    Linux Lab Project: Building a Linux Jump Box

    • Shizrah

      Nice post Scott, quick and to the point. UI looks super easy to use :)... Maybe I'll capture the process of standing up a Puppet Master.

      ~Shane

      • scottalanmiller

        CentOS works great as a basic jump box. If you want something with a great graphical interface, I highly recommend Linux Mint which handles this very well. For our Scale cluster in our lab we decided that Mint made more sense for us because of the mix of use cases. CentOS, Suse, Fedora, Ubuntu, Mint and more, many good options that are very flexible.

        • Dashrender

          Why is a graphical interface on a Jump box relevant?

          • JaredBusch

            @scottalanmiller I noted that this example used the 1406 Minimal ISO. As we determined yesterday, this means the firewall is not running. Well, unless installing fail2ban kicks firewalld as a prereq.

            • FATeknollogee

              Does this thread in 2017 require any updates?

              • scottalanmiller @FATeknollogee

                @FATeknollogee said in Linux Lab Project: Building a Linux Jump Box:

                Does this thread in 2017 require any updates?

                No. CentOS has not updated.

                • FATeknollogee @scottalanmiller

                  @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                  No. CentOS has not updated.

                  My question was more about the "Jump Box" & whether there is an updated/better way to do this in 2017 (since any of the popular *nix o/s's can be used)

                  • scottalanmiller @FATeknollogee

                    @FATeknollogee said in Linux Lab Project: Building a Linux Jump Box:

                    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                    No. CentOS has not updated.

                    My question was more about the "Jump Box" & whether there is an updated/better way to do this in 2017 (since any of the popular *nix o/s's can be used)

                    Well, State Systems are the "new" way to replace Jump Boxes. But that's a big leap (excuse the pun).

                    • FATeknollogee @scottalanmiller

                      @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                      Well, State Systems are the "new" way to replace Jump Boxes. But that's a big leap (excuse the pun).

                      Have you done this on your systems?

                      • scottalanmiller @FATeknollogee

                        @FATeknollogee said in Linux Lab Project: Building a Linux Jump Box:

                        @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                        Well, State Systems are the "new" way to replace Jump Boxes. But that's a big leap (excuse the pun).

                        Have you done this on your systems?

                        Of course 🙂

                        • AdamF @scottalanmiller

                          @scottalanmiller This might deserve a new thread, but what type of system resources are taken by a typical agent? (specifically, a saltstack minion)

                          • scottalanmiller @AdamF

                            @fuznutz04 said in Linux Lab Project: Building a Linux Jump Box:

                            @scottalanmiller This might deserve a new thread, but what type of system resources are taken by a typical agent? (specifically, a saltstack minion)

                            A few, it's not none. But that's Salt. It's heavy on the agent side and is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just approaching zero, but to actual zero (when not applying state) because there doesn't have to be an agent. Salt will do agentless as well, but it defeats much of the benefits. If you want that, I'd go Ansible.

                            • AdamF @scottalanmiller

                              @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                              d is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just ap

                              I usually have enough overhead for additional things like this. Just wanted to make sure that it's not a "crazy" amount of memory/CPU usage.

                              • scottalanmiller @AdamF

                                @fuznutz04 said in Linux Lab Project: Building a Linux Jump Box:

                                @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                                d is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just ap

                                I usually have enough overhead for additional things like this. Just wanted to make sure that it's not a "crazy" amount of memory/CPU usage.

                                Not crazy, but uses more than top.

                                • AdamF @scottalanmiller

                                  @scottalanmiller Good to know. Thanks.

                                  • travisdh1 @scottalanmiller

                                    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                                    @fuznutz04 said in Linux Lab Project: Building a Linux Jump Box:

                                    @scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:

                                    d is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just ap

                                    I usually have enough overhead for additional things like this. Just wanted to make sure that it's not a "crazy" amount of memory/CPU usage.

                                    Not crazy, but uses more than top.

                                    Would that be more than top but less than glances?

                                    • NashBrydges

                                      So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment. I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.

                                      What are the scenarios where one would choose this setup?

                                      • gjacobse @NashBrydges

                                        @NashBrydges said in Linux Lab Project: Building a Linux Jump Box:

                                        So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment. I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.

                                        What are the scenarios where one would choose this setup?

                                        We use a Jump box for a number of reasons....

                                        On PBX systems we can access the back end faster than using the GUI. And for some tasks it's really the only way. You update the kernel via SSH.

                                        So in our case, @scottalanmiller has set up the security ring for the systems, I connect to one box and jump to the others with little else. It's faster, more secure and easier to manage.

                                        Also, you can run the command (shutdown or other) ON the jump box and not sign into the other system.... saving steps

                                        • NashBrydges @gjacobse

                                          @gjacobse said in Linux Lab Project: Building a Linux Jump Box:

                                          @NashBrydges said in Linux Lab Project: Building a Linux Jump Box:

                                          So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment. I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.

                                          What are the scenarios where one would choose this setup?

                                          We use a Jump box for a number of reasons....

                                          On PBX systems we can access the back end faster than using the GUI. And for some tasks it's really the only way. You update the kernel via SSH.

                                          So in our case, @scottalanmiller has set up the security ring for the systems, I connect to one box and jump to the others with little else. It's faster, more secure and easier to manage.

                                          Also, you can run the command (shutdown or other) ON the jump box and not sign into the other system.... saving steps

                                          Hmmmm, so is the use-case then to have 1 single very secured entry point and then not require sign-on for other systems? While that may make it easier to traverse the security layers, this would essentially remove one of those layers (the second system sign-on). Am I misunderstanding this?

                                          • scottalanmiller @NashBrydges

                                            @NashBrydges said in Linux Lab Project: Building a Linux Jump Box:

                                            So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment.

                                            VPNs expose systems to both direct attack as well as to an open range of attacks. A jump box need only expose a single protocol either way. A VPN is inherently only useful if LAN security is in place; the point of the jump box is to eliminate the need for that.

                                            Of course a jump box has risks, nothing is riskless. But the degree of risk is very different. For example, there is no extant malware through jump boxes today, but essentially all are a threat through VPNs.
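
Added example, not part of any post in this thread: one way to check two points raised above, that firewalld is actually running on the jump box and that its zone exposes nothing but SSH. It parses `firewall-cmd --list-all` output; `audit_zone` is a hypothetical helper name and the zone listings embedded in the script are constructed samples.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit a firewalld zone on a jump box.
# audit_zone is a hypothetical helper; the sample listings below are constructed.

# Reads `firewall-cmd --list-all` output on stdin, prints every exposure other
# than the ssh service (one per line) and returns non-zero if it finds any.
audit_zone() {
    awk '
        BEGIN { bad = 0; seen = 0; in_rich = 0 }
        $1 == "services:" {
            seen = 1
            for (i = 2; i <= NF; i++)
                if ($i != "ssh") { print "service " $i; bad = 1 }
        }
        $1 == "ports:"         { for (i = 2; i <= NF; i++) { print "port " $i; bad = 1 } }
        $1 == "forward-ports:" { for (i = 2; i <= NF; i++) { print "forward-port " $i; bad = 1 } }
        # Rich rules are listed one per line after the "rich rules:" header.
        in_rich && NF          { sub(/^[ \t]+/, ""); print "rich-rule " $0; bad = 1 }
        $1 == "rich" && $2 == "rules:" { in_rich = 1 }
        END {
            # No "services:" line at all: firewalld is stopped or printed an error.
            if (!seen) { print "no zone listed (is firewalld running?)"; bad = 1 }
            exit bad
        }
    '
}

JUMP_ONLY='public (active)
  services: ssh
  ports:
  forward-ports:
  rich rules:'

TOO_OPEN='public (active)
  services: dhcpv6-client ssh
  ports: 8080/tcp
  forward-ports:
  rich rules:'

NOT_RUNNING='FirewallD is not running'

# On a real jump box: firewall-cmd --list-all | audit_zone
for sample in "$JUMP_ONLY" "$TOO_OPEN" "$NOT_RUNNING"; do
    if printf '%s\n' "$sample" | audit_zone; then echo "OK: only ssh exposed"; fi
    echo "--"
done
```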
