Monitoring and protecting SSH sessions with eBPF — Guillaume Fournier
Date: 04 June 2021 at 10:15 — 15 min.
Secure Shell (SSH) is a network protocol that provides users with a secure way to access a host over an unsecured network. Multiple actors in an organisation usually require this access:
- Developers use it to debug applications in a staging or sometimes production environment.
- Software Reliability Engineering (SRE) teams and system administrators often perform maintenance and system configuration tasks over SSH.
- Security administrators often require access to machines in production environments to perform security investigations and incident response.
In theory, the principle of least privilege should be applied, and each actor should be granted the bare minimum access required to perform their tasks. Although SRE teams and security engineers are likely to require privileged access, developers might not always need it. Regardless of the level of access on a machine, developers should also only have access to the hosts that run the services they work on.
Unfortunately, those principles are often hard to follow. First, debugging an application often means using runtime performance monitoring tools to understand why a service is not performing as expected. For example, you might want to analyse the latency distribution of ext4 operations using a tool like ext4dist. Some of those performance monitoring tools require root access, which means that many developers will eventually request permanent root access. Moreover, with the growing adoption of container orchestration tools like Kubernetes, hosts are no longer necessarily dedicated to specific services. Many developers will eventually require root access to some of the nodes of the infrastructure, which also grants them access to pods of services they do not own. As companies grow and engineering teams expand, the number of privileged users on the infrastructure skyrockets, making it particularly hard for the security team to monitor SSH sessions and contain the blast radius of leaked credentials.
This paper explores how eBPF can provide a solution to monitor SSH sessions, while providing your security team with a new access control layer. This new access control grants temporary access to scoped resources, and only for the active session. In other words, the “all or nothing” access usually granted to Linux users no longer applies: even if a sudoer user becomes root, their access will still be restricted to the access granted to the SSH session.
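As an added illustration of the session-scoped model (not code from the talk or its author), the following Python sketch simulates the bookkeeping an eBPF-based layer would keep in kernel maps: which processes descend from an SSH session, and whether a file open falls within that session's scope regardless of the caller's uid. Class and method names and the path-prefix policy format are assumptions.

```python
# Added example, not code from the talk: a user-space simulation of the session-scoped
# model. In eBPF the same state lives in maps fed by fork/exit hooks (all names assumed).

class SessionTracker:
    def __init__(self):
        self.session_of = {}  # pid -> session id (stands in for a BPF hash map)
        self.policies = {}    # session id -> tuple of allowed path prefixes (assumed format)
        self.next_sid = 1

    def start_session(self, sshd_child_pid, allowed_prefixes):
        """sshd spawned the session process for an authenticated user."""
        sid, self.next_sid = self.next_sid, self.next_sid + 1
        self.session_of[sshd_child_pid] = sid
        self.policies[sid] = tuple(allowed_prefixes)
        return sid

    def on_fork(self, parent_pid, child_pid):
        """Descendants inherit the session, so sudo/su and their children stay in scope."""
        if parent_pid in self.session_of:
            self.session_of[child_pid] = self.session_of[parent_pid]

    def end_session(self, sid):
        """Access is temporary: pids stay tagged, but the grant is gone."""
        self.policies.pop(sid, None)

    def check_open(self, pid, uid, path):
        """Decision for a file open. uid is deliberately ignored: root stays scoped."""
        sid = self.session_of.get(pid)
        if sid is None:
            return True  # not in a tracked SSH session: this layer does not apply
        prefixes = self.policies.get(sid, ())  # empty once the session ended
        return any(path.startswith(p) for p in prefixes)

def demo():
    """Constructed scenario: a developer session scoped to /srv/app/, then sudo to root."""
    t = SessionTracker()
    sid = t.start_session(100, ["/srv/app/"])
    t.on_fork(100, 101)  # login shell (uid 1000)
    t.on_fork(101, 102)  # sudo
    t.on_fork(102, 103)  # root shell spawned by sudo (uid 0)
    results = {
        "dev_opens_app_log": t.check_open(101, 1000, "/srv/app/log.txt"),
        "root_opens_app_log": t.check_open(103, 0, "/srv/app/log.txt"),
        "root_opens_shadow": t.check_open(103, 0, "/etc/shadow"),
        "unrelated_daemon": t.check_open(500, 0, "/etc/shadow"),
    }
    t.end_session(sid)
    results["root_after_session_end"] = t.check_open(103, 0, "/srv/app/log.txt")
    return results
```

The root shell reached through sudo is still confined to the session's scope, and a process lingering after the session ends loses access rather than escaping the tracker.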