Security Best Practices
Production hardening guide for Muti Metroo deployments.
Certificate Management
Protect CA Private Key
The CA private key is the most critical secret:
# Secure storage options:
# 1. Hardware Security Module (HSM)
# 2. Cloud KMS (AWS KMS, GCP KMS, Azure Key Vault)
# 3. HashiCorp Vault
# 4. Encrypted disk with strong passphrase
# Never:
# - Store in version control
# - Leave on shared systems
# - Transmit over unencrypted channels
Short Certificate Validity
# CA: 1-3 years
muti-metroo cert ca --days 365
# Agent certificates: 90 days
muti-metroo cert agent --days 90
Automate Certificate Rotation
#!/bin/bash
# rotate-cert.sh
CERT_DIR="/etc/muti-metroo/certs"
DAYS_LEFT=$(( ($(date -d "$(openssl x509 -enddate -noout -in $CERT_DIR/agent.crt | cut -d= -f2)" +%s) - $(date +%s)) / 86400 ))
if [ $DAYS_LEFT -lt 30 ]; then
muti-metroo cert agent -n "$(hostname)" -o "$CERT_DIR"
systemctl restart muti-metroo
fi
Monitor Certificate Expiration
# Prometheus alert rule
- alert: CertificateExpiringSoon
expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 14
for: 1h
labels:
severity: warning
annotations:
summary: "Certificate expires in less than 14 days"
Authentication Hardening
Strong Passwords
# Generate strong random password
import secrets
import string
alphabet = string.ascii_letters + string.digits + string.punctuation
password = ''.join(secrets.choice(alphabet) for _ in range(24))
print(password)
High bcrypt Cost
# Use cost factor 12+ for production
htpasswd -bnBC 12 "" "$password" | tr -d ':\n'
Enable All Authentication
# Always enable auth when network-accessible
socks5:
address: "0.0.0.0:1080" # Network accessible
auth:
enabled: true # Must be authenticated
# RPC should always require password
rpc:
enabled: true
password_hash: "$2a$12$..." # Strong hash
whitelist: # Minimal commands
- whoami
- hostname
Network Security
Bind to Appropriate Interfaces
# Internal only - bind to private interface
listeners:
- address: "10.0.0.5:4433"
# SOCKS5 for local use only
socks5:
address: "127.0.0.1:1080"
# API for monitoring
http:
address: "127.0.0.1:8080"
Use Firewall Rules
# Allow only necessary ports
iptables -A INPUT -p udp --dport 4433 -j ACCEPT # QUIC
iptables -A INPUT -p tcp --dport 1080 -s 127.0.0.1 -j ACCEPT # SOCKS5 local
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT # API internal
Enable mTLS
# Always use mTLS in production
listeners:
- tls:
cert: "/etc/muti-metroo/certs/agent.crt"
key: "/etc/muti-metroo/certs/agent.key"
client_ca: "/etc/muti-metroo/certs/ca.crt" # Require client cert
Access Control
Restrict Exit Routes
# Principle of least privilege
exit:
routes:
- "10.0.1.0/24" # Only needed subnet
# NOT 0.0.0.0/0 # Never allow everything
Minimal RPC Whitelist
rpc:
whitelist:
- whoami # Safe commands only
- hostname
- uptime
# NOT: sh, bash, python, cat, rm, etc.
Restrict File Paths
file_transfer:
allowed_paths:
- /tmp/transfers # Dedicated directory
max_file_size: 10485760 # 10 MB limit
Disable Unused Features
# Only enable what you need
rpc:
enabled: false # Disable if not needed
file_transfer:
enabled: false # Disable if not needed
# If you don't need exit
exit:
enabled: false
Secure Secrets
Use Environment Variables
socks5:
auth:
users:
- username: "${SOCKS5_USER}"
password_hash: "${SOCKS5_PASSWORD_HASH}"
rpc:
password_hash: "${RPC_PASSWORD_HASH}"
Secure Secret Storage
# Use secret management tools:
# - HashiCorp Vault
# - AWS Secrets Manager
# - Kubernetes Secrets
# - Docker Secrets
# Never:
# - Commit secrets to git
# - Log secrets
# - Store in plain text files
Monitoring and Logging
Enable Structured Logging
agent:
log_level: "info"
log_format: "json" # For log aggregation
Monitor Security Metrics
# Alert on suspicious activity
alerts:
- auth_failures_high:
expr: rate(muti_metroo_socks5_auth_failures_total[5m]) > 10
severity: warning
- rpc_rejections_high:
expr: rate(muti_metroo_rpc_calls_total{result="rejected"}[5m]) > 5
severity: warning
Retain Audit Logs
# Keep logs for compliance/forensics
journalctl -u muti-metroo --since "30 days ago" > /archive/muti-metroo-$(date +%Y%m%d).log
System Hardening
Run as Non-Root
# Create dedicated user
useradd -r -s /sbin/nologin muti-metroo
# Set ownership
chown -R muti-metroo:muti-metroo /var/lib/muti-metroo
Limit Capabilities
# systemd unit
[Service]
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
File Permissions
chmod 700 /var/lib/muti-metroo # Data dir
chmod 640 /etc/muti-metroo/config.yaml # Config
chmod 600 /etc/muti-metroo/certs/*.key # Private keys
chmod 644 /etc/muti-metroo/certs/*.crt # Certificates
Incident Response
Prepare for Compromise
- Have backups of configuration and certificates
- Document certificate rotation procedure
- Know how to revoke certificates
- Have contacts for security team
If CA is Compromised
- Generate new CA immediately
- Generate new certificates for all agents
- Deploy new certificates to all agents
- Update all configurations
- Restart all agents
- Investigate how compromise occurred
If Agent is Compromised
- Disconnect agent from mesh
- Revoke agent's certificate
- Investigate compromised host
- Re-image or clean host
- Generate new identity and certificates
- Reconnect to mesh
Security Checklist
Pre-Deployment
- CA key stored securely (not in repo)
- All certificates have appropriate SANs
- mTLS enabled
- SOCKS5 authentication enabled
- RPC disabled or whitelist-restricted
- File transfer disabled or path-restricted
- Exit routes minimized
Post-Deployment
- Firewall rules configured
- Monitoring and alerting set up
- Log aggregation configured
- Certificate expiration monitoring
- Regular security reviews scheduled
- Incident response plan documented
Regular Maintenance
- Rotate certificates before expiration
- Review access controls quarterly
- Update to latest version
- Review security logs
- Test failover procedures
Next Steps
- TLS/mTLS - Certificate security
- Authentication - Password security
- Access Control - Restrict access
- Troubleshooting - Security issues