@paulfermoreyes
Last active November 10, 2020 16:20
Setup Bastion host in cloud

Bastion Setup

  1. Create an instance. I have used Ubuntu 20.04 for the following steps

  2. Connect to your instance

  3. Remove short Diffie-Hellman moduli, keeping only entries of at least 3071 bits (run as root; field 5 of /etc/ssh/moduli is the modulus size)

    awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
  4. Configure /etc/ssh/sshd_config and add the following lines:

    # Supported HostKey algorithms by order of preference.
    HostKey /etc/ssh/ssh_host_ed25519_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_rsa_key
    
    # Password based logins are disabled - only public key based logins are allowed.
    AuthenticationMethods publickey
    
    # LogLevel VERBOSE logs the user's key fingerprint on login. Needed to have a clear audit trail of which key was used to log in.
    LogLevel VERBOSE
    
    PermitRootLogin no
    
    # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
    # On Ubuntu the binary is /usr/lib/openssh/sftp-server; the reference article's /usr/lib/ssh/sftp-server path is used by other distributions.
    Subsystem sftp  /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
  5. Additionally, since we’re not allowing shell access, we also want to prohibit all forwarding except TCP forwarding, which ssh -J uses to support bastions. Carefully add these lines at the end of the configuration: a Match block extends to the next Match or the end of the file, so everything after it (including PermitOpen below) applies only to the matched users, and placing it last keeps the directives above it global.

    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    X11Forwarding no
    
    # Every user except ubuntu (the admin account) gets no shell, only this message.
    Match User *,!ubuntu
        ForceCommand /bin/echo 'This bastion does not support interactive commands.'
        # Still inside the Match block: limit forwarding through the bastion to port 22 on any host.
        PermitOpen *:22
  6. Verify your SSHD configuration and correct any errors or warnings by running sshd -t (a non-empty output or non-zero exit status means the file will not load cleanly)

  7. Restart the SSHD service with service sshd restart
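
As an added example (not part of the gist), a small POSIX sh audit script that checks a bastion's sshd_config for the hardening directives from steps 4 and 5 and counts the DH moduli that step 3 removes; the sample config and moduli file it creates are constructed for the demonstration, not taken from a real host.

```shell
# Added example, not part of the gist: audit a bastion sshd_config for the
# hardening directives above and count the DH moduli that step 3 removes.

# Value of a top-level directive. Directives are case-insensitive, and anything
# after the first Match block is conditional, so the scan stops there.
sshd_directive() {
    awk -v key="$2" 'tolower($1) == "match" { exit }
                     tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Number of moduli shorter than 3071 bits (field 5 of /etc/ssh/moduli is the size).
count_short_moduli() {
    awk '$1 !~ /^#/ && $5 < 3071 { n++ } END { print n + 0 }' "$1"
}

# Returns 0 only if every expected directive is set and a Match block
# carrying both ForceCommand and PermitOpen exists; prints each failure.
audit_bastion_config() {
    cfg="$1"; rc=0
    for pair in AuthenticationMethods=publickey PermitRootLogin=no LogLevel=VERBOSE \
                AllowAgentForwarding=no AllowStreamLocalForwarding=no X11Forwarding=no; do
        key=${pair%%=*}; want=${pair#*=}; got=$(sshd_directive "$cfg" "$key")
        [ "$got" = "$want" ] || { echo "FAIL: $key is '${got:-unset}', want '$want'"; rc=1; }
    done
    awk 'tolower($1) == "match" { m = 1 }
         m && tolower($1) == "forcecommand" { f = 1 }
         m && tolower($1) == "permitopen" { p = 1 }
         END { exit !(f && p) }' "$cfg" ||
        { echo "FAIL: no Match block with ForceCommand and PermitOpen"; rc=1; }
    return $rc
}

# Constructed sample files (not a real host) so the script runs offline.
SAMPLE_CFG=$(mktemp); SAMPLE_MODULI=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
AuthenticationMethods publickey
LogLevel VERBOSE
PermitRootLogin no
AllowAgentForwarding no
AllowStreamLocalForwarding no
X11Forwarding no
Match User *,!ubuntu
    ForceCommand /bin/echo 'This bastion does not support interactive commands.'
    PermitOpen *:22
EOF
printf '%s\n' '# time type tests trials size gen modulus' \
    '20201110000000 2 6 100 2047 2 AA' '20201110000000 2 6 100 4095 2 BB' > "$SAMPLE_MODULI"
audit_bastion_config "$SAMPLE_CFG" && echo "sample config passes"
echo "short moduli to remove: $(count_short_moduli "$SAMPLE_MODULI")"
```

Point the two functions at /etc/ssh/sshd_config and /etc/ssh/moduli on the bastion itself to check the result of steps 3 to 5 before restarting sshd.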

Firewall / Security Group

  • Allow only SSH connection from external going to the bastion host
  • Allow SSH connection from bastion to your internal servers
  • Note: on AWS, you can create a security group whose inbound SSH rule references the group itself, so every instance in that group (the bastion included) accepts SSH from the other members

Client Setup

  1. Edit your SSH configuration in ~/.ssh/config

  2. Add UpdateHostKeys yes - this lets the client accept additional host keys offered by a server that is already in known_hosts, so host key rotation on the bastion does not break access

  3. Add SSH configuration going to Bastion host

    Host my-bastion-server
        HostName 123.123.123.123
        IdentityFile /home/ubuntu/.ssh/my-ssh-key
  4. Add SSH configuration for your internal server

    Host *.internal
        ProxyJump jumper@my-bastion-server

Adding new SSH keys

If you don't want to use a single SSH key for all your users, you may need to add each user's key

  1. Generate a new ssh key
    ssh-keygen -t rsa -b 4096
  2. Copy the contents of your new SSH public key
    cat ~/.ssh/my-new-key.pub
  3. Add the public key inside the ~/.ssh/authorized_keys of your bastion user and in your internal server

Reference: https://smallstep.com/blog/diy-ssh-bastion-host/
