by aborsy 1583 days ago
The same question applies to the Oracle VPS: how do you allow only a few IPs?

A compromise of the Oracle VPS followed by an attack on the AWS VPS is the same as attacking the AWS VPS from the internet. If the Oracle VPS is not compromised, neither will the AWS one be.

I don't see the point in this case.

The advantage is that you only need to harden one instance. The others are safe as they're basically in an "internal" network (firewall blocks all other IPs). With that bastion host, you'd do anything to make it as secure as possible (fail2ban or the like, authkey, block countries you won't access from, etc). For small projects, it's also reasonable to check logs from one host, but not to do so for 10 hosts.

Sorry, I am missing your point. That makes sense if the first VPS is serving multiple SSH servers, so you harden one instance. In this case, the person has only one instance. Instead of hardening the Oracle VPS, they could harden the AWS instance.

A bastion makes sense if it's locked down more than the destination. This doesn't apply if there is only one destination and one public service (SSH).

I suggest using AWS AMS or putting it behind a VPN.

If his AWS instance is running internet-facing applications and services, then it makes sense to have the AWS firewall lock down port 22 to a single IP or two (e.g. your bastions), and also have that AWS firewall only allow access to those specific internet-facing ports for any relevant applications. Yes, you can and should also harden at the OS level. But it's smart to utilize AWS' security as well, as much as possible, on any instance that you need to be in production and available. You want to limit its exposure in any way you can.

So back to the bastion. You have the bastion open to all IPs for port 22 because you want to be able to connect to it from anywhere. Yes you also of course lock it down and use best practice sshd config measures. But you only have ssh running and you use keys with passphrase for your outbound ssh connections for increased security. You keep it updated.

Your bastion will not be as locked down as your AWS instance though because it won’t have that AWS security in front of it, but you’re not concerned that much about your bastion, because it only has ssh listening, and you’ve disabled root ssh and password login, you keep it regularly updated, and the only thing you ever do with it is ssh to it and then ssh again to your important endpoints using a key WITH a passphrase.

Your AWS instance is your primary concern and is the important thing that you care about the most here. So you put the most protection in front of that in front of key services. Like OP said, ssh to the AWS instance sort of becomes “internal” so to speak, as you can only come in from the bastion with a key and passphrase.
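The two controls the comment above relies on, a bastion sshd with root and password login disabled and an AWS security group that admits port 22 only from the bastion's address, can be checked mechanically. The following audit script is an added example, not code from the thread; it assumes sshd_config text and a security-group dict in the shape returned by `aws ec2 describe-security-groups` (both samples below are constructed).

```python
import ipaddress
import re

# Settings the comment calls out for the bastion: no root SSH, no password login.
REQUIRED_SSHD = {"permitrootlogin": "no", "passwordauthentication": "no"}


def sshd_findings(config_text):
    """Return findings for sshd_config text; an empty list means it passes."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # everything below a Match block is conditional; not audited here
        seen.setdefault(key, value)  # sshd keeps the FIRST value it sees for a keyword
    return [f"{k} is {seen.get(k) or 'unset (default)'}, expected {want}"
            for k, want in REQUIRED_SSHD.items() if seen.get(k) != want]


def ssh_ingress_findings(security_group):
    """Flag port-22 ingress rules that admit more than one source host."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):   # "-1" means all protocols
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= 22 <= hi:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).num_addresses > 1:
                findings.append(f"port 22 reachable from {cidr}, not a single bastion address")
    return findings


SAMPLE_SSHD = """# constructed sample sshd_config for the bastion
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes   # ignored: sshd already took the first value
"""
SAMPLE_SG = {  # constructed; GroupId and addresses are placeholders
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
```

Running both functions over the samples returns no findings; an SG rule such as `0.0.0.0/0` on port 22, or an sshd_config with `PasswordAuthentication yes`, is reported.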

Yes. Thank you for expanding my answer :)

Even better, no open port anywhere is actually needed.

I'm definitely not following you...