~15 min · bastion, jump-host, proxyjump, audit-point
Bastion host(jump host) 가 인터넷에 노출된 유일한 단일, 무거운 hardened 머신. 다른 모든 머신이 사설 IP 가짐; bastion SSH 후에야 도달. 공격 surface 가 N 에서 1 로 — 모든 머신을 public 인터넷 표준으로 hardening 대신 bastion hardening.
Track 3 가 ProxyJump — bastion 패턴의 SSH 클라이언트 쪽 — 다뤘어. 풀 그림 — bastion 이 public IP 가짐, 나머지 X. Bastion 이 keys-only, fail2ban, port-changed, key-only access (per-key ProxyJump 제한) 으로 설정된 sshd. Internal 머신이 bastion IP 에서만 SSH 받음.
Internet ─→ [bastion (only public IP)] ─→ Internal machines (private IPs)
│
├─ keys only, no passwords
├─ non-default port
├─ fail2ban aggressive
├─ minimal software
└─ logged + monitored# The bastion
Host bastion
HostName bastion.example.com
Port 2222
User you_username
IdentityFile ~/.ssh/id_ed25519
# Internal machines, only reachable through bastion
Host office server music
User you_username
ProxyJump bastion
Host office
HostName 10.0.0.10
Host server
HostName 10.0.0.11
Host music
HostName 10.0.0.12# All on the bastion:
# PasswordAuthentication no
# KbdInteractiveAuthentication no
# PubkeyAuthentication yes
# PermitRootLogin no
# AllowUsers you_username # only specific accounts
# MaxAuthTries 3
# ClientAliveInterval 300
# Port 2222 (or whatever)
# X11Forwarding no
# PermitEmptyPasswords no
# fail2ban with aggressive thresholds
# Firewall: ufw allow 2222/tcp from <known sources only>
# Audit logging: ship to a central log host or off-box S3
# Minimal packages: nothing on the bastion that doesn't need to be there아직 댓글이 없어요. 첫 댓글을 남겨보세요.