
6 Protection Rules for securing your Bastion Host on OCI

 

Today's post covers six aspects of securing your bastion hosts in any cloud environment. Please note that the use case performed in the later part of this post is focused on Oracle Cloud. 


1. Ingress Rule

OS level - firewall configured to accept connections only from the on-prem CPE public IP. This straight away rejects connections to your public subnet from any other network and helps you channel all incoming connections through a single known source.  



2. Protocol and Ports


1. TCP/22 -- SSH connectivity
2. ICMP type 8 -- ping (echo request)
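Rules 1 and 2 together amount to a small host firewall. As an added example (not from the original post), the POSIX shell script below builds that ruleset with iptables: SSH on TCP/22 and ICMP echo request (type 8) are accepted only from the CPE public IP, everything else inbound is logged and dropped. It assumes iptables with the conntrack match is installed (an Oracle Linux image running firewalld would express the same rules as firewalld rich rules instead). The CPE address is never hard-coded; it is validated and passed in through CPE_PUBLIC_IP, and the script stays in dry-run mode unless DRY_RUN=0 is set. The address 203.0.113.10 used in the usage line is a documentation address, not a real one.

```shell
#!/bin/sh
# Added example (not from the original post): generate, and optionally apply,
# an iptables ruleset that admits only SSH (TCP/22) and ping (ICMP echo request,
# type 8) from the on-prem CPE public IP. Assumes iptables with the conntrack
# match is installed; the CPE address is passed in, never hard-coded.

validate_ipv4() {
    # Accept only four dotted-decimal octets in the range 0-255, so that a bad
    # value can never be spliced into a rule.
    ip="$1"
    old_ifs="$IFS"
    set -f                      # no pathname expansion while we split on '.'
    IFS=.
    set -- $ip
    IFS="$old_ifs"
    set +f
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

bastion_ingress_rules() {
    # Print the rules for CPE IP $1, one iptables command per line. Allow rules
    # are added before the DROP policy is set, so applying them over an existing
    # SSH session does not lock the operator out midway.
    cpe="$1"
    validate_ipv4 "$cpe" || { echo "invalid CPE public IP: $cpe" >&2; return 1; }
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $cpe/32 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp -s $cpe/32 --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "bastion-drop: " --log-level 4
iptables -P INPUT DROP
EOF
}

apply_rules() {
    # Dry run by default: print every command. DRY_RUN=0 executes them (as root).
    validate_ipv4 "$1" || return 1
    bastion_ingress_rules "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "0" ]; then
            eval "$cmd"         # cmd is built only from the validated address
        else
            echo "[dry-run] $cmd"
        fi
    done
}

# Usage:  CPE_PUBLIC_IP=203.0.113.10 sh bastion-ingress.sh                 (dry run)
#         CPE_PUBLIC_IP=203.0.113.10 DRY_RUN=0 sudo -E sh bastion-ingress.sh
if [ -n "${CPE_PUBLIC_IP:-}" ]; then
    apply_rules "$CPE_PUBLIC_IP"
fi
```

Run it once in dry-run mode and read the output before applying; the rules live in memory only, so after a real run save them with iptables-save (or the distribution's equivalent) so they survive a reboot. The LOG rule is what turns rejected connection attempts into evidence in the system log.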



3. Disable irrelevant user IDs at the OS level


You can get the list of users from the /etc/passwd file, and users can be set to /sbin/nologin as follows -

demouser:x:1000:1000:demouser:/home/demouser:/sbin/nologin
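Doing this by hand for every account is error-prone, so here is an added example (not from the original post) that audits a passwd file and prints the usermod commands needed to move every account with a login shell, other than an explicit allowlist, to /sbin/nologin. It runs against a constructed sample file written to a temp path; the account names in it (including opc, the default login on Oracle Linux images) are illustrative. Point it at /etc/passwd and review the output before applying anything.

```shell
#!/bin/sh
# Added example: audit a passwd file for accounts that still have an interactive
# shell and emit the usermod commands that move them to /sbin/nologin.
# Works on a constructed sample below; pass /etc/passwd to audit a real host.

SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
opc:x:1000:1000:Cloud User:/home/opc:/bin/bash
demouser:x:1001:1001:demouser:/home/demouser:/bin/bash
svcacct:x:1002:1002:batch job account:/var/lib/svcacct:/bin/sh
backup:x:1003:1003:backup:/home/backup:/sbin/nologin
EOF

login_shell_accounts() {
    # Print "user:shell" for every account whose shell can open a session.
    # /sbin/nologin, /usr/sbin/nologin and /bin/false count as disabled.
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

lockdown_commands() {
    # $1 = passwd file, $2 = space-separated allowlist of accounts that keep a
    # shell (the operators' own logins). Every other login shell is revoked.
    allow=" $2 "
    login_shell_accounts "$1" | while IFS=: read -r user _shell; do
        case "$allow" in
            *" $user "*) ;;                                  # explicitly allowed
            *) printf 'usermod -s /sbin/nologin %s\n' "$user" ;;
        esac
    done
}

# Usage: review the output first, then apply it as root:
#   lockdown_commands /etc/passwd "root opc" | sudo sh
lockdown_commands "$SAMPLE_PASSWD" "root opc"
```

On the sample this prints two commands, for demouser and svcacct; root and opc are allowlisted and bin and backup already have /sbin/nologin. Setting the shell stops interactive logins, but it does not invalidate the account's password for other PAM services, so pair it with usermod -L where the account should be fully locked.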



4. Enabling 2-factor authentication for bastion server

This has been explained in my earlier post -

Implementing 2-factor authentication for Bastion server on OCI with Google Authenticator



5. Packages installed -

Remove irrelevant packages. Keep the bastion host as 'lite' as possible by avoiding unnecessary packages, since each one can bring running services that widen the attack surface and give attackers more to probe when trying to break into the system.



6. Disclaimer Banner for ssh logins. 


Sample -
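As an added example (not the original post's sample), the script below shows how such a banner is wired into sshd: the text goes into a file such as /etc/issue.net and sshd_config gets a single Banner directive pointing at it. The banner wording here is a constructed placeholder, and the script works on a constructed copy of sshd_config in a temp directory so it runs anywhere; pass /etc/ssh/sshd_config to apply it for real.

```shell
#!/bin/sh
# Added example: install a pre-login disclaimer banner for sshd. The banner
# text is a constructed placeholder; the real wording should come from your
# legal/security team. Demonstrated on a constructed sshd_config in a temp dir.

WORK=$(mktemp -d)
SAMPLE_SSHD_CONFIG="$WORK/sshd_config"
SAMPLE_BANNER="$WORK/issue.net"

cat >"$SAMPLE_SSHD_CONFIG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
#Banner none
UsePAM yes
EOF

write_banner() {
    # $1 = path of the banner file (normally /etc/issue.net). Constructed text.
    cat >"$1" <<'EOF'
*********************************************************************
*  AUTHORISED ACCESS ONLY. This system is the property of <ORG>.     *
*  All activity is monitored and recorded. Unauthorised use is       *
*  prohibited and may be reported to law enforcement.                *
*********************************************************************
EOF
}

set_sshd_banner() {
    # $1 = sshd_config path, $2 = banner file. Idempotent: removes every
    # existing Banner line (commented or not) and appends exactly one. sshd
    # honours the FIRST occurrence of a keyword, so a stale earlier Banner
    # line would silently win over ours if it were left in place.
    cfg="$1"; tmp="$cfg.tmp"
    grep -v -E '^[[:space:]]*#?[[:space:]]*[Bb]anner([[:space:]]|$)' "$cfg" >"$tmp" || true
    printf 'Banner %s\n' "$2" >>"$tmp"
    mv "$tmp" "$cfg"
}

banner_directive() {
    # Print the effective Banner line (first uncommented occurrence, if any).
    awk 'tolower($1) == "banner" { print; exit }' "$1"
}

write_banner "$SAMPLE_BANNER"
set_sshd_banner "$SAMPLE_SSHD_CONFIG" "$SAMPLE_BANNER"
banner_directive "$SAMPLE_SSHD_CONFIG"
# On a real host, validate and reload without dropping live sessions:
#   sshd -t && systemctl reload sshd
```

The banner is shown before authentication, so it must not leak anything useful about the host (OS version, hostname, internal names); keep it to the access notice itself.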




Use-case -


The use case below covers 3 layers of security for logging on to a bastion host set up with a public IP on a public subnet on OCI. 


1. Private-public key pair

2. Security List on OCI.

3. 2-FA using Google Authenticator
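Layers 1 and 3 both end up as sshd settings on the host, so they can be checked together. The added example below (not from the original post, and not the setup steps from the earlier 2-factor post) audits an sshd_config for them: layer 1 means only the key pair may authenticate, and layer 3 means the Google Authenticator PAM module is reached through sshd's keyboard-interactive method after the key has been accepted. Layer 2, the OCI Security List, lives in the VCN and is not visible from the host, so it is out of scope here. Two constructed configs are compared, one weak and one hardened.

```shell
#!/bin/sh
# Added example: audit sshd_config for the host-side layers of the use case,
# key-pair-only login (layer 1) and OTP via PAM keyboard-interactive (layer 3).
# Both configs below are constructed for the demonstration.

WORK=$(mktemp -d)
WEAK_CONFIG="$WORK/sshd_config.weak"
HARDENED_CONFIG="$WORK/sshd_config.hardened"

cat >"$WEAK_CONFIG" <<'EOF'
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF

cat >"$HARDENED_CONFIG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
EOF

sshd_option() {
    # Effective value of keyword $1 in config $2: sshd keywords are
    # case-insensitive and the FIRST occurrence wins, later ones are ignored.
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

audit_bastion_sshd() {
    cfg="$1"; failures=0
    pubkey=$(sshd_option PubkeyAuthentication "$cfg")
    passwd=$(sshd_option PasswordAuthentication "$cfg")
    chal=$(sshd_option ChallengeResponseAuthentication "$cfg")
    kbd=$(sshd_option KbdInteractiveAuthentication "$cfg")
    usepam=$(sshd_option UsePAM "$cfg")
    methods=$(sshd_option AuthenticationMethods "$cfg")

    # Layer 1: only the key pair may authenticate. sshd defaults both keywords
    # to "yes", so a missing PasswordAuthentication line is a failure.
    if [ "${pubkey:-yes}" = "yes" ] && [ "${passwd:-yes}" = "no" ]; then
        echo "PASS layer1: key-pair login only"
    else
        echo "FAIL layer1: need PasswordAuthentication no and PubkeyAuthentication yes"
        failures=$((failures + 1))
    fi

    # Layer 3: the PAM OTP prompt arrives via keyboard-interactive, which needs
    # UsePAM and challenge prompts enabled (ChallengeResponseAuthentication, now
    # called KbdInteractiveAuthentication in newer OpenSSH; absent means the
    # sshd default of yes), and the key must be demanded before the OTP.
    prompt=no
    if [ -z "$chal" ] && [ -z "$kbd" ]; then prompt=yes; fi
    if [ "$chal" = "yes" ] || [ "$kbd" = "yes" ]; then prompt=yes; fi
    if [ "${usepam:-no}" = "yes" ] && [ "$prompt" = "yes" ] \
       && [ "$methods" = "publickey,keyboard-interactive" ]; then
        echo "PASS layer3: public key followed by OTP prompt"
    else
        echo "FAIL layer3: need UsePAM yes, challenge prompts on, AuthenticationMethods publickey,keyboard-interactive"
        failures=$((failures + 1))
    fi
    return "$failures"
}

echo "== weak ==";     audit_bastion_sshd "$WEAK_CONFIG" || true
echo "== hardened =="; audit_bastion_sshd "$HARDENED_CONFIG"
```

The AuthenticationMethods check is deliberately strict: the key must come first and the OTP second, so a stolen key alone or a phished OTP alone is never enough. Run the audit against /etc/ssh/sshd_config after any change, and keep an existing session open while reloading sshd in case a typo locks you out.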




We can also add OS-level firewall rules to the list. Hope this helps!!




