SSH Jump Server, SSH Bastion host, SSH Jump host for PCI DSS and other security compliance


An SSH jump server, or bastion host, is a fortified central gateway server that all your staff log in to first via SSH before accessing any other servers behind it. The fortified server is also known as a bastion host, SSH jump host or SSH jump box. A jump host helps in meeting PCI DSS and other security compliance requirements.

Using an intermediate SSH jump server increases security and eases the management of your Linux production servers. Ezeelogin is SSH gateway software that helps you set up a secure jump server very quickly and comes with many security and automation features. The diagram below gives a better idea of how an SSH jump server works.

SSH Gateway – SSH Bastion Host – SSH Jump Host – SSH Jump Box – SSH Jump Server

Advantages of using an SSH jump server (also called a 'bastion host')

  • Built-in identity and access management for your staff
  • Intuitive SSH interface for accessing Linux nodes
  • SSH access to Linux production servers for your staff without sharing the SSH private keys or passwords
  • Two-factor authentication for SSH and for the panel: YubiKey, Google Authenticator and Duo Security 2FA are integrated.
  • Recording of the SSH sessions of your system administrators or DevOps engineers for forensic audits, so that you know who did what, on which server and when.
  • Privileged access management, so that you know who gets root access and who gets non-privileged access.
  • SSH key management, so that you can rotate keys easily on multiple servers.
  • Root password management, so that you can reset the root password on your production Linux servers in a click.
  • Integrated parallel shell, so that you can execute a command on many servers simultaneously.
  • Access to control panels like cPanel/WHM and more in a click
  • PCI DSS 3.2, SOX, SOC 2, FFIEC, NERC CIP, ISO 27001 and HIPAA compliance requirements can be met quickly
ssh jump server interface

SSH Jump Host with YubiKey SSH two-factor authentication

SSH with YubiKey 2FA authentication

YubiKey-based SSH two-factor authentication is integrated into the Ezeelogin SSH jump host for extra security. Even if someone steals your username and password (which is increasingly common), they cannot access your jump host without your physical key. The YubiKey generates a one-time password that can be used only once, so an attacker would need physical possession of your YubiKey to produce a valid OTP.


Four-eyes authorization for Sarbanes-Oxley (SOX), PCI and HIPAA security compliance

four eyes authorization for sox compliance

The Sarbanes-Oxley Act of 2002 (SOX) is an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations. The SOX Act mandated strict reforms to improve financial disclosures from corporations and to prevent accounting fraud. It was created in response to accounting malpractice in the early 2000s, when public scandals at Enron Corporation, Tyco International plc and WorldCom shook investor confidence in financial statements and demanded an overhaul of regulatory standards.

The Sarbanes-Oxley Act, or SOX compliance, requires that critical tasks are NOT executed by a single individual: critical transactions or tasks must be authorized by two persons rather than one. When managing server or cloud infrastructure, a critical action like viewing SSH session recordings should likewise be authorized by a supervisor.


SSH Key Management

ssh key management

SSH key-based authentication is the default method that any Linux admin would choose for granting SSH access to Linux servers or Linux cloud instances. It is the preferred method since it is far more secure, and more widely used, than password-based authentication. The two commonly used key types for authentication are RSA and DSA; RSA keys are preferred since DSA is known to be weak (OpenSSH disables ssh-dss keys by default from version 7.0).

It is good to have SSH key-based authentication, but imagine the amount of management required if you have 100 employees and 1000 Linux instances. How do you grant the employees access to a thousand Linux servers or cloud instances? How do you add the SSH keys to grant access? How do you remove the SSH keys when an employee leaves the company? How do you rotate the keys?

You would have to manually add the keys to all the Linux servers and cloud instances to grant access, and when an employee leaves, you would have to ensure that the employee's public keys are removed from all your servers; failing to do so is a serious security issue.

Ezeelogin helps you address the following issues:

  1. SSH key rotation
  2. Centralised SSH key management
  3. Reducing the overhead of managing SSH keys to almost zero


Parallel Shell

Parallel shell – run commands on multiple Linux servers or cloud instances simultaneously

If you are in charge of large server farms, clusters of Linux nodes for high-performance computing, or cryptocurrency mining farms, the parallel shell lets you manage multiple Linux servers or cloud instances easily and quickly.

The parallel shell is built into the backend shell of the Ezeelogin SSH jump host. You work with it as you would with a normal bash shell, and the command is executed simultaneously on multiple Linux servers.

Imagine that you are the security engineer in charge of a fleet of Linux servers or AWS instances. One fine morning, as you go through your daily routine, you are notified of a critical kernel vulnerability. As a responsible security officer, you do not want to postpone patching the kernels until the next day, since the longer the delay, the greater the possibility of a security breach.

In such critical scenarios the parallel shell feature is extremely useful, as you can compile the kernel on a thousand machines in the time it takes to compile a kernel for one server.

This feature is a godsend for many; however, with great power comes great responsibility. The image shows a command being executed using the parallel shell.

parallel shell – multiple Linux server management

Some of the benefits of this feature are:

  1. Improved productivity of your system administrators and DevOps engineers
  2. Improved efficiency in managing Linux nodes or cloud/AWS instances
  3. Easy simultaneous execution of a command on a group of servers, with no hard configuration required
  4. Better and faster management of Linux servers and cloud instances
  5. Easy copying of files across a group of servers
  6. Easy server orchestration when you have many Linux instances
  7. No need to install agents on remote machines
  8. Faster setup
  9. Faster delivery of services
  10. Runs on OpenSSH
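How a parallel shell of this kind can be built on plain OpenSSH, as an added example that is not Ezeelogin's code: the POSIX shell script below fans one command out to a list of hosts, keeps every host's output and exit status apart, batches connections so that a thousand-host run does not open a thousand sessions at once, and reports which hosts failed. The host names, the PSHELL_LOCAL offline mode and the PSHELL_MAX batch size are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Ezeelogin's code): a minimal parallel shell in POSIX sh.
# Runs one command on many hosts concurrently, keeps each host's output and
# exit status separate, and prints a per-host summary at the end.
#
# Assumptions (constructed for this example):
#   - Remote execution normally goes through OpenSSH with key-based auth.
#   - Setting PSHELL_LOCAL=1 replaces ssh with a local shell so the example
#     runs offline; each simulated host sees its own name in $HOST.

# remote_exec HOST CMD: run CMD on HOST.
remote_exec() {
    if [ -n "${PSHELL_LOCAL:-}" ]; then
        HOST="$1" sh -c "$2"
    else
        # BatchMode=yes never prompts for a password: only keys are used, so a
        # host with a missing key fails fast instead of hanging the whole job.
        ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" "$2"
    fi
}

# parallel_shell CMD HOST...: run CMD on every HOST, at most ${PSHELL_MAX:-8}
# at a time. Returns the number of hosts that failed (0 = every host succeeded).
parallel_shell() {
    cmd=$1; shift
    workdir=$(mktemp -d) || return 255
    i=0; running=0
    for host in "$@"; do
        i=$((i + 1))
        # Each host gets its own stdout/stderr/rc files, indexed by position so
        # that unusual host names cannot break the file layout.
        (
            remote_exec "$host" "$cmd" >"$workdir/$i.out" 2>"$workdir/$i.err"
            echo $? >"$workdir/$i.rc"
        ) &
        running=$((running + 1))
        if [ "$running" -ge "${PSHELL_MAX:-8}" ]; then
            wait; running=0      # simple batching: let this batch finish first
        fi
    done
    wait

    failed=0; i=0
    for host in "$@"; do
        i=$((i + 1))
        rc=$(cat "$workdir/$i.rc" 2>/dev/null || echo 255)
        [ "$rc" -eq 0 ] || failed=$((failed + 1))
        printf '=== %s (exit %s) ===\n' "$host" "$rc"
        cat "$workdir/$i.out"
        sed 's/^/stderr: /' "$workdir/$i.err"
    done
    rm -rf "$workdir"
    return "$failed"
}

# Offline demo: three simulated hosts, one of which fails its health check.
PSHELL_LOCAL=1 parallel_shell 'echo "kernel: $(uname -r) on $HOST"; test "$HOST" != web2' web1 web2 db1
echo "failed hosts: $?"
```

Because BatchMode=yes refuses to prompt, a host whose key is missing fails immediately and shows up in the summary instead of stalling the batch. Reading that summary before trusting a fleet-wide change is the "great responsibility" part: a non-zero return value means some hosts were not patched.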

SSH BRUTEFORCE

SSH BRUTEFORCE ATTACK: How to defend against it effectively?

ssh bruteforce attack

Attackers frequently target Linux servers and try to brute-force the SSH daemon running on them. If the root password you have set is weak, they can quickly gain access to your Linux server, and your machines could become part of a wider botnet, launching DDoS attacks, sniffing traffic and doing other nefarious things without the system administrator knowing about it.
The best ways to defend are:


  1. Disable password-based authentication and use only key-based authentication; this is the most effective way to defeat brute-force attacks.
  2. If you have to enable password-based authentication for some reason, drop all SSH traffic to your server by default and allow only the IPs that you know will be accessing your server over SSH.
  3. Use the AllowUsers directive in the SSH configuration to allow only certain users or IPs. In /etc/ssh/sshd_config you can specify a list of allowed users like this: AllowUsers rick@98.122.22.2 root@126.22.10.1 This allows only the user rick to SSH in from the IP 98.122.22.2, and the user root only from 126.22.10.1.
  4. Set very strong passwords that are more than 10 characters long. The Ezeelogin SSH jump host's password management feature helps you set 30-character complex passwords.
  5. Reset the passwords frequently, e.g. once a day. The password management feature in the Ezeelogin SSH gateway does that automatically for you at the click of a button.
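An added example (not from Ezeelogin or OpenSSH) that checks an sshd_config against points 1 and 3 above, together with the root-login and retry limits that usually go with them. It deliberately handles two details that make hand-hardening go wrong: sshd honours the first value of a keyword it reads, and settings under a Match line are conditional rather than global. The two configuration files are constructed for this example.

```shell
#!/bin/sh
# Added example (not Ezeelogin's code): audit an sshd_config for the
# brute-force defences listed above. Two things trip people up when sshd is
# hardened by hand, and the checker handles both:
#   * sshd uses the FIRST value it finds for a keyword, so a hardened line
#     appended at the end of the file does nothing if an earlier line exists;
#   * settings inside a "Match" block are conditional, so only lines above the
#     first Match line count as the global policy.

# sshd_effective FILE KEYWORD: print the effective global value (first match
# wins, keyword is case-insensitive, "key value" and "key=value" both accepted).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (!match(line, /^[A-Za-z0-9]+/)) next
            kw = tolower(substr(line, 1, RLENGTH))
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (kw == "match") exit                      # end of global section
            if (kw == key) { print val; exit }           # first occurrence wins
        }' "$1"
}

# audit_sshd_config FILE: print findings, return the number of findings.
audit_sshd_config() {
    f=$1; n=0
    v=$(sshd_effective "$f" PasswordAuthentication)
    if [ "${v:-yes}" != "no" ]; then            # OpenSSH default is yes when unset
        echo "FAIL PasswordAuthentication=${v:-yes (default)}: disable passwords, use keys"; n=$((n+1))
    fi
    v=$(sshd_effective "$f" PubkeyAuthentication)
    if [ "${v:-yes}" != "yes" ]; then
        echo "FAIL PubkeyAuthentication=$v: key-based login must stay enabled"; n=$((n+1))
    fi
    v=$(sshd_effective "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$v" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin=${v:-unset}: root must not log in with a password"; n=$((n+1)) ;;
    esac
    v=$(sshd_effective "$f" AllowUsers)
    if [ -z "$v" ]; then
        echo "WARN AllowUsers unset: restrict logins, e.g. 'AllowUsers rick@98.122.22.2'"; n=$((n+1))
    else
        for entry in $v; do
            case "$entry" in
                *@*) ;;                          # user@host form, as in point 3
                *) echo "NOTE AllowUsers entry '$entry' is not pinned to a source address" ;;
            esac
        done
    fi
    v=$(sshd_effective "$f" MaxAuthTries)
    if [ "${v:-6}" -gt 4 ]; then
        echo "WARN MaxAuthTries=${v:-6 (default)}: lower it to slow down guessing"; n=$((n+1))
    fi
    return "$n"
}

# Constructed "before": passwords on, root login allowed, and a hardening line
# appended at the bottom that never takes effect because of first-match-wins.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 10
# appended later by a hardening script, silently ignored by sshd:
PasswordAuthentication no
EOF

# Constructed "after": keys only, root limited to keys, logins pinned to known
# source addresses; the Match block does not change the global policy.
HARD_CFG=$(mktemp)
cat >"$HARD_CFG" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
AllowUsers rick@98.122.22.2 root@126.22.10.1
Match User backup
    ForceCommand /usr/local/bin/backup-only
EOF

echo "--- weak ---";     audit_sshd_config "$WEAK_CFG" || echo "$? finding(s)"
echo "--- hardened ---"; audit_sshd_config "$HARD_CFG" && echo "no findings"
```

Run it against /etc/ssh/sshd_config on a host before and after a change; the check on the weak file shows why "append PasswordAuthentication no and reload" is not enough when an earlier line already sets it.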

SSH Two Factor Authentication

SSH gateway and jump host with DUO 2FA


The Ezeelogin SSH jump host and SSH gateway supports Duo Security two-factor authentication (2FA), which means that anyone with a smartphone can easily use it as the second layer of authentication. With Duo you don't have to type in complex strings or numbers; just tap on the smartphone screen and you are securely authenticated. No extra devices like RSA keys or security-token generators have to be carried, since you already have a smartphone with you to authenticate into your SSH gateway.

Bastion host with Google 2FA for PCI DSS

bastion host with 2 factor authentication

A bastion host with two-factor authentication ensures that SSH access to your production Linux servers, AWS instances or other cloud instances via the SSH jump server or SSH jump host is highly secure. We have integrated Google two-factor authentication into SSH. A user installs the Google Authenticator app on a smartphone; the app displays an additional six-digit one-time password, which the user enters to confirm their identity.

OpenSSH 7.0 disables DSA keys by default

The road ahead was never bright for DSA keys, and the writing was clearly on the wall. The Ezeelogin SSH gateway will be dropping DSA keys and will use ONLY RSA keys in future releases.

Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has been disabled by default at runtime due to their inherent weakness. If you rely on these key types, you will have to take corrective action or risk being locked out. Your best option is to generate new keys using strong algorithms such as RSA, ECDSA or Ed25519. RSA keys will give you the greatest portability with other clients and servers, while Ed25519 will give you the best security with OpenSSH (but requires recent versions of client and server).

If you are stuck with DSA keys, you can re-enable support locally by updating your sshd_config and ~/.ssh/config files with lines like so:

     PubkeyAcceptedKeyTypes=+ssh-dss

Be aware, though, that eventually OpenSSH will drop support for DSA keys entirely, so this is only a stop-gap solution.

More details can be found on OpenSSH's website: http://www.openssh.com/legacy.html
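The following script, added here and not part of Ezeelogin, covers the two problems raised in the SSH Key Management section above and in this note: offboarding or rotating one user's key in an authorized_keys file without disturbing other entries, and finding the ssh-dss keys that an OpenSSH 7.0 upgrade will silently stop accepting. Keys are matched on their base64 blob, so a line that carries extra options (from=, command=) or a different comment is still recognised. The sample authorized_keys file and the key blobs are constructed and are not valid key material.

```shell
#!/bin/sh
# Added example (not Ezeelogin's code): authorized_keys maintenance in POSIX sh.
# Key lines look like: [options] keytype base64-blob [comment]. The awk helper
# finds the key-type field by shape, so leading options such as from="..." or
# command="... ..." (which may contain spaces) are skipped, not mistaken for it.
AK_LIB='
function keyfield(  i) {                # index of the key-type field, 0 if none
    for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/ && $(i+1) ~ /^[A-Za-z0-9+\/]+=*$/) return i
    return 0
}'

# key_blob PUBKEY: the base64 blob of a single public key string ("" if none).
key_blob() { printf '%s\n' "$1" | awk "$AK_LIB"'{ i = keyfield(); if (i) print $(i+1) }'; }

# ak_keys FILE: print "type blob" for every key line, skipping comments.
ak_keys() {
    awk "$AK_LIB"'/^[ \t]*#/ || /^[ \t]*$/ { next } { i = keyfield(); if (i) print $i, $(i+1) }' "$1"
}

# ak_has FILE PUBKEY: 0 if the blob is present, 1 if absent, 2 if PUBKEY is not a key.
ak_has() {
    blob=$(key_blob "$2"); [ -n "$blob" ] || return 2
    ak_keys "$1" | awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }'
}

# ak_add FILE PUBKEY: append the key once (idempotent). Keep the file mode 0600.
ak_add() {
    ak_has "$1" "$2"; rc=$?
    [ "$rc" -eq 1 ] || return "$rc"          # 0: already present, 2: not a key
    printf '%s\n' "$2" >>"$1"
}

# ak_remove FILE PUBKEY: delete every line carrying that blob, whatever its
# options or comment. Offboarding a user means removing their blob everywhere.
ak_remove() {
    blob=$(key_blob "$2"); [ -n "$blob" ] || return 2
    tmp=$(mktemp) || return 1
    awk -v b="$blob" "$AK_LIB"'{ i = keyfield(); if (i && $(i+1) == b) next; print }' "$1" >"$tmp" \
        && cat "$tmp" >"$1"                  # cat, not mv: keeps file mode and owner
    rm -f "$tmp"
}

# ak_rotate FILE OLDKEY NEWKEY: install the new key before dropping the old one,
# so there is never a moment with no valid key for the user.
ak_rotate() { ak_add "$1" "$3" && ak_remove "$1" "$2"; }

# ak_legacy FILE: list ssh-dss keys (disabled by default since OpenSSH 7.0);
# the return value is the number found, so 0 means "nothing to migrate".
ak_legacy() {
    ak_keys "$1" | awk '$1 == "ssh-dss" { n++; print "ssh-dss " $2 " must be replaced before upgrading" }
                        END { exit n + 0 }'
}

# Constructed sample file (fake key material) with options and mixed key types.
AK=$(mktemp)
cat >"$AK" <<'EOF'
# constructed sample authorized_keys; the key material is fake
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleRSAblob alice@laptop
from="10.0.0.5",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPexampleDSAblob bob@old-workstation
command="/usr/local/bin/backup-only --verify" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleEd25519blob backup@nas
EOF
BOB_OLD='ssh-dss AAAAB3NzaC1kc3MAAACBAPexampleDSAblob bob@old-workstation'
BOB_NEW='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINewExampleBlobForBob bob@new-workstation'

# Demo on a copy: find the legacy key, rotate bob to ed25519, list what is left.
DEMO="$AK.demo"; cp "$AK" "$DEMO"
ak_legacy "$DEMO" || echo "$? legacy key(s) to migrate before upgrading OpenSSH"
ak_rotate "$DEMO" "$BOB_OLD" "$BOB_NEW" && echo "bob rotated to ed25519"
ak_keys "$DEMO"
```

Across a fleet this runs once per host against each account's authorized_keys (the parallel-shell pattern from the earlier section fits), and the new key is pushed and verified everywhere before the old one is removed. Note that from OpenSSH 8.5 the stop-gap option above is named PubkeyAcceptedAlgorithms; the older name PubkeyAcceptedKeyTypes is still accepted as an alias.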

Automated root password management on Linux servers

Automatic root password management

Your boss wants you to enable password-based authentication on a hundred Linux servers, set a 30-plus-character strong password on each server, share the root passwords with developers, change the root passwords again once the developers log out of the servers at the end of the day, and also reset the root password on all the Linux servers daily, because he is paranoid when it comes to security.

Well, rather than eating your boss alive, and to get a promotion instead, here is the magic wand: use the Ezeelogin root password management feature and you will be able to meet all his requirements, if not better. As a Linux system administrator you know for a fact that key-based authentication is exponentially stronger, even if your passwords are 100 characters long, but for some unearthly reason you need to have password-based authentication enabled on your hundred Linux servers.


jump server password view

Here are the key issues that the Ezeelogin root password management feature addresses:

  • Automatically set and reset strong root passwords up to 32 characters long, in a click, on hundreds or thousands of Linux servers
  • Schedule periodic resets of the root password across all your Linux servers in a click
  • Reset root passwords on all your Linux servers in a click
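What that automation amounts to at the shell level, as an added example that is not Ezeelogin's code: generate a 32-character password from the kernel's random source, hand it to chpasswd over stdin so that it never appears in a process list or in shell history, and store it in a vault file created with mode 0600. The host names, the PWM_LOCAL offline mode and the vault path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Ezeelogin's code): generate a long random root password,
# set it without the password ever appearing on a command line, and store it in
# a file only the operator can read. Assumptions: GNU or BSD coreutils,
# chpasswd(8) on the target host, and a constructed PWM_LOCAL mode so the
# example runs offline without touching any real account.

# gen_password LEN: LEN characters drawn from /dev/urandom (never $RANDOM).
# LC_ALL=C keeps tr byte-oriented; the character set avoids quotes and
# backslashes that tend to break shell and ssh quoting.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_+=-' </dev/urandom | head -c "${1:-32}"
}

# set_root_password HOST PASSWORD: feed "root:password" to chpasswd over ssh
# via stdin. Passing it as an argument would expose it in `ps` on the jump host
# and in shell history. With PWM_LOCAL=1 the change is only simulated.
set_root_password() {
    if [ -n "${PWM_LOCAL:-}" ]; then
        echo "[simulated] chpasswd on $1: root password replaced (${#2} chars)"
        return 0
    fi
    printf 'root:%s\n' "$2" | ssh -o BatchMode=yes "$1" chpasswd
}

# record_password VAULT HOST PASSWORD: append to a vault file that is created
# with mode 0600 (umask 077) so other local users cannot read it.
record_password() {
    ( umask 077; touch "$1" ) || return 1
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" >>"$1"
}

# rotate_root_password VAULT HOST [LEN]: generate, set, then record. Returns
# non-zero and records nothing if the remote change failed, so the vault never
# holds a password that is not actually in use.
rotate_root_password() {
    len=${3:-32}
    pw=$(gen_password "$len") || return 1
    [ "${#pw}" -eq "$len" ] || return 1
    set_root_password "$2" "$pw" || return 1
    record_password "$1" "$2" "$pw"
}

# rotate_fleet VAULT HOST...: a different password per host, never one shared
# across the fleet. Returns the number of hosts whose rotation failed.
rotate_fleet() {
    vault=$1; shift; failed=0
    for h in "$@"; do
        rotate_root_password "$vault" "$h" || { echo "rotation failed on $h" >&2; failed=$((failed + 1)); }
    done
    return "$failed"
}

# Offline demo: rotate three simulated hosts into a fresh vault.
VAULT="$(mktemp -d)/root-passwords"
PWM_LOCAL=1 rotate_fleet "$VAULT" web1 web2 db1 && echo "rotated 3 hosts, vault: $VAULT"
```

The daily reset the boss asked for is then a cron job that calls rotate_fleet with the host list; in a real deployment the vault would be a secrets manager or an encrypted store rather than a flat file, but the 0600 mode and the stdin hand-off to chpasswd are the two details that matter whichever store is used.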