CloudOps At Scale: Secure access patterns using Bastion Host and Transfer.Sh

Bhuvanesh
Mar 4 · 6 min read

In the cloud world, security is paramount. Cloud providers keep adding new features to make the infrastructure secure. In this post we are going to set up a bastion server to secure SSH access on any cloud infrastructure, such as AWS, GCP and Azure.

Is a bastion the same as a jump host?

Actually not. A jump host lives in the same network as the hosts you want to connect to. A bastion host is located somewhere else and needs additional security controls in order to reach other networks.

At Searce, we manage cloud infrastructure for multiple customers across AWS, GCP and Azure on a 24*7 basis. When we have to provide access to our CloudOps teams, it is not efficient to write multiple firewall rules / security groups, hop on to each customer's bastion host, and so on. So we have deployed our own bastion server to access all of the customers' infrastructure.

What’s new here?

It's just a bastion host setup, so why do we need to blog about it? There are many blogs and documentation pages about setting up a bastion server. But here we have added a few ingredients to the recipe:

  1. SSH session recording.
  2. Two-factor authentication enabled.
  3. Transfer.sh for sharing files between any servers.
  4. Automated user management.
  5. Easy restore of the users onto a new bastion server.

Enable SSH Session Recording:

This option records every command that a user executes, along with the command output. With it, we can easily find out if someone did something wrong. This has already been published on the AWS blog, but we have done it on GCP.

Create the directory for session recording log files.

Here our admin user is sqladmin, so make this user the owner of the bastion log directory.

Make OpenSSH execute a custom script on logins.

Remove some features from SSH to make it more restricted.

Create a shell script to capture the user's session.

Prevent bastion host users from viewing processes owned by other users, because the log file name is one of the script's execution parameters and would otherwise be visible in the process list.

Restart the SSH service to apply /etc/ssh/sshd_config modifications.

You can sync the log files in /var/log/bastion/* to S3, GCS or Azure Blob.

To verify the session recording, log in to the bastion server; you will get the welcome message below.

We can also find the log files.
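As an added example (not the post's own script, which is not reproduced above), here is a ForceCommand wrapper that does what the recording step describes: it derives a log name from the timestamp and the login name, refuses non-interactive commands, and hands the session to script(1). The install path /usr/local/sbin/bastion-record, the function names, the BASTION_LOG_DIR override and the SSH_CONNECTION guard are assumptions; it expects /var/log/bastion to exist and be writable, as created in the earlier step.

```shell
#!/bin/sh
# Hypothetical recording wrapper for sshd. Wire it in with these lines in
# /etc/ssh/sshd_config (ForceCommand path is an assumption):
#   ForceCommand /usr/local/sbin/bastion-record
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTunnel no

LOG_DIR="${BASTION_LOG_DIR:-/var/log/bastion}"

# Build the log file name from the timestamp and the authenticated login
# name only, dropping every character that is not safe in a file name, so
# a user cannot steer the recording to another path.
bastion_log_name() {
    _stamp=$1
    _user=$(printf '%s' "$2" | tr -cd 'A-Za-z0-9_.-')
    printf '%s/%s_%s.log' "$LOG_DIR" "$_stamp" "$_user"
}

# Only interactive logins are recorded, so a forced remote command
# (scp/sftp, "ssh host cmd") is rejected instead of running unrecorded.
# Returns 0 when the session may proceed, 1 when it must be refused.
bastion_allow_session() {
    if [ -n "${1:-}" ]; then
        printf 'This bastion host only supports interactive sessions.\n' >&2
        return 1
    fi
    return 0
}

bastion_record_session() {
    _log=$(bastion_log_name "$(date +%Y-%m-%d_%H-%M-%S)" "${USER:-$(id -un)}")
    printf 'NOTE: This SSH session will be recorded.\n'
    # script(1) starts the login shell and appends everything typed and
    # printed to the log; -q suppresses its banners, -f flushes after every
    # write so the file is readable while the session is still open.
    exec script -q -f -c "${SHELL:-/bin/bash}" "$_log"
}

# Act only when started by sshd (which sets SSH_CONNECTION); otherwise the
# functions above are merely defined, so the file is safe to source.
if [ -n "${SSH_CONNECTION:-}" ]; then
    bastion_allow_session "${SSH_ORIGINAL_COMMAND:-}" || exit 1
    bastion_record_session
fi
```

Because the log path is passed to script(1) on its command line, the hidepid mount on /proc from the earlier step is what keeps other users from reading it.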

Configure SMTP with Postfix and integrate AWS SES:

Before installing Google Authenticator and the other components, we are going to install the Postfix mail agent and integrate it with AWS SES. (If you have your own mail server, you can skip this part.)

Send the test message:

Enable 2FA with Google Authenticator:

Install Google Authenticator:

Set up Google Authenticator in the SSH config

Save the config file and restart the SSH service.

Automate User Creation:

This shell script creates the user with Google Authenticator along with public-key authentication, then automatically sends the private key and the Google Authenticator QR code by email.

It will also sync the user's public/private keys and Google Authenticator files to a GCS bucket. (You can modify this script to sync this information to S3 or Azure Blob.)

  1. Username: name of the user.
  2. Email: email address to which the private key and Google QR code are sent.
  3. Super User: does this user need root access? 'Y' if yes, else 'N'.

Create a user and test the MFA:

Configure Transfer.sh on bastion:

Now we are going to set up transfer.sh via Docker.

I have a 100G volume attached at /transfer, and I want all uploaded files to go to this mount point.

  • tmp dir: /transfer/tmp
  • upload files location: /transfer/uploads

Open your browser and hit the IP of the bastion server.

You can use a custom port, SSL and so on with this Docker container. In our setup this port is only opened to the customer's jump host. So we transfer the files from our computers to the bastion server and download them from the customer's jump box.

Conclusion:

This is our current setup, but you can do a lot of customization. This bastion server only helps you switch to Linux servers, not Windows. Use a custom port for the bastion server's SSH, or restrict the SSH port in the security group. You can also take advantage of the login page for the transfer.sh web interface, and many other things.

We used the lines below inside the user creation shell script to transfer files in one command.

Searce Engineering

We identify better ways of doing things!
