Private Git Server for Pentests

I participate in bug bounties and pentests in my spare time. I save my code to a private git server that I host on AWS. This post describes the rationale and process I use for this.

Problem

When working with these programs, it is often part of the NDA to handle client data securely. This includes using encryption, no 3rd party hosting (Dropbox, Pastebin, etc.), no public disclosure, and similar reasonable requests.

Given that I like to write code during my pentests, and sometimes that code is very specific to the client/project, I wouldn’t even be able to push it to a private repo on a 3rd party site like GitHub/GitLab/Bitbucket. Backing up to Dropbox is out of the question. This leaves me in a tough spot if I want to back up code I’ve written or even possibly share it with other people on the project.

Solution

Enter gitolite, which “allows you to setup git hosting on a central server, with fine-grained access control and many more powerful features.” According to their website, it is used by some pretty well-known organizations:

  • kernel.org
  • Fedora Project
  • KDE project
  • Gentoo Linux

While I could have simply set up a stock Ubuntu system and used bare git repositories over SSH, I wanted a bit more control over permissions should the need arise to share code. This is the result:

The server state is maintained on an EBS volume so that redeployments don’t totally destroy any repositories hosted on the server. Additionally, it maintains the /home/git/.ssh directory across redeployments so that the same SSH host key is always used.

If I want to update the server to get the latest patches (I do this every few weeks), I just run the following scripts:

# Build the base image using Packer.
cd boxes/base
bash build.sh

# Build the git image using Packer.
cd ../git
bash build.sh

# Deploy the git image using Terraform.
cd ../../terraform/ec2/git
bash configure-state.sh
bash deploy.sh

For those who are interested, I follow a similar process for my blog. See here for the Packer files and here for the Terraform files.

Ease of use

Administration of the git server is incredibly simple. It is designed to be configured using a git repo. I’ve found this to be very customizable and intuitive. User management is as simple as adding a .pub file to the keydir directory. Design decisions like that make it quite easy to use.
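As an added illustration of the kind of fine-grained access control mentioned above (a constructed conf/gitolite.conf, not the author's actual configuration), the following gives one engagement team push rights without letting them rewrite history or push straight to main; the user names, group names and repo prefix are made up:

```text
# conf/gitolite.conf (constructed example). Each user is identified by the
# file name of their key in keydir/, e.g. keydir/alice.pub -> user "alice".

@admins     = alice
@acme-team  = bob carol

# Only admins may change the access configuration itself.
repo gitolite-admin
    RW+                 = @admins

# One repository per engagement, created on first push ("C" permission),
# so the name only has to match this pattern, e.g. engagements/acme-webapp.
# Rules are evaluated top to bottom; the first matching rule wins, so the
# deny rule sits before the team's RW rule.
repo engagements/acme-[a-z0-9-]+
    C                   = @admins
    RW+                 = @admins        # admins may force-push and delete refs
    -   refs/heads/main = @acme-team     # team may not push to main directly
    RW  refs/heads/     = @acme-team     # team may push other branches (no rewrite)
    R                   = @acme-team     # team may clone and fetch
```

Adding a collaborator is then a matter of committing their public key as keydir/<name>.pub, adding <name> to the relevant group, and pushing the gitolite-admin repo; removing the key and group entry revokes access the same way.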