Linux Lab Project: Building a Linux Jump Box
-
@aaronstuder said in Linux Lab Project: Building a Linux Jump Box:
I understand that your using keys, and not passwords...
You can use both. Of course if you use the Jump box solely to easy access and not to enhance it, you carry the risk of the Jump box being compromised. But you can mitigate this by increasing the security of the Jump box, adding security between the Jump box and the other hosts or both.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
-
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
You can use SCP, SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy. So you can do that trivially. Is it the recommend way to do this? Not normally, no. Do a lot of us do it because it is easy, yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
You can use SCP, SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy. So you can do that trivially. Is it the recommend way to do this? Not normally, no. Do a lot of us do it because it is easy, yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.
Who said anything about a file server? Each PBX is a unique system with nothing tying them together except me managing them.
Korora Desktop in Chicago -> Jump box -> Vultr node 1 (PBX A )
Korora Desktop in Chicago -> Jump box -> Vultr node 2 (PBX B )
Korora Desktop in Chicago -> Jump box -> Internal Node 1 (PBX C ) -
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
You can use SCP, SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy. So you can do that trivially. Is it the recommend way to do this? Not normally, no. Do a lot of us do it because it is easy, yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.
Who said anything about a file server? Each PBX is a unique system with nothing tying them together except me managing them.
Korora Desktop in Chicago -> Jump box -> Vultr node 1 (PBX A )
Korora Desktop in Chicago -> Jump box -> Vultr node 2 (PBX B )
Korora Desktop in Chicago -> Jump box -> Internal Node 1 (PBX C )Oh, I misunderstood. You are uploading to the TFTP folder of the individual servers, not a central one on your jump box that you are using the jump box to push out. TFTP is a file server, but you have many of them that your jump is sending to, not one that they all pull from.
-
How would a jump box used when access a Windows environment? Would I need to setup a jump box with a desktop environment like xfce or windows manager like i3. And then use something like Remmina to remote into a Windows Admin box to manage Servers and such.
-
@black3dynamite said in Linux Lab Project: Building a Linux Jump Box:
How would a jump box used when access a Windows environment? Would I need to setup a jump box with a desktop environment like xfce or windows manager like i3. And then use something like Remmina to remote into a Windows Admin box to manage Servers and such.
You could setup SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.
http://www.linuxjournal.com/content/ssh-tunneling-poor-techies-vpn
-
@RamblingBiped said in Linux Lab Project: Building a Linux Jump Box:
@black3dynamite said in Linux Lab Project: Building a Linux Jump Box:
How would a jump box used when access a Windows environment? Would I need to setup a jump box with a desktop environment like xfce or windows manager like i3. And then use something like Remmina to remote into a Windows Admin box to manage Servers and such.
You could setup SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.
Thanks. That setup is a lot straight forward and less of a headache to manage.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.
Would the jumpbox also be a single point of failure though?
-
@wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.
Would the jumpbox also be a single point of failure though?
Well sure, but how long is it going to take to restore? A jumpbox should be a minimal install of "pick your favorite distribution". Shouldn't be more than a couple minutes to restore it.
-
@travisdh1 said in Linux Lab Project: Building a Linux Jump Box:
@wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.
Would the jumpbox also be a single point of failure though?
Well sure, but how long is it going to take to restore? A jumpbox should be a minimal install of "pick your favorite distribution". Shouldn't be more than a couple minutes to restore it.
Yeah. Figured I'd ask though to see how people responded
-
@travisdh1 said in Linux Lab Project: Building a Linux Jump Box:
@wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.
Would the jumpbox also be a single point of failure though?
Well sure, but how long is it going to take to restore? A jumpbox should be a minimal install of "pick your favorite distribution". Shouldn't be more than a couple minutes to restore it.
Well, assuming you have all your private keys backed up and such.
Better solution would be to have backups and restore one.
-
@black3dynamite said in Linux Lab Project: Building a Linux Jump Box:
How would a jump box used when access a Windows environment? Would I need to setup a jump box with a desktop environment like xfce or windows manager like i3. And then use something like Remmina to remote into a Windows Admin box to manage Servers and such.
- SSH same as Linux if you want.
- PowerShell Remoting
- or RDP on the OS of your choice. Jump box could be Windows too.
-
@RamblingBiped said in Linux Lab Project: Building a Linux Jump Box:
@black3dynamite said in Linux Lab Project: Building a Linux Jump Box:
How would a jump box used when access a Windows environment? Would I need to setup a jump box with a desktop environment like xfce or windows manager like i3. And then use something like Remmina to remote into a Windows Admin box to manage Servers and such.
You could setup SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.
http://www.linuxjournal.com/content/ssh-tunneling-poor-techies-vpn
Or use Guacamole which handles that for you.
-
@wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.
Would the jumpbox also be a single point of failure though?
For access, yes. But loss of access is not a production impact. And jump boxes are stateless so totally trivial to make redundant.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
First you would create users and SSH keys and then deploy them to the other boxes that you wish to connect to. This is the core of what makes the Jump Box a Jump Box. This is standard SSH key setup, nothing unique to a Jump Box.
Did you ever make a good write up on creating users and SSH keys? If so, I cannot find it.
I mean, I know how to make and use keys in general. But detail here would be good.
- Write up for creating the users on the jump box and getting their SSH keys.
- Write up for pushing users and keys to other systems that said jump box will be allowing access.
- Write up for control of said access.
- Bob and Jill have access to Jump Box.
- Bob has Access to servers 1 & 2.
- Jill has access to server 2 & 3.
-
Additional steps that are often interesting are to add two factor authentication to the Jump Box, such as Google Authenticator.
Anyone know a solid guide for adding Google auth to Fedora before I just google one up in the morning?
-
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
Additional steps that are often interesting are to add two factor authentication to the Jump Box, such as Google Authenticator.
Anyone know a solid guide for adding Google auth to Fedora before I just google one up in the morning?
This might help getting you started. Although it's based on CentOS using yum instead dnf.
https://mangolassi.it/topic/6174/lab-project-2fa-with-google-authenticator/2 -
@black3dynamite That's because Centos is still using yum and not dnf yet.
-
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
First you would create users and SSH keys and then deploy them to the other boxes that you wish to connect to. This is the core of what makes the Jump Box a Jump Box. This is standard SSH key setup, nothing unique to a Jump Box.
Did you ever make a good write up on creating users and SSH keys? If so, I cannot find it.
I mean, I know how to make and use keys in general. But detail here would be good.
- Write up for creating the users on the jump box and getting their SSH keys.
- Write up for pushing users and keys to other systems that said jump box will be allowing access.
- Write up for control of said access.
- Bob and Jill have access to Jump Box.
- Bob has Access to servers 1 & 2.
- Jill has access to server 2 & 3.
I know that @scottalanmiller has mentioned in another thread that he has a script to push this all out (question 2). I can only assume that the script has some controls to tell you which server so shove the key and user logon to (question 3).