JumpServer introduction
JumpServer is the world's first fully open-source bastion host, released under the GNU GPL v2.0 licence; it is a professional operations auditing system that meets the 4A requirements (account, authentication, authorization, audit).
JumpServer is developed in Python / Django, follows Web 2.0 conventions and ships with an industry-leading Web Terminal solution; the interface is clean and the user experience is good.
JumpServer uses a distributed architecture and supports multi-datacenter, cross-region deployment: the central node provides the API and each datacenter runs a login node, so it scales horizontally with no limit on concurrent access.
JumpServer now supports managing assets over the SSH, Telnet, RDP and VNC protocols.
Installing JumpServer
Official installation guide: https://jumpserver.readthedocs.io/zh/master/setup_by_centos7.html
Install environment: CentOS 7
IP: 10.0.0.61
1. Disable the firewall and SELinux (the official guide includes a firewall configuration; they are simply disabled here to keep the demo short)
# systemctl stop firewalld
# setenforce 0
# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
2. Install the environment dependencies
3. Install Redis; JumpServer uses Redis as its cache and as the Celery broker
# yum -y install redis
# systemctl enable redis
# systemctl start redis
4. Install MySQL. If you are not using MySQL, skip the MySQL installation and configuration; sqlite3, mysql, postgres and others are supported
# yum -y install mariadb mariadb-devel mariadb-server
# systemctl enable mariadb
# systemctl start mariadb
5. Create the jumpserver database and grant a user access to it
# DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
# echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m"
你的数据库密码是 uIApVIpDhEA4dyV1MvN6eZuG
# mysql -uroot -e "create database jumpserver default charset 'utf8' collate 'utf8_bin';grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
\033[31m ... \033[0m: these escape sequences print the text between them in red
6. Install Nginx, used as the reverse proxy that ties JumpServer and its components together
# yum -y install nginx
# systemctl enable nginx
7. Install Python 3.6
8. Create and activate the Python 3 virtual environment
# cd /opt/
# python3.6 -m venv py3
# source /opt/py3/bin/activate
(py3) #
From now on, run the source command above before running JumpServer; all the commands below are assumed to run inside this virtual environment
9. Download JumpServer
(py3) # cd /opt/
(py3) # git clone --depth=1 https://github.com/jumpserver/jumpserver.git
10. Install the RPM dependencies
11. Install the Python library dependencies
pip uses an overseas package index by default, so downloads are slow from inside China; switch pip to a domestic mirror.
Alibaba Cloud https://mirrors.aliyun.com/pypi/simple/
USTC https://pypi.mirrors.ustc.edu.cn/simple/
Douban https://pypi.douban.com/simple/
Tsinghua University https://pypi.tuna.tsinghua.edu.cn/simple/
USTC (http) http://pypi.mirrors.ustc.edu.cn/simple/
Huazhong University of Science and Technology: http://pypi.hustunique.com/
Shandong University of Technology: http://pypi.sdutlinux.org/
Usage: pass -i followed by the mirror URL
(py3) # pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
(py3) # pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
(py3) # pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
12. Edit the JumpServer configuration file
(py3) # cd /opt/jumpserver/
(py3) # cp config_example.yml config.yml
Generate a random SECRET_KEY and BOOTSTRAP_TOKEN
(py3) # SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) # echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) # BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9| head -c 16`
(py3) # echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
Apply the configuration
(py3) # sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) # sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) # sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) # sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) # sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
(py3) # sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
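The six sed commands above silently do nothing when their pattern does not match the copied config_example.yml, and the DB_PASSWORD one writes an empty password if the variable from step 5 is not set in the current shell. The following added check script (not part of JumpServer; it reads only the flat KEY: value lines and the key names used in step 12, and the sample configs and values in it are constructed) reports such a config before jms is started:

```shell
#!/bin/sh
# Added post-install check for the config.yml edited in step 12; not part of JumpServer.
# It understands only the flat "KEY: value" lines of config_example.yml and treats a
# commented-out key ("# DEBUG: true") as unset, which is what a sed that matched nothing leaves.
# Print the value of a top-level key; prints nothing if it is missing or commented out.
jms_cfg_get() {
    # $1 = config file, $2 = key name
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}
# Report each setting weaker than step 12 intends; returns 0 if all pass, 1 otherwise.
jms_cfg_check() {
    cfg="$1"; rc=0
    v=$(jms_cfg_get "$cfg" SECRET_KEY)
    [ "${#v}" -ge 50 ] || { echo "SECRET_KEY missing or shorter than 50 chars"; rc=1; }
    v=$(jms_cfg_get "$cfg" BOOTSTRAP_TOKEN)
    [ "${#v}" -ge 16 ] || { echo "BOOTSTRAP_TOKEN missing or shorter than 16 chars"; rc=1; }
    v=$(jms_cfg_get "$cfg" DB_PASSWORD)
    [ -n "$v" ] || { echo "DB_PASSWORD is empty"; rc=1; }
    v=$(jms_cfg_get "$cfg" DEBUG)
    [ "$v" = "false" ] || { echo "DEBUG is not explicitly false (got '$v')"; rc=1; }
    v=$(jms_cfg_get "$cfg" LOG_LEVEL)
    { [ -n "$v" ] && [ "$v" != "DEBUG" ]; } || { echo "LOG_LEVEL unset or DEBUG"; rc=1; }
    v=$(jms_cfg_get "$cfg" SESSION_EXPIRE_AT_BROWSER_CLOSE)
    [ "$v" = "true" ] || { echo "SESSION_EXPIRE_AT_BROWSER_CLOSE is not true"; rc=1; }
    return $rc
}
# Constructed sample configs (not from a real deployment): good.yml is what step 12 should
# produce; in bad.yml the DEBUG/LOG_LEVEL/SESSION seds matched nothing and $DB_PASSWORD was
# empty in the shell when its sed ran.
JMS_CHECK_DIR=$(mktemp -d)
cat > "$JMS_CHECK_DIR/good.yml" <<'EOF'
SECRET_KEY: 7GhLk2Qw9ZsXtPmN4VcB1RdYfU8JaEoIqW5TzHgKlM3nCxSbOv
BOOTSTRAP_TOKEN: Zq8mL2pX4vT7bN1c
DB_PASSWORD: Xk3pQ9vL2mR8tZ5w
DEBUG: false
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
EOF
cat > "$JMS_CHECK_DIR/bad.yml" <<'EOF'
SECRET_KEY: 7GhLk2Qw9ZsXtPmN4VcB1RdYfU8JaEoIqW5TzHgKlM3nCxSbOv
BOOTSTRAP_TOKEN: Zq8mL2pX4vT7bN1c
DB_PASSWORD:
# DEBUG: true
# LOG_LEVEL: DEBUG
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false
EOF
jms_cfg_check "$JMS_CHECK_DIR/good.yml" && echo "good.yml: ready to start jms"
jms_cfg_check "$JMS_CHECK_DIR/bad.yml" || echo "bad.yml: fix the findings above first"
```

Run it as `jms_cfg_check /opt/jumpserver/config.yml` after step 12 and only continue to step 13 when it prints nothing.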
13. Run JumpServer
(py3) # wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
(py3) # chmod 755 /usr/lib/systemd/system/jms.service
(py3) # systemctl daemon-reload
(py3) # systemctl enable jms
(py3) # systemctl start jms
14. Install Docker and deploy koko and guacamole
Install
(py3) # yum install -y yum-utils device-mapper-persistent-data lvm2
(py3) # yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
(py3) # yum makecache fast
(py3) # rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
(py3) # yum -y install docker-ce
(py3) # systemctl enable docker
(py3) # mkdir /etc/docker
(py3) # wget -O /etc/docker/daemon.json http://demo.jumpserver.org/download/docker/daemon.json
(py3) # systemctl restart docker
Get the IP of this server
(py3) # Server_IP=`ip addr | grep 'state UP' -A2 | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
(py3) # echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m"
Run koko and guacamole
If network problems prevent pulling the images, they can be imported manually.
http://<Jumpserver_url> points at the JumpServer service port, e.g. http://192.168.244.144:8080
BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN from jumpserver/config.yml
(py3) # docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e LOG_LEVEL=ERROR --restart=always jumpserver/jms_koko:1.5.8
(py3) # docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e GUACAMOLE_LOG_LEVEL=ERROR --restart=always jumpserver/jms_guacamole:1.5.8
(py3) # docker ps
15. Install the Web Terminal front end. Luna is served by Nginx: download the release package for the matching version from https://github.com/jumpserver/luna/releases and extract it; no build step is needed
(py3) # cd /opt/
(py3) # wget https://github.com/jumpserver/luna/releases/download/1.5.8/luna.tar.gz
(py3) # tar xzf luna.tar.gz
(py3) # chown -R root:root luna
If network problems keep the download from completing, use this address instead
wget https://demo.jumpserver.org/download/luna/1.5.8/luna.tar.gz
16. Configure Nginx to tie the components together
(py3) # rm -rf /etc/nginx/conf.d/default.conf
Rewrite nginx.conf (the heredoc delimiter is escaped, as it already is for jumpserver.conf below, so that the shell does not expand the $remote_addr, $request and other variables in log_format to empty strings)
(py3) # cat >/etc/nginx/nginx.conf<<\EOF
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 65535;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 120;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
}
EOF
Add the jumpserver.conf file
(py3) # cat >/etc/nginx/conf.d/jumpserver.conf<<\EOF
server {
listen 80;
server_name 10.0.0.41;
client_max_body_size 100m; # size limit for session recordings and file uploads
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna path; change this if the install directory is changed
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # recording location; change this if the install directory is changed
}
location /static/ {
root /opt/jumpserver/data/; # static assets; change this if the install directory is changed
}
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location / {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
}
EOF
17. Run Nginx
(py3) # nginx -t
(py3) # sed -i 's/KillMode/#KillMode/g' /usr/lib/systemd/system/nginx.service
(py3) # systemctl daemon-reload
(py3) # systemctl start nginx
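nginx -t only validates syntax. The following added script (not part of JumpServer or nginx; its file names, sample snippets and the 10.0.0.99 address are constructed) checks the two things it misses for the files written in step 16: that the log_format variables survived the heredoc, and that every proxy_pass still points at the loopback components started in steps 13 and 14:

```shell
#!/bin/sh
# Added check for the two nginx files written in step 16; not part of JumpServer or nginx.
# "nginx -t" happily accepts a log_format whose $variables an unquoted heredoc expanded
# away, and a proxy_pass pointing at the wrong host, so both are checked explicitly here.
# Return 0 if the main config still carries the literal log_format variables.
nginx_logformat_intact() {
    grep -Fq '$remote_addr' "$1" && grep -Fq '$http_user_agent' "$1"
}
# Print every proxy_pass target that is not on loopback; return 1 if there is any.
# All backends in jumpserver.conf (core 8080, koko 5000, guacamole 8081, ws 8070)
# are started on this host in steps 13 and 14, so nothing should leave the loopback.
nginx_proxy_targets_loopback() {
    bad=$(sed -n 's/^[[:space:]]*proxy_pass[[:space:]]*//p' "$1" | tr -d ';' \
          | grep -Ev '^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?(/.*)?$' || true)
    [ -z "$bad" ] || { echo "non-loopback proxy_pass: $bad"; return 1; }
}
# Constructed samples (not real files): nginx_ok.conf as step 16 writes it with <<\EOF,
# nginx_expanded.conf as an unquoted <<EOF would leave it, and a jumpserver.conf in which
# one upstream was pointed at another host (10.0.0.99 is a made-up address) by mistake.
NGX_CHECK_DIR=$(mktemp -d)
cat > "$NGX_CHECK_DIR/nginx_ok.conf" <<'EOF'
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '"$http_user_agent" "$http_x_forwarded_for"';
EOF
cat > "$NGX_CHECK_DIR/nginx_expanded.conf" <<'EOF'
log_format main ' -  [] "" '
                '"" ""';
EOF
cat > "$NGX_CHECK_DIR/jumpserver_bad.conf" <<'EOF'
location /koko/ {
    proxy_pass http://localhost:5000;
}
location /guacamole/ {
    proxy_pass http://localhost:8081/;
}
location / {
    proxy_pass http://10.0.0.99:8080;
}
EOF
nginx_logformat_intact "$NGX_CHECK_DIR/nginx_ok.conf" && echo "nginx_ok.conf: log_format intact"
nginx_logformat_intact "$NGX_CHECK_DIR/nginx_expanded.conf" || echo "nginx_expanded.conf: variables lost"
nginx_proxy_targets_loopback "$NGX_CHECK_DIR/jumpserver_bad.conf" || echo "jumpserver_bad.conf: fix upstream"
```

On the real host, run `nginx_logformat_intact /etc/nginx/nginx.conf` and `nginx_proxy_targets_loopback /etc/nginx/conf.d/jumpserver.conf` before starting nginx.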
18. Test connecting to JumpServer
Visit http://10.0.0.41 (note: no :8080, access goes through the port proxied by nginx)
Default account: admin, password: admin. Go to Sessions -> Terminals and accept the registration of koko, Guacamole and the other applications
Test the connection
ssh -p2222 admin@<Jumpserver_IP>
sftp -P2222 admin@<Jumpserver_IP>
Password: admin
On Windows, the login syntax in Xshell Terminal is as follows: $ ssh admin@<Jumpserver_IP> 2222
sftp admin@<Jumpserver_IP> 2222
Password: admin
If you can log in, the deployment succeeded
sftp uploads land in the asset's /tmp directory by default
Drag-and-drop uploads from Windows land on the G drive of the asset's Guacamole RDP session
19. Connect to JumpServer from Xshell to manage servers
20. Web UI operations
Visit: http://10.0.0.61