I've been rebuilding my home servers/storage and am mostly done. As part of this, I decided to move my SSH external server off of my main file server onto something low power and easy-to-use.
Background:
I used to ssh in and hop right onto the fileserver... wasn't too much of a problem since I had ssh keys and throttling, but I got annoyed by the number of attacks filling my logs. There are other ports open for other services, but those are to dedicated VMs and relatively secured off.
Possible Solutions:
There were two choices, either a) create a VM and have that be the host, or b) set up a low-powered computer. We voted at work and everyone agreed that option B was ideal for one reason: it's standalone, so if my VMs or fileserver died, I can still get in to troubleshoot or do other things.
I had a spare LivaPC that could run Ubuntu so it got wiped and reconfigured. There's just a local account (could also export read-only NFS to keep ssh keys in sync...) and I threw it behind Duo Security Two-Factor authentication as they have a free plan for up to 10 accounts. Duo is nicer than Google Auth because when you connect in, you are presented with multiple authentication options, including a push-to-phone. This pops up a dialog that you hit OK for and you're in; the auth token goes back to the login session. This is instead of a random string of characters from the other auth systems. I think you can set up multiple devices and have the list of options be even longer for convenience. The Duo install is about 5 steps that you cut and paste.
So after configuring the firewall to the new system, done. New bastion host, less risk, and a nice 2FA system in place. Duo is nice as it can integrate into other applications pretty easily as well if I ever wanted to throw more behind it. In addition, 10 users is more than enough for this simple task.
Just a fun story.
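For anyone wanting to replicate the key-plus-2FA bastion described above, here is an added example (not the poster's actual configuration) of the relevant sshd_config lines on the bastion and a client-side ~/.ssh/config that hops through it to the fileserver. The account name, host names and addresses are placeholders, and it assumes Duo is wired into sshd through its PAM module.

```sshconfig
# --- /etc/ssh/sshd_config on the bastion (added example; assumes Duo's PAM module handles the second factor) ---
# Require an SSH key AND the PAM second factor; a stolen key alone is not enough to log in.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
# Only the single local account may log in; never root directly.
AllowUsers alice
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30

# --- ~/.ssh/config on the client (added example; host names and addresses are placeholders) ---
Host bastion
    HostName bastion.example.net
    User alice
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Reach the internal fileserver through the bastion with a single command: ssh fileserver
Host fileserver
    HostName 192.168.1.10
    User alice
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519
```

Run `sshd -t` before restarting and keep an existing session open while testing the AuthenticationMethods change, so a mistake in the PAM setup does not lock you out of the only way in.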