Topic: Project Sentinel Library (Read 7038 times)

colin012 · « **on:** July 25, 2014, 01:34:42 am »

Welcome to the library!

Here, I will list articles on NXT personal security and NXT network security. As you can see, it is kind of small! Please add to it! Remember, if you wrote something or found something helpful, tell me and I will pay you in Sentinelcoin and add your article to the list! Some articles have bounties on them; they will pay more than an article without a bounty! If you wish to add to the bounty for an article or provide a bounty for an article that does not yet have a bounty listed, please leave a reply on this thread with the bounty you wish to provide for the article and I will add it to the list! Bounties can be NXT, NXT assets, and/or anything traded on the Universal Multi-Gateway!

You can write or link to articles posted on the forums, the wiki, or anywhere everyone can access them on the internet!

Network Security

Nodes and VPSs

How make your node more resilient to DDoS: https://nxtforum.org/public-nodes-vpss/how-to-make-your-node-as-resilient-to-ddos-as-possible/

Setting up ip verify unicast reverse-path protection and collecting evidence of DDoS attacks on Cisco routers: http://www.cisco.com/c/en/us/support/docs/security-vpn/kerberos/13634-newsflash.html

Personal Security

Password Protection

Creating a strong NXT Password and registering your account: http://nxter.org/protect-your-nxt/

The NXT Safe: https://nxtforum.org/nxt-projects/the-nxtsafe/

Coin Desk Phishing Alert: http://www.coindesk.com/phishing-alert/

Cold Storage

How To Set Up NXT Cold Storage: https://nxtforum.org/security/how-to-set-up-nxt-cold-storage-%28credit-goes-to-devphp%29/ (credit goes to devphp)

SSL Protection

Setting Up SSL/Https On Port 7876: https://nxtforum.org/public-nodes-vpss/setting-up-sslhttps-on-a-public-node/ (credit goes to lyaffe)

Library Bounties!

The Project Sentinel Library provides bounties for people who can either write an original article or provide a link to useful information on the topics of NXT network security or NXT personal security. Anyone is free to (and encouraged to!) add original bounties or add to the existing bounties in NXT, NXT assets, and/or anything traded on the Universal Multi-Gateway. The bounties will be listed here by type of knowledge they require and will be added to this post as needed.

If you wish to add an original bounty or add to an existing bounty, please post here with the amount and type of bounty and send the bounty the the Project Sentinel NXT account: 6588222582139125358

PLEASE NOTE! If you have found an article that we are looking for somewhere online but can NOT prove that it was your original work or the article in NOT NXT specific, you will only be paid a quarter (1/4^th) of the advertised bounty. The remaining three quarters will remain as bounty for someone who can write an original article on the subject that is specific to NXT rather than general. Bounties advertised as NXT specific will not accept unoriginal or general articles. Thank you!

Network Security

General Node Knowledge

Instructions on setting up port forwarding on different brands of routers: 3 Sentinelcoins per brand (Covered Already: none)

Instructions on how to set up a public, hallmarked node on a virtual machine: 5 Sentinelcoins

Iptables

Improvements to the node DDoS resilience article: 2 Sentinelcoins per new iptables command, 1 Sentinelcoin per improvement to existing iptables command

Domain Name Service

An article explaining, in detail, why public nodes without a domain name are more secure: 3 Sentinelcoins

SSL Verification

A whitepaper on protecting public nodes with SSL: 12 Sentinelcoins

Router/VPS Programming

How to articles on setting up ip verify unicast reverse-path protection for different router brands and VPS hosting services: 25 Sentinelcoins per router brand or VPS hosting service (Covered Already: Cisco)

How to articles on collecting evidence of DDoS attacks to give to the authorities for different router brands and VPS hosting services: 22 Sentinelcoins per router brand or VPS hosting service (Covered Already: Cisco)

PGP Signatures

Using the NXT PGP signature to verify downloads: 20 Sentinelcoins

NXT Security Features

How NXT solves the threat of precomputation attacks: 9 Sentinelcoins

Why NXT is safe from Nothing At Stake attacks: 14 Sentinelcoins

A review of the Jetty filter: 6 Sentinelcoins

Personal Security

Password Creation and Management

Tips for building a strong NXT password: 1 Sentinelcoin Thank you apenzl!

Instructions on how to use a password manager on Linux with NXT: 5 Sentinelcoins

A review of different password managers for all OSs with ranking by security level: 15 Sentinelcoins

A white paper on how to best integrate PBKDF2 with NXT: 15 Sentinelcoins

Encryption

Detailed, step by step instructions on installing and booting SliTaz Linux on an encrypted hard drive using LUKS: 15 Sentinelcoins

SSL Verification

A how to article on setting up NXT server SSL protection: 5 Sentinelcoins Thanks lyaffe!)

apenzl · « **Reply #1 on:** July 28, 2014, 02:03:25 pm »

Hi Colin012,

if you're interested, there's a short article about choosing password and securing your Nxt acc here: http://nxter.org/protect-your-nxt/

It links to http://nxter.org/nxt-privacy-basic-security/ which is about to get updated and added to (with info about keyloggers and "tips for the paranoid".

colin012 · « **Reply #2 on:** July 28, 2014, 02:25:08 pm »

Quote from: apenzl on July 28, 2014, 02:03:25 pm

Hi Colin012,

if you're interested, there's a short article about choosing password and securing your Nxt acc here: http://nxter.org/protect-your-nxt/

It links to http://nxter.org/nxt-privacy-basic-security/ which is about to get updated and added to (with info about keyloggers and "tips for the paranoid".

Wonderful! I will send you your Sentinelcoin as soon as I can fix my VM.

P2PGuy · « **Reply #3 on:** July 28, 2014, 04:45:09 pm »

Great Colin, well done. It's a positive initiative. Smart thinking.

Riker · « **Reply #4 on:** July 29, 2014, 07:30:12 pm »

Hi Colin,

1. Regarding: "A whitepaper on protecting public nodes with SSL: 12 Sentinelcoins" as far as I can tell you can enable SSL on a public node by setting the property nxt.apiSSL=true in nxt.properties, if you need instructions for setting up a CA certified SSL node using a Java KeyStore this is publicly documented in numerous places like Verisign and it's competitors. What else are you looking for in this white paper ? Same goes for "A how to article on setting up NXT server SSL protection: 5 Sentinelcoins".

2. The SentinelC asset has 0 trades so its difficult to estimate it's value. Why don't you just provide the bounties in NXT ? I'm sure that if you'll offer 100 NXT instead of each Sentinelcoins you'll see plenty of activity in the thread.

colin012 · « **Reply #5 on:** July 29, 2014, 10:14:59 pm »

Quote from: lyaffe on July 29, 2014, 07:30:12 pm

Hi Colin,

1. Regarding: "A whitepaper on protecting public nodes with SSL: 12 Sentinelcoins" as far as I can tell you can enable SSL on a public node by setting the property nxt.apiSSL=true in nxt.properties, if you need instructions for setting up a CA certified SSL node using a Java KeyStore this is publicly documented in numerous places like Verisign and it's competitors. What else are you looking for in this white paper ? Same goes for "A how to article on setting up NXT server SSL protection: 5 Sentinelcoins".

2. The SentinelC asset has 0 trades so its difficult to estimate it's value. Why don't you just provide the bounties in NXT ? I'm sure that if you'll offer 100 NXT instead of each Sentinelcoins you'll see plenty of activity in the thread.

1. nxt.apiSSL only protects the nxt API, or port 7876. What I am talking about is securing port 7874 with SSL. "A how to on setting up NXT server SSL protection" would be related to nxt.apiSSL and nxt.uiSSL. Setting those to true does not automatically make them SSL secured. You need a certificate file and a key file associated with the IP address and the port number. The article I am looking for would cover how to obtain a key and a certificate file for your server, signing the certificate (either self signed or signed by Verisign/its competitors).

2. I tried to set up a 1 NXT sale for SentinelC but my VM was disconnected from the internet at the time and I didn't know. Since, my VM has stopped connecting to the internet all together so I am creating a new one. I will put the SentinelC on sale then. However, only 1,102 will be sold initially. The buyers can then determine the price they want in return for it themselves.

Riker · « **Reply #6 on:** July 30, 2014, 02:57:45 pm »

Quote from: colin012 on July 29, 2014, 10:14:59 pm

1. nxt.apiSSL only protects the nxt API, or port 7876. What I am talking about is securing port 7874 with SSL. "A how to on setting up NXT server SSL protection" would be related to nxt.apiSSL and nxt.uiSSL. Setting those to true does not automatically make them SSL secured. You need a certificate file and a key file associated with the IP address and the port number. The article I am looking for would cover how to obtain a key and a certificate file for your server, signing the certificate (either self signed or signed by Verisign/its competitors).

I'm willing to write about setting SSL for a VPS node and explain the necessary procedures for setting up a test certificate and a CA certified certificate.
Questions:
In what format does it makes sense to write it ?
Where do you intend to publish it ?

colin012 · « **Reply #7 on:** July 30, 2014, 03:47:57 pm »

Quote from: lyaffe on July 30, 2014, 02:57:45 pm

Quote from: colin012 on July 29, 2014, 10:14:59 pm

1. nxt.apiSSL only protects the nxt API, or port 7876. What I am talking about is securing port 7874 with SSL. "A how to on setting up NXT server SSL protection" would be related to nxt.apiSSL and nxt.uiSSL. Setting those to true does not automatically make them SSL secured. You need a certificate file and a key file associated with the IP address and the port number. The article I am looking for would cover how to obtain a key and a certificate file for your server, signing the certificate (either self signed or signed by Verisign/its competitors).

I'm willing to write about setting SSL for a VPS node and explain the necessary procedures for setting up a test certificate and a CA certified certificate.
Questions:
In what format does it makes sense to write it ?
Where do you intend to publish it ?

Well, you can write it in any format that makes sense. See https://nxtforum.org/public-nodes-vpss/how-to-make-your-node-as-resilient-to-ddos-as-possible/ as an example.

You can publish it on the forums under the Public Nodes/VPSs board!

I will print a physical copy as a backup and add duplicate the article on the wiki so it never gets lost.

Riker · « **Reply #8 on:** August 03, 2014, 10:52:57 am »

Please take a look at this https://nxtforum.org/public-nodes-vpss/setting-up-sslhttps-on-a-public-node/

colin012 · « **Reply #9 on:** August 03, 2014, 08:55:14 pm »

Quote from: lyaffe on August 03, 2014, 10:52:57 am

Please take a look at this https://nxtforum.org/public-nodes-vpss/setting-up-sslhttps-on-a-public-node/

It is good but it doesn't cover port 7875 which should be really easy to add to the article.

This gets you the "A how to article on setting up NXT server SSL protection: 5 Sentinelcoins" bounty. Cover port 7874 and you will get the "A whitepaper on protecting public nodes with SSL: 12 Sentinelcoins" bounty.

Because you are missing port 7875 I will give you 3 out of the 5 now and the remaining two when you add port 7875 to your article. Just send me your NXT address and I will send you the Sentinelcoins

Riker · « **Reply #10 on:** August 04, 2014, 12:53:04 pm »

Quote from: colin012 on August 03, 2014, 08:55:14 pm

It is good but it doesn't cover port 7875 which should be really easy to add to the article.

Fixed

Quote from: colin012 on August 03, 2014, 08:55:14 pm

This gets you the "A how to article on setting up NXT server SSL protection: 5 Sentinelcoins" bounty. Cover port 7874 and you will get the "A whitepaper on protecting public nodes with SSL: 12 Sentinelcoins" bounty.

As far as I can tell port 7874 cannot be protected with SSL at the moment since the NRS code does not support it. Take a look at the Peers.Init class the ServerConnector object does not use an SslContextFactory and therefore cannot accept SSL connections. So this is more of a feature request not an article. Nevertheless once SSL support is implemented in the code the instructions provided should be applicable for this as well.

My NXT address is NXT-HBFW-X8TE-WXPW-DZFAG

The paper for port 7874 would explain what would need to be added to the client to allow 7874 to have have SSL, how difficult it would for the devs to implement, and what benefits it would have.
Sending the SentinelC now

colin012 · « **Reply #11 on:** August 04, 2014, 03:57:51 pm »

Quote from: lyaffe on August 04, 2014, 12:53:04 pm

Quote from: colin012 on August 03, 2014, 08:55:14 pm
It is good but it doesn't cover port 7875 which should be really easy to add to the article.

Fixed

Quote from: colin012 on August 03, 2014, 08:55:14 pm
This gets you the "A how to article on setting up NXT server SSL protection: 5 Sentinelcoins" bounty. Cover port 7874 and you will get the "A whitepaper on protecting public nodes with SSL: 12 Sentinelcoins" bounty.

As far as I can tell port 7874 cannot be protected with SSL at the moment since the NRS code does not support it. Take a look at the Peers.Init class the ServerConnector object does not use an SslContextFactory and therefore cannot accept SSL connections. So this is more of a feature request not an article. Nevertheless once SSL support is implemented in the code the instructions provided should be applicable for this as well.

My NXT address is NXT-HBFW-X8TE-WXPW-DZFAG

The paper for port 7874 would explain what would need to be added to the client to allow 7874 to have have SSL, how difficult it would for the devs to implement, and what benefits it would have.
Sending the SentinelC now

I sent you the SentinelC.

As far as port 7874 goes, the paper would discuss what the code would need in order to implement it and what security advantages (if any) it would provide. Would it help protect from node spoofing? DNS Cache poisoning? Something else?

Riker · « **Reply #12 on:** August 05, 2014, 09:59:24 am »

Securing the peer server i.e. port 7874 is a sensitive issue and requires the involvement of the core devs, I imagine that this has been discussed before.
The problem is that if you simply require SSL communication on port 7874 then peers which did not upgrade or do not support SSL won't be able to connect to peer servers which implement SSL and similarly peers which connect using SSL to a peer server which do not support SSL will fail to connect.

We can try to implement a fallback approach, try SSL connection and if it fails use Http, this probably won't work since it would be too time consuming to perform this check whenever sending data to another peer.
Same goes if we define a new SSL port 7873, try it first and then fallback to 7874 in case of failure. Again I think the performance impact would be unacceptable.
Perhaps it's possible to first connect using Http to port 7874 then receive back in response if to use SSL for further connections and on which port.

The advantages would be protection against spoofing and man in the middle attacks for peer to peer communication.

Another improvement which is perhaps more important but also more difficult to implement is to switch to WebSocket protocol communication between peers. But this is a much bigger effort.

colin012 · « **Reply #13 on:** August 05, 2014, 04:43:32 pm »

Quote from: lyaffe on August 05, 2014, 09:59:24 am

Securing the peer server i.e. port 7874 is a sensitive issue and requires the involvement of the core devs, I imagine that this has been discussed before.
The problem is that if you simply require SSL communication on port 7874 then peers which did not upgrade or do not support SSL won't be able to connect to peer servers which implement SSL and similarly peers which connect using SSL to a peer server which do not support SSL will fail to connect.

We can try to implement a fallback approach, try SSL connection and if it fails use Http, this probably won't work since it would be too time consuming to perform this check whenever sending data to another peer.
Same goes if we define a new SSL port 7873, try it first and then fallback to 7874 in case of failure. Again I think the performance impact would be unacceptable.
Perhaps it's possible to first connect using Http to port 7874 then receive back in response if to use SSL for further connections and on which port.

The advantages would be protection against spoofing and man in the middle attacks for peer to peer communication.

Another improvement which is perhaps more important but also more difficult to implement is to switch to WebSocket protocol communication between peers. But this is a much bigger effort.

What if using the SSL port was optional and something put in the settings. That way people who cannot connect to SSL don't have to? Also, please expound on WebSocket... what does it offer that SSL does not and can it be used at the same time as SSL?

Riker · « **Reply #14 on:** August 05, 2014, 08:37:58 pm »

Quote from: colin012 on August 05, 2014, 04:43:32 pm

Quote from: lyaffe on August 05, 2014, 09:59:24 am
Securing the peer server i.e. port 7874 is a sensitive issue and requires the involvement of the core devs, I imagine that this has been discussed before.
The problem is that if you simply require SSL communication on port 7874 then peers which did not upgrade or do not support SSL won't be able to connect to peer servers which implement SSL and similarly peers which connect using SSL to a peer server which do not support SSL will fail to connect.

We can try to implement a fallback approach, try SSL connection and if it fails use Http, this probably won't work since it would be too time consuming to perform this check whenever sending data to another peer.
Same goes if we define a new SSL port 7873, try it first and then fallback to 7874 in case of failure. Again I think the performance impact would be unacceptable.
Perhaps it's possible to first connect using Http to port 7874 then receive back in response if to use SSL for further connections and on which port.

The advantages would be protection against spoofing and man in the middle attacks for peer to peer communication.

Another improvement which is perhaps more important but also more difficult to implement is to switch to WebSocket protocol communication between peers. But this is a much bigger effort.

What if using the SSL port was optional and something put in the settings. That way people who cannot connect to SSL don't have to? Also, please expound on WebSocket... what does it offer that SSL does not and can it be used at the same time as SSL?

The problem is that if some peers are running SSL on port 7874 and some peers don't then these peers won't be able to communicate and you'll get a fork. So a setting by itself won't do. There has to be a fallback mechanism, try SSL, not working, use Http.

Regarding WebSocket, this is a communication protocol which is aimed to improve on some of the limitations of Http. Like Http, WebSocket can be encrypted. In my view, WebSocket is a perfect fit for NXT peer communication but implementing it won't be simple.
Take a look at this discussion http://stackoverflow.com/questions/14703627/websockets-protocol-vs-http to learn a bit about the capabilities of WebSocket.

colin012 · « **Reply #15 on:** August 06, 2014, 04:25:56 pm »

Couldn't it work this way? Two peer ports are open on every public node. One port has SSL and the other is standard http. In the settings for a normal user, they could chose to connect to the SSL ports or the http ports of peers. The default, or fall back is to connect to http. If the settings say otherwise, the machine attempts to connect to a mix of both. Wouldn't that prevent a fork?

Switch to ArdorForum

News:

Author Topic: Project Sentinel Library (Read 7038 times)

colin012

Project Sentinel Library

apenzl

Re: Project Sentinel Library

colin012

Re: Project Sentinel Library

P2PGuy

Re: Project Sentinel Library

Riker

Re: Project Sentinel Library

colin012

Re: Project Sentinel Library

Riker

Re: Project Sentinel Library

colin012

Re: Project Sentinel Library

Riker

Re: Project Sentinel Library

colin012

Re: Project Sentinel Library

Riker

Re: Project Sentinel Library

colin012

Re: Project Sentinel Library

Riker

Re: Project Sentinel Library

colin012

Re: Project Sentinel Library

Riker

Re: Project Sentinel Library

colin012

Re: Project Sentinel Library