Building a Bastion server - Part 9: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
(Created page with "Study Guides > AWS Cybersecurity Notes > Building a Bastion server - Part 9 =Bastion hosts= * These act as a jump box. * Installed on a public subnet. * The '''only''' purpose is to provide access from the private subnet from the internet.") |
No edit summary |
||
| Line 8: | Line 8: | ||
* The '''only''' purpose is to provide access from the private subnet from the internet. | * The '''only''' purpose is to provide access from the private subnet from the internet. | ||
= General Bastion Guidance = | |||
* Select a minimal operarting system. | |||
:* Extra services could provide extra ingress points. | |||
:* Limit active services. | |||
* Harden the default OpenSSH configurations | |||
:* The configuration file is located in/etc/ssh/sshd_config | |||
:* Disable root login. | |||
:* Set password autheitcation and idele timeout values to acceptable numbers. | |||
* Make sure uncessary ports are cloded. | |||
* Security groups assgiened to the bastion host should specifiy limited IP ranges. | |||
:* (0.0.0.0/0) is '''wrong''' specifiy the eaact IP range or access. | |||
Revision as of 00:56, 19 May 2025
Study Guides > AWS Cybersecurity Notes > Building a Bastion server - Part 9
Bastion hosts
- These act as a jump box.
- Installed on a public subnet.
- The only purpose is to provide access from the private subnet from the internet.
General Bastion Guidance
- Select a minimal operarting system.
- Extra services could provide extra ingress points.
- Limit active services.
- Harden the default OpenSSH configurations
- The configuration file is located in/etc/ssh/sshd_config
- Disable root login.
- Set password autheitcation and idele timeout values to acceptable numbers.
- Make sure uncessary ports are cloded.
- Security groups assgiened to the bastion host should specifiy limited IP ranges.
- (0.0.0.0/0) is wrong specifiy the eaact IP range or access.
