If you have Virtual Private Cloud (VPC) at any service provider like AWS, GCP, Azure, or similar, then you must secure your SSH access. This document will cover some of SSH Security best practices to secure your systems. If you want to harden SSH for VPS instance with Public IP (DigitalOcean, Linode, or similar) then please refer to Part-1. If you have Virtual Private Cloud (VPC) at any service provider like AWS, GCP, Azure, or similar, and don't want to use shared ssh private key-based access then please refer to Part-3.
This is a simple one, where we use a fixed/shared ssh private key to configure all instances like key-pair (.pem file) is used in AWS instances. Now in the case of VPC, normally we architect different subnets to place instances. Public subnet to host external-facing services (like Bastion host, Load-balancers, NAT instances, etc. ) and private subnet to host application and database instances.
A bastion host is a proxy instance to provide SSH access to a private network from an external network, such as the Internet. The main function of the bastion host is to protect unauthorized SSH ingress and minimize the chances of penetration. This is the entry point for the entire VPC for SSH login and we must secure it. So we should not host any key-pair (.pem file) on it.
So now, we can easily ssh to bastion-host as we have the ssh private key (key-pair.pem) and bastion-host has the ssh public key in ~/.ssh/authorized_keys file. Now, the question is how to ssh login to private instances directly from our workstation? The answer is ~/.ssh/config.
Create a file and configure entries like below :
Host <bastion-identifire>
Hostname <Public-IP-of-Bastion-Host>
User ec2-user
IdentityFile ~/.ssh/key-pair.pem
ForwardAgent yesHost <private-host-identifire>
Hostname <Private-IP-of-Instance-in-Private-Subnet>
User ec2-user
IdentityFile ~/.ssh/key-pair.pem
ProxyCommand ssh <bastion-identifire> -W %h:%pHost <subnet-pattern>
User ec2-user
IdentityFile ~/.ssh/key-pair.pem
ProxyCommand ssh <bastion-identifire> -W %h:%p
Note: Please refer “PATTERNS” section in ssh_config manpage to understand how to write syntactically <subnet-pattern>. For IdentityFile, I’m assuming the name of the private key is key-pair.pem and it is placed at ~/.ssh/. Again change the User as per default user of instances like “ubuntu” in case of Ubuntu AMI’s and “hadoop” in case of EMR nodes.
Now, ssh login to private instances just as normal.
$ ssh <private-host-identifire> # This is for single node access
$ ssh <private-ip> # If specified in <subnet-pattern>Now, to avoid StrictHostKeyChecking mention below settings end of ~/.ssh/config file :
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
LogLevel QUIET
ServerAliveInterval 30
ServerAliveCountMax 2
TCPKeepAlive=yesFurther, please refer to Part-1 for configuring the fail2ban kind of firewall software. For advance ssh configuration please refer to Part-3 of the series.
That’s all.
