pyratelog

personal blog
git clone git://git.pyratebeard.net/pyratelog.git

commit 671a4412d33d28c85e7fd16fb2c0aeb249cde9b7
parent 3d3b9b2c3685ac188bce06994bf8552c6b33d308
Author: pyratebeard <root@pyratebeard.net>
Date:   Tue, 30 Aug 2022 09:04:26 +0100

a_well-fortified_position

Diffstat:
M entry/a_well-fortified_position.md | 36 ++++++++++++++++++++++++++++++++----
1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/entry/a_well-fortified_position.md b/entry/a_well-fortified_position.md 
@@ -1,6 +1,34 @@ -After a [previous post](20220512-distrust,_but_verify.html) contemplating losing access to my phone and therefore to all my servers while on the move, I have been working on a solution. My new setup is not complete but I felt I should provide an update. +After a [previous post](20220512-distrust,_but_verify.html) contemplating losing access to my phone and therefore to all my servers while on the move, I have been working on a solution. My new setup is not complete however I felt I should provide an update. -* ssh bastion -* ssh key on flashdrive -* dynamic dns for vpn +Parts of this little project I had been meaning to do for a while. My previous post was a catalyst to get it all sorted. + +The first thing I did was build an SSH bastion or jump server. This is a small server that I will use to proxy all my SSH connections to my other servers. This is easily done with SSH, add the following to ~/.ssh/config +``` +Host * + ProxyJump bastion +``` + +In order to secure all my other servers I restrict SSH connections to only be allowed from my bastion, in `iptables` this can be achieved by incanting +``` +sudo iptables -A INPUT -p tcp -s <ip_address>/<subnet> --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT +``` + +Along with some further hardening this setup works well yet what if, as mentioned in the previous post, I don't have access to one of my devices? I looked into hardware tools like [Yubikey](https://www.yubico.com/){target="_blank" rel="noreferrer"}, so far I haven't decided which to go with. Instead, for the time being at least, I have put a single SSH private key on a small flash drive I can put on my keys. This particular flash drive also has a USB-C connection so can be used on a lot of modern mobile devices. In principle this means all I need to access my bastion is a device capable of SSH. + +This key only grants access to the bastion, I didn't want to allow connections through to my other servers. 
On the bastion I have another key pair which can access my other servers. Even if my first key is compromised and used before I can remove the key from the bastion, a second key will be required to get any further. + +As mentioned in the previous post I also have a VPN running on my home network. This allows me to remote in to my home network on my phone and laptop when away. In the event I didn't have access to either I have put a certificate on my bastion so I can remote home. + +Accessing my home VPN relies on knowing the IP address my ISP assigns me. On rare occasions this IP changes, and it has caught me out in the past. For a long time I have been using a script on a Pi at home which routinely checks the external IP, then notifies me if it changes. To check the external IP incant +``` +dig +short myip.opendns.com @resolver1.opendns.com +``` + +This script worked well although it isn't ideal. My updated setup now has a domain pointed at my home network configured to use Dynamic DNS. I then run [ddclient](https://github.com/ddclient/ddclient){target="_blank" rel="noreferrer"} on my Pi at home so if the IP ever changes the domain DNS _should_ be updated. I now have all my VPN certs pointing to the domain name. + +There are more improvements I will probably make to this new setup. I am still looking at hardware authentication tools so that will probably be the next step. In the event I lose my flash drive, and my phone, and my laptop, I have been thinking of putting a fallback ssh key on my Mega storage account. I don't use my Mega account for anything important so disabling MFA wouldn't be so bad. This would mean all I need to access my bastion is a web browser to download the key, then SSH. That should be achievable from anywhere. + +It may also be worth adding a secondary bastion in the event my current one disappears. This wouldn't be too difficult, it merely costs money. I may also add Dynamic DNS to my bastion in case of an IP change. 
This is unlikely to happen, nevertheless it is a good idea to cover all scenarios. + +The next big step is to test this solution. I know the SSH access works as required, and I know my flash drive key works, so now I need to go out into the wild to test from a completely random system.
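Review bot: the `iptables` line on its own does not "restrict SSH connections to only be allowed from my bastion"; it only appends an ACCEPT for the bastion's address, so SSH from every other source is still accepted unless the INPUT chain's default policy is DROP or a later rule drops other port-22 traffic. The post should state that matching deny next to the ACCEPT (for example `sudo iptables -A INPUT -p tcp --dport 22 -j DROP` appended after it, or `sudo iptables -P INPUT DROP` together with an ESTABLISHED,RELATED accept) so a reader copying the single line does not assume the servers are now closed. Smaller point in the same hunk: `Host *` with `ProxyJump bastion` also matches the bastion itself, so `ssh bastion` will try to jump through the bastion to reach the bastion; either write `Host * !bastion`, or put a `Host bastion` stanza with `ProxyJump none` above the wildcard block.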