Secure and harden SSH Bastion host?

1. Enable a firewall that blocks all IP access to the SSH port by default, and allow only your staff IPs or dynamic IP ranges that you trust.

2. Disable direct root login. It's always better to log in as a non-privileged user first and then switch to the root user. This is the norm if you are looking for PCI DSS compliance. Edit /etc/ssh/sshd_config:

    PermitRootLogin no

Ezeelogin SSH Gateway has a feature called ‘AUTO SU or SUDO’ that does the switching automatically, so you do not waste time retrieving the password of the ‘admin’ user and then entering the root password.

3. Disable password-based authentication and enable only key-based authentication in the sshd configuration file. I would rate this as the most important of all.

    PasswordAuthentication no

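4. Enable key-based authentication. RSA keys are known to be more secure than DSA keys.

    # RSAAuthentication applies to SSH protocol 1 only; it is deprecated in OpenSSH 7.4 and later
    RSAAuthentication yes
    PubkeyAuthentication yes
    AllowTcpForwarding no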

5. Change the default sshd listening port from 22 to something like 22656, since it is hard to guess and attackers would have to scan for it. Use a custom SSH port and listening IPs.

    Port 22656
    ListenAddress 192.xx.xx.xx.xx

6. Configure a VPN; having your server behind a VPN is a good idea. This would really improve security and harden the server.
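
An added example, not part of the original post or of Ezeelogin: a small Python audit that checks the text of an sshd_config against steps 2 to 5, including a duplicate keyword and a setting that exists only under a Match block. The defaults for absent keywords are assumed to be those of a recent OpenSSH release; the sample configuration and the address 192.0.2.10 are constructed.

```python
import re

# keyword: (assumed default in a recent OpenSSH when absent, value from steps 2-4)
CHECKS = {
    "permitrootlogin": ("prohibit-password", "no"),
    "passwordauthentication": ("yes", "no"),
    "pubkeyauthentication": ("yes", "yes"),
    "allowtcpforwarding": ("yes", "no"),
}

# Constructed sample: a shadowed duplicate, and a setting present only under Match.
SAMPLE = """\
Port 22656
ListenAddress 192.0.2.10
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
Match User deploy
    AllowTcpForwarding no
"""


def parse_global(text):
    """Return {keyword: [values]} for the global section; Include is not followed."""
    seen = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # settings under Match apply only conditionally
        seen.setdefault(key, []).append(parts[1].strip('"') if len(parts) > 1 else "")
    return seen


def audit(text):
    """Return sorted findings; an empty list means steps 2-5 hold globally."""
    cfg = parse_global(text)
    findings = []
    for key, (default, want) in CHECKS.items():
        got = cfg.get(key, [default])[0].lower()  # sshd keeps the first value read
        if got != want:
            findings.append(f"{key}: effective '{got}', expected '{want}'")
    # Port and ListenAddress may be repeated, so every occurrence counts.
    if "22" in cfg.get("port", ["22"]):
        findings.append("port: sshd listens on 22")
    if "listenaddress" not in cfg:
        findings.append("listenaddress: unset, sshd binds to all addresses")
    return sorted(findings)
```

On a live host, `sshd -T` prints the effective configuration and remains the authoritative check; this script only reads the file text it is given.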
