vasco/FSI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: vasco:2e16b804abcb2de8791163b5d82d4e8760695cab
Branches Tags
vasco:main vasco:secret_branch
..
compare: vasco:secret_branch
Branches Tags
vasco:main vasco:secret_branch

1 Commits
2e16b804ab ... secret_bra

Author SHA1 Message Date
vascoalvesxyz
a91dd239ef secret branch 2026-03-21 19:57:55 +00:00
90 changed files with 160 additions and 6695 deletions
Expand all files Collapse all files

10
assignment1/DMZ.sh → DMZ.sh
View File

@@ -7,10 +7,10 @@ routerIp=23.214.219.254
mask25=255.255.255.128 mask25=255.255.255.128
dns=23.214.219.130 dns=23.214.219.130
mail=23.214.219.134 mail=23.214.219.131
vpn_gw=23.214.219.133 vpn_gw=23.214.219.132
www=23.214.219.132 www=23.214.219.133
smtp=23.214.219.131 smtp=23.214.219.134
dnsPort=53 dnsPort=53
mailPort=888 mailPort=888
@@ -26,7 +26,7 @@ sudo systemctl enable iptables
sudo iptables -F sudo iptables -F
sudo ifconfig enp0s8 $ip netmask $mask25 sudo ifconfig enp0s8 $ip netmask $mask25
sudo ip route add 192.168.10.0/24 via $routerIp sudo ip route add 192.168.10.0/24 via $routerIp
sudo route add default gw $routerIp sudo add default gw $routerIp
# alias dos ips # alias dos ips
sudo ip addr add $dns dev enp0s8 sudo ip addr add $dns dev enp0s8
sudo ip addr add $mail dev enp0s8 sudo ip addr add $mail dev enp0s8

0
assignment1/INTERNAL.sh → INTERNAL.sh
View File

4
assignment1/INTERNET.sh → INTERNET.sh
View File

@@ -9,7 +9,7 @@ sudo systemctl disable firewalld
sudo systemctl mask firewalld sudo systemctl mask firewalld
sudo systemctl enable iptables sudo systemctl enable iptables
sudo iptables -F sudo iptables -F
sudo ifconfig enp0s8 $dns2 netmask $mask24 sudo ifconfig enp0s8 $dn2 netmask $mask24
sudo route add default gw $routerIp sudo route add default gw $routerIp
#sudo ip addr add $dns2 dev enp0s8 sudo ip addr add $dns2 dev enp0s8
sudo ip addr add $eden dev enp0s8 sudo ip addr add $eden dev enp0s8

0
assignment1/Practical Assignment 1.pdf → Practical Assignment 1.pdf
View File

6
README.md
View File

@@ -1,6 +0,0 @@
# Coisas para leres que sao fixes wowowowowowow !!!!! (Assignment 2)
- Os slides (duh)
- Okay o mais importante é os slides.
- [X.509 (ssl.com)](https://www.ssl.com/faqs/what-is-an-x-509-certificate/)
- [X.509 (youtube)](https://www.youtube.com/watch?v=kAaIYRJoJkc)

69
ROUTER.sh Normal file
View File

@@ -0,0 +1,69 @@
IF_DMZ="enp0s8"
IF_INT="enp0s9"
IF_EXT="enp0s10"
NET_DMZ="23.214.219.128/25"
NET_INT="192.168.10.0/24"
IP_EXT_FW="87.248.214.97"
IP_DMZ_FW="23.214.219.254"
IP_INT_FW="192.168.10.254"
IP_DMZ_DNS="23.214.219.130"
IP_DMZ_SMTP="23.214.219.131"
IP_DMZ_WWW="23.214.219.132"
IP_DMZ_VPN_GW="23.214.219.133"
IP_DMZ_MAIL="23.214.219.134"
IP_INT_FTP="192.168.10.2"
IP_INT_DATASTORE="192.168.10.3"
IP_DNS2="193.137.16.75"
IP_EDEN="193.136.212.1"
sudo yum install epel-release -y
sudo yum install suricata -y
sudo suricata-update
sudo ifconfig $IF_DMZ $IP_DMZ_FW netmask 255.255.255.128
sudo ifconfig $IF_INT $IP_INT_FW netmask 255.255.255.0
sudo ifconfig $IF_EXT $IP_EXT_FW netmask 255.255.255.0
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
sudo modprobe nf_conntrack_ftp
sudo modprobe nf_nat_ftp
sudo iptables -A FORWARD -j NFQUEUE --queue-num 0
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -i $IF_INT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -i $IF_DMZ -s $IP_DMZ_VPN_GW -p tcp --dport 22 -j ACCEPT
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -p udp -d $IP_DMZ_DNS --dport 53 -j ACCEPT
sudo iptables -A FORWARD -s $IP_DMZ_DNS -d $IP_DNS2 -p tcp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -s $IP_DNS2 -d $IP_DMZ_DNS -p tcp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d $IP_DMZ_SMTP --dport 25 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d $IP_DMZ_MAIL --dport 110 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d $IP_DMZ_MAIL --dport 143 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d $IP_DMZ_WWW -m multiport --dports 80,443 -j ACCEPT
sudo iptables -A FORWARD -p udp -d $IP_DMZ_VPN_GW --dport 1194 -j ACCEPT
sudo iptables -A FORWARD -i $IF_DMZ -s $IP_DMZ_VPN_GW -d $NET_INT -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s $NET_INT -o $IF_EXT -j SNAT --to-source $IP_EXT_FW
sudo iptables -A FORWARD -i $IF_INT -o $IF_EXT -p udp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -i $IF_INT -o $IF_EXT -p tcp -m multiport --dports 80,443,22,21 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i $IF_EXT -d $IP_EXT_FW -p tcp --dport 21 -j DNAT --to-destination $IP_INT_FTP
sudo iptables -A FORWARD -i $IF_EXT -d $IP_INT_FTP -p tcp --dport 21 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i $IF_EXT -s $IP_EDEN -d $IP_EXT_FW -p tcp --dport 22 -j DNAT --to-destination $IP_INT_DATASTORE
sudo iptables -t nat -A PREROUTING -i $IF_EXT -s $IP_DNS2 -d $IP_EXT_FW -p tcp --dport 22 -j DNAT --to-destination $IP_INT_DATASTORE
sudo iptables -A FORWARD -i $IF_EXT -d $IP_INT_DATASTORE -p tcp --dport 22 -j ACCEPT

7
TODO.md
View File

@@ -1,7 +0,0 @@
# Objectivos de acordo com o enunciado
## Goals
- [X] Configure a tunnel in the "road warrior"
- [ ] Enable two factor authentication with OpenSSL and Apache services
- [ ] Manage PKI: certification authorities, X.509 certificates, revocation and OCSP.

36
VM_CONFIG.sh
View File

@@ -1,36 +0,0 @@
#!/bin/bash
# NOTA(vasco): feito para correr como root
if [[ "$USER" != "root" ]]; then
echo "corre o script como root"
exit 1
fi
yum install -y epel-release
yum install -y openvpn iptables-services dhcp-client
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
systemctl enable iptables
iptables -F
CA_DIR="/etc/pki/CA"
mkdir -p "${CA_DIR}/newcerts"
mkdir -p "${CA_DIR}/private"
touch "${CA_DIR}/index.txt"
cp ca/serial "${CA_DIR}/serial"
mkdir -p /etc/openvpn/server
mkdir -p /etc/openvpn/client
# NOTE(vasco): tive problemas com a sincronização de tempo
# se nao tiver sincronizado, o TOTP nao funciona
systemctl stop chronyd
ntpdate pool.ntp.org
systemctl start chronyd
# NOTE(vasco): o openvpn não consegui aceder ao home e ler os secrets
# do google authenticator, por isso fiz isto:
mkdir -p /etc/systemd/system/openvpn-server@.service.d
echo -e "[Service]\nProtectHome=false" > /etc/systemd/system/openvpn-server@.service.d/override.conf
systemctl daemon-reload

53
VM_OPENSSL_APACHE.sh
View File

@@ -1,53 +0,0 @@
#!/bin/bash
# configuracao
source VM_CONFIG.sh
sudo yum install -y epel-release
sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator
if_dentro="enp0s8"
ip_dentro="10.60.0.1"
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
# route de volta para comunicar com o warrior
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.60.0.3
cp conf/openssl.cnf /etc/pki/tls/
# copiar ca para esta VM
cp ca/index.txt $CA_DIR
cp ca/ca.crt $CA_DIR
cp ca/ca.key $CA_DIR
cp ca/serial $CA_DIR
cp ca/dh2048.pem $CA_DIR
# correr oscp
killall openssl 2>/dev/null
openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
# apache
mkdir -p /etc/httpd/ssl
cp ca/ca.crt /etc/httpd/ssl/
cp ca/apache.crt /etc/httpd/ssl/
cp ca/apache.key /etc/httpd/ssl/
cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
cp conf/httpd-totp /etc/pam.d/httpd-totp
# NOTA(vasco) é preciso desativar home protection outra vez
mkdir -p /etc/systemd/system/httpd.service.d
echo -e "[Service]\nProtectHome=false" > /etc/systemd/system/httpd.service.d/override.conf
systemctl daemon-reload
# serviço !!!
systemctl enable --now httpd
# acho ?????
sudo chgrp apache /etc/shadow
sudo chmod o+x /home/john
sudo chown apache /home/john/.google_authenticator
sudo chmod 400 /home/john/.google_authenticator
sudo chmod o+x /home/user
sudo chown apache /home/user/.google_authenticator
sudo chmod 400 /home/user/.google_authenticator

19
VM_ROAD_WARRIOR.sh
View File

@@ -1,19 +0,0 @@
#!/bin/bash
# --- configuração --- #
source VM_CONFIG.sh
ifconfig enp0s8 193.136.212.10 netmask 255.255.255.0
route add default gw 193.136.212.1
if ! grep -q "apache" /etc/hosts; then
echo "10.60.0.1 apache" >> /etc/hosts
fi
# --- vpn client --- #
vpn_dir="/etc/openvpn/client/"
cp ca/ta.key $vpn_dir
cp ca/ca.crt $vpn_dir
cp ca/user.key $vpn_dir
cp ca/user.crt $vpn_dir
cp conf/client.conf $vpn_dir
openvpn --config "${vpn_dir}/client.conf"

44
VM_VPN_GATEWAY.sh
View File

@@ -1,44 +0,0 @@
#!/bin/bash
# NOTE(vasco):
# Ao configurar a maquina virtual em si deixei a rede externa primeiro (enp0s8)
# E a rede interna como a segunda interface (enp0s9).
# --- configuração --- #
source VM_CONFIG.sh
yum install -y google-authenticator qrencode ntpsec
# --- forwarding --- #
if_fora="enp0s8"
ip_fora="193.136.212.1"
if_dentro="enp0s9"
ip_dentro="10.60.0.3"
mega_tunel="tun0"
ip_mega_tunel="10.8.0.0/24"
ifconfig $if_fora $ip_fora netmask 255.255.255.0
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT # :O
iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT # :P
iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT # ;)
iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT # faltava isto ?
iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT # faltava isto ?
iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE # :D
iptables-save > /etc/sysconfig/iptables # :3
# --- vpn server --- #
vpn_dir="/etc/openvpn/server"
cp ca/ta.key $vpn_dir
cp ca/ca.crt $vpn_dir
cp ca/vpn.key $vpn_dir
cp ca/vpn.crt $vpn_dir
cp ca/dh2048.pem $vpn_dir
cp conf/vpn.conf $vpn_dir
cp conf/ocsp-verify.sh $vpn_dir
cp conf/totp /etc/pam.d/
systemctl enable --now openvpn-server@vpn.service

106
assignment1/ROUTER.sh
View File

@@ -1,106 +0,0 @@
#!/bin/bash
dns2="87.248.214.99"
eden="87.248.214.100"
# Router 1
dmzIP="23.214.219.254"
internalIP="192.168.10.254"
externalIP="87.248.214.97"
# DMZ /25
dns="23.214.219.130"
smtp="23.214.219.131"
www="23.214.219.132"
vpn_gw="23.214.219.133"
mail="23.214.219.134"
# Internal
ftp="192.168.10.2"
datastore="192.168.10.3"
dhcpClient="192.168.10.4"
# Interfaces
dmzIF="enp0s8"
internalIF="enp0s9"
externalIF="enp0s10"
sudo ifconfig $dmzIF $dmzIP netmask 255.255.255.128
sudo ifconfig $internalIF $internalIP netmask 255.255.255.0
sudo ifconfig $externalIF $externalIP netmask 255.255.255.0
sudo yum install iptables-services -y
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl mask firewalld
sudo systemctl enable iptables
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
#sudo iptables -t nat -A POSTROUTING -i $internalIF -o enp0s3 -j MASQUERADE #SUS
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #CAREFULL
#DNS name resolution requests sent to outside servers and want a response:
sudo iptables -A INPUT -i $externalIF -p udp --dport 53 -j ACCEPT
#SSH connections to the router system that originate from the inside and want an answer:
sudo iptables -A INPUT -i $internalIF -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -i $dmzIF -s $vpn_gw -p tcp --dport 22 -j ACCEPT
#The dns server should be able to resolve names using the internet (and others???)
sudo iptables -I FORWARD -j NFQUEUE --queue-bypass
sudo iptables -I INPUT -j NFQUEUE --queue-bypass
sudo iptables -A FORWARD -i $dmzIF -o $externalIF -s $dns -p udp --dport 53 -j ACCEPT
#The internal network should be able to send and recieve dns name resolutions to the dns server (1!)
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $dns -p udp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #THIS IS IMPORTANT AND MIGHT FUCK US
#The dns and dns2 servers should be able to synchronize the contents of DNS zones. (protocol tcp port 53)
sudo iptables -A FORWARD -i $dmzIF -o $externalIF -s $dns -p tcp --dport 53 -j ACCEPT
#SMTP connections to the smtp server and returns
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $smtp -p tcp --dport 587 -j ACCEPT
#sudo iptables -A FORWARD -i $dmzIF -o $internalIF -p tcp --dport 587 -m state --state ESTABLISHED,RELATED -j ACCEPT
#POP and IMAP connections to the www server
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $mail -p tcp --dport 143 -j ACCEPT
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $mail -p tcp --dport 110 -j ACCEPT
#HTTP and HTTPS connectins
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $www -p tcp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $www -p tcp --dport 443 -j ACCEPT
#OpenVPN connections to the vpn-gw server
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $vpn_gw -p udp --dport 1194 -j ACCEPT
#sudo iptables -A FORWARD -i $dmzIF -o $internalIF -p udp --dport 1194 -j ACCEPT
#VPN clients connected to the gateway vpn-gw ???? vpn should be able to acess ftp e datastore
sudo iptables -A FORWARD -i $dmzIF -o $internalIF -s $vpn_gw -d $ftp -j ACCEPT
sudo iptables -A FORWARD -i $dmzIF -o $internalIF -s $vpn_gw -d $datastore -j ACCEPT
#FTP da internet WORRIED ???
sudo iptables -A FORWARD -i $externalIF -o $internalIF -d $ftp -p tcp --dport 21 -j ACCEPT
sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --sport 20 -j ACCEPT #MIGHT BE NEEDED
#SSH CONNECTIONS datastore server but only from eden or dn2 DNAT -s servers, and port and -d interface
sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination $datastore
sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination $datastore
sudo iptables -t nat -A PREROUTING -i $externalIF -p tcp --dport 21 -j DNAT --to-destination $ftp
sudo iptables -A FORWARD -i $externalIF -o $internalIF -d $datastore -s $dns2 -p tcp --dport 22 -j ACCEPT #Need to check and make diferent ip addresses
sudo iptables -A FORWARD -i $externalIF -o $internalIF -d $datastore -s $eden -p tcp --dport 22 -j ACCEPT
#$internalIF to internet DNS, http, https, ssh, FTP(SERVERS??????(WHO INVITED THIS GUY)) SNAT
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o $externalIF -j SNAT --to-source $externalIP
sudo iptables -A FORWARD -i $internalIF -o $externalIF -p udp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --dport 443 -j ACCEPT
sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --sport 21 -j ACCEPT #MIGHT NOT BE ENOUGH
sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --dport 21 -j ACCEPT

BIN
assignment1/entrega.zip
View File

Binary file not shown.

2281
assignment1/entrega.zip.asc
View File

File diff suppressed because it is too large Load Diff

BIN
assignment1/relatorio.pdf
View File

Binary file not shown.

126
assignment1/relatorio.tex
View File

@@ -1,126 +0,0 @@
\documentclass[12pt,a4paper]{article}
\usepackage[portuguese]{babel}
\usepackage[lining]{ebgaramond}
\usepackage{listings}
\lstdefinestyle{mystyle}{
basicstyle=\ttfamily\footnotesize,
breakatwhitespace=false,
breaklines=true,
captionpos=b,
keepspaces=true,
numbers=left,
numbersep=5pt,
showspaces=false,
showstringspaces=false,
showtabs=false,
tabsize=2
}
\lstset{style=mystyle}
\title{Practical Assignment \#1}
\author{
João Neto -- 2023234004\\[1em]
Vasco Alves -- 2022228207
}
\begin{document}
\maketitle
\tableofcontents
\newpage
\section{Introduction}
O objetivo principal deste trabalho era aprender IPTables e como configurar um com o Suricata um sistema de filtração e deteção de ataques. Para esse fim, foi simulado um sistema dividido em três redes e um router para conectar-las. As três redes são a DMZ (23.214.219.128/25, enp0s8), Internal network (192.168.10.0/24, enp0s9) e Internet (87.248.214.0/24, enp0s10).
\begin{lstlisting}[language=bash]
Rede,Interface,Gama IP
DMZ,enp0s8,23.214.219.128/25
Internal,enp0s9,192.168.10.0/24
Internet,enp0s10,87.248.214.0/24
\end{lstlisting}
As três redes tem varios serviços, o DMZ tem dns(23.214.219.130), mail(23.214.219.134), vpn-gw(23.214.219.133), www(23.214.219.132) e smpt(23.214.219.131). A Internal network tem ftp(192.168.10.2), datastore(192.168.10.3) e clientes (nos testes os clientes tem ip 192.168.10.4, mas está configurado para dar para qualquer edereço). Por fim a rede Internet tem dns2 (87.248.214.99) e eden (87.248.214.100), existe também outros serviços (87.248.214.98).
Para facilitar a recriação deste sistema foi criado 4 ficheiros .sh (um para cada rede e o router), e disponibilizamos os ficheiros suricata.rules e suricata.yaml, para o suricata que estiver ligado ao Router. Os ficheiros .sh vão ter comandos para configurar o sistema para este exercicio.
\section{Firewall}
\subsection{Packet fileter without NAT}
O policy que foi escolhido foi:
\begin{lstlisting}[language=bash]
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
\end{lstlisting}
Foi escolhido porque é mais facil dar DROP a todos os pacotes que não foi criado regras do que criar uma regra de DROP para todos os protocolos e possibilidades, o OUTPUT ficou para ACCEPT porque não existe razão para dar DROP dos pacotes que estamos a enviar neste trabalho.
Para o router conseguir resolver DNS requests e para aceitar coneções SSH da rede interna ou da VPN gateway foi utilizado estes comandos:
\begin{lstlisting}[language=bash]
sudo iptables -A INPUT -i enp0s10 -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -i enp0s9 -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --dport 22 -j ACCEPT
\end{lstlisting}
Para conseguirmos a confirguração pedida entre redes foi utilizado estes commandos:
\begin{lstlisting}[language=bash]
sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p tcp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 143 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 110 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -j ACCEPT
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT
\end{lstlisting}
Inicialmente as implementações de respostas a forward eram especificas para cada regra isto é por exemplo:
\begin{lstlisting}[language=bash]
sudo iptables -A FORWARD -o enp0s8 -i enp0s10 -p udp --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
\end{lstlisting}
No entanto isso facilmente originava confusão entre nós, então decimos utilizar estas duas regras:
\begin{lstlisting}[language=bash]
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
\end{lstlisting}
Neste cenario o uso destas regras faz sentido, mas pode existir outros cenarios no futuro que não queremos uma resposta, e nesse caso temos de criar as regras necessarias.
\subsection{Packet filtering with NAT}
Para conecções com origem/destino na internet foi utilizado DNAT/SNAT e iptables para "esconder" o ip para a internet que querer aceder a rede interna para não terem acesso ao edereço ip e iproutes para bloquear certos pacotes de entrar, para conseguir a configuração utilizamos estes comandos:
\begin{lstlisting}[language=bash]
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --dport 21 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT
sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --dport 22 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o enp0s10 -j SNAT --to-source 87.248.214.97
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p udp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 443 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 21 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 21 -j ACCEPT
\end{lstlisting}
\section{Intrusion Detection}
As regras que utilizamos para o suricata foram estas:
\begin{lstlisting}[language=bash]
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET"; flags:S; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
drop tcp any any -> any 80 (msg:"XSS"; content:"<script"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)
\end{lstlisting}
A primeira é para port scaning, a segunda e a terceira é para o caso de SQL injection, e a ultima é para XSS atacks.
Também atualizamos o iptables para passar para o suricata os pacotes para analizar e bloquear com:
\begin{lstlisting}[language=bash]
sudo iptables -I FORWARD -j NFQUEUE --queue-bypass
sudo iptables -I INPUT -j NFQUEUE --queue-bypass
\end{lstlisting}
\section{Tests utilizados}
Netcat foi utilizado para maior parte dos testes excepto para FTP, em que devido ás suas caracteristicas especificas, utilizamos os serviços para ter a certeza que funcionava com a nossa configuração. Utilizamos estes comandos curl para testar se eram bloqueados:
\begin{lstlisting}[language=bash]
curl -i "http://23.214.219.132/index.php?id=1%20union%20select%201,2,3"
curl -i "http://23.214.219.132/login.php?user='or%201=1"
curl -i "http://23.214.219.132/search.php?q=<script>alert('XSS')</script>"
\end{lstlisting}
\section{Conclusion}
Ao realizar-mos este projeto aprendemos sobre a criação de scenarios em VMs, a configuração de uma firewall utilizando IPTables e a configuração de um IDS/IPS system utilizando Suricata
\end{document}

8
assignment1/relatorio.toc
View File

@@ -1,8 +0,0 @@
\babel@toc {portuguese}{}\relax
\contentsline {section}{\numberline {1}Introduction}{2}{}%
\contentsline {section}{\numberline {2}Firewall}{2}{}%
\contentsline {subsection}{\numberline {2.1}Packet fileter without NAT}{2}{}%
\contentsline {subsection}{\numberline {2.2}Packet filtering with NAT}{3}{}%
\contentsline {section}{\numberline {3}Intrusion Detection}{4}{}%
\contentsline {section}{\numberline {4}Tests utilizados}{5}{}%
\contentsline {section}{\numberline {5}Conclusion}{5}{}%

5
assignment1/suricata.rules
View File

@@ -1,5 +0,0 @@
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET"; flags:S; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
drop tcp any any -> any 80 (msg:"XSS"; content:"<script"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)

2242
assignment1/suricata.yaml
View File

File diff suppressed because it is too large Load Diff

74
ca/1000.pem
View File

@@ -1,74 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 10:50:26 2026 GMT
Not After : Apr 22 10:50:26 2027 GMT
Subject: CN=gateway
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bc:46:6b:0e:12:3f:c2:64:0d:dd:36:e7:86:a2:
f6:98:04:86:21:73:85:3b:cc:ce:7d:c5:74:f9:8d:
97:f8:c9:01:1c:e9:88:db:10:fc:40:a8:2a:44:76:
de:07:bd:39:58:c3:ba:b3:9a:d2:01:91:12:c8:7f:
0e:7a:51:56:f6:a4:ad:4e:63:92:8e:05:b9:9d:5a:
76:37:60:58:60:0a:10:f2:6e:15:6b:76:a1:34:91:
c5:cf:c7:86:00:cd:3f:53:c2:e9:45:8c:86:49:c2:
a1:36:f9:ca:3b:a5:30:76:92:ff:a6:e5:fa:40:67:
d9:91:ea:24:90:a5:a4:e0:15:2a:da:ce:1b:4e:f9:
86:7e:9f:33:de:e9:24:dc:b9:60:fa:c9:f0:e0:79:
83:a3:d3:b3:c9:61:37:9d:26:ab:e9:bd:21:68:74:
51:02:e0:a2:36:24:9e:c6:5d:22:f3:f6:76:8d:17:
ab:e3:46:a2:dc:a3:e4:f8:bc:a2:4b:59:8b:76:f4:
91:7e:2f:48:79:b6:72:1b:d5:45:e2:9f:d3:8d:b2:
f6:45:53:07:95:4d:8e:76:73:b8:54:10:17:63:c4:
07:bf:bf:a6:72:4f:ea:be:b7:1d:38:37:3a:95:26:
8f:36:81:a0:53:07:d3:49:32:7a:de:3c:7f:61:b6:
7c:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
96:52:2F:9E:1C:51:4D:A7:91:73:93:1B:E6:69:6C:06:99:28:2D:0B
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9a:fd:c0:13:d2:8a:7d:8d:d6:79:d0:35:1f:a6:75:ea:ff:1b:
73:1a:4b:30:d9:c8:3b:9d:96:e5:a8:28:eb:74:26:0d:13:fa:
e1:89:ad:eb:38:d4:57:d1:72:af:c5:93:ab:ce:07:35:3a:b5:
34:9f:72:af:71:b7:79:23:c8:88:99:af:a9:bf:72:8f:01:f2:
cf:f8:a1:57:8e:2a:05:e7:05:c2:0e:ac:92:df:db:f4:fd:64:
16:01:28:5a:7b:8b:c1:e3:8b:49:48:58:b4:36:28:ed:a3:99:
60:9c:a7:a6:3b:eb:07:3d:42:36:29:f2:d2:ff:07:86:34:3c:
0a:b0:70:cb:23:d2:f3:f1:f7:88:74:a5:a6:c3:ee:4e:5f:d7:
6d:ba:a6:83:09:76:f5:e4:1a:3b:d5:58:e9:be:a8:80:cf:68:
13:82:95:b3:da:75:43:4b:e7:f3:fb:6b:0d:b3:d5:07:5e:1b:
7a:69:f4:77:1b:59:eb:c5:a1:84:fb:cc:3e:5c:26:f5:b3:b3:
4d:36:8d:40:d2:53:f9:1e:bd:cf:b9:4b:c3:a8:40:29:97:58:
48:c2:94:94:28:9d:3f:e7:e3:d2:a3:db:32:8d:fb:a9:bb:c3:
32:a5:b3:c0:8b:c5:e3:56:45:55:2d:fb:62:5a:c0:36:f1:df:
b6:00:f9:b9
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
NTAyNlowEjEQMA4GA1UEAwwHZ2F0ZXdheTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBALxGaw4SP8JkDd0254ai9pgEhiFzhTvMzn3FdPmNl/jJARzpiNsQ
/ECoKkR23ge9OVjDurOa0gGREsh/DnpRVvakrU5jko4FuZ1adjdgWGAKEPJuFWt2
oTSRxc/HhgDNP1PC6UWMhknCoTb5yjulMHaS/6bl+kBn2ZHqJJClpOAVKtrOG075
hn6fM97pJNy5YPrJ8OB5g6PTs8lhN50mq+m9IWh0UQLgojYknsZdIvP2do0Xq+NG
otyj5Pi8oktZi3b0kX4vSHm2chvVReKf042y9kVTB5VNjnZzuFQQF2PEB7+/pnJP
6r63HTg3OpUmjzaBoFMH00kyet48f2G2fCECAwEAAaNCMEAwHQYDVR0OBBYEFJZS
L54cUU2nkXOTG+ZpbAaZKC0LMB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQCa/cAT0op9jdZ50DUfpnXq/xtzGksw2cg7
nZblqCjrdCYNE/rhia3rONRX0XKvxZOrzgc1OrU0n3Kvcbd5I8iIma+pv3KPAfLP
+KFXjioF5wXCDqyS39v0/WQWAShae4vB44tJSFi0Nijto5lgnKemO+sHPUI2KfLS
/weGNDwKsHDLI9Lz8feIdKWmw+5OX9dtuqaDCXb15Bo71VjpvqiAz2gTgpWz2nVD
S+fz+2sNs9UHXht6afR3G1nrxaGE+8w+XCb1s7NNNo1A0lP5Hr3PuUvDqEApl1hI
wpSUKJ0/5+PSo9syjfupu8MypbPAi8XjVkVVLftiWsA28d+2APm5
-----END CERTIFICATE-----

74
ca/1001.pem
View File

@@ -1,74 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 10:50:26 2026 GMT
Not After : Apr 22 10:50:26 2027 GMT
Subject: CN=warrior
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d8:5e:36:38:85:bb:f8:15:29:90:2a:03:47:26:
36:ad:47:b8:80:c2:1c:b2:35:53:34:a3:c8:79:73:
1a:7b:c5:06:f9:0e:fb:61:e9:16:81:81:4d:55:ac:
25:7d:96:f4:a4:1a:46:d0:0a:af:48:65:b7:1e:9b:
02:4a:4a:af:53:64:20:4f:af:d8:ab:f7:99:c2:b7:
80:b2:80:24:00:7c:a7:43:f7:35:69:47:fc:bc:ce:
fa:1a:8e:81:c3:2b:55:ea:57:c8:ec:76:3b:1b:58:
e9:65:c1:66:97:c5:39:62:1f:c7:f2:64:b3:6a:31:
41:a9:66:00:f5:48:3c:31:9b:70:a7:ca:f0:b8:28:
d3:cf:fb:86:25:f0:93:17:ad:3f:c8:60:dd:a7:a1:
be:b4:e8:fc:79:47:53:68:ed:eb:21:b5:f7:aa:f5:
bf:22:45:d9:10:5a:db:be:41:c3:09:47:72:f4:6b:
d6:21:65:77:43:79:89:0d:cd:72:58:14:e2:25:55:
0b:17:e8:97:d4:d0:0e:9c:7d:9c:38:6e:52:50:cb:
25:a5:00:fc:cb:69:bb:09:f0:3a:f1:8a:83:e7:7c:
95:07:46:58:11:41:25:8d:5c:91:02:ec:d2:83:4c:
98:d0:aa:ad:b0:fa:67:6c:22:79:87:de:5a:f5:01:
8f:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
30:84:32:04:21:19:F0:A6:B7:C1:32:4C:1B:9F:7E:EF:EC:3C:D3:79
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
60:76:03:78:46:0e:db:33:a4:1a:13:67:11:66:b6:7e:bf:ba:
23:4e:01:9e:6b:28:dc:46:9c:5e:e8:a9:2a:72:d2:ae:c0:c7:
b7:68:6f:92:55:43:b7:cd:8f:6b:78:ad:86:d1:8a:bb:ba:7a:
a7:3b:fa:53:8f:1d:ec:75:0b:36:05:6b:14:91:c4:79:51:b2:
d0:2f:b9:17:0c:f1:6b:88:4d:24:6b:ae:15:36:2b:ac:4b:94:
67:04:f8:93:49:cc:c1:d7:ec:ae:a2:dc:32:c8:d1:f4:ee:4b:
0c:11:ad:4c:84:5d:96:97:31:d6:9f:c5:a7:79:b2:f1:b8:42:
5b:79:b8:12:d2:a3:56:a0:ae:3b:ba:7f:56:25:d4:ad:a7:fa:
39:52:e0:57:af:4f:d2:c6:3c:24:5d:d6:07:84:b0:a5:5f:d2:
3c:8b:36:2a:1f:24:55:cd:89:22:94:b7:f2:93:69:01:89:6e:
a4:67:2d:8b:d9:cd:af:29:70:09:83:69:e5:46:35:51:59:90:
71:c0:0a:8a:00:5c:55:c6:12:34:1a:b7:3d:a9:67:9c:0b:2f:
71:32:cb:87:92:b0:18:ff:fe:ec:f0:3e:cc:e3:1c:65:c8:24:
a9:bd:c9:8f:96:f7:19:af:95:a6:e0:e5:21:65:50:ad:69:da:
d3:09:27:84
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
NTAyNlowEjEQMA4GA1UEAwwHd2FycmlvcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANheNjiFu/gVKZAqA0cmNq1HuIDCHLI1UzSjyHlzGnvFBvkO+2Hp
FoGBTVWsJX2W9KQaRtAKr0hltx6bAkpKr1NkIE+v2Kv3mcK3gLKAJAB8p0P3NWlH
/LzO+hqOgcMrVepXyOx2OxtY6WXBZpfFOWIfx/Jks2oxQalmAPVIPDGbcKfK8Lgo
08/7hiXwkxetP8hg3aehvrTo/HlHU2jt6yG196r1vyJF2RBa275BwwlHcvRr1iFl
d0N5iQ3NclgU4iVVCxfol9TQDpx9nDhuUlDLJaUA/MtpuwnwOvGKg+d8lQdGWBFB
JY1ckQLs0oNMmNCqrbD6Z2wieYfeWvUBj1kCAwEAAaNCMEAwHQYDVR0OBBYEFDCE
MgQhGfCmt8EyTBuffu/sPNN5MB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQBgdgN4Rg7bM6QaE2cRZrZ+v7ojTgGeayjc
Rpxe6KkqctKuwMe3aG+SVUO3zY9reK2G0Yq7unqnO/pTjx3sdQs2BWsUkcR5UbLQ
L7kXDPFriE0ka64VNiusS5RnBPiTSczB1+yuotwyyNH07ksMEa1MhF2WlzHWn8Wn
ebLxuEJbebgS0qNWoK47un9WJdStp/o5UuBXr0/SxjwkXdYHhLClX9I8izYqHyRV
zYkilLfyk2kBiW6kZy2L2c2vKXAJg2nlRjVRWZBxwAqKAFxVxhI0Grc9qWecCy9x
MsuHkrAY//7s8D7M4xxlyCSpvcmPlvcZr5Wm4OUhZVCtadrTCSeE
-----END CERTIFICATE-----

74
ca/1002.pem
View File

@@ -1,74 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4098 (0x1002)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 12:33:59 2026 GMT
Not After : Apr 22 12:33:59 2027 GMT
Subject: CN=apache
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
13:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
a4:24:8d:a2:b8:b4:da:5c:a6:e0:75:2a:e0:71:aa:03:35:e8:
b4:64:49:90:b9:f3:09:a6:c6:99:0c:64:04:5e:65:e6:09:72:
13:11:e8:4c:29:a4:99:c5:dd:67:ff:49:fb:5f:8a:b3:cf:3a:
e5:b7:1c:a0:8a:59:ca:10:a9:dd:26:c3:3d:25:c7:82:b8:0d:
db:91:fe:45:d1:3b:ac:80:1d:11:49:85:13:9b:c2:86:fd:17:
81:5d:e3:a4:d1:64:2d:27:0c:c9:77:08:2a:89:ed:7e:2e:ac:
d2:86:f5:d5:fd:de:a6:c4:5d:18:33:ec:78:a1:ca:cf:64:68:
cb:1a:25:1e:a3:cf:e5:28:0b:a2:f8:45:bd:b6:99:54:17:62:
09:f0:ab:ba:d2:38:dc:bc:7b:1d:b8:f2:51:e5:d3:0c:1d:8d:
a3:3e:57:c2:0d:ef:93:5d:39:9c:ee:50:f1:e3:f8:fb:ff:94:
88:2c:37:f7:39:47:97:2c:fc:71:27:88:21:b3:da:68:ac:f4:
c6:a0:77:00:25:37:67:ea:ee:d1:a8:44:01:f6:40:79:68:4a:
94:24:d8:1a:d9:07:7d:73:0b:8c:b0:80:dd:b4:a9:49:3f:33:
73:7e:4d:5a:b6:f0:51:94:46:b2:81:a3:cb:81:a2:d9:7f:dd:
32:60:ba:8c
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEyMzM1OVoXDTI3MDQyMjEy
MzM1OVowETEPMA0GA1UEAwwGYXBhY2hlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0Ij7MhebnZUVQqWzIA4nGr2qEGpZnBhAy4GAcDMaIjQIb5QMlxxo
1GlZflBlwUYq/Z1OlhNHWNqHhg6sra1IrdGxbmEr3gTBX89g9aa9Pf2z66Dbj59n
W5F2qqWHmoNXGoQ9EcKzcYRRSNM4jg7yxZZVtW6GTPAinRkTriMh6tX+5B2c+0I6
hIFDAy7Fve0LfkhQg+ALFYe9ZZsN0H5VjQLpA6/+fRko70ZrLAIEMwUuc5QQrlQl
0oJVECJ0e0R8xtPlNV4Qr55nSQof/rsAYCao7ktmL330diQ+c4HkeVM8MOYlAID7
0gz659sBFVJOxOyflbQdoOd6oll3wCQTqQIDAQABo0IwQDAdBgNVHQ4EFgQUE59k
v8teL334CyaU2xed9FnOeSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9
W9UwDQYJKoZIhvcNAQELBQADggEBAKQkjaK4tNpcpuB1KuBxqgM16LRkSZC58wmm
xpkMZAReZeYJchMR6EwppJnF3Wf/SftfirPPOuW3HKCKWcoQqd0mwz0lx4K4DduR
/kXRO6yAHRFJhRObwob9F4Fd46TRZC0nDMl3CCqJ7X4urNKG9dX93qbEXRgz7Hih
ys9kaMsaJR6jz+UoC6L4Rb22mVQXYgnwq7rSONy8ex248lHl0wwdjaM+V8IN75Nd
OZzuUPHj+Pv/lIgsN/c5R5cs/HEniCGz2mis9MagdwAlN2fq7tGoRAH2QHloSpQk
2BrZB31zC4ywgN20qUk/M3N+TVq28FGURrKBo8uBotl/3TJguow=
-----END CERTIFICATE-----

77
ca/1003.pem
View File

@@ -1,77 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4099 (0x1003)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 14:14:59 2026 GMT
Not After : Apr 22 14:14:59 2027 GMT
Subject: CN=apache.coimbra
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
13:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:10.60.0.1, DNS:apache
X509v3 Subject Key Identifier:
13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9c:7e:99:3c:10:22:23:cd:d6:c7:96:be:82:5e:e5:7f:69:16:
5c:57:e1:68:e2:04:26:74:e9:72:ea:3b:03:5c:81:bd:21:15:
a3:e8:86:4d:93:6f:a4:d8:a1:47:de:e0:b5:a3:bb:aa:5b:24:
e9:9d:f7:9d:7d:e3:ba:38:39:af:c6:8b:36:5c:a8:3d:37:af:
79:be:8f:bf:ba:76:a5:d5:62:8e:37:c8:2e:6d:7e:24:fc:56:
d2:91:01:9e:05:4d:26:16:52:75:3d:28:7f:20:d0:88:25:96:
2a:d3:3a:8f:27:3d:99:46:4d:de:e2:a7:11:07:84:ff:ac:55:
54:4a:25:1b:b3:05:47:b5:d5:db:b9:69:e5:f6:d7:28:c9:54:
45:9c:a5:9a:86:74:37:33:7c:47:75:5a:dd:bf:50:23:be:95:
8e:cd:2c:ba:72:cc:41:95:1f:a0:67:78:61:de:38:89:18:c4:
0c:df:e0:be:f3:9d:3e:e7:72:9f:3c:a3:e0:06:9a:6c:28:d1:
e2:1d:d2:14:76:89:8a:d4:ca:e1:38:9c:b3:31:81:bb:ca:11:
ba:78:36:01:e5:db:bf:a0:82:36:d2:b4:65:01:60:bf:63:c2:
a8:86:54:cb:ac:59:52:31:bd:a2:cc:94:47:cc:0a:cc:d3:87:
db:7b:fa:1a
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjE0MTQ1OVoXDTI3MDQyMjE0
MTQ1OVowGTEXMBUGA1UEAwwOYXBhY2hlLmNvaW1icmEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDQiPsyF5udlRVCpbMgDicavaoQalmcGEDLgYBwMxoi
NAhvlAyXHGjUaVl+UGXBRir9nU6WE0dY2oeGDqytrUit0bFuYSveBMFfz2D1pr09
/bProNuPn2dbkXaqpYeag1cahD0RwrNxhFFI0ziODvLFllW1boZM8CKdGROuIyHq
1f7kHZz7QjqEgUMDLsW97Qt+SFCD4AsVh71lmw3QflWNAukDr/59GSjvRmssAgQz
BS5zlBCuVCXSglUQInR7RHzG0+U1XhCvnmdJCh/+uwBgJqjuS2YvffR2JD5zgeR5
Uzww5iUAgPvSDPrn2wEVUk7E7J+VtB2g53qiWXfAJBOpAgMBAAGjWzBZMBcGA1Ud
EQQQMA6HBAo8AAGCBmFwYWNoZTAdBgNVHQ4EFgQUE59kv8teL334CyaU2xed9FnO
eSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9W9UwDQYJKoZIhvcNAQEL
BQADggEBAJx+mTwQIiPN1seWvoJe5X9pFlxX4WjiBCZ06XLqOwNcgb0hFaPohk2T
b6TYoUfe4LWju6pbJOmd951947o4Oa/GizZcqD03r3m+j7+6dqXVYo43yC5tfiT8
VtKRAZ4FTSYWUnU9KH8g0IgllirTOo8nPZlGTd7ipxEHhP+sVVRKJRuzBUe11du5
aeX21yjJVEWcpZqGdDczfEd1Wt2/UCO+lY7NLLpyzEGVH6BneGHeOIkYxAzf4L7z
nT7ncp88o+AGmmwo0eId0hR2iYrUyuE4nLMxgbvKEbp4NgHl27+ggjbStGUBYL9j
wqiGVMusWVIxvaLMlEfMCszTh9t7+ho=
-----END CERTIFICATE-----

77
ca/apache.crt
View File

@@ -1,77 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4099 (0x1003)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 14:14:59 2026 GMT
Not After : Apr 22 14:14:59 2027 GMT
Subject: CN=apache.coimbra
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
13:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:10.60.0.1, DNS:apache
X509v3 Subject Key Identifier:
13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9c:7e:99:3c:10:22:23:cd:d6:c7:96:be:82:5e:e5:7f:69:16:
5c:57:e1:68:e2:04:26:74:e9:72:ea:3b:03:5c:81:bd:21:15:
a3:e8:86:4d:93:6f:a4:d8:a1:47:de:e0:b5:a3:bb:aa:5b:24:
e9:9d:f7:9d:7d:e3:ba:38:39:af:c6:8b:36:5c:a8:3d:37:af:
79:be:8f:bf:ba:76:a5:d5:62:8e:37:c8:2e:6d:7e:24:fc:56:
d2:91:01:9e:05:4d:26:16:52:75:3d:28:7f:20:d0:88:25:96:
2a:d3:3a:8f:27:3d:99:46:4d:de:e2:a7:11:07:84:ff:ac:55:
54:4a:25:1b:b3:05:47:b5:d5:db:b9:69:e5:f6:d7:28:c9:54:
45:9c:a5:9a:86:74:37:33:7c:47:75:5a:dd:bf:50:23:be:95:
8e:cd:2c:ba:72:cc:41:95:1f:a0:67:78:61:de:38:89:18:c4:
0c:df:e0:be:f3:9d:3e:e7:72:9f:3c:a3:e0:06:9a:6c:28:d1:
e2:1d:d2:14:76:89:8a:d4:ca:e1:38:9c:b3:31:81:bb:ca:11:
ba:78:36:01:e5:db:bf:a0:82:36:d2:b4:65:01:60:bf:63:c2:
a8:86:54:cb:ac:59:52:31:bd:a2:cc:94:47:cc:0a:cc:d3:87:
db:7b:fa:1a
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjE0MTQ1OVoXDTI3MDQyMjE0
MTQ1OVowGTEXMBUGA1UEAwwOYXBhY2hlLmNvaW1icmEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDQiPsyF5udlRVCpbMgDicavaoQalmcGEDLgYBwMxoi
NAhvlAyXHGjUaVl+UGXBRir9nU6WE0dY2oeGDqytrUit0bFuYSveBMFfz2D1pr09
/bProNuPn2dbkXaqpYeag1cahD0RwrNxhFFI0ziODvLFllW1boZM8CKdGROuIyHq
1f7kHZz7QjqEgUMDLsW97Qt+SFCD4AsVh71lmw3QflWNAukDr/59GSjvRmssAgQz
BS5zlBCuVCXSglUQInR7RHzG0+U1XhCvnmdJCh/+uwBgJqjuS2YvffR2JD5zgeR5
Uzww5iUAgPvSDPrn2wEVUk7E7J+VtB2g53qiWXfAJBOpAgMBAAGjWzBZMBcGA1Ud
EQQQMA6HBAo8AAGCBmFwYWNoZTAdBgNVHQ4EFgQUE59kv8teL334CyaU2xed9FnO
eSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9W9UwDQYJKoZIhvcNAQEL
BQADggEBAJx+mTwQIiPN1seWvoJe5X9pFlxX4WjiBCZ06XLqOwNcgb0hFaPohk2T
b6TYoUfe4LWju6pbJOmd951947o4Oa/GizZcqD03r3m+j7+6dqXVYo43yC5tfiT8
VtKRAZ4FTSYWUnU9KH8g0IgllirTOo8nPZlGTd7ipxEHhP+sVVRKJRuzBUe11du5
aeX21yjJVEWcpZqGdDczfEd1Wt2/UCO+lY7NLLpyzEGVH6BneGHeOIkYxAzf4L7z
nT7ncp88o+AGmmwo0eId0hR2iYrUyuE4nLMxgbvKEbp4NgHl27+ggjbStGUBYL9j
wqiGVMusWVIxvaLMlEfMCszTh9t7+ho=
-----END CERTIFICATE-----

74
ca/apache.crt.old
View File

@@ -1,74 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4098 (0x1002)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 12:33:59 2026 GMT
Not After : Apr 22 12:33:59 2027 GMT
Subject: CN=apache
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
13:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
a4:24:8d:a2:b8:b4:da:5c:a6:e0:75:2a:e0:71:aa:03:35:e8:
b4:64:49:90:b9:f3:09:a6:c6:99:0c:64:04:5e:65:e6:09:72:
13:11:e8:4c:29:a4:99:c5:dd:67:ff:49:fb:5f:8a:b3:cf:3a:
e5:b7:1c:a0:8a:59:ca:10:a9:dd:26:c3:3d:25:c7:82:b8:0d:
db:91:fe:45:d1:3b:ac:80:1d:11:49:85:13:9b:c2:86:fd:17:
81:5d:e3:a4:d1:64:2d:27:0c:c9:77:08:2a:89:ed:7e:2e:ac:
d2:86:f5:d5:fd:de:a6:c4:5d:18:33:ec:78:a1:ca:cf:64:68:
cb:1a:25:1e:a3:cf:e5:28:0b:a2:f8:45:bd:b6:99:54:17:62:
09:f0:ab:ba:d2:38:dc:bc:7b:1d:b8:f2:51:e5:d3:0c:1d:8d:
a3:3e:57:c2:0d:ef:93:5d:39:9c:ee:50:f1:e3:f8:fb:ff:94:
88:2c:37:f7:39:47:97:2c:fc:71:27:88:21:b3:da:68:ac:f4:
c6:a0:77:00:25:37:67:ea:ee:d1:a8:44:01:f6:40:79:68:4a:
94:24:d8:1a:d9:07:7d:73:0b:8c:b0:80:dd:b4:a9:49:3f:33:
73:7e:4d:5a:b6:f0:51:94:46:b2:81:a3:cb:81:a2:d9:7f:dd:
32:60:ba:8c
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEyMzM1OVoXDTI3MDQyMjEy
MzM1OVowETEPMA0GA1UEAwwGYXBhY2hlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0Ij7MhebnZUVQqWzIA4nGr2qEGpZnBhAy4GAcDMaIjQIb5QMlxxo
1GlZflBlwUYq/Z1OlhNHWNqHhg6sra1IrdGxbmEr3gTBX89g9aa9Pf2z66Dbj59n
W5F2qqWHmoNXGoQ9EcKzcYRRSNM4jg7yxZZVtW6GTPAinRkTriMh6tX+5B2c+0I6
hIFDAy7Fve0LfkhQg+ALFYe9ZZsN0H5VjQLpA6/+fRko70ZrLAIEMwUuc5QQrlQl
0oJVECJ0e0R8xtPlNV4Qr55nSQof/rsAYCao7ktmL330diQ+c4HkeVM8MOYlAID7
0gz659sBFVJOxOyflbQdoOd6oll3wCQTqQIDAQABo0IwQDAdBgNVHQ4EFgQUE59k
v8teL334CyaU2xed9FnOeSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9
W9UwDQYJKoZIhvcNAQELBQADggEBAKQkjaK4tNpcpuB1KuBxqgM16LRkSZC58wmm
xpkMZAReZeYJchMR6EwppJnF3Wf/SftfirPPOuW3HKCKWcoQqd0mwz0lx4K4DduR
/kXRO6yAHRFJhRObwob9F4Fd46TRZC0nDMl3CCqJ7X4urNKG9dX93qbEXRgz7Hih
ys9kaMsaJR6jz+UoC6L4Rb22mVQXYgnwq7rSONy8ex248lHl0wwdjaM+V8IN75Nd
OZzuUPHj+Pv/lIgsN/c5R5cs/HEniCGz2mis9MagdwAlN2fq7tGoRAH2QHloSpQk
2BrZB31zC4ywgN20qUk/M3N+TVq28FGURrKBo8uBotl/3TJguow=
-----END CERTIFICATE-----

17
ca/apache.csr
View File

@@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICxjCCAa4CAQAwVzELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAO
BgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRcwFQYDVQQDDA5hcGFjaGUuY29p
bWJyYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCI+zIXm52VFUKl
syAOJxq9qhBqWZwYQMuBgHAzGiI0CG+UDJccaNRpWX5QZcFGKv2dTpYTR1jah4YO
rK2tSK3RsW5hK94EwV/PYPWmvT39s+ug24+fZ1uRdqqlh5qDVxqEPRHCs3GEUUjT
OI4O8sWWVbVuhkzwIp0ZE64jIerV/uQdnPtCOoSBQwMuxb3tC35IUIPgCxWHvWWb
DdB+VY0C6QOv/n0ZKO9GaywCBDMFLnOUEK5UJdKCVRAidHtEfMbT5TVeEK+eZ0kK
H/67AGAmqO5LZi999HYkPnOB5HlTPDDmJQCA+9IM+ufbARVSTsTsn5W0HaDneqJZ
d8AkE6kCAwEAAaAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDocECjwAAYIG
YXBhY2hlMA0GCSqGSIb3DQEBCwUAA4IBAQBzs+QEnIvT5ArumDP7/7TeEcOeTmfh
GkLMHKn2+lRH055KE+sv2k2l+PW4zrPLdEWw82CW7zy4ilpXjzywGIXZY0dCAWWH
wc/mRqbE6b4gdatU+LEqkcUiiCKkAh+stG1QOYB4yhISR0N/KWC4GIBsNIen8jjO
+qQunBa/wb7XRvHWCl4ihLMSA4PjijkxPOAjnGe6swPCo8gl39477bdAYL2Qrrr2
FxkZRZMZG1cSX2lV8DhBV4/AZAzZMGFHc4GOzcyzPNJ3PWFotv+jNQ1DxbTFmOYI
m6A0coUdCw87lYuWlH8J3s0CUUb7Swd1dKrTjk7UDOTG1VK7q7xYaMkJ
-----END CERTIFICATE REQUEST-----

28
ca/apache.key
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDQiPsyF5udlRVC
pbMgDicavaoQalmcGEDLgYBwMxoiNAhvlAyXHGjUaVl+UGXBRir9nU6WE0dY2oeG
DqytrUit0bFuYSveBMFfz2D1pr09/bProNuPn2dbkXaqpYeag1cahD0RwrNxhFFI
0ziODvLFllW1boZM8CKdGROuIyHq1f7kHZz7QjqEgUMDLsW97Qt+SFCD4AsVh71l
mw3QflWNAukDr/59GSjvRmssAgQzBS5zlBCuVCXSglUQInR7RHzG0+U1XhCvnmdJ
Ch/+uwBgJqjuS2YvffR2JD5zgeR5Uzww5iUAgPvSDPrn2wEVUk7E7J+VtB2g53qi
WXfAJBOpAgMBAAECggEAC8SDGlVLNoYEbF2h4U/zJHbp+yGpO14CAAnnh81WbvIt
PLCn0jor7zqfrnlWeKTfRa8EEYN2ffzc83NuCqHx7T8dSluI6G8vw1qWP96AJNil
d8k8wprN8BSiE+ih4ZYCSxCFyrQIQMJk/N1QfnG5AO3mGcYqJXrSlTdmTSgV4KTH
HMhcbE3oBi5sixfYuhz7JmoN2MtvUH7T1XQ93IK/EDANCHeOYfVDlQMv+VKqUsEA
4tB1j2Mk+MENIbxg2vswsDzi4X3geU9kDkZ+V/ahzQSKnoUJtC81QftGst7gia7i
Kl51DWvw3SXclDn//5ZSaWd6T0a0Gc8f73yC0vzKIQKBgQD9TVBrSTZTvJcJhhMQ
Tk7Epe96nWPw3PwKPntAaCcWaNi+AXOWw5oKX1Okilrsbxz5P6yH/jTvFZF33zpT
nhS30ew41GTSL0j3gCWK25I0SJOeth2dycyjd/yljotOGOz667vTGHleso7NYthD
s+iU6ceb7EuU9T0JjhHDsrVK8QKBgQDSwZmOwMAq0evNFgKB0QiipABIWhm7As1n
O0M439zA2bVo8Z3UAQb7YOBG/EoH+I/1HakJBM0BVyGRzkg4Krq0Dd8iL4gESj8E
niCtIC874AjhemVjHDPNwI/m93Czg8tqfd3r82rOa5HJWW4WYGeHPTjvd0puS8/6
SWTyBgSkOQKBgANxmKVMwoNS7g7AFuRC3ElKJD5bg29T4c1V2iEfCWEBnei/Zk3n
bOG1OBLlmqTaQd+VoQfcSeXyOh8SFt3qKUfyf66qHJDK+cf7owcHQy6YygD/Ytmx
U6npSLMLhBNUvWwP5mbRT10dOlnKfTw2ZvQXVZJmHQTybJkDqHQrqtFRAoGAA1t6
Kr//T69QZk/3ckH2NUEPkBd/WW9N/lr/UySdy6SsMyPGM95gUhjU+cyDEWVwRaNX
UgF1kpPkwQHcPKjRmJSv/Udsj0TvhA9QzfE5T2bePVlJzC5i1OBAapl+fh2XW/bt
Vhjmlqs4A1EdY9XdUFY1Vfs8gE1M3tvUc9aMtGECgYA3ebYLBwDB48gbYfnv8o3P
rY2hBfBsvfSKeYT/NPxG/XR035h9BnBcNG2L7U7GKmbxdULYZ2nEOSjqTxTvlHUO
ncGr7M00D9hpzTX+Yfr3em+lGsZxVfU7sKq1fWF/BdF7gCf8cdHk66gR19kYhi38
cEB0Z02sLDDP2AYOawrliA==
-----END PRIVATE KEY-----

21
ca/ca.crt
View File

@@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDhzCCAm+gAwIBAgIUHeUZwwOlaXM3yPbokh5CjXEFw/YwDQYJKoZIhvcNAQEL
BQAwUzELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0Nv
aW1icmExCzAJBgNVBAoMAlVDMRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQy
MjEwNDgwMloXDTI3MDQyMjEwNDgwMlowUzELMAkGA1UEBhMCUFQxEDAOBgNVBAgM
B0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRMwEQYDVQQD
DApDb2ltYnJhVlBOMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs1ft
wTq/HG1SavpgkRSP/ZO3hvW8lCR8e8ica/w7ogJwMoTAHz0axMpY9MQ6SmXXvXEh
/DY0wwM60jJ8f332fk3otcWzHznEK+EC2xrZSvnikWYSWcaDe6PzPtu0w9//y/Cl
Jt8ocvC1qyN20skhCP8nuTCW7o0nO+glPEHAl1fSuHuA/0tXbpROsxpi3cqzWypB
ufnDyIg4vxKbhQdtJn0UMvA2g92gTpxl9Dvt4L68L2e/Oz5B2l+USEIHxfkS+N1v
p8O22H+KV4+4Le76RJ/DOzV+pAieY4/bWIFQ5CsB6SvcHwP0CxOa1KOeHZbdyyDe
TBCmDTR3K4ZBy/ii2wIDAQABo1MwUTAdBgNVHQ4EFgQUrM15zIAXqo0WzJex6TZe
ACq9W9UwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9W9UwDwYDVR0TAQH/
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAlkndsM3ikWZibO3l5UBBVSQjgjdf
8CdE3UyrzuTOTFGWW8ALD1PTMjZ/uFR6mX5pn3Afd6CcRvm/SP/ybh4q+7oBlJCT
hjJo/r8NAsaN1TubFSaLsQTzilZDCK6Go+WvcNgar0pwgMunqphBycuLOkT3cxli
ubGzplv33gA6EPwZ7LaSfMRf/mVeLutUyP0SKyos3/Je1lAz8Wel245JPJ2mI8fT
HopjnVWScOPedFKt/nh//RVTjZDvPGH5Lvglg9ko+Lc62JF/5XIqIS25TwcUskXK
KfotGiwJM1VHyi49PWEC1Asu7C9ljMbHy/UsISPGxUOq/oy3OQoj7DXEng==
-----END CERTIFICATE-----

28
ca/ca.key
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzV+3BOr8cbVJq
+mCRFI/9k7eG9byUJHx7yJxr/DuiAnAyhMAfPRrEylj0xDpKZde9cSH8NjTDAzrS
Mnx/ffZ+Tei1xbMfOcQr4QLbGtlK+eKRZhJZxoN7o/M+27TD3//L8KUm3yhy8LWr
I3bSySEI/ye5MJbujSc76CU8QcCXV9K4e4D/S1dulE6zGmLdyrNbKkG5+cPIiDi/
EpuFB20mfRQy8DaD3aBOnGX0O+3gvrwvZ787PkHaX5RIQgfF+RL43W+nw7bYf4pX
j7gt7vpEn8M7NX6kCJ5jj9tYgVDkKwHpK9wfA/QLE5rUo54dlt3LIN5MEKYNNHcr
hkHL+KLbAgMBAAECggEAPpkTUJ3LtQVnfhWUfS87LxxPM9k0EFVH6gDUsFBjFCJb
vRZe5Mh0PnoOYKjZW7x+eA4z+Y+GDQdkkZezouB5mA5jiobOBbkpAtPQJmARtjzQ
W0XQY+uJWy+XqLoRN0lJRIrjalT8Dlp8XpbLU7mGQVimKdqO5Ab6ycs2q/ibW3dj
am9L/AaV8YW99xWeRVi8OKn1Oyhpaplnb7IDdeDx8/nCSplVx1EggsV7XPStfL2R
us8/sE525OCo7mriXBLph62r7C1oFxxeASIjpPD5+gh09CCoMcodETlCBKPia7Q4
ha/nnsjXRPZIq4b2y4BYzlCVnCldwKzr+QW+s0EZKQKBgQDZRV2kR4k9ytF1kG85
DCW8ogk03BZ2x9Wk6sEU3lUtR3YfyHe3zFrZ2lDynknVAxXABPQ8XG8i24O0ZQ/h
oiRu9LtUIf+rYVrZke8DiPEuGUdTMLeLMBUhWtSpG5kNrpr/hdt/lXnnszTd5Xon
YGpa2qQAB2eki+uxnJMbAHopRQKBgQDTT9V2FEUa+GG5mbQXClbXqbd7+8LoKH7l
VYzQxaWSWgW1o9/0NOBY5Jw6PoWdhbf0IzA2bYeKIChp6IwhEh9+A+Vdp0Hupz/Z
tDlHThWXUBqYTPM1mXX1KyEoNjGQiMMpeuOc0sUJZvMfFWrzkn0kG8VsB9u8n1ND
CQ+O3MaNnwKBgEQJ5+ApEr5KBDvnphzcQ/kFWRK3lUVPIQVLCnnpggzy4vfjBDKH
iS/NoSnJDd/p3mbKZl18qMTmryDPwSBscTJZ60vWdcUKcLPPcmTN/pDsE5zmlaO9
w/A1DIGEhfJ16k34chtLCOjZAsY2NYGdPNEExPTJXNh3hLCTErIS/S5tAoGAITum
A6sObz5vCCSPOSxsGgDcFYizz5VG18SLn+3lq02zJiz+tMZ4HiLeGx7oHq0AEEpU
c8roDSYflQB4wV67SzNLqF38tY7iMNfyRi+Wn7R+akN34I8hCQzeaxeS1ftcTjLA
h1JyoJbrV5Ejv+ji+4HOm73kphacnqdXJg28wFsCgYEAs4VbAruXv3thxJ8a7Y4n
8FRwdDV2nJRGYRR6WdE8qCLFi5rhoI2/sqblp2i/j8e419YWzj+pRqDMCWlePg+i
7Ne5swH3UQXb+3sS/q0BUnYuJDnpmae/qJ4gDU1NvHZnrqz047hfvHw9gAcCh4a2
IZGzyqYAUSqhzm9epjEZ9+w=
-----END PRIVATE KEY-----

12
ca/cheese.cfg
View File

@@ -1,12 +0,0 @@
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 365
database = index.txt
serial = serial
copy_extensions = copy
new_certs_dir = .
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied

22
ca/create_all_keys.sh
View File

@@ -1,22 +0,0 @@
#!/bin/bash
cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN"
cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway"
cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
cert_apache="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=apache.coimbra"
[[ -e "serial" ]] || echo 1000 > serial
[[ -e "index.txt" ]] || touch index.txt
[[ -e "ca.key" ]] || openssl genrsa -out "ca.key" 2048
[[ -e "ca.crt" ]] || openssl req -x509 -nodes -days 365 -key "ca.key" -out "ca.crt" -subj "$cert_ca"
[[ -e "vpn.key" ]] || openssl genrsa -out "vpn.key" 2048
[[ -e "vpn.csr" ]] || openssl req -new -key "vpn.key" -out "vpn.csr" -subj "$cert_vpn"
[[ -e "vpn.crt" ]] || openssl ca -batch -in "vpn.csr" -cert "ca.crt" -keyfile "ca.key" -out "vpn.crt" -config cheese.cfg
[[ -e "dh2048.pem" ]] || openssl dhparam -out "dh2048.pem" 2048
[[ -e "ta.key" ]] || openvpn --genkey secret "ta.key"
[[ -e "user.key" ]] || openssl genrsa -out user.key
[[ -e "user.csr" ]] || openssl req -new -key user.key -out user.csr -subj "$cert_user"
[[ -e "user.crt" ]] || openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg
[[ -e "apache.key" ]] || openssl genrsa -out apache.key
[[ -e "apache.csr" ]] || openssl req -new -key apache.key -out apache.csr -subj "$cert_apache" -addext "subjectAltName = IP:10.60.0.1,DNS:apache"
[[ -e "apache.crt" ]] || openssl ca -batch -in "apache.csr" -cert "ca.crt" -keyfile "ca.key" -out "apache.crt" -config cheese.cfg

8
ca/dh2048.pem
View File

@@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBDAKCAQEAvqMnND0GPZb1287Irc8grekth4JCb5Mfz4iig9GR0AJNzIj+/hf6
Cnz3+5F6OD7XDyY7Prgq/dZ6KhZAnKOSQ4r6rDbgcVqPoU5g8ykKuhI3daAOr/Ut
EauKJN4kcTDARvdk9gebWNIDRrbuV0wv7QDsO3TIznn24MTnYUm3ReExv58fmqX6
Ttr74clxnUC660HX084sxhxAA9Mfewy+8KCxy1MF2MttZP6DY3IWEVokfK2W/ZlE
UsFIMNlblKK/JBn7Y/6/FZN/V8zwxFCQBhuvOvaNbtraejkeUnl7VdqQ6T4Rmvid
0jN5ddbuyyu+pm7WPU94ilLyPQECexnx7wIBAgICAOE=
-----END DH PARAMETERS-----

4
ca/index.txt
View File

@@ -1,4 +0,0 @@
V 270422105026Z 1000 unknown /CN=gateway
V 270422105026Z 1001 unknown /CN=warrior
V 270422123359Z 1002 unknown /CN=apache
V 270422141459Z 1003 unknown /CN=apache.coimbra

1
ca/index.txt.attr
View File

@@ -1 +0,0 @@
unique_subject = yes

1
ca/index.txt.attr.old
View File

@@ -1 +0,0 @@
unique_subject = yes

3
ca/index.txt.old
View File

@@ -1,3 +0,0 @@
V 270422105026Z 1000 unknown /CN=gateway
V 270422105026Z 1001 unknown /CN=warrior
V 270422123359Z 1002 unknown /CN=apache

2
ca/revoke_user.sh
View File

@@ -1,2 +0,0 @@
#!/bin/bash
openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt

1
ca/serial
View File

@@ -1 +0,0 @@
1004

1
ca/serial.old
View File

@@ -1 +0,0 @@
1003

21
ca/ta.key
View File

@@ -1,21 +0,0 @@
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
8ab6c529070f93ad262f6ba5ec506c5e
3e89f24851df40259a2e5fce5b98117c
4ccba0c1c5a045d802ee4638c1f047fb
f2537cb038f1faf976e1cf05ad2c5cc2
23be82d9bdd89180ff235bc995116c83
f08bc102313dd043fa3dcb924665fc36
408fd7bc620c6939e0a42f90e37a9ea7
078e323acbe6b844405b929fecbcc539
e5022c1e9a2b76503b63d35aeeb70cb4
cf260ac014c5914b30ee0020a737bcc5
d08a810e512769245993d9075572f1c0
4971992ba8782b2b7e6189b03c8e1448
842e42983c9af8c32d007237e9b597db
2c6cf399d16f153136307605297e3bbb
cb1b9b1cc9c4cb2f2684ad5d50dd0448
3480fb0a4cc3af1553e5b40645eae3f0
-----END OpenVPN Static key V1-----

74
ca/user.crt
View File

@@ -1,74 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 10:50:26 2026 GMT
Not After : Apr 22 10:50:26 2027 GMT
Subject: CN=warrior
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d8:5e:36:38:85:bb:f8:15:29:90:2a:03:47:26:
36:ad:47:b8:80:c2:1c:b2:35:53:34:a3:c8:79:73:
1a:7b:c5:06:f9:0e:fb:61:e9:16:81:81:4d:55:ac:
25:7d:96:f4:a4:1a:46:d0:0a:af:48:65:b7:1e:9b:
02:4a:4a:af:53:64:20:4f:af:d8:ab:f7:99:c2:b7:
80:b2:80:24:00:7c:a7:43:f7:35:69:47:fc:bc:ce:
fa:1a:8e:81:c3:2b:55:ea:57:c8:ec:76:3b:1b:58:
e9:65:c1:66:97:c5:39:62:1f:c7:f2:64:b3:6a:31:
41:a9:66:00:f5:48:3c:31:9b:70:a7:ca:f0:b8:28:
d3:cf:fb:86:25:f0:93:17:ad:3f:c8:60:dd:a7:a1:
be:b4:e8:fc:79:47:53:68:ed:eb:21:b5:f7:aa:f5:
bf:22:45:d9:10:5a:db:be:41:c3:09:47:72:f4:6b:
d6:21:65:77:43:79:89:0d:cd:72:58:14:e2:25:55:
0b:17:e8:97:d4:d0:0e:9c:7d:9c:38:6e:52:50:cb:
25:a5:00:fc:cb:69:bb:09:f0:3a:f1:8a:83:e7:7c:
95:07:46:58:11:41:25:8d:5c:91:02:ec:d2:83:4c:
98:d0:aa:ad:b0:fa:67:6c:22:79:87:de:5a:f5:01:
8f:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
30:84:32:04:21:19:F0:A6:B7:C1:32:4C:1B:9F:7E:EF:EC:3C:D3:79
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
60:76:03:78:46:0e:db:33:a4:1a:13:67:11:66:b6:7e:bf:ba:
23:4e:01:9e:6b:28:dc:46:9c:5e:e8:a9:2a:72:d2:ae:c0:c7:
b7:68:6f:92:55:43:b7:cd:8f:6b:78:ad:86:d1:8a:bb:ba:7a:
a7:3b:fa:53:8f:1d:ec:75:0b:36:05:6b:14:91:c4:79:51:b2:
d0:2f:b9:17:0c:f1:6b:88:4d:24:6b:ae:15:36:2b:ac:4b:94:
67:04:f8:93:49:cc:c1:d7:ec:ae:a2:dc:32:c8:d1:f4:ee:4b:
0c:11:ad:4c:84:5d:96:97:31:d6:9f:c5:a7:79:b2:f1:b8:42:
5b:79:b8:12:d2:a3:56:a0:ae:3b:ba:7f:56:25:d4:ad:a7:fa:
39:52:e0:57:af:4f:d2:c6:3c:24:5d:d6:07:84:b0:a5:5f:d2:
3c:8b:36:2a:1f:24:55:cd:89:22:94:b7:f2:93:69:01:89:6e:
a4:67:2d:8b:d9:cd:af:29:70:09:83:69:e5:46:35:51:59:90:
71:c0:0a:8a:00:5c:55:c6:12:34:1a:b7:3d:a9:67:9c:0b:2f:
71:32:cb:87:92:b0:18:ff:fe:ec:f0:3e:cc:e3:1c:65:c8:24:
a9:bd:c9:8f:96:f7:19:af:95:a6:e0:e5:21:65:50:ad:69:da:
d3:09:27:84
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
NTAyNlowEjEQMA4GA1UEAwwHd2FycmlvcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANheNjiFu/gVKZAqA0cmNq1HuIDCHLI1UzSjyHlzGnvFBvkO+2Hp
FoGBTVWsJX2W9KQaRtAKr0hltx6bAkpKr1NkIE+v2Kv3mcK3gLKAJAB8p0P3NWlH
/LzO+hqOgcMrVepXyOx2OxtY6WXBZpfFOWIfx/Jks2oxQalmAPVIPDGbcKfK8Lgo
08/7hiXwkxetP8hg3aehvrTo/HlHU2jt6yG196r1vyJF2RBa275BwwlHcvRr1iFl
d0N5iQ3NclgU4iVVCxfol9TQDpx9nDhuUlDLJaUA/MtpuwnwOvGKg+d8lQdGWBFB
JY1ckQLs0oNMmNCqrbD6Z2wieYfeWvUBj1kCAwEAAaNCMEAwHQYDVR0OBBYEFDCE
MgQhGfCmt8EyTBuffu/sPNN5MB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQBgdgN4Rg7bM6QaE2cRZrZ+v7ojTgGeayjc
Rpxe6KkqctKuwMe3aG+SVUO3zY9reK2G0Yq7unqnO/pTjx3sdQs2BWsUkcR5UbLQ
L7kXDPFriE0ka64VNiusS5RnBPiTSczB1+yuotwyyNH07ksMEa1MhF2WlzHWn8Wn
ebLxuEJbebgS0qNWoK47un9WJdStp/o5UuBXr0/SxjwkXdYHhLClX9I8izYqHyRV
zYkilLfyk2kBiW6kZy2L2c2vKXAJg2nlRjVRWZBxwAqKAFxVxhI0Grc9qWecCy9x
MsuHkrAY//7s8D7M4xxlyCSpvcmPlvcZr5Wm4OUhZVCtadrTCSeE
-----END CERTIFICATE-----

16
ca/user.csr
View File

@@ -1,16 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIClTCCAX0CAQAwUDELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAO
BgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRAwDgYDVQQDDAd3YXJyaW9yMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2F42OIW7+BUpkCoDRyY2rUe4
gMIcsjVTNKPIeXMae8UG+Q77YekWgYFNVawlfZb0pBpG0AqvSGW3HpsCSkqvU2Qg
T6/Yq/eZwreAsoAkAHynQ/c1aUf8vM76Go6BwytV6lfI7HY7G1jpZcFml8U5Yh/H
8mSzajFBqWYA9Ug8MZtwp8rwuCjTz/uGJfCTF60/yGDdp6G+tOj8eUdTaO3rIbX3
qvW/IkXZEFrbvkHDCUdy9GvWIWV3Q3mJDc1yWBTiJVULF+iX1NAOnH2cOG5SUMsl
pQD8y2m7CfA68YqD53yVB0ZYEUEljVyRAuzSg0yY0KqtsPpnbCJ5h95a9QGPWQID
AQABoAAwDQYJKoZIhvcNAQELBQADggEBAKBuw6o5zucZ3cULpuQBZiBtvodrV1ht
V7NCqQe5UoFP0wywUCQyB1A4rAT+Of3yJxKLYiBrq8u9/ra6zGfXTOxZSSpm+1cN
iZMVb3c57Hir3cS3sG/tLi147168GpBxiV87WLgBozw2ki0x9fApx5crLZY9/FlM
qCwTF8g/Pu6c/gXf+y/aGzcElx0tTpR5FvJopFJ/PNNJSmJZ22Mtbynvztnk8xB6
vzX3+0lp9eNv7X1IwcaDk45B1Fv+7OiyVZ57hOrsUsr4whmb7jctpEm5UzL4cHuE
nMjY5Eqe9Gsct5g7PO+LVH8CF1joBLShgqOIH+1k797iS5maYWHdYW0=
-----END CERTIFICATE REQUEST-----

28
ca/user.key
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDYXjY4hbv4FSmQ
KgNHJjatR7iAwhyyNVM0o8h5cxp7xQb5Dvth6RaBgU1VrCV9lvSkGkbQCq9IZbce
mwJKSq9TZCBPr9ir95nCt4CygCQAfKdD9zVpR/y8zvoajoHDK1XqV8jsdjsbWOll
wWaXxTliH8fyZLNqMUGpZgD1SDwxm3CnyvC4KNPP+4Yl8JMXrT/IYN2nob606Px5
R1No7eshtfeq9b8iRdkQWtu+QcMJR3L0a9YhZXdDeYkNzXJYFOIlVQsX6JfU0A6c
fZw4blJQyyWlAPzLabsJ8DrxioPnfJUHRlgRQSWNXJEC7NKDTJjQqq2w+mdsInmH
3lr1AY9ZAgMBAAECggEAaYNcDqlM9pifWbHbQl2kyVDR7Vx78P3nMyLx1yQmFJiL
I3bGaUNpWcNMCsz1xW6Ro9s6kCa9vuD3cYHnFoKgSFrqFOIsmAQZZCbnqGSr6d7g
FNlfnxVfb1XCCqRXLG2cKrkffwzTGy17OEedt8KSjsLv10l7YvxdSHY5XmQZEpkU
l9O6olSvhaPQxx3RynR0rTdyESZMLMj2SqHpSlHg6TVvTjRH5EspMTpJiU/cNiqv
b57OH02gh1huS0DKV3aPvR8+6jlP0Ec0djcwXatQxzesFjHutVR1f5RBh36O6zJ0
9Nx2wxppFPsFVB5olJWzIkMH2MalYyIK5+0Lpl3PDwKBgQD04wRGe+EZrCcfLJy+
wpsBqoUeclhDtfz1aMlmhCurWdIQKiEn1lYVMopxn+FvZy3pyE9ymn7aSsmb6PT4
f1j3rOjYcWKceyUCdEsYDRq8ciW7bhKVwXd+763CI485x63ZkKcKe2b7v1GIhkII
7Kp/Nwh5tXxCp6ta+0hJO9nEqwKBgQDiL+CDlgkEVM0MsjuSS2arHwfolXEaoApy
CwX6abCOkV3RiMmuMGKidQJ3v0K+vI3WlG/fW9s6ZRe9mSj/Qu3hq3el5ozzSpW9
FOI41cTOHdvKDpN21Cgk9gMBt0Slp2+qrv+OT4zCheQV29mGZ0dudr5/fMzrAxnk
nbhkXlpUCwKBgQC5mgHYhfVypraz+vUF46rl1V61V8ar8xe4zGWwzEXoxdffJn8g
mWN/B2JEgf+zlokG4inM22l/eyVYhHR+js5YUXXc7frmTLMdLBTqMqxr3TvZ1bBC
TnKKA5A3TwozqbKK7gacfDDuZu+dwNv1taH3bzd+P13hiwDloQQFdVY0pwKBgEC1
S7i5apj3nbXdI5fFxHh+JygN4M6qLHLV3n72T5Fp2vo/9NrFcuJhMTSK3hBtJvLV
gm/W+o/pLfKK56SnRCDEijVHENnlY5M1b0atOWFyP1e99cgQB/ATBWcvRA9UKGkf
KXNQJMfdwBPU0pVV5KSgif00+fbd60FxMbhdGeBjAoGBAO4GIfg1FgIixd3BjuW8
vCcYqqyRphtiHUeZMoVeIVO+CwD4tm7Rj7mRux/3lU8qRFdD/5O5oFE5MR6gvyno
aBt/fPzA40/zjsDMdILaL6IoJUw1B3OsRUoNTupHxqkBl3gJV1WUnWMQftzNAYuy
GJzEUr6jpE6MJyt3osZwfurm
-----END PRIVATE KEY-----

74
ca/vpn.crt
View File

@@ -1,74 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 10:50:26 2026 GMT
Not After : Apr 22 10:50:26 2027 GMT
Subject: CN=gateway
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bc:46:6b:0e:12:3f:c2:64:0d:dd:36:e7:86:a2:
f6:98:04:86:21:73:85:3b:cc:ce:7d:c5:74:f9:8d:
97:f8:c9:01:1c:e9:88:db:10:fc:40:a8:2a:44:76:
de:07:bd:39:58:c3:ba:b3:9a:d2:01:91:12:c8:7f:
0e:7a:51:56:f6:a4:ad:4e:63:92:8e:05:b9:9d:5a:
76:37:60:58:60:0a:10:f2:6e:15:6b:76:a1:34:91:
c5:cf:c7:86:00:cd:3f:53:c2:e9:45:8c:86:49:c2:
a1:36:f9:ca:3b:a5:30:76:92:ff:a6:e5:fa:40:67:
d9:91:ea:24:90:a5:a4:e0:15:2a:da:ce:1b:4e:f9:
86:7e:9f:33:de:e9:24:dc:b9:60:fa:c9:f0:e0:79:
83:a3:d3:b3:c9:61:37:9d:26:ab:e9:bd:21:68:74:
51:02:e0:a2:36:24:9e:c6:5d:22:f3:f6:76:8d:17:
ab:e3:46:a2:dc:a3:e4:f8:bc:a2:4b:59:8b:76:f4:
91:7e:2f:48:79:b6:72:1b:d5:45:e2:9f:d3:8d:b2:
f6:45:53:07:95:4d:8e:76:73:b8:54:10:17:63:c4:
07:bf:bf:a6:72:4f:ea:be:b7:1d:38:37:3a:95:26:
8f:36:81:a0:53:07:d3:49:32:7a:de:3c:7f:61:b6:
7c:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
96:52:2F:9E:1C:51:4D:A7:91:73:93:1B:E6:69:6C:06:99:28:2D:0B
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9a:fd:c0:13:d2:8a:7d:8d:d6:79:d0:35:1f:a6:75:ea:ff:1b:
73:1a:4b:30:d9:c8:3b:9d:96:e5:a8:28:eb:74:26:0d:13:fa:
e1:89:ad:eb:38:d4:57:d1:72:af:c5:93:ab:ce:07:35:3a:b5:
34:9f:72:af:71:b7:79:23:c8:88:99:af:a9:bf:72:8f:01:f2:
cf:f8:a1:57:8e:2a:05:e7:05:c2:0e:ac:92:df:db:f4:fd:64:
16:01:28:5a:7b:8b:c1:e3:8b:49:48:58:b4:36:28:ed:a3:99:
60:9c:a7:a6:3b:eb:07:3d:42:36:29:f2:d2:ff:07:86:34:3c:
0a:b0:70:cb:23:d2:f3:f1:f7:88:74:a5:a6:c3:ee:4e:5f:d7:
6d:ba:a6:83:09:76:f5:e4:1a:3b:d5:58:e9:be:a8:80:cf:68:
13:82:95:b3:da:75:43:4b:e7:f3:fb:6b:0d:b3:d5:07:5e:1b:
7a:69:f4:77:1b:59:eb:c5:a1:84:fb:cc:3e:5c:26:f5:b3:b3:
4d:36:8d:40:d2:53:f9:1e:bd:cf:b9:4b:c3:a8:40:29:97:58:
48:c2:94:94:28:9d:3f:e7:e3:d2:a3:db:32:8d:fb:a9:bb:c3:
32:a5:b3:c0:8b:c5:e3:56:45:55:2d:fb:62:5a:c0:36:f1:df:
b6:00:f9:b9
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
NTAyNlowEjEQMA4GA1UEAwwHZ2F0ZXdheTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBALxGaw4SP8JkDd0254ai9pgEhiFzhTvMzn3FdPmNl/jJARzpiNsQ
/ECoKkR23ge9OVjDurOa0gGREsh/DnpRVvakrU5jko4FuZ1adjdgWGAKEPJuFWt2
oTSRxc/HhgDNP1PC6UWMhknCoTb5yjulMHaS/6bl+kBn2ZHqJJClpOAVKtrOG075
hn6fM97pJNy5YPrJ8OB5g6PTs8lhN50mq+m9IWh0UQLgojYknsZdIvP2do0Xq+NG
otyj5Pi8oktZi3b0kX4vSHm2chvVReKf042y9kVTB5VNjnZzuFQQF2PEB7+/pnJP
6r63HTg3OpUmjzaBoFMH00kyet48f2G2fCECAwEAAaNCMEAwHQYDVR0OBBYEFJZS
L54cUU2nkXOTG+ZpbAaZKC0LMB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQCa/cAT0op9jdZ50DUfpnXq/xtzGksw2cg7
nZblqCjrdCYNE/rhia3rONRX0XKvxZOrzgc1OrU0n3Kvcbd5I8iIma+pv3KPAfLP
+KFXjioF5wXCDqyS39v0/WQWAShae4vB44tJSFi0Nijto5lgnKemO+sHPUI2KfLS
/weGNDwKsHDLI9Lz8feIdKWmw+5OX9dtuqaDCXb15Bo71VjpvqiAz2gTgpWz2nVD
S+fz+2sNs9UHXht6afR3G1nrxaGE+8w+XCb1s7NNNo1A0lP5Hr3PuUvDqEApl1hI
wpSUKJ0/5+PSo9syjfupu8MypbPAi8XjVkVVLftiWsA28d+2APm5
-----END CERTIFICATE-----

16
ca/vpn.csr
View File

@@ -1,16 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIClTCCAX0CAQAwUDELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAO
BgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRAwDgYDVQQDDAdnYXRld2F5MIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvEZrDhI/wmQN3TbnhqL2mASG
IXOFO8zOfcV0+Y2X+MkBHOmI2xD8QKgqRHbeB705WMO6s5rSAZESyH8OelFW9qSt
TmOSjgW5nVp2N2BYYAoQ8m4Va3ahNJHFz8eGAM0/U8LpRYyGScKhNvnKO6UwdpL/
puX6QGfZkeokkKWk4BUq2s4bTvmGfp8z3ukk3Llg+snw4HmDo9OzyWE3nSar6b0h
aHRRAuCiNiSexl0i8/Z2jRer40ai3KPk+LyiS1mLdvSRfi9IebZyG9VF4p/TjbL2
RVMHlU2OdnO4VBAXY8QHv7+mck/qvrcdODc6lSaPNoGgUwfTSTJ63jx/YbZ8IQID
AQABoAAwDQYJKoZIhvcNAQELBQADggEBAAqV168ZttquI1P85iodBEo4pkefV9g7
DNOtjf/BQ4SZUmtMBSH95aH1o+EjhYy+522IJ7yTOke5uTsr4R0uD/D7EX9hKnp5
Qx2t/QZc+q3VKzOMV687VfBfq2RErMGSvJmk7cH40HyDlh4Ts5NZO3CAwaiIovKc
ddcZfrO3naktT8jwayWA16pk+vxf0G3jwJqbeizyS0hl12+dwPr/+ESRHCQoSkUH
wG5mL4eRW5E0NyuH9iGvOHms6WDrPU0qp2Rztql+FYZB+qGPJ3pdsajCIjJG7n4E
n3D5ofg5q3dlLHAwueMcMLGL9hpjXRGLZturgB5JdUp9+1fMhgxYfFY=
-----END CERTIFICATE REQUEST-----

28
ca/vpn.key
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC8RmsOEj/CZA3d
NueGovaYBIYhc4U7zM59xXT5jZf4yQEc6YjbEPxAqCpEdt4HvTlYw7qzmtIBkRLI
fw56UVb2pK1OY5KOBbmdWnY3YFhgChDybhVrdqE0kcXPx4YAzT9TwulFjIZJwqE2
+co7pTB2kv+m5fpAZ9mR6iSQpaTgFSrazhtO+YZ+nzPe6STcuWD6yfDgeYOj07PJ
YTedJqvpvSFodFEC4KI2JJ7GXSLz9naNF6vjRqLco+T4vKJLWYt29JF+L0h5tnIb
1UXin9ONsvZFUweVTY52c7hUEBdjxAe/v6ZyT+q+tx04NzqVJo82gaBTB9NJMnre
PH9htnwhAgMBAAECggEABIq6WGuOSDU7tGN3sGLMChzJ05LC2w90x8n0qXSF/wVy
Vm031PkS7MhhxKcNcihZcs+9+Ek62bjTOC0Af2jo7ShJ2gNC7NQshyRAh9N2LlLv
17laIO6Kswb1O673h5tr9KxWDkx2jN76HqZl/4xbn/Cp5C/WGqmmsQNyAF9Om+08
M/5jB3aVT4PFBoyOXd3WDkuxG1wEfFZPrrbOu7T06duzMH8yYnxFX42UyDOVNT73
iqZsxLzlOjLiAaVEZE+2WpZICnwaa04OaOimGHgYEcr4DFQwgUvkVQBvg6sDHVk2
R9GpBsf7BJceimpOAzw3zQaJ/BftFgli6/gHCZpJAQKBgQDgxxbBIxyVHYeaddAJ
cDMHTCr2wsk63gUxdqilDC/HZWpCtB1AI02IyxjPVQ87FxtQrCrGXAeztrqYRbKB
7bPu4UbYP1XCm8o0jNIsFObrMKv1KFLTycZEmvhjivFrQMXLunyPmciV1HKoPg1w
fZqJjn6X6nJyYEZBYDX6XmaX8QKBgQDWbVNxMEw4cpEdpl9lMTpry87XS1SpOKSR
YLqa5yhXMC+5l54B3a/xxoo3wY8YJLixWy67PXakKZ4iWhmAxzQocAJ4ML0ztLep
Z6fGjmE4XyBKQRIz4NaHZ76bh3SwSc07XirTahib6CPjpVc4b5h7+4JNcnmpIiq7
yFs0RfjXMQKBgAOQRHUVaGuYx0CUo5Kyu6xe8cNtvSD4yh5JokzTj6Jaoj+ieWA9
7wm/JoqK763hJOa3hAoXBWw89mJZoIXczeB4o9Xj0yk9rQv+O4rFXg/WerNtSzre
VQ1bY5q4ZjFsGnarYzQnnP17G8I9EZt58kxB/RHNfrj/e72nl9N7UacRAoGBAKeS
/t/5X8fJeTFTwT+i7kYqG/bTL1GkK7BViN/gAP3KcbG4FMrehk8L2x7hzMOQhypL
2USJLzvyLlwoT7/9bfygNL3bUTGkbNgeYtbglIfqh6CgI+qZLu7ZG/QOMxpGQva/
i/Z29s545/tTTsuTIvbZwqZl7UBJrF3eobBDcsoxAoGAbtIHtMulH7WJYu57DdC2
AD/xc0YBESCDN8wV73XZrOTluuCXDGOiQow4jWZM9SgFosVY0DrAM4pu6JWso93x
xAPexrca18YxCs2UwT66AYzDXOcijl1F9fUitf3WC/sZWmO3sd1FVFuLRGlq8mXY
kGgsbmgiuKROuuMqB2fHgWo=
-----END PRIVATE KEY-----

65
chave-pgp-do-rogerio.txt
View File

@@ -1,65 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.1
mQGNBGmLZjwBDACvUK1m3UikneSbyYrP0vbHMz3Dt5u0+1+/UoFHKrcIF0TeLMmeOL6s3iRW
JoSuB0YEmiO01BMEtUHC3Bt6/fu1TjMTLGEwo4dltw/hakvjELfpKPecIo7NAX1XCmiw7f+M
2kTfRXGlu0F0kKc+AD+xPC0tunfpacPX/xGtquPz0xp2XbKktNkj8NoUBO7BRtwrfjBXL7ZV
irlVofs6j7w8Ka9SRtP8GLqsW+LFDQrbsDM2exvp7u61mKvTpuafOUqkqIIrXw4aDOIxjwON
gjunZ4k38kZADxR+uzzwNFnn15qtLNECUMpOJDPplBDg0uVRQjn1BJ44AkcdwLM3unMp9BvO
8DKg2Q6kmd5+qu3OH+BVaqDAD+5sED/LC+QGeTIEHGNbTP3hs6dGyeCcNQnORvn5JoMImUk0
mmV/KV+qpGhi9PSxN44Kau4fWsaWIO33w1vMSnPf/s77dBT0uLT45G/1/b1N3WbD6eKTt+iC
/+Ovp+MmWv6Fd2fPXEvwedUAEQEAAbQeUm9nZXJpbyBDIDxyb2djb3N0YUBkZWkudWMucHQ+
iHUEEBYKAB0WIQTzZrv2P/XfDSKZTqn605rfvJqhwQUCaZMIVAAKCRD605rfvJqhwW/8AQDq
k4kNVJOuOjHiq+F9K7X/QFJp3+z109x/ZpVGtP6aGgD6AlzWjGubsavImEMVN9QKr7tYEOWy
NHldePm87lnDuQSJAbMEEAEIAB0WIQSORfJtzGpnilRlTysk/REF2WdojAUCaZL1XwAKCRAk
/REF2WdojPPkC/40CesTUAcCnvKe/UHTbn483zcW8RSsXRzQZDE4iaOZQ2jCS9uzT+SaVNy5
J8n3PNfghq19yZeyfWZrBHQBCqFwEvYqXZ/z1Qmz8wFvtDX+B5o15kuGO28/epXR7iqx/v53
+le7VmuBR6ri2kq6uT1xzotd6NYcmZpRprnzaGvCUWtuPWhG7SHjZ1TZIJuJ5cmGG8bq/wu/
n+fcSwa3evCUR0ErkqpcC+Z9Ll8wGuSioov5A3B9UW+QWoC68VyC53RSyanNAYI3czJu5Ltq
qXNxOv1xC1gew8FvBuxCF/3z++h2W+E5HO02zRwtqglr5ZBr4UmI0E4s8xWq0DWBU+iLwwXq
GVNZFiJ+fNVHW6cu4deMOMVNrGJlVmlki+GkIFanlrVOwWq2+vsJFYYvHa5zBwjRRqhK5tRk
OOa0qD3KLsCzKpiCSNb+g7TEjHqmpB/h3/MFf5mVlIiOnGYTDWBlMwZLllpLMc/3/mFm5nfX
ofuPGl2BHUv0kdSKSa6QiEOJAbMEEAEIAB0WIQSTCl6/mmEFADoHYKEIKzRkXO0zjQUCaZMV
9QAKCRAIKzRkXO0zjZoDC/9fcB7uDf3QSrIGm+zO//sALNCe0FSOQ5Rn8ZzMOTn3HBI5i7ct
dZntTZuYFLa0HHWUxHBoCSwMnP5oNG91xpRTxsYpucFkKMljSiSKPgoOGxEaJDW2rK39CbzY
xDSa9bhnbXzLWn4laTI8n6iip95IWXuqfIqYc6jfVC3YOBg+8rJ8nAJr6CWIX/6k4bavKVQQ
4bWeuICqUlbNRhZF1BZtCPrFbrChcB+n7CqK0EGkOoySekMr/6VzwgNmuCa2m8Gi9YqzrLLd
AzPl0mfruNHhHLBrnM0rNMMOaR39/+0xSl6c3JcsQWmgBUM1lt0th1n/yKHJMM802IyQefhR
aJhg++xjP61vOLuJa7pb5UWiyupstKemX+8f6X970bvYPj0OaSwy4ewgxU2D5Paqd7qonnct
eYosMnB87ZfS67LcK6YRdqjJeThaQmFujta2hUM6ZczlqGaTsOmZ/GBxIvXGYBrcrnv4d6cj
nSGwXKKSHD2EWSNsxfIBILkQDEotD5uJAbMEEAEIAB0WIQS/yqosJXwrVXFgqQa1WXCyNLIK
ZQUCaZMSBAAKCRC1WXCyNLIKZeU7C/4t2QA7MGNJC+uDk4p/VMfqLFz4yoJOQmAyqI+jbJwn
T+cu2airiE74Nt77kEHjDzyD47LSGjsFe/ynK+Ey/9SeRrzA/NBngP919LW2nSwonfAIiDZ4
dHD/aeRVCdX6Ni6PY/dc5b5ztMEgu0XBlUtWMkrrPaTmiCQ1wX5IuxrSLwldbgA8ME2TZYh7
XQ1LUt1n15FipmdBaXxTK5FrqqWeLLxfPdntZVMQnh2nyaqAF6aEZBRj47UrcbJEIM399G8P
nVExdvOqcCi/CDY15BVBmx/EkWTnudta7fOQgiJiOJ3WLDXvMTEEG06I/dw+eZgGLwl7Ep/x
zrTP65tF032dxbNy1RONOijlj+l/NuOM7pFofx6yCzmRprbydyb9uM1ysRSV0GI1YW2krFzj
ZZosZvPB470svviF8adgIQBV5TZQCzWBY+Bc5gimpZwcWCI+ByQfRAimerOgPqz/r2jQglgP
u4PwnChSTrfNMKyAfpHIKgXAj2ar6X3IvHCkv/OJAdgEEwEIAEIWIQQ3eZDCVL86W7QFeUkd
N5xZDJkDjwUCaYtmPAIbAwUJA8JnAAULCQgHAgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQ
HTecWQyZA49onAv9GbcIpT9a52ZfSLfoXUWAVsYrCwfPb6OG+7NwJXwUPf69gK2ZSWZLrcPl
7gLYKkWsQ2LS9Pb+kirfENk9Xvw+DMBk0KKlvsC3dOFl4srkdvuAoWvR4x5lCKBBusjM2ByR
kRtN68a3xhLrNIHF7uxFefMIyetCJhGl1Z4rgRzslFjsjeZqv5hs7lYBtodrKXvWOfyEvZRw
Zpibyu3v+6YgpZKdq/YQd/DNMBgCWJZOUvKbj/XiCVQ+zKBDEZpjM56TqSyqaTs7OyTXlZGX
WRYXbtOeEf5NFlUT57FetrSszStJKow7AlLBfPlcwFgDEEKNiLf0asfdnfHepR3MT5ULNdut
hLniGbN8HItqY94dipc0D2l3q/REY7VrsZa3vBmWdMecCLMDLO37CzIqjUO+tIGWOFhXpH86
ARRb3C4mi39aTk8XlAQ6nUctrQSHd+oRFKRqXznAGIHHo83L7z5XvRwZ/ehZww+h0QL4JEgm
Jaja3SZFkqf1/yGwT1EyqfVzuQGNBGmLZjwBDAC7UT7SgI/lKTAP5fyrDXDaIsVKCPZ0K+ui
BqR+Po765zZyuZnCd8IMaeGJZipa4Jc2HRBfb2t/4drDWChhjiMtSk2jA+Ke+z/Gg8yCskg2
aSjhiKb4dZkCWwg0+Avca3ad8F3G+pbP/aubTH2FydrJP0dQW7sPChKPEhDH83g4ek7w3CXs
tSLQ8f3orxxqNvDr3BuVK4Lej1zgXMhSUWcTNqFje1jUwG+V03FoHfvM67HTGmnOngu9fCX0
QbIc0x++zJg3MvPZ+hsSnJ3EemVMc5SMH/GCwIUTufEdpkCLmjETvCFT9JaVwBtgFvsF6adq
7JMD7wcogGMVXDqrWMONZJPhiLPK9AI57zi7a31AFJEfyMMaBT3io5KdzfM0LCkpI/VT/tsO
tM/adnID1cFt47WjeQQ0Ed0kH4fk91/wZaMAlgYeN2TSaYjb0v4RkSIWlYz2KyZ2XPaUtYyS
Md6CmOHchTUTJ9x/qvXD53FYjnkX309c1a9Z++76R+QU6IkAEQEAAYkBvAQYAQgAJhYhBDd5
kMJUvzpbtAV5SR03nFkMmQOPBQJpi2Y8AhsMBQkDwmcAAAoJEB03nFkMmQOPy/EL/2NTDXEI
6ZshBZgK1UOxIWLaKuK4LwMimz3IpfWH6E1acSV4oEn5S+kGCzCeWwbOqhjFP5YYlcN3IMJX
KddpFVn+LiN178qJZM+WxbJdRlc3n9+F2693zGMxmNtgjJ9TDCjar8nyoxWcpKXOtjxf204T
HZAq/r2l/NHvrqZ4KJ5RU5I1Gb43UcarxZHBHy6N1Z323Zt5UMgA3WWMeXB+r374IBg4g5/l
WCfhytvZtwVIDDERFMqpyikhlrOzLJQgVoPHUt7PCslvAaVlz1Mkj7JkF+gwizJ+zsCIkJ2Z
YYk5nfVtDf2xEasrZgs3XF6yhXKHIS1DyIELaLzr6UkLz0H/pwgjHGG9G6pcuMeuS4vR7MEE
7OssNRo43LjtGT9WglRhMqjqiqAIZUM6NFZ2AQQci5tOj3nNQQHovVaPm0PcC1fv99eMsDBX
o7LiabG3y38e2q2TzbNl7v3zTXimQKtYzoff6kGr9JnKr1pD/63qZlrTrVEq/SyMrKmWN3Aq
Rw==
=as3M
-----END PGP PUBLIC KEY BLOCK-----

19
conf/client.conf
View File

@@ -1,19 +0,0 @@
client
dev tun
proto udp
remote 193.136.212.1 1194 # ip da vpn gateway
persist-tun
persist-key
# certificados
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/user.crt
key /etc/openvpn/client/user.key
# auth
cipher AES-256-GCM
auth SHA256
auth-user-pass
tls-auth /etc/openvpn/client/ta.key 1
reneg-sec 0

3
conf/httpd-totp
View File

@@ -1,3 +0,0 @@
auth required pam_google_authenticator.so forward_pass secret=/home/${USER}/.google_authenticator user=apache
auth required pam_unix.so use_first_pass
account required pam_unix.so

1
conf/httpd.conf
View File

@@ -1 +0,0 @@
# LoadModule authnz_pam_module modules/mod_authnz_pam.so

32
conf/ocsp-verify.sh
View File

@@ -1,32 +0,0 @@
#!/bin/bash
depth=$1
env >> /etc/openvpn/server/ocsp_env.log
if [ "$depth" -eq 0 ]; then
echo "Checking OCSP for serial=$tls_serial_0" >> /etc/openvpn/server/ocsp.log
if [ -n "$tls_serial_0" ]; then
# é preciso converter o serial para hexadecimal porque o openssl espera em hex
hex_serial=$(printf '%x' "$tls_serial_0")
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>>/etc/openvpn/server/ocsp.log)
echo "OCSP Status: $status" >> /etc/openvpn/server/ocsp.log
if echo "$status" | grep -q "revoked"; then
echo "Result: REVOKED" >> /etc/openvpn/server/ocsp.log
exit 1
fi
if echo "$status" | grep -q "good"; then
echo "Result: GOOD" >> /etc/openvpn/server/ocsp.log
exit 0
fi
echo "Result: UNKNOWN/ERROR" >> /etc/openvpn/server/ocsp.log
exit 1
else
echo "tls_serial_0 is empty!" >> /etc/openvpn/server/ocsp.log
exit 1
fi
fi
echo "ERROR: depth > 0" >> /etc/openvpn/server/ocsp.log
exit 0

0
conf/openssl.cnf
View File

29
conf/ssl.conf
View File

@@ -1,29 +0,0 @@
Listen 443 https
<VirtualHost *:443>
ServerName 10.60.0.1
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt
# Mutual Authentication (Client Cert)
SSLVerifyClient require
SSLVerifyDepth 1
# OCSP Validation against CA
SSLOCSPEnable on
SSLOCSPDefaultResponder "http://10.60.0.1:8888"
SSLOCSPOverrideResponder on
SSLOCSPUseRequestNonce off
# PAM + TOTP Authentication
<Location "/">
AuthType Basic
AuthName "Enter UNIX Password + Google Authenticator Code"
AuthBasicProvider PAM
AuthPAMService httpd-totp
Require valid-user
</Location>
</VirtualHost>

3
conf/totp
View File

@@ -1,3 +0,0 @@
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account required pam_unix.so

29
conf/vpn.conf
View File

@@ -1,29 +0,0 @@
local 193.136.212.1
port 1194
proto udp
dev tun
# Bro is too honorable
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn.crt
key /etc/openvpn/server/vpn.key
dh /etc/openvpn/server/dh2048.pem
server 10.8.0.0 255.255.255.0
verb 4
topology subnet
push "route 10.60.0.0 255.255.255.0"
# OCSP and Revocation
script-security 2
tls-verify /etc/openvpn/server/ocsp-verify.sh
# auth
cipher AES-256-GCM
auth SHA256
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
tls-auth /etc/openvpn/server/ta.key 0

BIN
enunciado.pdf
View File

Binary file not shown.

143
enunciado.txt
View File

@@ -1,143 +0,0 @@
FSI 2025/2026
Practical Assignment #2
1. Goals
Configure a VPN tunnel in the “road warrior” scenario.
Enable two-factor user authentication with OpenVPN and Apache services.
Manage PKI: certification authorities, X.509 certificates, revocation and OCSP.
2. General description
Figure 1 illustrates the scenario considered for our practical assignment. As illustrated, secure communications are
supported by a VPN tunnel established between a remote client (road warrior) and the VPN gateway, with the purpose of
enabling accesses to services in the Internal Network, particularly a web server running Apache. To enable the VPN tunnel,
we will use OpenVPN (https://openvpn.net).
Figure 1 Scenario for the Practical Assignment #1
Regarding authentication, the two communication entities participating in the VPN tunnel (road warrior and the VPN
gateway) should possess valid X.509 certificates, which are created with a private Certification Authority (CA). Users
establishing remote connections to the VPN gateway (road warriors), as well as users connecting to the Apache server, will
also use two-factor authentication, as described below. Apache must also implement client authentication via X.509
certificates. Figure 2 provides an illustration of the interactions between all the entities involved in this setup.
Figure 2 X.509 mutual authentication and OCSP
As we can observe in Figure 2, the VPN gateway and the Apache web server must verify the status of validity of certificates
using OCSP (Online Certificate Status Protocol) and revocation information from the CA. OCSP verification in not
required for the road warrior. Next, we describe the configuration requirements for the various components of the
assignment.
3. Configuration requirements
VPN tunnel for remote access (road warriors)
As illustrated in Figure 1, remote clients (road warriors) are able to connect to the Coimbra VPN gateway, and using the
tunnel remotely access hosts in the Internal network. The following configuration requirements should be considered:
In order to establish a VPN tunnel with the Coimbra gateway, the road warrior must be in the possession of a valid
X.509 certificate, issued by the private CA of the scenario.
The road warrior and the Coimbra VPN gateway must perform mutual authentication using X.509 digital certificates.
The Coimbra VPN gateway should verify the validity of the X.509 certificate presented by the road warrior using OCSP
and, in case the certificate is revoked, the gateway should refuse the connection.
In order to authorize the remote user, the Coimbra gateway should also enforce two other authentication steps: the user
must present a valid username and password, plus a one-time password (OTP, or an authentication token).
Web server
2
The road warrior user should be able to contact the Apache web server with HTTPS through the VPN tunnel. The
following configuration requirements should be considered:
Apache should enforce two-factor authentication in order to authorize accesses from clients: the client (browser) should
present a valid X.509 certificate (issued with the private CA of the scenario) and the user should also present a valid onetime password (or authentication token).
As in the VPN, the validity of the X.509 certificate presented by the client should be checked in the CA using OCSP.
Two-factor user authentication
As previously discussed, VPN establishment and HTTPS accesses to Apache make use of one-time passwords
(authentication tokens), which may be generated by an appropriate application. One-time passwords may be generated using
the TOTP (Time-based One-time Password Algorithm). This algorithm employs a secret key shared between the user
(client) and the remote service, plus a timestamp (obtained from the current system time), to obtain a one-time password.
In order to generate a one-time password, the user may use an application such as Google Authenticator, illustrated in
Figure 3. This application periodically generates a new one-time password that can be used to authenticate the user with the
remote service. This application is available for iOS and Android 1.
Certification authority
As already discussed, the goal is to use OpenSSL to configure a private Certification Authority, as well as to issue and revoke
X.509 digital certificates for the VPN gateways and remote users. The following configuration requirements should be
considered:
The Certification Authority is used to issue certificates for the VPN gateway, VPN client and Apache web server.
The Certification Authority allows the revocation of certificates previously issued.
The Certification Authority also supports a OCSP responder.
For Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en and
for Apple iOS: https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
1
3
Figure 3 Google Authenticator app, to generate a one-time password to access services enabled with two-factor authentication
4. Delivery of the Practical Assignment
With the assignment, please deliver also a report, containing the following information:
Descriptions of the configurations for the implementation of the previous requirements.
A description of how the private Certification Authority was created using OpenSSL.
A description of how X.509 certificates were issued and revoked using the private Certification Authority.
A description of the tests performed to validate the functionalities implemented.
Remaining information considered relevant.
For the delivery of the assignment, put your report, as well as the relevant configuration files, in a single archive. This archive
should be signed using your PGP key and encrypted using the PGP key of your PL teacher.
Note: Assignments without PGP will be accepted, although with a discount of 5% in the final grade.
Delivery deadline:
The deadline for the delivery of the assignment (configuration files and report) is May 3rd 2026.
Submission via Inforestudante.
4

13
assignment1/relatorio.aux → relatorio.aux
View File

@@ -5,9 +5,10 @@
\babel@aux{portuguese}{} \babel@aux{portuguese}{}
\@writefile{toc}{\contentsline {section}{\numberline {1}Introduction}{2}{}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {1}Introduction}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {2}Firewall}{2}{}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {2}Firewall}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Packet fileter without NAT}{2}{}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Packet fileter with NAT}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Packet filtering with NAT}{3}{}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Packet filtering without NAT}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {3}Intrusion Detection}{4}{}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {2.3}External Network}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {4}Tests utilizados}{5}{}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {2.4}Internal Network}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {5}Conclusion}{5}{}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {3}Intrusion Detection}{2}{}\protected@file@percent }
\gdef \@abspage@last{5} \@writefile{toc}{\contentsline {section}{\numberline {4}Conclusion}{2}{}\protected@file@percent }
\gdef \@abspage@last{2}

137
assignment1/relatorio.log → relatorio.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.141592653-2.6-1.40.27 (TeX Live 2026/dev/Arch Linux) (preloaded format=pdflatex 2026.1.17) 22 MAR 2026 22:27 This is pdfTeX, Version 3.141592653-2.6-1.40.27 (TeX Live 2026/dev/Arch Linux) (preloaded format=pdflatex 2026.1.17) 16 MAR 2026 16:24
entering extended mode entering extended mode
\write18 enabled. \write18 enabled.
%&-line parsing enabled. %&-line parsing enabled.
@@ -89,80 +89,52 @@ LaTeX Info: Redefining \textulc on input line 49.
LaTeX Info: Redefining \oldstylenums on input line 163. LaTeX Info: Redefining \oldstylenums on input line 163.
LaTeX Info: Redefining \textsw on input line 173. LaTeX Info: Redefining \textsw on input line 173.
) )
(/usr/share/texmf-dist/tex/latex/listings/listings.sty
\lst@mode=\count273
\lst@gtempboxa=\box52
\lst@token=\toks19
\lst@length=\count274
\lst@currlwidth=\dimen143
\lst@column=\count275
\lst@pos=\count276
\lst@lostspace=\dimen144
\lst@width=\dimen145
\lst@newlines=\count277
\lst@lineno=\count278
\lst@maxwidth=\dimen146
(/usr/share/texmf-dist/tex/latex/listings/lstpatch.sty
File: lstpatch.sty 2024/09/23 1.10c (Carsten Heinz)
)
(/usr/share/texmf-dist/tex/latex/listings/lstmisc.sty
File: lstmisc.sty 2024/09/23 1.10c (Carsten Heinz)
\c@lstnumber=\count279
\lst@skipnumbers=\count280
\lst@framebox=\box53
)
(/usr/share/texmf-dist/tex/latex/listings/listings.cfg
File: listings.cfg 2024/09/23 1.10c listings configuration
))
Package: listings 2024/09/23 1.10c (Carsten Heinz)
LaTeX Font Info: Trying to load font information for OT1+EBGaramond-LF on in LaTeX Font Info: Trying to load font information for OT1+EBGaramond-LF on in
put line 28. put line 11.
(/usr/share/texmf-dist/tex/latex/ebgaramond/OT1EBGaramond-LF.fd (/usr/share/texmf-dist/tex/latex/ebgaramond/OT1EBGaramond-LF.fd
File: OT1EBGaramond-LF.fd 2023/03/19 (autoinst) Font definitions for OT1/EBGara File: OT1EBGaramond-LF.fd 2023/03/19 (autoinst) Font definitions for OT1/EBGara
mond-LF. mond-LF.
) )
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 12.0pt on input line 28. (Font) scaled to size 12.0pt on input line 11.
(/usr/share/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def (/usr/share/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def
File: l3backend-pdftex.def 2024-05-08 L3 backend support: PDF output (pdfTeX) File: l3backend-pdftex.def 2024-05-08 L3 backend support: PDF output (pdfTeX)
\l__color_backend_stack_int=\count281 \l__color_backend_stack_int=\count273
\l__pdf_internal_box=\box54 \l__pdf_internal_box=\box52
) )
(/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux) (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux)
\openout1 = `relatorio.aux'. \openout1 = `relatorio.aux'.
LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 28. LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 11.
LaTeX Font Info: ... okay on input line 28. LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 28. LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 11.
LaTeX Font Info: ... okay on input line 28. LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 28. LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 28. LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 28. LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 28. LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for TS1/cmr/m/n on input line 28. LaTeX Font Info: Checking defaults for TS1/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 28. LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 28. LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 11.
LaTeX Font Info: ... okay on input line 28. LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 28. LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 28. LaTeX Font Info: ... okay on input line 11.
\c@mv@tabular=\count282 \c@mv@tabular=\count274
\c@mv@boldtabular=\count283 \c@mv@boldtabular=\count275
\c@lstlisting=\count284
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 20.74pt on input line 29. (Font) scaled to size 20.74pt on input line 12.
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 14.4pt on input line 29. (Font) scaled to size 14.4pt on input line 12.
LaTeX Font Info: External font `cmex10' loaded for size LaTeX Font Info: External font `cmex10' loaded for size
(Font) <14.4> on input line 29. (Font) <14.4> on input line 12.
LaTeX Font Info: External font `cmex10' loaded for size LaTeX Font Info: External font `cmex10' loaded for size
(Font) <7> on input line 29. (Font) <7> on input line 12.
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 17.28pt on input line 30. (Font) scaled to size 17.28pt on input line 13.
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/n' will be LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/n' will be
(Font) scaled to size 17.28pt on input line 30. (Font) scaled to size 17.28pt on input line 13.
(/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.toc (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.toc
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/n' will be LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/n' will be
@@ -183,62 +155,31 @@ LaTeX Font Info: External font `cmex10' loaded for size
{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texmf-dist/fonts {/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texmf-dist/fonts
/enc/dvips/ebgaramond/ebg_dacnth.enc}] /enc/dvips/ebgaramond/ebg_dacnth.enc}]
(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2024/09/23 1.10c listings language file
)
(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2024/09/23 1.10c listings language file
)
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 10.0pt on input line 37.
Overfull \hbox (7.49481pt too wide) in paragraph at lines 42--44
\OT1/EBGaramond-LF/m/n/12 As tr[]es re-des tem va-rios servi[]os, o DMZ tem dns
(23.214.219.130), mail(23.214.219.134),
[]
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/n' will be LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/n' will be
(Font) scaled to size 14.4pt on input line 45. (Font) scaled to size 14.4pt on input line 19.
[2] [2] (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux)
[3]
LaTeX Font Info: Font shape `OT1/cmtt/bx/n' in size <10> not available
(Font) Font shape `OT1/cmtt/m/n' tried instead on input line 93.
[4{/usr/share/texmf-dist/fonts/enc/dvips/cm-super/cm-super-ts1.enc}]
Overfull \hbox (23.24622pt too wide) in paragraph at lines 125--126
\OT1/EBGaramond-LF/m/n/12 Ao realizar-mos este pro-jeto apren-de-mos so-bre a c
ria[][]ao de sce-na-rios em VMs, a configura[][]ao
[]
[5] (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux)
*********** ***********
LaTeX2e <2024-11-01> patch level 2 LaTeX2e <2024-11-01> patch level 2
L3 programming layer <2025-01-18> L3 programming layer <2025-01-18>
*********** ***********
) )
Here is how much of TeX's memory you used: Here is how much of TeX's memory you used:
4439 strings out of 474546 2577 strings out of 474546
72779 string characters out of 5749982 48289 string characters out of 5749982
968296 words of memory out of 5000000 436453 words of memory out of 5000000
27469 multiletter control sequences out of 15000+600000 25628 multiletter control sequences out of 15000+600000
573916 words of font info for 59 fonts, out of 8000000 for 9000 572213 words of font info for 55 fonts, out of 8000000 for 9000
352 hyphenation exceptions out of 8191 352 hyphenation exceptions out of 8191
57i,7n,99p,546b,1693s stack positions out of 10000i,1000n,20000p,200000b,200000s 57i,7n,65p,220b,231s stack positions out of 10000i,1000n,20000p,200000b,200000s
</usr/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Bold.pfb></us </usr/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Bold.pfb></us
r/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Regular.pfb></usr/s r/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Regular.pfb>
hare/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt10.pfb></usr/share/texmf-dis
t/fonts/type1/public/cm-super/sftt1000.pfb>
Output written on /home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/rela Output written on /home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/rela
torio.pdf (5 pages, 78451 bytes). torio.pdf (2 pages, 42851 bytes).
PDF statistics: PDF statistics:
42 PDF objects out of 1000 (max. 8388607) 22 PDF objects out of 1000 (max. 8388607)
26 compressed objects within 1 object stream 13 compressed objects within 1 object stream
0 named destinations out of 1000 (max. 500000) 0 named destinations out of 1000 (max. 500000)
1 words of extra memory for PDF output out of 10000 (max. 10000000) 1 words of extra memory for PDF output out of 10000 (max. 10000000)

BIN
relatorio.pdf Normal file
View File

Binary file not shown.

BIN
relatorio.synctex.gz Normal file
View File

Binary file not shown.

29
relatorio.tex Normal file
View File

@@ -0,0 +1,29 @@
\documentclass[12pt,a4paper]{article}
\usepackage[portuguese]{babel}
\usepackage[lining]{ebgaramond}
\title{Practical Assignment \#1}
\author{
João Neto -- \\[1em]
Vasco Alves -- 2022228207
}
\begin{document}
\maketitle
\tableofcontents
\newpage
\section{Introduction}
\section{Firewall}
Sigmasigmaboy123
\subsection{Packet fileter with NAT}
\subsection{Packet filtering without NAT}
\subsection{External Network}
\subsection{Internal Network}
\section{Intrusion Detection}
\section{Conclusion}
\end{document}

9
relatorio.toc Normal file
View File

@@ -0,0 +1,9 @@
\babel@toc {portuguese}{}\relax
\contentsline {section}{\numberline {1}Introduction}{2}{}%
\contentsline {section}{\numberline {2}Firewall}{2}{}%
\contentsline {subsection}{\numberline {2.1}Packet fileter with NAT}{2}{}%
\contentsline {subsection}{\numberline {2.2}Packet filtering without NAT}{2}{}%
\contentsline {subsection}{\numberline {2.3}External Network}{2}{}%
\contentsline {subsection}{\numberline {2.4}Internal Network}{2}{}%
\contentsline {section}{\numberline {3}Intrusion Detection}{2}{}%
\contentsline {section}{\numberline {4}Conclusion}{2}{}%

14
relatorio/relatorio.aux
View File

@@ -1,14 +0,0 @@
\relax
\providecommand \babel@aux [2]{\global \let \babel@toc \@gobbletwo }
\@nameuse{bbl@beforestart}
\catcode `"\active
\babel@aux{portuguese}{}
\@writefile{toc}{\contentsline {section}{\numberline {1}Introdução}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {2}Criação de certificados}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {3}Configuração da \textit {Gateway} VPN}{3}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {4}Configurar TOTP}{3}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Aceder ao código}{3}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {5}Revocation e OCSP}{3}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {5.1}Testar OSCP via revoke}{3}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {6}Conclusion}{4}{}\protected@file@percent }
\gdef \@abspage@last{4}

272
relatorio/relatorio.log
View File

@@ -1,272 +0,0 @@
This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.4.13) 24 APR 2026 10:42
entering extended mode
\write18 enabled.
%&-line parsing enabled.
**/home/raw/uni/fsi/trabalho/relatorio/relatorio
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.tex
LaTeX2e <2025-11-01>
L3 programming layer <2026-01-19>
(/usr/share/texmf-dist/tex/latex/base/article.cls
Document Class: article 2025/01/22 v1.4n Standard LaTeX document class
(/usr/share/texmf-dist/tex/latex/base/size11.clo
File: size11.clo 2025/01/22 v1.4n Standard LaTeX file (size option)
)
\c@part=\count275
\c@section=\count276
\c@subsection=\count277
\c@subsubsection=\count278
\c@paragraph=\count279
\c@subparagraph=\count280
\c@figure=\count281
\c@table=\count282
\abovecaptionskip=\skip49
\belowcaptionskip=\skip50
\bibindent=\dimen148
)
(/usr/share/texmf-dist/tex/generic/babel/babel.sty
Package: babel 2026/02/14 v26.3 The multilingual framework for LuaLaTeX, pdfLaT
eX and XeLaTeX
\babel@savecnt=\count283
LaTeX Encoding Info: Redeclaring text command \ij (encoding OT1) on input li
ne 2078.
LaTeX Encoding Info: Redeclaring text command \IJ (encoding OT1) on input li
ne 2080.
LaTeX Encoding Info: Redeclaring text command \ij (encoding T1) on input lin
e 2082.
LaTeX Encoding Info: Redeclaring text command \IJ (encoding T1) on input lin
e 2083.
LaTeX Encoding Info: Ignoring declaration for text command \ij (encoding ?)
on input line 2084.
LaTeX Encoding Info: Ignoring declaration for text command \IJ (encoding ?)
on input line 2086.
LaTeX Encoding Info: Ignoring declaration for text command \SS (encoding ?)
on input line 2111.
\U@D=\dimen149
\l@unhyphenated=\language4
(/usr/share/texmf-dist/tex/generic/babel/txtbabel.def)
\bbl@readstream=\read2
\bbl@dirlevel=\count284
(/usr/share/texmf-dist/tex/generic/babel/locale/pt/babel-portuguese.tex)
Package babel Info: Importing font and identification data for portuguese
(babel) from babel-pt.ini. Reported on input line 4330.
(/usr/share/texmf-dist/tex/generic/babel-portuges/portuguese.ldf
Language: portuges 2026/01/24 v1.2u Portuguese support from the babel system
Package babel Info: Making " an active character on input line 132.
))
(/usr/share/texmf-dist/tex/latex/ebgaramond/ebgaramond.sty
Package: ebgaramond 2024/04/23 (Bob Tennent and autoinst) Style file for EB Gar
amond fonts.
(/usr/share/texmf-dist/tex/generic/iftex/ifxetex.sty
Package: ifxetex 2019/10/25 v0.7 ifxetex legacy package. Use iftex instead.
(/usr/share/texmf-dist/tex/generic/iftex/iftex.sty
Package: iftex 2024/12/12 v1.0g TeX engine tests
))
(/usr/share/texmf-dist/tex/generic/iftex/ifluatex.sty
Package: ifluatex 2019/10/25 v1.5 ifluatex legacy package. Use iftex instead.
)
(/usr/share/texmf-dist/tex/latex/xkeyval/xkeyval.sty
Package: xkeyval 2025/11/04 v2.10 package option processing (HA)
(/usr/share/texmf-dist/tex/generic/xkeyval/xkeyval.tex
(/usr/share/texmf-dist/tex/generic/xkeyval/xkvutils.tex
\XKV@toks=\toks17
\XKV@tempa@toks=\toks18
\XKV@tempb@toks=\toks19
(/usr/share/texmf-dist/tex/generic/xkeyval/keyval.tex))
\XKV@depth=\count285
File: xkeyval.tex 2014/12/03 v2.7a key=value parser (HA)
))
(/usr/share/texmf-dist/tex/latex/base/textcomp.sty
Package: textcomp 2024/04/24 v2.1b Standard LaTeX package
)
(/usr/share/texmf-dist/tex/latex/base/fontenc.sty
Package: fontenc 2025/07/18 v2.1d Standard LaTeX package
)
(/usr/share/texmf-dist/tex/latex/fontaxes/fontaxes.sty
Package: fontaxes 2026-01-02 v2.0.2 Font selection axes (deprecated)
Applying: [2024-11-01] Use figureversions if present on input line 74.
(/usr/share/texmf-dist/tex/latex/figureversions/figureversions.sty
Package: figureversions 2025-04-29 v1.0.1 Figure versions
)
Already applied: [0000-00-00] Fall back to v1 on input line 76.
)
LaTeX Info: Redefining \oldstylenums on input line 163.
LaTeX Info: Redefining \textsw on input line 173.
)
(/usr/share/texmf-dist/tex/latex/listings/listings.sty
\lst@mode=\count286
\lst@gtempboxa=\box53
\lst@token=\toks20
\lst@length=\count287
\lst@currlwidth=\dimen150
\lst@column=\count288
\lst@pos=\count289
\lst@lostspace=\dimen151
\lst@width=\dimen152
\lst@newlines=\count290
\lst@lineno=\count291
\lst@maxwidth=\dimen153
(/usr/share/texmf-dist/tex/latex/listings/lstpatch.sty
File: lstpatch.sty 2025/11/14 1.11b (Carsten Heinz)
)
(/usr/share/texmf-dist/tex/latex/listings/lstmisc.sty
File: lstmisc.sty 2025/11/14 1.11b (Carsten Heinz)
\c@lstnumber=\count292
\lst@skipnumbers=\count293
\lst@framebox=\box54
)
(/usr/share/texmf-dist/tex/latex/listings/listings.cfg
File: listings.cfg 2025/11/14 1.11b listings configuration
))
Package: listings 2025/11/14 1.11b (Carsten Heinz)
==> First Aid for listings.sty no longer applied!
Expected:
2024/09/23 1.10c (Carsten Heinz)
but found:
2025/11/14 1.11b (Carsten Heinz)
so I'm assuming it got fixed.
(/usr/share/texmf-dist/tex/latex/booktabs/booktabs.sty
Package: booktabs 2020/01/12 v1.61803398 Publication quality tables
\heavyrulewidth=\dimen154
\lightrulewidth=\dimen155
\cmidrulewidth=\dimen156
\belowrulesep=\dimen157
\belowbottomsep=\dimen158
\aboverulesep=\dimen159
\abovetopsep=\dimen160
\cmidrulesep=\dimen161
\cmidrulekern=\dimen162
\defaultaddspace=\dimen163
\@cmidla=\count294
\@cmidlb=\count295
\@aboverulesep=\dimen164
\@belowrulesep=\dimen165
\@thisruleclass=\count296
\@lastruleclass=\count297
\@thisrulewidth=\dimen166
)
LaTeX Font Info: Trying to load font information for OT1+EBGaramond-LF on in
put line 34.
(/usr/share/texmf-dist/tex/latex/ebgaramond/OT1EBGaramond-LF.fd
File: OT1EBGaramond-LF.fd 2023/03/19 (autoinst) Font definitions for OT1/EBGara
mond-LF.
)
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 10.95pt on input line 34.
(/usr/share/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def
File: l3backend-pdftex.def 2025-10-09 L3 backend support: PDF output (pdfTeX)
\l__color_backend_stack_int=\count298
)
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.aux
Package babel Info: 'portuguese' activates 'portuges' shorthands.
(babel) Reported on input line 5.
)
\openout1 = `relatorio.aux'.
LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 34.
LaTeX Font Info: ... okay on input line 34.
LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 34.
LaTeX Font Info: ... okay on input line 34.
LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 34.
LaTeX Font Info: ... okay on input line 34.
LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 34.
LaTeX Font Info: ... okay on input line 34.
LaTeX Font Info: Checking defaults for TS1/cmr/m/n on input line 34.
LaTeX Font Info: ... okay on input line 34.
LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 34.
LaTeX Font Info: ... okay on input line 34.
LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 34.
LaTeX Font Info: ... okay on input line 34.
\c@mv@tabular=\count299
\c@mv@boldtabular=\count300
\c@lstlisting=\count301
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 17.28pt on input line 35.
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 12.0pt on input line 35.
LaTeX Font Info: External font `cmex10' loaded for size
(Font) <12> on input line 35.
LaTeX Font Info: External font `cmex10' loaded for size
(Font) <8> on input line 35.
LaTeX Font Info: External font `cmex10' loaded for size
(Font) <6> on input line 35.
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 14.4pt on input line 36.
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/n' will be
(Font) scaled to size 14.4pt on input line 36.
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.toc
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/n' will be
(Font) scaled to size 10.95pt on input line 2.
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/it' will be
(Font) scaled to size 10.95pt on input line 4.
LaTeX Font Info: External font `cmex10' loaded for size
(Font) <10.95> on input line 6.
)
\tf@toc=\write3
\openout3 = `relatorio.toc'.
[1
{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texmf-dist/fonts
/enc/dvips/ebgaramond/ebg_dacnth.enc}{/usr/share/texmf-dist/fonts/enc/dvips/ebg
aramond/ebg_3uowis.enc}]
Overfull \hbox (16.09543pt too wide) in paragraph at lines 54--61
[][]
[]
(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2025/11/14 1.11b listings language file
)
(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2025/11/14 1.11b listings language file
)
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 9.0pt on input line 67.
LaTeX Font Info: Font shape `OT1/cmtt/bx/n' in size <9> not available
(Font) Font shape `OT1/cmtt/m/n' tried instead on input line 76.
[2{/usr/share/texmf-dist/fonts/enc/dvips/cm-super/cm-super-ts1.enc}]
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/it' will be
(Font) scaled to size 14.4pt on input line 93.
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/n' will be
(Font) scaled to size 12.0pt on input line 106.
[3] [4]
(/home/raw/uni/fsi/trabalho/relatorio/relatorio.aux)
***********
LaTeX2e <2025-11-01>
L3 programming layer <2026-01-19>
***********
)
Here is how much of TeX's memory you used:
4481 strings out of 469495
74067 string characters out of 5470098
852951 words of memory out of 5000000
33120 multiletter control sequences out of 15000+600000
646339 words of font info for 65 fonts, out of 8000000 for 9000
16 hyphenation exceptions out of 8191
62i,7n,99p,223b,1810s stack positions out of 10000i,1000n,20000p,200000b,200000s
</usr/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Bold.pfb></us
r/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-BoldItalic.pfb></us
r/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Regular.pfb></usr/s
hare/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt10.pfb></usr/share/texmf-dis
t/fonts/type1/public/amsfonts/cm/cmtt9.pfb></usr/share/texmf-dist/fonts/type1/p
ublic/cm-super/sftt0900.pfb>
Output written on /home/raw/uni/fsi/trabalho/relatorio/relatorio.pdf (4 pages,
94582 bytes).
PDF statistics:
50 PDF objects out of 1000 (max. 8388607)
31 compressed objects within 1 object stream
0 named destinations out of 1000 (max. 500000)
1 words of extra memory for PDF output out of 10000 (max. 10000000)

BIN
relatorio/relatorio.pdf
View File

Binary file not shown.

BIN
relatorio/relatorio.synctex.gz
View File

Binary file not shown.

176
relatorio/relatorio.tex
View File

@@ -1,176 +0,0 @@
\documentclass[11pt,a4paper]{article}
\usepackage[portuguese]{babel}
\usepackage[lining]{ebgaramond}
\usepackage{listings}
\usepackage{booktabs}
% \usepa
\lstdefinestyle{mystyle}{
basicstyle=\ttfamily\footnotesize,
breakatwhitespace=false,
breaklines=true,
captionpos=b,
keepspaces=true,
numbers=left,
numbersep=5pt,
showspaces=false,
showstringspaces=false,
showtabs=false,
tabsize=2
}
\lstset{style=mystyle}
\setlength{\parindent}{0em}
\setlength{\parskip}{2ex}
\title{Practical Assignment \#2}
\author{
João Neto -- 2023234004\\[1em]
Vasco Alves -- 2022228207
}
\begin{document}
\maketitle
\tableofcontents
\newpage
\section{Introdução}
Este projecto tem como âmbito implementar, uma rede virtual privada (VPN) num cenário de road-warrior,
configurar two-factor authentication com os serviços OpenVPN e Apache, e gerir certificados X.509 utilizando OCSP.
O nosso cenario vai envolver três maquinas, o cliente (road warrior), a gateway que utiliza OpenVPN e um servidor interno com OpenSSL e Apache. O OpenVPN utiliza two-factor authentication, recebendo o utilizador, e uma password que é uma junção de uma fixa, e de uma gerada pelo plugin google-authenticator. O servidor de Apache implementa a mesma authenticação.
Temos então três máquinas virtuais:
\begin{tabular}{l l l}
{\bf Nome} & {\bf Script} & {\bf Rede} \\\toprule
Road Warrior & VM\_ROAD\_WARRIOR.sh & Rede Externa 193.168.0.0/24 \\
VPN Gateway & VM\_OPENVPN\_GATEWAY.sh & Router \\
OpenSSL / Apache & VM\_OPENSSL\_APACHE.sh & Reder Interna 10.60.0.0/24 \\
\end{tabular}
Os certificados utilizados foram certificados por uma autoridade central que não está no nosso cenario. A gestão da lista de revogação está a ser gerido pelo serviço OpenSSL que está na mesma maquina que o Apache. Num cenario real seria melhor dividir estes serviços por outras maquinas, mas os computadores que temos acesso estão limitados na quantidade de maquinas virtuais que consegue simular simultaniamente.
\section{Criação de certificados}
Criar chaves com 2048 bits.
Todas as chaves foram criadas no mesmo computador, com as variaveis que está neste codigo, aspetos importantes para mais tarde serão os parametros de CN que precisam de ser passados mais tarde para aceder ao Apache e ao gateway. Numa situação normal teriamos uma autoridade de certificação para enviar e no fundo gerir todos, mas para este cenario podemos inicializar as maquinas com as chaves, requests e certificados necessarios.
O codigo para gerar os certificados X.509:
\begin{lstlisting}[language=bash]
cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN"
cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway"
cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
cert_apache="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=apache.coimbra"
openssl genrsa -out "ca.key" 2048
openssl req -x509 -nodes -days 365 -key "ca.key" -out "ca.crt" -subj "$cert_ca"
openssl genrsa -out "vpn.key" 2048
openssl req -new -key "vpn.key" -out "vpn.csr" -subj "$cert_vpn"
openssl ca -batch -in "vpn.csr" -cert "ca.crt" -keyfile "ca.key" -out "vpn.crt" -config cheese.cfg
openssl dhparam -out "dh2048.pem" 2048
openvpn --genkey secret "ta.key"
openssl genrsa -out user.key
openssl req -new -key user.key -out user.csr -subj "$cert_user"
openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg
openssl genrsa -out apache.key
openssl req -new -key apache.key -out apache.csr -subj "$cert_apache" -addext "subjectAltName = IP:10.60.0.1,DNS:apache"
openssl ca -batch -in "apache.csr" -cert "ca.crt" -keyfile "ca.key" -out "apache.crt" -config cheese.cfg
\end{lstlisting}
Porque é que precisamos de uma chave secreta?
Criar chave secreta.
\begin{lstlisting}[language=bash]
openssl --genkey secret ta.key
\end{lstlisting}
\section{Configuração geral}
Para configurar as VM's era preciso introduzir os mesmos comandos varias vezes, o que levava muitas vezes a erros de escrita, ou a correr o mesmo comando varias vezes, por isso criamos varios ficheiros .sh para conseguir facilitar o processo. A utilização de ficheiros .sh também vem com outros positivos pois facilita a testagem, e a recriação do cenario rapidamente.
No entanto para os serviços que configuramos, instalar, desativar e dar flush ás iptables não foi suficiente, tivemos que criar pastas e sincronizar os relogios de todas as VMs visto que elas estarem ligeiramente atrasadas nunca conseguiamos acertar na password do google-authenticator que utiliza o tempo local para calcular a sua chave.
\begin{lstlisting}[language=bash]
yum install -y epel-release
yum install -y openvpn iptables-services dhcp-client
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
systemctl enable iptables
iptables -F
CA_DIR="/etc/pki/CA"
mkdir -p "${CA_DIR}/newcerts"
mkdir -p "${CA_DIR}/private"
touch "${CA_DIR}/index.txt"
cp ca/serial "${CA_DIR}/serial"
mkdir -p /etc/openvpn/server
mkdir -p /etc/openvpn/client
# NOTE(vasco): tive problemas com a sincronização de tempo
# se nao tiver sincronizado, o TOTP nao funciona
systemctl stop chronyd
ntpdate pool.ntp.org
systemctl start chronyd
\end{lstlisting}
\section{Configuração da \textit{Gateway} VPN}
\section{Configurar TOTP}
Foi criado o ficheiro \texttt{totp} com a configuração de autenticação a
ser utilizada pelo plugin de PAM para o openvpn.
\begin{lstlisting}[language=bash]
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
\end{lstlisting}
\subsection{Aceder ao código}
Primeiro, na gateway, entramos como o utilizador desejado e obtemos a chave
do gerador de palavras passes temporarias. Ao inserir a chave no
\texttt{google authenticator} podemos obter a nossa primeira chave de 6 digitos.
\begin{lstlisting}[language=bash]
su john
google-authenticator
\end{lstlisting}
\section{Revocation e OCSP}
\subsection{Testar OSCP via revoke}
\begin{enumerate}
\item Conectar ao VPN e ver que funciona
\item Na maquina host, nao nas vms, na repo mesmo.
\item revogar o certificado via openssl -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt
\item Fechae OSCP e correr VM\_OPENSSL novamente (copiar index.txt e serial?)
\item Tentar outra vez e ver que de facto falha
\end{enumerate}
\section{Conclusion}
Conclusão!!!
Atingimos o objetivo deste trabalho, conseguimos configurar o VPN tunnel, o two-factor authentication e conseguimos criar e retirar acesso aos certificados que emitimos. Utilizar mais maquinas para simular um cenario maior seria redundante, teriamos que emitir mais certificados mas não iamos aprender muito mais. Para aprofundar (???)
\end{document}
Para tal, foi implementado um servidor e um cliente OpenVPN, certificados por uma autoriadade central (CA)
que em si é self-signed. Para além disto, foi implementado um sistema de autenticação de dois factores
através do plugin google-authenticator para o OpenVPN.
Existe ainda um servidor Apache e um servidro de OpenSSL OCSP. Para simpliflicar, a elaboração do
projecto foram colocados na mesma maquina virtual, mas por razoes de seguranca poderia querer ter
estes serviços separados.

9
relatorio/relatorio.toc
View File

@@ -1,9 +0,0 @@
\babel@toc {portuguese}{}\relax
\contentsline {section}{\numberline {1}Introdução}{2}{}%
\contentsline {section}{\numberline {2}Criação de certificados}{2}{}%
\contentsline {section}{\numberline {3}Configuração da \textit {Gateway} VPN}{3}{}%
\contentsline {section}{\numberline {4}Configurar TOTP}{3}{}%
\contentsline {subsection}{\numberline {4.1}Aceder ao código}{3}{}%
\contentsline {section}{\numberline {5}Revocation e OCSP}{3}{}%
\contentsline {subsection}{\numberline {5.1}Testar OSCP via revoke}{3}{}%
\contentsline {section}{\numberline {6}Conclusion}{4}{}%

0
ucstudent/pl-presentation#1.pdf → ucstudent/pl-apresentação#1 (1).pdf
View File

BIN
ucstudent/pl-apresentação#1.pdf Normal file
View File

Binary file not shown.

0
ucstudent/pl-practical-exercises-#2-resolution-notes.pdf → ucstudent/pl-practical exercises #2-resolution notes.pdf
View File

0
ucstudent/pl-practical-exercises-#2.pdf → ucstudent/pl-practical exercises #2.pdf
View File

0
ucstudent/pl-practical-exercises-#3-resolution-notes.pdf → ucstudent/pl-practical exercises #3-resolution notes.pdf
View File

0
ucstudent/pl-practical-exercises-#3.pdf → ucstudent/pl-practical exercises #3.pdf
View File

0
ucstudent/pl-practical-exercises-#4-resolution-notes.pdf → ucstudent/pl-practical exercises #4-resolution notes.pdf
View File

0
ucstudent/pl-practical-exercises-#4.pdf → ucstudent/pl-practical exercises #4.pdf
View File

BIN
ucstudent/pl-practical-exercises-#5.pdf
View File

Binary file not shown.

BIN
ucstudent/pl-practical-exercises-#6.pdf
View File

Binary file not shown.

BIN
ucstudent/pl-presentation#5.pdf
View File

Binary file not shown.

BIN
ucstudent/pl-presentation#6.pdf
View File

Binary file not shown.

0
ucstudent/pl-suricata-on-centos-installation-notes.txt → ucstudent/pl-suricata on centos - installation notes.txt
View File

BIN
ucstudent/practical assignment 1.pdf Normal file
View File

Binary file not shown.

0
ucstudent/t2-firewalls-and-intrusion-detection.pdf → ucstudent/t2-firewalls and intrusion detection.pdf
View File

0
ucstudent/t3-data-integrity.pdf → ucstudent/t3-data integrity.pdf
View File

0
ucstudent/t4-symmetric-encryption.pdf → ucstudent/t4-symmetric encryption.pdf
View File

BIN
ucstudent/t5-assymetric-ciphers.pdf
View File

Binary file not shown.

BIN
ucstudent/t6-key-management-and-user-authentication.pdf
View File

Binary file not shown.

BIN
user.p12
View File

Binary file not shown.

BIN
user2.p12
View File

Binary file not shown.