Welcome to Centmin Mod Community
Register Now

Server admin without ssh holes?

Discussion in 'System Administration' started by Colin, Sep 14, 2020.

Tags:
  1. Colin

    Colin Premium Member Premium Member

    160
    44
    28
    Oct 7, 2015
    Sheffield UK
    Ratings:
    +121
    Local Time:
    2:53 AM
    1.19.#
    MariaDB 10.1.#
    Hi all,

    I've evolved my thinking over the years of how to access multiple servers for sys admin over ssh. Way back when the internet was 'safer', we used to leave a port open for ssh, and sleep without nightmares. How about a nice game of chess?

    The last few years I've had a bastion on standby while using wireguard as my daily source of a fixed ip, open the hole for that ip etc... Wireguard is on a vps via the streisand project; what centmin is to serveradmin, streisand is to setting up a vpn.

    I just took delivery of a pine book pro, seeing if I can make this arm laptop my boot of the car/weekend emergency laptop. I'm also setting up some new vps servers and wanted to finally drop the bastion plan.

    For a totally different project, I'd stumbled on tailscale. They offer a vpn mesh, built on wireguard. Each connected resource has it's own ip and no need to leave an ssh hole open for any ip, vpn or not. So not only can I get away with dropping the bastion, but also the fixed ip vpn. Which is great as I have the proton vpn which I hardly ever use.

    Sadly I can't make my pine book work with it. No worries the old thinkpad 230 still has a place in my go bag :D

    Take a look at tailscale, it's darn interesting and has been easy to configure and setup.

    Appreciate your thoughts...

    Tailscale

    Solutions
     
  2. tininho

    tininho Active Member

    131
    34
    28
    May 22, 2019
    Nordic
    Ratings:
    +95
    Local Time:
    4:53 AM
    Streisand project seems interesting, but last update on April? These may be better choices:

    trailofbits/algo
    Nyr/wireguard-install

    It seems Algo VPN is the most robust and up-to-date?
     
  3. Colin

    Colin Premium Member Premium Member

    160
    44
    28
    Oct 7, 2015
    Sheffield UK
    Ratings:
    +121
    Local Time:
    2:53 AM
    1.19.#
    MariaDB 10.1.#
    Don't get old, I forgot I'd switched from striesland to algo... :D
     
  4. tininho

    tininho Active Member

    131
    34
    28
    May 22, 2019
    Nordic
    Ratings:
    +95
    Local Time:
    4:53 AM
    Still, the settings page generated by Streisand Project is well formatted by default: STREISAND

    I might check it out, there is a slightly updated fork here (seems to have a fix for outdated OpenVPN key): thiras/streisand
     
  5. eva2000

    eva2000 Administrator Staff Member

    45,971
    10,443
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,205
    Local Time:
    12:53 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Last edited: Sep 15, 2020
  6. Mari2000

    Mari2000 Premium Member Premium Member

    6
    1
    3
    Jul 12, 2020
    Ratings:
    +2
    Local Time:
    8:53 PM
    Have you ever heard of port knocking. Old school concept... I'm surprised it didn't take off more.

    Basically you hit a server with a secret sequence of ports in a certain time limit, and then the server opens up your ssh port for listening. Without knowing the exact secret ports and in what sequence, the port remains closed to scanners. Doesn't obviate the need to use ssh certs.

    https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-you-shouldnt/
     
  7. eva2000

    eva2000 Administrator Staff Member

    45,971
    10,443
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,205
    Local Time:
    12:53 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Yeah probably just too much work especially for beginners or the type of folks who would be using Centmin Mod with not much networking know how.

    Even using SSH Keys can be dangerous if the user has no idea how to re-gain SSH access if they're lost their SSH keys and would be reliant on whether the web host provider has other means of access i.e. out of band console/KVM/VNC access. Regaining access would be similar to what I wrote about if use accidentally flushes their IPTable rules and need to regain access at https://blog.centminmod.com/2020/11...er-being-locked-out-by-iptables-csf-firewall/.

    Many online guides outline the how to set something up i.e. SSH keys or port knocking, but rarely do the follow up with how to re-gain access if something goes wrong. What's worse have less secure access or inadvertently loosing all access to your server as you don't know how to fix when something went wrong i.e. loosing SSH keys or port-knocking not working/configured incorrectly ?