Test experience of open-source bastion host --- Qilin open-source bastion host

Source: Internet
Author: User
Tags: ssh, port

Because of management and audit requirements, our management asked for a bastion host, and we evaluated several commercial products. None was bought because the price exceeded the budget, so I tested three open-source bastion hosts instead. Qilin's open-source bastion host (the name is also rendered Kirin) has the most complete feature set, essentially on par with the commercial products. Its one limitation is that the graphical protocols are not open source and need a license; since our servers are almost all Linux, Telnet, SSH, FTP and SFTP are enough, and this bastion host is already in production here.

Commercial bastion hosts currently sell for around 100,000, so based on deploying the open-source one in our company I am writing the process up as a document to share.

The other open-source bastion hosts I tested are essentially semi-finished products. The Qilin bastion host is essentially a finished product, though it still has a few bugs that I could fix myself.

Conditions for installing the Qilin bastion host:

1. The system must have at least two NICs; the installer reports an error with only one. For a virtual machine, give the VM two virtual NICs.

2. Minimum hardware: an Intel 64-bit CPU, 4 GB of memory and a hard disk (the minimum disk size is not stated in the original). A 32-bit CPU is not supported.

Installation Process:

Installing the Qilin bastion host is very simple: boot from the CD, press Enter, and the rest is completely unattended with nothing to answer (I would give the installer 95 points).

The process is shown as follows:

Boot from the optical drive. On the installation menu select "blj" and press Enter. (If you are installing into a VM on a laptop, select "Install Pcvm" instead: it creates a 500 MB swap, whereas the default installation creates a 32 GB swap. The swap size is the only difference between the two, and a VM disk may not have room for a 32 GB swap.)

On my physical machine (8 GB memory, an ordinary single E3 CPU, 2 TB SATA disk) the installation takes about 30 minutes. When it finishes the system reboots and you can remove the CD.

System Configuration:

1. After installation the default address is 192.168.1.100/24 on eth0. Give a laptop an address in the same subnet, connect it directly to eth0 and open https://192.168.1.100 (I used IE). The default login is admin/12345678. After logging in go to System configuration > Network configuration, edit the eth0 port, set your own IP address, mask and gateway, and click Save. The box comes up on the new address, so reconnect from that network. Change the admin password at the same time: the default is published, and it is the first thing anyone probing the box will try.


2. The Qilin bastion host runs on CentOS 7.1 (too new, in my opinion!). The OS login is documented too, which is better than a commercial bastion host: anyone comfortable on the command line can change the IP address from the shell instead. Note that the OS SSH daemon listens on port 2288, and the login is root/Baoleiji123. Because these credentials are public, change the root password right after installation and do not expose port 2288 beyond the management network.

3. Once the system is configured, using a graphical protocol (RDP, VNC, X11) requires a license, which you request from the developer; the character protocols work without one. Everything here is Linux, so I did not apply. Bringing the Qilin bastion host into service took me four steps:

create the directory structure, import the bastion host accounts (master accounts), import the server accounts (slave accounts), and authorize the master-to-slave account associations. Honestly, it is nicer than a commercial bastion host.

4. Create a directory structure:

The directory plays the role of device groups and user groups; the Qilin bastion host organizes everything in an LDAP-style tree, and a single node can hold both users and devices. I find that inconvenient, so I create separate groups for users and for devices. Create the groups first: users and devices cannot be added without a group to put them in.

Go to Resource management > Asset management > Directory management, click "Add node", and pick the "Directory" and "Attribute" values for the kind of group you want.

PS: "Node name" is the name of the node; "Directory" is the parent node of the new directory. The tree can be nested without limit. It must be built before you import users and devices, because both need an existing node to go under.

6. Import the bastion host accounts (master accounts): choose Resource management > Asset management > User management. Four accounts exist by default: Admin, Audit, Password and Test. With only a few accounts you can add them one at a time; I have more than 40 operations staff, so I used the import. Click Export to get a CSV template, fill it in, and import it back.

After the export, only these columns of the CSV need filling in:

User name: the name the operations staff member uses to log on to the bastion host (required, must be unique)

Password: the password for logging on to the bastion host (required)

Real name: the person's real name (required)

Email: the person's e-mail address (optional)

User permissions: set uniformly to common user (required)

Group name: the name of the resource group in the directory structure. If several groups share a name, reference the group as "name (id)"; for example, to put the user in the first of two groups called first, write first (221).

After filling it in, delete the sample "test" row from the first line and click Import. Note: the encryption checkbox must be ticked, otherwise the import fails.

 

7. Import the server accounts (slave accounts). The Qilin bastion host creates the device automatically when it imports an account, so you only need to export a CSV from Resource management > Asset management > Device list, fill it in, and import devices and device accounts in one go:

Generally only columns A to H are required; copy the columns from the template. The columns are:

Host name: the host's name

IP: the host's IP address

Server group: the ID of the directory node the server belongs to. Because the directory allows duplicate names, the group is referenced by ID; you can read the ID in Asset management > Resource management > Directory node.


System type: the host's operating system type. It must be one of the built-in system types or one you added beforehand.

System user: the account name on the host. Leave it empty if you do not want the bastion host to hold (host) this account.

Current password: the account's current password. Leave it empty if the account is not hosted.

Logon protocol: currently telnet, ssh1, ssh, ftp, rdp, vnc and x11 are supported.

Port: the target port for the logon protocol.

Expiration time: when the system account expires; after this time logon is refused.

Automatic password change: whether to rotate this account's password automatically (default: no).

Primary account: with automatic password change, a single account logs on to the host and changes every other user's password. Enter yes if this is that account. The primary account usually has root privileges or can sudo to root.

Automatic logon: yes by default.

Bastion host user: no.

SFTP user: for an SSH account, whether the user may also use SFTP (yes/no).

Public/private key user: for an SSH account, whether authentication uses a public/private key pair.

After filling it in, click Import to import it back. Here too the encryption checkbox must be ticked.
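As an added example (not code from the Qilin project or the original author), the following Python script builds the two import CSVs described in steps 6 and 7 from plain Python records and performs the checks the importer would otherwise reject: unique user names, required fields, the "name (id)" form for duplicate group names in the user template, and a known node ID in the server group column of the device template. The column headers, directory node IDs, default ports and sample records are assumptions; take the real header row from the template the bastion host exports and paste the generated rows under it.

```python
import csv
import io
from collections import Counter

# Constructed sample of the directory tree as (node id, node name). Two nodes
# share the name "first", so one of them can only be referenced as "first (221)".
DIRECTORY_NODES = [(220, "first"), (221, "first"), (222, "ops"), (223, "dbservers")]

# Logon protocols the device template accepts, per the field list above.
LOGON_PROTOCOLS = {"telnet", "ssh1", "ssh", "ftp", "rdp", "vnc", "x11"}
# Assumed defaults used when a record gives no port.
DEFAULT_PORTS = {"telnet": 23, "ssh1": 22, "ssh": 22, "ftp": 21,
                 "rdp": 3389, "vnc": 5900, "x11": 6000}

# Assumed header rows; the real ones come from the exported templates.
USER_COLUMNS = ["User name", "Password", "Real name", "Email",
                "User Permissions", "Group Name"]
DEVICE_COLUMNS = ["Host Name", "IP", "Server group", "System type", "System User",
                  "Current password", "Logon Protocol", "Port"]


def group_ref(name, node_id=None, nodes=DIRECTORY_NODES):
    """Group reference for the user template: the bare name when it is unique,
    'name (id)' when several directory nodes share the name."""
    ids = [nid for nid, n in nodes if n == name]
    if not ids:
        raise ValueError(f"unknown directory node {name!r}")
    if len(ids) == 1:
        return name
    if node_id not in ids:
        raise ValueError(f"group name {name!r} is ambiguous {ids}; pass node_id")
    return f"{name} ({node_id})"


def build_user_rows(users):
    """Rows for the bastion host (master) account import."""
    dupes = [u for u, c in Counter(u["username"] for u in users).items() if c > 1]
    if dupes:
        raise ValueError(f"user names must be unique, duplicates: {dupes}")
    rows = []
    for u in users:
        for field in ("username", "password", "real_name", "group"):
            if not u.get(field):
                raise ValueError(f"user {u.get('username')!r}: {field} is required")
        rows.append([u["username"], u["password"], u["real_name"],
                     u.get("email", ""), u.get("permission", "common"),
                     group_ref(u["group"], u.get("group_id"))])
    return rows


def build_device_rows(devices, nodes=DIRECTORY_NODES):
    """Rows for the device and server (slave) account import. The server group
    column takes the node ID; an unhosted account leaves user and password empty."""
    known_ids = {nid for nid, _ in nodes}
    rows = []
    for d in devices:
        if d["group_id"] not in known_ids:
            raise ValueError(f"{d['host']}: unknown server group id {d['group_id']}")
        proto = d["protocol"].lower()
        if proto not in LOGON_PROTOCOLS:
            raise ValueError(f"{d['host']}: unsupported logon protocol {proto!r}")
        user = d.get("system_user", "")
        password = d.get("password", "") if user else ""
        rows.append([d["host"], d["ip"], d["group_id"], d["os"], user, password,
                     proto, d.get("port") or DEFAULT_PORTS[proto]])
    return rows


def to_csv(columns, rows):
    """Serialize with the header row only, no sample row: the template's sample
    row has to be deleted before import anyway."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(columns)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    users = [  # constructed sample records
        {"username": "alice", "password": "Chang3-me!", "real_name": "Alice Lu", "group": "ops"},
        {"username": "bob", "password": "Chang3-me!", "real_name": "Bob Wu",
         "group": "first", "group_id": 221, "email": "bob@example.com"},
    ]
    devices = [  # constructed sample records
        {"host": "db01", "ip": "10.0.0.11", "group_id": 223, "os": "Linux",
         "system_user": "root", "password": "Chang3-me!", "protocol": "ssh", "port": 22},
        {"host": "legacy01", "ip": "10.0.0.12", "group_id": 222, "os": "Linux",
         "protocol": "telnet"},
    ]
    print(to_csv(USER_COLUMNS, build_user_rows(users)))
    print(to_csv(DEVICE_COLUMNS, build_device_rows(devices)))
```

The script keeps the passwords in cleartext in the generated file, exactly as the template expects, so generate it on the machine you import from and delete it once the import with the encryption box ticked has succeeded.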

9. System authorization. Once the bastion host accounts (master) and host system accounts (slave) are imported, you grant permissions; after that a master account logging on to the bastion host can jump to its authorized devices.

If a master account needs many slave accounts, grant them through the System user group menu. You can also add a temporary authorization policy for a single slave account from the host device account menu.

It is best to authorize by user group: put users with the same permissions in one user group, create a system user group for them, add the host device accounts those users need to it, and bind the system user group to the user group. If every user's permissions differ, you can create a system user group per user instead.

Click Authorize permission under Resource management in the navigation tree, open the System user group tab, click Add new group, enter the system user group's name, pick the system accounts from "Unselected devices" and move them to "Selected devices". Once every system account the user group needs is selected, click Save.


Back on the System user group tab, click "Authorize" in the "Operations" column, select an authorization group or an authorized user, and click "Save changes" when done.


After authorization, the users in the group (or the individually authorized users) hold the permissions of every host system account in the system user group.
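To make the authorization model of step 9 concrete, here is an added example (my own illustration, not the Qilin product's code or data model) that resolves which host accounts a user can reach: every account of every system user group bound to one of the user's groups or to the user directly, plus temporary per-account grants. The reverse view answers the audit question "who can log on as root on db02?", which is what you want to check before trusting a group layout. All group names, hosts and users are constructed sample data.

```python
from collections import defaultdict

# Constructed sample directory: user groups and their members.
USER_GROUPS = {
    "dba": {"alice", "bob"},
    "web-ops": {"carol"},
}
# System user groups and the (host, account) pairs they contain.
SYSTEM_USER_GROUPS = {
    "db-root": {("db01", "root"), ("db02", "root")},
    "web-deploy": {("web01", "deploy"), ("web02", "deploy")},
}
# Bindings made on the Authorize dialog: a system user group bound to an
# authorization group and/or to an individual authorized user.
BINDINGS = [
    {"system_group": "db-root", "user_group": "dba"},
    {"system_group": "web-deploy", "user_group": "web-ops"},
    {"system_group": "web-deploy", "user": "bob"},   # individual authorization
]
# Temporary single-account grants from the host device account menu.
TEMP_GRANTS = [("carol", ("db02", "root"))]


def effective_accounts(user, user_groups=USER_GROUPS, system_groups=SYSTEM_USER_GROUPS,
                       bindings=BINDINGS, temp_grants=TEMP_GRANTS):
    """All (host, account) pairs the user may jump to after authorization."""
    my_groups = {g for g, members in user_groups.items() if user in members}
    allowed = set()
    for b in bindings:
        if b.get("user") == user or b.get("user_group") in my_groups:
            allowed |= system_groups[b["system_group"]]
    allowed |= {acct for who, acct in temp_grants if who == user}
    return allowed


def account_holders(user_groups=USER_GROUPS, system_groups=SYSTEM_USER_GROUPS,
                    bindings=BINDINGS, temp_grants=TEMP_GRANTS):
    """Reverse view for audits: which users can reach each host account."""
    users = set().union(*user_groups.values())
    users |= {b["user"] for b in bindings if "user" in b}
    users |= {who for who, _ in temp_grants}
    holders = defaultdict(set)
    for u in users:
        for acct in effective_accounts(u, user_groups, system_groups, bindings, temp_grants):
            holders[acct].add(u)
    return dict(holders)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_accounts(user)))
    for acct, who in sorted(account_holders().items()):
        print(f"{acct[1]}@{acct[0]}: {sorted(who)}")
```

Note how bob ends up with both root on the database hosts and deploy on the web hosts because of the extra individual binding; the reverse view surfaces such accumulations, which is why authorizing through groups and reviewing the holders of privileged accounts is worth the setup effort.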

That completes the bastion host setup. Now some impressions.

For operations staff the bastion host has two notable advantages:

1. The Qilin plug-in works in any browser (the commercial versions I tested supported Firefox and Chrome only through Java);

2. The transparent login feature is very handy: after the permissions are set, export the SecureCRT list from the list export, copy it into SecureCRT's Sessions directory, and from then on you log on to a device directly without noticing the bastion host in between. Hard not to like.

