An SSH jumphost (or “bastion host”) is a secure intermediary server used to access other servers within a private network. Using a jumphost provides an additional layer of security, allowing administrators to restrict direct access to internal servers. Here’s how to set up and use an SSH jumphost.
Step 1: Set Up the Jumphost Server
1. Provision the Jumphost:
  - Set up a server that will act as your jumphost, ideally in a secure network location with access to the internal servers you wish to reach.
  - Make sure SSH access is enabled.
2. Harden SSH Security on the Jumphost:
  - Edit the SSH configuration file on the jumphost:
sudo nano /etc/ssh/sshd_config
  - Configure options for added security:
    - Set `PermitRootLogin` to `no`.
    - Allow only specific users to access the server by adding `AllowUsers yourusername`.
    - Disable password-based logins and use SSH keys by setting `PasswordAuthentication no`.
  - Restart SSH to apply changes:
sudo systemctl restart sshd
3. Set Up SSH Key-Based Authentication:
- Generate an SSH key pair on your local machine if you don’t already have one:
ssh-keygen -t rsa -b 4096
- Copy the public key to the jumphost:
ssh-copy-id yourusername@jumphost_ip
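An added example, not code from the original post: a small POSIX shell helper that audits an `sshd_config` file for the three hardening settings from step 2. The function names and the two sample configs it runs on are constructed for the demo.

```shell
#!/bin/sh
# Added helper (hypothetical, not from the original post): audit an sshd_config
# file for the three hardening settings described in Step 1.
# Caveats, matching how sshd itself reads the file: the FIRST occurrence of a
# keyword wins, and Match blocks are ignored here, so on a live host confirm
# the effective values with `sudo sshd -T` (prints every resolved setting).

# effective_value FILE KEYWORD: print the first global, uncommented value of
# KEYWORD (lowercased), or nothing if it is never set before a Match block.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                              # skip comment lines
        tolower($1) == "match" { exit }                  # stop at Match blocks
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# check_sshd_hardening FILE: exit 0 if hardened, 1 with one FAIL line per gap.
check_sshd_hardening() {
    cfg="$1"; rc=0
    if [ "$(effective_value "$cfg" PermitRootLogin)" != "no" ]; then
        echo "FAIL: $cfg: PermitRootLogin is not 'no'"; rc=1
    fi
    if [ "$(effective_value "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "FAIL: $cfg: PasswordAuthentication is not 'no'"; rc=1
    fi
    if [ -z "$(effective_value "$cfg" AllowUsers)" ]; then
        echo "FAIL: $cfg: no AllowUsers restriction"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cfg has the expected hardening settings"
    return "$rc"
}

# Demo on two constructed sample configs (not real hosts' files).
demo() {
    weak=$(mktemp); hardened=$(mktemp)
    printf '%s\n' '# defaults-like config' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' > "$weak"
    # the Match block in the second file is deliberately NOT inspected (see caveat)
    printf '%s\n' 'PermitRootLogin no' 'AllowUsers yourusername' \
        'PasswordAuthentication no' 'Match User yourusername' \
        '    PasswordAuthentication yes' > "$hardened"
    check_sshd_hardening "$weak" || echo "(weak config rejected, exit $?)"
    check_sshd_hardening "$hardened"
    rm -f "$weak" "$hardened"
}
demo
```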
Step 2: Configure Internal Servers to Accept Connections from the Jumphost
1. Allow SSH Access from the Jumphost on Each Internal Server:
- On each internal server you want to access via the jumphost, configure the firewall to accept SSH connections from the jumphost’s IP only.
- For example, using UFW:
sudo ufw allow from jumphost_ip to any port 22
2. Set Up SSH Keys on Internal Servers:
- Copy your SSH public key to each internal server. Run this from your local machine:
ssh-copy-id -o ProxyJump=yourusername@jumphost_ip yourusername@internal_server_ip
- This command uses the `ProxyJump` option to access the internal server via the jumphost.
Step 3: Access Internal Servers via the Jumphost
You can connect to the internal servers using SSH through the jumphost in two main ways:
Option 1: Using ProxyJump (Recommended)
1. Connect to an internal server by specifying the jumphost with `ProxyJump`:
ssh -J yourusername@jumphost_ip yourusername@internal_server_ip
2. Alternatively, to make this easier, add a configuration in your SSH config file on your local machine.
- Open or create the SSH config file:
vi ~/.ssh/config
- Add the following configuration:
Host jumphost
    HostName jumphost_ip
    User yourusername

Host internal-server
    HostName internal_server_ip
    User yourusername
    ProxyJump jumphost
- With this configuration, you can connect to `internal-server` with a simple command:
ssh internal-server
Option 2: Using ProxyCommand
- If `ProxyJump` is not supported, you can use `ProxyCommand` to route traffic through the jumphost.
- Add this to your SSH config file (`~/.ssh/config`):
Host jumphost
    HostName jumphost_ip
    User yourusername

Host internal-server
    HostName internal_server_ip
    User yourusername
    ProxyCommand ssh -W %h:%p jumphost
- Now, connect to the internal server using:
ssh internal-server
Step 4: Transfer Files through the Jumphost
You can use `scp` or `rsync` to transfer files via the jumphost.
Example Using scp:
scp -o ProxyJump=yourusername@jumphost_ip localfile.txt yourusername@internal_server_ip:/path/to/destination/
Example Using rsync:
rsync -e "ssh -J yourusername@jumphost_ip" localfile.txt yourusername@internal_server_ip:/path/to/destination/
Additional Security Tips
- Restrict Access to the Jumphost: Limit access to trusted IP addresses only.
- Enable Logging and Monitoring: Enable logging on the jumphost to monitor access and potential unauthorized activities.
- Use Two-Factor Authentication (2FA): If possible, enable two-factor authentication for SSH connections on the jumphost.
- Regular Updates and Patching: Keep the jumphost updated with security patches and OS updates.
Author’s Final Word
Using an SSH jumphost securely allows access to internal servers without exposing them directly to the internet, enhancing your network security.