It's a good practice to lock down the servers behind a firewall and only allow access via VPN, especially the control ports like SSH, control panels, etc. That requires you to always connect to the VPN before connecting to the server.
It's good security, but sometimes it comes with extra inconvenience. All your traffic will normally be routed through the VPN; especially if the VPN is not in your region, that might cause some issues, like Google complaining about it!
Without connecting to the VPN, if you want to connect to the server, there's another way: first SSH into the VPN/intermediate server and then SSH into your main box from there. The intermediate server acts as a proxy. Example:
# First log in to the interim server
ssh [email protected]
# SSH into the main box
ssh [email protected]
It achieves the same security level, but it introduces another layer of inconvenience: you always have to SSH into the interim server first. Also, if you want to run any deployment script (like Capistrano <3), it'll break.
What if we could automate this? Meet the ProxyCommand option of OpenSSH; with it you won't have to manually SSH into the middle server. Here you go, in one line:
ssh -o ProxyCommand='ssh [email protected] -W %h:%p' [email protected]
You can now log in directly to the app server with this command. The command is quite long, so just save it into the
Host app
    HostName app.server
    User deploy
    ProxyCommand ssh [email protected] -W %h:%p
Now just log in as usual from the first step:
Aaaand, you're innn!
Please let us know if you use any other tricks to secure your servers!