Linux Lab Project: Building a Linux Jump Box
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Think of a Jump box much like a man trap in a building. Does it keep all threats out? Of course not. But a man trap revolving door never allows the inside and outside air pressures to be directly exposed. A VPN opens the floodgates between two networks allowing things just looking for a route to flood across. It grows the LAN.
Any drawbacks of jump box over VPN?
-
@NerdyDad said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Think of a Jump box much like a man trap in a building. Does it keep all threats out? Of course not. But a man trap revolving door never allows the inside and outside air pressures to be directly exposed. A VPN opens the floodgates between two networks allowing things just looking for a route to flood across. It grows the LAN.
Any drawbacks of jump box over VPN?
Depends, if you WANT full access for other things, then yes. Like a VPN let's you map drives directly to your desktop. Those are things I normally seek to avoid. But, you can't deny that it is handy. A VPN is basically "less security", by moving you back to the LAN-based network security model. It's like the dark side, it's faster and easier, but ultimately it consumes you.
VPNs are fast and easy, no need to really secure things. And then ransomware pwns you.
-
VPNs are handy because you can do things like map a drive or run VoIP over them. But you can do all of those things in other ways too, if needed.
-
With a JumpBox instead of a VPN, you would still be able to administer systems remotely, as if you were in front of the console. But, you would not be able to download files or stream media with a jump box. Am I understanding this correctly?
-
@NerdyDad said in Linux Lab Project: Building a Linux Jump Box:
With a JumpBox instead of a VPN, you would still be able to administer systems remotely, as if you were in front of the console. But, you would not be able to download files or stream media with a jump box. Am I understanding this correctly?
That's correct. And that's an important part of the gapping.
-
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
-
I understand that theory is that you setup all your security on the jumpbox and don't worry as much about the other systems... but doesn't a jumpbox provide a single target for penetration? Can't someone who gains access to the jumpbox access every other system that user has access too? I understand that your using keys, and not passwords...
-
@aaronstuder said in Linux Lab Project: Building a Linux Jump Box:
I understand that theory is that you setup all your security on the jumpbox and don't worry as much about the other systems... but doesn't a jumpbox provide a single target for penetration? Can't someone who gains access to the jumpbox access every other system that user has access too? I understand that your using keys, and not passwords...
The general theory should not be Jump security instead of others. It should be in addition to.
-
@aaronstuder said in Linux Lab Project: Building a Linux Jump Box:
I understand that your using keys, and not passwords...
You can use both. Of course if you use the Jump box solely to easy access and not to enhance it, you carry the risk of the Jump box being compromised. But you can mitigate this by increasing the security of the Jump box, adding security between the Jump box and the other hosts or both.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
-
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
You can use SCP, SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy. So you can do that trivially. Is it the recommend way to do this? Not normally, no. Do a lot of us do it because it is easy, yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
You can use SCP, SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy. So you can do that trivially. Is it the recommend way to do this? Not normally, no. Do a lot of us do it because it is easy, yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.
Who said anything about a file server? Each PBX is a unique system with nothing tying them together except me managing them.
Korora Desktop in Chicago -> Jump box -> Vultr node 1 (PBX A )
Korora Desktop in Chicago -> Jump box -> Vultr node 2 (PBX B )
Korora Desktop in Chicago -> Jump box -> Internal Node 1 (PBX C ) -
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
You can use SCP, SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy. So you can do that trivially. Is it the recommend way to do this? Not normally, no. Do a lot of us do it because it is easy, yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.
Who said anything about a file server? Each PBX is a unique system with nothing tying them together except me managing them.
Korora Desktop in Chicago -> Jump box -> Vultr node 1 (PBX A )
Korora Desktop in Chicago -> Jump box -> Vultr node 2 (PBX B )
Korora Desktop in Chicago -> Jump box -> Internal Node 1 (PBX C )Oh, I misunderstood. You are uploading to the TFTP folder of the individual servers, not a central one on your jump box that you are using the jump box to push out. TFTP is a file server, but you have many of them that your jump is sending to, not one that they all pull from.
-
How would a jump box used when access a Windows environment? Would I need to setup a jump box with a desktop environment like xfce or windows manager like i3. And then use something like Remmina to remote into a Windows Admin box to manage Servers and such.
-
@black3dynamite said in Linux Lab Project: Building a Linux Jump Box:
How would a jump box used when access a Windows environment? Would I need to setup a jump box with a desktop environment like xfce or windows manager like i3. And then use something like Remmina to remote into a Windows Admin box to manage Servers and such.
You could setup SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.
http://www.linuxjournal.com/content/ssh-tunneling-poor-techies-vpn
-
@RamblingBiped said in Linux Lab Project: Building a Linux Jump Box:
@black3dynamite said in Linux Lab Project: Building a Linux Jump Box:
How would a jump box used when access a Windows environment? Would I need to setup a jump box with a desktop environment like xfce or windows manager like i3. And then use something like Remmina to remote into a Windows Admin box to manage Servers and such.
You could setup SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.
Thanks. That setup is a lot straight forward and less of a headache to manage.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.
Would the jumpbox also be a single point of failure though?
-
@wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.
Would the jumpbox also be a single point of failure though?
Well sure, but how long is it going to take to restore? A jumpbox should be a minimal install of "pick your favorite distribution". Shouldn't be more than a couple minutes to restore it.
-
@travisdh1 said in Linux Lab Project: Building a Linux Jump Box:
@wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.
Would the jumpbox also be a single point of failure though?
Well sure, but how long is it going to take to restore? A jumpbox should be a minimal install of "pick your favorite distribution". Shouldn't be more than a couple minutes to restore it.
Yeah. Figured I'd ask though to see how people responded
-
@travisdh1 said in Linux Lab Project: Building a Linux Jump Box:
@wirestyle22 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.
Would the jumpbox also be a single point of failure though?
Well sure, but how long is it going to take to restore? A jumpbox should be a minimal install of "pick your favorite distribution". Shouldn't be more than a couple minutes to restore it.
Well, assuming you have all your private keys backed up and such.
Better solution would be to have backups and restore one.