6/29/2026 at 8:16:06 PM
I've been in the industry for a long, long time, and I would say that use of bastion hosts ranks #2 on my list of things that tell me your environment is not secure (right behind "we use fail2ban to protect us" as the #1 clue).I've bought a bunch of companies and seriously evaluated hundreds of them, and the ones where people had a bastion host set up commonly seemed to act as if it protected them from everything, to the point where they just stopped worrying about security otherwise.
It gives a false sense of security and makes people put their guard down - like "OK, we have everything secured behind the firewall and only people who can log in to the bastion host, so there's no need for firewall rules or policies on the servers inside our firewall perimeter". Which inevitably breaks down over time as things get opened up to the internet, employees come and go, etc.
I can't tell you the number of companies where I look at their setup and their bastion host itself is root owned - since those hosts are always being used (and are tied to everything so you can't easily reboot or replace them), and are considered nothing more than a "tool" that you rarely actually have to look at, they don't get updated nearly enough and are neglected.
Not saying that bastion hosts are a bad idea - but just like any easy to use, easy to forget, high risk part of the stack, they are often a sign of inexperience and neglect elsewhere in the architecture.
(Yes, I know that there are plenty of big companies that use jump boxes without issue, and this jumpserver product is different, but I'm specifically talking about the idea of having one little machine that is open to SSH and then you bounce off of that to get into the "secured" machines, and all of this just based on my own experience and may not reflect yours)
by jasongill
6/29/2026 at 8:48:13 PM
At one of the top tier 1 ISPs in the world, there was a bastion host that allowed 2 teams of network engineers unfettered access to everything; once your permissions allowed you access to the bastion, you had everything. 50 some people with trivial credentialed access to network infrastructure that the world ran on; fatfinger a bgp config and you could take down countries. Swathes of cities were regular casualities of config mistakes, and if you locked yourself out without setting a reload in 5, it'd take an hour to get someone deployed.That experience shattered my idea that the world was being operated by competent engineers and technicians, governed by sane policies, under the watchful care of good, knowledgable people.
The world is held together by beliefs and expectations and bubblegum and duct tape, and a few thousand people madly scrambling to keep it all running.
by observationist
6/30/2026 at 5:48:43 AM
> That experience shattered my idea that the world was being operated by competent engineers and technicians, governed by sane policies, under the watchful care of good, knowledgable people.Reminds me the amount of debt that exists only as an entry in an excel spreadsheets somewhere. No database with high availability and regular backups and audit logs and access control and all of that, just a spreadsheet.
by nextaccountic
6/29/2026 at 10:27:08 PM
Sounds like the 90’s early ISP experience scaled up. No firewalls, everything on public IPs, text files with global credentials in clear text…by icedchai
6/29/2026 at 11:13:14 PM
I have been transported back to the days of `conf t`, `enable password hunter2`, `show run`, `copy run start`by jasongill
6/30/2026 at 12:52:20 AM
And the days of hubs, not switches, telnet and rlogin, not SSH. A hacked host could potentially compromise your whole LAN.by icedchai
6/30/2026 at 1:48:57 AM
A lot of that is still there in various ways.by esseph
6/29/2026 at 9:04:38 PM
> The world is held together by beliefs and expectations and bubblegum and duct tape, and a few thousand people madly scrambling to keep it all running.Sounds like the AWS experience
by htrp
6/30/2026 at 5:28:58 PM
Would you see using a vpn as the better alternative to a bastion host?I've worked at a couple places where prod is air-gapped except for the bastion host that allows access to prod. But the bastion itself is still behind a vpn. And of course each user still has separate user accounts on both the bastion box and prod boxes.
I can definitely see your point though that a bastion/jumpbox isn't enough by itself.
by johntash
6/30/2026 at 3:36:52 PM
This is a nice summary of bastion boxes when they're at the edge of your capability, or worse, you stop learning about securing your environment moving forward.For the OP/others, it would be great if folks can share what they do to secure their environments, with or without a jump box.
by j45
6/30/2026 at 12:48:42 AM
Did most of the companies have external facing jump servers? I'd hope at least companies have internal-only and even then with strict internal network access policies (+VPN etc) and ldap authorization etc. Can't imagine that any competent orgs would have externally-facing ssh or windows bastion hosts.by indigodaddy
6/30/2026 at 3:04:41 AM
> Can't imagine that any competent orgs would have externally-facing ssh or windows bastion hosts.I have seen shit that would turn you white.
by jasongill
6/30/2026 at 12:52:22 AM
I mean this earnestly: I greatly envy your ignorance.by xyzzy_plugh
6/30/2026 at 12:53:56 AM
Ignorance? I did say "competent" didn't I?by indigodaddy
6/30/2026 at 2:11:18 AM
There's a somewhat related article from the UK NCSC here, for anyone interested: https://www.ncsc.gov.uk/paper/security-architecture-anti-pat...by glassofbees
6/30/2026 at 12:47:35 AM
Seriously "let's just put every single person thru one server unencrypted" is IDEAL place to attack.At least in case of VPN you only tunnel then-encrypted (in most cases) traffic to servers - so at worst case you at least have protection of ssh/https
by PunchyHamster
6/30/2026 at 12:59:12 AM
Every "jump host" I've seen in the past 25+ years has used SSH externally.by icedchai