How do you get a secure bastion host if your IP address is constantly changing?

I am setting up AWS stuff and wondering how to set up a secure bastion host. They all say to only allow access from your IP address, but how can I do that if my IP address is changing every few hours or days (even just on my home Wi-Fi, or when going to coffee shops, etc.)? What is best practice here, for SSHing into a bastion host and somehow limiting access to only specific IP addresses? If that is not possible, what is the next best alternative?
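One way to keep a single-/32 allowlist working from a moving client, as an added example that is not part of the original question: a small POSIX shell script that looks up the laptop's current public address and re-points the bastion security group's tcp/22 rule at it. It assumes AWS CLI v2 is configured, that the group in `SG_ID` exists only for this one person's SSH access (every other /32 on port 22 is revoked), and uses placeholder names throughout; the only real endpoints are `checkip.amazonaws.com` and the `aws ec2` subcommands shown.

```shell
#!/bin/sh
# Added example (not from the original post): re-point a bastion security
# group's SSH rule at whatever public IP this machine has right now.
# Assumptions: AWS CLI v2 configured; the group in $SG_ID is used ONLY for
# this person's SSH access, because every other /32 on tcp/22 is revoked.
set -u

# Accept exactly four dot-separated decimal octets in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1
            exit 0
        }'
}

# Turn an address into the /32 we want in the rule; refuse anything else so a
# garbled lookup can never turn into a wide-open "0.0.0.0/0" rule.
to_cidr32() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: '$1'" >&2; return 1; }
    printf '%s/32\n' "$1"
}

# checkip.amazonaws.com answers with the caller's public IPv4 as plain text.
current_public_cidr() {
    ip=$(curl -fsS https://checkip.amazonaws.com) || return 1
    to_cidr32 "$ip"
}

# List the CIDRs currently allowed on exactly tcp/22 in the group (tab separated).
current_ssh_cidrs() {
    aws ec2 describe-security-groups --group-ids "$1" --output text \
        --query "SecurityGroups[0].IpPermissions[?IpProtocol=='tcp' && FromPort==\`22\` && ToPort==\`22\`].IpRanges[].CidrIp"
}

# Revoke every stale source, then add the current one if it is missing.
rotate_allowlist() {
    sg="$1"
    new=$(current_public_cidr) || return 1
    present=0
    for cidr in $(current_ssh_cidrs "$sg"); do
        case "$cidr" in None) continue;; esac          # empty result in text mode
        if [ "$cidr" = "$new" ]; then present=1; continue; fi
        aws ec2 revoke-security-group-ingress --group-id "$sg" \
            --protocol tcp --port 22 --cidr "$cidr"
    done
    if [ "$present" -eq 0 ]; then
        aws ec2 authorize-security-group-ingress --group-id "$sg" \
            --protocol tcp --port 22 --cidr "$new"
    fi
    echo "tcp/22 on $sg now allows only $new"
}

# Only touch AWS when explicitly asked, e.g. from a cron job or a shell alias
# (sg-0123456789abcdef0 is a placeholder group id):
#   ROTATE_RUN=1 SG_ID=sg-0123456789abcdef0 sh rotate-bastion-allowlist.sh
if [ "${ROTATE_RUN:-0}" = 1 ]; then
    rotate_allowlist "${SG_ID:?set SG_ID to the bastion security group}"
fi
```

Run it whenever the network changes (or on a timer); because the rule is rewritten rather than appended to, the group never accumulates old coffee-shop addresses. If several people share the bastion, give each their own security group attached to the instance so one person's rotation cannot revoke a colleague's rule.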

Can’t install Bastion on Ubuntu 19.04

Trying to install Bastion on Ubuntu 19.04 gives me the following errors:

$ sudo dpkg -i bastion_1.4-0ubuntu1_amd64.deb
Selecting previously unselected package bastion.
(Reading database ... 368522 files and directories currently installed.)
Preparing to unpack bastion_1.4-0ubuntu1_amd64.deb ...
Unpacking bastion (1.4-0ubuntu1) ...
dpkg: dependency problems prevent configuration of bastion:
 bastion depends on libalut0; however:
  Package libalut0 is not installed.
 bastion depends on libsdl-mixer1.2; however:
  Package libsdl-mixer1.2 is not installed.
 bastion depends on libsdl-ttf2.0-0; however:
  Package libsdl-ttf2.0-0 is not installed.
 bastion depends on libsdl-net1.2; however:
  Package libsdl-net1.2 is not installed.
 bastion depends on libsmpeg0; however:
  Package libsmpeg0 is not installed.
 bastion depends on libsdl-gfx1.2-4; however:
  Package libsdl-gfx1.2-4 is not installed.
 bastion depends on libtxc-dxtn-s2tc0; however:
  Package libtxc-dxtn-s2tc0 is not installed.

dpkg: error processing package bastion (--install):
 dependency problems - leaving unconfigured
Processing triggers for gnome-menus (3.32.0-1ubuntu1) ...
Processing triggers for desktop-file-utils (0.23-4ubuntu1) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Errors were encountered while processing:
 bastion

How can I fix this?

Is connection to Bastion Server Open to Anyone

My team uses a Bastion Server as a tunnel server to secure our AWS EC2 instances. The connection to Bastion was configured based on this article.

To the best of my understanding, the Bastion server is created as a gateway to the instances I want to secure. I connect to Bastion using:

ssh -A ubuntu@<BASTION SERVER> 

so that when I connect from Bastion to my secure EC2 it will use the pem file on my local machine, as configured by running:

ssh-add -K myPrivateKey.pem 

(Hope I’m on point so far).

My question is: can anyone connect to the Bastion server? Obviously one will not be able to connect to the secure EC2s without the pem file, but if PasswordAuthentication in Bastion is set to no, can anyone connect?
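Whether "anyone" can get a session on the bastion is decided by the sshd_config that sshd actually loads, and two details trip people up: sshd takes the first occurrence of a keyword and silently ignores later ones, and settings inside a Match block do not apply globally. The following is an added example, not code from the question or the linked article: a POSIX shell audit that reproduces those parsing rules over two constructed sshd_config samples (`write_samples` writes them to a temp directory; the file names and the required values are my choices).

```shell
#!/bin/sh
# Added example (not from the original post): audit a bastion's sshd_config
# the way sshd reads it, to answer "can anyone log in with just a password?"

# Effective value of a keyword: sshd honours the FIRST occurrence, ignores
# later duplicates, and global parsing stops at the first Match block.
# Keywords are case-insensitive.  $1 = file, $2 = keyword, $3 = compiled-in default.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        tolower($1) == "match"  { exit }            # rest is conditional config
        /^[ \t]*#/ || NF < 2    { next }            # comments and blank lines
        tolower($1) == key      { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Settings a key-only bastion should end up with, as keyword:wanted:default.
# Defaults are the compiled-in ones, so an absent line is judged correctly.
# ChallengeResponseAuthentication matters because "PasswordAuthentication no"
# alone still leaves a PAM keyboard-interactive password prompt open.
audit_bastion_sshd() {
    f="$1"; bad=0
    for spec in "PasswordAuthentication:no:yes" \
                "ChallengeResponseAuthentication:no:yes" \
                "PermitEmptyPasswords:no:no" \
                "PubkeyAuthentication:yes:yes" \
                "PermitRootLogin:no:prohibit-password"; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        have=$(sshd_effective "$f" "$key" "$def" | tr 'A-Z' 'a-z')
        if [ "$have" != "$want" ]; then
            echo "WEAK  $key=$have (want $want)"; bad=$((bad + 1))
        else
            echo "ok    $key=$have"
        fi
    done
    return "$bad"          # 0 = nothing found, otherwise number of weak settings
}

# Constructed samples (not real hosts).  "weak" looks hardened at a glance,
# but the first PasswordAuthentication line wins and the PermitRootLogin
# inside the Match block is not global.
write_samples() {
    dir=$(mktemp -d)
    cat >"$dir/weak" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
    cat >"$dir/hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
AllowTcpForwarding yes
EOF
    echo "$dir"
}

# Usage on a file: AUDIT_FILE=/etc/ssh/sshd_config sh audit-bastion-sshd.sh
if [ -n "${AUDIT_FILE:-}" ]; then
    audit_bastion_sshd "$AUDIT_FILE"
fi
```

On the bastion itself, `sshd -T` prints the effective configuration after all of this parsing, so `sshd -T | grep -i passwordauthentication` is the ground truth to compare against. With the hardened settings, a stranger can still open a TCP connection to port 22 and see the sshd banner, but every authentication path except a matching public key is closed.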

SSH through bastion host gives: open failed: connect failed: Connection timed out

We have bastion server B. We need to SSH from A through B to C, using a private key (we use KeePass with KeeAgent).

In the bastion I have: AllowTcpForwarding yes.

I tried to use ProxyCommand:

Host app
    Hostname *.*.*.*
    User my-user
    Port 22
    ProxyCommand ssh -W %h:%p bast

Host bast
    Hostname *.*.*.*
    # ForwardAgent no
    User my-user

ssh app manages to enter the bastion server and fails when trying to connect to the private server. The error is:

channel 0: open failed: connect failed: Connection timed out
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host

On the /var/log/secure log in bastion I see:

error: connect_to *.*.*.* port 22: failed.

Bastion server: use TCP forwarding VS placing private key on server

We have bastion server B. We need to SSH from A through B to C, using a private key.

What is the better option:

  • Put the private SSH key on server B. We read that it’s a bad idea to do that in a production environment.

    From here:

    Never place your SSH private keys on the bastion instance. Instead, use SSH agent forwarding to connect first to the bastion and from there to other instances in private subnets. This lets you keep your SSH private key just on your computer.

  • Use TCP (SSH) Forwarding. When we set up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to your destination. In the Bastion settings at AWS:

    TCP forward: Setting this value to true will enable TCP forwarding (SSH tunneling). This can be very useful but it is also a security risk, so we recommend that you keep the default (disabled) setting unless required

    Also from here:

    SSH Agent Forwarding considered harmful

What is better? What about the alternative from the second link: ProxyCommand?
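The option the two posts above are circling is the third one: ProxyJump (the built-in form of `ProxyCommand ssh -W %h:%p`), which keeps the private key on A, needs no agent forwarding at all, and only requires TCP forwarding on B. The block below is an added example, not code from either post or from the linked articles. It writes a client-side ssh_config for A and the matching sshd fragment for B, then classifies the "open failed" message from the earlier question so the failing layer is clear. Hostnames (`bastion.example.com`, `10.0.2.15`), the user `my-user` and the key path are placeholders; ProxyJump needs OpenSSH 7.3 or newer on A.

```shell
#!/bin/sh
# Added example (not from the original posts): reach C through bastion B with
# ProxyJump so the private key never leaves A and no agent is forwarded.
# All hostnames, the user and the key path are placeholders.

# Client-side ~/.ssh/config fragment for A.  ProxyJump opens a direct-tcpip
# channel on B to C:22 (the same mechanism as "ProxyCommand ssh -W %h:%p"),
# so B needs AllowTcpForwarding but never sees the key or an agent socket.
# The key authenticates twice, once to B and once to C, straight from A.
write_client_config() {
    cat >"$1" <<'EOF'
Host bast
    HostName bastion.example.com
    User my-user
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no

Host app
    HostName 10.0.2.15
    User my-user
    ProxyJump bast
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no
EOF
}

# Bastion-side sshd_config fragment for B: allow only the forwarding this
# pattern needs (PermitOpen limits -W/-L targets to C:22) and refuse agent
# forwarding so a compromised B cannot borrow a user's key.
write_bastion_sshd_fragment() {
    cat >"$1" <<'EOF'
AllowTcpForwarding yes
AllowAgentForwarding no
PermitOpen 10.0.2.15:22
X11Forwarding no
EOF
}

# Returns 0 if any Host block in an ssh_config turns agent forwarding on.
config_forwards_agent() {
    grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]]+yes' "$1"
}

# Map the client-side "open failed" text to the layer that rejected the jump.
# "Connection timed out" means sshd on B did try to connect and got no answer
# from C:22 (security group, NACL or route), not that B refused to forward;
# a forwarding policy refusal shows up as "administratively prohibited".
classify_jump_error() {
    case "$1" in
        *"administratively prohibited"*)
            echo "sshd on B forbids this forward (AllowTcpForwarding/PermitOpen)";;
        *"Connection timed out"*)
            echo "B cannot reach C:22 on the network (security group/NACL/route)";;
        *"Connection refused"*)
            echo "B reached C but nothing is listening on port 22";;
        *)
            echo "unknown";;
    esac
}

# Local sanity check that needs no connection: ssh -G prints the resolved
# options for a host exactly as the client would apply them.
show_resolved_jump() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not installed"; return 0; }
    ssh -G -F "$1" app | grep -Ei '^(proxyjump|forwardagent|identitiesonly) '
}
```

With that config, `ssh app` from A reaches C and B's auth log shows only the two connections it should (A to B, then B to C on the user's behalf). If the jump still times out, the thing to test is the path from B to C, for example by running `nc -z -w 5 10.0.2.15 22` on B, before touching any ssh settings.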

Does the Iron Monk's Bastion Stance conflict with Pummeling Style?

The Iron Monk text makes no mention of the Bastion Stance being treated as a combat style feat. I am questioning it, though, because Iron Limb Defense mentions complementing the Bastion Stance almost as if it were.

If I were to take Pummeling Style, would I have to switch to a Pummeling stance from my Bastion Stance and choose one over the other? Or is it possible to have both?

Style Feats

Iron Monk