Table of contents
- JumpServer bastion host
- I. Theory:
  - 1. Difference between a bastion host and a jump host
  - 2. JumpServer 4A authentication
- II. Hands-on deployment:
  - 1. Initial environment preparation
  - 2. MySQL database deployment
  - 3. Python 3.6 deployment
  - 4. Redis database deployment
  - 5. Core component deployment
  - 6. Koko component deployment
  - 7. Guacamole component deployment
    - 1. Install FFmpeg
    - 2. Install Guacamole
    - 3. Install the JDK
    - 4. Install Tomcat
  - 8. Front-end component deployment
    - 1. Lina component deployment
    - 2. Luna component deployment
    - 3. Nginx reverse proxy configuration
- III. Platform operations:
  - 1. Change the platform default password
  - 2. Terminal login
  - 3. Configure the mailbox
  - 4. Create a user
  - 5. Asset creation and management
  - 6. User asset authorization
  - 7. Session monitoring
JumpServer bastion host
I. Theory:
Official website:
1. Difference between a bastion host and a jump host
A jump host and a bastion host share the same core idea: both provide a single entry point for managing IT assets. A bastion host, however, adds more powerful features, such as 4A authentication: identity authentication, account management, authorization control and security audit.
2. JumpServer 4A authentication
- Identity authentication
- Account management
- Authorization control
- Security audit
II. Hands-on deployment:
1. Initial environment preparation
Minimum configuration:
2 cores, 4G memory, 50G disk
Software versions:
python3 = 3.6.x
mysql = 5.7
redis = 4.0
Environment initialization:
systemctl disable --now firewalld   # with the firewall off, every component port opened below is reachable directly
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config   # replace the whole value (SELINUX=[ep] would only replace its first letter)
setenforce 0
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache
yum -y install git python-pip gcc gcc-c++ automake autoconf python-devel vim sshpass lrzsz readline-devel zlib zlib-devel
Change the locale to support Chinese:
localectl set-locale LANG=zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo "LANG=zh_CN.UTF-8" >> /etc/locale.conf
locale
2. MySQL database deployment
Install MySQL
mkdir /mysql5.7
tar xf mysql-5.7.37-1.el7.x86_64.rpm-bundle.tar -C /mysql5.7
cd /mysql5.7
yum -y localinstall ./*
Change the password
systemctl enable --now mysqld
grep password /var/log/mysqld.log   # temporary root password generated on first start
mysqladmin -uroot -p'ESssIS#%*4zw' password 'NTQ34tg*@19VF'   # quote the new password: it contains * and @
Create the database and user JumpServer needs
create database jumpserver default charset 'utf8' collate 'utf8_bin';
-- '%' accepts connections from any host; core connects via 127.0.0.1 (DB_HOST below), so 'jumpserver'@'127.0.0.1' would be tighter
create user 'jumpserver'@'%' identified by 'NTQ34tg*@19VF';
grant all privileges on jumpserver.* to 'jumpserver'@'%' identified by 'NTQ34tg*@19VF';
flush privileges;
3. Python 3.6 deployment
Build Python from source
wget https://www.python.org/ftp/python/3.6.10/Python-3.6.10.tgz
tar zxf Python-3.6.10.tgz -C /usr/local/src/
cd /usr/local/src/Python-3.6.10/
./configure --prefix=/usr/local/python3.6
make && make install
Add the environment variable
echo 'export PATH=$PATH:/usr/local/python3.6/bin' >> /etc/profile   # single quotes: $PATH is expanded at login, not frozen at its current value
source /etc/profile
Add the Aliyun mirror
pip3 config set global.index-url https://mirrors.aliyun.com/pypi/simple/
Create a Python virtual environment
pip3 install virtualenv
If the following error is reported, the fix is:
yum -y install openssl openssl-devel
# after installing, delete the Python source tree completely and rebuild it
Create the virtual environment jmpPython3
virtualenv --python=python3 /usr/local/python3.6/jmpPython3
# there are now two Python 3 interpreters on the system
Use the jmpPython3 Python 3 environment
source /usr/local/python3.6/jmpPython3/bin/activate
Leave the environment
deactivate
4. Redis database deployment
tar xf redis-4.0.11.tar.gz -C /usr/local/src/
cd /usr/local/src/redis-4.0.11
make
make install PREFIX=/usr/local/redis
cd /usr/local/redis/bin/
cp /usr/local/src/redis-4.0.11/redis.conf .   # default config binds 127.0.0.1 with protected-mode on; keep it, core connects locally
./redis-server redis.conf --daemonize yes     # run in the background so the shell stays usable
ln -s /usr/local/redis/bin/* /usr/bin/
5. Core component deployment
Deploy
wget https://github.com/jumpserver/jumpserver/releases/download/v2.1.0/jumpserver-v2.1.0.tar.gz
mkdir /usr/local/jump
tar zxf jumpserver-v2.1.0.tar.gz -C /usr/local/jump
cd /usr/local/jump
ln -s jumpserver-v2.1.0/ jumpserver
Install dependencies
yum -y install bash-completion psmisc nethogs glances bc ntpdate openldap-devel
Install the Python dependency modules
source /usr/local/python3.6/jmpPython3/bin/activate
pip3 install -r /usr/local/jump/jumpserver/requirements/requirements.txt
Configure the backend
cd /usr/local/jump/jumpserver
cp config_example.yml config.yml
grep -Ev '^#|^$' config.yml
SECRET_KEY: NXU2vWZSRClMsrQ3SeELZTkggZqlHugM5RnsDZ3Hgw8Dux9PD
BOOTSTRAP_TOKEN: bfdJpNQDZDpCz0kLex4Mq2THYwvNZRaRtKFR0bRWmmleBE2tC
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: NTQ34tg*@19VF
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
The first two values in the config file are secrets; generate fresh ones for each installation with the command below rather than reusing the values shown here:
tr -dc A-Za-z0-9 </dev/urandom | head -c 49; echo
Import the database schema
python3 /usr/local/jump/jumpserver/apps/manage.py makemigrations
python3 /usr/local/jump/jumpserver/apps/manage.py migrate
Verify the imported tables in the database
use jumpserver;
show tables;
Start
/usr/local/jump/jumpserver/jms start -d
netstat -anput | grep '80[78]0' | head -n2
6. Koko component deployment
The Koko component is written in Go; compared with the earlier Coco component (written in Python) its performance, efficiency and resource usage are all better.
wget https://github.com/jumpserver/koko/releases/download/v2.1.0/koko-v2.1.0-linux-amd64.tar.gz
tar zxf koko-v2.1.0-linux-amd64.tar.gz -C /usr/local/jump
cd /usr/local/jump
ln -s koko-v2.1.0-linux-amd64 koko
cd /usr/local/jump/koko
cp config_example.yml config.yml
grep -Ev '^#|^$' config.yml
CORE_HOST: http://10.0.24.5:8080
# must match the BOOTSTRAP_TOKEN in the jumpserver config file; it can be removed once registration completes
BOOTSTRAP_TOKEN: bfdJpNQDZDpCz0kLex4Mq2THYwvNZRaRtKFR0bRWmmleBE2tC
BIND_HOST: 0.0.0.0
SSHD_PORT: 2222
HTTPD_PORT: 5000
ACCESS_KEY_FILE: data/keys/.access_key
LOG_LEVEL: INFO
SSH_TIMEOUT: 15
LANG: zh
ZIP_MAX_SIZE: 1024M
ZIP_TMP_PATH: /tmp
CLIENT_ALIVE_INTERVAL: 30
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
Start
./koko -d
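The BOOTSTRAP_TOKEN has to be identical in the core config.yml and the koko config.yml, and both it and SECRET_KEY should be freshly generated rather than copied from a tutorial. The script below is an added example (not part of JumpServer or of this post) that generates both values with the same tr/urandom recipe used above and writes them into both files; the default paths are the ones used on this page, and the demo at the end runs on constructed config files.

```shell
#!/bin/sh
# Added example: generate SECRET_KEY and BOOTSTRAP_TOKEN and write the same
# token into the core and koko config.yml so koko can register with core.
set -eu

# 49 characters from [A-Za-z0-9], the same recipe as the page's one-liner.
gen_token() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-49}"
    echo
}

# Replace the value of an existing top-level YAML key ($1 file, $2 key, $3 value).
# Generated values are alphanumeric; a value containing '|' or '&' would need escaping.
set_yaml_value() {
    grep -q "^$2:" "$1" || { echo "key $2 not found in $1" >&2; return 1; }
    sed "s|^$2:.*|$2: $3|" "$1" >"$1.tmp" && mv "$1.tmp" "$1"
}

# Read back the value of a top-level key, for verification.
get_yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1"
}

# Rotate SECRET_KEY in the core config and push one fresh BOOTSTRAP_TOKEN
# into both configs; fails if the two files end up disagreeing.
rotate_secrets() {
    core_cfg=${1:-/usr/local/jump/jumpserver/config.yml}
    koko_cfg=${2:-/usr/local/jump/koko/config.yml}
    secret=$(gen_token 49)
    token=$(gen_token 49)
    set_yaml_value "$core_cfg" SECRET_KEY "$secret"
    set_yaml_value "$core_cfg" BOOTSTRAP_TOKEN "$token"
    set_yaml_value "$koko_cfg" BOOTSTRAP_TOKEN "$token"
    [ "$(get_yaml_value "$core_cfg" BOOTSTRAP_TOKEN)" = "$(get_yaml_value "$koko_cfg" BOOTSTRAP_TOKEN)" ]
}

# Demo on constructed config files (the real paths are the defaults above).
demo=$(mktemp -d)
printf 'SECRET_KEY: placeholder\nBOOTSTRAP_TOKEN: placeholder\nDB_ENGINE: mysql\n' >"$demo/core.yml"
printf 'CORE_HOST: http://10.0.24.5:8080\nBOOTSTRAP_TOKEN: placeholder\n' >"$demo/koko.yml"
rotate_secrets "$demo/core.yml" "$demo/koko.yml"
echo "koko token now: $(get_yaml_value "$demo/koko.yml" BOOTSTRAP_TOKEN)"
```

Run it before the first `jms start` and again whenever the token must be rotated; koko has to be restarted afterwards so it re-registers with the new token.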
7. Guacamole component deployment
Prepare dependencies
yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
Optional dependencies
yum install -y freerdp-devel pango-devel libssh2-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel
1. Install FFmpeg
yum install -y automake autoconf libtool gcc gcc-c++ gcc-objc gcc-objc++ libobjc
cd /usr/local/src
# opencore-amr
wget http://downloads.sourceforge.net/project/opencore-amr/opencore-amr/0.1.2/opencore-amr-0.1.2.tar.gz
tar xf opencore-amr-0.1.2.tar.gz
cd opencore-amr-0.1.2
./configure
make && make install
# lame
cd /usr/local/src
wget -O lame-3.100.tar.gz https://sourceforge.net/projects/lame/files/latest/download
tar zxf lame-3.100.tar.gz
cd lame-3.100
./configure
make && make install
cd /usr/local/src
wget http://ffmpeg.org/releases/ffmpeg-3.2.4.tar.bz2
tar xf ffmpeg-3.2.4.tar.bz2
cd ffmpeg-3.2.4
./configure --enable-version3 --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-shared --prefix=/usr/local/ffmpeg
make && make install
# register both library directories with the dynamic linker: /usr/local/ffmpeg/lib (this build)
# and /usr/local/lib (opencore-amr and lame, installed with the default prefix)
echo "/usr/local/ffmpeg/lib" > /etc/ld.so.conf.d/ffmpeg.conf
echo "/usr/local/lib" >> /etc/ld.so.conf.d/ffmpeg.conf
ldconfig
ln -sf /usr/local/ffmpeg/bin/ffmpeg /usr/bin/ffmpeg
# no per-library symlinks into /usr/lib64 are needed: libavcodec.so.56 / libavutil.so.54 style names are FFmpeg 2.x sonames,
# while this 3.2.4 build installs libavcodec 57 and libavutil 55 (see ffmpeg -version below), which ldconfig now finds
ffmpeg -version
ffmpeg version 3.2.4 Copyright (c) 2000-2017 the FFmpeg developers
built with gcc 4.8.5 (GCC) 20150623 (Red Hat 4.8.5-44)
configuration: --enable-version3 --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-shared --prefix=/usr/local/ffmpeg
libavutil 55. 34.101 / 55. 34.101
libavcodec 57. 64.101 / 57. 64.101
libavformat 57. 56.101 / 57. 56.101
libavdevice 57. 1.100 / 57. 1.100
libavfilter 6. 65.100 / 6. 65.100
libswscale 4. 2.100 / 4. 2.100
libswresample 2. 3.100 / 2. 3.100
2. Install Guacamole
yum -y install cairo-devel uuid uuid-devel
wget -O docker-guacamole-v2.1.1.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
tar zxf docker-guacamole-v2.1.1.tar.gz
mkdir /usr/local/jump/guacamole
mv docker-guacamole-master /usr/local/jump/guacamole/
cd /usr/local/jump/guacamole/
wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz
tar -xf guacamole-server-1.2.0.tar.gz
wget http://download.jumpserver.org/public/ssh-forward.tar.gz
tar -xf ssh-forward.tar.gz -C /bin/
chmod +x /bin/ssh-forward
cd /usr/local/jump/guacamole/guacamole-server-1.2.0/   # the configure script lives in the unpacked source tree
./configure --with-init-dir=/etc/init.d/
make && make install
3. Install the JDK
tar xf jdk-8u152-linux-x64.tar.gz -C /usr/local/
vim /etc/profile
JAVA_HOME=/usr/local/jdk1.8.0_152
PATH=$JAVA_HOME/bin:$PATH:$HOME/bin
CLASSPATH=.:$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export JAVA_HOME PATH CLASSPATH
source /etc/profile
java -version
4. Install Tomcat
tar zxf apache-tomcat-9.0.58.tar.gz
mv apache-tomcat-9.0.58 /usr/local/tomcat
cd /usr/local/tomcat   # webapps/ and conf/ are both under this directory
rm -rf webapps/*
sed -i 's/Connector port="8080"/Connector port="8081"/g' conf/server.xml   # 8080 is already used by core
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> conf/logging.properties
mkdir -p /config/guacamole/extensions /config/guacamole/keys
wget http://download.jumpserver.org/release/v2.1.1/guacamole-client-v2.1.1.tar.gz
tar zxf guacamole-client-v2.1.1.tar.gz
cp guacamole-client-v2.1.1/guacamole-*.war webapps/ROOT.war
cp guacamole-client-v2.1.1/guacamole-*.jar /config/guacamole/extensions/
mv /usr/local/jump/guacamole/docker-guacamole-master/guacamole.properties /config/guacamole/
Environment variables:
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=bfdJpNQDZDpCz0kLex4Mq2THYwvNZRaRtKFR0bRWmmleBE2tC
echo "export BOOTSTRAP_TOKEN=bfdJpNQDZDpCz0kLex4Mq2THYwvNZRaRtKFR0bRWmmleBE2tC" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc
Start
/etc/init.d/guacd start
cd /usr/local/tomcat/bin/
./startup.sh
8. Front-end component deployment
1. Lina component deployment
wget https://github.com/jumpserver/lina/releases/download/v2.1.0/lina-v2.1.0.tar.gz
tar zxf lina-v2.1.0.tar.gz -C /usr/local/jump
cd /usr/local/jump && mv lina-v2.1.0/ lina
2. Luna component deployment
wget https://github.com/jumpserver/luna/releases/download/v2.1.0/luna-v2.1.0.tar.gz
tar zxf luna-v2.1.0.tar.gz -C /usr/local/jump
cd /usr/local/jump && mv luna-v2.1.0/ luna
3. Nginx reverse proxy configuration
yum -y install pcre-devel   # required by the rewrite module used in jump.conf below
tar zxf nginx-1.18.0.tar.gz -C /usr/local/src/
cd /usr/local/src/nginx-1.18.0/
./configure --prefix=/usr/local/nginx/
make && make install
vim /usr/local/nginx/conf/nginx.conf
include /usr/local/nginx/conf.d/*.conf;   # add inside the http {} block: jump.conf defines a server {} block, which is only valid there
mkdir /usr/local/nginx/conf.d
Add the jump virtual host, listening on port 808
vim /usr/local/nginx/conf.d/jump.conf
server {
    listen 808;
    client_max_body_size 100m;  # size limit for recordings and file uploads
    location /ui/ {
        try_files $uri / /index.html;
        alias /usr/local/jump/lina/;
    }
    location /luna/ {
        try_files $uri / /index.html;
        alias /usr/local/jump/luna/;  # luna path
    }
    location /media/ {
        add_header Content-Encoding gzip;
        root /usr/local/jump/jumpserver/data/;  # recording location
    }
    location /static/ {
        root /usr/local/jump/jumpserver/data/;  # static assets
    }
    location /koko/ {
        proxy_pass http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx
Verify: open http://IP:808 in a browser
JumpServer startup sequence
source /usr/local/python3.6/jmpPython3/bin/activate
cd /usr/local/jump/jumpserver
./jms start -d
/usr/local/jump/koko/koko -d
/etc/init.d/guacd start
/usr/local/tomcat/bin/startup.sh
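Once the four services are up, a practitioner wants to confirm that every component is listening and that the backend ports meant to be reached only through Nginx on 808 (or locally) are not bound on every interface: the firewall was disabled in step 1, so anything on 0.0.0.0 is reachable directly. The check below is an added example, not from this post or from JumpServer; the netstat output it parses is constructed, and the "internal only" port list is my assumption based on the configuration above.

```shell
#!/bin/sh
# Added example: audit the listener map of the stack deployed above from
# `netstat -tlnp` output. The sample output below is constructed for the demo.
set -eu

# Ports every component on this page opens, and the subset that should be reached
# only through Nginx (808) or from localhost (assumption, see lead-in).
EXPECTED="3306 6379 8080 8070 2222 5000 8081 808"
INTERNAL="3306 6379 8080 8070 5000 8081"

# Print each expected port that has no LISTEN socket ($1 = netstat output file).
missing_ports() {
    file=$1; shift
    for p in "$@"; do
        awk -v p="$p" '/LISTEN/ { n = split($4, a, ":"); if (a[n] == p) hit = 1 }
                       END { exit hit ? 0 : 1 }' "$file" || echo "$p"
    done
}

# Print each internal-only port that is bound on all interfaces (0.0.0.0 or ::).
exposed_ports() {
    file=$1; shift
    for p in "$@"; do
        awk -v p="$p" '/LISTEN/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
                           n = split($4, a, ":"); if (a[n] == p) print p }' "$file"
    done
}

# Constructed sample: tomcat (8081) is not up; core, koko and mysqld bind 0.0.0.0 / ::.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1234/python3
tcp        0      0 0.0.0.0:8070            0.0.0.0:*               LISTEN      1234/python3
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1100/redis-server
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      1300/koko
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      1300/koko
tcp        0      0 0.0.0.0:808             0.0.0.0:*               LISTEN      1400/nginx
tcp6       0      0 :::3306                 :::*                    LISTEN      1000/mysqld
EOF

echo "missing: $(missing_ports "$SAMPLE" $EXPECTED | tr '\n' ' ')"
echo "exposed: $(exposed_ports "$SAMPLE" $INTERNAL | tr '\n' ' ')"
# On a live host, point the functions at a file holding real `netstat -tlnp` output.
```

Ports reported as exposed can be narrowed by binding the service to 127.0.0.1 (for example HTTP_BIND_HOST and BIND_HOST in the config files above) or by re-enabling the firewall with only 808 and 2222 open.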
III. Platform operations:
1. Change the platform default password
Administrator > Profile > Login password settings
2. Terminal login
ssh -p 2222 admin@<IP address>
3. Configure the mailbox
Obtain an authorization code from the 163 mailbox
4. Create a user
The password has now been sent to the user's mailbox
5. Asset creation and management
Create an admin user
Create the asset list
6. User asset authorization
Create a system user
Create an asset authorization
The user can now connect to the managed server
7. Session monitoring
Monitor the operations of user 秦子腾 in real time
View command records