This is a self contained bastion host which is designed to allow secure remote access to networks.
50K+
Bastion is a collection of scripts and tools to configure a Linux-based system as a secure bastion (jump) host. It is designed to run either directly on Linux (including WSL on Windows) or inside a Docker container.
You can quickly get started using the prebuilt image available on Docker Hub:
docker pull djlactose/bastion
To run:
docker run -d \
-p 22:22 \
-p 80:80 \
-p 443:443 \
-p 8000:8000 \
-v /home:/home \
-v /root/bastion:/root/bastion \
-v /etc/bastion:/etc/bastion \
-v /var/lib/bastion:/var/lib/bastion \
-v /var/log/bastion:/var/log/bastion \
--name bastion djlactose/bastion
📌 Make sure the volume paths exist to maintain persistent configuration and user data.
To build the Docker image from source:
docker build -t bastion .
Then run using the same instructions as above, replacing djlactose/bastion with bastion.
The servers.sh script is a client-side tool for connecting through the bastion host via SSH tunnels. To use it outside of Docker:
servers.sh to your local machineservers.conf configuration file will be downloaded from the bastion on first runFor proper operation and data persistence, mount the following directories:
/home — user home directories/root/bastion — SSH host keys and user account backups/etc/bastion — server configuration, TLS certificates/var/lib/bastion — web interface database and secret key/var/log/bastion — Gunicorn access and error logsUpgrading from older versions: If you previously used
/root/web/instancefor web data, it has been replaced by/var/lib/bastion. On first startup, existing data (users.db,secret_key) is automatically migrated from/root/bastion/to/var/lib/bastion/.
| Port | Purpose |
|---|---|
| 22 | SSH entry point to the bastion |
| 80 | HTTP (Nginx, only active with TLS certificates) |
| 443 | HTTPS (Nginx, only active with TLS certificates) |
| 8000 | Web interface for session access (direct, no TLS) |
To enable HTTPS via Nginx, place your TLS certificates in the /etc/bastion/certs/ volume:
fullchain.pemprivkey.pemWhen certificates are present, Nginx serves HTTPS on port 443 and the web interface binds to 127.0.0.1:8000 internally. Without certificates, the web interface is accessible directly on port 8000.
www-data, not root. Web app data is isolated in /var/lib/bastion/ with restricted ownership.Secure when TLS certificates are present.| Variable | Default | Description |
|---|---|---|
GUNICORN_WORKERS | 2 | Number of Gunicorn worker processes |
| File/Directory | Purpose |
|---|---|
Dockerfile | Docker build instructions for the bastion image |
run.sh | Container entrypoint: initializes SSH keys, starts Gunicorn and SSHD |
servers.sh | Client-side connection and tunneling script |
docker publish.ps1 | PowerShell script to build and publish Docker image |
config/ | SSH, PAM, Nginx, and sudoers configuration files |
utils/ | User management, backup/restore, and upgrade scripts |
web/ | Flask web interface application |
This project is licensed under the terms of the included LICENSE file.
Note: This project is currently under development. Features such as the web interface are in beta and subject to change.
Content type
Image
Digest
sha256:ddca34e0b…
Size
118.5 MB
Last updated
1 day ago
docker pull djlactose/bastion:sha-5376543afce1bf7f1bcb73631f56865f913c0914