This is the sixth day of my participation in the November Gwen Challenge. See details: The Last Gwen Challenge 2021.

Introduction to bastion hosts

On the hardware side there are Anheng and the JumpServer all-in-one appliance; on the software side there is Aliyun.

But all of the above are commercial hardware and software, and they are not cheap. In keeping with the company's goal of reducing costs and improving efficiency, the first choice must be a free, open-source option.

The most popular option at present is JumpServer, with 17K stars on GitHub.

JumpServer's official website is www.jumpserver.org/

Installation

The project provides a one-click installation script, which is convenient and quick:

curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.15.0/quick_start.sh | bash

# Go to the JumpServer installation directory
cd /opt/jumpserver-installer-v2.15.0

# Start
./jmsctl.sh start

# Stop
./jmsctl.sh down

For detailed usage, see the documentation: docs.jumpserver.org/zh/master/

This article focuses on the security considerations.

Security considerations

User Settings

There must be three roles, administrator, auditor and ordinary user, each with its own accounts and assigned personnel.

Password rules

Set a password complexity policy and a password expiration time.

Logon failure

Set a limit on the number of failed login attempts and a lockout duration to defend against brute-force cracking.
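The lockout setting above stops an attacker on the bastion itself, but the failed attempts should also be visible to whoever watches the logs. The script below is an added example (not part of the original post and not JumpServer's own code) that counts failed logins per source address and flags sources that reach a threshold. The log lines are constructed samples in an assumed "DATE TIME RESULT USER SRC_IP" layout, not JumpServer's real login-log export format; adapt the awk field numbers to the format you export.

```shell
#!/bin/sh
# Added example: flag source IPs with repeated failed bastion logins.
# SAMPLE_LOG is a constructed sample in an assumed "DATE TIME RESULT USER SRC_IP"
# layout; it is not JumpServer's real login-log format.
SAMPLE_LOG='2021-11-06 09:00:01 FAIL alice 203.0.113.9
2021-11-06 09:00:04 FAIL alice 203.0.113.9
2021-11-06 09:00:07 FAIL root 203.0.113.9
2021-11-06 09:00:09 FAIL admin 203.0.113.9
2021-11-06 09:00:12 FAIL alice 203.0.113.9
2021-11-06 09:01:00 OK bob 10.0.0.5
2021-11-06 09:02:30 FAIL bob 10.0.0.5
2021-11-06 09:02:45 OK bob 10.0.0.5'

# failures_by_ip: reads log lines on stdin, prints "COUNT IP" per source, highest first
failures_by_ip() {
  awk '$3 == "FAIL" { n[$5]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# users_tried_by_ip IP: number of distinct usernames that failed from IP
# (many different names from one source points at password spraying, not a typo)
users_tried_by_ip() {
  awk -v ip="$1" '$3 == "FAIL" && $5 == ip && !($4 in u) { u[$4] = 1; c++ } END { print c + 0 }'
}

# flag_sources THRESHOLD: prints IPs whose failure count reached THRESHOLD
flag_sources() {
  failures_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run: report for the constructed sample, then the sources to block
printf '%s\n' "$SAMPLE_LOG" | failures_by_ip
printf '%s\n' "$SAMPLE_LOG" | flag_sources 5
```

In the sample, 203.0.113.9 fails five times across three different usernames and is flagged; bob's single typo from 10.0.0.5 is not. The threshold should match the lockout count configured in the bastion so that the report and the enforcement agree.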

Dynamic password

Enable MFA (two-factor authentication) and use Google Authenticator for dynamic-password login.

Service exposure

Access to the bastion host should be restricted by source IP address, allowing only fixed IP addresses, so that only the people who need the bastion can reach it.

Ports

Change the bastion host's default connection port and access port.
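The two points above (fixed source addresses, non-default ports) can be enforced together on the host firewall. The script below is an added example, not part of the original post and not JumpServer's own tooling: it generates one iptables rule set that accepts each bastion port only from the allowlisted sources and drops everything else on that port. The addresses and ports in it are constructed assumptions for the demo; replace them with your operator hosts or VPN range and the ports you actually chose.

```shell
#!/bin/sh
# Added example: expose the bastion's ports only to fixed source addresses.
# ALLOWED_SOURCES and BASTION_PORTS are constructed assumptions, not JumpServer defaults.
ALLOWED_SOURCES="10.0.0.5 192.168.1.0/24"   # constructed: operator host and VPN range
BASTION_PORTS="2222 443"                     # constructed: changed SSH port and HTTPS port

# bastion_fw_rules SOURCES PORTS: print one iptables command per line.
# For each port: ACCEPT from every allowed source, then DROP everything else.
bastion_fw_rules() {
  sources="$1"; ports="$2"
  for port in $ports; do
    for src in $sources; do
      printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
  done
}

# rule_count SOURCES PORTS: number of rules that would be installed
rule_count() { bastion_fw_rules "$1" "$2" | wc -l | tr -d ' '; }

# apply_rules SOURCES PORTS: run the generated commands (needs root)
apply_rules() {
  bastion_fw_rules "$1" "$2" | while IFS= read -r rule; do
    sh -c "$rule" || exit 1
  done
}

# Default is a dry run that only prints the rules; pass --apply to install them.
if [ "${1:-}" = "--apply" ]; then
  apply_rules "$ALLOWED_SOURCES" "$BASTION_PORTS"
else
  bastion_fw_rules "$ALLOWED_SOURCES" "$BASTION_PORTS"
fi
```

The rules are appended with -A, so they only take effect if no earlier rule in the INPUT chain already accepts the traffic; review the existing chain before applying, and keep a console session open in case the allowlist locks you out.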

HTTPS

If an HTTP service is exposed, HTTPS must be enabled on that site, and blacklists and whitelists must be configured to restrict access to it.

Data backup

Although JumpServer records operation logs, command logs, access logs and so on and stores them in its database, those records are lost if the database itself has a problem. Therefore the database must also be backed up regularly, including to a remote location, to ensure data integrity.
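A backup only protects the audit trail if it is consistent, verifiable and stored somewhere other than the bastion. The script below is an added example, not part of the original post and not JumpServer's own code, of the routine described above: a consistent dump of the database, a checksum recorded beside it, an off-site copy, and rotation of old local dumps. The database name, the credentials file, the backup directory and the remote target are constructed placeholders (assumptions); the credentials are read by mysqldump from a root-only file so the password never appears on the command line.

```shell
#!/bin/sh
# Added example: scheduled backup of the JumpServer database with an integrity
# checksum, an off-site copy and local rotation. All paths, the credentials file
# and the remote target are constructed placeholders (assumptions).
DB_NAME="${DB_NAME:-jumpserver}"                     # assumption: database name
DB_CNF="${DB_CNF:-/etc/jumpserver/backup.cnf}"       # assumption: [client] user/password, mode 0600, root-owned
BACKUP_DIR="${BACKUP_DIR:-/var/backups/jumpserver}"  # assumption: local backup directory
REMOTE="${REMOTE:-backup@offsite.example.internal:/srv/jumpserver-backups/}"  # placeholder remote
KEEP_DAYS="${KEEP_DAYS:-30}"                         # local retention

# backup_path STAMP: deterministic dump file name for a timestamp
backup_path() { printf '%s/jumpserver-%s.sql.gz\n' "$BACKUP_DIR" "$1"; }

# dump_db: consistent dump, compressed, with a checksum written beside it; prints the file name
dump_db() {
  out="$(backup_path "$(date +%Y%m%d-%H%M%S)")"
  tmp="$out.partial"
  mkdir -p "$BACKUP_DIR"
  # --single-transaction gives a consistent snapshot of InnoDB tables without locking them
  mysqldump --defaults-extra-file="$DB_CNF" --single-transaction "$DB_NAME" > "$tmp" \
    || { rm -f "$tmp"; return 1; }
  gzip -9 -c "$tmp" > "$out" || return 1
  rm -f "$tmp"
  sha256sum "$out" > "$out.sha256"
  printf '%s\n' "$out"
}

# verify_backup FILE: exit 0 if FILE still matches the checksum recorded at dump time
verify_backup() { sha256sum -c --quiet "$1.sha256"; }

# copy_offsite FILE: ship the dump and its checksum to the remote location
copy_offsite() { rsync -a "$1" "$1.sha256" "$REMOTE"; }

# prune_backups DIR DAYS: delete dumps (and checksums) older than DAYS; prints how many dumps remain
prune_backups() {
  find "$1" -name 'jumpserver-*.sql.gz*' -type f -mtime +"$2" -exec rm -f {} +
  find "$1" -name 'jumpserver-*.sql.gz' -type f | wc -l | tr -d ' '
}

# Run the full cycle only when invoked as: sh backup.sh run  (e.g. from a nightly cron job)
if [ "${1:-}" = "run" ]; then
  f="$(dump_db)" && verify_backup "$f" && copy_offsite "$f" \
    && prune_backups "$BACKUP_DIR" "$KEEP_DAYS"
fi
```

Verifying the checksum before the copy catches a truncated or corrupted dump on the day it happens rather than on the day you need to restore it, and pruning only after a successful off-site copy means a failed transfer never leaves you with fewer copies than before.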