
Show HN: Werbot – a product for easy audit and control of access to servers - shurco
https://www.werbot.com
======
shurco
From my work experience (such as software development and daily work with all
kinds of servers) I know that most companies (not only me) are
constantly facing the following problems:

1. How to give access to an employee or a freelancer to the server and
monitor their work?

2. How to provide one-time server access to outsourced developers so that
they can perform the work and never use this access again?

3. How to restrict access to the server by time or by place?

4. How to be sure that any person having access to the server will not harm
or install unnecessary software on it?

5. How to prevent storing server access in tasks, emails or tables that are
not the safest storage place?

6. How to quickly and safely give access to all employees if it has been
changed?

7. How to protect the server resources from hacker attacks?

There are many more problems indeed, so I started to develop a platform that
solves these problems and allows developers to do useful work and not use
their time worrying about these problems. Having more than 16 years of
experience in software development and an extensive customer database, I can
state that almost all IT companies, banks, educational institutions, and even
government agencies have the same problems. All the contacted companies
(banks, outsource developing company, games developing, web and application
developing companies) are interested in a simple solution to these problems.

~~~
pondidum
I like the UI of this product, but how does it differ from using Vault's[1]
SSH secret engine?

[1] https://www.vaultproject.io/api/secret/ssh/index.html

~~~
shurco
SSH Secrets Engine most likely acts as an API and uses a different work model
than we do. An important fact about Werbot is that there is no need to install
additional software on a local machine or a remote server.

Werbot passes all the traffic through itself and all verifications take place
directly in the core of the system. We do not change the way you are used to
working on servers, we change the way you connect to them. Each connection is
made with a single sign on (for example, user@werbot.com if using our SaaS
version) and a user's private key. Once the user is signed on, a list of all
available servers is displayed to him and he can automatically connect to one
of them by just selecting the needed item on the list.

In the user's profile you can see the user's activity and the working time.
Additional server access settings can also be managed through the user's profile,
for example you can set different access limitations by geolocation, IP,
country or time schedule.

------
nif2ee
It's very hard to trust some random new company with your company's servers.
Even if we trust YOU, a single bug that leads to a leak of your certificate, the
keys or the stored sessions (which are literally everything! they are
literally the company itself) would be a disaster for all your customers,
especially when the whole product is managed and closed source. Also
Gravitational's Teleport does the same thing and it's FOSS. It's just hard for
me to see a serious business that would trust you and proxy their entire SSH
sessions through you just for the sake of authentication/authorization while
there are many alternative FOSS and more trusted alternatives.

~~~
shurco
No problems! Use the Enterprise version on your servers.

~~~
nif2ee
Why would I pay $12,000/year for a self-hosted closed source SSH proxy+SSO
while Teleport, a FOSS and battle tested alternative exists? Also something
like Pritunl can do the same functionality along with a zillion more
features while being more scalable and supports any protocol since it's a real
VPN while only paying $50/month.

UPDATE: It seems also that Cloudflare's Access supports SSH and SSO.

~~~
shurco
Let me suppose that you do not exactly know the price of 1 server maintenance
provided by Symantec, CyberArk or CheckPoint. The VPN or Cloudflare's Access
solutions you are talking about, are designed for other purposes. Teleport is
working in another way at all. I understand that you are supporting FOSS and
it's very good! I do not exclude the possibility to become a FOSS product one
day. The most important thing is that you don't need to install any additional
software on the client machine or server!

~~~
nif2ee
> Symantec, CyberArk or CheckPoint

These are huge and public companies and are under lots of regulation and scrutiny by
the government and investors and are a big target for hackers and adversary
governments and that's why they spend a fortune to keep their reputation
clean. I don't think you should compare yourself to them.

> VPN or Cloudflare's Access solutions you are talking about, are designed for
> other purposes

What other purposes? Please enlighten me.

> The most important thing is that you don't need to install any additional
> software on the client machine or server

So your product works by authenticating users via your webapp's SSO for example
and then the client has to manually download the private keys and certificates
and use them with the ssh command?

------
truz
The prices are way too high. We run about 50 servers (the number varies
between 30 and 70). As a small team we rely a lot on freelancers to handle
peaks. Such a tool would be very cool, but is not priced right. In addition,
we would have to pay 1000 $ per month, but often don't need all of it. A pay as
you use variant would be the minimum. In addition, at least some parts of such
a product should be open source. Possibly under strict licenses, but auditable
and usable in all versions on your own server. This does not exclude a
complementary SaaS offer. Btw: Free trial without CC would be nice. Not giving
you any data without showing me something...

------
samber
A similar tool with seamless integration with Github+Gitlab =>
http://github.com/samber/sync-ssh-keys

------
jimmeh89
I came across this on IndieHackers a while back, seems like it's doing a
similar thing but is free: https://serverauth.com

~~~
shurco
No, it's not exactly what we are doing.

Our interaction with servers is different. Every server session is recorded
and can be replayed in the user profile. Also the server owner can see in real
time who is working on the server.

I have already left a comment here above giving some details that differentiate us
from other existing solutions.

------
gvv
Does it work for containers as well? I can imagine it'll be pretty expensive
if you need to pay by the number of servers.

~~~
shurco
I am testing it on containers. If a container has an ssh server - everything
works without any problem.

Maybe I will update the start tariff.

------
tim--
How is the screen recorded, and where are those sessions stored?

~~~
shurco
An important note - it doesn't require installing additional software on the
server!

Werbot passes the entire user session through itself and records it in
asciinema format. All records are stored in the database. In the future, it
will be possible to download each session in SVG or mp4 format.

~~~
tim--
What happens then when werbot is down? I'm assuming this is a hosted service?
What happens when a session is a day long, and the output is a verbose
compilation of Firefox? Is that still all stored in the database?
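
The exchange above concerns sessions recorded in asciinema format and how much of them ends up stored. As an added example (not Werbot's code, and not part of any comment in this thread), the sketch below parses a recording in the asciicast v2 layout, reports its duration and output volume, and flags package installs seen in the output; the sample recording, the `audit_cast` name and the install rule are all constructed for illustration.

```python
import json
import re

# Constructed sample recording in asciicast v2 layout: a JSON header line,
# then one [seconds, event_type, data] array per line ("o" = terminal output).
SAMPLE_CAST = "\n".join([
    json.dumps({"version": 2, "width": 80, "height": 24, "timestamp": 1560000000}),
    json.dumps([0.5, "o", "deploy@web1:~$ "]),
    json.dumps([2.1, "o", "sudo apt-get install nmap\r\n"]),
    json.dumps([9.8, "o", "Setting up nmap ...\r\n"]),
    json.dumps([10.2, "o", "deploy@web1:~$ "]),
    json.dumps([12.0, "o", "exit\r\n"]),
])

# Hypothetical audit rule: package-manager installs seen in the session output.
INSTALL_RE = re.compile(r"\b(?:apt(?:-get)?|yum|dnf|pip3?|npm)\s+install\s+\S+")
ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]")  # strip CSI colour/cursor codes


def audit_cast(text):
    """Return duration, output volume and install commands found in a recording."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = json.loads(lines[0])
    if header.get("version") != 2:
        raise ValueError("not an asciicast v2 recording")
    duration, out_bytes, screen = 0.0, 0, []
    for ln in lines[1:]:
        t, kind, data = json.loads(ln)
        duration = max(duration, t)
        if kind == "o":
            out_bytes += len(data.encode("utf-8"))
            screen.append(data)
    # Join chunks first: echoed keystrokes often arrive as separate events.
    plain = ANSI_RE.sub("", "".join(screen))
    hits = [m.group(0) for m in INSTALL_RE.finditer(plain)]
    return {"duration_s": duration, "output_bytes": out_bytes,
            "events": len(lines) - 1, "installs": hits}


if __name__ == "__main__":
    print(audit_cast(SAMPLE_CAST))
```

Because every output chunk is one event line, `output_bytes` and `events` grow with how verbose the session is, which is the quantity a retention or size limit on stored recordings would need to track.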

