Python:跳板机审计服务器




1.修改paramiko源码包实现

https://github.com/paramiko/paramiko/tree/1.10.1  下载源码包

unzip paramiko-1.10.1.zip

paramiko-1.10.1/demos/demo.py  模拟用户登录,在demo.py中会调用interactive.py

paramiko-1.10.1/demos/interactive.py  会把用户执行的命令以及服务器返回的结果打印出来

修改interactive.py,可以把用户名、执行的命令、时间、主机ip记录到日志中

demo.py

from __future__ import print_function

import base64
from binascii import hexlify
import getpass
import os
import select
import socket
import sys
import threading
import time
import traceback

import paramiko
import interactive

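# Banner, then the inventory of managed hosts this jump host can reach,
# keyed alias -> IP.  The menu loop below prints dictroy on every pass and
# is the only reader of it; editing this literal is how hosts are added.
print("\033[34;1mWelcome zhengshun's Fort Machine\nThere have those machines:\033[0m")
dictroy = {
    "vc-app01": "192.168.101.131",
    "vc-app02": "192.168.101.130",
    "vc-app03": "192.168.101.132",
}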
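# --- helpers -----------------------------------------------------------------
# Hoisted out of the menu loop; the original re-defined agent_auth and
# manual_auth on every pass and reached the transport through a global.

# Python 2 has raw_input(); Python 3 renamed it input().  Python 2's own
# input() evaluates the typed text and must never be used for this prompt.
try:
    _read_line = raw_input
except NameError:
    _read_line = input

# Account used on the managed hosts.  Set to '' to be prompted for a user
# name (defaulting to the local login) before each connection.
LOGIN_USER = 'root'

# Seconds to wait for the TCP connect.  The original blocked until the OS gave
# up, which left the operator stuck on an unreachable host.
CONNECT_TIMEOUT = 10


def agent_auth(transport, username):
    """Try every key offered by the local SSH agent against *transport*.

    Returns silently whether or not a key worked; the caller checks
    ``transport.is_authenticated()`` afterwards.
    """
    agent_keys = paramiko.Agent().get_keys()
    if not agent_keys:
        return

    for key in agent_keys:
        print('Trying ssh-agent key %s' % hexlify(key.get_fingerprint()), end=' ')
        try:
            transport.auth_publickey(username, key)
            print('... success!')
            return
        except paramiko.SSHException:
            print('... nope.')


def _load_private_key(key_cls, label, default_path):
    """Ask for a key file path (Enter keeps *default_path*) and load it.

    Prompts for the passphrase only if the file turns out to be encrypted.
    """
    path = _read_line('%s key [%s]: ' % (label, default_path)) or default_path
    try:
        return key_cls.from_private_key_file(path)
    except paramiko.PasswordRequiredException:
        password = getpass.getpass('%s key password: ' % label)
        return key_cls.from_private_key_file(path, password)


def manual_auth(username, hostname, transport=None, auth='p'):
    """Authenticate *username* on *transport* without an agent.

    *auth* selects the method: 'r' (RSA key file), 'd' (DSS key file) or
    anything else for a password.  *transport* defaults to the module-level
    ``t`` so the original two-argument call still works.  Failures surface
    as paramiko.SSHException to the caller.
    """
    if transport is None:
        transport = t
    if auth == 'r':
        default_path = os.path.join(os.environ['HOME'], '.ssh', 'id_rsa')
        key = _load_private_key(paramiko.RSAKey, 'RSA', default_path)
        transport.auth_publickey(username, key)
    elif auth == 'd':
        default_path = os.path.join(os.environ['HOME'], '.ssh', 'id_dsa')
        key = _load_private_key(paramiko.DSSKey, 'DSS', default_path)
        transport.auth_publickey(username, key)
    else:
        # The password used to be a literal in this file, i.e. readable by
        # anyone who can read the script -- including the restricted account
        # that runs it at login.  Take it from the environment instead (the
        # variable name is chosen here, not taken from the original article)
        # and fall back to asking for it.  Agent keys, tried first by
        # agent_auth, stay the preferred path: no reusable secret is stored.
        pw = os.environ.get('FORT_SSH_PASSWORD')
        if not pw:
            pw = getpass.getpass('Password for %s@%s: ' % (username, hostname))
        transport.auth_password(username, pw)


def _load_known_hosts():
    """Return the operator's known_hosts as hostname -> {keytype: key}.

    Tries ~/.ssh/known_hosts then ~/ssh/known_hosts; returns an empty dict
    (after a warning) when neither can be read, so every host then looks
    unknown to _host_key_ok.
    """
    for candidate in ('~/.ssh/known_hosts', '~/ssh/known_hosts'):
        try:
            return paramiko.util.load_host_keys(os.path.expanduser(candidate))
        except IOError:
            pass
    print('*** Unable to open host keys file')
    return {}


def _host_key_ok(keys, hostname, key):
    """Check the server's host key against *keys*; False means do not log in.

    A changed key is refused: proceeding would hand the login credentials to
    whoever now answers on that address.  An unknown host is warned about but
    accepted, as in the paramiko demo this script derives from.
    NOTE(review): with a fixed inventory like dictroy the known_hosts file can
    be seeded in advance, after which the unknown-host branch should return
    False as well.
    """
    known = keys.get(hostname) or {}
    if key.get_name() not in known:
        print('*** WARNING: Unknown host key!')
        return True
    if known[key.get_name()] != key:
        print('*** WARNING: Host key has changed!!!')
        return False
    print('*** Host key OK.')
    return True


def _parse_target(entry):
    """Resolve what the operator typed into ``(hostname, port)``.

    *entry* may be an alias from ``dictroy`` or a host/IP, optionally followed
    by ``:port`` (22 when absent).  Raises ValueError for a port that is not a
    number in 1..65535.  Splits on the first colon, so bare IPv6 literals are
    not supported (the original had the same limitation).
    """
    host, sep, portstr = dictroy.get(entry, entry).partition(':')
    port = int(portstr) if sep else 22
    if not 1 <= port <= 65535:
        raise ValueError('port out of range: %d' % port)
    return host, port


def _pick_username():
    """Return LOGIN_USER, or ask for one (default: local login) when it is empty."""
    if LOGIN_USER:
        return LOGIN_USER
    default_username = getpass.getuser()
    return _read_line('Username [%s]: ' % default_username) or default_username


# --- menu loop ---------------------------------------------------------------

# Set up paramiko's log once at start-up rather than on every pass.
paramiko.util.log_to_file('demo.log')

# Show the inventory, take a target, run one interactive session, repeat.
# Only 'exit'/'quit' (or end of input) leave the loop; every error returns to
# the menu.  The original got the same effect less explicitly: a bare
# 'except: continue' swallowed everything, including its own sys.exit() calls
# and Ctrl-C.
while 1:
    try:
        print('')
        for alias, ip in dictroy.items():
            print(alias, ip)
        print('')
        entry = _read_line('please input IP:')
        if entry == '':
            continue
        if entry in ('exit', 'quit'):
            break

        try:
            hostname, port = _parse_target(entry)
        except ValueError:
            print('\033[31;1minvalid value\033[0m')
            continue

        # Bounded connect; the SSH transport expects a blocking socket, so the
        # timeout is cleared again once connected.
        try:
            sock = socket.create_connection((hostname, port), CONNECT_TIMEOUT)
            sock.settimeout(None)
        except socket.error:
            print('\033[31;1minvalid value\033[0m')
            continue

        t = None
        try:
            t = paramiko.Transport(sock)
            try:
                t.start_client()
            except paramiko.SSHException:
                print('*** SSH negotiation failed.')
                continue

            # Verify who answered before any credential is sent.
            if not _host_key_ok(_load_known_hosts(), hostname,
                                t.get_remote_server_key()):
                continue

            username = _pick_username()
            agent_auth(t, username)
            if not t.is_authenticated():
                manual_auth(username, hostname, t)
            if not t.is_authenticated():
                print('*** Authentication failed. :(')
                continue

            chan = t.open_session()
            chan.get_pty()
            chan.invoke_shell()
            print('*** Here we go!')
            print()
            try:
                # interactive.py is where the article records user, command,
                # time and host; it returns when the remote shell ends.
                interactive.interactive_shell(chan)
            finally:
                chan.close()
        finally:
            # Closing the socket after the transport is harmless if the
            # transport already did it, and covers the paths where no
            # transport was ever started.
            if t is not None:
                t.close()
            sock.close()
    except EOFError:
        # End of input (Ctrl-D, or the terminal went away): treat it as
        # 'exit' instead of re-printing the menu forever.
        break
    except KeyboardInterrupt:
        # Ctrl-C returns to the menu, as the original's bare except did.
        continue
    except Exception as e:
        print('*** Caught exception: %s: %s' % (e.__class__, e))
        traceback.print_exc()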

  

2.创建跳板机用户,并设置用户登陆的环境变量

注意事项:用户登录跳板机后不能绕过 demo.py 程序;退出 demo.py 程序即注销跳板机的登录。用户只能选择要登录的主机 IP,选择后直接登录;如果输入错误,则循环回到开头重新选择。

adduser audit

vim /home/audit/.bash_profile  在 .bash_profile 中加入执行 python demo.py 的命令,demo.py 退出后执行 logout

3.使用shellinabox实现webssh

https://code.google.com/archive/p/shellinabox/downloads  下载shellinabox-2.14.tar.gz

tar zxf shellinabox-2.14.tar.gz

cd shellinabox-2.14

./configure --prefix=/usr/local/webshell && make && make install

bash /usr/local/webshell/bin/shellinaboxd &    后台运行,shellinabox默认端口是4200

访问https://ip:4200就可以登陆跳板机

 

展示:

  

 
