How to secure SSH jump server / SSH bastion host / SSH gateway

Security measures to harden Ezeelogin Linux SSH Jump server

 

  • Two factor authentication Enforce 2 factor authentication like Google 2FA Auth or Yubikey 2FA  or DUO Security so that both the Ezeelogin web gui and ssh interface has an additional layer of protection. 

  • SSL For HTTPS - Enable ssl and access your web gui using https only. You would need to install your ssl certificate for the gui and then enable ssl mode in ezeelogin settings. Once the ssl certificates are installed, refer How to enable or force ssl or disable ssl

  • Enable Captcha - Enable reCaptcha for the web gui in the ezeelogin settings

  • Hardening SSH Server Daemon configuration file.
    Disable password authentication, Disable AllowTCPForwarding, Disable Password Authentication as Public key based authentication is recommended 

    root@jump#~ vi /etc/sshd/sshd_config

     

    #Allow Key based authentication as its harder to bruteforce or sniff than a password

    Pubkeyauthentication yes

     

    #Disable password authentication to the jump server as key based authentication is much more secure.Make sure to enable this under localhost section below.
    #Make sure to add in your SSH Public key before you disable password authentication to prevent lock outs.

    PasswordAuthentication no

     

    #Disable Tcp Forwarding on the jump server

    AllowTcpForwarding no 

    #Disable direct root logins to servers and instead login as non privileged user and switch to root
    #Make sure that a non privileged user can ssh and switch to become a root user before disabling direct root login.

    PermitRootLogin no

     

    #SSHD localhost settings. ( Note the rules under the following section will apply only to localhost ( 127.0.0.1) )

    Match Address 127.0.0.1 

    PermitRootLogin yes 

    PubkeyAuthentication yes 
    PasswordAuthentication yes

     

     

    #Do a syntax check of sshd configuration file as shown below

    root@jump:~  sshd -T 

    # restart sshd daemon

    root@jump:# service sshd restart

    Disallow view server password field in Ezeelogin GUI.
    view password disable ezeelogin

  • Enable Firewall and Lockdown access - Always, restrict the ips from which staffs are allowed to ssh from. You should be allowing only your ips, employees ips and the default rule should block ssh for everyone and should be granted explicitly. You can achieve this using iptables or setting up rules in host.allow/hosts.deny files.

  • SSH Gateway behind VPN is Very Good - Having the SSH Jump server behind a VPN is very good as it prevents unauthorized traffic. This is highly recommended.



 

5 (1)
Article Rating (1 Votes)
Rate this article
    Attached Files
    There are no attachments for this article.
    Related Articles RSS Feed
    Enable SSH Key based authentication and Disable Password Authentication in ssh
    Viewed 924 times since Tue, Apr 21, 2020
    What operating systems and platforms are supported to install jump server?
    Viewed 4438 times since Wed, Jun 14, 2017
    Install slave / secondary node for high availability in jump server
    Viewed 5126 times since Wed, Jun 14, 2017
    The IP field must contain a valid public IP or how to install Ezeelogin on a machine in lan
    Viewed 4355 times since Wed, Jun 14, 2017
    How to install Ezeelogin with a standalone license ?
    Viewed 687 times since Tue, Mar 10, 2020
    How to install ioncube on jump server?
    Viewed 33749 times since Wed, Jun 14, 2017
    Configure ezeelogin on aws RDS
    Viewed 66 times since Thu, Mar 11, 2021
    Install ezeelogin without internet access on Centos 7
    Viewed 103 times since Wed, Dec 30, 2020
    Installing Jump server or Bastion host on a linux host in Google or AWS instance ?
    Viewed 20817 times since Thu, Sep 21, 2017