Bastion host introduction:
Building a simple bastion host – jailkit chroot
wget https://olivier.sessink.nl/jailkit/jailkit-2.19.tar.bz2
tar jxvf jailkit-2.19.tar.bz2
cd jailkit-2.19
./configure && make && make install
mkdir /home/jail
jk_init -v -j /home/jail/ basicshell
jk_init -v -j /home/jail/ editors
jk_init -v -j /home/jail/ netutils
jk_init -v -j /home/jail/ ssh
mkdir /home/jail/usr/sbin
cp /usr/sbin/jk_lsh /home/jail/usr/sbin/jk_lsh
useradd zhangsan
passwd zhangsan
jk_jailuser -m -j /home/jail zhangsan
vim /home/jail/etc/passwd   // on zhangsan's line, change /usr/sbin/jk_lsh to /bin/bash
[root@Dasoncheng ~]# cd /usr/local/src/
[root@Dasoncheng src]# wget https://olivier.sessink.nl/jailkit/jailkit-2.19.tar.bz2
[root@Dasoncheng src]# tar -jxf jailkit-2.19.tar.bz2
[root@Dasoncheng src]# ll
total 403408
drwxrwxr-x 8 mysql mysql    204 Nov 19  2015 jailkit-2.19
-rw-r--r-- 1 root  root  116665 Nov 19  2015 jailkit-2.19.tar.bz2
[root@Dasoncheng src]# cd jailkit-2.19/
[root@Dasoncheng jailkit-2.19]# ./configure
configure: config files will be in /etc/jailkit/
checking for gcc... gcc
……
[root@Dasoncheng jailkit-2.19]# make && make install
[root@Dasoncheng jailkit-2.19]# echo $?
0
[root@Dasoncheng jailkit-2.19]# mkdir /home/jail   ## create /home/jail as the root directory of the jailed system
[root@Dasoncheng jailkit-2.19]# jk_init -v -j /home/jail/ basicshell   # basic shell commands
[root@Dasoncheng jailkit-2.19]# jk_init -v -j /home/jail/ editors   # editors (vi/vim)
[root@Dasoncheng jailkit-2.19]# jk_init -v -j /home/jail/ netutils   # network utilities
[root@Dasoncheng jailkit-2.19]# jk_init -v -j /home/jail/ ssh   # needed for ssh logins
## these four jk_init calls copy the commonly used programs, together with the libraries they depend on, into the jail root
[root@Dasoncheng jailkit-2.19]# mkdir /home/jail/usr/sbin   ## this directory is created to hold a copy of the restricted shell (jk_lsh)
[root@Dasoncheng jailkit-2.19]# cp /usr/sbin/jk_lsh /home/jail/usr/sbin/jk_lsh
[root@Dasoncheng jailkit-2.19]# useradd zhangsan
[root@Dasoncheng jailkit-2.19]# passwd zhangsan
Changing password for user zhangsan.
New password:
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
## create the user zhangsan and set a password
[root@Dasoncheng jailkit-2.19]# jk_jailuser -m -j /home/jail zhangsan   ## make zhangsan a user of the jail: -m moves the home directory into the jail, and the host's /etc/passwd entry is pointed at jk_chrootsh so every login lands inside /home/jail
[root@Dasoncheng jailkit-2.19]# cd /home/jail/   ## enter the jail root
[root@Dasoncheng jail]# ll
total 0
lrwxrwxrwx 1 root root   7 Oct 30 10:03 bin -> usr/bin
drwxr-xr-x 2 root root  44 Oct 30 10:03 dev
drwxr-xr-x 2 root root 240 Oct 30 10:03 etc
drwxr-xr-x 3 root root  22 Oct 30 10:06 home
lrwxrwxrwx 1 root root   9 Oct 30 10:03 lib64 -> usr/lib64
drwxr-xr-x 7 root root  70 Oct 30 10:04 usr
[root@Dasoncheng jail]# cat etc/passwd
root:x:0:0:root:/root:/bin/bash
zhangsan:x:1002:1002::/home/zhangsan:/usr/sbin/jk_lsh
## with jk_lsh as the shell the user cannot get an interactive login inside the jail (jk_lsh only executes commands whitelisted in the jail's /etc/jailkit/jk_lsh.ini), so we change it to /bin/bash as follows; note that this gives the user a full, if chrooted, shell
[root@Dasoncheng jail]# vim !$
vim etc/passwd
[root@Dasoncheng jail]# !c
cat etc/passwd
root:x:0:0:root:/root:/bin/bash
zhangsan:x:1002:1002::/home/zhangsan:/bin/bash
Test:
Log in as zhangsan:
bash: /usr/bin/id: No such file or directory
bash: /usr/bin/id: No such file or directory
## these errors appear when zhangsan logs in: the jail's /etc/profile calls /usr/bin/id, which was not copied into the jail. It is harmless and can be ignored (or copy the binary in with jk_cp -j /home/jail /usr/bin/id).
[zhangsan@Dasoncheng ~]$ ls -l /
total 0
lrwxrwxrwx 1 root root   7 Oct 30 02:03 bin -> usr/bin
drwxr-xr-x 2 root root  44 Oct 30 02:03 dev
drwxr-xr-x 2 root root 240 Oct 30 02:07 etc
drwxr-xr-x 3 root root  22 Oct 30 02:06 home
lrwxrwxrwx 1 root root   9 Oct 30 02:03 lib64 -> usr/lib64
drwxr-xr-x 7 root root  70 Oct 30 02:04 usr
[zhangsan@Dasoncheng ~]$
Display all 116 possibilities? (y or n)   ## double-Tab lists the commands available inside the jail
[zhangsan@Dasoncheng ~]$ ls /etc
bashrc  host.conf  issue  ld.so.conf  nsswitch.conf  profile  resolv.conf  vimrc  group  hosts  ld.so.cache  motd  passwd  protocols  services
[zhangsan@Dasoncheng ~]$ vim .bashrc   ## or .bash_profile, to set aliases
Question 1: how do I add more than one user to the jail?
Repeat these steps from above for each user:
useradd zhangsan
passwd zhangsan
jk_jailuser -m -j /home/jail zhangsan
vim /home/jail/etc/passwd   // change the new user's shell from /usr/sbin/jk_lsh to /bin/bash
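The four steps above, wrapped in a script so they can be repeated for many users without hand-editing the jail's passwd file. This is an added example, not code from the original post or from jailkit: the jail path /home/jail, the decision to give jailed users /bin/bash, and the function names are assumptions. The shell change is done with awk on the jail's own etc/passwd (the file path is a parameter so the edit can be tried on a copy first), and the function fails if the user is not in that file, which catches a jk_jailuser that did not run.

```bash
#!/bin/bash
# Added example (not from the original post): provision jailed users in the
# jailkit chroot built above. JAIL, the user names and giving them /bin/bash
# inside the jail are assumptions.
set -e

JAIL="${JAIL:-/home/jail}"

# Replace the login shell of USER inside a passwd file (normally the jail's
# own etc/passwd). Returns 1 if the user is not listed in that file.
# Usage: set_jail_shell <passwd-file> <user> <shell>
set_jail_shell() {
    local passwd_file="$1" user="$2" shell="$3"
    # passwd fields: name:pw:uid:gid:gecos:home:shell; only touch the named user's line
    awk -F: -v OFS=: -v u="$user" -v s="$shell" '$1 == u { $7 = s } { print }' \
        "$passwd_file" > "$passwd_file.tmp"
    mv "$passwd_file.tmp" "$passwd_file"
    chmod 644 "$passwd_file"          # same mode the real /etc/passwd has
    # verify the edit landed: exit 1 when no line for the user carries the new shell
    awk -F: -v u="$user" -v s="$shell" \
        '$1 == u && $7 == s { found = 1 } END { exit !found }' "$passwd_file"
}

# Usage: jail_shell_of <passwd-file> <user>  -> prints the user's shell field
jail_shell_of() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Full provisioning for one user; needs root and jailkit installed.
# No password is set here: drop the user's public key into
# $JAIL/home/<user>/.ssh/authorized_keys and use key-only login (question 2).
# Usage: add_jailed_user <user>
add_jailed_user() {
    local user="$1"
    id "$user" >/dev/null 2>&1 || useradd "$user"
    jk_jailuser -m -j "$JAIL" "$user"                 # move home into the jail, shell -> jk_chrootsh
    set_jail_shell "$JAIL/etc/passwd" "$user" /bin/bash   # interactive shell inside the jail
}

# ./jail_users.sh --provision zhangsan lisi
if [ "${1:-}" = "--provision" ]; then
    shift
    for u in "$@"; do add_jailed_user "$u"; done
fi
```

Run it as root with `--provision` followed by the user names; without arguments it only defines the functions, which is how the passwd edit can be rehearsed on a copy of /home/jail/etc/passwd before touching the live jail.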
Question 2: how do I allow SSH login with keys only?
1. First, inside the jail, create the key file and add the user's public key (keep ~/.ssh at mode 700 and authorized_keys at 600: with the default StrictModes, sshd refuses keys from a file or directory that is group- or world-writable):
[zhangsan@Dasoncheng ~]$ vim .ssh/authorized_keys
2. Then, on the host system, disable password login:
[root@Dasoncheng ~]# cat /etc/ssh/sshd_config |grep Password
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
Set this line to no, i.e. password login is no longer allowed! Then reload sshd for the change to take effect, and keep your current session open until a key login from a second session has been confirmed to work.
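A check for step 2, added here as an example (not from the original post): grep shows every line that mentions Password, but sshd uses only the first uncommented occurrence of a keyword, so a `PasswordAuthentication no` appended below the existing `yes` changes nothing. The function below reports the value sshd will actually use and goes a little beyond the post by also checking PubkeyAuthentication, ChallengeResponseAuthentication (with PAM, keyboard-interactive can still prompt for a password) and PermitEmptyPasswords. The config path and the checked keywords are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): report the value sshd will
# actually use for an option. sshd honours the FIRST uncommented occurrence
# of a keyword; later lines are ignored. The config path is an assumption.
set -e

# Usage: sshd_effective <config-file> <Keyword>  -> prints the effective value
# (first non-comment occurrence, keyword case-insensitive, "key value" or
# "key=value" forms), or nothing if the keyword is never set (sshd default).
sshd_effective() {
    local cfg="$1" key="$2"
    awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        /^[[:space:]]*Match[[:space:]]/ { exit }        # Match blocks are conditional: stop there
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == k) { print f[2]; exit }
        }' "$cfg"
}

# Usage: check_key_only_login <config-file>
# Returns 0 when password logins are effectively off and public keys are on,
# 1 otherwise, printing one line per finding. Defaults used when a keyword is
# absent: PasswordAuthentication yes, PubkeyAuthentication yes,
# ChallengeResponseAuthentication yes, PermitEmptyPasswords no.
check_key_only_login() {
    local cfg="$1" ok=0 v
    v=$(sshd_effective "$cfg" PasswordAuthentication)
    [ "$v" = no ] || { echo "PasswordAuthentication is '${v:-yes (default)}', want no"; ok=1; }
    v=$(sshd_effective "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" = yes ] || { echo "PubkeyAuthentication is '$v', want yes"; ok=1; }
    v=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    [ "${v:-yes}" = no ] || { echo "ChallengeResponseAuthentication is '${v:-yes (default)}', want no (PAM can still ask for a password)"; ok=1; }
    v=$(sshd_effective "$cfg" PermitEmptyPasswords)
    [ "${v:-no}" = no ] || { echo "PermitEmptyPasswords is '$v', want no"; ok=1; }
    return $ok
}

# ./sshd_check.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    check_key_only_login "$1" && echo "$1: key-only login is in effect"
fi
```

Run it against /etc/ssh/sshd_config after editing and again after the reload; `sshd -T` on the host gives the same effective values straight from the daemon and is the authoritative cross-check.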
Question 3: how do I allow login only from specific IPs or subnets?
[root@Dasoncheng ~]# vim /etc/hosts
hosts        hosts.allow  hosts.deny
[root@Dasoncheng ~]# vim /etc/hosts.allow
[root@Dasoncheng ~]# cat /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.60.0/24 192.168.70.1
[root@Dasoncheng ~]# vim /etc/hosts.deny
[root@Dasoncheng ~]# cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
sshd:ALL
## That is all it takes to allow only the listed IPs/subnets: hosts.allow is consulted first, so matching sources get in and everyone else falls through to sshd:ALL in hosts.deny. The files are read on every new connection, so no sshd restart is needed. This only works when sshd is linked against libwrap (check with ldd $(which sshd) | grep libwrap); upstream OpenSSH dropped tcp_wrappers support in 6.7, so on newer distributions use firewall rules (question 4) instead.
Question 4: set rules to restrict ports
See the iptables chapter!
[root@Dasoncheng ~]# iptables -nvL
Chain INPUT (policy ACCEPT 1614K packets, 495M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2016K packets, 470M bytes)
pkts bytes target prot opt in out source destination
First, test that only the specified IP/subnet can log in to the client machine (the machine being logged into):
[root@localhost ~]# tail -5 /etc/hosts.allow
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.60.11
[root@localhost ~]# tail -5 /etc/hosts.deny
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:ALL
Logging in from the jump host 60.11 succeeds!
Logging in from this machine, 60.1, fails!
That is the intended effect: only 192.168.60.11 is allowed to log in.
Next, we set up command logging on the client machines (every machine that gets logged into):
[root@localhost ~]# mkdir /usr/local/records
[root@localhost ~]# chmod 777 /usr/local/records/
[root@localhost ~]# chmod +t !$
chmod +t /usr/local/records/
[root@localhost ~]# vim /etc/profile
[root@localhost ~]# tail !$
tail /etc/profile
unset -f pathmunge
if [ ! -d /usr/local/records/${LOGNAME} ]   ## if the logged-in user has no directory yet, create it and set its permissions
then
mkdir -p /usr/local/records/${LOGNAME}
chmod 300 /usr/local/records/${LOGNAME}
fi
export HISTORY_FILE="/usr/local/records/${LOGNAME}/bash_history"   ## the file that receives the command records
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'   ## after every prompt, append the most recent command together with the timestamp, user, tty and source address
## Caveat: the record file is owned by the logged-in user, who can edit or truncate it, unset PROMPT_COMMAND, or start a different shell. The sticky bit only keeps users from deleting each other's directories. Treat this as a convenience log, not as tamper-evident audit.
Test:
[zhangsan@Dasoncheng ~]$ ssh root@192.168.60.12
root@192.168.60.12's password:
Last login: Tue Oct 31 02:17:04 2017 from 192.168.60.1
[root@localhost ~]# cd /usr/local/records/
[root@localhost records]# ll   ## the root directory was created automatically
total 0
d-wx------ 2 root root 26 Oct 31 02:26 root
[root@localhost records]# cd root/
[root@localhost root]# ll
total 4
-rw-r--r-- 1 root root 272 Oct 31 02:27 bash_history
[root@localhost root]# cat bash_history
2017-10-31 02:26:47 ##### root pts/1 (192.168.60.11) #### exit
2017-10-31 02:26:54 ##### root pts/1 (192.168.60.11) #### cd /usr/local/records/
2017-10-31 02:26:55 ##### root pts/1 (192.168.60.11) #### ll
2017-10-31 02:27:00 ##### root pts/1 (192.168.60.11) #### cd root/
2017-10-31 02:27:02 ##### root pts/1 (192.168.60.11) #### ll
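Reading the records back is the point of collecting them. The script below is an added example, not part of the original post: it parses the record format the PROMPT_COMMAND hook writes (timestamp, user, tty, source address, command, separated by the ##### and #### markers), summarises activity per source IP, and flags commands an auditor of a jump host would want to look at first, including attempts to switch the logging off. The watch-list patterns and the sample records used to exercise it are constructed for this example.

```bash
#!/bin/bash
# Added example (not from the original post): read the per-user command
# records written by the PROMPT_COMMAND hook above.
# Record format, as the hook writes it:
#   YYYY-MM-DD HH:MM:SS ##### <user> <tty> (<source-ip>) #### <command>
# The watch-list below is constructed for this example.
set -e

# Usage: audit_parse <file>  -> one tab-separated line per record:
#   ts  user  tty  ip  command      (lines without both markers are skipped)
audit_parse() {
    awk '
        {
            n = index($0, " ##### "); m = index($0, " #### ")
            if (n == 0 || m == 0) next             # not a hook record (manual edits, junk)
            ts  = substr($0, 1, n - 1)
            who = substr($0, n + 7, m - n - 7)     # "user tty (ip)"
            cmd = substr($0, m + 6)
            split(who, w, " ")
            ip = w[3]; gsub(/[()]/, "", ip)
            printf "%s\t%s\t%s\t%s\t%s\n", ts, w[1], w[2], ip, cmd
        }' "$1"
}

# Usage: audit_count_by_ip <file>  -> "ip count" per source address, busiest first
audit_count_by_ip() {
    audit_parse "$1" | awk -F'\t' '{ c[$4]++ } END { for (i in c) print i, c[i] }' | sort -k2,2nr
}

# Usage: audit_flag <file>  -> prints the records whose command matches the
# watch-list; returns 0 if anything was flagged, 1 if nothing was
audit_flag() {
    audit_parse "$1" | awk -F'\t' '
        BEGIN {
            # constructed watch-list: logging evasion, account/privilege changes, destructive commands
            pat = "^(unset (PROMPT_COMMAND|HISTORY_FILE)|history -c|rm -rf? /|useradd|userdel|passwd|visudo|sudo |su |su$)|bash_history"
        }
        $5 ~ pat { print; hit = 1 }
        END { exit !hit }'
}

# ./audit_report.sh /usr/local/records/root/bash_history
if [ -n "${1:-}" ]; then
    echo "== commands per source IP"; audit_count_by_ip "$1"
    echo "== flagged commands";      audit_flag "$1" || echo "(none)"
fi
```

Because the records are plain text owned by the user who produced them, run this from a copy pulled off the machine (or from a directory the user cannot write to) if the result is meant to carry any weight; a missing tail of records, or a flagged `unset PROMPT_COMMAND`, is itself the finding.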
One last word: this is only a simple jailkit bastion host, and not a very secure one!