Record SSH Session

Record SSH sessions on Linux servers and Amazon EC2 instances for security compliance

It is mandatory to record SSH sessions to be PCI DSS compliant when system administrators, system engineers or DevOps engineers log in via SSH to your Linux machines or cloud instances. It is also a must to maintain a log of all SSH activity on your Linux servers. This is a tedious task for any Linux system administrator, as deploying an improvised solution has often turned out to be useless in the hour of need.

Why should you record the SSH sessions of your staff/employees on a bastion host?

Imagine that you have 100 Linux servers or cloud instances. You have 100 users with access to these servers via SSH, some of them system admins with privileged or root access. If a user deletes a critical file or a database record and this leads to serious downtime and millions of dollars in lost revenue, the following are some of the questions you would have to answer as the security officer of your Linux infrastructure:

  • Which user did it? How will you find out who is responsible when so many of your employees access your servers?
  • How did it happen? When did it happen?
  • What is the extent of the damage?
  • How will you prevent this in the future?
  • Is it possible to track the SSH server activity of employees?
  • Is it possible to do a forensic investigation when somebody does something bad, like opening a backdoor?
  • How do you monitor a staff member's SSH session in real time?
  • Has any Linux server been breached?
  • How do you ensure that the passwords your employees type on STDIN are not recorded, as required by security compliance standards?

Enabling the SSH session recording feature in the Ezeelogin SSH jump server would help you achieve this quickly and easily, so you have a complete record of what was done on your server at any point in time and by which jump server user. This is very useful for forensic audits or for maintaining an audit trail for PCI compliance.

The solution records every SSH activity. It includes the user input and the output with timestamps. There is provision to search through the recorded SSH logs as well.

Bastion host – how to secure and harden the SSH server on it?

  1. Enable a firewall and by default block all IP access to the SSH port; allow only your staff IPs or the dynamic IP ranges that you trust.
  2. Disable direct root login. It's always better to log in as a non-privileged user first and then switch to the root user. This is the norm if you are looking for PCI DSS compliance. Edit /etc/ssh/sshd_config:

    PermitRootLogin no

    Ezeelogin SSH Gateway has a feature called ‘AUTO SU or SUDO’ which automatically does the switching for you, so you would not waste your time retrieving the password of the ‘admin’ user and then entering the root password.
  3. Disable password-based authentication and enable only key-based authentication in the sshd configuration file. I would rate this as the most important of all.

    PasswordAuthentication no

  4. Enable key-based authentication. RSA is known to be more secure than DSA keys.

    RSAAuthentication yes
    PubkeyAuthentication yes

    (Note: RSAAuthentication only applied to SSH protocol 1 and was removed in OpenSSH 7.4; on current servers PubkeyAuthentication yes is the setting that matters.)

  5. Change the sshd default listening port from 22 to something like 22656, since it is hard to guess and attackers would have to scan for it. Use a custom SSH port and listening IPs:

    Port 22656
    ListenAddress 192.168.5.6

    (The ListenAddress above is a sample; use the IP of the interface sshd should bind to.)
  6. Configure a VPN; having your server behind a VPN is a good idea. This would really improve the security and harden the server.
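As an added example (not code from this page or from Ezeelogin), the following POSIX shell script audits an sshd_config against steps 2 to 5 above: root login disabled, password authentication off, public-key authentication on, and a non-default port. It applies the real sshd_config parsing rules that matter for such a check (the first occurrence of a keyword wins, keywords are case-insensitive, comment lines are ignored, and settings inside a Match block are conditional, so the global audit stops there). The two configs it audits are constructed samples written to a temporary directory; the defaults used for absent keywords (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes, Port 22) are the stock OpenSSH defaults. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the Ezeelogin page: audit an sshd_config for the
# bastion hardening settings (root login, password auth, key auth, port).

# Effective global value of a keyword. sshd takes the FIRST occurrence of a
# keyword, ignores '#' comment lines and matches keywords case-insensitively.
# Lines after a "Match" block apply conditionally, so the global audit stops there.
sshd_effective() {  # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == tolower(key)          { print $2; exit }
    ' "$1"
}

# Compare one keyword against the hardened value. $3 is the OpenSSH default
# used when the keyword is absent. Prints PASS/FAIL and returns 0/1.
sshd_check_eq() {  # $1 = file, $2 = keyword, $3 = default, $4 = wanted value
    actual=$(sshd_effective "$1" "$2")
    [ -n "$actual" ] || actual="$3"
    if [ "$actual" = "$4" ]; then
        echo "PASS $2=$actual"; return 0
    fi
    echo "FAIL $2=$actual (want $4)"; return 1
}

# Run all checks; the return code is the number of failing checks (0 = hardened).
sshd_audit() {  # $1 = path to sshd_config
    n=0
    sshd_check_eq "$1" PermitRootLogin        prohibit-password no  || n=$((n + 1))
    sshd_check_eq "$1" PasswordAuthentication yes               no  || n=$((n + 1))
    sshd_check_eq "$1" PubkeyAuthentication   yes               yes || n=$((n + 1))
    port=$(sshd_effective "$1" Port)
    [ -n "$port" ] || port=22
    if [ "$port" = "22" ]; then
        echo "FAIL Port=22 (want a non-default port)"; n=$((n + 1))
    else
        echo "PASS Port=$port"
    fi
    return "$n"
}

# Constructed sample configs (not taken from any real host) so the script runs offline.
write_samples() {  # $1 = directory to write weak.conf and hardened.conf into
    cat > "$1/weak.conf" <<'EOF'
# stock config: everything left at the OpenSSH defaults
#PermitRootLogin prohibit-password
Port 22
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 22656
ListenAddress 192.168.5.6
permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Stand-alone run: audit both samples and print the reports.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in weak hardened; do
    echo "== $name.conf"
    sshd_audit "$demo_dir/$name.conf" || echo "$? setting(s) still need attention"
done
rm -rf "$demo_dir"
```

Run it against a real file with `sshd_audit /etc/ssh/sshd_config` after sourcing the script; a non-zero return code is the count of settings still at the weak value. The hardened sample deliberately sets `permitrootlogin` in lowercase and re-enables password authentication only inside a Match block, which the audit correctly does not count against the global setting. Note that `sshd -T` prints the fully resolved configuration and is the authoritative check on a live host; this script is for auditing files offline.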