3. Secure configuration for using Ansible


The Ansible control node is the central controller for all of the other servers, so the machine it runs on inevitably holds a large number of passwords, or credentials that allow it to connect to services. If that control node has a security weakness and falls into someone else's hands, the consequences are unthinkable. The way to avoid this is to get the security policy right, and that is the key point.

1. Restrict logins

1) Do not give the server a public IP address;

2) Do not install any services; open only the SSH port;

3) Restrict the IP addresses from which administrators may log in, using iptables.


Flush all existing rules
iptables -F
iptables -X
iptables -Z

Add rules: allow only 192.168.77.1 to reach port 22, and deny everything else.
Because the default INPUT policy is set to DROP below, loopback traffic and the replies to the control node's own outbound SSH sessions to the managed hosts must be accepted explicitly, otherwise ansible itself cannot connect (these two ACCEPT rules are added here; they were missing from the original rule set).
iptables -I INPUT -s 192.168.77.1/32 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p icmp -j DROP
iptables -P INPUT DROP

Save the configuration and restart the iptables service
/etc/init.d/iptables save
/etc/init.d/iptables restart
 

2. Encrypt the hosts inventory file

The inventory file (note that the SSH passwords are stored in it in plaintext)

[root@ ansible]# cat /etc/ansible/hosts
[web]
192.167.22.12 ansible_ssh_pass=123123
[node1]
192.162.23.12 ansible_ssh_pass=123123
[nfs]
172.231.2.32  ansible_ssh_pass=123123
 

Encrypt the file

[root@ ansible]# ansible-vault encrypt /etc/ansible/hosts2
New Vault password:           (enter the password: 123123)
Confirm New Vault password:    (confirm the password: 123123)
Encryption successful
 

When the file is viewed again, it is already encrypted

[root@ ansible]# cat /etc/ansible/hosts2
$ANSIBLE_VAULT;1.1;AES256

Edit the encrypted file

[root@ ansible]# ansible-vault edit /etc/ansible/hosts2 --ask-vault-pass
Vault password: 

Use the encrypted file

[root@]# ansible -i /etc/ansible/hosts2 web -m ping --ask-vault-pass
Vault password: 
192.162.12.23 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: ssh: connect to host 192.162.12.23 port 22: Connection timed out", 
    "unreachable": true
}
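As an added example (not from the original post and not part of Ansible), the following Python script audits an INI inventory laid out like the file above: it flags every ansible_ssh_pass or similar credential stored in the clear, and recognises a file that ansible-vault has already encrypted by its $ANSIBLE_VAULT header. The function names and the sample inventory are constructed for this example.

```python
"""Audit an Ansible INI inventory for credentials stored in the clear.
Hypothetical helper written for this post, not part of Ansible."""
import re

# First line ansible-vault writes, e.g. "$ANSIBLE_VAULT;1.1;AES256" (1.2 adds a vault-id label)
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(?P<version>[\d.]+);(?P<cipher>\w+)")
SECRET_VARS = ("ansible_ssh_pass", "ansible_password", "ansible_become_pass")

def is_vault_encrypted(text):
    """True when the file starts with the ansible-vault header."""
    first_line = text.splitlines()[0] if text else ""
    return VAULT_HEADER.match(first_line.strip()) is not None

def find_plaintext_secrets(text):
    """Return (line_no, group, host, var) for each password variable in the clear.
    An encrypted file has no readable inventory lines, so it yields nothing."""
    if is_vault_encrypted(text):
        return []
    findings, group = [], None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]                    # "web" or "web:vars"
            continue
        if group is not None and group.endswith(":vars"):
            host, pairs = None, [line]            # vars block: one key=value per line
        else:
            host, *pairs = line.split()           # host line: host, then key=value pairs
        for pair in pairs:
            key, sep, value = pair.partition("=")
            if sep and key in SECRET_VARS and value:
                findings.append((line_no, group, host, key))
    return findings

# Constructed sample inventory in the same layout as the file shown above
SAMPLE_INVENTORY = """\
[web]
192.0.2.12 ansible_ssh_pass=123123
[node1]
192.0.2.23 ansible_user=deploy
[nfs]
198.51.100.32  ansible_ssh_pass=123123
[nfs:vars]
ansible_become_pass=123123
"""
# Constructed stand-in for an ansible-vault output file (ciphertext body truncated)
SAMPLE_VAULTED = "$ANSIBLE_VAULT;1.1;AES256\n6665656239323132323632323633\n"
```

Run find_plaintext_secrets() over the real /etc/ansible/hosts before and after ansible-vault encrypt: the plaintext file reports each password line, the encrypted one reports nothing.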
 

3. Command auditing

https://www.jianshu.com/p/793e54e7e5d5

4. SSH two-factor authentication

https://www.jianshu.com/p/2c7d99ada982
