Jumpserver bastion host management (installation and related operations): Day 89 of learning operations and maintenance on the road from novice to master

Stage 4

Time: August 28, 2023

Participants: All members of the class

Contents:

Jumpserver bastion host management

Table of contents

1. Introduction to bastion host

(1) Common scapegoating scenarios in operation and maintenance

(2) The main reason for taking the blame

(3) Methods to solve the problem of taking the blame

2. Introduction to Jumpserver

(1) Supported operating systems

(2) Function introduction

(3) Jumpserver component description

(4) Jumpserver function description

3. Deploy Jumpserver environment

(1) Experimental environment

4. Jumpserver configuration application

(1) System settings

(2) Create assets

(3) Add assets in the same way and get the following:


1. Introduction to bastion host

(1) Common scapegoating scenarios in operation and maintenance

        1. An unidentified user uses the remote operations channel to attack the server and causes abnormalities in the business system, but the operations staff cannot identify the source of the attack; the leader will be very angry and the consequences will be serious.

        2. A server that only Zhang San is supposed to manage was logged into by Li Si, who performed illegal operations, but there is no evidence that Li Si logged in, so Zhang San can only take the blame.

        3. Operations staff accidentally leak a server password. Once a security incident occurs, the consequences are disastrous.

        4. Important data on a server is stolen, and if the data files cannot be recovered, we face immeasurable economic losses.

        During operations work, factors such as remote logins of unknown origin, unauthorized operations, password leaks, data theft and illegal operations can seriously threaten the running business system. Once an accident occurs, if its cause cannot be located quickly, the operations staff often end up taking the blame.

(2) The main reason for taking the blame

        In fact, various problems are inevitable in operations work. You must not only have good analysis and handling capabilities, but also prevent problems from happening again.

To do that, you must clearly understand the real causes of the problem:

1. There is no standardized management, and the boundary between people and servers is not clear;

2. There is no real-name mechanism, and there is no real-name verification before logging into the server;

3. There is no password custody: there are too many server passwords, they are difficult to change regularly, and you are afraid of losing them if you keep them yourself;

4. Without operational warnings, high-risk and sensitive operations cannot be prevented in advance;

5. There is no transfer control, so file transfers to and from important servers cannot be controlled;

6. Without a playback process, the operations process cannot be fully reconstructed.

(3) Methods to solve the problem of taking the blame

        As operations personnel, how can we escape the embarrassing situation of taking the blame described above? A bastion host may be the way to break this deadlock.

1. Unified entrance and standardized management

        Provide a unified entrance: all operations personnel can access servers only by logging in to the bastion host. This sorts out the relationship between "people and servers" and prevents unauthorized logins.

 

2. Use verification mechanisms such as mobile APP dynamic passwords

        Use two-factor, real-name identity authentication mechanisms such as mobile APP dynamic passwords, OTP dynamic tokens, USB keys and SMS passwords to prevent passwords from being brute-forced and to solve the problem of ambiguous access identities.

 

3. Hosting server password to realize automatic password change

        Automatically and regularly change server passwords through the bastion host, eliminating the trouble of changing passwords manually, password leaks, and having to remember passwords.

1) Passwords can be changed automatically for Windows, Linux, Unix, network devices and other systems;

2) A cycle or a specific time can be set for running the password-change task;

3) Password complexity, random passwords, designated passwords, fixed password formats and so on can be configured;

4) The password file can be sent automatically to the administrator by email, SFTP or FTP;

5) A password fault-tolerance mechanism is provided: automatic backup before a password change, no change if the backup fails, automatic backup after the change, automatic password recovery, and so on.

4. In-process control to prevent illegal operations


1) Intercept high-risk and sensitive commands through command control policies.

2) Use a command review policy to approve commands that need to be executed but must not be executed at will.

3) Prevent leakage of data and files through file transfer control policies.

 

5. Refined auditing to trace the entire operation and maintenance process

        The bastion host must perform detailed and complete audits, such as text recording and video playback, so that any step of the operations process can be located quickly:

1) It must provide not only online monitoring, real-time blocking and log playback, but also a behavioural record of every operations session: start and end times, source user, source address, destination address, protocol, commands, and operations (such as uploading, downloading, deleting or modifying files).

2) It must also be able to save files transferred via SFTP/FTP/SCP/RDP/RZ/SZ, to provide a basis for tracing dangerous behaviour such as uploading malicious files, dumping databases, and stealing data.

2. Introduction to Jumpserver

        Jumpserver is the world's first fully open-source bastion host (jump host). It is released under the GNU GPL v2.0 open-source licence and is a professional operations audit system that complies with the 4A model (Authentication, Authorization, Accounting and Audit).

        Jumpserver is developed in Python/Django, follows Web 2.0 conventions, and ships with an industry-leading Web Terminal solution, giving it a clean interactive interface and a good user experience.

        Jumpserver uses a distributed architecture and supports deployment across multiple regions and data centres. The central node provides the APIs and each data centre deploys its own login nodes; it can be scaled horizontally and has no concurrency limit.

        Management is based on the SSH protocol, so the managed servers do not need any agent software installed. It helps Internet companies manage users, assets (servers), permissions and auditing efficiently and centrally. The management interface is in Chinese, which makes it a very good choice in terms of both functionality and ease of use.

Official website: http://www.jumpserver.org/

(1) Supported operating systems

Redhat / CentOS

Debian / Ubuntu

SUSE

FreeBSD

Other hardware devices that support the SSH protocol (such as switches, ...)

(2) Function introduction

1. Accurately record operation commands

2. Support batch file upload and download

3. Support host search login

4. Support batch command execution (implemented with Ansible)

5. Support WebTerminal to connect to the host

6. Support batch command execution on the Web

7. Support video playback

8. Support hardware information capture such as CPU, memory, etc.

9. Support asset Excel import and export

10. Support batch changes of assets

11. Support batch push for system users (Ansible implementation)

12. Support mixed fine-grained authorization for users, hosts, user groups, host groups, and system users

13. Support sudo management

14. Support command statistics and command search

15. Support upload and download file auditing

16. Support terminating user connections

17. Support various searches

18. Others

(3) Jumpserver component description

        Jumpserver: the management backend. Administrators perform asset management, user management, asset authorization and other operations through the web page. The default port is 8080/tcp; the configuration file is jumpserver/config.yml.

        Coco: the SSH Server and Web Terminal Server. Users log in over SSH or the Web Terminal with their own accounts and access the assets they are authorized for directly, without needing to know the server's account password. The default SSH port is 2222/tcp and the default Web Terminal port is 5000/tcp; the configuration file is coco/config.yml.

        Luna: the front-end page of the Web Terminal Server, the component users need in order to log in through the Web Terminal.

        Guacamole: the Windows component. Users connect to Windows assets through the Web Terminal (for now Windows assets can only be accessed through the Web Terminal). The default port is 8081/tcp.

        Nginx: front-end proxy service, default port 80/tcp.

        Redis: database cache service, default port 6379/tcp.

        Mysql: database service, default port 3306/tcp.

(4) Jumpserver function description

Essential bastion host features provided by Jumpserver

Authentication:

        Login authentication
        Multi-factor authentication
        Unified resource login and authentication
        LDAP authentication
        OpenID support for single sign-on
        MFA (Google Authenticator)

Account management:

        Centralized account management
        Unified password management
        Batch password change (X-PACK)
        Asset management in multi-cloud environments (X-PACK)
        Admin user management
        System user management
        Asset password custody
        Automatic password generation
        Automatic password push
        Password expiration settings
        Regular batch password changes
        Random password generation
        Unified management of private-cloud and public-cloud assets

Authorization control:

        Asset authorization management
        Organization management (X-PACK)
        Multi-dimensional authorization
        Command restrictions
        Unified file transfer
        File management
        Asset tree
        Flexible authorization of assets or asset groups
        Automatic inheritance of authorization for assets within a node
        Multi-tenant management and permission isolation
        Authorization of users, user groups or system roles
        Restriction of privileged commands, with black and white lists
        SFTP file upload/download
        Web SFTP file management

Security audit:

        Session management
        Video management
        Command audit
        File transfer audit
        Online session management
        Historical session management
        Linux recording support
        Windows recording support
        Command records
        Upload/download record audit

3. Deploy Jumpserver environment

Official website recommended installation environment

CPU: 2 cores, memory: 8G

(1) Experimental environment

IP address          Hostname      Role

192.168.100.131     jumpserver    Bastion host

192.168.100.132     server132     Managed server

192.168.100.133     server133     Managed server

Official quick installation:

Installation Deployment - JumpServer Documentation

1. Turn off the firewall

[root@huyang1 ~]# systemctl stop firewalld

[root@huyang1 ~]# iptables -F

[root@huyang1 ~]# setenforce 0

[root@jumpserver ~]# hostnamectl set-hostname jumpserver

 

2. Download the software online

curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.28.0/quick_start.sh | bash

Follow the prompts:

cd /opt/jumpserver-installer-v2.28.0/

./jmsctl.sh start

 

3. Test the connection

# linux

ssh -p2222 [email protected] # password: admin

sftp -P2222 [email protected] # password: admin

 

# On Windows, the Xshell terminal login syntax is as follows

ssh [email protected] 2222 # password: admin

[root@localhost ~]# ssh -p2222  [email protected]
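As an added example (not from the original post or the JumpServer project), a post-install check to run after `./jmsctl.sh start`: it parses `ss -ltn` output for the component ports listed in the component description above, reports any that are not listening, and flags Redis or MySQL bound to anything other than loopback. The `ss` sample embedded in the script is constructed, and the port-to-component names are assumptions for labelling only.

```shell
#!/usr/bin/env bash
# Added example: verify the JumpServer component ports after "./jmsctl.sh start".
# Input is the output of `ss -ltn`; a constructed sample is used unless "live" is given.

# Expected listeners, port:name, taken from the component description above.
JMS_PORTS="80:nginx 8080:jumpserver 2222:coco-ssh 5000:coco-web 8081:guacamole 6379:redis 3306:mysql"

# Constructed sample `ss -ltn` output: guacamole is not running, redis listens on 0.0.0.0.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*
LISTEN 0      128    0.0.0.0:5000       0.0.0.0:*
LISTEN 0      128    0.0.0.0:6379       0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*'

# check_ports SS_OUTPUT -> prints one line per expected port: "<name> <port> ok|missing|exposed"
check_ports() {
    ss_out="$1"
    for entry in $JMS_PORTS; do
        port="${entry%%:*}"; name="${entry#*:}"
        # Column 4 is Local Address:Port; match on the text after the last ':'.
        addr=$(printf '%s\n' "$ss_out" | awk -v p="$port" '
            $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) { print $4; exit } }')
        if [ -z "$addr" ]; then
            echo "$name $port missing"
        elif { [ "$name" = redis ] || [ "$name" = mysql ]; } && [ "${addr%:*}" != "127.0.0.1" ]; then
            # Backing services should only be reachable by the local components.
            echo "$name $port exposed"
        else
            echo "$name $port ok"
        fi
    done
}

# "live" checks the running host; anything else runs against the constructed sample.
if [ "${1:-}" = live ]; then
    check_ports "$(ss -ltn)"
else
    check_ports "$SAMPLE_SS"
fi
```

Run it as `bash check_ports.sh live` on the bastion host to check the real system. Because step 1 above stopped firewalld and flushed iptables, the bind address is the only thing limiting network access to these ports, which is why the script singles out Redis and MySQL.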

 

4. Web access test:

Username: admin   Password: admin

Change the password:

Automatic redirect:

Log in again:

Enter and access:

You can configure the current mailbox: on the main page (the console), choose User management ---> User list

Click Update to the right of administrator to enter and modify as follows:

View it in the Personal center on the right, as follows:

4. Jumpserver configuration application

(1) System settings

1. Set the current site URL; change it as follows:

2. Set the mailbox:

3. Enter content: test

4. Test the result

(2) Create assets

1. Create an asset admin user ---> Privileged user, create as follows:

2. Enter and add Name ---> Username ---> Password and key password

3. After submitting, add

4. Create an asset: click Asset list ---> Create

Configure as follows:

Click Submit:

Wait a moment, then refresh:

The final result is as follows:

(3) Add assets in the same way and get the following:

1. Create a privileged user

2. Create asset server132

3. Create asset server133

4. The result is as follows:


Origin: blog.csdn.net/2302_77582029/article/details/132542482