SSH Jump Machine

This tutorial is based on the following assumptions:

  • The target server's IP address is 256.256.256.256 (a fictitious IP address)
  • The jump server's IP address is 257.257.257.257 (a fictitious IP address)
  • The user name is rip_996
  • The SSH server listens on port 22

SSH jump host setup

Quoting the SSH documentation

An excerpt from the ssh(1) manual page:

-J destination

Connect to the target host by first making a ssh connection to
the jump host described by destination and then establishing a
**TCP forwarding** to the ultimate destination from there. Multiple
jump hops may be specified separated by comma characters. This
is a shortcut to specify a ProxyJump configuration directive.
Note that configuration directives supplied on the command-line
generally apply to the destination host and not any specified
jump hosts.  Use ~/.ssh/config to specify configuration for jump
hosts.

SSH jump host command line

ssh -J <jump-user>@jump-server:<port> <target-user>@target-server:<port>

If you have set up the SSH client configuration file (~/.ssh/config), you can simply use the following command:

ssh -J jump-server target-server

An example ~/.ssh/config:

Host jump-server
    HostName 257.257.257.257
    User jump
    Port 22

Host target-server
    HostName 256.256.256.256
    User rip_996
    Port 22

SSH proxy chain

Many tools in programming can be nested like Russian dolls, and SSH jump hosts are no exception. To go through two jump hosts in sequence, use the following command:

ssh -J \
jump@jump1:<port>,jump@jump2:<port> \
rip_996@target-server:<port>

Summary

With a jump host in place, the target server's firewall rules can be restricted so that SSH connections are accepted only from the jump host's IP address. To every other machine, the target server's SSH port then appears closed.

Run as few services as possible on the jump host to reduce its attack surface.
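The following POSIX shell script is an added example and is not part of the original post. It ties together the two earlier sections (the -J hop list and the ~/.ssh/config form of the jump) and the summary's firewall recommendation: it validates and joins hops into the comma-separated list that ssh -J and ProxyJump expect, writes a client config whose target entry carries a ProxyJump directive (the configured shortcut the manual page mentions), and emits an nftables ruleset for the target host that accepts SSH only from the jump host's address. The addresses, user names and port are the post's own constructed assumptions; the function names, the "jump" user and the nftables table and chain names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around ssh -J / ProxyJump
# and a matching firewall policy for the target host. Values below are the
# post's constructed assumptions; function and table names are assumptions.

JUMP_IP="257.257.257.257"     # jump host (fictitious, from the post)
TARGET_IP="256.256.256.256"   # target host (fictitious, from the post)
TARGET_USER="rip_996"
SSH_PORT="22"

# Validate one hop of the form [user@]host[:port] and print it unchanged.
# Returns 1 on a malformed hop so a typo is rejected before ssh is invoked.
check_hop() {
    hop="$1"
    case "$hop" in
        ""|*" "*|*,*) return 1 ;;          # empty, spaces or stray commas
    esac
    host="${hop#*@}"                       # drop optional user@
    host="${host%%:*}"                     # drop optional :port
    [ -n "$host" ] || return 1
    port="${hop##*:}"
    if [ "$port" != "$hop" ]; then         # a :port suffix is present
        case "$port" in
            ''|*[!0-9]*) return 1 ;;       # must be all digits
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    fi
    printf '%s' "$hop"
}

# Join hops into the comma-separated list that `ssh -J` and ProxyJump expect.
jump_chain() {
    chain=""
    for hop in "$@"; do
        check_hop "$hop" >/dev/null || return 1
        if [ -z "$chain" ]; then chain="$hop"; else chain="$chain,$hop"; fi
    done
    printf '%s' "$chain"
}

# Print the full ssh command: first argument is the target, the rest are hops
# in the order the connection traverses them.
jump_command() {
    target="$1"; shift
    chain=$(jump_chain "$@") || return 1
    printf 'ssh -J %s %s' "$chain" "$target"
}

# Write an ssh_config so that `ssh target-server` goes through the jump host
# automatically via the ProxyJump directive, without needing -J on each call.
write_ssh_config() {
    out="$1"
    cat > "$out" <<EOF
Host jump-server
    HostName $JUMP_IP
    User jump
    Port $SSH_PORT

Host target-server
    HostName $TARGET_IP
    User $TARGET_USER
    Port $SSH_PORT
    ProxyJump jump-server
EOF
}

# Emit an nftables ruleset for the TARGET host: SSH is accepted only when the
# source address is the jump host; every other packet to the SSH port is
# dropped, so the port looks closed to the rest of the network. The chain
# policy stays accept so unrelated services are not affected by this snippet.
target_firewall_rules() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr $JUMP_IP tcp dport $SSH_PORT accept
        tcp dport $SSH_PORT drop
    }
}
EOF
}

# Stand-alone demo: two-hop command, generated client config, firewall rules.
jump_command "$TARGET_USER@target-server:$SSH_PORT" "jump@jump1:$SSH_PORT" "jump@jump2:$SSH_PORT"; echo
cfg=$(mktemp) && write_ssh_config "$cfg" && cat "$cfg" && rm -f "$cfg"
target_firewall_rules
```

Apply the generated ruleset on the target with nft -f; the client config is meant to be merged into ~/.ssh/config. Ordering matters in both places: hops are listed in traversal order, and the accept rule for the jump host's address must precede the drop rule for the port.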

Last modification: September 8th, 2020 at 10:07 am