Securely record SSH sessions on RHEL in a private VPC network


In this blog post, you'll learn how to record SSH sessions on a Red Hat Enterprise Linux (RHEL) VSI in a private VPC network using built-in packages. The VPC private network is provisioned through Terraform and the RHEL packages are installed using Ansible automation. Additionally, you'll learn how to set up a highly available bastion host.

What is session recording and why is it required?

A bastion host and a jump server are both security mechanisms used in network and server environments to control and enhance security when connecting to remote systems. They serve similar purposes but have some differences in their implementation and use cases. The bastion host is placed in front of the private network to take SSH requests from public traffic and pass the request to the downstream machine. Bastion hosts and jump servers are vulnerable to intrusion because they're exposed to public traffic.

Session recording helps an administrator of a system to audit user SSH sessions and ensure they comply with regulatory requirements. In the event of a security breach, the administrator will need to audit and analyze the user sessions. This is critical for a security-sensitive system.

What is a private VPC network?

A virtual private cloud is completely private if there is no public ingress or egress network traffic. In simple technical terms, it's private if there are no public gateways on the subnets (private subnets) and no floating IPs on the Virtual Server Instances (VSIs).

How do I connect to the private VPC network?

Client-to-site VPN for VPC is one of the two VPN options available on IBM Cloud, and it allows users to connect to IBM Cloud resources through secure, encrypted connections.

The client-to-site VPN is highly available, with two VPN servers that are created in two different availability zones in the same region. The bastions are highly available as well.

Prerequisites

Provision the private VPC network using Terraform

export TF_VAR_ibmcloud_api_key=<IBM_CLOUD_API_KEY>

export TF_VAR_secrets_manager_certificate_crn=<SECRET_CRN>
git clone

cd terraform
  • Run the Terraform commands to provision the VPC resources (e.g., subnets, bastion hosts (VSIs), VPN, etc.):
terraform init

terraform plan

terraform apply

Connect to client-to-site VPN

  • Once the VPC resources are successfully provisioned, you need to download the VPN client profile by navigating to the VPN servers page on IBM Cloud.
  • Click the Client-to-site servers tab and then on the name of the VPN:
  • Download the profile from the Clients tab.
  • The VPN provisioned through Terraform uses certificates. Follow the instructions here to connect to the OpenVPN Client.
  • You should see the successful connection in your OpenVPN Client:

Check the SSH connection

  • In a terminal, add the SSH private key to the SSH agent with the following command:
  • Example: ssh-add ~/.ssh/<NAME_OF_THE_PRIVATE_KEY>
  • Run the following command to SSH into the RHEL VSI through a bastion host. You will be using the private IP address of the bastion in Zone 1:
ssh -J root@ root@
  • Remember, you should be connected to the client-to-site VPN to access the RHEL VSI through the bastion host.
  • After SSH, you should see instructions to enable SSH session recording using the TLOG package on RHEL.

Deploy session recording using Ansible

To deploy the session recording solution, you need to have the following packages installed on the RHEL VSI:

  • tlog
  • SSSD
  • cockpit-session-recording

The packages will be installed through Ansible automation on all the VSIs, both the bastion hosts and the RHEL VSI.

  • Move to the Ansible folder:
cd ansible
  • Create hosts.ini from the template file:
cp hosts_template.ini hosts.ini
  • Run the Ansible playbook to install the packages from an IBM Cloud private mirror/repository:
ansible-playbook main_playbook.yml -i hosts.ini --flush-cache

You can see in Figure 1 that after you SSH into the RHEL machine, you will see a note saying: ATTENTION! Your session is being recorded!
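On RHEL, SSSD decides which users are recorded through the scope option of its [session_recording] section, so a post-deployment check should confirm that scope rather than rely on the login notice alone. The following is an added example, not part of the original post or its repository; the file path in the comment, the function names and the sample files are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an SSSD drop-in for the session-recording scope.
# Typical RHEL location (assumption; not stated on the page):
#   /etc/sssd/conf.d/sssd-session-recording.conf

# recording_scope FILE -> prints the value of "scope" inside the
# [session_recording] section; prints "none" (the SSSD default) if unset.
recording_scope() {
    awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   {                              # any section header
            in_sec = ($0 ~ /^[ \t]*\[session_recording\][ \t]*$/)
            next
        }
        in_sec && /^[ \t]*scope[ \t]*=/ {            # scope = <value>
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            scope = tolower($0)
        }
        END { print (scope == "" ? "none" : scope) }
    ' "$1"
}

# check_recording FILE -> 0 if every user is recorded, 1 if only some are,
# 2 if recording is off or the file is missing/unreadable.
check_recording() {
    [ -r "$1" ] || { echo "FAIL: $1 not readable"; return 2; }
    case "$(recording_scope "$1")" in
        all)  echo "OK: all users recorded"; return 0 ;;
        some) echo "WARN: only listed users/groups recorded"; return 1 ;;
        *)    echo "FAIL: session recording disabled"; return 2 ;;
    esac
}

# Constructed sample drop-ins so the script runs offline.
demo_dir=$(mktemp -d)
printf '[session_recording]\nscope = all\n' > "$demo_dir/all.conf"
printf '[session_recording]\n# scope = all\nscope = some\ngroups = admins\n' \
    > "$demo_dir/some.conf"
printf '[domain/example]\nscope = all\n' > "$demo_dir/wrong_section.conf"

for f in all some wrong_section; do
    check_recording "$demo_dir/$f.conf" || true
done
```

On a real host, call check_recording with the drop-in path on each bastion and on the RHEL VSI; a scope of some or none on a bastion means some sessions leave no recording to audit.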

Check the session recordings, logs and reports

If you closely observe the messages post-SSH, you will see a URL to the web console that can be accessed using the machine name or private IP over port 9090. To allow traffic on port 9090, in the Terraform code, change the value of the allow_port_9090 variable to true and run terraform apply. The latest terraform apply will add ACL and security group rules to allow traffic on port 9090.

  • Now, open a browser and navigate to To access using the VSI name, you need to set up a private DNS (out of scope for this article). You need a root password to access the web console:
  • Navigate to Session Recording on the left-hand side to see the list of session recordings. Along with session recordings, you can check the logs, diagnostic reports, etc.:

Recommended reading


This article covered why session recording is required in bastion hosts for auditing and compliance and how session recording can be set up with the built-in RHEL packages using Ansible Automation.

While designing a secured virtual private cloud network, you learned the best practices in architecting a VPC private network. We also covered the need to build highly available VPN servers and bastion hosts. With the provisioning of cloud infrastructure using Terraform and Ansible for session recording, you got hands-on experience.

Learn more about IBM Cloud VPC

If you have any queries, feel free to reach out to me on Twitter or on LinkedIn.


