SSL

Crossed-signed chain

cat example.com.crt GandiStandardSSLCA2.pem USERTrustRSAAddTrustCA.crt > example.com.sha2crossed.crt

Let’s Encrypt

$ sudo apt-get install certbot -t jessie-backports
$ certbot certonly -w /var/www/example.com -d example.com --config-dir ~/letsencrypt/etc --work-dir ~/letsencrypt/lib --logs-dir ~/letsencrypt/log
$ cat /etc/nginx/sites-available/example.com | grep ssl
        ssl_certificate ~/letsencrypt/etc/live/example.com/fullchain.pem;
        ssl_certificate_key ~/letsencrypt/etc/live/example.com/privkey.pem;
$ certbot renew --dry-run --config-dir ~/letsencrypt/etc --work-dir ~/letsencrypt/lib --logs-dir ~/letsencrypt/log

Ref:

https://letsencrypt.org/getting-started/
https://certbot.eff.org

fail2ban on freebsd with pf

% sudo pkg install py27-fail2ban

% sudo vim /usr/local/etc/fail2ban/jail.local

[ssh-pf]
enabled = true
filter = sshd
action = pf
logpath = /var/log/auth.log

% sudo vim /usr/local/etc/fail2ban/action.d/pf.conf

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32

[Init]
tablename = fail2ban

% sudo vim /etc/pf.conf

table <fail2ban> persist
block in on $ext_if from <fail2ban>

% sudo vim /etc/rc.conf

fail2ban_enable="YES"

% sudo service pf reload
% sudo service fail2ban restart

% sudo pfctl -t fail2ban -T show

http://www.fail2ban.org/wiki/index.php/Talk:HOWTO_use_geoiplookup
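The ban decision behind the `sshd` filter and the `pf` action above, as an added illustration (not fail2ban's own code): a sliding-window counter over constructed FreeBSD auth.log lines that reports which source addresses would be handed to `pfctl -t fail2ban -T add`, using fail2ban's default maxretry/findtime semantics.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log lines in FreeBSD syslog format (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51522 ssh2
Mar  3 10:15:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 51522 ssh2
Mar  3 10:15:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51530 ssh2
Mar  3 10:15:07 host sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51531 ssh2
Mar  3 10:15:09 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51532 ssh2
Mar  3 10:16:00 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:16:30 host sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar  3 11:00:00 host sshd[1300]: Failed password for root from 192.0.2.9 port 22222 ssh2
Mar  3 11:30:00 host sshd[1301]: Failed password for root from 192.0.2.9 port 22223 ssh2
"""

# Matches the "Failed password" events the sshd filter keys on; captures timestamp and source IP.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9.]+) port \d+ ssh2$")

def find_bans(log_text, maxretry=5, findtime=600, year=2024):
    """Return {ip: ban_time} for IPs with >= maxretry failures inside a findtime-second window.
    Syslog lines carry no year, so one is assumed (hypothetical value)."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # e.g. "Accepted publickey" is not a failure
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans:
            continue                # already banned; pf drops its traffic from here on
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()             # failures older than findtime no longer count
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

def pf_ban_commands(bans, tablename="fail2ban"):
    """Render the pfctl commands the pf action from the notes would run (not executed here)."""
    return [f"/sbin/pfctl -t {tablename} -T add {ip}/32" for ip in sorted(bans)]

if __name__ == "__main__":
    for cmd in pf_ban_commands(find_bans(SAMPLE_LOG)):
        print(cmd)
```

Two failures half an hour apart (192.0.2.9) never reach maxretry within the default 600-second findtime, which is why the window is trimmed before counting.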

Windows Server 2008 self-signed certificate expires

A self-signed certificate is issued for web services (IIS) with a default validity period of 2 years. After that time, users of the web services are prompted with a dialog box asking whether they still want to access a service that uses an expired certificate. Outlook users can also see this dialog box. The box appears every time a new connection is made.

To prevent this, we need to issue a new certificate to replace the old one. Self-signed certificates cannot be renewed.

We can easily do this using the “Fix my network” wizard. On SBS 2008, it can be accessed under Network => Connectivity in the SBS console. I think we can use this same wizard to reissue a certificate up to a month before the old one expires.

sources:
http://technet.microsoft.com/en-us/library/dd378790(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc546020(v=ws.10).aspx

login to unix remote with rsa key pair from windows

On the Windows client, we need:

  • PuTTY
  • PuTTYgen
  • Pageant

Use PuTTYgen to make a key pair, save the private key to a file and copy the public key to the clipboard. Add the key to Pageant.

On the Unix remote, edit ~/.ssh/authorized_keys and add the public key from the Windows clipboard (one line).

Use PuTTY to log in to the remote. WinSCP also uses Pageant when possible.