Lead Image © Amy Walters, 123RF.com
Hardening network services with DNS
Defenders
The Domain Name System (DNS) was specified way back in 1983, eliminating the need for a locally maintained HOSTS file with name resolution entries and thus contributing significantly to the success of the Internet. The decentralized approach to resolving domain names into IP addresses began, as with almost all protocols of the Internet, without a focus on security. A good 10 years later, work began on the DNS Security Extensions (DNSSEC), which today allow the operation of a reliable and cryptographically secure DNS infrastructure.
In addition to secure name resolution, DNS has established itself as a universal protocol for hardening network protocols. The best known application is probably secure email communication with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and a combination of the two in the form of Domain-based Message Authentication, Reporting, and Conformance (DMARC).
Checking SSH Fingerprints
The first time you establish an SSH connection, you are confronted with viewing and verifying the server fingerprint. Although a reliable check is required for security reasons, the displayed fingerprints are often approved without a second thought. As a security-aware administrator, you can reliably remedy this situation thanks to SSH fingerprinting (SSHFP). When you create the required DNS entries for your server, you can run the command
ssh-keygen -r <hostname>
to output the hashes. The two digits before the fingerprint encode the algorithm and hash method used [1]. Digits 1 to 4 on the left stand for (in ascending order) RSA, DSA, ECDSA, and Ed25519. No algorithm has been assigned for 5 yet, and 6 stands for Ed448. The values 1 and 2 in the second position stand for the SHA-1 and SHA-256 hash methods.
Since version 6.6, OpenSSH has let users query fingerprints when
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Secure SSH connections the right way
Admins use SSH, the proverbial Swiss army knife of system management, for many of their daily tasks, but no matter how powerful the tool might be, it typically does not offer adequate protection. We look at ways to tighten SSH security. -
Securing the TLS ecosystem with Certificate Transparency
With the need for home offices during the pandemic lockdown, provisional solutions instituted on the fly during the transition from office to home require more permanent solutions, especially for securing TLS connections on the Internet. -
Certificate security
Use public key pinning to map certificates to specific domains. -
Transport Encryption with DANE and DNSSEC
Those who think that enabling STARTTLS in the mail client will make their mail traffic more secure are wrong. Only those who bank on DANE can be sure that a mail server or a firewall will not switch off encryption in transit. -
Securing email communication with GnuPG
We look at certificate management with a Web Key Directory and a directory service and investigate automated authentication with GnuPG actium.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
