Restricting administrators from using the FortiGate as an SSH/Telnet jump host

This feature is supported in FortiOS 7.2.1 and later.

Network requirements

By default, once an administrator has logged in to the FortiGate, they can use its SSH and Telnet functions to connect remotely to other hosts.

For security reasons, the administrator profile assigned to an administrator can be configured on the FortiGate to prohibit that administrator from using the FortiGate's SSH and Telnet functions as a jump host to reach other hosts.

Configuration method

This feature can only be configured from the CLI.

This restriction cannot be enabled in the built-in super_admin administrator profile. Both settings default to enable.

config system accprofile
    edit < name >
        set system-execute-ssh < enable | disable >    //enable or disable the SSH permission//
        set system-execute-telnet < enable | disable >    //enable or disable the Telnet permission//
    next
end

Configuration steps

  1. Create a new administrator profile on the FortiGate that prohibits using the FortiGate's SSH and Telnet functions as a jump host to connect to other hosts.

    config system accprofile
        edit "Restrict_SSH_and_Telnet"
            set secfabgrp read-write
            set ftviewgrp read-write
            set authgrp read-write
            set sysgrp read-write
            set netgrp read-write
            set loggrp read-write
            set fwgrp read-write
            set vpngrp read-write
            set utmgrp read-write
            set wanoptgrp read-write
            set wifi read-write
            set system-execute-ssh disable
            set system-execute-telnet disable
        next
    end
    
  2. Create an administrator that references the administrator profile created in the previous step.

    config system admin
        edit "admin_beijing"
            set accprofile "Restrict_SSH_and_Telnet"
            set vdom "root"
            set password fortinet
        next
    end
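As an added check that is not part of the original page or of Fortinet's own tooling: a Python script that parses a FortiOS configuration dump and lists the administrator profiles that still permit execute ssh or execute telnet, treating an unset option as enable, as the page states. The configuration text and the profile names other than super_admin are constructed for the example.

```python
import re

# Constructed sample of a "config system accprofile" section (not a real
# device dump); profile names other than super_admin are made up.
SAMPLE_CONFIG = """\
config system accprofile
    edit "super_admin"
        set comments "Full access"
    next
    edit "Restrict_SSH_and_Telnet"
        set sysgrp read-write
        set system-execute-ssh disable
        set system-execute-telnet disable
    next
    edit "netops_legacy"
        set netgrp read-write
        set system-execute-ssh disable
    next
end
"""

def parse_accprofiles(config_text):
    """Map profile name -> {"ssh": bool, "telnet": bool}; True means the
    profile may still use the FortiGate as a jump host. Per the page, an
    unset option defaults to enable, so a missing line counts as True."""
    profiles, current, in_section = {}, None, False
    for line in config_text.splitlines():
        s = line.strip()
        if s == "config system accprofile":
            in_section = True
        elif not in_section:
            continue
        elif s == "end":
            break
        elif s.startswith("edit "):
            current = s[5:].strip('"')
            profiles[current] = {"ssh": True, "telnet": True}  # FortiOS default
        elif s == "next":
            current = None
        else:
            m = re.fullmatch(r"set system-execute-(ssh|telnet) (enable|disable)", s)
            if m and current is not None:
                profiles[current][m.group(1)] = m.group(2) == "enable"
    return profiles

def jump_host_capable(config_text):
    """Profiles that still allow execute ssh or execute telnet."""
    return sorted(n for n, p in parse_accprofiles(config_text).items()
                  if p["ssh"] or p["telnet"])
```

Run it against the output of `show system accprofile` from a device to see which profiles still need the two options set to disable.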
    

Configuration verification

  1. Log in to the FortiGate as administrator admin_beijing (via the web CLI or SSH) and use the Telnet and SSH commands on the FortiGate to access another server; the FortiGate reports that the administrator is not entitled to run the command.

    C:\Users\cyndi>ssh admin_beijing@10.10.12.1
    admin_beijing@10.10.12.1's password:
    
    FortiGate $ exe telnet 192.168.100.99
    You are not entitled to run the command.
    Command fail. Return code -37
    
    FortiGate $ exe ssh 192.168.100.99
    You are not entitled to run the command.
    Command fail. Return code -37
    
  2. Log in to the FortiGate as administrator admin (via the web CLI or SSH); the Telnet and SSH commands can access other servers normally.

    C:\Users\cyndi>ssh admin@10.10.12.1
    admin@10.10.12.1's password:
    
    FortiGate # exe telnet 192.168.100.99
    Trying 192.168.100.99...
    Connected to 192.168.100.99.
    FW1_FGT101F login: admin
    Password:
    Welcome!
    FW1_FGT101F # exit
    Connection closed by foreign host.
    
    FortiGate # exe ssh admin@192.168.100.99
    admin@192.168.100.99's password:
    FW1_FGT101F # exit
    Connection to 192.168.100.99 closed.
    FortiGate #
    

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2024-03-19 16:39:04
