Quick overview of testing IPSEC under Linux RH8
Looking for a solution to prevent MiTM attacks against services that rely on IP-address-based trust (for example NFS).
Goal: a mesh (every host to every host) IPsec setup, authenticated with certificates from a single local CA, that protects against MiTM attacks.
Target: RedHat systems, but it should work for any Linux variant.
Solution:
Create CA and Certs
#!/bin/bash
# Install certutil (package nss-tools) and ipsec (package libreswan) first.
# Creates the CA and one certificate per host in the NSS database in ./db.

# CA nickname, anything you want
CA=BastionCA
# Validity in days
VALID=120

rm -rf db
mkdir db
certutil -N -d sql:./db

# Self-signed CA. certSigning/crlSigning might not be needed.
# -2 prompts interactively for the basic constraints extension; answer that this is a CA.
certutil -S -x -n "$CA" -s "O=EDU,O=UTEXAS,O=GEO,CN=$CA" -k rsa -g 4096 -v "$VALID" \
    -d ./db/ -t "CT,," -2 --keyUsage certSigning,crlSigning

# Your hosts, probably FQDNs. The SAN carries both the resolved IP and the name,
# and the nickname is the host name so each certificate can be found and exported later.
for HOST in host1 host2 host3
do
    IP=$(getent hosts "$HOST" | awk '{ print $1 }')
    certutil -S -c "$CA" -n "$HOST" -s "O=EDU,O=UTEXAS,O=GEO,CN=$HOST" -k rsa -g 4096 -v "$VALID" \
        -d ./db/ -t ",," \
        --keyUsage "keyEncipherment,nonRepudiation,digitalSignature" \
        --extKeyUsage "serverAuth,clientAuth" \
        --extSAN "ip:$IP,dns:$HOST" -z /dev/urandom
done
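The script above only generates the certificates; the check a practitioner wants afterwards is that each host certificate really chains to the CA, that its SAN covers both the host name and the IP address, and that it is valid for serverAuth and clientAuth, since every peer in a mesh acts as both initiator and responder. The following is an added example, not part of the original notes and not using certutil or NSS: it reproduces the same certificate profile (CA with certSign/crlSign and basic constraints, host certificates with ip/dns SAN and both EKUs) with the Go standard library and runs that check, so it works offline. The host names host1.example.edu / host2.example.edu and the 10.0.0.x addresses are constructed sample values; the page resolves real names with getent. ECDSA P-256 keys are used for speed where the script uses RSA 4096.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// subject mirrors the -s "O=EDU,O=UTEXAS,O=GEO,CN=..." value from the certutil script.
func subject(cn string) pkix.Name {
	return pkix.Name{Organization: []string{"EDU", "UTEXAS", "GEO"}, CommonName: cn}
}

// newCA builds a self-signed CA with the profile the CA step requests:
// basic constraints CA=true and keyUsage certSigning,crlSigning.
func newCA(name string, validDays int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               subject(name),
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(0, 0, validDays),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newHostCert mirrors the per-host step: SAN ip:$IP,dns:$HOST, keyUsage
// keyEncipherment,nonRepudiation,digitalSignature and extKeyUsage serverAuth,clientAuth.
func newHostCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, ip net.IP, serial int64, validDays int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subject(host),
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 0, validDays),
		DNSNames:     []string{host},
		IPAddresses:  []net.IP{ip},
		// nonRepudiation is called ContentCommitment in Go.
		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageContentCommitment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkHostCert is the post-generation check: the certificate must chain to the CA,
// match both the host name and the IP (VerifyHostname matches IP SANs when given an IP),
// and be usable for serverAuth and clientAuth. Any failure is returned as an error.
func checkHostCert(ca, cert *x509.Certificate, host string, ip net.IP) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	for _, eku := range []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} {
		for _, name := range []string{host, ip.String()} {
			opts := x509.VerifyOptions{Roots: roots, DNSName: name, KeyUsages: []x509.ExtKeyUsage{eku}}
			if _, err := cert.Verify(opts); err != nil {
				return fmt.Errorf("verify %q for EKU %d: %w", name, eku, err)
			}
		}
	}
	return nil
}

func main() {
	ca, caKey, err := newCA("BastionCA", 120)
	if err != nil {
		panic(err)
	}
	// Constructed sample hosts; the script resolves real names with getent.
	hosts := map[string]string{"host1.example.edu": "10.0.0.1", "host2.example.edu": "10.0.0.2"}
	serial := int64(2)
	for host, addr := range hosts {
		ip := net.ParseIP(addr)
		cert, err := newHostCert(ca, caKey, host, ip, serial, 120)
		if err != nil {
			panic(err)
		}
		serial++
		fmt.Printf("%s (%s): check=%v\n", host, addr, checkHostCert(ca, cert, host, ip))
	}
}
```

The same check is what an IPsec peer effectively performs when it validates the remote certificate against the CA in its NSS database; running it at generation time catches a wrong or missing SAN (for example, a host whose getent lookup returned nothing) before it shows up as an authentication failure in the IKE logs.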