
#1 2019-02-25 21:19:49

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272

SOLVED: Securing a home network

SOLUTION:

I followed the instructions in a PKI tutorial located here: https://pki-tutorial.readthedocs.io/en/ … index.html

After completing all three exercises, adapting the expert PKI to my needs was a straightforward process.

  - OP

***

My latest project is deploying a Nextcloud server on my home network using Nginx.

I have been advised to get HTTP/2 running on this system with GnuTLS.

I am trying to follow the instructions here: https://wiki.archlinux.org/index.php/GnuTLS

And here: https://www.howtoforge.com/how-to-enabl … -in-nginx/

When I run "certtool -s ..." I get a lot of questions that I don't have the answers for.

A closer look at GnuTLS revealed that there are numerous ways to use it.

It has been 15 years since I worked in IT and I have no experience with SSL or TLS.

What is the best way to secure a home network and maybe even get HTTP/2 running?

Last edited by lenhuppe (2019-05-08 01:40:50)


Why do we drive on the parkway and then park in the driveway?


#2 2019-02-25 21:28:50

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,601

Re: SOLVED: Securing a home network


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#3 2019-02-25 22:11:23

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272

Re: SOLVED: Securing a home network

Are you referring to the Certbot package?




#4 2019-02-25 22:54:35

loqs
Member
Registered: 2014-03-06
Posts: 17,502

Re: SOLVED: Securing a home network

lenhuppe wrote:

My latest project is deploying a Nextcloud server on my home network using Nginx.

I have been advised to get HTTP/2 running on this system with GnuTLS.

Why GnuTLS in particular?

lenhuppe wrote:

When I run "certtool -s ..." I get a lot of questions that I don't have the answers for.

See man 1 certtool FILES section.
If you require a certificate signed by a Certificate Authority then Certbot would be relevant (you would also need a domain issued by a Domain Registrar).


#5 2019-02-25 23:03:22

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272

Re: SOLVED: Securing a home network

loqs wrote:
lenhuppe wrote:

My latest project is deploying a Nextcloud server on my home network using Nginx.

I have been advised to get HTTP/2 running on this system with GnuTLS.

Why GnuTLS in particular?

lenhuppe wrote:

When I run "certtool -s ..." I get a lot of questions that I don't have the answers for.

See man 1 certtool FILES section.
If you require a certificate signed by a Certificate Authority then Certbot would be relevant (you would also need a domain issued by a Domain Registrar).


GnuTLS is just what was recommended.

Certbot looks like a better solution for users like me.

I will register with a Domain Registrar and give that a try.

I will also look at the certtool man pages as you suggest.

It's time for me to learn how to secure my home network.




#6 2019-02-25 23:10:19

loqs
Member
Registered: 2014-03-06
Posts: 17,502

Re: SOLVED: Securing a home network

I would save the expense for now and start with creating a certificate authority key, then a server key signed by the certificate authority.
Edit:
https://stackoverflow.com/questions/101 … th-openssl

openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.example.com"

Last edited by loqs (2019-02-25 23:18:59)


#7 2019-02-25 23:15:05

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272

Re: SOLVED: Securing a home network

loqs wrote:

I would save the expense for now and start with creating a certificate authority key, then a server key signed by the certificate authority.

I created my own certificate authority and used that to create a server key and server certificate.

certtool --generate-privkey --outfile ca-key.pem

certtool --generate-self-signed \
  --load-privkey ca-key.pem \
  --outfile ca-cert.pem \
  --template ca.cfg

certtool --generate-privkey --outfile server.key

certtool --generate-certificate \
  --load-privkey server.key \
  --outfile server.crt \
  --load-ca-certificate ca-cert.pem \
  --load-ca-privkey ca-key.pem \
  --template ca.cfg

I can connect with Firefox and several other web browsers.

In every case I had to add a security exception and trust the certificate.

If that is normal then I am up and running for now.

Last edited by lenhuppe (2019-02-26 12:45:33)




#8 2019-02-26 11:28:53

loqs
Member
Registered: 2014-03-06
Posts: 17,502

Re: SOLVED: Securing a home network

Yes, this is expected behavior, as the certificate authority you created has not been added to the certificate store of the client attempting to connect.


#9 2019-02-26 14:37:14

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: SOLVED: Securing a home network

While this is solved @lenhuppe, did you add the CA to the store (system wide or your browser)?
Accepting/trusting certificates yourself is considered a security risk.
If you went for loqs' "this is expected behavior", you're not ready yet...


#10 2019-02-26 16:05:59

loqs
Member
Registered: 2014-03-06
Posts: 17,502

Re: SOLVED: Securing a home network

qinohe wrote:

Accepting/trusting certificates yourself is considered a security risk.

Please provide more details of the risk.
Edit:
Provided the certificate added to the store was the public key lenhuppe generated.
Edit2:
Please also expand on.

qinohe wrote:

If you went for loqs' "this is expected behavior", you're not ready yet...

Last edited by loqs (2019-02-26 16:10:32)


#11 2019-02-26 16:32:39

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: SOLVED: Securing a home network

Well, there is no sensible way for a human to determine if that certificate is the one you expect to be the one from your server; you need a CA to check that for you. There should never be any user interaction regarding certificates; this should all be set up in the first place.
If you are on an intranet you would distribute the CA/sub- on your net; you shouldn't let your users trust them, man in the middle... Always use a chain and a subordinate CA if possible; create it. In case your server was in fact compromised local/remote, your CA would still be safe.

With not ready I mean: create a sufficient chain and export the CA cert or sub- and import it system wide or in your browser. You did say that, I just wanted to make that abundantly clear ;)


#12 2019-03-02 02:52:13

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272

Re: SOLVED: Securing a home network

qinohe wrote:

Well, there is no sensible way for a human to determine if that certificate is the one you expect to be the one from your server; you need a CA to check that for you. There should never be any user interaction regarding certificates; this should all be set up in the first place.
If you are on an intranet you would distribute the CA/sub- on your net; you shouldn't let your users trust them, man in the middle... Always use a chain and a subordinate CA if possible; create it. In case your server was in fact compromised local/remote, your CA would still be safe.

With not ready I mean: create a sufficient chain and export the CA cert or sub- and import it system wide or in your browser. You did say that, I just wanted to make that abundantly clear ;)

Please excuse my ignorance but what do you mean by "sufficient chain" ?




#13 2019-03-02 03:20:38

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272

Re: SOLVED: Securing a home network

qinohe wrote:

While this is solved @lenhuppe, did you add the CA to the store (system wide or your browser)?
Accepting/trusting certificates yourself is considered a security risk.
If you went for loqs' "this is expected behavior", you're not ready yet...

I fully appreciate what you are saying. If this were any setting other than a home network with me as the sole user I would not go the route of a self-signed certificate. Simply telling my Arch desktop to trust the certificate is effective, but it is also sloppy and I know it. I have told myself that this setup must be only temporary and once I get my Nextcloud server running I must secure it properly. That is a learning process that I look forward to. I feel confident installing just about any Linux package but security is completely new territory for me.




#14 2019-03-02 19:48:05

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: SOLVED: Securing a home network

lenhuppe wrote:

Please excuse my ignorance but what do you mean by "sufficient chain" ?

A sufficient chain is 'anything' but a single certificate.
To make that clear:
a single cert. - not sufficient
root CA -> cert. - sufficient
root CA -> intermediate CA -> server cert. - sufficient
The last one prevents the root CA from becoming malicious in case of a compromise.

lenhuppe wrote:

I fully appreciate what you are saying. If this were any setting other than a home network with me as the sole user I would not go the route of a self-signed certificate. Simply telling my Arch desktop to trust the certificate is effective, but it is also sloppy and I know it. I have told myself that this setup must be only temporary and once I get my Nextcloud server running I must secure it properly. That is a learning process that I look forward to. I feel confident installing just about any Linux package but security is completely new territory for me.

Well, even on my home network I like things to be okay and don't use single certs., only chains. Using 1 certificate is just about the same as doing nothing; there's no check at all.
While you're still busy learning about security and trust I'd say try and do it well the first time; that makes it a lot easier, because most guides will lead you in that direction, and if they don't they're mostly wrong...


#15 2019-03-02 20:26:18

progandy
Member
Registered: 2012-05-17
Posts: 5,209

Re: SOLVED: Securing a home network

qinohe wrote:

Well, even on my home network I like things to be okay and don't use single certs., only chains. Using 1 certificate is just about the same as doing nothing; there's no check at all.

Why is one certificate the same as doing nothing? If you manually check the fingerprint before accepting the certificate, then you have a trusted connection as well. A CA just allows you to accept and trust a single certificate and then extend that trust to other certificates signed by this CA.
Of course, it is much more convenient to set up the trust on each device once and be able to add new network services with a new signed certificate. Otherwise you'd have to do the trust verification each and every time and that is very easily skipped if you are not in the mood.

Last edited by progandy (2019-03-02 20:31:54)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

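The points made in posts #14 and #15 can be shown in one runnable program. The following is an added example, not code from this thread or from any poster, written in Go because it builds and checks a chain in a single self-contained file rather than across certtool or openssl invocations. It issues the root CA -> intermediate CA -> server certificate hierarchy that qinohe calls sufficient, then verifies the server certificate the way a browser does: first against an empty trust store, which reproduces the warning lenhuppe saw, then with the root imported, and it computes the root's SHA-256 fingerprint, the value progandy's manual check would compare out of band. The hostname nextcloud.home.lan, the CA names and the helper functions are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key for tmpl and has parent sign it; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a CA; pathLen caps how many CAs may sit below it (0 means none).
func caTemplate(cn string, serial int64, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
	}
}

// serverTemplate describes an end-entity certificate for one hostname: no CA bit, short lifetime.
func serverTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Chain is the root -> intermediate -> server hierarchy.
type Chain struct{ Root, Intermediate, Server *x509.Certificate }

// BuildChain issues all three; the root key signs only the intermediate, so it can stay offline.
func BuildChain(host string) (*Chain, error) {
	root, rootKey, err := issue(caTemplate("Home Root CA", 1, 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Home Intermediate CA", 2, 0), root, rootKey)
	if err != nil {
		return nil, err
	}
	server, _, err := issue(serverTemplate(host, 3), inter, interKey)
	return &Chain{Root: root, Intermediate: inter, Server: server}, err
}

// VerifyServer mirrors a browser: intermediate is what the server sends, root is the client store (nil = empty).
func VerifyServer(server, intermediate, root *x509.Certificate, host string) error {
	ip, rp := x509.NewCertPool(), x509.NewCertPool()
	if intermediate != nil {
		ip.AddCert(intermediate)
	}
	if root != nil {
		rp.AddCert(root)
	}
	_, err := server.Verify(x509.VerifyOptions{DNSName: host, Intermediates: ip, Roots: rp})
	return err
}

// Fingerprint is the SHA-256 hex fingerprint of the DER encoding, compared out of band before import.
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

func main() {
	ch, err := BuildChain("nextcloud.home.lan") // constructed hostname for this example
	if err != nil {
		panic(err)
	}
	fmt.Println("root not in store:", VerifyServer(ch.Server, ch.Intermediate, nil, "nextcloud.home.lan"))
	fmt.Println("root in store:", VerifyServer(ch.Server, ch.Intermediate, ch.Root, "nextcloud.home.lan"), Fingerprint(ch.Root))
}
```

The first check fails with an unknown-authority error and the second returns nil. Two consequences for the Nginx setup in the thread: the server must send the intermediate together with its own certificate (one file, server certificate first, given to ssl_certificate), and only the root goes into the client's trust store, after its fingerprint has been compared with what the machine that generated it prints.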

#16 2019-03-03 00:02:38

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: SOLVED: Securing a home network

progandy wrote:

Well, even on my home network I like things to be okay and don't use single certs., only chains. Using 1 certificate is just about the same as doing nothing; there's no check at all.

Why is one certificate the same as doing nothing? If you manually check the fingerprint before accepting the certificate, then you have a trusted connection as well. A CA just allows you to accept and trust a single certificate and then extend that trust to other certificates signed by this CA.
Of course, it is much more convenient to set up the trust on each device once and be able to add new network services with a new signed certificate. Otherwise you'd have to do the trust verification each and every time and that is very easily skipped if you are not in the mood.

Haha, have you ever met anyone diffing their certs? Probably not, I know I don't...
Have you met anyone just accepting the connection? I know I do :(

It's just common sense to tell people starting with certs. they should use a chain, and not make that a user task; that simply doesn't make sense...


#17 2019-03-03 02:18:19

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272

Re: SOLVED: Securing a home network

qinohe wrote:
lenhuppe wrote:

Please excuse my ignorance but what do you mean by "sufficient chain" ?

A sufficient chain is 'anything' but a single certificate.
To make that clear:
a single cert. - not sufficient
root CA -> cert. - sufficient
root CA -> intermediate CA -> server cert. - sufficient
The last one prevents the root CA from becoming malicious in case of a compromise.

lenhuppe wrote:

I fully appreciate what you are saying. If this were any setting other than a home network with me as the sole user I would not go the route of a self-signed certificate. Simply telling my Arch desktop to trust the certificate is effective, but it is also sloppy and I know it. I have told myself that this setup must be only temporary and once I get my Nextcloud server running I must secure it properly. That is a learning process that I look forward to. I feel confident installing just about any Linux package but security is completely new territory for me.

Well, even on my home network I like things to be okay and don't use single certs., only chains. Using 1 certificate is just about the same as doing nothing; there's no check at all.
While you're still busy learning about security and trust I'd say try and do it well the first time; that makes it a lot easier, because most guides will lead you in that direction, and if they don't they're mostly wrong...

I will heed your advice and search for a guide that starts at the beginning.




#18 2019-03-04 02:15:10

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272

Re: SOLVED: Securing a home network

qinohe wrote:

While you're still busy learning about security and trust I'd say try and do it well the first time; that makes it a lot easier, because most guides will lead you in that direction, and if they don't they're mostly wrong...

I have googled on certificates and chains and found very little practical information.

Most web sites assume that you know what you are doing and have a plan.

I would know what I am doing if the information I need were not kept secret.

What practical guides are there for a newbie like me to learn from?




#19 2019-03-04 02:28:06

bugsmanagement
Member
Registered: 2017-04-21
Posts: 201

Re: SOLVED: Securing a home network

Hello there,

Wouldn't IDS/HIDS/SIEM be more appropriate for a small network than compromised CAs/MITM attacks? Would a compromised host be more urgent than securing traffic? You could also look into switches that support VLANs as an additional layer of keeping traffic separate. I could understand if this was an enterprise network spanning the globe where chain certificates would be vital for network security. I use chain certificates here simply to better organize servers' and clients' trust. I have IDS at my edge server; HIDS/SIEM/security scanning is on my to-do list.

Regards


#20 2019-03-04 02:40:04

bugsmanagement
Member
Registered: 2017-04-21
Posts: 201

Re: SOLVED: Securing a home network

lenhuppe wrote:

What practical guides are there for a newbie like me to learn from?

Running a PKI at home is a learning curve to know the best practices and procedures. Google for PKI; that should hopefully point you to some pointers.

Additionally, I use 'xca' here, it's a pretty neat application if you don't want to go with easy_rsa or doing everything by hand.

Regards

Last edited by bugsmanagement (2019-03-04 02:40:30)


#21 2019-03-04 12:23:08

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: SOLVED: Securing a home network

lenhuppe wrote:
qinohe wrote:

While you're still busy learning about security and trust I'd say try and do it well the first time; that makes it a lot easier, because most guides will lead you in that direction, and if they don't they're mostly wrong...

I have googled on certificates and chains and found very little practical information.

Most web sites assume that you know what you are doing and have a plan.

I would know what I am doing if the information I need were not kept secret.

What practical guides are there for a newbie like me to learn from?

Yeah, it may be a problem for a starter to find what is needed for a chain.
There may be good guides out there but I would need to shop around to grab one; openssl.org and jamielinux.com may be good starting points.
I must be honest, if you want to dig in there is a curve and the best place to start is 'man openssl',
the 'SEE ALSO' at the bottom for your specific goals like ca.
The first few times I created a chain I did that with the CLI tools already available on the system.
I never used the tools that bugsmanagement is advertising.
For half a decade now I have used first pfSense and now OPNsense to create my chains; hence I even wrote a guide for them that's in their wiki ;)
To summarize, if you want to get a good understanding of what certs. do and how to create them, dig in and do the reading and don't let go ;)


#22 2019-03-04 13:15:39

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272

Re: SOLVED: Securing a home network

qinohe wrote:
lenhuppe wrote:
qinohe wrote:

While you're still busy learning about security and trust I'd say try and do it well the first time; that makes it a lot easier, because most guides will lead you in that direction, and if they don't they're mostly wrong...

I have googled on certificates and chains and found very little practical information.

Most web sites assume that you know what you are doing and have a plan.

I would know what I am doing if the information I need were not kept secret.

What practical guides are there for a newbie like me to learn from?

Yeah, it may be a problem for a starter to find what is needed for a chain.
There may be good guides out there but I would need to shop around to grab one; openssl.org and jamielinux.com may be good starting points.
I must be honest, if you want to dig in there is a curve and the best place to start is 'man openssl',
the 'SEE ALSO' at the bottom for your specific goals like ca.
The first few times I created a chain I did that with the CLI tools already available on the system.
I never used the tools that bugsmanagement is advertising.
For half a decade now I have used first pfSense and now OPNsense to create my chains; hence I even wrote a guide for them that's in their wiki ;)
To summarize, if you want to get a good understanding of what certs. do and how to create them, dig in and do the reading and don't let go ;)

There are a lot of pages stating that TLS deprecates SSL and is backwards compatible with it.
That may be true but SSL is still out there and most of the guides I am finding use it.
I need to back up and read through the docs for sure.
Only then can I decide on a game plan.
Meanwhile I did find this: https://kashyapc.fedorapeople.org/gnutls-pki-setup.txt
I am the only user so a simple albeit sloppy setup will work for starters.

I am dug in on this one!

    /@
    \ \
  ___> \
(__O)  \
(____@)  \
(____@)   \
(__o)_    \
       \    \

Last edited by lenhuppe (2019-03-04 13:17:14)




#23 2019-03-04 13:37:54

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: SOLVED: Securing a home network

Nice ASCII @lenhuppe ;) Yes, there are probably protocols you'd like to disable but that will become clearer.
Once you have started creating a few chains you will find guides that handle this subject very well.
At first you may not need to worry too much about this; see this as part of the process, you'll be fine on a local network..
May the trust be with U ;)

edit: I don't want to decide for you what protocols you should use on your servers, use common sense, read which protocols are used now , which are unsafe/compromised etc. and change your servers to use the ones you like.

Last edited by qinohe (2019-03-04 14:08:12)


#24 2019-03-04 17:25:37

bugsmanagement
Member
Registered: 2017-04-21
Posts: 201

Re: SOLVED: Securing a home network

Right now, the industry standard is TLS 1.3, and those who haven't caught up should be using SSLv3. Ciphers are tricky; one has to pick a set of ciphers that most clients understand.

qinohe wrote:

I never used the tools that bugsmanagement is advertising.

Not advertising, suggesting. easy_rsa is brought to you by the openssl team, for those who prefer working with the CLI, and is what most are using these days. When dealing with a few dozen certificates, I find 'xca' makes things a lot easier to maintain. Nevertheless, to each their own.

@lenhuppe

You should also look into hosting crl.pem on an internet accessible domain and/or OCSP, and include them in your certificates. Good luck.

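Posts #23 and #24 turn to which protocol versions and ciphers a server should still offer. As an added example, not code from the thread or from any poster, the Go program below audits a TLS server configuration the way a reviewer would: it flags any version floor below TLS 1.2 (SSLv3, TLS 1.0 and TLS 1.1 are all deprecated by the standards bodies and refused by current browsers) and any cipher suite that Go's own crypto/tls package classifies as insecure, and it contrasts a permissive configuration with a hardened one. The function and variable names are constructed for the example; for Nginx the same decisions are expressed with the ssl_protocols and ssl_ciphers directives rather than a tls.Config.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// AuditTLSConfig returns one finding per setting a modern client would refuse or a
// reviewer would reject: a version floor below TLS 1.2 (a zero MinVersion is flagged
// too, so the floor has to be stated explicitly) and any cipher suite on Go's own
// insecure list (RC4, CBC-with-SHA-256 variants, and similar).
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2", cfg.MinVersion))
	}
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, ok := insecure[id]; ok {
			findings = append(findings, "insecure cipher suite enabled: "+name)
		}
	}
	return findings
}

// WeakConfig is the "let every old client in" setting: TLS 1.0 floor and an RC4 suite.
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
	}
}

// HardenedConfig sets TLS 1.2 as the floor (TLS 1.3 is negotiated automatically, and its
// suites are not configurable) and offers only forward-secret AEAD suites to 1.2 clients.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

func main() {
	fmt.Println("weak:", AuditTLSConfig(WeakConfig()))
	fmt.Println("hardened:", AuditTLSConfig(HardenedConfig()))
}
```

The weak configuration yields two findings (the version floor and the RC4 suite) and the hardened one none. Restricting the list to ECDHE suites also gives every TLS 1.2 connection forward secrecy, so a later compromise of the server key does not expose recorded traffic.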

#25 2019-03-04 18:19:00

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: SOLVED: Securing a home network

bugsmanagement wrote:

Right now, the industry standard is TLS 1.3, and those who haven't caught up should be using SSLv3. Ciphers are tricky; one has to pick a set of ciphers that most clients understand.

qinohe wrote:

I never used the tools that bugsmanagement is advertising.

Not advertising, suggesting. easy_rsa is brought to you by the openssl team, for those who prefer working with the CLI, and is what most are using these days. When dealing with a few dozen certificates, I find 'xca' makes things a lot easier to maintain. Nevertheless, to each their own.

It wasn't meant as an attack :D If you look at post #21 you see I use tools too, and I do think OP should use them once the process is known, though it isn't a must.
