Make your networks more secure by using an SSH to proxy through a jump host from one machine to another.
Secure Shell (SSH) includes a number of tricks up its sleeve. One particular trick you may not know about is the ability to use a jump host. A jump host is used as an intermediate hop between your source machine and your target destination. In other words, you can access X from Y using a gateway.
There are many reasons to use a jump server. For example, Jump servers are often placed between a secure zone and a DMZ. These jump servers provide for the transparent management of devices within the DMZ, as well as a single point of entry. Regardless of why you might want to use a jump server, do know that it must be a hardened machine (so don't just depend upon an unhardened Linux machine to serve this purpose). By using a machine that hasn't been hardened, you're just as insecure as if you weren't using the jump.
SEE: Information security policy template download (Tech Pro Research)
But how can you set this up? I'm going to show you how to create a simple jump with the following details (Your set up will be defined by your network.):
- Originating IP: 192.168.1.162
- Jump IP (we'll call this host-a): 192.168.1.38
- Destination IP (we'll call this host_b): 192.168.1.221
Configuring the jump
The first thing to do is make sure you are able to SSH from the Originating IP to the Jump IP and then from the Jump IP to the Destination IP. Once you are certain of this, configure the jump. This will be done on the Originating IP. Log into that machine, open a terminal window and issue the command:
sudo nano ~/.ssh/config
In that newly created file, paste the following:
Host host-a User USERNAME Hostname 192.168.1.38 Host host_b User USERNAME Hostname 192.168.1.221 Port 22 ProxyCommand ssh -q -W %h:%p host-a
Where USERNAME is a user on host-a and host_b (They don't have to be the same user.). You will also want to change the IP addresses to match your needs.
The options in the above config file are:
- q - Quiet mode (supresses all warning and diagnostic messages).
- W - Requests that standard input and output on the client be forwarded to HOST on PORT over the secure channel.
- %h - Host to connect to.
- %p - Port to connect to on the remote host.
Save and close that file.
Making the connection
To jump from your Originating IP to Destination IP (through the Jump IP), you simply issue the command:
You will first be prompted for the user password on host-a and then for the password on host_b. Once you successfully authenticate both, you'll find yourself on the host_b bash prompt, having made the hop through the jump host.
Making this more secure
To make this more secure, you can configure SSH key authentication. To do this, you need to copy your user SSH key from Originating IP to Jump IP and then copy your user SSH key from Jump IP to Destination IP. Remember, this can be easily done with the command:
Where SERVER_IP is the IP address of your server. (Check out How to set up ssh key authentication ror more information on how to set up SSH key authentication.)
And that is how you set up a basic jump host with SSH in Linux. Just remember to make sure your servers are hardened, otherwise using a jump server won't give you nearly the security you might want.
- How to run remote commands on multiple Linux servers with Parallel-SSH (TechRepublic)
- How to scan for IP addresses on your network with Linux (TechRepublic)
- How to install fail2ban on Ubuntu Server 18.04 (TechRepublic)
- How to combine SSH key authentication and two-factor authentication on Linux (TechRepublic)
- New Linux crypto-miner steals your root password and disables your antivirus (ZDNet)
- Phishing attacks: A guide for IT pros (TechRepublic download)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- The best password managers of 2018 (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)