Follow Island in the Net on WordPress.com

Tag: Cyber Security

Ed25519 Keys for SSH

A technical article detailing how I switched my SSH login on a remote Linux server to use Ed25519 keys.

I changed my SSH login to my remote Linux server to use Ed25519 keys. This is one of the few technical articles I wrote this year. Writing these articles helps me better understand the technologies I use.

Ed25519 is a widely-used public-key signature algorithm based on elliptic curve cryptography (ECC). It was designed by Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. The "ed" in its name stands for the Edwards curve, which is the elliptic curve used in the algorithm.

Ed25519 is designed to provide high security while maintaining excellent performance. It offers 128-bit security, which means it is resistant to known cryptographic attacks. The algorithm is specifically optimised for speed, making it efficient for various applications.

Ed25519 is based on the twisted Edwards curve known as Curve25519, which Daniel J. Bernstein also developed. The choice of this curve offers several advantages, including resistance against certain types of side-channel attacks and efficient implementation across different platforms.

Ed25519 uses elliptic curve key pairs for signing and verification. Key generation involves selecting a random 256-bit secret scalar, which is used to compute the corresponding public key. The secret scalar should be generated using a cryptographically secure random number generator.

To create a signature using Ed25519, the signer uses their secret scalar and the message they want to sign. The algorithm applies a series of mathematical operations to produce a 64-byte signature. This signature can be verified using the corresponding public key.

Signature verification involves using the signer's public key, the received message, and the signature. The verification process applies a set of mathematical operations to confirm the authenticity and integrity of the message. If the verification is successful, the signature is valid, and the message hasn't been tampered with.

Ed25519 has gained significant adoption in various domains, including cryptography libraries, protocols, and applications. It is commonly used for secure communications, digital signatures, key exchange, and other cryptographic operations. Many popular libraries and frameworks, such as OpenSSL, libsodium, and GnuPG, support Ed25519.

Ed25519 offers advantages over older signature algorithms like RSA and DSA. It has shorter key lengths, making it more efficient in terms of computation and storage. Additionally, Ed25519 is resistant to many types of attacks, including those based on side-channel information leakage.

Ed25519 has been widely recognised as a reliable and secure signature algorithm and has found extensive use in various cryptographic applications due to its performance and security characteristics.

To generate an Ed25519 key pair on macOS for logging into my Linux server, I followed these steps:

  1. Open the Terminal application on macOS.
  2. The ssh-keygen command generates the Ed25519 key pair. In the Terminal, type the following command:ssh-keygen -t ed25519 -f linux_server_key
  3. This command generates a new Ed25519 key pair with the specified filename (linux_server_key in this example).
  4. You will be prompted to provide a passphrase for the key pair. I recommend entering a strong passphrase to protect your private key. Press Enter if you want to leave it empty (not recommended).
  5. Two files will be generated in the current directory: linux_server_key (private key) and linux_server_key.pub (public key).
  6. Copy the public key to your Linux server. I used the ssh-copy-id command to copy the public key to the server. In the Terminal, type the following command:ssh-copy-id -i linux_server_key.pub username@server_ip
  7. Replace username with your username on the Linux server and server_ip with the IP address or hostname of the Linux server. This command will copy the public key to the appropriate location on the server and enable key-based authentication.
  8. If the ssh-copy-id command is not available on your macOS, you can manually copy the contents of the linux_server_key.pub file and append it to the ~/.ssh/authorized_keys file on the Linux server.
  9. Once the public key is copied, you can use SSH to log in to the Linux server using your private key. In the Terminal, type the following command: ssh -i linux_server_key username@server_ip
  10. Replace username with your username on the Linux server and server_ip with the IP address or hostname of the Linux server. This command will use the specified private key for authentication when connecting to the server.
  11. If you set a passphrase for the private key, you will be prompted to enter it before establishing the SSH connection.

That's it! You have now generated an Ed25519 key pair on macOS and configured it for logging into a Linux server using SSH.

Web Application Firewall Summary

Web Application Firewall (WAF) is a security solution that protects web applications from various online threats and attacks. It sits between the user and the web server, analysing incoming traffic to filter out malicious requests and protect the application from potential vulnerabilities. The WAF helps safeguard against common web-based attacks like SQL injection, cross-site scripting (XSS), and other application-layer exploits.

A Web Application Firewall employs a set of specific firewall rules to block complex attacks. These rules are based on known attack patterns and anomalies and are designed to detect and prevent attacks. Some examples of specific firewall rules that can block complex attacks include:

  • Signature-based Rules: These rules identify known attack patterns and malicious payloads, such as specific SQL injection strings or XSS scripts, and block traffic that matches these patterns.
  • Behavioral Rules: These rules analyse traffic behaviour and block requests that exhibit suspicious or abnormal patterns, even if they don't match a specific attack signature.
  • Rate Limiting Rules: These rules restrict the number of requests from a single IP address within a given time frame, mitigating the impact of brute-force and DDoS attacks.
  • Session Management Rules: These rules monitor and enforce session-related behaviours to prevent session hijacking and token manipulation attacks.
  • Geolocation Rules: These rules block or allow traffic based on the IP address's geographic location, helping filter out traffic from known malicious regions.

My WordPress WAF has all of these types of rules enabled.

The WAF Summary below displays the count of attacks the Web application firewall prevents on my WordPress website. The summary comprises three categories of attacks: Complex Attacks, Brute Force Attacks, and Blacklist Blocks.

  • Complex Attacks occur when a visitor requests the website with malicious intent to exploit the website or find a vulnerability that can be exploited later. The firewall rules block these types of attacks.
  • Brute Force Attacks are attempts to guess usernames and passwords to gain access to the WordPress admin.
  • Blacklist Blocks indicate the number of times an IP has been blocked from accessing the site as a preventive measure.

Determining which IP addresses to blacklist usually involves analysing various factors to identify potentially malicious sources. Some common methods include:

  • Intrusion Detection/Prevention Systems (IDS/IPS): These systems monitor network traffic and identify suspicious or malicious behaviour. If an IP address is involved in malicious activities, it can be added to the blacklist.

  • Threat Intelligence Feeds: WAFs may use threat intelligence feeds from reputable sources that maintain lists of IP addresses associated with cyber threats. IP addresses from these feeds can be automatically added to the blacklist.

  • Anomaly Detection: The firewall may identify IP addresses that deviate significantly from typical traffic patterns or show patterns consistent with malicious activities, leading to blacklisting.

  • User Reports and Reputation Services: WAFs can consider user reports and reputation services that track and rate IP addresses' trustworthiness. Repeatedly flagged IP addresses may end up on the blacklist.

  • Manually Curated Lists: Security administrators can manually add suspicious IP addresses to the blacklist based on their analysis or incident reports.

My Web Application Firewall (WAF) utilises a combination of methods to dynamically update its blacklist, effectively blocking traffic from potentially harmful IP addresses. This proactive approach helps safeguard my WordPress website from malicious activities and ensures enhanced security.

Block Type Complex Brute Force Blacklist Total
Today 0 0 166 166
Week 63 193 963 1219
Month 112 193 4323 4628