In environments where security and access control are paramount, implementing a jump server (or bastion host) can significantly enhance your server management strategy. A jump server serves as a secure gateway for SSH connections to internal systems, providing an additional layer of security and allowing for better logging and monitoring. In this guide, we’ll walk through the process of setting up a jump server using SSH.
What Is a Jump Server?
A jump server is a special-purpose server that acts as an intermediary between users and other servers in a private network. By routing all SSH connections through the jump server, organizations can enforce stricter access controls, monitor traffic, and reduce the attack surface of their internal servers.
In simple words, an SSH Jump server is a Linux server that is used as a gateway to other Linux servers on a private network over the SSH Protocol.
Setting Up the Jump Server
Imagine you have two servers: Server A with the IP address 192.168.1.62 and Server B with the IP address 172.168.1.50. For security reasons, Server B has been configured to only accept SSH connections from Server A, effectively blocking all other IP addresses.
This setup means that if an administrator, whose IP address is 162.168.1.8, wants to access Server B, they must first SSH into Server A and then connect from Server A to Server B. While this approach enhances the security of Server B by limiting direct access, it can complicate the process for administrators, especially if there are multiple jump servers in the access chain.
To simplify this workflow, we can utilize the -A (for agent forwarding) and -J (for specifying jump hosts) options in the SSH command. By designating Server A as a jump server, administrators can streamline their access to Server B without the hassle of multiple SSH commands.
To set up jump server open your terminal and type the following command :
ssh -A -J userName@serverA userName@serverBExplanation
- -J : flag is responsible for making jump server
- -A : flag is used to enable Agent Forwarding. This allows you to use your local SSH agent (which holds your private keys) on the destination server, enabling you to authenticate to other servers from there without needing to copy your private keys to the destination server. In order words , It allows you to access multiple servers without needing to store your private keys on each server.Since your private keys remain on your local machine, there’s less risk of exposure if the destination server is compromised. If you don’t use agent forwarding, you won’t be able to SSH from the destination server to other servers without having the private keys available on the destination server
SCP (Secure Copy Protocol)
You can use a jump server with SCP (Secure Copy Protocol) to transfer files to/from a remote system that is not directly accessible from your local machine. This is commonly done in scenarios where a system is behind a firewall or on a private network and cannot be accessed directly from the outside world.
scp -J user@jumpserver <file to send> user@target:/path/to/remote/file
# example
scp -J og@172.168.0.150 fin.itb mox@10.1.150.68:/home/mox/tshared/
Even when you’re using Agent Forwarding, the public key for your local system (the one corresponding to your private key) still needs to be added to the destination server’s ~/.ssh/authorized_keys file.You can use the following command to copy your public key to destination/target device via jump server.
# on your local/client pc run this
ssh-copy-id -i ~/.ssh/id_ecdsa.pub -o "ProxyJump=user@jumpserevr" user@target
# example
ssh-copy-id -i ~/.ssh/id_ecdsa.pub -o "ProxyJump=og@172.168.0.150" mox@10.1.150.68
Conclusion
Implementing a jump server using SSH is an effective strategy to enhance security, control access, and streamline connections to internal systems. By following this guide, you can set up a secure and efficient access point that protects your infrastructure while providing the necessary access for your team. Remember to regularly audit your security policies and keep your jump server updated to maintain a robust security posture.
