# BR-CESSA Server — Access Notes

> **Do NOT store passwords in this file or in git.** The `adm1` password is sent in a separate
> email and should be kept in a password manager only.

## The virtual machine (HKUST ITSO VaaS)

| Field | Value |
|---|---|
| DNS name | **br-cessa.ust.hk** |
| IP address | **143.89.208.14** (subnet 143.89.208.0/24, GW 143.89.208.254) |
| OS | Ubuntu Linux (HKUST VaaS catalog) |
| Department | ENVR |
| Administrative owner | zhining@ust.hk (Prof. Zhi NING) |
| Technical contact | huangw@ust.hk, nkgali@ust.hk |
| Created by | huangw@ust.hk |
| Login account | **adm1** (password sent separately) |
| Self-service portal | https://vra.ust.hk (manage power, firewall, snapshots, lease) |

## 1. Connect to the server (SSH)

By default the VM firewall **only allows SSH from the HKUST VaaS VPN subnet**, so you must be on
the HKUST SSL VPN first.

1. Connect the **HKUST SSL VPN**: open the SSL VPN client → server `remote.ust.hk` → sign in →
   approve the DUO 2FA prompt. (Install guide: ITSO "Secure Remote Access (VPN)".)
2. SSH in:
   ```
   ssh 143.89.208.14 -l adm1
   ```
   (Windows users can use PuTTY with host `143.89.208.14`, user `adm1`.)
3. Enter the `adm1` password (from the separate email). On first login, change it:
   ```
   passwd
   ```

## 2. Managing the VM (self-service portal)

Sign in to **https://vra.ust.hk** (VPN required) to:
- Power the server on or off, reset it, and take **snapshots** before big changes.
- Configure **firewall rules** and **firewall tags** (see deployment — needed to make the site public).
- **Change the lease**: the VM has a **1-year lease**; it is automatically powered off at expiry
  and deleted after a 90-day grace period. Renew the lease before it expires. Email alerts go to
  the owner (zhining@ust.hk) and the department CSC.

## 3. Backups

All VaaS servers have **daily backups**. To restore a file or the server, email
`vm-restore@lists.ust.hk` with the VM name, the backup date and what to restore.

## 4. Good security hygiene

- Keep SSH access restricted to the VPN subnet (default) — do **not** open SSH to the Internet.
- Only open HTTP/HTTPS to the Internet (via the "Internet Web" firewall tag) for the website.
- Use strong, unique passwords for `adm1` and for the admin area; store both in a password manager.
- Auto-updates run nightly 00:00–06:00 (HKUST VaaS default).
