I am wondering if it is possible to implement something like mutual handshake authorization between logstash and logstash-forwarder?
At the moment, I know that logstash provides ssl certificates
for security, but I am not sure if this is the best way to protect my logs flow.
The certificates are not safe enough in my case. If they will get stolen then you are in danger.. Looking for something else that may help. Thanks!
The Logstash forwarder project has been deprecated in favor of the Filebeat project.
Generally, you should now prefer using Filebeat over Logstash forwarder. Moreover, Filebeat allows you to set up TLS client authentication, which is what you're after.
Well, seems like I was looking for mutual authentication between LSF (or FileBeat) and Logstash.
Here is what I found - there is an open issue, while it is opened, the problem is not solved.
Here is some discussion on this topic:
filebeat has same support as logstash-forwarder used to have, plus some more fine-grained TLS configs (e.g. choose TLS version or configure ciphers). Connection can encrypted via TLS + server certificated is validated. Filebeat itself supports TLS client-auth, BUT logstash must enforce (ask for certificate) client authentication, which is not implemented yet (see github issue).
Related
I am trying to configure Celery on my Django web server securely and I can figure out two alternatives on achieving this. Either securing the broker or signing the messages.
Celery, needs a message broker in which case is RabbitMQ.
I am using a "RabbitMQ as a service" implementation, which means that the RabbitMQ server is reached through the internet using the amqp protocol.
The service provider distributes an amqp uri, and also supports amqps:
The "amqps" URI scheme is used to instruct a client to make an secured connection to the server.
Apparently, this is what I need, otherwise all my messages will be circulating around the net, naked on the wire.
In order to use amqps, celery needs the following configuration:
import ssl
BROKER_USE_SSL = {
'keyfile': '/var/ssl/private/worker-key.pem',
'certfile': '/var/ssl/amqp-server-cert.pem',
'ca_certs': '/var/ssl/myca.pem',
'cert_reqs': ssl.CERT_REQUIRED
}
Question:
Where can I find those .pem files?
According to RabbitMQ docs, I have to create them myself and configure the RabbitMQ server to use them.
However, I am not running the server. As stated above I have a "RabbitMQ as a service" provider who supports amqps. Should I ask him to provide me with those .pem files?
Celery, can also sign messages.
(Trying this approach, I get a No encoder installed for auth error which I reported.)
Question: Does this mean that I can use my certificates to secure the connection as an alternative configuration to BROKER_USE_SSL?
There is also a note regarding message signing:
auth serializer won’t encrypt the contents of a message, so if needed
this will have to be enabled separately.
Subquestion: Does encrypting the contents of a message protect me from the "current" RabbitMQ server administrator while "message signing" only protects me while on the wire towards that server?
Apparently I am somehow confused but I would not like to create any kind of insecure traffic over the internet for any reason. I would appreciate your help.
When configuring for CloudAMQP, you need to set BROKER_USE_SSL to True and the BROKER_URL as shown below:
BROKER_USE_SSL = True
BROKER_URL = 'amqp://user:pass#hostname:5671/vhost'
Note the port number 5671, and keep 'amqp'.
If you are running your own Rabbit setup checkout this to make it secure.
https://www.rabbitmq.com/ssl.html
I feel lost trying to figure out what my options are. Apache's programmers guide and administrators guide do not detail anything substantial. My O'Reilly Zookeeper book barely talks about security... did I miss something? I was hoping to find tutorials through google about authenticating client connections, authorizing actions, and encrypting messages sent between zookeepers and client.
I had a lot of trouble but I figured it out and the links at the bottom where a huge help to me.
This code (using Curator) was something hard to figure out:
List<ACL> myAclList = new ArrayList<ACL>();
aclList.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS));
client.create(withACL(myAclList)).forPath(myPath);
If I setup the zookeeper configuration correctly, then it will enforce that only the AUTH_IDS will be allowed to access my ZNode.
Ofiicial documentation, My mailing list Q1, My mailing list Q2, JIRA that I found useful, but some items are out of date
Since zookeeper version 3.5.4-beta, you are able to enable using client certificates to secure communication to a remote zookeeper server:
Client
ZooKeeper client can use Netty by setting Java system property:
zookeeper.clientCnxnSocket="org.apache.zookeeper.ClientCnxnSocketNetty"
In order to do secure communication on client, set this Java system property:
zookeeper.client.secure=true
Note that with "secure" property set the client could and should only connect to server’s “secureClientPort” which will be described shortly.
Then set up keystore and truststore environment by setting the following Java system properties:
zookeeper.ssl.keyStore.location="/path/to/your/keystore"
zookeeper.ssl.keyStore.password="keystore_password"
zookeeper.ssl.trustStore.location="/path/to/your/truststore"
zookeeper.ssl.trustStore.password="truststore_password"
Server
ZooKeeper server can use Netty by setting this Java system property:
zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"
ZooKeeper server also needs to provide a listening port to accept secure client connections. This port is different from and running in parallel with the known “clientPort”. It should be added in “zoo.cfg”:
secureClientPort=2281
All secure clients (mentioned above) should connect to this port.
Then set up keystore and truststore environment like what client does.
More info here:
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
We run a nodejs https server and we noticed in one of the online SSL checker tools that we use old ciphers (And generally bad TLS options).
We don't really know much about this thing so we were wondering if there is any recommended ciphers list or specific nodejs TLS options we should pass in order to make sure we are most secured.
Thanks
P.S.
This is the online checker we use: https://www.ssllabs.com/ssltest/index.html
We would really like to get an A there
For future reference, i ended up using nginx for SSL termination, and used this guide for securing my ssl connections: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
I need to secure my .NET Remoting by SSL.
I'm using TCPChannel and I can't switch to HTTPChannel and use IIS to add the SSL.
Thus, what I figured out, I need to create my own Sink that will encrypt the streams going to/from Client/Server. For that, I found good article at MSDN: http://msdn.microsoft.com/en-us/magazine/cc300447.aspx. However, that article is developing the crypt, handshake, etc.
I do not want to "reinvent the wheel". I'm afraid of making mistakes when developing this logic on my own. I would rather like to use some SSL implementation (e.g. SslStream or OpenSSL) that will do that stuff for me.
Can I use SslStream or OpenSSL in .NET Remoting with the TCPChannel?
Would you suggest a simple usage?
Thank you for your help.
Consider switching over to WCF.
Alternatively, Remoting should be able to do the equivalent of using WCF with ClientCredentialType set to Windows, if you specify secure='true' in your remoting configuration on both client and server side. TcpChannel will start using SSL under the hood to encrypt the communication, using user credentials for key material. On client side, this also has the implied effect of setting tokenImpersonationLevel='identify' which means that the server will not impersonate the user account under which the client is executing, but it will know who connected to it (assuming the client and the server run in the same AD domain). For performance reasons, set useAuthenticatedConnectionSharing to true on the client side.
How can I identify the cipher strength of an active https connection to a linux redhat apache webserver. I want to harden my web server by removing lower strength ciphers and would like to check if clients are even using them.
EDIT
My goal is to avoid negative impact of removal of a lower security cipher that a client relies on. Worst case scenario there is a stupid non browser (or old browser) app that is using an old insecure cipher, when I disallow the use of this cipher his/her app could break. I'm trying to proactively identify if there are any apps/browsers using any of the ciphers I'm going to disable.
You can identify unsuccessful handshakes by enabling the appropriate level of logging on mod_ssl. See the Custom Log Formats section on http://httpd.apache.org/docs/2.2/mod/mod_ssl.html, notably
CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
This should enable you to make a list of ciphers requested by clients and configure Apache accordingly.
Your question and your goal aren't necessarily related. Each active connection may use a difference cipher based on the combination of: (a) the capabilities on the server (b) the capabilities of the client (c) cipher preference of the server and client. Looking at any individual connection will not tell you if your SSL configuration is optimal.
If your goal is to harden your SSL configuration, I suggest you use
the SSL Server Test from SSL labs. It grades your server configuration based on known SSL vulnerabilities and best practices.
The last time I updated my SSL configuration I used the configuration tips from this blog post. Note that understanding of SSL vulnerabilities is constantly changing so I suggest you rerun the test every once in a while to ensure your configuration is the best that is currently known.