Skip to main content

6 Protection Rules for securing your Bastion Host on OCI

 

Today's post is fundamentally cover 6 aspects on securing your bastion hosts for any Cloud environment. Please note that use-case performed in the later stage of this post is focused on Oracle Cloud. 


1. Ingress Rule

OS Level - firewall to accept connections only from On-prem CPE Public IP. This will straight away reject connections to your Public subnet from outside network and help you channelize incoming connections.  



2. Protocol and Ports


1. TCP/22 -- ssh connectivity
2. ICMP type 8 -- ping



3. Disable irrelevant user ids at OS


You can get list of users from /etc/passwd file and users can be set to /sbin/nologin like as follows -

demouser:x:1000:1000:demouser:/home/demouser:/sbin/nologin



4. Enabling 2-factor authentication for bastion server

This has been explained in my earlier post -

Implementing 2-factor authentication for Bastion server on OCI with Google Authenticator



5. Packages installed -

Remove irrelevant packages. Keep bastion host as 'lite' as possible by avoiding unnecessary packages being installed as this will result in services running and eventually leading to attackers trying to hack into the system.



6. Disclaimer Banner for ssh logins. 


Sample -




Use-case -


Below use case will cover 3 layers of security to logon to bastion host setup on a public ip over Public subnet on OCI. 


1. Private-public key pair

2. Security List on OCI.

3. 2-FA using Google Authenticator




We can also add OS-level firewall rules to the list. Hope this helps!!





Comments

Post a Comment

Popular posts from this blog

Logfile locations in EBS r12.1 and EBS r12.2

Startup/shutdown Apps tier services are started and stopped frequently and we must know logfiles when troubleshooting startup/shutdown issues. $INST_TOP/logs/appl/admin/log $INST_TOP/logs/appl/admin/log Apache OHS being part of opmn in r12.1 has continued in r12.2. Logfile locations for troubleshooting have been changed $INST_TOP/logs/ora/10.1.3/Apache/error_log[timestamp] $INST_TOP/logs/ora/10.1.3/opmn/HTTP_Server~1.log $IAS_ORACLE_HOME/instances/*/diagnostics/logs/OHS/*/*log*   OPMN Logfile locations for r12.1 and r12.2 have been changed $INST_TOP/logs/ora/10.1.3/opmn/opmn* $IAS_ORACLE_HOME/instances/*/diagnostics/logs/OPMN/opmn/* Oacore oacore in r12.1 is oc4j component and part of 10gAS. However, in r12.2, oacore is now a managed server for weblogic server $LOG_HOME/ora/10.1.3/j2ee/oacore/oacore*/ $LOG_HOME/ora/10.1.3/j2ee/oacore/oacore*/ $LOG_HOME/ora/10.1.3/opmn/oacore*/oacor...
1 comment
Read more

Query to Check AD and TXK code levels in your EBS environment

Below query can be very handy in finding out current AD and TXK code levels. col ABBREVIATION for a10 set lines 1000 col NAME for a50 col CODELEVEL for a20 SELECT ABBREVIATION,NAME,codelevel FROM AD_TRACKABLE_ENTITIES WHERE abbreviation in ('txk','ad'); ABBREVIATI NAME                                                CODELEVEL ---------- -------------------------------------------------- ------------ ad           Oracle Applications DBA                             C.11 txk         Oracle Applications Technology Stack    ...
2 comments
Read more

Query to fetch Function assigned to which responsibility

1. Check for which function needs to be assigned to which responsibility. 2. Check for responsibility's menu sytem administrator-> Secutiry -> responsibilty -> Define 3. Search for responsiblity (% Inventory User) 4. Get default Menu name and search for that menu System Administrator -> Application->Menu 5.Once you get Function name, go for function short name as follows - System Administrator -> Application->Function Enter Function Short code for below query SELECT frtl.responsibility_name,        fr.responsibility_key,        fm.menu_id,        fm.menu_name,        menu.function_id,        menu.prompt,        menu.grant_flag,        fffv.user_function_name,        fffv.function_name,      ...
Post a Comment
Read more