On your ssh bastion make sure to at the very least:
- have minimal services running, preferably only ssh
- if you have other services running, then use iptables or a firewall frontend to block all incoming ports except for the ones you specifically need/want open
- disable root ssh login
- disable password login (e.g. use ssh keys, and preferably with a passphrase too)
- you can also use something like fail2ban or denyhosts, but it’s not really necessary if you’ve also done all the above
- yum or apt update it frequently
- For your ssh connection from the bastion to your AWS instance or any other important ssh destinations from the bastion, use a key with a passphrase for increased security (on the off chance your bastion gets compromised)
- Don’t do anything else too important on your ssh bastion, e.g. don’t have any important stuff or work lying around on it, or other services/applications running. Just use it as a jumphost only.
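As an added example (not part of the original post), here is a small POSIX sh audit that checks an `sshd_config` against the "disable root ssh login" and "disable password login" items above, so you can verify a bastion actually enforces them. It reads the first uncommented occurrence of each keyword, because that is the value sshd uses. The two sample config files it writes to temp files are constructed for the demonstration; firewall rules and package updates are outside what this check covers.

```shell
#!/bin/sh
# Audit an sshd_config against the checklist items "disable root ssh login"
# and "disable password login". Added example; not from the original post.
# sshd uses the FIRST uncommented occurrence of a keyword, so that is what we read.

sshd_setting() {
    # usage: sshd_setting <config-file> <Keyword>
    # prints the lower-cased value of the first active directive, or nothing if unset
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}'
}

audit_sshd_config() {
    # usage: audit_sshd_config <config-file>
    # prints one FAIL line per weak setting and returns the number of failures
    cfg=$1
    fails=0

    # Root login: sshd's default is prohibit-password; the checklist wants it fully off
    v=$(sshd_setting "$cfg" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "FAIL PermitRootLogin=${v:-<unset>} (want: no)"
        fails=$((fails + 1))
    fi

    # Password login: sshd's default is yes, so an unset directive is also a failure
    v=$(sshd_setting "$cfg" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "FAIL PasswordAuthentication=${v:-<unset>} (want: no)"
        fails=$((fails + 1))
    fi

    # Key login: sshd's default is yes, so only an explicit "no" fails
    v=$(sshd_setting "$cfg" PubkeyAuthentication)
    if [ "$v" = "no" ]; then
        echo "FAIL PubkeyAuthentication=no (want: yes)"
        fails=$((fails + 1))
    fi

    return "$fails"
}

# Constructed sample configs (hypothetical, written to temp files for the demo)
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf '%s\n' '# distro-default-style config' 'Port 22' \
    '#PermitRootLogin no' 'PasswordAuthentication yes' > "$WEAK_CFG"
printf '%s\n' 'Port 22' 'PermitRootLogin no' \
    'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$HARD_CFG"

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || echo "$? weak setting(s) found"
echo "== hardened config =="
audit_sshd_config "$HARD_CFG" && echo "all checks passed"
```

To audit a real bastion, call `audit_sshd_config /etc/ssh/sshd_config` (and any files it pulls in via `Include`), and remember that a commented-out `#PermitRootLogin no` counts as unset, which the weak sample above demonstrates.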