% Bastion

# Installation on Raspberry Pi 3

Home rpi3.

## Automatic updates

[How to Configure Unattended Upgrades on Debian 12/11/10 Linux - LinuxCapable](https://linuxcapable.com/how-to-configure-unattended-upgrades-on-debian-linux/)

```bash
sudo apt update && sudo apt upgrade
sudo apt install unattended-upgrades
sudo apt install apt-config-auto-update
sudo unattended-upgrades --dry-run --debug
systemctl status unattended-upgrades
less /etc/apt/apt.conf.d/50unattended-upgrades
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
```

The `--dry-run --debug` run lists what would be upgraded without changing anything; check it before trusting the timer.

## The Bastion (OVH)

[Basic Installation — The Bastion 3.22.00 documentation](https://ovh.github.io/the-bastion/installation/basic.html)

### Creating the supervisor user `supv`

```bash
/opt/bastion/bin/admin/setup-first-admin-account.sh supv auto
```

### Finishing the installation

[Advanced Installation — The Bastion 3.22.00 documentation](https://ovh.github.io/the-bastion/installation/advanced.html)

#### Changing the backup configuration

Edit the file `/etc/bastion/osh-backup-acl-keys.conf`.

After creating the keys, run the command below and put the value obtained into the matching field of that file:

```bash
gpg --list-keys
```

Take the fingerprint of the admin key (here `DD8A5D59EDBD3259B66D6B8B8B8B8B8B8B8B8B8`, the `Laurent HUBERT` key, not the bastion signing key) and put it in `GPGKEYS`. The backups are encrypted to this key, so only its public part needs to be present on the bastion.

```
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
/root/.gnupg/pubring.kbx
------------------------
pub   ed25519 2025-10-21 [SC]
      CECECECECECECECECECECECECECECECECECECE
uid           [ultimate] Bastion signing key ed25519

pub   ed25519 2025-10-21 [SC]
      DD8A5D59EDBD3259B66D6B8B8B8B8B8B8B8B8B8
uid           [ultimate] Laurent HUBERT
sub   cv25519 2025-10-21 [E]
sub   cv25519 2025-10-21 [E]
```

Same with `gpg --list-secret-keys`:

```
/root/.gnupg/pubring.kbx
------------------------
sec   ed25519 2025-10-21 [SC]
      CECECECECECECECECECECECECECECECECECECE
uid           [ultimate] Bastion signing key ed25519
```

# Installation on ecaz

Installation in progress: Devuan.

```bash
ssh bastion
```

## Temporary

- [set up a ssh tunnel only user for ssh proxy jump · GitHub](https://gist.github.com/smoser/3e9430c51e23e0c0d16c359a2ca668ae)
- [How to restrict a jump user (into openSSH jumpbox) to only SSH to another server? - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/691514/how-to-restrict-a-jump-user-into-openssh-jumpbox-to-only-ssh-to-another-server)
- [unix - Allow user to set up an SSH tunnel, but nothing else - Stack Overflow](https://stackoverflow.com/questions/8021/allow-user-to-set-up-an-ssh-tunnel-but-nothing-else)
- [Building a Jump Host | SSH Handbook](https://web.archive.org/web/20250615224631/https://www.sshhandbook.com/building-a-jump-host/)

```bash
lauhub@ecaz:~$ sudo -u mat nano /home/mat/.bashrc
lauhub@ecaz:~$ sudo -u mat tail -1 /home/mat/.bashrc
PATH=/opt/restricted/bin
lauhub@ecaz:~$ sudo mkdir /opt/restricted/bin
mkdir: cannot create directory ‘/opt/restricted/bin’: No such file or directory
lauhub@ecaz:~$ sudo mkdir -p /opt/restricted/bin
lauhub@ecaz:~$ cd /opt/restricted/bin
lauhub@ecaz:/opt/restricted/bin$ ln -s $(which ssh)
ln: failed to create symbolic link './ssh': Permission denied
lauhub@ecaz:/opt/restricted/bin$ sudo ln -s $(which ssh)
lauhub@ecaz:/opt/restricted/bin$ ll
total 0
lrwxrwxrwx 1 root root 12 Sep 21 02:23 ssh -> /usr/bin/ssh
lauhub@ecaz:/opt/restricted/bin$ cd -
/home/lauhub
```

The `PATH=/opt/restricted/bin` line in `.bashrc` is a convenience, not a security boundary: a user who gets a shell can reset `PATH` or call any binary by its absolute path. What actually keeps `mat` from getting a shell is the `ForceCommand` in the `Match` block below.

### sshd_config

```
Match User mat
    AllowAgentForwarding no
    AllowTcpForwarding yes
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
```

`ssh -J mat@ecaz target` still works through this block because ProxyJump only opens a forwarded TCP channel (hence `AllowTcpForwarding yes`) and never requests a session; a plain `ssh mat@ecaz` hits the `ForceCommand` and only sees the message. Caveat: without a `PermitOpen` line, `mat` can forward to any host and port reachable from ecaz, not just the intended target; `PermitOpen host:port` inside the same `Match` block pins the allowed destinations.

## TODO

- [ ] [linux - Limit SSH access to specific clients by IP address - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/406245/limit-ssh-access-to-specific-clients-by-ip-address)
- [ ] [Using iptables to prevent SSH brute force attacks and DDOS attacks](https://serverfault.com/questions/847755/using-iptables-to-prevent-ssh-brute-force-attacks-and-ddos-attacks)
- [ ] [How to Block Brute-Force Attacks on SSH: Step by Step guide](https://codenotary.com/blog/how-to-block-brute-force-attacks-on-ssh)
- [ ] [https://goteleport.com/blog/ssh-bastion-host/](https://goteleport.com/blog/ssh-bastion-host/)
- [ ] [https://goteleport.com/blog/security-hardening-ssh-bastion-best-practices/](https://goteleport.com/blog/security-hardening-ssh-bastion-best-practices/)
- [ ] [https://goteleport.com/blog/ssh-key-management/](https://goteleport.com/blog/ssh-key-management/)
- [ ] [14.3. Using OpenSSH Certificate Authentication | Deployment Guide | Red Hat Enterprise Linux | 6 | Red Hat Documentation](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/sec-using_openssh_certificate_authentication#sec-Introduction_to_SSH_Certificates)

### Hardening (possible additions)

* [Sécurisation d'un serveur Linux sous debian - HackMD](https://hackmd.io/@Ben-Rahiti-Romain/SkciYWMWj)
* [Hardening - Debian Wiki](https://wiki.debian.org/Hardening)
* [Welcome to The Bastion documentation! — The Bastion 3.20.00 documentation](https://ovh.github.io/the-bastion/index.html)

# Web references

* [Option for double bastion Terraform setup? | Proxmox Support Forum](https://forum.proxmox.com/threads/option-for-double-bastion-terraform-setup.94418/)
* [Best practices for having a SSH jumphost | Proxmox Support Forum](https://forum.proxmox.com/threads/best-practices-for-having-a-ssh-jumphost.112357/)
* [What is an SSH Bastion? | SSH Bastion host setup](https://goteleport.com/blog/ssh-bastion-host/)
* [ssh - SSHFS over a jumphost - Server Fault](https://serverfault.com/questions/941934/sshfs-over-a-jumphost)

## Certificates

- [How to use Let's Encrypt with an SSH Bastion](https://goteleport.com/blog/letsencrypt-teleport-ssh/)

## Other solutions

[Comment configurer un serveur Bastion avec Warpgate sur Debian](https://fr.linux-console.net/?p=30725)
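Back to the `GPGKEYS` step of the backup configuration above: the following is an added example, not code from these notes or from The Bastion. It reads the fingerprint from gpg's machine-readable listing (`--with-colons`) instead of copy-pasting from the human-readable output, so the admin key and the bastion signing key cannot be mixed up, and then rewrites the `GPGKEYS=` line. Assumptions: the uid to look for is `Laurent HUBERT`, the fingerprints in the sample listing are constructed placeholders, and `osh-backup-acl-keys.conf` holds a line of the form `GPGKEYS="..."` taking space-separated keys (check the comments in the file itself before relying on that format).

```shell
#!/bin/sh
# Added example (not from the notes or from The Bastion): select the GPGKEYS
# fingerprint from `gpg --list-keys --with-colons` and write it into the conf.

# fpr_for_uid PATTERN < colon-listing
# In --with-colons output each record is one line of ':'-separated fields:
# a "pub" record starts a key, the "fpr" record right after it carries the
# primary fingerprint in field 10, and "uid" records carry the user id in
# field 10. Subkeys ("sub") get their own "fpr" records after the uids, so
# only the first fpr after each pub is kept.
fpr_for_uid() {
    awk -F: -v pat="$1" '
        $1 == "pub"               { fpr = "" }
        $1 == "fpr" && fpr == ""  { fpr = $10 }
        $1 == "uid" && $10 ~ pat  { print fpr }
    '
}

# set_gpgkeys CONF FPR [FPR...]
# Rewrites the GPGKEYS= line of CONF. Assumed format: GPGKEYS="k1 k2 ...".
# The new content is written back through the existing file rather than
# mv'd over it, so the conf keeps its owner and mode.
set_gpgkeys() {
    conf=$1; shift
    grep -q '^GPGKEYS=' "$conf" || { echo "no GPGKEYS= line in $conf" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed "s|^GPGKEYS=.*|GPGKEYS=\"$*\"|" "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Constructed sample of `gpg --list-keys --with-colons` mirroring the two keys
# in the notes; fingerprints are placeholders (40 hex digits like real ones).
SAMPLE_LISTING=$(cat <<'EOF'
tru::1:1729500000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1729500000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1729500000::A1B2C3D4E5F60718293A4B5C6D7E8F9001122334::Bastion signing key ed25519::::::::::0:
pub:u:255:22:FEDCBA9876543210:1729500000:::u:::scESC::::::23::0:
fpr:::::::::111111111111111111111111FEDCBA9876543210:
uid:u::::1729500000::FFEEDDCCBBAA99887766554433221100A1B2C3D4::Laurent HUBERT::::::::::0:
sub:u:255:18:1122334455667788:1729500000::::::e::::::23:
fpr:::::::::2222222222222222222222221122334455667788:
EOF
)

# Demo on the sample; on the bastion itself use
#   gpg --list-keys --with-colons | fpr_for_uid 'Laurent HUBERT'
ADMIN_FPR=$(printf '%s\n' "$SAMPLE_LISTING" | fpr_for_uid 'Laurent HUBERT')
echo "GPGKEYS candidate: $ADMIN_FPR"
```

Run `set_gpgkeys /etc/bastion/osh-backup-acl-keys.conf "$ADMIN_FPR"` as root once the candidate printed is the admin key; matching on the uid rather than on a position in the listing is what keeps the bastion signing key out of `GPGKEYS`.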
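Returning to the `sshd_config` `Match` block for `mat` above: the following is an added example, not configuration from these notes. It renders the same block with the forwarding destinations pinned by `PermitOpen` (and `PermitTTY no` added), and lints an `sshd_config` text for the directives a ProxyJump-only account needs, flagging the original block's unrestricted forwarding. The user `mat`, the host `ecaz` and the target `10.0.0.5:22` are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the notes): ProxyJump-only Match block with PermitOpen,
# plus a lint that checks an sshd_config for the directives such a block needs.

# render_jump_match USER DEST [DEST...]
# Prints a Match block letting USER do nothing but "ssh -J" towards the listed
# DEST (host:port) entries: TCP forwarding stays on but is pinned by PermitOpen,
# every other feature is off, and a session request only prints a message.
render_jump_match() {
    user=$1; shift
    printf 'Match User %s\n' "$user"
    printf '    AllowTcpForwarding yes\n'
    printf '    PermitOpen %s\n' "$*"
    printf '    AllowAgentForwarding no\n'
    printf '    X11Forwarding no\n'
    printf '    PermitTunnel no\n'
    printf '    GatewayPorts no\n'
    printf '    PermitTTY no\n'
    printf "    ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'\n"
}

# jump_block USER < sshd_config
# Prints "keyword value" (keyword lowercased, first value only) for every
# directive inside the "Match User USER" block; the block ends at the next Match.
jump_block() {
    awk -v u="$1" '
        tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == u); next }
        inblock && NF && $1 !~ /^#/ { print tolower($1), $2 }
    '
}

# check_jump_block USER < sshd_config
# Returns 0 when the block restricts USER to ProxyJump towards explicit
# destinations; otherwise prints what is missing and returns 1.
check_jump_block() {
    block=$(jump_block "$1")
    status=0
    for want in 'allowtcpforwarding yes' 'allowagentforwarding no' 'x11forwarding no' \
                'permittunnel no' 'gatewayports no' 'permittty no'; do
        printf '%s\n' "$block" | grep -qx "$want" || { echo "missing: $want"; status=1; }
    done
    printf '%s\n' "$block" | grep -q '^forcecommand ' \
        || { echo "missing: forcecommand (a session would get a shell)"; status=1; }
    # PermitOpen defaults to "any": absent or explicit "any" means every host
    # reachable from the jump host can be reached through this account.
    if ! printf '%s\n' "$block" | grep -q '^permitopen ' \
       || printf '%s\n' "$block" | grep -qx 'permitopen any'; then
        echo "missing: permitopen host:port (forwarding destinations unrestricted)"
        status=1
    fi
    return $status
}

# The Match block as it stands in the notes (constructed copy for the demo).
PAGE_BLOCK=$(cat <<'EOF'
Match User mat
    AllowAgentForwarding no
    AllowTcpForwarding yes
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
EOF
)

# Demo: the notes' block fails the lint (no PermitOpen, no PermitTTY),
# the rendered block passes.
printf '%s\n' "$PAGE_BLOCK" | check_jump_block mat || echo "notes block: not restricted enough"
render_jump_match mat 10.0.0.5:22 | check_jump_block mat && echo "rendered block: ok"
```

To deploy, write `render_jump_match mat 10.0.0.5:22` into a file under `/etc/ssh/sshd_config.d/`, then confirm what sshd actually applies to that account with `sshd -T -C user=mat,host=<client>,addr=<client-ip>` (fill in a real client name and address) before reloading; the lint above only reads text, it does not replace that check.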