building a moat bastion server
Building a Moat
actually, a bastion server
What does it do?
Provides a secure, single point of entry to your application servers
Why do you care?
What’s it look like?
[diagram: Service Requests / SSH flow through the bastion]
Bastion System Setup
Uninstall everything!
xorg*
Mail Server
ruby*
*X11
php*
MySQL*
DNS Name Server
net-snmp-libs
wget
curl
ftp
telnet
neon
fetchmail
jasper-libs
automake
finger
postgresql*
monit
nginx
gcc
*devel*
Bastion System Setup
install netcat
Bastion System Setup
update everything that remains!
sudo yum upgrade
Bastion SSH Config
Change Port from 22: Port 2222
Disable password logins/auth: PasswordAuthentication no
Disable PAM: UsePAM no
Bastion IPTABLES
/etc/sysconfig/iptables...
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [237:32957]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
DENY!!!!!
Bastion User
Create a secure user group:
sudo /usr/sbin/groupadd moat
Create a “keymaster”
Generate and upload an SSH key
Other Users
sudo /usr/sbin/useradd -G moat -m new_user
sudo mkdir -p /home/new_user/.ssh
sudo mv ~/.new_user_ssh.pub /home/new_user/.ssh/authorized_keys
sudo chmod -R 700 /home/new_user/.ssh
sudo chown -R new_user:new_user /home/new_user/.ssh
echo Any_r@nd0m_p@55w04D | sudo passwd new_user --stdin
Generate ssh-keys, use passphrases!
Protected Server Iptables
...
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
...
-A INPUT -s <moat’s IP address> -p tcp -m tcp --dport 22 -j ACCEPT
# HTTP and HTTPS
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
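Added example (not part of the original slides): a small Python audit that parses the iptables-save style filter table shown above and checks the two properties the deck relies on, default DROP on INPUT/FORWARD and only the expected TCP ports accepted, with any port that must be reachable solely from the moat (22 on the protected servers) carrying a `-s` source match. The sample ruleset is the bastion one from the slides; it is embedded here as constructed input.

```python
"""Audit an iptables-save style filter table against the bastion policy."""

# Constructed sample: the bastion ruleset from the slides, one rule per line.
BASTION_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [237:32957]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
"""

# Options whose following token we record for each -A rule.
VALUE_OPTS = ("-p", "--dport", "-s", "-j", "--state", "-i")


def parse_filter(text):
    """Return (policies, rules): chain -> default policy, plus one dict per -A rule."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):            # ":INPUT DROP [0:0]" -> chain policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):        # append rule: capture chain and option values
            argv = line.split()
            rule = {"chain": argv[1]}
            for i, tok in enumerate(argv):
                if tok in VALUE_OPTS:
                    rule[tok.lstrip("-")] = argv[i + 1]
            rules.append(rule)
    return policies, rules


def audit(text, allowed_ports, restricted_ports=()):
    """Return a list of findings; an empty list means the ruleset matches the policy."""
    findings = []
    policies, rules = parse_filter(text)
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    for r in rules:
        # Only inbound ACCEPT rules that open a destination port matter here.
        if r["chain"] != "INPUT" or r.get("j") != "ACCEPT" or "dport" not in r:
            continue
        port = int(r["dport"])
        if port not in allowed_ports:
            findings.append(f"unexpected open port {port}")
        if port in restricted_ports and "s" not in r:
            findings.append(f"port {port} accepted without a source restriction")
    return findings
```

Run `audit(open("/etc/sysconfig/iptables").read(), {2222})` on the bastion, or with `{22, 80, 443}` and `restricted_ports={22}` on a protected server.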
SSH
Host app001
  Hostname app-001.blackboxservers.com
  User app_user
  ProxyCommand ssh -q -p 2222 [email protected] nc %h 22
Proxy through moat to access remote machines
To SSH, just export your name and go!
$> export MOAT_USER=george
$> ssh [email protected]'s password: