Pages

Showing posts with label poly1305. Show all posts
Showing posts with label poly1305. Show all posts

Tuesday, May 25, 2021

Configuring OpenVPN with Ed25519 certificates and TLS 1.3

Creating certificates with Elliptic Curves: 

Requirements: OpenSSL 1.1.x, OpenVPN 2.5.x, EasyRSA 3.0.x

Initializing PKI environment

# easyrsa init-pki

Creating the Certificate of Authority (CA)

# easyrsa --use-algo=ed --curve=ed25519 build-ca

Creating Certificate Request

# easyrsa --use-algo=ed --curve=ed25519 --req-c=BG --req-city=Gabrovo --req-org=Horizon9 --req-email=geroy@horizon9.org --dn-mode=org gen-req horizon9

Singning the CA request

# easyrsa sign-req server horizon9
Creating OpenVPN server keys
# easyrsa build-server-full horizon9 nopass

Creating OpenVPN client keys

# easyrsa build-client-full client1 nopass

 

OpenVPN config file:

local 10.1.1.1 # put your IP address here
port 1194
proto tcp
dev tun
ca /path/to/ca.crt
cert /path/to/horizon9.crt
key /path/to/horizon9.key
server 10.1.11.0 255.255.255.0 # your OpenVPN network IP addresses
push "route 10.1.12.0 255.255.255.0" # your local network here
push "dhcp-option DNS 10.1.12.1"
keepalive 5 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 4

#data channel cipher
cipher AES-128-GCM

#don't negotiate ciphers, we know what we want
ncp-disable

# TLS 1.3 encryption settings
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# TLS 1.2 encryption settings
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

#disable static Diffie-Hellman parameters since we're using ECDHE
dh none

# use this curve
ecdh-curve secp384r1

#this tells OpenVPN which side of the TLS handshake it is
tls-server

#tls-client # uncomment this on the client side

Posted by at No comments:
Labels: , , , , , , , ,

Tuesday, February 13, 2018

How to filter 99.99% of ssh brute force attacks

Recently I've decided to experiment with ssh ciphers / key exchange algorithms to raise the security of my servers. This is the /etc/ssh/sshd_config I've got:

HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org

If you don't have HostKey for Ed25519 generate it:

# ssh-keygen -t ed25519

You need to use recent version of ssh / pyTTY to be able to login to this server.
It seems that using only this Cipher/Kex filters all brute force scanners probably because they do not support it. I see only this kind of messages:

Feb 13 14:41:39 horizon9 sshd[22849]: SSH: Server;Ltype: Version;Remote: xxx.x.xx.xxx-53810;Protocol: 2.0;Client: libssh2_1.7.0
Feb 13 14:41:39 horizon9 sshd[22849]: fatal: ssh_dispatch_run_fatal: no matching cipher found [preauth]

More information about ciphers/algorithms read here:

https://cr.yp.to/ecdh.html#curve25519-paper
https://en.wikipedia.org/wiki/Salsa20
https://en.wikipedia.org/wiki/Poly1305


Posted by at No comments:
Labels: , , , , , , , , , ,
Subscribe to: Posts (Atom)