It's a good practice to lock down your servers behind a firewall and only allow access via VPN, especially for the control ports like SSH, the control panel, etc. That means you always have to connect to the VPN before connecting to the server.

It's good security, but sometimes it comes with extra inconvenience: all your traffic will normally be routed through the VPN. Especially if the VPN is not in your region, this can cause some issues, like Google complaining about it!

If you want to reach the server without connecting to the VPN, there's another way. You can first SSH into the VPN/intermediate server and then SSH into your main box from there. The intermediate server acts as a proxy. Example:

# First log in to the interim server (user@vpn.server is a placeholder for your jump host)
ssh user@vpn.server

# Then SSH into the main box from there
ssh deploy@app.server

It achieves the same level of security, but it introduces another layer of inconvenience: you always have to SSH into the interim server first. Also, if you want to run any deployment script (like Capistrano <3), it'll break.

What if we could automate this? Meet the ProxyCommand option of OpenSSH: with it you won't have to manually SSH into the middle server. Here you go, in one line:

ssh -o ProxyCommand='ssh user@vpn.server -W %h:%p' deploy@app.server

You can now log in directly to the app server with this command. The command is quite long, so just save it in your ~/.ssh/config file instead!

Host app
    HostName app.server
    User deploy
    ProxyCommand ssh user@vpn.server -W %h:%p

Now just log in as usual, using the alias:

ssh app

Aaaand, you're innn!
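Added example (Python, not code from the original post): a small resolver that shows what OpenSSH actually runs when you type `ssh app` with a config like the one above. It parses a constructed ~/.ssh/config containing the post's `app` stanza plus an assumed `vpn` stanza for the jump host (vpn.server and user ops are placeholders), applies OpenSSH's first-value-wins rule for keywords, expands the %h/%p tokens in ProxyCommand, and flags settings that would switch off host key checking. The `-W %h:%p` part tells the jump host's ssh to forward its stdin/stdout to the target host and port instead of opening a shell there, and %h expands to the HostName (app.server), not the alias you typed.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample ~/.ssh/config: the post's "app" stanza plus a stanza for
# the jump host so ProxyCommand can refer to it by alias. Host and user names
# are placeholders, not real machines.
SAMPLE_CONFIG = """\
# jump host (placeholder)
Host vpn
    HostName vpn.server
    User ops
    IdentityFile ~/.ssh/id_ed25519

# app server, reached through the jump host
Host app
    HostName app.server
    User deploy
    Port 2222
    ProxyCommand ssh vpn -W %h:%p
"""

# The same config with a weak global setting appended (constructed, for the lint check).
WEAK_CONFIG = SAMPLE_CONFIG + """
Host *
    StrictHostKeyChecking no
"""


def parse_ssh_config(text):
    """Split an ssh_config into (patterns, {keyword: value}) stanzas in file order.
    Keywords are lower-cased; both 'Key value' and 'Key=value' forms are accepted."""
    stanzas = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            if options:
                stanzas.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)  # first value in a stanza wins
    if options:
        stanzas.append((patterns, options))
    return stanzas


def host_matches(alias, patterns):
    """OpenSSH Host matching: any positive pattern may match, a '!' pattern vetoes."""
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatchcase(alias, p[1:]):
                return False
        elif fnmatchcase(alias, p):
            matched = True
    return matched


def resolve(text, alias):
    """Effective options for `ssh alias`: OpenSSH keeps the first value obtained
    for each keyword, so specific stanzas must come before a 'Host *' stanza."""
    effective = {}
    for patterns, options in parse_ssh_config(text):
        if host_matches(alias, patterns):
            for key, value in options.items():
                effective.setdefault(key, value)
    effective.setdefault("hostname", alias)
    effective.setdefault("port", "22")
    return effective


def expand_proxy_command(effective):
    """Expand %h/%p/%r in ProxyCommand the way ssh(1) does: %h is the HostName
    after substitution, not the alias given on the command line."""
    command = effective.get("proxycommand")
    if command is None:
        return None
    tokens = {"%h": effective["hostname"], "%p": effective["port"],
              "%r": effective.get("user", ""), "%%": "%"}
    return re.sub(r"%[hpr%]", lambda m: tokens[m.group(0)], command)


def weak_settings(effective):
    """Flag options that would silently disable host key verification: the
    proxied hop is still end-to-end SSH and must verify the app server's key."""
    findings = []
    if effective.get("stricthostkeychecking", "").lower() in ("no", "off"):
        findings.append("StrictHostKeyChecking is disabled")
    if effective.get("userknownhostsfile") == "/dev/null":
        findings.append("UserKnownHostsFile is /dev/null (host keys never pinned)")
    return findings


if __name__ == "__main__":
    app = resolve(SAMPLE_CONFIG, "app")
    print("ssh app ->", app["user"] + "@" + app["hostname"], "port", app["port"])
    print("ProxyCommand run by ssh:", expand_proxy_command(app))
    print("weak settings:", weak_settings(resolve(WEAK_CONFIG, "app")))
```

For the sample config, `ssh app` makes your local ssh run `ssh vpn -W app.server:2222` as the transport and then completes a normal SSH handshake with app.server through it, so the app server's host key is still checked against your known_hosts; the lint only reports a problem once the `Host *` stanza with `StrictHostKeyChecking no` is appended.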

Please let us know if you use any other tricks to secure your servers!