Building a Jump Host

A jump host (or bastion host) is a secure intermediary server used to access machines on a private network that are otherwise inaccessible from the outside. This guide focuses on configuring a jump host for secure SSH access and outlines best practices to ensure a secure environment.

Network Overview

The network typically looks like this:

[ Client ] -----> [ Jump Host ] -----> [ Internal Network ]

The client accesses the jump host, which is exposed to the external network. The internal network remains secure and isolated, with the jump host serving as a controlled gateway.

Configuring the Jump Host

SSH Configuration: Secure Access

The security of the jump host is critical since it acts as the gateway to internal resources. Key SSH configurations include:

  1. Disable Password Authentication: Enforce key-based login to enhance security.

    In /etc/ssh/sshd_config, ensure:

    PasswordAuthentication no
    
  2. Limit User Access: Restrict access to specific users to minimize the attack surface.

    AllowUsers admin user1 user2
    
  3. Restrict Access by IP: Optionally, allow SSH access only from specific trusted networks.

    Match Address 203.0.113.0/24
        AllowUsers admin
    
  4. Logging and Monitoring: Ensure SSH logging is enabled for auditing access attempts. OpenBSD, for instance, logs SSH activity by default in /var/log/authlog.

    Example from OpenBSD's /etc/syslog.conf:

    auth.info       /var/log/authlog
    

    Adjust as needed to capture detailed authentication logs.

Example Network Layout

Here’s an ASCII representation of a typical setup:

    +---------------------+
    | Client (Public IP)  |
    +---------------------+
              |
       SSH to Jump Host
              |
    +---------------------+
    | Jump Host (Firewall)|
    |     Public IP       |
    +---------------------+
              |
    SSH to Internal Network
              |
+----------------------------+
| Internal Server (Private IP)|
+----------------------------+

The client initiates a connection to the jump host, which forwards the connection to the internal server within the private network.

Setting Up Key-Based Authentication

Key-based authentication should be enforced by copying the public key to the jump host:

ssh-copy-id user@jumphost

Ensure the correct permissions are set on the .ssh directory and authorized_keys file:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Configuring ProxyJump for SSH Clients

The ProxyJump option (-J) simplifies routing through the jump host to internal machines.

Example Command:

ssh -J user@jumphost user@internal-server

This command initiates a connection to jumphost and forwards the SSH connection to the internal server.

To simplify usage, this can be configured in the ~/.ssh/config file:

Host internal-server
    ProxyJump user@jumphost
    User user

This allows connections to the internal server to be made with the simple command:

ssh internal-server

Testing the Setup

After configuring the jump host and client, test the connection from the client:

ssh -J user@jumphost user@internal-server

This command should correctly route through the jump host to the internal server.

Security Best Practices for Jump Hosts

  1. Firewall Configuration: Ensure the jump host’s firewall is configured to only allow necessary services, such as SSH (port 22). For OpenBSD, use pf to restrict traffic:

    Example pf.conf rule:

    block in all
    pass in proto tcp from any to (self) port ssh
    
  2. Two-Factor Authentication (2FA): Consider enabling two-factor authentication on the jump host to enhance security.

  3. Monitoring and Alerts: Set up monitoring tools to track SSH login attempts and generate alerts for suspicious activity. OpenBSD’s smtpd can be configured to send alert emails for failed SSH login attempts.

  4. Regular Key Rotation: Periodically update and rotate SSH keys to mitigate the risk of compromised credentials.