R15Cookie Blog

A DevOps practitioner with an appreciation for robust architectures.



SSL/TLS Information

  • Let's Encrypt: Freely available certificates for websites. Requires a client as the certficates are only valid for 90 days, but many clients exist. I currently use EFF Certbot
  • Zero SSL: Method to obtain Let's Encrypt Certificates without installation. *WARNING:- If using their website tools, you are completely trusting this site. Do not do this for any site in which sensitive information will be transmitted! Although honestly, those type of sites should probably purchase an EV certification.
    • Also supports 1 year certificates, and ACME protocol integration. I nice alternative SSL provider if needed

SSL Private CA

  • Build a CA
  • Build a new certificate
  openssl req -out mydomain.csr -new -sha256 -newkey rsa:2048 -nodes -keyout mydoamin.key
  • Parameters
    • Country: US
    • State: Michigan
    • Locality Name: Full City Name
    • Organization Name: Company
    • Organizational Unit: Department
    • Common name: fqdn.mydomain.com
    • Email: blank
    • Defaults for rest
  • Sign Certificate
  openssl ca -config openssl.cnf -in mydomain.csr -out mydomain.crt

Useful article at Open Source Replacement for Security Software Packages I found interesting (mostly untested by myself unless otherwise stated)

  • Configuration Standards
  • Security Scanners
    • GovReady Github: An entire Government sponsored site that integrates open source tools into government standards. Policies for CentOS and Ubuntu exist, as well as a lot of other resources.
    • OpenSCAP: Open source tool to read and evaluate system security based on SCAP standards
    • Lynis: Another security scanner for Linux/Unix systems, focusing around common standards and best practices. Seems far easier to install and configure than OpenSCAP. However, I have not tested either at this point.
  • Endian: Appliance for security and hotspot management
  • IPFire: Linux based firewall distro
  • MailScanner: Seems easier then attempting to roll Spamassassin, ClamAV, greylisting, etc.
  • Odessa: Alternative to Autopsy/Sleuth Kit for Open Source forensics work.
  • PFSense: Pretty solid when I last used the project a few years ago. Based on FreeBSD, so limited to whatever FreeBSD supports hardware wise.
  • Snort: Open source intrusion detection system.