Bastion host introduction: building a simple bastion host, installing jailkit for a chroot jail, and auditing logs

Bastion host introduction

What is a bastion host

A bastion host is a machine that, within a given network environment, uses a range of technical means to collect and monitor in real time the state of every component of that environment, its security events and its network activity, so that attacks and damage from external and internal users can be centrally alarmed on, handled promptly and attributed afterwards.

Functionally, it combines two main roles: core system operations and maintenance, and security audit management and control. Technically, it cuts off the terminal computer's direct access to network and server resources and takes over that access through a protocol proxy. Put simply, every access from a terminal to a target is relayed through the operations and maintenance security audit system, which acts as a gatekeeper: all requests to network devices and servers pass through this gate. The system can therefore intercept unauthorized access and malicious ***, block prohibited commands, filter out all unauthorized access to the target devices, and audit and monitor the mistaken or unauthorized operations of internal staff so that responsibility can be traced afterwards.

A bastion host is also called a jump host (springboard). A simple jump host has simple functions: its core functions are remote login to servers and log auditing. A full bastion host also offers asset management (CMDB), monitoring and user permission management. The best-known open source options at present include Jumpserver, Teleport, GateOne and CrazyEye; commercial bastion hosts such as Qizhi and Citrix XenApp are more powerful.

Building a simple bastion host

Next we build a simple bastion host whose main functions are logging in to servers on the internal network and auditing logs.

The prerequisite is a machine that has both a public IP and an internal IP, and whose internal interface can reach the other machines on the internal network.

Design outline for the bastion host:

Apply security restrictions to the machine: port restrictions, login restrictions (SSH), and user and command restrictions;

Audit logs on the client machines.

Download and install jailkit to set up a chroot jail:

Jailkit download link: https://olivier.sessink.nl/jailkit/

[root@jinkai02 ~]# cd /usr/local/src/

[root@jinkai02 src]# wget https://olivier.sessink.nl/jailkit/jailkit-2.21.tar.bz2

[root@jinkai02 src]# yum install -y bzip2

[root@jinkai02 src]# tar jvxf jailkit-2.21.tar.bz2

[root@jinkai02 src]# cd jailkit-2.21

[root@jinkai02 jailkit-2.21]# ./configure

[root@jinkai02 jailkit-2.21]# make && make install

Create the root directory of the virtual (chrooted) system:

[root@jinkai02 jailkit-2.21]# mkdir /home/jail

Shell-related commands and library files:

[root@jinkai02 jail]# jk_init -v -j /home/jail/ basicshell

Editors such as vi and vim:

[root@jinkai02 jail]# jk_init -v -j /home/jail/ editors

Network-related tools:

[root@jinkai02 jail]# jk_init -v -j /home/jail/ netutils

SSH login support. These jk_init steps copy the common commands, together with the libraries they need, into /home/jail:

[root@jinkai02 jail]# jk_init -v -j /home/jail/ ssh

Add a test user:

[root@jinkai02 jail]# mkdir /home/jail/usr/sbin

[root@jinkai02 jail]# cp /usr/sbin/jk_lsh /home/jail/usr/sbin/jk_lsh   //copy the virtual system's shell into the jail

[root@jinkai02 jail]# useradd zhangsan

[root@jinkai02 jail]# passwd zhangsan

Change the password of user zhangsan.

New password:

Invalid password: The password did not pass the dictionary check - it is based on dictionary words

Re-enter the new password:

passwd: All authentication tokens have been successfully updated.

[root@jinkai02 jail]# jk_jailuser -m -j /home/jail zhangsan   //create the user inside the virtual system

[root@jinkai02 jail]# cat etc/passwd

root:x:0:0:root:/root:/bin/bash

zhangsan:x:1000:1000::/home/zhangsan:/usr/sbin/jk_lsh

On the zhangsan line, change /usr/sbin/jk_lsh to /bin/bash so that this user gets a bash shell when logging in to the virtual system (the file edited here is /home/jail/etc/passwd, since the current directory is /home/jail):

[root@jinkai02 jail]# vim etc/passwd

Use Xshell to log in as the jailed user:


WARNING! The remote SSH server rejected X11 forwarding request.

Last login: Sat Dec 26 16:56:49 2020 from 192.168.111.1

bash: /usr/bin/id: No such file or directory

bash: /usr/bin/id: No such file or directory

[zhangsan@jinkai02 ~]$

After logging in successfully, let's have a look around:

[zhangsan@jinkai02 ~]$ ll /

bash: ll: command not found

[zhangsan@jinkai02 ~]$ ls -l /

total 0

lrwxrwxrwx. 1 root root 7 Dec 26 08:43 bin -> usr/bin

drwxr-xr-x. 2 root root 44 Dec 26 08:43 dev

drwxr-xr-x. 2 root root 240 Dec 26 08:50 etc

drwxr-xr-x. 3 root root 22 Dec 26 08:46 home

lrwxrwxrwx. 1 root root 9 Dec 26 08:43 lib64 -> usr/lib64

drwxr-xr-x. 7 root root 70 Dec 26 08:45 usr

[zhangsan@jinkai02 ~]$ <Tab pressed twice>

Display all 116 possibilities? (y or n)

! cd do fgrep let readarray ssh unalias

./ chmod done fi ln readonly suspend unset

: command echo for local return sync until

[compgen egrep function logout rm tar vi

[[ complete elif getopts ls rmdir test vim

]] compopt else grep mapfile rsync then wait

alias continue enable gunzip mkdir scp time wget

bash coproc esac gzip mktemp sed times while

bg cp eval hash more select touch zcat

bind cpio exec help mv set trap {

break date exit history popd sh true }

builtin dd export if printf shift type

caller declare false in pushd shopt typeset

case dirs fc jobs pwd sleep ulimit

cat disown fg kill read source umask

These are the only commands the jailed user can execute.

Restrict SSH login:

vim /etc/ssh/sshd_config

PasswordAuthentication no   //changed from yes to no: password login is no longer allowed

Add a firewall rule:

iptables -I INPUT -p tcp --dport 22 -j ACCEPT

Restrict the source IPs allowed to log in:

vim /etc/hosts.allow

sshd: 192.168.111.0/24 1.1.1.1 2.2.2.2

vim /etc/hosts.deny

sshd: ALL

Only the addresses listed in hosts.allow may log in; everyone else is refused.
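To check a candidate rule set before copying it into /etc/hosts.allow, here is an added example (not from the original post) that evaluates a client address against "sshd:" entries of the two forms used above, a bare IPv4 address and an IPv4 CIDR network. It assumes, as on this page, that /etc/hosts.deny contains "sshd: ALL", so anything that does not match an allow entry is refused; other hosts.allow forms (host names, wildcards, netmask notation) are not modelled.

```shell
#!/bin/sh
# Added example: dry-run the allow list used in /etc/hosts.allow above.
# Only bare IPv4 addresses and IPv4 CIDR networks are handled; with
# "sshd: ALL" in hosts.deny, an address that matches nothing is refused.
# Usage: ip_allowed CLIENT_IP ENTRY...   -> exit 0 if allowed, 1 otherwise

ip_allowed() {
  client=$1
  shift
  echo "$client $*" | awk '
    # Convert dotted-quad text to a 32-bit number.
    function ip2n(s,  p) {
      split(s, p, ".")
      return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    {
      c = ip2n($1)
      found = 0
      for (i = 2; i <= NF; i++) {
        n = split($i, e, "/")
        bits = (n == 2) ? e[2] : 32        # a bare address is a /32
        d = 2 ^ (32 - bits)                # size of the host part
        if (int(c / d) == int(ip2n(e[1]) / d))
          found = 1
      }
      exit (found ? 0 : 1)
    }'
}

# Print "<ip> ALLOW" or "<ip> DENY" for each candidate address, so a rule
# set can be checked before it is applied to the live sshd.
check_list() {
  entries=$1
  shift
  for ip in "$@"; do
    if ip_allowed "$ip" $entries; then
      echo "$ip ALLOW"
    else
      echo "$ip DENY"
    fi
  done
}

# Stand-alone run with the page's own allow list and constructed client IPs.
check_list '192.168.111.0/24 1.1.1.1 2.2.2.2' 192.168.111.50 192.168.112.5 2.2.2.2
```

The check mirrors what TCP wrappers does for these two entry forms only; after editing the real file, confirm the result from a second session before closing the one you are working in, since a mistake in hosts.deny locks out every address not listed.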

Next we set up the log audit function. This step has to be performed on every machine that is logged in to through the bastion.

Here jinkai02 is the jump host and jinkai01 is the client; the following is done on jinkai01.

[root@jinkai01 ~]# vim /etc/hosts.allow

sshd:192.168.100.137

[root@jinkai01 ~]# vim /etc/hosts.deny

sshd:ALL

If you now open a new Xshell window to jinkai01 directly, you will find that it can no longer log in.

[root@jinkai01 ~]# mkdir /usr/local/records

[root@jinkai01 ~]# chmod 777 !$

chmod 777 /usr/local/records

[root@jinkai01 ~]# chmod +t !$

chmod +t /usr/local/records

[root@jinkai01 ~]# vim /etc/profile

Add the following:

if [ ! -d /usr/local/records/${LOGNAME} ]
then
  mkdir -p /usr/local/records/${LOGNAME}    #create a subdirectory named after the login name
  chmod 300 /usr/local/records/${LOGNAME}   #mode 300: the owner may write and enter the directory but not list it
fi
export HISTORY_FILE="/usr/local/records/${LOGNAME}/bash_history"   #file that receives the command records
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | {read x cmd; echo "$cmd"; })";} >>$HISTORY_FILE'   #record format: timestamp, user, tty, origin address, command

Now connect to this machine with Xshell: direct login was blocked above, so log in remotely over SSH from the jump host instead:

[root@jinkai02 jail]# ssh 192.168.111.136

[email protected]'s password:

Last login: Sat Dec 26 17:27:45 2020 from 192.168.111.137

[root@jinkai01 ~]# ls /usr/local/records/

root   //a directory for the root login user has been created

[root@jinkai01 ~]# ls /usr/local/records/root/

bash_history

[root@jinkai01 ~]# cat /usr/local/records/root/bash_history

2020-12-26 22:18:34 ##### root pts/1 (192.168.111.137) #### ls /usr/local/records/

2020-12-26 22:18:47 ##### root pts/1 (192.168.111.137) #### ls /usr/local/records/root/

All operations performed over the remote session are recorded in this file:

2020-12-26 22:20:32 ##### root pts/1 (192.168.111.137) #### w

2020-12-26 22:22:57 ##### root pts/1 (192.168.111.137) #### ls

2020-12-26 22:23:04 ##### root pts/1 (192.168.111.137) #### cat /etc/passwd

Create an ordinary user on jinkai01:

[root@jinkai01 ~]# useradd admin

[root@jinkai01 ~]# passwd admin

Change the password of the user admin.

New password:

Invalid password: The password contains the user name in some form

Re-enter the new password:

passwd: All authentication tokens have been successfully updated.

[root@jinkai01 ~]#

Log in as admin from the jump host jinkai02:

[root@jinkai02 jail]# ssh [email protected]

[email protected]'s password:

[admin@jinkai01 ~]$ ls

[admin@jinkai01 ~]$ w

22:26:19 up 5:20, 2 users, load average: 0.00, 0.01, 0.05

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

root pts/0 192.168.111.1 17:07 1:39 0.06s 0.04s bash

admin pts/1 192.168.111.137 22:26 3.00s 0.00s 0.00s w

[admin@jinkai01 ~]$ ls -l /usr/local/records/admin/

ls: Cannot open directory /usr/local/records/admin/: insufficient permissions

The directory was given mode 300 above, so the user cannot list or read it.

Go back to the root session on jinkai01 and view the history:

[root@jinkai01 ~]# cat /usr/local/records/admin/bash_history

2020-12-26 22:26:06 ##### admin pts/1 (192.168.111.137) ####

2020-12-26 22:26:17 ##### admin pts/1 (192.168.111.137) #### ls

2020-12-26 22:26:19 ##### admin pts/1 (192.168.111.137) #### w

2020-12-26 22:27:17 ##### admin pts/1 (192.168.111.137) #### ls -l /usr/local/records/admin/

2020-12-26 22:29:30 ##### admin pts/1 (192.168.111.137) #### cat /usr/local/records/admin/
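Records in this format are only useful if someone reads them, so here is an added example (not part of the original post) that summarises a bash_history audit file per user and pulls out the entries that touched the records directory itself. The sample lines are constructed to match the PROMPT_COMMAND format above; they are not the real files from jinkai01, and the audit file path is assumed.

```shell
#!/bin/sh
# Added example: summarise the per-user records written by the
# PROMPT_COMMAND snippet above. Record format, one per line:
#   YYYY-MM-DD HH:MM:SS ##### user tty (origin) #### command

# Constructed sample records (hypothetical, not the page's real log).
sample_audit() {
  cat <<'EOF'
2020-12-26 22:18:34 ##### root pts/1 (192.168.111.137) #### ls /usr/local/records/
2020-12-26 22:18:47 ##### root pts/1 (192.168.111.137) #### ls /usr/local/records/root/
2020-12-26 22:26:17 ##### admin pts/1 (192.168.111.137) #### ls
2020-12-26 22:27:17 ##### admin pts/1 (192.168.111.137) #### ls -l /usr/local/records/admin/
2020-12-26 22:29:30 ##### admin pts/1 (192.168.111.137) #### cat /usr/local/records/admin/
EOF
}

# Print one "user count" line per user for the records read from stdin.
count_per_user() {
  awk -F' ##### ' '{ split($2, f, " "); n[f[1]]++ } END { for (u in n) print u, n[u] }'
}

# Print the number of records for the user named in $1.
count_user_commands() {
  awk -F' ##### ' -v u="$1" '{ split($2, f, " "); if (f[1] == u) c++ } END { print c + 0 }'
}

# Print the records whose command referenced the audit directory; an
# auditor reviewing the history would want to see these first.
flag_records_access() {
  awk -F' #### ' 'NF >= 2 && $2 ~ /\/usr\/local\/records/'
}

# Stand-alone run over the constructed sample (a real run would read the
# assumed path /usr/local/records/<user>/bash_history instead).
sample_audit | count_per_user
sample_audit | flag_records_access
```

The functions read from stdin, so a real review is `cat /usr/local/records/*/bash_history | count_per_user` from the root session on the client, since the mode 300 set above stops the users themselves from reading the files.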

This is a simple realisation of the bastion host's functions, but the method is imperfect and can be circumvented. For a more complete bastion host, dedicated tools or software are still needed.


Origin blog.51cto.com/11451960/2640823