First, let’s talk about why we decided to move away from the legacy ways of accessing the servers. When we say legacy server access methods, most organizations and companies still use password-based and key-based authentications, and it’s not that outdated. In fact, we are still using SSH key-based authentications to connect client servers to our automation platforms. But for our technicians to access the servers, we thought we needed something better and advanced because the number of servers that we manage and maintain keeps increasing day by day. Also, we wanted to provide few more layers of security for our customers, better logging, screen recordings of server activities that we perform, work collaboration, and also a uniform and more secured access using SHConnect agent.
SHConnect – Our new and advanced way to access servers securely.
SHConnect is an advanced and more secured server authentication method that our team uses to remotely access servers, web applications, Kubernetes clusters, and databases across all the environments.
The features offered by this new authentication method are:
- This new approach is more secure than the commonly used SSH key-based and password-based authentication methods.
- There is no need for clients to provide server root passwords or add our keys to the client’s server.
- The ServerHealers team will create a sudo user by running a script, and all the access to the server will be through this dedicated sudo user. No direct root access is allowed in the servers.
- This method also requires minimal installation with less than 100M size. A SHConnect agent will be running on a custom port in the server to provide us access to the server. ( We will be connecting to your server using this SHConnect agent and won’t use the default SSH service installed in your server. )
- All staff-level activities are logged on our system, along with access logs, the reason for connecting to the server, ticket ID, and even video screen recordings of all the server activities that we perform.
- The staff-level access is set up through our gateway system with limited session validity and two-factor authentication (2FA) for better security.
- Connections to the servers are only allowed through the ServerHealers office IPs and secured VPN servers.
“SH Connection Enabler” Script
You will need to log in to your Linux-based server as the root user and execute the “SH Connection Enabler” script given below to make your server ready to connect with the ServerHealers Ansible-based automation platform. ( After running the script given below, please proceed and complete the order and that’ll complete the connection process. )
curl -s scripts.serverhealers.com/shconnect/shce | bash
This script will modify a few files on your server. Those are given below and the reason for the modification.
|/home/shconnect||Create a home directory for the ServerHealers dedicated user.|
|/etc/passwd||Add the newly created dedicated user in this file.|
|/etc/groups||Add the newly created dedicated user in this file.|
|/etc/sudoers.d/serverhealers||Add sudo privileges to the created dedicated user.|
|/home/shconnect/.ssh/authorized_keys||Add ServerHealers system backup keys to this file.|
|/etc/ssh/sshd_config||Modify this file only if the below entry/restriction exists:|
AllowUsers variable adjustment
|/etc/hosts.allow||Modify this file only if the below entry/restriction exists:|
Host Access Control adjustment
|/var/log/serverhealers_connect.log||Create this log file to store the ServerHealers Connection Enabler script.|
|Whitelist ServerHealers IP address (CSF/APF/Imunify360/UFW/Firewalld)||Whitelist the ServerHealers office/system IP addresses on the firewall.|
The “SH Connection Enabler” will install SHConnect agent in your server, open the custom port, and will also validate the connection to our platform. ( Please also make sure you don’t have any external firewalls blocking port 3022.)
“SH Connection Remover” Script
Log in to your Linux-based server as the root user and execute the “SH Connection Remover” script below to remove and disconnect your server from all ServerHealers platforms. This script will also revert all the changes made by the “SH Connection Enabler” script.
curl -s scripts.serverhealers.com/shconnect/shcr | bash
We hope this article was helpful, and do reach out to us if you have any queries or suggestions.