Background on the Jump Server for FWD Enterprise
Forward Enterprise obtains data for path analysis primarily using industry-standard command-line interface (CLI) access. This is typically done with secure shell (SSH) read-only credentials provided to the platform so that configuration and state can be retrieved.
In some customer environments, SSH access to network devices must originate from a specific host or set of hosts, so that device access can be audited and controlled in one place. Such a host is commonly known as a bastion or jump server.
A jump server, jump host, or jump box is a computer on a network used to access and manage devices in a separate security zone. The most common example is managing a host in a DMZ from trusted networks or computers.
A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. User access to it should be tightly controlled and monitored.
OpenSSH is commonly used to build a jump server, in either a Linux or Windows environment.
Many vendors provide SSH implementations; this document covers OpenSSH jump servers on RHEL and Ubuntu in the sections that follow.
A common technique, SSH port forwarding, lets the client reach network devices through the jump server without ever obtaining a shell on it: the client asks the jump server's sshd to open a TCP connection to the device and tunnels a second SSH session through it (this is what the OpenSSH client's ProxyJump/-J option and ssh -W do). If the jump server does not permit port forwarding, the client must instead log in to the jump server, run the ssh command from the shell there, and relay the device output back through the first SSH session.
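As an added example (not part of this page or of the Forward Enterprise product), the following shell script generates both halves of the forwarding-only setup described above. On the jump host it emits a Match block that limits a hypothetical collector account, fwdsvc, to local TCP forwarding towards an explicit list of devices; PermitOpen takes host:port pairs rather than CIDR ranges, so each device is listed, and the block must be appended at the end of sshd_config because everything after a Match line belongs to it (RHEL 7's OpenSSH 7.4 has no Include directive for drop-in files). On the client it emits the matching ~/.ssh/config stanza using ProxyJump, with the ProxyCommand form for clients older than OpenSSH 7.3. The host name jump.example.net, the device login user netops and the 192.0.2.x device addresses are placeholders.

```shell
#!/bin/sh
# Jump-host side: a forwarding-only account pinned to the managed devices.
# Client side: the ~/.ssh/config that uses it without a shell on the jump host.
# All names and addresses below are hypothetical placeholders.

# Validate a dotted-quad IPv4 address (four octets, each 0-255).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) bad = 1 }
        END { exit bad }'
}

# Emit a Match block for USER that permits only direct-tcpip ("local")
# forwarding to port 22 of the listed devices. Append it to the END of
# sshd_config: every line after a Match line belongs to that block.
# PermitOpen accepts host:port pairs, not CIDR ranges, so each device is listed.
jump_match_block() {
    user=$1; shift
    permit=""
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "jump_match_block: bad device address '$ip'" >&2; return 1; }
        permit="$permit $ip:22"
    done
    [ -n "$permit" ] || { echo "jump_match_block: no devices given" >&2; return 1; }
    cat <<EOF
Match User $user
    AllowTcpForwarding local
    PermitOpen${permit}
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
    ForceCommand /bin/false
EOF
}

# Client config for the same setup. ProxyJump (OpenSSH 7.3+) performs the
# stdio forwarding itself; the commented ProxyCommand is the older equivalent.
client_ssh_config() {
    user=$1; jump=$2
    cat <<EOF
Host jump
    HostName $jump
    User $user
    IdentityFile ~/.ssh/id_ed25519_fwd
    IdentitiesOnly yes

# Devices behind the jump host: one stanza covers the whole range.
Host 192.0.2.*
    User netops
    ProxyJump jump
    # Clients older than OpenSSH 7.3 lack ProxyJump; use this instead:
    # ProxyCommand ssh -W %h:%p jump
EOF
}

jump_match_block fwdsvc 192.0.2.10 192.0.2.11
echo
client_ssh_config fwdsvc jump.example.net
# On the jump host, after appending the Match block:  sshd -t -f /etc/ssh/sshd_config
```

Append the generated Match block to /etc/ssh/sshd_config on the jump host, run sshd -t to check the syntax, and restart sshd. Because ssh -J and ssh -W open only a direct-tcpip channel and never request a session, PermitTTY no and ForceCommand /bin/false deny the account an interactive shell without breaking the forwarding path.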
Security Risks to consider and ways to harden a jump server configuration
Every management session to the devices passes through the jump server, so a compromised jump server exposes every device behind it; the jump server is itself a risk in a network's design. There are several ways of improving its security, including:
- Reducing subnet size (more, smaller subnets) and filtering traffic between those VLANs with a firewall or router.
- Using stronger authentication, such as SSH keys or multi-factor authentication, rather than passwords alone.
- Keeping the operating system and software on the jump server up to date.
- Using access control lists (ACLs) to restrict access to only the hosts and users that require it.
- Blocking outbound access from the jump server to the rest of the internet.
- Restricting which programs can be run on the jump server.
- Enabling strong logging, and forwarding the logs off the host so an intruder cannot erase them.
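As an added example (not from this page), the following shell script checks the global section of an sshd_config against the list above. It applies sshd's own parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins, and a Match line ends the global section), fills in the OpenSSH defaults for absent keywords, and treats TCP forwarding without a PermitOpen list as a finding, because an unrestricted jump host lets any authenticated user reach anything. The two sample files it writes are constructed for the demonstration. Run audit_sshd_config against /etc/ssh/sshd_config after editing it per the RHEL or Ubuntu sections that follow; on those stock configurations it will flag PasswordAuthentication (left at its default of yes) and X11Forwarding yes.

```shell
#!/bin/sh
# Audit the global section of an sshd_config against the hardening list.
# sshd rules applied: keywords are case-insensitive, the FIRST occurrence of a
# keyword wins, and a "Match" line ends the global section.

# Print the effective global value of KEY in FILE, or DEFAULT when it is unset.
sshd_setting() {
    file=$1; default=$3
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v want="$key" '
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        $1 ~ /=/ { sub(/=/, " ") }                # accept the "Keyword=value" form
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# Print one "FAIL <Keyword>: <reason>" line per violation in FILE.
# Returns 0 when there are no findings, 1 otherwise.
audit_sshd_config() {
    f=$1; findings=0
    finding() { echo "FAIL $1"; findings=$((findings + 1)); }

    [ "$(sshd_setting "$f" PermitRootLogin prohibit-password)" != yes ] ||
        finding "PermitRootLogin: yes allows root password logins; want no or prohibit-password"
    [ "$(sshd_setting "$f" PasswordAuthentication yes)" = no ] ||
        finding "PasswordAuthentication: want no; use SSH keys (MFA via PAM if required)"
    [ "$(sshd_setting "$f" PermitEmptyPasswords no)" = no ] ||
        finding "PermitEmptyPasswords: want no"
    [ "$(sshd_setting "$f" HostbasedAuthentication no)" = no ] ||
        finding "HostbasedAuthentication: want no"
    [ "$(sshd_setting "$f" IgnoreRhosts yes)" = yes ] ||
        finding "IgnoreRhosts: want yes"
    [ "$(sshd_setting "$f" X11Forwarding no)" = no ] ||
        finding "X11Forwarding: a jump host only relays SSH; want no"
    [ "$(sshd_setting "$f" Protocol 2)" = 2 ] ||
        finding "Protocol: only version 2 is acceptable"
    case "$(sshd_setting "$f" LogLevel INFO | tr 'a-z' 'A-Z')" in
        INFO|VERBOSE) ;;
        *) finding "LogLevel: want INFO or VERBOSE (VERBOSE also records which authorized key matched)" ;;
    esac
    # Forwarding is the jump host's job, but it must be limited to the managed
    # devices: anything other than "no" needs an explicit PermitOpen list.
    if [ "$(sshd_setting "$f" AllowTcpForwarding yes)" != no ]; then
        case "$(sshd_setting "$f" PermitOpen any)" in
            any|"") finding "PermitOpen: forwarding allowed to any destination; list device host:port pairs" ;;
        esac
    fi
    [ "$findings" -eq 0 ]
}

# Number of findings for FILE, for callers that want a count.
count_findings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

# Constructed sample files (not taken from a real host). The weak one mirrors
# the permissive defaults of a fresh install plus root login; the hardened one
# applies the list above and pins forwarding to two hypothetical devices.
write_weak_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
LogLevel QUIET
EOF
}

write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
X11Forwarding no
AllowTcpForwarding local
PermitOpen 192.0.2.10:22 192.0.2.11:22
EOF
}

tmp=$(mktemp -d)
write_weak_config "$tmp/weak"; write_hardened_config "$tmp/hardened"
echo "== weak =="; audit_sshd_config "$tmp/weak" || true
echo "== hardened =="; audit_sshd_config "$tmp/hardened" && echo "no findings"
rm -r "$tmp"
# On a real jump host: audit_sshd_config /etc/ssh/sshd_config
```

The script reads only the global section; settings inside Match blocks are not evaluated, so review those by hand. Running it as a user who can read /etc/ssh/sshd_config is enough, since it never touches the daemon.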
RHEL Jump Server Setup (Note: This was tested with RHEL 7.5 Maipo)
After installing RHEL, open /etc/ssh/sshd_config in your editor of choice (vi, vim, etc.).
Below are only the lines you need to uncomment and edit so that they match. These are the values as tested; note that PasswordAuthentication is not set here and so keeps its default of yes, and that X11Forwarding yes is not needed on a host that only relays SSH, so set both to no once key-based access for the platform is working. The DSA HostKey line is inert on OpenSSH 7.0 and later, which disable ssh-dss keys by default. After editing, run sshd -t to check the syntax and then systemctl restart sshd for the change to take effect.
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 2m
PermitRootLogin prohibit-password
StrictModes yes
MaxSessions 8
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
Ubuntu Jump Server Setup
After installing Ubuntu, open /etc/ssh/sshd_config in your editor of choice (vi, vim, etc.).
Below is the full file to match as needed; the uncommented lines are the ones that matter. Two caveats: PasswordAuthentication is left commented out here and so keeps its default of yes, so set it to no once key-based access is working, in line with the hardening list above; and this file comes from an older Ubuntu release, so Protocol, KeyRegenerationInterval, ServerKeyBits, RSAAuthentication, RhostsRSAAuthentication and UsePrivilegeSeparation are SSH protocol 1 era options that OpenSSH 7.6 and later (Ubuntu 18.04 onward) ignore, with sshd -t warning about the deprecated ones. After editing, run sshd -t to check the syntax and then systemctl restart ssh (the service is named ssh on Ubuntu) for the change to take effect.
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
MaxStartups 100
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
UseDNS no