
We provide a community edition, a professional edition and an education edition; the community edition is completely free (see the version differences).

This document describes how to install the sshfortress system. It has a web management interface, greatfortress, implemented in Java, for visually adding accounts, assets and similar objects. The backend, sshfortress, is developed on the basis of OpenSSH. Let's see how to install and configure it.



The SSH bastion host integrates functions such as operations identity authentication, account management and control, and system operation audit. It is implemented as a protocol reverse proxy: the data flow of the SSH, SCP and SFTP protocols is recorded as it passes through the proxy. A unified operations entry point and unified permissions between users and managed accounts prevent internal data leakage.

Comparison chart


The bastion host provides operation audit, permission management and control, security authentication, and efficient operations and maintenance.

Permission group management: establish authorization management of personnel responsibilities and resource allocation according to personnel, departmental organizations, and resource groups.

Operations personnel's behaviour is recorded from multiple angles and serves as the basis for incident traceability and accident analysis.

Operations records: detailed records of mistaken operations, malicious operations, and unauthorized operations.

Linux command auditing: the command characters entered can be extracted and audited.

File transfer audit: supports auditing of remote desktop file transfers and of the original files transferred over SFTP.

Terminal recording playback: the SSH session is recorded and is fully compatible with the scriptreplay tool that ships with Linux for playback. Playback files are stored under /var/log/sshfortress_playback, classified by year, month, and day.


# cd /var/log/sshfortress_playback/2020/03/24
# scriptreplay test-10.13.49.time test-10.13.49.log

If you don't have much space on your hard drive, it is recommended to keep the recordings for only 30 days; they can be cleaned up with a crontab entry:

echo "00 00 * * * root find /var/log/sshfortress_playback/ -mtime +30 -exec rm -rf {} \;" >> /etc/crontab
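As an added example (not part of the sshfortress project), a retention script that deletes only the recording files older than the retention period and then drops the empty day directories they leave behind, instead of running rm -rf on every matched path; it assumes the /var/log/sshfortress_playback year/month/day layout described above.

```shell
#!/bin/sh
# Added example (not sshfortress code): prune playback recordings older
# than a retention period, file by file, then remove the empty
# year/month/day directories that are left over.
#
# Usage: prune_playback <root> <days>
prune_playback() {
    root="$1"
    days="${2:-30}"
    # Refuse an empty or non-directory root so a typo cannot turn this
    # into "delete everything".
    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "bad playback root: '$root'" >&2
        return 1
    fi
    # Delete only regular files (the .time/.log pairs) older than $days.
    find "$root" -type f -mtime +"$days" -delete
    # Remove day/month/year directories that are now empty, deepest first.
    find "$root" -mindepth 1 -type d -empty -delete
}

# Count the recordings that remain; run after a prune to confirm that
# recent sessions survived.
count_recordings() {
    find "$1" -type f -name '*.log' | wc -l | tr -d ' '
}
```

Replace the crontab find line with `prune_playback /var/log/sshfortress_playback 30` to get the same retention without deleting whole directory trees.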

Through account management and permission group management, separation of duties between personnel and assets is achieved.

Account management and control: only one operations account is needed, which solves problems such as shared accounts, temporary accounts, and abuse of permissions.

Native implementation: users' habits do not change; it is used just as if no bastion host were present.

Client/server operations access: supports the SSH, SCP and SFTP protocols.

Multiple operations tools: supports PuTTY, SecureCRT, Xshell and other tools.


sshfortress will take over port 22, so before installing it you need to compile and install another OpenSSH and have it listen on a different port (other than 22) so that you can still connect remotely:

# wget
# tar zxvf openssh-8.1p1.tar.gz
# cd openssh-8.1p1/
# ./configure --prefix=/usr/local/openssh2233
# make -j4; make install
# sed -i '1i\Port 2233' /usr/local/openssh2233/etc/sshd_config
# sed -i '2i\PermitRootLogin yes' /usr/local/openssh2233/etc/sshd_config
# /usr/local/openssh2233/sbin/sshd

You can create a boot startup item for it. rc-local was loaded automatically before CentOS 7 but is no longer loaded at boot time, so enable it now:

[root@centos8 tmp]# cat /usr/lib/systemd/system/rc-local.service 
ExecStart=/etc/rc.local start
# systemctl daemon-reload
# systemctl enable rc-local
# chmod +x /etc/rc.local
# echo "/usr/local/openssh2233/sbin/sshd" >> /etc/rc.local

Friendly reminder: CentOS 8 enables nftables instead of iptables. If you are not familiar with adding rules, it is best to clear the ruleset:

# nft flush ruleset


  1. glibc 2.17+
  2. mysql 5.6+ or MariaDB
  3. jdk 1.8
  4. tomcat 8
  5. sshfortress


Go to the resource page and download the following files as needed:

apache-tomcat-8.5.31.tar.gz                        09-Jan-2020 11:21      9M
audit_sec.sql                                      09-Jan-2020 16:07     10M
greatfortress.tar.gz                               10-Jan-2020 09:52     65M
jdk-8u172-linux-x64.tar.gz                         09-Jan-2020 11:22    182M
sshfortress-1.6.1.sha256                           09-Jan-2020 16:14     155
sshfortress-1.6.1.tar.gz                           09-Jan-2020 15:58     10M


# tar zxvf jdk-8u172-linux-x64.tar.gz -C /usr/local/
# ln -s /usr/local/jdk1.8.0_172/ /usr/local/jdk
# echo "export JAVA_HOME=/usr/local/jdk" >> /etc/profile
# echo "export JRE_HOME=/usr/local/jdk/jre" >> /etc/profile
# echo "export CLASSPATH=.:\${JAVA_HOME}/lib:\${JRE_HOME}/lib:\${CLASSPATH}" >> /etc/profile
# echo "export PATH=\${JAVA_HOME}/bin:\${JRE_HOME}/bin:/usr/local/mysql/bin:\${PATH}" >> /etc/profile
# source /etc/profile


The database connection supports custom configuration in the /etc/ssh/sshd_config file. By default it connects to the local host, but it can be pointed at another address such as an RDS instance (the Tomcat connection pool must be changed accordingly), in which case you do not need to install MySQL locally. The defaults are:

sshfortress_host        localhost
sshfortress_user        audit
sshfortress_password    audit
sshfortress_database    audit_sec
sshfortress_port        3306
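As an added example, not code from the sshfortress project, a small POSIX shell check that reads these sshfortress_* keys from an sshd_config-style file, verifies that all of them are present and that the port is numeric, and flags the shipped audit/audit defaults so they are noticed before the bastion goes into production; the function names and exit codes are my own choice.

```shell
#!/bin/sh
# Added example (not sshfortress code): sanity-check the sshfortress_*
# database settings in an sshd_config-style "Key value" file.

# get_setting <file> <key>: print the value of the last matching key.
get_setting() {
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# check_db_config <file>: exit status 0 = ok, 1 = missing key or bad port,
# 2 = still using the default credentials (audit/audit) shown in this guide.
check_db_config() {
    cfg="$1"
    rc=0
    for key in sshfortress_host sshfortress_user sshfortress_password \
               sshfortress_database sshfortress_port; do
        val=$(get_setting "$cfg" "$key")
        if [ -z "$val" ]; then
            echo "missing: $key" >&2
            rc=1
        fi
    done
    port=$(get_setting "$cfg" sshfortress_port)
    case "$port" in
        ''|*[!0-9]*) echo "bad port: '$port'" >&2; rc=1 ;;
    esac
    if [ "$rc" -ne 0 ]; then
        return "$rc"
    fi
    if [ "$(get_setting "$cfg" sshfortress_user)" = "audit" ] &&
       [ "$(get_setting "$cfg" sshfortress_password)" = "audit" ]; then
        echo "default database credentials (audit/audit) still in use" >&2
        return 2
    fi
    return 0
}
```
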
To build MySQL 5.7 from source, first install the build dependencies:

# yum -y install make gcc-c++ cmake bison-devel bison  ncurses-devel libgnomeui-devel perl-Module-Install  bzip2 libtirpc-devel

# wget
# wget
# tar jxvf boost_1_59_0.tar.bz2 -C /tmp
# tar zxvf mysql-5.7.16.tar.gz
# groupadd mysql;useradd -r -g mysql -s /bin/false -M mysql
# cd mysql-5.7.16/

# cmake . -DCMAKE_INSTALL_PREFIX=/usr/local/mysql \
    -DMYSQL_DATADIR=/usr/local/mysql/data \
    -DSYSCONFDIR=/usr/local/mysql/etc \
    -DDEFAULT_CHARSET=utf8mb4 \
    -DDEFAULT_COLLATION=utf8mb4_general_ci \
    -DWITH_BOOST=/tmp/boost_1_59_0 \
    -DMYSQL_USER=mysql
# make -j4; make install
# chown -R mysql.mysql /usr/local/mysql
# cp -f support-files/mysql.server /etc/init.d/mysqld
# mysqld --initialize --user=mysql  --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data
# /etc/init.d/mysqld start
The initial root password is printed during initialization (here the temporary password is 'NiBMcstse9!i'); use it to set the real root password and create the application user:

# mysql -uroot -p'NiBMcstse9!i' --connect-expired-password -e "alter user 'root'@'localhost' identified by 'SSHfortress123@'; \
 CREATE USER 'sshfortress'@'%' IDENTIFIED BY 'SSHfortress123@'; \
 GRANT ALL PRIVILEGES ON *.* TO 'sshfortress'@'%' WITH GRANT OPTION; \
 flush privileges;"

# mysql -uroot -p'SSHfortress123@' -e "create database audit_sec; use mysql;create user 'audit'@'' identified by 'audit'; grant all privileges on audit_sec.* to 'audit'@'';"

# mysql -uroot -p'SSHfortress123@' -e "set global log_bin_trust_function_creators=1; set global explicit_defaults_for_timestamp=1;set global sql_mode='STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION';"

# mysql -uroot -p'SSHfortress123@' audit_sec  <audit_sec.sql

To avoid having to re-apply these settings (log_bin_trust_function_creators, explicit_defaults_for_timestamp and sql_mode) after every restart, write them to the configuration file as follows:
#[root@centos8 local]# cat /etc/my.cnf 
# systemctl enable mysqld
# /etc/init.d/mysqld restart 

Alternatively, on CentOS 8 you can install the packaged MySQL server instead of compiling it:

# yum install mysql-server
# echo "skip_ssl" >> /etc/my.cnf.d/mysql-server.cnf
# echo "log_bin_trust_function_creators=on" >> /etc/my.cnf.d/mysql-server.cnf
# echo "explicit_defaults_for_timestamp=on" >> /etc/my.cnf.d/mysql-server.cnf
# echo "sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES" >> /etc/my.cnf.d/mysql-server.cnf
# systemctl enable mysqld
# systemctl restart mysqld
# mysql -e "create user audit@'' identified  by 'audit'; grant all privileges on *.* to audit@'' with grant option;"
# mysql -e "create database audit_sec;"
# mysql audit_sec < audit_sec.sql
On Debian or Ubuntu the packaged server can be set up the same way:

# apt-get install mysql-server
# systemctl enable mariadb
# mysql -e "create user audit@'' identified  by 'audit'; grant all privileges on *.* to audit@'' with grant option;"
# mysql -e "create database audit_sec;"
# mysql audit_sec < audit_sec.sql


# tar zxvf apache-tomcat-8.5.31.tar.gz -C /usr/local/
# ln -s /usr/local/apache-tomcat-8.5.31/ /usr/local/tomcat
# rm -rf /usr/local/tomcat/webapps/*
# tar zxvf greatfortress.tar.gz -C /usr/local/tomcat/webapps
# sed -i 's/' /usr/local/tomcat/webapps/greatfortress/common/layui/layui.js
# /usr/local/tomcat/bin/ start

Open x.x.x.x in a browser, where x.x.x.x is your listening address.
Account: fortress
Password: hilookhere
After starting Tomcat, the first login is a bit slow.


# tar zxvf sshfortress-x.x.x.tar.gz
# cd sshfortress-x.x.x
# ./


The SSH login name is your user name, followed by two minus signs, followed by the asset number. Example:

ssh name--ID@x.x.x.x 
scp ll.jpg name--ID@x.x.x.x:/tmp
sftp name--ID@x.x.x.x


Demo Video


To upgrade sshfortress you only need to replace the files that changed, not all of them; usually only the sshd and ssh files need replacing, after which the service is restarted:

# /etc/init.d/sshd.init restart