Posted January 19Jan 19 You are reading Part 39 of the 57-part series: Harden and Secure Linux Servers. [Level 4]This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.A Bastion Host is a hardened server that acts as a secure gateway for accessing other internal or production servers. This reduces the attack surface by centralizing access control and monitoring.✅ Adds an extra security layer between users and production servers.✅ Prevents direct SSH access to critical infrastructure.✅ Enables detailed logging and access auditing for security monitoring.✅ Supports Multi-Factor Authentication (MFA) for enhanced security.By using a bastion host, you enforce strong access control policies and limit attack exposure.How to Set Up a Secure Bastion Host1. Deploy a Dedicated Bastion HostCreate a separate virtual or physical server in a DMZ (Demilitarized Zone) or public subnet.Use a minimal OS install (e.g., Ubuntu Server, CentOS, or Amazon Linux) to reduce attack vectors.Apply strict firewall rules to allow only SSH access from trusted IPs.For Ubuntu/Debian, install OpenSSH Server if not installed:sudo apt update && sudo apt install openssh-server -y For CentOS/RHEL:sudo yum install openssh-server -y 2. Restrict Direct SSH Access to Production ServersDeny direct SSH access to critical servers.Only allow SSH traffic via the bastion host.Modify SSH Config on Production Servers to Allow Only Bastion AccessOn each production server, edit the SSH configuration:sudo nano /etc/ssh/sshd_config Add:AllowUsers bastion-user@bastion-ip PermitRootLogin no PasswordAuthentication no Restart SSH to apply changes:sudo systemctl restart sshd Enforce SSH Access via the Bastion HostOn client machines, first connect to the bastion:ssh -J bastion-user@bastion-ip user@production-server-ip Or, configure SSH ProxyJump in ~/.ssh/config:Host production-server HostName production-server-ip User user ProxyJump bastion-user@bastion-ip Now, simply run:ssh production-server (This automatically routes through the bastion host.)3. Enforce Multi-Factor Authentication (MFA) on the Bastion HostTo add an extra layer of security, configure MFA for SSH logins on the bastion.Install Google Authenticator for 2FAsudo apt install libpam-google-authenticator -y google-authenticator Follow the prompts and save the secret key or QR code.Enable MFA in PAM AuthenticationEdit the PAM SSH configuration file:sudo nano /etc/pam.d/sshd Add:auth required pam_google_authenticator.so Require MFA for SSH LoginsEdit the SSH configuration:sudo nano /etc/ssh/sshd_config Ensure:ChallengeResponseAuthentication yes UsePAM yes Restart SSH:sudo systemctl restart sshd Now, users must enter a verification code from Google Authenticator before accessing the bastion.4. Enable Logging and Session AuditingA bastion host should log all SSH sessions for monitoring and forensic analysis.Enable Session Logging with AuditdInstall Auditd:sudo apt install auditd -y Configure Auditd to monitor SSH sessions:sudo nano /etc/audit/rules.d/audit.rules Add:-w /var/log/auth.log -p wa -k ssh_access -w /etc/ssh/sshd_config -p wa -k ssh_config_changes Restart Auditd:sudo systemctl restart auditd Record SSH Sessions with TlogInstall Tlog:sudo apt install tlog -y Configure Tlog to record SSH sessions in /var/log/tlog/.5. Implement Firewall Rules to Restrict SSH AccessUse UFW (Uncomplicated Firewall) to limit SSH access only to trusted IPs.On the Bastion Hostsudo ufw allow from your-trusted-ip to any port 22 proto tcp sudo ufw enable On Production Serverssudo ufw allow from bastion-ip to any port 22 proto tcp (Only allows SSH traffic from the bastion host.)6. Automate and Enforce Security PoliciesUse Ansible or Terraform to automate bastion setup.Apply SSH hardening guidelines (sudo nano /etc/ssh/sshd_config).Monitor SSH login attempts (sudo cat /var/log/auth.log | grep sshd).Best Practices for Bastion Host Security✅ Ensure bastion hosts are separate from production servers.✅ Use SSH key authentication instead of passwords.✅ Rotate SSH keys and enforce MFA for privileged users.✅ Monitor SSH access logs for anomalies and failed login attempts.✅ Regularly update the bastion host OS and security patches.By implementing a bastion host, you create a controlled and monitored access point for your Linux production servers, significantly enhancing security and access management.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.