I am setting up AWS stuff and wondering how to set up a secure bastion host. They all say to only allow access to your IP address, but how can I do that if my IP address is changing every few hours or days (just in my house wifi, or going to coffee shops, etc.)? What is best practice here, for SSHing into a bastion host and limiting access somehow to only specific IP addresses? If not possible, what is the next best alternative?
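One way to keep a single-address allow rule usable from a changing address, as an added example that is not part of the original post: a small POSIX sh script that looks up the caller's current public IPv4 address, validates it, and swaps the bastion security group's port-22 rule from the previously recorded /32 to the new one. It assumes the aws CLI is installed and credentialed; the security group id, the state-file path and the IP echo service (checkip.amazonaws.com, operated by AWS) are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): pin the bastion's SSH
# ingress rule to the caller's current public IP as a /32 CIDR.
# SG_ID and STATE_FILE are placeholders; the aws CLI is assumed present.

SG_ID="${SG_ID:-sg-PLACEHOLDER}"   # placeholder security group id
SSH_PORT=22

# Validate a dotted-quad IPv4 address and print it as a /32 CIDR.
# Returns non-zero (prints nothing) for anything that is not a valid IPv4.
to_cidr32() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;   # non-digit, empty, stray dots
    esac
    n=0
    oldIFS="$IFS"; IFS=.
    for octet in $ip; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS="$oldIFS"; return 1; }
    done
    IFS="$oldIFS"
    [ "$n" -eq 4 ] || return 1
    printf '%s/32\n' "$ip"
}

# Revoke the previously recorded /32 (if any, and if it changed) and
# authorize the new one, so the group never carries more than one SSH source.
rotate_ssh_rule() {
    old_cidr="$1"; new_cidr="$2"
    if [ -n "$old_cidr" ] && [ "$old_cidr" != "$new_cidr" ]; then
        aws ec2 revoke-security-group-ingress --group-id "$SG_ID" \
            --protocol tcp --port "$SSH_PORT" --cidr "$old_cidr" \
            || echo "old rule $old_cidr not present, continuing" >&2
    fi
    if [ "$old_cidr" != "$new_cidr" ]; then
        aws ec2 authorize-security-group-ingress --group-id "$SG_ID" \
            --protocol tcp --port "$SSH_PORT" --cidr "$new_cidr"
    fi
}

main() {
    state_file="${STATE_FILE:-$HOME/.bastion-ssh-cidr}"   # placeholder path
    current_ip="$(curl -fsS https://checkip.amazonaws.com)"
    new_cidr="$(to_cidr32 "$current_ip")" \
        || { echo "unexpected address from lookup: $current_ip" >&2; exit 1; }
    old_cidr=""
    [ -r "$state_file" ] && old_cidr="$(cat "$state_file")"
    rotate_ssh_rule "$old_cidr" "$new_cidr"
    printf '%s\n' "$new_cidr" > "$state_file"
}

# Run the rotation only when explicitly asked (BASTION_APPLY=1 sh rotate.sh),
# so sourcing the file for its functions has no side effects.
if [ "${BASTION_APPLY:-0}" = "1" ]; then
    main
fi
```

Running this from cron or a shell alias before each session keeps the rule narrow without hand-editing the group. The recorded CIDR is the script's only memory of what it authorized, so if the state file is lost the stale rule has to be removed by hand; a scheduled job that strips every port-22 rule older than a day is a reasonable backstop.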
Trying to install Bastion on Ubuntu 19.04 gives me the following errors:
$ sudo dpkg -i bastion_1.4-0ubuntu1_amd64.deb
Selecting previously unselected package bastion.
(Reading database ... 368522 files and directories currently installed.)
Preparing to unpack bastion_1.4-0ubuntu1_amd64.deb ...
Unpacking bastion (1.4-0ubuntu1) ...
dpkg: dependency problems prevent configuration of bastion:
 bastion depends on libalut0; however:
  Package libalut0 is not installed.
 bastion depends on libsdl-mixer1.2; however:
  Package libsdl-mixer1.2 is not installed.
 bastion depends on libsdl-ttf2.0-0; however:
  Package libsdl-ttf2.0-0 is not installed.
 bastion depends on libsdl-net1.2; however:
  Package libsdl-net1.2 is not installed.
 bastion depends on libsmpeg0; however:
  Package libsmpeg0 is not installed.
 bastion depends on libsdl-gfx1.2-4; however:
  Package libsdl-gfx1.2-4 is not installed.
 bastion depends on libtxc-dxtn-s2tc0; however:
  Package libtxc-dxtn-s2tc0 is not installed.

dpkg: error processing package bastion (--install):
 dependency problems - leaving unconfigured
Processing triggers for gnome-menus (3.32.0-1ubuntu1) ...
Processing triggers for desktop-file-utils (0.23-4ubuntu1) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Errors were encountered while processing:
 bastion
How can I fix this?
My team uses a Bastion Server as a tunnel server to secure our AWS EC2 instances. The connection to Bastion was configured based on this article.
To the best of my understanding, the Bastion server is created as a gateway to the instances I want secure. I connect to Bastion using:
ssh -A ubuntu@<BASTION SERVER>
so that when I connect from Bastion to my secure EC2 it will use the
pem file on my local as configured by running:
ssh-add -K myPrivateKey.pem
(Hope I’m on point so far).
My question is: can anyone connect to the Bastion server? Obviously one will not be able to connect to the secure EC2s without the pem file, but if PasswordAuthentication on the Bastion is set to no, can anyone connect?
We have bastion server B. We need to SSH from A through B to C, using a private key (we use KeePass with KeeAgent).
In the bastion I have:
I tried to use
Host app
    Hostname *.*.*.*
    User my-user
    Port 22
    ProxyCommand ssh -W %h:%p bast

Host bast
    Hostname *.*.*.*
    # ForwardAgent no
    User my-user

ssh app manages to enter the bastion server and fails when trying to connect to the private server. The error is:
channel 0: open failed: connect failed: Connection timed out
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host
In the /var/log/secure log on the bastion I see:
error: connect_to *.*.*.* port 22: failed.
We have bastion server B. We need to SSH from A through B to C, using a private key.
What is the better option:
Put the private SSH key on server B. We read that it’s a bad idea to do that in a production environment.
Never place your SSH private keys on the bastion instance. Instead, use SSH agent forwarding to connect first to the bastion and from there to other instances in private subnets. This lets you keep your SSH private key just on your computer.
Use TCP (SSH) Forwarding. When we set up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to your destination. In the Bastion settings at AWS:
TCP forward: Setting this value to true will enable TCP forwarding (SSH tunneling). This can be very useful but it is also a security risk, so we recommend that you keep the default (disabled) setting unless required
Also from here:
SSH Agent Forwarding considered harmful
What is better? What about the alternative from the second link: ProxyCommand?
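The ProxyCommand alternative from the second link, written out as a client-side ssh_config, as an added example serving both the A-through-B-to-C posts above (the one whose ProxyCommand attempt times out, and the one asking whether to place the key on B); it is not taken from either post or from the linked articles. Host names, the private address of C and the key paths are placeholders.

```sshconfig
# Added example (not from the original posts): reach C through bastion B
# with ProxyJump/ProxyCommand, so no private key and no agent socket ever
# exists on B. Addresses, user and key paths are placeholders.

Host bast
    HostName bastion.example.com        # placeholder: public address of B
    User my-user
    IdentityFile ~/.ssh/bastion_key     # key that B accepts; stays on A
    IdentitiesOnly yes                  # offer only this key, not everything in the agent
    ForwardAgent no                     # B never gets the agent socket

Host app
    HostName 10.0.1.10                  # placeholder: private address of C
    User my-user
    ProxyJump bast                      # B only relays a TCP stream to C's port 22
    # Equivalent on clients older than OpenSSH 7.3:
    # ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/app_key         # key that C accepts; also never leaves A
    IdentitiesOnly yes
    ForwardAgent no
```

With this layout the authentication to C happens end to end from A; B sees only an encrypted stream, which is why it needs no copy of the key. Both ProxyJump and `ssh -W` open a direct-tcpip channel on B, so the bastion's sshd must have AllowTcpForwarding enabled (the "TCP forward" setting quoted above); `PermitOpen 10.0.1.10:22` in B's sshd_config then confines that relay to C alone. If forwarding were disabled the client would report "administratively prohibited"; a "Connection timed out" on the channel, as in the earlier post, means B accepted the relay but could not reach C's port 22 over the network, which points at C's security group or route rather than at the ssh configuration.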
The Iron Monk text makes no mention of the Bastion Stance being treated as a combat style feat. I am questioning it though because the Iron Limb Defense mentions complementing the Bastion Stance almost as if it were.
If I were to take Pummeling Style, would I have to switch to a Pummeling stance from my Bastion Stance and choose one over the other? Or is it possible to have both?