In this blog post, you’ll learn how to record SSH sessions on a Red Hat Enterprise Linux (RHEL) VSI in a private VPC network using in-built packages. The VPC private network is provisioned through Terraform and the RHEL packages are installed using Ansible automation. Additionally, you’ll learn how to set up a highly available bastion host.
What is session recording and why is it required?
A bastion host and a jump server are both security mechanisms used in network and server environments to control and enhance security when connecting to remote systems. They serve similar purposes but have some differences in their implementation and use cases. The bastion host is placed in front of the private network to take SSH requests from public traffic and pass the request to the downstream machine. Bastion host and jump servers are vulnerable to intrusion because they are exposed to public traffic.
Session recording helps an administrator of a system to audit user SSH sessions and make sure they comply with regulatory requirements. In the event of a security breach, the administrator will want to audit and analyze the user sessions. This is critical for a security-sensitive system.
What is a private VPC network?
A virtual private cloud is completely private if there is no public ingress or outgress network traffic. In simple technical terms, it’s private if there are no public gateways on the subnets (private subnets) and no floating IPs on the Virtual Server Instances (VSIs).
How do I connect to the private VPC network?
Client-to-site VPN for VPC is one of the two VPN options available on IBM Cloud, and it allows users to connect to IBM Cloud resources through secure, encrypted connections.
The client-to-site VPN is highly available, with two VPN servers that are created in two different availability zones in the same region. The bastions are highly available as well.
You can see in Figure 1 that after you SSH into the RHEL machine, you will see a note saying: ATTENTION! Your session is being recorded!
Check the session recordings, logs and reports
If you closely observe the messages post-SSH, you will see a URL to the web console that can be accessed using the machine name or private IP over port 9090. To allow traffic on port 9090, in the Terraform code, change the value of allow_port_9090 variable to true and run terraform apply. The latest terraform apply will add ACL and security group rules to allow traffic on port 9090.
Now, open a browser and navigate to http://10.10.128.13:9090. To access using the VSI name, you need to set up a private DNS (out of scope for this article). You need a root password to access the web console:
Navigate to Session Recording on the left-hand side to see the list of session recordings. Along with session recordings, you can check the logs, diagnostic reports, etc.:
This article covered why session recording is required in bastion hosts for auditing and compliance and how session recording can be set up with the built-in RHEL packages using Ansible Automation.
While designing a secured virtual private cloud network, you learned the best practices in architecting a VPC private network. We also covered the need to build highly available VPN servers and bastion hosts. With the provisioning of cloud infrastructure using Terraform and Ansible for session recording, you got hands-on experience.