SSH Jump Box Design

  • Home
  • Docs
  • SSH Jump Box Design
 

Jump Boxes are Easier with Userify

Create an SSH Jump Box for EC2 ‐ or anywhere else ‐ In just a few minutes!

What's a Jump Box?

An SSH Jump Box is simply a single, hardened server that you "jump" through in order to access other servers on the inner network. Sometimes called a bastion or relay host, it's simply a server that all of your users can log into and connect through as a relay server to connect to other servers.

This article is geared for EC2 deployment inside a VPC but this design should work anywhere you can use Userify, such as in your own datacenter, Google, Azure, etc.

To build a jumpbox with Userify, just create a Jumpbox group and paste the regular Userify cloudinit script into the EC2 script box!

YOUR SSH JUMP BOX IN THREE MINUTES

  1. Create a Userify Project called "Jumpbox" with a Userify Server Group called "Production".

  2. Enable each of the users (only 'user' permission is needed) that will log into any server in that particular VPC or environment.

  3. For each group, launch a new jump box instance for each of your environments or VPC's. (In a VPC, launch it in your public subnet. For EC2 Classic, launch it anywhere.)

  4. Paste in the UserData (CloudInit) script into the "Advanced" section on the "Instance Details" launch page and launch!

  5. You're done!

Lock down the other servers in the VPC and the Jumpbox (see below) as needed.

How to Log In

  1. SSH directly into your target box and use SSH's proxyjump trick to "jump" through it:

    ssh -J jumpbox targetserver

  2. You can also set up the same command in your .ssh/config file.

Note: older SSH clients may need to use the same trick with ProxyCommand. Email support if you have trouble setting this up.

Security Considerations and Tips

  • Obviously your servers no longer need port 22 available to the outside world -- but the Jump box still needs access to them!

  • An effective Jump Box will simply contain the minimal software needed to run an SSH server and the Userify agent. Use whatever hardening techniques you prefer on this server.

  • Users only need user level permissions on the jump box, unless they need to administer the jumpbox server itself. It's recommended that everyone maintains user level permissions only -- only grant root privileges to the jump box for a short period of time.

  • Many users harden the instance, install fail2ban or denyhosts, change the default port 22 to an unusually high port (such as 31000), or even block access from unknown networks.

  • You only need one Jumpbox for each network. Although you could create multiple for high availability in some circumstances, it might be easier to create an Auto-scaling Group (ASG) with a minimum and maximum size of one. The only requirement is that the Userify shim gets installed on it (see step 4), making it about the simplest ASG possible!

  • You can lock down users by each of your environments (dev, staging, test) or for each of your regions (east, west, etc). Just add an extra Jump Box for each environment and configure your AWS security groups (firewall) to only allow SSH access from the Jumpbox for that environment.

  • As with any Jump Box, users with 'root' permission can hijack other users' session and possibly gain root access to servers they wouldn't otherwise have access to.

Get More Information

Please fill out the form below to receive more information about Userify Express and Enterprise.