Configuring a Linux Bastion host aka Jumpbox.

Saumik Satapathy
4 min read · Feb 18, 2024

A Bastion host is a special-purpose computer on a network designed and configured to withstand attacks. It acts as a gateway between an external network (such as the internet) and a more secure internal network. Bastion hosts are typically hardened, meaning they have very limited access and only allow authorized users to connect to them for tasks like remote administration or secure access to internal resources. They serve as a single point of entry that can be monitored and controlled, helping to protect the internal network from unauthorized access and potential security threats.

In a hybrid network, a Bastion host can be hosted either in the on-premises infrastructure or in the cloud, depending on the specific requirements and architecture of the network.

If the hybrid network primarily relies on on-premises resources, the Bastion host may be deployed within the organization’s own data centre or private cloud environment. This setup allows the organization to maintain full control over the Bastion host and its access policies.

Alternatively, if the hybrid network incorporates cloud services, the Bastion host may be hosted in a cloud environment such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). In this scenario, the Bastion host acts as a secure entry point into the cloud environment, providing access to resources hosted both on-premises and in the cloud.

Regardless of where it’s hosted, the Bastion host plays a crucial role in securing the hybrid network by controlling and monitoring access to internal resources.

On the Bastion host itself only port 22 (SSH) needs to be open, and only to the corporate gateway network range, so the host is reachable once you are connected to the corporate VPN and from nowhere else.

Let’s do a step-by-step configuration once our VM is ready to use.

After logging into the instance, become the ‘root’ user and set a password for the account; once the PAM change below is in place, ‘su’ will ask for this password. (A password change does not require restarting SSH, but the restart is harmless.)

$ sudo su - root
# passwd
# service ssh restart
  1. Edit the ‘/etc/pam.d/su’ file.
    # vim /etc/pam.d/su
  2. Comment out the line below.
    # auth sufficient pam_rootok.so
    pam_rootok.so lets uid 0 switch user without a password. With it commented out, ‘sudo su -’ has to supply the root password instead of getting a root shell for free.
  3. Change the file permission to 0400.
    # chmod 0400 /etc/pam.d/su
  4. Make the sudoers file writable. (The safer way to edit it is ‘visudo’, which locks the file, checks the syntax before saving and restores the permissions; if you use it, steps 4 and 9 are unnecessary.)
    # chmod +w /etc/sudoers
  5. Before modifying the sudoers file, make a backup of it.
    # cp /etc/sudoers /etc/sudoers.bkp
  6. Edit the sudoers file and comment out the line below.
    # vim /etc/sudoers

# %sudo ALL=(ALL:ALL) ALL

Go to the end of the file and add the content below. The SU alias collects the commands that must keep asking for the root password even for NOPASSWD users: ‘su’ itself, ‘bash’, and the editors and readers for the sudoers, PAM and log files. In sudoers a command listed without arguments matches any arguments, so ‘/bin/su’ already covers ‘su -’ and ‘su root’.

Defaults    log_host, log_year, logfile="/var/log/sudo.log"
Cmnd_Alias SU = /bin/su, /usr/bin/su, /bin/bash, /usr/bin/vim /etc/sudoers, /usr/bin/vi /etc/sudoers, /bin/cat /etc/sudoers, /bin/nano /etc/sudoers, /usr/bin/vim /etc/pam.d/su, /usr/bin/vi /etc/pam.d/su, /bin/cat /etc/pam.d/su, /bin/nano /etc/pam.d/su, /usr/bin/vi /etc/logrotate.d/sudo, /usr/bin/vim /etc/logrotate.d/sudo, /bin/cat /etc/logrotate.d/sudo, /bin/nano /etc/logrotate.d/sudo, /usr/bin/vi /var/log/sudo.log, /usr/bin/vim /var/log/sudo.log, /bin/cat /var/log/sudo.log, /bin/nano /var/log/sudo.log
%sudo ALL=(ALL:ALL) ALL, !SU
ubuntu ALL=(ALL) NOPASSWD:ALL, !SU

A caveat: the sudoers(5) manual itself warns that it is generally not effective to “subtract” commands from ALL with ‘!’. A user with ‘NOPASSWD:ALL, !SU’ can still run a shell or editor that is not on the list, or copy a file over /etc/sudoers with ‘cp’. Treat the SU alias as a guard against the ‘sudo su’ habit, not as a security boundary; a real least-privilege policy lists the commands each role needs instead of starting from ALL.

Save and exit.

7. List the members of the ‘sudo’ group.

 # grep '^sudo:.*$' /etc/group | cut -d: -f4

8. For each account in that list, open ‘/etc/sudoers’, go to the last line and add an entry like the one below (one per user). sudoers applies the last matching entry, so these per-user lines take precedence over the %sudo line above them. After updating, save and exit.

cloud-user ALL=(ALL) NOPASSWD:ALL, !SU

9. Restore the /etc/sudoers file permission. sudo expects 0440 and refuses to run if the file is more permissive than that; current versions also accept the stricter 0400 used here. No service restart is needed: sudo re-reads the file on every invocation.

# chmod 0400 /etc/sudoers
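The sudoers steps above as a script, added here as an example and not the article's own procedure: it renders the same policy (the Defaults line, the SU alias, the %sudo rule and one NOPASSWD line per admin) into a drop-in under /etc/sudoers.d instead of editing /etc/sudoers by hand, checks it with `visudo -c -f` before anything is installed, and installs it with the 0440 mode sudo expects. It assumes a sudoers file that already includes /etc/sudoers.d (the Ubuntu default), GNU coreutils, and that the install step runs as root; the drop-in name 90-bastion and the user names used in testing are hypothetical.

```shell
#!/bin/sh
# Added example (not the article's own procedure): render the sudo policy from
# steps 1-9 as a drop-in for /etc/sudoers.d, check it with visudo, and install
# it with the mode sudo expects. Hypothetical: the drop-in name 90-bastion.
set -eu

DROPIN=/etc/sudoers.d/90-bastion

# Commands that must keep asking for the root password even under NOPASSWD:ALL.
# In sudoers a command given without arguments matches any arguments, so
# "/bin/su" already covers "su -", "su root" and so on.
SU_COMMANDS='/bin/su, /usr/bin/su, /bin/bash, /usr/bin/vim /etc/sudoers, /usr/bin/vi /etc/sudoers, /bin/nano /etc/sudoers, /bin/cat /etc/sudoers, /usr/bin/vim /etc/pam.d/su, /usr/bin/vi /etc/pam.d/su, /bin/nano /etc/pam.d/su, /bin/cat /etc/pam.d/su, /usr/bin/vim /etc/logrotate.d/sudo, /usr/bin/vi /etc/logrotate.d/sudo, /bin/nano /etc/logrotate.d/sudo, /bin/cat /etc/logrotate.d/sudo, /usr/bin/vim /var/log/sudo.log, /usr/bin/vi /var/log/sudo.log, /bin/nano /var/log/sudo.log, /bin/cat /var/log/sudo.log'

# Print the policy. $1: space-separated accounts that get NOPASSWD (step 8).
# The per-user lines come last because sudoers applies the last matching entry.
render_policy() {
    printf 'Defaults    log_host, log_year, logfile="/var/log/sudo.log"\n'
    printf 'Cmnd_Alias SU = %s\n' "$SU_COMMANDS"
    printf '%%sudo ALL=(ALL:ALL) ALL, !SU\n'
    for account in $1; do
        printf '%s ALL=(ALL) NOPASSWD:ALL, !SU\n' "$account"
    done
}

# Step 7: members of group sudo, one per line (getent also sees LDAP/SSSD users).
sudo_group_members() {
    getent group sudo | cut -d: -f4 | tr ',' '\n'
}

# Octal mode of a file, e.g. "440" (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Parse a candidate file with visudo without touching the live policy.
# Root only: older visudo versions also check owner and mode of the file given.
validate_policy() {
    chown root:root "$1"
    chmod 0440 "$1"
    visudo -c -q -f "$1"
}

# Install the candidate as root:root 0440 and re-check the whole policy,
# including the main /etc/sudoers that includes the drop-in directory.
install_policy() {
    validate_policy "$1"
    install -o root -g root -m 0440 "$1" "$DROPIN"
    [ "$(mode_of "$DROPIN")" = "440" ] || { echo "bad mode on $DROPIN" >&2; exit 1; }
    visudo -c -q
}

# Usage (as root): sh bastion-sudoers.sh install
if [ "${1:-}" = "install" ]; then
    candidate="$(mktemp)"
    render_policy "$(sudo_group_members | tr '\n' ' ')" > "$candidate"
    install_policy "$candidate"
    rm -f "$candidate"
fi
```

Keeping the policy in a drop-in means a syntax error is caught by `visudo -c` before it can lock every admin out, and the main /etc/sudoers never has to be made writable. The `!SU` exclusion is reproduced as the article has it; it is still subject to the sudoers(5) warning about subtracting commands from ALL.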

10. Add a logrotate rule for the sudo log. The log file itself is created by sudo the first time it writes, from the logfile= default above; this rule only keeps it from growing without bound. Note that in logrotate the ‘size’ directive overrides the time interval (with ‘size 1G’ and ‘monthly’ together, rotation happens only on size), so ‘maxsize’ is used to rotate monthly or at 1 GB, whichever comes first.

# vim /etc/logrotate.d/sudo

Add the below content.

/var/log/sudo.log {
    # rotate monthly, or earlier once the file exceeds 1 GB
    monthly
    maxsize 1G
    rotate 3
    compress
    delaycompress
    # do not error out before sudo has written the first line
    missingok
    create 0600 root root
}

11. The logs can be kept on the host, but for security they should also be shipped to a central system such as Splunk or ELK: an attacker who does obtain root on the bastion can edit or truncate /var/log/sudo.log, while a copy that has already left the box cannot be quietly altered.

12. Change the permission of /etc/logrotate.d/sudo to 0400. No rsyslog restart is needed: sudo writes /var/log/sudo.log directly rather than through syslog, and logrotate picks the new rule up on its next scheduled run (the daily cron job or systemd timer).

# chmod 0400 /etc/logrotate.d/sudo
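Once the log exists, the script below shows what to look for in it before (or after) the lines are shipped to Splunk or ELK. It is an added example, not part of the article: it flags every refused sudo command and every interactive shell that sudo did allow, the second being exactly what the ‘!SU’ blacklist lets through for shells it does not list. The sample lines are constructed for the example and follow the layout sudo writes with ‘Defaults log_host, log_year, logfile=’ (timestamp : user : HOST=host : optional reason ; TTY=… ; PWD=… ; USER=… ; COMMAND=…); the host name bastion01, the user names and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: triage /var/log/sudo.log for
# refused commands and for interactive shells that sudo allowed.
# SAMPLE_LOG is constructed, not captured from a real host; it uses the layout
# sudo produces with "Defaults log_host, log_year, logfile=...":
#   <Mon D HH:MM:SS YYYY> : <user> : HOST=<host> : [<reason> ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..
set -eu

SAMPLE_LOG='Feb 18 10:15:32 2024 : alice : HOST=bastion01 : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Feb 18 10:16:01 2024 : alice : HOST=bastion01 : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Feb 18 10:17:45 2024 : bob : HOST=bastion01 : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Feb 18 10:18:10 2024 : alice : HOST=bastion01 : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Feb 18 10:19:03 2024 : carol : HOST=bastion01 : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/su -'

# Reads sudo.log lines on stdin and prints "VERDICT<TAB>user<TAB>command" for
# lines worth alerting on: any refusal (DENIED), or an interactive shell that
# sudo allowed (SHELL). Ordinary allowed commands are not printed.
flag_sudo_events() {
    awk -F' ; ' '
    {
        # $1 is "date : user : HOST=h : <reason, or the first key=value>"
        n = split($1, head, " : ")
        user = head[2]
        reason = ""
        for (j = 3; j <= n; j++)
            if (head[j] !~ /^(HOST|TTY|PWD|USER)=/) reason = head[j]
        cmd = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
        if (reason != "")
            printf "DENIED\t%s\t%s\n", user, cmd
        else if (cmd ~ /^(\/usr)?\/bin\/(sh|bash|dash|zsh)( |$)/)
            printf "SHELL\t%s\t%s\n", user, cmd
    }'
}

# Number of flagged events with the given verdict in the constructed sample.
count_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_sudo_events | awk -v v="$1" '$1 == v { c++ } END { print c + 0 }'
}

# Usage: sh sudo-triage.sh [/var/log/sudo.log]; with no argument the sample is scanned.
if [ -n "${1:-}" ]; then
    flag_sudo_events < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | flag_sudo_events
fi
```

On the sample this reports three DENIED events (the two ‘su’ attempts and bob, who is not in sudoers) and one SHELL event: alice's ‘sudo /bin/sh’, which the policy permitted because only /bin/bash is in the SU alias. The reason text is whatever sudo put between the host and the first key=value pair, so the same parser handles logs written without ‘log_host’.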

Log out, log back in as a normal user and try to become ‘root’: ‘sudo su -’ and ‘sudo bash’ should now prompt for the root password, while other sudo commands still run as before.

Root login over SSH can be disabled outright (PermitRootLogin no in sshd_config), but some tasks still need an interactive root shell. If that is never the case on your bastion, also change root's login shell to /sbin/nologin, which blocks ‘su -’ and ‘sudo -i’ as well.
