We use cookies from third party services for marketing activities and to offer you a better experience. Read about how we use cookies and how you can control them by clicking "Privacy Preferences".


Privacy Preferences

Privacy Preferences

When you visit any website, it may store or retrieve information through your browser, usually in the form of cookies. Since we respect your right to privacy, you can choose not to permit data collection from certain types of services. However, not allowing these services may impact your experience.

  • Privacy Policy
    Lorem ipsum dolor sit amet, consectetur adipisicing elit. Assumenda, dolorum, vero ipsum molestiae minima odio quo voluptate illum excepturi quam cum voluptates doloribus quae nisi tempore necessitatibus dolores ducimus enim libero eaque explicabo suscipit animi at quaerat aliquid ex expedita perspiciatis? Saepe, aperiam, nam unde quas beatae vero vitae nulla.
    REQUIRED
  • Content Delivery Network
    Lorem ipsum dolor sit amet, consectetur adipisicing elit. Assumenda, dolorum, vero ipsum molestiae minima odio quo voluptate illum excepturi quam cum voluptates doloribus quae nisi tempore necessitatibus dolores ducimus enim libero eaque explicabo suscipit animi at quaerat aliquid ex expedita perspiciatis? Saepe, aperiam, nam unde quas beatae vero vitae nulla.
    REQUIRED
  • Youtube (Hosting Video Platform by Google Inc.)
    Lorem ipsum dolor sit amet, consectetur adipisicing elit. Assumenda, dolorum, vero ipsum molestiae minima odio quo voluptate illum excepturi quam cum voluptates doloribus quae nisi tempore necessitatibus dolores ducimus enim libero eaque explicabo suscipit animi at quaerat aliquid ex expedita perspiciatis? Saepe, aperiam, nam unde quas beatae vero vitae nulla.
  • Vimeo (Hosting Video Platform)
    Lorem ipsum dolor sit amet, consectetur adipisicing elit. Assumenda, dolorum, vero ipsum molestiae minima odio quo voluptate illum excepturi quam cum voluptates doloribus quae nisi tempore necessitatibus dolores ducimus enim libero eaque explicabo suscipit animi at quaerat aliquid ex expedita perspiciatis? Saepe, aperiam, nam unde quas beatae vero vitae nulla.
  • Google Ads (Advertisement Delivery Network)
    Lorem ipsum dolor sit amet, consectetur adipisicing elit. Assumenda, dolorum, vero ipsum molestiae minima odio quo voluptate illum excepturi quam cum voluptates doloribus quae nisi tempore necessitatibus dolores ducimus enim libero eaque explicabo suscipit animi at quaerat aliquid ex expedita perspiciatis? Saepe, aperiam, nam unde quas beatae vero vitae nulla.
  • Dailymotion (Hosted Video Platform)
    Lorem ipsum dolor sit amet, consectetur adipisicing elit. Assumenda, dolorum, vero ipsum molestiae minima odio quo voluptate illum excepturi quam cum voluptates doloribus quae nisi tempore necessitatibus dolores ducimus enim libero eaque explicabo suscipit animi at quaerat aliquid ex expedita perspiciatis? Saepe, aperiam, nam unde quas beatae vero vitae nulla.
  • Facebook & Instagram (Social Media)
    Lorem ipsum dolor sit amet, consectetur adipisicing elit. Assumenda, dolorum, vero ipsum molestiae minima odio quo voluptate illum excepturi quam cum voluptates doloribus quae nisi tempore necessitatibus dolores ducimus enim libero eaque explicabo suscipit animi at quaerat aliquid ex expedita perspiciatis? Saepe, aperiam, nam unde quas beatae vero vitae nulla.
Save Preferences
Privacy Policy





  1. Home
  2. https:
  3. www.indivar.com
  4. blog
  5. how to setup teleport to securely access your servers

How to setup Teleport to securely access your servers

How to setup Teleport to securely access your servers

How to setup Teleport to securely access your servers

This tutorial will explain why you should use Teleport instead of SSH to manage your servers and how to install it.

What is Teleport

Gravitational Teleport is a gateway for managing access to clusters of Linux servers via SSH or the Kubernetes API. It is intended to be used instead of traditional OpenSSH for organizations that need to:

  • Secure their infrastructure and comply with security best-practices and regulatory requirements.
  • Have complete visibility into activity happening across their infrastructure.
  • Reduce the operational overhead of privileged access management across both traditional and cloud-native infrastructure.

Teleport aims to be a cloud-native SSH solution, i.e. it makes it natural to think of environments, not servers. Below is a list of the most popular Teleport features:

Teleport diagram

  • Single SSH/Kubernetes access gateway for an entire organization.
  • SSH certificate based authentication instead of static keys.
  • Avoid key distribution and trust on first use issues by using auto-expiring keys signed by a cluster certificate authority (CA).
  • Enforce 2nd factor authentication.
  • Connect to clusters located behind firewalls without direct Internet access via SSH bastions.
  • Collaboratively troubleshoot issues through session sharing.
  • Discover online servers and Docker containers within a cluster with dynamic node labels.
  • The ability to manage trust between teams, organizations and data centers.
  • SSH/Kubernetes access into behind-firewall environments without any open ports.
  • Role-based access control (RBAC) for SSH.
  • A single tool (“pane of glass”) to manage RBAC for both SSH and Kubernetes.
  • Audit log with session recording/replay.
  • Kubernetes audit log, including the recording of interactive commands executed via kubectl.
  • The same workflows and ease of use that devs get with familiar ssh / kubectl commands.
  • Ability to run in “agentless” mode, i.e. most Teleport features are available on clusters with pre-existing SSH daemons, usually sshd.

Why use Teleport

Definitions

CONCEPTDESCRIPTION
NodeSynonym to “server” or “computer”, something one can “SSH to”. A node must be running the teleport daemon with “node” role/service turned on.
Certificate Authority (CA)A pair of public/private keys Teleport uses to manage access. A CA can sign a public key of a user or node, establishing their cluster membership.
Teleport ClusterA Teleport Auth Service contains two CAs. One is used to sign user keys and the other signs node keys. A collection of nodes connected to the same CA is called a “cluster”.
Cluster NameEvery Teleport cluster must have a name. If a name is not supplied via teleport.yaml configuration file, a GUID will be generated. IMPORTANT: renaming a cluster invalidates its keys and all certificates it had created.
Trusted ClusterTeleport Auth Service can allow 3rd party users or nodes to connect if their public keys are signed by a trusted CA. A “trusted cluster” is a pair of public keys of the trusted CA. It can be configured via teleport.yaml file.

Get the software

To install, download the official binaries from the Teleport Downloads section and run:

$ tar -xzf teleport-v4.2.8-linux-amd64-bin.tar.gz
$ sudo ./install

This will install teleport but will not run it

Get SSL cert from Let’s Encrypt

This is used to secure the website connection.

Add Certbot PPA

You’ll need to add the Certbot PPA to your list of repositories. To do so, run the following commands on the command line on the machine:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

Install Certbot

Run this command on the command line on the machine to install Certbot.

sudo apt-get install certbot

Run certbot

Make sure the port 80 is not being used by any other application and then run

sudo certbot certonly --standalone

and answer the prompts that follow

The certs will be stored in /etc/letsencrypt/live/ directory

Test automatic renewal

The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:

sudo certbot renew --dry-run

Create teteport data directory

Teleport stores data in /var/lib/teleport. Make sure that regular/non-admin users do not have access to this folder on the Auth server.

sudo mkdir /var/lib/teleport

systemd unit file

Create the systemd unit file to start the teleport daemon via the init system. This file should be saved at /etc/systemd/system/teleport.service

[Unit]
Description=Teleport SSH Service
After=network.target

[Service]
Type=simple
Restart=on-failure
ExecStart=/usr/local/bin/teleport start --config=/etc/teleport.yaml  --pid-file=/var/run/teleport.pid
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/teleport.pid

[Install]
WantedBy=multi-user.target

Configure teleport

teleport can be run using default setting usign teleport start. This is useful for demo or testing but not for production. For production configure etc\teleport.yaml properly.

For this you can use get the default settings file from teleport by running teleport configure which dumps a sample configuration file in YAML format into standard output. Take this output and make changes as required.

Our teleport configuration

Sample configuration is located at https://gist.github.com/vairisingh/ed9028a2403bb2b328cc2ceee8becbf8

Enable ufw

sudo ufw status

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow 3022
sudo ufw allow 3023
sudo ufw allow 3024
sudo ufw allow 3025
sudo ufw allow 3026
sudo ufw allow 3080

sudo ufw enable

sudo ufw status verbose

Start teleport

Use the following commands to start teleport

sudo systemctl daemon-reload
sudo systemctl enable teleport
sudo systemctl start teleport


# check whether teleport is running
sudo systemctl status
sudo systemctl status teleport
journalctl -fu teleport
How to System Admin Docker Setup
⇐ How to setup and secure Ubuntu Server 18.04 …
Indivar - SAP Impact Partner of Year 2019⇒
Posted by Varinder Singh
Varinder Singh
  1. Indivar Software Solutions Pvt Limited, India and New Zealand: Co-Founder and CTO
  2. Credence Medicure Corporation: Co-Founder & Director - IT
  3. Stakteck Limited: Co-Founder and CTO

Related Posts:

How to setup Traefik 2.2 and Portainer on Ubuntu 18.04

How to setup Traefik 2.2 and Portainer on Ubuntu 18.04

  • Apr 29, 2020
How to setup and secure Ubuntu Server 18.04 in 6 steps

How to setup and secure Ubuntu Server 18.04 in 6 steps

  • Apr 30, 2020
Cloud Migration

Cloud Migration

  • Aug 03, 2019
comments powered by Disqus

RECENT POSTS

How to Install SAP B1 version 10 on SAP HANA 2.0

How to Install SAP B1 version 10 on SAP HANA 2.0

Dec 12, 2020
How to Install Windows Server 2016 on Proxmox

How to Install Windows Server 2016 on Proxmox

Dec 10, 2020
How to Setup SUSE 15 SP1 for SAP

How to Setup SUSE 15 SP1 for SAP

Dec 08, 2020
How to Setup Proxmox on Hetzner Dedicated Server

How to Setup Proxmox on Hetzner Dedicated Server

Dec 04, 2020

RANDOM POSTS

Indivar - SAP Impact Partner of Year 2019

Indivar - SAP Impact Partner of Year 2019

Sep 09, 2020
Advantages of an ERP Partner Over an ERP Professional

Advantages of an ERP Partner Over an ERP Professional

Aug 01, 2019
Setup New Dedicated Hetzner Server

Setup New Dedicated Hetzner Server

Dec 02, 2020
What is ERP software

What is ERP software

Nov 19, 2020

CATEGORIES

TAG CLOUD

HOW TO SYSTEM ADMIN SETUP HETZNER SAP B1 ERP SECURITY DOCKER RED PIRANHA AUCKLAND AUTOMATION AWARD DEVOPS ERP IMPLEMENTATION IDS LAUNCH PHARMACEUTICAL PROXMOX SAP HANA SURICATA SUSE 15 UBUNTU WINDOWS SERVER 2016