Bastion hosts: introduction, building a makeshift bastion host, installing jailkit for a chroot, and audit logs

1. Introduction to bastion hosts

A bastion host is deployed in a specific network environment to protect the network and its data from external damage. It uses a range of techniques to collect and monitor, in real time, the state of each component of the system, its security events and its network activity, so that alarms are centralized, incidents are handled promptly, and responsibility can be established through auditing.

A bastion host is also called a jump host (springboard machine). A simple jump host has only basic features; its core functions are remote login to servers and audit logging.

A good open source option is JumpServer; its main functions are authentication, authorization, auditing, automation and asset management.

Commercial bastion hosts: Qizhi (齐治), Citrix XenApp.


2. Building a makeshift bastion host

This is suited to small companies: the company does not have many machines, but to make logins secure it can still build a simple bastion host (jump host).

Functions: access the company's servers, look things up, and audit what operations each user performed after logging in to a machine.

The condition the bastion host must meet is that the machine has a public-facing address and is also on the private network (LAN) of the server room, so it can communicate with the other machines there.

Design ideas for the bastion host:

Jump host security settings (iptables port restrictions, login restrictions in sshd_config)

User and command privilege restrictions (jailkit) http://blog.chinaunix.net/uid-28310119-id-3503318.html

Log auditing on the client machines; the only drawback is that it cannot be done on the jump host itself, only on the clients.

http://www.68idc.cn/help/server/linux/2014042190951.html


3. Installing jailkit to build a chroot

# cd /usr/local/src
# wget https://olivier.sessink.nl/jailkit/jailkit-2.19.tar.bz2
# tar jxvf jailkit-2.19.tar.bz2
# cd jailkit-2.19
# ./configure && make && make install
# mkdir /home/jail   # create the directory that will serve as the root of the virtual (chroot) system

The following four commands copy some commonly used commands, together with the library files they need, into the virtual root directory.

# jk_init -v -j /home/jail basicshell   # copies the shell and the libraries it depends on into the root of the virtual system
# jk_init -v -j /home/jail editors      # editors: vi, vim
# jk_init -v -j /home/jail netutils     # network-related tools
# jk_init -v -j /home/jail ssh          # used for remote login
# mkdir /home/jail/usr/sbin
# cp /usr/sbin/jk_lsh /home/jail/usr/sbin/jk_lsh   # jk_lsh is the equivalent of a shell for the virtual system; copy it in
1. # useradd zhangsan   # create the user on the host system; to create more users, repeat steps 1-4 from here
2. # passwd zhangsan
3. # jk_jailuser -m -j /home/jail zhangsan   # create the user inside the virtual system
# cd /home/jail/
[root@wbs jail]# cat etc/passwd   # the virtual user zhangsan
root:x:0:0:root:/root:/bin/bash
zhangsan:x:1122:1122::/home/zhangsan:/usr/sbin/jk_lsh
# /usr/sbin/jk_lsh is the shell of the virtual system; it cannot be used for an interactive login, so it must be changed to /bin/bash for zhangsan to log in to the virtual system
4. # vim /home/jail/etc/passwd   # on the zhangsan line, change /usr/sbin/jk_lsh to /bin/bash
# ls /home/jail/   # the most common commands and library files are now in the root directory of the virtual system
bin  dev  etc  home  lib64  usr



Open a new session window: the IP is the machine's IP, the user name is zhangsan and the password is zhangsan. After logging in you will see two lines of "bash: /usr/bin/id: No such file or directory"; this is because /etc/profile runs id, which does not exist inside the jail, so it can be ignored.

$ ls -l /   # only 6 directories are visible

Press Tab twice and you can see that only 117 commands are available, all of them in bin.
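As an added example that is not part of the original post, the following shell script checks a jail built the way the steps above describe: every non-root entry in the jail's etc/passwd must point at a shell and a home directory that exist under the jail root (step 4 edits exactly that shell field), and the jail should contain no setuid files. It constructs throwaway jail directories under mktemp so it runs without jailkit installed; the directory layout and the zhangsan user are the post's, while the lisi user and its /bin/zsh shell are made up to show a broken jail.

```bash
#!/bin/bash
# Added example, not from the original post: sanity-check a jailkit chroot.
# Each non-root user in <jail>/etc/passwd must have a shell and a home
# directory that exist under the jail root, and no setuid file should be
# present inside the jail.

# jail_check JAIL_ROOT : prints one finding per line, returns 1 if any finding
jail_check() {
    local root=$1 problems=0 user home shell suid
    [ -f "$root/etc/passwd" ] || { echo "no etc/passwd under $root"; return 1; }
    while IFS=: read -r user _ _ _ _ home shell; do
        [ "$user" = root ] && continue            # root is not a jailed login
        if [ ! -x "$root$shell" ]; then
            echo "user $user: shell $shell missing in jail"; problems=1
        fi
        if [ ! -d "$root$home" ]; then
            echo "user $user: home $home missing in jail"; problems=1
        fi
    done < "$root/etc/passwd"
    # setuid binaries do not belong inside a chroot
    suid=$(find "$root" -type f -perm -4000 2>/dev/null)
    if [ -n "$suid" ]; then
        echo "setuid file(s) in jail: $suid"; problems=1
    fi
    return $problems
}

# build_demo_jail DIR USER SHELL : constructed jail with the post's layout
# (bin dev etc home lib64 usr); /bin/bash and /usr/sbin/jk_lsh are stub scripts
build_demo_jail() {
    local root=$1 user=$2 shell=$3
    mkdir -p "$root/bin" "$root/dev" "$root/etc" "$root/home/$user" "$root/lib64" "$root/usr/sbin"
    printf '#!/bin/sh\n' > "$root/bin/bash";         chmod 755 "$root/bin/bash"
    printf '#!/bin/sh\n' > "$root/usr/sbin/jk_lsh";  chmod 755 "$root/usr/sbin/jk_lsh"
    printf 'root:x:0:0:root:/root:/bin/bash\n%s:x:1122:1122::/home/%s:%s\n' \
        "$user" "$user" "$shell" > "$root/etc/passwd"
}

GOOD_JAIL=$(mktemp -d)
build_demo_jail "$GOOD_JAIL" zhangsan /bin/bash   # the post's end state after step 4

BAD_JAIL=$(mktemp -d)
build_demo_jail "$BAD_JAIL" lisi /bin/zsh         # constructed: a shell that was never copied into the jail
trap 'rm -rf "$GOOD_JAIL" "$BAD_JAIL"' EXIT

jail_check "$GOOD_JAIL" && echo "$GOOD_JAIL: jail looks consistent"
jail_check "$BAD_JAIL"  || echo "$BAD_JAIL: jail has problems"
```

Run it against /home/jail on the real host after the jk_init and jk_jailuser steps; a shell path that does not resolve inside the jail is the most common reason a jailed login fails silently.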

Create a key pair and add the public key to the .ssh directory. You also need to make the host system accept key-based logins only: # vi /etc/ssh/sshd_config and change PasswordAuthentication yes to PasswordAuthentication no.

Also restrict the iptables rules to block all unnecessary ports, and switch off unused services.

Also restrict which source IPs may log in:
# vi /etc/hosts.allow
Add:
sshd: 192.168.149.0/24 1.1.1.1 2.2.2.2
# vi /etc/hosts.deny   # apart from the allowed network and IPs, everything else is rejected, which raises the security of the machine
sshd: ALL
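As an added example that is not part of the original post, the script below evaluates the hosts.allow and hosts.deny rules above against a client address in the order libwrap applies them: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. It handles the pattern forms used here (ALL, single IPs, a.b.c.d/N networks) plus the trailing-dot prefix form; the rule text is embedded as constructed input, and the 10.0.0.7 client is a made-up address.

```bash
#!/bin/bash
# Added example, not from the original post: evaluate TCP-wrappers style
# hosts.allow / hosts.deny rules for a daemon against a client IP.

# Constructed sample rule files (the post's rules, inlined as text)
HOSTS_ALLOW='sshd: 192.168.149.0/24 1.1.1.1 2.2.2.2'
HOSTS_DENY='sshd: ALL'

# ip_to_int A.B.C.D : dotted quad -> 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pattern_matches PATTERN IP : ALL, exact IP, a.b.c.d/N, or trailing-dot prefix (192.168.149.)
pattern_matches() {
    local pat=$1 ip=$2 net bits mask
    case "$pat" in
        ALL) return 0 ;;
        */*)
            net=${pat%/*}; bits=${pat#*/}
            mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
            [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ] ;;
        *.) case "$ip" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *) [ "$pat" = "$ip" ] ;;
    esac
}

# rules_match RULES DAEMON IP : does any "daemon: pat pat ..." line in RULES match?
rules_match() {
    local rules=$1 daemon=$2 ip=$3 line d pats p
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac      # skip blank lines and comments
        d=$(echo "${line%%:*}" | tr -d ' '); pats=${line#*:}
        [ "$d" = "$daemon" ] || [ "$d" = ALL ] || continue
        for p in $pats; do
            pattern_matches "$p" "$ip" && return 0
        done
    done <<EOF
$rules
EOF
    return 1
}

# tcpwrap_decision ALLOW_RULES DENY_RULES DAEMON IP : prints allow or deny
tcpwrap_decision() {
    if rules_match "$1" "$3" "$4"; then echo allow
    elif rules_match "$2" "$3" "$4"; then echo deny
    else echo allow                                # no rule matched: libwrap's default
    fi
}

# Stand-alone demo: the post's jump-host subnet, one listed address, one outsider
for ip in 192.168.149.133 1.1.1.1 10.0.0.7; do
    printf '%-16s %s\n' "$ip" "$(tcpwrap_decision "$HOSTS_ALLOW" "$HOSTS_DENY" sshd "$ip")"
done
```

The last case in tcpwrap_decision is the one to watch when auditing a host: if hosts.deny is left empty or the sshd: ALL line has a typo, every address that is not explicitly allowed is still let through.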


4. Audit logs

The following operations are restrictions done on the client machines to limit the source IP.

On another machine, first set the allow and deny rules in /etc/hosts.allow and /etc/hosts.deny.

In hosts.allow add: sshd: 192.168.149.133 (the jump host's IP)

In hosts.deny add: sshd: ALL

Now logging in to this machine again from anywhere else will fail.

Only from the jump host can zhangsan log in:

# ssh [email protected]

This is what makes the machine a jump host.

When users log in to the other machines as zhangsan, because the user on this machine is zhangsan, the other machines also need a zhangsan user.


The following operations need to be done on every machine that will be logged in to:

# mkdir /usr/local/records
# chmod 777 !$
# chmod +t !$
# vi /etc/profile   # append the following
if [ ! -d /usr/local/records/${LOGNAME} ]     # LOGNAME is the name of the logged-in user
then
    mkdir -p /usr/local/records/${LOGNAME}
    chmod 300 /usr/local/records/${LOGNAME}     # this user may only write to and enter the directory
fi
export HISTORY_FILE="/usr/local/records/${LOGNAME}/bash_history"   # file that records the command history; the next line writes the last executed command to it
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'

Log in to this machine again:
# cd /usr/local/records/
[root@MRX records]# ls
root
[root@MRX records]# cd root/
[root@MRX root]# ls
bash_history
[root@MRX root]# tail bash_history 
2019-10-01 19:32:06 ##### root pts/0 (192.168.149.1) #### 2019/10/01 19:19:58 vim /etc/profile
2019-10-01 19:32:17 ##### root pts/0 (192.168.149.1) #### 2019/10/01 19:32:17 ls
2019-10-01 19:32:34 ##### root pts/0 (192.168.149.1) #### 2019/10/01 19:32:34 cd /usr/local/records/
2019-10-01 19:32:35 ##### root pts/0 (192.168.149.1) #### 2019/10/01 19:32:35 ls
2019-10-01 19:32:37 ##### root pts/0 (192.168.149.1) #### 2019/10/01 19:32:37 cd root/
2019-10-01 19:32:38 ##### root pts/0 (192.168.149.1) #### 2019/10/01 19:32:38 ls

This is unlike the system's own history, which only records commands after you exit the terminal normally: the commands you typed are kept only in memory and are not written to the file unless you exit normally, so if the power fails or the session ends for some other reason those commands are not recorded. This audit log has no such problem.
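As an added example that is not from the original post, the script below parses records in the format the PROMPT_COMMAND above writes and reports commands whose source address is not the jump host (192.168.149.133 is the jump host address used in this post). The sample records, the 10.0.0.9 address and the tty1 console login are constructed; the history entry carries a date prefix as in the output above, which the parser strips.

```bash
#!/bin/bash
# Added example, not from the original post: parse the audit records written
# by the PROMPT_COMMAND in /etc/profile and flag commands that did not arrive
# through the jump host. Record format:
#   <date> <time> ##### <user> <tty> (<source>) #### <history entry>

JUMP_HOST_IP=192.168.149.133     # the jump host address used in this post

# Constructed sample records (the 10.0.0.9 source and the tty1 login are made up)
SAMPLE_LOG='2019-10-01 19:32:06 ##### root pts/0 (192.168.149.133) #### 2019/10/01 19:19:58 vim /etc/profile
2019-10-01 19:33:10 ##### zhangsan pts/1 (192.168.149.133) #### 2019/10/01 19:33:10 ls
2019-10-01 19:35:42 ##### zhangsan pts/2 (10.0.0.9) #### 2019/10/01 19:35:42 vim /etc/hosts.allow
2019-10-01 19:36:00 ##### root tty1 #### 2019/10/01 19:36:00 reboot'

# audit_fields LOGTEXT : one line per record, "user<TAB>source<TAB>command".
# "who am i" prints no "(source)" for a console login, so that case is
# reported as "console"; the history timestamp (YYYY/MM/DD HH:MM:SS) is removed.
audit_fields() {
    printf '%s\n' "$1" | awk '
        / ##### .* #### / {
            split($0, half, " ##### ")        # half[2] = "user tty (src) #### entry"
            split(half[2], part, " #### ")    # part[1] = "user tty (src)", part[2] = history entry
            n = split(part[1], w, " ")
            user = w[1]; src = "console"
            if (n >= 3 && w[3] ~ /^\(.*\)$/) src = substr(w[3], 2, length(w[3]) - 2)
            cmd = part[2]
            sub(/^[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] /, "", cmd)
            printf "%s\t%s\t%s\n", user, src, cmd
        }'
}

# audit_unexpected LOGTEXT JUMP_IP : records whose source is not the jump host
audit_unexpected() {
    audit_fields "$1" | awk -F'\t' -v ok="$2" '$2 != ok'
}

# audit_count_user LOGTEXT USER : number of commands recorded for USER
audit_count_user() {
    audit_fields "$1" | awk -F'\t' -v u="$2" '$1 == u' | wc -l | tr -d ' '
}

echo "commands not routed through $JUMP_HOST_IP:"
audit_unexpected "$SAMPLE_LOG" "$JUMP_HOST_IP"
```

Because hosts.allow on the client only admits the jump host, any record with another source means the restriction was bypassed or not applied, which is exactly what this check surfaces; feed it the real file with audit_unexpected "$(cat /usr/local/records/zhangsan/bash_history)" 192.168.149.133.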

[root@MRX root]# useradd zhangsan    # create a zhangsan user
[root@MRX root]# passwd zhangsan

Then log in to it from the jump host:

[zhangsan@wbs ~]$ ssh [email protected]

# Then run a few arbitrary commands; back on the client you can see the commands the zhangsan user typed.

[root@MRX records]# ls
root  zhangsan

This method is not perfect and can be circumvented; it is only a simple bastion host. To build a proper bastion host you still need professional tools and software.

Origin blog.51cto.com/13576245/2448896