Showing posts with label CloudStack.

Saturday, December 01, 2012

New CloudStack VMs: security and password management

I happen to work with cloud infrastructure and I usually create lots of virtual machines to test and develop new Puppet modules.

Since the target is to finalize cloud templates and the correct installation of the modules, these VMs often stay up for a few days to allow refining and so on.

I start from a very basic template and everything is installed by Puppet; security has to be managed by the cloud, and these machines are destined to stay in the internal private network, exposing just the services they offer (whether they are a Moodle machine, a JBoss server or whatever).

So no particular attention was paid to securing the host, but to be able to work with ease I just opened port 22 of the SSH server to connect and do the configuration.

Unfortunately the password was a simple one, and since the work sometimes takes more than a couple of days, some machines were compromised by a brute-force attack on the SSH server.

Lesson learned: use a good password. Since a different password for each VM in the cloud could be difficult to remember (especially if you want to use non-simple ones), I decided to use a nice feature of KeePass: the ability to execute PuTTY as a URL action; in this way I do not have to bother remembering or typing complex passwords anymore.

Here is the code to insert in KeePass:


cmd://PuTTY.exe -ssh {USERNAME}@{URL:HOST} {URL:PORT} -pw {PASSWORD}

cmd://WinSCP.exe scp://{USERNAME}:{PASSWORD}@{URL}

The first opens an "ssh" URL, the second an "scp" URL. Mind that KeePass already handles the "ssh" scheme, but if your SSH server listens on another port you need the override above to connect; the entry's URL must then have the form ssh://host:port so that the {URL:HOST} and {URL:PORT} placeholders resolve. These commands work with the latest KeePass 2.x version. One caveat: with -pw (and with the password embedded in the scp:// URL) the password is passed on the command line, so it is visible to other users of the same Windows machine through the process list; on a single-user workstation that is usually acceptable, otherwise prefer key-based authentication with Pageant.

To add it, go to Tools -> Options... and press "URL Scheme Overrides".
(screenshot: KeePass options dialog)

Create a new scheme by pressing "Add...".

(screenshot: URL override dialog)

Add "ssh" as the scheme and the command above as the URL override.

This way you can start PuTTY from KeePass using secure, complex passwords with ease.

To solve the problem of insecure new machines I also added the installation of fail2ban to the Puppet node description: no more brute-force attacks allowed.

I will work on automatically changing the root password and creating a CSV file to send to the administrator, to add the info to the central KeePass DB.
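The per-VM password rotation and KeePass hand-off sketched above, as an added example that is not part of the original post or of the author's Puppet code. It generates a high-entropy random password for each new VM with the secrets module, emits the "user:password" line to pipe into chpasswd on that VM, and writes a CSV with a Title/User Name/Password/URL/Notes header that the KeePass 2.x Generic CSV Importer can map (the header names and the VM list are assumptions of this example). The URL column uses the ssh://host:port form so the PuTTY override's {URL:HOST} and {URL:PORT} placeholders resolve. The CSV holds cleartext passwords, so it should be sent encrypted and deleted after import.

```python
import csv
import io
import secrets
import string

# Assumed alphabet: letters, digits and a few symbols that are safe in a
# chpasswd line and in a CSV field (no quotes, backslashes, '$' or ':').
ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@_"
SYMBOLS = set(ALPHABET) - set(string.ascii_letters + string.digits)


def generate_password(length: int = 24) -> str:
    """Return a random password drawn with the secrets module (CSPRNG).

    Re-draw until every character class is present, so the password also
    satisfies simple complexity policies on the target host.
    """
    if length < 16:
        raise ValueError("refuse to generate passwords shorter than 16 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def build_inventory(vms, user: str = "root"):
    """vms: iterable of (title, host, ssh_port) tuples for the VMs just created.

    Returns one entry per VM with a fresh password and a KeePass-friendly URL.
    """
    entries = []
    for title, host, port in vms:
        entries.append({
            "title": title,
            "username": user,
            "password": generate_password(),
            # ssh://host:port lets the KeePass override expand {URL:HOST}/{URL:PORT}
            "url": f"ssh://{host}:{port}",
            "notes": f"root password set by provisioning script on {host}",
        })
    return entries


def chpasswd_line(entry) -> str:
    """Line to feed to `chpasswd` on that VM, e.g. via ssh root@host chpasswd."""
    return f"{entry['username']}:{entry['password']}\n"


def keepass_csv(entries) -> str:
    """CSV for the KeePass 2.x Generic CSV Importer (columns are mapped in its dialog)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["Title", "User Name", "Password", "URL", "Notes"])
    for e in entries:
        writer.writerow([e["title"], e["username"], e["password"], e["url"], e["notes"]])
    return buf.getvalue()


def parse_keepass_csv(text: str):
    """Read the CSV back (what the importer sees); used to check the round trip."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    # Constructed sample inventory: two test VMs, one with SSH on a non-default port.
    sample_vms = [("moodle-test", "10.0.0.10", 22), ("jboss-test", "10.0.0.11", 2222)]
    inventory = build_inventory(sample_vms)
    for e in inventory:
        print("chpasswd input for", e["url"], "->", chpasswd_line(e).strip())
    print(keepass_csv(inventory))
```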

Thursday, October 11, 2012

Yii framework and CloudStack and Flex and ...

For the Open-DAI project I need to create a quick and dirty console (I hope it will become something more sophisticated, but for now I need something functional).

The target is to drive CloudStack to create VMs. I cannot use the CloudStack web interface, since it does not allow adding "user data", so I need to use API calls to do the job.

The problem is that I need to do this job across CloudStack domains.

So I have to get the list of API keys and secret keys and other CloudStack-related data and write a small program to issue the calls.
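What such a small program has to get right is the CloudStack API request signature: every call carries the account's API key in the clear plus an HMAC-SHA1 over the sorted, lowercased query string computed with that account's secret key, and a deployVirtualMachine call carries the user data base64-encoded. The following is an added example, not the author's console code nor a CloudStack client library: it builds a signed deployVirtualMachine GET URL and includes the server-side check that recomputes the signature, so a tampered parameter or a wrong secret is detected. The endpoint, keys and offering/template/zone identifiers are constructed placeholders, and the Python code in this post stands in for the PHP the author used.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def _encode(value) -> str:
    # CloudStack URL-encodes each value Java-style and turns '+' into %20
    # before signing; quote() with this safe set gives the same result for
    # the ASCII values used here (only '~' and non-ASCII text would differ).
    return quote(str(value), safe="-_.*")


def sign(params: dict, secret_key: str) -> str:
    """CloudStack signature: sort by lowercased parameter name, lowercase the
    whole 'name=encodedvalue&...' string, HMAC-SHA1 it with the secret key and
    base64-encode the digest."""
    items = sorted((k.lower(), _encode(v)) for k, v in params.items())
    canonical = "&".join(f"{k}={v}" for k, v in items).lower()
    digest = hmac.new(secret_key.encode("utf-8"), canonical.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request(endpoint: str, command: str, api_key: str, secret_key: str, **params) -> str:
    """Signed GET URL for one API command; apikey is signed, signature is appended."""
    all_params = {"command": command, "response": "json", **params, "apikey": api_key}
    signature = sign(all_params, secret_key)
    query = "&".join(f"{k}={_encode(v)}" for k, v in all_params.items())
    return f"{endpoint}?{query}&signature={_encode(signature)}"


def deploy_vm_request(endpoint, api_key, secret_key, service_offering, template, zone, name, user_data: bytes):
    """deployVirtualMachine with user data, which the API wants base64-encoded
    (CloudStack caps its size; check the limit for your version)."""
    encoded = base64.b64encode(user_data).decode("ascii")
    return build_request(endpoint, "deployVirtualMachine", api_key, secret_key,
                         serviceofferingid=service_offering, templateid=template,
                         zoneid=zone, name=name, displayname=name, userdata=encoded)


def verify_request(url: str, secret_key: str) -> bool:
    """What the management server does: recompute the signature over every
    parameter except 'signature' and compare in constant time."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    presented = params.pop("signature", "")
    return hmac.compare_digest(sign(params, secret_key), presented)


def decode_userdata(url: str) -> bytes:
    """Recover the raw user data from a built request (for checking the round trip)."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return base64.b64decode(params["userdata"])


if __name__ == "__main__":
    # Constructed placeholders: no real endpoint, keys or CloudStack ids.
    ENDPOINT = "http://cloudstack.example.org/client/api"
    API_KEY, SECRET = "example-api-key", "example-secret-key"
    url = deploy_vm_request(ENDPOINT, API_KEY, SECRET, "offering-1", "template-1", "zone-1",
                            "mgmt-01", b"#!/bin/sh\necho 'bootstrapping' > /root/open-dai\n")
    print(url)
    print("valid signature:", verify_request(url, SECRET))
    print("tampered name:", verify_request(url.replace("name=mgmt-01", "name=mgmt-99"), SECRET))
```

The same signing routine serves every other command (listVirtualMachines, queryAsyncJobResult); only the parameters change. Because each CloudStack domain account has its own key pair, the console must pick the key pair of the account whose domain the VM lands in before calling build_request.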

Obviously, since you need to manage creation, you need to be able to see what is going on over time, so a small DB will be needed; also, since the Open-DAI architecture requires creating the management VMs in a precise order, there will be the need to manage a simple workflow.

I would also like to present the user with a view of the architectural deployment model describing the state of the deployed VMs.

Since I want to do things quickly without having to install too many things, I decided to use PHP, a SQLite DB and Flex for the "toppings".

Since I believe that reinventing the wheel is not advisable, I looked at some of the PHP frameworks around... at first I looked at Zend 2.0... really nice but... damn complicated: you surely manage to do a lot, but you have to overcome a steep learning curve, so after a few hours of hacking I looked elsewhere and... landed on Yii.

Well, I can say I'm surprised. It took more or less three hours (following the tutorial) to have a first scratch of the application, integrated with the CloudStack library and ready to receive some of the code I already prepared in the last few days (tomorrow will be a day of cut and paste and fix).

I can advise you to look at it.