Disable SSH access to all servers.
This sounds crazy, I know, but port 22 should be disallowed for everyone in your security group. If there's one thing you take away from this post, this should be it: If you have to SSH into your servers, then your automation has failed. Disabling it at the firewall level (rather than on the servers themselves) will help the transition to this frame of thinking, as it will highlight any areas you need to automate, while still letting you easily re-instate access to solve immediate issues. It's incredibly freeing to know that you never need to SSH into an instance. This is both the most frightening and yet most useful thing I've learned.
Someone who runs clusters told me that fixing things via SSH -- rather than putting the fix into Puppet or CFEngine and exporting it -- was a firing offense. Makes a fair amount of sense for when you go from Puppies to Cattle.
This sounds crazy, I know, but port 22 should be disallowed for everyone in your security group. If there's one thing you take away from this post, this should be it: If you have to SSH into your servers, then your automation has failed. Disabling it at the firewall level (rather than on the servers themselves) will help the transition to this frame of thinking, as it will highlight any areas you need to automate, while still letting you easily re-instate access to solve immediate issues. It's incredibly freeing to know that you never need to SSH into an instance. This is both the most frightening and yet most useful thing I've learned.
Someone who runs clusters told me that fixing things via SSH -- rather than putting the fix into Puppet or CFEngine and exporting it -- was a firing offense. Makes a fair amount of sense for when you go from Puppies to Cattle.
No comments:
Post a Comment