
Jumpserver bastion host: a sharp weapon that lets operations and maintenance staff stop taking the blame

2025-01-18 Update, from: SLTechnology News&Howtos (Servers)


Shulou (Shulou.com) 06/03 report

Factors such as unidentified access sources, operations beyond one's authority, password leakage, data theft and illegal operations can put a business system under serious threat. When an incident happens and its cause cannot be located quickly, the operations and maintenance (O&M) staff usually end up taking the blame.

Several common blame-taking scenarios

1. A business system fails because an unidentified party used the remote O&M channel to * * the server.

If the O&M staff cannot identify the source, the leader is very angry and the consequences are very serious.

2. A server that only Zhang San is supposed to manage has been logged into by Li Si, who performed illegal operations on it.

There is no evidence that Li Si logged in, so Zhang San can only take the blame.

3. O&M staff accidentally leak a server password. If a security incident follows, the consequences are unimaginable.

4. Important data is stolen from a server, and the data file cannot be recovered, leaving incalculable economic losses.

Why the blame lands on O&M

Problems of every kind are unavoidable in O&M work.

Good analysis and handling skills are necessary, but so is preventing the same problem from recurring, which means knowing its real cause:

1. No standardized management: the boundary between people and servers is unclear.

2. No real-name mechanism: identity is not verified before logging in to a server.

3. No password custody: servers carry too many passwords, so they are hard to change regularly and risky to keep for fear of losing them.

4. No operational warning: high-risk and sensitive operations cannot be defended against in advance.

5. No transfer control: file transfers to and from important servers cannot be controlled.

6. No traceability: the O&M process cannot be fully reconstructed afterwards.

The essential skill for ending the blame-taking

How can O&M staff escape the embarrassing position of taking the blame? A bastion host (fortress machine) may be the essential skill for breaking the deadlock.

1. A unified entrance and standardized management

Provide a single entry point: all O&M personnel can reach servers only by logging in to the bastion host first. This sorts out the relationship between "people and servers" and prevents logins that exceed one's authority.

2. Authentication mechanisms such as mobile app dynamic passwords

Adopt two-factor real-name authentication, such as a mobile app dynamic password, an OTP dynamic token, a USB key or an SMS password.

This prevents passwords from being brute-forced and resolves the problem of ambiguous access identities.

3. Password custody for managed servers, with automatic password changes

The bastion host changes server passwords automatically on a schedule, removing the trouble of changing passwords by hand, leaking them and having to remember them.

1. It can automatically change passwords on Windows, Linux, Unix, network devices and other systems.

2. Password-change tasks can run periodically or at a specified time.

3. Password complexity can be configured: random passwords, specified passwords, a fixed password format, and so on.

4. Password files can be sent to the administrator automatically by mail, SFTP or FTP.

5. A fault-tolerance mechanism is provided: automatic backup before a change, backup on failure, automatic backup after a change, automatic password recovery, and so on.

4. Control during operations to prevent illegal actions


1. Intercept high-risk and sensitive commands through a command-control policy.

2. Through a command-review policy, commands that must be run but must not be run at will are executed only after approval.

3. Prevent leakage of data and files through a file-transfer control policy.
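As an added illustration of the three policies above (this is not JumpServer's code; the pattern lists and the four outcomes are constructed for this example), a small POSIX shell function classifies a session command the way a bastion host's control layer would: intercept it, hold it for approval, hand it to the transfer-control policy, or let it through.

```shell
#!/bin/sh
# Added example, not JumpServer code: a minimal command-control policy of the
# kind a bastion host applies before a session command reaches the server.
# The pattern lists are constructed for illustration; a real policy is site-specific.

# 1) Command control: destructive / high-risk commands are intercepted outright.
BLOCK_RE='^(rm[[:space:]]+-[[:alpha:]]*[rf][[:alpha:]]*[[:space:]]+/\*?([[:space:]]|$)|mkfs|dd[[:space:]].*of=/dev/|shutdown|reboot|init[[:space:]]+[06])'

# 2) Command review: allowed to run, but only after an approver signs off.
APPROVE_RE='^((service|systemctl)[[:space:]]+.*(stop|restart)|(useradd|userdel|passwd)[[:space:]])'

# 3) File-transfer control: transfer tools are routed to the transfer policy.
TRANSFER_RE='^(scp|sftp|ftp|rz|sz)([[:space:]]|$)'

# Normalise a command line: trim leading blanks and strip a leading "sudo",
# so that "sudo rm -rf /" is judged by the same rule as "rm -rf /".
normalize_command() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/^sudo[[:space:]][[:space:]]*//'
}

# Print the policy decision for one command: deny, approve, transfer or allow.
evaluate_command() {
    cmd=$(normalize_command "$1")
    if printf '%s\n' "$cmd" | grep -E -q -- "$BLOCK_RE"; then
        echo deny
    elif printf '%s\n' "$cmd" | grep -E -q -- "$APPROVE_RE"; then
        echo approve
    elif printf '%s\n' "$cmd" | grep -E -q -- "$TRANSFER_RE"; then
        echo transfer
    else
        echo allow
    fi
}

# Demo over constructed session commands; on a bastion this runs per command.
for c in 'ls -l /var/log' 'rm -rf /tmp/build' 'sudo rm -rf /' \
         'dd if=/dev/zero of=/dev/sda' 'service mysqld restart' \
         'scp /etc/passwd user@10.0.0.5:/tmp/'; do
    printf '%-36s -> %s\n' "$c" "$(evaluate_command "$c")"
done
```

The deny list is checked first so that a destructive command can never be "approved" by matching a later rule; the sudo-stripping step matters because most real-world bypasses of naive command filters are simple prefix variations of the blocked command.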

5. Fine-grained auditing and tracing of the whole O&M process

The bastion host needs to perform fine-grained, complete audits, including file recording and session video playback, so that the O&M process can be located quickly:

1. Not only online monitoring, real-time blocking and log playback, but also, for every operation session, records of the start and stop time, source user,

source address, destination address, protocol, commands and operations (such as upload, download, delete, modify, etc.).

2. It should also be able to save the files transferred by SFTP/FTP/SCP/RDP/RZ/SZ,

which serve as a basis for tracing dangerous behaviours such as uploading malicious files, * *, and stealing data.
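The following added example (not JumpServer code) ties the "unified entrance" requirement from point 1 to the audit requirement just described: given SSH login records in the /var/log/secure format, it lists every accepted login that did not arrive through the bastion host. The log lines are constructed, and 192.168.1.200 is the bastion address used in this article's environment; a direct login by "lisi" from a workstation is exactly the "Li Si logged in, no evidence" scenario from the start of the article.

```shell
#!/bin/sh
# Added example, not JumpServer code: find SSH logins that bypassed the bastion.
# A bastion host only helps if it is the sole entrance; a login accepted directly
# from a workstation defeats both the unified entrance and the audit trail.
# The log lines are constructed; the format is that of sshd in /var/log/secure.

SAMPLE_LOG='Jun  3 10:12:01 web01 sshd[2101]: Accepted publickey for root from 192.168.1.200 port 50122 ssh2
Jun  3 10:15:44 web01 sshd[2188]: Accepted password for root from 192.168.1.57 port 40111 ssh2
Jun  3 10:16:02 web01 sshd[2190]: Failed password for root from 10.0.0.9 port 41001 ssh2
Jun  3 10:20:10 web01 sshd[2230]: Accepted publickey for deploy from 192.168.1.200 port 50130 ssh2
Jun  3 10:33:19 web01 sshd[2301]: Accepted password for lisi from 172.16.4.8 port 39000 ssh2'

# Read sshd log lines on stdin; print "timestamp user source" for every accepted
# login whose source address is not the bastion ($1). Failed attempts are ignored
# here because only a successful direct login defeats the unified entrance.
bypass_logins() {
    awk -v bastion="$1" '
        /sshd\[[0-9]+\]: Accepted / {
            user = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") src  = $(i + 1)
            }
            if (src != bastion) print $1 " " $2 " " $3, user, src
        }'
}

# Count the findings in the constructed sample for a given bastion address.
count_bypass_logins() {
    printf '%s\n' "$SAMPLE_LOG" | bypass_logins "$1" | awk 'END { print NR }'
}

# Demo: with 192.168.1.200 as the bastion, two direct logins are reported.
printf '%s\n' "$SAMPLE_LOG" | bypass_logins 192.168.1.200
```

Run it against a real file with `bypass_logins 192.168.1.200 < /var/log/secure`. Detection is the second half of the control; the first half is making the bypass impossible, for example by limiting sshd on each backend server to the bastion's address (an sshd `Match Address` block or a firewall rule for port 22), so that any finding from this check points to a misconfigured host rather than a routine event.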

Now let's look at the specific installation and deployment of the bastion host.

Jumpserver is an open-source jump server (bastion host) system written in Python that implements the functions of a jump server.

It manages hosts over the SSH protocol, so no agent needs to be installed on the clients.

Features:

Fully open source, GPL licensed

Written in Python, easy to extend

Implements the basic functions of a jump server: authentication, authorization and auditing

Integrated with Ansible for batch commands and similar tasks

Supports WebTerminal

Interface written with Bootstrap, good looking

Automatically collects hardware information

Session video playback

Command search

Real-time monitoring

Batch upload and download

Jumpserver 3.0 installation

Compared with jumpserver 2.0, the new 3.0 version drops LDAP-based authorization in favour of pushing users over SSH, and the interface has changed as well.

The functionality is better and the installation easier, unlike version 2.0, which stumped a lot of people. Below, two hosts are used to build a jumpserver bastion host.

Environment:

CentOS 6.5 x86_64

iptables turned off, SELinux turned off

Jumpserver: 192.168.1.200

Clients: 192.168.1.210

PS: the steps below are carried out on the jumpserver and clients hosts only; preparing the environment itself is not covered.

1. Install the dependency packages

yum -y install epel-release

yum clean all && yum makecache

yum -y update

yum -y install git python-pip mysql-devel gcc automake autoconf python-devel vim sshpass lrzsz readline-devel

2. Download jumpserver

cd /opt

git clone https://github.com/jumpserver/jumpserver.git

Note: if the download fails, download the zip package from GitHub and unpack it with unzip.

3. Execute the quick installation script

cd /opt/jumpserver/install

pip install -r requirement.txt

View the installed packages:

pip freeze

python install.py

Enter the address of jumpserver; the default is "192.168.1.200", then press Enter.

Whether to install MySQL: choose "y" to install it.

After MySQL starts, you are asked for the mail server and account

(used later to send the username, SSH password, web password and SSH key).

After entering the SMTP information, an error is reported. It is a problem with Python's pycrypto module, which needs to be uninstalled and reinstalled:

pip uninstall pycrypto

easy_install pycrypto

After that, run python install.py again, enter the web administrator username and password, and the installation is done.

4. Run crontab

Handle failed connections and refresh asset information on a schedule:

cd /opt/jumpserver

python manage.py crontab add

Note:

1) Enter the relevant information as prompted to complete the installation. After it completes, open the web interface and continue with the follow-up documents.

2) If startup fails, go back to the parent directory and run ./service.sh start manually.

3) If ./service.sh start still fails to start the service:

cd /opt/jumpserver

python manage.py runserver 0.0.0.0:80

python run_websocket.py

4) If startup still fails, ports 80 and 3000 may already be in use, or the database account or password may be wrong; please check.

5. Log in to the web interface

http://192.168.1.200

Note:

One step in using jumpserver is pushing a system user. For the push to succeed, the client (backend server) must meet the following conditions:

1) The backend server needs Python and a sudo environment for the push-user, batch-command and similar functions.

2) If SELinux is enabled on the backend server, install libselinux-python.
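The two conditions above are easy to forget on a freshly built backend server, and a failed push is reported only after the fact. As an added example (not JumpServer code; the script name and the `--run` flag are this example's own convention), the following pre-push check run on the backend server reports whether Python, sudo and, when SELinux is enabled, libselinux-python are present, without changing anything.

```shell
#!/bin/sh
# Added example, not JumpServer code: check that a backend server meets the push
# conditions listed above (python + sudo present; libselinux-python when SELinux
# is enabled) before the bastion pushes a system user to it. Report only.

# SELinux counts as enabled in both Enforcing and Permissive mode (a policy is
# loaded), so the Python binding is required in either case.
needs_libselinux_python() {
    case "$1" in
        Enforcing|Permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# True when python can import the selinux binding that libselinux-python provides.
has_selinux_binding() {
    python -c 'import selinux' >/dev/null 2>&1
}

# Run all checks; print one line per item and return 1 if anything is missing.
preflight() {
    rc=0
    for tool in python sudo; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "ok:      $tool found at $(command -v "$tool")"
        else
            echo "missing: $tool (install it before pushing users or batch commands)"
            rc=1
        fi
    done

    # getenforce is absent on hosts without SELinux; treat that as Disabled.
    mode=$(getenforce 2>/dev/null || echo Disabled)
    if needs_libselinux_python "$mode"; then
        if has_selinux_binding; then
            echo "ok:      SELinux is $mode and libselinux-python is present"
        else
            echo "missing: SELinux is $mode but libselinux-python is not installed"
            rc=1
        fi
    else
        echo "ok:      SELinux is $mode, libselinux-python not required"
    fi
    return "$rc"
}

# Run the checks only when invoked as: sh check_backend.sh --run
if [ "${1-}" = "--run" ]; then
    preflight
fi
```

Run it on each client host before adding it as an asset; a non-zero exit status means the push will fail and names the missing piece.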

Update the code

cd /opt/jumpserver

git pull


© 2024 shulou.com SLNews company. All rights reserved.
