bastion.md 6.1 KB
% Bastion
Installation sur Raspberry-PI3 rpi3 maison
Mises à jour automatiques
How to Configure Unattended Upgrades on Debian 12/11/10 Linux - LinuxCapable
sudo apt update && sudo apt upgrade
sudo apt install unattended-upgrades
sudo apt install apt-config-auto-update
sudo unattended-upgrades --dry-run --debug
systemctl status unattended-upgrades
less /etc/apt/apt.conf.d/50unattended-upgrades
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
The Bastion OVH
Basic Installation — The Bastion 3.22.00 documentation
Création de l'utilisateur superviseur supv
/opt/bastion/bin/admin/setup-first-admin-account.sh supv auto
Finalisation de l'installation
Advanced Installation — The Bastion 3.22.00 documentation
Modification de la configuration du backup
Édition du fichier /etc/bastion/osh-backup-acl-keys.conf
Après avoir créé les clés, on lance les commandes suivantes et on place les valeurs récupérées dans le champ du fichier ci-dessus correspondant:
gpg --list-keys
On récupère la valeur (ici DD8A5D59EDBD3259B66D6B8B8B8B8B8B8B8B8B8) que l'on placera dans GPGKEYS
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
/root/.gnupg/pubring.kbx
------------------------
pub ed25519 2025-10-21 [SC]
CECECECECECECECECECECECECECECECECECECE
uid [ultimate] Bastion signing key ed25519 <root@rpi3>
pub ed25519 2025-10-21 [SC]
DD8A5D59EDBD3259B66D6B8B8B8B8B8B8B8B8B8
uid [ultimate] Laurent HUBERT <lauhub@gmail.com>
sub cv25519 2025-10-21 [E]
sub cv25519 2025-10-21 [E]
Idem pour gpg --list-secret-keys
/root/.gnupg/pubring.kbx
------------------------
sec ed25519 2025-10-21 [SC]
CECECECECECECECECECECECECECECECECECECE
uid [ultimate] Bastion signing key ed25519 <root@rpi3>
Installation sur ecaz
Installation en cours: Devuan
ssh bastion
Provisoire
- set up a ssh tunnel only user for ssh proxy jump · GitHub
- How to restrict a jump user (into openSSH jumpbox) to only SSH to another server? - Unix & Linux Stack Exchange
- unix - Allow user to set up an SSH tunnel, but nothing else - Stack Overflow
- Building a Jump Host | SSH Handbook
lauhub@ecaz:~$ sudo -u mat nano /home/mat/.bashrc
lauhub@ecaz:~$ sudo -u mat tail -1 /home/mat/.bashrc
PATH=/opt/restricted/bin
lauhub@ecaz:~$ sudo mkdir /opt/restricted/bin
mkdir: cannot create directory ‘/opt/restricted/bin’: No such file or directory
lauhub@ecaz:~$ sudo mkdir -p /opt/restricted/bin
lauhub@ecaz:~$ cd /opt/restricted/bin
lauhub@ecaz:/opt/restricted/bin$ ln -s $(which ssh)
ln: failed to create symbolic link './ssh': Permission denied
lauhub@ecaz:/opt/restricted/bin$ sudo ln -s $(which ssh)
lauhub@ecaz:/opt/restricted/bin$ ll
total 0
lrwxrwxrwx 1 root root 12 Sep 21 02:23 ssh -> /usr/bin/ssh
lauhub@ecaz:/opt/restricted/bin$ cd -
/home/lauhub
sshd_config
Match User mat
AllowAgentForwarding no
AllowTcpForwarding yes
X11Forwarding no
PermitTunnel no
GatewayPorts no
ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
TODO
- linux - Limit SSH access to specific clients by IP address - Unix & Linux Stack Exchange
- Using iptables to prevent SSH brute force attacks and DDOS attacks
- https://goteleport.com/blog/ssh-bastion-host/
- https://goteleport.com/blog/security-hardening-ssh-bastion-best-practices/
- https://goteleport.com/blog/ssh-key-management/
Sécurisation (ajouts possibles)
- Sécurisation d'un serveur Linux sous debian - HackMD
- Hardening - Debian Wiki
- Welcome to The Bastion documentation! — The Bastion 3.20.00 documentation
Webographie
- (1) Option for double bastion Terraform setup? | Proxmox Support Forum
- (1) Best practices for having a SSH jumphost | Proxmox Support Forum
- What is an SSH Bastion? | SSH Bastion host setup
- ssh - SSHFS over a jumphost - Server Fault
Certificats
Autres solutions
Comment configurer un serveur Bastion avec Warpgate sur Debian