In an earlier post, we talked about how we implemented centralized authentication at Threat Stack. This project initially allowed us to create clearer access control for our servers. A side benefit of this work has allowed us to write tooling around common authentication processes.
One thing we’ve wanted to do is create an alert when folks are using a VPN to connect to one of our environments. In the event of a stolen laptop and stolen credentials, a user could be alerted to someone logging in with their credentials. With OpenVPN, performing actions on a client connect is possible using a client-connect script, so in the tradition of writing small Go applications to improve visibility, we did just that.
For the last few months our Slack bot VPN Notifier has been letting our engineers know when they connect into a Threat Stack environment. We’ve now done the work to open source the tool so that others can use and improve on it. We specifically mention improve, because our tool has limitations: The current version does extremely basic environment checking, and extremely basic alert suppression. Our hope is that we can collaborate with others who want to take this tool the extra mile.
Using VPNNotify Our README.md has full instructions on using the tool, along with requirements. In summary, you will:
- Use a configuration management tool to place a configuration file (/etc/vpnnotify.json is the default) on your OpenVPN host.
- Use a configuration management tool to distribute a VPNnotify package. (We use FPM to make our own.)
- Set the client-connect option in your OpenVPN Server configuration to where you installed VPNNotify — it will read in the VPN/user details over environment variables that OpenVPN provides.
This was originally posted on the Threat Stack blog.
2017-09-17 16:00 +0000
cfb04ec @ 2020-07-26