Securing zookeeper, where to start? - security

I feel lost trying to figure out what my options are. Apache's programmers guide and administrators guide do not detail anything substantial. My O'Reilly Zookeeper book barely talks about security... did I miss something? I was hoping to find tutorials through google about authenticating client connections, authorizing actions, and encrypting messages sent between zookeepers and client.

I had a lot of trouble but I figured it out and the links at the bottom where a huge help to me.
This code (using Curator) was something hard to figure out:
List<ACL> myAclList = new ArrayList<ACL>();
aclList.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS));
client.create(withACL(myAclList)).forPath(myPath);
If I setup the zookeeper configuration correctly, then it will enforce that only the AUTH_IDS will be allowed to access my ZNode.
Ofiicial documentation, My mailing list Q1, My mailing list Q2, JIRA that I found useful, but some items are out of date

Since zookeeper version 3.5.4-beta, you are able to enable using client certificates to secure communication to a remote zookeeper server:
Client
ZooKeeper client can use Netty by setting Java system property:
zookeeper.clientCnxnSocket="org.apache.zookeeper.ClientCnxnSocketNetty"
In order to do secure communication on client, set this Java system property:
zookeeper.client.secure=true
Note that with "secure" property set the client could and should only connect to server’s “secureClientPort” which will be described shortly.
Then set up keystore and truststore environment by setting the following Java system properties:
zookeeper.ssl.keyStore.location="/path/to/your/keystore"
zookeeper.ssl.keyStore.password="keystore_password"
zookeeper.ssl.trustStore.location="/path/to/your/truststore"
zookeeper.ssl.trustStore.password="truststore_password"
Server
ZooKeeper server can use Netty by setting this Java system property:
zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"
ZooKeeper server also needs to provide a listening port to accept secure client connections. This port is different from and running in parallel with the known “clientPort”. It should be added in “zoo.cfg”:
secureClientPort=2281
All secure clients (mentioned above) should connect to this port.
Then set up keystore and truststore environment like what client does.
More info here:
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide

Related

NodeJS how to secure socket.io sessions across different countries

I'm making a nodejs application that will act a server for other sites in different countries as the data being transmitted will be business related data. I would like to know how I can safely/securely send this data.
I am currently using socket.io to act as my main server (Master) on other sites there are (Slave) servers that handle the data from the master server.
I have got this working in a local environment but want to deploy this in the other sites.
I have tried to Google this to see if anyone else has done this but came across socket.io sessions but I don't know if this will fit with (Server->Server) connections.
Any help or experience would be grateful.
For server-server communication where you control both ends of the communication you can use WebSocket over HTTPS, you can use TCP over SSH tunnel or any other encrypted tunnel. You can use a PubSub service, a queue service etc. There are a lot of ways you can do it. Just make sure that the communication is encrypted either natively by the protocols you use or with VPN or tunnels that connect your servers in remote locations.
Socket.io is usually used as a replacement for WebSocket where there is no native support in the browser. It is rarely used for server to server communication. See this answer for more details:
Differences between socket.io and websockets
If you want a higher level framework with focus on real-time data then see ActionHero:
https://www.actionherojs.com/
For other options of sending real-time data between servers you can use some shared resource like a Redis database or some pub/sub service like Faye or Kafka, or a queue service like ZeroMQ or RabbitMQ. This is what is usually done to make things like that work across multiple instances of the server or multiple locations. You could also use a CouchDB changes feed, or a similar feature of RethinkDB to make sure that all of your instances get all the data as soon as it is posted by any one of them. See:
http://docs.couchdb.org/en/2.0.0/api/database/changes.html
https://rethinkdb.com/docs/changefeeds/javascript/
https://redis.io/topics/pubsub
https://faye.jcoglan.com/
https://kafka.apache.org/
Everything that uses HTTP is easy to encrypt with HTTPS. Everything else can be encrypted with a tunnel or VPN.
Good tools that can add encryption for protocols that are not encrypted themselves (like e.g. the Redis protocol) are:
http://www.tarsnap.com/spiped.html
https://www.stunnel.org/index.html
https://openvpn.net/
https://forwardhq.com/help/ssh-tunneling-how-to
See also:
https://en.wikipedia.org/wiki/Tunneling_protocol
Note that some hosting services may give you preconfigured tunnels or internal network interfaces that pass data encrypted between your servers located in different data centers of that provider. Some providers give you tools and tutorials to that easily as well.

Celery - RabbitMQ as a Service - Broker Secure Connection (TSL/SSL) - Message Signing

I am trying to configure Celery on my Django web server securely and I can figure out two alternatives on achieving this. Either securing the broker or signing the messages.
Celery, needs a message broker in which case is RabbitMQ.
I am using a "RabbitMQ as a service" implementation, which means that the RabbitMQ server is reached through the internet using the amqp protocol.
The service provider distributes an amqp uri, and also supports amqps:
The "amqps" URI scheme is used to instruct a client to make an secured connection to the server.
Apparently, this is what I need, otherwise all my messages will be circulating around the net, naked on the wire.
In order to use amqps, celery needs the following configuration:
import ssl
BROKER_USE_SSL = {
'keyfile': '/var/ssl/private/worker-key.pem',
'certfile': '/var/ssl/amqp-server-cert.pem',
'ca_certs': '/var/ssl/myca.pem',
'cert_reqs': ssl.CERT_REQUIRED
}
Question:
Where can I find those .pem files?
According to RabbitMQ docs, I have to create them myself and configure the RabbitMQ server to use them.
However, I am not running the server. As stated above I have a "RabbitMQ as a service" provider who supports amqps. Should I ask him to provide me with those .pem files?
Celery, can also sign messages.
(Trying this approach, I get a No encoder installed for auth error which I reported.)
Question: Does this mean that I can use my certificates to secure the connection as an alternative configuration to BROKER_USE_SSL?
There is also a note regarding message signing:
auth serializer won’t encrypt the contents of a message, so if needed
this will have to be enabled separately.
Subquestion: Does encrypting the contents of a message protect me from the "current" RabbitMQ server administrator while "message signing" only protects me while on the wire towards that server?
Apparently I am somehow confused but I would not like to create any kind of insecure traffic over the internet for any reason. I would appreciate your help.
When configuring for CloudAMQP, you need to set BROKER_USE_SSL to True and the BROKER_URL as shown below:
BROKER_USE_SSL = True
BROKER_URL = 'amqp://user:pass#hostname:5671/vhost'
Note the port number 5671, and keep 'amqp'.
If you are running your own Rabbit setup checkout this to make it secure.
https://www.rabbitmq.com/ssl.html

Logstash security

I am wondering if it is possible to implement something like mutual handshake authorization between logstash and logstash-forwarder?
At the moment, I know that logstash provides ssl certificates
for security, but I am not sure if this is the best way to protect my logs flow.
The certificates are not safe enough in my case. If they will get stolen then you are in danger.. Looking for something else that may help. Thanks!
The Logstash forwarder project has been deprecated in favor of the Filebeat project.
Generally, you should now prefer using Filebeat over Logstash forwarder. Moreover, Filebeat allows you to set up TLS client authentication, which is what you're after.
Well, seems like I was looking for mutual authentication between LSF (or FileBeat) and Logstash.
Here is what I found - there is an open issue, while it is opened, the problem is not solved.
Here is some discussion on this topic:
filebeat has same support as logstash-forwarder used to have, plus some more fine-grained TLS configs (e.g. choose TLS version or configure ciphers). Connection can encrypted via TLS + server certificated is validated. Filebeat itself supports TLS client-auth, BUT logstash must enforce (ask for certificate) client authentication, which is not implemented yet (see github issue).

Understanding Openstack noVNC security

I'm trying to get a deeper understanding of the architecture and design of Openstack noVNC security. I found this document. It makes sense but missing details. Can somebody confirm my understanding is right, or correct me if I'm wrong.
0) noVNC allows VNC clients in web browsers, good for clients without java or vnc client installed.
1) VNC server is provided by the hypervisor, Every VM has its own VNC server, at port 59xx, not accessible from outside.
2) Websocket proxy bridges to VNC server and provide service for noVNC client (javascript in browser), say at port 6080.
3) Simple security: Security could alternatively be guaranteed by VNC password, but it's not convenient to type every time and not easy to change. Every VM on the same hypervisor has to share the same password. Different compute nodes may use different VNC passwords.
4) To provide better access control, consoleauth is introduced. We can now use Openstack authentication for VNC. When a new request for remote console comes, a dynamic access URL (with a token) is generated, cached/registered, and sent back to client. Later, only previously registered connections are accepted.
I would like to know more about whether/how dynamic firewall rules are created, and whether/when the tokens are invalidated. I know the best way is to read the source code, but a high level description is also valuable. Thanks.

.NET Remoting over SSL with TCPChannel

I need to secure my .NET Remoting by SSL.
I'm using TCPChannel and I can't switch to HTTPChannel and use IIS to add the SSL.
Thus, what I figured out, I need to create my own Sink that will encrypt the streams going to/from Client/Server. For that, I found good article at MSDN: http://msdn.microsoft.com/en-us/magazine/cc300447.aspx. However, that article is developing the crypt, handshake, etc.
I do not want to "reinvent the wheel". I'm afraid of making mistakes when developing this logic on my own. I would rather like to use some SSL implementation (e.g. SslStream or OpenSSL) that will do that stuff for me.
Can I use SslStream or OpenSSL in .NET Remoting with the TCPChannel?
Would you suggest a simple usage?
Thank you for your help.
Consider switching over to WCF.
Alternatively, Remoting should be able to do the equivalent of using WCF with ClientCredentialType set to Windows, if you specify secure='true' in your remoting configuration on both client and server side. TcpChannel will start using SSL under the hood to encrypt the communication, using user credentials for key material. On client side, this also has the implied effect of setting tokenImpersonationLevel='identify' which means that the server will not impersonate the user account under which the client is executing, but it will know who connected to it (assuming the client and the server run in the same AD domain). For performance reasons, set useAuthenticatedConnectionSharing to true on the client side.

Resources