Bastion Host Recommended Practices
- bastion host, server security
A bastion host, as defined by Wikipedia, is a special-purpose computer on a network specifically designed and configured to withstand attacks.
A bastion host usually provides only a specific service or hosts a single application, while all other services are removed (not just disabled, for security purposes). Examples of bastion hosts found in IT environments today include DNS servers, proxy servers, email servers, FTP servers and web servers. Most of these are located within the DMZ (in a two-firewall configuration, with one firewall facing the Internet and the other facing the internal network); otherwise the host is placed outside the firewall and faces the Internet directly.
To reduce the attack vectors and limit the vulnerabilities of a bastion host, several recommended practices can be applied when building it:
- Remove unneeded services or daemons
- Remove unneeded user accounts, including the guest account (if it cannot be removed, it should be disabled)
- Remove any unneeded network protocols
- Use secure protocols instead of insecure options, such as SSH instead of Telnet, SFTP instead of FTP, etc.
- Log management and periodic review
- Deployment of a Host Intrusion Detection System
- Update management for the host, including security patches, OS updates and application updates (following standard governance practices before deploying any update)
- Lock down user accounts as much as possible, especially root or administrator accounts.
- Disable all unused ports by using deny-all as the default and opening ports only as needed (validate each opened port to avoid system compromise)
- Multi-factor authentication and encryption for any login attempt to the host (ensure the security policy is applied properly on this host to maximise protection against breach attempts)
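
One way to check a host against several of the items above (unneeded services, insecure protocols, unneeded accounts, locked-down root), as an added example that is not part of the original article. The `ss -H -tln` output, the `/etc/passwd` excerpt, the account name `opsadmin` and the allowlists are constructed assumptions.

```python
# Added example: audit a bastion host snapshot against an allowlist (all data constructed).
INSECURE_PORTS = {21: "FTP", 23: "Telnet"}  # cleartext protocols named in the list
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed `ss -H -tln` output: State Recv-Q Send-Q Local Peer
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:23 [::]:*
"""

# Constructed /etc/passwd excerpt
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
opsadmin:x:1002:1002:Ops:/home/opsadmin:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

def audit_listeners(ss_text, allowed_ports):
    """Return (port, reason) for every listener that breaks the deny-all default."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rpartition(":")[2])  # also handles [::]:23
        if port in INSECURE_PORTS:  # flagged even if someone allowlisted it
            findings.append((port, f"insecure protocol {INSECURE_PORTS[port]}"))
        elif port not in allowed_ports:
            findings.append((port, "not in allowlist"))
    return sorted(findings)

def audit_accounts(passwd_text, allowed_logins):
    """Return (name, reason) for accounts that can log in but should not."""
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or parts[6] in NOLOGIN_SHELLS:
            continue
        name, uid = parts[0], parts[2]
        if uid == "0":  # root-equivalent accounts are always reported
            findings.append((name, "uid 0 with interactive shell"))
        elif name not in allowed_logins:
            findings.append((name, "interactive shell, not in allowlist"))
    return findings
```

On a real host, feed the functions the live output of `ss -H -tln` and the contents of `/etc/passwd`, with an allowlist that names only the single service the bastion exists to provide.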