<root@linux0 /usr/local/src>$ wget https://olivier.sessink.nl/jailkit/jailkit-2.19.tar.bz2
<root@linux0 /usr/local/src>$ tar jxvf jailkit-2.19.tar.bz2
<root@linux0 /usr/local/src>$ cd jailkit-2.19
<root@linux0 /usr/local/src/jailkit-2.19>$ ./configure && make && make install
<root@linux0 /usr/local/src/jailkit-2.19>$ mkdir /home/jail #限制用户的根目录;
<root@linux0 /usr/local/src/jailkit-2.19>$ jk_init -v -j /home/jail/ basicshell #初始化一些命令给限制用户使用;
<root@linux0 /usr/local/src/jailkit-2.19>$ jk_init -v -j /home/jail/ editors
<root@linux0 /usr/local/src/jailkit-2.19>$ jk_init -v -j /home/jail/ netutils
<root@linux0 /usr/local/src/jailkit-2.19>$ jk_init -v -j /home/jail/ ssh
<root@linux0 /usr/local/src/jailkit-2.19>$ mkdir /home/jail/usr/sbin
<root@linux0 /usr/local/src/jailkit-2.19>$ cp /usr/sbin/jk_lsh /home/jail/usr/sbin/jk_lsh #使用另外一个shell;
<root@linux0 /usr/local/src/jailkit-2.19>$ useradd zhangsan #添加使用跳板机的用户;
<root@linux0 /usr/local/src/jailkit-2.19>$ passwd zhangsan
<root@linux0 /usr/local/src/jailkit-2.19>$ jk_jailuser -m -j /home/jail zhangsan #对应的限制用户;
<root@linux0 /usr/local/src/jailkit-2.19>$ vim /home/jail/etc/passwd #修改shell;
#把zhangsan那一行的/usr/sbin/jk_lsh改为/bin/bash;
TanydeMacBook-Air:~ tanytan$ ssh zhangsan@192.168.87.149 #登陆限制用户;
zhangsan@192.168.87.149's password:
bash: /usr/bin/id: No such file or directory
bash: /usr/bin/id: No such file or directory
[zhangsan@linux0 ~]$ ls -la #用户根目录内容;
total 12
drwx------ 2 zhangsan zhangsan 62 Jan 16 04:20 .
drwxr-xr-x 3 root root 22 Jan 16 04:20 ..
-rw-r--r-- 1 zhangsan zhangsan 18 Oct 30 2018 .bash_logout
-rw-r--r-- 1 zhangsan zhangsan 193 Oct 30 2018 .bash_profile
-rw-r--r-- 1 zhangsan zhangsan 231 Oct 30 2018 .bashrc
[zhangsan@linux0 ~]$ ls -la / #系统的根目录只有一部份;
total 0
drwxr-xr-x 6 root root 75 Jan 16 04:20 .
drwxr-xr-x 6 root root 75 Jan 16 04:20 ..
lrwxrwxrwx 1 root root 7 Jan 16 04:17 bin -> usr/bin
drwxr-xr-x 2 root root 44 Jan 16 04:18 dev
drwxr-xr-x 2 root root 240 Jan 16 04:21 etc
drwxr-xr-x 3 root root 22 Jan 16 04:20 home
lrwxrwxrwx 1 root root 9 Jan 16 04:17 lib64 -> usr/lib64
drwxr-xr-x 7 root root 70 Jan 16 04:19 usr
[zhangsan@linux0 ~]$
Display all 117 possibilities? (y or n) #只有一部份命令;
! case dd exec gzip ls return ssh ulimit
./ cat declare exit hash mapfile rm suspend umask
: cd dirs export help mkdir rmdir sync unalias
[ chmod disown false history mktemp rsync tar unset
[[ command do fc host more scp test until
]] compgen done fg if mv sed then vi
alias complete echo fgrep in popd select time vim
bash compopt egrep fi jobs printf set times wait
bg continue elif for kill pushd sh touch wget
bind coproc else function let pwd shift trap while
break cp enable getopts ln read shopt true zcat
builtin cpio esac grep local readarray sleep type {
caller date eval gunzip logout readonly source typeset }
[zhangsan@linux0 ~]$
[zhangsan@linux0 ~]$ ls /etc
bashrc host.conf issue ld.so.conf nsswitch.conf profile resolv.conf vimrc
group hosts ld.so.cache motd passwd protocols services
以下操作是需要在所有被登录机器上做的
1.mkdir -p /usr/local/domob/records/ #新建命令的保存目录;
chmod 777 /usr/local/domob/records/ #让所有用户都可以读写;
chmod +t /usr/local/domob/records/ #t权限,只能让本用户删除文件;
2.vi /etc/profile 在最后添加下面的代码
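# Per-user command record, appended to from /etc/profile (sourced by every login shell).
# The record directory is owned by the user and PROMPT_COMMAND is an ordinary shell
# variable, so the user can change both (chmod the directory back, unset the variable).
# Treat this as a convenience log, not an audit trail; tamper-evident command auditing
# needs a kernel/PAM mechanism (auditd, pam_tty_audit) rather than a profile hook.
_rec_user=${LOGNAME:-$USER}   # LOGNAME may be empty in some contexts; USER is the usual fallback (no external command needed)
_rec_dir="/usr/local/domob/records/${_rec_user}"
if [ ! -d "${_rec_dir}" ]; then   # one sub-directory per login name
  mkdir -p -- "${_rec_dir}"
  chmod 300 -- "${_rec_dir}"      # owner may enter/write but not list; the owner can still change this mode
fi
export HISTORY_FILE="${_rec_dir}/bash_history"   # path of the per-user record file
# Run before each prompt: one line = timestamp, who(1) fields 1/2/5 (login name, tty,
# and normally the origin host), and the most recent history entry.  All three values
# are passed to printf as arguments, never as the format string, so a command text
# containing '%' cannot be misinterpreted (the previous form handed the whole line to
# date(1) as its format string).  read -r keeps backslashes in the command text.
export PROMPT_COMMAND='printf "%s ##### %s #### %s\n" "$(date "+%Y-%m-%d %T")" "$(who am i | awk "{print \$1, \$2, \$5}")" "$(history 1 | { read -r _n cmd; printf "%s" "$cmd"; })" >>"$HISTORY_FILE"'
unset _rec_user _rec_dir   # do not leave helper variables in the login shell's environment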
这个命令你看得懂么
http://blog.lishiming.net/?p=484
/etc/hosts.allow
sshd: 192.168.133.0/24 1.1.1.1 2.2.2.2 #空格分隔可连接IP;
/etc/hosts.deny
sshd: ALL #deny其他;