×
Community Blog Protecting ECS Instances with Bastionhost - Friday Blog, Week 54

Protecting ECS Instances with Bastionhost - Friday Blog, Week 54

Learn how you can use Bastion Host to secure logon to your ECS instances and keep records of what your ops team is up to.

By: Jeremy Pedersen

Bastionhost: Access Control For Your Ops Team

Securing servers is tough. Anyone who has tried it has run up against the following questions:

  • Who should get access, and to which servers?
  • How do I rotate credentials?
  • How do I grant access without opening my servers up to the public Internet?
  • How can I see what users are doing?
  • How can I control which commands users can (and cannot) execute?

...and lots more.

One of the more common approaches to this problem is to set up a Bastion Host.

This usually involves setting up and configuring yet another server, and that server itself inevitably becomes its own security headache.

But there's a better way.

Alibaba Cloud Bastionhost: Make RDP And SSH Access Easy And Secure

Alibaba Cloud has a built-in Bastionhost Service which saves you the trouble of setting up your own server to do the job.

Better, Bastionhost provides:

  • A unified web portal for managing users and permissions
  • Fine-grained user and group permissions
  • The ability to block high-risk commands (or require approval)
  • A full audit trail for each user logon, showing what commands were executed, and in what order
  • Support for both HA and non-HA Bastionhost deployments, with the HA version offering an SLA of 99.95%

Testing It Out

I'll be using the paid version for today's test because I have an Alibaba Cloud test account. However, there is a free trial you can apply for if you'd like to try it out yourself.

Setting Up A Test Environment

Since I want to test Bastionhost's SSH and RDS functionality, my minimum test environment consists of:

  1. An Alibaba Cloud VPC network group
  2. An ECS instance running Ubuntu 20.xx
  3. An ECS instance running Windows Server 2022

Setting up VPC network groups and ECS instances is straightforward, so I'll skip over those details and show the final setup.

I have created a new VPC group in Singapore:

vpc_details

And created two ECS instances (one running Windows, one running Linux) inside that VPC:

ecs_details

Note that neither ECS instance has a public IP, meaning these instances won't be reachable from the Internet (except indirectly through Bastionhost).

Setting Up Bastionhost

Next, we need to enable Bastionhost. I'll run my tests in Singapore, so I need to purchase a Bastionhost instance in the Singapore region:

get_bastionhost

I'm using a test account, so I'll choose the more expensive HA edition, which has built-in redundancy. As configured here, I can use my Bastionhost instance with up to 50 ECS instances, and can store 5 TB of log data:

get_bastionhost_2

Before I can start using Bastionhost, I have to start the instance by clicking "Run" from the console:

run_bastionhost

This will open a setup pane, which prompts me to choose the VPC group and VSwitch the Bastionhost instance should attach to, as well as any Security Groups it should have access to:

run_setup_1

run_setup_2

It may take a few minutes for the Bastionhost instance to boot up:

creating

Managing The Bastionhost Instance

We can now click on "Manage" to open up the Bastionhost instance's management pane:

manage

Let's start playing around!

Step 1: Attach some ECS instances

We can start by attaching our ECS instances to Bastionhost. To do this, navigate to "Assets -> Hosts":

import_1

Choose the Singapore region:

import_2

Add both ECS instances:

import_3

Clicking "Import" at the top of that dialog will attach both ECS instances to Bastionhost and take us back to the Instance list:

instances_added

Step 2: Add Some Users

Prerequisite: We need to set up some RAM users via the Alibaba Cloud RAM console. Instructions on creating RAM users can be found here. I have created three:

  1. win_ram (Windows access only)
  2. lin_ram (Linux access only)
  3. all_ram (access to both Windows and Linux)

Note that these three users have not been given any permissions, and have not been given Access Keys.

Why? Because they don't need any. Permissions to access the ECS instances will be granted through Bastionhost itself.

We can add our users from "Identities -> Users":

users_1

users_2

After clicking "Import", all 3 users now show up in the Bastionhost console:

users_3

Step 3: Authorize Those Users

Looking closely at the above screenshot, you'll notice there's a little (0) next to "Authorize Hosts" in the "Actions" column.

This is because none of our RAM users have permission to access any of our ECS instances. Let's fix that.

First, I'll click on "Authorize Hosts" in the first row, for the "lin_ram" user. I'll authorize this user to access the Linux ECS instance I created earlier:

authorizations

I'll repeat this process for "win_ram" and "all_ram", giving "win_ram" access to the Windows instance only, and "all_ram" access to both instances.

Returning to the user list, I can now see that each RAM user is authorized to access one or more ECS instances:

auth_results

Tip: For working with larger sets of users, I can also create user groups. Users added to a user group will automatically gain access to any ECS instances associated with the group.

Step 4: Limiting User Actions With Control Policies

We can also write control policies limiting what actions a user can perform. As an example, let's create a control policy that prevents the "lin_ram" user from executing the rm command. Any time the user enters a command starting with rm, a Bastionhost administrator will be required to approve the command from the Bastionhost console.

First, click "Create Control Policy":

policy_1

Creating the control policy is a 6-step process:

policy_2

We will skip the "Command Control" step. We want to force approval for rm commands, not disable them entirely:

policy_3

On the next screen, enter rm* to block the execution of any command starting with the prefix "rm":

policy_4

We don't need to limit the rule to particular protocols or hosts, so we can just click "Create Control Policy", skipping steps 4 and 5. This takes us straight to step 6, where we can associate the policy with one or more users or hosts:

policy_5

Clicking on "Associate Host/User" gives us the option to apply the police to one or more hosts and/or one or more users.

We'll associate the policy with the "lin_ram" user:

policy_6

I also scroll up and make sure the policy is attached to the "linux-test" host, as well.

Logging In (SSH)

We've configured our hosts and users. Now let's try logging in, and seeing what happens!

Returning to the "overview" page, we see the login information for the Bastionhost instance:

overview

Important Note*: First-time users of Bastionhost are often surprised that access via the default SSH and RDP ports (22 and 3389) doesn't work. This is because Bastionhost uses non-standard port numbers. Specifically:

  • 60022 for SSH
  • 63389 for RDP

When logging on, you need to make sure you are using these port numbers, rather than the default ones! This is documented here.

Let's test SSH login for the user "lin_ram", first. I'll use the Internet endpoint for my Bastionhost, which is lxuysfevgk-public.bastionhost.aliyuncs.com:

lin_logon

Note that my logon password is my RAM user password. You can enable key-based login or MFA for extra security if needed.

Once logged on, I can see a list of all hosts I have access rights for (in this case, only one):

host_list

If there were more than one host available, hitting the arrow keys would allow me to move up and down the list. Hitting the enter key while a host is highlighted will initiate a logon, like this:

log_1

Of course, I then need to specify a valid username and password on the ECS instance itself!

log_2

log_3

log_4

We are now logged in and can execute commands:

exec_1

Executing A "Forbidden" Command

We set up a policy for the "lin_ram" user which should block access to commands starting with rm unless they are approved by an admin. Let's try this out!

First, I'll try and remove a text file I have just created:

exec_2

The system tells me that the command is "waiting for confirmation". If I open "Command Approval" in the console, I can see that - as a Bastionhost administrator - I have the ability to accept or reject the command. In this case, I accept:

exec_3

exec_4

Going back to the terminal, I see the command has been run and my text file is gone!

exec_5

A Word Of Warning...

Bastionhost can only prohibit commands it can recognize, meaning clever users can always find another way. You'll need to use other security best practices like limiting the permissions of your users from Windows or Linux, to achieve a truly secure environment.

Just to demonstrate this, here's one way I could remove that text file without Bastionhost noticing...

tricky

See what I did there?

Logging In (RDP)

Let's try an RDP logon, from the "all_ram" account, and see what happens. I'll use Microsoft's Remote Desktop tool for macOS:

rdp_1

During logon, you'll need to enter your RAM user's username and password:

rdp_2

After logging on, Bastionhost will give you a list of (Windows) hosts you are authorized to log into:

rdp_3

Let's try logging into our Windows ECS instance:

rdp_4

rdp_5

And that's it! We're logged in:

rdp_6

Checking Audit Logs

Now we're getting to the cool bit!

From the console, we can see a video replay of every RDP or SSH session, for every user. We can also see - at least for SSH logins - a chronological listing of all commands executed.

Here are examples of the video replays for Linux and Windows, respectively:

lin_session

win_session

With some larger (still) screenshots for reference:

lin_screen

win_screen

Next Steps

We've just scratched the surface here: Bastionhost can do a lot more, including support federated login via LDAP and other logon services.

If you want to try it out for yourself, take a look at this page, which explains how to apply for a free trial.

That's all for this week: happy administrating!

I've Got A Question!

Great! Reach out to me at jierui.pjr@alibabacloud.com and I'll do my best to answer in a future Friday Q&A blog.

You can also follow the Alibaba Cloud Academy LinkedIn Page. We'll re-post these blogs there each Friday.

Not a LinkedIn person? We're also on Twitter and YouTube.

0 0 0
Share on

JDP

72 posts | 121 followers

You may also like

Comments

JDP

72 posts | 121 followers

Related Products