Building a Bastion server - Part 9: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
| (One intermediate revision by the same user not shown) | |||
| Line 33: | Line 33: | ||
:* (0.0.0.0/0) is '''wrong''' specifiy the exact IP range or access. | :* (0.0.0.0/0) is '''wrong''' specifiy the exact IP range or access. | ||
= Other Options = | |||
* AWS Session mannager provides bastion as a service. | |||
:* No need to install a physical server. | |||
:* requires the SSM agent to be registered. | |||
== AWS Session Manager == | |||
* Provides a more stramiled approach than using a bastion server. | |||
* Offers a web interface. | |||
* Reduces the complexity of installing and securing another server. | |||
Latest revision as of 01:10, 19 May 2025
Study Guides > AWS Cybersecurity Notes > Building a Bastion server - Part 9
Bastion hosts
- These act as a jump box.
- Installed on a public subnet.
- The only purpose is to provide access from the private subnet from the internet.
General Bastion Guidance
- Select a minimal operarting system.
- Extra services could provide extra ingress points.
- Limit active services.
- Harden the default OpenSSH configurations
- The configuration file is located in/etc/ssh/sshd_config
- Disable root login.
- Set password autheitcation and idele timeout values to acceptable numbers.
- Make sure uncessary ports are cloded.
- Security groups assgiened to the bastion host should specifiy limited IP ranges.
- (0.0.0.0/0) is wrong specifiy the exact IP range or access.
Other Options
- AWS Session mannager provides bastion as a service.
- No need to install a physical server.
- requires the SSM agent to be registered.
AWS Session Manager
- Provides a more stramiled approach than using a bastion server.
- Offers a web interface.
- Reduces the complexity of installing and securing another server.
