

Bastion host introduction, building a simple bastion host, installing jailkit for chroot, and log audit

2025-01-15 Update. From: SLTechnology News&Howtos (shulou), Servers


Shulou (Shulou.com) 06/02 Report

I. Introduction to the bastion host

A bastion host (the article also calls it a fortress machine) protects a given network environment and its data from outside damage: it collects and monitors, in real time, the system state, security events and network activity of every component of that environment, so that alarms are centralised, incidents are handled promptly, and every action can be audited and attributed to a person.

A bastion host is also called a jump host (springboard). A simple jump host has simple functions; its two core functions are remote login to the servers and log audit.

A relatively good open source bastion host is jumpserver; its main functions are authentication, authorization, audit, automation and asset management.

Commercial bastion hosts: Qi Zhi, Citrix XenApp.

II. Building a simple bastion host

This is most suitable for a small company that does not have many machines but still wants controlled, secure logins: a simple bastion host (springboard) can be built by hand.

Function: log in to the company's intranet servers through it, and be able to find out afterwards (audit) what was done on each machine by whom.

The precondition for a bastion host is a machine with both a public address and a private (LAN) address, where the private network is interconnected with the other machines in the computer room.

The design idea of the bastion host:

Jump host security settings (iptables port restrictions, login restrictions in sshd_config)

User and command permission restriction (jailkit) http://blog.chinaunix.net/uid-28310119-id-3503318.html

The one weak point is the log audit of the target machines: it cannot be done on the jump host itself, only on each target machine (which the article calls the client).

http://www.68idc.cn/help/server/linux/2014042190951.html

III. Installing jailkit to implement chroot

# cd /usr/local/src
# wget https://olivier.sessink.nl/jailkit/jailkit-2.19.tar.bz2
# tar jxvf jailkit-2.19.tar.bz2
# cd jailkit-2.19
# ./configure && make && make install
# mkdir /home/jail    // create a directory to serve as the root of the virtual (chroot) system

The following four jk_init commands copy commonly used commands and the files they depend on into the directory of the virtual system.

# jk_init -v -j /home/jail basicshell    // copies the shell-related commands and their library files into the root of the virtual system
# jk_init -v -j /home/jail editors       // the editors vi and vim
# jk_init -v -j /home/jail netutils      // network-related tools
# jk_init -v -j /home/jail ssh           // needed for remote login
# mkdir /home/jail/usr/sbin
# cp /usr/sbin/jk_lsh /home/jail/usr/sbin/jk_lsh    // the limited shell of the virtual system; copy it over

Then create the user. If you need several users, start from step 1 and repeat steps 1 to 4 for each of them.

1. # useradd zhangsan    // create the user on the real system
2. # passwd zhangsan
3. # jk_jailuser -m -j /home/jail zhangsan    // move the user into the virtual system
   # cd /home/jail
   [root@wbs jail]# cat etc/passwd    // the virtual user zhangsan
   root:x:0:0:root:/root:/bin/bash
   zhangsan:x:1122:1122::/home/zhangsan:/usr/sbin/jk_lsh
   /usr/sbin/jk_lsh is the shell of the virtual system. It is a limited shell that only executes the commands whitelisted in jailkit's jk_lsh.ini and does not give an interactive login, so change it to /bin/bash to let the virtual user zhangsan log in.
4. # vim /home/jail/etc/passwd    // change /usr/sbin/jk_lsh on the zhangsan line to /bin/bash
   # ls /home/jail/    // the commonly used commands and their library files are all under the root of the virtual system
   bin dev etc home lib64 usr

Open a new session window, connect to the machine's own IP as user zhangsan with password zhangsan, and log in. You will see two lines "bash: /usr/bin/id: No such file or directory": the login scripts (/etc/profile) run id, and that command does not exist inside the jail. This can be ignored.

$ ls -l /    // only those six directories are visible

Press the Tab key twice: only 117 commands are available, all of them under bin.
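The "/usr/bin/id: No such file" message above is what a binary that was not copied into the jail looks like. jailkit's own jk_cp -j /home/jail /usr/bin/id fixes it; the following is an added example (not from the article or from jailkit) that does the same step by hand, so the mechanism is visible: copy the binary plus every shared library that ldd resolves for it. The ldd output embedded in the block is constructed for running the parser offline, and the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original article: copy a binary and the shared
# libraries it depends on into a jail, which is what jailkit's own
# "jk_cp -j /home/jail /usr/bin/id" does.
set -u

# Extract library paths from ldd(1) output read on stdin.  ldd prints three
# line shapes: "lib => /path (addr)", "/path (addr)" for the dynamic loader,
# and "lib (addr)" for the vDSO, which has no file and is skipped.  A
# "lib => not found" line is skipped too, since there is nothing to copy.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//              { print $1 }'
}

# Copy one host file into the jail at the same absolute path, creating the
# directory tree as needed.  $1 = jail root, $2 = absolute path on the host.
jail_cp() {
    mkdir -p "$1$(dirname "$2")"
    cp "$2" "$1$2"
}

# Copy a binary plus every shared library ldd resolves for it.
# $1 = jail root, $2 = absolute path of the binary.  A static binary yields
# no library lines and is simply copied.
jail_add_binary() {
    [ -x "$2" ] || { echo "not executable: $2" >&2; return 1; }
    jail_cp "$1" "$2"
    for lib in $(ldd "$2" 2>/dev/null | ldd_paths); do
        jail_cp "$1" "$lib"
    done
}

# Constructed ldd output for exercising the parser offline: it has the shape
# of typical x86-64 glibc output but was not captured from a real host.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffc7d5e6000)
	libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f0a3b9a1000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0a3b5d3000)
	libpcre2-8.so.0 => not found
	/lib64/ld-linux-x86-64.so.2 (0x00007f0a3bbcd000)'

echo "libraries to copy according to the sample ldd output:"
printf '%s\n' "$SAMPLE_LDD" | ldd_paths

# On the jump host, after jk_init has populated /home/jail:
#   jail_add_binary /home/jail /usr/bin/id
```

Only the three file paths are copied; the vDSO line and the "not found" line are dropped, and a "not found" library is worth noticing because the binary will not run inside the jail until it is installed on the host as well.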

Set up key-based login: put the public key in the user's .ssh/authorized_keys, then in the real system's /etc/ssh/sshd_config (# vi /etc/ssh/sshd_config) change PasswordAuthentication yes to PasswordAuthentication no and restart sshd, so that only key login is allowed. For the jailed user, note that sshd checks the key before jk_chrootsh enters the jail, so the file has to be under the home directory that jk_jailuser wrote into the real /etc/passwd (/home/jail/./home/zhangsan), i.e. /home/jail/home/zhangsan/.ssh/authorized_keys on the host.

Also restrict the iptables rules: block every port that is not needed and switch off unused services.

Also restrict the source IPs that may log in:

# vi /etc/hosts.allow    // add (1.1.1.1 and 2.2.2.2 are placeholders for any other permitted sources):
sshd: 192.168.149.0/24 1.1.1.1 2.2.2.2
# vi /etc/hosts.deny     // reject everything except the allowed network segment and IPs, which raises the security of the machine
sshd: ALL

This only has an effect if sshd is linked against libwrap (tcp_wrappers): upstream OpenSSH dropped that support in 6.7 and many current distributions no longer ship it. Check with ldd /usr/sbin/sshd | grep libwrap; if nothing is printed, use AllowUsers *@192.168.149.0/24 in sshd_config or the iptables rules above instead.

IV. Log audit

The following is done on the target machines (the article calls them clients) to restrict the source IP to the jump host.

On another machine, first restrict /etc/hosts.allow and /etc/hosts.deny:

Add to hosts.allow: sshd: 192.168.149.133 (the jump host IP)

Add to hosts.deny: sshd: ALL

From now on this machine can no longer be logged in to directly; only connections from the jump host are accepted.
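To see how the two hosts.allow/hosts.deny pairs above (the jump host's and the target's) decide who gets in, here is an added example that is not from the article: a small model of the hosts_access(5) decision, limited to the rule forms used here (ALL, a single IPv4 address, network/prefixlen). Real libwrap also understands net/mask pairs, host names, EXCEPT clauses and more, so this is for reasoning about the rules, not a substitute for testing on the host. The rule texts are constructed from the article's settings; function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original article: a model of the hosts_access(5)
# decision tcp_wrappers applies when sshd is linked against libwrap.
set -u

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Does one client pattern from hosts.allow/hosts.deny match the client IP?
# $1 = pattern (ALL, n.n.n.n or n.n.n.n/prefixlen), $2 = client IP.
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        */*)
            net=${1%/*}; plen=${1#*/}
            mask=$(( plen == 0 ? 0 : (4294967295 << (32 - plen)) & 4294967295 ))
            [ $(( $(ip_to_int "$2") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
            ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# Does any rule in a rule text match?  $1 = rule text (one
# "daemon_list: client_list" line each, '#' comments allowed),
# $2 = daemon name, $3 = client IP.
rules_match() {
    while IFS= read -r line; do
        line=${line%%#*}
        case "$line" in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}; clist=${line#*:}
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            [ "$d" = "$2" ] || [ "$d" = ALL ] || continue
            for c in $(printf '%s' "$clist" | tr ',' ' '); do
                pattern_matches "$c" "$3" && return 0
            done
        done
    done <<EOF
$1
EOF
    return 1
}

# hosts_access(5) order: a match in hosts.allow grants access, otherwise a
# match in hosts.deny refuses it, otherwise access is granted.
# $1 = daemon, $2 = client IP, $3 = hosts.allow text, $4 = hosts.deny text.
hosts_access() {
    if rules_match "$3" "$1" "$2"; then echo allow
    elif rules_match "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# The article's rule sets as constructed text: the jump host, and a target
# host that only accepts the jump host 192.168.149.133.
JUMP_ALLOW='sshd: 192.168.149.0/24 1.1.1.1 2.2.2.2'
JUMP_DENY='sshd: ALL'
TARGET_ALLOW='sshd: 192.168.149.133'
TARGET_DENY='sshd: ALL'

for ip in 192.168.149.133 1.1.1.1 10.0.0.5; do
    printf 'jump host, sshd from %-16s %s\n' "$ip" "$(hosts_access sshd "$ip" "$JUMP_ALLOW" "$JUMP_DENY")"
    printf 'target,    sshd from %-16s %s\n' "$ip" "$(hosts_access sshd "$ip" "$TARGET_ALLOW" "$TARGET_DENY")"
done
```

Two things the model makes visible: the deny rule only names sshd, so any other wrapped daemon on the machine is still reachable from everywhere, and a client inside 192.168.149.0/24 other than the jump host is refused by the target even though the jump host itself accepts it.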

From the jump host, logged in as zhangsan, you can still reach it:

# ssh root@192.168.149.129

In this way the first machine becomes a jump host.

Log in to the target machines as zhangsan rather than root: the session on the jump host already runs as zhangsan, so the target machine also needs a zhangsan user, and the audit records below are then kept per user.

The following needs to be done on every machine that is logged in to (the target machines):

# mkdir /usr/local/records
# chmod 777 !$    // world-writable, so that every logging-in user can create their own subdirectory
# chmod +t !$     // sticky bit, so that users can only delete what they own
# vi /etc/profile    // append the following:

if [ ! -d /usr/local/records/${LOGNAME} ]    # LOGNAME is the login user name
then
    mkdir -p /usr/local/records/${LOGNAME}
    chmod 300 /usr/local/records/${LOGNAME}    # this user can only write and traverse the directory, not list it
fi
export HISTORY_FILE="/usr/local/records/${LOGNAME}/bash_history"    # the file that records the command history
# PROMPT_COMMAND runs before every prompt; this appends the last executed command, with time, user, tty and source address, to that file
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T # $(who am i | awk "{print \$1\" \"\$2\" \"\$5}") # $(history 1 | { read x cmd; echo "$cmd"; })"; } >> $HISTORY_FILE'

Log in to this machine again:

# cd /usr/local/records/
[root@MRX records]# ls
root
[root@MRX records]# cd root/
[root@MRX root]# ls
bash_history
[root@MRX root]# tail bash_history
2019-10-01 19:32:06 # root pts/0 (192.168.149.1) # 2019-10-01 19:19:58 vim /etc/profile
2019-10-01 19:32:17 # root pts/0 (192.168.149.1) # 2019-10-01 19:32:17 ls
2019-10-01 19:32:34 # root pts/0 (192.168.149.1) # 2019-10-01 19:32:34 cd /usr/local/records/
2019-10-01 19:32:35 # root pts/0 (192.168.149.1) # 2019-10-01 19:32:35 ls
2019-10-01 19:32:37 # root pts/0 (192.168.149.1) # 2019-10-01 19:32:37 cd root/
2019-10-01 19:32:38 # root pts/0 (192.168.149.1) # 2019-10-01 19:32:38 ls

This differs from the system's own history: ~/.bash_history is only written when the shell exits normally, so until then the commands you typed exist only in memory, and if the session is cut off by a power failure or similar they are never recorded. This audit log does not have that problem, because every command is appended as soon as the next prompt is drawn.
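The record format produced by the PROMPT_COMMAND above is simple enough to work with directly. The following is an added example (not from the article): a function that builds a record in that layout, a live counterpart for use as PROMPT_COMMAND in an interactive bash, a parser that splits records back into fields, and a filter that picks out records whose command touches the audit mechanism itself. The sample log is constructed: the root lines follow the article's output, the zhangsan lines are made up for the demonstration. Function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original article: build, parse and screen the
# audit records written by the PROMPT_COMMAND in /etc/profile.

# Build one record in the article's layout:
#   <timestamp> # <user> <tty> (<source>) # <command>
# $1 = timestamp, $2 = user, $3 = tty, $4 = source address, $5 = command
audit_record() {
    printf '%s # %s %s (%s) # %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Live counterpart, for an interactive bash: source this file, then
# export PROMPT_COMMAND=audit_append.  Assumes HISTORY_FILE is exported as in
# the article.  who(1) gives user, tty, date, time and "(source)"; history 1
# gives the last command after its history number.  Not exercised offline.
audit_append() {
    who am i | {
        read -r user tty _ _ src
        src=${src#\(}; src=${src%\)}
        audit_record "$(date '+%Y-%m-%d %T')" "$user" "$tty" "$src" \
            "$(history 1 | { read -r _ cmd; printf '%s' "$cmd"; })"
    } >> "$HISTORY_FILE"
}

# Split a record into fields.  $1 = record line, $2 = ts|user|tty|src|cmd.
# Splitting on the first two " # " separators keeps any '#' inside the
# command itself intact.
audit_field() {
    field=$2
    ts=${1%% # *}
    rest=${1#* # }
    whofld=${rest%% # *}
    cmd=${rest#* # }
    # history 1 prefixes the command with a timestamp when HISTTIMEFORMAT is
    # set, as in the article's output; drop it so cmd is the command alone.
    case "$cmd" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]" "[0-9][0-9]:[0-9][0-9]:[0-9][0-9]" "*)
            cmd=${cmd#* * } ;;
    esac
    set -- $whofld                 # user tty (source)
    src=${3#\(}; src=${src%\)}
    case "$field" in
        ts)   printf '%s\n' "$ts" ;;
        user) printf '%s\n' "$1" ;;
        tty)  printf '%s\n' "$2" ;;
        src)  printf '%s\n' "$src" ;;
        cmd)  printf '%s\n' "$cmd" ;;
    esac
}

# Commands run by one user, one per line.  $1 = user, $2 = log text.
audit_commands_by() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(audit_field "$line" user)" = "$1" ]; then
            audit_field "$line" cmd
        fi
    done
}

# Records whose command touches the audit mechanism: the variables that drive
# it, the record directory, the profile that installs it, or a shell started
# without the profile.  A user who can run these can stop their own session
# from being recorded, so such records are worth alerting on.  $1 = log text.
audit_tamper() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$(audit_field "$line" cmd)" in
            *PROMPT_COMMAND*|*HISTORY_FILE*|*/usr/local/records*|*/etc/profile*|*--noprofile*)
                printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample log (root lines as in the article, zhangsan lines made up).
SAMPLE_LOG='2019-10-01 19:32:06 # root pts/0 (192.168.149.1) # 2019-10-01 19:19:58 vim /etc/profile
2019-10-01 19:32:17 # root pts/0 (192.168.149.1) # 2019-10-01 19:32:17 ls
2019-10-01 19:32:34 # root pts/0 (192.168.149.1) # 2019-10-01 19:32:34 cd /usr/local/records/
2019-10-01 19:40:02 # zhangsan pts/1 (192.168.149.133) # 2019-10-01 19:40:02 cat /etc/passwd
2019-10-01 19:40:15 # zhangsan pts/1 (192.168.149.133) # 2019-10-01 19:40:15 unset PROMPT_COMMAND
2019-10-01 19:41:03 # zhangsan pts/1 (192.168.149.133) # 2019-10-01 19:41:03 bash --norc --noprofile'

echo "commands run by zhangsan:"; audit_commands_by zhangsan "$SAMPLE_LOG"
echo "records touching the audit mechanism:"; audit_tamper "$SAMPLE_LOG"
```

The last two zhangsan records are exactly the kind of thing the audit file can still show before it goes quiet: once PROMPT_COMMAND is unset or a shell without the profile is started, nothing further from that session is written, so a record like that followed by silence is the signal to look for.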

[root@MRX root]# useradd zhangsan    // create the zhangsan user on the target machine
[root@MRX root]# passwd zhangsan

Then go to the jump host and log in to the target from there:

[zhangsan@wbs ~]$ ssh zhangsan@192.168.149.129

Run a few commands at will, then look on the target machine: the commands typed by user zhangsan have been recorded.

[root@MRX records]# ls
root zhangsan

This method is not perfect and can be defeated: the record is written by a variable of the user's own shell, so a user can unset PROMPT_COMMAND, start a shell that skips /etc/profile, or truncate the bash_history file in the records directory that their own login created. This is only a simple bastion host; a complete one needs professional tools and software.
