Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Quick overview of testing IPSEC under Linux RH8


Looking for a solution to prevent MiTM attacks against services that use IP address based trust (for example NFS). 

Goal: Mesh CA based solution that protects against MiTM attacks. 

Target: RedHat systems, but should work for any Linux varianet

Solution:


Create CA and Certs
#Install certutil and ipsec
#Create CA/certs in the DB directory
#CA Name, anything you want
CA=BastionCA
#Validatity dats
VALID=120
rm -rf db
mkdir db
certutil -N -d sql:./db
#certsigning/crlsighning might not be needed
certutil -S -x -n "$CA" -s "O=EDU,O=UTEXAS,O=GEO,CN=$CA" -k rsa -g 4096 -v $VALID -d ./db/ -t "CT,," -2 --keyUsage  certSigning,crlSigning

#Your hosts, probably FQDN
for HOST in host1 host2 host3 
do
  	IP=`getent hosts $HOST| awk '{ print $1 }'`
	certutil -S -c "$CA" -n HOST -s "O=EDU,O=UTEXAS,O=GEO,CN=$HOST" -k rsa -g 4096 -v $VALID -d ./db/ -t ",," --keyUsage "keyEncipherment,nonRepudiation,digitalSignature" --extKeyUsage "serverAuth,clientAuth" --extSAN "ip:$IP,dns:$HOST " -z ./urandom





  • No labels

Confluence Documentation | Web Privacy Policy | Web Accessibility