How to Create and Configure a Bastion Host in AWS


In this article, we will show you how to create a bastion host in AWS. A bastion host is an additional layer of security used for remote access and administrative purposes. This type of server requires the highest level of trust because all traffic coming from it must pass through another machine before arriving at its destination. The benefits are worth it though! Read on to find out more about creating your own bastion host in AWS!

Steps to create a Bastion Host in AWS:

– Create a security group to allow traffic through the bastion host.

– Make sure you have your key pair created and available for this section! Once again, see our article on how to create one.

– Go into EC2's VPC dashboard, select Subnets, then click Edit subnets.

– Create your subnet, select the VPC you want to create it in, then click OK.

– Select Routing and make sure the internet gateway is selected for the “Use this route table” option under the Attachments tab.

– Go into EC2's Security Group dashboard, then open the Inbound tab. Here, add a new rule and select SSH from the drop-down menu under Source.

– Go into your EC2 VPC dashboard, go to the route table section, then click on Routing tables. Find the main one (default, for example) and edit it. Select your VPC in the Destination column and tick Enable this route if it is not ticked already. Then add 0.0.0.0/0 as an association ID with the security group that you created above (vpc_id) in the Destination column of the same “default” row.

– Now create your key pair by going into EC2's Key Pairs dashboard. Click the Create Key Pair button and name yours bastion (or whatever you want), but make sure you remember it.

– Now go into EC2's VPC dashboard. Tick the subnet that you just created, then select Security Groups under the Attachment tab. Select the security group that you created previously, click Edit, open the Inbound tab and add a new rule with SSH as the destination port.
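Before relying on the security group from the steps above, it is worth checking that the SSH port is reachable only from your admin range and not from 0.0.0.0/0, since an SSH rule open to the world is the most common way a bastion becomes the weakest machine in the VPC. The script below is an added example and is not part of this article or of AWS's tooling: it walks an ingress rule list in the shape that EC2's DescribeSecurityGroups returns and reports every rule that exposes the SSH port to everyone. The sample group, its sg-EXAMPLE id, the 203.0.113.0/24 admin range and the moved port 3822 are constructed for the example, so it runs offline without boto3 or credentials.

```python
"""Flag security-group ingress rules that expose SSH to the whole internet.

Added example (not from the article or AWS): the input mimics the
IpPermissions structure returned by EC2 DescribeSecurityGroups, but it is
constructed inline so the check runs offline, without boto3 or credentials.
"""

SSH_PORT = 22
WORLD = {"0.0.0.0/0", "::/0"}   # "anywhere" sources, v4 and v6

# Constructed sample group: one SSH rule open to the world, one SSH rule on
# the moved port scoped to an admin range, and one "all traffic" rule.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",          # placeholder id, not a real group
    "GroupName": "bastion-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "ssh"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3822, "ToPort": 3822,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "admin VPN"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "-1",           # -1 means every protocol and port
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def rule_covers_port(perm, port):
    """True if this permission entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rule_sources(perm):
    """All CIDR sources (v4 and v6) listed on one permission entry."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return cidrs


def world_open_ssh(group, port=SSH_PORT):
    """Return (protocol, cidr) pairs that expose `port` to everyone.

    An empty list means SSH on `port` is only reachable from named ranges.
    """
    findings = []
    for perm in group.get("IpPermissions", []):
        if not rule_covers_port(perm, port):
            continue
        for cidr in rule_sources(perm):
            if cidr in WORLD:
                findings.append((perm.get("IpProtocol"), cidr))
    return findings


if __name__ == "__main__":
    for port in (SSH_PORT, 3822):
        hits = world_open_ssh(SAMPLE_GROUP, port)
        status = "EXPOSED" if hits else "ok"
        print(f"{SAMPLE_GROUP['GroupName']} port {port}: {status} {hits}")
```

Against a live account you would pass in one element of `describe_security_groups(...)['SecurityGroups']` from boto3 instead of SAMPLE_GROUP. Note that a rule whose IpProtocol is -1 covers every port, which is why it is reported for port 3822 as well even though it never names SSH.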

Steps for configuring a Bastion Host:

– Open up PuTTY again and fill in the username (root or whatever) and the server IP address, which is the bastion host's Public DNS name from EC2 Dashboard > Instances. Then enter your key pair file location by clicking the Session link near the saved profile area under Session, if it is not already selected automatically when you load the profile you saved earlier.

– Once logged into your EC2 server, you will need to change the root password by running the passwd command.

– Then run sudo apt-get update and install fail as well as the nano program for editing.

– If you do not have the package installed already, type in “sudo apt-get install nmap”. After that installs, we can begin configuring our bastion host! Type in “sudo nano /etc/ssh/sshd_config”; this file is where all changes must be made (and remember that Ctrl+X exits).

You should see something like what's below after opening up your sshd config file:

                  # Package generated configuration file.  Do not edit.

                  PermitRootLogin prohibit-password

                  PermitEmptyPasswords no

                  AllowTcpForwarding yes

– Delete everything inside this file and paste in the lines below (Ctrl+K is for pasting):

                  PasswordAuthentication yes

                  UsePAM yes

This will allow root login through SSH on port 22 and enable PAM, which adds support for ChallengeResponseAuthentication when using SSH keys. Enable TCP forwarding with X11 tunneling to make a VNC connection possible from your bastion host: open /etc/ssh/sshd_config again by running sudo nano /etc/ssh/sshd_config, scroll down until you see “X11Forwarding”, change its value to yes, then save.

– Restart the SSH server by running sudo service sshd restart, or just reboot the EC2 instance if you prefer.

– Now go back into the EC2 dashboard and select the Instances section. Click on the blue text link that says Public DNS, which will take you right to your EC2 instance. Make sure no firewall rules are blocking traffic through port 22 by checking whether there is a green dot next to Security Groups under the Attachment tab of the VPC Dashboard, as shown in the image below. If there is no green dot, it is blocked by default.

– Once done, go back into your PuTTY SSH session and run sudo nano /etc/ssh/sshd_config again. Scroll down until you see “Port 22” and change the value to something like 3822, or anything other than port 22 (I prefer using different ports for every service). Save the file, exit, then reload the configuration with the command below:

       sudo service sshd restart

Make sure this newly created bastion host only allows SSH login via key pairs! So make an authorized_keys text file in the root folder of the EC2 server for all hosts from which you wish to connect as a client machine without password requests. This also applies to any servers accessible from the bastion host. So make sure you have a copy of all your client machine keys in the /root directory on the EC2 server. Hosts can be easily added and removed by editing this file: the ssh_config file that we edited earlier.

– Now log off the PuTTY session and try to SSH into the new port 3822, or whatever number you chose above (don't forget to add -p 3822 at the end of the command). If everything worked correctly, it should ask for key pair login! You might want to use something like WinSCP/plink as an SCP client, which is much easier than the standard Linux FileZilla utility included with Ubuntu Server if you're not very familiar with Linux CLI commands, but I will not cover that here.

– Now try to SSH into port 22 (or whatever number you had chosen earlier); if it asks for key pair login again, then congratulations! Everything is configured properly and working fine. You have also successfully created a bastion host in the AWS cloud!
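The sshd_config edits above and the key-pairs-only requirement are easy to get wrong in two ways: sshd keeps the first value it sees for a keyword, so a directive pasted at the top silently overrides anything lower in the file, and UsePAM combined with ChallengeResponseAuthentication can still produce a password prompt even when PasswordAuthentication is off. The script below is an added example, not code from this article: it parses an sshd_config the way sshd does for top-level keywords and reports anything that still permits password-based login, which is the check to run before trusting the "asks for key pair login" test. Both embedded configs are constructed for the example: WEAK_CONFIG is the two-line file the article pastes in, HARDENED_CONFIG is one key-only variant on port 3822; Match blocks are not modelled.

```python
"""Audit an sshd_config for key-only login.

Added example, not from the article. Parsing follows sshd's rules for
top-level keywords: keywords are case-insensitive, the FIRST occurrence of a
keyword wins, '#' lines are comments, and "Key value" or "Key=value" are both
accepted. Match blocks are not modelled (an assumption of this example).
"""
import re

# Constructed: the two-line file the article pastes into sshd_config.
WEAK_CONFIG = """\
PasswordAuthentication yes
UsePAM yes
"""

# Constructed: a key-only configuration on a non-default port. The last line
# is deliberately contradictory; sshd ignores it because the first value wins.
HARDENED_CONFIG = """\
# Package generated configuration file.  Do not edit.
Port 3822
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
AllowTcpForwarding yes
# a later duplicate does not override the earlier value
PasswordAuthentication yes
"""

# OpenSSH upstream defaults for keywords that are absent from the file.
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}


def parse_sshd_config(text):
    """Return {lowercased keyword: first value} for top-level directives."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue                      # keyword with no value: skip
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit(settings):
    """Return findings; an empty list means only key-based login is possible."""
    eff = {**DEFAULTS, **settings}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password logins accepted")
    if eff["usepam"] == "yes" and eff["challengeresponseauthentication"] != "no":
        findings.append("UsePAM with ChallengeResponseAuthentication still allows "
                        "PAM password prompts")
    if eff["permitrootlogin"] not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin lets root log in with a password")
    if eff["permitemptypasswords"] != "no":
        findings.append("PermitEmptyPasswords is enabled")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled: keys cannot be used")
    return findings


if __name__ == "__main__":
    for name, text in (("article paste", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        cfg = parse_sshd_config(text)
        problems = audit(cfg)
        print(f"{name} (port {cfg.get('port', DEFAULTS['port'])}): "
              f"{'OK' if not problems else problems}")
```

Run it against the real file with `parse_sshd_config(open('/etc/ssh/sshd_config').read())`; the DEFAULTS table is what matters when a keyword is missing, and Debian-style packaged configs differ from upstream on UsePAM, so read the whole file rather than only the lines you pasted.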

Conclusion

Bastion hosts are very important for security. These hosts act as a gateway to your servers via SSH, SCP and other protocols. The bastion host should only accept key pairs for login, to make it more secure and to make sure only authorized hosts can access it.
