Contents
What is a jump host
Drawbacks of a jump host
Advantages of a bastion host
JumpServer components
【1】 Time synchronization
【2】 Install dependencies
【3】 Set the database character set and create a remote user
【4】 Create a Python virtual environment dedicated to running JumpServer
【5】 Fetch the JumpServer code
【6】 Install build dependencies
【7】 Edit the configuration file
【8】 Start the JumpServer service
【9】 Verify that the schema was created
【10】 Access in the browser
【11】 Install koko, which provides SSH server and web terminal access to assets
【12】 Deploy the front-end components that serve the web pages
【13】 Configure nginx
【14】 Start nginx
【15】 Test access in the browser
| Requirement | Minimum |
| --- | --- |
| Hardware | 2 CPU cores, 4 GB RAM, 50 GB disk (minimum) |
| Python | = 3.6.x |
| MySQL server | >= 5.6 |
| MariaDB server | >= 5.5.56 |
| Redis | (version not stated) |
What is a jump host
- Put simply, it is a server with both a public and an internal network interface that can log in, without a password prompt (key-based SSH), to any node on the internal network
- When developers and operators need to maintain internal machines, they first log in to the jump host and then hop from it to any target host
Drawbacks of a jump host
- No control over, and no audit trail of, what logged-in users actually do
- When a backend node breaks, there is no quick way to find the cause or the person responsible
Advantages of a bastion host
- The "4A" model (account, authentication, authorization, audit) plus unified asset management
- Auditing, session recording and video replay, so the cause of an incident can be located quickly
- Dangerous commands such as rm and dd can be blocked or restricted
- The identity used on the target server is constrained: sessions land as an ordinary user rather than root
- Authentication: prevents identity spoofing and credential sharing
- Authorization control: prevents insider misuse and privilege abuse
- Account management: people and assets managed in one place
- Security audit: reconstruct how an incident happened
- A bastion host makes operations work both safer and more convenient when logging in to target assets
JumpServer components
- jumpserver (core): the management backend; administrators use its web UI for asset management, user management, asset authorization and so on
- koko: SSH server and web terminal server for logging in to assets
- lina, luna: the web front-ends (lina is the admin UI, luna the user-facing terminal page)
- guacamole: RDP support, so users can log in to and manage Windows assets through it
【1】 Time synchronization
[root@jumpserver ~]# yum -y install ntpdate.x86_64
[root@jumpserver ~]# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
[root@jumpserver ~]# ntpdate ntp1.aliyun.com
【2】 Install dependencies
[root@jumpserver ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
[root@jumpserver ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@jumpserver ~]# yum -y install python3 python3-devel mariadb-server.x86_64 mariadb redis
[root@jumpserver ~]# systemctl enable redis mariadb.service
[root@jumpserver ~]# systemctl start redis mariadb.service
【3】 Set the database character set and create a remote user
MariaDB [(none)]> create database jumpserver default charset 'utf8' collate 'utf8_bin';
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on *.* to jumpserver@'%' identified by 'jum123';
Query OK, 0 rows affected (0.00 sec)
## Note: this grant is far broader than the application needs: every privilege on every database, from any host, with a guessable password. Core connects to 127.0.0.1, so scope the account to the jumpserver database and to localhost only, and use a generated password. That password is also written in plaintext into config.yml in step 【7】, so protect that file.
【4】 Create a Python virtual environment dedicated to running JumpServer
[root@jumpserver ~]# python3.6 -m venv /opt/py3
## activate the Python virtual environment
[root@jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@jumpserver ~]#
【5】 Fetch the JumpServer code
(py3) [root@jumpserver opt]# wget https://github.com/jumpserver/jumpserver/releases/download/v2.2.2/jumpserver-v2.2.2.tar.gz
(py3) [root@jumpserver opt]# tar xf jumpserver-v2.2.2.tar.gz
(py3) [root@jumpserver opt]# mv jumpserver-v2.2.2 jumpserver
【6】 Install build dependencies
(py3) [root@jumpserver opt]# cd /opt/jumpserver/requirements/
## rpm_requirements.txt lists the system packages (compilers, -devel headers); requirements.txt is the pip list installed below and is not valid yum input
(py3) [root@jumpserver requirements]# yum -y install $(cat rpm_requirements.txt)
(py3) [root@jumpserver requirements]# pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
(py3) [root@jumpserver requirements]# pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
(py3) [root@jumpserver requirements]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
【7】 Edit the configuration file
## Generate random secrets for the configuration file. SECRET_KEY is the key JumpServer uses to encrypt the credentials it stores (asset passwords and keys): lose it or change it and that data can no longer be decrypted, so keep it and back it up. BOOTSTRAP_TOKEN is the shared secret koko and guacamole present when they register with core, so it must be identical in each component's config.yml. The snippet persists both in root's ~/.bashrc; that works, but secrets in a shell rc file travel with dotfile backups and pasted terminal sessions, so a dedicated 0600 file that you back up deliberately is the better home.
if [ ! "$SECRET_KEY" ];then
    SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`;
    echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc;
    echo $SECRET_KEY;
else
    echo $SECRET_KEY;
fi
if [ ! "$BOOTSTRAP_TOKEN" ];then
    BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
    echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc;
    echo "$BOOTSTRAP_TOKEN";
else
    echo $BOOTSTRAP_TOKEN;
fi
(py3) [root@jumpserver requirements]# tail -2 ~/.bashrc
SECRET_KEY=UmjKTyjVY4ZA4q803FETOY4pM2TJqeLnpbdgiEZMpJoybHc2mS
BOOTSTRAP_TOKEN=l1xWs3CggsGdnwtx
- Edit the configuration file
(py3) [root@jumpserver requirements]# cd /opt/jumpserver/
(py3) [root@jumpserver jumpserver]# cp config_example.yml config.yml
## Fill in the values shown below. config.yml now holds SECRET_KEY and DB_PASSWORD in plaintext, so chmod 600 it. Note that HTTP_BIND_HOST: 0.0.0.0 publishes core's port 8080 on every interface, bypassing nginx and its access logs; with nginx on the same host, as in this walkthrough, 127.0.0.1 is the right value.
(py3) [root@jumpserver jumpserver]# grep "^[A-Za-z]" config.yml
SECRET_KEY: UmjKTyjVY4ZA4q803FETOY4pM2TJqeLnpbdgiEZMpJoybHc2mS
BOOTSTRAP_TOKEN: l1xWs3CggsGdnwtx
DEBUG: false
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: jum123
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True
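To make step 【7】 repeatable, here is an added example script (my own, not the post's snippet and not JumpServer's code) that generates the two secrets once into a root-only file, refuses to rotate SECRET_KEY on later runs, and renders config.yml from config_example.yml with HTTP_BIND_HOST set to 127.0.0.1 (correct when nginx runs on the same host). The config_example.yml content it writes is a constructed stand-in with a CHANGEME placeholder; the real file has many more keys. The work directory and file names are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example: not from the original post and not JumpServer's own code.
# Generates SECRET_KEY / BOOTSTRAP_TOKEN once into a 0600 file, refuses to
# rotate SECRET_KEY on later runs, and renders config.yml from
# config_example.yml. WORKDIR and the file names are assumptions for the
# demo; on a real install they would be /opt/jumpserver/config_example.yml
# and /opt/jumpserver/config.yml.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SECRETS_FILE="$WORKDIR/jms_secrets.env"

# rand_token N: N characters drawn from [A-Za-z0-9] out of /dev/urandom,
# the same alphabet and entropy source the post's snippet uses.
rand_token() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# load_or_create_secrets: create the secrets file only if it does not exist,
# then load it. Re-running must not change SECRET_KEY: JumpServer encrypts
# the asset credentials it stores with that key, so a new key makes every
# password already in the database unreadable.
load_or_create_secrets() {
    if [ ! -f "$SECRETS_FILE" ]; then
        umask 077   # file is created 0600: root only
        {
            echo "SECRET_KEY=$(rand_token 50)"
            echo "BOOTSTRAP_TOKEN=$(rand_token 16)"
        } > "$SECRETS_FILE"
    fi
    # shellcheck disable=SC1090
    . "$SECRETS_FILE"
    export SECRET_KEY BOOTSTRAP_TOKEN
}

# render_config EXAMPLE OUT: copy the example and fill in the two secrets.
# HTTP_BIND_HOST is forced to 127.0.0.1 because nginx on the same host is the
# only client of port 8080; keep 0.0.0.0 only if nginx runs on another host.
render_config() {
    sed -e "s|^SECRET_KEY:.*|SECRET_KEY: ${SECRET_KEY}|" \
        -e "s|^BOOTSTRAP_TOKEN:.*|BOOTSTRAP_TOKEN: ${BOOTSTRAP_TOKEN}|" \
        -e "s|^HTTP_BIND_HOST:.*|HTTP_BIND_HOST: 127.0.0.1|" \
        "$1" > "$2"
    chmod 600 "$2"   # config.yml also carries DB_PASSWORD in plaintext
}

# check_config FILE: returns 0 if both secrets are present with a sane length
# and no placeholder survived; 1 otherwise, with the reason on stderr.
check_config() {
    key=$(sed -n 's/^SECRET_KEY: *//p' "$1")
    tok=$(sed -n 's/^BOOTSTRAP_TOKEN: *//p' "$1")
    [ "${#key}" -ge 50 ] || { echo "SECRET_KEY missing or too short" >&2; return 1; }
    [ "${#tok}" -ge 16 ] || { echo "BOOTSTRAP_TOKEN missing or too short" >&2; return 1; }
    if grep -q 'CHANGEME' "$1"; then echo "placeholder left in $1" >&2; return 1; fi
    return 0
}

# Constructed stand-in for config_example.yml: a few of the real keys, with a
# CHANGEME placeholder where a secret belongs.
cat > "$WORKDIR/config_example.yml" <<'EOF'
SECRET_KEY: CHANGEME
BOOTSTRAP_TOKEN: CHANGEME
DEBUG: false
LOG_LEVEL: ERROR
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
EOF

load_or_create_secrets
render_config "$WORKDIR/config_example.yml" "$WORKDIR/config.yml"
check_config "$WORKDIR/config.yml" && echo "rendered $WORKDIR/config.yml"
```

On a real host, point WORKDIR at /opt/jumpserver and run the script before `./jms start`; the same BOOTSTRAP_TOKEN value from the secrets file then goes into koko's config.yml in step 【11】.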
【8】 Start the JumpServer service
(py3) [root@jumpserver jumpserver]# cd /opt/jumpserver/
(py3) [root@jumpserver jumpserver]# ./jms start -d
## The following error appeared
django.db.utils.OperationalError: (2006, "Access denied for user 'jumpserver'@'localhost' (using password: YES)")
## Cause and fix: a loopback connection is seen by MariaDB as coming from 'localhost', and a default install ships anonymous accounts such as ''@'localhost'. MariaDB matches accounts by most specific host first, so the anonymous entry wins over jumpserver@'%' and the login fails against the wrong account. Deleting the anonymous accounts fixes it; creating the account as jumpserver@'localhost' in step 【3】 avoids the problem altogether.
MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mysql]> delete from user where user='';
Query OK, 2 rows affected (0.00 sec)
MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
## Start again
(py3) [root@jumpserver jumpserver]# ./jms start -d
【9】 Verify that the schema was created
MariaDB [mysql]> use jumpserver ;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [jumpserver]> show tables;
+----------------------------------------------+
| Tables_in_jumpserver |
+----------------------------------------------+
| applications_databaseapp |
| applications_k8sapp |
| applications_remoteapp |
| assets_adminuser |
| assets_asset |
| assets_asset_labels |
| assets_asset_nodes |
| assets_assetgroup |
| assets_authbook |
| assets_cluster |
| assets_commandfilter |
| assets_commandfilterrule |
| assets_domain |
| assets_favoriteasset |
| assets_gateway |
| assets_gathereduser |
| assets_label |
| assets_node |
| assets_platform |
| assets_systemuser |
| assets_systemuser_assets |
| assets_systemuser_cmd_filters |
| assets_systemuser_groups |
| assets_systemuser_nodes |
| assets_systemuser_users |
| audits_ftplog |
| audits_operatelog |
| audits_passwordchangelog |
| audits_userloginlog |
| auth_group |
| auth_group_permissions |
| auth_permission |
| authentication_accesskey |
| authentication_loginconfirmsetting |
| authentication_loginconfirmsetting_reviewers |
| authentication_privatetoken |
| authentication_ssotoken |
| captcha_captchastore |
| django_admin_log |
| django_cas_ng_proxygrantingticket |
| django_cas_ng_sessionticket |
| django_celery_beat_crontabschedule |
| django_celery_beat_intervalschedule |
| django_celery_beat_periodictask |
| django_celery_beat_periodictasks |
| django_celery_beat_solarschedule |
| django_content_type |
| django_migrations |
| django_session |
| jms_oidc_rp_oidcuser |
| ops_adhoc |
| ops_adhoc_execution |
| ops_adhoc_hosts |
| ops_celerytask |
| ops_commandexecution |
| ops_commandexecution_hosts |
| ops_task |
| orgs_organization |
| orgs_organization_members |
| perms_assetpermission |
| perms_assetpermission_assets |
| perms_assetpermission_nodes |
| perms_assetpermission_system_users |
| perms_assetpermission_user_groups |
| perms_assetpermission_users |
| perms_databaseapppermission |
| perms_databaseapppermission_database_apps |
| perms_databaseapppermission_system_users |
| perms_databaseapppermission_user_groups |
| perms_databaseapppermission_users |
| perms_k8sapppermission |
| perms_k8sapppermission_k8s_apps |
| perms_k8sapppermission_system_users |
| perms_k8sapppermission_user_groups |
| perms_k8sapppermission_users |
| perms_remoteapppermission |
| perms_remoteapppermission_remote_apps |
| perms_remoteapppermission_system_users |
| perms_remoteapppermission_user_groups |
| perms_remoteapppermission_users |
| settings_setting |
| terminal |
| terminal_command |
| terminal_commandstorage |
| terminal_replaystorage |
| terminal_session |
| terminal_status |
| terminal_task |
| tickets_comment |
| tickets_ticket |
| tickets_ticket_assignees |
| users_user |
| users_user_groups |
| users_user_user_permissions |
| users_usergroup |
+----------------------------------------------+
95 rows in set (0.00 sec)
【10】 Access in the browser
【11】 Install koko, which provides SSH server and web terminal access to assets
(py3) [root@jumpserver jumpserver]# cd /opt/
(py3) [root@jumpserver opt]# wget https://github.com/jumpserver/koko/releases/download/v2.2.2/koko-v2.2.2-linux-amd64.tar.gz
(py3) [root@jumpserver opt]# tar xf koko-v2.2.2-linux-amd64.tar.gz
(py3) [root@jumpserver opt]# mv koko-v2.2.2-linux-amd64 koko
(py3) [root@jumpserver opt]# chown -R root.root koko/
- Edit the configuration file (BOOTSTRAP_TOKEN must be the same value core was started with)
(py3) [root@jumpserver opt]# cd koko/
(py3) [root@jumpserver koko]# cp config_example.yml config.yml
(py3) [root@jumpserver koko]# vim config.yml
(py3) [root@jumpserver koko]# grep "^[a-Z]" config.yml
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: l1xWs3CggsGdnwtx
LOG_LEVEL: ERROR
SHARE_ROOM_TYPE: redis
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
- Start the koko component
## koko listens on 2222 (the SSH port users connect to) and 5000 (HTTP, used only by the nginx /koko/ proxy on this host); only 2222 needs to be reachable from outside, so block 5000 in the host firewall
(py3) [root@jumpserver koko]# ./koko -d
(py3) [root@jumpserver koko]# netstat -lntp | grep koko
tcp6 0 0 :::2222 :::* LISTEN 6180/./koko
tcp6 0 0 :::5000 :::* LISTEN 6180/./koko
【12】 Deploy the front-end components that serve the web pages
- Install the lina component (the admin web UI)
(py3) [root@jumpserver opt]# wget https://github.com/jumpserver/lina/releases/download/v2.2.2/lina-v2.2.2.tar.gz
(py3) [root@jumpserver opt]# tar xf lina-v2.2.2.tar.gz
(py3) [root@jumpserver opt]# mv lina-v2.2.2 lina
(py3) [root@jumpserver opt]# yum -y install nginx
(py3) [root@jumpserver opt]# chown -R nginx.nginx lina/
- Install the luna component (the web terminal UI)
(py3) [root@jumpserver opt]# cd /opt/
(py3) [root@jumpserver opt]# wget https://github.com/jumpserver/luna/releases/download/v2.2.2/luna-v2.2.2.tar.gz
(py3) [root@jumpserver opt]# tar xf luna-v2.2.2.tar.gz
(py3) [root@jumpserver opt]# mv luna-v2.2.2 luna
(py3) [root@jumpserver opt]# chown -R nginx.nginx luna/
【13】 Configure nginx
## Note: the server block below terminates plain HTTP (port 80) only. Everything that passes through it, including user passwords, MFA codes and the web terminal's session traffic, is readable on the wire, so outside a lab add a TLS listener on 443 and redirect 80 to it.
(py3) [root@jumpserver opt]# vim /etc/nginx/conf.d/jumpserver.conf
server {
    listen 80;
    server_name jumpserver.test.org;
    client_max_body_size 100m;  ## size limit for session recordings and file uploads
    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }
    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }
    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  ## session recordings (replay files)
    }
    location /static/ {
        root /opt/jumpserver/data/;  ## static assets
    }
    location /koko/ {
        proxy_pass http://127.0.0.1:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /guacamole/ {  ## Windows (RDP) component
        proxy_pass http://127.0.0.1:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /ws/ {
        proxy_pass http://127.0.0.1:8070;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /core/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
【14】 Start nginx
(py3) [root@jumpserver opt]# systemctl enable nginx.service
(py3) [root@jumpserver opt]# systemctl start nginx.service
(py3) [root@jumpserver opt]# netstat -lntp | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6750/nginx: master
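Once all components are up, the listener table is the quickest check that nothing bypasses nginx. After steps 【7】 and 【11】 core's 8080/8070 and koko's 5000 are still bound to 0.0.0.0 and :: even though only nginx on 127.0.0.1 ever calls them; only sshd (22), nginx (80, and 443 once TLS is added) and koko's SSH port (2222) need to face the network. The script below is an added example (mine, not the post's and not a JumpServer tool) that parses `netstat -lntp` output and lists every wildcard-bound LISTEN socket outside an allowlist. SAMPLE_NETSTAT is constructed to mirror the post's output; its PIDs and program names are made up. Core's listener moves to loopback via HTTP_BIND_HOST; koko binds its SSH and HTTP listeners to the same address, so for 5000 the host firewall is the tool.

```bash
#!/usr/bin/env bash
# Added example: not from the original post and not JumpServer's own code.
# Reads `netstat -lntp` output and reports every LISTEN socket bound to a
# wildcard address (0.0.0.0 or ::) whose port is not on an allowlist.
# SAMPLE_NETSTAT is constructed; PIDs and program names are made up.
set -eu

# is_wildcard ADDR: true when the local address is the IPv4 or IPv6 any-address
is_wildcard() {
    case "$1" in
        0.0.0.0:*|:::*) return 0 ;;
        *) return 1 ;;
    esac
}

# port_of ADDR: the part after the last colon (works for 0.0.0.0:80 and :::2222)
port_of() {
    printf '%s\n' "${1##*:}"
}

# in_list PORT "P1 P2 ...": true when PORT is one of the space-separated ports
in_list() {
    for p in $2; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# exposed_listeners "ALLOWED PORTS" < netstat-output
# Prints "PORT PROGRAM" for each offending listener; returns 0 when none found.
exposed_listeners() {
    allowed="$1"
    found=0
    while read -r _proto _rq _sq laddr _faddr state prog; do
        [ "$state" = "LISTEN" ] || continue        # also skips netstat's header lines
        is_wildcard "$laddr" || continue           # 127.0.0.1:* and ::1:* are fine
        port=$(port_of "$laddr")
        in_list "$port" "$allowed" && continue
        printf '%s %s\n' "$port" "${prog#*/}"      # drop the "PID/" prefix
        found=1
    done
    [ "$found" -eq 0 ]
}

# Constructed sample: core (8080/8070) and koko's HTTP port (5000) are still on
# the wildcard address, as they are right after the post's steps 【7】 and 【11】.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6750/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1201/mysqld
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1150/redis-server
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      5900/gunicorn
tcp        0      0 0.0.0.0:8070            0.0.0.0:*               LISTEN      5910/daphne
tcp6       0      0 :::2222                 :::*                    LISTEN      6180/./koko
tcp6       0      0 :::5000                 :::*                    LISTEN      6180/./koko
EOF
)

# Ports that legitimately face the network on this single-host layout.
ALLOWED_PUBLIC="22 80 443 2222"
if printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners "$ALLOWED_PUBLIC"; then
    echo "no unexpected wildcard listeners"
else
    echo "bind the ports above to 127.0.0.1 or block them in the host firewall" >&2
fi
```

On the real host, run `netstat -lntp | exposed_listeners "22 80 443 2222"` (as root, so PID/program names are filled in) after each component starts; a non-zero exit is a sign that a service is reachable around the reverse proxy.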
【15】 Test access in the browser