How to Set Up an SSH Bastion Host for Secure Access
In today’s digital world, security is a top priority, especially when managing multiple servers across different networks. One of the most effective ways to safeguard access to these servers is by using an SSH bastion host. In this guide, we’ll explore what an SSH bastion host is, why it’s essential, and how to set one up step by step.
What Is an SSH Bastion Host?
An SSH bastion host, also known as a jump host or jump server, is a dedicated server that acts as a gateway between your external users and your internal network. It is designed to control and manage SSH access to other servers, ensuring that only authorized users can connect. Instead of connecting directly to the target server, users must first authenticate to the bastion host, which then forwards their connection to the target server.
Why Use an SSH Bastion Host?
Using a bastion host offers several security benefits:
- Centralized Access Control: By funneling all SSH connections through a single point, you can manage and monitor access more efficiently.
- Enhanced Security: The bastion host serves as a buffer between the internet and your internal servers, reducing the attack surface.
- Logging and Auditing: You can configure the bastion host to log every SSH session, helping in auditing and tracking unauthorized access attempts.
- Reduced Exposure: Only the bastion host needs to be publicly accessible, while your internal servers can remain isolated.
Setting Up an SSH Bastion Host
Let’s dive into the steps to set up an SSH bastion host on a Linux server.
Step 1: Select a Secure Server
Choose a secure server to act as your bastion host. This server should have a public IP address and be placed in a DMZ (Demilitarized Zone) network, isolated from the rest of your internal infrastructure. Make sure to keep the operating system and software updated regularly to mitigate vulnerabilities.
Step 2: Install SSH and Configure Basic Security
On your chosen bastion host, install the OpenSSH server if it is not already installed:
sudo apt update
sudo apt install openssh-server
You should also configure SSH to enhance security. Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Make the following changes:
Disable Root Login:
PermitRootLogin no
Limit SSH to Specific Users:
AllowUsers yourusername
- Disable Password Authentication (Optional): For increased security, you can disable password authentication and use SSH key pairs.
PasswordAuthentication no
Restart the SSH service to apply the changes:
sudo systemctl restart ssh
Step 3: Configure Firewall Rules
To ensure that only necessary traffic can reach the bastion host, configure your firewall. Limit SSH access to the bastion host from specific IP addresses, such as those of your administrators. Using ufw (Uncomplicated Firewall), you can enable and configure rules like this:
sudo ufw allow from to any port 22
sudo ufw enable
Step 4: Create SSH Key Pairs for Secure Access
SSH key pairs offer a more secure way of authenticating than passwords. Generate an SSH key pair on your local machine:
ssh-keygen -t rsa -b 4096 -C “[email protected]”
This will create a public key (id_rsa.pub) and a private key (id_rsa). Copy the public key to your bastion host:
ssh-copy-id yourusername@bastion_host_ip
Step 5: Enable SSH Agent Forwarding
If you need to connect to internal servers through the bastion host, enable SSH agent forwarding. This will allow you to authenticate with your internal servers using your local SSH keys without copying them to the bastion host.
To enable SSH agent forwarding, use the -A option when connecting to the bastion host:
ssh -A yourusername@bastion_host_ip
Make sure to disable AgentForwarding on the bastion host to prevent other users from forwarding their keys:
AllowAgentForwarding no
Step 6: Configure Internal Server Access
On the internal servers, restrict SSH access to connections coming from the bastion host’s IP address. You can do this by modifying the /etc/hosts.allow and /etc/hosts.deny files:
Add this to /etc/hosts.allow:
sshd: bastion_host_ip
Add this to /etc/hosts.deny:
sshd: ALL
Step 7: Monitor and Audit SSH Access
Setting up logging on the bastion host is crucial for monitoring and auditing purposes. You can use tools like rsyslog or journalctl to keep track of who accesses the bastion host and when. For more detailed logging, consider enabling session recording with tmux or screen.
Step 8: Implement Multi-Factor Authentication (Optional)
For added security, you can enable multi-factor authentication (MFA) on your bastion host. This involves setting up an additional layer of authentication, such as Google Authenticator. You can install the necessary packages and follow the setup:
sudo apt instal libpam-google-authenticator
google-authenticator
Follow the prompts to complete the setup, and then configure SSH to use MFA.
Best Practices for Using an SSH Bastion Host
- Limit Access: Restrict SSH access to the bastion host to authorized users only. Use AllowUsers and firewall rules.
Regularly Update Software: Keep the operating system and SSH software up to date to prevent exploitation.
Use Strong Encryption: Ensure SSH is configured to use strong encryption algorithms.
Enable Session Timeouts: Set session timeouts to disconnect inactive users automatically.
ClientAliveInterval 300
ClientAliveCountMax 0
