Bastion Host Basics


I. What is a bastion host

Bastion host: in a given network environment, in order to protect the network and its data from intrusion and damage by external and internal users, various technical means are used to collect and monitor in real time the system state, security events and network activity of every component in that environment, so that alerts can be centralised, incidents handled promptly, and responsibility established through audit.

A bastion host is also called a jump host. A simple jump host has only basic features; its core functions are remote login to servers and log auditing.

Open source: jumpserver, which provides authentication, authorization, auditing, automation and asset management.

Commercial: Qizhi (齐治), Citrix XenApp.

II. Building a simple bastion host

The prerequisite for a bastion host is a machine with both an external (public) and an internal (private) network interface, where the machines on the internal network can communicate with each other.

Design: set firewall rules, restrict logins in sshd_config, restrict users and commands (jailkit), and audit the logs of the client machines.

Log auditing: http://www.68idc.cn/help/server/linux/2014042190951.html

III. Installing jailkit to implement chroot

Lab environment: RHEL7.5, ip: 192.168.10.101

1. Download and install jailkit

Download: https://olivier.sessink.nl/jailkit/index.html#download

[root@lb01 ~]# curl -O https://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
[root@lb01 ~]# tar xf jailkit-2.19.tar.gz 
[root@lb01 ~]# cd jailkit-2.19/
[root@lb01 jailkit-2.19]# ./configure && make && make install

2. Configuration

Users who log in to the jump host are confined to a directory and may only use certain commands.

[root@lb01 ~]# mkdir /home/jail
[root@lb01 ~]# 
[root@lb01 ~]# jk_init -v -j /home/jail/ basicshell
[root@lb01 ~]# jk_init -v -j /home/jail/ editors
[root@lb01 ~]# jk_init -v -j /home/jail/ netutils
[root@lb01 ~]# jk_init -v -j /home/jail/ ssh

3. Create a user

Create a user that will log in to the jump host; assume the username is zhangsan

[root@lb01 ~]# useradd zhangsan
[root@lb01 ~]# passwd zhangsan

4. Create the directory

[root@lb01 ~]# mkdir /home/jail/usr/sbin
[root@lb01 ~]# cp /usr/sbin/jk_lsh /home/jail/usr/sbin
[root@lb01 ~]# 

5. Create the user in the virtual system

[root@lb01 ~]# jk_jailuser -m -j /home/jail/ zhangsan
[root@lb01 ~]# 

Change the shell type of the jailed user in the virtual system. jk_jailuser writes the user into the jail's own etc/passwd with /usr/sbin/jk_lsh as the shell; here it is changed to /bin/bash:

[root@lb01 ~]# cd /home/jail/
[root@lb01 jail]# vi etc/passwd     # the jail's copy of passwd, created by jk_jailuser
zhangsan:x:1001:1001::/home/zhangsan:/bin/bash

6. Log in as user zhangsan

Connecting to 192.168.10.101:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Thu Sep 13 23:48:16 2018 from 192.168.10.1
bash: /usr/bin/id: No such file or directory
bash: /usr/bin/id: No such file or directory
[zhangsan@lb01 ~]$  

Login succeeded; take a look at the root directory

[zhangsan@lb01 ~]$ ls -l /
total 0
lrwxrwxrwx 1 root root   7 Sep 13 15:41 bin -> usr/bin
drwxr-xr-x 2 root root  44 Sep 13 15:41 dev
drwxr-xr-x 2 root root 240 Sep 13 15:48 etc
drwxr-xr-x 3 root root  22 Sep 13 15:47 home
lrwxrwxrwx 1 root root   9 Sep 13 15:41 lib64 -> usr/lib64
drwxr-xr-x 7 root root  70 Sep 13 15:42 usr
[zhangsan@lb01 ~]$ 

Unlike an ordinary user, only a limited set of directories is visible.

Press Tab twice:

[zhangsan@lb01 ~]$ 
Display all 116 possibilities? (y or n)
!          case       dd         exec       gzip       mapfile    rm         suspend    umask
./         cat        declare    exit       hash       mkdir      rmdir      sync       unalias
:          cd         dirs       export     help       mktemp     rsync      tar        unset
[          chmod      disown     false      history    more       scp        test       until
[[         command    do         fc         if         mv         sed        then       vi
]]         compgen    done       fg         in         popd       select     time       vim
alias      complete   echo       fgrep      jobs       printf     set        times      wait
bash       compopt    egrep      fi         kill       pushd      sh         touch      wget
bg         continue   elif       for        let        pwd        shift      trap       while
bind       coproc     else       function   ln         read       shopt      true       zcat
break      cp         enable     getopts    local      readarray  sleep      type       {
builtin    cpio       esac       grep       logout     readonly   source     typeset    }
caller     date       eval       gunzip     ls         return     ssh        ulimit     
[zhangsan@lb01 ~]$ 

Only about 110 commands are available.
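The steps above build the jail by hand, and nothing in the walkthrough checks the result. The following script is an added example, not part of the original post or of jailkit: it audits a jail directory for the three things that matter once users are confined in it (ownership and permissions of the jail root, the shells registered in the jail's own etc/passwd and whether they actually exist inside the jail, and setuid/setgid files that jk_init never installs). The sample jail it builds in a temporary directory is constructed for the demonstration; against the real /home/jail run it as root with the default owner.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a jailkit
# chroot like the /home/jail built above. The sample jail layout below is
# constructed for the demonstration; in practice run it as root against the
# real jail directory.

# audit_jail JAIL_DIR [EXPECTED_OWNER]
# Prints one finding per line; the exit status is the number of findings.
audit_jail() {
    jail="$1"
    want_owner="${2:-root}"
    findings=0

    # 1. The jail root must belong to the expected owner (root) and must not be
    #    group- or world-writable, or a jailed user could alter the jail itself.
    owner=$(ls -ld "$jail" | awk '{print $3}')
    perms=$(ls -ld "$jail" | awk '{print $1}')
    if [ "$owner" != "$want_owner" ]; then
        echo "jail root $jail is owned by $owner, expected $want_owner"
        findings=$((findings + 1))
    fi
    case "$perms" in
        d????w*|d???????w*)
            echo "jail root $jail is group- or world-writable ($perms)"
            findings=$((findings + 1)) ;;
    esac

    # 2. jk_jailuser registers the user in the jail's own etc/passwd. Each entry
    #    should use one of the two shells from the walkthrough, and that shell
    #    must exist inside the jail, otherwise the login fails or is not confined.
    if [ -f "$jail/etc/passwd" ]; then
        while IFS=: read -r user pw uid gid gecos home shell; do
            case "$shell" in
                /bin/bash|/usr/sbin/jk_lsh) ;;
                *) echo "user $user has unexpected shell $shell"
                   findings=$((findings + 1)) ;;
            esac
            if [ ! -x "$jail$shell" ]; then
                echo "shell $shell for user $user is missing inside the jail"
                findings=$((findings + 1))
            fi
        done < "$jail/etc/passwd"
    else
        echo "$jail/etc/passwd is missing: jk_jailuser has not been run"
        findings=$((findings + 1))
    fi

    # 3. jk_init copies no setuid/setgid binaries; any that appear later are a
    #    sign the jail was modified and deserve a look.
    suid=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' ')
    if [ "$suid" -gt 0 ]; then
        echo "$suid setuid/setgid file(s) inside $jail"
        findings=$((findings + suid))
    fi

    return "$findings"
}

# make_sample_jail DIR: a constructed, minimal jail with one correct entry
# (zhangsan, as in the walkthrough) and one broken entry (lisi uses /bin/sh,
# which was never copied into the jail).
make_sample_jail() {
    d="$1"
    mkdir -p "$d/etc" "$d/bin" "$d/usr/sbin"
    printf '#!/bin/sh\n' > "$d/bin/bash";        chmod 755 "$d/bin/bash"
    printf '#!/bin/sh\n' > "$d/usr/sbin/jk_lsh"; chmod 755 "$d/usr/sbin/jk_lsh"
    printf 'zhangsan:x:1001:1001::/home/zhangsan:/bin/bash\n' >  "$d/etc/passwd"
    printf 'lisi:x:1002:1002::/home/lisi:/bin/sh\n'            >> "$d/etc/passwd"
    chmod 755 "$d"
}

# Demo run (expected owner is the current user, since the sample is not root's).
sample=$(mktemp -d)
make_sample_jail "$sample"
audit_jail "$sample" "$(id -un)" || echo "$? finding(s)"
rm -rf "$sample"
```

On the sample jail the audit reports two findings, both for lisi (an unexpected shell and a shell that does not exist in the jail); making the jail root group-writable adds a third. The shell allowlist in check 2 is deliberately the two shells the walkthrough uses; extend it if the jail is set up differently.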

Setting: only allow certain IPs to log in

[root@lb01 ~]# echo "sshd: 192.168.10.0/24" >>/etc/hosts.allow 
[root@lb01 ~]# echo "sshd: ALL" >> /etc/hosts.deny 
[root@lb01 ~]# 

IV. Log auditing

Run the following on each machine that needs log auditing.

[root@lb01 ~]# mkdir /usr/local/records
[root@lb01 ~]# chmod 777 /usr/local/records
[root@lb01 ~]# chmod +t /usr/local/records
[root@lb01 ~]# 

Edit /etc/profile and append the following at the end of the file:

# create a per-user record directory on first login; mode 300 lets the user
# write into it but not list it
if [ ! -d /usr/local/records/${LOGNAME} ]; then
    mkdir -p /usr/local/records/${LOGNAME}
    chmod 300 /usr/local/records/${LOGNAME}
fi

export HISTORY_FILE="/usr/local/records/${LOGNAME}/bash_history"
# runs before every prompt: appends "date time##### user tty (source ip)#####last command"
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T##### $(who am i | awk "{print \$1\"\"\$2\"\"\$5}")#####$(history 1 | { read x cmd;echo "$cmd";})";} >> $HISTORY_FILE'

Finally, run source /etc/profile
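The PROMPT_COMMAND above writes one line per command, but the post does not show how to read the result back. The script below is an added example, not part of the original post: it parses the `#####`-separated records into timestamp, user, tty, source address and command, and flags records whose command touches the audit setup itself (the records directory, /etc/profile, or the PROMPT_COMMAND and HISTORY_FILE variables), which is the first thing an auditor wants to know. The sample history file it writes is constructed in exactly the format the hook produces.

```shell
#!/bin/sh
# Added example (not from the original post): parse the records that the
# PROMPT_COMMAND above appends to /usr/local/records/<user>/bash_history and
# flag commands that touch the audit setup itself. The sample records below are
# constructed for the demonstration; point the functions at a real history file.

# Each record has three fields separated by "#####":
#   <date> <time>##### <user><tty>(<source ip>)#####<command>
# The second field is the concatenated output of `who am i` ($1$2$5), so the
# user name, tty and source address have to be pulled apart again.
records_to_tsv() {
    awk -F'#####' '
    NF >= 3 {
        ts = $1
        who = $2; sub(/^ +/, "", who)
        # a command may itself contain "#####": glue the tail back together
        cmd = $3; for (i = 4; i <= NF; i++) cmd = cmd FS $i
        user = "-"; tty = "-"; ip = "-"
        if (match(who, /(pts\/[0-9]+|tty[0-9]+)/)) {
            user = substr(who, 1, RSTART - 1)
            tty  = substr(who, RSTART, RLENGTH)
            rest = substr(who, RSTART + RLENGTH)
            if (match(rest, /\([^)]*\)/)) ip = substr(rest, RSTART + 1, RLENGTH - 2)
        }
        printf "%s\t%s\t%s\t%s\t%s\n", ts, user, tty, ip, cmd
    }' "$1"
}

# Print records whose command references the audit directory, the profile that
# installs the hook, or the variables the hook relies on; the exit status is
# the number of flagged records (0 = nothing to look at).
flag_audit_tampering() {
    records_to_tsv "$1" | awk -F'\t' '
    $5 ~ /\/usr\/local\/records|\/etc\/profile|PROMPT_COMMAND|HISTORY_FILE/ {
        printf "%s %s@%s from %s: %s\n", $1, $2, $3, $4, $5
        n++
    }
    END { exit n + 0 }'
}

# Constructed sample history file in the format the hook produces.
write_sample_records() {
    cat > "$1" <<'EOF'
2018-09-13 23:50:01##### zhangsanpts/0(192.168.10.1)#####ls -l /
2018-09-13 23:50:09##### zhangsanpts/0(192.168.10.1)#####ssh 192.168.10.102
2018-09-13 23:51:30##### zhangsanpts/0(192.168.10.1)#####rm -f /usr/local/records/zhangsan/bash_history
2018-09-13 23:52:02##### lisipts/1(192.168.10.7)#####vi /etc/profile
EOF
}

# Demo run: write the sample, show the parsed table, then the flagged records.
sample=$(mktemp)
write_sample_records "$sample"
records_to_tsv "$sample"
flag_audit_tampering "$sample" || echo "$? record(s) flagged"
rm -f "$sample"
```

On the sample the parser yields four rows and two are flagged. Because the record file is written by the user's own shell, the user owns it and can change it; forwarding the records to a remote log host gives the audit trail the tamper resistance this local setup lacks.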

V. Introduction to jumpserver

Official site: www.jumpserver.org

jumpserver is an open-source jump host system written in Python and Django that helps internet companies manage users, assets, permissions and audits efficiently.

It provides:

Unified authentication (Auth)

Asset management (CMDB)

Unified authorization

Log auditing

Automated operations

VI. Installing jumpserver

Official installation guide: http://docs.jumpserver.org/zh/docs/setup_by_centos7.html

Download: https://github.com/jumpserver/jumpserver

1. Installing the latest version, 1.4.1

The steps below install the latest version.

Note: turn off the firewall and disable selinux

(1) Preparation before installing

1. Install dependency packages

[root@lb01 ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

2. Install Redis

Jumpserver uses Redis as its cache and as the celery broker

[root@lb01 ~]# yum install redis -y

3. Install mariadb

[root@lb01 ~]# yum install mariadb-server mariadb mariadb-devel -y

Create the database jumpserver needs and grant access to it

[root@lb01 ~]# systemctl start mariadb
[root@lb01 ~]# mysql -uroot
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server

MariaDB [(none)]> create database jumpserver default charset 'utf8';

MariaDB [(none)]>  grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456';

MariaDB [(none)]> flush privileges;

MariaDB [(none)]> 

4. Install Nginx, used as a reverse proxy to tie Jumpserver and its components together

Nginx can be compiled from source or installed with yum from the nginx yum repository.

[root@lb01 ~]# yum install nginx -y
[root@lb01 ~]# systemctl start nginx

The nginx server block is configured as follows:

server {
    listen 80;  # proxy port; from now on the site is reached through this port instead of 8080

    client_max_body_size 100m;  # upload size limit for session recordings

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory is changed
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change this if the install directory is changed
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory is changed
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # if coco is installed on another server, use its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # This block is missing from the original excerpt: it forwards everything
    # else to the Jumpserver web service that ./jms starts on port 8080.
    location / {
        proxy_pass http://localhost:8080;  # if jumpserver is installed on another server, use its ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

5. Download and compile Python

Python 3.6.1 is used here

[root@lb01 ~]# curl -O https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
[root@lb01 ~]# tar xf Python-3.6.1.tar.xz 
[root@lb01 ~]# cd Python-3.6.1/
[root@lb01 Python-3.6.1]# ./configure && make && make install

6. Configure the Python virtual environment

[root@lb01 ~]# cd /opt/
[root@lb01 opt]# python3 -m venv py3
[root@lb01 opt]# source /opt/py3/bin/activate
(py3) [root@lb01 opt]# 
(py3) [root@lb01 opt]# deactivate 
[root@lb01 opt]# 

source /opt/py3/bin/activate: enter the virtual environment

deactivate: leave the virtual environment

7. Load the py3 environment automatically

[root@lb01 ~]# cd /opt/
[root@lb01 opt]# git clone git://github.com/kennethreitz/autoenv.git   # GitHub no longer serves git://; use https://github.com/kennethreitz/autoenv.git
[root@lb01 opt]# echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
[root@lb01 opt]# source ~/.bashrc

(2) Installing jumpserver

1. Download jumpserver

[root@lb01 ~]# cd /opt/
[root@lb01 opt]# git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master && git pull
[root@lb01 jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env   # autoenv file for the jumpserver directory (the original wrote it to /opt/coco/.env, which step 2 below covers)

2. Download coco

[root@lb01 opt]# git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master && git pull
[root@lb01 coco]# echo "source /opt/py3/bin/activate" > /opt/coco/.env

3. Install the rpm dependencies

[root@lb01 ~]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
[root@lb01 ~]# yum -y install $(cat /opt/coco/requirements/rpm_requirements.txt)

4. Install the Python library dependencies

[root@lb01 ~]# cd /opt/jumpserver/
(py3) [root@lb01 jumpserver]# pip install --upgrade pip
(py3) [root@lb01 jumpserver]# pip install -r /opt/jumpserver/requirements/requirements.txt -i https://pypi.python.org/simple
(py3) [root@lb01 jumpserver]# pip install -r /opt/coco/requirements/requirements.txt -i https://pypi.python.org/simple

5. Edit the jumpserver configuration file

(py3) [root@lb01 jumpserver]# vim config.py
SECRET_KEY='123456aaa'   # replace with a long random string before the system goes live
DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
DB_PORT = os.environ.get("DB_PORT") or 3306
DB_USER = os.environ.get("DB_USER") or 'jumpserver'
DB_PASSWORD = os.environ.get("DB_PASSWORD") or '123456'
DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

Comment out the sqlite3 database, enable the mysql database and fill in its settings.

6. Edit the coco configuration file

(py3) [root@lb01 jumpserver]# cd /opt/coco/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/coco/.env:
autoenv:
autoenv:   --- (begin contents) ---------------------------------------
autoenv:     source /opt/py3/bin/activate$
autoenv:
autoenv:   --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
(py3) [root@lb01 coco]# 
(py3) [root@lb01 coco]# cp conf_example.py conf.py 
(py3) [root@lb01 coco]# vim conf.py
CORE_HOST = 'http://127.0.0.1:8080'

Install coco's dependencies.

[root@lb01 ~]# cd /opt/coco/requirements/
[root@lb01 requirements]# yum -y install $(cat rpm_requirements.txt)
[root@lb01 requirements]# pip install -r requirements.txt -i https://pypi.python.org/simple

7. Install the Web Terminal front end: Luna

Download the luna archive and extract it. Luna is now a pure front end and needs Nginx to serve it

[root@lb01 ~]# cd /opt/
[root@lb01 opt]# ls
autoenv  coco  gitlab  jumpserver  luna  luna.tar.gz  py3  webroot
[root@lb01 opt]# chown -R root.root luna
[root@lb01 opt]# 

8. Generate the database schema and initial data

[root@lb01 ~]# cd /opt/jumpserver/utils
(py3) [root@lb01 utils]# ./make_migrations.sh

9. Run Jumpserver

[root@lb01 ~]# cd /opt/jumpserver/
(py3) [root@lb01 jumpserver]# ./jms start all -d

-d: run in the background

The new release changed the run script: use ./jms start|stop|status|restart all, and add -d to run in the background.

Open in a browser: 192.168.10.101:8080


2. Installing jumpserver version 0.3

Download the 0.3.3 zip from the official site into /home and extract it

[root@lb01 home]# ls
git  jail  jumpserver  jumpserver-0.3.3  jumpserver-0.3.3.zip  mytest  test_java  www  zrlog-master
[root@lb01 home]# 

Enter the extracted directory and run the installer

[root@lb01 home]# cd jumpserver-0.3.3/
[root@lb01 jumpserver-0.3.3]# cd install
[root@lb01 install]# python install.py
...
ansible 1.9.4 has requirement pycrypto>=2.6, but you'll have pycrypto 2.4.1 which is incompatible.
Installing collected packages: PyYAML, django, pycrypto, ecdsa, paramiko, MySQL-python, psutil, xlsxwriter, xlrd, django-bootstrap-form, singledispatch, certifi, backports-abc, tornado, ansible, pyinotify, argparse, django-crontab, django-smtp-ssl, wcwidth, pyte
  Found existing installation: PyYAML 3.11
Cannot uninstall 'PyYAML'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.
安装JumpServer 依赖的python库失败!
[root@lb01 install]# 

Error: the PyYAML version is too old.

One-click install script: https://raw.githubusercontent.com/jumpserver/Dockerfile/mysql/get.sh

VPN install script: https://blog.linuxeye.cn/412.html?tdsourcetag=s_pcqq_aiomsg

VII. Logging in to jumpserver

Jumpserver was installed in the previous sections

The default username and password are both: admin


After a successful login:


VIII. Create an admin user

Click: Asset management --> Admin users --> Create


IX. Create an ordinary user

X. Add machines

XI. Add system users and grant permissions

XII. Add authorization rules

XIII. Log in to jumpserver from a client


Reposted from: https://my.oschina.net/logmm/blog/2051176
