Connecting to remote hosts through a bastion host using ssh

In today’s digital world where everything is connected.So making sure that only the right people can access private network stuff is really important. So lots of organizations use strong security stuff like special gateway computers called bastion hosts to protect the resources.So I will discuss about what is a bastion host,purpose of it and how to create it and connect to remote hosts through this.

What is a bastion server?

• A bastion server, also known as proxy or intermediary server strategically positioned between a user’s local system and a remote server. It functions as a bridge, enabling the redirection of device requests through this intermediary server to reach the remote server. This setup facilitates a secure and controlled pathway for data transmission, where the bastion server acts as a protective gateway, managing and regulating the flow of information between the user’s device and the remote server.

Purposes of bastion server

Major purposes of a bastion servers are anonymity,content filtering and security.So let’s discuss these things briefly.

• Anonymity: Proxies can mask your IP address, making it appear as if the request is coming from the proxy server rather than your actual device. This can help in maintaining privacy and anonymity.
• Content Filtering: Proxies can be used by organizations to control or filter the content accessed by their network users. For example, restricting access to certain websites.
• Security: Proxies can act as an additional security layer by filtering out potentially harmful content or traffic, providing a buffer between the user’s device and the internet.

How to create a bastion server?

Creating a bastion server means setting up a server that acts as a secure gateway to access other servers in a private network.Following are the steps to create a bastion server.

1. Set up a server: You’ll need to provision a server instance with a cloud service provider or set up a local virtual machine. This server will serve as the bastion host.
2. Install an SSH server: Ensure that the bastion host has an SSH server installed and properly configured. This will allow you to establish SSH connections to the bastion host.
3. Configure security: Secure the bastion host by configuring firewall rules or security groups to only allow SSH access from specific IP addresses or a restricted range of IP addresses. This helps enhance security by limiting who can connect to the bastion host.
4. Network configuration: The bastion host should have access to the servers in the private network you want to reach. This might involve setting up Virtual Private Cloud (VPC) configurations to enable communication between the bastion host and the other servers.
5. SSH key setup: Set up SSH key-based authentication for accessing the bastion host. Ensure that the public keys of authorized users are added to the bastion host’s ~/.ssh/authorized_keys file.

We aim to connect to a remote server by jumping on the bastion server using the following command.

ssh -J bastionhost remotehost

The -J option in ssh allows you to create a connection through a bastion or jump host to reach a remote host.So now you will able to Jump into remote using an SSH connection and create a TCP forwarding from bastion to achieve the connection to remote.

But suppose there are multiple bastion servers.Then writing a jumping command can be tedious, especially if you have multiple bastions servers.For an example you will need to write a long command.

you@localhost$ ssh -J user@bastion1,user@bastion2,user@bastion3 user@web

So for a solution it is easy to define it in a separate configuration file. This configuration file (by default: ~/.ssh/config) is an excellent way to order your path.

Host bastion1
    HostName bastion1.example.com
    User username1

Host bastion2
    HostName bastion2.example.com
    User username2

Host bastion3
    HostName bastion3.example.com
    User username3

# Target Host Configuration through Bastion Hosts
Host remote
    HostName remoteserver.example.com
    User username
    ProxyJump bastion1,bastion2,bastion3

And Use following simple command to connect to the remote server through multiple bastion hosts.

ssh remote

Security is an everyday concern and must be adapted to each situation.So Connecting through a bastion server enhances security by controlling access to internal resources and reducing exposure to potential threats.

~Dinuka Ekanayake~