In cloud environments, ensuring secure access to critical systems and data is a top priority. One of the most effective ways to enhance this security is by setting up a bastion host. A bastion host acts as a secure gateway, allowing authorized users to access your cloud infrastructure while keeping potential attackers at bay. In this guide, we’ll explore how to create a bastion host, and why it’s essential for security.
What is a Bastion Host?
A bastion host (also known as a jump box) is a special-purpose server that serves as a secure access point for administrators and other authorized personnel to access private networks. It acts as a middleman between external users and sensitive internal resources, reducing the need to expose multiple services to the public internet. Typically, the bastion host is the only server in a private network that has direct access from the internet, and all connections to internal servers must pass through it.
Why Use a Bastion Host?
Using a bastion host has several benefits:
- Enhanced Security: By limiting access to a single entry point, the attack surface of your network is significantly reduced.
- Controlled Access: A bastion host allows you to control and monitor access to sensitive resources by restricting who can connect to your internal network.
- Logging and Auditing: Since all connections go through the bastion host, it serves as a single point for logging and auditing access, making it easier to track and respond to suspicious activities.
- Compliance: Many regulatory frameworks require organizations to monitor and control access to sensitive data. A bastion host helps organizations meet these requirements by providing secure, monitored access.
Prerequisites for Creating a Bastion Host
Before creating a bastion host, ensure that you have the following:
- Cloud Account: An account with a cloud provider, such as AWS, Azure, or Google Cloud Platform (GCP).
- Network Setup: A virtual private cloud (VPC) with subnets to isolate your private resources.
- Access Management: A user account with administrative privileges to set up and configure the bastion host.
- SSH Key Pair: A key pair for secure SSH access. Ensure you create and store the private key securely.
Step 1: Choose a Cloud Provider and Launch an Instance
- Select a Cloud Provider: Log in to your cloud provider’s console. The steps here will be similar across providers so creating a bastion host in GCP is not very different from creating a bastion host in AWS. We’ll use the AWS bastion host’s example.
- Launch an EC2 Instance: To create a AWS bastion host, in the AWS Console, go to the EC2 dashboard and select “Launch Instance.”
- Choose an appropriate Amazon Machine Image (AMI) for your needs, such as an Ubuntu or Amazon Linux AMI.
- Select an instance type based on your expected usage. Generally, a t2.micro instance is sufficient for a bastion host in a small environment.
- Configure Network Settings: Assign the instance to a public subnet in your VPC and enable a public IP address so you can access it from the internet.
Step 2: Set Up Security Groups and Network Rules
- Create a Security Group: Set up a security group to define network access for the bastion host.
- Inbound Rules: Allow inbound SSH traffic (typically port 22) from trusted IP addresses. Restrict access to specific IP ranges to prevent unauthorized access.
- Outbound Rules: Configure outbound rules to allow access to the private IP range of your internal network.
- Limit Access to Internal Resources: Ensure that internal instances only allow SSH access from the bastion host’s IP. This creates a secure pathway where only the bastion host can access internal resources.
Step 3: Configure SSH Access and Key Pair
- Generate an SSH Key Pair: If you don’t already have an SSH key pair, generate one using a tool like OpenSSH or PuTTY.
- On Linux or macOS, you can use the following command: ssh-keygen -t rsa -b 2048 -f ~/.ssh/bastion_key
- On Windows, you can use PuTTYgen to generate an SSH key pair.
- Upload the Public Key: During the instance launch or afterward, associate the public key with the bastion host so that only users with the private key can connect.
- Disable Password Authentication: For added security, disable password authentication on the bastion host to enforce SSH key-based access only.
- To do this, open the SSH configuration file: sudo nano /etc/ssh/sshd_config
- Set PasswordAuthentication no, then save and exit the file.
- Restart the SSH service to apply changes: sudo systemctl restart sshd
Step 4: Secure and Configure the Bastion Host
- Install Security Updates: Run system updates to ensure the host has the latest security patches.
- For Ubuntu: sudo apt update && sudo apt upgrade
- Configure Logging: Set up detailed logging for all SSH sessions. Logs will provide a record of all access attempts and commands executed on the bastion host.
- You can monitor SSH logs in the auth log file: tail -f /var/log/auth.log
- Install Monitoring Tools: Consider installing monitoring and intrusion detection tools to keep an eye on the bastion host.
- For instance, you can install Fail2Ban to block repeated failed login attempts and monitor suspicious activity.
- Limit Access with SSH ProxyCommand: You can further enhance security by using SSH’s ProxyCommand option to require users to connect to internal instances through the bastion host.
- This involves configuring users’ SSH config files to automatically route connections through the bastion host.
Step 5: Use Multi-Factor Authentication (Optional but Recommended)
To further enhance security, consider setting up multi-factor authentication (MFA) for access to the bastion host. Some providers, like AWS, offer additional services (e.g., AWS IAM with MFA) to enforce MFA when connecting to EC2 instances. Adding an MFA layer makes it harder for unauthorized users to gain access, even if they have access to the private key.
Step 6: Limit Access to the Bastion Host
- Create User Accounts: Create individual user accounts for each person who will access the bastion host. Avoid using the default ec2-user or root account for all users.
- You can create a user with: sudo adduser username
- Manage User Access: Assign each user a unique SSH key and remove their access once they no longer require it.
- Use Sudo Privileges with Caution: Limit access to sudo privileges on the bastion host. Users should only have the necessary permissions for their role.
Step 7: Monitor and Maintain the Bastion Host
- Regular Updates: Keep the bastion host’s operating system and software packages up to date.
- Monitor Logs: Regularly review SSH logs and audit logs to identify any unauthorized access attempts.
- Back Up Configuration: Make backups of any custom configurations you make on the bastion host so that they can be quickly restored if needed.
Conclusion
A bastion host plays a critical role in securing access to your cloud infrastructure by acting as a controlled gateway between external users and internal resources. Following this AWS bastion host step-by-step creation guide, which is similar to other cloud platforms, will help you set up a bastion host that meets your organization’s security requirements while ensuring streamlined access for authorized users. With a bastion host in place, you can maintain a strong security posture in your cloud environment, enabling controlled and monitored access to sensitive systems. Secure your cloud environment with Trio’s comprehensive mobile device management solutions. Start your free trial today and take control of your digital assets like never before!