Python:webshell 跳板机审计服务器

1.修改paramiko源码包实现

https://github.com/paramiko/paramiko/tree/1.10.1　　下载源码包

unzip paramiko-1.10.1.zip

paramiko-1.10.1/demos/demo.py　　模拟用户登录，在demo.py中会调用interactive.py

paramiko-1.10.1/demos/interactive.py　　会把用户执行的命令以及服务器返回的结果打印出来

修改interactive.py，可以把用户名、执行的命令、时间、主机ip记录到日志中

demo.py

import base64
from binascii import hexlify
import getpass
import os
import select
import socket
import sys
import threading
import time
import traceback

import paramiko
import interactive

#define host
print("\033[34;1mWelcome zhengshun's Fort Machine\nThere have those machines:\033[0m")
dictroy = {
        "vc-app01":"192.168.101.131",
        "vc-app02":"192.168.101.130",
	"vc-app03":"192.168.101.132"
}
while 1:
	try:
		print('')
		for k,v in dictroy.items():
			print k,v
		print('')
		hostname = raw_input('please input IP:')
		if hostname == '':continue
		elif hostname == 'exit':break
		elif hostname == 'quit':break

		def agent_auth(transport, username):
		    """
		    Attempt to authenticate to the given transport using any of the private
		    keys available from an SSH agent.
		    """

		    agent = paramiko.Agent()
		    agent_keys = agent.get_keys()
		    if len(agent_keys) == 0:
		        return

		    for key in agent_keys:
		        print 'Trying ssh-agent key %s' % hexlify(key.get_fingerprint()),
		        try:
		            transport.auth_publickey(username, key)
		            print '... success!'
		            return
		        except paramiko.SSHException:
		            print '... nope.'

		def manual_auth(username, hostname):
		    default_auth = 'p'
		    auth = 'p'
		    if len(auth) == 0:
		        auth = default_auth

		    if auth == 'r':
		        default_path = os.path.join(os.environ['HOME'], '.ssh', 'id_rsa')
		        path = raw_input('RSA key [%s]: ' % default_path)
		        if len(path) == 0:
		            path = default_path
		        try:
		            key = paramiko.RSAKey.from_private_key_file(path)
		        except paramiko.PasswordRequiredException:
		            password = getpass.getpass('RSA key password: ')
		            key = paramiko.RSAKey.from_private_key_file(path, password)
		        t.auth_publickey(username, key)
		    elif auth == 'd':
		        default_path = os.path.join(os.environ['HOME'], '.ssh', 'id_dsa')
		        path = raw_input('DSS key [%s]: ' % default_path)
		        if len(path) == 0:
		            path = default_path
		        try:
		            key = paramiko.DSSKey.from_private_key_file(path)
		        except paramiko.PasswordRequiredException:
		            password = getpass.getpass('DSS key password: ')
		            key = paramiko.DSSKey.from_private_key_file(path, password)
		        t.auth_publickey(username, key)
		    else:
		        pw = '123456'
		        t.auth_password(username, pw)

		# setup logging
		paramiko.util.log_to_file('demo.log')

		username = 'root'
		if len(hostname) == 0:
		    print '*** Hostname required.'
		    sys.exit(1)
		port = 22
		if hostname.find(':') >= 0:
		    hostname, portstr = hostname.split(':')
		    port = int(portstr)

		# now connect
		try:
		    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		    sock.connect((hostname, port))
		except:
		    print('\033[31;1minvalid value\033[0m')
		    continue
		#except Exception, e:
		#    print '*** Connect failed: ' + str(e)
		#    traceback.print_exc()
		#    sys.exit(1)

		try:
		    t = paramiko.Transport(sock)
		    try:
		        t.start_client()
		    except paramiko.SSHException:
		        print '*** SSH negotiation failed.'
		        sys.exit(1)

		    try:
		        keys = paramiko.util.load_host_keys(os.path.expanduser('~/.ssh/known_hosts'))
		    except IOError:
		        try:
		            keys = paramiko.util.load_host_keys(os.path.expanduser('~/ssh/known_hosts'))
		        except IOError:
		            print '*** Unable to open host keys file'
		            keys = {}

		    # check server's host key -- this is important.
		    key = t.get_remote_server_key()
		    if not keys.has_key(hostname):
		        print '*** WARNING: Unknown host key!'
		    elif not keys[hostname].has_key(key.get_name()):
		        print '*** WARNING: Unknown host key!'
		    elif keys[hostname][key.get_name()] != key:
		        print '*** WARNING: Host key has changed!!!'
		        sys.exit(1)
		    else:
		        print '*** Host key OK.'

		    # get username
		    if username == '':
		        default_username = getpass.getuser()
		        username = raw_input('Username [%s]: ' % default_username)
		        if len(username) == 0:
		            username = default_username

		    agent_auth(t, username)
		    if not t.is_authenticated():
		        manual_auth(username, hostname)
		    if not t.is_authenticated():
		        print '*** Authentication failed. :('
		        t.close()
		        sys.exit(1)

		    chan = t.open_session()
		    chan.get_pty()
		    chan.invoke_shell()
		    print '*** Here we go!'
		    print
		    interactive.interactive_shell(chan)
		    chan.close()
		    t.close()

		except Exception, e:
		    print '*** Caught exception: ' + str(e.__class__) + ': ' + str(e)
		    traceback.print_exc()
		    try:
		        t.close()
		    except:
		        pass
		    sys.exit(1)
	except:
		continue

　　

2.创建跳板机用户，并设置用户登陆的环境变量

注意事项：用户登录跳板机后不能跳过demo.py程序，如果退出demo.py程序则注销跳板机的登陆，只能选择要登陆的主机ip，选择后直接登陆，如果用户在输入错误时，要循环从头开始

adduser audit

vim /home/audit/.bash_profile　　在环境变量中加入执行python demo.py文件，执行后logout

3.使用shellinabox实现webssh

https://code.google.com/archive/p/shellinabox/downloads　　下载shellinabox-2.14.tar.gz

tar zxf shellinabox-2.14.tar.gz

cd shellinabox-2.14

./configure --prefix=/usr/local/webshell && make && make install

bash /usr/local/webshell/bin/shellinaboxd &    后台运行，shellinabox默认端口是4200

访问https://ip:4200就可以登陆跳板机

展示：