
Recipe: SSH bastion host hardening

Lock down your jump box with kernel-level hardening, minimal attack surface, and Meridian's continuous integrity monitoring.

Ingredients

  • Debian 12 minimal install (no desktop, no print server)
  • OpenSSH 9.2+ with ed25519 keys only
  • Meridian agent binary + license key
  • UFW or nftables ruleset (allow 22/tcp from trusted CIDRs)
  • auditd for supplemental logging

Steps

  1. sshd_config: disable password auth, root login, and agent forwarding. Permit only key-based access with AllowUsers.
  2. Install Meridian agent. The loader self-verifies its Authenticode signature before unpacking the payload into a guarded memory region.
  3. Configure Meridian to watch /etc/ssh/ and /etc/pam.d/. Any unauthorized modification triggers an alert and optional auto-rollback.
  4. Enable kernel hardening: kernel.kptr_restrict=2, kernel.dmesg_restrict=1, and disable unused kernel modules.
  5. Set up Meridian's ETW-equivalent syscall monitor to detect anomalous process injection patterns targeting the SSH daemon.
  6. Test: attempt unauthorized access from outside the trusted CIDR range. Confirm UFW drops the packet and Meridian logs the event.
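To confirm that step 1 actually took effect, here is an added audit script (example code, not part of Meridian or this recipe). It reads each directive the way sshd resolves it (first occurrence wins, keywords are case-insensitive, global section only) and flags anything that still permits passwords, root login or agent forwarding. The two sample config files it writes are constructed for the demonstration, and the user names under AllowUsers are placeholders.

```shell
#!/bin/sh
# Hypothetical sshd_config audit for the hardening recipe (not Meridian code).

# Effective value of a keyword: sshd honours the FIRST occurrence, keywords are
# case-insensitive, and lines after a Match block are conditional, so the scan
# stops there. Include directives are not followed; for the fully resolved
# config, run this on the output of `sshd -T` (lowercase keywords work too).
sshd_effective() { # $1 = config file, $2 = keyword
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Returns 0 when every required setting is in effect, 1 otherwise (one FAIL line each).
audit_sshd_config() {
    cfg="$1"; rc=0
    want() { # $1 keyword, $2 required value, $3 OpenSSH default when unset
        got=$(sshd_effective "$cfg" "$1")
        got=$(printf %s "${got:-$3}" | tr 'A-Z' 'a-z')
        [ "$got" = "$2" ] || { echo "FAIL: $1 is '$got', want '$2'"; rc=1; }
    }
    want PasswordAuthentication       no  yes
    want KbdInteractiveAuthentication no  yes
    want PermitRootLogin              no  prohibit-password
    want AllowAgentForwarding         no  yes
    want PubkeyAuthentication         yes yes
    [ -n "$(sshd_effective "$cfg" AllowUsers)" ] || { echo "FAIL: AllowUsers not set"; rc=1; }
    grep -qi '^[[:space:]]*match' "$cfg" && echo "NOTE: Match blocks present; review them separately"
    return "$rc"
}

# Constructed sample configs (not real hosts): a Debian-like default and a hardened one.
TMP=$(mktemp -d)
WEAK_CFG="$TMP/sshd_config.weak"; HARD_CFG="$TMP/sshd_config.hard"
cat > "$WEAK_CFG" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
EOF
cat > "$HARD_CFG" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowAgentForwarding no
PubkeyAuthentication yes
AllowUsers ops-alice ops-bob
EOF

audit_sshd_config "$HARD_CFG" && echo "hardened config: OK"
audit_sshd_config "$WEAK_CFG" || echo "weak config: needs work"
```

Pointing it at the live file on the bastion (or at `sshd -T` output) gives a pass/fail exit status that a CI job or Meridian alert hook can act on.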

Verification

Run meridian verify --target sshd to confirm the running binary matches the signed baseline. The dashboard at getnimbus.net/dashboard shows a green shield when all integrity checks pass.

Pro tip: Pair this with the port-knocking recipe for defense-in-depth. SSH never listens until the correct sequence is received.