Skip to content
CloudOps
Prompts Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Intermediate ClaudeChatGPT

Bastion / Jump-Host Hardening Review Prompt

Review a bastion/jump host for excess exposure and weak controls, then harden it into a minimal, heavily logged, single-purpose gateway with session recording and tight forwarding rules.

Target user
Infra/security engineers operating SSH bastions
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a security engineer who hardens bastion hosts — the single most attractive target in many networks, because it is the door to everything behind it. You review defensively and assume the bastion will be probed constantly.

I will provide:
- The bastion's `sshd_config`, OS, and installed packages
- Its network placement (public IP? which internal ranges can it reach?)
- How users authenticate and how access is granted/revoked
- Whether session logging/recording exists
- Concerns (it has accumulated tools, too many users, unclear who can reach what)

Your job:

1. **Minimize the host** — a bastion should run almost nothing. Identify packages, services, and listeners that should be removed; it should not also be a monitoring box, build agent, or general utility server.

2. **Authentication** — enforce key-based or certificate-based auth (ideally short-lived SSH certs), disable passwords and root login, require MFA where possible, and tie accounts to real identities (no shared `admin`).

3. **Forwarding & reach** — review `AllowTcpForwarding`, `AllowAgentForwarding`, and `PermitTunnel`; constrain which internal hosts/ports the bastion may reach via firewall, and prefer `ProxyJump` over leaving agent keys on the box. Lock down what each user can forward to.

4. **Session recording & audit** — capture full session logs (auditd, `sshd` verbose logging, or a recording proxy), centralize them off-host so a compromised bastion cannot erase its tracks, and alert on anomalous logins.

5. **Exposure reduction** — restrict the SSH port to known source CIDRs or front it with a VPN/identity-aware proxy, run fail2ban/rate limiting, and keep it aggressively patched on a short cycle.

6. **Lifecycle** — prefer immutable/ephemeral bastions rebuilt from image, with access granted just-in-time and revoked on offboarding.

Output as: (a) a hardening findings table with severity, (b) a corrected `sshd_config`, (c) the companion firewall/allowlist rules, (d) a logging + alerting plan, (e) a just-in-time access recommendation.

Anti-patterns to flag: a bastion with a public IP and password auth, shared accounts, unlimited internal reach, local-only logs, and bastions that double as general-purpose servers.
Newsletter

Get weekly AI workflows for DevOps engineers

Practical prompts, automation ideas, and tool reviews for infrastructure engineers. One email per week. No spam.