Thoughts on setup for ssh bastion?

WillEndure

Feb 17, 2025
I would like to set up an ssh bastion service, with a public IP, through which I can reach machines running on my "secure" network behind the firewall. This will be the only publicly exposed port - non-standard port also.

I have been considering Alpine Linux for this - but it seems to be used mostly for containers, rather than VMs. Not necessarily a problem and there is no real reason why it cannot be run as a VM. Here is an example setup that creates a minimal chroot for each user connection that reflects quite well the sort of tight environment I would like to run as my bastion: https://github.com/JustinTimperio/secure-shell-bastion/tree/master. Alpine can be a good choice due to musl.

Should I be considering other distributions instead? Or even a different OS?

As far as Proxmox is concerned, is there a preference for running this in a VM or container? Is there anything particular that I can do to ensure my bastion is as isolated as possible from the rest of the machine? I have only 1 server running Proxmox, running quite a few VMs that I would like to keep secure, whilst also running the bastion on the same hardware. That means I am open to any kind of CPU bug that might ruin the day. Is it possible to pin a VM to a particular core for example, and does this make any difference?

This is for my private network, and the small amount of sensitive data that I have is encrypted. It's not going to be Fort Knox, but it's also not a high-value corporate network either; I would like to learn and make as good a job of securing it as I can with what I have.

Thoughts, criticism, advice most welcome, thank you.