Difference between revisions of "Sshbastion"
Revision as of 22:16, 28 October 2017
ref
- https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/
- if using the session-recording script from that post, make the log directory append-only so recorded sessions cannot be deleted or rewritten:
  - chattr +a /var/log/bastion/
sshd basic
- make sure root can log in with a key or certificate only, or not at all
  - PermitRootLogin prohibit-password
- AllowTcpForwarding no
- X11Forwarding no
- only allow members of a specific group to ssh in
  - AllowGroups sshusers
proc
Make sure users can't see other users' processes (add to /etc/fstab):
- proc /proc proc defaults,hidepid=2 0 0
firewall to restrict outgoing traffic from bastion
#!/bin/bash
# only the package mirrors, DNS/DHCP to the gateway, ICMP and new ssh sessions may leave the bastion
iptables --flush OUTPUT
# the mirrors are given by name, so they are resolved when the script runs: DNS must work at load time
iptables --append OUTPUT -d security.debian.org -j ACCEPT
iptables --append OUTPUT -d ftp.dk.debian.org -j ACCEPT
# never ssh from the bastion to the gateway itself (must come before the generic ssh ACCEPT below)
iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
iptables --append OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
iptables --append OUTPUT -p icmp -j ACCEPT
# reject any other new outbound connection; replies on already established connections are not affected
iptables --append OUTPUT -m state --state NEW -j REJECT
PAM
Secure bastionhost
- harden passwords
  - apt install libpam-pwquality
  - add password requisite pam_pwquality.so minlen=12 retry=3 to /etc/pam.d/common-password
- geoip
  - apt install geoip-database-extra libpam-geoip
  - see https://github.com/vetinari/pam_geoip/blob/master/geoip.conf and modify /etc/security/geoip.conf
  - add account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.dat to /etc/pam.d/common-account
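An added audit helper for the sshd, proc and PAM items above (example code, not from the original page): it checks copies of sshd_config, fstab and /etc/pam.d/common-password passed as file arguments. It assumes the files are plain local copies and, as the comments note, it only approximates sshd's own config parsing.

```shell
#!/bin/bash
# Offline audit of the checklist above. check_sshd_config reads the first active occurrence
# of each keyword (sshd is first-match), stops at the first Match block, and reports a keyword
# that is absent as unset even where the compiled-in default would satisfy the check; on a
# live host compare with 'sshd -T', which prints the effective configuration.
check_sshd_config() {
    local file="$1" missing=0 kv key expected actual
    for kv in PermitRootLogin=prohibit-password AllowTcpForwarding=no X11Forwarding=no AllowGroups=sshusers; do
        key="${kv%%=*}"; expected="${kv#*=}"
        actual=$(awk -F '[[:space:]=]+' -v k="$key" '
            { sub(/^[[:space:]]+/, "") }                  # drop indentation, re-split fields
            tolower($1) == "match"     { exit }           # settings below Match are conditional
            tolower($1) == tolower(k)  { $1 = ""; sub(/^ /, ""); print; exit }
        ' "$file")
        # AllowGroups may list several groups; the required one must appear as a whole word
        case " $actual " in
            *" $expected "*) ;;
            *) echo "sshd: $key should be $expected (found: ${actual:-unset})"; missing=1 ;;
        esac
    done
    return "$missing"
}

# check_fstab FILE: succeeds only if the active proc mount line carries hidepid=2
check_fstab() {
    awk '$1 !~ /^#/ && $3 == "proc" && $4 ~ /(^|,)hidepid=2(,|$)/ { ok = 1 } END { exit !ok }' "$1"
}

# check_pam_pwquality FILE: succeeds only if common-password enforces pam_pwquality with minlen >= 12
check_pam_pwquality() {
    awk '$1 == "password" && ($2 == "requisite" || $2 == "required") && $3 == "pam_pwquality.so" {
             for (i = 4; i <= NF; i++) if ($i ~ /^minlen=[0-9]+$/ && substr($i, 8) + 0 >= 12) ok = 1
         }
         END { exit !ok }' "$1"
}

# constructed sample input (not from a real host): a config that forgot X11Forwarding
demo() {
    local d; d=$(mktemp -d)
    printf '%s\n' '# PermitRootLogin yes' 'PermitRootLogin prohibit-password' \
        'AllowTcpForwarding no' 'AllowGroups sshusers admins' > "$d/sshd_config"
    if check_sshd_config "$d/sshd_config"; then echo "sshd_config: OK"; else echo "sshd_config: fix the above"; fi
    rm -rf "$d"
}
demo
```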