[kwlug-disc] Stronger SSH keys and SSL certificates

Jonathan Poole jpoole at digitaljedi.ca
Sun Apr 20 21:42:15 EDT 2014


My general rule of thumb these days is, no root password, no passwords at all actually.  Keys for everything, no root ssh logins allowed.  I’ve even gone as far as port knocking with just a set of iptables rules, not with knockd.

I generally have bastion hosts that are used to bridge between src and dst. DST hosts only allow ssh from bastion hosts, and bastion hosts are locked down as best as one can get. Bastion hosts are audited, with multiple syslog locations. This can be achieved in the cloud as well as on bare metal. Key changing is done when any employee leaves, and ‘scanners’ are used frequently to keep an eye out for vulnerabilities.

I may be a bit weird, in using my CI system to run these scanners and vulnerability checks, to not only keep an eye on things, but as a good check and baseline. Not sure if a CI system is best used for this, but I like to see if we’re making any progress from day to day when we find and address issues, while new issues pop up.

In the cloud the Heartbleed bug was pretty easily addressed in my environment. I consider all instances in the cloud ‘throwaway’, so I just re-keyed and scorched the earth, rebuilt within a few minutes (my infrastructure is not that big right now, so it was pretty easy).

Regards, 
Jonathan D. Poole


On Apr 20, 2014, at 5:18 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:

> For SSH
> 
> My question was mainly about SSH keys, which I am thinking of replacing just in case, and want to know what are the best hardening practices. 
> 
> Number of bits is one factor, yes. What about cipher choices, ...etc.?
> 
> For SSL ...
> 
> The self signed SSL certificate example is for internal use, mainly testing and experimenting. It is not meant to be exposed to real site visitors, since people will freak out if their browser says "hey, this is not vouched for". So don't worry about that. The question is mainly for when a real SSL certificate is needed.
> 
> 
> -- 
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
> "For every complex problem, there is an answer that is clear, simple, and wrong." -- H.L. Mencken
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
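As an added example, not code from anyone in this thread: Jonathan's policy above (keys for everything, no passwords, no root ssh logins) comes down to a handful of sshd_config directives, and the easiest way to keep a fleet honest about them is an automated check of the kind he runs from CI. The POSIX shell script below reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins; absent keywords fall back to the 2014-era defaults, which allowed root login and password authentication) and reports whether a file meets the key-only policy. The two sample config files and the `sshd_effective` / `sshd_keys_only` function names are constructed for this illustration; the script does not handle `Match` blocks.

```shell
#!/bin/sh
# Added example (not from the original post). Audits an sshd_config for the
# "keys only, no root login" policy described in the thread.

# sshd_effective FILE KEYWORD DEFAULT
# Print the effective value of KEYWORD. sshd uses the first uncommented
# occurrence of a keyword, so that is what is reported; DEFAULT when absent.
# Keyword comparison is case-insensitive, like sshd's. Match blocks are ignored.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ { next }                         # skip comments
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# sshd_keys_only FILE
# Returns 0 only when every setting below holds. Defaults passed in are the
# sshd defaults of the time (root login and password auth both allowed), so a
# stock config that never mentions a directive is reported as failing.
sshd_keys_only() {
    f="$1"
    [ "$(sshd_effective "$f" PermitRootLogin yes)" = "no" ]               || return 1
    [ "$(sshd_effective "$f" PasswordAuthentication yes)" = "no" ]        || return 1
    [ "$(sshd_effective "$f" ChallengeResponseAuthentication yes)" = "no" ] || return 1
    [ "$(sshd_effective "$f" PubkeyAuthentication yes)" = "yes" ]         || return 1
    return 0
}

# Constructed sample configs: a distro default (everything commented out, so
# sshd falls back to its permissive defaults) and a hardened one.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/sshd_config.weak" <<'EOF'
# Default settings shipped by many distributions circa 2014
Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
EOF
cat > "$DEMO_DIR/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

# Report one line per file, in the style a CI job would log.
for cfg in "$DEMO_DIR/sshd_config.weak" "$DEMO_DIR/sshd_config.hardened"; do
    if sshd_keys_only "$cfg"; then
        echo "PASS keys-only policy: $cfg"
    else
        echo "FAIL keys-only policy: $cfg"
    fi
done
```

Run it against `/etc/ssh/sshd_config` on a bastion host from a CI job and fail the build on a non-zero return; the weak sample fails because a commented-out directive still leaves sshd at its permissive default, which is the trap the check is meant to catch.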


