Just because I am paranoid, doesn't mean they aren't hacking my servers

Being security conscious (some people might call me paranoid), I would like to see an interface that allows for the creation of id_rsa keys for any user that needs ssh access.

Also, I know that Webmin can be secured using timed authentication tokens (Google authentication or Authy api), I would like to see something similar in Nethserver, as well as a module that allows the use of port-knocking techniques.

Whilst I am on this topic, it would be nice to have control over apache SSL / x509 certificates (being able to create new certificates and able to import certificates that may have been purchased by Verisign, Comodo, GeoTrust etc…)

One more thing, I would like to create and remove more administrators for the web-based admin interface (personally, I don’t like to have a user called root that has access to the admin panel, also I don’t like to have a user called ‘admin’), maybe using ACLs to control what other admins have access to.

Thank you Mark, I’m often considered “too security conscious” and I’d like to improve security sensitive areas. Here’re some comments, I hope to move to the issue tracker towards an implementation we could agree on.

I’d offer a field on the user page to upload an ssh pub key. Now I use the shell to copy the pub key.
I implemented port knocking following this guide:
http://shorewall.net/PortKnocking.html
I use a certificate bought from a CA, support is documented here:
http://docs.nethserver.org/projects/nethserver-devel/en/latest/certificate_management.html#install-a-custom-certificate
The admin interface (server-manager) supports ACLs and delegation of roles to different users. We need to exploit the underlying support to make it easy to delegate access to sections of the interface.

Please let me know what you think.

1 Like

Do you have documentation? I can’t find it in http://docs.nethserver.org/en/latest/ and http://docs.nethserver.org/projects/nethserver-devel/en/latest/index.html

1 Like

No, it is an unused feature, still undocumented.

The base.json file defines roles by mapping to groups:

  • administrators
  • managers

That means if a group managers (or administrators) exists, its members inherit special privileges on the Server Manager.

We already have an old issue about this (http://dev.nethserver.org/issues/2908), but we never did any development because no one really asked for it, until now at least :smile:

I have incorporated a Port Knocking daemon within Nethserver (knockd) and am wondering if anybody could suggest a MS Windows and Android / Cross-platform based GUI client application.

I know I could use something like nmap to touch the relevant ports, but would like a GUI based client that allows for both UDP and TCP ports.

Just realized, Knockd just uses iptables and not shorewall (I am attempting to setup shorewall based on the shorewall guide - http://shorewall.net/PortKnocking.html ).

Hi Mark,
maybe @filippo_carletti can lend you a hand about this…
Can you share some of your developments?

1 Like

Unfortunately I can’t find my notes on port knocking.
I think I’ve used the official shorewall docs:
http://shorewall.net/Events.html#idp8774939168
I remember it’s been quick and easy.

Just wondering, is there any more consideration to allow for multiple administration accounts within NS7 UI and if so, will there be any options to specify what modules other (sub)admin / moderator / management users can have access to?

I strongly want this and many users asked for it in the past; I hope that with NS7 we can finally implement it.
@stephdl and @davidep made some work on it

1 Like

I hope this is on topic, but why not just offer the :980 over SSH?
On almost all the servers I manage, the WebUI is never open to the Internet

And it’s easy to forget
You just need to make a .ssh/config and include something like

LocalForward 9800 127.0.0.1:980

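If you’re really paranoid, I’d also suggest you use ed25519 instead of rsa,
or at least reshake your moduli and server key with more entropy

yum -y install haveged
# generate candidate primes, then screen them (sshd only uses screened entries)
ssh-keygen -G /etc/ssh/moduli.all -b 4096
ssh-keygen -T /etc/ssh/moduli -f /etc/ssh/moduli.all
rm -f /etc/ssh/moduli.all
awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
wc -l "${HOME}/moduli" # make sure there is something left
mv "${HOME}/moduli" /etc/ssh/moduli
cd /etc/ssh
rm -Rf ssh_host_*
# -N "" sets an empty passphrase so the host keys load unattended
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" < /dev/null
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null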

You might also consider to use a SSH Bastion.

3 Likes
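As an added example (not part of the original post), a small audit of a moduli file that goes one step further than the `awk '$5 > 2000'` filter above: it also counts entries that sshd will not use because they were never screened. The function names and the sample lines are constructed for illustration; the column meanings (type, tests, size) follow moduli(5).

```shell
#!/bin/sh
# audit_moduli FILE [MIN_BITS]  (hypothetical helper, not from the thread)
# Columns per moduli(5): time type tests trials size generator modulus
#   type  2 = safe prime usable for DH group exchange
#   tests bit 0x01 = composite; 0x02 = sieve; 0x04 = Miller-Rabin
audit_moduli() {
    awk -v min="${2:-2000}" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        {
            type = $2; tests = $3; size = $5
            # not a screened safe prime: wrong type, untested, or composite
            if (type != 2 || tests < 2 || tests % 2 == 1) unscreened++
            else if (size <= min) weak++       # same cut-off as $5 > 2000
            else usable++
        }
        END { printf "usable=%d weak=%d unscreened=%d\n",
                     usable, weak, unscreened }
    ' "$1"
}

# Constructed sample input: the moduli are short fake hex strings.
sample_moduli() {
    cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 2047 2 C0FFEE01
20240101000000 2 6 100 1535 2 C0FFEE02
20240101000000 4 2 0 4095 0 C0FFEE03
20240101000000 2 6 100 4095 5 C0FFEE04
EOF
}

# Stand-alone demo run on the constructed sample.
tmp=$(mktemp) && sample_moduli > "$tmp" && audit_moduli "$tmp"
rm -f "$tmp"
```

On a real host, run `audit_moduli /etc/ssh/moduli` before restarting sshd; a non-zero `unscreened` count means those lines are dead weight.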

Depending on where your server is and who/how many people should have physical access to it,

it would be worth encrypting all your disks with luks,
then auto-opening the luks on boot via keyfiles on a USB key with dracut,
which gives something like:

yum install dracut-fips

vi /etc/default/grub
    GRUB_CMDLINE_LINUX="crashkernel=auto rd.luks.uuid=luks-xxxxx-xxxx-xxxxx rd.luks.key=/Key.file:LABEL=USBKey rd.lvm.lv=VolumeGroup/root rd.lvm.lv=VolumeGroup/swap rhgb quiet"

vi /etc/dracut.conf
    # keep the spaces inside the quotes: += appends to any existing list
    omit_dracutmodules+=" systemd "
    add_dracutmodules+=" crypt lvm "
    filesystems="xfs vfat" # add ext4 if you use ext4

# the file grub2 reads at boot is grub.cfg
grub2-mkconfig -o /boot/grub2/grub.cfg
dracut -fv

so, IIUC, you have a usbkey on your server with keys to decrypt your fs on boot…

  1. I guess you’re talking about physical server, that nowadays is becoming quite rare
  2. usbkeys are prone to error
  3. this makes no sense from a security point of view IMO: once I put my hands on your server, I have the key to decrypt your data… so no security… if I enter in your server from remote (exploiting some app) I have access to your data too…

my 2€c

Of course you have some points

  • Should I have said: put a password on your BIOS Setup

  • Remove the possibilities to boot on USB Key

  • Put a password on your Grub

  • The USBKey is on my KeyRing
    so if my USBKey is on the server it’s probably because I’m close :wink:

In a small business, the USBKey must be with all the other keys of the company
my point is no reboot should be planned.
If it happens, someone with the authority to access all those keys will call the sysadmin.
Like all keys in a company you should have at least one copy of it.

But the inSecurity is to do nothing
The Best Security is the Onion Concept

1 Like

fine… it means that if your server reboots during the night and you’re away it won’t boot :slight_smile:

anyway, there are many things we can do to improve security and everyone here is free to adopt all the measures he feels necessary

yep I have a better sleep like that :wink:

maybe you prefer this one
it’s almost the same but your keyfile is reached through SSH