How to exchange public keys between two servers in a secure way?

I have 2 servers with pair of RSA public and private keys.

I need to establish a trust between 2 servers: I need to copy a public key form the first server to the second server and the public key from the second server to the first server.

Note that it is not Diffie–Hellman key exchange (that explained very well here "Diffie-Hellman Key Exchange" in plain English).

The simplest way is just manually copy the public keys from one server to another. Additional option is to use the following homegrown flow:

  1. Generate a one-time token on the first server
  2. Copy the token manually to the second server
  3. The first servers accesses the second server via API. Ase the token for the API authentication. The API implementation exchanges public keys between servers

Any suggestions to improve the flow?

Do we have some best practices flow since homegrown flows usually bad for security?

Find information about host/user by his public key?

Say, I was reviewing my log files and noticed that someone with certain public key tried to connect to my server and got access denied (because his public key is not in my authorized_keys file).

May I somehow gather more information about user/host with this associated public keys? For example, this key may be attached to Github profile and I can filter Github users by public keys and find the one that used to attempt to login into my server?

Thanks!

Is identity certificate same as public key?

I’m new to public key infrastructure. I think I understand how public key encryption works, conceptually. So public key is, by definition, public and not a secret. Recently when I came across the term identity certificate and read about it, it sounded very similar to public key of an entity. But, it was not explicitly stated whether they are same or different.

My questions are…

Is identity certificate same as public key? If no, then is identity cert considered a secret?

How are they related?

What if an attacker gets access to public key through an insecure media in digital signature?

If A encrpyts the message and creates signature using his private key and sends through the network then only B with the public key of A can decrypt that message.

But what if the attacker gets access to the public key of A and the encrypted message through the network? Will he be able to decrypt the message?

(Public) IP address [x.x.x.x] of Synology has been blocked by SSH

For the past few months I regularly see alerts on my Synology about SSH connection being blocked. Somebody (here a nice Chinese guy from 222.186.15.158) was attempting to connect to my NAS with the root account (Fortunately PermitRootLogin is disabled).

What I am a bit worried because if I see a public address here, it means my NAS is somehow reachable from the internet. However all ports are closed on my front router, NAT is disabled, DMZ is disabled.

When I try to nmap my router from the outside I get this :

$   nmap -Pn x.x.x.x  Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-17 01:07 CEST Nmap scan report for x.x.x.x Host is up (0.012s latency). Not shown: 997 filtered ports PORT     STATE  SERVICE 113/tcp  closed ident 2000/tcp open   cisco-sccp 5060/tcp open   sip  Nmap done: 1 IP address (1 host up) scanned in 8.23 seconds 

So there is no SSH entry point.

How would it be technically possible to see a public IPv4 address attempting to connect to my LAN NAS?

How to prevent configuration of Public IP on an interface

I have recently identified a security risk with some of the machines (primarily Windows 10 and MacOS laptops) my company issues to users. Specifically, a small subset of the users are regularly placing their device “directly on the Internet” when working remotely.

I suspect that this is primarily caused by plugging the Ethernet of the machine directly into a cable/DSL modem provided by the ISP for their home Internet connection. And that ISP is issuing a public IP address to our machine when it makes a DHCP request. This has publically exposed RDP, SSH, and other remote services only meant to be accessible from LAN networks.

The people/process solution to this problem will be user education, and I do intend to pursue this route. However, this will always be purely reactive–waiting for users to plug in to the Internet and chasing them down to ask them to stop doing so. I am currently only able to run periodic search queries to find these machines and would not seem to have a way to get automated, immediate alerting when it occurs.

I am wondering if there could be a more proactive, technical solution to this problem. I think that the ideal solution would be one that (a) prevents the configuration of a public IP address onto any of the NICs, especially via DHCP; (b) provides a pop-up message to the user informing them of what has occurred and whom to contact for assistance (i.e., our corporate help desk); and (c) immediately alerts our support staff that this has occurred, if possible.

The machines have various endpoint agents and technologies in place for management, including GPO policies, SCCM, and CrowdStrike. I do not have enough experience with any of these tools to know if it is feasible to create a technical solution using one of them, and I am not personally an administrator of any of these tools in my environment.

I have not yet attempted any particular implementation. It is within my skill set to create a Python script/executable that could check the configured IP addresses every X number of minutes; give the user a pop-up message; remove/change any public IP addresses; and/or possibly send back an alert. However, I’m highly doubtful that I could get approval to deploy this.

I certainly do not have the skill to create a full-time, inline monitoring/blocking agent, so the truly desired implementation would have to come from an existing tool. Is anybody aware of whether GPO, CrowdStrike, or other common endpoint management tools might be able to accomplish this technical solution?

Further, does anybody have any other guidance (people, process, or technology) that they feel might be useful in addressing this risk?