Preface
Bastion hosts (jump hosts) are nothing new: to protect servers, a bastion host is placed in front of them and every SSH connection is made through it. The bastion host itself therefore needs authentication, authorization, access control and auditing.
Jumpserver is the first fully open-source bastion host and a professional operations audit system that meets the 4A requirements (account, authentication, authorization, audit).
Jumpserver is written in Python / Django and uses a distributed architecture: it supports multi-datacenter, cross-region deployment, the central node exposes an API, each datacenter runs its own login node, and it scales horizontally with no limit on concurrent access.
Jumpserver currently manages assets over the SSH, Telnet, RDP and VNC protocols.
Component overview
Jumpserver consists of four components, with the following roles:
- Jumpserver is the management backend. Administrators manage assets, users and asset authorizations through the web UI; users log in to assets and manage files through the web UI.
- Coco is the SSH Server and Web Terminal Server. Users connect with their own accounts over SSH or the Web Terminal to SSH-protocol and Telnet-protocol assets.
- Luna is the front-end page of the Web Terminal Server; it is the component users need in order to log in through the Web Terminal.
- Guacamole is the component for RDP-protocol and VNC-protocol assets. Users connect to RDP and VNC assets through the Web Terminal (for now, only the Web Terminal can be used for these).
Port overview
Each component listens on the following ports:
- Jumpserver: 8080/tcp by default, configuration file jumpserver/config.yml
- Coco: SSH port 2222/tcp by default, Web Terminal port 5000/tcp by default, configuration file coco/config.yml
- Guacamole: 8081/tcp by default, configuration file /config/tomcat8/conf/server.xml
- Nginx: 80/tcp by default
- Redis: 6379/tcp by default
- MySQL: 3306/tcp by default
This post deploys Jumpserver in an all-in-one fashion; for a real deployment, following the official documentation is the better choice.
1. Environment preparation
- OS: CentOS 7
- IP: 192.168.20.6
- Database: mariadb
- Reverse proxy: nginx
2. Install Redis and mariadb
# Install dependency packages
[root@localhost ~]# yum -y install wget gcc epel-release git
# Download the network yum repo files
[root@localhost ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
[root@localhost ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@localhost ~]# yum makecache
# Install Redis; Jumpserver uses Redis as its cache and as the Celery broker
[root@localhost ~]# yum -y install redis
[root@localhost ~]# systemctl enable redis
[root@localhost ~]# systemctl start redis
# Install MySQL. If you do not use MySQL you can skip the MySQL installation and configuration; sqlite3, mysql, postgres and others are supported
[root@localhost ~]# yum -y install mariadb*
[root@localhost ~]# systemctl enable mariadb
[root@localhost ~]# systemctl start mariadb
# With the database running, create a database and a user authorized on it, with the password 123.com
[root@localhost ~]# mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123.com'; flush privileges;"
3. Install the Nginx reverse proxy and set up the Python 3 virtual environment
# Install Nginx, used as the proxy that ties Jumpserver and its components together
[root@localhost conf.d]# vim /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
[root@localhost ~]# yum -y install nginx
[root@localhost ~]# systemctl enable nginx
# Install Python 3.6
[root@localhost ~]# yum -y install python36 python36-devel
# Create and activate the Python 3 virtual environment
[root@localhost ~]# cd /opt
[root@localhost opt]# python3 -m venv py3 # py3 is the name of the virtual environment and can be changed
# Enter the Python 3.6 virtual environment
[root@localhost opt]# source /opt/py3/bin/activate # use the deactivate command to leave the virtual environment
# The prompt below means the virtual environment is set up correctly
(py3) [root@localhost opt]#
4. Deploy the Jumpserver service
# Download Jumpserver
(py3) [root@localhost opt]# cd /opt
(py3) [root@localhost opt]# wget https://github.com/jumpserver/jumpserver/archive/1.4.7.tar.gz
(py3) [root@localhost opt]# tar zxf 1.4.7.tar.gz
(py3) [root@localhost opt]# mv jumpserver-1.4.7 jumpserver
# Install the required RPM packages
(py3) [root@localhost opt]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
# Install the Python library dependencies
(py3) [root@localhost opt]# pip install --upgrade pip setuptools
(py3) [root@localhost opt]# pip install -r /opt/jumpserver/requirements/requirements.txt
# Edit the Jumpserver configuration file
(py3) [root@localhost opt]# cd /opt/jumpserver
(py3) [root@localhost jumpserver]# cp config_example.yml config.yml
# Generate the secret key and bootstrap token
(py3) [root@localhost jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@localhost jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@localhost jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@localhost jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@localhost jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: False/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: 123.com/g" /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
你的SECRET_KEY是 Z6bUvXTZRpc73pnRp4qNwn1eMWNYrgzbEWkVJqIVXc6cXfpKDU
(py3) [root@localhost jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
你的BOOTSTRAP_TOKEN是 aGXZtXKnhP3StNA3
(py3) [root@localhost jumpserver]# cat config.yml # confirm the contents are correct
# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key: use a random string in production and never disclose it. Note: a purely numeric key is not allowed
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: Z6bUvXTZRpc73pnRp4qNwn1eMWNYrgzbEWkVJqIVXc6cXfpKDU
# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token that coco and guacamole use to register their service accounts; the old registration-approval mechanism is no longer used
BOOTSTRAP_TOKEN: aGXZtXKnhP3StNA3
# Development env: enable this so that errors show the full traceback; disable it in production
# DEBUG mode: with DEBUG enabled, more log detail is shown when an error occurs
DEBUG: false
# DEBUG, INFO, WARNING, ERROR, CRITICAL can be set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: ERROR
# LOG_DIR:
# Session expiration setting. Default 24 hours; can also be set to expire on browser close
# Browser session lifetime, 24 hours by default; can also be set to expire when the browser is closed
# SESSION_COOKIE_AGE: 3600 * 24
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
# Database setting. Supports sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
# Single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: 123.com
DB_NAME: jumpserver
# When Django starts it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and port bound at runtime
# 0.0.0.0 lets the coco/guacamole containers reach the API via CORE_HOST; port 8080 should stay firewalled from anything else, since Nginx on port 80 is the intended entry point
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
# Use OpenID authorization
# OpenID authentication settings
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# OTP settings
# OTP/MFA settings
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
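As an added example (not from the post and not part of Jumpserver), a small POSIX sh helper that generates tokens with the same /dev/urandom pipeline the post uses and then checks that config.yml actually carries the settings changed above: a non-empty, non-numeric SECRET_KEY of at least 50 characters, a BOOTSTRAP_TOKEN, DEBUG off, session expiry on browser close, and a database password. The function names gen_token, cfg_value and check_jms_config are my own.

```shell
#!/bin/sh
# Added example (not from the post or from Jumpserver): generate tokens the way
# the post does and verify that config.yml carries the hardened settings.

# gen_token LEN: alphanumeric token from /dev/urandom, the post's own pipeline
gen_token() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# cfg_value FILE KEY: value of the first uncommented top-level "KEY: value" line
# (commented "# KEY:" lines in the example config are ignored)
cfg_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_jms_config FILE: returns 0 when every setting is acceptable, 1 otherwise;
# every problem found is reported on stderr
check_jms_config() {
    f=$1; rc=0
    sk=$(cfg_value "$f" SECRET_KEY)
    case "$sk" in
        '') echo "SECRET_KEY is empty" >&2; rc=1 ;;
        *[!0-9]*) ;;   # contains a non-digit, so it is not a purely numeric key
        *) echo "SECRET_KEY must not be all digits" >&2; rc=1 ;;
    esac
    [ "${#sk}" -ge 50 ] || { echo "SECRET_KEY shorter than 50 characters" >&2; rc=1; }
    [ -n "$(cfg_value "$f" BOOTSTRAP_TOKEN)" ] ||
        { echo "BOOTSTRAP_TOKEN is empty" >&2; rc=1; }
    [ "$(cfg_value "$f" DEBUG)" = false ] ||
        { echo "DEBUG must be false outside development" >&2; rc=1; }
    [ "$(cfg_value "$f" SESSION_EXPIRE_AT_BROWSER_CLOSE)" = true ] ||
        { echo "SESSION_EXPIRE_AT_BROWSER_CLOSE should be true" >&2; rc=1; }
    [ -n "$(cfg_value "$f" DB_PASSWORD)" ] ||
        { echo "DB_PASSWORD is empty" >&2; rc=1; }
    return "$rc"
}

# On a real deployment: check_jms_config /opt/jumpserver/config.yml
```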
# Run Jumpserver
(py3) [root@localhost jumpserver]# cd /opt/jumpserver
(py3) [root@localhost jumpserver]# ./jms start all -d
# -d runs it in the background; replace start with status or stop as needed
# Make Jumpserver start at boot
(py3) [root@localhost jumpserver]# wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
(py3) [root@localhost jumpserver]# chmod 755 /usr/lib/systemd/system/jms.service
(py3) [root@localhost jumpserver]# systemctl enable jms
5. Install Docker and deploy coco and guacamole
(py3) [root@localhost jumpserver]# yum install -y yum-utils device-mapper-persistent-data lvm2
(py3) [root@localhost jumpserver]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
(py3) [root@localhost jumpserver]# yum makecache fast
(py3) [root@localhost jumpserver]# rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
(py3) [root@localhost jumpserver]# yum -y install docker-ce # install Docker CE
(py3) [root@localhost jumpserver]# systemctl enable docker
# Use the daocloud registry mirror (this pipes a remote script into sh; fetch and read it first if that is not acceptable in your environment)
(py3) [root@localhost jumpserver]# curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
(py3) [root@localhost jumpserver]# systemctl restart docker
# Start the coco and guacamole containers. "-e CORE_HOST" is the address of the Jumpserver service, i.e. the IP and port at which the containers can reach this host (the environment above lists the host as 192.168.20.6)
# "BOOTSTRAP_TOKEN" is the BOOTSTRAP_TOKEN value from Jumpserver/config.yml; 5000 and 8081 are published on 127.0.0.1 only, so they are reachable solely through Nginx
(py3) [root@localhost jumpserver]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://192.168.20.2:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_koko:1.5.4
(py3) [root@localhost jumpserver]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://192.168.20.2:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.5.4
6. Download the Web Terminal front end
Luna is served by Nginx. Download the release package matching your version from https://github.com/jumpserver/luna/releases and simply extract it; no build step is needed.
(py3) [root@localhost jumpserver]# cd /opt
(py3) [root@localhost opt]# wget https://demo.jumpserver.org/download/luna/1.4.7/luna.tar.gz
(py3) [root@localhost opt]# tar zxf luna.tar.gz
(py3) [root@localhost opt]# chown -R root:root luna
7. Configure Nginx to tie the components together
(py3) [root@localhost opt]# deactivate # leave the Python 3 virtual environment
# The Nginx installed from yum above may have some problems, so I chose to reinstall it from source
# (the nginx-1.14.0.tar.gz source archive is assumed to have been downloaded into the current directory already)
[root@localhost ~]# tar zxf nginx-1.14.0.tar.gz -C /usr/src
[root@localhost ~]# cd /usr/src/nginx-1.14.0/
[root@localhost nginx-1.14.0]# ./configure --prefix=/usr/local/nginx && make && make install
[root@localhost nginx-1.14.0]# cd /usr/local/nginx/conf/
[root@localhost conf]# vim nginx.conf # the edited Nginx configuration is shown below and can be copied as-is
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        client_max_body_size 100m; # size limit for session recordings and file uploads
        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/; # luna path; change this if the installation directory changes
        }
        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/; # session recordings; change this if the installation directory changes
        }
        location /static/ {
            root /opt/jumpserver/data/; # static assets; change this if the installation directory changes
        }
        location /koko/ {
            proxy_pass http://localhost:5000;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
        location /guacamole/ {
            proxy_pass http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
        location /ws/ {
            proxy_pass http://localhost:8070;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
[root@localhost /]# ln -sf /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@localhost ~]# nginx -t # check the configuration file for errors
[root@localhost ~]# nginx # start the Nginx service
8. Accessing Nginx from a client
1. The client simply connects to port 80 of the Jumpserver host, as shown below (the default username and password are both "admin"):
2. After logging in, the following screen appears:
3. Create the user test, as follows:
After submitting, it shows the following:
4. Create an admin user
Admin user name: system, user: ljz, as follows:
5. Create a system user
System user name: jumpserver; user: root
Note: the username should preferably be root, and manual login should be selected; this user is the one used to connect to the backend assets.
6. Create an asset
Before the following steps, prepare a CentOS server to test against; here I brought up a test server with the IP 192.168.20.3.
7. Create an authorization rule
After it is created, it shows the following:
8. Connect to the backend asset to test
Original article: https://blog.51cto.com/14154700/2448064
Date: 2024-10-11 17:34:12