Closed chrislgarry closed 6 years ago
Sorry, there's a bit more to it than I initially explained. We should remove the default ec2-user since botnets will brute-force SSH logins for that account. Instead, each user should have an account on the bastion via useradd <username>
and then we each SSH to the bastion host under our own accounts with our own SSH key. After that, we will add MFA via google-authenticator for each user (different issue), after which we will need to pass the SSH key plus a one-time password generated by the google authenticator app on our phones to log into the bastion.
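The flow described in the comment above (per-user accounts with their own keys, key plus TOTP enforced by sshd, default account removed last), as an added shell example that is not code from the issue or the project. It assumes sshd reads drop-ins from /etc/ssh/sshd_config.d/ and that the PAM side (pam_google_authenticator) is configured separately, as the thread defers it to another issue:

```shell
# Added example, not from the issue thread: renders and checks the sshd
# settings for the bastion flow above and provisions the per-user accounts.
# Assumed: sshd loads /etc/ssh/sshd_config.d/*.conf; PAM/google-authenticator is set up separately.

# sshd directives that require a public key AND a PAM challenge (the TOTP
# code from google-authenticator) and refuse password-only logins.
render_sshd_hardening() {
    cat <<'EOF'
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
EOF
}

# Return 0 when FILE has every directive above as an exact line; else list the missing ones, return 1.
check_sshd_hardening() {
    missing=$(render_sshd_hardening | while read -r line; do
        grep -qxF "$line" "$1" || echo "missing: $line"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" >&2
    return 1
}

# Create one named account with its own key (run as root on the bastion).
# TOTP enrolment is interactive and per user: su - "$user" -c google-authenticator
provision_bastion_user() {
    user="$1"; pubkey="$2"
    useradd -m -s /bin/bash "$user"
    install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
    printf '%s\n' "$pubkey" > "/home/$user/.ssh/authorized_keys"
    chown "$user:$user" "/home/$user/.ssh/authorized_keys"
    chmod 600 "/home/$user/.ssh/authorized_keys"
}

# Remove the shared default account only once some other account already
# has a key on the box, so the cut-over cannot lock everyone out.
remove_default_user() {
    default="${1:-ec2-user}"
    for f in /home/*/.ssh/authorized_keys; do
        case "$f" in "/home/$default/"*) continue ;; esac
        [ -s "$f" ] && { userdel -r "$default"; return $?; }
    done
    echo "refusing to remove $default: no other account has a key" >&2
    return 1
}
```

Order of operations: provision the named users, write `render_sshd_hardening` output to the drop-in and run `sshd -t` before reloading, confirm a fresh key+OTP login from a second session, and only then call `remove_default_user`.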
Looks like this is done. Good work!
Still need to set it up with google-auth on seoul, but yeah pretty much done 👌
Move away from SSH'ing directly to the instance. We should instead set up an SSH bastion: https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/