Quick overview of testing IPSEC under Linux RH8


Looking for a solution to prevent MiTM attacks against services that rely on IP-address-based trust (for example NFS).

Goal: a mesh, CA-based IPsec solution that protects against MiTM attacks.

Target: RedHat systems, but it should work for any Linux variant.

Solution:


Create CA and Certs (bash):

```bash
# Install certutil (nss-tools) and ipsec (libreswan) first
# Create CA/certs in the DB directory
# CA name, anything you want
CA=BastionCA
# Validity period; note that certutil -v counts months, not days
VALID=120
rm -rf db
mkdir db
certutil -N -d sql:./db
# certSigning/crlSigning might not be needed
# -2 prompts for the basic-constraints extension; answer y to "Is this a CA certificate"
certutil -S -x -n "$CA" -s "O=EDU,O=UTEXAS,O=GEO,CN=$CA" -k rsa -g 4096 -v $VALID -d ./db/ -t "CT,," -2 --keyUsage certSigning,crlSigning

# Your hosts, probably FQDN
for HOST in host1 host2 host3
do
    IP=`getent hosts $HOST | awk '{ print $1 }'`
    # Nickname must be "$HOST" (quoted), not the literal string HOST, or every cert overwrites the previous one;
    # no trailing space inside the SAN string, and the noise file is /dev/urandom
    certutil -S -c "$CA" -n "$HOST" -s "O=EDU,O=UTEXAS,O=GEO,CN=$HOST" -k rsa -g 4096 -v $VALID -d ./db/ -t ",," --keyUsage "keyEncipherment,nonRepudiation,digitalSignature" --extKeyUsage "serverAuth,clientAuth" --extSAN "ip:$IP,dns:$HOST" -z /dev/urandom
done
```
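As an added example (not code from the original page), the host-certificate loop above in a hardened form with a verification step. It assumes the CA already exists in `./db` under the nickname in `$CA`, as created by the script above, that `nss-tools` is installed, and that each host name resolves via `getent` on the machine running it. The function names (`san_for`, `resolve_ipv4`, `issue_host_cert`, `verify_host_cert`, `export_for_host`) are my own. The main thing it adds is that a host which does not resolve aborts the run instead of silently producing a certificate whose SAN reads `ip:,dns:host`, and that every certificate is checked against the CA for both server and client usage before it leaves the signing machine.

```bash
#!/bin/bash
# Added example, not part of the original page: hardened host-cert loop plus
# a verification and export step. Assumes the CA was created in ./db under
# nickname $CA as in the page's script, and that hosts resolve via getent.
set -euo pipefail

CA=${CA:-BastionCA}
DB=${DB:-sql:./db}
VALID=${VALID:-120}   # certutil -v counts months, not days

# Build the SAN string for one host. Fails loudly instead of emitting "ip:,"
# when the host did not resolve (the silent failure mode of a bare getent).
san_for() {
    local host=$1 ip=$2
    case $ip in
        "") echo "san_for: no address for $host" >&2; return 1 ;;
        *[!0-9.]*) echo "san_for: not an IPv4 address for $host: $ip" >&2; return 1 ;;
    esac
    printf 'ip:%s,dns:%s' "$ip" "$host"
}

# First IPv4 address for a host via getent; prints nothing if unresolved.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }' || true
}

# Issue one host cert under $CA. Uses the host name as the NSS nickname so
# certs do not overwrite each other, and passes a SAN with no stray whitespace.
issue_host_cert() {
    local host=$1 san
    san=$(san_for "$host" "$(resolve_ipv4 "$host")")
    certutil -S -c "$CA" -n "$host" -s "O=EDU,O=UTEXAS,O=GEO,CN=$host" \
        -k rsa -g 4096 -v "$VALID" -d "$DB" -t ",," \
        --keyUsage keyEncipherment,nonRepudiation,digitalSignature \
        --extKeyUsage serverAuth,clientAuth \
        --extSAN "$san" -z /dev/urandom
}

# Check that the cert chains to the trusted CA for SSL-server (-u V) and
# SSL-client (-u C) usage, and that its SAN carries the expected DNS name.
verify_host_cert() {
    local host=$1
    certutil -V -n "$host" -u V -d "$DB" >/dev/null
    certutil -V -n "$host" -u C -d "$DB" >/dev/null
    certutil -L -n "$host" -d "$DB" | grep -q "DNS name: \"$host\""
}

# Bundle cert + key for one host into PKCS#12 (pk12util prompts for an
# export password). Copy the file to the host and load it with "ipsec import".
export_for_host() {
    local host=$1
    pk12util -o "$host.p12" -n "$host" -d "$DB"
}

# Usage: ./mkhostcerts.sh host1 host2 host3
if [ "$#" -gt 0 ]; then
    for h in "$@"; do
        issue_host_cert "$h"
        verify_host_cert "$h"
        export_for_host "$h"
    done
fi
```

The export step is what makes the mesh usable: libreswan on each RHEL 8 host keeps its own NSS database under `/etc/ipsec.d`, and `ipsec import host1.p12` loads the host's certificate, private key and the CA into it, after which the IPsec connections can reference the certificate by its nickname. Keep the signing database itself off the hosts; only the per-host `.p12` bundle needs to travel.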