This document describes how to set up a bastion server or "moat" to provide a secure single point of entry to application servers. It involves installing necessary packages on the bastion server like SSH, updating packages, changing the SSH port, disabling password logins, setting up firewall rules to only allow SSH from the bastion server, creating a special user group and keymaster user for access, and configuring SSH proxying through the bastion to access other servers securely.
9. Bastion SSH Config
Change Port from 22
Port 2222
Disable password logins/auth
PasswordAuthentication no
Disable PAM
UsePAM no
10. Bastion IPTABLES
DENY!!!!!
/etc/sysconfig/iptables
...
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [237:32957]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
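As an added example (not part of the original slides), a small audit script that checks a bastion's sshd_config for the slide 9 settings and its iptables-save file for the slide 10 policy: default INPUT DROP and no accepted TCP port other than the SSH port. Paths and the sample files are constructed here; point it at /etc/ssh/sshd_config and /etc/sysconfig/iptables on a real moat.

```shell
# Return 0 when sshd_config's effective value for a keyword matches.
# sshd honours the first occurrence of a keyword, so only that one counts.
sshd_opt_is() {
    # $1 = sshd_config path, $2 = keyword, $3 = expected value
    actual=$(awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1")
    [ "$actual" = "$3" ]
}

# Return 0 when the iptables-save file drops INPUT by default and the only
# TCP port accepted on INPUT is the SSH port given in $2.
iptables_ok() {
    grep -q '^:INPUT DROP' "$1" || return 1
    ports=$(awk '/^-A INPUT/ && /--dport/ && /-j ACCEPT/ {
                   for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1) }' "$1")
    for p in $ports; do
        [ "$p" = "$2" ] || return 1
    done
    [ -n "$ports" ]   # the SSH port itself must still be reachable
}

# Combined check: $1 = sshd_config path, $2 = iptables-save path.
bastion_audit() {
    sshd_opt_is "$1" Port 2222 &&
    sshd_opt_is "$1" PasswordAuthentication no &&
    sshd_opt_is "$1" UsePAM no &&
    iptables_ok "$2" 2222
}

# Constructed sample input mirroring slides 9 and 10 (not from a real host).
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
Port 2222
PasswordAuthentication no
UsePAM no
EOF
cat > "$tmp/iptables" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [237:32957]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
EOF
bastion_audit "$tmp/sshd_config" "$tmp/iptables" && echo "bastion config OK"
```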
11. Bastion User
Create a secure user group
sudo /usr/sbin/groupadd moat
Create a “keymaster”
Generate and upload an SSH key
13. Protected Server
Iptables
...
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
...
-A INPUT -s <moat's IP address> -p tcp -m tcp --dport 22 -j ACCEPT
# HTTP and HTTPS
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
14. SSH
Proxy through moat to access remote machines
Host app001
Hostname app-001.blackboxservers.com
User app_user
ProxyCommand ssh -q -p 2222 $MOAT_USER@moat-001.blackboxservers.com nc %h 22
To SSH, just export your name and go!
$> export MOAT_USER=george
$> ssh app001
george@app-001.blackboxservers.com's password: