SlideShare a Scribd company logo

Building a moat bastion server

N
nseemiller

This document describes how to set up a bastion server or "moat" to provide a secure single point of entry to application servers. It involves installing necessary packages on the bastion server like SSH, updating packages, changing the SSH port, disabling password logins, setting up firewall rules to only allow SSH from the bastion server, creating a special user group and keymaster user for access, and configuring SSH proxying through the bastion to access other servers securely.

1 of 14
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Building a Moat
actually, a bastion server
What does it do? Provides a secure, single point of entry to your application servers
Why do you care?
What’s it look like? Service Requests SSH
Bastion System Setup wget ruby* MySQL* curl postgresql* xorg* nginx net-snmp-libs jasper-libs Uninstall telnet everything! php* automake *X11 monit gcc DNS Name Server Mail Server ftp neon *devel* finger fetchmail net-snmp-libs
Bastion System Setup install netcat
Bastion System Setup update everything that remains! sudo yum upgrade
Bastion SSH Config Change Port from 22 Port 2222 Disable password logins/auth PasswordAuthentication no Disable PAM UsePAM no
Bastion IPTABLES DENY!!!!! /etc/sysconfig/iptables ... *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [237:32957] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state ESTABLISHED -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A INPUT -p icmp -j ACCEPT -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT COMMIT
Bastion User Create a secure user group sudo /usr/sbin/groupadd moat Create a “keymaster” Generate and upload an SSH key
Other Users Generate ssh-keys, use passphrases! sudo /usr/sbin/useradd -G moat -m new_user sudo mkdir -p /home/new_user/.ssh sudo mv ~/.new_user_ssh.pub /home/new_user/.ssh/authorized_keys sudo chmod -R 700 /home/new_user/.ssh sudo chown -R new_user:new_user /home/new_user/.ssh echo Any_r@nd0m_p@55w04D | sudo passwd new_user --stdin
Protected Server Iptables ... *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] ... -A INPUT -s <moat’s IP address> -p tcp -m tcp --dport 22 -j ACCEPT # HTTP and HTTPS -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT COMMIT
SSH Proxy through moat to access remote machines Host app001 Hostname app-001.blackboxservers.com User app_user ProxyCommand ssh -q -p 2222 $MOAT_USER@moat-001.blackboxservers.com nc %h 22 To SSH, just export your name and go! $> export MOAT_USER=george $> ssh app001 george@app-001.blackboxservers.com's password:

More Related Content

PPT
Linux Server Start
Gavin Quan
 
PDF
Configuration of BIND DNS Server On CentOS 8
Kaan Aslandağ
 
PDF
Configuration Firewalld On CentOS 8
Kaan Aslandağ
 
PDF
Sistemas operacionais 8
Nauber Gois
 
PPTX
Presentation Linux Server setup Advance Networking
Tariqul Islam Shohag
 
PDF
CentOS Server Gui Initial Configuration
Kaan Aslandağ
 
PDF
Firewalld LAB
Kaan Aslandağ
 
PDF
Ftp configuration in rhel7
Balamurugan M
 
Linux Server Start
Gavin Quan
 
Configuration of BIND DNS Server On CentOS 8
Kaan Aslandağ
 
Configuration Firewalld On CentOS 8
Kaan Aslandağ
 
Sistemas operacionais 8
Nauber Gois
 
Presentation Linux Server setup Advance Networking
Tariqul Islam Shohag
 
CentOS Server Gui Initial Configuration
Kaan Aslandağ
 
Firewalld LAB
Kaan Aslandağ
 
Ftp configuration in rhel7
Balamurugan M
 

What's hot (20)

PDF
Configuration of NTP Server on CentOS 8
Kaan Aslandağ
 
PPTX
Quick Start Guide using Virtuozzo 7 (β) on AWS EC2
Kentaro Ebisawa
 
PDF
OpenVPN
Emil CHERICHEȘ
 
PDF
DevOps Braga #6
DevOps Braga
 
PDF
RHCSA
Łukasz Jarzyński
 
PDF
Configuration of Smtp Server On CentOS 8
Kaan Aslandağ
 
PDF
Configuration of SFTP Server on CentOS 8.pdf
Kaan Aslandağ
 
PDF
Cloud Compt
Kanchilug
 
ODP
Puppet
Łukasz Jagiełło
 
PDF
CentOS Server CLI Configuration (Nmcli & Hosts)
Kaan Aslandağ
 
PPTX
Introduction to Docker
Kevin Littlejohn
 
PDF
Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby
Michelle Antebi
 
PDF
nouka inventry manager
Toshiaki Baba
 
PDF
SELF 2014: PBI v10: Application Management Made Easy
Ken Moore
 
PPTX
От sysV к systemd
Denis Kovalev
 
PDF
Openvpn
mato2012
 
PDF
Linux Kernel Parameter Tuning
Ryo Sasaki
 
PDF
Introduction to FreeNAS development by John Hixson
iXsystems
 
PDF
Nginx
Shaopeng He
 
PPT
Glomosim
barodia_1437
 
Configuration of NTP Server on CentOS 8
Kaan Aslandağ
 
Quick Start Guide using Virtuozzo 7 (β) on AWS EC2
Kentaro Ebisawa
 
OpenVPN
Emil CHERICHEȘ
 
DevOps Braga #6
DevOps Braga
 
RHCSA
Łukasz Jarzyński
 
Configuration of Smtp Server On CentOS 8
Kaan Aslandağ
 
Configuration of SFTP Server on CentOS 8.pdf
Kaan Aslandağ
 
Cloud Compt
Kanchilug
 
Puppet
Łukasz Jagiełło
 
CentOS Server CLI Configuration (Nmcli & Hosts)
Kaan Aslandağ
 
Introduction to Docker
Kevin Littlejohn
 
Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby
Michelle Antebi
 
nouka inventry manager
Toshiaki Baba
 
SELF 2014: PBI v10: Application Management Made Easy
Ken Moore
 
От sysV к systemd
Denis Kovalev
 
Openvpn
mato2012
 
Linux Kernel Parameter Tuning
Ryo Sasaki
 
Introduction to FreeNAS development by John Hixson
iXsystems
 
Nginx
Shaopeng He
 
Glomosim
barodia_1437
 
Ad

Viewers also liked (19)

DOCX
Sten
yhiskond1
 
PPT
Totalitaarsete riikide kunst. elin lepik. 12b
jpg12b
 
PPTX
Muutused igapäevaelus varauusajal
Mihhail Sorokin
 
PPTX
Organizac..
Miguel Rivera Espinoza
 
ODP
The Seven Wonders Of The Ancient Worls
Andre Kaasik
 
PPT
Euroopa riigid
jaanikapr
 
ODP
Uusaeg1 - varauusaeg konspekt
kristel84
 
PDF
Musket age of warfare 2010
Mr.J
 
PDF
Industrial age1850 1900 spring 2011
Mr.J
 
PPTX
10 ptk sojandus uusajal
Märt Männik
 
PPTX
Valgustus, Prantsuse revolutsioon, Napoleon gümnaasiumile
Dagmar Seljamäe
 
PPTX
The musket age
Mr.J
 
PPT
Euroopa riigid ja rahvad. Absolutism.
Natalja Dovgan
 
PPTX
Natsionaalsotsialistlik Saksamaa
Sander Saks
 
PPTX
Inglise kodusõda 1642 1660
Katri Silla
 
PPTX
Natsionaalsotsialistlik Saksamaa
Inga Zemit
 
PPTX
Talupoeg ja maaisand
Dagmar Seljamäe
 
PPTX
Slidashare
Nancy Soledad Ruiz Nuñez
 
PPTX
Vana-Egiptus
Dagmar Seljamäe
 
Sten
yhiskond1
 
Totalitaarsete riikide kunst. elin lepik. 12b
jpg12b
 
Muutused igapäevaelus varauusajal
Mihhail Sorokin
 
Organizac..
Miguel Rivera Espinoza
 
The Seven Wonders Of The Ancient Worls
Andre Kaasik
 
Euroopa riigid
jaanikapr
 
Uusaeg1 - varauusaeg konspekt
kristel84
 
Musket age of warfare 2010
Mr.J
 
Industrial age1850 1900 spring 2011
Mr.J
 
10 ptk sojandus uusajal
Märt Männik
 
Valgustus, Prantsuse revolutsioon, Napoleon gümnaasiumile
Dagmar Seljamäe
 
The musket age
Mr.J
 
Euroopa riigid ja rahvad. Absolutism.
Natalja Dovgan
 
Natsionaalsotsialistlik Saksamaa
Sander Saks
 
Inglise kodusõda 1642 1660
Katri Silla
 
Natsionaalsotsialistlik Saksamaa
Inga Zemit
 
Talupoeg ja maaisand
Dagmar Seljamäe
 
Slidashare
Nancy Soledad Ruiz Nuñez
 
Vana-Egiptus
Dagmar Seljamäe
 
Ad

Similar to Building a moat bastion server (20)

PDF
Tested install-isp config3-ubuntu-16-04
SANTIAGO HERNÁNDEZ
 
PDF
Nginx2
kantohibi
 
PPTX
Kubernetes BateMetal Installation and Practice
wonyong hwang
 
PDF
Provisioning on Libvirt with Foreman
Nikhil Kathole
 
PPTX
kubernetes baremetal installation and practice
wonyong hwang
 
PDF
Genode Compositions
Vasily Sartakov
 
PPT
Razor, the Provisioning Toolbox - PuppetConf 2014
Puppet
 
PPTX
Vagrant, Ansible, and OpenStack on your laptop
Lorin Hochstein
 
PDF
How to turn any dynamic website into a static site | 24.01.2018 | Artem Danil...
LumoSpark
 
ODP
LSA2 - 02 Namespaces
Marian Marinov
 
PDF
Cobbler, Func and Puppet: Tools for Large Scale Environments
ViSenze - Artificial Intelligence for the Visual Web
 
PDF
Cobbler, Func and Puppet: Tools for Large Scale Environments
Michael Zhang
 
DOCX
Kickstart
Dhananjayan Ezhumalai
 
PDF
Implementation of DNS Anycast - a case study
A. S. M. Shamim Reza
 
PDF
Automação do físico ao NetSecDevOps
Raul Leite
 
PDF
Linux Containers From Scratch
joshuasoundcloud
 
PDF
Instalando Cacti no CentOS 5
Carlos Eduardo
 
DOCX
Component pack 6006 install guide
Roberto Boccadoro
 
PDF
Linux sever building
Edmond Yu
 
PDF
OSDC 2014: Jan-Piet Mens - Configuration Management with Ansible
NETWAYS
 
Tested install-isp config3-ubuntu-16-04
SANTIAGO HERNÁNDEZ
 
Nginx2
kantohibi
 
Kubernetes BateMetal Installation and Practice
wonyong hwang
 
Provisioning on Libvirt with Foreman
Nikhil Kathole
 
kubernetes baremetal installation and practice
wonyong hwang
 
Genode Compositions
Vasily Sartakov
 
Razor, the Provisioning Toolbox - PuppetConf 2014
Puppet
 
Vagrant, Ansible, and OpenStack on your laptop
Lorin Hochstein
 
How to turn any dynamic website into a static site | 24.01.2018 | Artem Danil...
LumoSpark
 
LSA2 - 02 Namespaces
Marian Marinov
 
Cobbler, Func and Puppet: Tools for Large Scale Environments
ViSenze - Artificial Intelligence for the Visual Web
 
Cobbler, Func and Puppet: Tools for Large Scale Environments
Michael Zhang
 
Kickstart
Dhananjayan Ezhumalai
 
Implementation of DNS Anycast - a case study
A. S. M. Shamim Reza
 
Automação do físico ao NetSecDevOps
Raul Leite
 
Linux Containers From Scratch
joshuasoundcloud
 
Instalando Cacti no CentOS 5
Carlos Eduardo
 
Component pack 6006 install guide
Roberto Boccadoro
 
Linux sever building
Edmond Yu
 
OSDC 2014: Jan-Piet Mens - Configuration Management with Ansible
NETWAYS
 

Building a moat bastion server

  • 3. What does it do? Provides a secure, single point of entry to your application servers
  • 4. Why do you care?
  • 5. What’s it look like? Service Requests SSH
  • 6. Bastion System Setup wget ruby* MySQL* curl postgresql* xorg* nginx net-snmp-libs jasper-libs Uninstall telnet everything! php* automake *X11 monit gcc DNS Name Server Mail Server ftp neon *devel* finger fetchmail net-snmp-libs
  • 7. Bastion System Setup install netcat
  • 8. Bastion System Setup update everything that remains! sudo yum upgrade
  • 9. Bastion SSH Config Change Port from 22 Port 2222 Disable password logins/auth PasswordAuthentication no Disable PAM UsePAM no
  • 10. Bastion IPTABLES DENY!!!!! /etc/sysconfig/iptables ... *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [237:32957] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state ESTABLISHED -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A INPUT -p icmp -j ACCEPT -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT COMMIT
  • 11. Bastion User Create a secure user group sudo /usr/sbin/groupadd moat Create a “keymaster” Generate and upload an SSH key
  • 12. Other Users Generate ssh-keys, use passphrases! sudo /usr/sbin/useradd -G moat -m new_user sudo mkdir -p /home/new_user/.ssh sudo mv ~/.new_user_ssh.pub /home/new_user/.ssh/authorized_keys sudo chmod -R 700 /home/new_user/.ssh sudo chown -R new_user:new_user /home/new_user/.ssh echo Any_r@nd0m_p@55w04D | sudo passwd new_user --stdin
  • 13. Protected Server Iptables ... *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] ... -A INPUT -s <moat’s IP address> -p tcp -m tcp --dport 22 -j ACCEPT # HTTP and HTTPS -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT COMMIT
  • 14. SSH Proxy through moat to access remote machines Host app001 Hostname app-001.blackboxservers.com User app_user ProxyCommand ssh -q -p 2222 $MOAT_USER@moat-001.blackboxservers.com nc %h 22 To SSH, just export your name and go! $> export MOAT_USER=george $> ssh app001 george@app-001.blackboxservers.com's password: