Security Best Practices

Production deployments need additional hardening beyond the secure defaults. This guide covers certificate management, system hardening, and incident response.

The three most important things:

Protect your CA private key - if stolen, unauthorized parties can create valid certificates
Enable mTLS - only agents with your certificates can connect
Disable unused features - shell and file transfer are disabled by default for a reason

Certificate Management

Protect CA Private Key

If someone gets your CA key, they can create certificates that your mesh will trust.

Secure storage options:

Hardware Security Module (HSM)
Cloud KMS (AWS KMS, GCP KMS, Azure Key Vault)
HashiCorp Vault
Encrypted disk with strong passphrase

Never:

Store in version control
Leave on shared systems
Transmit over unencrypted channels

Certificate Validity

Use short validity periods to limit exposure if keys are compromised:

Certificate	Recommended Validity
CA certificate	1-3 years
Agent certificates	90 days

# Generate CA with 1-year validity
muti-metroo cert ca --days 365

# Generate agent cert with 90-day validity
muti-metroo cert agent --days 90 --ca ./ca.crt --ca-key ./ca.key

Automate Certificate Rotation

Example rotation script:

#!/bin/bash
# rotate-cert.sh - run via cron
CERT_DIR="/etc/muti-metroo/certs"
CA_DIR="/etc/muti-metroo/ca"

# Calculate days until expiration
DAYS_LEFT=$(( ($(date -d "$(openssl x509 -enddate -noout -in $CERT_DIR/agent.crt | cut -d= -f2)" +%s) - $(date +%s)) / 86400 ))

if [ $DAYS_LEFT -lt 30 ]; then
    muti-metroo cert agent --cn "$(hostname)" \
      --ca "$CA_DIR/ca.crt" \
      --ca-key "$CA_DIR/ca.key" \
      -o "$CERT_DIR"
    systemctl restart muti-metroo
fi

Monitor Certificate Expiration

#!/bin/bash
# check-cert-expiry.sh - run daily via monitoring
CERT="/etc/muti-metroo/certs/agent.crt"
DAYS_LEFT=$(( ($(date -d "$(openssl x509 -enddate -noout -in $CERT | cut -d= -f2)" +%s) - $(date +%s)) / 86400 ))

if [ $DAYS_LEFT -lt 14 ]; then
    echo "WARNING: Certificate expires in $DAYS_LEFT days"
    exit 1
fi

Signing Key Management

If you use sleep mode in untrusted environments, protect your signing keys with the same care as CA private keys.

Key Distribution

Operator Station      Remote Agents
(has private key)     (public key only)
      |                    |
      | Signed commands    |
      |------------------->|
      |                    | (can verify)

Public key: Distribute to ALL agents
Private key: Keep ONLY on operator machines

Generate Keys Securely

# Generate on secure machine
muti-metroo signing-key generate > signing-keys.txt

# Extract and store private key securely
# Delete signing-keys.txt after distribution

Key Rotation

To rotate signing keys:

Generate new keypair
Update public key on all agents (deploy via config management)
Update private key on operator nodes
Restart agents to pick up new keys
Securely delete old private key

What to Protect

Key	Protection Level	Storage Recommendations
Signing private key	High	Encrypted vault, password manager
Signing public key	Low	Can be in config files, version control

Run as Non-Root

Muti Metroo doesn't require root privileges. Create a dedicated user:

# Create dedicated user
useradd -r -s /sbin/nologin muti-metroo

# Set ownership
chown -R muti-metroo:muti-metroo /var/lib/muti-metroo

Limit Capabilities (systemd)

[Service]
User=muti-metroo
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/muti-metroo

File Permissions

chmod 700 /var/lib/muti-metroo          # Data dir - owner only
chmod 640 /etc/muti-metroo/config.yaml  # Config - owner + group
chmod 600 /etc/muti-metroo/certs/*.key  # Private keys - owner only
chmod 644 /etc/muti-metroo/certs/*.crt  # Certificates - world readable

Secure Secrets

Use Environment Variables

Never hardcode secrets in configuration files:

socks5:
  auth:
    users:
      - username: "${SOCKS5_USER}"
        password_hash: "${SOCKS5_PASSWORD_HASH}"

shell:
  password_hash: "${SHELL_PASSWORD_HASH}"

Secret Storage Options

HashiCorp Vault
AWS Secrets Manager
Docker Secrets
systemd credentials

Never:

Commit secrets to git
Log secrets
Store in plain text files

Logging and Monitoring

Structured Logging

Enable JSON logging for aggregation:

agent:
  log_level: "info"
  log_format: "json"

Key Events to Monitor

Authentication failures
Connection rejections
Certificate errors
Route changes

Log Retention

Keep logs for compliance and forensics:

# Archive logs periodically
journalctl -u muti-metroo --since "30 days ago" > /archive/muti-metroo-$(date +%Y%m%d).log

Incident Response

Prepare for Compromise

Have backups of configuration and certificates
Document certificate rotation procedure
Know how to revoke certificates quickly
Have contacts for security team

If CA is Compromised

Generate new CA immediately
Generate new certificates for all agents
Deploy new certificates to all agents
Update all configurations
Restart all agents
Investigate how compromise occurred

If Agent is Compromised

Disconnect agent from mesh
Revoke agent's certificate
Investigate compromised host
Re-image or clean host
Generate new identity and certificates
Reconnect to mesh

Security Checklists

Pre-Deployment

CA key stored securely (HSM, Vault, or encrypted)
mTLS enabled for peer connections
SOCKS5 authentication enabled (if network-accessible)
Shell disabled or whitelist-restricted
File transfer disabled or path-restricted
Exit routes minimized to required networks
Services bound to appropriate interfaces
Signing keys configured (if using sleep mode in untrusted environments)

Post-Deployment

Firewall rules configured
Monitoring and alerting set up
Log aggregation configured
Certificate expiration monitoring active
Running as non-root user
Incident response plan documented

Regular Maintenance

Quick Reference

Security Control	Configuration
Enable mTLS	TLS Configuration
Restrict routes	Exit Configuration
Limit shell commands	Shell Configuration
Restrict file paths	File Transfer Configuration
SOCKS5 authentication	SOCKS5 Configuration

Next Steps

TLS/mTLS - Certificate security concepts
Authentication - Password security
Access Control - Restrict what users can do

Certificate Management​

Protect CA Private Key​

Certificate Validity​

Automate Certificate Rotation​

Monitor Certificate Expiration​

Signing Key Management​

Key Distribution​

Generate Keys Securely​

Key Rotation​

What to Protect​

Run as Non-Root​

Limit Capabilities (systemd)​

File Permissions​

Secure Secrets​

Use Environment Variables​

Secret Storage Options​

Logging and Monitoring​

Structured Logging​

Key Events to Monitor​

Log Retention​

Incident Response​

Prepare for Compromise​

If CA is Compromised​

If Agent is Compromised​

Security Checklists​

Pre-Deployment​

Post-Deployment​

Regular Maintenance​

Quick Reference​

Next Steps​