Linux Lab Project: Building a Linux Jump Box
-
Jump servers are one of the easier projects to tackle and a great starting place on your Linux journey as they are easy to make, very useful, have little to no external dependencies and are often a foundation point for starting a UNIX infrastructure. In this lab project we will build a very basic Linux Jump Server using CentOS 7.
For a Jump Server we can do a very basic install, we can easily get away with a single vCPU and 1GB of RAM. We need only the most minimal local storage so 8GB should be more than enough. Once we have the settings ready, we can do a minimal install option and accept all of the defaults. No special needs here.
As always we start by patching up to current...
yum -y update yum -y install epel-release yum -y install fail2ban
And truly, this is enough to have a starter Jump Box. Very basic, of course, and probably not where we would want to stop. Where do we go from here?
First you would create users and SSH keys and then deploy them to the other boxes that you wish to connect to. This is the core of what makes the Jump Box a Jump Box. This is standard SSH key setup, nothing unique to a Jump Box.
Additional steps that are often interesting are to add two factor authentication to the Jump Box, such as Google Authenticator.
-
Nice post Scott, quick and to the point. UI looks super easy to use :)... Maybe I'll capture the process of standing up a Puppet Master.
~Shane
-
CentOS works great as a basic jump box. If you want something with a great graphical interface, I highly recommend Linux Mint which handles this very well. For our Scale cluster in our lab we decided that Mint made more sense for us because of the mix of use cases. CentOS, Suse, Fedora, Ubuntu, Mint and more, many good options that are very flexible.
-
Why is a graphical interface on a Jump box relevant?
-
@scottalanmiller I noted that this example used the 1406 Minimal ISO. As we determined yesterday. this means the firewall is not running. Well unless installing
fail2ban
kicksfirewalld
as a prereq. -
Does this thread in 2017 require any updates?
-
@FATeknollogee said in Linux Lab Project: Building a Linux Jump Box:
Does this thread in 2017 require any updates?
No. CentOS has not updated.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
No. CentOS has not updated.
My question was more about the "Jump Box" & whether is an updated/better way to do this in 2017 (since any of the popular *nix o/s's can be used)
-
@FATeknollogee said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
No. CentOS has not updated.
My question was more about the "Jump Box" & whether is an updated/better way to do this in 2017 (since any of the popular *nix o/s's can be used)
Well State Systems are the "new" way to replace Jump Boxes. But that's a big leap (excuse the pun).
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Well State Systems are the "new" way to replace Jump Boxes. But that's a big leap (excuse the pun).
Have you done this on your systems?
-
@FATeknollogee said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Well State Systems are the "new" way to replace Jump Boxes. But that's a big leap (excuse the pun).
Have you done this on your systems?
Of course
-
@scottalanmiller This might deserve a new thread, but what type of system resources are taken by a typical agent? (specifically, a saltstack minion)
-
@fuznutz04 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller This might deserve a new thread, but what type of system resources are taken by a typical agent? (specifically, a saltstack minion)
A few, it's not none. But that's Salt. It's heavy on the agent side and is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just approaching zero, but to actual zero (when not applying state) because there doesn't have to be an agent. Salt will do agentless as well, but it defeats much of the benefits. If you want that, I'd go Ansible.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
d is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just ap
I usually have enough overhead for additional things like this. Just wanted to make sure that it's not a "crazy" amount of memory/CPU usage.
-
@fuznutz04 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
d is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just ap
I usually have enough overhead for additional things like this. Just wanted to make sure that it's not a "crazy" amount of memory/CPU usage.
Not crazy, but uses more than top.
-
@scottalanmiller Good to know. Thanks.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
@fuznutz04 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
d is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just ap
I usually have enough overhead for additional things like this. Just wanted to make sure that it's not a "crazy" amount of memory/CPU usage.
Not crazy, but uses more than top.
Would that be more than top but less than glances?
-
So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment. I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.
What are the scenarios where one would chose this setup?
-
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment. I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.
What are the scenarios where one would chose this setup?
We use a Jump box for a number of reasons....
On PBX systems we can access the back in faster than using the GUI. And for some tasks it's really the only way. You update the kernel via SSH.
So in our case, @scottalanmiller has set up the security ring for the systems, I connect one box and jump to the others with little else. it's faster, more secure and easier to manage
Also, you can run the command (shutdown or other) ON the jump box and not sign into the other system.... saving steps
-
@gjacobse said in Linux Lab Project: Building a Linux Jump Box:
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment. I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.
What are the scenarios where one would chose this setup?
We use a Jump box for a number of reasons....
On PBX systems we can access the back in faster than using the GUI. And for some tasks it's really the only way. You update the kernel via SSH.
So in our case, @scottalanmiller has set up the security ring for the systems, I connect one box and jump to the others with little else. it's faster, more secure and easier to manage
Also, you can run the command (shutdown or other) ON the jump box and not sign into the other system.... saving steps
Hmmmm, so is the use-case then to have 1 single very secured entry point and then not require sign-on for other systems? While that may make it easier to traverse the security layers, this would essentially remove one of those layers (the second system sign-on). Am I misunderstanding this?