Installing a server for support access
You can set up an authorization server to arrange technical support access to control panels. To ensure security, we recommend using a separate server for this purpose.
Server preparation consists of two stages:
- Configuring access to the control panel.
- Configuring SSH access.
This article describes the recommended installation procedure for Debian 8 Jessie. On other operating systems the installation and startup steps will differ. You can use your own scripts instead of the ISPsystem scripts.
We recommend that you set up a firewall on the authorization server and allow incoming connections only from the support network.
Configuring access to the control panel
Create the goserver user, which will be used to access the control panel:
adduser --disabled-password --gecos "" goserver
Download the scripts from the ISPsystem repository to that user's home directory. For example, you can do this with git.
Install git:
apt-get update && apt-get -y install git
Download the repository:
git clone https://github.com/ispsystem/login-server /home/goserver/login-server
Install the packages needed to run the scripts:
apt-get -y install python-yaml python-paramiko gunicorn python-virtualenv gcc python-dev
Note
The gcc and python-dev packages are needed to install the gevent module via pip; the gevent package from the Debian repository can cause problems with SSL.
To ensure that the installed modules do not interfere with the OS, create a virtual environment:
virtualenv /home/goserver/venv
Install the required packages into the created environment:
/home/goserver/venv/bin/pip install gevent ipaddress
Generate a self-signed SSL certificate and key for the web server:
openssl req -newkey rsa:1024 -nodes -keyout /home/goserver/server.key -out /home/goserver/server.crt -x509 -days 3650 -subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=example.com/emailAddress=root@example.com"
chown goserver:goserver /home/goserver/server.key /home/goserver/server.crt
Create a configuration file for gunicorn:
cat > /etc/gunicorn.d/goserver << EOF
CONFIG = {
    'working_dir': '/home/goserver/login-server',
    'user': 'goserver',
    'group': 'goserver',
    'environment': {
        'PYTHONPATH': '/home/goserver/venv/lib/python2.7/site-packages',
    },
    'args': (
        '--bind', '1.1.1.1:8443',
        '--workers', '1',
        '--timeout', '60',
        '--reload',
        '--certfile', '/home/goserver/server.crt',
        '--keyfile', '/home/goserver/server.key',
        '--do-handshake-on-connect',
        '--ssl-version', '5',
        '--ciphers', 'TLSv1.2,TLSv1',
        '-k', 'gevent',
        'goserver:myapp',
    ),
}
EOF
1.1.1.1 — server IP address
Generate an SSH key without a passphrase:
su -l goserver -c 'ssh-keygen -t dsa'
Provide the contents of the /home/goserver/.ssh/id_dsa.pub file to the support team.
Create a configuration file for the authorization server, /home/goserver/login-server/config.yml:
Example of a configuration file
# Path to the private SSH key. If the path is the standard one, it does not need to be specified.
keyfile: /home/goserver/.ssh/id_dsa
# Networks from which access is permitted, in the format network/netmask.
networks:
  - 192.168.0.0/24
# Users in the format login: password, where the password is encrypted with the crypt function.
# A password can be encrypted as follows:
#   mkpasswd -m md5 -S `pwgen -s 8 1` __PASSWORD__
users:
  user1: $1$J5hIelk6$JcTj78g3r7ddKW7ZX7j2x1
  user2: $1$gGJvd0dz$BoCItoXBq6EqdTg1m4G6D1
# Log file in which connections will be recorded. The goserver user must have write permission to this directory, or the file must be created in advance.
logfile: /var/log/goserver.log
Create a separate log file:
touch /var/log/goserver.log
chown goserver /var/log/goserver.log
Add gunicorn to autostart and run it. If gunicorn is already running, stop it first:
systemctl stop gunicorn
systemctl enable gunicorn
systemctl start gunicorn
Configuring SSH access
Create the support user for SSH access:
adduser --disabled-password --gecos "" support
Set the goserver user's go script as the login shell of the support user:
usermod -s /home/goserver/login-server/go support
Install sudo:
apt-get -y install sudo
Allow the support user to run SSH as the goserver user. Add the following line to the /etc/sudoers file:
support ALL=(goserver) NOPASSWD: /usr/bin/ssh
Note
To edit the /etc/sudoers file, we recommend using the visudo command.
Configure the go script. Create the file /home/goserver/login-server/config.sh:
cat > /home/goserver/login-server/config.sh << EOF
log=/var/log/gossh.log # path to the authorizations log file. The support user must have write permission to this directory, or the file must be created in advance.
logdir=/var/log/gossh # path to the directory with per-connection stdout log files. The support user must have write access to this directory.
#keyfile=path_to_file # path to the private SSH key. If the path is the standard one, it does not need to be specified.
sudouser=goserver # user under which sudo runs ssh
EOF
Create the files and directories for the logs:
touch /var/log/gossh.log
chown support /var/log/gossh.log
mkdir -p /var/log/gossh
chown support /var/log/gossh
Configuring log file rotation:
Install logrotate:
apt-get -y install logrotate
Create the file with the logrotate settings:
cat > /etc/logrotate.d/goserver << EOF
/var/log/gossh/*.log {
    size 1M
    copytruncate
    delaycompress
    compress
}
/var/log/gossh.log {
    size 1M
    copytruncate
    delaycompress
    compress
}
/var/log/goserver.log {
    size 1M
    delaycompress
    compress
    postrotate
        systemctl reload gunicorn
    endscript
}
EOF
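As an added example that is not ISPsystem's go script, this is the shape such a login-shell wrapper takes when written in Python: the target is accepted only as a bare IP address, every attempt is appended to the authorizations log that config.sh names, and the hop is then executed through the sudo rule above. LOG and SUDOUSER are this example's names for config.sh's log and sudouser; BatchMode=yes is this example's choice, and the per-connection stdout capture that logdir refers to is left out.

```python
import ipaddress
import os
import shlex
import sys
import time

# Added example, not ISPsystem's "go" script: a login-shell wrapper with the
# shape config.sh describes. LOG and SUDOUSER mirror config.sh's "log" and
# "sudouser"; the ssh options are this example's choice (logdir capture omitted).
LOG, SUDOUSER = "/var/log/gossh.log", "goserver"

def parse_target(arg):
    """Return arg if it is a bare IP address, else None. Only a bare address is
    accepted, so what the support user typed reaches ssh solely as a host."""
    try:
        return str(ipaddress.ip_address(arg))
    except ValueError:
        return None

def build_argv(target, command=()):
    """The hop that the sudoers line allows: sudo -u goserver /usr/bin/ssh ..."""
    host = parse_target(target)
    if host is None:
        raise ValueError("target must be an IP address")
    return ["sudo", "-u", SUDOUSER, "/usr/bin/ssh", "-o", "BatchMode=yes",
            "--", host] + list(command)

def log_line(client_ip, target, command=(), now=0.0, verdict="OK"):
    """One authorizations-log record: when, from where, to where, what."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return "%s client=%s target=%s cmd=%s %s" % (
        stamp, client_ip, target, shlex.join(command) or "-", verdict)

def main(argv):
    if len(argv) < 2:
        sys.exit("usage: go <control-panel-ip> [command ...]")
    client_ip = (os.environ.get("SSH_CLIENT") or "?").split()[0]
    now = time.time()
    try:
        cmd = build_argv(argv[1], argv[2:])
    except ValueError as e:
        with open(LOG, "a") as f:
            f.write(log_line(client_ip, argv[1], argv[2:], now, "REJECTED") + "\n")
        sys.exit(str(e))
    with open(LOG, "a") as f:
        f.write(log_line(client_ip, argv[1], argv[2:], now) + "\n")
    os.execvp(cmd[0], cmd)   # replace the login shell with the sudo'd ssh hop

if __name__ == "__main__":
    main(sys.argv)
```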
Using the authorization server
Configuring authorization
To connect to the control panel:
Encrypt the password of each user who will connect to the server:
mkpasswd -m md5 -S `pwgen -s 8 1` <pass>
<pass> — unencrypted password
Add the user names and encrypted passwords to the users section of the file /home/goserver/login-server/config.yml:
Example of configuration
users:
  user1: $1$J5hIelk6$JcTj78g3r7ddKW7ZX7j2x1
  user2: $1$gGJvd0dz$BoCItoXBq6EqdTg1m4G6D1
Update the web server settings:
systemctl reload gunicorn
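As an added example that is not part of the login-server code, here are the two checks that the networks and users sections of config.yml configure, reimplemented in Python: the client address must lie inside one of the listed networks, and the password must match the user's $1$ hash, the MD5-crypt scheme that mkpasswd -m md5 produces. The MD5-crypt routine follows the classic crypt(3) $1$ algorithm with only the standard library; CONFIG and its password are constructed here, since the passwords behind the page's example hashes are not known.

```python
import hashlib
import hmac
import ipaddress
# Added example, not the login-server's own code: the "networks" allowlist and
# "users" with $1$ (MD5-crypt) hashes as produced by "mkpasswd -m md5".
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):  # crypt(3)'s little-endian base-64 digit emitter
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

def md5_crypt(password, salt):
    """Return '$1$<salt>$<hash>' for a password and a salt of up to 8 chars."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):          # len(pw) bytes taken from alt
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:                                  # historical bit-walk quirk
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # fixed 1000-round stretching
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3: r.update(sl)
        if i % 7: r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    idx = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in idx)
    return "$1$%s$%s%s" % (sl.decode(), out, _to64(final[11], 2))

def password_ok(password, stored):
    """Recompute with the salt stored in the hash; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2]).encode(), stored.encode())

def network_ok(client_ip, networks):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

def authorize(config, client_ip, user, password):
    """Network allowlist first, then user lookup and hash check."""
    stored = config.get("users", {}).get(user)
    return (network_ok(client_ip, config.get("networks", []))
            and stored is not None and password_ok(password, stored))

# Constructed config in the shape of the page's config.yml (hash generated here).
CONFIG = {"networks": ["192.168.0.0/24"],
          "users": {"user1": md5_crypt("correct horse", "J5hIelk6")}}
```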
To connect via SSH, add the public part of the SSH key of the support representative to the file /home/support/.ssh/authorized_keys.
Example of commands
Connect via SSH
ssh -t support@1.1.1.1 go 2.2.2.2
1.1.1.1 — authorization server IP address
2.2.2.2 — control panel server IP address
Connect via SSH and run the command
ssh -t support@1.1.1.1 go 2.2.2.2 ps uxaw
1.1.1.1 — authorization server IP address
2.2.2.2 — control panel server IP address
ps uxaw — command to execute
Copy the files to the server
rsync -aPv /tmp/srv/ -e "ssh -t support@1.1.1.1 go" 2.2.2.2:/tmp/
1.1.1.1 — authorization server IP address
2.2.2.2 — control panel server IP address
/tmp/srv/ — directory with the files to be copied
/tmp/ — directory on the server into which the files are written