How to secure SSH jump server / SSH bastion host / SSH gateway

Here are some basic security measures for hardening a Linux SSH jump host server.

 

  • Two-factor authentication - Enforce two-factor authentication such as Google two-factor authentication, YubiKey or DUO Security so that both the Ezeelogin web GUI and the SSH interface have an additional layer of protection.

  • SSL for HTTPS - Enable SSL and access the web GUI over HTTPS only. You need to install your SSL certificate for the GUI and then enable SSL mode in the Ezeelogin settings. Once the SSL certificates are installed, refer to "How to enable or force ssl or disable ssl".

  • Enable Captcha - Enable reCAPTCHA for the web GUI in the Ezeelogin settings.

  • Disable password authentication and TCP forwarding (AllowTcpForwarding) in the sshd configuration file on the jump server:

    PasswordAuthentication no

    AllowTcpForwarding no


  • Enable firewall and lock down access - Always restrict the IPs from which staff are allowed to SSH. Allow only your own IPs and your employees' IPs; the default rule should block SSH for everyone, and access should be granted explicitly. You can achieve this using iptables or by setting up rules in the hosts.allow/hosts.deny files.

  • SSH gateway behind a VPN - Having your SSH gateway behind a VPN is very good, as it prevents unauthorized traffic. This is highly recommended.

  • Enable htaccess - Set up .htaccess authentication to protect the folder where you have installed the web GUI. Never leave the web GUI publicly accessible. This needs to be done manually on the SSH jump server.

  • Dedicated server environment - Always install Ezeelogin in a dedicated server environment. Installing it in a shared hosting environment is never recommended, as a shared environment is more vulnerable: it allows other shared users to snoop or probe around.
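
Added example (not part of the original article and not Ezeelogin's own tooling): a shell check for the two sshd settings listed above. It reads only the global section of a config file and relies on sshd using the first value it reads for a keyword and defaulting both options to yes. It does not follow Include directives, and the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Audit the global section of an sshd_config for the two settings above.
# sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive, and both options default to "yes" when absent.

# effective_value KEYWORD FILE -> prints the first global value, or "yes" (default)
effective_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        { line = $0; sub(/^[ \t]+/, "", line)
          n = split(line, f, /[ \t=]+/)         # "Key value" or "Key=value"
          key = tolower(f[1]) }
        key == "match" { exit }                 # Match blocks are conditional: stop here
        key == want && n >= 2 { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$2"
}

# audit_sshd FILE -> one line per keyword; returns 1 if any value is not "no"
audit_sshd() {
    rc=0
    for kw in PasswordAuthentication AllowTcpForwarding; do
        val=$(effective_value "$kw" "$1")
        if [ "$val" = "no" ]; then
            echo "OK    $kw $val"
        else
            echo "WEAK  $kw $val (expected: no)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (hypothetical, not taken from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/weak.conf" <<'EOF'
passwordauthentication yes
PasswordAuthentication no
Match User deploy
    AllowTcpForwarding no
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
PasswordAuthentication no
AllowTcpForwarding=no
EOF
audit_sshd "$demo_dir/weak.conf" || true    # later "no" and Match-only "no" do not count
audit_sshd "$demo_dir/hardened.conf"
```

On a live jump server, `sshd -T` prints the effective configuration, including defaults and included files, and is the authoritative check.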

 
