准备，创建虚拟机，配置IP、YUM源，关闭防火墙，设置自动挂载

一、编译安装jailkit

下载必要工具和jailkit后解压编译并安装jaiklit
安装wget下载工具和bzip2解压工具

[root@localhost ~]# yum install -y wget bzip2

安装依赖包和自动补全工具

[root@localhost ~]# yum install -y gcc bash-c*            
[root@localhost~]# wget https://olivier.sessink.nl/jailkit/jailkit-2.19.tar.bz2 --no-check-certificate

解压bzip2包

[root@localhost ~]# tar jxvf jailkit-2.19.tar.bz2

进入解压后 的目录，配置编译成功后并安装

[root@localhost ~]# cd jailkit-2.19
[root@localhost jailkit-2.19]# ./configure     && make && make install

二、使用jailkit创建用户

创建用户并使用jk命令将用户修改为虚拟系统中的用户
创建目录

[root@localhost jailkit-2.19]# mkdir /home/jail

使用jk_init命令将一些常用的命令拷贝到/home/jail中

[root@localhost jailkit-2.19]# jk_init -v -j /home/jail/ basicshell
[root@localhost jailkit-2.19]# jk_init -v -j /home/jail/ editors
[root@localhost jailkit-2.19]# jk_init -v -j /home/jail/ netutils
[root@localhost jailkit-2.19]# jk_init -v -j /home/jail ssh

创建用户并设置密码

[root@localhost jailkit-2.19]# useradd zhangsan    
[root@localhost jailkit-2.19]# echo "000000" |passwd --stdin zhangsan

创建目录并拷贝jk_lsh命令到虚拟系统的/usr/sbin目录下

[root@localhost jailkit-2.19]# mkdir /home/jail/usr/sbin    
[root@localhost jailkit-2.19]# cp /usr/sbin/jk_lsh /home/jail/usr/sbin/

将zhangsan创建成虚拟系统中的用户

[root@localhost jailkit-2.19]# jk_jailuser -m -j /home/jail zhangsan    
[root@localhost jailkit-2.19]# vi /home/jail/etc/passwd     
[root@localhost jailkit-2.19]# cat /home/jail/etc/passwd     
root:x:0:0:root:/root:/bin/bash
zhangsan:x:1000:1000::/home/zhangsan:/bin/bash

三.登陆系统

使用虚拟用户登录系统并查看 /usr/bin 目录下有那些命令

[root@localhost jailkit-2.19]# ssh zhangsan@127.0.0.1
[zhangsan@localhost ~]$ ls /usr/bin/    
bash  chmod  cpio  dd     egrep    fgrep  gunzip  ln  mkdir   more  pwd  rmdir  sed  sleep  sync  touch  vi    zcat
cat   cp     date  echo  false    grep   gzip    ls  mktemp  mv     rm   scp    sh   ssh     tar   true   wget
#exit退出登录

将jumpserver设置成只能使用密钥登录

[root@localhost jailkit-2.19]# cat /etc/ssh/ssh_config    
...
PasswordAuthentication no
...
#取消这一行的注释符

添加主机白名单

[root@localhost jailkit-2.19]# vi /etc/hosts.allow 
[root@localhost jailkit-2.19]# cat /etc/hosts.allow 
#
# hosts.allow    This file contains access rules which are used to
#        allow or deny connections to network services that
#        either use the tcp_wrappers library or that have been
#        started through a tcp_wrappers-enabled xinetd.
#
#        See 'man 5 hosts_options' and 'man 5 hosts_access'
#        for information on rule syntax.
#        See 'man tcpd' for information on tcp_wrappers
sshd:192.168.200.0/24            
#只允许该网段的IP访问

添加黑名单

[root@localhost jailkit-2.19]# vi /etc/hosts.deny     
[root@localhost jailkit-2.19]# cat /etc/hosts.deny     
#
# hosts.deny    This file contains access rules which are used to
#        deny connections to network services that either use
#        the tcp_wrappers library or that have been
#        started through a tcp_wrappers-enabled xinetd.
#
#        The rules in this file can also be set up in
#        /etc/hosts.allow with a 'deny' option instead.
#
#        See 'man 5 hosts_options' and 'man 5 hosts_access'
#        for information on rule syntax.
#        See 'man tcpd' for information on tcp_wrappers
#
sshd:ALL            
#拒绝除了白名单以外所有的IP连接