Securely record SSH sessions on RHEL in a private VPC network

In this blog post, you'll learn how to record SSH sessions on a Red Hat Enterprise Linux (RHEL) VSI in a private VPC network using built-in packages. The private VPC network is provisioned with Terraform, and the RHEL packages are installed using Ansible automation. Additionally, you'll learn how to configure a highly available bastion host.

What is session recording and why is it required?

Both a bastion host and a jump server are security mechanisms used in network and server environments to control and improve security when connecting to remote systems. They serve similar purposes but differ somewhat in their implementation and use cases. The bastion host is placed in front of the private network to accept SSH requests from public traffic and forward them to the downstream machine. Bastion hosts and jump servers are exposed to public traffic, which makes them a prime target for intrusion attempts.

Session recording helps a system administrator audit users' SSH sessions and ensure that they comply with regulatory requirements. In the event of a security breach, the administrator will need to audit and analyze user sessions. This is essential for a security-sensitive system.

What is a private VPC network?

A virtual private cloud is fully private if there is no ingress or egress public network traffic. In simple technical terms, it is private if there are no public gateways on the subnets (private subnets) and no floating IP addresses on the virtual server instances (VSIs).

How do I connect to the private VPC network?

Client-to-Site VPN for VPC is one of the two VPN options available on IBM Cloud and allows users to connect to IBM Cloud resources over secure, encrypted connections.

The Client-to-Site VPN is highly available, with two VPN servers created in two different Availability Zones of the same region. The bastion hosts are also highly available.

Provision the private VPC network using Terraform

Once you have the IBM Cloud Secrets Manager secret holding the certificate, open your terminal and set the following Terraform variables:

export TF_VAR_ibmcloud_api_key=
export TF_VAR_secrets_manager_certificate_crn=

Clone the repository and move into the Terraform folder:

git clone
cd terraform

Run the Terraform commands to provision the VPC resources (subnets, bastion hosts (VSIs), VPN, and so on):

terraform init
terraform plan
terraform apply

Connect to the Client-to-Site VPN

Once the VPC resources are successfully provisioned, you need to download the VPN client profile by navigating to the IBM Cloud VPN Servers page. Click the Client-to-Site Servers tab, then the name of the VPN, and download the profile from the Clients tab. The VPN provisioned through Terraform uses certificate authentication. Follow the instructions here to connect with the OpenVPN client. You should see the successful connection in your OpenVPN client:

Test the SSH connection

On a terminal, add the SSH private key to the SSH agent with the following command:

ssh-add

Example:

ssh-add ~/.ssh/

Run the following command to SSH into the RHEL VSI through a bastion host. You will use the private IP address of the bastion in zone 1 as the jump host:

ssh -J [email protected] [email protected]

Remember that you must be connected to the Client-to-Site VPN to reach the RHEL VSI through the bastion host. After logging in, you should see instructions for enabling SSH session recording using the tlog package on RHEL.

Deploy session recording using Ansible

To deploy the session recording solution, you must have the following packages installed on the RHEL VSI:

tlog
SSSD
cockpit-session-recording

The packages are installed via Ansible automation on all VSIs, both the bastion hosts and the RHEL VSIs.

Move to the Ansible folder:

cd ansible

Create hosts.ini from the template file:

cp hosts_template.ini hosts.ini

Run the Ansible playbook to install the packages from a private IBM Cloud mirror/repository:

ansible-playbook main_playbook.yml -i hosts.ini --flush-cache
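The playbook below is an added example, not the repository's main_playbook.yml. It installs the three packages listed above, turns on recording for every user through SSSD (which hands recorded users the tlog-rec-session shell at login), and enables the web console that the later section reaches on port 9090. It assumes inventory groups named rhel and bastions, an active firewalld on the hosts, and the ansible.posix collection; the VPC ACL and security group rules from the Terraform step are still needed for the console to be reachable from the VPN.

```yaml
# Added example (not the article's own playbook; assumes inventory groups "rhel" and "bastions"
# and an active firewalld). Records every user's shell session with tlog via SSSD.
- name: Enable SSH session recording with tlog, SSSD and the web console
  hosts: rhel:bastions
  become: true
  vars:
    session_recording_scope: all   # "some" would also need users=/groups= lines below
  tasks:
    - name: Install the session recording packages
      ansible.builtin.dnf:
        name:
          - tlog
          - sssd
          - cockpit-session-recording
        state: present
    - name: Tell SSSD to give recorded users the tlog-rec-session shell at login
      ansible.builtin.copy:
        dest: /etc/sssd/conf.d/sssd-session-recording.conf
        owner: root
        group: root
        mode: "0600"   # SSSD refuses config files that are not root-only
        content: |
          [session_recording]
          scope = {{ session_recording_scope }}
      notify: Restart sssd
    - name: Make sure SSSD is running so the shell substitution takes effect
      ansible.builtin.systemd:
        name: sssd
        enabled: true
        state: started
    - name: Enable the web console, which hosts the Session Recording page
      ansible.builtin.systemd:
        name: cockpit.socket
        enabled: true
        state: started
    - name: Open the host firewall for the web console (port 9090)
      ansible.posix.firewalld:
        service: cockpit
        permanent: true
        immediate: true
        state: enabled
  handlers:
    - name: Restart sssd
      ansible.builtin.systemd:
        name: sssd
        state: restarted
```

Recorded sessions are written to the journal and listed under Session Recording in the web console; the "ATTENTION! Your session is being recorded!" banner shown in the next step is tlog's default notice from /etc/tlog/tlog-rec-session.conf.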

You can see in Figure 1 that after SSHing into the RHEL machine, you are shown a notice saying: ATTENTION! Your session is being recorded!

Check session recordings, logs and reports

If you look closely at the post-login messages, you will see a URL for the web console, reachable via the machine name or private IP address on port 9090. To allow traffic on port 9090, change the allow_port_9090 variable in the Terraform code to true and run terraform apply again. This Terraform apply adds the ACL and security group rules that permit traffic on port 9090.

Now open a browser and navigate to the web console URL. To access it using the VSI name, you must configure private DNS (out of scope for this article). You need the root password to log in to the web console. Go to Session Recording in the left-hand menu to see the list of session recordings. Besides session recordings, you can view logs, diagnostic reports, and so on:

This article explained why session recording is required on bastion hosts for auditing and compliance purposes, and how session recording can be configured with built-in RHEL packages using Ansible automation.

While designing a secure virtual private cloud network, you learned best practices for architecting a private VPC network. We also discussed the need for highly available VPN servers and bastion hosts. By provisioning the cloud infrastructure with Terraform and deploying session recording with Ansible, you have gained hands-on experience.

Learn more about IBM Cloud VPC

If you have any questions, please don't hesitate to contact me on Twitter or on LinkedIn.

Senior Solutions Architect and Cloud Deployment Leader