SSH Bastion Flavour

Version 1.4.1
Maintainers: support[at]europeanweather.cloud
License:
Support level: EWC
Category: Remote Access & Desktop
Technology: Ansible Playbook

SSH Bastion Flavour

The SSH bastion (or proxy) server is a barrier between your internal machines, which have no public or floating IP address, and the public internet: users connect to the bastion and from there to the private instances, so the bastion adds a layer of security in front of them. It runs Fail2ban, intrusion-prevention software that watches the SSH authentication log and temporarily bans source addresses that repeatedly fail to log in, which blunts brute-force attacks.

This template is for tenant admins who wish to harden the way tenant users connect to the European Weather Cloud (EWC), and for tenant users who want to protect the compute resources and data within their work environments.

Functionality

The template is designed to:

  • Configure a pre-existing RockyLinux virtual machine that has a public IP address (and, as a recommended minimum, 4GB of RAM) as the entry point through which users reach private EWC networks from the public internet via SSH.

Prerequisites

  • Install git (version 2.0 or higher)
  • Install python (version 3.9 or higher)
  • Install ansible (version 2.15 or higher)
  • If you plan to configure an existing VM, jump to the Usage section below
  • If you have not yet provisioned a VM, you must do so first. You may choose one of the following approaches:

Usage

1. Clone the repository

git clone https://github.com/ewcloud/ewc-ansible-playbook-flavours-and-provisioning.git

1.1. Change to the Item's subdirectory

cd playbooks/ssh-bastion-flavour

1.2. (Optional) Check out a specific version of the Item

⚠️ Make sure to replace x.y.z in the command below, with your version of preference.

git checkout x.y.z

2. Download Ansible dependencies

💡 By default, Ansible Roles are installed under the ~/.ansible/roles directory within your working environment.

Download the correct version of the Ansible dependencies, if you haven't done so already:

ansible-galaxy role install -r requirements.yml

3. Specify the target host and SSH credentials

Create an inventory file to specify the address and credentials that Ansible should use to reach the virtual machine you wish to configure. Note that StrictHostKeyChecking=accept-new trusts the bastion's host key on first contact and refuses the connection only if that key later changes; since this host will be your tenant's entry point, compare the fingerprint against an out-of-band source (for example the instance console log, if your cloud console provides one) before the first run:

# inventory.yml
---
ewcloud:
  hosts:
    ssh_bastion:
      ansible_python_interpreter: /usr/bin/python3
      ansible_host: <add the IPV4 address of the target host>
      ansible_ssh_private_key_file: <add the path to local SSH private key file>
      ansible_user: cloud-user
      ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new

4. Configure and apply the template

4.1. Interactive Mode

By running the following command, you can trigger an interactive session that prompts you for the necessary user inputs, and then applies changes to your target EWC environment:

ansible-playbook -i inventory.yml ssh-bastion-flavour.yml

4.2. Non-Interactive Mode

💡 To learn more about defining variables at runtime, check out the official Ansible documentation.

You can also run in non-interactive mode by passing the --extra-vars or -e flag, followed by a map of key-value pairs, one for each available input (see the Inputs section below). For example:

ansible-playbook \
  -i inventory.yml \
  -e '{"fail2ban_whitelisted_ip_ranges":""}' \
  ssh-bastion-flavour.yml

Inputs

Name: fail2ban_whitelisted_ip_ranges
Description: IPv4 ranges (in CIDR format) to be whitelisted in the Fail2ban configuration. When in doubt, do not set. Example: ['10.0.0.0/24','192.168.1.0/24']
Type: list(string)
Default: ''
Required: no
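The whitelist is the one input that changes the bastion's security posture: every range you pass is exempt from Fail2ban's bans, so an over-broad value such as 0.0.0.0/0 disables brute-force protection for everyone. The script below is an added example, not part of the ewcloud repository or its Ansible role. It validates each IPv4 CIDR, rejects anything that is not a plain a.b.c.d/n (so a crafted value cannot smuggle extra keys into the --extra-vars JSON document), refuses a /0 prefix, and emits the same document shape the non-interactive example above expects, falling back to the documented empty-string default when no ranges are given. The DRY_RUN variable and the function names are this example's own assumptions, not playbook inputs.

```bash
#!/usr/bin/env bash
# Added example, not part of the ewcloud playbook or role: validate the
# fail2ban_whitelisted_ip_ranges input and build the --extra-vars JSON for it.
set -eo pipefail

# Return 0 if $1 is a syntactically valid IPv4 CIDR (a.b.c.d/n, n in 0..32).
# Anything else, including IPv6, bare addresses and trailing garbage, fails.
valid_cidr() {
  local cidr=$1 octet
  [[ $cidr =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/([0-9]{1,2})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1:4}"; do
    (( 10#$octet <= 255 )) || return 1   # 10# avoids octal surprises such as 010
  done
  (( 10#${BASH_REMATCH[5]} <= 32 )) || return 1
}

# Print the extra-vars JSON for the given ranges. With no ranges, emit the
# playbook's documented default (an empty string). Refuse a /0 prefix, which
# would exempt every source address from Fail2ban and disable it in practice.
whitelist_extra_vars() {
  local quoted=() r joined
  for r in "$@"; do
    valid_cidr "$r" || { echo "invalid IPv4 CIDR: $r" >&2; return 1; }
    [[ $r != */0 ]] || { echo "refusing to whitelist the whole internet: $r" >&2; return 1; }
    quoted+=("\"$r\"")   # safe to interpolate: valid_cidr allows only digits, dots and one slash
  done
  if (( ${#quoted[@]} == 0 )); then
    printf '{"fail2ban_whitelisted_ip_ranges":""}\n'
  else
    joined=$(IFS=,; echo "${quoted[*]}")
    printf '{"fail2ban_whitelisted_ip_ranges":[%s]}\n' "$joined"
  fi
}

# Usage: ./whitelist.sh 10.0.0.0/24 192.168.1.0/24
# DRY_RUN=1 prints the ansible-playbook command instead of executing it.
main() {
  local extra_vars
  extra_vars=$(whitelist_extra_vars "$@")
  if [[ ${DRY_RUN:-0} == 1 ]]; then
    printf 'ansible-playbook -i inventory.yml -e %q ssh-bastion-flavour.yml\n' "$extra_vars"
  else
    ansible-playbook -i inventory.yml -e "$extra_vars" ssh-bastion-flavour.yml
  fi
}

# Only act when ranges are passed on the command line, so sourcing the file
# for its functions (or running it with no arguments) has no side effects.
if (( $# > 0 )); then
  main "$@"
fi
```

Run it from the playbooks/ssh-bastion-flavour directory with the ranges as arguments; with DRY_RUN=1 it only prints the ansible-playbook invocation it would run, which is a convenient way to check the quoting before touching the bastion. To apply the default (no whitelist), run the non-interactive command from section 4.2 directly.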

Dependencies

⚠️ Only RockyLinux 9.5 and RockyLinux 8.10 instances are currently supported, due to constraints imposed by the required ewc-ansible-role-ssh-bastion Ansible Role.

💡 A VM plan with at least 4GB of RAM is recommended for successful setup and stable operation.

Name: ewc-ansible-role-ssh-bastion
Version: 1.4
License: MIT
Home URL: https://github.com/ewcloud/ewc-ansible-role-ssh-bastion

Other: Deployable, EWCCLI-compatible