6 Protection Rules for securing your Bastion Host on OCI


Today's post fundamentally covers 6 aspects of securing your bastion hosts in any cloud environment. Please note that the use case performed in the later stage of this post is focused on Oracle Cloud.


1. Ingress Rule

OS level - configure the host firewall to accept connections only from the on-prem CPE public IP. This immediately rejects connections to your public subnet from any other network and forces all incoming connections through a single, known path.



2. Protocol and Ports


1. TCP/22 -- SSH connectivity
2. ICMP type 8 -- ping (echo request)



3. Disable irrelevant user IDs at the OS level


You can get the list of users from the /etc/passwd file; the shell of any account that should not log in interactively can be set to /sbin/nologin, as follows -

demouser:x:1000:1000:demouser:/home/demouser:/sbin/nologin
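As an added example (not part of the original post), the following shell functions put rules 1 to 3 into a checkable form: they audit passwd-format content for accounts that still have a login shell, produce the hardened lines with /sbin/nologin, and emit the firewalld commands that restrict TCP/22 and ICMP echo-request to the CPE public IP. The passwd sample and the CPE address 203.0.113.10 are constructed values, and the firewall part assumes firewalld (as on Oracle Linux) with the bastion interface in the public zone.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd content (not taken from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
opc:x:1000:1000:opc:/home/opc:/bin/bash
demouser:x:1001:1001:demouser:/home/demouser:/bin/bash
legacy:x:1002:1002:legacy:/home/legacy:/bin/sh'

# Rule 3 audit: print every account whose shell allows interactive login and
# that is not in the space-separated allow-list $1. Reads passwd text on stdin.
list_stray_logins() {
  awk -F: -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
    $7 !~ /(nologin|false)$/ && !($1 in keep) { print $1 }'
}

# Rule 3 fix: rewrite the input so each stray account gets /sbin/nologin.
# On a real host apply it with "usermod -s /sbin/nologin <user>" rather than
# editing /etc/passwd by hand; this output shows the target state.
harden_passwd() {
  awk -F: -v OFS=: -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
    $7 !~ /(nologin|false)$/ && !($1 in keep) { $7 = "/sbin/nologin" }
    { print }'
}

# Rules 1 and 2: print (not run) the firewalld commands that drop everything on
# the public zone except TCP/22 and ICMP echo-request from the CPE IP in $1.
firewall_rules() {
  cpe="$1"
  echo "firewall-cmd --permanent --zone=public --set-target=DROP"
  echo "firewall-cmd --permanent --zone=public --remove-service=ssh"
  printf "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"%s/32\" port port=\"22\" protocol=\"tcp\" accept'\n" "$cpe"
  printf "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"%s/32\" icmp-type name=\"echo-request\" accept'\n" "$cpe"
  echo "firewall-cmd --reload"
}

# Demonstration on the constructed sample: root and opc stay interactive,
# demouser and legacy are reported and then locked to /sbin/nologin.
printf '%s\n' "$SAMPLE_PASSWD" | list_stray_logins "root opc"
printf '%s\n' "$SAMPLE_PASSWD" | harden_passwd "root opc"
firewall_rules 203.0.113.10
```

Review the generated firewall commands before running them on a host, since the DROP target also cuts off any session source other than the CPE address.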



4. Enabling 2-factor authentication for bastion server

This has been explained in my earlier post -

Implementing 2-factor authentication for Bastion server on OCI with Google Authenticator



5. Packages installed -

Remove irrelevant packages. Keep the bastion host as 'lite' as possible by avoiding unnecessary packages, since each one can bring additional running services and eventually give attackers another way to break into the system.



6. Disclaimer banner for SSH logins.


Sample -




Use-case -


The use case below covers 3 layers of security for logging on to a bastion host set up with a public IP on a public subnet on OCI.


1. Private/public key pair

2. Security list on OCI

3. 2FA using Google Authenticator




We can also add OS-level firewall rules to the list. Hope this helps!!




