LPIC-3 303 Security (tmiyahar@begi.net)

Lab environment
1. NIC / IP address
2. VMware Server, NAT networking
3. Guest OS: CentOS 5.3 on the VMware NAT network 10.0.0.0/8; eth0 = 10.0.0.10/8
4. NAT port forwarding for TCP 22 (SSH) and 1194 (OpenVPN) into the guest

Working with the lab
1. OS
2. OS
3. OS / Web
4. Log in to the guest OS over SSH with PuTTY; transfer files with WinSCP
OpenSSL
HTTPS is HTTP carried over SSL. Three points: 1. 2. 3.

CA (certificate authority): the server certificate presented to the Web browser is signed by a CA; the browser checks that signature against the CA certificate it trusts.

HTTPS with Apache uses mod_ssl and a server certificate signed by a CA.

Setting up HTTPS
1. Generate the server's private key
2. Create a CSR (Certificate Signing Request) from that key
3. Have the CA sign the CSR, which produces the server certificate
4. Configure Apache: the SSL settings live in ssl.conf (loaded from httpd.conf)
OpenVPN
OpenVPN is an SSL VPN released under the GPL. It runs on Linux, Windows, BSD and Solaris.

It connects a remote host to a LAN through an encrypted VPN tunnel between an OpenVPN client and an OpenVPN server.

In this lab the OpenVPN client runs on the Windows host and the OpenVPN server on the CentOS guest, which has a single NIC behind VMware NAT.

tun/tap virtual NICs: tun works at L3 (IP packets, routed), tap at L2 (Ethernet frames). In tap mode the tap device is bridged (br0) with eth0, so VPN clients appear on the same Ethernet segment as eth0 and get addresses from that network. This lab uses tap with a bridge.

Prerequisites: a CA, NTP time synchronization (certificate validity periods are checked against the clock), and the openvpn package.

OpenVPN server setup
1. Install the packages
2. Create the CA, server certificate, DH parameters and TLS auth key
3. Write the configuration file
4. Start OpenVPN
Installation
1. Install bridge-utils (needed for the tap bridge)
2. Enable the RPMforge repository: https://rpmrepo.org/rpmforge/using
3. Install openvpn:
   # yum install openvpn lzo2

Installing easy-rsa
1. Install the easy-rsa 2.0 scripts into /etc/openvpn/easy-rsa with make:
   # cd /usr/share/doc/openvpn-*/easy-rsa/2.0/
   # make install DESTDIR=/etc/openvpn/easy-rsa
2. # cd /etc/openvpn/easy-rsa/

Creating the CA
1. Edit /etc/openvpn/easy-rsa/vars:
   export KEY_COUNTRY="JP"
   export KEY_PROVINCE="Tokyo"
   export KEY_CITY="Chiyodaku"
   export KEY_ORG="LPI-Japan"
   export KEY_EMAIL=info@lpi.or.jp
2. Build the CA:
   # source vars
   # ./clean-all
   # ./build-ca
3. Copy the CA certificate:
   # cp keys/ca.crt /etc/openvpn/

Server certificate
1. # ./build-key-server server   (answer y to both [y/n] prompts: sign, then commit)
2. # cp keys/server.crt /etc/openvpn/
   # cp keys/server.key /etc/openvpn/
   # chmod 600 /etc/openvpn/server.key

DH parameters
1. # ./build-dh
2. # cp keys/dh1024.pem /etc/openvpn/

CRL (certificate revocation list)
1. In /etc/openvpn/easy-rsa/openssl.cnf comment out the pkcs11 section:
   #[ pkcs11_section ]
   #engine_id = pkcs11
   #dynamic_path = /usr/lib/engines/engine_pkcs11.so
   #MODULE_PATH = $ENV::PKCS11_MODULE_PATH
   #PIN = $ENV::PKCS11_PIN
   #init = 0
2. Issue and immediately revoke a dummy certificate so that an initial crl.pem exists (revoke-full ends by verifying the revoked certificate, so its "error 23 ... certificate revoked" output is expected):
   # ./build-key dummy
   # ./revoke-full dummy
3. # cp keys/crl.pem /etc/openvpn/
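The HTTPS steps (key, CSR, CA signature) and the easy-rsa steps above (build-ca, build-key-server, build-key, revoke-full) are the same OpenSSL operations. The script below is an added example, not code from the LPI-Japan slides or from easy-rsa; it performs those operations with plain openssl commands and then runs the three checks OpenVPN applies through "ca", "crl-verify" and "ns-cert-type server". The working directory, the names lab-ca, server and dummy, and the use of RSA-2048 with SHA-256 instead of easy-rsa 2.0's 1024-bit defaults are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the slides or easy-rsa): CA, server cert, client
# cert, revocation and CRL with plain openssl, plus the checks that the
# OpenVPN directives ca / crl-verify / ns-cert-type server perform.
# Assumed: throwaway dir, names lab-ca/server/dummy, RSA-2048 + SHA-256.
set -e

WORK=""

# ./clean-all + ./build-ca: a fresh CA database and a self-signed CA cert.
make_ca() {
  WORK=$(mktemp -d)
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
serial = $WORK/serial
crlnumber = $WORK/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = lab_policy
[ lab_policy ]
commonName = supplied
[ server_ext ]
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
[ client_ext ]
nsCertType = client
extendedKeyUsage = clientAuth
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
    -extensions v3_ca -subj "/C=JP/ST=Tokyo/L=Chiyodaku/O=LPI-Japan/CN=lab-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# ./build-key-server NAME (server_ext) or ./build-key NAME (client_ext):
# private key + CSR, then the CA signs the CSR with the chosen extensions.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions "$2" \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# ./revoke-full NAME: mark the cert revoked in the database, regenerate crl.pem.
revoke_cert() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# What "ca ca.crt" + "crl-verify crl.pem" enforce: the cert chains to our CA
# and its serial is not on the CRL. Returns 0 when the cert is acceptable.
verify_cert() {
  openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# What the client's "ns-cert-type server" enforces: the cert must be marked
# for SSL-server use, so a client cert from the same CA cannot pose as the server.
is_server_cert() {
  openssl verify -purpose sslserver -CAfile "$WORK/ca.crt" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

build_pki() {
  make_ca
  issue_cert server server_ext   # ./build-key-server server
  issue_cert dummy client_ext    # ./build-key dummy
  revoke_cert dummy              # ./revoke-full dummy -> crl.pem
}

build_pki
for name in server dummy; do
  printf '%-6s chain+CRL: %s  server purpose: %s\n' "$name" \
    "$(verify_cert "$name" && echo ok || echo FAIL)" \
    "$(is_server_cert "$name" && echo ok || echo FAIL)"
done
```

Run it as-is: the server certificate passes both checks, the revoked dummy certificate fails the CRL check, and, being a client certificate, also fails the server-purpose check even before revocation. The two failure modes are independent, which is why a deployment wants both crl-verify on the server and ns-cert-type server on the client.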
TLS auth key: an HMAC key shared by server and clients that signs every SSL/TLS control packet (--tls-auth), so packets without a valid HMAC are dropped before any TLS processing.
1. Generate it with openvpn --genkey:
   # openvpn --genkey --secret /etc/openvpn/ta.key

Bridge scripts
1. # cp /usr/share/doc/openvpn-2.0.9/sample-scripts/bridge-st* /etc/openvpn/
   # chmod +x /etc/openvpn/bridge-st*
2. Edit bridge-start for this lab:
   eth_ip="10.0.0.10"
   eth_netmask="255.0.0.0"
   eth_broadcast="10.255.255.255"

Configuring the OpenVPN server
1. # cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
2. Edit server.conf for this lab: TCP, tap (bridged), files under /etc/openvpn

/etc/openvpn/server.conf (the directives used in this lab):
# udp or tcp; the client must use the same
proto tcp
;proto udp
# tap (L2, bridged) rather than tun
dev tap0
;dev tun
# per-client settings under /etc/openvpn/ccd
client-config-dir ccd
client-to-client
duplicate-cn
# tls-auth key; the server side uses direction 0 (clients use 1)
tls-auth ta.key 0
# certificates and keys, relative to /etc/openvpn/
ca ca.crt
cert server.crt
key server.key
# drop root privileges after startup
user nobody
group nobody
# DH parameters
dh dh1024.pem
# status and log files
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
# bridge mode instead of "server": bridge IP, netmask, then the client address pool
;server 10.8.0.0 255.255.255.0
server-bridge 10.0.0.10 255.0.0.0 10.0.0.50 10.0.0.100
# reject certificates listed in the CRL
crl-verify crl.pem

Starting the OpenVPN server
1. # cd /etc/openvpn
   # ./bridge-start
2. Check that eth0 and tap0 are in br0:
   # brctl show
   # ifconfig
3. Start OpenVPN:
   # service openvpn start
OpenVPN client setup
1. Install the OpenVPN client
2.
3.
4.

Client software: OpenVPN GUI for Windows, http://openvpn.se/ ; Tunnelblick, an OpenVPN client for Mac OS X, http://code.google.com/p/tunnelblick/

Client certificate
1. On the CA:
   # cd /etc/openvpn/easy-rsa
   # source vars
2. Build a passphrase-protected key and certificate for the client (here client1; enter the passphrase twice, answer y to both [y/n] prompts):
   # ./build-key-pass client1
   The results are keys/client1.crt and keys/client1.key.

Installing the client files
1. Copy ca.crt (the CA certificate), ta.key, client1.crt and client1.key into "C:\Program Files\OpenVPN\config"

Client configuration file (a .ovpn file in the same config directory; the slide leaves the server address after "remote" blank):
pull
tls-client
dev tap
proto tcp-client
remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3

ca is the CA certificate, cert and key are this client's certificate and key, and tls-auth uses direction 1 on the client (the server uses 0). With tap/bridge mode the client OS's TAP adapter receives an IP address from the server's network (the server-bridge pool).

Notes: proto must match the server (UDP vs TCP). ns-cert-type server makes the client accept only a server certificate carrying nsCertType=server; build-key-server sets that extension and build-key does not, so an ordinary client certificate issued by the same CA cannot be used to impersonate the server.

Connecting
1. In the Windows OpenVPN GUI choose Connect
2. Check View Log for errors
3. Confirm with PING across the VPN