Federated-Reserve / Operations

Operations related wikis, issues, and tools

Setup SSH bastion #2

Closed chrislgarry closed 6 years ago

chrislgarry commented 6 years ago

Move away from SSH'ing directly to the instance. We should instead set up an SSH bastion: https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/

chrislgarry commented 6 years ago

Sorry, there's a bit more to it than I initially explained. We should remove the default ec2-user since botnets will brute-force SSH login for that account. Instead, each user should have an account on the bastion via useradd <username>, and then we each SSH to the bastion host under our own accounts with our own SSH key. After that, we will add MFA via google-authenticator for each user (different issue), after which we will need to pass the SSH key plus a one-time password generated by the Google Authenticator app on our phones to log into the bastion.

chrislgarry commented 6 years ago

Looks like this is done. Good work!

qimingfang commented 6 years ago

Still need to set it up with google-auth on seoul, but yeah pretty much done 👌
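A provisioning script for the approach described in this issue (per-user bastion accounts with their own key, the shared ec2-user retired, sshd restricted to key-only logins), added here as an illustration and not part of the Federated-Reserve/Operations repository. The group name bastion-users, the /home/<user> home path, the drop-in file name and the DRY_RUN switch are assumptions of this example; the sample public key in the usage line is constructed, not a real key.

```shell
#!/bin/sh
# Added example: provision per-user bastion accounts and harden sshd.
# Assumes a Linux host with shadow-utils (useradd, groupadd, usermod) and
# an sshd that reads /etc/ssh/sshd_config.d/*.conf. Run as root; set
# DRY_RUN=1 to print the privileged commands instead of executing them.
set -eu

# Execute a privileged command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Accept only portable usernames (lowercase, digits, _ and -, max 32 chars)
# so a value taken from a ticket or form cannot smuggle shell metacharacters.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# sshd drop-in: key-only auth, no root, no shared ec2-user, and only members
# of the bastion-users group may log in at all. The AuthenticationMethods
# line is left commented until PAM google-authenticator is configured; once
# enabled, sshd requires the key AND the one-time code on every login.
render_sshd_hardening() {
    cat <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowGroups bastion-users
DenyUsers ec2-user
# AuthenticationMethods publickey,keyboard-interactive
EOF
}

# Create the account (if missing), put it in bastion-users, and install the
# caller-supplied public key as the only authorized key.
provision_user() {
    user="$1"; pubkey="$2"
    valid_username "$user" || { echo "refusing invalid username: $user" >&2; return 1; }
    home="/home/$user"                      # assumption: useradd -m default
    run groupadd -f bastion-users           # -f: succeed if it already exists
    id "$user" >/dev/null 2>&1 || run useradd -m -s /bin/bash -G bastion-users "$user"
    run install -d -m 700 -o "$user" -g "$user" "$home/.ssh"
    tmp=$(mktemp)
    printf '%s\n' "$pubkey" > "$tmp"
    run install -m 600 -o "$user" -g "$user" "$tmp" "$home/.ssh/authorized_keys"
    rm -f "$tmp"
}

# Retire the default account: lock the password and remove its shell.
# Delete it outright (userdel -r ec2-user) only after at least one personal
# account has been verified to work, or the bastion locks everyone out.
retire_default_user() {
    run usermod -L -s /sbin/nologin ec2-user
}

# Write the sshd drop-in and reload sshd so the policy takes effect.
apply_sshd_hardening() {
    tmp=$(mktemp)
    render_sshd_hardening > "$tmp"
    run install -m 644 -o root -g root "$tmp" /etc/ssh/sshd_config.d/50-bastion.conf
    rm -f "$tmp"
    run sshd -t                              # validate before reloading
    run systemctl reload sshd
}

# Usage: sudo ./bastion_users.sh alice "ssh-ed25519 AAAAC3Nza... alice@laptop"
# (the key above is a constructed placeholder, not a real key)
if [ -n "${1:-}" ]; then
    provision_user "$1" "${2:?public key required}"
    retire_default_user
    apply_sshd_hardening
fi
```

Provision each person's account from a key they hand you out of band, confirm that at least one of those accounts can log in, and only then lock or delete ec2-user; with AllowGroups in place, any account not in bastion-users is refused before authentication even starts, which also covers accounts an installer package may create later.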