# Create a new folder for the log files
mkdir /var/log/bastion

# Allow ec2-user only to access this folder and its content
chown ec2-user:ec2-user /var/log/bastion
chmod -R 770 /var/log/bastion
setfacl -Rdm other:0 /var/log/bastion

# Make OpenSSH execute a custom script on logins
echo -e “\nForceCommand /usr/bin/bastion/shell” >> /etc/ssh/sshd_config

# Block some SSH features that bastion host users could use to circumvent
# the solution
awk ‘!/AllowTcpForwarding/’ /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
awk ‘!/X11Forwarding/’ /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
echo “AllowTcpForwarding no” >> /etc/ssh/sshd_config
echo “X11Forwarding no” >> /etc/ssh/sshd_config

mkdir /usr/bin/bastion

cat > /usr/bin/bastion/shell << ‘EOF’

# Check that the SSH client did not supply a command
if [[ -z $SSH_ORIGINAL_COMMAND ]]; then

# The format of log files is /var/log/bastion/YYYY-MM-DD_HH-MM-SS_user
LOG_FILE=”`date –date=”today” “+%Y-%m-%d_%H-%M-%S”`_`whoami`”

# Print a welcome message
echo “”
echo “NOTE: This SSH session will be recorded”
echo “”

# I suffix the log file name with a random string. I explain why
# later on.

# Wrap an interactive shell into “script” to record the SSH session
script -qf -t $LOG_DIR$LOG_FILE$SUFFIX.time $LOG_DIR$LOG_FILE$ -c /bin/bash


# The “script” program could be circumvented with some commands
# (e.g. bash, nc). Therefore, I intentionally prevent users
# from supplying commands.

echo “This bastion supports interactive sessions only. Do not supply a command”
exit 1



# Make the custom script executable
chmod a+x /usr/bin/bastion/shell

# Bastion host users could overwrite and tamper with an existing log file
# using “script” if they knew the exact file name. I take several measures
# to obfuscate the file name:
# 1. Add a random suffix to the log file name.
# 2. Prevent bastion host users from listing the folder containing log
# files.
# This is done by changing the group owner of “script” and setting GID.
chown root:ec2-user /usr/bin/script
chmod g+s /usr/bin/script

# 3. Prevent bastion host users from viewing processes owned by other
# users, because the log file name is one of the “script”
# execution parameters.
mount -o remount,rw,hidepid=2 /proc
awk ‘!/proc/’ /etc/fstab > temp && mv temp /etc/fstab
echo “proc /proc proc defaults,hidepid=2 0 0” >> /etc/fstab

# Restart the SSH service to apply /etc/ssh/sshd_config modifications.
service sshd restart




Fill in your details below or click an icon to log in: 徽标

You are commenting using your account. Log Out /  更改 )

Google+ photo

You are commenting using your Google+ account. Log Out /  更改 )

Twitter picture

You are commenting using your Twitter account. Log Out /  更改 )

Facebook photo

You are commenting using your Facebook account. Log Out /  更改 )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.