Add labs

2026-02-03 22:29:46 +01:00
commit 8fdf5827e4
156 changed files with 23069 additions and 0 deletions
--- a/03-security/lab01/docker-compose.yml
+++ b/03-security/lab01/docker-compose.yml
@ -0,0 +1,7 @@
+services:
+  mosquitto:
+    image: eclipse-mosquitto
+    ports:
+      - "1883:1883"
+    volumes:
+      - ./mosquitto.conf:/mosquitto/config/mosquitto.conf:ro
--- a/03-security/lab01/lab.txt
+++ b/03-security/lab01/lab.txt
@ -0,0 +1,23 @@
+= Öffentliche Broker
+
+Verbinden Sie sich zu einem öffentlichen Broker, z.B. `test.mosquitto.org`, `broker.emqx.io` oder `broker.hivemq.com`
+Können Sie Nachrichten aller Topics abrufen?
+
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+mosquitto_sub -h test.mosquitto.org -V 5 -v -t "#" -W 5
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+mosquitto_sub -h broker.hivemq.com -V 5 -v -t "#" -W 5
+
+
+
+Geben Sie von einer 10 Sekunden Messung (`timeout 10s <command>` oder `mosquitto_sub -W 10`)
+die Top-10 Topics nach Nachrichten und Bytes aus (mosquitto_sub Ausgabeformat `%t` Topicname, `%l` Nachrichtenlänge)
+
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+timeout 10s mosquitto_sub -h test.mosquitto.org -t "#" -F "%t %l" | \
+awk '{count[$1]++; size[$1]+=$2} END {print "Topic | Nachrichten | Bytes"; \
+for (i in count) print i, count[i], size[i]}' | \
+column -t | sort -k2 -nr | head -n 10
--- a/03-security/lab01/mosquitto.conf
+++ b/03-security/lab01/mosquitto.conf
@ -0,0 +1,4 @@
+listener 1883
+allow_anonymous true
+
+# sys_interval 3
--- a/03-security/lab02/lab.txt
+++ b/03-security/lab02/lab.txt
@ -0,0 +1,21 @@
+= Zertifikate
+
+Rufen Sie von www.tagesschau.de das Zertifikate ab, verwenden Sie Ihren Webbrowser.
+
+Je nach Browser:
+  Firefox: CTRL-I, Security, "View Certificate"
+  Chrome: kein Shortcut, klick auf "Regler" links von URL, Klick auf "Connection is secure", Klick auf "Certificate is valid"
+
+Nutzen Sie OpenSSL als Client und rufen diese Zertfikate ab:
+* www.tagesschau.de:443
+* test.mosquitto.org:8883
+
+$ openssl s_client -showcerts -connect www.tagesschau.de:443 </dev/null
+$ openssl s_client -showcerts -connect test.mosquitto.org:8883 </dev/null
+
+
+Lassen Sie sich von CyberChef das X.509 Zertifikat dekodieren:
+"https://gchq.github.io/CyberChef/#recipe=Parse_X.509_certificate('PEM')"
+
+Verdeutlichen Sie sich die wesentlichen Elemente 
+
--- a/03-security/lab03/.gitignore
+++ b/03-security/lab03/.gitignore
@ -0,0 +1,2 @@
+ca.crt
+ca.key
--- a/03-security/lab03/lab.txt
+++ b/03-security/lab03/lab.txt
@ -0,0 +1,13 @@
+= Self signed Zertifikat 
+
+Verwendung von OpenSSL um ein neues Zertifikat zu erstellen
+
+$ openssl req -new -x509 -newkey rsa:2048 -days 365 \
+ -addext 'subjectAltName=DNS:mqtt.example.com,IP:127.0.0.1' \
+ -subj "/CN=example.com" \
+ -nodes -keyout ca.key -out ca.crt
+
+
+Validieren Sie das Zertifikat mit OpenSSL 
+
+$ openssl verify -CAfile ca.crt ca.crt
--- a/03-security/lab04/.gitignore
+++ b/03-security/lab04/.gitignore
@ -0,0 +1 @@
+mosquitto.org.crt
--- a/03-security/lab04/lab.txt
+++ b/03-security/lab04/lab.txt
@ -0,0 +1,33 @@
+= Verwendung MQTT mit TLS
+
+Verwenden Sie `mosquitto_sub` mit dem Host `test.mosquitto.org` und `--tls-use-os-certs`,
+verwenden Sie einmal Port `8886` und einmal Port `8883`.
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+ mosquitto_sub --host test.mosquitto.org --port 8886 -V 5 -W 10 --topic "#" --tls-use-os-certs --debug
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+ mosquitto_sub --host test.mosquitto.org --port 8883 -V 5 -W 10 --topic "#" --tls-use-os-certs --debug
+
+
+Laden Sie das CA Zertifikat von https://test.mosquitto.org/ssl/mosquitto.org.crt
+und verwenden Sie es mit `--cafile` statt `--tls-use-os-certs` auf Port 8883
+
+$ wget https://test.mosquitto.org/ssl/mosquitto.org.crt
+
+$ docker run --rm -it --init --net host -v $PWD:/data eclipse-mosquitto \
+ mosquitto_sub --host test.mosquitto.org --port 8883 -V 5 -W 10 --topic "#" \
+ --cafile /data/mosquitto.org.crt --debug
+
+
+
+Was passiert, wenn Sie statt des Hostnamens die aufgelöste IP verwenden?
+
+$ host test.mosquitto.org
+$ dig in a test.mosquitto.org
+$ nslookup test.mosquitto.org
+
+
+$ docker run --rm -it --init --net host -v $PWD:/data eclipse-mosquitto \
+ mosquitto_sub --host 54.36.178.49 --port 8883 -V 5 -W 10 --topic "#" \
+ --cafile /data/mosquitto.org.crt --debug
--- a/03-security/lab05/lab.txt
+++ b/03-security/lab05/lab.txt
@ -0,0 +1,20 @@
+= Username/Password Credentials
+
+
+Verwenden Sie `mosquitto_sub` mit dem Host `test.mosquitto.org` und MQTT 5, Port `1884`,
+Usernamen "ro" und Passwort "readonly".
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+  mosquitto_sub --host test.mosquitto.org --port 1884 -V 5 --topic "demotopic" \
+  --username ro -P readonly --debug
+
+Testen Sie, was bei einem anderen Passwort passiert.
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+  mosquitto_sub --host test.mosquitto.org --port 1884 -V 5 --topic "demotopic" \
+  --username ro -P wrong --debug
+
+
+Analysiern Sie die Netzwerkpakete, finden Sie Usernamen und Passwort?
+
+$ sudo tshark -s 1500 -i any -n -x -O mqtt port 1884
--- a/03-security/lab06/lab.txt
+++ b/03-security/lab06/lab.txt
@ -0,0 +1,28 @@
+= TLS PSK mit OpenSSL
+
+Erzeugen Sie mit OpenSSL einen hexadecimalen PSK Key
+
+$ openssl rand -hex 16
+
+
+Starten Sie mit OpenSSL einen TLS PSK Server.
+
+$ openssl s_server -nocert -psk 7301036d7236029badbd -psk_hint Server-ID -accept 4433 -tls1_2
+
+
+Verbinden Sie sich mit OpenSSL als Client.
+
+$ openssl s_client -psk 7301036d7236029badbd -psk_identity Client_123 -connect localhost:4433 -tls1_2
+
+
+
+Analog mit TLS 1.3.
+
+Server:
+
+$ openssl s_server -nocert -psk 7301036d7236029badbd -psk_identity Client_123 -accept 4433 -tls1_3
+
+
+Client:
+
+$ openssl s_client -psk 7301036d7236029badbd -psk_identity Client_123 -connect localhost:4433 -tls1_3
--- a/03-security/lab07/.gitignore
+++ b/03-security/lab07/.gitignore
@ -0,0 +1,2 @@
+*.pem
+*.crt
--- a/03-security/lab07/lab.txt
+++ b/03-security/lab07/lab.txt
@ -0,0 +1,24 @@
+= mTLS Authentifzierung
+
+
+Laden Sie sich das CA Zertifikat von https://test.mosquitto.org/ssl/mosquitto.org.crt
+
+$ wget https://test.mosquitto.org/ssl/mosquitto.org.crt
+
+
+Verwenden Sie OpenSSL um sich ein Certificate-Signing-Request zu erstellen
+
+$ openssl genrsa -out key.pem 2048
+$ openssl req -new -key key.pem -out csr.pem -subj "/C=DE/O=trion/CN=mqttdemo"
+
+
+Erstellen Sie sich damit auf https://test.mosquitto.org/ssl ein Client Zertifikat
+Speichern Sie es als `cert.pem` im selben Verzeichnis.
+
+
+Verwenden Sie `mosquitto_sub` mit dem Host `test.mosquitto.org` Port 8884, 
+nutzen Sie CA und Client Zertifikat (`--cert`, `--key`)
+
+$ docker run --rm -it --init --net host -v $PWD:/data eclipse-mosquitto \
+  mosquitto_sub --host test.mosquitto.org --port 8884 -V 5 --topic "demotopic" \
+  --cert /data/cert.pem --key /data/key.pem --cafile /data/mosquitto.org.crt --debug
--- a/03-security/lab08/acl.txt
+++ b/03-security/lab08/acl.txt
@ -0,0 +1,8 @@
+user rw
+topic readwrite #
+
+user wo
+topic write /test
+
+user ro
+topic read #
--- a/03-security/lab08/docker-compose.yml
+++ b/03-security/lab08/docker-compose.yml
@ -0,0 +1,10 @@
+services:
+  mosquitto:
+    image: eclipse-mosquitto
+    ports:
+      - "1883:1883"
+    volumes:
+      - ./mosquitto.conf:/mosquitto/config/mosquitto.conf:ro
+      - ./users.txt:/mosquitto/config/users.txt:ro
+      - ./acl.txt:/mosquitto/config/acl.txt:ro
+      - ./dynamic-config.json:/mosquitto/config/dynamic-config.json:rw
--- a/03-security/lab08/dynamic-config.json
+++ b/03-security/lab08/dynamic-config.json
@ -0,0 +1,87 @@
+{
+  "roles": [
+    {
+        "rolename":	"admin",
+        "acls":	[{
+                "acltype":	"publishClientSend",
+                "topic":	"$CONTROL/dynamic-security/#",
+                "allow":	true
+            }, {
+                "acltype":	"publishClientReceive",
+                "topic":	"$CONTROL/dynamic-security/#",
+                "allow":	true
+            }, {
+                "acltype":	"subscribePattern",
+                "topic":	"$CONTROL/dynamic-security/#",
+                "allow":	true
+            }, {
+                "acltype":	"publishClientReceive",
+                "topic":	"$SYS/#",
+                "allow":	true
+            }, {
+                "acltype":	"subscribePattern",
+                "topic":	"$SYS/#",
+                "allow":	true
+            }, {
+                "acltype":	"publishClientReceive",
+                "topic":	"#",
+                "allow":	true
+            }, {
+                "acltype":	"subscribePattern",
+                "topic":	"#",
+                "allow":	true
+            }, {
+                "acltype":	"unsubscribePattern",
+                "topic":	"#",
+                "allow":	true
+            }]
+    },
+    {
+      "rolename": "read-write-role",
+      "acls": [
+        { "acltype": "publishClientSend", "topic": "#", "priority": 0, "allow": true },
+        { "acltype": "subscribeLiteral", "topic": "#", "priority": 0, "allow": true },
+        { "acltype": "unsubscribeLiteral", "topic": "#", "priority": 0, "allow": true }
+      ]
+    },
+    {
+      "rolename": "write-only-role",
+      "acls": [
+        { "acltype": "publishClientSend", "topic": "#", "priority": 0, "allow": true },
+        { "acltype": "subscribeLiteral", "topic": "#", "priority": 0, "allow": false },
+        { "acltype": "subscribePattern", "topic": "#", "priority": 0, "allow": false }
+      ]
+    },
+    {
+      "rolename": "read-only-role",
+      "acls": [
+        { "acltype": "subscribeLiteral", "topic": "#", "priority": 0, "allow": true },
+        { "acltype": "publishClientSend", "topic": "#", "priority": 0, "allow": false }
+      ]
+    }
+  ],
+  "clients": [
+    {
+			"username":	"admin-user",
+			"textName":	"Dynsec admin user, password  geheim",
+			"password":	"qFa1Zzq4SXwI1aGJq9rJm14m6LWiv+7p4mbDfsQK1x15NOBdZke4GO6zxSBfOXinRgVKES/tlyfmVJhq0N6rKw==",
+			"salt":	"Qv02Q1Ngia2GacTB",
+			"iterations":	101,
+			"roles":	[{
+					"rolename":	"admin"
+				}]
+    },
+    { "username": "rw", "roles": [ { "rolename": "read-write-role" } ] },
+    { "username": "wo", "roles": [ { "rolename": "write-only-role" } ] },
+    { "username": "ro", "roles": [ { "rolename": "read-only-role" } ] }
+  ],
+  "default_access": {
+    "publishClientSend": false,
+    "publishClientReceive":	true,
+    "subscribeLiteral": false,
+    "subscribePattern": false,
+    "unsubscribeLiteral": false,
+    "subscribe":	false,
+    "unsubscribe":	true
+  }
+}
--- a/03-security/lab08/lab.txt
+++ b/03-security/lab08/lab.txt
@ -0,0 +1,42 @@
+= Berechtigungen
+
+Verwenden Sie `mosquitto_sub` mit dem Host `test.mosquitto.org`, MQTT 5, 
+Port `1884`, Usernamen "ro" und Passwort (`-P`) "readonly"
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+  mosquitto_sub --host test.mosquitto.org --port 1884 -V 5 --qos 1 --topic "demotopic" \
+  --username ro -P readonly -W 2 --debug
+
+
+Was passiert, wenn Sie "wo" und Passwort "writeonly" nutzen?
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+  mosquitto_sub --host test.mosquitto.org --port 1884 -V 5 --qos 1 --topic "demotopic" \
+  --username wo -P writeonly -W 2 --debug
+
+
+Was passiert, wenn Sie mit den 'ro' User etwas publishen wollen?
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+  mosquitto_pub --host test.mosquitto.org --port 1884 -V 5 --qos 1 --topic "demotopic" \
+  --username ro -P readonly --message "demo message" --debug
+
+
+
+
+
+Alternativ kann mittels `docker compose up` gleichartiges lokales Setup verwendet werden:
+
+$ docker compose up 
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+  mosquitto_sub -V 5 --qos 1 --topic "demotopic" \
+  --username ro -P readonly -W 2 --debug
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+  mosquitto_sub -V 5 --qos 1 --topic "demotopic" \
+  --username wo -P writeonly -W 2 --debug
+
+$ docker run --rm -it --init --net host eclipse-mosquitto \
+  mosquitto_pub -V 5 --qos 1 --topic "demotopic" \
+  --username ro -P readonly --message "demo message" --debug
--- a/03-security/lab08/mosquitto.conf
+++ b/03-security/lab08/mosquitto.conf
@ -0,0 +1,13 @@
+listener 1883
+
+allow_anonymous false
+
+# this works but does not support expected feedback,
+# see this issue comment:
+# https://github.com/eclipse-mosquitto/mosquitto/issues/2296#issuecomment-924423566
+# The ACLs in an ACL file are currently exclusively related to publishing - write indicates whether the client is allowed to send a publish to a topic, and read indicates whether a client is allowed to receive a publish on a topic.
+password_file /mosquitto/config/users.txt
+acl_file mosquitto/config/acl.txt
+
+plugin /usr/lib/mosquitto_dynamic_security.so
+plugin_opt_config_file /mosquitto/config/dynamic-config.json
--- a/03-security/lab08/users.txt
+++ b/03-security/lab08/users.txt
@ -0,0 +1,3 @@
+ro:$7$101$FPVn7s0SIqjbFLYS$wMHGMiFqSlGwHAP23kFoUgdkd8NH1J70mDdXlQPVxGxoC8wQz0lY8Wsoqf8O8JNjzZxyVmrNlG1n/mLxlf2i7g==
+rw:$7$101$nayIsCxTb05m2LY6$jIJbztZr2r/ZWUyM1Qfo2QC390OPgcd6AbtuG9wadDXex/+tWjNhVEoTRs746KIeBmNiJbnwZ9kts2L6gn3MBA==
+wo:$7$101$dIqbFuwPghjophX4$8U6EeHb7mBI4NWb9/J+wTW+WzvhN8ipWdA1UBK/ePs/Me/HfmvhiAcIpxcUsMvDjwWFc0UXlAkjFkoeEkPQ+cw==