In an earlier post, we talked about how we implemented centralized authentication at Threat Stack. This project initially allowed us to create clearer access control for our servers. A side benefit of this work has allowed us to write tooling around common authentication processes.
One thing we’ve wanted to do is create an alert when folks are using a VPN to connect to one of our environments. In the event of a stolen laptop and stolen credentials, a user could be alerted to someone logging in with their credentials. With OpenVPN, performing actions on a client connect is possible using a client-connect script, so in the tradition of writing small Go applications to improve visibility, we did just that.
For the last few months our Slack bot VPN Notifier has been letting our engineers know when they connect into a Threat Stack environment. We’ve now done the work to open source the tool so that others can use and improve on it. We specifically mention improve, because our tool has limitations: The current version does extremely basic environment checking, and extremely basic alert suppression. Our hope is that we can collaborate with others who want to take this tool the extra mile.
Our README.md has full instructions on using the tool, along with requirements. In summary, you will:
- Use a configuration management tool to place a configuration file (/etc/vpnnotify.json is the default) on your OpenVPN host.
- Use a configuration management tool to distribute a VPNnotify package. (We use FPM to make our own.)
- Set the client-connect option in your OpenVPN Server configuration to where you installed VPNNotify — it will read in the VPN/user details over environment variables that OpenVPN provides.
Getting visibility into when VPN sessions are opened on your behalf helps you know if your credentials are being misused. VPNNotify helps you do just that. We look forward to hearing how you’ll use it!
Interested in VPNNotify? Check it out on GitHub.
Additional Open Source Tools From Threat Stack
If you’re interested in other open sources tools developed by Threat Stack, take a look at the following blog posts. Each provides information on how to use the tool along with a link to download it:
- Authkeys: Making Key-Based LDAP Authentication Faster
Authkeys performs LDAP lookups of SSH keys without the need for using scripts or other interpreted code.
- Balancing Security and Your On-Call Rotation Using Deputize
This is the tool we created and use to manage our on-call rotation at Threat Stack. Deputize uses PagerDuty’s API to get the email addresses of the engineers on call, then compares that to the named users in the on-call group, and updates accordingly.
See Threat Stack in Action
Get in touch for a demo of Threat Stack's comprehensive instrusion detection platform.