
How to Set Up a Bastion Host for Secure Server Access

By Admin · Mar 1, 2026 · Updated Apr 23, 2026

What Is a Bastion Host?

A bastion host (or jump box) is a hardened server that acts as the single entry point to your private network. Instead of exposing SSH on every Breeze, administrators connect to the bastion first, then hop to internal servers. This shrinks the attack surface to one hardened host that accepts SSH from outside.

Step 1: Deploy the Bastion

Provision a minimal Breeze with only SSH access. Disable all unnecessary services and allow nothing inbound except SSH:

# Install the SSH server and stop any web servers that have no place on a jump host
sudo apt update && sudo apt install -y openssh-server
sudo systemctl disable --now apache2 nginx 2>/dev/null
# Default-deny inbound, then allow only SSH (ufw enable asks for confirmation when run over SSH)
sudo ufw default deny incoming
sudo ufw allow 22/tcp
sudo ufw enable

Step 2: Harden SSH on the Bastion

Edit /etc/ssh/sshd_config and set the following directives. sshd keeps the first value it reads for each keyword, so remove or comment out any earlier line that sets the same keyword:

# Never allow root to log in directly
PermitRootLogin no
# Keys only, so password guessing is impossible
PasswordAuthentication no
# Drop the connection after three failed authentication attempts
MaxAuthTries 3
# Probe idle clients every 300 seconds and disconnect after two unanswered probes
ClientAliveInterval 300
ClientAliveCountMax 2
# Only this account may log in to the bastion
AllowUsers jumpuser

Then restart sshd so the new settings take effect:

sudo systemctl restart sshd
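To confirm that the Step 2 settings are really in force, here is an added audit script (not part of this article or of Breeze) that checks a sshd_config file for the six directives above. It assumes a POSIX shell with awk, grep and mktemp, audits a single file, and embeds a constructed sample config; because sshd honours the first value it reads for a keyword, the audit reads the first occurrence, which is what catches a stale PasswordAuthentication yes left above the new no.

```shell
#!/bin/sh
# Audit a sshd_config file for the hardening directives from Step 2.
# sshd uses the FIRST value it reads for a keyword (keywords are case-insensitive), so a
# later "PasswordAuthentication no" does not override an earlier "yes".
# Scope: one file, global section only (Include'd files and Match blocks are not followed).

# Print the effective (first) value of keyword $2 in config file $1.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == "match"   { exit }      # stop at the first Match block
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "")   # keep only the value
            print; exit
        }' "$1"
}

# Check each required directive; print one line per check, return the number of failures.
audit_sshd_config() {
    file=$1; fails=0
    if grep -qi '^[[:space:]]*include[[:space:]]' "$file"; then
        echo "WARN Include present: an included file may set a value first (confirm with sshd -T)"
    fi
    for pair in PermitRootLogin=no PasswordAuthentication=no MaxAuthTries=3 \
                ClientAliveInterval=300 ClientAliveCountMax=2 AllowUsers=jumpuser; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$file" "$key")
        if [ -z "$got" ]; then
            echo "FAIL $key not set (sshd default applies)"; fails=$((fails + 1))
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key is '$got', want '$want'"; fails=$((fails + 1))
        else
            echo "ok   $key $got"
        fi
    done
    return "$fails"
}

# Constructed sample config: the Step 2 settings, with a stale "yes" left above the new "no".
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers jumpuser
EOF
audit_sshd_config "$SAMPLE_CONFIG" || echo "$? directive(s) need attention"
```

On the bastion itself, sudo sshd -T prints the fully resolved configuration (Include files and defaults included) and is the authoritative check.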

Step 3: Configure SSH ProxyJump

On your local machine, edit ~/.ssh/config so that connections to internal hosts are routed through the bastion:

# The bastion is the only host reached over its public address
Host bastion
    HostName 203.0.113.10
    User jumpuser
    IdentityFile ~/.ssh/bastion_key

# Internal hosts are reached by first opening a connection to the bastion
Host internal-web
    HostName 10.0.1.5
    User deploy
    ProxyJump bastion
    IdentityFile ~/.ssh/internal_key

A single command now opens the session through the bastion. Authentication to internal-web is end to end, so the internal private key stays on your machine and is never copied to the bastion:

ssh internal-web

Step 4: Lock Down Internal Servers

Configure firewalls on internal Breezes to accept SSH only from the bastion's address on the private network (10.0.0.2 in this example). ufw evaluates rules in order, so add the allow rule before the deny:

# Accept SSH from the bastion only, then block it from every other source
sudo ufw allow from 10.0.0.2 to any port 22
sudo ufw deny 22

Security Tips

  • Enable two-factor authentication on the bastion
  • Log all sessions with auditd or session recording tools
  • Rotate SSH keys regularly and revoke access for departed team members
