Bastion Host Setup

on April 27, 2015, 8:35 p.m.

This setup is assuming you have a default minimal server install of Centos 7. First, update the system:
yum -y update
Next, install epel repo:
yum install -y epel-release
Next, install fail2ban to stop the script kiddies:
yum install -y fail2ban
Next, install the tools to configure selinux:
yum install policycoreutils-python
Next, we need to setup the selinux policies to allow fail2ban to write syslogs:
vi fail2ban-syslog.te


module fail2ban-syslog 1.0;
require {
type syslogd_var_run_t;
type fail2ban_t;
class dir read;
class file read;
class file open;
class file getattr;
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;
allow fail2ban_t syslogd_var_run_t:file read;
allow fail2ban_t syslogd_var_run_t:file open;
allow fail2ban_t syslogd_var_run_t:file getattr;


checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te
semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod
semodule -i fail2ban-syslog.pp

Next, setup the selinux policy to allow log rotating:
vi fail2ban-logrotate.te


module logrotate-fail2ban 1.7;
require {
type fail2ban_client_exec_t;
type logrotate_t;
type init_var_lib_t;
class file { open read execute getattr write create execute_no_trans setattr unlink ioctl rename};
}

#============= logrotate_t ==============
allow logrotate_t fail2ban_client_exec_t:file execute_no_trans;
allow logrotate_t fail2ban_client_exec_t:file { open read execute ioctl };
allow logrotate_t init_var_lib_t:file { open read getattr write create unlink setattr rename };


checkmodule -M -m -o fail2ban-logrotate.mod fail2ban-logrotate.te
semodule_package -o fail2ban-logrotate.pp -m fail2ban-logrotate.mod
semodule -i fail2ban-logrotate.pp

Next, setup fail2ban configuration:
vi /etc/fail2ban/jail.d/sshd.local


[sshd]
enabled = true
#action = firewallcmd-ipset
bantime = 86400

Next, enable fail2ban on startup and start the service:
systemctl enable fail2ban
systemctl start fail2ban

Next, let's harden the ssh server a bit. First, let's limit logins to ssh key authentication only:
vi /etc/ssh/sshd_config


...
PermitRootLogin without-password
...
PasswordAuthentication no
...

Most people still lockout direct login to root but honestly this is a mentality left over from telnet days.

Next, limit your Kex, Ciphers, and MACs. Ideally, you would want to do the following but this is only really going to work if you use linux and not a Macbook or Putty:


KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],aes256-gcm[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected]

But more than likely, this will work a little better for you:


KexAlgorithms diffie-hellman-group-exchange-sha256
MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected]
Ciphers aes256-ctr,aes192-ctr,aes128-ctr

After thought; maybe you mistakingly got yourself blocked. Here is how to remove a block. First issue this command to figure out the IP blocked:
fail2ban-client status sshd
fail2ban-client set sshd unbanip 192.168.1.100