Understanding Bastion Host Architecture
A bastion host serves as a single point of entry for SSH access to internal networks, creating a security chokepoint where all remote access can be monitored and controlled. This architectural pattern significantly reduces the attack surface by eliminating direct SSH access to internal servers from untrusted networks. Instead, users first authenticate to the bastion host, which then provides controlled access to internal resources.
The security benefits of bastion hosts extend beyond simple access control. By concentrating SSH access through a dedicated system, organizations can implement enhanced authentication mechanisms, detailed logging, session recording, and sophisticated access policies. This centralization also simplifies security updates, as only the bastion host requires exposure to external networks, while internal servers can disable direct SSH access entirely.
Design a secure bastion host architecture:
#!/bin/bash
# bastion-architecture-setup.sh
# Configure secure bastion host architecture
# Network architecture configuration
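#######################################
# Write the two-interface netplan layout (external eth0, internal eth1) and
# apply it, then enable IPv4 forwarding.
# The addresses are the page's example values (203.0.113.0/24 is TEST-NET-3)
# and must be replaced for a real deployment; the host is assumed to be
# netplan-managed.
# Globals:   none read
# Outputs:   /etc/netplan/01-bastion-network.yaml, /etc/sysctl.d/99-bastion.conf
# Returns:   non-zero if netplan or sysctl fails
#######################################
configure_network_architecture() {
  local -r netplan_file=/etc/netplan/01-bastion-network.yaml
  local -r sysctl_file=/etc/sysctl.d/99-bastion.conf

  # Quoted delimiter: nothing inside the heredoc is expanded. YAML is
  # indentation-sensitive, so the nesting below must be kept exactly;
  # the flattened original would not have parsed. NOTE(review): newer
  # netplan releases deprecate `gateway4` in favour of a `routes:` entry
  # with `to: default` — confirm against the target netplan version.
  cat > "$netplan_file" <<'EOF'
network:
  version: 2
  ethernets:
    # External interface (Internet-facing)
    eth0:
      dhcp4: no
      addresses:
        - 203.0.113.10/24
      gateway4: 203.0.113.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
    # Internal interface (Private network)
    eth1:
      dhcp4: no
      addresses:
        - 10.0.0.10/24
      routes:
        - to: 10.0.0.0/8
          via: 10.0.0.1
EOF
  # netplan warns when its config files are world-readable
  chmod 600 "$netplan_file"
  netplan apply || return

  # Overwrite rather than append so re-running the script does not
  # accumulate duplicate lines in the sysctl drop-in.
  # NOTE(review): ssh ProxyJump is carried inside sshd's own TCP forwarding
  # and does not need IP forwarding; turning it on makes the bastion a
  # router between eth0 and eth1, which is a wider path than the chokepoint
  # is meant to offer. Kept because the original enables it — confirm it is
  # actually required before deploying.
  printf 'net.ipv4.ip_forward = 1\n' > "$sysctl_file"
  sysctl -p "$sysctl_file"
}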
# Firewall configuration for bastion
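#######################################
# Install the bastion's IPv4 filter rules: default-deny INPUT/FORWARD,
# SSH only from the allow-listed sources on the external interface, a
# per-source new-connection rate limit, and rate-limited logging of
# everything that falls through to the DROP policy.
# Globals:   BASTION_EXT_IF, BASTION_INT_IF (optional; default eth0 / eth1)
# Outputs:   persists the ruleset to /etc/iptables/rules.v4
# Returns:   non-zero if iptables or iptables-save fails
#######################################
configure_bastion_firewall() {
  local -r ext_if=${BASTION_EXT_IF:-eth0}
  local -r int_if=${BASTION_INT_IF:-eth1}
  local -r rules_file=/etc/iptables/rules.v4
  # Sources permitted to reach sshd on the external interface
  local -a ssh_sources=(
    192.168.0.0/16     # Corporate network
    203.0.113.100/32   # VPN endpoint
  )
  local src

  # Reset the filter table (other tables are left untouched)
  iptables -F
  iptables -X

  # Default policies: deny inbound and transit, allow outbound
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  # Loopback and reply traffic
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Rate limit NEW SSH connections per source address. These rules must
  # precede the per-source ACCEPTs below: an ACCEPT ends rule traversal,
  # so placing the limiter after it (as the original did) meant the
  # allow-listed sources were never counted. The 4th new connection from
  # one source within 60 s is dropped.
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 4 -j DROP

  # SSH from the allow-listed sources only, external interface only
  for src in "${ssh_sources[@]}"; do
    iptables -A INPUT -i "$ext_if" -p tcp --dport 22 -s "$src" -j ACCEPT
  done

  # Transit SSH from external to internal.
  # NOTE(review): ProxyJump / -W forwarding rides inside the bastion's own
  # SSH session and never touches the FORWARD chain; these rules only take
  # effect if the host also routes (ip_forward=1). A routed path to
  # internal port 22 bypasses the bastion's authentication and session
  # logging, so drop these two rules unless routing is a deliberate
  # requirement.
  iptables -A FORWARD -i "$ext_if" -o "$int_if" -p tcp --dport 22 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$int_if" -o "$ext_if" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Log what the INPUT policy will drop, rate-limited so a port scan
  # cannot flood the kernel log
  iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "BASTION-DROP: " --log-level 4

  # Persist. The directory may not exist on a fresh host.
  # NOTE(review): only IPv4 is filtered here; if IPv6 is enabled on the
  # external interface the same policy must be applied with ip6tables.
  mkdir -p "${rules_file%/*}"
  iptables-save > "$rules_file"
}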
# SELinux configuration for bastion
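#######################################
# Write, compile and load the bastion_ssh SELinux policy module, using
# the given directory for the build artefacts.
# Arguments: $1 - writable scratch directory
# Returns:   status of the first failing step
#######################################
_bastion_selinux_install_module() {
  local -r work_dir=$1

  # NOTE(review): granting sshd_t write/create/unlink on user_home_t and
  # admin_home_t lets the SSH daemon modify any file in any home
  # directory, not just session recordings. Giving the recordings their
  # own directory and type would be the least-privilege fix; the rules
  # are kept as the original wrote them pending that change.
  cat > "$work_dir/bastion_ssh.te" <<'EOF'
module bastion_ssh 1.0;
require {
    type sshd_t;
    type user_home_t;
    type admin_home_t;
    class file { read write create unlink };
    class dir { read write add_name remove_name };
}
# Allow SSH daemon to manage session recordings
allow sshd_t user_home_t:dir { read write add_name remove_name };
allow sshd_t user_home_t:file { read write create unlink };
allow sshd_t admin_home_t:dir { read write add_name remove_name };
allow sshd_t admin_home_t:file { read write create unlink };
EOF

  # Each step consumes the previous step's output, so stop at the first failure
  checkmodule -M -m -o "$work_dir/bastion_ssh.mod" "$work_dir/bastion_ssh.te" || return
  semodule_package -o "$work_dir/bastion_ssh.pp" -m "$work_dir/bastion_ssh.mod" || return
  semodule -i "$work_dir/bastion_ssh.pp"
}

#######################################
# Install SELinux tooling, load the bastion_ssh policy module and label
# the custom login shell.
# NOTE(review): this stage uses yum, while configure_network_architecture
# writes netplan config (Debian/Ubuntu); the script does not target a
# single distribution — pick one and adjust the package step to match.
# Globals:   none
# Outputs:   SELinux module bastion_ssh; fcontext for /usr/local/bin/bastion-shell
# Returns:   non-zero if any install, build or labelling step fails
#######################################
configure_selinux_bastion() {
  local work_dir
  local rv=0

  yum install -y selinux-policy-targeted policycoreutils-python-utils || return

  # Build in a private temp dir rather than $PWD, so .te/.mod/.pp files
  # are not left wherever the script happened to be invoked from. The
  # status is captured so cleanup runs on failure too.
  work_dir=$(mktemp -d) || return
  _bastion_selinux_install_module "$work_dir" || rv=$?
  rm -rf -- "$work_dir"
  (( rv == 0 )) || return "$rv"

  # `semanage fcontext -a` fails when the mapping already exists, so fall
  # back to `-m` to keep re-runs idempotent
  semanage fcontext -a -t sshd_exec_t '/usr/local/bin/bastion-shell' \
    || semanage fcontext -m -t sshd_exec_t '/usr/local/bin/bastion-shell' \
    || return
  restorecon -Rv /usr/local/bin/
}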
# Initialize bastion architecture
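# Entry point: run the three configuration stages in order. Strict mode is
# enabled here, at run time, so it also governs the functions defined above
# when they are called; a failing stage aborts instead of leaving the host
# half-configured.
set -euo pipefail
# Every stage writes under /etc and drives netplan/iptables/semodule, so
# refuse to start unprivileged rather than fail partway through.
[[ $EUID -eq 0 ]] || { printf 'error: %s must run as root\n' "${0##*/}" >&2; exit 1; }
printf '%s\n' "Configuring bastion host architecture..."
configure_network_architecture
configure_bastion_firewall
configure_selinux_bastion
printf '%s\n' "Bastion architecture configuration complete"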