StackX Bastion StackX Bastion is the StackX product for secure bastion hosts for operations, whether for our own operations or for a bastion dedicated to a client.
 
It centralizes SSH access, server inventory, operational tasks, batch execution, logging, and selected technical checks in a hardened, auditable entry point.
 
For a client, the benefit is practical: their servers can restrict SSH access to the bastion even when operators do not have fixed IP addresses. Users connect to the bastion, then access authorized machines with StackX tools and a higher level of security.
 
This model makes sense even with a single server when the machine is sensitive, several people work on it, or direct access should not be scattered across multiple locations. It becomes even more important for a multi-server fleet, a PRD / DRS architecture, or an environment operated by several teams.

Bastion Baseline

Bastion Baseline
ComponentRole
Hardened SSHDedicated StackX port, restricted configuration, and a reduced exposure surface
sxconnectSSH connections through inventoried aliases, controlled remote execution, and append-only recording of interactive sessions
sxparallelBatch operations on selected hosts, with dry-run, batches, retries, and a conservative PRD/DRS policy
sxwall / firewallLocal StackX firewall, controlled reloads, and structured access lists
SSH Fail2banLimits abusive attempts within the bastion scope
Audit & diagnosticsStackX tools for auditing, postchecks, networking, integrity, and local operations

Secure Client AccessClient SSH access through a dedicated bastion

Secure Client Access
RequirementStackX Bastion Response
Dedicated client bastionEntry point reserved for the client to access their own machines
No fixed IP on the user sideServers can allow the bastion instead of changing personal IP addresses
Server SSH restrictionsDirect SSH access can be limited to the bastion and explicitly authorized flows
Multiple operatorsCentralized access, accounts, operational practices, and audit trails
StackX toolingAccess to StackX commands, diagnostics, inventories, and procedures from the bastion

Operator WorkflowsInventory, maintenance work, and batch operations

Operator Workflows
FunctionBenefit
Local inventoryHosts are described in auditable configuration files, with no dependency on a cloud API
Operation logsLocal history, central audit, and optional notifications depending on configuration
Interactive sessionsTranscripts enabled by default and protected as append-only on the operator side
Batch commandsMaintenance, checks, or remediation across a selected group of hosts
PRD / DRS cautionOperations can process roles in a safer order: DRS, single, then PRD
Dedicated accountsStackX operations accounts are retained, with a standardized shell environment

Bastion-Specific HardeningSSH, logging, and bastion-specific protections

Bastion-Specific Hardening
MeasureDescription
Kernel hardeningKernel surface reduction and mitigations based on the StackX profile
Mount hardening/tmp hardening with options such as nodev, nosuid, and noexec when appropriate
AuditdLogging of critical system and StackX paths
Append-only transcriptsSession directory and recordings protected against truncation or deletion by an unprivileged account
Anti-enumerationOptional stronger permissions on /, /home, and /etc, depending on the selected policy
SELinuxMinimal bastion profile when SELinux is enabled
File backupBackup of the elements required to operate the bastion

When to Choose StackX Bastion

When to Choose StackX Bastion
ContextBenefit
One sensitive serverReduce direct SSH exposure and retain a controlled access point
Clients without fixed IP addressesAllow a stable bastion instead of changing user addresses
Multiple operatorsCentralize access, audit trails, and operational practices
Managed server fleetOperate multiple machines cleanly without scattered SSH scripts
PRD / DRS architectureOrchestrate checks, maintenance, and failovers with greater control
Auditability requirementRetain usable records of sensitive access and actions