
Saturday, December 01, 2012

New CloudStack VMs: security and password management

I work with cloud infrastructure and create a lot of virtual machines to test and develop new Puppet modules.

Since the goal is to finalize cloud templates and get the modules installing correctly, these VMs often stay up for a few days to allow refinement.

I start from a very basic template and everything is installed by Puppet. Network security is left to the cloud: these machines are meant to live in the internal private network and expose only the services they offer (a Moodle host, a JBoss server, or whatever else).

So no particular attention was paid to hardening the host itself; to be able to work comfortably I simply opened TCP port 22 for the SSH server so I could connect and adjust configurations.

Unfortunately the password was a simple one, and since the work sometimes takes more than a couple of days, some machines were compromised by password brute-force attacks against the SSH server.

The lesson is to use strong passwords. Since remembering a different password for every VM in the cloud is impractical (especially if the passwords are not simple ones), I decided to use a nice feature of KeePass: a URL scheme override can launch PuTTY with the entry's credentials, so I no longer have to remember or type complex passwords.

Here are the two overrides to enter in KeePass:


cmd://PuTTY.exe -ssh {USERNAME}@{URL:HOST} {URL:PORT} -pw {PASSWORD}

cmd://WinSCP.exe scp://{USERNAME}:{PASSWORD}@{URL:RMVSCM}

The first override handles "ssh" URLs, the second defines an "scp" URL that opens WinSCP. In the second line {URL:RMVSCM} (the entry URL with its scheme removed) is used rather than {URL}: the plain {URL} placeholder expands to the whole entry URL including the scp:// prefix, so the scheme would have appeared twice and WinSCP would not have parsed the address. KeePass 2.x already ships a built-in "ssh" scheme override, but it does not pass a port, so if sshd listens on a non-standard port you need the command above; write the port explicitly in the entry URL (for example ssh://10.0.0.5:2222) so that {URL:PORT} has a value. PuTTY also accepts the port through its -P option, so "-P {URL:PORT}" is an equivalent spelling. Two caveats: a password passed with -pw or embedded in a URL ends up in the command line of the running process, where a process listing can show it, so this is a convenience for throw-away test VMs rather than a replacement for key-based authentication (which both PuTTY and WinSCP support through Pageant); and a password containing characters such as @, : or / will break the scp URL unless it is percent-encoded. These overrides work with the current KeePass 2.x releases.

To add an override, go to Tools -> Options... and press "URL Scheme Overrides".
(screenshot: KeePass options dialog)

Create a new scheme by pressing "Add...".
(screenshot: URL Override dialog)

Enter "ssh" as the scheme and the first command above as the URL override; repeat with "scp" and the second command.

This way you can start PuTTY (or WinSCP) from KeePass using long, complex passwords with no extra effort.

To close the window during which new machines are exposed with a weak password, I also added the installation of fail2ban to the Puppet node description: repeated failed SSH logins from one address now get that address banned, so brute-force attacks no longer succeed.
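The following Puppet class is an added example of that node description and is not the post's own module. It installs fail2ban, writes a jail.local that watches the sshd log, and keeps the service running. The class and node names, the admin network in ignoreip, the Debian-style log path and the package name are assumptions; on CentOS the log is /var/log/secure, and older fail2ban packages call their stock jail [ssh], which is why the jail below names its filter explicitly.

```puppet
# Added example, not the post's own Puppet module. Assumes a Debian/Ubuntu VM
# (apt-provided fail2ban package, sshd logging to /var/log/auth.log); on
# CentOS pass logpath => '/var/log/secure'. All names here are illustrative.
class ssh_bruteforce_guard (
  $ssh_port = 22,
  $logpath  = '/var/log/auth.log',
  $maxretry = 3,                 # failed logins before a ban
  $bantime  = 3600,              # seconds the source IP stays banned
  $ignoreip = '127.0.0.1/8'      # networks that must never be banned (admin hosts)
) {

  package { 'fail2ban':
    ensure => installed,
  }

  # jail.local is read after jail.conf, so local settings survive package
  # upgrades. The jail sets filter = sshd explicitly so it works whether the
  # packaged jail.conf calls its stock jail [ssh] (fail2ban 0.8) or [sshd] (0.9+).
  file { '/etc/fail2ban/jail.local':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "[DEFAULT]
ignoreip = ${ignoreip}
bantime  = ${bantime}

[sshd]
enabled  = true
port     = ${ssh_port}
filter   = sshd
logpath  = ${logpath}
maxretry = ${maxretry}
",
    require => Package['fail2ban'],
    notify  => Service['fail2ban'],   # restart fail2ban whenever the jail changes
  }

  service { 'fail2ban':
    ensure  => running,
    enable  => true,
    require => Package['fail2ban'],
  }
}

# Node description: every new test VM gets the guard together with its role.
node 'moodle-test.cloud.internal' {
  class { 'ssh_bruteforce_guard':
    ssh_port => 22,
    ignoreip => '127.0.0.1/8 10.0.0.0/24',   # assumed admin network, so you cannot ban yourself
  }
}
```

After the agent run, `fail2ban-client status sshd` on the node shows the jail, its current ban count and the banned addresses; if your own workstation ever appears there, the ignoreip list is what needs fixing. Putting the admin network in ignoreip matters more than it looks: a typo in the KeePass entry replayed a few times by PuTTY is exactly the pattern the jail is built to ban.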

I will work on automatically changing the root password at provisioning time and producing a CSV file to send to the administrator, so the new credentials can be imported into the central KeePass database.
