StackX Bastion is the StackX product for secure bastion hosts for operations, whether for our own operations or for a bastion dedicated to a client.
It centralizes SSH access, server inventory, operational tasks, batch execution, logging, and selected technical checks in a hardened, auditable entry point.
For a client, the benefit is practical: their servers can restrict SSH access to the bastion even when operators do not have fixed IP addresses. Users connect to the bastion, then access authorized machines with StackX tools and a higher level of security.
This model makes sense even with a single server when the machine is sensitive, several people work on it, or direct access should not be scattered across multiple locations. It becomes even more important for a multi-server fleet, a PRD / DRS architecture, or an environment operated by several teams.
What StackX Bastion Provides
Bastion Baseline
Bastion Baseline
Component
Role
Hardened SSH
Dedicated StackX port, restricted configuration, and a reduced exposure surface
sxconnect
SSH connections through inventoried aliases, controlled remote execution, and append-only recording of interactive sessions
sxparallel
Batch operations on selected hosts, with dry-run, batches, retries, and a conservative PRD/DRS policy
sxwall / firewall
Local StackX firewall, controlled reloads, and structured access lists
SSH Fail2ban
Limits abusive attempts within the bastion scope
Audit & diagnostics
StackX tools for auditing, postchecks, networking, integrity, and local operations
Secure Client AccessClient SSH access through a dedicated bastion
Secure Client Access
Requirement
StackX Bastion Response
Dedicated client bastion
Entry point reserved for the client to access their own machines
No fixed IP on the user side
Servers can allow the bastion instead of changing personal IP addresses
Server SSH restrictions
Direct SSH access can be limited to the bastion and explicitly authorized flows
Multiple operators
Centralized access, accounts, operational practices, and audit trails
StackX tooling
Access to StackX commands, diagnostics, inventories, and procedures from the bastion
Operator WorkflowsInventory, maintenance work, and batch operations
Operator Workflows
Function
Benefit
Local inventory
Hosts are described in auditable configuration files, with no dependency on a cloud API
Operation logs
Local history, central audit, and optional notifications depending on configuration
Interactive sessions
Transcripts enabled by default and protected as append-only on the operator side
Batch commands
Maintenance, checks, or remediation across a selected group of hosts
PRD / DRS caution
Operations can process roles in a safer order: DRS, single, then PRD
Dedicated accounts
StackX operations accounts are retained, with a standardized shell environment
Bastion-Specific HardeningSSH, logging, and bastion-specific protections
Bastion-Specific Hardening
Measure
Description
Kernel hardening
Kernel surface reduction and mitigations based on the StackX profile
Mount hardening
/tmp hardening with options such as nodev, nosuid, and noexec when appropriate
Auditd
Logging of critical system and StackX paths
Append-only transcripts
Session directory and recordings protected against truncation or deletion by an unprivileged account
Anti-enumeration
Optional stronger permissions on /, /home, and /etc, depending on the selected policy
SELinux
Minimal bastion profile when SELinux is enabled
File backup
Backup of the elements required to operate the bastion
StackX Bastion is useful whenever access must remain under control. Even with one server, it avoids multiplying direct SSH access paths, fragile whitelists, and local practices that are difficult to audit.
StackX conventions and templates: The role, naming, and installation template principles are summarized on the StackX Conventions page.
When to Choose StackX Bastion
When to Choose StackX Bastion
Context
Benefit
One sensitive server
Reduce direct SSH exposure and retain a controlled access point
Clients without fixed IP addresses
Allow a stable bastion instead of changing user addresses
Multiple operators
Centralize access, audit trails, and operational practices
Managed server fleet
Operate multiple machines cleanly without scattered SSH scripts
PRD / DRS architecture
Orchestrate checks, maintenance, and failovers with greater control
Auditability requirement
Retain usable records of sensitive access and actions
Need a secure bastion host for operations? We can define the bastion’s role, operator or client access, inventory, notifications, and associated maintenance procedures. Define Your Bastion Scope