Building a moat bastion server

Transcript

  • 1. Building a Moat
  • 2. Actually, a bastion server
  • 3. What does it do? Provides a secure, single point of entry to your application servers
  • 4. Why do you care?
  • 5. What's it look like? (diagram: service requests and SSH flow through the bastion)
  • 6. Bastion System Setup: uninstall everything! wget, ruby*, MySQL*, curl, postgresql*, xorg*, nginx, net-snmp-libs, jasper-libs, telnet, php*, automake, *X11, monit, gcc, DNS name server, mail server, ftp, neon, *devel*, finger, fetchmail
  • 7. Bastion System Setup: install netcat
  • 8. Bastion System Setup: update everything that remains! sudo yum upgrade
  • 9. Bastion SSH Config: change the port from 22 (Port 2222); disable password logins/auth (PasswordAuthentication no); disable PAM (UsePAM no)
  • 10. Bastion IPTABLES: DENY!!!!! /etc/sysconfig/iptables
    ...
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [237:32957]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
    COMMIT
  • 11. Bastion User: create a secure user group (sudo /usr/sbin/groupadd moat); create a "keymaster"; generate and upload an SSH key
  • 12. Other Users: generate ssh-keys, use passphrases!
    sudo /usr/sbin/useradd -G moat -m new_user
    sudo mkdir -p /home/new_user/.ssh
    sudo mv ~/.new_user_ssh.pub /home/new_user/.ssh/authorized_keys
    sudo chmod -R 700 /home/new_user/.ssh
    sudo chown -R new_user:new_user /home/new_user/.ssh
    echo Any_r@nd0m_p@55w04D | sudo passwd new_user --stdin
  • 13. Protected Server Iptables
    ...
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    ...
    -A INPUT -s <moat's IP address> -p tcp -m tcp --dport 22 -j ACCEPT
    # HTTP and HTTPS
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    COMMIT
  • 14. SSH Proxy through the moat to access remote machines (~/.ssh/config):
    Host app001
      Hostname app-001.blackboxservers.com
      User app_user
      ProxyCommand ssh -q -p 2222 $MOAT_USER@moat-001.blackboxservers.com nc %h 22
    To SSH, just export your name and go!
    $> export MOAT_USER=george
    $> ssh app001
    george@app-001.blackboxservers.com's password:
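The rulesets on slides 10 and 13 are only as good as their defaults and their allow-list, so an added audit (example code written for this page, not from the slides) parses an iptables-save style ruleset and reports any chain whose policy is not DROP and any INPUT ACCEPT that is not on the expected (source, port) list. The bastion ruleset below is the slide 10 text embedded as a constructed sample; the `allowed` pairs are what the operator expects.

```python
"""Audit an iptables-save style ruleset against the bastion policy from the
slides: INPUT/FORWARD default DROP, and only an explicit allow-list of
(source, dport) pairs ACCEPTed on INPUT."""
import re

# Constructed sample: the bastion ruleset shown on slide 10.
BASTION_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [237:32957]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return (policies, accepts): chain -> policy, plus a list of
    (source, dport) pairs for every INPUT ACCEPT rule that names a --dport.
    Rules without a -s match are recorded with source 'any'."""
    policies, accepts = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^:(\w+) (\w+)", line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        if line.startswith("-A INPUT") and line.endswith("-j ACCEPT"):
            dport = re.search(r"--dport (\d+)", line)
            src = re.search(r"-s (\S+)", line)
            if dport:
                accepts.append((src.group(1) if src else "any", int(dport.group(1))))
    return policies, accepts

def audit(text, allowed):
    """Return a list of findings; an empty list means the ruleset drops by
    default and its port ACCEPTs match `allowed` (a set of (source, port))."""
    policies, accepts = parse_filter(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    for src, port in accepts:
        if (src, port) not in allowed:
            findings.append(f"unexpected ACCEPT: port {port} from {src}")
    for src, port in allowed:
        if (src, port) not in accepts:
            findings.append(f"missing ACCEPT: port {port} from {src}")
    return findings
```

For the protected servers of slide 13 the same `audit` call takes the moat's address as the only permitted source for port 22 alongside the open 80 and 443, so a stray rule that exposes SSH to the world is reported as an unexpected ACCEPT.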