commit c8a9101e73289364a172b5846fe6d425f4c5f32d
parent 671a4412d33d28c85e7fd16fb2c0aeb249cde9b7
Author: pyratebeard <root@pyratebeard.net>
Date: Tue, 30 Aug 2022 23:44:36 +0100
a_well-fortified_position
Diffstat:
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/entry/a_well-fortified_position.md b/entry/a_well-fortified_position.md
@@ -1,8 +1,8 @@
-After a [previous post](20220512-distrust,_but_verify.html) contemplating losing access to my phone and therefore to all my servers while on the move, I have been working on a solution. My new setup is not complete however I felt I should provide an update.
+After a [previous post](20220512-distrust,_but_verify.html) contemplating losing access to my phone and therefore to all my servers while on the move, I have been working on a solution.
-Parts of this little project I had been meaning to do for a while. My previous post was a catalyst to get it all sorted.
+Parts of this little project I had been meaning to do for a while, my previous post was a catalyst to get it all sorted.
-The first thing I did was build an SSH bastion or jump server. This is a small server that I will use to proxy all my SSH connections to my other servers. This is easily done with SSH, add the following to ~/.ssh/config
+The first thing I did was build an SSH bastion, or "jump server", a small server that I will use to proxy all my SSH connections to my other servers. This is easily done with SSH, add the following to ~/.ssh/config
```
Host *
ProxyJump bastion
@@ -13,22 +13,25 @@ In order to secure all my other servers I restrict SSH connections to only be al
sudo iptables -A INPUT -p tcp -s <ip_address>/<subnet> --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
```
-Along with some further hardening this setup works well yet what if, as mentioned in the previous post, I don't have access to one of my devices? I looked into hardware tools like [Yubikey](https://www.yubico.com/){target="_blank" rel="noreferrer"}, so far I haven't decided which to go with. Instead, for the time being at least, I have put a single SSH private key on a small flash drive I can put on my keys. This particular flash drive also has a USB-C connection so can be used on a lot of modern mobile devices. In principle this means all I need to access my bastion is a device capable of SSH.
+Along with some further hardening this setup works well; yet what if, as mentioned in the previous post, I don't have access to one of my devices? I looked into hardware tools like [Yubikey](https://www.yubico.com/){target="_blank" rel="noreferrer"}, so far I haven't decided which to go with. Instead, for the time being at least, I have put a single, passphrase protected,, SSH private key on a small flash drive I can put on my keys. This particular flash drive also has a USB-C connection so can be used on a lot of modern mobile devices. In principle this means all I need to access my bastion is my flash drive and a device capable of SSH.
-This key only grants access to the bastion, I didn't want to allow connections through to my other servers. On the bastion I have another key pair which can access my other servers. Even if my first key is compromised and used before I can remove the key from the bastion, a second key will be required to get any further.
+The flash drive key only grants access to the bastion, I didn't want to allow connections through to my other servers. On the bastion I have another passphrase protected key pair which can access my other servers. Even if my first key is compromised and used before I can remove the key from the bastion, a second key will be required to get any further.
-As mentioned in the previous post I also have a VPN running on my home network. This allows me to remote in to my home network on my phone and laptop when away. In the event I didn't have access to either I have put a certificate on my bastion so I can remote home.
+As mentioned in the previous post I also have a VPN running on my home network, allowing me to remote in to my home network on my phone and laptop when away. In the event I don't have access to either I have put a certificate on my bastion so I can remote home.
-Accessing my home VPN relies on knowing the IP address my ISP assigns me. On rare occasions this IP changes, and it has caught me out in the past. For a long time I have been using a script on a Pi at home which routinely checks the external IP, then notifies me if it changes. To check the external IP incant
+Accessing my home VPN relies on knowing the IP address my ISP assigns me. On rare occasions this IP changes, and it has caught me out in the past. For a long time I have been using a script on a Pi at home which routinely checks the external IP, then sends a [notification](20220104-notify,_only_smaller.html) and an email if it changes. To check the external IP incant
```
dig +short myip.opendns.com @resolver1.opendns.com
```
-This script worked well although it isn't ideal. My updated setup now has a domain pointed at my home network configured to use Dynamic DNS. I then run [ddclient](https://github.com/ddclient/ddclient){target="_blank" rel="noreferrer"} on my Pi at home so if the IP ever changes the domain DNS _should_ be updated. I now have all my VPN certs pointing to the domain name.
+Up to now the script worked well but I felt like the setup could be improved. My updated setup now has a domain pointed at my home network configured to use Dynamic DNS. I run [ddclient](https://github.com/ddclient/ddclient){target="_blank" rel="noreferrer"} on my Pi at home so if the IP ever changes the domain DNS _should_ be updated. I now have all my VPN certs pointing to the domain name.
-There are more improvements I will probably make to this new setup. I am still looking at hardware authentication tools so that will probably be the next step. In the event I lose my flash drive, and my phone, and my laptop, I have been thinking of putting a fallback ssh key on my Mega storage account. I don't use my Mega account for anything important so disabling MFA wouldn't be so bad. This would mean all I need to access my bastion is a web browser to download the key, then SSH. That should be achievable from anywhere.
+Without using my VPN I can also clone my `pass` git repository directly onto the bastion, giving me access to my passwords and backup codes in an emergency.
-It may also be worth adding a secondary bastion in the event my current one disappears. This wouldn't be too difficult, it merely costs money. I may also add Dynamic DNS to my bastion in case of an IP change. This is unlikely to happen, nevertheless it is a good idea to cover all scenarios.
+There are still more improvements I can make to this new setup. I am still looking at hardware authentication tools so that will most likely be the next step. In the event I lose my flash drive, and my phone, and my laptop, I have been thinking of putting a fallback ssh key on my Mega storage account. I don't use my Mega account for anything important so disabling MFA wouldn't be so bad (it actually has to be disabled for use with [rclone](https://rclone.org/){target="_blank" rel="noreferrer"}). Meaning all I need to access my bastion is a web browser to download the key, then SSH. That should be achievable from anywhere.
-The next big step is to test this solution. I know the SSH access works as required, and I know my flash drive key works, so now I need to go out into the wild to test from a completely random system.
+It may also be worth adding a secondary bastion in the event my current one disappears or is compromised and needs to be destroyed. Another bastion wouldn't be too difficult, it merely costs money. I may also add Dynamic DNS to my bastion in case of an IP change. It is unlikely to happen, nevertheless I want to cover all scenarios.
+The next big step is to test this solution. I know the SSH access works as required, and I know my flash drive key works, so now I need to go out into the wild to test from a completely random system. Testing the Dynamic DNS for my VPN will need to be done sooner rather than later, I don't want to get caught out again.
+
+So far this solution has given me a little relief knowing that I should be able to access my servers, my passwords and backup codes, and even my home network if I am stranded without my phone or laptop.