What's the best way to setup a VPN to access webservers?
Hi all,

I need a secure way to restrict SSH access into my webservers, and I describe my case below. I really need some help here to find the most secure and practical solution.

At my house, my ISP only gives dynamic IP addresses, so a static IP for the internet connection is not an option.

So my first idea is to buy 2 VPSes (for redundancy purposes) and set up OpenVPN on each one, naming them vpn1 and vpn2. This way I could then add the VPN servers' IPs to the firewall of my webservers, making them the only IPs allowed to log in via SSH.

At this point only the 2 IPs of the 2 VPN servers will have access to my webservers. All seems good…

But in a real-world scenario, every time I need to log in by SSH to a webserver I will have to connect to the VPN (no problem), and all the other traffic on my Windows PC is also routed through the VPN. This is the problem.

What I need is for the VPN to only route traffic to my webservers' IPs, or maybe I need some kind of different VPN or proxy setup so that only programs like FileZilla and PuTTY use the VPN servers to access my webservers, while all other traffic on my computer keeps using the standard internet connection.

Any ideas or advice?

Thanks

Comments

  • justvm Member, Patron Provider

    Have you thought about changing the SSH port number, disabling password authorization and installing a root SSH key? This will restrict your SSH. What control panel do you have on your webserver?

  • A VPN solution would work. You just set your firewall to only allow connections to SSH's port from the VPN.

    But @vpsrus's suggestions are also safe. You could also explore port knocking and fail2ban, both of which will provide another obstacle for would-be hackers.

  • justvm Member, Patron Provider

    You can also install CSF+LFD; it will harden your webserver. But if your intention is the VPS, please take a look at our offer at https://www.lowendtalk.com/discussion/86034/intro-summer-savings-vps-openvz-from-2-10-kvm-from-3-50-and-more#latest

  • tommy Member

    Just ignore the ads above.

    If you only want to access your server via SSH, don't use a VPN, just plain SSH (SSH tunnel).

    From your side -> connect to your VPN (wannabe)/SSH tunnel -> your server.

  • @vpsrus said:
    Have you thought about changing the SSH port number, disabling password authorization and installing a root SSH key? This will restrict your SSH. What control panel do you have on your webserver?

    Yes. But besides all that I want to restrict access even more by allowing only the VPN IP on my server.

    @JustAMacUser said:
    A VPN solution would work. You just set your firewall to only allow connections to SSH's port from the VPN.

    Yes, I know a VPN will work. But my problem is that every time I need to log in via SSH to my webservers, all the traffic on my computer is automatically redirected to the VPN. This is the problem.

    @tommy said:
    Just ignore the ads above.

    If you only want to access your server via SSH, don't use a VPN, just plain SSH (SSH tunnel).

    From your side -> connect to your VPN (wannabe)/SSH tunnel -> your server.

    Can you explain your idea better?

    Thanks

  • How would you deal with the situation where your VPN server(s) go down and you are locked out of your servers?

  • nqservices Member
    edited June 2016

    @vivekagr said:
    How would you deal with the situation where your VPN server(s) go down and you are locked out of your servers?

    I will buy 2 different VPS servers (vpn1 + vpn2) hosted in different datacenters. This way, if one is down I will have the other. The chance of both datacenters going down at the same time is almost 0% - I think ;)

    I was also thinking of setting up a proxy instead of a VPN, because with a proxy I can just route the traffic of the software I want to use the proxy (FileZilla + PuTTY) and let all other internet traffic on my computer go over the "normal" internet.

    Do you have any advice or idea? Feel free to share.

    Thanks

  • tommy Member

    In very simple words: get a VPS (let's say s1), whitelist its IP on your web server.

    Every time you want to access your web server, first you connect to this VPS/s1 (using SSH), then connect to your web server (using SSH).
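
    The same hop, done with an SSH local port forward so that only PuTTY and FileZilla go through s1 while the rest of the PC's traffic stays on the normal connection. This is an added example, not tommy's or anyone else's code from the thread; the jump host 203.0.113.10, the account opsadmin and the webserver addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): reach several webservers through one
# whitelisted jump VPS ("s1") using SSH local port forwards. Only the programs
# you point at the local ports use the jump host; nothing else is rerouted.
JUMP_HOST="203.0.113.10"   # s1's address, the one whitelisted on the webservers (placeholder)
JUMP_USER="opsadmin"       # hypothetical admin account on s1

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build one "-L 127.0.0.1:<localport>:<webserver>:22" per webserver,
# starting at local port $1 and counting up. Binding to 127.0.0.1 keeps
# the forwarded ports off the LAN.
forward_args() {
    base="$1"; shift
    args=""; port="$base"
    for ip in "$@"; do
        args="$args -L 127.0.0.1:${port}:${ip}:22"
        port=$((port + 1))
    done
    printf '%s\n' "${args# }"
}

# Print the full command: -N opens no shell on s1, it only holds the forwards.
# $1 = first local port, remaining args = webserver addresses.
tunnel_command() {
    base="$1"; shift
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad webserver address: $ip" >&2; return 1; }
    done
    printf 'ssh -N %s %s@%s\n' "$(forward_args "$base" "$@")" "$JUMP_USER" "$JUMP_HOST"
}

# Example: two webservers (constructed addresses) on local ports 2201 and 2202.
tunnel_command 2201 198.51.100.20 198.51.100.21
```

    Run the printed command in a terminal (the OpenSSH client built into Windows 10 and later, or Git Bash); with PuTTY the identical forward goes in the session's "Tunnels" page, or on the command line as `plink -N -L ...`. Then point PuTTY at 127.0.0.1 port 2201 and FileZilla at sftp://127.0.0.1:2201. The webserver's firewall only ever sees s1's address, and s1 only relays the already-encrypted SSH stream, so it cannot read the session. For interactive logins OpenSSH 7.3 and later can do the hop in one command with `ssh -J opsadmin@203.0.113.10 opsadmin@198.51.100.20`.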

  • @tommy said:
    In very simple words: get a VPS (let's say s1), whitelist its IP on your web server.

    Every time you want to access your web server, first you connect to this VPS/s1 (using SSH), then connect to your web server (using SSH).

    Hi @tommy

    So if I understand properly, the way you have recommended I don't need to install OpenVPN on the VPS (s1)? I will just connect using SSH to the VPS (s1) and then connect via SSH to my webserver?

    Please tell me if i understood properly.

  • emg Veteran
    edited June 2016

    Maybe we should take a step back and look at the REQUIREMENTS, instead of the solution first. What is the problem that @nqservices really wants to solve? What is the threat model?

    @vpsrus said:
    Have you thought about changing the SSH port number, disabling password authorization and installing a root SSH key? This will restrict your SSH. What control panel do you have on your webserver?

    I believe that @vpsrus is correct. Don't bother with the VPN and make SSH so restrictive that it solves @nqservices' problem (meets all of his/her requirements). Here is what I do:

    • Make sure your root account password is VERY secure (duh!). You won't be using it much, if at all.
    • Create an admin account on the server. Don't call it "admin". Use the admin account instead of root, and use sudo if you need root privileges.
    • Put only the admin account on the sudoers list. (Install sudo and use visudo).
    • Make changes to the SSH configuration:
      • Use a random port instead of port 22. Yes, it is security by obscurity, but it virtually eliminates scripted attack attempts and reduces log file growth (which helps you focus on log file entries that are important). See my note below about choosing a random port.
      • Disable root login
      • Disable password authentication (public key only)
      • Limit SSH connections only to the admin account (AllowUsers)

    Remember to leave the original "root" ssh window open while you test the tightened SSH connection, in case your SSH configuration changes do not work as expected. You don't want to lock yourself out.

    As long as your public/private key pair is strong (2048 bits or more), then that should be the only account that can access your web server over SSH from any IP address. Lacking any known security vulnerabilities in SSH public key authentication, this configuration will be VERY secure. Because password authentication is disabled, no amount of dictionary or brute force password attacks can break in through SSH. Furthermore, the only authorized account (your admin account) that can connect to the web server does not have a well-known username, not that it matters, because attackers will not have the private key to make the connection anyway.

    I find it hard to imagine how adding a VPN would improve on this security. In fact, I think that the VPN solution you propose will reduce security due to the increased complexity and greater attack surface.

    Note:
    Think about which random port you want to use for SSH. Some people like the high ranges (like me, but I am the only user of the VPSs, at least for now). Others prefer an unused port in the well-known range (1-1023) for improved security.
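
    As an added example (not emg's or anyone's code from the thread), here is a POSIX shell script that checks an sshd_config against the steps listed above (root login off, password authentication off, public-key only, non-default port, AllowUsers limited to the admin account) and emits a matching drop-in. The account name opsadmin, the port 42213 and the sample weak config are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the
# hardening list and emit a drop-in that satisfies it. Account "opsadmin"
# and port 42213 are constructed placeholders.

# Effective value of a keyword the way sshd resolves it: the first
# uncommented occurrence wins, keywords are case-insensitive, and both
# "Key value" and "Key=value" forms are accepted. Parsing stops at the first
# "Match" line, because settings inside a Match block are conditional and
# must not be mistaken for the global value.
sshd_get() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, parts, /[ \t=]+/)
            kw = tolower(parts[1])
            if (kw == "match") exit
            if (kw == tolower(key)) {
                sub(/^[^ \t=]+[ \t=]+/, "", line)
                print line
                exit
            }
        }' "$1"
}

# Print one line per hardening step that is not met. Returns 0 only if the
# file satisfies every step. Where a keyword is absent the sshd defaults are
# assumed: PermitRootLogin is not "no", PasswordAuthentication yes,
# PubkeyAuthentication yes, Port 22, AllowUsers unrestricted.
audit_sshd_config() {
    cfg="$1"; findings=0
    v=$(sshd_get "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}', want no"; findings=$((findings + 1)); }
    v=$(sshd_get "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-unset}', want no"; findings=$((findings + 1)); }
    v=$(sshd_get "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || { echo "PubkeyAuthentication is '$v', want yes"; findings=$((findings + 1)); }
    v=$(sshd_get "$cfg" Port)
    if [ -z "$v" ] || [ "$v" = "22" ]; then
        echo "Port is '${v:-22}', want a non-default port"; findings=$((findings + 1))
    fi
    v=$(sshd_get "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers is unset, want the admin account only"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ]
}

# Drop-in for /etc/ssh/sshd_config.d/ (OpenSSH 8.2+; recent Debian/Ubuntu
# ship an Include for that directory). On older servers put these lines in
# sshd_config itself, above any Match block. $1 = admin account, $2 = port.
hardened_sshd_conf() {
    cat <<EOF
Port $2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers $1
EOF
}

# Stand-alone demo on a constructed weak config; needs no root.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'Port 22\n#PermitRootLogin no\nPasswordAuthentication yes\nMatch User backup\n    PermitRootLogin no\n' > "$tmp/weak.conf"
    echo "== weak.conf"; audit_sshd_config "$tmp/weak.conf"
    hardened_sshd_conf opsadmin 42213 > "$tmp/hard.conf"
    echo "== hard.conf"; audit_sshd_config "$tmp/hard.conf" && echo "no findings"
    rm -rf "$tmp"
}
demo
```

    Before restarting sshd with a changed file, `sshd -t -f <file>` checks the syntax, and the firewall must already allow the new port; keep the existing root session open, as the post above says, until a fresh login on the new port as the admin account has succeeded.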

  • @vpsrus said:
    Have you thought about changing the SSH port number, disabling password authorization and installing a root SSH key? This will restrict your SSH. What control panel do you have on your webserver?

    What happens if your home PC dies and has to be reinstalled? Wouldn't you lose your SSH keys? How would you get in then?

  • tommy Member

    @nqservices said:

    @tommy said:
    In very simple words: get a VPS (let's say s1), whitelist its IP on your web server.

    Every time you want to access your web server, first you connect to this VPS/s1 (using SSH), then connect to your web server (using SSH).

    Hi @tommy

    So if I understand properly, the way you have recommended I don't need to install OpenVPN on the VPS (s1)? I will just connect using SSH to the VPS (s1) and then connect via SSH to my webserver?

    Please tell me if I understood properly.

    Yup, no need for OpenVPN.

  • ATHK Member

    I understand that there is a language barrier but seriously what the fuck...

    No really

    What

    The

    Fuck

    Brah

  • ATHK Member
    edited June 2016

    Brah or no bra the fuck...

    #freethetitties

  • emg Veteran
    edited June 2016

    @doughnet said:

    What happens if your home PC dies and has to be reinstalled. Wouldn't you lose your SSH Keys? How would you get in then?

    Back up, obviously. Back up the public/private keypair and password/passphrase in a secure way - e.g., use a password manager such as 1Password, and back up its database.

    I do keep backups, of course, but in my case the same public/private keypair is on my desktop and laptop computers. If the home PC dies, I can still access the VPS from my laptop. Better that I should have separate public/private keypairs, but my threat model tolerates using the one keypair.

    (... and yes, I keep a rotating set of backups offsite, so if the house burns down, I can still recover the data.)

  • To @emg and @tommy,

    Thanks for your ideas and advice. Looking at all the security steps described by @emg, it seems a good and secure setup.

    Also, I already use LastPass, so the idea of backing up the SSH keypair files in LastPass is a good idea for backup, in case of some problem with my computer.

    So at this point, from what I see, I have 2 options:

    a) The first and simplest is not to use any VPN server to access my webservers. Instead I should secure my SSH as @emg described.

    b) I still have the VPN in my "head" because, when working with my hosting provider, I saw that every time their support team has to log in to my server they always use VPN/proxy access. Can anyone tell me the advantages of my hosting company always using VPN/proxy access for SSH access to servers?

    Thanks

  • howardsl2 Member
    edited June 2016

    Redacted.

  • justvm Member, Patron Provider
    edited June 2016

    b) I still have the VPN in my "head" because, when working with my hosting provider, I saw that every time their support team has to log in to my server they always use VPN/proxy access. Can anyone tell me the advantages of my hosting company always using VPN/proxy access for SSH access to servers?

    Thanks

    They use the VPN to protect the information between their computer and your server. A VPN creates an encrypted tunnel between two machines but only protects the information that runs inside the VPN tunnel; it will not protect against attacks on or access to your SSH. That you should do as instructed above.

  • @vpsrus said:
    They use the VPN to protect the information between their computer and your server. A VPN creates an encrypted tunnel between two machines but only protects the information that runs inside the VPN tunnel; it will not protect against attacks on or access to your SSH. That you should do as instructed above.

    Thanks for the explanation. So from what I read here, I suppose the most secure and efficient way for me to access all my webservers' SSH at home/office and also when outside home/office is:

    First I will secure the SSH login on my webservers as much as possible, following the tips @emg gave in this post. I will not restrict my webservers' login to the VPN IP.

    Then when at home and/or the office I will use my regular ISP dynamic IP internet connection to log in via SSH to my servers. I will not use my VPN at home or the office.

    When outside home and/or the office, using my Android phone or laptop on some free public Wi-Fi, I will first connect my phone or laptop to my own VPN and only then log in via SSH to my servers.

    What do you guys think? Is this a good idea or should I do anything different?

    My objective is to protect access to my webservers' SSH as much as possible.

    Thanks again

  • The way I have it set up is:

    2 x VPS in different datacenters, both running OpenVPN.

    • Both are locked down with CSF, any unneeded services uninstalled and ports closed
    • No password auth, just keys
    • All my servers that require SSH access only accept connections from the 2 VPN IPs and my home IP, which is static.

    Since my server collection and projects are growing, I will also be implementing an SSH jump gate (ezeelogin) that will also only accept connections from the VPN IPs, and with keys only.

  • @Vicadan said:
    The way I have it set up is:

    2 x VPS in different datacenters, both running OpenVPN.

    • Both are locked down with CSF, any unneeded services uninstalled and ports closed
    • No password auth, just keys
    • All my servers that require SSH access only accept connections from the 2 VPN IPs and my home IP, which is static.

    Hi @Vicadan

    That was my first idea, but the problem with this solution is that every time I need to connect to my webservers' SSH, I have to connect to the VPN and then all the traffic on my computer uses the VPN.

    Imagine I'm downloading torrents or some other large content. This will very quickly consume all my VPN traffic/bandwidth.

    Also, sometimes I'm watching TV on a different screen, and if I connect using the VPN I will lose the TV connection because my VPN is not in my own country and TV is only allowed for my country's IPs.

    How do you deal with this?

    Thanks

  • @nqservices

    First, VPNs are not an all-or-nothing deal. You can have them route only specific traffic. So your torrent example doesn't need to be an issue.

    Second, what @emg said is exactly the way to go. Listen to him. Do what he suggested.

    Third, it might be a good idea to drop the VPN idea. You seem new to this so adding another layer of complexity is probably going to make things more difficult for you. Honestly, something like OpenVPN uses public/private keys just like SSH and while each layer of security makes things harder for hackers, limiting SSH to keys really is quite secure.

    In conclusion, what @emg said is exactly the way to go. Listen to him. Do what he suggested.

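    The split tunnel JustAMacUser describes, as an added example that is not code from the thread: a small POSIX shell function that writes an OpenVPN client config in which only the webservers' addresses go through vpn1 and everything else (torrents, TV) stays on the normal connection. The VPN server address 203.0.113.10 and the webserver addresses are constructed; the certificate file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate an OpenVPN client config that
# tunnels only the listed webserver addresses. All addresses are constructed.
VPN_SERVER="203.0.113.10"   # vpn1, the VPS whose public IP is whitelisted on the webservers

# Print a client config for the given webserver IPv4 addresses ($@).
# The server's pushed "redirect-gateway def1" is what normally drags every
# packet into the tunnel; route-nopull ignores all pushed routes (and pushed
# DNS options), and the explicit /32 route lines add back only the hosts that
# must be reached via vpn1. The tun interface address is still accepted.
split_tunnel_config() {
    [ $# -gt 0 ] || { echo "need at least one webserver address" >&2; return 1; }
    cat <<EOF
client
dev tun
proto udp
remote $VPN_SERVER 1194
route-nopull
EOF
    for ip in "$@"; do
        printf 'route %s 255.255.255.255\n' "$ip"
    done
    cat <<EOF
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
EOF
}

# Count the host routes in a config read from stdin, handy for checking.
route_count() { grep -c '^route [0-9]'; }

# Example: two webservers. Save the output as client.ovpn in the OpenVPN
# GUI's config directory on the Windows PC.
split_tunnel_config 198.51.100.20 198.51.100.21
```

    Two checks before relying on it: the webservers whitelist vpn1's public address, so vpn1 must masquerade (NAT) the tunnel subnet out of that address, otherwise the packets arrive from the private tunnel IP and are dropped; and because route-nopull also drops pushed DNS settings, use IP addresses or your normal resolver for the webservers. OpenVPN 2.4 and later offer `pull-filter ignore "redirect-gateway"` as a narrower alternative that discards only the default-route push and keeps the other pushed options.
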
  • I need a secure way to restrict SSH access into my webservers, and I describe my case below. I really need some help here to find the most secure and practical solution.

    Why such a rush with multiple OpenVPN servers and so on?

    You can configure your SSH servers to discard password authentication for root users and add your SSH keys to the server. That alone will take your security a big step forward, believe me.

    Then I can suggest you configure Fail2Ban for SSH to automatically ban IPs after a few failed login attempts. It's a must-have tool; take a look here for install and configuration examples.

    And the last one: if you can't always use key-based authentication (working on the move, for example, or needing to log in from different PCs) you can configure 2-factor mobile authentication. Take a look here for an article on how to configure it.

    All those steps will add enough security to your web servers for you.

  • @nqservices said:

    VPN solution would work. You just set your firewall to only allow connections to ssh's port from the VPN.

    Yes i know a VPN will work. But my problem is that everytime i need to login SSH into my webservers, all the traffic on my computer is automatic redirected to the VPN. This is the problem.

    Just in case you haven't found mosh,

    My solution to this problem is to install MIT mosh on all my hosts. https://mosh.org/

    It handles IP changes on your client end seamlessly. The Mosh client authenticates over SSH initially with mosh-server, then switches to a UDP datastream for terminal updates.
