Set up an OpenBSD Bastion Host



Introduction
We are going to set up a Bastion Host (colloquially, a 'jumpbox') for our cloud infrastructure.
This should be the entry point for all future server, database, and load balancing systems.
The purpose of a bastion host is simple: SSH access to your cloud infrastructure is allowed from ONE hardened location only. No other machine in the world gets to SSH into the rest of your fleet, only this one (each of those machines must in turn be configured to accept SSH only from the bastion's address; this post covers the bastion itself).
Classically, you would SSH into each part of your infrastructure (DB, web server, load balancers, etc.) directly from your desktop, and most guides are written that way. A bastion adds one hardening step in front of those systems, so the wider internet never even sees the SSH ports of the important parts of your setup.
How are we going to do this?
Via OpenBSD, an operating system built with security as a first-class goal.
Let's begin!
OpenBSD Setup:
Go into Vultr - use my promo code to save some money (and give me a little kickback, thank you!) and create an OpenBSD instance. From here, you will ssh into it from your main computer and begin the process of a basic setup
1. Setup SSH keys
Set up your SSH key pair on your local computer with:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/whateverKeyNameYouWant.key -C "Jumpbox key"
(An ed25519 key, -t ed25519, is shorter and the modern default choice; either works here. Set a passphrase when prompted.)
This will give you two files in your ~/.ssh directory: whateverKeyNameYouWant.key (the private key, which never leaves your machine) AND whateverKeyNameYouWant.key.pub (the public key).
You will add that .pub key to your OpenBSD installation.
2. Change root password
Get into your bastion host via:
ssh root@yourserverIP
using the password on your Vultr server details page
You’re in!
Now, first things first: change that root password:
passwd
And enter whatever root password you want.
3. Add packages
We can add packages to our new OpenBSD installation via the following:
pkg_add packageName
pkg_add neovim
I generally add neovim to all my servers, and this is no exception.
4. Create a new user
Enter as the root user:
adduser
and you will get an interactive script allowing you to name and create a new user
4.1 Add that user to the wheel group
Edit /etc/group as the root user and append the user to the wheel line, so it reads:
wheel:*:0:root,john_doe
or, still as root, in the terminal:
usermod -G wheel john_doe
(useradd creates accounts; usermod changes an existing one, and on OpenBSD -G adds the listed secondary groups. There is no sudo on a stock OpenBSD install, which is why the next step sets up doas.)
4.2 Enable doas:
As root, create /etc/doas.conf (nvim /etc/doas.conf) and put the following line in the file:
permit :wheel
This lets every wheel member run commands as root with doas after entering their own password (permit persist :wheel additionally remembers a successful authentication for a short while). Check that the file parses with doas -C /etc/doas.conf, which prints nothing on success, and keep it owned by root and not writable by group or other.
4.3 Make sure your PUBLIC key is in that user's ~/.ssh/authorized_keys
Copy the contents of whateverKeyNameYouWant.key.pub from your local machine into that file on the bastion (ssh-copy-id does this for you while password login still works, or paste it in with an editor). The private .key file stays on your computer and is never uploaded. The ~/.ssh directory should be mode 700 and authorized_keys mode 600, both owned by the user; sshd refuses the file if it or the directory is group- or world-writable.
To check it, as the user you created:
cat ~/.ssh/authorized_keys
or as root:
cat /home/john_doe/.ssh/authorized_keys
The file holds one public key per line. With the author's throwaway key it looks like the following (a single line):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2SPcjFIXET7ij8LqkmuxF87HbMmnHRBlajbLPBjjIeHp7A/i8B8KY2F8ze5iZUMkpdrObuZ+zeKymuKixeb//K1zBHGercYJYhl9UJ9r03haFuYGj033BTut9m6qFO/ytyW5njTQDIfVWyXjm5988RMAdTZR+QZugFYx/8v4VE83DX53wNdiQlpsp+hWwPj6FgA8QT9xdsEYABywqO08+MfLVP3xOaCxtpN3PnCin6N1ZECt+S35h61TOiujRYRvIIJOh896AtjWTJrKd+W4WcQFj0SbWcMD3+V7Wn0pMNLJBHZT9mJLLl1r7WU5Kbnlk3l7VRqkY5F8UBtTQ2dNxAY8nICtXXkcGYFpcvcSYoOpphGiAYvBapLiLmlW7cLyKgxS5wyDnN3NT1baYOlDcNJkvkf3X4CQTVbDx2Pxk1B9+I7PFhZHIoqyRi+qF58ZhmRSvjaAgrvhMJmgo60Iw5inqcSGY3rqQpFip6dXxiCgqX72ON++7Gyi7TWPp0LkVeGMiRz3i+iuu3bb5OvBlS5zK2dvBgLv4OtmeGrZm74GsOIWr+Tjojw7ksMGzpdcussYdOwjIzRKHctLeBU18nH9zroqcC0hQnHeTBoDyjyPY0Zn/iXFKYpnm1v8K6Kme9LcKE7H9bbPHBlNFnq3G+RNVxLY1dldKXkS2IA86FQ== throwaway
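The step above is where most lockouts come from: the wrong half of the key pair gets uploaded, or the file lands with permissions that sshd's StrictModes check rejects, and nobody notices until password login is switched off. Here is an added example, not code from the original post or from OpenBSD, that does 4.3 the careful way: it refuses a private key, installs the public key exactly once, fixes the modes, and then re-checks them the way sshd does. The function names (install_authorized_key, perms_ok, key_count), the demo directory and the made-up key blob are my own; it needs only POSIX sh, so it also runs on your desktop.

```shell
#!/bin/sh
# install_pubkey.sh: added example, not code from the original post.
# Installs a PUBLIC key into a user's authorized_keys with the ownership and
# modes sshd(8) requires. With StrictModes (the default) sshd silently
# ignores authorized_keys when ~, ~/.ssh or the file itself is group- or
# world-writable, which is a classic way to lock yourself out once password
# logins are disabled. Assumes POSIX sh only; no ssh tooling is needed.

# looks_like_pubkey LINE: 0 if LINE has the shape "<type> <base64> [comment]".
# Shape only; it does not validate the key material.
looks_like_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# perms_ok PATH: 0 unless PATH is group- or world-writable (what StrictModes
# rejects). Parses ls -l so it behaves the same on OpenBSD, Linux and macOS.
perms_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        "") return 1 ;;                       # does not exist
        ?????w????|????????w?) return 1 ;;    # group write / other write
    esac
    return 0
}

# key_count HOME_DIR: number of lines in HOME_DIR/.ssh/authorized_keys (0 if absent).
key_count() {
    if [ -f "$1/.ssh/authorized_keys" ]; then
        wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
    else
        echo 0
    fi
}

# install_authorized_key PUBKEY_FILE HOME_DIR [OWNER]: append the first line of
# PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys (once), fix modes, and chown to
# OWNER when given and running as root, which is how the post does it for the
# new user. Refuses private keys: only the .pub half ever goes on the server.
install_authorized_key() {
    pub=$1; home=$2; owner=${3:-}
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a PRIVATE key; install the .pub file instead" >&2
        return 1
    fi
    key=$(head -n 1 "$pub")
    looks_like_pubkey "$key" || { echo "$pub: not an OpenSSH public key line" >&2; return 1; }

    dir=$home/.ssh; ak=$dir/authorized_keys
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$ak" && chmod 600 "$ak" || return 1

    # dedupe on "<type> <blob>" so a different comment does not add a second copy
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if ! cut -d' ' -f1,2 "$ak" | grep -qxF "$blob"; then
        printf '%s\n' "$key" >> "$ak"
    fi

    if [ -n "$owner" ] && [ "$(id -u)" = 0 ]; then
        chown -R "$owner" "$dir" || return 1
    fi
    # a lax home directory also trips StrictModes; report it rather than chmod it
    perms_ok "$home" || echo "warning: $home is group/world-writable; sshd will ignore $ak" >&2
    perms_ok "$dir" && perms_ok "$ak"
}

# Demo on a throwaway directory with a constructed, non-functional key
# (the blob is made up; no real account or home directory is touched).
demo_install_key() {
    home=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpMadeUpMadeUpMadeUpMadeUpMadeUpMadeUpMad jumpbox' \
        > "$home/jumpbox.key.pub"
    # second run must not add a duplicate line
    install_authorized_key "$home/jumpbox.key.pub" "$home" &&
        install_authorized_key "$home/jumpbox.key.pub" "$home" &&
        echo "$(key_count "$home") key(s); modes: $(ls -ld "$home/.ssh" "$home/.ssh/authorized_keys" | cut -c1-10 | tr '\n' ' ')"
    rm -rf "$home"
}

case "${1:-}" in --demo) demo_install_key ;; esac
```

On the bastion, run it as root in the form install_authorized_key /path/to/whateverKeyNameYouWant.key.pub /home/john_doe john_doe, and run sh install_pubkey.sh --demo anywhere to see the dedupe and the resulting modes. The chmod of the home directory itself is deliberately left to you: silently loosening or tightening a home directory is the kind of side effect a setup script should not have.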
5. Harden sshd and remove the ability to SSH in as root:
Inside /etc/ssh/sshd_config, as root, find the following directives, UNCOMMENT them and set:
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
On OpenBSD also set KbdInteractiveAuthentication to no: it defaults to yes, and the keyboard-interactive method accepts the account password, so PasswordAuthentication no on its own does not stop password logins. sshd uses the first uncommented occurrence of a directive, so make sure the lines you edited are the only active ones.
Then check that the file parses with sshd -t (silent on success) and restart the daemon:
/etc/rc.d/sshd restart
(rcctl restart sshd is the modern equivalent.) Do this from a session you keep open, and confirm that a fresh key-based login works from a second terminal before closing it; otherwise a typo locks you out of your own bastion.
Now to get into the remote server you must run:
ssh -i ~/.ssh/whateverKeyNameYouWant.key john_doe@yourserverIP
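Editing sshd_config by hand is fine once, but "uncomment and change" is easy to get subtly wrong (a leftover #, a second active copy of the directive lower in the file, a Match block that re-enables passwords). The following is an added example, not the post's or OpenBSD's code: it applies the step 5 directives in place, then reads back the value sshd will actually use for each one and fails loudly if anything is still open. The function names (harden_sshd_config, sshd_effective, check_sshd_config) and the demo config excerpt are my own; it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# harden_sshd.sh: added example, not code from the original post.
# Rewrites the sshd_config directives from step 5 in place and then reads back
# the values sshd(8) will actually use, so a typo or a leftover "#" does not
# silently keep root or password logins open. KbdInteractiveAuthentication is
# included because on OpenBSD it defaults to yes and accepts the account
# password through the keyboard-interactive method; PasswordAuthentication no
# alone is not enough there. Assumes POSIX sh and awk only.

SSHD_WANT="PermitRootLogin=no
PasswordAuthentication=no
KbdInteractiveAuthentication=no
PubkeyAuthentication=yes
AuthorizedKeysFile=.ssh/authorized_keys"

# harden_sshd_config FILE: set every SSHD_WANT directive in FILE, rewriting
# existing lines (commented or not, any case) and inserting missing ones at the
# top so they land before any Match block. Directives inside Match blocks are
# rewritten too: on a bastion nobody gets a password exception. Idempotent.
harden_sshd_config() {
    tmp=$(mktemp) || return 1
    awk -v want_list="$SSHD_WANT" '
    BEGIN {
        n = split(want_list, kv, "\n")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            name = substr(kv[i], 1, eq - 1); key = tolower(name)
            canon[key] = name; want[key] = substr(kv[i], eq + 1); order[i] = key
        }
    }
    {
        line = $0
        if (!in_match && line ~ /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/) in_match = 1
        stripped = line; sub(/^[ \t]*#?[ \t]*/, "", stripped)   # drop "#" and indent
        split(stripped, w, /[ \t]+/); key = tolower(w[1])
        if (key in want) {
            line = canon[key] " " want[key]
            if (!in_match) seen[key] = 1        # only global lines count as set
        }
        out[NR] = line
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(order[i] in seen)) print canon[order[i]] " " want[order[i]]
        for (i = 1; i <= NR; i++) print out[i]
    }' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the owner and mode of FILE
    rc=$?
    rm -f "$tmp"
    return $rc
}

# sshd_effective FILE NAME: print the value sshd would use for NAME, i.e. the
# first uncommented global occurrence (sshd takes the first match; Match
# blocks are conditional, so reading stops there). Prints nothing if unset.
sshd_effective() {
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }
        tolower($1) == name { v = $2; for (i = 3; i <= NF; i++) v = v " " $i; print v; exit }
    ' "$1"
}

# check_sshd_config FILE: 0 only when every SSHD_WANT directive is effective;
# otherwise name each offender on stderr and return 1.
check_sshd_config() {
    status=0
    for kv in $SSHD_WANT; do          # entries contain no spaces, so splitting is safe
        name=${kv%%=*}; val=${kv#*=}
        got=$(sshd_effective "$1" "$name")
        if [ "$got" != "$val" ]; then
            echo "$1: $name is '${got:-unset}', want '$val'" >&2
            status=1
        fi
    done
    return $status
}

# Demo on a constructed excerpt written in the style of a stock sshd_config,
# where these directives ship commented out (it is not a copy of the real file).
demo_harden() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Authentication:
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#KbdInteractiveAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF
    echo "before:"; check_sshd_config "$f" || true
    harden_sshd_config "$f"
    echo "after:"; check_sshd_config "$f" && cat "$f"
    rm -f "$f"
}

case "${1:-}" in --demo) demo_harden ;; esac
```

Against the real file the sequence is: back it up, harden_sshd_config /etc/ssh/sshd_config, check_sshd_config /etc/ssh/sshd_config, then sshd -t and the restart, all from a session you keep open until a second key-based login has succeeded. check_sshd_config is worth keeping around on its own as a quick audit: it reports what sshd will enforce, not what you think you typed.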
Congratulations! You now have a hardened jump-in point for your cloud infrastructure that only holders of your SSH private key can reach. It protects the rest of the fleet only once those machines accept SSH from the bastion's address alone; from then on you reach them through the bastion (ssh -J, OpenSSH's ProxyJump option, does this in one command) instead of exposing their SSH ports to the internet.
Next, we will configure a load balancing machine.
I hope you liked this first technical post I’ve made, and I plan on doing many more in the future for the sake of documenting the journey of developing applications that are portable and scalable.