
Bastion host – How to secure and harden the ssh server on it?


  1. Enable a firewall and, by default, block all IP access to the SSH port; allow only your staff IPs or the dynamic IP ranges that you trust.
  2. Disable direct root login. It is always better to log in as a non-privileged user first and then switch to the root user; this is the norm if you are looking for PCI DSS compliance. Edit /etc/sshd/sshd_config:

    PermitRootLogin no

    Ezeelogin SSH Gateway has a feature called ‘AUTO SU or SUDO’ which does the switching automatically, so you do not waste time retrieving the password of the ‘admin’ user and then entering the root password.
  3. Disable password-based authentication and enable only key-based authentication in the sshd configuration file. I would rate this as the most important of all.

    PasswordAuthentication no

  4. Enable key-based authentication. RSA keys are known to be more secure than DSA keys.

    RSAAuthentication yes
    PubkeyAuthentication yes
    AllowTcpForwarding no

  5. Change the sshd default listening port from 22 to something like 22656, since it is hard to guess and attackers would have to scan for it. Use a custom SSH port and listening IP:

    Port 22656
    ListenAddress 192.168.5.6

  6. Configure a VPN; having your server behind a VPN is a good idea and would really improve the security and harden the server.
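Items 2 to 5 above are all sshd_config directives, so the quickest way to verify a bastion is to parse the file and compare the effective values with the hardened ones. The audit script below is an added example written for this page; it is not Ezeelogin code. It assumes only a POSIX shell and awk, applies sshd's rule that the first occurrence of a keyword wins (directives after a `Match` line are conditional and are skipped), and the sample configuration it writes is constructed rather than taken from a real host. The values it substitutes for absent keywords are the defaults of recent OpenSSH releases, which it labels as assumed.

```shell
#!/bin/sh
# Audit an sshd_config against the hardening items listed above.
# Added example for this page, not Ezeelogin code. Assumes a POSIX shell
# and awk only. Usage:  sh audit_sshd.sh /etc/ssh/sshd_config

# effective_value FILE KEYWORD
# Print the value sshd would use for KEYWORD. Keywords are case-insensitive,
# "Key=Value" is accepted, comments are stripped, and the FIRST occurrence
# wins; anything after the first "Match" line is conditional, so stop there.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); gsub(/[ \t]*=[ \t]*/, " ") }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# check_sshd_config FILE
# Print one "ok"/"FAIL" line per item and return the number of FAIL lines,
# so a non-zero exit status means the file is not hardened as described.
check_sshd_config() {
    file=$1
    fails=0
    # keyword | hardened value | value recent OpenSSH assumes when unset
    while IFS='|' read -r key want default; do
        got=$(effective_value "$file" "$key")
        note=""
        if [ -z "$got" ]; then got=$default; note=" (unset, default assumed)"; fi
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
            printf 'ok   %s = %s%s\n' "$key" "$got" "$note"
        else
            printf 'FAIL %s = %s%s (want %s)\n' "$key" "$got" "$note" "$want"
            fails=$((fails + 1))
        fi
    done <<EOF
PermitRootLogin|no|prohibit-password
PasswordAuthentication|no|yes
PubkeyAuthentication|yes|yes
AllowTcpForwarding|no|yes
EOF
    # Port: anything other than the default 22 counts as a custom port.
    port=$(effective_value "$file" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        printf 'FAIL Port = 22 (want a non-default port)\n'
        fails=$((fails + 1))
    else
        printf 'ok   Port = %s\n' "$port"
    fi
    # ListenAddress: when unset, sshd binds every interface.
    addr=$(effective_value "$file" ListenAddress)
    if [ -z "$addr" ]; then
        printf 'FAIL ListenAddress unset (want the bastion management IP only)\n'
        fails=$((fails + 1))
    else
        printf 'ok   ListenAddress = %s\n' "$addr"
    fi
    return "$fails"
}

# Audit the file given on the command line, or a constructed sample
# (not a real host's configuration) when run without arguments.
if [ $# -gt 0 ]; then
    check_sshd_config "$1"
else
    SAMPLE=$(mktemp)
    cat >"$SAMPLE" <<'EOF'
# constructed example: a bastion before hardening
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
Match User backup
    AllowTcpForwarding yes
EOF
    check_sshd_config "$SAMPLE"
    rm -f "$SAMPLE"
fi
```

The sample reports five findings, including `AllowTcpForwarding`, which is only set inside a `Match` block and therefore still defaults to `yes` for every other user. On a live host, `sshd -T` prints the fully resolved configuration and is the authoritative source for what is actually in effect. The script deliberately ignores `RSAAuthentication`, a protocol 1 option that modern OpenSSH no longer honours, and it cannot check item 1 (the firewall) or item 6 (the VPN), which live outside sshd_config.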

 
