With everything that has been going on in the last couple of months, have you been having dark, anxious thoughts? I know I have, and not only because of the pandemic; well, yes, that did a lot to fuel my anxiety-driven over-control and over-reaction to simple things, pedal to the metal, but that is the world we live in now. With more than half the population in quarantine, the strain on everything is pushing the limits: as we have seen, YouTube, Netflix, Microsoft Teams and others have all had trouble with their apps because of the enormous surge in usage.
That is a great opportunity for any hacker out there who is just trying something out, or, even worse, for the ones who know what they are doing.
You want to stay as protected as possible and avoid the middle-of-the-night doomsday call that all of your servers have been hacked and all backups deleted (this scares me more than a plane crash).
It is important to think about this even though nobody wants to assume it will happen to them. If you think about security at all, you will realise that putting together a command-and-control server (Ansible, for example, but any tool that can roll out applications to a collection of servers) creates a big target for any hacker who gets into your infrastructure.
We have to think about safe systems and architectures early on and spend some time patching things up where needed, because the more we build, the more work it takes to secure it properly.
As a first line of defense it is important to severely limit access to the command-and-control machine. It should sit on a managed subnet/VLAN and be reachable from only a few access points, and the servers it manages should never have access back to it: if they do, it does not matter which of them gets compromised, because it will provide a smooth pathway to all of them being taken over.
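To make the "no path back" rule checkable rather than just a good intention, here is an added example (not code from the original post) that compares the control node's inbound allow-list against the list of managed hosts and flags any managed server that could reach the controller. The addresses, the allow rules and the management subnet are constructed samples; the second allow rule is deliberately too broad so the check has something to find.

```python
"""Check a control-node inbound allow-list against the managed inventory.

Added example, not from the original post. It models the rule above: the
control node accepts connections only from a short list of operator jump
hosts, never from the servers it manages. All addresses are constructed.
"""
import ipaddress

# Constructed sample: hosts the control node manages (as from an inventory).
MANAGED_HOSTS = {
    "web01": "10.20.0.11",
    "web02": "10.20.0.12",
    "db01": "10.30.0.5",
}

# Constructed sample: inbound allow rules on the control node, written as
# (source network, destination port). Anything not listed is denied.
INBOUND_ALLOW = [
    ("10.10.5.0/29", 22),   # hypothetical operator jump hosts on a management VLAN
    ("10.20.0.0/24", 22),   # deliberately weak rule: the whole web subnet may SSH in
]


def allowed_sources(rules, port):
    """Return the networks permitted to reach `port` on the control node."""
    return [ipaddress.ip_network(net) for net, p in rules if p == port]


def managed_hosts_with_path_back(managed, rules, port=22):
    """Managed hosts that the allow-list lets connect back to the control node.

    A non-empty result violates the segmentation rule: a compromised managed
    server would have a route to the node that can reach every other server.
    """
    nets = allowed_sources(rules, port)
    offenders = []
    for name, addr in managed.items():
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in nets):
            offenders.append(name)
    return sorted(offenders)


def tightened_rules(managed, rules, port=22):
    """Drop every allow rule for `port` that contains any managed host."""
    managed_ips = [ipaddress.ip_address(a) for a in managed.values()]
    kept = []
    for net, p in rules:
        network = ipaddress.ip_network(net)
        if p == port and any(ip in network for ip in managed_ips):
            continue  # this rule would let a managed server reach the controller
        kept.append((net, p))
    return kept


if __name__ == "__main__":
    print("managed hosts with a path back to the controller:",
          managed_hosts_with_path_back(MANAGED_HOSTS, INBOUND_ALLOW))
    print("tightened allow-list:", tightened_rules(MANAGED_HOSTS, INBOUND_ALLOW))
```

In practice the inventory and the rule list would be read from the real Ansible inventory and the control node's firewall configuration; the check itself stays the same, and running it in CI each time either file changes catches a widened rule before it is deployed.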
There should not be one generic user like “ansibledeploy” that the whole team uses to run deployment scripts. There should be an individual user for each team member running them; that way, if one of them is compromised, you know which one and can respond much faster than you could with a generic user.
It is important to note that we have to learn and use the security measures already available for the applications we rely on. Ansible, for example, offers Ansible Vault, which encrypts playbook files and variables; since many playbooks require root access, that encryption keeps the root credentials they carry hidden. There are many great tutorials, and we plan on doing some of our own on this very topic in the future, so keep following us if you are not already.
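The two previous points, one account per operator and secrets kept in Vault, can both be audited from the inventory and variable files. The following is an added example, not code from the original post or from the Ansible project: it parses a constructed INI-style inventory for the generic “ansibledeploy” account the post warns about, and flags variable files that contain password-like keys without being Vault-encrypted (a file encrypted with `ansible-vault encrypt` begins with the `$ANSIBLE_VAULT;` header, and a single value encrypted with `ansible-vault encrypt_string` is tagged `!vault`). The inventory text, the file contents and the hypothetical user names are all constructed samples; the secret-key pattern is a heuristic, not an Ansible rule.

```python
"""Audit Ansible inventory and variable files for a shared deploy user and
for plaintext secrets that should be in Vault.

Added example, not from the original post or the Ansible project. The
inventory and variable files below are constructed samples.
"""
import re

# Constructed sample: INI inventory with a shared account on one group.
INVENTORY = """\
[web]
web01 ansible_host=10.20.0.11
web02 ansible_host=10.20.0.12

[web:vars]
ansible_user=ansibledeploy

[db]
db01 ansible_host=10.30.0.5 ansible_user=alice
"""

# Constructed sample group_vars files: plaintext, whole-file Vault, inline Vault.
GROUP_VARS = {
    "group_vars/web.yml": "ansible_become_pass: S3cret!\nhttp_port: 80\n",
    "group_vars/db.yml": "$ANSIBLE_VAULT;1.1;AES256\n<ciphertext omitted>\n",
    "group_vars/app.yml": "api_token: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  <ciphertext omitted>\n",
}

VAULT_HEADER = "$ANSIBLE_VAULT;"
# Heuristic: a top-level YAML key whose name contains a secret-like word.
SECRET_KEY_LINE = re.compile(
    r"^\s*(?P<key>\w*(pass|secret|token|key)\w*)\s*:\s*(?P<value>.*)$",
    re.IGNORECASE | re.MULTILINE,
)


def shared_users(inventory_text, generic=("ansibledeploy",)):
    """Return (section, user) pairs where a generic shared account is configured.

    Each operator should instead supply their own account, e.g. with `-u` or
    `remote_user` in their personal ansible.cfg, so logins are attributable.
    """
    found = []
    section = None
    for raw in inventory_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        for user in re.findall(r"ansible_user=(\S+)", line):
            if user in generic:
                found.append((section, user))
    return found


def unvaulted_secret_files(files):
    """Files with secret-looking keys that are neither Vault-encrypted as a
    whole nor encrypted per value with `!vault`."""
    flagged = []
    for path, text in files.items():
        if text.startswith(VAULT_HEADER):
            continue  # whole file produced by `ansible-vault encrypt`
        for match in SECRET_KEY_LINE.finditer(text):
            if not match.group("value").startswith("!vault"):
                flagged.append(path)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("shared deploy users:", shared_users(INVENTORY))
    print("plaintext secret files:", unvaulted_secret_files(GROUP_VARS))
```

For a flagged file the fix is `ansible-vault encrypt group_vars/web.yml` (or `ansible-vault encrypt_string` for one value); for a flagged user it is removing `ansible_user` from the group and letting each operator authenticate as themselves.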
We are a devoted team of professionals with a passion for technology. If you are interested in securing your servers further or have any other questions at all, please do not hesitate to contact us.