COREmanager Documentation

Installing a server for support access


You can set up an authorization server to arrange technical support access to control panels. To ensure security, we recommend using a separate server for this purpose.

Server preparation consists of two stages:

  1. Configuring access to the control panel.
  2. Configuring SSH access.

This article describes the recommended installation procedure for Debian 8 Jessie. On other operating systems the installation and startup steps differ. You can use your own scripts instead of the ISPsystem scripts.

We recommend that you set up a firewall on the authorization server. In the firewall settings, allow incoming connections only for the support network.

Configuring access to the control panel

  1. Create goserver user to access the control panel:
    adduser --disabled-password --gecos "" goserver
  2. Download the scripts from the ISPsystem repository into that user's home directory, for example with git:
    1. Install git:
      apt-get update && apt-get -y install git
    2. Download the repository:
      git clone https://github.com/ispsystem/login-server /home/goserver/login-server
  3. Install the packages needed to run the scripts:
    apt-get -y install python-yaml python-paramiko gunicorn python-virtualenv gcc python-dev
    Note
    The packages gcc and python-dev are needed to install gevent module via pip. The Debian repository version of gevent can cause problems with SSL.
  4. So that the installed modules do not interfere with the OS packages, create a virtual environment:
    virtualenv /home/goserver/venv
  5. Install the required packages into the created environment:
    /home/goserver/venv/bin/pip install gevent ipaddress
  6. Generate SSL certificates for the web server:
    openssl req -newkey rsa:1024 -nodes -keyout /home/goserver/server.key -out /home/goserver/server.crt -x509 -days 3650 -subj \
    "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=example.com/emailAddress=root@example.com"
    
    chown goserver:goserver /home/goserver/server.key /home/goserver/server.crt
  7. Create a configuration file for gunicorn:
    cat > /etc/gunicorn.d/goserver << EOF
    CONFIG = {
        'working_dir': '/home/goserver/login-server',
        'user': 'goserver',
        'group': 'goserver',
        'environment': {
            'PYTHONPATH': '/home/goserver/venv/lib/python2.7/site-packages',
        },
        'args': (
            '--bind', '1.1.1.1:8443',
            '--workers', '1',
            '--timeout', '60',
            '--reload',
            '--certfile', '/home/goserver/server.crt',
            '--keyfile', '/home/goserver/server.key',
            '--do-handshake-on-connect',
            '--ssl-version', '5',
            '--ciphers', 'TLSv1.2,TLSv1',
            '-k', 'gevent',
            'goserver:myapp',
        ),
    }
    EOF
  8. Generate an SSH key without a passphrase:
    su -l goserver -c 'ssh-keygen -t dsa'
  9. Provide the contents of the /home/goserver/.ssh/id_dsa.pub file to the support team.
  10. Create a configuration file for the authorization server /home/goserver/login-server/config.yml:

    Example of a configuration file

    # path to the private SSH key. If the path is standard, it does not need to be specified.
    keyfile: /home/goserver/.ssh/id_dsa
    
    # Networks access from which is permitted. Use the format: network/netmask
    networks:
        - 192.168.0.0/24
    # Users in the format login: password hashed with the crypt function
    # A password can be hashed as follows:
    # mkpasswd -m md5 -S `pwgen -s 8 1` __PASSWORD__
    users:
        user1: $1$J5hIelk6$JcTj78g3r7ddKW7ZX7j2x1
        user2: $1$gGJvd0dz$BoCItoXBq6EqdTg1m4G6D1
    
    # Log file in which transitions will be recorded. goserver user must have write permissions to this directory or the file must be created in advance.
    logfile: /var/log/goserver.log
  11. Create a separate log file:
    touch /var/log/goserver.log
    
    chown goserver /var/log/goserver.log
  12. Enable gunicorn at boot and start it. If gunicorn is already running, stop it first:
    systemctl stop gunicorn
    systemctl enable gunicorn
    systemctl start gunicorn

Configuring SSH access

  1. Create support user for SSH access:
    adduser --disabled-password --gecos "" support
  2. Set the goserver user's go script as the login shell of the support user:
    usermod -s /home/goserver/login-server/go support
  3. Install sudo:
    apt-get -y install sudo
  4. Allow the support user to run SSH as the goserver user. Add the following line to the /etc/sudoers file:
    support ALL=(goserver) NOPASSWD: /usr/bin/ssh
    Note
    To edit the /etc/sudoers file, we recommend using the visudo command.
  5. Configure go script:
    1. Create the file /home/goserver/login-server/config.sh:
      cat > /home/goserver/login-server/config.sh << EOF
      log=/var/log/gossh.log  # path to authorizations log file. support user must have write permissions to this directory or the file must be created in advance.
      logdir=/var/log/gossh  # path to the directory with stdout connection log files. support user must have write access to this directory.
      #keyfile=path_to_file  # path to the private SSH key. If the path is standard, it does not need to be specified
      sudouser=goserver  # user by which sudo will be launched
      EOF
    2. Create files and directories for the logs:
      touch /var/log/gossh.log
      chown support /var/log/gossh.log
      mkdir -p /var/log/gossh
      chown support /var/log/gossh
  6. Configure log file rotation:
    1. Install logrotate:
      apt-get -y install logrotate
    2. Create the file with logrotate settings:
      cat > /etc/logrotate.d/goserver << EOF
      /var/log/gossh/*.log {
              size 1M
              copytruncate
              delaycompress
              compress
      }
      /var/log/gossh.log {
              size 1M
              copytruncate
              delaycompress
              compress
      }
      /var/log/goserver.log {
              size 1M
              delaycompress
              compress
              postrotate
                      systemctl reload gunicorn
              endscript
      }
      EOF

Using the authorization server

Configuring authorization

To connect to the control panel:

  1. Hash the passwords of the users who will connect to the server:
    mkpasswd -m md5 -S `pwgen -s 8 1` <pass>
  2. Add user names and encrypted passwords to the users section of the file /home/goserver/login-server/config.yml:

    Example of configuration

    users:
        user1: $1$J5hIelk6$JcTj78g3r7ddKW7ZX7j2x1
        user2: $1$gGJvd0dz$BoCItoXBq6EqdTg1m4G6D1
  3. Reload the web server so that it picks up the new settings:
    systemctl reload gunicorn
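The `networks` and `users` sections of config.yml (shown above under the installation steps and again in this section) together express one authorization decision: accept a request only if the client address lies in a permitted network and the password matches the `$1$` MD5-crypt hash that `mkpasswd -m md5` produces. The following is an added example of that decision, written here for the page rather than taken from the ISPsystem login-server code; it is Python 3 (the page's stack is Python 2.7), reimplements MD5-crypt so that it does not depend on the deprecated `crypt` module, and the configuration dictionary, salt and passwords are constructed for the example, not copied from the page.

```python
# Added example, not the login-server project's own code: the authorization decision that
# config.yml expresses.  A request is accepted only when the client address is inside one of
# the `networks` entries AND the password matches the `$1$` MD5-crypt hash stored for that
# login under `users` (the format `mkpasswd -m md5` produces).  Python 3; the config dict,
# salts and passwords are constructed for the example rather than taken from the page.
import hashlib
import hmac
import ipaddress

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5_crypt(password: str, salt: str) -> str:
    """Return the "$1$<salt>$<hash>" string that crypt(3) / mkpasswd -m md5 produce."""
    pw = password.encode()
    salt = salt[:8]                      # MD5-crypt uses at most 8 salt characters
    s = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:                         # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                             # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                # fixed 1000 stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    def to64(v: int, count: int) -> str:  # crypt's base-64 variant, low 6 bits first
        out = ""
        for _ in range(count):
            out += ITOA64[v & 0x3F]
            v >>= 6
        return out

    f = final
    encoded = "".join([
        to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        to64(f[11], 2),
    ])
    return "$1$" + salt + "$" + encoded


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False                     # only $1$ hashes are handled here
    candidate = md5_crypt(password, parts[2])
    return hmac.compare_digest(candidate.encode(), stored.encode())


def client_in_networks(client_ip: str, networks) -> bool:
    """True if client_ip (v4 or v6) falls inside any "network/netmask" entry."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def authorize(config: dict, login: str, password: str, client_ip: str) -> bool:
    """Network check first (cheap, no secrets involved), then the credential check."""
    if not client_in_networks(client_ip, config.get("networks", [])):
        return False
    stored = config.get("users", {}).get(login)
    if stored is None:
        md5_crypt(password, "xxxxxxxx")  # unknown login costs the same time as a wrong password
        return False
    return verify_password(password, stored)


# Constructed stand-in for config.yml; the hash is generated here, not copied from the page.
CONFIG = {
    "networks": ["192.168.0.0/24"],
    "users": {"user1": md5_crypt("correct horse", "ab12cd34")},
}

if __name__ == "__main__":
    for login, pw, ip in [("user1", "correct horse", "192.168.0.15"),
                          ("user1", "correct horse", "10.0.0.15"),
                          ("user1", "wrong", "192.168.0.15")]:
        print(login, ip, "->", "allowed" if authorize(CONFIG, login, pw, ip) else "denied")
```

The network test runs before any hash computation so that a request from outside the permitted networks never exercises the credential path, and an unknown login is charged the same hash cost as a wrong password so that response time does not reveal which logins exist.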

To connect via SSH, add the public part of the SSH key of the support representative to the file /home/support/.ssh/authorized_keys.

Example of commands

Connect via SSH

ssh -t support@1.1.1.1 go 2.2.2.2

Connect via SSH and run the command

ssh -t support@1.1.1.1 go 2.2.2.2 ps uxaw

Copy the files to the server

rsync -aPv /tmp/srv/ -e "ssh -t support@1.1.1.1 go" 2.2.2.2:/tmp/
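Because the go script is the support user's login shell, sshd starts it as `go -c "<text after the host>"`, so the command `ssh -t support@1.1.1.1 go 2.2.2.2 ps uxaw` hands it the single string "go 2.2.2.2 ps uxaw", and the rsync form above hands it "go 2.2.2.2 rsync --server ...". The following is an added, hypothetical example of the argument handling such a gateway needs (it is not the login-server project's own go script): it accepts only a bare IP address as the target, so nothing the caller types can reach ssh as an option, passes the remainder through as the remote command, and writes one line per request, refused ones included, to the log file from config.sh. The settings that mirror config.sh (`log`, `sudouser`) and the `root@` remote login are assumptions made for the example.

```python
# Added example (hypothetical; not the login-server project's own `go` script): the argument
# validation a login-shell gateway like `go` needs.  sshd runs the login shell as
# `<shell> -c "<cmd>"`, so `ssh -t support@1.1.1.1 go 2.2.2.2 ps uxaw` hands this program the
# string "go 2.2.2.2 ps uxaw".  Only a bare IP address is accepted as the target; the rest is
# passed through as the remote command.  SUDOUSER and LOG mirror config.sh; REMOTE_USER is an
# assumption about the account on the control-panel host that holds the support key.
import datetime
import ipaddress
import os
import shlex
import sys
from typing import List, Optional, Tuple

SUDOUSER = "goserver"          # `sudouser` in config.sh
LOG = "/var/log/gossh.log"     # `log` in config.sh
SSH = "/usr/bin/ssh"           # the one binary the sudoers line permits
REMOTE_USER = "root"           # assumption, see the comment above


def parse_request(command: str) -> Optional[Tuple[str, List[str]]]:
    """Return (target_ip, remote_argv) for an acceptable request, None otherwise."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None                     # unbalanced quotes
    if len(argv) < 2 or argv[0] != "go":
        return None
    try:
        target = ipaddress.ip_address(argv[1])
    except ValueError:
        return None                     # hostnames and option-like strings ("-o...") are refused
    return str(target), argv[2:]


def build_ssh_argv(command: str, keyfile: Optional[str] = None) -> Optional[List[str]]:
    """argv for `sudo -u goserver ssh -t [-i keyfile] root@<ip> [command]`."""
    parsed = parse_request(command)
    if parsed is None:
        return None
    target, remote = parsed
    argv = ["sudo", "-u", SUDOUSER, SSH, "-t"]
    if keyfile:
        argv += ["-i", keyfile]
    argv.append(f"{REMOTE_USER}@{target}")
    if remote:
        # re-quote so the remote shell sees exactly the words the caller typed
        argv.append(" ".join(shlex.quote(word) for word in remote))
    return argv


def format_log_line(client_ip: str, command: str, accepted: bool,
                    when: Optional[datetime.datetime] = None) -> str:
    """One line per request for gossh.log, including refused ones."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    return (f"{when.isoformat(timespec='seconds')} client={client_ip} "
            f"accepted={'yes' if accepted else 'no'} request={command!r}")


def main() -> int:
    command = sys.argv[2] if len(sys.argv) >= 3 and sys.argv[1] == "-c" else ""
    client_ip = (os.environ.get("SSH_CLIENT") or "unknown").split()[0]
    argv = build_ssh_argv(command)
    with open(LOG, "a") as fh:
        fh.write(format_log_line(client_ip, command, argv is not None) + "\n")
    if argv is None:
        sys.stderr.write("usage: go <ip-address> [command ...]\n")
        return 1
    os.execvp(argv[0], argv)            # replaces this process; sudo and ssh take over from here
    return 1                            # not reached


if __name__ == "__main__":
    sys.exit(main())
```

Validating the target as an IP address is what keeps the `NOPASSWD: /usr/bin/ssh` sudo rule narrow in practice: the only words that reach ssh before the remote command are the ones this program constructs itself.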