A simple bastion host setup designed for cloud-hosted and on-premises lab environments.
The easiest way to get started is to use our community AMI. We recommend a t2.small instance for general use.
ami-0223eaf7dcb180393
To launch the BastionBox in other AWS regions, you'll need to copy the AMI.
This is currently the only tested/supported OS, though other Debian-based operating systems are likely to just work.
-
Clone Repository
git clone https://github.com/snaplabsio/BastionBox
-
Run Install Script
chmod +x ./BastionBox/install.sh
sudo ./BastionBox/install.sh
The BastionBox web interface will be accessible on port 80 after launch or install.
The default username is admin.
If you use the prebuilt AMI, the admin password is set to the InstanceId. Because the instance ID is visible to anyone with EC2 read access in your account, change this password after the first login. A manual install prompts for a password.
The username and password can be changed in the BastionBox/API/config.json file. Run pm2 restart 0 or reboot for web API changes to take effect.
By default, EC2 instances are assigned dynamic public IP addresses that change across stop/start cycles. For generated VPN configs to keep working, your BastionBox needs a static IP. In AWS, this means allocating an Elastic IP address and associating it with your instance.
BastionBox will otherwise work fine without a static IP; you'll just need to generate new VPN configs any time the IP address changes.
If you want to initiate network connections to VPN clients from within your lab environment, you will need to add a route directing the VPN client IP range (default: 172.19.253.0/24) to the BastionBox. This is required for things such as command and control (C2) callbacks from lab hosts to tooling running on a VPN client.
You could do this locally on each system in the lab, but it is likely easier to do it at the router/default gateway level.
In AWS this means:
- Disabling the source/destination check on the BastionBox network interface (otherwise EC2 drops forwarded packets whose addresses are not the interface's own)
- Adding a route to the VPC/subnet's route table directing the VPN client range to the BastionBox network interface
The AMI uses your VPC CIDR range to push a route to connecting clients directing traffic for the VPC through the VPN. The manual install attempts to query AWS for the VPC CIDR and, if that is unavailable, uses the subnet visible on the local interface.
You can modify this route or add more in the VPN server config, /etc/openvpn/server.conf. Restart the VPN service (systemctl restart openvpn@server) for changes to take effect.
We recommend limiting access to this application to known IP addresses. In AWS, security groups are an easy way to do this.
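The AWS steps above (Elastic IP, source/destination check, return route for the VPN client range, IP-restricted web access) and the server.conf route push, collected into one script as an added example. This is not BastionBox's own code: it assumes the AWS CLI v2 is installed and credentialed with EC2 read/write permissions, that the instance has a single network interface, and that the instance, route table and security group IDs are supplied as placeholders on the command line. The IMDS lookup of the VPC CIDR only works when the script runs on the instance itself; pass the CIDR as the last argument otherwise.

```shell
#!/usr/bin/env bash
# Added example, not part of BastionBox: wire a BastionBox EC2 instance into its VPC
# (static IP, source/dest check, return route for the VPN client range, admin-only web
# access) and print the OpenVPN "push route" line for the VPC CIDR.
# Assumptions: AWS CLI v2 configured with EC2 read/write rights, the instance has a
# single network interface, and the IDs passed on the command line are placeholders.
set -eu

VPN_CLIENT_CIDR="${VPN_CLIENT_CIDR:-172.19.253.0/24}"   # BastionBox default client range

# Prefix length (0-32) -> dotted-quad netmask, e.g. 16 -> 255.255.0.0
prefix_to_mask() {
  local m
  m=$(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
  printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# Dotted-quad address -> 32-bit integer
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# OpenVPN server.conf directive that hands the VPC route to every connecting client
push_route_line() {
  printf 'push "route %s %s"\n' "${1%/*}" "$(prefix_to_mask "${1#*/}")"
}

# Exit 0 when the two CIDRs share addresses. A VPC that overlaps the client range
# would make the pushed route and the clients' tunnel addresses ambiguous.
cidrs_overlap() {
  local p m
  p=$(( ${1#*/} < ${2#*/} ? ${1#*/} : ${2#*/} ))
  m=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "${1%/*}") & m )) -eq $(( $(ip_to_int "${2%/*}") & m )) ]
}

# VPC CIDR from IMDSv2; only works on the instance itself, so callers may pass it instead
vpc_cidr() {
  local tok mac base=http://169.254.169.254/latest
  tok=$(curl -sf -X PUT "$base/api/token" -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
  mac=$(curl -sf -H "X-aws-ec2-metadata-token: $tok" "$base/meta-data/mac")
  curl -sf -H "X-aws-ec2-metadata-token: $tok" "$base/meta-data/network/interfaces/macs/$mac/vpc-ipv4-cidr-block"
}

# The AWS side of the routing section. $1 instance id, $2 route table id,
# $3 security group id, $4 administrator source CIDR (e.g. 203.0.113.10/32)
configure_aws() {
  local eni alloc
  eni=$(aws ec2 describe-instances --instance-ids "$1" \
          --query 'Reservations[0].Instances[0].NetworkInterfaces[0].NetworkInterfaceId' --output text)
  # 1. Elastic IP so generated client configs keep working across stop/start
  alloc=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
  aws ec2 associate-address --instance-id "$1" --allocation-id "$alloc"
  # 2. Allow the interface to forward packets that are not addressed to it
  aws ec2 modify-network-interface-attribute --network-interface-id "$eni" --no-source-dest-check
  # 3. Send traffic for the VPN client range back to the BastionBox
  aws ec2 create-route --route-table-id "$2" --destination-cidr-block "$VPN_CLIENT_CIDR" \
          --network-interface-id "$eni"
  # 4. Web interface (port 80) reachable only from the administrator's address range
  aws ec2 authorize-security-group-ingress --group-id "$3" --protocol tcp --port 80 --cidr "$4"
}

main() {
  local cidr
  cidr=${5:-$(vpc_cidr)}
  if cidrs_overlap "$cidr" "$VPN_CLIENT_CIDR"; then
    echo "error: VPN client range $VPN_CLIENT_CIDR overlaps VPC $cidr; change the OpenVPN server range first" >&2
    exit 2
  fi
  echo "# add to /etc/openvpn/server.conf, then: systemctl restart openvpn@server"
  push_route_line "$cidr"
  configure_aws "$1" "$2" "$3" "$4"
}

# Usage: ./bastionbox-aws.sh <instance-id> <route-table-id> <security-group-id> <admin-cidr> [vpc-cidr]
if [ $# -ge 4 ]; then main "$@"; fi
```

Run it once per instance: the Elastic IP allocation and the security group rule are not idempotent, and a second run would allocate another address. The overlap check is the failure mode worth keeping even if you apply the AWS steps by hand: a VPC such as 172.16.0.0/12 contains the default client range 172.19.253.0/24, and the pushed route would then fight the tunnel addresses.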
All of the web connections are proxied through Apache. To enable SSL/TLS, generate or upload your certificates and then uncomment the SSL options in /etc/apache2/sites-enabled/000-default.conf (or BastionBox/Resources/apache.conf pre-install). Until TLS is enabled, the admin credentials are sent in cleartext over port 80, so treat the IP restriction above as mandatory rather than optional.
You can adjust the session length of the web interface by editing "sessionLength" (measured in hours) in BastionBox/API/config.json. Run pm2 restart 0 or reboot for web API changes to take effect.