Protect computer network with Bastion host (fortress server) in just 3 steps

Do you have computers on your local network that need to be accessed from outside? Using a bastion host - bastion host - as a "gatekeeper" - the gatekeeper for your network can be a good solution.

What is Bastion host ?

Bastion literally translates as an enhanced place. Regarding computer terminology, it is a machine on the network that can be the gatekeeper for incoming and outgoing connections.

Wikipedia definition: Fortress host is a special purpose computer on the network, designed and configured separately to withstand attacks. Fortress servers usually only store a single application, such as a proxy server, other services will be deleted or limited to minimize the threat to the computer. The reason, bastion hosts are set up so hard is because of their special location and purpose, often located outside the firewall or in the DMZ area (a neutral network area between the internal network and the Internet) and often relating to access from unreliable networks or computers.

You can set bastion host as the only machine to accept connection from the Internet. Then, in turn, set up all other machines on the network to receive only connections from this bastion host.

The benefit of this setup is security. Bastion host can be very secure. It will be the first security defense against any intruder and make sure the remaining computers are protected. In addition, it also makes network setup easier. Instead of forwarding ports on the router, you just need to forward a port to the bation host, from there, you can branch to other machines that need to access the private network. Details of the issue will be covered in the next section.

Network setup diagram

This is an example of a typical network setup. If you need to access the home network from outside, you can do it via the Internet. The router will forward that connection to bastion host. After connecting to bastion host, you can access any other computer on the network. Likewise, there will be no direct access to the Internet from computers other than bastion hosts.

1. Dynamic Domain Name System ( Dynamic DNS )

Many people are wondering how to access the router at home via the Internet. Most Internet service providers (ISPs) give users a temporary IP address that changes frequently. Internet service providers often charge extra if they want a static IP address. The good news is that today's routers often have dynamic domain names in their settings.

The domain name system dynamically updates the server name with a new IP address at a certain time, ensuring users can always access their home network. There are many providers with such services as Noip.com, there is even a free tier. Free tier note will require confirmation of the server name every 30 days.

After logging in, just create a server name, this server name must be unique. If you own a Netgear router, they provide a free dynamic DNS service and will not require monthly confirmation.

Now log into your router and search for dynamic DNS settings. Different routers will have different settings, see the router's user guide for how to set up. Usually you will need to enter the information in the following four settings:

1. Supplier
2. Domain name (host name just created)
3. Username (email address used to create dynamic DNS)
4. password

If the router does not have a dynamic DNS setting, No-IP provides software that can be installed on the computer. Note that the computer must always be online to update dynamic DNS.

2. Forward or redirect the port

Current routers need to know where to forward incoming connections, based on the number of ports on the incoming connection. Users should not use the default SSH port of 22 because hackers have tools that can check common ports and can easily access your home network. Once they realize that the router is accepting connections on a default port, they will start sending connection requests with a common username and password.

Although selecting random ports does not prevent this problem completely, it can reduce the number of requests to the router. If your router can only forward the same port, set up bastion host using SSH key authentication but not user name and password.

Install the router as shown below:

1. The service name may be SSH
2. Protocol (should set to TCP)
3. Public port (should be a high port, not 22, use 52739)
4. Private IP address (IP of bastion host)
5. Private port (default SSH port is 22)

Bastion

The only thing bastion needs is SSH. If the installation has not selected SSH, just type:

Once you've installed SSH, make sure to set up the SSH server to authenticate with the key instead of the password, the IP address of the bastion host is the same as the IP address set in the forwarding rule above.

You can do a quick experiment to make sure everything works well. To simulate outside the home network, you can use smart devices to use mobile data hotspots. Open a terminal window and enter, replace with the username of an account on bastion host and set the address in the above step:

If everything is set correctly, you will see the terminal window of bastion host.

3. Create tunnel

You create tunnel via SSH. For example, if you want to access the SMB share on the home network from the Internet, connect to the bastion host and open a tunnel to share the SMB by running the following command:

For example, the above command will become

ssh - L 15445: 10.1.2.250: 445 -p 52739 yusuf@makeuseof.ddns.net

The above command connects to the account on your server via the SSH port outside the router 52739. Any traffic sent to port 15445 (an arbitrary port) will be sent through the tunnel, then forwarded to the server. IP address 10.1.2.250 and SMB port 445.

You also anonymize the entire command by typing:

alias sss = 'ssh - L 15445: 10.1.2.250: 445 -p 52739 yusuf@makeuseof.ddns.net'

Once connected, you can access the SMB share with the address:

This means that you will be able to browse the local share from the Internet as if you were on an intranet.

I wish you all success!

See more:

1. Instructions for use and security of Wifi network
2. Network security and the need to know
3. Instructions on how to protect WiFi network from KRACK