Debops or the NSA for complete devops solution to network security

bastion debops

Production Ready Configuration Management Suites

As far as I know, in the entire world, there are two open source, production-based, bespoke configuration management systems.

In other words, if you want to run a full data center, network, production system and you want a system that has been designed and built and TESTED in production already to work, you only have two options.

Sure you can make your own system and test everything together, you can make a bricolage of existing roles and custom roles and make it work. But there will always be a long tail of implementation issues.

One such project comes from the US federal government, the NSA, SIMP, is based on Redhat and uses Puppet. There is excellent documentation and its compliant with the highest security standards (docs).

The other comes from a medical university in Europe and is based on Debian. Being an Ubuntu user, I’ll start with the Debian system. The second system is called Debops, the Debian data center in a box.

Debops is a Debian Data Center in a Box

Debops is based on the concept of an Ansible controller, i.e. a desktop or laptop which acts as the controller for the entire network.

I am going to install a bastion server, a VMware based VM which will be encrypted and also act as the bastion server for the entire network. This way my laptop does not become the weakest link in the entire chain.

I am running the VMware bastion VM from the RAID drive, and will give it a static IP, from within the VM and also at the router. My Comcast business router has annoying IP reassignment settings that kick in at very unfortunate times, such as after a power out etc. I force them to stick with dedicated IP.

Bastion set-up

I installed the operating system on the server, configure bridged, static public and private IP, setup DNS with Cloudflare, VNC access and openssh-server. I also install Ubuntu Desktop, 1, because I have loads of RAM and 2 I want the flexibility of using VNC if needed. I know, shell purists roll their eyes now.

Install openssh-server, keygens, and then allow root login with keys, create a root password, and then connect locally and remotely ssh [email protected] This is super important as otherwise you will be locked out of ssh from remote and can only use VNC. Also when you run debops for the first time you debops adds root to the users for remote logins. I also had to su devekko to change from root to my main sudo user to run the debops python scripts.


ssh-copy-id [email protected]
ssh-copy-id [email protected]

Debops Install

Debops has excellent, if dense, docs, and we use the Install docs


sudo -H apt install python-pip

let’s also upgrade pip


sudo -H pip install --upgrade pip

Next we install Debops itself with PIP


sudo -H pip install debops

Install Ansible

Debops uses Ansible and we need that installed now, but let’s install the latest development version via GIT and run from source


cd /home/devekko
sudo apt install -y git wget curl
sudo apt install -y build-essential libssl-dev libffi-dev python-dev
sudo -H pip install paramiko PyYAML Jinja2 httplib2 six
git clone git://github.com/ansible/ansible.git --recursive
cd ./ansible
source /home/devekko/ansible/hacking/env-setup

now we have a Ansible running from source


ansible --version
ansible 2.3.0 (devel bd036c15e0) last updated 2017/02/19 16:06:37 (GMT -700)
config file =
configured module search path = Default w/o overrides

Starting Debops project

Now we begin our Debops project. Debops is designed to have separate projects for separate networks of servers and applications. From Getting Started installs the Debops roles, playbooks and some handy Python scripts for shortcuts to standard verbose Ansible


cd /home/devekko

debops-update
DebOps playbooks have not been found, installing into /home/devekko/.local/share/debops/debops-playbooks

for a total of 107 playbooks

Initiate Project


debops-init /home/devekko/devekko-io
Creating new DebOps project in /home/devekko/devekko-io ...

Inventory

We now add our bastion server to the inventory


cd devekko-io
vi ansible/inventory/hosts
[debops_all_hosts]
bastion ansible_connection=local

Now we run Debops on our Bastion server


debops
....

PLAY RECAP ******************************************************************************************
bastion : ok=218 changed=124 unreachable=0 failed=0

TASK: debops.dhparam : Generate Diffie-Hellman params on Ansible Controller - 224.43s
TASK: debops.apt : Update APT cache ------------------------------------ 19.12s
TASK: debops.apt_install : Install requested APT packages -------------- 13.19s
TASK: debops.core : Install required core packages --------------------- 12.88s
TASK: debops.sshd : Ensure OpenSSH support is installed ---------------- 10.40s
TASK: debops.ferm : Configure ip(6)tables rules ------------------------- 8.98s
TASK: debops.ferm : Ensure ferm is installed ---------------------------- 7.39s
TASK: debops.nullmailer : Install required packages --------------------- 6.48s
TASK: debops.auth : Install auth-related packages ----------------------- 5.56s
TASK: debops.atd : Install atd ------------------------------------------ 5.09s

now, Debops runs 107 playbooks and bootstraps your Bastion server as the Ansible controller

we now have Debops installed as a Bastion server which we can encrypt and backup and access from across the network

bastion debops
bastion debops

Use sed to remove an old known_host

When doing system and network administration on Linux (aka DevOps) its common to make an IP change to the server you are working on and get a known_host man in the middle kind of warning.

ssh [email protected]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:ghghghhhhhgghhkiugh+g5sVWs16pTYWbH3O82c.
Please contact your system administrator.
Add correct host key in /home/devekko/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/devekko/.ssh/known_hosts:34
remove with:
Host key verification failed.

 

An easy way to remove a bad known_hosts line on say line x

sed -i 'xd' ~/.ssh/known_hosts