pyratelog

personal blog
git clone git://git.pyratebeard.net/pyratelog.git
Log | Files | Refs | README
commit 671a4412d33d28c85e7fd16fb2c0aeb249cde9b7
parent 3d3b9b2c3685ac188bce06994bf8552c6b33d308
Author: pyratebeard <root@pyratebeard.net>
Date:   Tue, 30 Aug 2022 09:04:26 +0100

a_well-fortified_position

Diffstat:

Mentry/a_well-fortified_position.md | 36++++++++++++++++++++++++++++++++----


1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/entry/a_well-fortified_position.md b/entry/a_well-fortified_position.md
@@ -1,6 +1,34 @@
-After a [previous post](20220512-distrust,_but_verify.html) contemplating losing access to my phone and therefore to all my servers while on the move, I have been working on a solution.  My new setup is not complete but I felt I should provide an update.
+After a [previous post](20220512-distrust,_but_verify.html) contemplating losing access to my phone and therefore to all my servers while on the move, I have been working on a solution.  My new setup is not complete however I felt I should provide an update.
 
-* ssh bastion
-* ssh key on flashdrive
-* dynamic dns for vpn
+Parts of this little project I had been meaning to do for a while.  My previous post was a catalyst to get it all sorted.
+
+The first thing I did was build an SSH bastion or jump server.  This is a small server that I will use to proxy all my SSH connections to my other servers.  This is easily done with SSH, add the following to ~/.ssh/config
+```
+Host *
+	ProxyJump bastion
+```
+
+In order to secure all my other servers I restrict SSH connections to only be allowed from my bastion, in `iptables` this can be achieved by incanting
+```
+sudo iptables -A INPUT -p tcp -s <ip_address>/<subnet> --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+```
+
+Along with some further hardening this setup works well yet what if, as mentioned in the previous post, I don't have access to one of my devices?  I looked into hardware tools like [Yubikey](https://www.yubico.com/){target="_blank" rel="noreferrer"}, so far I haven't decided which to go with.  Instead, for the time being at least, I have put a single SSH private key on a small flash drive I can put on my keys.  This particular flash drive also has a USB-C connection so can be used on a lot of modern mobile devices.  In principle this means all I need to access my bastion is a device capable of SSH.
+
+This key only grants access to the bastion, I didn't want to allow connections through to my other servers.  On the bastion I have another key pair which can access my other servers.  Even if my first key is compromised and used before I can remove the key from the bastion, a second key will be required to get any further.
+
+As mentioned in the previous post I also have a VPN running on my home network.  This allows me to remote in to my home network on my phone and laptop when away.  In the event I didn't have access to either I have put a certificate on my bastion so I can remote home.
+
+Accessing my home VPN relies on knowing the IP address my ISP assigns me.  On rare occasions this IP changes, and it has caught me out in the past.  For a long time I have been using a script on a Pi at home which routinely checks the external IP, then notifies me if it changes.  To check the external IP incant
+```
+dig +short myip.opendns.com @resolver1.opendns.com
+```
+
+This script worked well although it isn't ideal.  My updated setup now has a domain pointed at my home network configured to use Dynamic DNS.  I then run [ddclient](https://github.com/ddclient/ddclient){target="_blank" rel="noreferrer"} on my Pi at home so if the IP ever changes the domain DNS _should_ be updated.  I now have all my VPN certs pointing to the domain name.
+
+There are more improvements I will probably make to this new setup.  I am still looking at hardware authentication tools so that will probably be the next step.  In the event I lose my flash drive, and my phone, and my laptop, I have been thinking of putting a fallback ssh key on my Mega storage account.  I don't use my Mega account for anything important so disabling MFA wouldn't be so bad.  This would mean all I need to access my bastion is a web browser to download the key, then SSH.  That should be achievable from anywhere.
+
+It may also be worth adding a secondary bastion in the event my current one disappears.  This wouldn't be too difficult, it merely costs money.  I may also add Dynamic DNS to my bastion in case of an IP change.  This is unlikely to happen, nevertheless it is a good idea to cover all scenarios.
+
+The next big step is to test this solution.  I know the SSH access works as required, and I know my flash drive key works, so now I need to go out into the wild to test from a completely random system.