Stop opening Port 22 to the world. 🛑
In the world of infrastructure, we’ve long accepted a "security tax." If you want your servers to be accessible, you either open holes in your firewall, maintain a complex VPN, or pay thousands for enterprise PAM (Privileged Access Management) tools.
I felt there was a massive gap for a lightweight, developer-centric tool that follows Zero Trust principles without the enterprise bloat. That’s why I built Orion-Belt.
Orion-Belt in Action
Seeing is believing. Here is a quick look at osh (the Orion-Belt SSH client) connecting to a machine that has zero inbound ports open, while the gateway handles the heavy lifting of authentication and recording.
The "Security Tax" of Traditional Access
Most teams handle remote server access in one of three ways, and all of them have a "catch":
- Static SSH Keys: Great until a laptop is stolen or an employee leaves. Auditing "who did what" is nearly impossible.
- The "Jump Box" (Bastion): A single point of failure. If your bastion is compromised, your whole network is exposed.
- VPNs: They give "flat" network access. Once a user is on the VPN, they can often see everything, violating the Principle of Least Privilege.
I wanted something that felt like a modern SaaS (like Teleport or Boundary) but remained self-hosted, open-source, and dead simple.
Feature Comparison: Why Orion-Belt?
How does Orion-Belt stack up against the status quo?
| Feature | Orion-Belt (Open Source) | Traditional SSH/VPN | Enterprise Gateways |
|---|---|---|---|
| Inbound Firewall Rules | ❌ No (Reverse Tunnel) | ✅ Yes (Port 22/VPN) | ❌ No (Agent/Tunnel) |
| Session Recording | ✅ Yes (Built-in) | ❌ No (Hard to config) | ✅ Yes (Built-in) |
| Access Control | ReBAC (Fine-Grained) | Coarse-Grained | RBAC/ABAC |
| Temporary Access | ✅ Yes (JIT Approval) | ❌ No | ✅ Yes |
| Protocol Support | SSH, SCP | SSH, SCP (VPN allows more) | SSH, Kubernetes, Databases, HTTP |
| Cost | Free (Self-Hosted) | Free | $$$ High |
| Architecture | Lightweight Go Binary | Standard Utilities | Complex Microservices |
How it Works (Under the Hood)
Orion-Belt is built on a Reverse SSH Tunnel architecture. Instead of you reaching into your private network, your servers reach out to the Orion-Belt gateway.
- The Agent: A small Go binary runs on your target VMs. It creates an outbound connection to your Orion-Belt server.
- The Gateway: The "Brain." It handles authentication, ReBAC (Relationship-Based Access Control), and session recording.
- The Client (osh/ocp): CLI tools that feel like standard SSH/SCP but verify permissions with the gateway’s API first.
Because the connection is outbound from the server to the gateway, you can keep Port 22 closed. This effectively hides your infrastructure from automated bot scans and 0-day SSH exploits.
Key Features for Modern Teams
1. ReBAC (Relationship-Based Access Control)
Orion-Belt checks the relationship between the user and the resource. This allows for fine-grained permissions that scale as your team grows.
2. Session DVR-Style Replay
Compliance (SOC2/HIPAA) requires seeing what happened during a session. Orion-Belt records every keystroke at the gateway level. You can replay the entire session later to see exactly what commands were run.
3. JIT (Just-In-Time) Temporary Access
Need a developer to debug a production issue for one hour?
osh --request-access prod-db-01 --duration 1h --reason "Investigating latency"
Admins get a notification, approve the request, and the access automatically expires. No "orphaned" keys left behind.
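To make the ReBAC check from section 1 and the JIT expiry from section 3 concrete, here is an added example of the decision the gateway has to make before a client connects. It is illustrative code written for this post, not Orion-Belt's own implementation; the tuple shapes, the "member"/"access" relation names and the Policy type are assumptions.

```go
package main

import "time"

// Tuple is one ReBAC relationship: Subject has Relation to Object, e.g. {"alice","member","team:sre"}.
type Tuple struct{ Subject, Relation, Object string }

// Grant is an approved JIT request: User may reach Host until Expires.
type Grant struct {
	User, Host string
	Expires    time.Time
}

// Policy is a constructed stand-in for the gateway's stored relationships and approvals.
type Policy struct {
	Tuples []Tuple
	Grants []Grant
}

// hasRel answers "does subject hold relation on object?", following group membership transitively.
func (p Policy) hasRel(subject, relation, object string, depth int) bool {
	if depth > 8 { // bound recursion so a membership cycle cannot hang the check
		return false
	}
	for _, t := range p.Tuples {
		if t.Relation != relation || t.Object != object {
			continue
		}
		// Direct match, or the tuple's subject is a group the user belongs to.
		if t.Subject == subject || p.hasRel(subject, "member", t.Subject, depth+1) {
			return true
		}
	}
	return false
}

// Allowed is the check made before connecting: graph access, else an unexpired JIT grant, else deny.
func (p Policy) Allowed(user, host string, now time.Time) (bool, string) {
	if p.hasRel(user, "access", host, 0) {
		return true, "standing access"
	}
	for _, g := range p.Grants {
		if g.User == user && g.Host == host && now.Before(g.Expires) {
			return true, "jit grant until " + g.Expires.UTC().Format(time.RFC3339)
		}
	}
	return false, "denied"
}
```

Because the grant carries an absolute expiry, an approval for `--duration 1h` needs no cleanup step: once `now` passes `Expires` the same check denies, which is what makes "no orphaned keys" hold.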
The Architecture
Client (osh/ocp)
│
▼
Orion-Belt Gateway Server (ReBAC + Session Recording)
│
▼ (Reverse SSH Tunnel)
Agent (on your locked-down servers)
Quick Start
1. Build from source:
git clone https://github.com/zrougamed/orion-belt.git
cd orion-belt && make build
2. Start the Server:
The server acts as your central hub. It uses PostgreSQL to store sessions and permissions.
3. Deploy the Agent:
Drop the agent binary on any server behind a firewall. Once it connects to the gateway, that server is accessible via osh.
I need your feedback!
Orion-Belt is currently in Alpha. It’s functional and stable, but I’m looking for early adopters to help shape the roadmap.
- Does this architecture fit your current workflow?
- What notification plugins would you like to see (Slack, Discord, Email)?
Check out the repo, leave a ⭐ if you like the concept, and let's discuss in the comments!
GitHub: https://github.com/zrougamed/orion-belt
Final Thoughts
Infrastructure access doesn't need to be a choice between "easy" and "secure." By combining Go's performance with a Zero-Trust architecture, Orion-Belt makes high-end security accessible to everyone.