23.1 What is a bastion host

Introduction to bastion hosts:

  • In a given network environment, in order to protect the network and its data from outside intrusion and damage, various technical means are used to collect and monitor, in real time, the system state, security events and network activity of every component of that environment, so that alerts are centralised, incidents are handled promptly, and audits can establish responsibility.
  • We also call a bastion host a jump server. A simple jump server has limited functionality; its core functions are remote login to servers and log auditing.
  • A good open-source option is jumpserver: authentication, authorization, auditing, automation and asset management.
  • Commercial bastion hosts: Qizhi (齊治), Citrix XenApp

23.2 Building a simple bastion host

23.3 Installing jailkit to implement a chroot

Building a simple bastion host – jailkit chroot

wget https://olivier.sessink.nl/jailkit/jailkit-2.19.tar.bz2
tar jxvf jailkit-2.19.tar.bz2
cd jailkit-2.19
./configure && make && make install
mkdir /home/jail
jk_init -v -j /home/jail/ basicshell
jk_init -v -j /home/jail/ editors
jk_init -v -j /home/jail/ netutils
jk_init -v -j /home/jail/ ssh
mkdir /home/jail/usr/sbin
cp /usr/sbin/jk_lsh /home/jail/usr/sbin/jk_lsh
useradd zhangsan
passwd zhangsan
jk_jailuser -m -j /home/jail zhangsan
vim /home/jail/etc/passwd // on the zhangsan line, change /usr/sbin/jk_lsh to /bin/bash
[root@Dasoncheng ~]# cd /usr/local/src/
[root@Dasoncheng src]# wget https://olivier.sessink.nl/jailkit/jailkit-2.19.tar.bz2
[root@Dasoncheng src]# tar -jxf jailkit-2.19.tar.bz2 
[root@Dasoncheng src]# ll
total 403408
drwxrwxr-x  8 mysql mysql       204 Nov 19  2015 jailkit-2.19
-rw-r--r--  1 root  root     116665 Nov 19  2015 jailkit-2.19.tar.bz2
[root@Dasoncheng src]# cd jailkit-2.19/
[root@Dasoncheng jailkit-2.19]# ./configure
configure: config files will be in /etc/jailkit/
checking for gcc... gcc
……
[root@Dasoncheng jailkit-2.19]# make && make install
[root@Dasoncheng jailkit-2.19]# echo $?
0
[root@Dasoncheng jailkit-2.19]# mkdir /home/jail
## create jail as the root directory of the virtual system;
[root@Dasoncheng jailkit-2.19]# jk_init -v -j /home/jail/ basicshell
# shell-related command files;
[root@Dasoncheng jailkit-2.19]#  jk_init -v -j /home/jail/ editors
# the vi/vim editors;
[root@Dasoncheng jailkit-2.19]#  jk_init -v -j /home/jail/ netutils
# network-related tools;
[root@Dasoncheng jailkit-2.19]#  jk_init -v -j /home/jail/ ssh
# what remote login needs;
## the four steps above copy the commonly used commands into the virtual root directory;
[root@Dasoncheng jailkit-2.19]# mkdir /home/jail/usr/sbin
## this directory is created so that the jail shell (jk_lsh) can be copied into it;
[root@Dasoncheng jailkit-2.19]# cp /usr/sbin/jk_lsh /home/jail/usr/sbin/jk_lsh
[root@Dasoncheng jailkit-2.19]# useradd zhangsan
[root@Dasoncheng jailkit-2.19]# passwd zhangsan
Changing password for user zhangsan.
New password: 
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
Retype new password: 
passwd: all authentication tokens updated successfully.  
## create user zhangsan and set a password
[root@Dasoncheng jailkit-2.19]# jk_jailuser -m -j /home/jail zhangsan
## make zhangsan a user of the virtual system;
[root@Dasoncheng jailkit-2.19]# cd /home/jail/  ## enter the virtual system's root directory;
[root@Dasoncheng jail]# ll
total 0
lrwxrwxrwx 1 root root   7 Oct 30 10:03 bin -> usr/bin
drwxr-xr-x 2 root root  44 Oct 30 10:03 dev
drwxr-xr-x 2 root root 240 Oct 30 10:03 etc
drwxr-xr-x 3 root root  22 Oct 30 10:06 home
lrwxrwxrwx 1 root root   9 Oct 30 10:03 lib64 -> usr/lib64
drwxr-xr-x 7 root root  70 Oct 30 10:04 usr
[root@Dasoncheng jail]# cat etc/passwd 
root:x:0:0:root:/root:/bin/bash
zhangsan:x:1002:1002::/home/zhangsan:/usr/sbin/jk_lsh  
## the virtual system's jk_lsh cannot be used to log in; we need to change it to /bin/bash, as follows;
[root@Dasoncheng jail]# vim !$
vim etc/passwd
[root@Dasoncheng jail]# !c
cat etc/passwd 
root:x:0:0:root:/root:/bin/bash
zhangsan:x:1002:1002::/home/zhangsan:/bin/bash
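A check worth running after editing the jail's etc/passwd, added here as an example that is not part of the original post: a chrooted user whose login shell does not exist inside the jail root cannot log in at all, so the script below walks the jail's passwd file and reports, for every non-system user, whether the shell path is present and executable under the jail. It assumes a jail laid out like /home/jail above; the throw-away jail tree it builds (with empty executable files standing in for the real binaries) and the users lisi and wangwu are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: verify that each jailed user's
# login shell really exists inside the jail root.

# jail_shell_check JAILROOT -> one line "user shell ok|missing" per user with uid >= 1000
jail_shell_check() {
    jail=$1
    # passwd fields: user:password:uid:gid:gecos:home:shell
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -ge 1000 ] || continue        # skip root and system accounts
        if [ -x "$jail$shell" ]; then          # the shell must exist *inside* the jail
            state=ok
        else
            state=missing
        fi
        printf '%s %s %s\n' "$user" "$shell" "$state"
    done < "$jail/etc/passwd"
}

# make_demo_jail -> path of a constructed throw-away jail tree mirroring the
# layout shown above (empty executable files stand in for the real shells)
make_demo_jail() {
    j=$(mktemp -d)
    mkdir -p "$j/etc" "$j/bin" "$j/usr/sbin"
    : > "$j/bin/bash";        chmod 755 "$j/bin/bash"
    : > "$j/usr/sbin/jk_lsh"; chmod 755 "$j/usr/sbin/jk_lsh"
    cat > "$j/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
zhangsan:x:1002:1002::/home/zhangsan:/bin/bash
lisi:x:1003:1003::/home/lisi:/usr/sbin/jk_lsh
wangwu:x:1004:1004::/home/wangwu:/bin/zsh
EOF
    echo "$j"
}

# On a real host you would run: jail_shell_check /home/jail
demo=$(make_demo_jail)
jail_shell_check "$demo"
rm -rf "$demo"
```

In the constructed tree, zhangsan and lisi come back as ok while wangwu is reported missing, because /bin/zsh was never copied into the jail; that is exactly the situation the passwd edit above can create if the shell you write there is not one jk_init installed.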

Test:
Log in as zhangsan:

bash: /usr/bin/id: No such file or directory
bash: /usr/bin/id: No such file or directory  
## this comes from a command that /etc/profile needs to load when zhangsan logs in; the error can be ignored;
[zhangsan@Dasoncheng ~]$ ls -l /
total 0
lrwxrwxrwx 1 root root   7 Oct 30 02:03 bin -> usr/bin
drwxr-xr-x 2 root root  44 Oct 30 02:03 dev
drwxr-xr-x 2 root root 240 Oct 30 02:07 etc
drwxr-xr-x 3 root root  22 Oct 30 02:06 home
lrwxrwxrwx 1 root root   9 Oct 30 02:03 lib64 -> usr/lib64
drwxr-xr-x 7 root root  70 Oct 30 02:04 usr
[zhangsan@Dasoncheng ~]$ 
Display all 116 possibilities? (y or n)
[zhangsan@Dasoncheng ~]$ ls /etc
bashrc	host.conf  issue	ld.so.conf  nsswitch.conf  profile    resolv.conf  vimrc
group	hosts	   ld.so.cache	motd	    passwd	   protocols  services
[zhangsan@Dasoncheng ~]$ vim .bashrc  ## or set aliases in .bash_profile;

Question 1: how to set up multiple users in the virtual system?
Repeat these steps from above for each user:
useradd zhangsan
passwd zhangsan
jk_jailuser -m -j /home/jail zhangsan
vim /home/jail/etc/passwd
Question 2: how to allow only key-based SSH login?
1. First, create and add the key file inside the virtual system:
[zhangsan@Dasoncheng ~]$ vim .ssh/authorized_keys
2. Then disable password login on the host system:
[root@Dasoncheng ~]# cat /etc/ssh/sshd_config |grep Password
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes // set this to no here, i.e. disallow password login!
Question 3: how to allow login only from specified IPs or subnets?

[root@Dasoncheng ~]# vim /etc/hosts
hosts        hosts.allow  hosts.deny   
[root@Dasoncheng ~]# vim /etc/hosts.allow 
[root@Dasoncheng ~]# cat /etc/hosts.allow 
#
# hosts.allow	This file contains access rules which are used to
#		allow or deny connections to network services that
#		either use the tcp_wrappers library or that have been
#		started through a tcp_wrappers-enabled xinetd.
#
#		See 'man 5 hosts_options' and 'man 5 hosts_access'
#		for information on rule syntax.
#		See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.60.0/24 192.168.70.1
[root@Dasoncheng ~]# vim /etc/hosts.deny 
[root@Dasoncheng ~]# cat /etc/hosts.deny 
#
# hosts.deny	This file contains access rules which are used to
#		deny connections to network services that either use
#		the tcp_wrappers library or that have been
#		started through a tcp_wrappers-enabled xinetd.
#
#		The rules in this file can also be set up in
#		/etc/hosts.allow with a 'deny' option instead.
#
#		See 'man 5 hosts_options' and 'man 5 hosts_access'
#		for information on rule syntax.
#		See 'man tcpd' for information on tcp_wrappers
sshd:ALL
## the above sets which IPs or subnets are allowed to log in
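Because a mistake in these two files locks out the very host you administer from, it helps to know in advance what decision a given client address will get. The script below is an added example, not part of the original post or of tcp_wrappers itself: a small evaluator for the hosts.allow / hosts.deny rules shown above. It supports only the syntax used on this page (daemon:host ..., with hosts written as an IPv4 address, a CIDR block, or ALL) and follows the real order of evaluation: a hosts.allow match grants access, otherwise a hosts.deny match refuses it, otherwise access is granted. The rule strings are constructed copies of the two files above.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate tcp_wrappers-style
# hosts.allow / hosts.deny rules for a daemon and a client IPv4 address.

# Constructed copies of the two files from question 3 above
ALLOW_RULES='sshd:192.168.60.0/24 192.168.70.1'
DENY_RULES='sshd:ALL'

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# host_matches PATTERN IP -> true if PATTERN (ALL, A.B.C.D or A.B.C.D/bits) covers IP
host_matches() {
    case $1 in
        ALL)
            return 0 ;;
        */*)
            net=${1%/*}; bits=${1#*/}
            # 4294967295 is 0xFFFFFFFF; keep the mask to 32 bits
            mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
            ip_masked=$(( $(ip_to_int "$2") & mask ))
            net_masked=$(( $(ip_to_int "$net") & mask ))
            [ "$ip_masked" -eq "$net_masked" ] ;;
        *)
            [ "$1" = "$2" ] ;;
    esac
}

# rules_match RULES DAEMON IP -> true if any "daemon:hosts" line covers DAEMON from IP
rules_match() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case $line in ''|'#'*) continue ;; esac     # skip blanks and comments
            d=${line%%:*}; hosts=${line#*:}
            [ "$d" = "$2" ] || [ "$d" = ALL ] || continue
            for h in $hosts; do
                host_matches "$h" "$3" && exit 0          # leave the subshell: matched
            done
        done
        exit 1                                          # no line matched
    }
}

# access_decision ALLOW_RULES DENY_RULES DAEMON IP -> prints allow or deny
access_decision() {
    if rules_match "$1" "$3" "$4"; then
        echo allow
    elif rules_match "$2" "$3" "$4"; then
        echo deny
    else
        echo allow        # matched by neither file: tcp_wrappers grants access
    fi
}

for ip in 192.168.60.11 192.168.70.1 192.168.71.1; do
    printf '%-15s %s\n' "$ip" "$(access_decision "$ALLOW_RULES" "$DENY_RULES" sshd "$ip")"
done
```

With the rules above, 192.168.60.11 and 192.168.70.1 are allowed and 192.168.71.1 is denied; swapping in the single-address rule from section 23.4 (sshd:192.168.60.11) makes 192.168.60.1 denied, which matches the result the post reports there. One caveat the files themselves do not show: sshd only consults them when it is linked against libwrap, which `ldd /usr/sbin/sshd | grep libwrap` will tell you; on a build without it, these rules have no effect and port restrictions have to come from the firewall (question 4).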

Question 4: set rules to restrict ports
Refer to the iptables chapter!
[root@Dasoncheng ~]# iptables -nvL
Chain INPUT (policy ACCEPT 1614K packets, 495M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2016K packets, 470M bytes)
pkts bytes target prot opt in out source destination

23.4 Log auditing

First, test allowing only the specified IP/subnet to access the client machine:

[root@localhost ~]# tail -5 /etc/hosts.allow
#		See 'man 5 hosts_options' and 'man 5 hosts_access'
#		for information on rule syntax.
#		See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.60.11
[root@localhost ~]# tail -5 /etc/hosts.deny
#		See 'man 5 hosts_options' and 'man 5 hosts_access'
#		for information on rule syntax.
#		See 'man tcpd' for information on tcp_wrappers
#
sshd:ALL

Jump host 60.11 logs in successfully! (screenshot)
Local machine 60.1 fails to log in! (screenshot)
It works: only the IP 192.168.60.11 is allowed to log in;

Next, we set up log auditing on the client machines (every machine that gets logged into):

  • The following operations must be performed on every machine that gets logged into
  • mkdir /usr/local/records
  • chmod 777 !$
  • chmod +t !$
  • vi /etc/profile // append:
    if [ ! -d /usr/local/records/${LOGNAME} ]
    then
    mkdir -p /usr/local/records/${LOGNAME}
    chmod 300 /usr/local/records/${LOGNAME}
    fi
    export HISTORY_FILE="/usr/local/records/${LOGNAME}/bash_history"
    export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'
[root@localhost ~]# mkdir /usr/local/records
[root@localhost ~]# chmod 777 /usr/local/records/
[root@localhost ~]# chmod +t !$
chmod +t /usr/local/records/
[root@localhost ~]# vim /etc/profile
[root@localhost ~]# tail !$
tail /etc/profile
unset -f pathmunge

if [ ! -d  /usr/local/records/${LOGNAME} ]  ## check whether the logged-in user already has a directory; if not, create it and set its permissions below!
then
mkdir -p /usr/local/records/${LOGNAME}
chmod 300 /usr/local/records/${LOGNAME}
fi
export HISTORY_FILE="/usr/local/records/${LOGNAME}/bash_history"
## the file the command history is written to;
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'
## this line records the last command executed, together with the timestamp and the user, tty and source host from `who am i`

Test:

[zhangsan@Dasoncheng ~]$ ssh root@192.168.60.12
root@192.168.60.12's password: 
Last login: Tue Oct 31 02:17:04 2017 from 192.168.60.1
[root@localhost ~]# cd /usr/local/records/
[root@localhost records]# ll  ## the root directory was created automatically;
total 0
d-wx------ 2 root root 26 Oct 31 02:26 root
[root@localhost records]# cd root/
[root@localhost root]# ll
total 4
-rw-r--r-- 1 root root 272 Oct 31 02:27 bash_history
[root@localhost root]# cat bash_history 
2017-10-31 02:26:47 ##### root pts/1 (192.168.60.11) #### exit
2017-10-31 02:26:54 ##### root pts/1 (192.168.60.11) #### cd /usr/local/records/
2017-10-31 02:26:55 ##### root pts/1 (192.168.60.11) #### ll
2017-10-31 02:27:00 ##### root pts/1 (192.168.60.11) #### cd root/
2017-10-31 02:27:02 ##### root pts/1 (192.168.60.11) #### ll
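The records above are only useful if they can be searched later, for example to list everything a user did from one source host. The script below is an added example, not part of the original post: it builds record lines in the exact "date ##### user tty (host) #### command" layout the PROMPT_COMMAND above appends to /usr/local/records/<user>/bash_history, splits such a line back into its fields, and filters a log by source host. The three-line sample log is constructed here in the same shape as the bash_history output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: build and parse the audit
# records written by the PROMPT_COMMAND from /etc/profile above.

# audit_record USER TTY HOST CMD [TIMESTAMP] -> one record line (TIMESTAMP defaults to now)
audit_record() {
    ts=${5:-$(date "+%Y-%m-%d %T")}
    printf '%s ##### %s %s (%s) #### %s\n' "$ts" "$1" "$2" "$3" "$4"
}

# audit_field LINE FIELD -> one of date, user, tty, host or cmd from a record line
audit_field() {
    field=$2
    meta=${1%% #### *}                # "date ##### user tty (host)"
    cmd=${1#* #### }                  # everything after the first " #### "
    stamp=${meta%% ##### *}           # "2017-10-31 02:26:54"
    who=${meta#* ##### }              # "user tty (host)"
    set -- $who                       # now $1=user $2=tty $3=(host)
    case $field in
        date) echo "$stamp" ;;
        user) echo "$1" ;;
        tty)  echo "$2" ;;
        host) h=${3#\(}; echo "${h%\)}" ;;   # strip the parentheses around the host
        cmd)  echo "$cmd" ;;
    esac
}

# Constructed sample log in the same shape as the bash_history shown above
SAMPLE_LOG="$(audit_record root pts/1 192.168.60.11 'cd /usr/local/records/' '2017-10-31 02:26:54')
$(audit_record root pts/1 192.168.60.11 'll' '2017-10-31 02:26:55')
$(audit_record root pts/2 192.168.60.1 'vim /etc/ssh/sshd_config' '2017-10-31 02:30:10')"

# audit_commands_from HOST [LOG] -> the commands run from HOST, one per line
audit_commands_from() {
    printf '%s\n' "${2:-$SAMPLE_LOG}" | while IFS= read -r line; do
        if [ "$(audit_field "$line" host)" = "$1" ]; then
            audit_field "$line" cmd
        fi
    done
}

# Real use: audit_commands_from 192.168.60.11 "$(cat /usr/local/records/root/bash_history)"
audit_commands_from 192.168.60.11
```

Two things to keep in mind when reading these files: the mechanism only records interactive bash sessions that source /etc/profile, and the file sits in a directory writable by the user whose commands it records, so treat it as a convenience log rather than a tamper-evident audit trail, which is also why the post's closing line calls this setup not very secure.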

One last word: this jailkit setup is only a simple bastion host, and not very secure!
