Chapter 3. Security

Table of Contents

3.1. Server certificates
3.2. Firewall
3.3. Limiting SSH access
3.4. Intrusion detection

For securing our Debian box, we are going to use a firewall and an intrusion detection system called OSSEC.

We are also going to create server certificates which we will later use to secure communication coming to and from our server (emails, passwords, ...).

3.1. Server certificates

First, we are going to create a private key. The original command used a 1024-bit key; 1024-bit RSA is considered too weak today, so use at least 2048 bits (the last argument to genrsa).

root@atlantis:~# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................++++++
.............................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: your-password-here

Now that we have a private key, we are going to create what is called a Certificate Signing Request.

root@atlantis:~# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HR
State or Province Name (full name) [Some-State]:Grad Zagreb
Locality Name (eg, city) []:Zagreb
Organization Name (eg, company) [Internet Widgits Pty Ltd]:N/A 
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:atlantis.example.com
Email Address []:gog@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Make sure that the Common Name matches the fully qualified domain name that clients will use to connect to the server; otherwise they will reject the certificate because of a hostname mismatch.

Now we need to remove the passphrase from the key. If we do not, the server will ask for the passphrase every time the service (Apache, Postfix or Courier) is restarted or the machine reboots.

root@atlantis:~# cp server.key server.key.org
root@atlantis:~# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key

server.key now does not contain a passphrase.

Now, we are going to create a self-signed certificate. You can change the validity period from 365 days if you like.

root@atlantis:~# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=HR/ST=Grad Zagreb/L=Zagreb/O=N/A/CN=atlantis.example.com/emailAddress=gog@example.com
Getting Private key

server.crt is the name of the self-signed certificate.

To create a server.pem file you need to concatenate server.crt and server.key.

cat server.crt server.key > server.pem

Since server.key and server.pem contain the private server key without a passphrase, you have to make sure regular users on your server cannot read these files.

We will store all of the files in /etc/ssl/self-signed, as we will need them later. Note that the certificate (server.crt) is public, but the directory and the key files must not be readable by anyone except root; a recursive chmod 644 would make the private key world-readable and also strip the execute bit the directory needs to be traversable.

root@atlantis:~# mkdir /etc/ssl/self-signed
root@atlantis:~# mv server.* /etc/ssl/self-signed/
root@atlantis:~# chown -R root:root /etc/ssl/self-signed/
root@atlantis:~# chmod 700 /etc/ssl/self-signed/
root@atlantis:~# chmod 600 /etc/ssl/self-signed/*
root@atlantis:~# chmod 644 /etc/ssl/self-signed/server.crt
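The whole procedure above (key, CSR, passphrase-free key, self-signed certificate, server.pem, permissions) can be done non-interactively in one shell function, followed by the checks a practitioner should run before handing the files to Apache, Postfix or Courier: does the certificate really belong to the private key, does the Common Name match the hostname, and is the key readable only by its owner. This is an added example, not code from the original page; it assumes openssl(1) is installed, uses a 2048-bit key and `-nodes` instead of the separate passphrase-removal step, and takes the output directory and FQDN as parameters (the DN values other than the CN are placeholders).

```shell
#!/bin/sh
# Added example: non-interactive version of section 3.1, plus sanity checks.
# Assumes openssl(1) is available. Directory and FQDN are parameters.

# make_self_signed DIR FQDN [DAYS]
# Creates DIR/server.key, server.csr, server.crt and server.pem.
make_self_signed() {
    dir="$1"; fqdn="$2"; days="${3:-365}"
    mkdir -p "$dir"
    chmod 700 "$dir"                       # directory: root (owner) only
    old_umask=$(umask)
    umask 077                              # new files are owner-only from the start
    # -newkey rsa:2048 : 1024-bit RSA is too weak today
    # -nodes           : key is written without a passphrase (no prompt on restart)
    # -subj            : DN supplied non-interactively; the CN must be the FQDN
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=HR/ST=Grad Zagreb/L=Zagreb/O=Example/CN=$fqdn" >/dev/null 2>&1
    # Self-sign the request with our own key (no CA involved).
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
    # server.pem = certificate followed by the private key.
    cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
    umask "$old_umask"
    chmod 644 "$dir/server.crt" "$dir/server.csr"   # public material
    chmod 600 "$dir/server.key" "$dir/server.pem"   # contain the private key
}

# key_matches_cert DIR : success if server.crt was issued for server.key
# (same RSA modulus in both).
key_matches_cert() {
    k=$(openssl rsa -in "$1/server.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1/server.crt" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn DIR : print the Common Name of server.crt.
# Handles both "subject= /C=..../CN=host" and "subject=C = .., CN = host" formats.
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject 2>/dev/null |
        sed 's/.*CN *= *//; s/[,\/].*//'
}

# owner_only FILE : success if group and others have no permission bits at all.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage (as root, as in the page):
#   make_self_signed /etc/ssl/self-signed atlantis.example.com 365
#   key_matches_cert /etc/ssl/self-signed && echo "key and cert match"
#   cert_cn /etc/ssl/self-signed
#   owner_only /etc/ssl/self-signed/server.key && echo "key is private"
```

Run the three checks after any manual edit to the files as well: a common failure mode is regenerating the key but leaving the old certificate in place, which `key_matches_cert` catches, and a CN typed without the domain part, which `cert_cn` makes visible.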

If you want to understand a little bit more about the whole process, take a look here.

Since we moved the keys to the /etc folder we should commit the changes.

etckeeper commit "Added server keys"