SSH Bastion Setup
Bastion IP:PUBLIC IP ADDRESS
Bastion Tailnet IP: 100.64.1.1
Implementation
1. Root Access
root is setup to only allow specific admins for management purposes.
/root/.ssh/authorized_keys
2. Jump User
Setupjump user for ssh jumping and ssh jumping only.
useradd -m -s /usr/sbin/nologin jump
3. SSHD Hardening
/etc/ssh/sshd_config4. Jump Wrapper Script
/usr/local/bin/ssh-jump-wrapper5. Banner
/etc/ssh/banner6. Firewall (UFW)
7. Fail2Ban
/etc/fail2ban/jail.d/sshd-custom.conf8. System Hardening
/etc/audit/rules.d/ssh.rules9. Adding New VPS
To add a new server to the jump list:- Modify
/usr/local/bin/ssh-jump-wrapperon Bastion. - Add:
ALLOWED_HOSTS["new-host-name"]="<TAILNET-IP>" - Secure the new VPS SSHD config using the standard template.