
Creating SSL Certificate for File Server

A few weeks ago I bought the ASRock EP2C602-4L/D16 Server Motherboard. Nice board, lots of I/O.

I want to be able to manage it remotely over the internet because I want to use it as a dual-boot system (FreeBSD for a strong file server, Windows 7 64-bit just so I can screw around with a heap ton of resources: 16 cores, 32 threads, 128GB of RAM, currently 9TB of storage space, which I will be upgrading to 25TB relatively soon). Anyway, I'm getting side-tracked. I know it's very bad to have a completely unsecured session, with everything sent in plain text, over the internet. The motherboard has built-in IPMI with the ability to remote desktop the server. I could just open a port on my router, point it at the IPMI and boom, done, manage the server at a hardware level from almost anywhere in the world... No security though. I learned that the IPMI has the option to configure SSL certificates which (to my knowledge) are required to encrypt web sessions and allow you to use HTTPS (port 443). This certificate wants information that I don't know how to configure:

Common Name(CN):

Organization(O):

Organization Unit(OU):

City or Locality(L):

State or Province(ST):

Country(C):

Email Address:

Valid for: (Input number of days) Days

Key Length: 512 or 1024 bits

 

About 50% of this I understand and can fill out, but even if I fill in the spaces I don't understand, when I try to access the server via HTTPS it tells me the site is insecure and that the certificate was signed by the site itself... not entirely sure what that means. The site signed its own certificate. It then gives me the "Not recommended" option to continue to the site using HTTP.

 

In conclusion, I'd appreciate the help if anyone knows how to configure an SSL certificate and get Google Chrome to accept it so I can manage my server remotely more securely. Or if there is an adequate workaround.

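Worked example, added by the editor and not part of any post in this thread: it fills in the same subject fields the ASRock form asks for and generates a self-signed certificate with openssl, then shows what "signed by the site itself" means (issuer and subject are identical). Two caveats the form hides: the 512/1024-bit key choices are far too weak (512-bit RSA was publicly factored back in 1999 and 1024 is deprecated, so 2048 is the floor), and Chrome ignores the Common Name and needs a subjectAltName entry, which a BMC form usually cannot add. Every value here (bmc.home.lan, 192.0.2.10, "Home Lab" and so on) is a made-up placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: make a self-signed certificate for a BMC
# using the same fields the ASRock IPMI form asks for, then inspect the result.
# Assumptions (all made up for the example): the BMC answers on 192.0.2.10 and
# you reach it as bmc.home.lan; the other subject values are placeholders.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

CN="bmc.home.lan"        # Common Name: the name you type into the browser
O="Home Lab"             # Organization
OU="Servers"             # Organization Unit
L="Springfield"          # City or Locality
ST="Somewhere"           # State or Province
C="US"                   # Country: two-letter code
EMAIL="admin@home.lan"   # Email Address
DAYS=365                 # Valid for
BITS=2048                # Key Length: the form's 512/1024 choices are too weak
BMC_IP="192.0.2.10"      # address that also goes into the SAN extension

# make_selfsigned_cert DIR: writes DIR/bmc.key and DIR/bmc.crt
make_selfsigned_cert() {
    dir="$1"
    openssl req -x509 -newkey "rsa:$BITS" -nodes -sha256 -days "$DAYS" \
        -keyout "$dir/bmc.key" -out "$dir/bmc.crt" \
        -subj "/C=$C/ST=$ST/L=$L/O=$O/OU=$OU/CN=$CN/emailAddress=$EMAIL" \
        -addext "subjectAltName=DNS:$CN,IP:$BMC_IP" 2>/dev/null
}

# cert_signer_kind CERT: prints "self-signed" when issuer == subject, which is
# exactly what the browser means by "the certificate was signed by the site itself"
cert_signer_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# cert_key_bits CERT: prints the RSA modulus size in bits
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Demo: generate into a temporary directory and summarise what was made
out=$(mktemp -d)
make_selfsigned_cert "$out"
echo "wrote $out/bmc.crt: $(cert_signer_kind "$out/bmc.crt"), $(cert_key_bits "$out/bmc.crt")-bit key"
openssl x509 -in "$out/bmc.crt" -noout -subject -dates
```

Running it prints the subject line and validity dates; cert_signer_kind reports self-signed because nobody but the BMC itself vouched for the key, which is all the Chrome warning is telling you. Uploading bmc.key and bmc.crt through the IPMI interface (if the firmware allows importing instead of only generating) gives you a 2048-bit key, but it stays self-signed until a browser is told to trust that exact certificate.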

Don't shove IPMI over WAN. It's very insecure. You're much better off SSHing in or RDPing in.

 

Also, I'd just set up a VPN server.

 

Making a cert won't make it any more secure. You can add the cert to your system and it won't bug you, or you can pay for a signed cert.


Yep, never publish IPMI to the internet. Just do a quick Google of "IPMI security breach" and you'll see why.


11 minutes ago, Electronics Wizardy said:

Don't shove IPMI over WAN. It's very insecure. You're much better off SSHing in or RDPing in.

 

Also, I'd just set up a VPN server.

 

Making a cert won't make it any more secure. You can add the cert to your system and it won't bug you, or you can pay for a signed cert.

I figured as much. Using SSH, though, would only give me control in the OS (RDP in Windows, respectively), but if Windows was running, froze, and I wanted to access my file server on FreeBSD, I couldn't do anything while remote. The IPMI would let me recover the system without having to physically be there.

 

I haven't the knowledge to do that. I know what a VPN is but to setup a server dedicated as one I wouldn't know where to start. 

 

I figured it might not if I start up a desktop session using jviewer. I get the feeling it's not encrypted. I don't fully understand certificates so I'm not going to try and buy one but I don't know how to add one either.


9 minutes ago, leadeater said:

Yep, never publish IPMI to the internet. Just do a quick Google of "IPMI security breach" and you'll see why.

I brushed through an article and it quite quickly shut down my desire to use the IPMI over the internet...this sucks, the IPMI is so useful and cool. Why isn't the security up to date enough to let us use it over the internet without worry? I'd say a lot of the IPMI's purpose is defeated if it can't securely be used remotely. If you're on location then it's just a leisure to not have to get out of your chair to physically look at the server while remote access could be a seriously useful tool if nobody on location knows how to fix the server.


1 minute ago, Windows7ge said:

I brushed through an article and it quite quickly shut down my desire to use the IPMI over the internet...this sucks, the IPMI is so useful and cool. Why isn't the security up to date enough to let us use it over the internet without worry? I'd say a lot of the IPMI's purpose is defeated if it can't securely be used remotely. If you're on location then it's just a leisure to not have to get out of your chair to physically look at the server while remote access could be a seriously useful tool if nobody on location knows how to fix the server.

You can use IPMI remotely if you setup VPN access, either using a different computer (server rebooting) or on a router/firewall that supports VPN server.


7 minutes ago, leadeater said:

You can use IPMI remotely if you setup VPN access, either using a different computer (server rebooting) or on a router/firewall that supports VPN server.

Looking at my own router nothing says VPN server so that's not an option. I do have a very low power Mini-ITX server motherboard that I could slap a system together using. I've never built a VPN server. Is it like a proxy?


9 minutes ago, Windows7ge said:

Looking at my own router nothing says VPN server so that's not an option. I do have a very low power Mini-ITX server motherboard that I could slap a system together using. I've never built a VPN server. Is it like a proxy?

Sort of. It's just a secure connection back to your network. It creates a tunnel between you and the VPN server, through which you can allow routing of traffic into your main network. This means IPMI isn't publicly available but you can still get to it.

 

Have a look into OpenVPN or, for a very simple setup, use something like Sophos XG Home Edition on the mini-ITX server. By simple I mean a nice, easy-to-use web interface. Sophos XG is a full firewall, like pfSense but in my opinion better.


6 minutes ago, leadeater said:

Sort of. It's just a secure connection back to your network. It creates a tunnel between you and the VPN server, through which you can allow routing of traffic into your main network. This means IPMI isn't publicly available but you can still get to it.

 

Have a look into OpenVPN or, for a very simple setup, use something like Sophos XG Home Edition on the mini-ITX server. By simple I mean a nice, easy-to-use web interface. Sophos XG is a full firewall, like pfSense but in my opinion better.

So I imagine I'd open a router port and point it to the VPN server. Then on the VPN server I'd authenticate in some manner and, if configured how I want it, it'll point me to the IPMI of my main server? Would the VPN server provide encryption?


2 minutes ago, Windows7ge said:

So I imagine I'd open a router port and point it to the VPN server. Then on the VPN server I'd authenticate in some manner and, if configured how I want it, it'll point me to the IPMI of my main server? Would the VPN server provide encryption?

Yes that is correct, and yes that is the fundamental purpose of a VPN. To provide a secure and encrypted connection.


24 minutes ago, leadeater said:

Yes that is correct, and yes that is the fundamental purpose of a VPN. To provide a secure and encrypted connection.

Well alright, I think I have all the hardware necessary for a mini-vpn server. It'd also be a good learning experience. Thank you for the help. I don't plan on making it complicated so I'll look into Sophos XG Home Edition first and see how it works for my application.

 

I see why you said a VPN server is "kind of" a proxy. It's not a very good proxy when it's on the same private network as the server you want to access.


1 hour ago, Windows7ge said:

I brushed through an article and it quite quickly shut down my desire to use the IPMI over the internet...this sucks, the IPMI is so useful and cool. Why isn't the security up to date enough to let us use it over the internet without worry? I'd say a lot of the IPMI's purpose is defeated if it can't securely be used remotely. If you're on location then it's just a leisure to not have to get out of your chair to physically look at the server while remote access could be a seriously useful tool if nobody on location knows how to fix the server.

Here is the lazy way to do it.

 

Get an old computer or a VM.

 

Chuck TeamViewer on it.

 

No router config, you can access it from anywhere, and then use IPMI and other things from there.


32 minutes ago, Electronics Wizardy said:

Here is the lazy way to do it.

 

Get an old computer or a VM.

 

Chuck TeamViewer on it.

 

No router config, you can access it from anywhere, and then use IPMI and other things from there.

That's another option if things don't turn out as well as I hope. Correct me if I'm wrong, but I don't think TeamViewer encrypts sessions though.


2 minutes ago, Windows7ge said:

That's another option if things don't turn out as well as I hope. Correct me if I'm wrong, but I don't think TeamViewer encrypts sessions though.

TeamViewer is encrypted.


33 minutes ago, Electronics Wizardy said:

TeamViewer is encrypted.

That'll be my backup plan but for right now educating myself on VPNs seems like a good idea. I'm young and I've chosen a profession in the technical field so I can use this as a learning opportunity.


3 hours ago, Windows7ge said:

About 50% of this I understand and can fill out, but even if I fill in the spaces I don't understand, when I try to access the server via HTTPS it tells me the site is insecure and that the certificate was signed by the site itself... not entirely sure what that means. The site signed its own certificate. It then gives me the "Not recommended" option to continue to the site using HTTP.

That means it is working correctly.

 

Think of it like this. You walk up to a person on the street. You need to know who this person is, so you ask them. They want to be trusted so they show you their driver's license. Since the driver's license is issued by the government you can be confident that the information such as name is correct.

This is how it works on things like LinusTechTips.com. They have an SSL certificate provided to them by COMODO. Your browser knows who COMODO are, so they trust that if COMODO says this certificate belongs to LTT, then it really is LTT that you are visiting.

 

However, signing your own certificate is like handing over a piece of paper which says "I am definitely the person I claim to be" and then a photo super glued to the paper. Since that piece of paper doesn't come from someone you trust, unlike the driver's license, you have no way of actually knowing if the info is correct or not. This might just be a person pretending to be someone else.

This is what a self-signed certificate is, and that's what you are using. Your computer has no way of knowing if this certificate is legit or not since it hasn't been verified.

I don't know how you do it in Chrome, but in Firefox you have a button which says "add exception". Google Chrome should have something similar. What this does is basically say "yes, I know this is self-signed and can't be trusted, but I as the user will verify that it is the right one.".

To go back to the driver's license vs piece of paper analogy. Clicking on "add exception" is like going:

"OK, I know this is just a piece of paper, but I will take a copy of this and then remember it. From now on, I will remember that you are the person you claim to be on this piece of paper. To me personally, your piece of paper is as much evidence that you are the person you claim to be, as a real driver's license would be".

 

 

2 hours ago, leadeater said:

Yes that is correct, and yes that is the fundamental purpose of a VPN. To provide a secure and encrypted connection.

If we're going to be pedantic, secure and encrypted connections are not a fundamental part of VPNs. The main purpose was just to make network resources appear as local, even if you were connected over the Internet.

I think this is worth pointing out because a study found that 18% of the ~300 tested free VPN apps for Android did not encrypt the traffic at all.

Most people seem to have a fundamentally wrong idea of what a VPN is and how it works, so I think it is very important to give out correct information to not spread a false sense of security.

 

But yes, this is definitely a situation where you would want to use a VPN. But it's important to know how certificates work because he will (or at least should) get a security warning when connecting with his VPN too, since that will also use a self-signed cert.

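Worked example, added by the editor and not taken from any post in the thread: the "add exception" button LAwLz describes is trust-on-first-use, so this is a small pin store that does the same thing from a script. The first time a host is seen, its certificate fingerprint is recorded; after that, the same fingerprint is accepted and any different one is refused. The pin file format ("host fingerprint" per line), the name bmc.home.lan and the fingerprints used in the demo are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a trust-on-first-use pin store, which is
# what a browser's "add exception" does for a self-signed certificate: remember
# the certificate the first time, then refuse anything different afterwards.
# Assumptions (made up): pins live in a text file with "host fingerprint" lines,
# and the BMC is reached as bmc.home.lan on port 443.
set -e

# cert_fingerprint CERT: SHA-256 fingerprint of a PEM file, as the browser shows it
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# fetch_server_cert HOST PORT: the leaf certificate a live server presents
# (needs network access, so the demo below does not call it)
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# check_pin HOST FINGERPRINT PINFILE
#   first sight of HOST   -> record it, print "pinned",  return 0
#   same fingerprint      -> print "ok",                  return 0
#   different fingerprint -> print "MISMATCH",            return 1
check_pin() {
    host="$1"; fp="$2"; pinfile="$3"
    touch "$pinfile"
    stored=$(awk -v h="$host" '$1 == h { print $2; exit }' "$pinfile")
    if [ -z "$stored" ]; then
        printf '%s %s\n' "$host" "$fp" >> "$pinfile"
        echo pinned
    elif [ "$stored" = "$fp" ]; then
        echo ok
    else
        echo MISMATCH
        return 1
    fi
}

# Demo with constructed fingerprints (no network, no real certificate needed)
pins=$(mktemp)
FP_A="AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA"
FP_B="BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB"
check_pin bmc.home.lan "$FP_A" "$pins"      # first visit: pinned
check_pin bmc.home.lan "$FP_A" "$pins"      # later visit, same cert: ok
check_pin bmc.home.lan "$FP_B" "$pins" \
    || echo "certificate changed: stop and find out why before logging in"
```

In real use you would feed check_pin the output of cert_fingerprint on whatever fetch_server_cert returned. The useful part is the third case: once the BMC's certificate is pinned, a different fingerprint means either you replaced the certificate yourself or something between you and the BMC is presenting its own, and that is the moment to stop rather than click through another warning.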

4 hours ago, LAwLz said:

I think this is worth pointing out because a study found that 18% of the ~300 tested free VPN apps for Android did not encrypt the traffic at all.

Most people seem to have a fundamentally wrong idea of what a VPN is and how it works, so I think it is very important to give out correct information to not spread a false sense of security.

Quite true. However, for a self-installed VPN server you have to go out of your way to set up an unencrypted tunnel. I don't really class a VPN application and service you can just sign up for and use as quite the same thing, but yes, generalizing like that does set a false assumption.

 

Most of the unencrypted tunnel types are used more for site-to-site connections rather than client server and would use IPSec to encrypt the traffic traversing the tunnel, GRE or L2TP for example.

 

Using free ones wouldn't even come to mind for me. It's only the fact that you mentioned them as a thing people use that actually made me stop and think about those. It can often be hard to remove yourself from your own IT world bubble, particularly when you're deep into thinking about setting up VPN servers etc. lol.

 

Even @Electronics Wizardy's suggestion is so damn obvious and easy.


8 hours ago, LAwLz said:

But yes, this is definitely a situation where you would want to use a VPN. But it's important to know how certificates work because he will (or at least should) get a security warning when connecting with his VPN too, since that will also use a self-signed cert.

Even though I'm a default Chrome user due to college things and Chrome ditching Java support, I have both Mozilla Firefox and Chrome installed on my desktop and laptop, so if I locate this Firefox setting I can use Firefox when remoting into the server's IPMI.

 

I liked your analogy; besides being informative and easy to understand, I also found it amusing. This raises another question though. After setting up the VPN, if it's going to force me to use HTTP, won't that defeat the whole purpose of it? Or, in the background, unbeknownst to me, will it use its own method of encryption? Besides the Firefox override, if I can figure that out.


20 minutes ago, Windows7ge said:

Even though I'm a default Chrome user due to college things and Chrome ditching Java support, I have both Mozilla Firefox and Chrome installed on my desktop and laptop, so if I locate this Firefox setting I can use Firefox when remoting into the server's IPMI.

The main problem with IPMI is that the security is horrible. They aren't often updated and provide a very easy backdoor for someone on the network.

 

You really should put all the IPMI on their own management VLAN that has no access to the public internet at all and requires a VPN to access.


10 minutes ago, Electronics Wizardy said:

The main problem with IPMI is that the security is horrible. They aren't often updated and provide a very easy backdoor for someone on the network.

 

You really should put all the IPMI on their own management VLAN that has no access to the public internet at all and requires a VPN to access.

As someone previously mentioned, I'm going to build a VPN server and put it between the router and the server's MNGT port. If it works then great; if not then I'm out of luck.


6 hours ago, Windows7ge said:

This raises another question though. After setting up the VPN, if it's going to force me to use HTTP, won't that defeat the whole purpose of it? Or, in the background, unbeknownst to me, will it use its own method of encryption? Besides the Firefox override, if I can figure that out.

A VPN won't force you to use HTTP, because if you use something like OpenVPN then it won't use HTTP at all.

The VPN will tunnel all your traffic, HTTP, HTTPS, whatever, over an encrypted tunnel.


9 hours ago, LAwLz said:

A VPN won't force you to use HTTP, because if you use something like OpenVPN then it won't use HTTP at all.

The VPN will tunnel all your traffic, HTTP, HTTPS, whatever, over an encrypted tunnel.

So, simply put, regardless of what protocols I'm using it'll all get encrypted during the session? If this is true I have a greater, more difficult (in my opinion more difficult) question. The IPMI for the ASRock server motherboards allows remote desktop sessions using (to my knowledge) Java-based software called jviewer. I know Java isn't renowned for its security, and jviewer uses its own port numbers for keyboard/mouse/monitor controls. How can I tell if the jviewer session is encrypted? Or, because of this "VPN tunnel", does it not matter? All traffic going through the VPN server is encrypted regardless?

 

If there's no serious explained objections I plan to try out Sophos XG Home Edition first and see how it works. If I can't get it working in my exact application then I'll try OpenVPN and see if it makes a difference.


2 hours ago, Windows7ge said:

Or, because of this "VPN tunnel", does it not matter? All traffic going through the VPN server is encrypted regardless?

Correct. If you're using an encrypted VPN tunnel then anything within it is encrypted. VPNs are a great way to secure insecure communication protocols/traffic, as the VPN is operating at a layer above the traffic using the tunnel.

 

Just remember that only traffic using the VPN tunnel will be encrypted. Seems obvious, but your general internet traffic will not be.

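Worked example, added by the editor and not from any post in the thread: leadeater's caveat that only traffic actually using the tunnel is protected can be checked before opening a console. On Linux, `ip route get ADDRESS` prints the interface a packet to that address would leave through, so a pre-flight script can refuse to start the IPMI session unless the BMC's address is routed via the tunnel interface. The BMC address 192.0.2.10, the interface name tun0 (OpenVPN's usual default) and the two sample route lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-flight check that the BMC's address
# is actually routed through the VPN tunnel before you open the IPMI console.
# Assumptions (made up): the BMC is 192.0.2.10 and the tunnel interface is tun0;
# the two sample route lines below are constructed in `ip route get` format.
set -e

# route_dev LINE: prints the interface named after "dev" in one `ip route get` line
route_dev() {
    printf '%s\n' "$1" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# traffic_is_tunneled LINE IFACE: true when that route leaves through IFACE
traffic_is_tunneled() {
    [ "$(route_dev "$1")" = "$2" ]
}

# ipmi_preflight BMC_ADDR IFACE: live check on a Linux client
# returns 0 if the BMC is reached through IFACE, 1 if not, 2 if no route at all
ipmi_preflight() {
    line=$(ip route get "$1" 2>/dev/null | head -n 1) || return 2
    [ -n "$line" ] || return 2
    traffic_is_tunneled "$line" "$2"
}

# Constructed sample output in the format `ip route get` prints
VIA_TUNNEL="192.0.2.10 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 1000"
VIA_DEFAULT="192.0.2.10 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 1000"

# Demo: the first line is what you want to see, the second means the VPN is
# not up (or the BMC subnet is not routed into it) and the session would leave
# the machine outside the tunnel.
for line in "$VIA_TUNNEL" "$VIA_DEFAULT"; do
    if traffic_is_tunneled "$line" tun0; then
        echo "ok: IPMI traffic leaves via tun0 (inside the encrypted tunnel)"
    else
        echo "STOP: IPMI traffic would leave via $(route_dev "$line"), outside the tunnel"
    fi
done
```

Calling `ipmi_preflight 192.0.2.10 tun0` on the real client (with the VPN connected) gives the live answer; wiring it in front of the jviewer launch turns "I think it goes through the VPN" into something the script verifies each time.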

2 hours ago, Windows7ge said:

So simply put regardless of what protocols I'm using it'll all get encrypted during the session?

Yes, but only between your device and the VPN server.

 

So if you are at school and connect to your VPN at home, the traffic will be encrypted as it travels from your school to your home, where it is decrypted by your VPN server and then forwarded to whatever thing you tried to access.

 

 

2 hours ago, Windows7ge said:

If this is true I have a greater, more difficult (in my opinion more difficult) question. The IPMI for the ASRock server motherboards allows remote desktop sessions using (to my knowledge) Java-based software called jviewer. I know Java isn't renowned for its security, and jviewer uses its own port numbers for keyboard/mouse/monitor controls. How can I tell if the jviewer session is encrypted? Or, because of this "VPN tunnel", does it not matter? All traffic going through the VPN server is encrypted regardless?

All traffic going through the VPN tunnel will be encrypted (assuming that your VPN tunnel is encrypted).


7 hours ago, LAwLz said:

Yes, but only between your device and the VPN server.

 

So if you are at school and connect to your VPN at home, the traffic will be encrypted as it travels from your school to your home, where it is decrypted by your VPN server and then forwarded to whatever thing you tried to access.

 

 

All traffic going through the VPN tunnel will be encrypted (assuming that your VPN tunnel is encrypted).

Does this require any special application or will a web browser such as Mozilla Firefox or Chrome support the encryption algorithm to encrypt and decrypt the communications?

