Creating a Bastion Host

Definition – What does Bastion Host mean?

A bastion host is a specialized computer that is deliberately exposed on a public network. From a secured network perspective, it is the only node exposed to the outside world and is therefore very prone to attack. It is placed outside the firewall in single firewall systems or, if a system has two firewalls, it is often placed between the two firewalls or on the public side of a demilitarized zone (DMZ).

The bastion host processes and filters all incoming traffic and prevents malicious traffic from entering the network, acting much like a gateway. The most common examples of bastion hosts are mail, domain name system, Web and File Transfer Protocol (FTP) servers. Firewalls and routers can also become bastion hosts.

Now that we’ve gotten past what a Bastion host is, I am going to go through setting up a really basic Bastion host.
Before proceeding, you will need to have the following up and running already:
* An instance that you will use as a Bastion host.
* A node/instance that you will connect to through your Bastion host.
* The security group for the target instance should have a security group rule allowing port 22, which can be tightened down after the exercise.
* And of course, you should have the keypairs saved for both of these instances.
Now let's get creating and making!!!!!

The steps are as follows :

  • ssh into the bastion host:

– I used PuTTY to connect to my Bastion instance.

  • create a file named after the keypair name, ending in .pem.
  • Under /home/ubuntu run the following command to create the file:

touch keypairname.pem

  • copy the contents of the .pem file into the file you just created (use the text editor vi)

-This step could be confusing but here’s what you will need to do:

Let's first get to what a keypair is, for those who don't know, and there are quite a few out there. When you created your instance, you were given the option to create a keypair and then download it for the instance. Think of it as an actual key for your house, where the instance represents your house. Without a key, you can't gain access to your house; the same applies to your instance. Without the keypair, you can't gain access to your instance.

Okay, back to BASTION. What you will need to do is copy the actual contents of the .pem file, which should look like the following:

(screenshot: contents of the .pem file, mostly redacted)

I've blacked out most of the contents of my .pem file because, as you know, this information is quite sensitive.

Now on the terminal, run the following command and hit enter:

vi yourkeypair.pem

What is vi? Well, vi is a Linux text editor that allows you to add text to a newly created file, which is what we are doing, or edit text in existing files on your machine. For this exercise, there are five keys on your keyboard that we will be using. They are the following:

  • ESC – takes us out of insert mode
  • : – used before typing a command
  • w – write (writes the changes just made, that is, adding the contents from the .pem)
  • q – quit (which takes us out of vi)

Well, it's actually four, I counted enter as one, but nobody cares, right? Okay, let's move on.

So after hitting enter for the command (vi yourkeypair.pem), you will be presented with the following blank screen:

(screenshot: empty vi screen)

Next, you will press “i” on the keyboard which takes you to insert mode.

Now you will paste the contents from the .pem file. It should look like this:

(screenshot: the pasted .pem contents in vi)

Now we will have to confirm the changes and then exit the vi text editor. So the sequence you will follow, after pasting the contents from the .pem, is:

ESC, then shift and : (colon), then wq, and hit enter.

I’ve added an example below of what it should look like :

(screenshot: :wq entered at the bottom of the vi screen)

After hitting enter, you're taken back to the directory you were in.

  • So now you have created a .pem file named after your keypair and added the contents of the .pem file to it using the vi text editor.
  • Now we will need to change the permissions on the .pem file you created to 400, which makes it a read-only file (readable by its owner only):

chmod 400 keypairname.pem

  • Hit enter and run the command ls -l to confirm that the permissions on the .pem file are read-only:

ls -l keypairname.pem

Now we will need to ssh into our instance through the bastion host we just created using the following command:

(screenshot: the ssh command and its output)
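The whole procedure above (create the .pem on the bastion, lock its permissions, confirm them, hop to the target) as one script. This is an added example, not the post's own commands. It assumes a key pair named keypairname, a target private IP of 10.0.0.245 and an Ubuntu login user ubuntu, all placeholders taken from the post's prompts; the key body is constructed and is not real key material. It also closes a gap the touch-then-chmod sequence leaves: between `touch` (mode 644) and `chmod 400` the key is readable by every user on the bastion, so the file is created under a 077 umask instead.

```shell
#!/bin/sh
# Added example, not from the original post. Creates the .pem on the bastion
# with private permissions from the start, verifies the mode that the post's
# `ls -l` step is meant to confirm, and builds the ssh hop command.

# Write the key from stdin into key_path. A 077 umask means the file is never
# world-readable, unlike `touch` (mode 644) followed later by `chmod 400`.
# Reading from stdin keeps the key out of the command line and shell history.
create_key_file() {
    key_path="$1"
    ( umask 077; cat > "$key_path" ) || return 1
    chmod 400 "$key_path"
}

# Succeed only when the file exists, is mode 400 and is owned by the caller.
# `stat -c` is GNU coreutils; the `stat -f` fallback covers BSD/macOS.
key_file_is_private() {
    key_path="$1"
    [ -f "$key_path" ] || return 1
    mode=$(stat -c '%a' "$key_path" 2>/dev/null || stat -f '%Lp' "$key_path" 2>/dev/null)
    [ "$mode" = "400" ] || return 1
    [ -O "$key_path" ]
}

# Print the hop command (not executed here): ssh from the bastion to the
# target instance using the key file just created.
ssh_hop_command() {
    printf 'ssh -i %s %s@%s\n' "$1" "$2" "$3"
}

# Demo run with a constructed placeholder key (not real key material).
# Assumptions: key pair "keypairname", target private IP 10.0.0.245, user "ubuntu".
demo() {
    work_dir=$(mktemp -d)
    key_file="$work_dir/keypairname.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'PLACEHOLDER_KEY_MATERIAL_NOT_A_REAL_KEY' \
        '-----END RSA PRIVATE KEY-----' | create_key_file "$key_file"
    if key_file_is_private "$key_file"; then
        echo "permissions ok: $(ls -l "$key_file")"
    else
        echo "permissions wrong on $key_file" >&2
        return 1
    fi
    ssh_hop_command "$key_file" ubuntu 10.0.0.245
}

demo
```

In real use, feed the key into `create_key_file` from a here-document or a file rather than typing it on the command line. Copying the private key onto the bastion at all is the part the post's closing sentence calls "not really secure": with OpenSSH's ProxyJump (`ssh -J bastion target`, or a `ProxyJump` line in `~/.ssh/config`) the key stays on your workstation and the bastion only relays the connection.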

And there you go, you just created a bastion host and managed to SSH into one of your other machines, making access to the machine more secure. Well, not really secure, but I'll leave that for you to do.