How to secure SSH jump server / SSH bastion host / SSH gateway
Article ID: 103 | Rating: 5/5 from 1 votes | Last Updated: Tue, Nov 10, 2020 at 7:15 AM
Here are some basic security measures to harden a Linux SSH jump host server running Ezeelogin.
- Two-factor authentication - Enforce two-factor authentication (for example Google two-factor auth, YubiKey or Duo Security) so that both the Ezeelogin web GUI and the SSH interface have an additional layer of protection.
- SSL for HTTPS - Enable SSL and access the web GUI over HTTPS only. You need to install your SSL certificate for the GUI and then enable SSL mode in the Ezeelogin settings. Once the certificates are installed, refer to: How to enable or force SSL or disable SSL.
- Enable captcha - Enable reCAPTCHA for the web GUI in the Ezeelogin settings.
- Disable password authentication and AllowTcpForwarding in the sshd configuration file (sshd_config) on the jump server, so that only key-based logins are accepted and the host cannot be used as a TCP relay.
- Enable firewall and lock down access - Always restrict the IPs from which staff are allowed to SSH in. Allow only your own IPs and your employees' IPs; the default rule should block SSH for everyone else, with access granted explicitly. You can achieve this with iptables or with rules in the hosts.allow/hosts.deny files.
- SSH gateway behind a VPN - Placing the SSH gateway behind a VPN keeps unauthorized traffic from reaching it at all. This is highly recommended.
- Enable htaccess - Set up .htaccess authentication to protect the folder where the web GUI is installed. Never leave the web GUI publicly accessible. This needs to be done manually on the SSH jump server.
- Dedicated server environment - Always install Ezeelogin on a dedicated server. Installing it on shared hosting is not recommended, because a shared environment is more exposed: other users on the same host can snoop or probe around.
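As an added example (not part of the Ezeelogin article), the following POSIX shell script audits an sshd_config for the two settings the list above says to disable, comparing a constructed "weak" file against a constructed hardened one. It assumes the file uses the `Keyword value` form and has no Match blocks; the file paths and sample contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example: check PasswordAuthentication and AllowTcpForwarding in an
# sshd_config. sshd applies the FIRST occurrence of a keyword, ignores
# comment lines, and treats keywords case-insensitively; a keyword that is
# absent takes the sshd default (both of these default to "yes").

# Print the effective value of keyword $2 in config file $1, or default $3.
# Assumption: "Keyword value" syntax only (no "Keyword=value", no Match blocks).
sshd_value() {
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$3"
    fi
}

# Return 0 when both settings are hardened, 1 otherwise; report each weak one.
audit_sshd() {
    cfg="$1"; rc=0
    pw=$(sshd_value "$cfg" PasswordAuthentication yes)
    fwd=$(sshd_value "$cfg" AllowTcpForwarding yes)
    if [ "$pw" != "no" ]; then
        echo "WEAK: PasswordAuthentication=$pw (want: no)"; rc=1
    fi
    if [ "$fwd" != "no" ]; then
        echo "WEAK: AllowTcpForwarding=$fwd (want: no)"; rc=1
    fi
    return $rc
}

# Constructed "before" config: password logins left on, forwarding only
# commented out, so sshd falls back to its default of "yes" for it.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
Port 22
#AllowTcpForwarding no
PasswordAuthentication yes
EOF

# Constructed hardened config as the article recommends for the jump host.
HARD_CFG=$(mktemp)
cat >"$HARD_CFG" <<'EOF'
Port 22
PasswordAuthentication no
AllowTcpForwarding no
EOF

audit_sshd "$WEAK_CFG" || echo "weak config flagged"
audit_sshd "$HARD_CFG" && echo "hardened config passes"
```

On a live host, `sshd -T` prints the effective configuration (including defaults and Match handling), so pipe that into the same checks rather than parsing the file by hand.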