Guides · Engineering
SSH Bastion Setup Basics
Use a bastion for SSH access
This guide describes setting up an SSH bastion: restrict SSH to one entry point, use short-lived certificates or keys, enforce MFA, and log/alert on access attempts.
- ssh bastion
- jump host
- certificates
- mfa
- logging
Centralize entry
Allow SSH only via the bastion IP; block direct access to private hosts.
Use short-lived creds
Issue SSH certs or time-limited keys; avoid long-lived static keys.
Add MFA and logging
Require MFA at bastion login; log sessions and alert on anomalies.
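An added example (not part of the original guide) of the alerting step: it reads a private host's sshd log and flags accepted logins that bypass the bastion, use a static key instead of a certificate, or use a non-key method. The bastion address, the sample log lines, and the function name are assumptions made for illustration.

```python
import re

BASTION_IP = "10.0.0.10"  # assumption: the bastion's internal address

# Matches OpenSSH "Accepted <method> for <user> from <ip> port <n> ssh2[: <keytype> ...]"
ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+))?"
)

# Constructed sample lines from a private host's sshd log (not real data).
SAMPLE_LOG = """\
Jan 10 09:01:12 app1 sshd[811]: Accepted publickey for alice from 10.0.0.10 port 50122 ssh2: ED25519-CERT SHA256:AAAA ID alice (serial 7) CA ED25519 SHA256:BBBB
Jan 10 09:14:40 app1 sshd[902]: Accepted publickey for bob from 10.0.0.10 port 50388 ssh2: RSA SHA256:CCCC
Jan 10 09:20:03 app1 sshd[955]: Accepted publickey for carol from 203.0.113.7 port 41822 ssh2: ED25519-CERT SHA256:DDDD ID carol (serial 9) CA ED25519 SHA256:EEEE
Jan 10 09:31:55 app1 sshd[990]: Accepted password for dave from 10.0.0.10 port 50510 ssh2
Jan 10 09:40:00 app1 sshd[1001]: Failed password for root from 198.51.100.4 port 60000 ssh2
"""

def findings(log_text, bastion_ip=BASTION_IP):
    """Return (user, source_ip, reason) for each accepted login that breaks policy."""
    out = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are not handled here
        user, ip = m["user"], m["ip"]
        if ip != bastion_ip:
            out.append((user, ip, "login did not come through the bastion"))
        if m["method"] != "publickey":
            out.append((user, ip, f"{m['method']} auth accepted"))
        elif not (m["keytype"] or "").endswith("-CERT"):
            out.append((user, ip, "static key used instead of a certificate"))
    return out

if __name__ == "__main__":
    for user, ip, reason in findings(SAMPLE_LOG):
        print(f"ALERT user={user} src={ip}: {reason}")
```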
Harden the host
Patch regularly, limit sudo, and monitor config integrity.