VPNs, Bastion Hosts, and Secure Remote Access - kevwells.com

VPNs, Bastion Hosts, and Secure Remote Access

Why Remote Access is Still the #1 Attack Vector

Every penetration tester says the same: the quickest win is remote access. Misconfigured VPNs, exposed RDP, and weak SSH bastions give attackers exactly what they need. With hybrid work the default, clients can’t afford sloppy access models.


VPN Best Practices

  1. Use modern protocols: OpenVPN or WireGuard; avoid PPTP/L2TP.
  2. Enforce MFA: Tokens or mobile apps for all VPN logins.
  3. Segment traffic: Split-tunnel only where risk-assessed.
  4. Regularly rotate certificates/keys.

Bastion Host Checklist

  • Deploy a hardened jump box (Linux preferred).
  • Limit inbound access strictly (e.g. VPN IPs only).
  • Require SSH key + MFA to log in.
  • Enable full command logging.
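The sshd-side items of this checklist can be checked mechanically. The following is an added example, not code from the original page: it audits the global section of an `sshd_config` for key + MFA, password and root logins, and log level. It assumes MFA is delivered through `keyboard-interactive` (for example a PAM one-time-password module) and treats `PermitRootLogin no` and `LogLevel VERBOSE` as the baseline; inbound filtering and command logging live outside `sshd_config` and are not covered.

```python
# Added example: audit the global section of an sshd_config (bastion checklist).
DEFAULTS = {  # OpenSSH behaviour when a keyword is absent
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "authenticationmethods": "any",
    "loglevel": "INFO",
}

def effective_settings(text):
    """Global settings only; sshd keeps the FIRST value it reads for a keyword."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":  # conditional blocks are not evaluated here
            break
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    return {**DEFAULTS, **seen}

def audit(text):
    cfg, findings = effective_settings(text), []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("password logins are accepted")
    if cfg["permitrootlogin"].lower() != "no":  # assumed hardening baseline
        findings.append("root can log in directly")
    # Each space-separated alternative must demand a key AND an interactive factor.
    for alt in cfg["authenticationmethods"].split():
        methods = {m.split(":")[0] for m in alt.split(",")}
        if not {"publickey", "keyboard-interactive"} <= methods:
            findings.append(f"AuthenticationMethods '{alt}' is not key + MFA")
    if cfg["loglevel"].upper() in ("QUIET", "FATAL", "ERROR", "INFO"):
        findings.append("LogLevel is below VERBOSE")  # assumed audit baseline
    return findings

# Constructed samples, not taken from any real host.
WEAK = """\
PasswordAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey
"""
HARDENED = """\
PasswordAuthentication no
PermitRootLogin no
AuthenticationMethods publickey,keyboard-interactive:pam
LogLevel VERBOSE
"""
```

In `WEAK` the second `PasswordAuthentication no` has no effect because the first value wins, so `audit(WEAK)` still reports password logins. Feeding the output of `sshd -T` to `audit()` instead of the raw file also accounts for included files.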

Applied Example

A consulting client left SSH open to the internet. Within 2 hours of provisioning, it was brute-forced. Moving access behind a VPN + bastion cut the exposure surface by 99%.


Why Clients Care

  • Compliance: PCI DSS requires encrypted remote admin.
  • Audit trail: Bastion logging provides forensic records.
  • Reduced risk: Eliminates “open SSH to the world” scenarios.

Security gaps in Linux and cloud systems risk downtime, data compromise, lost business — and compliance failures.

With 20+ years’ experience and active UK Security Check (SC) clearance, I harden Linux and cloud platforms for government, corporate, and academic sectors — ensuring secure, compliant, and resilient infrastructure.