Add bastion host and file integrity checker idea

pull/7509/merge
Kamran Ahmed 19 hours ago
parent 902aa1c7a6
commit f629987064
  1. 2
      .astro/settings.json
  2. 81
      src/data/projects/bastion-host.md
  3. 56
      src/data/projects/file-integrity-checker.md

@ -3,6 +3,6 @@
"enabled": false "enabled": false
}, },
"_variables": { "_variables": {
"lastUpdateCheck": 1731065649795 "lastUpdateCheck": 1732419746256
} }
} }

@ -0,0 +1,81 @@
---
title: 'Bastion Host'
description: 'Setup a bastion host for managing access to private infrastructure.'
isNew: true
sort: 1601
difficulty: 'intermediate'
nature: 'Networking'
skills:
- 'devops'
- 'security'
- 'linux'
seo:
title: 'Bastion Host Setup'
description: 'Learn how to set up a bastion host to securely manage access to your private infrastructure.'
keywords:
- 'bastion host'
- 'linux'
- 'security'
- 'devops'
roadmapIds:
- 'devops'
---
The goal of this project is to learn and practice how to set up a **bastion host**—a secure entry point that enables authorized users to access private infrastructure or internal systems without exposing them to the public internet.
A **bastion host** is a server specifically designed to act as a secure gateway between external users and a private network. It reduces the attack surface of your infrastructure by being the only publicly accessible server, ensuring that all external connections go through a single, well-secured entry point. Typically, bastion hosts are configured to allow secure SSH or RDP access and are heavily monitored.
---
## Requirements
You will set up a bastion host in a cloud environment and configure it to securely allow access to a private server.
- Choose a cloud provider (e.g., AWS, DigitalOcean, GCP, Azure) and create **two servers**:
- **Bastion Host** (publicly accessible).
- **Private Server** (accessible only from the bastion host IP address and not publicly).
- Configure both the servers to allow SSH connection and configure SSH in a way that you can SSH into the private server by jumping through the bastion host
```bash
Host bastion
HostName <bastion-ip>
User <bastion-user>
IdentityFile <path-to-bastion-private-key>
Host private-server
HostName <private-server-ip>
User <private-server-user>
ProxyJump bastion
IdentityFile <path-to-private-server-private-key>
```
- Connect to the bastion host using:
```bash
ssh bastion
```
- From the bastion host, connect to the private server:
```bash
ssh private-server
```
- Alternatively, connect directly using your local machine:
```bash
ssh private-server
```
- Optionally set up basic monitoring for SSH access attempts using tools like `fail2ban` for example.
## Stretch Goals
- **Harden Security**: Configure multi-factor authentication (MFA) for the bastion host. Use `iptables` or similar tools for more granular traffic filtering.
- **Automate Setup**: Use Terraform or Ansible to automate the deployment and configuration of your bastion host and private server.
---
## Important Note for Solution Submission
**Do not share sensitive information (e.g., private keys, IP addresses) in public repositories.** Your submission should contain a `README.md` file describing the steps and configurations you used to complete the project.
---
After completing this project, you will have a strong understanding of how to set up a bastion host and securely manage access to private infrastructure. This foundational knowledge will prepare you for more advanced projects in network and infrastructure security.

@ -0,0 +1,56 @@
---
title: 'File Integrity Checker'
description: 'Verify the integrity of application log files to detect tampering.'
isNew: false
sort: 1602
difficulty: 'intermediate'
nature: 'Security'
skills:
- 'Bash'
- 'Python'
- 'Linux'
- 'Cyber Security'
seo:
title: 'Build A File Integrity Checking Tool'
description: 'Learn how to build a CLI tool that validates the integrity of a file using hashes.'
keywords:
- 'integrity'
- 'hashing'
- 'security'
- 'devops'
- 'cyber security'
roadmapIds:
- 'devops'
---
You are required to develop a tool that verifies the integrity of log files to detect tampering. This tool can be used to enhance security measures by using techniques such as file integrity monitoring and hashing to ensure that no unauthorized changes have been made to the log files.
## Requirements
The tool should be capable of the following:
- Accept a directory or a single log file as input.
- Utilize a cryptographic hashing algorithm, such as SHA-256, to compute hashes for each log file provided.
- On first use, store the computed hashes in a secure location.
- For subsequent uses, compare the newly computed hashes against the previously stored ones.
- Clearly report any discrepancies found as a result of the hash comparison, indicating possible file tampering.
- Allow for manual re-initialization of log file integrity.
Here is the example of how it might look like
```bash
> ./integrity-check init /var/log # Initializes and stores hashes of all log files in the directory
> Hashes stored successfully.
> ./integrity-check check /var/log/syslog
> Status: Modified (Hash mismatch)
# Optionally report the files where hashes mismatched
> ./integrity-check -check /var/log/auth.log
> Status: Unmodified
> ./integrity-check update /var/log/syslog
> Hash updated successfully.
```
After completing this project you will get the idea of hashing algorithms, security and writing scripts.
Loading…
Cancel
Save