Setting Up My First Jump Server
-
So I have it set up right now where I can SSH to my Linux boxes at home from any machine I have Pertino on. However, I need a failover, or backup, so that if I needed to remote in and reboot these machines and all I had was a public machine or someone else's, I can reach them. Therefore, I want to set up my first jump server. What is the best way to do this securely?
Thanks,
A.J.
-
A jump server is actually the most basic of all UNIX servers. A completely bare OS with absolutely nothing extra except for the basics like IPTables and SAR. OpenSSH is the only public service that you need. This uses essentially no resources so the tiniest VM or cloud instance is all that you need.
-
Fail2Ban is important, and you will often want to have IPTables lock access to just your IP address or range for extra security, although if you have a dynamic IP that can be problematic.
-
@scottalanmiller said:
Fail2Ban is important, and you will often want to have IPTables lock access to just your IP address or range for extra security, although if you have a dynamic IP that can be problematic.
Right, but Fail2Ban will only lock after X number of failed login attempts, right?
-
Some people use different OSes for their jump servers, too, to make them have different vulnerabilities than the systems that they support. That way, if there is a weakness in the OS that you are jumping to (Ubuntu, probably, for you), the jump server is not exposed to the same risk, requiring someone to hack into two different systems to get through your barriers. Commonly you would see FreeBSD, NetBSD, Solaris or OpenBSD used in those cases. Dragonfly would work great too.
-
@thanksaj said:
Right, but Fail2Ban will only lock after X number of failed login attempts, right?
Correct.
-
@scottalanmiller said:
@thanksaj said:
Right, but Fail2Ban will only lock after X number of failed login attempts, right?
Correct.
Ok, cool.
-
What do I do to configure Fail2Ban? I've never set it up before. Any good walkthroughs?
-
@thanksaj said:
What do I do to configure Fail2Ban? I've never set it up before. Any good walkthroughs?
It sets itself up on install on most systems.
-
@scottalanmiller said:
@thanksaj said:
What do I do to configure Fail2Ban? I've never set it up before. Any good walkthroughs?
It sets itself up on install on most systems.
So nothing I really need to configure on it?
-
Nope. Out of the box it handles SSH.
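As a worked example of the advice in this thread (a bare host with OpenSSH as the only public service, iptables restricted to your own address range, and Fail2Ban on top), here is an added script that is not from any poster in the thread. Its assumptions: Ubuntu 14.04 as A.J. is using (OpenSSH 6.6, which has no Include directive, so the hardening lines are appended to sshd_config; Fail2Ban 0.8.x, whose SSH jail is named [ssh], while 0.9 and later name it [sshd]), an admin source range of 203.0.113.0/24 (a documentation range standing in for your own), SSH on port 22, and the file paths shown. The generator functions only print; apply_all writes the files and needs root.

```shell
#!/bin/sh
# Added example, not from the thread: configuration for a bare jump host.
# Assumptions: Ubuntu 14.04 (OpenSSH 6.6, Fail2Ban 0.8.x), an admin source
# range of 203.0.113.0/24 (a documentation range; substitute your own), and
# SSH on port 22. The generator functions only print; apply_all needs root.

JUMP_SRC="${JUMP_SRC:-203.0.113.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# sshd_config lines to append: key-only auth and no root login, with TCP
# forwarding left on because the host exists to be jumped through
# (ssh -W / ProxyCommand), and agent forwarding off so the jump host never
# holds a usable agent socket for anything it might be compromised by.
sshd_hardening() {
    cat <<'EOF'
# --- jump host hardening (appended by added example) ---
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes
AllowAgentForwarding no
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
EOF
}

# iptables ruleset in iptables-restore format: default DROP inbound, new SSH
# connections only from the admin range, ping allowed so you can see the VM is up.
iptables_rules() {
    src="$1"; port="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $port -s $src -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Fail2Ban overrides for /etc/fail2ban/jail.local (jail.conf is replaced on
# package upgrade; jail.local is not). The admin range goes in ignoreip so a
# fat-fingered passphrase from your own desk cannot ban you.
fail2ban_jail() {
    src="$1"; port="$2"
    cat <<EOF
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 3
ignoreip = 127.0.0.1/8 $src

[ssh]
enabled = true
port    = $port
filter  = sshd
logpath = /var/log/auth.log
EOF
}

# Write everything, confirm sshd still parses its config, then reload.
# Keep an existing SSH session open while doing this so a typo cannot lock you out.
apply_all() {
    cp -n /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
    sshd_hardening >> /etc/ssh/sshd_config
    sshd -t || { echo "sshd_config failed to parse, not reloading" >&2; return 1; }
    iptables_rules "$JUMP_SRC" "$SSH_PORT" > /etc/iptables.rules
    iptables-restore < /etc/iptables.rules
    fail2ban_jail "$JUMP_SRC" "$SSH_PORT" > /etc/fail2ban/jail.local
    service ssh reload
    service fail2ban restart
}

# Usage (as root): JUMP_SRC=198.51.100.7/32 sh jumphost.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Two points the thread raises are what the pieces above are for. Fail2Ban only acts after the third failed attempt in a ten-minute window here (maxretry and findtime), so it is the second layer; the reason brute force does not matter much on this host is PasswordAuthentication no. And if your home IP is dynamic, as Scott notes, you cannot pin the iptables rule to a single address; widen JUMP_SRC to your ISP's range or drop the -s match entirely and rely on keys plus Fail2Ban. The ruleset written to /etc/iptables.rules is not reloaded at boot by itself; on 14.04 the iptables-persistent package (which reads /etc/iptables/rules.v4) or an if-up script handles that.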
-
What OS are you using?
-
@Reid-Cooper said:
What OS are you using?
I already had the Ubuntu 14.04 ISO on my ESXi server, so I used that. Keeps it all consistent. I was tempted to use CentOS though...
-
Why do you use an old version of Ubuntu? We are already halfway through the lifespan of 14.04's replacement, 14.10. 15.04 is just three months away.
-
@scottalanmiller said:
Why do you use an old version of Ubuntu? We are already halfway through the lifespan of 14.04's replacement, 14.10. 15.04 is just three months away.
I'm on 14.04 LTS. That's the recommended use version from Ubuntu. Check their site.
-
Also, when I update to 14.10, $4!+ goes haywire...