2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
I. Why?
In small and medium-sized enterprises, the different operations and maintenance staff of a company basically all log in to servers with the root account, and there is no account or privilege audit system. That is fine as long as nothing goes wrong; when something does go wrong, it is hard to trace the source.
This article shows how to compile a custom bash so that different clients can all log in to the server as root while their respective operations are recorded separately, and how this can be combined with an ELK log analysis system to collect the login and operation logs.
II. Environment
Server: CentOS 6.5, development tools installed, key authentication in use, SELinux turned off.
Client: two clients, each generating a key pair for logging in to the server.
III. Build and deployment (operations on the server, 192.168.30.72)
3.1 Download and unpack bash
[root@open1 ~]# wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
[root@open1 ~]# tar xvf bash-4.1.tar.gz
[root@open1 ~]# cd bash-4.1
3.2 First modify the config-top.c file: around lines 94 and 104, enable the two defines below by removing the comment markers around them. Note that C comments are /* */, so remove the whole delimiter pair and nothing else, otherwise the build will fail. After the change the two lines read as follows:
[root@open1 bash-4.1]# vim config-top.c
#define SSH_SOURCE_BASHRC
#define SYSLOG_HISTORY
3.3 Modify the bashhist.c file so that commands typed at the terminal are written to the system messages log in the specified format, and pass in the variable obtained at login (the name of the key). The revised function is as follows:
[root@open1 bash-4.1]# vim bashhist.c
#... some sections omitted
/* Write one history line to syslog. NAME_OF_KEY is exported by the login
   script (CheckUser.sh) and identifies the SSH key used for this session. */
void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];
  const char *p;

  p = getenv ("NAME_OF_KEY");
  if (p == 0)                 /* not set (e.g. a non-SSH login): never pass NULL to %s */
    p = "unknown";

  if (strlen (line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
            "HISTORY: PID=%d PPID=%d SID=%d User=%s USER=%s CMD=%s",
            getpid(), getppid(), getsid(getpid()), current_user.user_name, p, line);
  else
    {
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';   /* NUL-terminate after truncation */
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
              "HISTORY (TRUNCATED): PID=%d PPID=%d SID=%d User=%s USER=%s CMD=%s",
              getpid(), getppid(), getsid(getpid()), current_user.user_name, p, trunc);
    }
}
3.4 Configure the installation path, then compile and install; the build goes under the /usr/local/ directory.
[root@open1 bash-4.1]# ./configure --prefix=/usr/local/bash_new
[root@open1 bash-4.1]# make && make install
...
if test "bash" = "gettext-tools"; then \
  /bin/sh /root/bash-4.1/./support/mkinstalldirs /usr/local/bash_new/share/gettext/po; \
  for file in Makefile.in.in remove-potcdate.sin quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot Makevars.template; do \
    /usr/bin/install -c -m 644 ./$file /usr/local/bash_new/share/gettext/po/$file; \
  done; \
  for file in Makevars; do \
    rm -f /usr/local/bash_new/share/gettext/po/$file; \
  done; \
else \
  : ; \
fi
make[1]: Leaving directory `/root/bash-4.1/po'
After compilation, append the new bash to /etc/shells and change the root user's login shell to the newly compiled shell, as follows:
[root@open1 bash-4.1]# echo "/usr/local/bash_new/bin/bash" >> /etc/shells
[root@open1 bash-4.1]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/usr/local/bash_new/bin/bash
[root@open1 bash-4.1]# vim /etc/passwd
root:x:0:0:root:/root:/usr/local/bash_new/bin/bash
Log out of the current root session, log in again and check /var/log/messages; the commands that were run have been recorded, as shown below.
IV. Keys generated on the SSH clients
4.1 Operate on client1 (192.168.30.99), user zhangsan. The ssh-keygen options used when generating the key pair:
-t: key type (encryption algorithm)
-C: comment (this is also the key to finally identifying who accessed the server)
4.2 Upload the public key to the .ssh/authorized_keys file on the server. The ssh-copy-id command automatically creates the .ssh/authorized_keys file on the server even if the directory does not exist yet, and sets its permissions to 600.
[root@rsyslog]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.30.72
root@192.168.30.72's password:
Now try logging into the machine, with "ssh 'root@192.168.30.72'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
4.3 Same operation on client2 (192.168.30.71), user lisi.
Upload the public key to the server:
[root@swift3]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.30.72
The authenticity of host '192.168.30.72 (192.168.30.72)' can't be established.
RSA key fingerprint is 8f:a7:1b:8d:e4:92:ad:ae:ea:1b:fb:67:0b:0b:7c:ac.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.30.72' (RSA) to the list of known hosts.
root@192.168.30.72's password:
Now try logging into the machine, with "ssh 'root@192.168.30.72'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
4.4 Now verify the authorized_keys file on the server.
Now that the two clients above can log in without a password using their keys, configure the server and create the script.
V. Configure the server
5.1 Create a keys file in the log directory to store the public key name used at each login, so it can be checked later:
[root@open1 ~]# touch /var/log/keys
Create the check script as follows:
5.2 Configure /etc/profile by adding one line at the end of the file, as follows:
[root@open1 ~]# echo "test -f /etc/CheckUser.sh && . /etc/CheckUser.sh" >> /etc/profile
Add the following at the end of /etc/bashrc, so that commands passed directly on the ssh command line (BASH_EXECUTION_STRING) are also recorded:
[root@open1]# tail -1 /etc/bashrc
test -z "$BASH_EXECUTION_STRING" || { test -f /etc/CheckUser.sh && . /etc/CheckUser.sh; logger -t -bash -s "HISTORY $SSH_CLIENT USER=$NAME_OF_KEY CMD=$BASH_EXECUTION_STRING" > /dev/null 2>&1; }
Modify the sshd configuration file to turn on debug logging, then restart the sshd service:
[root@open1 ~]# sed -i 's/#LogLevel INFO/LogLevel DEBUG/g' /etc/ssh/sshd_config
[root@open1 ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
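The check script itself is not reproduced on this page, so what follows is an added example, not the article's own CheckUser.sh, of how such a script can work out which authorized key (identified by its ssh-keygen -C comment) a root session authenticated with. It assumes that OpenSSH at LogLevel DEBUG writes a "Connection from <ip> port <port>" line and a "Found matching RSA key: <fingerprint>" line tagged with the same sshd[pid], that fingerprints are colon-separated MD5 as shown earlier on this page, and that authorized_keys lines have the form "<type> <base64 blob> <comment>". The log lines, key blobs and names (zhangsan@client1, lisi@client2, open1) are constructed for the demo; on a real host the script would read /var/log/messages, /root/.ssh/authorized_keys and $SSH_CLIENT, and export the result as NAME_OF_KEY for the patched bash to pick up.

```shell
#!/bin/sh
# Added example, not the article's CheckUser.sh: resolve which authorized
# key a root SSH session authenticated with, from sshd's DEBUG log.
# Assumptions: OpenSSH 5.x on CentOS 6 logs
#   sshd[PID]: Connection from <ip> port <port>
#   sshd[PID]: Found matching RSA key: <md5 colon fingerprint>
# under the same PID, and authorized_keys lines are "<type> <blob> <comment>".

# MD5 fingerprint (aa:bb:...) of a base64 key blob, the format OpenSSH 5.x
# prints for RSA keys (assumption: MD5 fingerprints, as on this page).
fingerprint_of_blob() {
    printf '%s' "$1" | base64 -d 2>/dev/null | md5sum | cut -d' ' -f1 \
        | sed 's/../&:/g; s/:$//'
}

# Print the comment of the authorized_keys entry ($1) whose fingerprint is $2;
# print "unknown" and fail when nothing matches.
name_for_fingerprint() {
    authkeys=$1; want=$2
    while read -r ktype blob comment; do
        case "$ktype" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ "$(fingerprint_of_blob "$blob")" = "$want" ]; then
            printf '%s\n' "$comment"
            return 0
        fi
    done < "$authkeys"
    printf 'unknown\n'
    return 1
}

# sshd PID that accepted the connection from client $2 port $3, per log $1
# (the last one wins if a client reconnected from the same port).
sshd_pid_for_client() {
    logfile=$1; ip=$2; port=$3
    sed -n "s/.*sshd\[\([0-9]*\)\]: Connection from $ip port $port\$/\1/p" "$logfile" | tail -n 1
}

# Fingerprint of the key that sshd PID $2 reported as matching, per log $1.
fingerprint_from_sshd_log() {
    logfile=$1; sshd_pid=$2
    sed -n "s/.*sshd\[$sshd_pid\]: Found matching [A-Z0-9]* key: \([0-9a-f:]*\).*/\1/p" "$logfile" | tail -n 1
}

# Tie it together: $3 has the form of $SSH_CLIENT ("<ip> <port> <serverport>").
resolve_login_key() {
    logfile=$1; authkeys=$2
    set -- $3
    pid=$(sshd_pid_for_client "$logfile" "$1" "$2")
    [ -n "$pid" ] || { printf 'unknown\n'; return 1; }
    fp=$(fingerprint_from_sshd_log "$logfile" "$pid")
    [ -n "$fp" ] || { printf 'unknown\n'; return 1; }
    name_for_fingerprint "$authkeys" "$fp"
}

# Constructed demo data: two fake key blobs (valid base64, not real keys) and
# sshd DEBUG lines for two sessions. The first session's fingerprint is a
# placeholder that matches no key, so only the right session resolves.
demo_resolve() {
    dir=$(mktemp -d)
    cat > "$dir/authorized_keys" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkeyone zhangsan@client1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkeytwo lisi@client2
EOF
    fp2=$(fingerprint_of_blob AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkeytwo)
    cat > "$dir/messages" <<EOF
Jun  2 10:01:02 open1 sshd[4101]: Connection from 192.168.30.99 port 50210
Jun  2 10:01:02 open1 sshd[4101]: Found matching RSA key: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
Jun  2 10:03:15 open1 sshd[4188]: Connection from 192.168.30.71 port 50877
Jun  2 10:03:15 open1 sshd[4188]: Found matching RSA key: $fp2
EOF
    # session from 192.168.30.71 port 50877 -> sshd[4188] -> key two -> lisi@client2
    resolve_login_key "$dir/messages" "$dir/authorized_keys" "192.168.30.71 50877 22"
    rm -rf "$dir"
}

# In a real CheckUser.sh sourced from /etc/profile (not run here):
#   NAME_OF_KEY=$(resolve_login_key /var/log/messages /root/.ssh/authorized_keys "$SSH_CLIENT")
#   export NAME_OF_KEY
#   echo "$(date) $SSH_CLIENT $NAME_OF_KEY" >> /var/log/keys

demo_resolve
```

The per-session lookup matters: with two operators logged in at the same time, taking the last "Found matching" line in the log would attribute one person's commands to the other, which is why the script first pins down the sshd process for this client's address and port. If the key cannot be resolved the result is the literal "unknown", so the HISTORY lines still get written and the gap is visible in the log.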
VI. Verification
6.1 Log in on client1 and delete a file (zhangsan).
6.2 Log in on client2, delete a file, and run a command that restarts a service (lisi).
6.3 Check the messages log on the server, as follows:
From the picture above we can see that, by logging in with a public key, it is possible to distinguish who operated what and when, even though the clients share a single root account rather than having separate users.
(Note: swift1 in the fourth paragraph above is the hostname of this server. Since I had just run the hostname command to change the hostname, and not the network configuration, the kernel still reports the same name: swift1.)
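As an added example (not part of the original article), the following script reads the HISTORY lines that the patched bash writes, in the PID/PPID/SID/User/USER/CMD format from the bashhist.c change above, and produces the who-did-what-when view described here, plus a simple watch-list for the commands an auditor would want to review first (file deletion, service restarts, changes to account files). The sample log lines are constructed, and the "-bash:" syslog tag and the key names zhangsan@client1 and lisi@client2 are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: turn the HISTORY lines written by the
# patched bash (format "HISTORY: PID=.. PPID=.. SID=.. User=.. USER=.. CMD=..")
# into a per-key audit view. Sample lines are constructed; the "-bash:" syslog
# tag and the key names are assumptions.

# One TAB-separated record per command: timestamp, key name (USER=), command.
# Both "HISTORY:" and "HISTORY (TRUNCATED):" lines are accepted.
audit_report() {
    awk '
        /HISTORY( \(TRUNCATED\))?: / {
            ts = $1 " " $2 " " $3
            user = ""; cmd = ""
            if (match($0, /USER=[^ ]*/)) user = substr($0, RSTART + 5, RLENGTH - 5)
            if (match($0, /CMD=/))       cmd  = substr($0, RSTART + 4)   # CMD is last; may contain spaces
            printf "%s\t%s\t%s\n", ts, user, cmd
        }' "$1"
}

# Commands run by the session(s) that logged in with key name $2.
commands_by_user() {
    audit_report "$1" | awk -F'\t' -v u="$2" '$2 == u { print $3 }'
}

# Records an auditor should look at first (constructed watch-list).
flag_sensitive() {
    audit_report "$1" | awk -F'\t' '
        $3 ~ /^(rm|rmdir|service|shutdown|reboot|userdel|usermod)( |$)/ ||
        $3 ~ /\/etc\/(passwd|shadow|sudoers)/'
}

# Constructed /var/log/messages excerpt in the format the patched bash emits;
# the final sshd line is there to show that unrelated lines are ignored.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jun  2 10:02:11 open1 -bash: HISTORY: PID=4120 PPID=4101 SID=4120 User=root USER=zhangsan@client1 CMD=ls /tmp
Jun  2 10:02:20 open1 -bash: HISTORY: PID=4120 PPID=4101 SID=4120 User=root USER=zhangsan@client1 CMD=rm -f /tmp/test1.txt
Jun  2 10:04:02 open1 -bash: HISTORY: PID=4201 PPID=4188 SID=4201 User=root USER=lisi@client2 CMD=rm -f /tmp/test2.txt
Jun  2 10:04:30 open1 -bash: HISTORY: PID=4201 PPID=4188 SID=4201 User=root USER=lisi@client2 CMD=service httpd restart
Jun  2 10:05:00 open1 sshd[4188]: Accepted publickey for root from 192.168.30.71 port 50877 ssh2
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_log)
audit_report "$sample"
rm -f "$sample"
```

Because the PPID field is the sshd process of the session, the same report can be joined back to the sshd "Accepted publickey ... from <ip>" line for that PID, which gives the client address alongside the key name when the two need to be cross-checked.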
VII. Closing
In this way, the problem that operations by several people all logged in as root cannot be audited is largely solved. Combined with log forwarding, the system log can be sent to another server, so that even if this host is compromised, the login times and the operations performed can still be reviewed.