base-de-connaissances/gnu-linux/serveurs/securisation/bastion.md

% Bastion

Installation

Installation en cours: Devuan

ssh bastion

Provisoire

• set up a ssh tunnel only user for ssh proxy jump · GitHub
• How to restrict a jump user (into openSSH jumpbox) to only SSH to another server? - Unix & Linux Stack Exchange
• unix - Allow user to set up an SSH tunnel, but nothing else - Stack Overflow

lauhub@ecaz:~$ sudo -u mat nano /home/mat/.bashrc
lauhub@ecaz:~$ sudo -u mat tail -1 /home/mat/.bashrc
PATH=/opt/restricted/bin

lauhub@ecaz:~$ sudo mkdir /opt/restricted/bin
mkdir: cannot create directory ‘/opt/restricted/bin’: No such file or directory
lauhub@ecaz:~$ sudo mkdir -p /opt/restricted/bin
lauhub@ecaz:~$ cd /opt/restricted/bin
lauhub@ecaz:/opt/restricted/bin$ ln -s $(which ssh)
ln: failed to create symbolic link './ssh': Permission denied
lauhub@ecaz:/opt/restricted/bin$ sudo ln -s $(which ssh)
lauhub@ecaz:/opt/restricted/bin$ ll
total 0
lrwxrwxrwx 1 root root 12 Sep 21 02:23 ssh -> /usr/bin/ssh
lauhub@ecaz:/opt/restricted/bin$ cd -
/home/lauhub

sshd_config

Match User mat
   AllowAgentForwarding no
   AllowTcpForwarding yes
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'

TODO

• linux - Limit SSH access to specific clients by IP address - Unix & Linux Stack Exchange
• Using iptables to prevent SSH brute force attacks and DDOS attacks
  • How to Block Brute-Force Attacks on SSH: Step by Step guide
• https://goteleport.com/blog/ssh-bastion-host/
• https://goteleport.com/blog/security-hardening-ssh-bastion-best-practices/
• https://goteleport.com/blog/ssh-key-management/
  • 14.3. Using OpenSSH Certificate Authentication | Deployment Guide | Red Hat Enterprise Linux | 6 | Red Hat Documentation

Sécurisation (ajouts possibles)

• Sécurisation d'un serveur Linux sous debian - HackMD
• Hardening - Debian Wiki
• Welcome to The Bastion documentation! — The Bastion 3.20.00 documentation

Webographie

• (1) Option for double bastion Terraform setup? | Proxmox Support Forum
• (1) Best practices for having a SSH jumphost | Proxmox Support Forum
• What is an SSH Bastion? | SSH Bastion host setup
• ssh - SSHFS over a jumphost - Server Fault

Certificats

• How to use Let's Encrypt with an SSH Bastion

Autres solutions

Comment configurer un serveur Bastion avec Warpgate sur Debian