vasco/FSI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fuck...

Browse Source
This commit is contained in:
jelly Tomas
2026-04-28 00:04:30 +01:00
parent c31c4602f2 10e2db0f38
commit c175b85239
10 changed files with 61 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
VM_OPENSSL_APACHE.sh
View File

@@ -7,6 +7,18 @@ sudo yum install -y epel-release
sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator
sudo yum install -y mod_session
# utilizador
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
# dar acesso ao apache para ler o .google_authenticator
groupadd -f totp
usermod -aG totp apache
usermod -aG totp john
sudo chown apache:totp /home/john/.google_authenticator
sudo chmod 660 /home/john/.google_authenticator
if_dentro="enp0s8"
ip_dentro="10.60.0.1"
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
@@ -34,6 +46,7 @@ cp ca/ca.crt /etc/httpd/ssl/
cp ca/apache.crt /etc/httpd/ssl/
cp ca/apache.key /etc/httpd/ssl/
cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
cp conf/httpd.conf /etc/httpd/conf/httpd.conf
cp conf/httpd-totp /etc/pam.d/httpd-totp
# NOTA(vasco) é preciso desativar home protection outra vez
@@ -51,12 +64,3 @@ cp -r www/* /var/www/html/
chown -R apache:apache /var/www/html/
systemctl enable --now httpd
# acho ?????
sudo chgrp apache /etc/shadow
sudo chmod o+x /home/john
sudo chown apache /home/john/.google_authenticator
sudo chmod 400 /home/john/.google_authenticator
sudo chmod o+x /home/user
sudo chown apache /home/user/.google_authenticator
sudo chmod 400 /home/user/.google_authenticator

24
VM_VPN_GATEWAY.sh
View File

@@ -8,7 +8,6 @@
source VM_CONFIG.sh
yum install -y google-authenticator qrencode ntpsec
# --- forwarding --- #
if_fora="enp0s8"
ip_fora="193.136.212.1"
@@ -23,13 +22,13 @@ ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT # :O
iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT # :P
iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT # ;)
iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT # faltava isto ?
iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT # faltava isto ?
iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE # :D
iptables-save > /etc/sysconfig/iptables # :3
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT
iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT
iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT
iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
# --- vpn server --- #
vpn_dir="/etc/openvpn/server"
@@ -42,3 +41,12 @@ cp conf/vpn.conf $vpn_dir
cp conf/ocsp-verify.sh $vpn_dir
cp conf/totp /etc/pam.d/
systemctl enable --now openvpn-server@vpn.service
# --- utilizador --- #
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
groupadd -f totp
usermod -aG totp john
usermod -aG totp openvpn
sudo chown john:totp /home/john/.google_authenticator
sudo chmod 660 /home/john/.google_authenticator

2
conf/httpd.conf
View File

@@ -1 +1 @@
# LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule authnz_pam_module modules/mod_authnz_pam.so

6
conf/ssl.conf
View File

@@ -57,3 +57,9 @@ Listen 443 https
</Location>
</VirtualHost>
# redirect para https
<VirtualHost *:80>
ServerName 10.60.0.1
Redirect permanent / https://10.60.0.1/
</VirtualHost>

6
conf/vpn.conf
View File

@@ -3,16 +3,16 @@ port 1194
proto udp
dev tun
verb 4
# Bro is too honorable
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn.crt
key /etc/openvpn/server/vpn.key
dh /etc/openvpn/server/dh2048.pem
server 10.8.0.0 255.255.255.0
verb 4
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.60.0.0 255.255.255.0"
# OCSP and Revocation

2
relatorio/relatorio.aux
View File

@@ -24,7 +24,7 @@
\@writefile{toc}{\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{9}{subsection.5.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.2.1}Testes}{9}{subsubsection.5.2.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{9}{subsection.5.3}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.3.1}Testes}{9}{subsubsection.5.3.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.3.1}Testes}{10}{subsubsection.5.3.1}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {6}Teste Integrado}{10}{section.6}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {7}Conclusão}{10}{section.7}\protected@file@percent }
\gdef \@abspage@last{10}

13
relatorio/relatorio.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.4.13) 27 APR 2026 20:43
This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.4.13) 27 APR 2026 22:37
entering extended mode
\write18 enabled.
%&-line parsing enabled.
@@ -1221,8 +1221,13 @@ Package pdftex.def Info: google-authenticator.jpg used on input line 314.
\openout6 = `relatorio.listing'.
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [8 </home/raw/uni/fsi/
trabalho/relatorio/google-authenticator.jpg>]
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing)
Overfull \hbox (2.06862pt too wide) in paragraph at lines 352--356
\T1/Raleway-OsF/m/n/10.95 Para ve-ri-fi-car que o OCSP fun-ci-ona cor-rec-ta-me
nte, o cli-ente co-nec-tou ao ser-vi-dor OpenVPN:
[]
[8 </home/raw/uni/fsi/trabalho/relatorio/google-authenticator.jpg>]
\openout6 = `relatorio.listing'.
@@ -1256,7 +1261,7 @@ xmf-dist/fonts/type1/impallari/raleway/Raleway-Regular.pfb></usr/share/texmf-di
st/fonts/type1/public/cm-super/sftt0900.pfb></usr/share/texmf-dist/fonts/type1/
public/cm-super/sftt1095.pfb>
Output written on /home/raw/uni/fsi/trabalho/relatorio/relatorio.pdf (10 pages,
168978 bytes).
169461 bytes).
PDF statistics:
387 PDF objects out of 1000 (max. 8388607)
336 compressed objects within 4 object streams

BIN
relatorio/relatorio.pdf
View File

Binary file not shown.

11
relatorio/relatorio.tex
View File

@@ -375,6 +375,17 @@ sudo systemctl start openvpn-client@config %para depois verificar se connecta
% TODO: screenshots? dizer que erros exatos nos obtemos a cada etapa
% TODO: erros ortograficos lol
Para verificar que o OCSP funciona correctamente, o cliente conectou ao servidor OpenVPN:
primeiro, sem o servidor OCSP a correr, uma segunda vez com ele a correr e com o certificado correcto
e uma terceira vez com um certificado revogado. Fizemos estes testes sabendo que o
cliente e o servidor já estavam correctamente configurados.
Verificamos que, como é suposto: sem OCSP não é possivel autenticar; com OCSP e com certificado válido,
podemos autenticar; e com OCSP mas com certificado revogado, a autenticação falha.
\section{Servidor Apache e OCSP}
\subsection{Configuração da Máquina}

2
relatorio/relatorio.toc
View File

@@ -17,6 +17,6 @@
\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{9}{subsection.5.2}%
\contentsline {subsubsection}{\numberline {5.2.1}Testes}{9}{subsubsection.5.2.1}%
\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{9}{subsection.5.3}%
\contentsline {subsubsection}{\numberline {5.3.1}Testes}{9}{subsubsection.5.3.1}%
\contentsline {subsubsection}{\numberline {5.3.1}Testes}{10}{subsubsection.5.3.1}%
\contentsline {section}{\numberline {6}Teste Integrado}{10}{section.6}%
\contentsline {section}{\numberline {7}Conclusão}{10}{section.7}%