You can set up an authorization server to arrange technical support access to control panels. To ensure security, we recommend using a separate server for this purpose.
Server preparation consists of two stages:
- Configuring access to the control panel.
- Configuring SSH access.
This article provides the recommended installation procedure for Debian 8 Jessie OS. For other operating systems the order of installation and startup will be different. You can use your own scripts instead of ISPsystem scripts.
We recommend that you set up a firewall on the authorization server. In the firewall settings, allow incoming connections only for the support network.
Configuring access to the control panel
- Create the goserver user to access the control panel:
adduser --disabled-password --gecos "" goserver
- Download the scripts from the ISPsystem repository to that user's directory. For example, you can do this with git:
  - Install git:
apt-get update && apt-get -y install git
  - Download the repository:
git clone https://github.com/ispsystem/login-server /home/goserver/login-server
- Install the packages needed to run the scripts:
apt-get -y install python-yaml python-paramiko gunicorn python-virtualenv gcc python-dev
Note: The packages gcc and python-dev are needed to install the gevent module via pip. The Debian repository version of gevent can cause problems with SSL.
- To ensure that the installed modules do not interfere with the OS, create a virtual environment:
virtualenv /home/goserver/venv
- Install the required packages in the created environment:
/home/goserver/venv/bin/pip install gevent ipaddress
- Generate a self-signed SSL certificate and key for the web server:
openssl req -newkey rsa:1024 -nodes -keyout /home/goserver/server.key -out /home/goserver/server.crt -x509 -days 3650 -subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=example.com/emailAddress=root@example.com"
chown goserver:goserver /home/goserver/server.key /home/goserver/server.crt
Note: The command above uses rsa:1024 as in the original procedure; 1024-bit RSA keys are considered weak today, so use rsa:2048 or larger on a new installation.
- Create a configuration file for gunicorn (the Debian gunicorn package reads Python-syntax files from /etc/gunicorn.d/). Replace 1.1.1.1 with the address of the authorization server:
cat > /etc/gunicorn.d/goserver << EOF
CONFIG = {
    'working_dir': '/home/goserver/login-server',
    'user': 'goserver',
    'group': 'goserver',
    'environment': {
        'PYTHONPATH': '/home/goserver/venv/lib/python2.7/site-packages',
    },
    'args': (
        '--bind', '1.1.1.1:8443',
        '--workers', '1',
        '--timeout', '60',
        '--reload',
        '--certfile', '/home/goserver/server.crt',
        '--keyfile', '/home/goserver/server.key',
        '--do-handshake-on-connect',
        '--ssl-version', '5',
        '--ciphers', 'TLSv1.2,TLSv1',
        '-k', 'gevent',
        'goserver:myapp',
    ),
}
EOF
- Generate an SSH key without a passphrase:
su -l goserver -c 'ssh-keygen -t dsa'
Note: OpenSSH 7.0 and later disable DSA keys by default. On such systems generate an RSA or Ed25519 key instead and point the keyfile setting in config.yml and config.sh at the resulting private key.
- Provide the contents of the /home/goserver/.ssh/id_dsa.pub file to the support team.
- Create a configuration file for the authorization server, /home/goserver/login-server/config.yml.
Example of a configuration file:
# Path to the private SSH key. If the path is standard, it does not need to be specified.
keyfile: /home/goserver/.ssh/id_dsa
# Networks from which access is permitted. Use the format network/netmask.
networks:
  - 192.168.0.0/24
# Users in the format login: password, where the password is encrypted with the crypt function.
# A password can be encrypted as follows:
#   mkpasswd -m md5 -S `pwgen -s 8 1` __PASSWORD__
users:
  user1: $1$J5hIelk6$JcTj78g3r7ddKW7ZX7j2x1
  user2: $1$gGJvd0dz$BoCItoXBq6EqdTg1m4G6D1
# Log file in which connections will be recorded. The goserver user must have write permissions to this directory or the file must be created in advance.
logfile: /var/log/goserver.log
- Create a separate log file:
touch /var/log/goserver.log
chown goserver /var/log/goserver.log
- Add gunicorn to the autostart and run it. If gunicorn is already running, stop it first:
systemctl stop gunicorn
systemctl enable gunicorn
systemctl start gunicorn
Configuring SSH access
- Create the support user for SSH access:
adduser --disabled-password --gecos "" support
- Set the go script of the goserver user as the login shell for the support user:
usermod -s /home/goserver/login-server/go support
- Install sudo:
apt-get -y install sudo
- Allow the support user to run SSH as the goserver user. Add the following line to the /etc/sudoers file:
support ALL=(goserver) NOPASSWD: /usr/bin/ssh
Note: To edit the /etc/sudoers file, we recommend using the visudo command.
- Configure the go script. Create the file /home/goserver/login-server/config.sh:
cat > /home/goserver/login-server/config.sh << EOF
log=/var/log/gossh.log  # path to the authorization log file. The support user must have write permissions to this directory or the file must be created in advance.
logdir=/var/log/gossh   # path to the directory with stdout connection log files. The support user must have write access to this directory.
#keyfile=path_to_file   # path to the private SSH key. If the path is standard, it does not need to be specified.
sudouser=goserver       # user under which ssh will be launched via sudo
EOF
- Create the files and directories for the logs:
touch /var/log/gossh.log
chown support /var/log/gossh.log
mkdir -p /var/log/gossh
chown support /var/log/gossh
- Configure log file rotation:
  - Install logrotate:
apt-get -y install logrotate
  - Create the file with logrotate settings:
cat > /etc/logrotate.d/goserver << EOF
/var/log/gossh/*.log {
    size 1M
    copytruncate
    delaycompress
    compress
}
/var/log/gossh.log {
    size 1M
    copytruncate
    delaycompress
    compress
}
/var/log/goserver.log {
    size 1M
    delaycompress
    compress
    postrotate
        systemctl reload gunicorn
    endscript
}
EOF
Using the authorization server
Configuring authorization
To connect to the control panel:
- Encrypt the user passwords used to connect to the server:
mkpasswd -m md5 -S `pwgen -s 8 1` <pass>
Note: If you omit <pass>, mkpasswd prompts for the password instead, which keeps it out of the shell history.
- Add the user names and encrypted passwords to the users section of the file /home/goserver/login-server/config.yml.
Example of configuration:
users:
  user1: $1$J5hIelk6$JcTj78g3r7ddKW7ZX7j2x1
  user2: $1$gGJvd0dz$BoCItoXBq6EqdTg1m4G6D1
- Update your web server settings:
systemctl reload gunicorn
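The following is an added example and not the ISPsystem login-server code: a Python 3 model of the two checks that the networks and users sections of config.yml drive before a support login is accepted, namely whether the client address lies inside a permitted network and whether the submitted password matches the stored crypt-md5 hash. The function names are hypothetical, the CONFIG dict stands in for the YAML the real server loads, and its values are constructed apart from the two hashes quoted in this article. The md5-crypt routine is a pure-Python rendering of the classic $1$ algorithm so that the example runs without the deprecated crypt module.

```python
"""Model of the authorization checks driven by config.yml (added example)."""
import hashlib
import hmac
import ipaddress
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # crypt(3)-style base64: low six bits first, custom alphabet
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """Return a $1$salt$digest string, the format 'mkpasswd -m md5' produces."""
    pw = password.encode()
    salt = salt.encode()[:8]          # md5-crypt uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for left in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, left)])
    bit = len(pw)
    while bit:
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):             # the fixed 1000-round stretching loop
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    digest = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                     for a, b, c in groups)
    digest += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + digest


def make_salt():
    """8 random characters from the crypt alphabet, like `pwgen -s 8 1`."""
    return "".join(ITOA64[b & 0x3F] for b in os.urandom(8))


def verify_password(password, stored):
    """Compare a candidate password against a stored $1$ hash in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False                  # not an md5-crypt hash: refuse rather than guess
    return hmac.compare_digest(md5_crypt(password, parts[2]).encode(), stored.encode())


def client_allowed(client_ip, networks):
    """True if client_ip falls inside any network/netmask entry of config.yml."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


# Hash checked for unknown logins so a missing user costs the same time as a wrong password.
_DUMMY_HASH = md5_crypt("dummy", "dummysal")


def authorize(config, client_ip, user, password):
    """Run the checks cheapest first (hypothetical order, not the server's own)."""
    if not client_allowed(client_ip, config["networks"]):
        return False, "client network not permitted"
    known = user in config["users"]
    ok = verify_password(password, config["users"].get(user, _DUMMY_HASH))
    if not (known and ok):
        return False, "bad user or password"
    return True, "ok"


# Constructed stand-in for the parsed config.yml; the hashes are the article's examples.
CONFIG = {
    "networks": ["192.168.0.0/24"],
    "users": {
        "user1": "$1$J5hIelk6$JcTj78g3r7ddKW7ZX7j2x1",
        "user2": "$1$gGJvd0dz$BoCItoXBq6EqdTg1m4G6D1",
    },
}

if __name__ == "__main__":
    fresh = md5_crypt("correct horse", make_salt())
    print("users: entry for a new login ->", fresh)
    print(authorize(CONFIG, "10.0.0.5", "user1", "anything"))
    print(authorize({"networks": CONFIG["networks"], "users": {"user1": fresh}},
                    "192.168.0.10", "user1", "correct horse"))
```

The network test runs first because it is cheap and needs no secret; the password check always performs a full hash computation, even for an unknown login, so response time does not reveal which user names exist.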
To connect via SSH, add the public part of the SSH key of the support representative to the file /home/support/.ssh/authorized_keys.
Example of commands (1.1.1.1 is the authorization server, 2.2.2.2 is the server the support engineer needs to reach):
ssh -t support@1.1.1.1 go 2.2.2.2
ssh -t support@1.1.1.1 go 2.2.2.2 ps uxaw
rsync -aPv /tmp/srv/ -e "ssh -t support@1.1.1.1 go" 2.2.2.2:/tmp/
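As an added illustration of how the pieces above fit together, and not ISPsystem's go script, here is a minimal model of a restricted login shell in that style: it takes the target address and optional command that the support engineer typed after go, refuses anything that is not a plain IPv4 address, writes one audit line, and then runs the only privileged action the sudoers line permits, /usr/bin/ssh as the goserver user. The variable names GOSSH_LOG, GOSSH_SUDOUSER and GOSSH_REMOTE_USER, the remote login name root, the dropping of the leading "go" word, and the log line format are assumptions of this model.

```sh
#!/bin/sh
# Model of a restricted login shell for the support user (added example, not the project's go script).

LOGFILE="${GOSSH_LOG:-/var/log/gossh.log}"      # corresponds to 'log=' in config.sh
SUDOUSER="${GOSSH_SUDOUSER:-goserver}"          # corresponds to 'sudouser=' in config.sh
REMOTE_USER="${GOSSH_REMOTE_USER:-root}"        # assumption: login name on the target server

# Accept only a dotted-quad IPv4 address as the target. Rejecting everything
# else keeps shell metacharacters, ssh options (a leading '-') and host names
# out of the command line built below. The subshell body keeps IFS local.
is_ipv4() (
    case "$1" in
        "" | *[!0-9.]*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Print the exact command the wrapper would exec; return 1 and print nothing
# when the target is not acceptable.
build_command() {
    target=$1
    is_ipv4 "$target" || return 1
    shift
    printf 'sudo -u %s /usr/bin/ssh -t %s@%s' "$SUDOUSER" "$REMOTE_USER" "$target"
    for word in "$@"; do
        printf ' %s' "$word"
    done
    printf '\n'
}

# Append one audit line per attempt: UTC time, caller's source address
# (SSH_CLIENT is set by sshd), target and command. Rejected attempts are
# logged too, since they are the ones worth alerting on.
log_session() {
    printf '%s src=%s target=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${SSH_CLIENT%% *}" "$1" "$2" >> "$LOGFILE"
}

# When the script is the login shell, sshd runs it as:  go -c "go 2.2.2.2 ps uxaw"
# so the whole client command line arrives in $2 and must be re-split.
main() {
    if [ "$1" = "-c" ]; then
        set -f                        # no pathname expansion while re-splitting
        set -- $2
        if [ "$1" = "go" ]; then      # drop the leading word the client typed
            shift
        fi
    fi
    if cmd=$(build_command "$@"); then
        log_session "$1" "${cmd#* /usr/bin/ssh }"
        exec $cmd
    fi
    log_session "${1:-}" "REJECTED $*"
    echo "usage: go <ipv4-address> [command]" >&2
    exit 2
}

# Run main only when installed under the name go (sshd invokes a login shell
# as "-go"); sourcing this file elsewhere only defines the functions.
case "${0##*/}" in
    go | -go) main "$@" ;;
esac
```

Two properties of this model are what the sudoers line and the login-shell assignment above rely on: the support user never obtains a general shell, and every byte of the target address is validated before it reaches ssh, so the only thing the support engineer can influence is which permitted host is contacted and which command runs there.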