Enhancing Remote Access Security
Jump Box Security
![](/var/linux_magazin/storage/images/online/features/jump-box-security/jump_box/756472-1-eng-US/Jump_Box_medium.jpg)
While Linux can be made very secure, you can increase the security of your entire network with jump boxes.
Special Thanks: This article was made possible by support from Linux Professional Institute
A jump box is a system set up with multi-factor authentication (MFA) usually placed in a network DMZ with very restricted access to the corporate network and no returning Internet access for any protocol. In other words, the jump box has only one path in via SSH ,and no other protocols are allowed outbound to the Internet or into the corporate network. Figure 1 shows a simplified diagram of a jump box and where and how it is positioned within your network.
A secure jump box is an excellent out-of-band (OOB) remote access method for system administrators. It ensures that your network has 24x7x365 support and is a reasonable solution when some of your users either have no direct office or data center access.
Internet Access
The jump box should be set up with MFA, as should all systems attached to the corporate network. No user should be in the sudoers group or be allowed to become the root user on this system. When the jump box system requires maintenance, a system administrator should use a console login either via an onboard access controller or through a directly attached keyboard, video, and mouse (KVM) apparatus.
Since the jump box resides in the DMZ or another network that can be accessed via the Internet, great care should be taken to ensure its security by applying patches and updates as soon as they are made available. Additionally, the jump box shouldn’t host any protocols except for SSHD. The jump box has a single purpose as an SSH gateway into the corporate network. The only exception is for MFA purposes. Some MFA solutions require Internet access or at least some method of communicating with an authentication service inside the network. Time-based solutions are more secure, but any MFA solution is more secure than simple passwords alone.
MFA
It’s hard to stress the MFA requirement enough. No accounts on the jump box system should be accessible without using MFA unless it is a console login. The most secure type of MFA is to require that each user have a physical token such as a hardware token, which is a device that generates random numbers or alphanumeric sequences.
To use a hardware token, the user supplies a username, a passcode, and a random number or sequence from the token. The random number that is generated is usually only active for 60 seconds. This security principle is based on “something you know plus something you have” that a remote hacker couldn’t gain access to or spoof.
Additional Security
To further secure your jump servers, you should follow these suggestions:
- Disable or remove unnecessary protocols, daemons, and services.
- Never store SSH private keys on the jump server.
- Configure internal hosts with /etc/hosts.allow and /etc/hosts.deny files to control access.
- Create at least one secondary /backup jump box in case of failure.
- Use a restrictive, host-based firewall for all Linux systems.
- Set up a service such as Fail2Ban to resist brute-force attacks.
- Install a minimal distribution option.
- Set up NAT forwarding to your jump box.
Remember that there’s no such thing as too much security when it comes to protecting your data, your customer base, and your intellectual property. Internet-accessible systems will come under attack; they need to be secure, and convenience should never be a factor in selecting security measures.
Some network administrators also place a firewall between the Internet and the DMZ and use NAT port forwarding for all services. Leaving systems wide open on all protocols is not a good practice. It makes more sense to secure the DMZ by limiting the incoming and outgoing protocols from that network.
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
![Learn More](https://www.linux-magazine.com/var/linux_magazin/storage/images/media/linux-magazine-eng-us/images/misc/learn-more/834592-1-eng-US/Learn-More_medium.png)
News
-
Canonical Offers 12-Year LTS for Open Source Docker Images
Canonical is expanding its LTS offering to reach beyond the DEB packages with a new distro-less Docker image.
-
Plasma Desktop 6.1 Released with Several Enhancements
If you're a fan of Plasma Desktop, you should be excited about this new point release.
-
SUSE Offers CentOS 7 Support with Liberty Linux Lite
SUSE's Liberty Linux support offering now includes CentOS 7, which means businesses won't be forced to migrate those servers for some time.
-
Ubuntu's App Center Finally Supports Local Installs Again
If you regularly download .deb files and would prefer a GUI method of installing, Ubuntu has your back.
-
AlmaLinux Now Supports Raspberry Pi 5
If you're looking to create with the Raspberry Pi 5 and want to use AlmaLinux as your OS, you're in luck because it's now possible.
-
Kubuntu Focus Releases New Iterations of Ir14 and Ir16 Laptops
If you're a fan of the Kubuntu Focus laptops or have been waiting for the right time to purchase one, that time might be now.
-
NixOS 24.05 Is Ready for Prime Time
The latest release of NixOS (Uakari) has arrived and offers its usual reproducible, declarative, and reliable goodness.
-
Linux Lite 7.0 Officially Released
Based on Ubuntu 24.04 and kernel 6.8, Linux Lite version 7 now offers more options than ever.
-
KaOS Linux 2024.05 Adds Bcachfs Support and More
With updates all around, KaOS Linux now includes support for the bcachefs file system.
-
TUXEDO Computers Unveils New Iteration of the Stellaris Laptop Line
The Stellaris Slim 15 is the 6th generation and includes either an AMD or Intel CPU