What is a Bastion Host?

A bastion host is a system that sits between your internal network and the Internet. It acts as a first line of defense against incoming threats, such as spam and phishing attempts. Its role is to protect the other servers on the private network from external attacks by “bastioning” them off. A bastion host typically uses more resources than other hosts on the same network, but it also provides protection for those hosts.

A bastion host is a server that sits in front of your network and serves as an entry point into the private network. It can be configured to appear as if it belongs to the public Internet, while still allowing you to connect securely to other servers on your internal (private) network. There are different ways to configure one depending on how it is used: opening up only certain services, or limiting access by validating that the connecting client machine has already been authenticated with some form of two-factor authentication (such as a hardware token) before it is allowed through. The benefit of using one is that it provides extra protection for those systems by acting as an additional layer between them and potential threats from outside sources.

The Benefits of Using a Bastion Host:

  • Extra Protection for your other servers and systems on the internal network.
  • A single system that serves as a central point of access into your private network from outside sources.
  • The ability to limit the services you allow through, such as which ports can be accessed via protocol (TCP/UDP), etc.
  • Ability to limit access by validating clients have been authenticated with a two-factor authentication system before allowing them through.
  • Ability to add an extra layer of protection such as with the use of a VPN.
  • You can use more than one to segment your private network into different zones, for example a DMZ (Demilitarized Zone) and an internal zone.

The Drawbacks:

  • Uses more system resources compared to other hosts on a private network.
  • May require some special configuration or third party software in order for you to be able to connect securely from the private network side of things through it, such as with a VPN client.
  • You’ll need to ensure your bastion host is as secure as possible, so you might want to have a dedicated server for it.

How to Set up Your Own Bastion Host?

There are a few different ways to set up your own bastion host.

  • You can use a Linux system as the bastion host, install an SSH server on it, and configure sshd_config so that access from outside systems is allowed only from certain source IP addresses, or so that clients must jump through some other hoops before they are given SSH access.
  • If you have an Ubuntu server already configured for remote administration via SSH keys (see this guide for details), you could simply disable password authentication altogether in /etc/ssh/sshd_config and restart the service so that users can no longer log in using passwords. When connecting from external systems, SSH will now ask whether you want to add the server’s public key fingerprint to ~/.ssh/known_hosts. Once you do this, ssh will no longer warn you when connecting to the host from that particular IP address, since it has already been authenticated.
  • You could also use a commercial service like Amazon’s AWS EC2 to create your own bastion host. This is probably the easiest solution, but it will cost you some money depending on how much traffic you need to allow through this server.
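The setup steps above come down to a handful of sshd_config directives (key-only logins, no root shells, source addresses limited with a Match block, forwarding granted only to trusted clients). The following added example, which is not from the original page, parses an sshd_config and reports which of those bastion settings are missing; the two sample configurations and the 203.0.113.0/24 and 10.0.0.0/8 ranges are constructed for illustration.

```python
import re

# Constructed sample: a default-style sshd_config before hardening.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
"""

# Constructed sample: the same file after the steps above (key-only,
# root disabled, forwarding only for one trusted source range).
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
Match Address 203.0.113.0/24
    AllowTcpForwarding yes
    PermitOpen 10.0.0.0/8:22
"""

def parse_sshd_config(text):
    """Return (global_directives, [(match_criteria, directives), ...]).
    Keywords are case-insensitive, '#' starts a comment, and every line
    after a 'Match' line belongs to that Match block."""
    globals_, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
        elif current is not None:
            current[key] = value
        else:
            globals_[key] = value
    return globals_, blocks

def audit_bastion(text):
    """List the bastion hardening settings from this page that are absent.
    Defaults used when a directive is missing follow current OpenSSH."""
    g, blocks = parse_sshd_config(text)
    findings = []
    if g.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if g.get("permitrootlogin", "prohibit-password").lower() not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root shells")
    if not any(c.lower().startswith("address ") for c, _ in blocks):
        findings.append("no 'Match Address' block limits source IPs")
    if g.get("allowtcpforwarding", "yes").lower() != "no":
        findings.append("AllowTcpForwarding is global; restrict it to a Match block")
    return findings
```

Run `audit_bastion` over the text of your own /etc/ssh/sshd_config; an empty list means all four of the page's recommendations are in place.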

Examples of How They Are Used in the Real World:

A bastion host is usually used to provide access into remote networks that don’t have public IP addresses. It’s also useful for allowing remote users or systems within your private network (which do not have global/local firewall rules configured) to make outgoing connections through it, such as to FTP or email servers.

  • If you had an internal web server which wasn’t accessible from outside sources and wanted to make some updates, you would need a way of doing this without the fear of being compromised by someone trying different usernames and passwords until one works on the system. You could set up port forwarding rule(s) in iptables so that only certain ports are forwarded via protocol (TCP/UDP) to the internal web server, or you could use a VPN to connect securely from elsewhere.
  • If you needed to connect from within your network to a remote system which only had an SSH daemon running on it and didn’t allow connections via other protocols, you could use the bastion host as a jump point so that you can securely forward TCP port 22 (SSH) traffic through it. You would first need to configure the sshd_config file with the forwarding rules for port X, where X is the port number or name of the specific rule(s) needed for this purpose, then restart the ssh service afterwards. This way, incoming connections from valid users will be able to securely access those systems behind those firewalls without issue.
  • You could also use a bastion host to add an extra layer of protection in the event that your VPN server was compromised and used as a conduit for unauthorised access back into your private network.
  • You might also want to have an extra layer of security on your private network in order to limit what users can do once they’re inside it. For example, only allowing SSH connections through port 22 and limiting which directories within user home folders are accessible by using chroot jails for system services that require local file access via bind mounts (see this page here). This is not specific to Linux systems either; some routers offer similar functionality with OpenWrt. It’s often recommended that if you don’t need remote administration capabilities over TCP ports such as 80 (web), 443 (SSL) and 21 (FTP), you should close them off to the internet. This is because recent statistics show that these ports are the most common targets for attackers to exploit in order to gain access into your network.

Common Types of Attacks on Servers And What kind of Protection a Bastion Host Can Offer Against Them:

  • Attacks on the SSH service are usually done by trying different username and password combinations in order to find one that works. If you don’t use password authentication anymore, then this is not an issue for you as long as your private key hasn’t been stolen or leaked somehow. Otherwise it’s recommended that if none of your users have local administration access over ssh, they should create their own keys instead so that they can log in without needing to enter another username/password combination which could be compromised.
  • DNS spoofing attacks won’t work either since most clients will check against the server hostname configured within /etc/ssh_known_hosts first before attempting a connection to it.
  • Brute force attacks usually consist of an automated script that tries different combinations in order to find one combination which works on the target host, but if your private network has implemented egress filtering, then this won’t be possible since any remote systems attempting access would have their IP address(es) flagged as suspicious and blocked from making outbound connections towards them by ISPs. This is because hackers tend to use bots (sometimes called zombies) in order to perform brute force attempts against servers with open ports listening for outside connections. Hence why we recommend configuring outbound access on your servers to be limited and only allowing traffic which you intend for it to use.
  • The bastion host would also protect against DDoS attacks, which consist of attackers flooding a target host with superfluous requests in order to take it offline or make it unresponsive for legitimate users/clients trying to connect to it, by either: a) initiating SYN floods (which is what happens when you close an application like Firefox, but forget that there’s still some downloads going on within the browser, then try opening up another webpage while this one hasn’t finished yet), or b) sending UDP packets towards port 53 (DNS). However, if such malicious traffic was sent over TCP instead, the firewall rules protecting the server could be configured so as not to allow incoming connections on port 22 (ssh) in order to prevent it being used as an entry point for attackers into the network.