Working with a lot of VPS and securing them

Once you reach tens or even hundreds of servers, you need some kind of management system. There are obvious choices such as Ansible, Chef or Puppet. I have no problem setting up 100 servers in a few minutes. That said, I still have colleagues who occasionally need to access such a server, or maintain it for something special.

There is a choice to be made on how you let people into those servers. Nowadays people luckily use SSH with keys rather than an insecure password, and on top of that you can change the SSH port and/or restrict who is allowed to reach it at all. This is how we did it:

Securing multiple VPS

We created a “tower”, “jump tower” or whatever you want to call it. It is the ONLY server in the ‘stack’ that accepts an SSH connection from a remote host (more on that later). So instead of having 100 webservers exposing SSH, you limit that to just one. Via this tower you SSH on to the rest of the servers.

We limited this by adding firewall rules. The setup is pretty basic:

  • All servers have all inbound ports closed by default.
  • You open specific ports for each server's purpose; webservers: port 80 (http) and port 443 (https).
  • Port 22 (ssh) is open ONLY to the jump tower.

Obviously we adjust this to our needs. Sometimes we open the MySQL port (3306) on the internal network, but only for the specific webserver that needs to connect to that database server.

  • The tower in turn allows SSH (22) only from our internal company network.
  • Each employee has their own account on the tower, with their public key attached to it.
  • Each user's tower public key is added to every VPS, so they can also log in to the VPS under their own name (and privileges).
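
As an added example (not the author's code, and not the script linked further down), the shell script below renders the policy from the two lists above for one host: an nftables ruleset with inbound dropped by default, only the role's ports open and port 22 accepted from the tower alone, plus the authorized_keys line a user's tower key gets on a VPS. It goes one step beyond the post by pinning that key with `from=` to the tower address, so a copied key cannot be used from anywhere else even if a firewall rule were ever loosened. The tower address 10.10.0.5, the office network 192.168.100.0/24, the role names and the key strings are all made-up assumptions.

```shell
#!/bin/sh
# Added example (not the author's code): emit the per-host inbound policy from
# the post as an nftables ruleset, plus the tower-restricted authorized_keys
# lines each VPS gets. Addresses, roles and key material are made up.
set -eu

TOWER_IP="10.10.0.5"            # assumption: the jump tower's internal address
OFFICE_NET="192.168.100.0/24"   # assumption: company network allowed to reach the tower

# gen_firewall ROLE [DB_CLIENT_IP]
# Default policy is drop; only the role's ports are opened, and port 22 is
# accepted from the tower alone (the tower itself accepts 22 from the office).
gen_firewall() {
  role=$1
  db_client=${2:-}
  case "$role" in
    web)   rules="    tcp dport { 80, 443 } accept
    ip saddr $TOWER_IP tcp dport 22 accept" ;;
    db)    [ -n "$db_client" ] || { echo "db role needs the client IP" >&2; return 1; }
           rules="    ip saddr $db_client tcp dport 3306 accept
    ip saddr $TOWER_IP tcp dport 22 accept" ;;
    tower) rules="    ip saddr $OFFICE_NET tcp dport 22 accept" ;;
    *)     echo "unknown role: $role" >&2; return 1 ;;
  esac
  printf '%s\n' \
    'table inet filter {' \
    '  chain input {' \
    '    type filter hook input priority 0; policy drop;' \
    '    iif lo accept' \
    '    ct state established,related accept' \
    '    ct state invalid drop' \
    "$rules" \
    '  }' \
    '}'
}

# Constructed directory of employees: "login key-type key". The keys are
# placeholders, not real public keys.
EMPLOYEES="alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice
bob ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBob"

# gen_authorized_keys LOGIN
# Line for ~LOGIN/.ssh/authorized_keys on a VPS. from= pins the key to the
# tower and the no-* options stop the VPS being used as a relay, so a copied
# key is useless from any other address.
gen_authorized_keys() {
  login=$1
  while read -r name type key; do
    if [ "$name" = "$login" ]; then
      printf 'from="%s",no-port-forwarding,no-agent-forwarding %s %s %s@tower\n' \
        "$TOWER_IP" "$type" "$key" "$login"
      return 0
    fi
  done <<EOF
$EMPLOYEES
EOF
  echo "no key on file for $login" >&2
  return 1
}

# Usage: sh policy.sh web            -> ruleset for a webserver
#        sh policy.sh db 10.10.1.20  -> ruleset for a MySQL host serving that client
[ $# -eq 0 ] || gen_firewall "$@"
```

Pipe the ruleset into `nft -f -` (or drop it in /etc/nftables.conf) from your provisioning tool; the `db` role deliberately refuses to render without the client address, so a database server never ends up with 3306 open to the whole network by accident.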

To sum it all up:

If someone wants to do us harm, they would need to:

  • Have access to our company network
  • Have a valid account and key on the tower
  • Have an SSH key that is authorized on that specific server

No other ports can be abused, because only the ones a server actually needs are open. The flip side is that the tower is the single path in, so it is the one machine that has to be kept patched and watched most closely.

Making it user (aka employee) friendly

So, not everyone is a real Linux guru, nor does anyone remember all the bloody servers in the park. We have simplified this with a really simple bash script that reads our Ansible inventory. We provision our servers from that inventory; it has the VPS name, like vps00xxx, and includes the domain names, type of server, and so on.

So now anyone can search on a VPS number, a domain name or whatever else is in our inventory.

I've put this simple script on GitHub so you can see what I've done: https://github.com/wiardvanrij/Ansible-Inventory-jumpscript/blob/master/jump

Or just check it here:

#!/bin/bash
# Jump helper: searches the Ansible host_vars directory for $1, offers the
# matching hosts in a dialog menu and opens an SSH session to the chosen one.

DIR=/usr/local/bin/jumping
SEARCH=${1:-}
string=()

# Each host_vars file is named after the VPS; grep -l lists the files whose
# contents match the search term (an empty term lists every host). The menu
# gets pairs of "hostname" and the name: line(s) from that file.
while read -r line; do
  string+=("$line" "$(grep 'name:' "$DIR/host_vars/$line" | tr -d '\n')")
done < <(grep -lr -- "$SEARCH" "$DIR/host_vars" | sed 's#.*/##' | sort)

if [ ${#string[@]} -eq 0 ]; then
  echo "No hosts matching '$SEARCH'"
  exit 1
fi

# dialog draws its UI on stdout and writes the selection to stderr, so swap
# the two descriptors to capture the chosen host in HOST.
HOST=$(dialog --menu "Pick the server you want to jump to:" 60 160 60 "${string[@]}" 3>&2 2>&1 1>&3)
status=$?   # read before 'clear' overwrites $?

clear

if [ "$status" -eq 0 ] && [ -n "$HOST" ]; then
    ssh "$USER@$HOST"
else
    echo "Canceled"
fi
