building a moat bastion server

Post on 05-Dec-2014

TRANSCRIPT

Building a Moat

actually, a bastion server

What does it do?

Provides a secure, single point of entry to your application servers

Why do you care?

What’s it look like?

(diagram; only its labels survive: Service Requests, SSH)

Bastion System Setup

Uninstall everything!

xorg*
Mail Server
ruby*
*X11
php*
MySQL*
DNS Name Server
net-snmp-libs
wget
curl
ftp
telnet
neon
fetchmail
jasper-libs
automake
finger
postgresql*
monit
nginx
gcc
*devel*

Bastion System Setup

install netcat

Bastion System Setup

update everything that remains!

sudo yum upgrade

Bastion SSH Config

Change Port from 22: Port 2222

Disable password logins/auth: PasswordAuthentication no

Disable PAM: UsePAM no
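A check for the three settings above, as an added example that is not part of the original slides. It reads a config the way sshd does: the first uncommented occurrence of a keyword wins, and the global section ends at the first Match block, so a hardening line appended below an existing distro default never takes effect. The sample config files are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original slides): audit an sshd_config for the
# three settings on the slide. sshd takes the FIRST uncommented occurrence of
# a keyword and stops applying global settings once a "Match" block begins.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
effective_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/                { next }            # comment line
        NF == 0                         { next }            # blank line
        tolower($1) == "match"          { exit }            # global section ends here
        tolower($1) == tolower(key)     { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Return 0 when Port, PasswordAuthentication and UsePAM all match the slide
# values, 1 otherwise. An unset keyword is reported as "unset" rather than
# guessing the compiled-in default, which differs between distro packages.
check_sshd_config() {
    file="$1"
    status=0
    for pair in "Port=2222" "PasswordAuthentication=no" "UsePAM=no"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_setting "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample configs (assumptions for the demo, not real hosts).
SSHD_SAMPLES=$(mktemp -d)

cat > "$SSHD_SAMPLES/hardened" <<'EOF'
# hardened bastion config
Port 2222
PasswordAuthentication no
UsePAM no
EOF

# A common mistake: the hardening lines were appended to the distro file, but
# the earlier defaults win because sshd keeps the first occurrence.
cat > "$SSHD_SAMPLES/appended" <<'EOF'
Port 22
PasswordAuthentication yes
UsePAM yes
# hardening added later -- ineffective
Port 2222
PasswordAuthentication no
UsePAM no
EOF

check_sshd_config "$SSHD_SAMPLES/hardened" && echo "hardened: OK"
check_sshd_config "$SSHD_SAMPLES/appended" || echo "appended: not hardened"
```

Run it against /etc/ssh/sshd_config on the bastion after editing; the "appended" sample shows why a FAIL can appear even though the expected lines are present in the file.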

Bastion IPTABLES

/etc/sysconfig/iptables...

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [237:32957]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT

DENY!!!!!

Bastion User

Create a secure user group: sudo /usr/sbin/groupadd moat

Create a “keymaster”

Generate and upload an SSH key

Other Users

sudo /usr/sbin/useradd -G moat -m new_user
sudo mkdir -p /home/new_user/.ssh
sudo mv ~/.new_user_ssh.pub /home/new_user/.ssh/authorized_keys
sudo chmod -R 700 /home/new_user/.ssh
sudo chown -R new_user:new_user /home/new_user/.ssh
echo Any_r@nd0m_p@55w04D | sudo passwd new_user --stdin

Generate ssh-keys, use passphrases!

Protected Server Iptables

...

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
...
-A INPUT -s <moat’s IP address> -p tcp -m tcp --dport 22 -j ACCEPT

# HTTP and HTTPS
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
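An audit for both rulesets on this page (the bastion's and the protected server's), as an added example that is not part of the original slides. It reads an iptables-save style file and passes it only when INPUT and FORWARD default to DROP and every ACCEPTed destination port is either on the list of intentionally public ports or restricted with -s to a source address, which is exactly the difference between port 2222 on the moat and port 22 on an app server. The sample rulesets are constructed here; 203.0.113.10 is a placeholder for the moat's IP.

```shell
#!/bin/sh
# Added example (not from the original slides): audit an iptables-save style
# ruleset. $1 is the file, $2 a space-separated list of ports that are meant
# to be reachable from anywhere. Any other ACCEPTed --dport must carry -s.

audit_iptables() {
    file="$1"
    public_ports="$2"
    status=0
    accepts=$(mktemp)

    # 1. Default policies: INPUT and FORWARD must be DROP.
    for chain in INPUT FORWARD; do
        if ! grep -q "^:$chain DROP" "$file"; then
            echo "FAIL: chain $chain default policy is not DROP"
            status=1
        fi
    done

    # 2. Every ACCEPT rule on INPUT that names a destination port.
    grep -- '^-A INPUT .*-j ACCEPT' "$file" > "$accepts" || true
    while read -r rule; do
        port=$(printf '%s\n' "$rule" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
        if [ -z "$port" ]; then
            continue                   # loopback, ESTABLISHED, icmp: no port to check
        fi
        case " $public_ports " in
            *" $port "*) continue ;;   # intentionally reachable from anywhere
        esac
        case "$rule" in
            *" -s "*) continue ;;      # restricted to a source address
        esac
        echo "FAIL: port $port accepted from any source: $rule"
        status=1
    done < "$accepts"
    rm -f "$accepts"
    return "$status"
}

# Constructed sample rulesets (assumptions for the demo).
IPT_SAMPLES=$(mktemp -d)

# The bastion ruleset from the slide: only SSH on 2222 is public.
cat > "$IPT_SAMPLES/bastion" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [237:32957]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
EOF

# A protected app server: SSH only from the moat (203.0.113.10 is a placeholder
# for the moat's address), HTTP and HTTPS public.
cat > "$IPT_SAMPLES/protected" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF

# What the moat is meant to prevent: SSH open to the world, ACCEPT by default.
cat > "$IPT_SAMPLES/leaky" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF

audit_iptables "$IPT_SAMPLES/bastion" "2222"     && echo "bastion: OK"
audit_iptables "$IPT_SAMPLES/protected" "80 443" && echo "protected: OK"
audit_iptables "$IPT_SAMPLES/leaky" "80 443"     || echo "leaky: rejected"
```

On a live box, feed it the output of iptables-save (or /etc/sysconfig/iptables) with the port list that host is supposed to expose; anything else that is reachable from any source is reported.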

SSH

Host app001
    Hostname app-001.blackboxservers.com
    User app_user
    ProxyCommand ssh -q -p 2222 $MOAT_USER@moat-001.blackboxservers.com nc %h 22

Proxy through moat to access remote machines

To SSH, just export your name and go!

$> export MOAT_USER=george
$> ssh app001
george@app-001.blackboxservers.com's password:
