Security Basics mailing list archives

Re: How to setup a secure SSL certificate authority machine


From: Brad Edmondson <brad.edmondson () tufts edu>
Date: Tue, 19 May 2009 11:07:52 -0400

You can also look at FWKnOp (firewall knock operator) to protect your ssh instance. It can be used to allow IPs with iptables only after receiving a single signed (client cert, anti-replay), encrypted packet. No ports need to be open to the world as fwknop listens with libpcap and not as a service.

http://www.cipherdyne.org/fwknop/

You may as well use denyhosts or fail2ban as well as d-i-d for your ssh.
http://denyhosts.sourceforge.net/
http://www.fail2ban.org/

Regards,
Brad Edmondson

Lars wrote:
Hi

I'm currently working on setting up something similar. Something
off the top of my head...:
 - An https admin page which you will need a client certificate to
access, and an opie (one-time password) OR yubikey..
 - When you are logged in, you can tell the server to generate an
iptables rule to allow your ip to access SSH.
 - Log into SSH with an ssh key with password.
 - Generate the certificate..

The cert server won't have any ports listening as standard, except ssh,
but that will be blocked until you allow it from your secure web page.

And, use encrypted hdd, so no one can steal the remote machine :)

Regards
  Lars

On Wed, May 13, 2009 at 9:53 PM,  <sabatorg () gmail com> wrote:
I am working for a company that has several internal CAs which are used to sign internal certificates. We use a laptop 
which has no network connectivity and is stored in a lock-box while not in use for all of our key management. SSL keys are 
transported with a USB stick which is also stored along with the key machine. This makes it impossible for the security 
engineers to do any key management while they are not at the office (after hours, weekends, vacation, etc).

I would like to make the key machine accessible remotely but put some heavy restrictions on it. Some of the thoughts 
that I had were:
1. Have a server in a raised floor environment with physical security as well as a server rack lock.
2. Run some variant of Linux and require SSH key authentication to the host. This way I can enforce multi-factor 
authentication (ssh key and pass-phrase on the key). I can also make remote management be tunneled through the SSH 
connection.
3. Have a VirtualBox guest be the keymachine.
4. Set up an encrypted partition with a password on it for the Guest machine files and not have the partition mounted 
when the key machine is not in use.

Any feedback would be great!

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a 
laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
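
The signed, anti-replay knock described at the top of this thread, as an added example that is not part of the original messages and is not fwknop's code or wire format. The packet layout, `KEY`, `MAX_SKEW` and the function names are assumptions made for illustration, and encryption of the packet is left out because the Python standard library has no cipher.

```python
import hashlib, hmac, ipaddress, os, struct, time

KEY = b"constructed-demo-key"   # constructed sample key, not a real secret
MAX_SKEW = 60                   # seconds a knock stays valid (assumed value)
_seen = set()                   # digests of knocks already accepted

def make_knock(key, client_ip, now=None):
    """Client: 16 random bytes | 8-byte timestamp | IPv4 address | HMAC-SHA256."""
    ts = int(time.time() if now is None else now)
    body = (os.urandom(16) + struct.pack("!Q", ts)
            + ipaddress.IPv4Address(client_ip).packed)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_knock(key, packet, src_ip, now=None):
    """Listener: return the iptables rule to add, or None to stay silent."""
    if len(packet) != 16 + 8 + 4 + 32:
        return None                      # wrong size, ignore without replying
    body, tag = packet[:28], packet[28:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # not signed with the shared key
    ts = struct.unpack("!Q", body[16:24])[0]
    now = time.time() if now is None else now
    if abs(now - ts) > MAX_SKEW:
        return None                      # stale capture sent again much later
    claimed = str(ipaddress.IPv4Address(body[24:28]))
    if claimed != src_ip:
        return None                      # signed for a different source address
    digest = hashlib.sha256(packet).digest()
    if digest in _seen:
        return None                      # exact packet already used once
    _seen.add(digest)
    # The rule is only returned as text here; a real listener would also
    # schedule its removal so the SSH port closes again after a short window.
    return f"iptables -I INPUT -s {claimed} -p tcp --dport 22 -j ACCEPT"

if __name__ == "__main__":
    knock = make_knock(KEY, "192.0.2.10")           # constructed documentation IP
    print(verify_knock(KEY, knock, "192.0.2.10"))   # rule for the first use
    print(verify_knock(KEY, knock, "192.0.2.10"))   # None: replay rejected
```

Every rejection path returns nothing and sends nothing, which is what lets the listener sit behind a default-drop firewall with no open port.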