Bastion Host Setup for Remote Administration

TL;DR

To set up a bastion host for secure remote administration on Debian 13, follow these key steps:

1. Install OpenSSH Server: Ensure the SSH server is installed and running.

   sudo apt update && sudo apt install openssh-server  # Install OpenSSH
   sudo systemctl enable ssh  # Enable SSH to start on boot
   sudo systemctl start ssh   # Start SSH service
   

2. Configure SSH for Security: Edit the SSH configuration to enhance security.

   sudo nano /etc/ssh/sshd_config
   

   • Set PermitRootLogin no to prevent root login.
   • Use PasswordAuthentication no to disable password logins; use SSH keys instead.
   • Change the default port from 22 to a non-standard port (e.g., 2222).

3. Set Up Firewall Rules: Use ufw to restrict access to the bastion host.

   sudo apt install ufw  # Install UFW if not already installed
   sudo ufw allow 2222/tcp  # Allow SSH on the custom port
   sudo ufw enable  # Enable the firewall
   

4. Create User Accounts: Add non-root users for SSH access.

   sudo adduser adminuser  # Create a new user
   sudo usermod -aG sudo adminuser  # Add user to the sudo group
   

5. Set Up SSH Key Authentication: Generate SSH keys and copy them to the bastion host.

   ssh-keygen -t rsa -b 4096  # Generate SSH key pair
   ssh-copy-id -p 2222 adminuser@your.bastion.host  # Copy public key to bastion
   

6. Regular Updates: Keep the system updated to mitigate vulnerabilities.

   sudo apt update && sudo apt upgrade -y  # Update packages
   

Caution: Always back up configuration files before making changes. Ensure that your firewall rules are tested to avoid locking yourself out.

Understanding Bastion Hosts

A bastion host, also known as a jump server, is a critical component in securing remote access to your network. It acts as a gateway between an external network and your internal servers, providing a controlled entry point for administrators. By funneling all remote administrative traffic through a bastion host, you can enforce stricter security policies and monitor access more effectively.

When setting up a bastion host, it is essential to minimize its attack surface. This can be achieved by installing only the necessary software and services. For a typical bastion host, you might only need SSH for remote access. Ensure that the SSH service is configured securely:

sudo apt update
sudo apt install openssh-server

# Start and enable the SSH service
sudo systemctl start ssh
sudo systemctl enable ssh

Next, configure the SSH daemon to enhance security. Edit the SSH configuration file:

# Open the SSH configuration file
sudo nano /etc/ssh/sshd_config

Make the following changes to improve security:

# Disable root login
PermitRootLogin no

# Allow only specific users
AllowUsers admin_user

# Change the default SSH port (optional but recommended)
Port 2222

After making changes, restart the SSH service:

# Restart SSH to apply changes
sudo systemctl restart ssh

Caution: Changing the default SSH port can lead to confusion if not documented properly. Ensure that all administrators are aware of the new port.

Additionally, consider implementing firewall rules to restrict access to the bastion host. Use ufw (Uncomplicated Firewall) to allow only specific IP addresses:

# Install UFW if not already installed
sudo apt install ufw

# Allow SSH from a specific IP
sudo ufw allow from YOUR_IP_ADDRESS to any port 2222

# Enable the firewall
sudo ufw enable

By following these practices, you can create a robust bastion host that significantly enhances the security of your remote administration setup.

Prerequisites

To successfully set up a bastion host for remote administration on Debian 13, ensure you have the following prerequisites in place:

1. Debian 13 Server: You should have a fresh installation of Debian 13. Ensure that your system is up to date by running:

   sudo apt update && sudo apt upgrade -y  # Update package lists and upgrade installed packages
   

2. Root or Sudo Access: You must have root access or a user account with sudo privileges to install and configure necessary packages.

3. SSH Installed: The SSH server should be installed and running. You can check its status with:

   sudo systemctl status ssh  # Check if SSH service is active
   

   If SSH is not installed, you can install it using:

   sudo apt install openssh-server -y  # Install OpenSSH server
   

4. Firewall Configuration: A firewall should be configured to restrict access to the bastion host. Install ufw (Uncomplicated Firewall) if it’s not already installed:

   sudo apt install ufw -y  # Install UFW for firewall management
   

   Enable the firewall with:

   sudo ufw enable  # Enable UFW
   

   Ensure that SSH traffic is allowed:

   sudo ufw allow ssh  # Allow SSH connections
   

5. Public IP Address: The bastion host should have a public IP address to facilitate remote access. Ensure that your network configuration allows for this.

6. Secure Passwords and Keys: Use strong passwords for user accounts and consider setting up SSH key-based authentication for enhanced security. Generate SSH keys with:

   ssh-keygen -t rsa -b 4096 -C "your_email@example.com"  # Generate a secure SSH key pair
   

7. Backup: Always back up your current configuration and important data before making significant changes to the server.

By ensuring these prerequisites are met, you will create a solid foundation for your bastion host setup.

Installing and Configuring the Bastion Host

To set up a bastion host on your Debian 13 server, follow these steps to ensure secure remote administration.

First, install the OpenSSH server if it’s not already installed:

sudo apt update && sudo apt install openssh-server -y  # Install OpenSSH server

Next, configure the SSH daemon to enhance security. Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config  # Edit the SSH configuration

Make the following changes:

1. Disable root login: Prevent direct root access.

   PermitRootLogin no
   

2. Change the default SSH port: This reduces the risk of automated attacks.

   Port 2222  # Change to a non-standard port
   

3. Limit user access: Specify which users can log in.

   AllowUsers yourusername  # Replace with your actual username
   

4. Enable public key authentication: Ensure password authentication is disabled for better security.

   PasswordAuthentication no
   PubkeyAuthentication yes
   

After making these changes, save and exit the editor. Restart the SSH service to apply the new configuration:

sudo systemctl restart ssh  # Restart SSH service

Next, set up a firewall using ufw (Uncomplicated Firewall) to allow only necessary traffic:

sudo apt install ufw -y  # Install UFW
sudo ufw allow 2222/tcp  # Allow SSH on the new port
sudo ufw enable  # Enable the firewall

Finally, ensure that your bastion host is regularly updated to protect against vulnerabilities:

sudo apt update && sudo apt upgrade -y  # Update system packages

Caution: Always test your SSH configuration before closing existing sessions to avoid being locked out. Use a secondary terminal to verify connectivity after changes.

Implementing Security Best Practices

To enhance the security of your Bastion Host, implementing best practices is crucial. Here are several key measures to consider:

1. Regular Updates: Keep your system and packages up to date to protect against vulnerabilities. Use the following commands to update your Debian 13 system:

   sudo apt update && sudo apt upgrade -y  # Update package lists and upgrade installed packages
   

   Schedule regular updates using a cron job or systemd timer.

2. Firewall Configuration: Use ufw (Uncomplicated Firewall) to restrict access to essential ports only. By default, deny all incoming connections and allow only SSH:

   sudo ufw default deny incoming  # Deny all incoming connections
   sudo ufw default allow outgoing  # Allow all outgoing connections
   sudo ufw allow 22/tcp           # Allow SSH connections
   sudo ufw enable                  # Enable the firewall
   

   Always verify your firewall rules with sudo ufw status.

3. SSH Hardening: Modify the SSH configuration to enhance security. Edit /etc/ssh/sshd_config and implement the following settings:

   PermitRootLogin no       # Disable root login
   PasswordAuthentication no # Disable password authentication
   AllowUsers yourusername   # Restrict SSH access to specific users
   

   After making changes, restart the SSH service:

   sudo systemctl restart sshd  # Restart SSH service to apply changes
   

4. Fail2Ban Installation: Protect against brute-force attacks by installing Fail2Ban:

   sudo apt install fail2ban  # Install Fail2Ban
   

   Configure it to monitor SSH attempts by editing /etc/fail2ban/jail.local and enabling the SSH jail.

5. Log Monitoring: Regularly check logs for unauthorized access attempts. Use the following command to view SSH logs:

   sudo less /var/log/auth.log  # View authentication logs
   

   Set up logwatch or similar tools for automated reporting.

By following these best practices, you can significantly enhance the security posture of your Bastion Host, ensuring a safer remote administration environment.

Verification

To ensure that your bastion host is configured correctly and securely, perform the following verification steps:

1. Check SSH Configuration: Verify that the SSH daemon is running with the correct settings. Use the following command to check the status:

   sudo systemctl status ssh
   

   Ensure that the service is active and running. If it is not, start it with:

   sudo systemctl start ssh
   

2. Review SSH Configuration File: Inspect the SSH configuration file for security settings. Open the file with:

   sudo nano /etc/ssh/sshd_config
   

   Look for the following settings and ensure they are configured as recommended:

   PermitRootLogin no        # Prevent root login via SSH
   PasswordAuthentication no  # Disable password authentication
   AllowUsers yourusername    # Restrict access to specific users
   

   After making any changes, restart the SSH service:

   sudo systemctl restart ssh
   

3. Test SSH Access: From a remote machine, attempt to connect to the bastion host using SSH. Use the following command:

   ssh yourusername@your.bastion.host
   

   Ensure that you can connect without issues. If you encounter problems, check the firewall settings.

4. Firewall Verification: Confirm that the firewall is correctly configured to allow only necessary traffic. Use the following command to check the status of ufw:

   sudo ufw status verbose
   

   Ensure that only the required ports (e.g., port 22 for SSH) are open. If needed, adjust the rules:

   sudo ufw allow 22/tcp  # Allow SSH traffic
   

5. Log Review: Finally, review the SSH logs for any unauthorized access attempts. Use:

   sudo less /var/log/auth.log
   

   Look for any suspicious activity and take appropriate action if necessary. Regularly monitoring these logs is crucial for maintaining security.

• Linux
• Security
• Smb