> On 2 Jul 2018, at 11:42, Jeroen Massar <jer...@massar.ch> wrote:
> If you have to run a jumpbox style host: For SSH, it is also heavily
> suggested to disable any form of password-auth, that way, only public
> key authentication is accepted and guess what the scanner scripts do not
> support as they do not have a key which thus makes guessing impossible...

+1 for "jumphosts" as an alternative to VPNs.

I can highly recommend Teleport - https://gravitational.com/teleport/ - as a 
potential jumphost.  It is an SSH CA with 2FA out of the box, and if you need 
it the enterprise (paid for) version will integrate with various authentication 
endpoints (SAML, etc).  There are other features which are very suitable to 
out-of-band management (e.g. run Teleport as a node on a Raspberry Pi behind 
NAT on an OOB connection from a third party; it will connect out to your 
Teleport jumphost, allowing you to "get behind the NAT").

Disclosure: I gave a ~10 minute "lightning talk" at UKNOF about Teleport, but I 
am not getting paid by them ;)

Slides: http://faelix.link/uknof40
Video: 
https://www.youtube.com/watch?v=l-fYg0B7c00&index=9&list=PLjzK5ZtLlc91p159dFRC7EpEvWuCWSOPw&t=0s

fail2ban on a jumphost is an excellent idea - lock your bastion down as much as 
you can.

Marek Isalski
Technical Director, Faelix Limited, https://faelix.net/
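The thread's advice is to make the bastion public-key only so that password-guessing scanners have nothing to guess at. As an added example (not code from the post, from Teleport or from any named project), the POSIX shell audit below reads an sshd_config the way sshd does for its global section (first occurrence of a keyword wins, keywords are case-insensitive, an absent keyword means the compiled-in default) and fails if password or keyboard-interactive authentication is still reachable, if public-key authentication is off, or if root may log in with a password. The two sample configs are constructed for the example and written to temporary files; anything under a `Match` block is deliberately out of scope, so review those by hand.

```shell
#!/bin/sh
# Added example: audit an sshd_config for settings that let password-guessing
# scanners in on a jumphost. Not from the post or from Teleport. Only the
# global section is inspected; directives inside a Match block are not checked.
# The two configs below are constructed sample inputs.

# effective_value FILE KEYWORD DEFAULT
# Prints the lower-cased value of the first global occurrence of KEYWORD in
# FILE (the "Keyword value" form), or DEFAULT when the keyword is absent.
effective_value() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _val=$(awk -v key="$_key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        tolower($1) == "match"   { exit }                 # stop at the first Match block
        tolower($1) == key       { print tolower($2); exit }   # first occurrence wins
    ' "$1")
    printf '%s\n' "${_val:-$3}"
}

# audit_sshd_config FILE
# Returns 0 when the global section is key-only, 1 with one FAIL line per finding.
audit_sshd_config() {
    _cfg=$1; _bad=0

    # Default is yes, so a commented-out "#PasswordAuthentication no" still allows passwords.
    if [ "$(effective_value "$_cfg" PasswordAuthentication yes)" != no ]; then
        echo "FAIL: PasswordAuthentication is not 'no' (compiled-in default is yes)"; _bad=1
    fi

    # Keyboard-interactive normally lands at PAM's password prompt, so it is a
    # second password path. KbdInteractiveAuthentication (OpenSSH >= 8.7) and its
    # older alias ChallengeResponseAuthentication both default to yes.
    _kbd=$(effective_value "$_cfg" KbdInteractiveAuthentication "")
    [ -n "$_kbd" ] || _kbd=$(effective_value "$_cfg" ChallengeResponseAuthentication yes)
    if [ "$_kbd" != no ]; then
        echo "FAIL: keyboard-interactive authentication is not 'no'"; _bad=1
    fi

    if [ "$(effective_value "$_cfg" PubkeyAuthentication yes)" != yes ]; then
        echo "FAIL: PubkeyAuthentication is disabled"; _bad=1
    fi

    # 'prohibit-password' (the default) and 'no' are fine; 'yes' exposes root to guessing.
    if [ "$(effective_value "$_cfg" PermitRootLogin prohibit-password)" = yes ]; then
        echo "FAIL: PermitRootLogin yes"; _bad=1
    fi

    return $_bad
}

# Constructed sample 1: a distro-style default that scanners love.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# constructed sample, not a real host
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin yes
EOF

# Constructed sample 2: a public-key-only jumphost.
HARD_CFG=$(mktemp)
cat >"$HARD_CFG" <<'EOF'
# constructed sample, not a real host
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
Match Address 10.0.0.0/8
    X11Forwarding no
EOF

# Stand-alone demo; pass a path to audit a real file instead.
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
else
    audit_sshd_config "$WEAK_CFG" || echo "weak sample: rejected"
    audit_sshd_config "$HARD_CFG" && echo "hardened sample: accepted"
fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config` on the bastion after every change, and remember that a later `Match` block can re-enable `PasswordAuthentication` for a user or address range; `sshd -T -C user=x,host=h,addr=a` prints the effective settings for that case.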



_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog