How to exchange public keys between two servers in a secure way?

I have 2 servers with a pair of RSA public and private keys.

I need to establish a trust between 2 servers: I need to copy a public key from the first server to the second server and the public key from the second server to the first server.

Note that it is not Diffie–Hellman key exchange (that is explained very well here: "Diffie-Hellman Key Exchange" in plain English).

The simplest way is to just manually copy the public keys from one server to another. An additional option is to use the following homegrown flow:

  1. Generate a one-time token on the first server
  2. Copy the token manually to the second server
  3. The first server accesses the second server via API. Use the token for the API authentication. The API implementation exchanges public keys between the servers

Any suggestions to improve the flow?

Do we have some best-practice flow, since homegrown flows are usually bad for security?
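The token flow from the question, written out as an added example (not code from the post). It assumes the token is used as an HMAC key that binds each public key to the exchange instead of being sent as a bearer credential; `Enrollment`, `tag`, `TOKEN_TTL` and the placeholder keys are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 600  # seconds the one-time token stays valid (assumed value)
# Constructed placeholders; real values are the servers' RSA public keys in PEM.
PUB_A = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-A\n-----END PUBLIC KEY-----\n"
PUB_B = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-B\n-----END PUBLIC KEY-----\n"


def fingerprint(pub: bytes) -> str:
    """SHA-256 of the key file, for an operator to compare out of band."""
    return hashlib.sha256(pub).hexdigest()


def tag(token: bytes, direction: bytes, pub: bytes) -> bytes:
    """Bind a public key to the token and to the direction it travels in."""
    return hmac.new(token, direction + b"\x00" + pub, hashlib.sha256).digest()


class Enrollment:
    """Second server's state for one token: single use, time limited."""

    def __init__(self, token: bytes, issued_at: float):
        self.token, self.issued_at, self.used = token, issued_at, False

    def accept(self, peer_pub, peer_tag, own_pub, now):
        if self.used or now - self.issued_at > TOKEN_TTL:
            raise PermissionError("token already used or expired")
        if not hmac.compare_digest(tag(self.token, b"A->B", peer_pub), peer_tag):
            raise PermissionError("public key was not sent by the token holder")
        self.used = True  # burn the token even if the reply never arrives
        return own_pub, tag(self.token, b"B->A", own_pub)


def run_exchange(substitute: bytes = b""):
    """Steps 1-3 of the flow; `substitute` simulates a key replaced in transit."""
    token = secrets.token_bytes(32)           # 1. generated on the first server
    second = Enrollment(token, time.time())   # 2. copied manually to the second
    request_tag = tag(token, b"A->B", PUB_A)  # 3. first server calls the API
    got_pub, got_tag = second.accept(substitute or PUB_A, request_tag, PUB_B, time.time())
    if not hmac.compare_digest(tag(token, b"B->A", got_pub), got_tag):
        raise PermissionError("returned key was not sent by the token holder")
    return fingerprint(PUB_A), fingerprint(got_pub), second
```

The returned fingerprints are what an operator would compare by hand if the keys were copied manually instead.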

SSH public key synchronization across several servers, how to automate it?

Hello,

I'm working on a script which will allow synchronization of several folders across multiple servers.
On each server the script will download data from the rest of the servers via rsync over ssh (rsync has archive and update attributes).
For this transfer an SSH public access key is needed.

When I add a new server to the group, I need to:
1) run ssh-keygen on the new server and via ssh-copy-id add the key to the rest of the servers so I can download data from them…
2) do the same on all old servers so each of…

Will carrier servers allow the ISP to see anything I’m doing even on a VPN?

AFAIK, if the connection to the VPN server is properly set up, the ISP is not able to see any of the traffic.

Nevertheless, I just found a worrying comment to this blog post:

https://www.stealth-phones-guide.com/blog/anonymous-sim-card-scam

I just wanted to double check with the experts of this website: is it true what the guy states in his comment?

That is, if I am routing all my traffic through a mobile hotspot with a prepaid sim card, using a VPN on both devices (say a laptop and the mobile phone acting as hotspot), will the ISP be able to see anything but a connection getting into the VPN?

The answer to this question would have been a sound NO, but this guy adding the details of a “carrier server” and a prepaid SIM made me doubtful, as he seems to know more than me.

Rsyslog not saving logs from other servers into custom directories [migrated]

I am receiving logs on UDP 514 from another server and I have configured rsyslog.conf to save the logs to another custom directory, but I am unable to do so. I confirmed through tcpdump that logs are arriving on 514 but are not getting saved. Anything I've missed?

Here's the config I've made in rsyslog.conf

    $umask 0000

    # ownership and permissions
    $FileOwner punk
    $FileGroup punk
    $FileCreateMode 0640
    $DirCreateMode 0755

    # save that when possible
    $PreserveFQDN on

    # local ruleset (to control local syslogging)
    $RuleSet local
    $template CustomFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
    $ActionFileDefaultTemplate CustomFormat

    $template prod1,"/ab/cs/edl/172.x.x.x/%$now%.log"

    if $fromhost-ip == '172.x.x.x' then ?prod1

Using gpg to encrypt backups stored on remote untrusted servers

I need to encrypt daily backups, then upload them to untrusted cloud storage (s3, dropbox, etc.)

I received help on security.se and crypto.se to formulate this approach:

  • tar and xz the backup file
  • create random 32 byte (symmetric) “session” key (head -c 32 /dev/urandom)
  • encrypt backups using session key
  • encrypt session key using my “master” (asymmetric) keypair’s public key
  • upload encrypted backup file and encrypted session key

Result:

  1. Every backup has unique symmetric session key
  2. Only my master keypair’s private key can decrypt session keys
  3. My private key is stored locally only
  4. Encryption process is completely automated; no passphrases required

However then I tried to implement this with gpg and stumbled over some items.

Once I generate a session key, how do I use it? I thought it was supposed to be the passphrase in gpg --symmetric --passphrase $SESSION_KEY ..., but apparently that’s not how it’s done.

I did more digging and discovered that gpg does almost everything symmetrically, and that a session key is already generated and included in each encrypted file automatically (in the header). So most of the above is done automatically for me.

So, how do I use the session key (if at all)? I understand the theory, but not how to implement it with gpg.

Is it safe to assume that a JWT is valid if it can be decrypted with the server’s private key?

This is my first time using JWT. I’m using the jwcrypto library as directed, and the key I’m using is an RSA key I generated with OpenSSL.

My initial inclination was to store the JWT in the database with the user’s row, and then validate the token’s claims against the database on every request.

But then it occurred to me that the token payload is signed with my server’s private key.

Assuming my private key is never compromised, is it safe to assume that all data contained in the JWT, presented as a Bearer token by the user, is tamper-proof? I understand that it is potentially readable by third parties, since I’m not encrypting.

What I want to know is, is there anything I need to do to validate the user’s JWT besides decrypt it and let the library tell me if there’s anything wrong?
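An added example (not from the post) of the checks that sit around signature verification: pinning the algorithm, then checking issuer, audience and expiry. To run with only the standard library it uses HS256 with a constructed key rather than the post's RSA key and jwcrypto; `ISSUER`, `AUDIENCE`, `issue` and `validate` are hypothetical names and assumed values.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-secret-32-bytes"  # constructed stand-in for the signing key
ISSUER, AUDIENCE = "https://api.example.test", "example-web"  # assumed values


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims: dict, alg: str = "HS256") -> str:
    """Sign claims; `alg` is only a header label here, used to test the pin."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"


def validate(token: str, now: float) -> dict:
    head, body, sig = token.split(".")
    # Pin the algorithm: never let the token's own header choose it.
    if json.loads(b64d(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    good = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))
    # A valid signature only proves the server issued these claims at some
    # point; whether they still apply to this request is checked separately.
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if claims.get("nbf", 0) > now:
        raise ValueError("not yet valid")
    return claims
```

Revoking a token before its `exp` still needs server-side state, such as a denylist of token ids.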

Proxy servers sources

I’m new to cyber security and I need to find a reliable list of proxy servers (preferably socks5) that actually work. I’ve tried https://www.socks-proxy.net/ and http://spys.one/en/socks-proxy-list/ but I haven’t managed to find a working one. Any help is appreciated, thanks