Difference between revisions of "Sshbastion"

From HoerupWiki
Jump to: navigation, search
Line 17: Line 17:
 
Make sure users can't see other users processes:
 
Make sure users can't see other users processes:
 
* proc /proc proc defaults,hidepid=2 0 0
 
* proc /proc proc defaults,hidepid=2 0 0
 +
 +
==firewall to restrict outgoing traffic from bastion==
 +
 +
#!/bin/bash
 +
iptables --flush OUTPUT
 +
iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
 +
iptables --append OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
 +
iptables --append OUTPUT -m state -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
 +
iptables --append OUTPUT -m state -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
 +
iptables --append OUTPUT -m -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
 +
iptables --append OUTOUT -p icmp -j ACCEPT
 +
iptables --append OUTPUT -m state --state NEW -j REJECT

Revision as of 21:02, 28 October 2017

ref

sshd basic

  • make sure ssh root is cert only or disabled
  • PermitRootLogin prohibit-password
  • AllowTcpForwarding no
  • X11Forwarding no
  • Only allow certain group to ssh
  • AllowGroups sshusers


proc

Make sure users can't see other users processes:

  • proc /proc proc defaults,hidepid=2 0 0

firewall to restrict outgoing traffic from bastion

#!/bin/bash
iptables --flush OUTPUT
iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
iptables --append OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables --append OUTPUT -m state -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
iptables --append OUTPUT -m state -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
iptables --append OUTPUT -m -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
iptables --append OUTOUT -p icmp -j ACCEPT
iptables --append OUTPUT -m state --state NEW -j REJECT
Retrieved from "https://wiki.t-hoerup.dk/index.php?title=Sshbastion&oldid=11870"