T Telekom Security

Hint Cheatsheet

Kompakte Hilfe fuer Setup, TLS und Wireshark. Fuer komplette Aufgaben siehe das Challenge Board und fuer Korrekturhilfe das Solutions Board.

Deploy & Reset

Start

./scripts/bootstrap.sh
./scripts/compose.sh ps

Windows PowerShell: ./scripts/workshop.ps1 -Action bootstrap

Neu deployen

./scripts/lab.sh redeploy
./scripts/lab.sh proxy-reload

PowerShell: ./scripts/workshop.ps1 -Action redeploy

Reset

./scripts/lab.sh reset
./scripts/lab.sh bootstrap

PowerShell: ./scripts/workshop.ps1 -Action reset

Easy-RSA & CA Import

PKI Quickstart

mkdir -p certs/easyrsa
cp -r /usr/share/easy-rsa/* certs/easyrsa/
cd certs/easyrsa
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req localhost nopass
./easyrsa --subject-alt-name="DNS:localhost,IP:127.0.0.1" sign-req server localhost

Nur Runtime-Certs mounten (z. B. certs/live), nicht die komplette PKI.

Fedora CA Import

sudo cp certs/easyrsa/pki/ca.crt \
  /etc/pki/ca-trust/source/anchors/htl-workshop-root-ca.crt
sudo update-ca-trust

HTTPS Check

curl https://localhost:8443/service/a
curl -I https://localhost:8443/service/a
openssl s_client -connect localhost:8443 -servername localhost

Bei TLS-Haertung auf Strict-Transport-Security im Header achten.

Komplettes TLS-Beispiel: proxy/nginx.tls.example.conf

Security Header Baseline

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;

Wireshark Quick Hints

Filter

http
tcp.port == 8443
tls.handshake
tls.handshake.type == 11

TLS Decrypt (optional)

export SSLKEYLOGFILE="$HOME/sslkeys.log"

Browser aus derselben Shell starten und Datei in Wireshark als TLS Key Log setzen.