Open-source bastion host installation, testing and production deployment: the Kylin open-source bastion host

Source: Internet
Author: User

Recently, because of management and audit requirements, unit leadership asked for a bastion host system. I tested several commercial bastion hosts; they were not purchased because the price exceeded the budget, among other reasons. I also tested three open-source bastion hosts, and the Kylin open-source bastion host felt the most complete, basically on par with the commercial ones; the only shortcoming is the graphical part. Since our servers are almost all Linux, telnet, ssh, ftp and sftp are sufficient, so this bastion host has already been put into the production environment.

Commercial bastion hosts on the market are priced too high, basically around ten million, so I have written up my experience of deploying an open-source bastion host in the company as a document to share with you.

The other open-source bastion hosts I tested were basically semi-finished products. The Kylin bastion host is basically a finished product, although it still has some small bugs, which you can remove by modifying the source code.

Installation requirements for the Kylin bastion host

    1. The system must have at least two network cards; installation with a single network card will fail. On a virtual machine, create two virtual NICs.

    2. Minimum hardware: Intel 4G CPU, 200G HDD; note that the CPU is not loaded.

Installation process:

The Kylin bastion host installation is very simple: boot from the CD, press Enter once, and the installation runs completely unattended without any intervention. The process is shown in the screenshots below:

Boot from the optical drive and you arrive at the installation interface; at the blj prompt just press Enter. (PS: if you are installing in a virtual machine on a laptop, select install PCVM first, which uses a 500M SWAP; the default installation method uses a 32G swap. The two differ mainly in installed size, and if you install the bastion host in a virtual machine with the default you may run into insufficient SWAP space.)

[Screenshot 1.jpg: http://s4.51cto.com/wyfs02/M01/7E/78/wKioL1cB9AGDPuGGAACR9gETYC8890.jpg]

My hardware is a physical machine with 8G of memory, an ordinary single E3 CPU and a 2T SATA drive; the installation took about five minutes. When it completes the system restarts and you can eject the disc.

System configuration:

1. After installation the system's default IP is eth0 192.168.1.100/24. Configure an IP in the same network segment on a laptop, connect it directly to eth0, open https://192.168.1.100 in IE and log in with the default credentials admin/12345678. Go to System configuration - Network configuration - Network configuration, edit the eth0 port, change the IP address, mask and gateway to your own values and click save; the system switches to the new IP. Since the default admin password is published, change it right after the first login.


[Screenshot 2.jpg: http://s1.51cto.com/wyfs02/M02/7E/78/wKioL1cB9Cmzi1NGAAGY1SIqeQM777.jpg]

2. The Kylin bastion host runs on CentOS 7.1 (PS: that is quite new), and the back-end login password is also given out (far more generous than commercial bastion hosts), so experts can go straight to the back end to change the IP. Note that the back-end SSH port is 2288 and the username/password is root/baoleiji123. Because these credentials are public, change the root password too and keep port 2288 reachable only from the management network.

[Screenshot 3.jpg: http://s3.51cto.com/wyfs02/M00/7E/78/wKioL1cB9H3hudUnAACHMW8vTVU146.jpg]

3. After the system configuration, if you want to use graphical protocols you need to apply to the developer for graphics licenses; if you only use character protocols you can use it directly. Mine are all Linux, so I did not apply for licenses. To bring the Kylin bastion host online I did four steps:

Create the directory structure -> import bastion host accounts (master accounts) -> import server accounts (slave accounts) -> master-slave account association and authorization. Honestly, it is better than the commercial bastion hosts.

4. Create the directory structure:

A directory is a group of devices or a group of users. The Kylin bastion host uses an LDAP structure: a group can hold users and can also hold devices. I find this inconvenient, so I keep users and devices in separate groups. When adding users or devices you must add the group first, because devices and users without a group cannot be added.

Go to the Resource management - Asset Management - Catalog Management tab, click Add New node, and select the owning directory and properties according to the type of group you want to create;

[Screenshot 4.jpg: http://s4.51cto.com/wyfs02/M01/7E/78/wKioL1cB9KDzZlMNAADoLjDHsgQ095.jpg]

PS: the node name is the name entered for the node, and the parent group is the directory the newly created directory belongs to. The directory tree can be nested without limit. The directory tree must be completed before importing users and devices into the bastion host, because users and devices must reference an already configured directory tree when they are imported.

5. Import bastion host accounts (master accounts): menu Resource Management - Asset Management - User management. By default there are four accounts: admin, Audit, Password and test. If you have only a few accounts you can add them one by one; I have more than a dozen operators here, so I used the import method: click export to download a CSV template, then fill it in according to the template.

[Screenshot 5.jpg: http://s1.51cto.com/wyfs02/M02/7E/7C/wKiom1cB9BOAw3k0AAGXLrj3Ogo332.jpg]

After exporting, the CSV table only needs to be filled in:

[Screenshot 6.jpg: http://s5.51cto.com/wyfs02/M02/7E/78/wKioL1cB9OGz4xEjAABpN-AwTPM970.jpg]


User name: the name the operator uses to log in to the bastion host; must be unique (required)

Password: the password the operator uses to log in to the bastion host (required)

Real name: the operator's real name (required)

E-mail: the operator's e-mail address (optional)

User rights: set uniformly to ordinary user (required)

Group name: the name of the resource group in the directory structure. If resource groups with the same name exist, the import requires the group name together with its ID; for example, with a duplicated group named first, to join this group through the interface the group name is written as first (221)

After filling it in, delete the example line under the header, then click the Import menu. Note: be sure to tick the encryption option, otherwise the imported accounts cannot be used.


[Screenshot 7.jpg: http://s1.51cto.com/wyfs02/M01/7E/79/wKioL1cB9P3DwYRhAAA_xqJnZAk548.jpg]

7. Server account (slave account) import: the Kylin bastion host creates the server automatically when importing slave accounts, so you only need to export a CSV file from Resource management - Asset Management - Device list, fill it in according to the file, and import it to complete entry of the devices and device accounts:

[Screenshot 8.jpg: http://s4.51cto.com/wyfs02/M02/7E/79/wKioL1cB9SPiXGtxAACoV3ruNMk082.jpg]

Generally only columns A to H are needed; just copy the template. The columns are described as follows:

Host Name: name of the host

IP: IP address of the host

Server group: the ID number of the group the server belongs to. Because groups with the same name are allowed in the directory, the server group is given by ID number, which can be viewed in the Asset management - Resource Management - Catalog node, for example:


[Screenshot 9.jpg: http://s1.51cto.com/wyfs02/M00/7E/79/wKioL1cB9UWQ0gO-AADJXuRfXno756.jpg]

System type: the operating system type of the host, which must be added beforehand or selected from the system's built-in types

System user: the system user name; if you do not want the bastion host to manage (host) the account, leave this empty

Current password: the password of the system account; if you do not want the account hosted, this can be left empty

Login protocol: currently supports TELNET/SSH1/SSH/FTP/RDP/VNC/X11; select the appropriate one of these login methods

Port: destination port of the login protocol connection

Expiration time: the expiration time of this system account; once it is exceeded, login is not allowed

Automatic password change: whether the account's password is changed automatically (default is NO)

Master account: automatic password change uses a single account to log in and change all user passwords on the host; fill this in if this is the master account. The master account generally has root permissions or can sudo to root

Auto Login: fill in yes (the default)

Bastion host users: fill in No for all

Sftp User: for an SSH service, sets whether this SSH user may use the SFTP service; yes allows it, no does not

Public/private key user: for an SSH service, sets whether this SSH user authenticates with a public/private key pair; yes or no

After filling it in, click the Import button; note that the encryption option must also be ticked here.
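As an added example (not code from the original post or from the Kylin bastion project), here is a small validator for the device-import CSV described above, applying the rules this post gives for the columns: a valid IP, one of the listed login protocols, a sane port, a group reference that uses the "name (ID)" form when group names are duplicated, and a system user and password that are either both filled in (hosted) or both empty. The header names, the group tree and the sample rows are constructed assumptions; compare the headers with the template your bastion host actually exports.

```python
import csv
import io
import ipaddress
import re

# Added example; not from the original post or the Kylin project. Header names and
# the 'name (ID)' group rule are assumptions; compare with the template the host exports.
PROTOCOLS = {"TELNET", "SSH1", "SSH", "FTP", "RDP", "VNC", "X11"}
GROUP_REF = re.compile(r"^(?P<name>.+?)(?:\s*\((?P<id>\d+)\))?$")

def resolve_group(value, groups):
    """Map 'first' or 'first (221)' to a group id; returns (id, error). groups maps id -> name."""
    m = GROUP_REF.match(value.strip())
    if not m:
        return None, "empty group reference"
    name, gid = m.group("name").strip(), m.group("id")
    if gid is not None:  # explicit ID: it must really be a group with that name
        gid = int(gid)
        return (gid, None) if groups.get(gid) == name else (None, f"id {gid} is not '{name}'")
    hits = [i for i, n in groups.items() if n == name]  # bare name: only valid when unique
    if len(hits) == 1:
        return hits[0], None
    return None, (f"unknown group '{name}'" if not hits else f"'{name}' is ambiguous, use 'name (ID)'")

def validate_device_csv(text, groups):
    """Check a device-import CSV row by row; returns [(row_number, problem), ...]."""
    problems = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            ipaddress.ip_address(row["ip"])
        except ValueError:
            problems.append((n, f"bad ip {row['ip']!r}"))
        _, err = resolve_group(row["server_group"], groups)
        if err:
            problems.append((n, err))
        if row["login_protocol"].upper() not in PROTOCOLS:
            problems.append((n, f"unsupported protocol {row['login_protocol']!r}"))
        if not row["port"].isdigit() or not 1 <= int(row["port"]) <= 65535:
            problems.append((n, f"bad port {row['port']!r}"))
        # A hosted account needs both user and password; leave both empty when not hosting.
        if bool(row["system_user"]) != bool(row["current_password"]):
            problems.append((n, "system_user and current_password must both be set or both empty"))
    return problems

GROUPS = {221: "first", 222: "first", 230: "db"}  # constructed tree with a duplicated name
SAMPLE_CSV = """host_name,ip,server_group,system_type,system_user,current_password,login_protocol,port
web01,10.0.0.11,first (221),Linux,ops,Sample-Passw0rd,SSH,22
db01,10.0.0.300,first,Linux,,,SSH,22
app01,10.0.0.13,db,Linux,ops,,SFTP,70000
"""
```

Running `validate_device_csv(SAMPLE_CSV, GROUPS)` reports nothing for web01, the bad IP and the ambiguous bare group name for db01, and the unsupported protocol, out-of-range port and missing password for app01.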


[Screenshot 10.jpg: http://s2.51cto.com/wyfs02/M02/7E/7C/wKiom1cB9MHDZoXXAACwevzNuOY410.jpg]

9. System authorization: after the bastion host accounts (master accounts) and host system accounts (slave accounts) are imported, they must be authorized. After authorization, a bastion host account (master account) can log in to the bastion host and jump to the appropriate device.

If a bastion host account (master account) needs permissions on a large number of slave accounts, authorization is done in the System User Group menu; if a bastion host account (master account) temporarily needs permission on one slave account, this can also be done in the host's Device account menu.

Permission assignment is best done by user group: put users with the same rights into the same group, create a system user group for that user group, add the host device accounts these users are permitted to use to this system user group, and then bind the system user group to the user group. If each user's permissions differ, you can also authorize individual users by splitting the system user groups.

Click Grant permissions under Resource management in the navigation tree, select the System User Groups tab, click Add New Group, fill in the system user group name, move the system users from unselected devices to selected devices, and click Save once you have selected all the system accounts for the bastion user group you want to authorize.

[Screenshot 11.jpg: http://s4.51cto.com/wyfs02/M01/7E/79/wKioL1cB9Y7A4FU3AAEBGtBdlC8041.jpg]

Click Authorization Permissions under Resource management in the navigation tree, select the System User Groups tab, click Authorize in the action bar, tick "authorized group" or "authorized user", and click "Save Changes" to complete the configuration.


[Screenshot 12.jpg: http://s5.51cto.com/wyfs02/M00/7E/7C/wKiom1cB9QCAwAD1AAGEGt6rx4o346.jpg]

After authorization, the users in the authorized group or the authorized user have access to all the host system accounts in that system user group.

At this point the bastion host setup is complete. Below is my experience:

The bastion host has several good points for operators. The Kylin bastion host plug-in supports any browser (the commercial version I tested only worked in Java mode on Firefox and Chrome), and the Kylin bastion host's transparent login feature is very useful: after setting permissions, export the SecureCRT session list and place it in the CRT sessions directory; when logging in to a device you are logged in directly, with no sense that the bastion host is there. You will definitely like this feature.

