I was at a meetup the other night and a student mentioned that they were learning about bastion hosts and wanted to learn more. So I thought I would do a deep dive on what they are and why to use them.
Bastion hosts are instances that sit within your public subnet and are typically accessed using SSH or RDP. Once remote connectivity has been established with the bastion host, it then acts as a ‘jump’ server, allowing you to use SSH or RDP to log in to other instances. https://cloudacademy.com/blog/aws-bastion-host-nat-instances-vpc-peering-security/
Bastion hosts act as a gateway or ‘jump’ host into a secure network. The servers in the secure network will ONLY accept SSH connections from bastion hosts. This limits the number of points from which you can SSH into servers to a trusted set of hosts. It also makes auditing SSH connections in the secure network significantly easier.
Bastion hosts typically have more stringent security postures. This includes more regular patching and more detailed logging and auditing.
Bastion setups are quite simple; here are a few simple steps to set one up:
IdentityFile and domain-names to suit your network:

    $ cat ~/.ssh/config
    Host *.secure.example.com
        IdentityFile %d/.ssh/keyname.extension
        ProxyCommand ssh bastion.corp.example.com -W %h:%p

    Host bastion.corp.example.com
        IdentityFile %d/.ssh/keyname.extension

    Host *
        PubkeyAuthentication yes
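The rule that servers in the secure network accept SSH only from bastion hosts can be checked from the servers' own sshd logs. The following is an added example, not part of the original post: it flags accepted logins whose source is not a bastion. The bastion address, the host name `app1`, the users and the log lines are all constructed for illustration.

```python
import ipaddress
import re

# Assumed bastion address range (constructed; replace with your bastion's private IPs).
BASTION_NETS = [ipaddress.ip_network("10.0.0.10/32")]

# Constructed sshd auth-log lines from a server inside the secure network.
SAMPLE_LOG = """\
Mar  3 09:12:01 app1 sshd[2211]: Accepted publickey for alice from 10.0.0.10 port 50222 ssh2: ED25519 SHA256:EXAMPLE
Mar  3 09:14:37 app1 sshd[2230]: Failed password for root from 10.0.5.23 port 41100 ssh2
Mar  3 09:20:45 app1 sshd[2304]: Accepted publickey for bob from 10.0.5.23 port 41822 ssh2: ED25519 SHA256:EXAMPLE
Mar  3 09:31:10 app1 sshd[2391]: Accepted password for carol from 2001:db8::15 port 60100 ssh2
Mar  3 09:40:02 app1 sshd[2410]: Accepted publickey for alice from 10.0.0.10 port 50930 ssh2: ED25519 SHA256:EXAMPLE
"""

# Matches only successful authentications; failed attempts are ignored here.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def from_bastion(src, nets=BASTION_NETS):
    """True if the source address falls inside one of the bastion networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: treat it as a violation
    return any(addr in net for net in nets)


def non_bastion_logins(log_text, nets=BASTION_NETS):
    """Return (user, source, method) for each accepted login not from a bastion."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and not from_bastion(m["src"], nets):
            hits.append((m["user"], m["src"], m["method"]))
    return hits


if __name__ == "__main__":
    for user, src, method in non_bastion_logins(SAMPLE_LOG):
        print(f"ALERT: {user} logged in via {method} from non-bastion host {src}")
```

Any hit means a path into the secure network exists that bypasses the bastion, so the firewall or security-group rules on that server need review.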