Linux Lab Project: Building a Linux Jump Box


  • Service Provider

    Jump servers are one of the easier projects to tackle and a great starting place on your Linux journey as they are easy to make, very useful, have little to no external dependencies and are often a foundation point for starting a UNIX infrastructure. In this lab project we will build a very basic Linux Jump Server using CentOS 7.

    For a Jump Server we can do a very basic install, we can easily get away with a single vCPU and 1GB of RAM. We need only the most minimal local storage so 8GB should be more than enough. Once we have the settings ready, we can do a minimal install option and accept all of the defaults. No special needs here.

    Linux CentOS 7 Jump Scale HC3

    As always we start by patching up to current...

    yum -y update
    yum -y install epel-release
    yum -y install fail2ban
    

    And truly, this is enough to have a starter Jump Box. Very basic, of course, and probably not where we would want to stop. Where do we go from here?

    First you would create users and SSH keys and then deploy them to the other boxes that you wish to connect to. This is the core of what makes the Jump Box a Jump Box. This is standard SSH key setup, nothing unique to a Jump Box.

    Additional steps that are often interesting are to add two factor authentication to the Jump Box, such as Google Authenticator.



  • Nice post Scott, quick and to the point. UI looks super easy to use :)... Maybe I'll capture the process of standing up a Puppet Master.

    ~Shane


  • Service Provider

    CentOS works great as a basic jump box. If you want something with a great graphical interface, I highly recommend Linux Mint which handles this very well. For our Scale cluster in our lab we decided that Mint made more sense for us because of the mix of use cases. CentOS, Suse, Fedora, Ubuntu, Mint and more, many good options that are very flexible.



  • Why is a graphical interface on a Jump box relevant?


  • Service Provider

    @scottalanmiller I noted that this example used the 1406 Minimal ISO. As we determined yesterday. this means the firewall is not running. Well unless installing fail2ban kicks firewalld as a prereq.



  • Does this thread in 2017 require any updates?


  • Service Provider

    @FATeknollogee said in Linux Lab Project: Building a Linux Jump Box:

    Does this thread in 2017 require any updates?

    No. CentOS has not updated.



  • @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    No. CentOS has not updated.

    My question was more about the "Jump Box" & whether is an updated/better way to do this in 2017 (since any of the popular *nix o/s's can be used)


  • Service Provider

    @FATeknollogee said in Linux Lab Project: Building a Linux Jump Box:

    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    No. CentOS has not updated.

    My question was more about the "Jump Box" & whether is an updated/better way to do this in 2017 (since any of the popular *nix o/s's can be used)

    Well State Systems are the "new" way to replace Jump Boxes. But that's a big leap (excuse the pun).



  • @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    Well State Systems are the "new" way to replace Jump Boxes. But that's a big leap (excuse the pun).

    Have you done this on your systems?


  • Service Provider

    @FATeknollogee said in Linux Lab Project: Building a Linux Jump Box:

    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    Well State Systems are the "new" way to replace Jump Boxes. But that's a big leap (excuse the pun).

    Have you done this on your systems?

    Of course :)



  • @scottalanmiller This might deserve a new thread, but what type of system resources are taken by a typical agent? (specifically, a saltstack minion)


  • Service Provider

    @fuznutz04 said in Linux Lab Project: Building a Linux Jump Box:

    @scottalanmiller This might deserve a new thread, but what type of system resources are taken by a typical agent? (specifically, a saltstack minion)

    A few, it's not none. But that's Salt. It's heavy on the agent side and is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just approaching zero, but to actual zero (when not applying state) because there doesn't have to be an agent. Salt will do agentless as well, but it defeats much of the benefits. If you want that, I'd go Ansible.



  • @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    d is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just ap

    I usually have enough overhead for additional things like this. Just wanted to make sure that it's not a "crazy" amount of memory/CPU usage.


  • Service Provider

    @fuznutz04 said in Linux Lab Project: Building a Linux Jump Box:

    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    d is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just ap

    I usually have enough overhead for additional things like this. Just wanted to make sure that it's not a "crazy" amount of memory/CPU usage.

    Not crazy, but uses more than top.



  • @scottalanmiller Good to know. Thanks.



  • @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    @fuznutz04 said in Linux Lab Project: Building a Linux Jump Box:

    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    d is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just ap

    I usually have enough overhead for additional things like this. Just wanted to make sure that it's not a "crazy" amount of memory/CPU usage.

    Not crazy, but uses more than top.

    Would that be more than top but less than glances?



  • So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment. I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.

    What are the scenarios where one would chose this setup?



  • @NashBrydges said in Linux Lab Project: Building a Linux Jump Box:

    So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment. I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.

    What are the scenarios where one would chose this setup?

    We use a Jump box for a number of reasons....

    On PBX systems we can access the back in faster than using the GUI. And for some tasks it's really the only way. You update the kernel via SSH.

    So in our case, @scottalanmiller has set up the security ring for the systems, I connect one box and jump to the others with little else. it's faster, more secure and easier to manage

    Also, you can run the command (shutdown or other) ON the jump box and not sign into the other system.... saving steps



  • @gjacobse said in Linux Lab Project: Building a Linux Jump Box:

    @NashBrydges said in Linux Lab Project: Building a Linux Jump Box:

    So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment. I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.

    What are the scenarios where one would chose this setup?

    We use a Jump box for a number of reasons....

    On PBX systems we can access the back in faster than using the GUI. And for some tasks it's really the only way. You update the kernel via SSH.

    So in our case, @scottalanmiller has set up the security ring for the systems, I connect one box and jump to the others with little else. it's faster, more secure and easier to manage

    Also, you can run the command (shutdown or other) ON the jump box and not sign into the other system.... saving steps

    Hmmmm, so is the use-case then to have 1 single very secured entry point and then not require sign-on for other systems? While that may make it easier to traverse the security layers, this would essentially remove one of those layers (the second system sign-on). Am I misunderstanding this?


  • Service Provider

    @NashBrydges said in Linux Lab Project: Building a Linux Jump Box:

    So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment.

    VPNs expose systems to both direct attack as well as to an open range of attacks. A jump box need only expose a single protocol either way. A VPN is inherently only useful if LAN security is in place, the point of the jump box is to eliminate that need for that.

    Of course a jump box has risks, nothing is riskless. But the degree of risk is very different. For example, there is no extent malware through through jump boxes today, but essentially all are a threat through VPNs.


  • Service Provider

    @NashBrydges said in Linux Lab Project: Building a Linux Jump Box:

    I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.

    Flip it around... if a jump box gives you access to what you need, and a VPN gives you that access plus a lot of access that you don't need, that's a larger attack surface. Unless the VPN is bringing benefits additional to the jump system, that alone is a negative.

    What's the benefit to the VPN approach?


  • Service Provider

    @NashBrydges said in Linux Lab Project: Building a Linux Jump Box:

    Hmmmm, so is the use-case then to have 1 single very secured entry point and then not require sign-on for other systems? While that may make it easier to traverse the security layers, this would essentially remove one of those layers (the second system sign-on). Am I misunderstanding this?

    Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source. That source can then be heavily locked down, monitored and controlled.

    In this way, your exposure protocols can be much more limited and your ability to control access is much greater. You can shut off access to a single person, or even everyone, in a split second. You can audit every connection attempt that could have made it. You can see all actions in a central location.


  • Service Provider

    So a Jump system can be about smoothing access to make it faster. Or it can be amount making access more secure. Or both.

    It is, in many ways, about eliminating the free for all of access that is common with a VPN where you traditionally have many peers all able to access each other making access difficult to track and control.

    Which is why large shops traditionally use a jump box even on a LAN. So even if you had a VPN, you might still have the jump box.



  • @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    So a Jump system can be about smoothing access to make it faster. Or it can be amount making access more secure. Or both.

    It is, in many ways, about eliminating the free for all of access that is common with a VPN where you traditionally have many peers all able to access each other making access difficult to track and control.

    Which is why large shops traditionally use a jump box even on a LAN. So even if you had a VPN, you might still have the jump box.

    I had started typing out an entirely different response with scenarios comparing VPN and jump box and wasn't until the end that I saw where the jump box approach may be much simpler. It avoids having to manipulate multiple systems to provide a similar level of control (if I understood this correctly) over accessibility. Manage a single jump box instead of VPN, firewall, entity/authentication management...etc.


  • Service Provider

    @NashBrydges said in Linux Lab Project: Building a Linux Jump Box:

    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    So a Jump system can be about smoothing access to make it faster. Or it can be amount making access more secure. Or both.

    It is, in many ways, about eliminating the free for all of access that is common with a VPN where you traditionally have many peers all able to access each other making access difficult to track and control.

    Which is why large shops traditionally use a jump box even on a LAN. So even if you had a VPN, you might still have the jump box.

    I had started typing out an entirely different response with scenarios comparing VPN and jump box and wasn't until the end that I saw where the jump box approach may be much simpler. It avoids having to manipulate multiple systems to provide a similar level of control (if I understood this correctly) over accessibility. Manage a single jump box instead of VPN, firewall, entity/authentication management...etc.

    Correct. Now of course you can do some work with a VPN to make it kind of mimic a jump box. But it would be more work and still doesn't gap quite as well. VPNs have the advantage of allowing a direct connection. But that is part of what we are trying to avoid in many cases.



  • @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    @NashBrydges said in Linux Lab Project: Building a Linux Jump Box:

    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    So a Jump system can be about smoothing access to make it faster. Or it can be amount making access more secure. Or both.

    It is, in many ways, about eliminating the free for all of access that is common with a VPN where you traditionally have many peers all able to access each other making access difficult to track and control.

    Which is why large shops traditionally use a jump box even on a LAN. So even if you had a VPN, you might still have the jump box.

    I had started typing out an entirely different response with scenarios comparing VPN and jump box and wasn't until the end that I saw where the jump box approach may be much simpler. It avoids having to manipulate multiple systems to provide a similar level of control (if I understood this correctly) over accessibility. Manage a single jump box instead of VPN, firewall, entity/authentication management...etc.

    Correct. Now of course you can do some work with a VPN to make it kind of mimic a jump box. But it would be more work and still doesn't gap quite as well. VPNs have the advantage of allowing a direct connection. But that is part of what we are trying to avoid in many cases.

    Right. Thanks for taking the time to walk me through this.


  • Service Provider

    Think of a Jump box much like a man trap in a building. Does it keep all threats out? Of course not. But a man trap revolving door never allows the inside and outside air pressures to be directly exposed. A VPN opens the floodgates between two networks allowing things just looking for a route to flood across. It grows the LAN.



  • @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    Think of a Jump box much like a man trap in a building. Does it keep all threats out? Of course not. But a man trap revolving door never allows the inside and outside air pressures to be directly exposed. A VPN opens the floodgates between two networks allowing things just looking for a route to flood across. It grows the LAN.

    Any drawbacks of jump box over VPN?


  • Service Provider

    @NerdyDad said in Linux Lab Project: Building a Linux Jump Box:

    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

    Think of a Jump box much like a man trap in a building. Does it keep all threats out? Of course not. But a man trap revolving door never allows the inside and outside air pressures to be directly exposed. A VPN opens the floodgates between two networks allowing things just looking for a route to flood across. It grows the LAN.

    Any drawbacks of jump box over VPN?

    Depends, if you WANT full access for other things, then yes. Like a VPN let's you map drives directly to your desktop. Those are things I normally seek to avoid. But, you can't deny that it is handy. A VPN is basically "less security", by moving you back to the LAN-based network security model. It's like the dark side, it's faster and easier, but ultimately it consumes you.

    VPNs are fast and easy, no need to really secure things. And then ransomware pwns you.



Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.