Master jump box to access your network resources

  • Perform base box securing (i.e. firewall, key-only login, ban failed ssh attempts, preparation for further provisioning)
  • Optional install of the PPTP VPN service
  • Optional install of the OpenVPN VPN service
  • Optional install of the SoftEther VPN as an alternative to the OpenVPN VPN service
  • If you want to be even more secure, you can add an additional layer of protection via port knocking. This makes it harder for port scanners to detect services on your box, although it also makes getting in more cumbersome.

Base box securing

my_deploy_user: slavko
my_deploy_authorized_keys:
  - "~/.ssh/id_rsa.pub"
# revise the port list for your use; consider restricting it further with custom_ufw_rules_allow_from_hosts
custom_ports_allow:
  - { port: 22, proto: tcp }
  - { port: 500, proto: udp }
  - { port: 4500, proto: udp }
  - { port: 1194, proto: tcp }
  - { port: 1723, proto: tcp }
roles:
  - {
      role: "sa-box-bootstrap",
      deploy_user: "{{my_deploy_user}}",
      deploy_user_authorized_keys: "{{my_deploy_authorized_keys}}",
      ufw_rules_allow: "{{custom_ports_allow}}"
    }

Optional PPTP VPN

custom_pptp_vpn_users:
  - { name: "my_user", password: "my_password" }
roles:
  - {
      role: "sa-vpn-pptp",
      pptp_vpn_users: "{{custom_pptp_vpn_users}}",
      firewall_used: "ufw",
      when: option_jumpbox_pptp
    }

Optional OpenVPN VPN

custom_openvpn_vpn_users:
  - { name: "my_user" }
roles:
  - {
      role: "sa-vpn-openvpn",
      openvpn_vpn_users: "{{custom_openvpn_vpn_users}}",
      firewall_used: "ufw",
      when: option_jumpbox_openvpn
    }

Optional SoftEther VPN

custom_softether_vpn_users:
  - { name: "my_user", password: "my_password" }
custom_softether_ipsec_presharedkey: "[1KH;+r-X#cvhpv7Y6=#;[{u"
roles:
  - {
      role: "sa-vpn-softether",
      softether_vpn_users: "{{custom_softether_vpn_users}}",
      softether_ipsec_presharedkey: "{{custom_softether_ipsec_presharedkey}}",
      firewall_used: "ufw",
      when: option_jumpbox_softether
    }

Optional port knocking

custom_knock_ports:
  - {
      "name": "ssh",
      "sequence": "16000, 15000, 17000",
      "seq_timeout": 5,
      "port": 22,
      "protocol": "tcp",
      "tcpflags": "syn",
      "cmd_timeout": 10
    }
roles:
  - {
      role: "sa-port-knock",
      knock_ports: "{{custom_knock_ports}}",
      when: option_jumpbox_port_knock
    }

Full code in action

option_jumpbox_pptp: true        # install classic PPTP server
option_jumpbox_openvpn: true     # install OpenVPN server
option_jumpbox_softether: false  # install SoftEther VPN server (+ a few more targeting Windows)
option_jumpbox_port_knock: false # configure port knocking
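The option switches and custom_ports_allow are defined independently, so it is easy to leave a ufw rule open for a VPN that was never installed. The following check, an added example that is not part of the original post or of the softasap roles, derives the ports the enabled options need and reports the rules to close; the option-to-port mapping is an assumption built from the ports the post opens.

```python
# Added example (not code from the original post or the softasap roles).
# Cross-checks option_jumpbox_* against custom_ports_allow and reports
# ufw rules that no enabled service needs, plus rules that are missing.

# Assumed mapping: which listeners each option needs, using the port
# numbers the post's custom_ports_allow opens.
OPTION_PORTS = {
    "option_jumpbox_pptp": {(1723, "tcp")},                    # PPTP control channel
    "option_jumpbox_openvpn": {(1194, "tcp")},                 # OpenVPN as configured in the post
    "option_jumpbox_softether": {(500, "udp"), (4500, "udp")},  # IKE and NAT-T for the IPsec side
    "option_jumpbox_port_knock": set(),                        # knockd sniffs; no allow rule assumed
}
BASELINE = {(22, "tcp")}  # ssh for the deploy user (assumed always required)


def required_ports(options):
    """Return the set of (port, proto) the enabled options need."""
    needed = set(BASELINE)
    for name, enabled in options.items():
        if enabled:
            needed |= OPTION_PORTS.get(name, set())
    return needed


def audit_ports_allow(custom_ports_allow, options):
    """Return (extra, missing): rules to close, and rules still needed."""
    allowed = {(int(r["port"]), r["proto"].lower()) for r in custom_ports_allow}
    needed = required_ports(options)
    return sorted(allowed - needed), sorted(needed - allowed)


# Constructed input: the values from the post's "Full code in action" section.
POST_OPTIONS = {
    "option_jumpbox_pptp": True,
    "option_jumpbox_openvpn": True,
    "option_jumpbox_softether": False,
    "option_jumpbox_port_knock": False,
}
POST_PORTS_ALLOW = [
    {"port": 22, "proto": "tcp"},
    {"port": 500, "proto": "udp"},
    {"port": 4500, "proto": "udp"},
    {"port": 1194, "proto": "tcp"},
    {"port": 1723, "proto": "tcp"},
]

if __name__ == "__main__":
    extra, missing = audit_ports_allow(POST_PORTS_ALLOW, POST_OPTIONS)
    for port, proto in extra:
        print(f"close {port}/{proto}: no enabled option uses it")
    for port, proto in missing:
        print(f"open {port}/{proto}: an enabled option needs it")
```

With the post's own values the check flags 500/udp and 4500/udp, which only the disabled SoftEther option would use.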


Software engineer, with project management background. Founder @ softasap.com — cool automation for the people :) — have a problem that needs to be solved?

Vyacheslav Voronenko
