    Linux Lab Project: Building a Linux Jump Box

    • black3dynamiteB
      black3dynamite
      last edited by

      How would a jump box be used when accessing a Windows environment? Would I need to set up a jump box with a desktop environment like xfce or a window manager like i3? And then use something like Remmina to remote into a Windows Admin box to manage servers and such?

      RamblingBipedR scottalanmillerS 2 Replies Last reply Reply Quote 0
      • RamblingBipedR
        RamblingBiped @black3dynamite
        last edited by RamblingBiped

        @black3dynamite said in Linux Lab Project: Building a Linux Jump Box:

        How would a jump box be used when accessing a Windows environment? Would I need to set up a jump box with a desktop environment like xfce or a window manager like i3? And then use something like Remmina to remote into a Windows Admin box to manage servers and such?

        You could set up SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.

        http://www.linuxjournal.com/content/ssh-tunneling-poor-techies-vpn

        black3dynamiteB scottalanmillerS 2 Replies Last reply Reply Quote 3
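
The RDP-over-SSH setup suggested above, shown from both ends as an added example (not code from the thread): the client command that opens a loopback-only tunnel through the jump box, and an `authorized_keys` entry for the jump box that limits that key to the one forward. The user name, host names, local port 13389 and the key string are constructed placeholders.

```shell
#!/bin/sh
# Added example: user, host names, ports and key text are constructed.

# Accept only plain names/IPs (no leading dash) and valid TCP ports.
valid_name() { case "$1" in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac; }
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Client side: print the command that forwards a local port, bound to
# loopback only, through the jump box to the Windows host's RDP port.
# -N requests no remote command; ExitOnForwardFailure makes ssh exit
# instead of staying connected when the forward cannot be set up.
rdp_tunnel_cmd() {  # user jumpbox winhost [local_port]
    lport=${4:-13389}
    valid_name "$1" && valid_name "$2" && valid_name "$3" \
        && valid_port "$lport" || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:3389 %s@%s\n' \
        "$lport" "$3" "$1" "$2"
}

# Jump box side: print an authorized_keys entry for that user's key.
# "restrict" turns off PTY, agent, X11 and port forwarding; forwarding is
# then re-enabled for a single destination, and the forced command makes
# any session request exit immediately.
rdp_only_key_line() {  # winhost "public key text"
    valid_name "$1" || return 1
    printf 'command="/bin/false",restrict,port-forwarding,permitopen="%s:3389" %s\n' \
        "$1" "$2"
}

rdp_tunnel_cmd bob jump.lab.example winadmin01.lab.example
rdp_only_key_line winadmin01.lab.example 'ssh-ed25519 AAAAC3...placeholder bob@laptop'
```

With the tunnel up, the RDP client (Remmina, for instance) is pointed at 127.0.0.1:13389 instead of the Windows host.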
        • black3dynamiteB
          black3dynamite @RamblingBiped
          last edited by

          @RamblingBiped said in Linux Lab Project: Building a Linux Jump Box:

          @black3dynamite said in Linux Lab Project: Building a Linux Jump Box:

          How would a jump box be used when accessing a Windows environment? Would I need to set up a jump box with a desktop environment like xfce or a window manager like i3? And then use something like Remmina to remote into a Windows Admin box to manage servers and such?

          You could set up SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.

          Thanks. That setup is a lot more straightforward and less of a headache to manage.

          1 Reply Last reply Reply Quote 1
          • wirestyle22W
            wirestyle22
            last edited by wirestyle22

            @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

            Correct, that's one option. Or you could use it in addition to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.

            Would the jumpbox also be a single point of failure though?

            travisdh1T scottalanmillerS 2 Replies Last reply Reply Quote 0
            • travisdh1T
              travisdh1 @wirestyle22
              last edited by

              @wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:

              @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

              Correct, that's one option. Or you could use it in addition to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.

              Would the jumpbox also be a single point of failure though?

              Well sure, but how long is it going to take to restore? A jumpbox should be a minimal install of "pick your favorite distribution". Shouldn't be more than a couple minutes to restore it.

              wirestyle22W JaredBuschJ 2 Replies Last reply Reply Quote 2
              • wirestyle22W
                wirestyle22 @travisdh1
                last edited by

                @travisdh1 said in Linux Lab Project: Building a Linux Jump Box:

                @wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:

                @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                Correct, that's one option. Or you could use it in addition to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.

                Would the jumpbox also be a single point of failure though?

                Well sure, but how long is it going to take to restore? A jumpbox should be a minimal install of "pick your favorite distribution". Shouldn't be more than a couple minutes to restore it.

                Yeah. Figured I'd ask though to see how people responded

                1 Reply Last reply Reply Quote 0
                • JaredBuschJ
                  JaredBusch @travisdh1
                  last edited by

                  @travisdh1 said in Linux Lab Project: Building a Linux Jump Box:

                  @wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:

                  @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                  Correct, that's one option. Or you could use it in addition to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.

                  Would the jumpbox also be a single point of failure though?

                  Well sure, but how long is it going to take to restore? A jumpbox should be a minimal install of "pick your favorite distribution". Shouldn't be more than a couple minutes to restore it.

                  Well, assuming you have all your private keys backed up and such.

                  Better solution would be to have backups and restore one.

                  1 Reply Last reply Reply Quote 2
                  • scottalanmillerS
                    scottalanmiller @black3dynamite
                    last edited by

                    @black3dynamite said in Linux Lab Project: Building a Linux Jump Box:

                    How would a jump box be used when accessing a Windows environment? Would I need to set up a jump box with a desktop environment like xfce or a window manager like i3? And then use something like Remmina to remote into a Windows Admin box to manage servers and such?

                    • SSH same as Linux if you want.
                    • PowerShell Remoting
                    • or RDP on the OS of your choice. Jump box could be Windows too.
                    1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @RamblingBiped
                      last edited by

                      @RamblingBiped said in Linux Lab Project: Building a Linux Jump Box:

                      @black3dynamite said in Linux Lab Project: Building a Linux Jump Box:

                      How would a jump box be used when accessing a Windows environment? Would I need to set up a jump box with a desktop environment like xfce or a window manager like i3? And then use something like Remmina to remote into a Windows Admin box to manage servers and such?

                      You could set up SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.

                      http://www.linuxjournal.com/content/ssh-tunneling-poor-techies-vpn

                      Or use Guacamole which handles that for you.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @wirestyle22
                        last edited by

                        @wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:

                        @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                        Correct, that's one option. Or you could use it in addition to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.

                        Would the jumpbox also be a single point of failure though?

                        For access, yes. But loss of access is not a production impact. And jump boxes are stateless so totally trivial to make redundant.

                        1 Reply Last reply Reply Quote 1
                        • JaredBuschJ
                          JaredBusch @scottalanmiller
                          last edited by JaredBusch

                          @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                          First you would create users and SSH keys and then deploy them to the other boxes that you wish to connect to. This is the core of what makes the Jump Box a Jump Box. This is standard SSH key setup, nothing unique to a Jump Box.

                          Did you ever make a good write up on creating users and SSH keys? If so, I cannot find it.

                          I mean, I know how to make and use keys in general. But detail here would be good.

                          1. Write up for creating the users on the jump box and getting their SSH keys.
                          2. Write up for pushing users and keys to other systems that said jump box will be allowing access.
                          3. Write up for control of said access.
                            1. Bob and Jill have access to Jump Box.
                            2. Bob has access to servers 1 & 2.
                            3. Jill has access to servers 2 & 3.
                          JaredBuschJ 1 Reply Last reply Reply Quote 1
                          • JaredBuschJ
                            JaredBusch @scottalanmiller
                            last edited by

                            Additional steps that are often interesting are to add two factor authentication to the Jump Box, such as Google Authenticator.

                            Anyone know a solid guide for adding Google auth to Fedora before I just google one up in the morning?

                            black3dynamiteB 1 Reply Last reply Reply Quote 1
                            • black3dynamiteB
                              black3dynamite @JaredBusch
                              last edited by black3dynamite

                              @JaredBusch said in Linux Lab Project: Building a Linux Jump Box:

                              Additional steps that are often interesting are to add two factor authentication to the Jump Box, such as Google Authenticator.

                              Anyone know a solid guide for adding Google auth to Fedora before I just google one up in the morning?

                              This might help get you started. Although it's based on CentOS using yum instead of dnf.
                              https://mangolassi.it/topic/6174/lab-project-2fa-with-google-authenticator/2

                              NerdyDadN 1 Reply Last reply Reply Quote 0
                              • NerdyDadN
                                NerdyDad @black3dynamite
                                last edited by

                                @black3dynamite That's because CentOS is still using yum and not dnf yet.

                                1 Reply Last reply Reply Quote 0
                                • JaredBuschJ
                                  JaredBusch @JaredBusch
                                  last edited by

                                  @JaredBusch said in Linux Lab Project: Building a Linux Jump Box:

                                  @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                                  First you would create users and SSH keys and then deploy them to the other boxes that you wish to connect to. This is the core of what makes the Jump Box a Jump Box. This is standard SSH key setup, nothing unique to a Jump Box.

                                  Did you ever make a good write up on creating users and SSH keys? If so, I cannot find it.

                                  I mean, I know how to make and use keys in general. But detail here would be good.

                                  1. Write up for creating the users on the jump box and getting their SSH keys.
                                  2. Write up for pushing users and keys to other systems that said jump box will be allowing access.
                                  3. Write up for control of said access.
                                    1. Bob and Jill have access to Jump Box.
                                    2. Bob has access to servers 1 & 2.
                                    3. Jill has access to servers 2 & 3.

                                  I know that @scottalanmiller has mentioned in another thread that he has a script to push this all out (question 2). I can only assume that the script has some controls to tell you which server to shove the key and user logon to (question 3).

                                  1 Reply Last reply Reply Quote 1
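
One way the access control asked about in point 3 (here and in the earlier post with the same list) could be expressed, as an added example that is not the script mentioned in the thread: the Bob/Jill matrix drives which `authorized_keys` entry is generated for which server, and each entry carries `from=` so the key is accepted only when the connection originates from the jump box. The ACL format, server names, jump box address and key strings are constructed assumptions.

```shell
#!/bin/sh
# Added example: ACL format, names, address and key text are constructed.

JUMP_IP=10.0.0.5   # assumed address of the jump box

# Access matrix from the post: one "user: servers" line per user.
acl() {
cat <<'EOF'
bob: server1 server2
jill: server2 server3
EOF
}

# Stand-ins for each user's public key as generated on the jump box.
pubkey_for() {
    case "$1" in
        bob)  echo 'ssh-ed25519 AAAAC3...bob-placeholder bob@jumpbox' ;;
        jill) echo 'ssh-ed25519 AAAAC3...jill-placeholder jill@jumpbox' ;;
        *)    return 1 ;;
    esac
}

# List the users the matrix allows on one server.
users_for_server() {
    acl | while IFS=': ' read -r user servers; do
        for s in $servers; do
            if [ "$s" = "$1" ]; then echo "$user"; fi
        done
    done
}

# Print the line to install as ~user/.ssh/authorized_keys on a server.
# Fails when the matrix does not grant that user access to that server.
authorized_keys_for() {  # server user
    users_for_server "$1" | grep -qxF "$2" || return 1
    printf 'from="%s",no-agent-forwarding %s\n' "$JUMP_IP" "$(pubkey_for "$2")"
}

# Deployment plan: one "server user" pair per granted access.
plan() {
    for srv in server1 server2 server3; do
        for u in $(users_for_server "$srv"); do echo "$srv $u"; done
    done
}

plan
authorized_keys_for server2 jill
```

Anything that pushes keys can iterate over `plan` and write the output of `authorized_keys_for` to the matching account; a pair missing from the matrix produces no entry at all.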