It's the holiday, my girlfriend isn't around, and I don't want to go out and fight the crowds everywhere, so I stayed at home and developed a bastion host. It is now open source and you are welcome to try it. Before you use it, let me introduce why a bastion host matters.
So far, many companies are still lukewarm about bastion hosts, largely because they don't fully appreciate the role a bastion host plays in IT management. Many people think a bastion host is just a jump host, but that understanding is incomplete: the jump-host function is only one of the bastion host's attributes. Below I give a brief introduction to the importance of a bastion host, to help you judge whether your company's business needs one.
A bastion host has the following two critical functions:
Rights Management
When your company's servers become more and more numerous, the people who need to operate them are certainly not just one ops person; they may also include several developers. With so many people operating the business systems, improperly assigned permissions create a great security risk. To cite a few scenarios:
Imagine your company has 300 Linux servers. A developer needs to log in to 5 of them (web servers) to view logs or track down issues, and also has root permissions on another 10 Hadoop servers. Out of those 300, how do you let this developer log on only to those 5 servers, and only as a normal user, while also allowing him to log in as an administrator on the other 10 Hadoop servers? And at the same time, for the other remaining 200
At present, as I understand it, many companies' ops teams share the same root password across the whole team out of mutual respect, relying on an internal trust mechanism. Although this is convenient for everyone, it also carries a great security risk. In many cases an ops person only needs to manage a fixed number of servers; after all, the company is divided into different lines of business, and different ops staff manage different lines. Sharing one set of root passwords effectively amplifies every operator's permissions without limit: if an ops person wants to do something bad, he can bring the whole business down in a few minutes and even delete the data. To reduce this risk, someone thought of changing the root password per line of business, so that each line's operators know only their own password. This is of course the simplest and most effective way, but the problem is that it becomes cumbersome if you also use LDAP; even if you set root not to authenticate through LDAP, the new problem is that every time an ops staff member leaves, the password for his line of business has to be changed again.
In fact, I think the above problem can be solved very simply with a bastion host: take back everyone's permission to log in to servers directly, and have every login authorized by the bastion host. Ops staff and developers do not know the remote servers' passwords; the remote machines' user credentials are bound to the bastion host, and a bastion user can only see which remote servers his permissions allow him to access.
After taking back the ops staff's and developers' direct permissions on the remote servers, the entire authentication process for your company's production systems is completed through the bastion host, which effectively becomes the SSO module of your production systems. You only need to add a few rules on the bastion host to achieve the following permission controls:
Allow developer A to log on to 5 web servers as a normal user and to a Hadoop server with root privileges, but with no access at all to the remaining servers.
Multiple ops people can share one remote root account, yet you can still tell which commands were run on which servers by whom, because each person's bastion account is unique. That is, although all ops staff share a remote root account, each of them uses his own unique bastion account, so the bastion host can still control and attribute each operator's access to the different machines.
Audit Management
Audit management is very simple: all user operations are recorded for later audits or for assigning responsibility after an incident. One thing to note when recording user operations is that the records must not be visible to the operating user. What does that mean? Whether or not the user wants it, his operations are recorded, and if he wants to tamper with the records or delete their contents, that is not something he is able to do. This requires the operation log to be invisible and inaccessible to users, which a bastion host implements very well.
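To make the two functions above concrete, here is an added example (my own illustration, not code from CrazyEye or any of the products listed below) that models a bastion host's rule table and its operator-inaccessible audit log. It assumes constructed host names (web01..web05, hadoop01..hadoop10), constructed bastion users (dev-alice, ops-bob, ops-carol) and a hypothetical auditor role; the hash chain is an addition that lets an auditor detect an edited or deleted record.

```python
# Added example (not CrazyEye's code): minimal model of the rights and audit functions above.
from hashlib import sha256

class Bastion:
    def __init__(self, auditors):
        self._grants = {}    # bastion user -> {(remote host, remote account)}
        self._audit = []     # append-only, hash-chained; operators cannot read it
        self._auditors = set(auditors)
    def grant(self, bastion_user, hosts, remote_user):
        self._grants.setdefault(bastion_user, set()).update((h, remote_user) for h in hosts)
    def authorize(self, bastion_user, host, remote_user):
        return (host, remote_user) in self._grants.get(bastion_user, set())
    def run(self, bastion_user, host, remote_user, cmd):
        """Proxy one command; allowed and denied attempts are both recorded."""
        ok = self.authorize(bastion_user, host, remote_user)
        self._append({"user": bastion_user, "host": host, "as": remote_user, "cmd": cmd, "allowed": ok})
        return ok  # a real bastion would open the SSH session here when ok is True
    @staticmethod
    def _digest(prev, rec):
        body = sorted((k, v) for k, v in rec.items() if k != "digest")
        return sha256((prev + repr(body)).encode()).hexdigest()
    def _append(self, rec):
        prev = self._audit[-1]["digest"] if self._audit else "0" * 64
        rec["digest"] = self._digest(prev, rec)  # chain each record to its predecessor
        self._audit.append(rec)
    def audit(self, auditor, user=None, host=None):
        """Only a designated auditor, never the operating user, may read the log."""
        if auditor not in self._auditors:
            raise PermissionError("operation log is not visible to operators")
        return [r for r in self._audit
                if (user is None or r["user"] == user) and (host is None or r["host"] == host)]
    def verify_chain(self):
        """False if any record was edited or removed after it was written."""
        prev = "0" * 64
        for rec in self._audit:
            if rec["digest"] != self._digest(prev, rec):
                return False
            prev = rec["digest"]
        return True

def build_example():
    # The scenario from the text: one developer, two ops staff sharing remote root.
    web = [f"web{i:02d}" for i in range(1, 6)]         # 5 web servers (constructed names)
    hadoop = [f"hadoop{i:02d}" for i in range(1, 11)]  # 10 Hadoop servers (constructed names)
    b = Bastion(auditors={"security-auditor"})
    b.grant("dev-alice", web, "dev")       # normal user on the 5 web servers only
    b.grant("dev-alice", hadoop, "root")   # root on the 10 Hadoop servers
    for ops in ("ops-bob", "ops-carol"):   # shared remote root, distinct bastion identities
        b.grant(ops, web + hadoop, "root")
    return b
```

The audit records carry the bastion identity, not the shared remote account, which is what lets an auditor tell ops-bob's commands from ops-carol's even though both ran as root.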
Having said all that, let me recommend a few bastion host products; you can choose according to your business needs.
Chi Zhi bastion host
The first domestic bastion host, a commercial product, powerful, supporting audit of both Windows and Linux equipment. Of course the price is not cheap; as far as I know, one set should be around.
Jumpserver
Launched last year, an open-source bastion host that supports operations audit on Linux hosts; Windows is not supported.
CrazyEye
A bastion host plus host management software that I have just developed. It supports operations audit on Linux hosts and does not support Windows. One difference from the two above is that CrazyEye also supports batch commands and file distribution across hosts; scheduled task management will be added later, so please look forward to it.
Software git address: Https://github.com/triaquae/CrazyEye.git
Software screenshots (images not preserved): admin login, create host, create host user, host-user binding, create user profile, work with web SSH, homepage, multi-task command, multi-task file, audit by user, audit by host, command records, configure.
Using the holiday to develop an open-source bastion host, CrazyEye