Building a Moat
(actually, a bastion server)

What does it do?

  Provides a secure, single point of entry to your application servers.

Why do you care?

What's it look like?

  [diagram: two kinds of traffic, labelled "Service Requests" and "SSH"]
Bastion System Setup

  Uninstall everything! The slide's word cloud of what goes:
    wget, curl, telnet, ftp, finger, fetchmail
    ruby*, php*, MySQL*, postgresql*, nginx, monit
    xorg*, *X11, jasper-libs, neon, net-snmp-libs
    gcc, automake, *devel*
    DNS Name Server, Mail Server

Bastion System Setup

  install netcat

Bastion System Setup

  update everything that remains!

    sudo yum upgrade
Bastion SSH Config

  Change Port from 22
      Port 2222

  Disable password logins/auth
      PasswordAuthentication no

  Disable PAM
      UsePAM no
Bastion IPTABLES

  DENY!!!!!

  /etc/sysconfig/iptables
...

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [237:32957]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
Bastion User

  Create a secure user group
      sudo /usr/sbin/groupadd moat

  Create a “keymaster”
      Generate and upload an SSH key

Other Users

  Generate ssh-keys, use passphrases!

sudo /usr/sbin/useradd -G moat -m new_user
sudo mkdir -p /home/new_user/.ssh
sudo mv ~/.new_user_ssh.pub /home/new_user/.ssh/authorized_keys
sudo chmod -R 700 /home/new_user/.ssh
sudo chown -R new_user:new_user /home/new_user/.ssh
echo Any_r@nd0m_p@55w04D | sudo passwd new_user --stdin
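The six commands above are where provisioning usually goes wrong: with StrictModes (the default) sshd silently rejects a key whose ~/.ssh or authorized_keys is group- or world-writable or owned by someone else, and the new user only sees "Permission denied (publickey)". The POSIX shell script below is an added example and not from the slides; it checks a given .ssh directory the way sshd will (permissions, optional ownership, at least one parseable key line) before the first login attempt. Function names are this example's own and it assumes GNU stat on Linux; the key blob in the test data is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the slides: check a newly provisioned .ssh directory
# the way sshd with StrictModes (the default) does, so a bad chmod/chown shows
# up here instead of as a bare "Permission denied (publickey)" for the new user.
# Function names are this example's own; assumes GNU stat (Linux).
# Usage on the bastion: check_ssh_dir /home/new_user/.ssh new_user

# mode_of PATH -> octal permission bits, e.g. 700
mode_of() { stat -c '%a' "$1"; }

# writable_by_others MODE -> true when the group or other write bit is set
writable_by_others() {
    _m=$(( 0$1 ))                              # leading 0: interpret as octal
    [ $(( (_m / 8) & 2 )) -ne 0 ] || [ $(( _m & 2 )) -ne 0 ]
}

# valid_key_line LINE -> true when LINE has the shape "<type> <base64> [comment]"
# (only the shape is checked; lines with leading options such as from= are rejected)
valid_key_line() {
    _type=${1%% *}
    _rest=${1#* }
    _blob=${_rest%% *}
    case $_type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    [ "$_rest" != "$1" ] && printf '%s\n' "$_blob" | grep -Eq '^[A-Za-z0-9+/]{16,}={0,2}$'
}

# check_ssh_dir DIR [OWNER] -> 0 when DIR and DIR/authorized_keys are acceptable
# to sshd (and owned by OWNER if given) and hold at least one parseable key;
# prints every problem found and returns 1 otherwise
check_ssh_dir() {
    _dir=$1; _ak=$1/authorized_keys; _rc=0; _n=0
    [ -d "$_dir" ] || { echo "$_dir: not a directory"; return 1; }
    if writable_by_others "$(mode_of "$_dir")"; then
        echo "$_dir: mode $(mode_of "$_dir") is group/world writable (want 700)"; _rc=1
    fi
    if [ -n "$2" ] && [ "$(stat -c '%U' "$_dir")" != "$2" ]; then
        echo "$_dir: owned by $(stat -c '%U' "$_dir") (want $2)"; _rc=1
    fi
    [ -f "$_ak" ] || { echo "$_ak: missing"; return 1; }
    if writable_by_others "$(mode_of "$_ak")"; then
        echo "$_ak: mode $(mode_of "$_ak") is group/world writable (want 600)"; _rc=1
    fi
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in ''|'#'*) continue ;; esac
        if valid_key_line "$_line"; then _n=$((_n + 1)); else echo "$_ak: unparseable line: $_line"; _rc=1; fi
    done < "$_ak"
    [ "$_n" -gt 0 ] || { echo "$_ak: no usable keys"; _rc=1; }
    [ "$_rc" -eq 0 ] && echo "$_dir: OK ($_n key(s))"
    return $_rc
}
```

The slide's chmod -R 700 leaves authorized_keys at 700 rather than 600; sshd accepts that, and so does this check, which only objects to group or world write bits and to wrong ownership.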
Protected Server

  Iptables
...

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
...
-A INPUT -s <moat's IP address> -p tcp -m tcp --dport 22 -j ACCEPT

# HTTP and HTTPS
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
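The moat ruleset and the protected-server ruleset rely on the same two properties: the INPUT policy is DROP, and the only ports reachable from arbitrary sources are the intended ones (2222 on the moat; 80 and 443 on the app server, with 22 restricted to the moat's address). The script below is an added example, not from the slides, that checks both properties over an iptables-save style file such as /etc/sysconfig/iptables. The function names and the sample rulesets are this example's own, and 203.0.113.10 is a constructed placeholder for the moat's address.

```shell
#!/bin/sh
# Added example, not from the slides: audit an iptables-save style ruleset
# (the format of /etc/sysconfig/iptables) for the two properties the moat and
# protected-server rulesets rely on: a DROP default policy on INPUT, and no
# port reachable from any source other than the ones intended.
# Function names and the sample rulesets are this example's own; the moat
# address 203.0.113.10 is a constructed placeholder.

# input_policy FILE -> prints the INPUT chain policy (DROP, ACCEPT, ...)
input_policy() {
    awk '$1 == ":INPUT" { print $2; exit }' "$1"
}

# world_open_ports FILE -> one "proto/port" per INPUT ACCEPT rule that has a
# --dport but no -s/--source restriction, i.e. ports open to any source
world_open_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; port = ""; src = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") port = $(i + 1)
                else if ($i == "-s" || $i == "--source") src = 1
                else if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (accept && port != "" && !src) print proto "/" port
        }' "$1"
}

# audit_ruleset FILE [proto/port ...]: succeed only if the INPUT policy is DROP
# and the world-open ports are exactly the listed ones
audit_ruleset() {
    _f=$1; shift
    [ "$(input_policy "$_f")" = "DROP" ] || { echo "$_f: INPUT policy is not DROP" >&2; return 1; }
    expected=$(printf '%s\n' "$@" | sort)
    actual=$(world_open_ports "$_f" | sort)
    [ "$expected" = "$actual" ] || {
        echo "$_f: world-open ports [$(echo $actual)] differ from expected [$(echo $expected)]" >&2
        return 1
    }
}

# Sample rulesets constructed from the two slides (moat address is a placeholder)
write_moat_sample() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT' \
        'COMMIT' > "$1"
}
write_app_sample() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED -j ACCEPT' \
        '-A INPUT -s 203.0.113.10 -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' \
        'COMMIT' > "$1"
}

# Demo: the moat must expose only tcp/2222, the app server only tcp/80 and tcp/443
moat=$(mktemp); app=$(mktemp)
write_moat_sample "$moat"; write_app_sample "$app"
audit_ruleset "$moat" tcp/2222 && echo "moat ruleset: OK"
audit_ruleset "$app" tcp/80 tcp/443 && echo "app ruleset: OK"
rm -f "$moat" "$app"
```

Run it against the file before loading it with iptables-restore or a service restart. It only reads the rule text: it cannot tell whether the moat address is still current, and a port accepted through a second chain or an ipset match would not be counted.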
SSH

  Proxy through moat to access remote machines

Host app001
  Hostname app-001.blackboxservers.com
  User app_user
  ProxyCommand ssh -q -p 2222 $MOAT_USER@moat-001.blackboxservers.com nc %h 22

  To SSH, just export your name and go!

$> export MOAT_USER=george
$> ssh app001
george@app-001.blackboxservers.com's password:
