Jumpserver introduction
Jumpserver core feature list
Jumpserver environment requirements
Jumpserver deployment
Installing Redis
Installing MariaDB
Editing the Jumpserver configuration file
Starting Jumpserver
Testing access
Jumpserver plugin installation
Koko component deployment
Luna component deployment
Guacamole component deployment
Configuring Nginx to integrate the components
Official site: www.jumpserver.org
Jumpserver is the world's first fully open-source bastion host, released under the GNU GPL v2.0 license; it is a professional security audit system that follows the 4A model.
Jumpserver is developed in Python/Django and follows Web 2.0 conventions. It uses a distributed architecture: it supports deployment across multiple data centers and regions, scales horizontally, and imposes no limit on the number of concurrently managed assets.
Jumpserver currently supports assets using the SSH, Telnet, RDP and VNC protocols.
Authentication
Account management
Authorization
Security audit
Asset management (CMDB)
Hardware: 2 CPU cores, 4 GB RAM, 50 GB disk (minimum)
Operating system: Linux distribution, x86_64
Python = 3.6.x
MySQL Server >= 5.6
MariaDB Server >= 5.5.56
Redis
1. Install the build dependencies
yum install wget gcc-c++ epel-release git -y
2. Install Python 3.6
[root@Jumpserver ~]# yum install python36.x86_64 python36-devel.x86_64 -y
[root@Jumpserver ~]# python36 -V
Python 3.6.8
3. Create a Python virtual environment
[root@Jumpserver ~]# python36 -m venv /opt/py3
4. Load the Python 3 virtual environment
Every time you work with Jumpserver you must first load the py3 virtual environment with the command below.
The prompt shown below means you are inside the virtual environment. From now on, run the source command above before running Jumpserver; every command that follows is executed inside the virtual environment.
[root@Jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@Jumpserver ~]#
# With this .env file in place, the Python virtual environment is loaded automatically whenever you enter the jumpserver directory, so you no longer have to run the source command each time (this relies on a shell hook such as autoenv that sources .env on directory entry; /opt/jumpserver itself only exists once the git clone in step 5 has run)
(py3) [root@Jumpserver ~]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
5. Fetch the Jumpserver source code
(py3) [root@Jumpserver ~]# cd /opt/
(py3) [root@Jumpserver opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
Cloning into 'jumpserver'...
remote: Enumerating objects: 1156, done.
remote: Counting objects: 100% (1156/1156), done.
remote: Compressing objects: 100% (1028/1028), done.
remote: Total 1156 (delta 193), reused 632 (delta 64), pack-reused 0
Receiving objects: 100% (1156/1156), 6.96 MiB | 13.00 KiB/s, done.
Resolving deltas: 100% (193/193), done.
6. Install the RPM packages and Python packages Jumpserver depends on
(py3) [root@Jumpserver opt]# cd /opt/jumpserver/requirements/
(py3) [root@Jumpserver requirements]# yum install $(cat rpm_requirements.txt) -y
(py3) [root@Jumpserver requirements]# pip install --upgrade pip
(py3) [root@Jumpserver requirements]# pip install -r requirements.txt
Jumpserver requires Redis.
It can be installed with yum or built from source; here I build Redis from source.
1. Install Redis
[root@Jumpserver src]# wget http://download.redis.io/releases/redis-5.0.5.tar.gz
[root@Jumpserver src]# tar xf redis-5.0.5.tar.gz
[root@Jumpserver src]# cd redis-5.0.5
[root@Jumpserver redis-5.0.5]# make
[root@Jumpserver redis-5.0.5]# cd src/
[root@Jumpserver src]# make install PREFIX=/usr/local/redis
[root@Jumpserver src]# mkdir /usr/local/redis/etc
[root@Jumpserver src]# cd /usr/local/src/redis-5.0.5
[root@Jumpserver redis-5.0.5]# cp -rf redis.conf /usr/local/redis/etc/
2. Edit the configuration file
cat << EOF > /usr/local/redis/etc/redis.conf
daemonize yes
port 6379
bind <IP address>
protected-mode yes
pidfile "/usr/local/redis/run/redis.pid"
loglevel notice
logfile "/usr/local/redis/logs/redis.log"
save 900 1
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir "/usr/local/redis/data/rdb/"
timeout 0
tcp-keepalive 300
EOF
3. Create the directories and start Redis
# create the pid file directory, the log directory and the Redis persistence directory
[root@Jumpserver redis-5.0.5]# mkdir -p /usr/local/redis/{run,logs}
[root@Jumpserver redis-5.0.5]# mkdir -p /usr/local/redis/data/rdb/
# start Redis
[root@Jumpserver redis-5.0.5]# /usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf
Jumpserver needs a database; you can use either MySQL or MariaDB. MariaDB must be version 5.5.56 or later and MySQL version 5.6 or later.
Here I deploy MariaDB with yum.
1. Check that the MariaDB version meets the requirement
2. Install MariaDB
[root@Jumpserver /]# yum install mariadb.x86_64 mariadb-devel.x86_64 mariadb-server.x86_64 -y
3. Start MariaDB
[root@Jumpserver /]# systemctl enable mariadb
[root@Jumpserver /]# systemctl start mariadb
4. Change the MariaDB root password
[root@Jumpserver /]# mysql -uroot -p
Enter password: # on the first connection the password is empty, just press Enter
MariaDB [(none)]> set password for 'root'@localhost=password('xxxxxxxx');
MariaDB [(none)]> flush privileges;
5. Create the jumpserver database and grant privileges on it
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'xxxxxxxx';
MariaDB [(none)]> flush privileges;
[root@Jumpserver /]# cp -rf /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml
[root@Jumpserver /]# grep -Ev "#|^$" /opt/jumpserver/config.yml
SECRET_KEY: PwbiQAk0sQCStkR7FwauW3bYCBwJUqPEI4iVs6xyYczfEOWtH #encryption key; generate your own with the command given in the config file rather than reusing this value
BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver. #pre-shared token that coco/koko and guacamole use to register their service accounts; the old register-and-accept mechanism is no longer used
DB_ENGINE: mysql #use the MySQL database backend
DB_HOST: 127.0.0.1 #database host
DB_PORT: 3306 #database port
DB_USER: jumpserver #database user
DB_PASSWORD: xxxxxxxx #database password
DB_NAME: jumpserver #database name
HTTP_BIND_HOST: 0.0.0.0 #address Jumpserver binds at runtime; 0.0.0.0 binds all addresses
HTTP_LISTEN_PORT: 8080 #port Jumpserver listens on at runtime
REDIS_HOST: xxx.xxx.xx.xxx #address of the Redis host Jumpserver connects to
REDIS_PORT: 6379 #port of the Redis host Jumpserver connects to
# make sure you are inside the py3 virtual environment before starting Jumpserver; the -d option starts it in the background
[root@Jumpserver jumpserver]# source /opt/py3/bin/activate
(py3) [root@Jumpserver jumpserver]# cd /opt/jumpserver/
(py3) [root@Jumpserver jumpserver]# ./jms start -d
Access URL: http://xxxxx:8080/auth/login/?next=/
Default account/password: admin/admin

The interface shown after a successful login is quite nice.
Jumpserver on its own is already powerful, but the following components make it even better.
The components are:
Coco: Coco is the SSH server and Web Terminal server. Users log in to SSH or the Web Terminal with their own account and directly access the assets they are authorized for, without needing to know the server's account and password. Coco has now been replaced by Koko.
Luna: Luna is the front-end page of the Web Terminal server, the plugin users need when logging in via the Web Terminal.
Guacamole: Guacamole is the Windows component; users connect to Windows assets through the Web Terminal (currently Windows assets can only be accessed via the Web Terminal).
The ports each component listens on are:
Jumpserver: 8080/tcp
Redis: 6379/tcp
MySQL/MariaDB: 3306/tcp
Nginx: 80/tcp
Koko: SSH on 2222/tcp, Web Terminal on 5000/tcp
Guacamole: 8081/tcp
1. Koko component deployment
[root@Jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@Jumpserver ~]# cd /opt/
(py3) [root@Jumpserver opt]# wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-6d4e69b-linux-amd64.tar.gz
(py3) [root@Jumpserver opt]# tar xf koko-master-6d4e69b-linux-amd64.tar.gz
(py3) [root@Jumpserver opt]# chown -R root:root kokodir
2. Edit the Koko configuration file
(py3) [root@Jumpserver opt]# cd kokodir/
(py3) [root@Jumpserver kokodir]# cp -rf config_example.yml config.yml
# the Koko configuration file is as follows:
(py3) [root@Jumpserver kokodir]# grep -Ev "#|^$" /opt/kokodir/config.yml
CORE_HOST: http://127.0.0.1:8080 #URL of the Jumpserver project, used for the API registration request
BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver. #Bootstrap Token, the pre-shared key used to register the service account and terminal that Koko uses; it must be identical to BOOTSTRAP_TOKEN in the Jumpserver config file and can be removed once registration is complete
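The two BOOTSTRAP_TOKEN values (Jumpserver's config.yml above and Koko's config.yml here) have to be identical, and both SECRET_KEY and BOOTSTRAP_TOKEN should be fresh random values rather than the ones printed in this article. The script below is an added example, not code from the Jumpserver or Koko projects: it generates new secrets, writes them into both files and checks that they agree. The function names, the 32-character minimum for SECRET_KEY, the `.tmp` rename used for in-place editing and the sample files it constructs in a temporary directory are all assumptions of this example; only the file paths /opt/jumpserver/config.yml and /opt/kokodir/config.yml come from the article.

```shell
#!/bin/sh
# Added example, not part of the original article: generate fresh values for
# SECRET_KEY / BOOTSTRAP_TOKEN and confirm the BOOTSTRAP_TOKEN in Jumpserver's
# config.yml matches the one in Koko's config.yml. It assumes the simple
# top-level "KEY: value" lines of the example config files; it is not a YAML parser.

PLACEHOLDER_TOKEN='PleasgeChangeSameWithJumpserver.'   # value shipped in config_example.yml

# Print the value of a top-level key in FILE, dropping any trailing "# comment".
yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*$//' | head -n 1
}

# Replace the value of a top-level key in FILE (fails if the key is absent).
set_key() {
    grep -q "^$2:" "$1" || return 1
    sed "s|^$2:.*|$2: $3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# 50 hex characters from the kernel RNG (25 random bytes).
gen_secret() {
    od -An -tx1 -N 25 /dev/urandom | tr -d ' \n'
}

# Success only when both files carry the same, non-placeholder BOOTSTRAP_TOKEN.
tokens_consistent() {
    _jms=$(yaml_value "$1" BOOTSTRAP_TOKEN)
    _koko=$(yaml_value "$2" BOOTSTRAP_TOKEN)
    [ -n "$_jms" ] && [ "$_jms" = "$_koko" ] && [ "$_jms" != "$PLACEHOLDER_TOKEN" ]
}

# Success when SECRET_KEY is at least 32 characters and is not a "change me" placeholder.
secret_key_ok() {
    _k=$(yaml_value "$1" SECRET_KEY)
    [ ${#_k} -ge 32 ] && ! printf '%s' "$_k" | grep -qi 'change'
}

# Write constructed copies of the two config files into DIR, so the checks can
# be exercised without touching anything under /opt.
make_sample_configs() {
    printf '%s\n' 'SECRET_KEY: PleaseChangeMe #encryption key' \
        "BOOTSTRAP_TOKEN: $PLACEHOLDER_TOKEN #pre-shared token" \
        'DB_ENGINE: mysql' 'DB_HOST: 127.0.0.1' > "$1/jumpserver.yml"
    printf '%s\n' 'CORE_HOST: http://127.0.0.1:8080' \
        "BOOTSTRAP_TOKEN: $PLACEHOLDER_TOKEN" > "$1/koko.yml"
}

# Rotate both secrets in the Jumpserver file, propagate the token to the Koko
# file, and return success only if the result passes both checks.
rotate_and_verify() {
    _tok=$(gen_secret)
    set_key "$1" SECRET_KEY "$(gen_secret)" &&
    set_key "$1" BOOTSTRAP_TOKEN "$_tok" &&
    set_key "$2" BOOTSTRAP_TOKEN "$_tok" &&
    tokens_consistent "$1" "$2" && secret_key_ok "$1"
}
```

Against the real files this is `rotate_and_verify /opt/jumpserver/config.yml /opt/kokodir/config.yml`, run before Jumpserver and Koko are started for the first time: SECRET_KEY protects data Jumpserver stores, so generate it once before the first start and do not change it afterwards, and any later BOOTSTRAP_TOKEN change must also be applied to the Guacamole container, which receives the token as an environment variable.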
3. Start Koko
# restart Jumpserver first
(py3) [root@Jumpserver jumpserver]# ./jms restart
# start koko in the foreground first; if it runs without problems, start it in the background with nohup ... &
(py3) [root@Jumpserver kokodir]# nohup ./koko &
# check the koko process
(py3) [root@Jumpserver kokodir]# ps -ef|grep koko
root 24694 23736 0 04:44 pts/1 00:00:00 ./koko
root 24734 23736 0 04:45 pts/1 00:00:00 grep --color=auto koko
(py3) [root@Jumpserver kokodir]# ss -anplt | grep koko
LISTEN 0 128 :::5000 :::* users:(("koko",pid=24694,fd=7))
LISTEN 0 128 :::2222 :::* users:(("koko",pid=24694,fd=8))
(py3) [root@Jumpserver /]# cd /opt/
(py3) [root@Jumpserver opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
(py3) [root@Jumpserver opt]# tar xf luna.tar.gz
(py3) [root@Jumpserver opt]# chown -R root:root luna
Guacamole is deployed with Docker here.
1. Install Docker
1) Remove older Docker versions
yum remove docker \
docker-common \
docker-selinux \
docker-engine
2) Configure the yum repository
yum install -y yum-utils \
device-mapper-persistent-data \
lvm2
yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
3) Install docker-ce
yum list docker-ce --showduplicates | sort -r # list the available Docker versions
yum install docker-ce-18.06.3.ce -y # install the newest version
4) Configure a registry mirror to speed up docker pull
mkdir /etc/docker
vim /etc/docker/daemon.json
{
"registry-mirrors": ["http://hub-mirror.c.163.com"]
}
5) Start Docker
systemctl start docker
systemctl enable docker
2. Start Guacamole with Docker
docker run --name jms_guacamole -d -p 127.0.0.1:8081:8081 \
-e JUMPSERVER_SERVER=http://127.0.0.1:8080 \
-e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver \
jumpserver/jms_guacamole:1.5.2
Parameter explanation:
docker run: start a container
--name: name of the container
-d: run the container in the background
-p 127.0.0.1:8081:8081: publish the container's port 8081 on the host's port 8081, bound to 127.0.0.1 only so it is not reachable from outside the host
-e: set an environment variable
-e JUMPSERVER_SERVER=http://127.0.0.1:8080: set the variable JUMPSERVER_SERVER to http://127.0.0.1:8080
-e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver: set the variable BOOTSTRAP_TOKEN to PleasgeChangeSameWithJumpserver
jumpserver/jms_guacamole:1.5.2: name and version of the image to pull

1. Install Nginx
1) Prepare the build environment
[root@Jumpserver ~]# yum install gcc-c++ libtool pcre-devel openssl-devel zlib-devel -y
[root@Jumpserver ~]# useradd -d /home/nginx -M -s /sbin/nologin nginx
[root@Jumpserver ~]# id nginx
uid=1001(nginx) gid=1001(nginx) groups=1001(nginx)
2) Download and install Nginx
[root@Jumpserver ~]# cd /usr/local/src/
[root@Jumpserver src]# wget http://nginx.org/download/nginx-1.15.10.tar.gz
[root@Jumpserver src]# tar xf nginx-1.15.10.tar.gz -C /usr/local/src/
[root@Jumpserver src]# cd /usr/local/src/nginx-1.15.10
[root@Jumpserver nginx-1.15.10]# ./configure --prefix=/usr/local/nginx \
--sbin-path=/usr/local/nginx/sbin/nginx \
--conf-path=/usr/local/nginx/conf/nginx.conf \
--pid-path=/usr/local/nginx/logs/nginx.pid \
--error-log-path=/usr/local/nginx/logs/error.log \
--http-log-path=/usr/local/nginx/logs/access.log \
--with-pcre \
--user=nginx \
--group=nginx \
--with-file-aio \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_v2_module \
--with-threads \
--with-http_realip_module \
--with-http_ssl_module
[root@Jumpserver nginx-1.15.10]# make && make install
[root@Jumpserver nginx-1.15.10]# echo $?
0
2. Configure Nginx
[root@Jumpserver /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.defaults
[root@Jumpserver /]# vim /usr/local/nginx/conf/nginx.conf
# global settings
user nginx nginx;
worker_processes auto;
error_log logs/error.log info;
pid logs/nginx.pid;
worker_rlimit_nofile 65535;
events {
    use epoll;
    worker_connections 65535;
    multi_accept on;
}
http {
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    server_tokens off;
    # Nginx buffer and cache settings
    client_header_buffer_size 4096;
    large_client_header_buffers 4 128k;
    client_header_timeout 15;
    client_body_timeout 15;
    send_timeout 65;
    client_max_body_size 10m;
    open_file_cache max=65535 inactive=60s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    open_file_cache_errors on;
    server_names_hash_bucket_size 128;
    # access log format
    log_format main '$remote_addr" "$remote_user" "[$time_local]" "$request"'
                    ' "$status" "$body_bytes_sent" "$http_referer"'
                    ' "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'
                    ' "$upstream_addr" "$request_time" "$upstream_response_time" "$http_host"';
    access_log logs/access.log main;
    # connection handling
    sendfile on;
    autoindex off; # directory listings must stay off: /static/ and /media/ (session recordings) are served straight from disk below
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    reset_timedout_connection on;
    # compression settings
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 16 64K;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript text/css application/xml application/javascript;
    gzip_vary on;
    gzip_proxied any;
    underscores_in_headers on;
    proxy_ignore_client_abort on;
    include /usr/local/nginx/conf/conf.d/*.conf;
}
3. Create the Nginx site file that integrates the components
[root@Jumpserver /]# mkdir /usr/local/nginx/conf/conf.d
[root@Jumpserver /]# vim /usr/local/nginx/conf/conf.d/jumpserver.conf
server {
    listen 80;
    client_max_body_size 100m; # size limit for recordings and file uploads
    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/; # luna path; change this if you changed the install directory
    }
    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/; # recording location; change this if you changed the install directory
    }
    location /static/ {
        root /opt/jumpserver/data/; # static resources; change this if you changed the install directory
    }
    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /coco/ {
        proxy_pass http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
4. Check the configuration and start Nginx
[root@Jumpserver /]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@Jumpserver /]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
5. Open the URL and log in
http://IP
Default account/password: admin/admin
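With Nginx in front, only port 80 (and Koko's SSH port 2222) need to be reachable from outside; Redis, MariaDB, Jumpserver, Koko's web port and Guacamole are all proxied from localhost. The script below is an added example, not part of the original article or of the Jumpserver project: it reads `ss -tlnp` output and reports any of those internal ports bound to a non-loopback address (the Koko listing earlier shows `:::5000`, i.e. all interfaces, and HTTP_BIND_HOST was set to 0.0.0.0 in config.yml). The embedded sample output is constructed, and the two port lists, the function names and the `--live` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article: after Nginx is in place,
# report which of the listed services are reachable beyond the loopback
# interface. Input is in the format printed by `ss -tlnp` (field 4 is the
# local address:port), as in the Koko check earlier in the article.

# Ports meant to be reachable from outside: Nginx (80) and Koko SSH (2222).
PUBLIC_PORTS="80 2222"
# Ports that only Nginx and Jumpserver on the same host need to reach.
INTERNAL_PORTS="6379 3306 8080 5000 8081"

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 :::5000 :::* users:(("koko",pid=24694,fd=7))
LISTEN 0 128 :::2222 :::* users:(("koko",pid=24694,fd=8))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("gunicorn",pid=30001,fd=5))
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=30002,fd=6))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=30003,fd=20))
LISTEN 0 128 127.0.0.1:8081 0.0.0.0:* users:(("docker-proxy",pid=30004,fd=4))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=30005,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=30006,fd=3))'

# True for IPv4/IPv6 loopback addresses as ss prints them.
is_loopback() {
    case "$1" in
        127.*|"::1"|"[::1]") return 0 ;;
        *) return 1 ;;
    esac
}

# True when the first argument appears among the remaining arguments.
port_in_list() {
    _needle=$1; shift
    for _p in "$@"; do
        [ "$_p" = "$_needle" ] && return 0
    done
    return 1
}

# Reads ss-style lines on stdin and prints "port address verdict" for every
# non-loopback listener that is either an internal service ("exposed") or a
# port this deployment does not account for ("unexpected"). Header and
# non-LISTEN lines are skipped.
check_listeners() {
    while read -r _state _rq _sq _laddr _rest; do
        [ "$_state" = "LISTEN" ] || continue
        _port=${_laddr##*:}
        _addr=${_laddr%:*}
        is_loopback "$_addr" && continue
        if port_in_list "$_port" $INTERNAL_PORTS; then
            echo "$_port $_addr exposed"
        elif ! port_in_list "$_port" $PUBLIC_PORTS; then
            echo "$_port $_addr unexpected"
        fi
    done
    return 0
}

# Run the check over the constructed sample; this is what `ss -tlnp | check_listeners`
# would print on a host with exactly these listeners.
demo() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_listeners
}

# Live mode: pass --live on the real host (requires iproute2's ss).
if [ "${1:-}" = "--live" ]; then
    ss -tlnp | check_listeners
fi
```

For the constructed sample the check flags Koko's web port on `::` and Jumpserver on `0.0.0.0`; the fixes are HTTP_BIND_HOST 127.0.0.1 in Jumpserver's config.yml and a loopback bind for Koko's web listener, while 2222 stays public because users SSH to it directly. Anything reported as "unexpected" (sshd on 22 in the sample) is simply a port the two lists above do not describe and should be reviewed rather than assumed wrong.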