Main question: is it safe to open a port for an openssl server?

e.g.:

server side - generate a self-signed cert.
time openssl req -x509 -nodes -days 365 -newkey rsa:8192 -keyout mycert.pem -out mycert.pem
openssl s_server -accept 52310 -cert mycert.pem

Is it secure? - it could be DOSed [Denial of Service] or could it be attacked in any way?

Are there any iptables rules for restricting connections to dyndns names?

e.g.: only allow connection from "asdfasdf.dyndns.com" and "asdfasdf2.dyndns.com" and "asdfasdf3.dyndns.com"?

How could I restrict the openssl server to only accept traffic from given clients? Please help me "think"..

Or are there any "production ready" methods, that can do authentication too? [+using ssl].
"openssl s_server" and "openssl s_client" would be perfect, but the problem is it doesn't have username/password auth :\

Thank you for any help.
On 02/27/11 1:50 AM, erikmccaskey64 wrote:
> Main question: is it safe to open a port for an openssl server?
>
> e.g.:
>
> server side - generate a self-signed cert.
> time openssl req -x509 -nodes -days 365 -newkey rsa:8192 -keyout
> mycert.pem -out mycert.pem
> openssl s_server -accept 52310 -cert mycert.pem
>
> Is it secure? - it could be DOSed [Denial of Service] or could it be
> attacked in any way?
>
> Are there any iptables rules for restricting connections to dyndns names?
>
> e.g.: only allow connection from "asdfasdf.dyndns.com" and
> "asdfasdf2.dyndns.com" and "asdfasdf3.dyndns.com"?

any host names used in iptables rules are looked up at the time the rule is created, and if the hostname->IP later changed, the iptables would not be aware of this until the next time they are reloaded.

> How could I restrict the openssl server to only accept traffic from
> given clients? Please help me "think"..
>
> Or are there any "production ready" methods, that can do
> authentication too? [+using ssl].
> "openssl s_server" and "openssl s_client" would be perfect, but the
> problem is it doesn't have username/password auth :\

aren't those openssl s_server and s_client intended just for testing protocols? If you want to secure an application, you implement ssl in your application via libssl, or you use a vpn tunnel such as openvpn (which uses SSL itself)

anyways, the whole idea of SSL is to use certificate based authentication rather than username/password.
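One way to live with the lookup-at-rule-creation caveat raised above, as an added example that is not code from anyone in this thread: a script run from cron that re-resolves the dyndns names and rebuilds one dedicated chain from whatever they currently point at. The names, port and chain name are placeholders, and it assumes getent, iptables-restore and an iptables new enough for -C (1.4.11 or later).

```shell
#!/bin/sh
# Added example, not code from the thread. Re-resolves a list of
# dynamic-DNS names and rebuilds one dedicated iptables chain from the
# current A records; run it from cron so the rules track IP changes.
# NAMES, PORT and CHAIN are constructed placeholders.
PORT=52310
CHAIN=SSL_CLIENTS
NAMES="asdfasdf.dyndns.com asdfasdf2.dyndns.com asdfasdf3.dyndns.com"

# IPv4 addresses of a name, one per line; prints nothing if lookup fails.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Reads "name ip" pairs on stdin and writes an iptables-restore fragment
# that rebuilds $CHAIN: one ACCEPT per resolved address, then DROP.
# Pairs with no address (failed lookups) get no ACCEPT, i.e. fail closed.
render_rules() {
    printf '*filter\n:%s - [0:0]\n' "$CHAIN"
    while read -r name ip; do
        [ -n "$ip" ] || continue
        printf '%s\n' "-A $CHAIN -s $ip/32 -p tcp --dport $PORT -m comment --comment $name -j ACCEPT"
    done
    printf '%s\n' "-A $CHAIN -p tcp --dport $PORT -j DROP" "COMMIT"
}

# Resolve everything, then load the chain. iptables-restore --noflush
# leaves the rest of the filter table alone but still flushes a chain it
# declares, so the chain is replaced in one go. If nothing resolved at
# all (DNS outage), keep the previous chain rather than locking everyone out.
refresh() {
    pairs=$(for n in $NAMES; do resolve_v4 "$n" | sed "s/^/$n /"; done)
    if [ -z "$pairs" ]; then
        echo "no name resolved; keeping existing $CHAIN" >&2
        return 1
    fi
    printf '%s\n' "$pairs" | render_rules | iptables-restore --noflush
    # Hook the chain into INPUT once (iptables -C needs 1.4.11 or newer).
    iptables -C INPUT -p tcp --dport "$PORT" -j "$CHAIN" 2>/dev/null ||
        iptables -I INPUT -p tcp --dport "$PORT" -j "$CHAIN"
}

if [ "${1:-}" = "--apply" ]; then refresh; fi
```

Run it as root with --apply from a cron entry every few minutes; a client whose name stops resolving simply loses its ACCEPT on the next run.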
On 27/02/2011 09:50, erikmccaskey64 wrote:
> Main question: is it safe to open a port for an openssl server?

Don't rely on this, but put it on a non-standard port. If you have sshd on the default port 22 you will get a long list of login attempts on it. This suggestion is not security, it simply cuts down hugely on the list of exceptions you need to wade through. You ought to probably use something like fail2ban to cut off repeated failed logins.