Protect your computer network with a bastion host (fortress server) in just 3 steps
Do you have computers on your local network that need to be reached from outside? Using a bastion host as the "gatekeeper" for your network can be a good solution.
What is a bastion host?
Bastion literally means a fortified place. In computer terminology, it is a machine on the network that acts as the gatekeeper for incoming and outgoing connections.
Wikipedia's definition: a bastion host is a special-purpose computer on a network, specifically designed and configured to withstand attacks. A bastion host usually hosts a single application, such as a proxy server; other services are removed or limited to reduce the threat to the computer. Bastion hosts are hardened so heavily because of their special location and purpose: they are often placed outside the firewall or in the DMZ (a neutral network zone between the internal network and the Internet) and typically handle access from untrusted networks or computers.
You can set up the bastion host as the only machine that accepts connections from the Internet, and then set up every other machine on the network to accept connections only from the bastion host.
The benefit of this setup is security. A bastion host can be very well secured. It is the first line of defense against any intruder and ensures the remaining computers are protected. It also makes network setup easier: instead of forwarding many ports on the router, you forward a single port to the bastion host, and from there you can branch out to the other machines on the private network that you need to reach. The details are covered in the next section.
Network setup diagram
This is an example of a typical network setup. If you need to reach your home network from outside, you connect over the Internet, and the router forwards that connection to the bastion host. After connecting to the bastion host, you can reach any other computer on the network. Likewise, no computer other than the bastion host is reachable directly from the Internet.
1. Dynamic Domain Name System (Dynamic DNS)
Many people wonder how to reach their home router over the Internet. Most Internet service providers (ISPs) give users a temporary IP address that changes frequently, and often charge extra for a static IP address. The good news is that today's routers usually support dynamic DNS in their settings.
A dynamic DNS service updates a host name with your new IP address whenever it changes, so you can always reach your home network. Many providers offer such a service, for example No-IP (noip.com), which even has a free tier. Note that the free tier requires you to confirm the host name every 30 days.
After logging in, just create a host name; it must be unique. If you own a Netgear router, Netgear provides a free dynamic DNS service that does not require monthly confirmation.
Now log into your router and look for the dynamic DNS settings. Different routers present these differently; see the router's user guide for how to set it up. Usually you will need to enter the following four settings:
- Provider
- Host name (the one you just created)
- Username (the email address used to create the dynamic DNS account)
- Password
If the router has no dynamic DNS setting, No-IP provides software that can be installed on a computer instead. Note that this computer must always be online to keep the dynamic DNS record updated.
2. Port forwarding
The router needs to know where to forward incoming connections, based on the port number of the incoming connection. Do not use the default SSH port 22: attackers have tools that scan common ports and can easily find your home network. Once they notice that the router accepts connections on a default port, they start sending login attempts with common usernames and passwords.
Although choosing a random port does not prevent this problem completely, it reduces the number of requests reaching the router. If your router can only forward to the same port number, set up the bastion host to use SSH key authentication rather than a username and password.
Configure the router as shown below:
- Service name (for example, SSH)
- Protocol (set to TCP)
- Public port (a high port rather than 22; this example uses 52739)
- Private IP address (the IP of the bastion host)
- Private port (the default SSH port, 22)
Bastion host
The only thing the bastion host needs is SSH. If SSH was not selected during installation, install it with:
sudo apt install openssh-client
sudo apt install openssh-server
Once SSH is installed, configure the SSH server to authenticate with keys instead of passwords, and make sure the bastion host's IP address matches the one in the forwarding rule above.
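How to switch the bastion's SSH server to key-only logins, as an added example that is not part of the original article: a drop-in sshd_config fragment, a guard that refuses to disable passwords until a key is installed, and a check of the effective setting. It assumes Debian/Ubuntu with OpenSSH 8.2 or newer (which reads /etc/ssh/sshd_config.d/*.conf) and uses the article's user name yusuf as the only permitted account.

```shell
# Added example, not from the original article. Assumes Debian/Ubuntu with
# OpenSSH 8.2+ (reads /etc/ssh/sshd_config.d/*.conf) and the article's user
# name "yusuf" as the only account allowed to log in.

# The hardened settings, printed as an sshd_config fragment.
bastion_sshd_fragment() {
    cat <<'EOF'
# Bastion host: public keys only, no passwords, no root, one allowed user.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
AllowUsers yusuf
MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
AllowTcpForwarding yes
EOF
}

# True if FILE (an authorized_keys file) holds at least one public key, so a
# key login will still work after passwords are switched off. Lines may start
# with options such as from="...", so the key type is not anchored to ^.
has_authorized_key() {
    grep -Eq '(^|[[:space:]])(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-)' "$1" 2>/dev/null
}

# True when password logins are disabled in FILE, which may be an sshd_config
# file or "-" for the output of "sshd -T" on stdin. sshd uses the FIRST value
# it sees for a keyword, so the first uncommented match decides.
passwords_disabled() {
    val=$(grep -i '^[[:space:]]*passwordauthentication[[:space:]]' "$1" | head -n 1 | awk '{print tolower($2)}')
    [ "$val" = "no" ]
}

# Install the fragment: refuse without a key (lockout guard), syntax-check,
# reload sshd, then confirm the effective configuration has no passwords.
install_bastion_sshd_fragment() {
    has_authorized_key "$HOME/.ssh/authorized_keys" || {
        echo "no key in ~/.ssh/authorized_keys; run ssh-copy-id first" >&2; return 1; }
    bastion_sshd_fragment | sudo tee /etc/ssh/sshd_config.d/50-bastion.conf >/dev/null
    sudo sshd -t || return 1
    sudo systemctl reload ssh
    sudo sshd -T | passwords_disabled -
}
```

Copy your public key to the bastion with ssh-copy-id from a second session first, and keep that session open until install_bastion_sshd_fragment reports success.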
You can run a quick test to make sure everything works. To simulate being outside the home network, connect a device through a smartphone's mobile data hotspot. Open a terminal window and enter the following, replacing <username> with an account on the bastion host and <hostname> with the dynamic DNS address from step 1:
ssh -p 52739 <username>@<hostname>
If everything is set up correctly, you will see a terminal prompt on the bastion host.
3. Create a tunnel
You create the tunnel with SSH. For example, to reach an SMB share on the home network from the Internet, connect to the bastion host and open a tunnel to the SMB server by running the following command, replacing <private IP> with the SMB server's internal address:
ssh -L 15445:<private IP>:445 -p 52739 <username>@<hostname>
For example, the above command becomes:
ssh -L 15445:10.1.2.250:445 -p 52739 yusuf@makeuseof.ddns.net
This command connects to the account yusuf on the bastion host via the router's external SSH port 52739. Any traffic sent to local port 15445 (an arbitrary choice) goes through the tunnel and is then forwarded by the bastion host to the server at IP address 10.1.2.250 on SMB port 445.
You can also shorten the whole command with an alias:
alias sss='ssh -L 15445:10.1.2.250:445 -p 52739 yusuf@makeuseof.ddns.net'
Once connected, you can reach the SMB share at the address:
smb://localhost:15445
This means you can browse the local share from the Internet as if you were on the intranet.
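The tunnel and alias above can also be expressed as a client-side SSH configuration, shown here as an added example that is not from the original article: a named host for the bastion with the same LocalForward as the -L command, and an internal machine reached through it with ProxyJump so it is never exposed directly. It assumes the article's values (port 52739, makeuseof.ddns.net, user yusuf, SMB server 10.1.2.250); the key path ~/.ssh/id_ed25519, the host label fileserver and the config_value helper are assumptions.

```shell
# Added example, not from the original article. Uses the article's values
# (port 52739, makeuseof.ddns.net, user yusuf, SMB server 10.1.2.250); the
# key path, the host label "fileserver" and config_value are assumptions.

# The client configuration that replaces the long -L command and the alias.
client_ssh_config() {
    cat <<'EOF'
# The bastion host, reached through the router's forwarded port.
Host bastion
    HostName makeuseof.ddns.net
    Port 52739
    User yusuf
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    # Same tunnel as "-L 15445:10.1.2.250:445": local 15445 -> SMB server.
    LocalForward 15445 10.1.2.250:445

# Internal machines are reached through the bastion, never directly.
Host fileserver
    HostName 10.1.2.250
    User yusuf
    ProxyJump bastion
EOF
}

# Write the config only when none exists, so an existing file is not clobbered.
install_client_ssh_config() {
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    if [ -e "$HOME/.ssh/config" ]; then
        echo "~/.ssh/config already exists; append the block by hand" >&2
        return 1
    fi
    client_ssh_config > "$HOME/.ssh/config" && chmod 600 "$HOME/.ssh/config"
}

# First value of KEYWORD inside the "Host NAME" stanza of FILE (a quick check
# of what you wrote; "ssh -G bastion" shows what ssh will actually use).
# Usage: config_value FILE NAME KEYWORD
config_value() {
    awk -v host="$2" -v key="$3" '
        /^Host / { in_block = ($2 == host); next }
        in_block && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# After install_client_ssh_config: "ssh bastion" opens the tunnel (then browse
# smb://localhost:15445), and "ssh fileserver" lands on the internal machine.
```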
I wish you all success!