Being security conscious (some people might call me paranoid), I would like to see an interface that allows for the creation of id_rsa keys for any user that needs ssh access.
Also, I know that Webmin can be secured using timed authentication tokens (Google authentication or Authy api), I would like to something similar in Nethserver, as well as a module that allows the use of port-knocking techniques.
Whilst I am on this topic, it would be nice to have control over apache SSL / x509 certificates (being able to create new certificates and able to import certificates that may have been purchased by Verisign, Commodo, GeoTrust etcā¦)
One more thing, I would like to create and remove more administrators for the web-based admin interface (personaly, I donāt like to have a user called root that has access to the admin panel, also I donāt like to have a user called āadminā), maybe using ACLs to control what other admins have access to.
Thank you Mark, Iām often considered ātoo security consciousā and Iād like to improve security sensitive areas. Hereāre some comments, I hope to move to the issue tracker towards an implementation we could agree on.
We already have an old issue about this (http://dev.nethserver.org/issues/2908), but we never did any development because no one really asked for it, until now at least
I have incorporated a Port Knocking daemon within Nethserver (knockd) and am wondering if anybody could suggest a MS Windows and Android / Cross-platform based GUI client application.
I know I could use something like nmap to touch the relevent ports, but would like a GUI based client that allows for both UDP and TCP ports.
Just realized, Knockd just uses iptables and not shorewall (I am attempting to setup shorewall based on the shorewall guide - http://shorewall.net/PortKnocking.html ).
Unfortunately I canāt find my notes on port knocking.
I think Iāve used the official shorewall docs: http://shorewall.net/Events.html#idp8774939168
I remeber itās been quick and easy.
Just wondering, is there any more consideration to allow for multiple administration accounts within NS7 UI and if so, will there be any options to specify what modules other (sub)admin / moderator / managment users can have access to?
I hope being in the subject, but, why not just offering the :980 over SSH ?
On almost all my server I managed the WebUI internet is never open throughout the Internet
And itās easy to forget
You just need to make a .ssh/config and include something like
LocalForward 9800 127.0.0.1:980
If your relay paranoid Iāll also suggest you the use ed25519 instead of rsa
or at least reshake your moduli and server key with more entropy
yum -y install haveged
ssh-keygen -G /etc/ssh/moduli -b 4096
awk ā$5 > 2000ā /etc/ssh/moduli > ā${HOME}/moduliā
wc -l ā${HOME}/moduliā # make sure there is something left
mv ā${HOME}/moduliā /etc/ssh/moduli
cd /etc/ssh
rm -Rf ssh_host_*
ssh-keygen -t ed25519 -f ssh_host_rsa_key < /dev/null
ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null
so, IIUC, you have an usbkey on your server with keys to decrypt your fs on bootā¦
I guess youāre talking about physical server, that nowadays is becoming quite rare
usbkeys are prone to error
this makes no sense by a security point of view IMO: once I put my hands on your server, I have the key to decrypt your dataā¦ so no securityā¦ if I enter in your server from remote (exploiting some app) I have access to your data tooā¦
The USBKey is on my KeyRing
so if my USBKey is on the server itās probably because Iām close
In small business figure, the USBKey must be with all others keys of the company
my point is no reboot should being planned.
If itās happen, someones with authority of accessing all those keys will call the sysadmin.
Like all keys in a company you should have at least one copy of it.
But the inSecurity is to do nothing
The Best Security is the Onion Concept