You can set up an authorization server to arrange technical support access to control panels. To ensure security, we recommend using a separate server for this purpose.

Server preparation consists of two stages:

  1. Configuring access to the control panel.
  2. Configuring SSH access.

This article provides the recommended installation procedure for Debian 8 Jessie OS. For other operating systems the order of installation and startup will be different. You can use your own scripts instead of ISPsystem scripts.

We recommend that you set up a firewall on the authorization server. In the firewall settings, allow incoming connections only for the support network.

Configuring access to the control panel


  1. Create goserver user to access the control panel:

    adduser --disabled-password --gecos "" goserver
    CODE
  2. Download scripts from ISPsystem repository to that user's directory. For example, you can do this with git:
    1. Install git:

      apt-get update && apt-get -y install git
      CODE
    2. Download the repository:

      git clone https://github.com/ispsystem/login-server /home/goserver/login-server
      CODE
  3. Install packets to run the scripts:

    apt-get -y install python-yaml python-paramiko gunicorn python-virtualenv gcc python-dev
    CODE

    Note

    The packages gcc and python-dev are needed to install gevent module via pip. The Debian repository version of gevent can cause problems with SSL.

  4. To ensure that the installed modules do not interfere with the OS, create a virtual environment:

    virtualenv /home/goserver/venv
    CODE
  5. Install the required packets in the created environment:

    /home/goserver/venv/bin/pip install gevent ipaddress
    CODE
  6. Generate SSL certificates for the web server:

    openssl req -newkey rsa:1024 -nodes -keyout /home/goserver/server.key -out /home/goserver/server.crt -x509 -days 3650 -subj \
    "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=example.com/emailAddress="root@example.com
    
    CODE
    chown goserver:goserver /home/goserver/server.key /home/goserver/server.crt
    CODE
  7. Create a configuration file for gunicorn:

    cat > /etc/gunicorn.d/goserver << EOF
    CONFIG = {
        'working_dir': '/home/goserver/login-server',
        'user': 'goserver',
        'group': 'goserver',
        'environment': {
            'PYTHONPATH': '/home/goserver/venv/lib/python2.7/site-packages',
        },
        'args': (
            '--bind', '1.1.1.1:8443',
            '--workers', '1',
            '--timeout', '60',
            '--reload',
            '--certfile', '/home/goserver/server.crt',
            '--keyfile', '/home/goserver/server.key',
            '--do-handshake-on-connect',
            '--ssl-version', '5',
            '--ciphers', 'TLSv1.2,TLSv1',
            '-k', 'gevent',
            'goserver:myapp',
        ),
    }
    EOF
    CODE
    Comments

    1.1.1.1 — server IP address

  8. Generate an SSH key without a passphrase:

    su -l goserver -c 'ssh-keygen -t dsa'
    CODE
  9. Provide the contents of the /home/goserver/.ssh/id_dsa.pub file to the support team.

  10. Create a configuration file for the authorization server /home/goserver/login-server/config.yml:

    Example of a configuration file

    # path to the private SSH key. If the path is standard, it does not need to be specified.
    keyfile: /home/goserver/.ssh/id_dsa
    
    # Networks access from which is permitted. Use the format: network/netmask
    networks:
        - 192.168.0.0/24
    # Users in the format login: password encrypted with crypt function
    # Password can be encrypted as follows:
    # mkpasswd -m md5 -S `pwgen -s 8 1` __PASSWORD__
    users:
        user1: $1$J5hIelk6$JcTj78g3r7ddKW7ZX7j2x1
        user2: $1$gGJvd0dz$BoCItoXBq6EqdTg1m4G6D1
    
    # Log file in which transitions will be recorded. goserver user must have write permissions to this directory or the file must be created in advance.
    logfile: /var/log/goserver.log
    CODE
  11. Create a separate log file:

    touch /var/log/goserver.log
    
    CODE
    chown goserver /var/log/goserver.log
    CODE
  12. Add gunicorn to the autostart and run it. If gunicorn is already running, it should be stopped beforehand:

    systemctl stop gunicorn
    CODE
    systemctl enable gunicorn
    CODE
    systemctl start gunicorn
    CODE

Configuring SSH access


  1. Create support user for SSH access:

    adduser --disabled-password --gecos "" support
    CODE
  2. Set go script of goserver user as the login shell for the support user:

    usermod -s /home/goserver/login-server/go support
    CODE
  3. Install sudo:

    apt-get -y install sudo
    CODE
  4. Provide the permission to run SSH for support user. Add the following line to the /etc/sudoers file:

    support ALL=(goserver) NOPASSWD: /usr/bin/ssh
    CODE

    Note

    To edit the /etc/sudoers file, we recommend using the visudo command.

  5. Configure go script:

    1. Create the file /home/goserver/login-server/config.sh:

      cat > /home/goserver/login-server/config.sh << EOF
      log=/var/log/gossh.log  # path to authorizations log file. support user must have write permissions to this directory or the file must be created in advance.
      logdir=/var/log/gossh  # path to the directory with stdout connection log files. support user must have write access to this directory.
      #keyfile=path_to_file  # path to the private SSH key. If the path is standard, it does not need to be specified
      sudouser=goserver  # user by which sudo will be launched
      EOF
      CODE
    2. Create files and directories for the logs:

      touch /var/log/gossh.log
      CODE
      chown support /var/log/gossh.log
      CODE
      mkdir -p /var/log/gossh
      CODE
      chown support /var/log/gossh
      CODE
  6. Configuring log files rotation:
    1. Install logrotate:

      apt-get -y install logrotate
      CODE
    2. Create the file with logrotate settings:

      cat > /etc/logrotate.d/goserver << EOF
      /var/log/gossh/*.log {
              size 1M
              copytruncate
              delaycompress
              compress
      }
      /var/log/gossh.log {
              size 1M
              copytruncate
              delaycompress
              compress
      }
      /var/log/goserver.log {
              size 1M
              delaycompress
              compress
              postrotate
                      systemctl reload gunicorn
              endscript 
      EOF
      CODE

Using the authorization server


Configuring authorization

To connect to the control panel:

  1. Encrypt user passwords to connect to the server:

    mkpasswd -m md5 -S `pwgen -s 8 1` <pass>
    CODE
    Comments to the command

    <pass> — unencrypted password

  2. Add user names and encrypted passwords to the users section of the file /home/goserver/login-server/config.yml:

    Example of configuration

    users:
        user1: $1$J5hIelk6$JcTj78g3r7ddKW7ZX7j2x1
        user2: $1$gGJvd0dz$BoCItoXBq6EqdTg1m4G6D1
    CODE
  3. Update your web server settings:

    systemctl reload gunicorn
    CODE

To connect via SSH, add the public part of the SSH key of the support representative to the file /home/support/.ssh/authorized_keys.

Example of commands

Connect via SSH

ssh -t support@1.1.1.1 go 2.2.2.2
CODE
Comments to the command

1.1.1.1 — authorization server IP address

2.2.2.2 — control panel server IP address

Connect via SSH and run the command

ssh -t support@1.1.1.1 go 2.2.2.2 ps uxaw
CODE
Comments to the command

1.1.1.1 — authorization server IP address

2.2.2.2 — control panel server IP address

ps uxaw — executable command

Copy the files to the server

rsync -aPv /tmp/srv/ -e "ssh -t support@1.1.1.1 go" 2.2.2.2:/tmp/
CODE
Comments to the command

1.1.1.1 — authorization server IP address

2.2.2.2 — control panel server IP address

/tmp/srv/ — directory with the files to be copied

/tmp/ — directory on the server, where you need to write the files