SSH bastion hosts are an indispensable security enforcement stack for secure infrastructure access. Every security compliance standard that deals with

SSH Bastion Host Best Practices

submited by
Style Pass
2022-01-13 18:00:07

SSH bastion hosts are an indispensable security enforcement stack for secure infrastructure access. Every security compliance standard that deals with remote infrastructure access (e.g., FedRAMP AC-17 - Remote Access, HIPAA §164.312(a)(1) - Access control, SOC2 CC6.1 - Manage Points of Access) mandates preventing direct network access to the servers and APIs. Although it is relatively easy to deploy a bastion host in your infrastructure, it should be noted that securing a bastion host requires careful consideration from design to deployment. After all, bastion hosts are the first target for attackers looking to compromise access to infrastructure.

This blog post focuses on following best practices on building and deploying a secure SSH bastion server based on OpenSSH. If you are looking for a quick guide on creating an SSH bastion, check our previous blog post on setting up an SSH Bastion.

Adversaries can either compromise a bastion host (e.g. OS and network exploitation) or find a network policy misconfiguration that allows bypassing the bastion host entirely. Thus, security of both the server deployed as a bastion host and the network in which the bastion host will be placed must be carefully considered as an attack surface for bastion host exploitation.

Leave a Comment