Skip to main content

6 Protection Rules for securing your Bastion Host on OCI

 

Today's post is fundamentally cover 6 aspects on securing your bastion hosts for any Cloud environment. Please note that use-case performed in the later stage of this post is focused on Oracle Cloud. 


1. Ingress Rule

OS Level - firewall to accept connections only from On-prem CPE Public IP. This will straight away reject connections to your Public subnet from outside network and help you channelize incoming connections.  



2. Protocol and Ports


1. TCP/22 -- ssh connectivity
2. ICMP type 8 -- ping



3. Disable irrelevant user ids at OS


You can get list of users from /etc/passwd file and users can be set to /sbin/nologin like as follows -

demouser:x:1000:1000:demouser:/home/demouser:/sbin/nologin



4. Enabling 2-factor authentication for bastion server

This has been explained in my earlier post -

Implementing 2-factor authentication for Bastion server on OCI with Google Authenticator



5. Packages installed -

Remove irrelevant packages. Keep bastion host as 'lite' as possible by avoiding unnecessary packages being installed as this will result in services running and eventually leading to attackers trying to hack into the system.



6. Disclaimer Banner for ssh logins. 


Sample -




Use-case -


Below use case will cover 3 layers of security to logon to bastion host setup on a public ip over Public subnet on OCI. 


1. Private-public key pair

2. Security List on OCI.

3. 2-FA using Google Authenticator




We can also add OS-level firewall rules to the list. Hope this helps!!





Comments

Post a Comment

Popular posts from this blog

Logfile locations in EBS r12.1 and EBS r12.2

Startup/shutdown Apps tier services are started and stopped frequently and we must know logfiles when troubleshooting startup/shutdown issues. $INST_TOP/logs/appl/admin/log $INST_TOP/logs/appl/admin/log Apache OHS being part of opmn in r12.1 has continued in r12.2. Logfile locations for troubleshooting have been changed $INST_TOP/logs/ora/10.1.3/Apache/error_log[timestamp] $INST_TOP/logs/ora/10.1.3/opmn/HTTP_Server~1.log $IAS_ORACLE_HOME/instances/*/diagnostics/logs/OHS/*/*log*   OPMN Logfile locations for r12.1 and r12.2 have been changed $INST_TOP/logs/ora/10.1.3/opmn/opmn* $IAS_ORACLE_HOME/instances/*/diagnostics/logs/OPMN/opmn/* Oacore oacore in r12.1 is oc4j component and part of 10gAS. However, in r12.2, oacore is now a managed server for weblogic server $LOG_HOME/ora/10.1.3/j2ee/oacore/oacore*/ $LOG_HOME/ora/10.1.3/j2ee/oacore/oacore*/ $LOG_HOME/ora/10.1.3/opmn/oacore*/oacor...
1 comment
Read more

Query to Check AD and TXK code levels in your EBS environment

Below query can be very handy in finding out current AD and TXK code levels. col ABBREVIATION for a10 set lines 1000 col NAME for a50 col CODELEVEL for a20 SELECT ABBREVIATION,NAME,codelevel FROM AD_TRACKABLE_ENTITIES WHERE abbreviation in ('txk','ad'); ABBREVIATI NAME                                                CODELEVEL ---------- -------------------------------------------------- ------------ ad           Oracle Applications DBA                             C.11 txk         Oracle Applications Technology Stack    ...
1 comment
Read more

Compile all JSP files in Oracle ebs r12.2

Before you start compiling jsps and following below steps, I recommend understanding some key differences between 11i, r12.1 and r12.2 when it comes to compiling jsps. Please follow below link and then proceed further - One-stop shop to Compile JSPs in 11i, r12.1 and r12.2 1. Take a backup of _pages directory that will be modified due to jsp compilation - $ cd $EBS_APPS_DEPLOYMENT_DIR/oacore/html/WEB-INF/classes/ $ cp -R _pages _pages29dec2019 $ ls -ld _pages* drwxr-xr-x 5 applmgr oinstall 249856 Dec 29 16:36 _pages drwxr-xr-x 5 applmgr oinstall 249856 Dec 29 16:56 _pages29dec2019 2. Stop apache, oacore and oafm services - adapcctl.sh stop admanagedsrvctl.sh stop oacore_server1 admanagedsrvctl.sh stop oafm_server1 3. Compile the jsps manually using the below command - $ cd $FND_TOP/patch/115/bin/ $ perl $FND_TOP/patch/115/bin/ojspCompile.pl --compile --flush -p              4. Check class file last mo...
Post a Comment
Read more