I. What is a bastion host
Bastion host: in a given network environment, to protect the network and its data from intrusion and damage by both external and internal users, a bastion host uses various technical means to collect and monitor in real time the system state, security events and network activity of every component of that environment, so that alarms are centralised, incidents are handled promptly, and audits can assign responsibility.
A bastion host is also called a jump host. A simple jump host has limited functionality; its core functions are remote login to servers and log auditing.
Open source: jumpserver, which provides authentication, authorization, auditing, automation and asset management.
Commercial: Qizhi (齊治), Citrix XenApp.
II. Building a simple bastion host
The prerequisites for a bastion host are that the machine has both an external (public) network interface and an internal (private) one, and that the machines on the internal network can talk to each other.
Design: firewall rules, login restrictions in sshd_config, user and command restrictions (jailkit), and log auditing on the client machines.
Log auditing: http://www.68idc.cn/help/server/linux/2014042190951.html
III. Installing jailkit to implement chroot
Lab environment: RHEL 7.5, IP: 192.168.10.101
1. Download and install jailkit
Download: https://olivier.sessink.nl/jailkit/index.html#download
[root@lb01 ~]# curl -O https://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
[root@lb01 ~]# tar xf jailkit-2.19.tar.gz
[root@lb01 ~]# cd jailkit-2.19/
[root@lb01 jailkit-2.19]# ./configure && make && make install
2. Configuration
Users who log in to the jump host are confined to a directory and may only use certain commands.
[root@lb01 ~]# mkdir /home/jail
[root@lb01 ~]#
[root@lb01 ~]# jk_init -v -j /home/jail/ basicshell
[root@lb01 ~]# jk_init -v -j /home/jail/ editors
[root@lb01 ~]# jk_init -v -j /home/jail/ netutils
[root@lb01 ~]# jk_init -v -j /home/jail/ ssh
3. Create the user
Create a user for logging in to the jump host; assume the user name is zhangsan.
[root@lb01 ~]# useradd zhangsan
[root@lb01 ~]# passwd zhangsan
4. Create the directory
[root@lb01 ~]# mkdir /home/jail/usr/sbin
[root@lb01 ~]# cp /usr/sbin/jk_lsh /home/jail/usr/sbin
[root@lb01 ~]#
5. Create the user in the virtual (jailed) system
[root@lb01 ~]# jk_jailuser -m -j /home/jail/ zhangsan
[root@lb01 ~]#
Edit the jailed user's entry in the jail's etc/passwd so that the login shell is /bin/bash:
[root@lb01 ~]# cd /home/jail/
zhangsan:x:1001:1001::/home/zhangsan:/bin/bash
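Before allowing logins, it is worth confirming that the jail really is self-contained. The shell function below is an added example (not from the original post or the jailkit project) that checks the jail root's permissions, that every shell listed in the jail's etc/passwd exists inside the jail, and that no setuid files were copied in; it assumes GNU find as on RHEL and a jail laid out by jk_init as above.

```shell
#!/bin/bash
# Added example (not from the original post): sanity-check a jailkit chroot before
# opening it to users. It verifies the conditions the setup above relies on:
#   1. the jail root is not group- or world-writable (jk_chrootsh refuses such jails),
#   2. every login shell listed in <jail>/etc/passwd exists inside the jail, which is
#      what the manual edit of /home/jail/etc/passwd above must preserve,
#   3. no setuid binaries ended up inside the jail.
# jk_chrootsh additionally requires root ownership of the jail path; that check is
# left out so the example can run unprivileged. Returns the number of problems found.
check_jail() {
  jail=$1
  problems=0
  if [ ! -d "$jail/etc" ]; then
    echo "no etc/ under $jail (run jk_init first)"
    return 1
  fi
  # 1. group/world-writable jail root
  if [ -n "$(find "$jail" -maxdepth 0 -perm /022)" ]; then
    echo "jail root $jail is group- or world-writable"
    problems=$((problems + 1))
  fi
  # 2. each passwd entry's shell, resolved inside the jail, must be executable
  while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
    [ -n "$user" ] || continue
    if [ ! -x "$jail$shell" ]; then
      echo "user $user: shell $shell does not exist inside the jail"
      problems=$((problems + 1))
    fi
  done < "$jail/etc/passwd"
  # 3. setuid files anywhere inside the jail
  suid=$(find "$jail" -type f -perm -4000 2>/dev/null | wc -l | tr -d ' ')
  if [ "$suid" -gt 0 ]; then
    echo "$suid setuid file(s) found inside the jail"
    problems=$((problems + suid))
  fi
  return "$problems"
}

# Against the jail built above: check_jail /home/jail
```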
6. Log in as zhangsan
Connecting to 192.168.10.101:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Thu Sep 13 23:48:16 2018 from 192.168.10.1
bash: /usr/bin/id: No such file or directory
bash: /usr/bin/id: No such file or directory
[zhangsan@lb01 ~]$
Login succeeds; take a look at the root directory:
[zhangsan@lb01 ~]$ ls -l /
total 0
lrwxrwxrwx 1 root root 7 Sep 13 15:41 bin -> usr/bin
drwxr-xr-x 2 root root 44 Sep 13 15:41 dev
drwxr-xr-x 2 root root 240 Sep 13 15:48 etc
drwxr-xr-x 3 root root 22 Sep 13 15:47 home
lrwxrwxrwx 1 root root 9 Sep 13 15:41 lib64 -> usr/lib64
drwxr-xr-x 7 root root 70 Sep 13 15:42 usr
[zhangsan@lb01 ~]$
Unlike an ordinary user, only a handful of directories are visible.
Press Tab twice:
[zhangsan@lb01 ~]$
Display all 116 possibilities? (y or n)
! case dd exec gzip mapfile rm suspend umask
./ cat declare exit hash mkdir rmdir sync unalias
: cd dirs export help mktemp rsync tar unset
[ chmod disown false history more scp test until
[[ command do fc if mv sed then vi
]] compgen done fg in popd select time vim
alias complete echo fgrep jobs printf set times wait
bash compopt egrep fi kill pushd sh touch wget
bg continue elif for let pwd shift trap while
bind coproc else function ln read shopt true zcat
break cp enable getopts local readarray sleep type {
builtin cpio esac grep logout readonly source typeset }
caller date eval gunzip ls return ssh ulimit
[zhangsan@lb01 ~]$
Only a little over 110 commands are available.
Setting: only allow certain IPs to log in
[root@lb01 ~]# echo "sshd: 192.168.10.0/24" >>/etc/hosts.allow
[root@lb01 ~]# echo "sshd: ALL" >> /etc/hosts.deny
[root@lb01 ~]#
IV. Log auditing
Run the following on every machine that needs log auditing.
[root@lb01 ~]# mkdir /usr/local/records
[root@lb01 ~]# chmod 777 /usr/local/records
[root@lb01 ~]# chmod +t /usr/local/records
[root@lb01 ~]#
Edit /etc/profile and append the following at the end of the file:
if [ ! -d /usr/local/records/${LOGNAME} ]; then
    mkdir -p /usr/local/records/${LOGNAME}
    chmod 300 /usr/local/records/${LOGNAME}
fi
export HISTORY_FILE="/usr/local/records/${LOGNAME}/bash_history"
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T##### $(who am i | awk "{print \$1\" \"\$2\" \"\$5}")#####$(history 1 | { read x cmd; echo "$cmd"; })"; } >> $HISTORY_FILE'
Finally, run source /etc/profile.
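To make those records usable, the added example below (not from the original post) parses lines in the format that PROMPT_COMMAND produces, namely `date time##### user tty (ip)#####command` with the who am i fields separated by spaces, and summarises commands per user and client IP; the sample log lines are constructed.

```shell
#!/bin/bash
# Added example (not from the original post): parse and summarise the per-user audit
# records that the PROMPT_COMMAND hook above appends to
# /usr/local/records/<user>/bash_history. Assumed record format:
#   <YYYY-mm-dd> <HH:MM:SS>##### <user> <tty> (<client ip>)#####<command line>
# Constructed sample records (not from a real host):
SAMPLE_LOG='2018-09-13 23:50:01##### zhangsan pts/0 (192.168.10.1)#####ls -l /
2018-09-13 23:50:07##### zhangsan pts/0 (192.168.10.1)#####ssh 192.168.10.102
2018-09-13 23:51:30##### zhangsan pts/1 (192.168.10.1)#####cat /etc/passwd
2018-09-13 23:52:00##### lisi pts/2 (192.168.10.2)#####vim conf.py'

# Split one record into tab-separated fields: date, time, user, tty, ip, command.
parse_audit_line() {
  printf '%s\n' "$1" | awk -F '#####' '{
    split($1, dt, " ")            # date and time
    split($2, who, " ")           # user, tty, (ip) as printed by "who am i"
    ip = who[3]; gsub(/[()]/, "", ip)
    printf "%s\t%s\t%s\t%s\t%s\t%s\n", dt[1], dt[2], who[1], who[2], ip, $3
  }'
}

# Count commands per user@client-ip for a whole log read from stdin; records whose
# "who am i" field is empty (no controlling tty) are reported as "unknown".
audit_summary() {
  awk -F '#####' '{
    n = split($2, who, " ")
    key = (n >= 3) ? who[1] "@" who[3] : "unknown"
    gsub(/[()]/, "", key)
    count[key]++
  }
  END { for (k in count) print k, count[k] }' | sort
}

# Records whose command starts with a given command name, e.g. every ssh hop made
# from this host, which is the jump host use case above.
commands_matching() {
  awk -F '#####' -v cmd="$1" 'index($3, cmd " ") == 1 || $3 == cmd { print $1 " " $3 }'
}

# Example run over the constructed log:
# printf '%s\n' "$SAMPLE_LOG" | audit_summary
# printf '%s\n' "$SAMPLE_LOG" | commands_matching ssh
```

Note that who and awk do not appear in the jailed command list above, so inside the jailkit chroot they would have to be added (for example with jk_cp) before the user/tty/ip field is filled in.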
V. Introduction to jumpserver
Official site: www.jumpserver.org
jumpserver is an open-source jump host system developed in Python and Django that helps Internet companies manage users, assets, permissions and audits efficiently.
It provides:
Auth: unified authentication
CMDB: asset management
Unified authorization
Log auditing
Operations automation
VI. Installing jumpserver
Official installation docs: http://docs.jumpserver.org/zh/docs/setup_by_centos7.html
Download: https://github.com/jumpserver/jumpserver
1. Installing the latest version, 1.4.1
The latest version is installed below.
Note: turn off the firewall and disable SELinux.
(1) Preparation
1. Install dependencies
[root@lb01 ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
2. Install Redis
Jumpserver uses Redis as its cache and Celery broker.
[root@lb01 ~]# yum install redis -y
3. Install MariaDB
[root@lb01 ~]# yum install mariadb-server mariadb mariadb-devel -y
Create the database jumpserver needs and grant privileges on it:
[root@lb01 ~]# systemctl start mariadb
[root@lb01 ~]# mysql -uroot
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]>
4. Install Nginx, used as a reverse proxy to tie Jumpserver and its components together
nginx can be compiled from source or installed with yum from the nginx repository.
[root@lb01 ~]# yum install nginx -y
[root@lb01 ~]# systemctl start nginx
The server block of the nginx configuration is as follows:
server {
    listen 80;                    # proxy port; access goes through this port from now on, not 8080
    client_max_body_size 100m;    # upload size limit for session recordings

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;         # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;   # recording location; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;   # static assets; change this if the install directory changes
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;   # if coco is installed on another server, use its IP here
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}
5. Download and compile Python
Python 3.6.1 is used here.
[root@lb01 ~]# curl -O https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
[root@lb01 ~]# tar xf Python-3.6.1.tar.xz
[root@lb01 ~]# cd Python-3.6.1/
[root@lb01 Python-3.6.1]# ./configure && make && make install
6. Set up a Python virtual environment
[root@lb01 ~]# cd /opt/
[root@lb01 opt]# python3 -m venv py3
[root@lb01 opt]# source /opt/py3/bin/activate
(py3) [root@lb01 opt]#
(py3) [root@lb01 opt]# deactivate
[root@lb01 opt]#
source /opt/py3/bin/activate: enter the virtual environment
deactivate: leave the virtual environment
7. Load the py3 environment automatically
[root@lb01 ~]# cd /opt/
[root@lb01 opt]# git clone git://github.com/kennethreitz/autoenv.git
[root@lb01 opt]# echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
[root@lb01 opt]# source ~/.bashrc
(2) Installing jumpserver
1. Download jumpserver
[root@lb01 ~]# cd /opt/
[root@lb01 opt]# git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master && git pull
[root@lb01 jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
[root@lb01 coco]#
2. Download coco
[root@lb01 opt]# git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master && git pull
[root@lb01 coco]# echo "source /opt/py3/bin/activate" > /opt/coco/.env
3. Install RPM dependencies
[root@lb01 ~]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
[root@lb01 ~]# yum -y install $(cat /opt/coco/requirements/rpm_requirements.txt)
4. Install Python library dependencies
[root@lb01 ~]# cd /opt/jumpserver/
(py3) [root@lb01 jumpserver]# pip install --upgrade pip
(py3) [root@lb01 jumpserver]# pip install -r /opt/jumpserver/requirements/requirements.txt -i https://pypi.python.org/simple
(py3) [root@lb01 jumpserver]# pip install -r /opt/coco/requirements/requirements.txt -i https://pypi.python.org/simple
5. Edit the jumpserver configuration file
(py3) [root@lb01 jumpserver]# vim config.py
SECRET_KEY='123456aaa'
DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
DB_PORT = os.environ.get("DB_PORT") or 3306
DB_USER = os.environ.get("DB_USER") or 'jumpserver'
DB_PASSWORD = os.environ.get("DB_PASSWORD") or '123456'
DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'
Comment out the sqlite3 database settings, enable the mysql database and set its parameters.
6. Edit the coco configuration file
(py3) [root@lb01 jumpserver]# cd /opt/coco/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/coco/.env:
autoenv:
autoenv: --- (begin contents) ---------------------------------------
autoenv: source /opt/py3/bin/activate$
autoenv:
autoenv: --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
(py3) [root@lb01 coco]#
(py3) [root@lb01 coco]# cp conf_example.py conf.py
(py3) [root@lb01 coco]# vim conf.py
CORE_HOST = 'http://127.0.0.1:8080'
Install coco's dependencies.
[root@lb01 ~]# cd /opt/coco/requirements/
[root@lb01 requirements]# yum -y install $(cat rpm_requirements.txt)
[root@lb01 requirements]# pip install -r requirements.txt -i https://pypi.python.org/simple
7. Install the Web Terminal front end: Luna
Download the luna tarball and extract it. Luna is now a pure front end and is served through Nginx.
[root@lb01 ~]# cd /opt/
[root@lb01 opt]# ls
autoenv coco gitlab jumpserver luna luna.tar.gz py3 webroot
[root@lb01 opt]# chown -R root.root luna
[root@lb01 opt]#
8. Generate the database schema and initial data
[root@lb01 ~]# cd /opt/jumpserver/utils
(py3) [root@lb01 utils]# ./make_migrations.sh
9. Run Jumpserver
[root@lb01 ~]# cd /opt/jumpserver/
(py3) [root@lb01 jumpserver]# ./jms start all -d
-d: run in the background
The new version has an updated launch script; usage is ./jms start|stop|status|restart all, and -d must be added to run in the background.
Open in a browser: 192.168.10.101:8080
2. Installing jumpserver version 0.3
Download the 0.3.3 zip from the official site into /home and extract it.
[root@lb01 home]# ls
git jail jumpserver jumpserver-0.3.3 jumpserver-0.3.3.zip mytest test_java www zrlog-master
[root@lb01 home]#
Enter the extracted directory and run the installer:
[root@lb01 home]# cd jumpserver-0.3.3/
[root@lb01 jumpserver-0.3.3]# cd install
[root@lb01 install]# python install.py
...
ansible 1.9.4 has requirement pycrypto>=2.6, but you'll have pycrypto 2.4.1 which is incompatible.
Installing collected packages: PyYAML, django, pycrypto, ecdsa, paramiko, MySQL-python, psutil, xlsxwriter, xlrd, django-bootstrap-form, singledispatch, certifi, backports-abc, tornado, ansible, pyinotify, argparse, django-crontab, django-smtp-ssl, wcwidth, pyte
Found existing installation: PyYAML 3.11
Cannot uninstall 'PyYAML'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.
安裝JumpServer 依賴的python庫失敗!
[root@lb01 install]#
It fails: the PyYAML version is too old.
One-click install script: https://raw.githubusercontent.com/jumpserver/Dockerfile/mysql/get.sh
VPN install script: https://blog.linuxeye.cn/412.html?tdsourcetag=s_pcqq_aiomsg
VII. Logging in to jumpserver
jumpserver was installed above.
The default username and password are both admin.
After a successful login:
VIII. Create an admin user
Click: Assets --> Admin users --> Create
IX. Create an ordinary user
X. Add machines
XI. Add system users and grant access
XII. Add authorization rules
XIII. Client login to jumpserver