On your ssh bastion make sure to at the very least:

- have minimal services running, preferably only ssh
- if you have other services running, then use iptables or a firewall frontend to block all incoming ports except for the ones you specifically need/want open
- disable root ssh login
- disable password login (e.g. use ssh keys, preferably with a passphrase too)
- you can also use something like fail2ban or denyhosts, but it's not really necessary if you've also done all the above
- yum or apt update it frequently
- for your ssh connection from the bastion to your AWS instance or any other important ssh destinations from the bastion, use a key with a passphrase for increased security (on the off chance your bastion gets compromised)
- don't do anything else too important on your ssh bastion, e.g. don't have any important stuff or work lying around on it or other services/applications running. Just use it as a jumphost only.
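As an added example (not code from the post or from any project it mentions), the script below audits an sshd_config against three of the points above (root login off, password login off, key login on) and prints the iptables rule set for a bastion that accepts nothing but ssh. The two sample config files, the temp-file paths and the function names are constructed for this example; the audit uses sshd's own first-match rule for repeated keywords, and treats a missing keyword as a failure so that a distro default is never silently accepted.

```shell
#!/bin/sh
# Added example for the bastion checklist above; not from the original thread.
# Sample configs and file paths below are constructed for this example.

# Print the effective value of one sshd_config keyword.
# sshd uses the FIRST uncommented match for a keyword, so we do the same.
# Prints nothing when the keyword is absent (which the audit treats as FAIL).
sshd_option() {
    # $1 = config file, $2 = keyword (matched case-insensitively, like sshd)
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# Return 0 when the file satisfies the checklist, 1 otherwise.
audit_sshd_config() {
    cfg="$1"
    rc=0
    [ "$(sshd_option "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "FAIL ($cfg): PermitRootLogin should be 'no'"; rc=1; }
    [ "$(sshd_option "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL ($cfg): PasswordAuthentication should be 'no'"; rc=1; }
    # Keys must stay usable once passwords are off, or you lock yourself out.
    [ "$(sshd_option "$cfg" PubkeyAuthentication)" = "yes" ] \
        || { echo "FAIL ($cfg): PubkeyAuthentication should be 'yes'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK ($cfg): passes the bastion sshd checks"
    return "$rc"
}

# Firewall for a bastion that runs only sshd: default-deny inbound, allow
# loopback, replies to established flows, and new connections to port 22.
# Printed rather than applied; review, then run as root on the bastion.
bastion_iptables_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Constructed sample 1: a typical distro default, not hardened.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# commented-out default: sshd falls back to its built-in behaviour
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Constructed sample 2: the fragment you would want on the bastion.
HARD_CFG=$(mktemp)
cat >"$HARD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF

# Run the audit against both samples, then show the firewall rules.
audit_sshd_config "$WEAK_CFG" || true
audit_sshd_config "$HARD_CFG"
echo "--- iptables rules for an ssh-only bastion ---"
bastion_iptables_rules
```

To audit a real host, call `audit_sshd_config /etc/ssh/sshd_config` (or, more accurately, feed it the output of `sshd -T`, which prints the fully resolved configuration including Match blocks and defaults).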
That way I would not need to keep the keys on the bastion server at all.