Quick overview of testing IPsec under Linux (RHEL 8)
Looking for a solution to prevent MitM attacks against services that use IP-address-based trust (for example NFS): an attacker who can answer for a trusted address gets the trust for free, so the address has to be bound to a key.
Goal: a mesh, CA-based solution that protects against MitM attacks.
Target: Red Hat systems, but it should work for any Linux variant.
Solution:

```bash
# Install certutil (nss-tools) and ipsec (libreswan)
# Create CA/certs in the DB directory
# CA name, anything you want
CA=BastionCA
# Validity in months: certutil -v counts months, so 120 is ten years
VALID=120
rm -rf db
mkdir db
# New NSS database; prompts for a DB password, which is what protects the CA key
certutil -N -d sql:./db
# Self-signed CA (-x), trusted to issue server and client certs ("CT,,").
# -2 prompts interactively for the basic-constraints extension: answer "y" to "Is this a CA certificate?"
# certSigning/crlSigning might not be needed
certutil -S -x -n "$CA" -s "O=EDU,O=UTEXAS,O=GEO,CN=$CA" -k rsa -g 4096 -v "$VALID" -d sql:./db -t "CT,," -2 --keyUsage certSigning,crlSigning
# Your hosts, probably FQDNs
for HOST in host1 host2 host3
do
    # First address only; getent can return several lines
    IP=$(getent hosts "$HOST" | awk 'NR==1 { print $1 }')
    # One nickname per host so every cert is stored under its own name;
    # the SAN carries both IP and name so a peer can be matched on either;
    # /dev/urandom is the noise file that seeds key generation
    certutil -S -c "$CA" -n "$HOST" -s "O=EDU,O=UTEXAS,O=GEO,CN=$HOST" -k rsa -g 4096 -v "$VALID" -d sql:./db -t ",," --keyUsage keyEncipherment,nonRepudiation,digitalSignature --extKeyUsage serverAuth,clientAuth --extSAN "ip:$IP,dns:$HOST" -z /dev/urandom
done
```
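The script above only mints the certificates; for them to stop a MitM, each mesh member has to hold its own cert and key, trust nothing but this CA, and refuse to talk in the clear to the other members. The following is an added example, not part of the original page, showing that deployment with libreswan. It assumes RHEL 8's libreswan layout (NSS database in /etc/ipsec.d and the stock ipsec.conf, which includes /etc/ipsec.d/*.conf), the ./db CA database and per-host nicknames from the script above, and a hypothetical mesh subnet MESH_NET (10.0.0.0/24 by default) that all hosts share; the function and file names are mine.

```bash
#!/bin/bash
# Added example: deploy the BastionCA host certs into libreswan and enforce
# IPsec between mesh members. Assumptions: libreswan on RHEL 8 (NSS DB under
# /etc/ipsec.d), CA DB ./db and nicknames from the certutil script, and a
# hypothetical mesh subnet MESH_NET. Function names are illustrative.
set -euo pipefail

CA=BastionCA
CADB=sql:./db
MESH_NET=${MESH_NET:-10.0.0.0/24}   # assumed subnet all mesh hosts live in

# Export one host's cert and private key as PKCS#12 (prompts for the DB and
# export passwords) plus the CA cert in PEM, to be copied to that host.
export_host_p12() {
    local host=$1
    pk12util -o "$host.p12" -n "$host" -d "$CADB"
    certutil -L -d "$CADB" -n "$CA" -a > "$CA.pem"
}

# libreswan conn for one host. type=transport protects host-to-host traffic
# (NFS etc.) without a tunnel; rightca=%same only accepts peers whose cert
# chains to the same CA as ours; failureshunt=drop fails closed, so a peer that
# cannot authenticate gets no cleartext either (private-or-clear would
# downgrade to cleartext, which is exactly what a MitM wants).
render_mesh_conf() {
    local host=$1
    cat <<EOF
conn private
    type=transport
    authby=rsasig
    ikev2=insist
    failureshunt=drop
    negotiationshunt=drop
    left=%defaultroute
    leftcert=$host
    leftid=%fromcert
    leftrsasigkey=%cert
    right=%opportunisticgroup
    rightid=%fromcert
    rightrsasigkey=%cert
    rightca=%same
    auto=ondemand
EOF
}

# Run on the mesh member itself, with $host.p12 and $CA.pem copied over.
install_on_host() {
    local host=$1
    ipsec import "$host.p12"                                        # cert + key into /etc/ipsec.d
    certutil -A -d sql:/etc/ipsec.d -n "$CA" -t "CT,," -a -i "$CA.pem"  # trust our CA, nothing else
    render_mesh_conf "$host" > /etc/ipsec.d/mesh.conf
    echo "$MESH_NET" > /etc/ipsec.d/policies/private                # IPsec mandatory to these addresses
    systemctl enable --now ipsec
    systemctl restart ipsec
}
```

On the CA machine run `export_host_p12 host1` for each host, copy the .p12 and BastionCA.pem over, then run `install_on_host host1` there; after the first packet to another member `ipsec trafficstatus` should list the SA, and a peer presenting no cert or a cert from another CA is dropped rather than answered in the clear. Keep the mesh in the `private` policy group, not `private-or-clear`: the fallback to cleartext is the downgrade that defeats the goal stated above.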