    What Are You Doing Right Now

    • scottalanmillerS
      scottalanmiller @coliver
      last edited by

      @coliver said:

      So a jump box is basically a way to get from the internet into the admin side of your intranet? I guess I'm not sure I understand what a jump box actually is.

      Technically a Jump box is not related to Internet vs. other network. It is a term for a remote access proxy aggregation. In the UNIX world, which is really what we are implying here, it is an SSH proxy 99% of the time. But in theory we could have it as a remote X2Go station. But, you can assume we mean an SSH proxy. In the Windows world they are less common, but still common and well known, and almost exclusively are RDP proxies.

      The purpose of a Jump box is a combination of access, access control and security. A Jump box, sometimes called a Jump station, is a gateway for access to other systems. As we are hosted across the world in many datacenters, we use one on the Internet, but lots of companies use them internally and they have nothing but private IPs.

      How we use a Jump box in the UNIX world, and you can easily extrapolate for Windows, is to make a very light and lean machine with absolutely no services except for SSH. (Obviously we have normal monitoring on there.... log monitoring and stuff for security.) This system allows any of our UNIX users to log into it. It is heavily locked down; none of the normal user accounts that would have admin access have it there. Even the admins are end users on the Jump box. It is common to log actions heavily on the Jump box for audit purposes.

      The Jump box contains things like the private keys for the users so that they can easily log into the actual servers quickly and easily. It is from the Jump box that the admins or even just UNIX users do all of their work. You always log into it first and from there into everything else. The Jump box would hold your "Screen" sessions.

      The normal UNIX servers get the public keys of the Jump box so you can log in without further authentication. This makes working on many servers quick and easy while being super secure. (You can always add more security where needed.) It also allows those machines to lock their SSH access to just the Jump server(s) for added security.

      It's very worth it for UNIX users. Makes working in UNIX so much easier.

      coliverC ? 2 Replies Last reply Reply Quote 0
      • coliverC
        coliver @scottalanmiller
        last edited by

        @scottalanmiller said:

        @coliver said:

        So a jump box is basically a way to get from the internet into the admin side of your intranet? I guess I'm not sure I understand what a jump box actually is.

        Technically a Jump box is not related to Internet vs. other network. It is a term for a remote access proxy aggregation. In the UNIX world, which is really what we are implying here, it is an SSH proxy 99% of the time. But in theory we could have it as a remote X2Go station. But, you can assume we mean an SSH proxy. In the Windows world they are less common, but still common and well known, and almost exclusively are RDP proxies.

        The purpose of a Jump box is a combination of access, access control and security. A Jump box, sometimes called a Jump station, is a gateway for access to other systems. As we are hosted across the world in many datacenters, we use one on the Internet, but lots of companies use them internally and they have nothing but private IPs.

        How we use a Jump box in the UNIX world, and you can easily extrapolate for Windows, is to make a very light and lean machine with absolutely no services except for SSH. (Obviously we have normal monitoring on there.... log monitoring and stuff for security.) This system allows any of our UNIX users to log into it. It is heavily locked down; none of the normal user accounts that would have admin access have it there. Even the admins are end users on the Jump box. It is common to log actions heavily on the Jump box for audit purposes.

        The Jump box contains things like the private keys for the users so that they can easily log into the actual servers quickly and easily. It is from the Jump box that the admins or even just UNIX users do all of their work. You always log into it first and from there into everything else. The Jump box would hold your "Screen" sessions.

        The normal UNIX servers get the public keys of the Jump box so you can log in without further authentication. This makes working on many servers quick and easy while being super secure. (You can always add more security where needed.) It also allows those machines to lock their SSH access to just the Jump server(s) for added security.

        It's very worth it for UNIX users. Makes working in UNIX so much easier.

        Thanks for the explanation, I assumed about half of that but you, as usual, went into far greater depth. Wouldn't having the private keys on this server be an issue? Or is it because it is so locked down and none of the other servers will accept connection coming from anywhere else that this is less of a concern?

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • thanksajdotcomT
          thanksajdotcom
          last edited by

          It's a handy thing to have. I've used it in the past as a way to access my Linux servers via SSH in case I wasn't on a machine that had Pertino on it. I download PuTTY/KiTTY quick, ssh to the jump server via the hostname I set up publicly and boom, I have access to all my internal SSH-accessible devices. And since I have root as the username for all and keys set up, it's super easy.

          scottalanmillerS 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @coliver
            last edited by

            @coliver said:

            Thanks for the explanation, I assumed about half of that but you, as usual, went into far greater depth. Wouldn't having the private keys on this server be an issue? Or is it because it is so locked down and none of the other servers will accept connection coming from anywhere else that this is less of a concern?

            Nothing is perfect, of course. But the theory is that if you have a single, highly secure, heavily monitored gateway it is far more secure than many less secure, less watched, less monitored systems. And keys are way more secure than passwords. And breaking into a Jump server is as hard, or possibly harder, than breaking into the individual servers. So the theory is that it manages to add tighter security overall while also improving ease of use so that people actually leverage the security. It is certainly a compromise, but far better than people putting private keys onto every desktop and laptop that they touch for the same purposes!!

            Because you need only log in once and then get access as needed, using a Jump server offers a reasonable chance to implement a super tight key + passphrase system for accessing it AND it is a great opportunity to implement two factor authentication. Make people work hard to access that one box, one time. Once in, then doing their work is super easy. It's a great tradeoff between security and usability which, after decades of use, has proven to be one of the most viable compromises in making a system that makes work both easy and secure.

            1 Reply Last reply Reply Quote 0
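The two sshd roles described in the posts above (a Jump box demanding a key plus a second factor and logging verbosely; backend servers that accept SSH only from the Jump box), as an added example that is not scottalanmiller's own setup or anything from the thread. It writes both config fragments and audits a backend config for the properties the scheme relies on; the Jump box address 10.0.0.5 is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: sshd_config fragments for the two roles
# described above (jump box: keys + second factor + verbose logging; backend
# servers: SSH accepted only from the jump box), plus an audit that checks a
# backend config for those properties. 10.0.0.5 is a constructed jump-box IP.
JUMP_HOST_IP="10.0.0.5"

# Jump box: public-key auth AND a keyboard-interactive second factor (e.g. a PAM
# OTP module), no password-only logins, and verbose logs for the audit trail.
write_jump_config() {
  cat > "$1" <<EOF
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
LogLevel VERBOSE
EOF
}

# Backend server: keys only, no root, and every allowed user pinned to the jump box
# so the host refuses SSH from anywhere else (the "lock SSH to the Jump server" step).
write_backend_config() {
  cat > "$1" <<EOF
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers *@${JUMP_HOST_IP}
EOF
}

# First value for a keyword, as sshd itself reads it (first match wins; '#' lines ignored).
first_value() {
  awk -v k="$2" 'tolower($1)==tolower(k){print $2; exit}' "$1"
}

# Returns 0 when the backend config has the properties above, 1 otherwise.
audit_backend_config() {
  cfg="$1"; jump="$2"; rc=0
  [ "$(first_value "$cfg" PasswordAuthentication)" = "no" ] || { echo "FAIL: password auth enabled"; rc=1; }
  [ "$(first_value "$cfg" PermitRootLogin)" = "no" ] || { echo "FAIL: root login enabled"; rc=1; }
  allow=$(awk 'tolower($1)=="allowusers"{for(i=2;i<=NF;i++)print $i}' "$cfg")
  [ -n "$allow" ] || { echo "FAIL: no AllowUsers restriction"; rc=1; }
  for p in $allow; do
    case "$p" in *@"$jump") ;; *) echo "FAIL: $p not pinned to $jump"; rc=1 ;; esac
  done
  return $rc
}
```

Run the audit against a real /etc/ssh/sshd_config on a backend host to confirm it still refuses logins from anywhere but the Jump box after a change; the Jump box fragment only works once the PAM stack behind keyboard-interactive actually prompts for a second factor.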
            • scottalanmillerS
              scottalanmiller @thanksajdotcom
              last edited by

              @thanksajdotcom said:

              It's a handy thing to have. I've used it in the past as a way to access my Linux servers via SSH in case I wasn't on a machine that had Pertino on it. I download PuTTY/KiTTY quick, ssh to the jump server via the hostname I set up publicly and boom, I have access to all my internal SSH-accessible devices. And since I have root as the username for all and keys set up, it's super easy.

              We use it even when there is Pertino. We just access the Jump box and then other machines via Pertino on the Jump box. And in some cases, access the Jump box via Pertino too. You could easily make a Jump box that uses the Internet ONLY for patching and Pertino and all access in and out via SSH is on the Pertino network.

              thanksajdotcomT 1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller
                last edited by

                Or you can use the Jump station as a way into Pertino - access the Jump station via the Internet from anywhere but get Pertino access once logged in.

                1 Reply Last reply Reply Quote 0
                • thanksajdotcomT
                  thanksajdotcom @scottalanmiller
                  last edited by

                  @scottalanmiller said:

                  @thanksajdotcom said:

                  It's a handy thing to have. I've used it in the past as a way to access my Linux servers via SSH in case I wasn't on a machine that had Pertino on it. I download PuTTY/KiTTY quick, ssh to the jump server via the hostname I set up publicly and boom, I have access to all my internal SSH-accessible devices. And since I have root as the username for all and keys set up, it's super easy.

                  We use it even when there is Pertino. We just access the Jump box and then other machines via Pertino on the Jump box. And in some cases, access the Jump box via Pertino too. You could easily make a Jump box that uses the Internet ONLY for patching and Pertino and all access in and out via SSH is on the Pertino network.

                  Yup, I've done that too.

                  1 Reply Last reply Reply Quote 0
                  • ?
                    A Former User @scottalanmiller
                    last edited by A Former User

                    @scottalanmiller I personally have always put in RD Proxies that have to be used to get to other servers. It's much easier for logging who accessed what. It's actually the only thing that saved my butt when I left my last job and they tried to say I sabotaged servers after I was no longer there.

                    1 Reply Last reply Reply Quote 0
                    • ?
                      A Former User
                      last edited by

                      Now seeing if I can find a dirt cheap laptop (or maybe a freebie on craigslist) to use. Likely will just run CentOS on it.

                      1 Reply Last reply Reply Quote 0
                      • MattSpellerM
                        MattSpeller
                        last edited by

                        Just received the best ticket I've had in a while...

                        On Mar 12, 2015 @ 10:10 am, Christine wrote:
                        Good morning,

                        This message just turned up in my inbox. I don't recall ever sending a message to Matt Speller. Does this indicate that my computer has a virus?

                        Christine

                        -----Original Message-----
                        From: Mail Delivery System [mailto:
                        Sent: March-12-15 10:07 AM
                        To: Christine
                        Subject: Mail delivery failed: returning message to sender

                        This message was created automatically by mail delivery software.

                        A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

                        mspeller@csipacific.com
                        retry timeout exceeded

                        1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller
                          last edited by

                          Darn that Matt Speller.

                          1 Reply Last reply Reply Quote 0
                          • MattSpellerM
                            MattSpeller
                            last edited by

                            What a virus sending jerk right? Geez.

                            1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller
                              last edited by

                              That should be the name of the next big virus.

                              1 Reply Last reply Reply Quote 0
                              • MattSpellerM
                                MattSpeller
                                last edited by

                                Let's hope not

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller
                                  last edited by

                                  My system is infected with Matt.Speller!!

                                  1 Reply Last reply Reply Quote 1
                                  • Minion QueenM
                                    Minion Queen
                                    last edited by

                                    Quiet afternoon here. Needed one of those.

                                    1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller
                                      last edited by

                                      Here too. Of course I bought that by working since 6am. So my "shift" is done in 20 minutes and my day is over.

                                      1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller
                                        last edited by

                                        The family leaves for Florida tomorrow afternoon. I get a week mostly alone after that.

                                        1 Reply Last reply Reply Quote 0
                                        • ?
                                          A Former User
                                          last edited by

                                          Ugh, ran into one of those avid gamer types. Yeah, yeah, brag about your FPS and how much you spent on it, while everyone else knows you can't see that many. Else you'd be seeing the lights cut on & off too with the AC mains frequency (or twice that for some types of light).

                                          1 Reply Last reply Reply Quote 1
                                          • scottalanmillerS
                                            scottalanmiller
                                            last edited by

                                            Actually, lights are only at 60; a lot of people can see that. Not the majority, but a lot. That's why traditional fluorescents are so often uncomfortable: the constant high-speed flicker.

                                            1 Reply Last reply Reply Quote 0