CN114500023A - Bastion machine access control method under multi-cloud environment - Google Patents


Info

Publication number: CN114500023A
Authority: CN (China)
Prior art keywords: machine, jumpserver, source, cloud, server
Legal status: Pending (Google notes that the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202210055414.9A
Other languages: Chinese (zh)
Inventor: 周锋
Current assignee: Jiangsu Yincheng Network Technology Co Ltd (Google notes that listed assignees may be inaccurate)
Original assignee: Jiangsu Yincheng Network Technology Co Ltd
Priority date: 2022-01-18 (Google notes that the priority date is an assumption and not a legal conclusion)
Filing date: 2022-01-18
Publication date: 2022-05-13

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/104 Grouping of entities
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a bastion host access control method for a multi-cloud environment. It comprises the steps of deploying the open-source JumpServer bastion host system; adding a network domain and configuring an intermediate jump host; running a script that distributes the public key file and disabling username-and-password login on the managed machines; and onboarding the cloud servers whose key integration is complete to the web console of the JumpServer bastion host system in batches, so that users of the machine hosting the JumpServer system log in to the managed machines through the unified web console and unauthorized operations arising from differing user identities and privileges are avoided. Command alarms are set in the console so that the system administrator is notified immediately of any operation command that carries a potential security risk; command log auditing, machine login auditing and session video recording are configured; and once a cloud server has been connected to the bastion host it supports only key-based login, so that attackers cannot log in to the machine directly from a remote computer.

Description

Bastion machine access control method under multi-cloud environment
Technical Field
The invention relates to the technical field of data security, and in particular to a bastion host access control method in a multi-cloud environment.
Background
With the rapid development of information security, the security of enterprise systems has become a major concern for enterprises when choosing a platform on which to build services. With the rapid rise of domestic public clouds, the cost to an enterprise of providing customised services externally is falling steadily, and the number of servers in the cloud grows continuously as the business expands.
At the same time, enterprises may deploy hot-standby services across different public clouds, so logging in to and accessing servers in a multi-cloud environment has become a problem that every company must solve at the present stage in order to protect information security and avoid production accidents.
At present, for an enterprise providing "Internet +" services, operating hundreds of cloud servers is very common, and development, test, operations and security personnel all need to log in to the servers to work;
therefore a fine-grained authorisation and audit model is needed, one that makes clear "which people access which equipment with which identities", so that operations and maintenance are brought from disorder into order.
In view of this, there is an urgent need for a control method that achieves secure operations and maintenance in a multi-cloud environment using the open-source JumpServer bastion host, which the invention provides.
Disclosure of Invention
In view of the shortcomings of the prior art, the invention aims to provide a bastion host access control method in a multi-cloud environment which supports group-based authentication through login from a unified web console, divides privileges according to user identity, avoids unauthorized operations, and solves the problems described in the background.
To this end, the invention is realised by the following technical scheme. The bastion host access control method in a multi-cloud environment comprises the following steps:
S1, deploying the open-source JumpServer bastion host system:
first, downloading the JumpServer installation package and performing a manual deployment;
second, installing a MySQL database alongside it;
finally, installing Redis directly with the yum package manager from the EPEL repository on the Linux system, and deploying the JumpServer bastion host system in containers so as to maximise resource utilisation;
S2, adding a network domain and configuring an intermediate jump host so that the JumpServer bastion host system can access it and modify the JumpServer configuration file;
S3, placing the public key of the machine running the JumpServer bastion host system into the authorized public key file of each machine to be managed, via the cloud management platform, so that JumpServer can log in to the machine without a password, while username-and-password login to the machine is disabled;
S4, onboarding the cloud servers whose key integration is complete to the web console of the JumpServer bastion host system in batches, so that users of the machine hosting the JumpServer system log in to the managed machines through the unified web console and unauthorized user operations arising from differing user identities and privileges are avoided; at the same time JumpServer provides file transfer from the local machine to the target machine, which the local machine performs directly through a tmp directory.
As a refinement of the bastion host access control method in the multi-cloud environment, adding a network domain and configuring the intermediate jump host is carried out as follows:
first, for each cloud service provider, a server used only as the network domain gateway is purchased and added in that provider's cloud console;
second, an elastic public IP is configured for that server and bound to it; the elastic public IP is connected to the JumpServer web console and then added as the network domain gateway;
and finally, in the public cloud console, the access whitelist is configured for the server behind the elastic public IP; this gateway server is what the JumpServer system uses, as an intermediate jump host, to manage machines in the different network domains.
As a refinement of the bastion host access control method in the multi-cloud environment, in step S3, if a script is run to transfer the public key file and there are several machines to be managed, that script is replaced with one able to import the public key file in batch; such a batch-import script must provide both mutual-trust authentication between the machines and import of the transferred public key file.
As a refinement of the bastion host access control method in the multi-cloud environment, when a cloud server whose key integration is complete is onboarded to the open-source JumpServer bastion host system, the method further includes: the JumpServer system disables account-and-password login for users on the machine; at this point the system file /etc/ssh/sshd_config is edited and the PasswordAuthentication entry is changed from yes to no, so that only key-based login is permitted and unauthorised remote login to the machine is blocked.
Compared with the prior art, the invention has the following beneficial effects:
login through the unified web console supports group-based authentication, and privileges are divided by user identity so that unauthorized operations are avoided; secondly, command alarms are set in the control console so that the system administrator is notified immediately of any operation command carrying a potential security risk, and command log auditing, machine login auditing and session video recording are configured; after a cloud server is connected to the bastion host, account-and-password login is disabled for all users and only key-based login is supported, with the responsible operations staff safeguarding and managing the private key, so that attackers are prevented from logging in to the machine directly from a remote computer.
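The command alarm described above is configured in the JumpServer console in the patent's method. As an added illustration of what such an alarm does, the following POSIX shell script (not code from the patent or from the JumpServer project) applies an alert pattern list to constructed command-audit log lines. The log format, the user and asset names, and the patterns are all constructed here; the one design point it shows beyond the text is that patterns must anchor on word boundaries, so that an argument such as `shutdown_timeout` does not trip the `shutdown` rule.

```shell
#!/bin/sh
# Added example, not code from the patent or from JumpServer: a command-alarm
# filter of the kind the patent says is configured in the bastion console,
# applied to constructed command-audit log lines.

# One extended regex per line; a command matching any of them raises an alert.
# Each rule anchors on start-of-line or a shell separator and on what follows,
# so "shutdown_timeout" in an argument does not match the "shutdown" rule.
# The list must contain no blank line: an empty pattern matches everything.
RISKY_PATTERNS='(^|[[:space:];&|])rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*[[:space:]]+/+([[:space:]]|$)
(^|[[:space:];&|])(shutdown|reboot|halt|poweroff)([[:space:]]|$)
(^|[[:space:];&|])mkfs(\.[a-z0-9]+)?[[:space:]]
(^|[[:space:];&|])dd[[:space:]].*of=/dev/
PasswordAuthentication[[:space:]]+yes
(^|[[:space:];&|])(useradd|usermod)[[:space:]].*(-[a-zA-Z]*G[[:space:]]+|--groups[[:space:]=])(sudo|wheel)([[:space:],]|$)'
PATTERN_FILE=$(mktemp)
printf '%s\n' "$RISKY_PATTERNS" | grep -v '^$' > "$PATTERN_FILE"

# Exit status 0 when the command string matches any alert pattern.
is_risky() {
    printf '%s\n' "$1" | grep -Eq -f "$PATTERN_FILE"
}

# Read audit lines of the constructed form
#   <time> user=<u> asset=<ip> cmd="<command>"
# and print an ALERT line for each risky command; this output is what a
# notification hook to the administrator would consume. Lines without a
# cmd field are skipped.
flag_risky_commands() {
    while IFS= read -r line; do
        cmd=$(printf '%s\n' "$line" | sed -n 's/.*cmd="\(.*\)".*/\1/p')
        [ -n "$cmd" ] || continue
        if is_risky "$cmd"; then
            printf 'ALERT %s\n' "$line"
        fi
    done < "$1"
}

# Constructed sample of a bastion command-audit log (written to $1).
# Six of the ten commands should alert; the other four are benign look-alikes.
write_sample_log() {
    cat > "$1" <<'EOF'
2022-01-18T10:03:11Z user=ops1 asset=10.0.1.12 cmd="ls -la /var/log"
2022-01-18T10:04:02Z user=ops1 asset=10.0.1.12 cmd="rm -rf /tmp/build"
2022-01-18T10:05:40Z user=dev2 asset=10.0.2.7 cmd="rm -rf /"
2022-01-18T10:06:13Z user=dev2 asset=10.0.2.7 cmd="grep shutdown_timeout app.conf"
2022-01-18T10:07:55Z user=dev2 asset=10.0.2.7 cmd="sudo reboot"
2022-01-18T10:09:01Z user=ops3 asset=10.0.3.3 cmd="cat /etc/ssh/sshd_config"
2022-01-18T10:09:30Z user=ops3 asset=10.0.3.3 cmd="sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config"
2022-01-18T10:11:12Z user=ops3 asset=10.0.3.3 cmd="dd if=/dev/zero of=/dev/sda bs=1M"
2022-01-18T10:12:48Z user=dev4 asset=10.0.4.9 cmd="usermod -aG sudo dev4"
2022-01-18T10:13:20Z user=dev4 asset=10.0.4.9 cmd="mkfs.ext4 /dev/sdb1"
EOF
}

# Stand-alone demonstration: scan the constructed log and print the alerts.
demo() {
    log=$(mktemp)
    write_sample_log "$log"
    flag_risky_commands "$log"
    rm -f "$log"
}
demo
```

The seventh sample line is the case a bastion operator cares about most in this method: a command that re-enables password authentication on a managed host, undoing the sshd_config hardening that step S4 relies on.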
Drawings
The disclosure of the present invention is illustrated with reference to the accompanying drawings. It is to be understood that the drawings are intended solely for illustration and not as a definition of the limits of the invention; like reference numerals indicate like parts. In the drawings:
fig. 1 is a flowchart of an implementation of the bastion host access control method in a multi-cloud environment according to an embodiment of the invention;
fig. 2 is a flowchart of the implementation architecture of the bastion host access control method in a multi-cloud environment according to an embodiment of the invention;
fig. 3 is a schematic diagram of the server hosting architecture when the web console of the open-source JumpServer bastion host system onboards cloud servers in batch, according to an embodiment of the invention.
Detailed Description
It is readily understood that, following the technical solution of the present invention, a person skilled in the art can propose various alternative structures and implementations without departing from the spirit of the invention. The following detailed description and the accompanying drawings are therefore merely illustrative of the technical solution and should not be construed as the whole of the invention or as limitations on it.
As shown in fig. 1 and fig. 3, the invention provides a bastion host access control method in a multi-cloud environment, comprising:
S1, deploying the open-source JumpServer bastion host system:
first, downloading the JumpServer installation package and performing a manual deployment; the specific implementation of downloading the JumpServer installation package and performing the manual deployment is as follows:
second, installing a MySQL database alongside it; the MySQL version used here must be higher than 5.7;
finally, installing Redis directly with the yum package manager from the EPEL repository on the Linux system, and deploying the JumpServer bastion host system in containers so as to maximise resource utilisation; the Redis version used here must be higher than 5.0.
S2, adding a network domain and configuring an intermediate jump host so that the JumpServer bastion host system can access it and modify the JumpServer configuration file;
on this basis, adding the network domain and configuring the intermediate jump host is carried out as follows:
first, for each cloud service provider, a server used only as the network domain gateway is purchased and added in that provider's cloud console;
second, an elastic public IP is configured for that server and bound to it; the elastic public IP is connected to the JumpServer web console and then added as the network domain gateway;
and finally, in the public cloud console, the access whitelist is configured for the server behind the elastic public IP; this gateway server is what the JumpServer system uses, as an intermediate jump host, to manage machines in the different network domains.
S3, placing the public key of the machine running the JumpServer bastion host system into the authorized public key file (/root/.ssh/authorized_keys) of each machine to be managed, via the cloud management platform; this public key enables JumpServer to log in to the machine without a password, while username-and-password login to the machine is disabled. If a script is run to transfer the public key file and there are several machines to be managed, that script is replaced with one able to import the public key file in batch; such a batch-import script must provide both mutual-trust authentication between the machines and import of the transferred public key file.
S4, onboarding the cloud servers whose key integration is complete to the web console of the JumpServer bastion host system in batch, so that users of the machine hosting the JumpServer system log in to the managed machines through the unified web console and unauthorized user operations arising from differing user identities and privileges are avoided; at the same time JumpServer provides file transfer from the local machine to the target machine, which the local machine performs directly through a tmp directory. After a cloud server whose key integration is complete has been onboarded to the JumpServer system, the method further comprises: the JumpServer system disables account-and-password login for users on the machine; at this point the system file /etc/ssh/sshd_config is edited and the PasswordAuthentication entry is changed from yes to no, so that only key-based login is permitted and unauthorised remote login to the machine is blocked; from then on, as long as the responsible operations staff keep the private key safe, attackers cannot log in to the machine directly from a remote computer.
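Steps S3 and S4 together amount to two file edits on every managed host: appending the bastion's public key to /root/.ssh/authorized_keys, and flipping PasswordAuthentication to no in /etc/ssh/sshd_config. The following POSIX shell script is an added example, not code from the patent or from the JumpServer project, and not the batch-import script the patent refers to. It implements both edits idempotently on local files, plus a remote driver that shows the one check a practitioner adds beyond the text: key-only login is proved to work before password login is removed, so an operator is never locked out. The public key, the scratch directory and the root login over ssh are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the patent or from JumpServer: an idempotent
# form of steps S3/S4 for one managed host. The public key, the scratch paths
# and the use of root over ssh are constructed assumptions.

# Append PUBKEY to AUTH_FILE exactly once, with the permissions sshd requires
# (directory 700, file 600); re-running on an already-onboarded host is a no-op.
install_authorized_key() {
    auth_file="$1"; pubkey="$2"
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir"
    touch "$auth_file" && chmod 600 "$auth_file"
    if grep -qxF "$pubkey" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# Rewrite every PasswordAuthentication line (commented or not) in an
# sshd_config file to "PasswordAuthentication no", or append the directive if
# the file has none. On a real host, confirm the effective value with
# `sshd -T`: Include'd drop-in files and Match blocks can still override it.
disable_password_auth() {
    cfg="$1"; tmp="$cfg.tmp.$$"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$cfg" > "$tmp"
    else
        cp "$cfg" "$tmp" && printf 'PasswordAuthentication no\n' >> "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# First uncommented occurrence of a directive: the one sshd actually uses.
sshd_effective() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Remote driver for a real host (needs ssh access; not run by the demo):
# copy the bastion's key, PROVE key-only login works, and only then turn
# password login off and reload sshd. If the key login check fails the host
# is left unchanged rather than locked.
harden_host() {
    host="$1"; keyfile="$2"
    ssh-copy-id -i "$keyfile" "root@$host" || return 1
    ssh -i "${keyfile%.pub}" -o BatchMode=yes -o PasswordAuthentication=no \
        "root@$host" true || { echo "key login to $host failed; leaving passwords on" >&2; return 1; }
    ssh -i "${keyfile%.pub}" "root@$host" "$(cat <<'EOF'
sed -i -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config || echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config
sshd -t && systemctl reload sshd
EOF
)"
}

# Batch form over a hosts file (one address per line), as step S3 needs when
# there are several machines to manage.
harden_all() {
    while IFS= read -r h; do
        [ -n "$h" ] && harden_host "$h" "$2"
    done < "$1"
}

# Local demonstration on files in a scratch directory (constructed inputs).
demo() {
    workdir=$(mktemp -d)
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealKey0000 jumpserver@bastion'
    printf '#PasswordAuthentication yes\nPasswordAuthentication yes\nPubkeyAuthentication yes\n' > "$workdir/sshd_config"
    install_authorized_key "$workdir/.ssh/authorized_keys" "$key"
    install_authorized_key "$workdir/.ssh/authorized_keys" "$key"   # second run adds nothing
    disable_password_auth "$workdir/sshd_config"
    echo "authorized_keys lines: $(grep -c . "$workdir/.ssh/authorized_keys")"
    echo "PasswordAuthentication: $(sshd_effective "$workdir/sshd_config" PasswordAuthentication)"
    rm -rf "$workdir"
}
demo
```

Run as written, the demo prints one authorized_keys line and an effective PasswordAuthentication of no; `harden_all hosts.txt bastion_key.pub` is the batch call for real hosts.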
As shown in fig. 2, the architecture flowchart of an implementation of the bastion host access control method in a multi-cloud environment, which explains the technical concept above:
JumpServer is the management backend: an administrator performs asset management, user management, asset authorization and other operations through the web page, and a user logs in to assets through the web page;
Luna is the front-end page of the Web Terminal Server; it is the component a user needs in order to log in in Web Terminal view mode;
Koko (formerly coco) is the SSH server and Web Terminal server; through it, a user accesses SSH-protocol and Telnet-protocol assets over SSH or the Web Terminal using his own account;
Guacamole is the component for RDP-protocol and VNC-protocol assets; a user connects to RDP and VNC assets through the Web Terminal.
The technical scope of the present invention is not limited to the above description, and those skilled in the art can make various changes and modifications to the above-described embodiments without departing from the technical spirit of the present invention, and such changes and modifications should fall within the protective scope of the present invention.

Claims (4)

1. A bastion host access control method in a multi-cloud environment, characterized in that the method comprises the following steps:
S1, deploying the open-source JumpServer bastion host system:
first, downloading the JumpServer installation package and performing a manual deployment;
second, installing a MySQL database alongside it;
finally, installing Redis directly with the yum package manager from the EPEL repository on the Linux system, and deploying the JumpServer bastion host system in containers so as to maximise resource utilisation;
S2, adding a network domain and configuring an intermediate jump host so that the JumpServer bastion host system can access it and modify the JumpServer configuration file;
S3, placing the public key of the machine running the JumpServer bastion host system into the authorized public key file of each machine to be managed, via the cloud management platform, so that JumpServer can log in to the machine without a password, while username-and-password login to the machine is disabled;
S4, onboarding the cloud servers whose key integration is complete to the web console of the JumpServer bastion host system in batch, so that users of the machine hosting the JumpServer system log in to the managed machines through the unified web console and unauthorized user operations arising from differing user identities and privileges are avoided; at the same time JumpServer provides file transfer from the local machine to the target machine, which the local machine performs directly through a tmp directory.
2. The bastion host access control method in a multi-cloud environment according to claim 1, wherein in step S2 adding the network domain and configuring the intermediate jump host is carried out as follows:
first, for each cloud service provider, a server used only as the network domain gateway is purchased and added in that provider's cloud console;
second, an elastic public IP is configured for that server and bound to it; the elastic public IP is connected to the JumpServer web console and then added as the network domain gateway;
and finally, in the public cloud console, the access whitelist is configured for the server behind the elastic public IP; this gateway server is what the JumpServer system uses, as an intermediate jump host, to manage machines in the different network domains.
3. The bastion host access control method in a multi-cloud environment according to claim 1, wherein in step S3, if a script is run to transfer the public key file and there are several machines to be managed, that script is replaced with one able to import the public key file in batch, and such a batch-import script must provide both mutual-trust authentication between the machines and import of the transferred public key file.
4. The bastion host access control method in a multi-cloud environment according to claim 1, wherein, when a cloud server whose key integration is complete is onboarded to the open-source JumpServer bastion host system, the method further comprises: the JumpServer system disables account-and-password login for users on the machine; at this point the system file /etc/ssh/sshd_config is edited and the PasswordAuthentication entry is changed from yes to no, so that only key-based login is permitted and unauthorised remote login to the machine is blocked.

Priority Applications (1)

Application Number: CN202210055414.9A; Priority Date: 2022-01-18; Filing Date: 2022-01-18; Title: Bastion machine access control method under multi-cloud environment

Applications Claiming Priority (1)

Application Number: CN202210055414.9A; Priority Date: 2022-01-18; Filing Date: 2022-01-18; Title: Bastion machine access control method under multi-cloud environment

Publications (1)

Publication Number: CN114500023A (en); Publication Date: 2022-05-13

Family

ID=81512147

Family Applications (1)

Application Number: CN202210055414.9A; Status: Pending; Publication: CN114500023A (en); Priority Date: 2022-01-18; Filing Date: 2022-01-18; Title: Bastion machine access control method under multi-cloud environment

Country Status (1)

Country: CN (1); Link: CN114500023A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116192600A (en) * 2023-03-02 2023-05-30 杭州乒乓智能技术有限公司 Operation and maintenance method and system for automatically and uniformly managing nodes of fort machine

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108347449A (en) * 2017-01-23 2018-07-31 阿里巴巴集团控股有限公司 A kind of method and apparatus of management Telnet
WO2019240604A1 (en) * 2018-06-11 2019-12-19 Suchocki Michal Device, system and method for cyber security managing in a remote network
CN112131544A (en) * 2020-09-27 2020-12-25 江苏云柜网络技术有限公司 Shell script method for user management of springboard machine
CN112527379A (en) * 2020-12-01 2021-03-19 深圳市证通电子股份有限公司 Guacamole-based fort machine application operation and maintenance method, device, equipment and medium
CN113612740A (en) * 2021-07-21 2021-11-05 腾讯科技(深圳)有限公司 Authority management method and device, computer readable medium and electronic equipment
CN113765963A (en) * 2020-07-24 2021-12-07 北京沃东天骏信息技术有限公司 Data processing method, device, equipment and computer readable storage medium


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
小麦苗: "JumpServer: a better bastion host for multi-cloud environments", HTTPS://WWW.CNBLOGS.COM/LHRBEST/P/14675507.HTML, pages 1 - 17 *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination