SSH Keys and VPN for Extended Security on 1&1 CloudServers
You have your database server hosted inside the 1&1 Cloud and your boss wants you to lock it down from everything except MySQL, and we mean really lock it down, so we already know the Cloud Panel's Firewall is coming into play and SSH is basically out the window. So you set up the Firewall, add only port 3306 and call it a day. Then the phone rings and your boss is on the other end saying "Wow... I don't want to use the KVM, I like PuTTY". Obviously this is a fictional boss (our boss can't turn on the monitor without help), but in this fictional world, your boss wants to SSH.
So you say, "Okay, what's your IP? I'll add an exception to the Firewall so your IP is allowed."
Your boss, being the busy guy he is, tells you that not only does he not know it, he wants to be able to connect from any location as long as he has a computer he controls. He's also tired of typing in the long password, and he'd rather get rid of it for the sake of convenience and instead use one of those "key things" he read about somewhere.
The Technical Breakdown
So we have one Linux server (CentOS 6) running our MySQL database. We're going to configure the user "Boss" to SSH into the server using SSH keys, but we're going to keep the Firewall in place to block port 22. To get past the Firewall, we're going to create a VPN connection in our server's data center (USA). The pieces involved are:
- DB Server
- Firewall Policy
- VPN Created
- OpenVPN client
The Firewall Policy is probably the simplest part: just go into your CloudPanel and choose "Network" => "Firewall Policies" => click "Create" and add only one rule, for port 3306. Then go to "Infrastructure" => "Servers" => choose your DB server => scroll down to "Features" until you reach "Firewall" => click the Firewall and change it to the new Firewall Policy.
Similarly, creating a VPN is just as easy as the Firewall: "Network" => "VPN" => "Create". After it's been processed, you can download the configuration file as seen in the referenced image below. With it, follow 1&1's guide here https://whstatic.1and1.com/help/CloudServer/EN-US/d851538.html for downloading and configuring OpenVPN.
CONNECT TO THE VPN BEFORE CONTINUING!!!
SSH Key Generation and Assignment
There are plenty of guides and ways to create your SSH keys. Rather than reinvent the wheel, here's a guide from HostGator which is pretty generic (outside of their "Reseller port 2222").
The main takeaway is to use PuTTYgen if you're on a Windows local machine, generate your SSH key, and upload it to your server. For our tutorial, we're adding it to the user "Boss", so do the following in lieu of HostGator's step 5 (as root on the DB server):
# mkdir /home/Boss/.ssh
# chmod 700 /home/Boss/.ssh
# vi /home/Boss/.ssh/authorized_keys2
In the vi editor: press the i key for INSERT mode, press Shift + Insert to paste your SSH key, then press Esc and type :wq (that's a colon followed by wq) to save and quit.
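The same key installation as a script, added here as an example and not part of the original post: it does what the three commands above do, but also sets the file mode sshd's StrictModes check expects and verifies the result, since a wrong mode makes key login silently fall back to the password prompt. It assumes GNU stat (Linux) and takes the home directory as a parameter so it can be tried against a scratch directory before /home/Boss; the OWNER argument is optional and only used on the real server.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key for a
# user the way the tutorial does, with modes that sshd's StrictModes check
# (on by default on CentOS 6) accepts, then verify them.
# Assumptions: GNU stat (Linux); HOME_DIR is a parameter so the functions
# can be exercised on a scratch directory; OWNER (e.g. Boss) is optional.

# install_key HOME_DIR PUBKEY_LINE [OWNER]
# Creates HOME_DIR/.ssh (0700) and appends PUBKEY_LINE to authorized_keys2
# (0600, the file name the post uses) unless it is already there.
install_key() {
    home_dir=$1; pubkey=$2; owner=$3
    ssh_dir="$home_dir/.ssh"; auth_file="$ssh_dir/authorized_keys2"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1
    # Exact-line match so re-running the script never duplicates a key.
    if ! grep -qxF -- "$pubkey" "$auth_file"; then
        printf '%s\n' "$pubkey" >> "$auth_file" || return 1
    fi
    # On the real server, hand the files to the login user.
    [ -z "$owner" ] || chown -R "$owner" "$ssh_dir" || return 1
}

# key_count HOME_DIR: number of non-empty lines in authorized_keys2.
key_count() {
    f="$1/.ssh/authorized_keys2"
    [ -f "$f" ] || { echo 0; return; }
    grep -c . "$f" || true
}

# check_key_perms HOME_DIR
# Returns 0 when the modes are ones sshd accepts: .ssh 700, authorized_keys2
# 600, and the home directory not writable by group or others.
check_key_perms() {
    home_dir=$1
    [ "$(stat -c '%a' "$home_dir/.ssh")" = 700 ] || return 1
    [ "$(stat -c '%a' "$home_dir/.ssh/authorized_keys2")" = 600 ] || return 1
    case "$(stat -c '%a' "$home_dir")" in
        [0-7][0145][0145]) return 0 ;;   # group/other write bit clear
        *) return 1 ;;
    esac
}
```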
Why it works
The VPN, as discussed here: https://timgarrity.me/1and1-ngcs-free-vpn/ , puts you in the same network area as your servers, directly behind the Firewall. You're not connected to any one server; instead, each server in that data center that's assigned to you is added to your IP routing table so that traffic to it is tunneled through the data center to the server. Because we're using this VPN, we don't need port 22 open at all on the hardware Firewall in the CloudPanel. With the Firewall configured this way, the only way to SSH into this server is to activate the VPN every time we want a connection, or to configure an additional component by adding a Private Network. The Private Network would then open up the benefit of nested SSH connections (SSH into the web server, then SSH from the web server to the DB server).