Hilton D's questions

I was rotating my AWS X.509 certificate and private key (not to be confused with ssh private / public key pair) today and decided I wanted to set a pass-phrase on my private key to better protect it. So I did a bit of research and ran :

openssl rsa -in awsprivatekey.pem -des3 -out awsprivatekey.pem.new

and entered a pass-phrase for the private key. After I attempted to use the ec2 api tools I got an error :

java.io.IOException: DER length more than 4 bytes

This became obvious when I researched the topic and found out this link ec2 api tools don't support a private key with a password

I'm troubled by the lack of information about this and the status-quo of having un-protected private keys with something as crucial as Amazon EC2.

Any suggestions on how to better protect my private key?

I am hosting a site off of Amazon S3 and hence can't point the root record, ie: domain.com to an Alias. The www.domain.com points to the S3 endpoint.

Do I have to have a root record and does it have to be an A record?

Scenario :

2 Certification Authorities used for Openvpn - one CA for client certs and another CA for server certs.

Question :

Say the CA handing out client certificates is compromised - assuming a mitm captures the traffic can the clients information be decrypted considering the CA giving out server certs (along with the server crt/key) is still confidential?

I have created a CA and an intermediate CA using easy-rsa 2.0. On the Openvpn server I use the intermediate certificate export_ca (as per the easy-rsa spec). When I revoke a certificate on my intermediate CA and copy the new crl.pem file to the openvpn server I get this message :

CRL: CRL /etc/openvpn/crl.pem is from a different issuer than the issuer of certificate

I have read through all the openvpn doco but nothing talks about revoking a cert/user with an intermediate CA. Functionally the CRL works - ie the revoked cert/user isn't able to connect.

I am pretty sure that openvpn is complaining cuz it doesn't have the entire CA chain but am not entirely sure - can anyone explain why I get this?

I have an ubuntu 8.04 LTS server that runs openvpn. The openvpn server writes to a standard logfile under /var/log and prior to a month ago logrotate would automatically rotate the files and compress them.

The files are still being rotated however the new logfile (ovpn.log) is empty. Restarting the openvpn daemon fixes the issue (ie: openvpn writes status events to the file) but after about 10 days the file is rotated again openvpn can't write to the logfile again. This is also strange because logrotate is set to rotate every 6 months.

Openvpn runs as nobody and the logfiles are owned by root and admin which is strange because it should either work at all times or not work at all if the permissions are the cause, unless openvpn runs as root temporarily and then drops down to nobody after initializing ?

I have two servers on a subnet, one server running Windows 2003 R2 (call it s1) and one running Windows 2008 R2 (call is s2). Both servers are members of the same domain.

• I can rdp into S2 but not S1

• I can telnet to S1 and S2 on port 3389 (RDP) and I can successfully connect.

• I can connect to all OTHER services on S1 BUT not RDP!

• I tried using IPs instead of FQDNs but no luck either.

  This used to work before I P2V'd my Exchange / Domain controller (client's choice).

Confused.

I was running a routine security check of the machines I manage today and found in my nmap scans that TCP/554 is open, although when I run 'netstat -an' on the machine itself it doesn't show up, same result if I nmap the host locally.

I then tried connecting to www.google.com on tcp/554 and it is open and it seems all hosts 'have the port open'.

Obviously my ISP is doing something here but then I tried the same on my iphone via a 3G connection and it returns the same results. My ISP is a satellite ISP and my phone/3G connection is with a totally separate provider. Any ideas ?

I am having an issue configuring a standard USB HDD for use with CA Arcserve Brightstor 11.5 SP2 :

Under the device list it shows a USB device category but none of my USB drives are listed underneath. I have attempted to "scan devices" but it makes no difference.

I have also tried restarting the tape engine to no avail! Is anyone successfully using USB drives with Brightstor?

Does anyone know if it is possible to configure pam to require both radius AND ssh-key to successfully authenticate ?

I want to lock down my centos box using iptables so that it can only make http connections to a valid centos mirror - my concern is that the IPs for the mirror sites is likely to change.

Any suggestions ?