Skadi Pack 02: Secure Networking

@AlanOrlikoski edited this page Jan 15, 2019 · 20 revisions

Purpose

This add-on pack is used to upgrade the default Skadi 2019.1 installation to use either self-signed or Letsencrypt provided TLS certificates.

The first portion of this script uses mkcert to install self-signed TLS certificates and configures the Skadi server to use TLS encryption. It then installs and configures protection from brute force authentication attacks through the use of Fail2Ban. It is configured to monitor and protect the SSH and Nginx Proxy authentication attempts.

The second portion of the script is optional. It uses Certbot to obtain Letsencrypt-validated TLS certificates and then replaces the existing self-signed certificates with them.

This script will perform the following tasks:

  • Ask for and validate hostname to use
  • Update Nginx to use the hostname provided
  • Use mkcert to create and install self-signed certs
  • Install and configure fail2ban

Important Notes

The generation of the DHParam key takes a long time. Be patient.

Installation Walkthrough

Log Into Skadi 2019.x

This script, and these instructions, were written specifically for Skadi 2019.1. It is assumed that the user is executing the following commands on a machine either based on the Skadi 2019.1 OVA/Vagrant images or built using the official, digitally signed, Skadi 2019.1 build script.

Use the following commands to start secure_networking.sh :

cd /opt/Skadi
sudo git pull
sudo bash /opt/Skadi/scripts/secure_networking.sh

Self Signed vs Letsencrypt Certificates

At the end of the first phase the script installs self-signed certificates. This is perfectly fine for home and lab use.

Internet-facing, publicly accessible machines (such as cloud instances) should continue to the second phase, where valid TLS certificates issued by Letsencrypt replace the self-signed certificates.

Make a Choice

When the script reaches this point, choose yes or no:

Would you like to install valid TLS certs using Certbot via
ACME and Letsencrypt?

CAUTION: A FQDN (example: myhost.mydomain.com) with working DNS
is required in order for Letsencrypt to access it via the Internet and
complete the installation process.

Type Yes to continue or No to stop the script: 

Choosing No

The script ends.

Choosing Yes

NOTE: This script is located at /opt/Skadi/scripts/install_tls_certs.sh and can be run separately after secure_networking.sh has already been run.

cd /opt/Skadi
sudo git pull
sudo bash /opt/Skadi/scripts/install_tls_certs.sh

LetsEncrypt Questions

There will be questions to answer; provide the requested information to continue:

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

and

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

Successful Results <my.example.com>

If the output looks anything other than this, some troubleshooting is required:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.example.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/my.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/my.example.com/privkey.pem
   Your cert will expire on 2019-04-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Stopping Nginx Docker
nginx

Updating the /etc/nginx/conf.d/ to use letsencrypt certificates
Staring nginx container
nginx
Nginx Docker container has been restarted and changes applied

Letsencrypt has been used to install valid TLS certificates
  - Certificates are stored in /etc/nginx/certs/letsencrypt/live/my.example.com/

For further info on Letsencrypt certs please see: https://letsencrypt.org/

Visit https://my.example.com to verify installation
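The following post-run checks cover the two things above that most often go wrong: the CAUTION that Letsencrypt needs a FQDN with working public DNS, and the final "visit the site to verify" step. This is an added example, not part of the Skadi scripts; it assumes openssl, dig, curl and fail2ban-client are installed and that the ipify service is used to learn the host's public address.

```shell
#!/usr/bin/env bash
# Post-run checks for a Skadi host after secure_networking.sh / install_tls_certs.sh.
# Added example, not part of the Skadi scripts. Assumes openssl, dig and curl are
# present and that nginx serves HTTPS on 443 (as the "Visit https://..." step implies).
set -u

# Syntactic FQDN check: two or more labels, each 1-63 chars of [A-Za-z0-9-] with no
# leading/trailing hyphen, total length <= 253. Rejects bare names like "skadi".
fqdn_ok() {
  local host="$1"
  [ ${#host} -le 253 ] || return 1
  printf '%s' "$host" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# The http-01 challenge is fetched by Letsencrypt over the public Internet, so the
# name must resolve to the address this machine is actually reachable on.
dns_matches_public_ip() {
  local host="$1" resolved public
  resolved=$(dig +short A "$host" | tail -n1)
  public=$(curl -fsS https://api.ipify.org)   # assumption: ipify reports our public IP
  [ -n "$resolved" ] && [ "$resolved" = "$public" ]
}

# Days until the certificate actually served on :443 expires (prints the number).
# A self-signed mkcert certificate still shows up here; check the issuer too if unsure.
cert_days_left() {
  local host="$1" end
  end=$(openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2)
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

if [ -n "${1:-}" ]; then
  host="$1"
  fqdn_ok "$host" && echo "ok: '$host' is a FQDN" || echo "FAIL: '$host' is not a FQDN"
  dns_matches_public_ip "$host" && echo "ok: DNS points at this host" || echo "FAIL: DNS does not point here"
  echo "certificate on :443 expires in $(cert_days_left "$host") days (certbot renew acts below 30)"
  # The page says fail2ban watches SSH and the Nginx proxy; confirm those jails are loaded.
  sudo fail2ban-client status | sed -n 's/.*Jail list:/jails:/p'
fi
```

Run it as `bash check_skadi_tls.sh my.example.com` from the Skadi host itself; the functions can also be sourced individually.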