Hacker News
Show HN: Werbot – a product for easy audit and control of access to servers (werbot.com)
20 points by shurco 9 days ago | 17 comments

From my work experience (such as software development and daily work with all kinds of servers) I know that most companies (not only mine) are constantly facing the following problems:

1. How to give an employee or a freelancer access to the server and monitor their work?

2. How to provide one-time server access to outsourced developers so that they can perform the work and never use this access again?

3. How to restrict access to the server by time or by place?

4. How to be sure that any person having access to the server will not harm or install unnecessary software on it?

5. How to prevent storing server access in tasks, emails or tables that are not the safest storage places?

6. How to quickly and safely give access to all employees if it has been changed?

7. How to protect the server resources from hacker attacks?

There are many more problems indeed, so I started to develop a platform that solves these problems and allows developers to do useful work and not spend their time worrying about these problems. Having more than 16 years of experience in software development and an extensive customer database, I can state that almost all IT companies, banks, educational institutions, and even government agencies have the same problems. All the contacted companies (banks, outsourcing companies, game developers, web and application development companies) are interested in a simple solution to these problems.

I like the UI of this product, but how does it differ from using Vault's[1] SSH secret engine?


SSH Secrets Engine most likely acts as an API and uses a different work model than we do. An important fact about Werbot is that there is no need to install additional software on a local machine or a remote server.

Werbot passes all the traffic through itself and all verifications take place directly in the core of the system. We do not change the way you are used to working on servers, we change the way you connect to them. Each connection is made with a single sign-on (for example, user@werbot.com if using our SaaS version) and a user's private key. Once the user is signed on, a list of all available servers is displayed to him and he can automatically connect to one of them by just selecting the needed item from the list.

In the user's profile you can see the user's activity and the working time. Additional server access settings can also be managed through the user's profile; for example, you can set different access limitations by geolocation, IP, country or time schedule.

It's very hard to trust some random new company with your company's servers. Even if we trust YOU, a single bug that leads to leaking your certificate, the keys or the stored sessions (which are literally everything! they are literally the company itself) would be a disaster for all your customers, especially when the whole product is managed and closed source. Also Gravitational's Teleport does the same thing and it's FOSS. It's just hard for me to see a serious business that would trust you and proxy their entire SSH sessions through you just for the sake of authentication/authorization while there are many FOSS and more trusted alternatives.

No problems! Use the Enterprise version on your servers.

Why would I pay $12,000/year for a self-hosted closed source SSH proxy+SSO while Teleport, a FOSS and battle tested alternative, exists? Also something like Pritunl can do the same thing along with a zillion more features while being more scalable and supporting any protocol since it's a real VPN, while only paying $50/month.

UPDATE: It seems also that Cloudflare's Access supports SSH and SSO.

Let me suppose that you do not exactly know the price of 1 server maintenance provided by Symantec, CyberArk or CheckPoint. The VPN or Cloudflare's Access solutions you are talking about are designed for other purposes. Teleport works in a completely different way. I understand that you are supporting FOSS and it's very good! I do not exclude the possibility of becoming a FOSS product one day. The most important thing is that you don't need to install any additional software on the client machine or server!

>Symantec, CyberArk or CheckPoint

These are huge and public companies and are under lots of regulation and scrutiny by the government and investors and are a big target for hackers and adversarial governments, and that's why they spend a fortune to keep their reputation clean. I don't think you should compare yourself to them.

>VPN or Cloudflare's Access solutions you are talking about, are designed for other purposes

What other purposes? Please enlighten me.

>The most important thing is that you don't need to install any additional software on the client machine or server

So your product works by authenticating users via your webapp's SSO, for example, and then the client has to manually download the private keys and certificates and use them with the ssh command?

The prices are way too high. We run about 50 servers (the number varies between 30 and 70). As a small team we rely a lot on freelancers to handle peaks. Such a tool would be very cool, but is not priced right. In addition, we would have to pay $1000 per month, but often don't need all of it. A pay-as-you-use variant would be the minimum. In addition, at least some parts of such a product should be open source. Possibly under strict licenses, but auditable and usable in all versions on your own server. This does not exclude a complementary SaaS offer. Btw: a free trial without CC would be nice. Not giving you any data without showing me something...

A similar tool with seamless integration with Github+Gitlab => http://github.com/samber/sync-ssh-keys

I came across this on IndieHackers a while back, seems like it's doing a similar thing but is free https://serverauth.com

No, it's not exactly what we are doing.

Our interaction with servers is different. Every server session is recorded and can be replayed in the user profile. Also the server owner can see in real time who is working on the server.

I have already left a comment above giving some details that differentiate us from other existing solutions.

Does it work for containers as well? I can imagine it'll be pretty expensive if you need to pay by the number of servers.

I am testing it on containers. If a container has an SSH server, everything works without any problem.

Maybe I will update the start tariff.

How is the screen recorded, and where are those sessions stored?

An important note: it doesn't require installing additional software on the server!

Werbot passes the entire user session through itself and records it in asciinema format. All records are stored in the database. In the future, it will be possible to download each session in SVG or mp4 format.
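The asciinema format named above is plain JSON lines, so a stored session can be inspected and audited without the product itself. The following is an added example (not Werbot's code; the sample recording is constructed, and Werbot's actual database layout is not assumed) that parses a v2 cast, measures how much a session costs to store, and rebuilds the commands the user typed so an owner can review what was run.

```python
import json

# Constructed sample in asciinema v2 "cast" format: one JSON header line, then one JSON
# array per event: [elapsed_seconds, "o" (terminal output) | "i" (user input), data].
# Hand-written for illustration only; it is not a real Werbot session record.
SAMPLE_CAST = r'''{"version": 2, "width": 80, "height": 24, "timestamp": 1600000000}
[0.5, "o", "$ "]
[1.2, "i", "ls -la\r"]
[1.3, "o", "ls -la\r\ntotal 8\r\n$ "]
[4.0, "i", "sudo apt instalk\u007fl nmap\r"]
[4.1, "o", "sudo apt install nmap\r\n$ "]
[6.5, "i", "exit\r"]
'''

def parse_cast(text):
    """Parse a v2 cast into (header, [(t, kind, data)]); reject anything malformed."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = json.loads(lines[0]) if lines else {}
    if not isinstance(header, dict) or header.get("version") != 2:
        raise ValueError("unsupported cast header: %r" % header)
    events, last_t = [], 0.0
    for ln in lines[1:]:
        ev = json.loads(ln)
        if not (isinstance(ev, list) and len(ev) == 3 and isinstance(ev[0], (int, float))
                and ev[1] in ("o", "i") and isinstance(ev[2], str)) or ev[0] < last_t:
            raise ValueError("malformed or out-of-order event: %s" % ln)
        last_t = float(ev[0])
        events.append((last_t, ev[1], ev[2]))
    return header, events

def session_stats(events):
    """Duration and stored byte volume: what a day-long verbose build would cost to keep."""
    out = sum(len(d.encode()) for _, k, d in events if k == "o")
    inp = sum(len(d.encode()) for _, k, d in events if k == "i")
    return {"duration_s": events[-1][0] if events else 0.0, "output_bytes": out, "input_bytes": inp}

def typed_commands(events):  # rebuild typed lines from input events, honouring backspace (DEL)
    cmds, buf, start = [], [], None
    for t, kind, data in events:
        for ch in (data if kind == "i" else ""):
            start = t if start is None else start
            if ch in "\r\n":
                cmds.append((start, "".join(buf)))
                buf, start = [], None
            elif ch == "\x7f":
                buf = buf[:-1]
            else:
                buf.append(ch)
    return cmds

def flag_commands(events, watch=("sudo ", "apt install")):  # audit: typed lines worth a review
    return [(t, c) for t, c in typed_commands(events) if any(w in c for w in watch)]
```

Input events are only present when the recorder captures stdin as well as output; a proxy that sees both directions can emit them, otherwise only the output stream can be audited.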

What happens then when werbot is down? I'm assuming this is a hosted service? What happens when a session is a day long, and the output is a verbose compilation of Firefox? Is that still all stored in the database?
