This image contains an Alpine Linux system (data mode) embedding a hardened SSH server configured to be used as a bastion/jump server.

In addition to the SSH server, this image also contains the following services:

- iptables (configured to avoid floods and only answer to connections on the SSH port)
- logrotate
- fail2ban (can be enabled by adding the 02fail2ban.sh script to Packer's provider)
By default, there are only two users: an admin user that can open interactive sessions and install packages, and a jump user that can only use the SSH service as a proxy (no interactive sessions allowed).
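The following is an added example of what the proxy-only jump user and a matching client configuration look like in OpenSSH terms; it is not this repository's own `config/` files. It assumes the table defaults (`jump_user` = `jump`, `sshd_port` = `1234`), a placeholder bastion hostname, and one placeholder internal host to illustrate `PermitOpen`.

```sshconfig
# --- server side: /etc/ssh/sshd_config on the bastion (assumed layout, not the project's file) ---
Port 1234
PermitRootLogin no
PasswordAuthentication no

# The jump user may only open forwarded TCP channels (what "ssh -J" / "ssh -W" use).
Match User jump
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding yes
    # Any session request runs this instead of a shell and exits immediately,
    # so an interactive login attempt is refused while forwarding still works.
    ForceCommand /bin/false
    # Limit the reachable targets; 10.0.0.5 is a constructed placeholder, list
    # your real internal hosts here (PermitOpen takes host:port entries, not CIDRs).
    PermitOpen 10.0.0.5:22

# --- client side: ~/.ssh/config on the operator's workstation ---
Host bastion
    HostName bastion.example.org      # placeholder
    Port 1234
    User jump
    IdentityFile ~/.ssh/bastion_jump  # key authorized for the jump user
    IdentitiesOnly yes

# Every internal host is reached through the bastion; no shell is ever
# opened on the bastion itself, only a forwarded connection.
Host internal-*
    ProxyJump bastion
    User admin
```

With this in place, `ssh internal-db` goes through the bastion transparently, while `ssh bastion` (a direct login as `jump`) is refused because no TTY or command is permitted.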
The images are configured using LBU, so you have to boot them using the installation CDROM (cf. `grep iso_urls alpine-ssh-bastion.json`) and be sure you save your configuration using `lbu commit` before restarting.
Note: for the QEMU image you'll have to specify the `-boot d` option to be sure the VM boots from the CDROM.
```sh
$ qemu-system-x86_64 \
    -enable-kvm -smp cores=1 \
    -m 512 -balloon virtio \
    -device virtio-net,netdev=user0 -netdev user,id=user0 \
    -device virtio-scsi-pci,id=scsi0 -device scsi-hd,bus=scsi0.0,drive=drive0 \
    -drive if=none,id=drive0,file=alpine-ssh-bastion_datamode.qcow2 \
    -boot d -cdrom alpine-virt-VERSION-x86_64.iso
```
For the VirtualBox image, import the OVF, attach the installation CDROM and start the VM:

```sh
$ VBoxManage import alpine-ssh-bastion_datamode.ovf
$ VBoxManage storageattach alpine-ssh-bastion_datamode \
    --storagectl "IDE controller" --port 0 --device 0 --type dvddrive \
    --medium alpine-virt-VERSION-x86_64.iso
$ VBoxManage startvm alpine-ssh-bastion_datamode
```
You can configure each template to match your requirements by setting the following user variables.
| User Variable | Default Value | Description |
|---|---|---|
| `alpine_version` | `3.8.2` | The version of Alpine Linux |
| `hostname` | `bastion` | The machine's hostname (see setup-hostname) |
| `keymap` | `us us` | The machine's keyboard mapping (see setup-keymap) |
| `timezone` | `UTC` | The machine's timezone (see setup-timezone) |
| `name_servers` | `1.1.1.1 8.8.8.8` | The machine's name servers (see setup-dns) |
| `http_proxy` | `none` | The machine's HTTP proxy (see setup-proxy) |
| `sshd_port` | `1234` | The port the SSH server is listening on |
| `jump_user` | `jump` | The user that has to be used to jump |
| `root_password` | `I'm too lazy to change the root password :(` | The default password for the root user |
| `admin_password` | `I'm too lazy to change the admin password :(` | The default password for the admin user |
Note: see the README file to get the generic config fields
Important: in order to make these images testable, the default SSH credentials are versioned in this repository.
Always rebuild the images with your own SSH credentials (see config/) before using them in a production environment.