJMTZuRhY23Do9cUNbEm
+5ruZeQByIVMPQiPIkmeHU5NEsqKPfw6CUEZXjy62B4cZuN20WzBfT7IsNebhUrwB
+odS9qGkANy/Qa7GAJqeksCoGOeXTu/Ly0IdthqVOJTxcUiEoswrZhYP7eCK8zIKI
+PxgIjyWd6cz/V/NuTg4X8fyT9UyvTKw/pdRXa/P4ndORWucZY4DL+OKeHKqwv9Sq
+TGNCN4VEMQEQhPZ4gidNkg==
+-----END ENCRYPTED PRIVATE KEY-----

bts_annee_2/cyber2/vpn-openvpn/server/private/openvpn-ge.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCREZdmv4B6/gOL
+oW9snO9Izz84RyQA7+GeIJTb8gwqB8nFJN9PnEJqqy60ZPWSuvRG+9Y7JKrzscz3
+A38KHTUJdHeeg0TJJqmRnVkDlJFNr177GCNDy1dAbwu2ttTH4ZJC7qz13pR1cJZz
+PyWTDEDBJcmm1bXyfiEcSa7QhqbZaGfo4w/8i4CLm4A+4Th0MkhnX15jvh8+zXBi
+RbvBKRzBEdozgWVzZr93jAVJCdiPnScOpHXNHK50eFM48YEcm7JyoHczILZk+Op7
+jviJenMwIts85dhg7gJCI6c7v/lICCQTByg/giuQm4p5mXxeVpNsnyoyQp9g8k1p
+KBWwmkUZAgMBAAECggEAEkNrcutRlspjcmEG2N7yDhHPZPup1/dbSW/TJdSVfPYh
+jBEODyT+RJUcCmh6dThVuBkM+cGuRwNfqUp2pDSUoIXZ6Gogzw0vxG4Rjo6V83iM
+ZeK+T9Lp/2nriNuAMtDee9A2FLcqrBVaT5SH27krbtWdy0P1BdwkuX26RTTqjQy0
+EprOVtuGmkw1P9EMpWhWpvGfsAT+irvPpmWSTJUP9KeD8H9E2Rbd7YLKiOOQaVFo
+u/N69N3vbeemTLvaar+4dX7zBHBnhVTVLWIrX7PQpktHCJQ3Y3tx6IcjohDq1xVz
+TQdEvOt7pATKHaooXngumDTiSoap9N/wtHWdYpPjvQKBgQDJ+KaadSn53iSKA2D2
+uT/jhBfEoDu8s7tf0MU0RFhqjN5gSmsUvMQ2plgEKcvaCTtRY2ON3q0LnnLysZEx
+YHCEvXZGgkmpRKI/dHDmUrhr2+Ne7Jt/Qk9inQhonUj282EkL4I8eqXc+oV7U9Y8
+8afLPLjDhWSwJcUGjUZaR10HbQKBgQC34Cb1czef7Iay9s39UOU4mFb6esxsH6hx
+agk2+WcR0upReToEZ91ujGiORqbZnReTlbLDokxJXY/mkjcwB4+pkAsTtPIjtvtE
+wyQZFyiIUo0vC00CfhK1ZWPYCyUTgR0MFUz4XDyfRe/EX2k4cH1iXbpvaYvj/32u
+mje6xODM3QKBgQDBl4cKEjfz+0wGxgpRM2vbxqeJnxTjYVu/EbuUx9X/+5rDrVFK
+hU2GHJfNFcsB6UtkTeIFAGXZ9zyzCCTlsUzozznph8TXbKQgMpptCuke6ZvdRuod
+Zw/0tBR1Qh3IJ6z7JFavZdhKIg+EEO4PaIqvMjrfnqLOfMWH7C59Jl4zWQKBgQCE
+Kr92IDo0Xqw3iUVpNrN8qaujYY78jQjjdKdo934JhsRcibmVHx8/7fbdhZU6yDsB
+H1IeYtNYzMK5phG7GUQ/SkVcBe0ilM0pkOaqjkXZLxVCYmoZR4ulDVrmGKSuz1iU
+rd7kilAc4AVG7pnQMrM9eEeg+4nM+YFadolmW0uGlQKBgQCGu+f+skjD7R/qcC2r
+QxAayp2IbKv4F0aekTAZjTu8ACoZ0P2wJ/RJIDC657sPLhzY+Ra0XoqLZs9LXRTn
+qKK73UMmJn9BiIHoh7C48kKOSgzOD2YnuFodQS6t200eeAOV1pJdwb9ukKN9bzOW
+bXxUMmZwltTsEz0PH/1ao8f8Fw==
+-----END PRIVATE KEY-----

bts_annee_2/cyber2/vpn-openvpn/server/server.conf

@@ -0,0 +1,315 @@
+#################################################
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server.                          #
+#                                               #
+# This file is for the server side              #
+# of a many-clients <-> one-server              #
+# OpenVPN configuration.                        #
+#                                               #
+# OpenVPN also supports                         #
+# single-machine <-> single-machine             #
+# configurations (See the Examples page         #
+# on the web site for more info).               #
+#                                               #
+# This config should work on Windows            #
+# or Linux/BSD systems.  Remember on            #
+# Windows to quote pathnames and use            #
+# double backslashes, e.g.:                     #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+#                                               #
+# Comments are preceded with '#' or ';'         #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one.  You will need to
+# open up this port on your firewall.
+port 1194
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one.  On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key).  Each client
+# and the server must have their own cert and
+# key file.  The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys.  Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca ca.crt
+cert issued/openvpn-ge.crt
+key private/openvpn-ge.key  # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   openssl dhparam -out dh2048.pem 2048
+dh dh.pem
+
+# Network topology
+# Should be subnet (addressing via IP)
+# unless Windows clients v2.0.9 and lower have to
+# be supported (then net30, i.e. a /30 per client)
+# Defaults to net30 (not recommended)
+;topology subnet
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.8.0.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist /var/log/openvpn/ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Configure server mode for ethernet bridging
+# using a DHCP-proxy, where clients talk
+# to the OpenVPN server-side DHCP server
+# to receive their IP address allocation
+# and DNS server addresses.  You must first use
+# your OS's bridging capability to bridge the TAP
+# interface with the ethernet NIC interface.
+# Note: this mode only works on clients (such as
+# Windows), where the client-side TAP adapter is
+# bound to a DHCP client.
+;server-bridge
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server.  Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 192.168.10.0 255.255.255.0"
+;push "route 192.168.20.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir ccd
+;route 192.168.40.128 255.255.255.248
+# Then create a file ccd/Thelonious with this line:
+#   iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN.  This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+# Then add this line to ccd/Thelonious:
+#   ifconfig-push 10.9.0.1 10.9.0.2
+
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients.  There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+#     group, and firewall the TUN/TAP interface
+#     for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+#     modify the firewall in response to access
+#     from different clients.  See man
+#     page for more info on learn-address script.
+;learn-address ./script
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# or bridge the TUN/TAP interface to the internet
+# in order for this to work properly).
+;push "redirect-gateway def1 bypass-dhcp"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses.  CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+# The addresses below refer to the public
+# DNS servers provided by opendns.com.
+;push "dhcp-option DNS 208.67.222.222"
+;push "dhcp-option DNS 208.67.220.220"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+;client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names.  This is recommended
+# only for testing purposes.  For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+#   openvpn --genkey tls-auth ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+tls-auth ta.key 0 # This file is secret
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+# Note that v2.4 client/server will automatically
+# negotiate AES-256-GCM in TLS mode.
+# See also the ncp-cipher option in the manpage
+cipher AES-256-GCM
+
+# Enable compression on the VPN link and push the
+# option to the client (v2.4+ only, for earlier
+# versions see below)
+;compress lz4-v2
+;push "compress lz4-v2"
+
+# For compression compatible with older clients use comp-lzo
+# If you enable it here, you must also
+# enable it in the client config file.
+;comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this on non-Windows
+# systems after creating a dedicated user.
+;user openvpn
+;group openvpn
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status /var/log/openvpn/openvpn-status.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it.  Use one
+# or the other (but not both).
+;log         /var/log/openvpn/openvpn.log
+;log-append  /var/log/openvpn/openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 3
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+# Notify the client that when the server restarts so it
+# can automatically reconnect.
+explicit-exit-notify 1

bts_annee_2/cyber2/vpn-openvpn/server/ta.key

@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+d603ad1c4cec84482158d16fdf2195fc
+00408410be33b106963c91a3ef7f01e6
+85b69e6a37d0928e36bf15d00152817d
+4a16fd1ce4555caca28e602b8124fec6
+a659f275ae06de6a2333dd4a358e4689
+e0914d9416e12c042af8114863159b76
+e79c45aa2f972da28ad19c1b2f6f8b00
+340f4a906f640e0f113483fb50d5799d
+2d75c0ecbf853542e03b4b9f76eec5c1
+fdcc11ab0ba44974eff3c087241521fd
+ae0ef5aad26279907448c6493a77c5d7
+abc5192af4f157ae3f9e25f92c08f7c6
+d33e9ccd18559b886338c515b62bdc8a
+22fb34d04ae4882fcffd74d21e2408af
+5a710d9a6fad0c9d9ca7f985f791999b
+6c8efa6efcf946fc933f7ff0dae6b2ae
+-----END OpenVPN Static key V1-----

bts_annee_2/cyber2/wordpress-lamp/README.md

@@ -0,0 +1 @@
+Dossier avec les fichiers de configuration du pare-feu, le fichier de test goss et le script de récupération des informations sur le serveur Web Wordpress.

bts_annee_2/cyber2/wordpress-lamp/compte-rendu-2024-09-30

@@ -0,0 +1,100 @@
+# Scan des ports ouverts visibles depuis le poste physique
+
+lun. 30 sept. 2024 16:45:55 CEST
+Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-30 16:45 CEST
+Nmap scan report for 172.16.0.152
+Host is up (0.00069s latency).
+Not shown: 997 filtered tcp ports (no-response)
+PORT    STATE SERVICE  VERSION
+22/tcp  open  ssh      OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
+| ssh-hostkey: 
+|   256 507a12ddb833cec5b87c576702e1682a (ECDSA)
+|_  256 c3bbd552f31fbd2d9fdd9e11ca521cbc (ED25519)
+80/tcp  open  http     Apache httpd 2.4.62 ((Debian))
+|_http-title: Did not follow redirect to https://172.16.0.152/
+|_http-server-header: Apache/2.4.62 (Debian)
+443/tcp open  ssl/http Apache httpd 2.4.62 ((Debian))
+|_http-server-header: Apache/2.4.62 (Debian)
+| tls-alpn: 
+|_  http/1.1
+|_http-title: Apache2 Debian Default Page: It works
+| ssl-cert: Subject: commonName=wordpress-ge/organizationName=Lyc\xC3\x83\xC2\xA9e Le Castel/stateOrProvinceName=Bourgogne/countryName=FR
+| Not valid before: 2024-09-26T13:11:27
+|_Not valid after:  2025-09-26T13:11:27
+|_ssl-date: TLS randomness does not represent time
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 23.30 seconds
+
+# Affichage des règles du pare-feu
+
+# Generated by iptables-save v1.8.9 on Mon Sep 30 16:46:17 2024
+*filter
+:INPUT DROP [30889:1853067]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [142:9272]
+-A INPUT -m state --state INVALID -j DROP
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+-A FORWARD -m state --state INVALID -j DROP
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+# Completed on Mon Sep 30 16:46:17 2024
+
+# Scan des ports UDP ouverts sur le serveur Web
+
+State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess                                   
+UNCONN 0      0         127.0.0.54:53        0.0.0.0:*    users:(("systemd-resolve",pid=267,fd=19))
+UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=267,fd=17))
+UNCONN 0      0            0.0.0.0:5355      0.0.0.0:*    users:(("systemd-resolve",pid=267,fd=11))
+
+# Scan des ports TCP ouverts sur le serveur Web
+
+State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess                                   
+LISTEN 0      4096         0.0.0.0:5355      0.0.0.0:*    users:(("systemd-resolve",pid=267,fd=12))
+LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=404,fd=3))            
+LISTEN 0      100          0.0.0.0:25        0.0.0.0:*    users:(("master",pid=778,fd=13))         
+LISTEN 0      4096      127.0.0.54:53        0.0.0.0:*    users:(("systemd-resolve",pid=267,fd=20))
+LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*    users:(("mariadbd",pid=462,fd=20))       
+LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=267,fd=18))
+
+# Résultats des tests Goss
+
+1..31
+ok 1 - Package: apache2: installed: matches expectation: true
+ok 2 - Package: apache2: version: matches expectation: ["2.4.62-1~deb12u1"]
+ok 3 - Package: mariadb-server: installed: matches expectation: true
+ok 4 - Package: mariadb-server: version: matches expectation: ["1:10.11.6-0+deb12u1"]
+ok 5 - Process: apache2: running: matches expectation: true
+ok 6 - Service: sshd: enabled: matches expectation: true
+ok 7 - Service: sshd: running: matches expectation: true
+ok 8 - Process: sshd: running: matches expectation: true
+ok 9 - Port: tcp:22: listening: matches expectation: true
+ok 10 - Port: tcp:22: ip: matches expectation: ["0.0.0.0"]
+ok 11 - Port: tcp6:22: listening: matches expectation: true
+ok 12 - Port: tcp6:22: ip: matches expectation: ["::"]
+ok 13 - User: sshd: exists: matches expectation: true
+ok 14 - User: sshd: uid: matches expectation: 103
+ok 15 - User: sshd: gid: matches expectation: 65534
+ok 16 - User: sshd: home: matches expectation: "/run/sshd"
+ok 17 - User: sshd: groups: matches expectation: ["nogroup"]
+ok 18 - User: sshd: shell: matches expectation: "/usr/sbin/nologin"
+ok 19 - Port: tcp6:80: listening: matches expectation: true
+ok 20 - Port: tcp6:80: ip: matches expectation: ["::"]
+ok 21 - Interface: eth0: exists: matches expectation: true
+ok 22 - Interface: eth0: addrs: matches expectation: ["172.16.0.152/24","fe80::be24:11ff:fe76:ac6f/64"]
+ok 23 - Interface: eth0: mtu: matches expectation: 1500
+ok 24 - Port: tcp6:443: listening: matches expectation: true
+ok 25 - Port: tcp6:443: ip: matches expectation: ["::"]
+ok 26 - Service: ssh: enabled: matches expectation: true
+ok 27 - Service: ssh: running: matches expectation: true
+ok 28 - Service: apache2: enabled: matches expectation: true
+ok 29 - Service: apache2: running: matches expectation: true
+ok 30 - HTTP: http://172.16.0.152/wordpress: status: matches expectation: 200
+ok 31 - HTTP: http://172.16.0.152/wordpress: Body: matches expectation: ["engagement"]

bts_annee_2/cyber2/wordpress-lamp/compterendudistant.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+DATE=$(date -I)
+echo "Scan nmap et comptes-rendus en cours de création, veuillez patienter..."
+echo -ne "# Scan des ports ouverts visibles depuis le poste physique\n\n" > compte-rendu-$DATE
+(date ; nmap -A 172.16.0.152 ) >> compte-rendu-$DATE
+echo -ne "\n# Affichage des règles du pare-feu\n\n" >> compte-rendu-$DATE
+ssh debian@172.16.0.152 "sudo iptables-legacy-save" >> compte-rendu-$DATE
+echo -ne "\n# Scan des ports UDP ouverts sur le serveur Web\n\n" >> compte-rendu-$DATE
+ssh debian@172.16.0.152 "sudo ss -lnu4p" >> compte-rendu-$DATE
+echo -ne "\n# Scan des ports TCP ouverts sur le serveur Web\n\n" >> compte-rendu-$DATE
+ssh debian@172.16.0.152 "sudo ss -lnt4p" >> compte-rendu-$DATE
+echo -ne "\n# Résultats des tests Goss\n\n" >> compte-rendu-$DATE
+ssh debian@172.16.0.152 "sudo goss v -f tap" >> compte-rendu-$DATE

bts_annee_2/cyber2/wordpress-lamp/ferm.conf

@@ -0,0 +1,43 @@
+# -*- shell-script -*-
+#
+#  Configuration file for ferm(1).
+#
+domain (ip) {
+    table filter {
+        chain INPUT {
+            policy DROP;
+
+            # connection tracking
+            mod state state INVALID DROP;
+            mod state state (ESTABLISHED RELATED) ACCEPT;
+
+            # allow local packet
+            interface lo ACCEPT;
+
+            # respond to ping
+            proto icmp ACCEPT; 
+
+            # allow SSH connections
+            proto tcp dport ssh ACCEPT;
+        
+	    # autorise les connexions HTTP et HTTPS
+	    proto tcp dport (http https) ACCEPT;
+	}
+        chain OUTPUT {
+            policy ACCEPT;
+
+            # connection tracking
+            #mod state state INVALID DROP;
+            mod state state (ESTABLISHED RELATED) ACCEPT;
+        }
+        chain FORWARD {
+            policy DROP;
+
+            # connection tracking
+            mod state state INVALID DROP;
+            mod state state (ESTABLISHED RELATED) ACCEPT;
+        }
+    }
+}
+
+@include ferm.d/;

bts_annee_2/cyber2/wordpress-lamp/goss.yaml

@@ -0,0 +1,73 @@
+package:
+    apache2:
+        installed: true
+        versions:
+            - 2.4.62-1~deb12u1
+    mariadb-server:
+        installed: true
+        versions:
+            - 1:10.11.6-0+deb12u1
+port:
+    tcp:22:
+        listening: true
+        ip:
+            - 0.0.0.0
+    tcp6:22:
+        listening: true
+        ip:
+            - '::'
+    tcp6:80:
+        listening: true
+        ip:
+            - '::'
+    tcp6:443:
+        listening: true
+        ip:
+            - '::'
+service:
+    apache2:
+        enabled: true
+        running: true
+    ssh:
+        enabled: true
+        running: true
+    sshd:
+        enabled: true
+        running: true
+user:
+    sshd:
+        exists: true
+        uid: 103
+        gid: 65534
+        groups:
+            - nogroup
+        home: /run/sshd
+        shell: /usr/sbin/nologin
+process:
+    apache2:
+        running: true
+    sshd:
+        running: true
+interface:
+    eth0:
+        exists: true
+        addrs:
+            - 172.16.0.152/24
+            - fe80::be24:11ff:fe76:ac6f/64
+        mtu: 1500
+http:
+    http://172.16.0.152/wordpress:
+        status: 200
+        allow-insecure: true
+        no-follow-redirects: false
+        timeout: 5000
+        body:
+          - engagement
+https:
+    https://172.16.0.152/wordpress:
+        status: 200
+        allow-insecure: true
+        no-follow-redirects: false
+        timeout: 5000
+        body:
+          - engagement

bts_annee_2/sisr2/README.md

@@ -0,0 +1,2 @@
+Dépôt de seconde année de SISR.
+Chaque dossier porte le nom du sujet associé.

bts_annee_2/sisr2/ansible/README.md

@@ -0,0 +1,2 @@
+Fichier hosts utilisé pour ansible lors du TP de la séance 16.
+Sont inclus les fichiers idempotents .yml d'ansible que j'ai fait, ainsi que le dossier avec tous les playbooks pour le DokuWiki.

bts_annee_2/sisr2/ansible/doku/README.md

@@ -0,0 +1 @@
+Dossier des playbooks DokuWiki.

bts_annee_2/sisr2/ansible/doku/hosts

@@ -0,0 +1,6 @@
+[adm]
+infra
+ 
+[web]
+web1
+web2

bts_annee_2/sisr2/ansible/doku/local.yml

@@ -0,0 +1,4 @@
+- hosts: web
+  roles:
+  - web
+  - doku

bts_annee_2/sisr2/ansible/doku/main_doku.yml

@@ -0,0 +1,51 @@
+- name: 1. Récupération du tar.gz du DokuWiki
+  get_url:
+    url: http://depl/store/dokuwiki-stable.tgz
+    dest: /tmp
+
+- name: 2. Extraction de l'archive
+  unarchive:
+    src: /tmp/dokuwiki-stable.tgz
+    dest: /var/www/html
+    remote_src: yes
+
+- name: 3. Status des dossiers du Wiki
+  stat:
+    path: /var/www/html/dokuwiki-2024-02-06b
+  register: rept_stat
+
+- name: 4. On renomme les dossiers
+  command: mv /var/www/html/dokuwiki-2024-02-06b /var/www/html/doku
+  when: rept_stat.stat.exists
+
+- name: 5. Changement des droits sur la racine
+  file:
+    path: /var/www/html/doku
+    owner: root
+    group: root
+
+- name: 6. Changement des droits sur le dossier data
+  file:
+    path: /var/www/html/doku/data
+    owner: www-data
+    group: www-data
+    recurse: true
+
+- name: 7. Changement des droits sur le dossier conf
+  file:
+    path: /var/www/html/doku/conf
+    owner: www-data
+    group: www-data
+    recurse: true
+
+- name: 8. Changement des droits sur le dossier lib
+  file:
+    path: /var/www/html/doku/lib
+    owner: www-data
+    group: www-data
+    recurse: true
+
+- name: 9. Redémarre Apache2
+  service:
+    name: apache2
+    state: restarted

bts_annee_2/sisr2/ansible/doku/main_web.yml

@@ -0,0 +1,10 @@
+- name: 1. Installe les paquets requis pour le DokuWiki 
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+     - apache2
+     - php
+     - php-mbstring
+     - php-gd
+     - php-xml

bts_annee_2/sisr2/ansible/doku_vagrant/.vagrant/machines/default/virtualbox/action_provision

@@ -0,0 +1 @@
+1.5:958cb3af-259b-4658-a68d-c1857a1e413e

bts_annee_2/sisr2/ansible/doku_vagrant/.vagrant/machines/default/virtualbox/action_set_name

@@ -0,0 +1 @@
+1728918924

bts_annee_2/sisr2/ansible/doku_vagrant/.vagrant/machines/default/virtualbox/box_meta

@@ -0,0 +1 @@
+{"name":"debian/bookworm64","version":"12.20240905.1","provider":"virtualbox","directory":"boxes/debian-VAGRANTSLASH-bookworm64/12.20240905.1/virtualbox"}

bts_annee_2/sisr2/ansible/doku_vagrant/.vagrant/machines/default/virtualbox/creator_uid

@@ -0,0 +1 @@
+1010

bts_annee_2/sisr2/ansible/doku_vagrant/.vagrant/machines/default/virtualbox/id

@@ -0,0 +1 @@
+958cb3af-259b-4658-a68d-c1857a1e413e

bts_annee_2/sisr2/ansible/doku_vagrant/.vagrant/machines/default/virtualbox/index_uuid

@@ -0,0 +1 @@
+f61390876b004055816245659fd5bd63

bts_annee_2/sisr2/ansible/doku_vagrant/.vagrant/machines/default/virtualbox/private_key

@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAA
+AAtzc2gtZWQyNTUxOQAAACCBZZKsafTtksM02cxu00M0JHuzu98jWAYjAE5g
+5nYQewAAAJAH27ajB9u2owAAAAtzc2gtZWQyNTUxOQAAACCBZZKsafTtksM0
+2cxu00M0JHuzu98jWAYjAE5g5nYQewAAAEC/FErqsFWPvvl2PPU4cwB4kJeI
+uUI3/pDFA1jD8ia3I4Flkqxp9O2SwzTZzG7TQzQke7O73yNYBiMATmDmdhB7
+AAAAB3ZhZ3JhbnQBAgMEBQY=
+-----END OPENSSH PRIVATE KEY-----

bts_annee_2/sisr2/ansible/doku_vagrant/.vagrant/machines/default/virtualbox/synced_folders

@@ -0,0 +1 @@
+{"virtualbox":{"/vagrant":{"guestpath":"/vagrant","hostpath":"/home/guillaume.emorine/vagrant/testansible/dokuw","disabled":false,"__vagrantfile":true}}}

bts_annee_2/sisr2/ansible/doku_vagrant/.vagrant/machines/default/virtualbox/vagrant_cwd

@@ -0,0 +1 @@
+/home/guillaume.emorine/vagrant/testansible/dokuw

bts_annee_2/sisr2/ansible/doku_vagrant/.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory

@@ -0,0 +1,3 @@
+# Generated by Vagrant
+
+default ansible_ssh_host=127.0.0.1 ansible_ssh_port=2202 ansible_ssh_user='vagrant' ansible_ssh_private_key_file='/home/guillaume.emorine/vagrant/testansible/dokuw/.vagrant/machines/default/virtualbox/private_key'

bts_annee_2/sisr2/ansible/doku_vagrant/.vagrant/rgloader/loader.rb

@@ -0,0 +1,12 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+# This file loads the proper rgloader/loader.rb file that comes packaged
+# with Vagrant so that encoded files can properly run with Vagrant.
+
+if ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"]
+  require File.expand_path(
+    "rgloader/loader", ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"])
+else
+  raise "Encoded files can't be read outside of the Vagrant installer."
+end

bts_annee_2/sisr2/ansible/doku_vagrant/README.md

@@ -0,0 +1 @@
+Dossier qui contient les fichiers du test vagrantfile + ansible.

bts_annee_2/sisr2/ansible/doku_vagrant/Vagrantfile

@@ -0,0 +1,30 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://vagrantcloud.com/search.
+  config.vm.box = "debian/bookworm64"
+
+  config.vm.box_check_update = true
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine. In the example below,
+  # accessing "localhost:8080" will access port 80 on the guest machine.
+  # NOTE: This will enable public access to the opened port
+
+  config.vm.network "forwarded_port", guest: 80, host: 8080
+  config.vm.network "forwarded_port", guest: 22, host: 2022
+
+  config.vm.provision "shell", inline: <<-SHELL
+     apt update && apt-get upgrade -y
+   SHELL
+ 
+   config.vm.provision "ansible" do |ansible|
+     ansible.playbook = "local.yml" # lance le playbook local.yml
+   end
+end

bts_annee_2/sisr2/ansible/doku_vagrant/hosts

@@ -0,0 +1,6 @@
+[adm]
+infra
+ 
+[web]
+web1
+web2

bts_annee_2/sisr2/ansible/doku_vagrant/local.yml

@@ -0,0 +1,5 @@
+- hosts: all
+  become: yes
+  roles:
+  - web
+  - doku

bts_annee_2/sisr2/ansible/doku_vagrant/roles/doku/tasks/main.yml

@@ -0,0 +1,51 @@
+- name: 1. Récupération du tar.gz du DokuWiki
+  get_url:
+    url: http://depl/store/dokuwiki-stable.tgz
+    dest: /tmp
+
+- name: 2. Extraction de l'archive
+  unarchive:
+    src: /tmp/dokuwiki-stable.tgz
+    dest: /var/www/html
+    remote_src: yes
+
+- name: 3. Status des dossiers du Wiki
+  stat:
+    path: /var/www/html/dokuwiki-2024-02-06b
+  register: rept_stat
+
+- name: 4. On renomme les dossiers
+  command: mv /var/www/html/dokuwiki-2024-02-06b /var/www/html/doku
+  when: rept_stat.stat.exists
+
+- name: 5. Changement des droits sur la racine
+  file:
+    path: /var/www/html/doku
+    owner: root
+    group: root
+
+- name: 6. Changement des droits sur le dossier data
+  file:
+    path: /var/www/html/doku/data
+    owner: www-data
+    group: www-data
+    recurse: true
+
+- name: 7. Changement des droits sur le dossier conf
+  file:
+    path: /var/www/html/doku/conf
+    owner: www-data
+    group: www-data
+    recurse: true
+
+- name: 8. Changement des droits sur le dossier lib
+  file:
+    path: /var/www/html/doku/lib
+    owner: www-data
+    group: www-data
+    recurse: true
+
+- name: 9. Redémarre Apache2
+  service:
+    name: apache2
+    state: restarted

bts_annee_2/sisr2/ansible/doku_vagrant/roles/web/tasks/main.yml

@@ -0,0 +1,10 @@
+- name: 1. Installe les paquets requis pour le DokuWiki 
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+     - apache2
+     - php
+     - php-mbstring
+     - php-gd
+     - php-xml

bts_annee_2/sisr2/ansible/hosts

@@ -0,0 +1,6 @@
+[adm]
+infra
+ 
+[web]
+web1
+web2

bts_annee_2/sisr2/ansible/squid.yml

@@ -0,0 +1,32 @@
+# squid.yml
+---
+- hosts: adm
+  vars:
+    - proxy_port: 8080
+    - proxy_mem: 128
+    - proxy_localnet: "192.168.0.0/24"
+
+  tasks:
+    - name: 1. Installe le proxy Squid sur la machine Infra.
+      apt:
+        name: squid
+        state: present
+
+# Uncomment this on FIRST RUN, comment afterwards !
+#    - name: 2. Récupère le fichier squid.conf.
+#      ansible.builtin.fetch:
+#        src: /etc/squid/squid.conf
+#        dest: squid.conf.j2
+#        flat: yes
+
+    - name: 3. Envoie squid.conf
+      template:
+        src: squid.conf.j2
+        dest: /etc/squid/squid.conf
+      notify: Restart squid
+  
+  handlers:
+    - name: Restart squid
+      service: 
+        name: squid
+        state: restarted

bts_annee_2/sisr2/ansible/syslog-cli.yml

@@ -0,0 +1,35 @@
+# syslog-cli.yml
+---
+- hosts: web
+  tasks:
+  - name: 1. Installe le paquet rsyslog.
+    apt: 
+      name: rsyslog
+      state: present
+
+  - name: 2. Ajoute la ligne pour forwarder les logs rsyslog au bon endroit.
+    lineinfile:
+      path: /etc/rsyslog.conf
+      line: '*.* @192.168.0.37:514'
+      create: yes
+    notify: Restart rsyslog
+
+  - name: 3. Forward les logs journald vers syslog.
+    replace:
+      path: /etc/systemd/journald.conf
+      regexp: '^#ForwardToSyslog=yes'
+      replace: 'ForwardToSyslog=yes'
+    notify: Restart journald
+
+  handlers:
+  - name: Restart rsyslog
+    service:
+      name: rsyslog
+      state: restarted
+
+  - name: Restart journald
+    service:
+      name: systemd-journald
+      state: restarted
+
+

bts_annee_2/sisr2/ansible/syslog.yml

@@ -0,0 +1,30 @@
+# syslog.yml
+---
+- hosts: adm
+  tasks:
+  - name: 1. Installe le paquet rsyslog.
+    apt: 
+      name: rsyslog
+      state: present
+
+  - name: 2. Active le module UDP sur le serveur syslog.
+    replace:
+      path: /etc/rsyslog.conf
+      regexp: '^#module\(load="imudp"\)'
+      replace: 'module(load="imudp")'
+    notify: Restart rsyslog
+
+  - name: 3. Active l'écoute sur le port UDP 514.
+    replace:
+      path: /etc/rsyslog.conf
+      regexp: '^#input\(type="imudp" port="514"\)'
+      replace: 'input(type="imudp" port="514")'
+    notify: Restart rsyslog
+
+  handlers:
+  - name: Restart rsyslog
+    service:
+      name: rsyslog
+      state: restarted
+
+

bts_annee_2/sisr2/ansible/web.yml

@@ -0,0 +1,21 @@
+# playbook.yml
+---
+- hosts: web
+  tasks:
+  - name: 1. installe Apache
+    apt: 
+      name: apache2
+      state: present
+  - name: 2. installe PHP pour Apache
+    apt:
+      name: php
+      state: present
+  - name: 3. installe php-mbstring
+    apt:
+      name: php-mbstring
+      state: present
+  - name: 4. installe index.html
+    copy:
+      src: index.html
+      dest: /var/www/html/index.html
+      mode: 0664 

bts_annee_2/sisr2/heartbeat_repa_charge/README.md

@@ -0,0 +1,2 @@
+Vagrantfiles de la troisième séance en SISR, et scripts pour le heartbeat.
+Les dossiers nominaux sont les machines du heartbeat.

bts_annee_2/sisr2/heartbeat_repa_charge/hb1/inst-hb1.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# les bases 
+#  noeud hb1  : 192.168.0.101 
+#  noeud hb2  : 192.168.0.102 
+#  addr virt. : 192.168.0.103 
+    
+sed -i 's/bookworm/hb1/g' /etc/host{s,name}
+apt update
+apt install -y heartbeat apache2 net-tools
+systemctl disable apache2
+
+cat <<EOT> /etc/network/interfaces.d/enp0s3
+allow-hotplug enp0s3
+iface enp0s3 inet static
+address 192.168.0.101/24 # a adapter pour hb2
+EOT
+
+cat <<EOT> /etc/network/interfaces.d/enp0s8
+allow-hotplug enp0s8
+iface enp0s8 inet static
+address 10.0.0.1/24      # a adapter pour hb2
+EOT
+
+cd /usr/share/doc/heartbeat
+gunzip *.gz
+cp ha.cf /etc/ha.d
+cp haresources /etc/ha.d
+cp authkeys /etc/ha.d
+cd /etc/ha.d
+echo "192.168.0.102 hb2" >> /etc/hosts # a adapter pour hb2
+
+cat <<EOT >> /etc/ha.d/ha.cf
+bcast enp0s8
+node hb1
+node hb2
+pacemaker off
+EOT
+
+# echo " hb1 192.168.0.103 apache2" >> /etc/ha.d/haresources pou Debian buster
+echo " hb1 192.168.0.103/24/enp0s3 apache2" >> /etc/ha.d/haresources 
+
+cat <<EOT >> /etc/ha.d/authkeys
+auth 1
+1 crc
+EOT
+
+chmod 600 /etc/ha.d/authkeys
+echo hb1 > /var/www/html/index.html # a adapter pour hb2
+ #

bts_annee_2/sisr2/heartbeat_repa_charge/hb2/inst-hb2.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# les bases 
+#  noeud hb1  : 192.168.0.101 
+#  noeud hb2  : 192.168.0.102 
+#  addr virt. : 192.168.0.103 
+    
+sed -i 's/bookworm/hb2/g' /etc/host{s,name}
+apt update
+apt install -y heartbeat apache2 net-tools
+systemctl disable apache2
+
+cat <<EOT> /etc/network/interfaces.d/enp0s3
+allow-hotplug enp0s3
+iface enp0s3 inet static
+address 192.168.0.102/24 # a adapter pour hb2
+EOT
+
+cat <<EOT> /etc/network/interfaces.d/enp0s8
+allow-hotplug enp0s8
+iface enp0s8 inet static
+address 10.0.0.2/24      # a adapter pour hb2
+EOT
+
+cd /usr/share/doc/heartbeat
+gunzip *.gz
+cp ha.cf /etc/ha.d
+cp haresources /etc/ha.d
+cp authkeys /etc/ha.d
+cd /etc/ha.d
+echo "192.168.0.101 hb1" >> /etc/hosts # a adapter pour hb2
+
+cat <<EOT >> /etc/ha.d/ha.cf
+bcast enp0s8
+node hb1
+node hb2
+pacemaker off
+EOT
+
+# echo " hb1 192.168.0.103 apache2" >> /etc/ha.d/haresources pou Debian buster
+echo " hb1 192.168.0.103/24/enp0s3 apache2" >> /etc/ha.d/haresources 
+
+cat <<EOT >> /etc/ha.d/authkeys
+auth 1
+1 crc
+EOT
+
+chmod 600 /etc/ha.d/authkeys
+echo hb2 > /var/www/html/index.html # a adapter pour hb2
+ #

bts_annee_2/sisr2/heartbeat_repa_charge/vagrant/Vagrantfile_bookworm

@@ -0,0 +1,79 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+ 
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  # The most common configuration options are documented and commented below.
+  # For a complete reference, please see the online documentation at
+  # https://docs.vagrantup.com.
+ 
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://vagrantcloud.com/search.
+  config.vm.box = "debian/bookworm64"
+  config.vm.hostname = "bookworm"
+ 
+  # Disable automatic box update checking. If you disable this, then
+  # boxes will only be checked for updates when the user runs
+  # `vagrant box outdated`. This is not recommended.
+  # config.vm.box_check_update = false
+ 
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine. In the example below,
+  # accessing "localhost:8080" will access port 80 on the guest machine.
+  # NOTE: This will enable public access to the opened port
+  # config.vm.network "forwarded_port", guest: 80, host: 8080
+ 
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine and only allow access
+  # via 127.0.0.1 to disable public access
+  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
+ 
+  # Create a private network, which allows host-only access to the machine
+  # using a specific IP.
+  # config.vm.network "private_network", ip: "192.168.33.10"
+ 
+  # Create a public network, which generally matched to bridged network.
+  # Bridged networks make the machine appear as another physical device on
+  # your network.
+  # config.vm.network "public_network"
+ 
+  # Share an additional folder to the guest VM. The first argument is
+  # the path on the host to the actual folder. The second argument is
+  # the path on the guest to mount the folder. And the optional third
+  # argument is a set of non-required options.
+  # config.vm.synced_folder "../data", "/vagrant_data"
+ 
+  # Disable the default share of the current code directory. Doing this
+  # provides improved isolation between the vagrant box and your host
+  # by making sure your Vagrantfile isn't accessable to the vagrant box.
+  # If you use this you may want to enable additional shared subfolders as
+  # shown above.
+  # config.vm.synced_folder ".", "/vagrant", disabled: true
+ 
+  # Provider-specific configuration so you can fine-tune various
+  # backing providers for Vagrant. These expose provider-specific options.
+  # Example for VirtualBox:
+  #
+  # config.vm.provider "virtualbox" do |vb|
+  #   # Display the VirtualBox GUI when booting the machine
+  #   vb.gui = true
+  #
+  #   # Customize the amount of memory on the VM:
+  #   vb.memory = "1024"
+  # end
+  #
+  # View the documentation for the provider you are using for more
+  # information on available options.
+ 
+  # Enable provisioning with a shell script. Additional provisioners such as
+  # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
+  # documentation for more information about their specific syntax and use.
+   config.vm.provision "shell", inline: <<-SHELL
+     timedatectl set-timezone Europe/Paris
+     apt-get update
+     apt-get install -y vim wget curl neovim mc
+   SHELL
+end

bts_annee_2/sisr2/heartbeat_repa_charge/vagrant/Vagrantfile_rsync

@@ -0,0 +1,28 @@
+    # -*- mode: ruby -*-
+    # vi: set ft=ruby :
+    Vagrant.configure("2") do |config|
+      config.vm.provision "shell", inline: "apt-get update" # execute pour chacune des machines
+     
+      config.vm.define "srv1" do |srv1|#VM No'1
+        srv1.vm.box = "debian/bookworm64" #Setting machine type
+        srv1.vm.hostname = "srv1" #Setting machine type
+        srv1.vm.network "public_network", ip: "192.168.0.111"#Set static IP
+        srv1.vm.provision "shell", inline: <<-SHELL
+         timedatectl set-timezone Europe/Paris
+         apt-get install -y wget curl vim unzip apache2
+         echo "192.168.0.112 srv2" >> /etc/hosts
+       SHELL
+      end
+     
+      config.vm.define "srv2" do |srv2|# VM No2
+        srv2.vm.box = "debian/bookworm64" #Setting machine type
+        srv2.vm.hostname = "srv2" #Setting machine type
+        srv2.vm.network "public_network", ip: "192.168.0.112"  #Set static IP
+        srv2.vm.provision "shell", inline: <<-SHELL
+         timedatectl set-timezone Europe/Paris
+         apt-get install -y wget curl vim unzip apache2
+         echo "192.168.0.111 srv1" >> /etc/hosts
+        SHELL
+      end
+    end
+

bts_annee_2/sisr2/lvs_haproxy/README.md

@@ -0,0 +1 @@
+Dossier avec les fichiers provenant de la machine LVS pour l'équilibrage des charges.

bts_annee_2/sisr2/lvs_haproxy/lvs/haproxy.cfg

@@ -0,0 +1,44 @@
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+
+	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+	log	global
+	mode	http
+	option	httplog
+	option	dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
+# conf perso
+frontend front_webservers
+	bind *:80
+	default_backend backend_webservers
+	option forwardfor
+
+backend backend_webservers
+	balance roundrobin
+	server web1-ge 172.16.1.1:80 check
+	server web2-ge 172.16.1.2:80 check

bts_annee_2/sisr2/lvs_haproxy/lvs/ipvs.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+ipvsadm -A -t 192.168.0.150:80 -s rr
+ipvsadm -a -t 192.168.0.150:80 -r 172.16.1.1:80 -m
+ipvsadm -a -t 192.168.0.150:80 -r 172.16.1.2:80 -m
+ipvsadm -L

bts_annee_2/sisr2/pxe/DHCP/README.md

@@ -0,0 +1 @@
+Fichiers de configuration du serveur DHCP de la machine PXE.

bts_annee_2/sisr2/pxe/DHCP/dhcpd.conf

@@ -0,0 +1,112 @@
+# dhcpd.conf
+#
+# Sample configuration file for ISC dhcpd
+#
+
+# option definitions common to all supported networks...
+#option domain-name "example.org";
+option domain-name-servers 10.121.38.7, 10.121.38.8;
+
+default-lease-time 100000;
+max-lease-time 7200000;
+
+allow booting;
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+#authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+#log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the 
+# DHCP server to understand the network topology.
+
+#subnet 10.152.187.0 netmask 255.255.255.0 {
+#}
+
+# This is a very basic subnet declaration.
+
+subnet 192.168.1.0 netmask 255.255.255.0 {
+  range 192.168.1.10 192.168.1.20;
+  option broadcast-address 192.168.1.255;
+  option routers 192.168.1.100;
+  next-server 192.168.1.100;
+  filename "pxelinux.0";
+}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+#  range dynamic-bootp 10.254.239.40 10.254.239.60;
+#  option broadcast-address 10.254.239.31;
+#  option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+#  range 10.5.5.26 10.5.5.30;
+#  option domain-name-servers ns1.internal.example.org;
+#  option domain-name "internal.example.org";
+#  option routers 10.5.5.1;
+#  option broadcast-address 10.5.5.31;
+#  default-lease-time 600;
+#  max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements.   If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+#  hardware ethernet 0:0:c0:5d:bd:95;
+#  filename "vmunix.passacaglia";
+#  server-name "toccata.example.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts.   These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+#host fantasia {
+#  hardware ethernet 08:00:07:26:c0:a5;
+#  fixed-address fantasia.example.com;
+#}
+
+# You can declare a class of clients and then do address allocation
+# based on that.   The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+#  subnet 10.17.224.0 netmask 255.255.255.0 {
+#    option routers rtr-224.example.org;
+#  }
+#  subnet 10.0.29.0 netmask 255.255.255.0 {
+#    option routers rtr-29.example.org;
+#  }
+#  pool {
+#    allow members of "foo";
+#    range 10.17.224.10 10.17.224.250;
+#  }
+#  pool {
+#    deny members of "foo";
+#    range 10.0.29.10 10.0.29.230;
+#  }
+#}

bts_annee_2/sisr2/pxe/Interfaces/README.md

@@ -0,0 +1 @@
+Fichiers d'interfaces réseau des deux cartes de la machine PXE.

bts_annee_2/sisr2/pxe/Interfaces/enp0s3

@@ -0,0 +1,3 @@
+# generated by FAI
+auto enp0s3
+iface enp0s3 inet dhcp

bts_annee_2/sisr2/pxe/Interfaces/enp0s8

@@ -0,0 +1,4 @@
+# generated by FAI
+auto enp0s8
+iface enp0s8 inet static
+address 192.168.1.100/24

bts_annee_2/sisr2/pxe/README.md

@@ -0,0 +1 @@
+Fichiers de configuration de la cinquième séance de SISR, sur PXE et le Netboot.

bts_annee_2/sisr2/pxe/nftables/README.md

@@ -0,0 +1 @@
+Fichier de configuration nftables de la machine PXE.

bts_annee_2/sisr2/pxe/nftables/nftables.conf

@@ -0,0 +1,24 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority filter;
+	}
+	chain forward {
+		type filter hook forward priority filter;
+	}
+	chain output {
+		type filter hook output priority filter;
+	}
+}
+table inet nat {
+	chain prerouting {
+		type nat hook prerouting priority 0;
+	}
+	chain postrouting {
+		type nat hook postrouting priority 100;
+		oifname "enp0s3" masquerade
+	}
+}

bts_annee_2/sisr2/pxe/routing_command

@@ -0,0 +1 @@
+sysctl net.ipv4.ip_forward=1

bts_annee_2/sisr2/python/README.md

@@ -0,0 +1,2 @@
+Dépôt des fichiers Python faits lors de la séance du 3 Octobre, le matin.
+Le fichier users.txt est celui utilisé pour la création des comptes, pour l'exercice 4.

bts_annee_2/sisr2/python/createusers.py

@@ -0,0 +1,26 @@
+#!/usr/bin/python3
+import os
+import sys
+def create_user(login, full_name):
+    try:
+        os.system(f'sudo useradd -m -c "{full_name}" {login}')
+        print(f"Utilisateur {login} créé avec succès.")
+    except Exception as e:
+        print(f"Erreur lors de la création de l'utilisateur {login}: {e}")
+def main(filename):
+    try:
+        with open(filename, 'r') as file:
+            for line in file:
+                line = line.strip()
+                if line:
+                    login, full_name = line.split(':')
+                    create_user(login.strip(), full_name.strip())
+    except FileNotFoundError:
+        print(f"Le fichier {filename} n'a pas été trouvé.")
+    except Exception as e:
+        print(f"Erreur lors de la lecture du fichier {filename}: {e}")
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print("Usage: python3 createusers.py <nom_du_fichier>")
+    else:
+        main(sys.argv[1])

bts_annee_2/sisr2/python/occurences.py

@@ -0,0 +1,18 @@
+#!/usr/bin/python3
+# Demander à l'utilisateur de saisir une phrase
+phrase = input("Entrez une phrase : ")
+# Convertir la phrase en liste de mots
+mots = phrase.split()
+# Crée un dictionnaire pour stocker les occurrences des mots
+occurrences = {}
+# Compter les occurrences de chaque mot
+for mot in mots:
+    if mot in occurrences:
+        occurrences[mot] += 1
+    else:
+        occurrences[mot] = 1
+# Afficher les mots et leurs occurrences
+print("Occurrences des mots :")
+for mot, count in occurrences.items():
+    print(f"{mot} : {count})"
+

bts_annee_2/sisr2/python/perimetre.py

@@ -0,0 +1,6 @@
+#!/usr/bin/python3
+# Récupération de la valeur du rayon
+rayon=int(input("Quel est le rayon du cercle ? "))
+# Calcul et affichage
+perim=(2*3.141592*rayon)
+print("Le périmètre vaut:",perim)

bts_annee_2/sisr2/python/tableau.py

@@ -0,0 +1,31 @@
+#!/usr/bin/python3
+# Les variables:
+tableau=[]
+i=0
+avg=0
+# Boucle while pour l'input et le remplissage du tableau
+while i < 4:
+    x=int(input("Entrez un chiffre : "))
+    tableau.append(x)
+    x=0
+    i=i+1
+# Fin de la boucle while, déclaration de variables pour la suite
+mini=tableau[0]
+maxi=tableau[0]
+# Boucle for pour obtenir les valeurs minimales et maximales
+for y in range (i):
+    if tableau[y] > maxi:
+        maxi=tableau[y]
+    if tableau[y] < mini:
+        mini=tableau[y]
+    avg=avg+tableau[y]
+    # Affichage de chaque élément du tableau
+    print(tableau[y])
+# Calcul de la moyenne
+avg=avg/i
+# Affichage final
+print("La plus grande valeur du tableau est: ",maxi)
+print("La plus petite valeur du tableau est: ",mini)
+print("La moyenne du tableau final est: ",avg)
+
+# On aurait pu faire ça 100x plus vite, mais faut se compliquer la vie.

bts_annee_2/sisr2/python/users.txt

@@ -0,0 +1,5 @@
+adupont:Albert Dupont
+jduroy:Jeannette Duroy
+gemorine:Guillaume Emorine
+jpauchet:Jarod Pauchet
+ngenret:Nathan Genret

sisr1/README.md

@@ -1 +1,17 @@
-Chaque dossier porte le nom du TP associé.
+Chaque dossier porte le numéro et la description du TP associé.
+
+01: Mise en oeuvre d'une infrastructure DHCP et routage.
+
+02: Paramétrage d'un serveur DNS.
+
+03: Création d'un réseau privé à administrer.
+
+04: Administration d'un réseau privé.
+
+05: Création d'un partage de fichiers Samba.
+
+06: Paramétrage d'un serveur proxy.
+
+07: Firewall avec netfilter et nftables.
+
+08: Modification d'une infrastructure.

sisr1/tp01-02/files_dhcp/README.md

@@ -1 +0,0 @@
-Files for the srv-dhcp-ge Virtual Machine, from the FIRST and SECOND TPs.

sisr1/tp01-02/files_dns1/README.md

@@ -1 +0,0 @@
-Files for the srv-dns1-ge Virtual Machine, from the FIRST and SECOND TPs.

sisr1/tp01-02/files_dns2/README.md

@@ -1 +0,0 @@
-Files for the srv-dns2-ge Virtual Machine, from the FIRST AND SECOND TPs.

sisr1/tp01-02_dhcp_dns/files_dhcp_vm/README.md

@@ -0,0 +1 @@
+Fichiers du premier et deuxième TP pour la machine srv-dhcp-ge.