To connect to a remote machine, my public key needs to be added to its authorized_keys. By that logic, the public key for bastion would have an entry in authorized_keys of an EC2. Doesn't that mean if someone gets access to my bastion they will automatically have access to my EC2 provided they have the right host and user? How did Bastion then enhance the security of my EC2? Wouldn't it be equally difficult for a hacker to get his public key added to either the Bastion or EC2?
You are quite correct. It is not a good idea to store keys on a Bastion host.
The purpose of a Bastion is to be the part of your architecture that "sticks out" onto the Internet, with the other resources hidden behind the "wall".
In fact, the Bastion name refers to "a projecting part of a fortification built at an angle to the line of a wall, so as to allow defensive fire in several directions.".
Just as a castle has a defensive bastion, you should also be defensive with your bastion by not storing keys on it.
Instead, you can use Agent Forwarding. This allows you to SSH to the bastion, then use the same keypair to login to another computer without having to store the keypair on the bastion.
There's plenty of information online to explain Agent Forwarding, such as: How to use SSH properly and what is SSH Agent Forwarding - DEV Community
Related
Google Cloud Platform Compute Engine
When I created the VM within the VPC network, I set up a static internal IP.
The firewall allowed the personal computer IP.
In this situation, the VM's SSH could not be reached.
Once logged in to the Google Cloud platform, metadata I generated using the keigen command to access the VM in a terminal in local environment.
e.g) ssh email ID#IP
Why can't I access that VM's SSH from the console on the Google Cloud platform?
Thank you for reading it. :)
If we read the following GCP documentation ... https://cloud.google.com/solutions/connecting-securely#external
we find the following statement:
When instances do not have external IP addresses (including VMs that are backends for HTTPS and SSL proxy load balancers) they can only be reached by other instances on the network, Identity-Aware Proxy's TCP forwarding feature, or by using managed VPN gateway.
The key phrase to me is that they can only be reached .... It would thus appear that you can only reach a VM without a public IP using the recipes described in the article. If it were me, I'd consider actually giving the machine a public IP address and then following the recipes described in the article to only allow access to the machine through secured means. Google is promoting a story it called Beyond Corp which basically summarizes down to trust nothing. Every attempt to access any resource will be validated on a request by request basis and don't assume that lack of network access is enough to secure a resource. Instead, consider the notion that the VM can be publicly reachable but only authorized requests should be satisfied.
I have a database set up (use RDS) in a private subnet, and a bastion is set up in front of it in a public subnet. The traditional way to access this database from local laptops is to set up an ssh tunnel on that bastion/jumpbox and map the database port to local. But this is not convenient to development because we need to set up that tunnel everytime before we want to connect. I am looking for a way to access this database without setting up an ssh tunnel first. I have seen a case where the local laptop directly uses that bastion's ip and its 3306 port to connect to the database behind. I have no idea how it is done.
BTW, in that case I saw, they don't use port forwarding because I didn't find any special rules in the bastion's iptable.
There are several ways to accomplish what you are trying to do, but without understanding the motivation fully it is hard to say which is the "Best Solution".
SSH Tunneling is the defacto standard of accessing a resource in a private subnet behind a public bastion host. I will agree that SSH Tunnels are not very convenient, fortunately, some ide's and many apps are available to make this as easy as a click of a button once configured.
Alternatively, you can set up a client to site VPN to your EC2 environment which would also provide access to the private subnet.
I would caution anything you do which proxies or exposes the DB cluster to the outside world in a naked way such as using IP tables, Nginx, etc. should be avoided. If your goal is this, then the correct solution is to just make the DB instance publicly exposed. But be aware any of these solutions which do not make use of tunneling in (such as VPN or SSH Tunnel) would be an auditory finding, and open your database to various attack vectors. To mitigate it would be recommended that your security groups should restrict port 3306 to the public IP's of your corporate network.
I am trying to set up a bastion host in AWS in order to perform administrative options on an RDS instance in a private subnet. I am following the instructions from the official documentation (https://docs.aws.amazon.com/quickstart/latest/linux-bastion/step1.html), but there it is not clear how the bastion will know which RDS instance to connect to. How would I make sure that it can 'talk to' my intended RDS? (as far as I understand, the key pair is just something I can create anytime and enter to connect to the bastion itself, but not the RDS, or am I wrong?)
The documentation you linked uses an AWS CloudFormation stack to deploy the Bastion. I'm not sure exactly what configuration it is using, so my answer will be generic, rather than applying to this specific situation.
The normal configuration is:
A database in a private subnet
A Bastion server (EC2 instance) in a public subnet
A connection is made to the Bastion, which then allows an on-connection to the database
There are a number of ways of connecting to the database through the Bastion. Here's one that I use:
ssh -i key.pem ec2-user#BASTION-IP -L 3306:DATABASE-DNS-NAME:3306
This tells the SSH connection to forward any traffic sent to my local port 3306 (the first number), through the SSH connection, but then send it to DATABASE-DNS-NAME:3306 (the database server). Any response from the database will come back the same way.
Then, when I wish to refer to the database from my computer, I reference:
localhost:3306
It appears that the database is on my own computer, but the traffic is actually sent across SSH to the Bastion, then onto the database.
There are newer and better ways of doing this forwarding that other people might (hopefully) add as a comment or another answer, but this is the way I make my connections through a Bastion.
Fun fact: A Bastion is the bit of a castle wall that sticks out, allowing defenders to shoot arrows at attackers attempting to climb the wall. In a similar way, the Bastion Server sticks out into the Internet, beyond the protected part of the network.
I have a EC2 machine in public Subnet, In Security group I have only opened 22 port for my public static IP. How safe is it?
As per your comment
if i keep open security group for certain IPs, I am quite unsure
whether it is safe or not because there are multiple Hops b/w that IPs
and AWS IPs(packet data travels through it). am i correct ? and that
application can be accessible from that Hops?
It is absolutely safe to use the ssh port unless there is a vulnerability found in the future in the ssh protocol itself.
Firstly, you are restricting the access only from a static IP so no one else should be able to initiate the ssh session from any other machine.
Secondly, if you have protected your ssh private key and it is not shared then anyone else from the same static IP wouldn't be able to start an ssh connection.
Thirdly, ssh connection creates a secure encrypted data pipe between the client and servers, so even if someone tries to sniff the packets as it passes through different hops, it is hard to make any sense as all the data is encrypted.
Considering all of the above, in my opinion it is quite safe.
I have a few EC2 instances.
Only one instance is accessible (ssh port 22) from the Internet.
I want to connect to the others EC2 instances in ssh through the first one.
The public key is set on all EC2 instance.
I enable the forward agent (.ssh/config) for my first instance:
Host my-first-instance
ForwardAgent yes
I thought it was enough but when I connect to the first instance and try to connect to another one (ssh my-second-instance-private-IP), I have a "permission denied". They both use the same user.
I use the same ssh key to access Github from the first instance and it works (so the ForwardAgent works as well).
I don't want to use a VPC feature.
Any idea ?
Thanks in advance.
Jeremy
I had done similar thing earlier by changing the ip-tables of the public instance so that I can connect to different private instances by connecting on different ports. Here is the link to blog that I wrote to explain the same. Hope it helps
http://cloudpages.wordpress.com/2013/08/05/ssh-to-an-instance-in-private-subnet/
Bests,
Himanshu
You are getting permission denied probably because you may not have pub keys of your jump server in your ec2 server's authorized_keys. please do the following -
ssh to the 1st ec2 instance.
generate public and private key pair using keygen.
put the content of the public key (default is .ssh/id_rsa.pub (in case you are
using rsa)) in other ec2 instance's .ssh/authorized_keys.
Now check again.