    Linux Lab Project: Building a Linux Jump Box

    56 Posts 14 Posters 19.3k Views
    • scottalanmiller @NerdyDad

      @NerdyDad said in Linux Lab Project: Building a Linux Jump Box:

      With a JumpBox instead of a VPN, you would still be able to administer systems remotely, as if you were in front of the console. But, you would not be able to download files or stream media with a jump box. Am I understanding this correctly?

      That's correct. And that's an important part of the gapping.

      • scottalanmiller

        Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.

        • Alex Sage

          I understand that the theory is that you set up all your security on the jumpbox and don't worry as much about the other systems... but doesn't a jumpbox provide a single target for penetration? Can't someone who gains access to the jumpbox access every other system that user has access to? I understand that you're using keys, and not passwords...

          • scottalanmiller @Alex Sage

            @aaronstuder said in Linux Lab Project: Building a Linux Jump Box:

            I understand that the theory is that you set up all your security on the jumpbox and don't worry as much about the other systems... but doesn't a jumpbox provide a single target for penetration? Can't someone who gains access to the jumpbox access every other system that user has access to? I understand that you're using keys, and not passwords...

            The general theory should not be Jump security instead of others. It should be in addition to.

            • scottalanmiller @Alex Sage

              @aaronstuder said in Linux Lab Project: Building a Linux Jump Box:

              I understand that you're using keys, and not passwords...

              You can use both. Of course, if you use the Jump box solely to ease access and not to enhance it, you carry the risk of the Jump box being compromised. But you can mitigate this by increasing the security of the Jump box, adding security between the Jump box and the other hosts, or both.

              • JaredBusch @scottalanmiller

                @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.

                As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re-up config files. So if I cannot transfer files with SCP, how does this help me?

                • scottalanmiller @JaredBusch

                  @JaredBusch said in Linux Lab Project: Building a Linux Jump Box:

                  @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                  Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.

                  As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re-up config files. So if I cannot transfer files with SCP, how does this help me?

                  You can use SCP; SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy, so you can do that trivially. Is it the recommended way to do this? Not normally, no. Do a lot of us do it because it is easy? Yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.

                  • JaredBusch @scottalanmiller

                    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                    @JaredBusch said in Linux Lab Project: Building a Linux Jump Box:

                    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                    Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.

                    As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re-up config files. So if I cannot transfer files with SCP, how does this help me?

                    You can use SCP; SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy, so you can do that trivially. Is it the recommended way to do this? Not normally, no. Do a lot of us do it because it is easy? Yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.

                    Who said anything about a file server? Each PBX is a unique system with nothing tying them together except me managing them.

                    Korora Desktop in Chicago -> Jump box -> Vultr node 1 (PBX A )
                    Korora Desktop in Chicago -> Jump box -> Vultr node 2 (PBX B )
                    Korora Desktop in Chicago -> Jump box -> Internal Node 1 (PBX C )

                    • scottalanmiller @JaredBusch

                      @JaredBusch said in Linux Lab Project: Building a Linux Jump Box:

                      @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                      @JaredBusch said in Linux Lab Project: Building a Linux Jump Box:

                      @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                      Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.

                      As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re-up config files. So if I cannot transfer files with SCP, how does this help me?

                      You can use SCP; SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy, so you can do that trivially. Is it the recommended way to do this? Not normally, no. Do a lot of us do it because it is easy? Yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.

                      Who said anything about a file server? Each PBX is a unique system with nothing tying them together except me managing them.

                      Korora Desktop in Chicago -> Jump box -> Vultr node 1 (PBX A )
                      Korora Desktop in Chicago -> Jump box -> Vultr node 2 (PBX B )
                      Korora Desktop in Chicago -> Jump box -> Internal Node 1 (PBX C )

                      Oh, I misunderstood. You are uploading to the TFTP folder of the individual servers, not a central one on your jump box that you are using the jump box to push out. TFTP is a file server, but you have many of them that your jump is sending to, not one that they all pull from.

                      • black3dynamite

                        How would a jump box be used when accessing a Windows environment? Would I need to set up a jump box with a desktop environment like xfce or a window manager like i3, and then use something like Remmina to remote into a Windows Admin box to manage servers and such?

                        • RamblingBiped @black3dynamite

                          @black3dynamite said in Linux Lab Project: Building a Linux Jump Box:

                          How would a jump box be used when accessing a Windows environment? Would I need to set up a jump box with a desktop environment like xfce or a window manager like i3, and then use something like Remmina to remote into a Windows Admin box to manage servers and such?

                          You could set up SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.

                          http://www.linuxjournal.com/content/ssh-tunneling-poor-techies-vpn

                          • black3dynamite @RamblingBiped

                            @RamblingBiped said in Linux Lab Project: Building a Linux Jump Box:

                            @black3dynamite said in Linux Lab Project: Building a Linux Jump Box:

                            How would a jump box be used when accessing a Windows environment? Would I need to set up a jump box with a desktop environment like xfce or a window manager like i3, and then use something like Remmina to remote into a Windows Admin box to manage servers and such?

                            You could set up SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.

                            Thanks. That setup is a lot more straightforward and less of a headache to manage.

                            • wirestyle22

                              @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                              Correct, that's one option. Or you could use it in addition to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access via protocols like SSH or RDP so that it has to originate from a single source.

                              Would the jumpbox also be a single point of failure though?

                              • travisdh1 @wirestyle22

                                @wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:

                                @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                                Correct, that's one option. Or you could use it in addition to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access via protocols like SSH or RDP so that it has to originate from a single source.

                                Would the jumpbox also be a single point of failure though?

                                Well, sure, but how long is it going to take to restore? A jumpbox should be a minimal install of "pick your favorite distribution". It shouldn't take more than a couple of minutes to restore it.

                                • wirestyle22 @travisdh1

                                  @travisdh1 said in Linux Lab Project: Building a Linux Jump Box:

                                  @wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:

                                  @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                                  Correct, that's one option. Or you could use it in addition to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access via protocols like SSH or RDP so that it has to originate from a single source.

                                  Would the jumpbox also be a single point of failure though?

                                  Well, sure, but how long is it going to take to restore? A jumpbox should be a minimal install of "pick your favorite distribution". It shouldn't take more than a couple of minutes to restore it.

                                  Yeah. Figured I'd ask, though, to see how people responded.

                                  • JaredBusch @travisdh1

                                    @travisdh1 said in Linux Lab Project: Building a Linux Jump Box:

                                    @wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:

                                    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                                    Correct, that's one option. Or you could use it in addition to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access via protocols like SSH or RDP so that it has to originate from a single source.

                                    Would the jumpbox also be a single point of failure though?

                                    Well, sure, but how long is it going to take to restore? A jumpbox should be a minimal install of "pick your favorite distribution". It shouldn't take more than a couple of minutes to restore it.

                                    Well, assuming you have all your private keys backed up and such.

                                    Better solution would be to have backups and restore one.

                                    • scottalanmiller @black3dynamite

                                      @black3dynamite said in Linux Lab Project: Building a Linux Jump Box:

                                      How would a jump box be used when accessing a Windows environment? Would I need to set up a jump box with a desktop environment like xfce or a window manager like i3, and then use something like Remmina to remote into a Windows Admin box to manage servers and such?

                                      • SSH same as Linux if you want.
                                      • PowerShell Remoting
                                      • or RDP on the OS of your choice. Jump box could be Windows too.
                                      • scottalanmiller @RamblingBiped

                                        @RamblingBiped said in Linux Lab Project: Building a Linux Jump Box:

                                        @black3dynamite said in Linux Lab Project: Building a Linux Jump Box:

                                        How would a jump box be used when accessing a Windows environment? Would I need to set up a jump box with a desktop environment like xfce or a window manager like i3, and then use something like Remmina to remote into a Windows Admin box to manage servers and such?

                                        You could set up SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.

                                        http://www.linuxjournal.com/content/ssh-tunneling-poor-techies-vpn

                                        Or use Guacamole which handles that for you.

                                        • scottalanmiller @wirestyle22

                                          @wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:

                                          @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                                          Correct, that's one option. Or you could use it in addition to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access via protocols like SSH or RDP so that it has to originate from a single source.

                                          Would the jumpbox also be a single point of failure though?

                                          For access, yes. But loss of access is not a production impact. And jump boxes are stateless, so totally trivial to make redundant.

                                          • JaredBusch @scottalanmiller

                                            @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                                            First you would create users and SSH keys and then deploy them to the other boxes that you wish to connect to. This is the core of what makes the Jump Box a Jump Box. This is standard SSH key setup, nothing unique to a Jump Box.

                                            Did you ever make a good write up on creating users and SSH keys? If so, I cannot find it.

                                            I mean, I know how to make and use keys in general. But detail here would be good.

                                            1. Write up for creating the users on the jump box and getting their SSH keys.
                                            2. Write up for pushing users and keys to other systems that said jump box will be allowing access to.
                                            3. Write up for control of said access.
                                              1. Bob and Jill have access to Jump Box.
                                              2. Bob has Access to servers 1 & 2.
                                              3. Jill has access to server 2 & 3.
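An added example (not from the thread or any poster) that ties together the two how-to threads above: the Bob/Jill access model, where each target's own authorized_keys and sshd_config decide who gets in and pin access to connections arriving via the jump box, and the earlier RDP-over-SSH-tunnel suggestion expressed as client-side ProxyJump / LocalForward config. The addresses, host names and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Derives per-target SSH access from a
# small access matrix (the Bob/Jill scenario) plus the client-side ProxyJump
# and RDP forwarding config. All addresses, hosts and keys are constructed.

JUMP_IP="203.0.113.10"   # constructed: the source address targets see
WIN_ADMIN="10.0.0.25"    # constructed: Windows admin box reached over RDP
# Constructed access matrix, one "user:server server ..." entry per line.
ACCESS="bob:server1 server2
jill:server2 server3"

# Each user's public key as held on the jump box (constructed, truncated).
pubkey_for() {
  case "$1" in
    bob)  echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5BOBKEYPLACEHOLDER bob@jump" ;;
    jill) echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5JILLKEYPLACEHOLDER jill@jump" ;;
  esac
}

# Users the matrix allows onto a given target, one per line.
users_for() {
  printf '%s\n' "$ACCESS" | while IFS=: read -r user hosts; do
    for h in $hosts; do
      if [ "$h" = "$1" ]; then echo "$user"; fi
    done
  done
}

# authorized_keys content for a target: only the users the matrix grants, with
# each key pinned by from= so it is rejected unless presented via the jump box.
authorized_keys_for() {
  for u in $(users_for "$1"); do
    printf 'from="%s",no-agent-forwarding,no-X11-forwarding %s\n' \
      "$JUMP_IP" "$(pubkey_for "$u")"
  done
}

# sshd_config line for a target: a second gate that denies everyone else and
# only admits the listed users when they arrive from the jump box.
sshd_allowusers_for() {
  printf 'AllowUsers'
  for u in $(users_for "$1"); do printf ' %s@%s' "$u" "$JUMP_IP"; done
  printf '\n'
}

# Client-side ~/.ssh/config: every target is reached through the jump box, and
# "ssh -N jump-rdp" carries RDP to the Windows admin box on localhost:3389.
client_ssh_config() {
  cat <<EOF
Host jump
    HostName $JUMP_IP

Host server1 server2 server3
    ProxyJump jump

Host jump-rdp
    HostName $JUMP_IP
    ExitOnForwardFailure yes
    LocalForward 3389 $WIN_ADMIN:3389
EOF
}
```

Run `authorized_keys_for server2` and `sshd_allowusers_for server2` to see the fragments a target with both Bob and Jill would carry; a key that is valid on the jump box but absent from a target's list grants nothing there.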