Jumpserver 介绍
Jumpserver 核心功能列表
Jumpserver 环境要求
Jumpserver 部署
安装 redis
安装Mariadb
修改 Jumpserver 配置文件
启动 Jumpserver
测试访问
Jumpserver 插件安装
Koko 组件部署
Luna 组件部署
Guacamole 组件部署
配置 Nginx 整合各个组件
官方站点:www.jumpserver.org
Jumpserver是全球首款完全开源的堡垒机,使用GNU GPL v2.0开源协议,是符合4A的韵味安全审计系统。
Jumpserver使用Python/Django开发,遵循 Web 2.0规范,Jumpserver采纳分布式架构,支持多机房跨区域部署,支持横向扩展,无资产数量并发限制。
现在Jumpserver已支持SSH、Telnet、RDP、VNC协议资产。
身份验证 Authentication
账号管理 Account
授权控制 Authorization
安全审计 Audit
资产管理 CMDB
硬件配置:2个CPU核心,4G内存,50G硬盘(最低标准)
操作系统:Linux发行版 x86_64
Python = 3.6x
MySQL Server >= 5.6
Mariadb Server >= 5.5.56
Redis
1.安装依赖环境
yum install wget gcc-c++ epel-release git -y
2.安装python36
[root@Jumpserver ~]# yum install python36.x86_64 python36-devel.x86_64 -y [root@Jumpserver ~]# python36 -V Python 3.6.8
3.建立python虚拟环境
[root@Jumpserver ~]# python36 -m venv /opt/py3
4.载入python3虚拟环境
每次操作 jumpserver 都需要使用下面的命令载入 py3 虚拟环境
看到下面的提示将代表成功进入虚拟环境,以后运行jumpserver都要现运行上面的source命令,以下所有的命令都在虚拟环境中运行
[root@Jumpserver ~]# source /opt/py3/bin/activate (py3) [root@Jumpserver ~]# #进入 jumpserver 目录时将自动载入 python 虚拟环境,就不需要每次进入jumpser操作source命令了 (py3) [root@Jumpserver ~]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
5.获取Jumpserver代码
(py3) [root@Jumpserver ~]# cd /opt/ (py3) [root@Jumpserver opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git Cloning into 'jumpserver'... remote: Enumerating objects: 1156, done. remote: Counting objects: 100% (1156/1156), done. remote: Compressing objects: 100% (1028/1028), done. remote: Total 1156 (delta 193), reused 632 (delta 64), pack-reused 0 Receiving objects: 100% (1156/1156), 6.96 MiB | 13.00 KiB/s, done. Resolving deltas: 100% (193/193), done.
6.安装jumpserver依赖RPM包
(py3) [root@Jumpserver opt]# cd /opt/jumpserver/requirements/ (py3) [root@Jumpserver requirements]# yum install $(cat rpm_requirements.txt) -y (py3) [root@Jumpserver requirements]# pip install --upgrade pip (py3) [root@Jumpserver requirements]# pip install -r requirements.txt
Jumpserver要使用redis
可以使用yum安装,也可以编译安装,我这里使用编译安装redis
1.安装redis
[root@Jumpserver src]# wget http://download.redis.io/releases/redis-5.0.5.tar.gz [root@Jumpserver redis-5.0.5]# make [root@Jumpserver redis-5.0.5]# cd src/ [root@Jumpserver src]# make install PREFIX=/usr/local/redis [root@Jumpserver src]# mkdir /usr/local/redis/etc [root@Jumpserver src]# cd /usr/local/src/redis-5.0.5 [root@Jumpserver redis-5.0.5]# cp -rf redis.conf /usr/local/redis/etc/
2.修改配置文件
cat << EOF > /usr/local/redis/etc/redis.conf daemonize yes port 6379 bind IP地址 protected-mode yes pidfile "/usr/local/redis/run/redis.pid" loglevel notice logfile "/usr/local/redis/logs/redis.log" save 900 1 stop-writes-on-bgsave-error yes rdbcompression yes rdbchecksum yes dbfilename dump.rdb dir "/usr/local/redis/data/rdb/" timeout 0 tcp-keepalive 300 EOF
3.创建目录并启动redis
#创建pid文件目录、日志目录、redis持久化目录 [root@Jumpserver redis-5.0.5]# mkdir -p /usr/local/redis/{run,logs} [root@Jumpserver redis-5.0.5]# mkdir -p /usr/local/redis/data/rdb/ #启动redis [root@Jumpserver redis-5.0.5]# /usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf
Jumpserver使用数据库,可以选择MySQL或者Mariadb.Mariadb版本需要等于大于5.56,MySQL版本需要等于大于5.6
在此我选择使用yum方式部署Mariadb
1.查看Mariadb版本是否符合标准

2.安装Mariadb
[root@Jumpserver /]# yum install mariadb.x86_64 mariadb-devel.x86_64 mariadb-server.x86_64 -y
3.启动Mariadb
[root@Jumpserver /]# systemctl enable mariadb [root@Jumpserver /]# systemctl start mariadb
4.修改Mariadb数据库root密码
[root@Jumpserver /]# mysql -uroot -p Enter password: #首次连接数据库,直接回车即可 MariaDB [(none)]> set password for 'root'@localhost=password('xxxxxxxx'); MariaDB [(none)]> flush privileges;
5.创建数据库 Jumpserver 并授权
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'xxxxxxxx'; MariaDB [(none)]> flush privileges;
[root@Jumpserver /]# cp -rf /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml [root@Jumpserver /]# grep -Ev "#|^$" /opt/jumpserver/config.yml SECRET_KEY: PwbiQAk0sQCStkR7FwauW3bYCBwJUqPEI4iVs6xyYczfEOWtH #加密秘钥,可以使用配置文件中的命令生成 BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver. #预共享Token coco和guacamole用来注册服务账号,不在使用原来的注册接受机制 DB_ENGINE: mysql #使用MySQL数据库 DB_HOST: 127.0.0.1 #数据库连接地址 DB_PORT: 3306 #数据库连接端口 DB_USER: jumpserver #数据库连接用户 DB_PASSWORD: xxxxxxxx #数据库连接密码 DB_NAME: jumpserver #数据库名称 HTTP_BIND_HOST: 0.0.0.0 #Jumpserver运行时绑定的地址,0.0.0.0表示所有地址都绑定 HTTP_LISTEN_PORT: 8080 #Jumpserver运行时绑定的端口 REDIS_HOST: xxx.xxx.xx.xxx #Jumpserver连接redis主机地址 REDIS_PORT: 6379 #Jumpserver连接redis主机端口
#确保进入 py3 虚拟环境之后,再启动jumpserver,-d 选项为后台启动 [root@Jumpserver jumpserver]# source /opt/py3/bin/activate (py3) [root@Jumpserver jumpserver]# cd /opt/jumpserver/ (py3) [root@Jumpserver jumpserver]# ./jms start -d
访问地址:http://xxxxx:8080/auth/login/?next=/
账号密码默认为:admin/admin


登录成功后的界面还是非常美观的
Jumpserver本身的功能已经足够强大,但是加上以下几个组件更是让Jumpserver锦上添花。
组件如下:
Coco:Coco为 SSH Server 和 Web Terminal Server。用户可以通过使用自己的账户登录 SSH 或者 Web Terminal直接访问被授权的资产。不需要知道服务器的账户和密码,现在 Coco 已经被 koko 取代。
Luna:luna 为 Web Terminal Server 前端页面,用户使用 Web Terminal 方式登录时所需要的插件。
Guacamole:Guacamole 为 Windows 组件,用户可以通过 Web Terminal 来连接 Windows 资产(暂时只能通过 Web Terminal来访问)
各个组件所监听的端口如下:
Jumpserver:8080/tcp Redis:6379/tcp MySQL/Mariadb:3306/tcp Nginx:80/tcp Koko:SSH为2222/tcp,Web Terminal为5000/tcp Guacamole:8081/tcp
1.Koko 组件部署
[root@Jumpserver ~]# source /opt/py3/bin/activate (py3) [root@Jumpserver ~]# cd /opt/ (py3) [root@Jumpserver opt]# wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-6d4e69b-linux-amd64.tar.gz (py3) [root@Jumpserver opt]# tar xf koko-master-6d4e69b-linux-amd64.tar.gz (py3) [root@Jumpserver opt]# chown -R root:root kokodir
2.修改 Koko配置文件
(py3) [root@Jumpserver opt]# cd kokodir/ (py3) [root@Jumpserver kokodir]# cp -rf config_example.yml config.yml #Koko配置文件如下: (py3) [root@Jumpserver kokodir]# grep -Ev "#|^$" /opt/kokodir/config.yml CORE_HOST: http://127.0.0.1:8080 #Jumpserver项目的url, api请求注册会使用 BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver. #Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal,请和jumpserver 配置文件中的 BOOTSTRAP_TOKEN 保持一致,注册完成后可以删除
3.启动 Koko
#先重启下 Jumpserver (py3) [root@Jumpserver jumpserver]# ./jms restart #先进行前台启动 koko,如果前台没问题,则使用 nohup & 命令来后台启动 (py3) [root@Jumpserver kokodir]# nohup ./koko & #查看koko进程 (py3) [root@Jumpserver kokodir]# ps -ef|grep koko root 24694 23736 0 04:44 pts/1 00:00:00 ./koko root 24734 23736 0 04:45 pts/1 00:00:00 grep --color=auto koko (py3) [root@Jumpserver kokodir]# ss -anplt | grep koko LISTEN 0 128 :::5000 :::* users:(("koko",pid=24694,fd=7)) LISTEN 0 128 :::2222 :::* users:(("koko",pid=24694,fd=8))
(py3) [root@Jumpserver /]# cd /opt/ (py3) [root@Jumpserver opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz (py3) [root@Jumpserver opt]# tar xf luna.tar.gz (py3) [root@Jumpserver opt]# chown -R root:root luna
Guacamole这里使用docker部署
1.安装 docker
1)卸载老版本docker yum remove docker \ docker-common \ docker-selinux \ docker-engine 2)设置yum仓库 yum install -y yum-utils \ device-mapper-persistent-data \ lvm2 yum-config-manager \ --add-repo \ https://download.docker.com/linux/centos/docker-ce.repo 3)安装docker-ce版本 yum list docker-ce --showduplicates | sort -r #列出docker版本 yum install docker-ce-18.06.3.ce -y #选择最新版本安装 4)修改 docker pull 镜像时的加速文件 mkdir /etc/docker vim /etc/docker/daemon.json { "registry-mirrors": ["http://hub-mirror.c.163.com"] } 5)启动 docker systemctl start docker systemctl enable docker
2.使用docker启动Guacamole
docker run --name jms_guacamole -d -p 127.0.0.1:8081:8081 \ -e JUMPSERVER_SERVER=http://127.0.0.1:8080 \ -e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver \ jumpserver/jms_guacamole:1.5.2
参数解释:
docker run:启动一个容器 --name:指定容器名称 -d:后台启动容器 -p:将容器的127.0.0.1监听的8081端口映射到宿主机的8081端口 -e:设置环境变量 -e JUMPSERVER_SERVER=http://127.0.0.1:8080:将值http://127.0.0.1:8080设置变量为JUMPSERVER_SERVER -e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver:将值PleasgeChangeSameWithJumpserver设置变量为-e BOOTSTRAP_TOKEN jumpserver/jms__guacamole:1.5.2:下载镜像的名称及版本

1.安装 Nginx
1)准备安装环境 [root@Jumpserver ~]# yum install gcc-c++ libtool pcre-devel openssl-devel zlib-devel -y [root@Jumpserver ~]# useradd -d /home/nginx -M -s /sbin/nologin nginx [root@Jumpserver ~]# id nginx uid=1001(nginx) gid=1001(nginx) groups=1001(nginx) 2)下载并安装Nginx [root@Jumpserver ~]# cd /usr/local/src/ [root@Jumpserver src]# wget http://nginx.org/download/nginx-1.15.10.tar.gz [root@Jumpserver src]# tar xf nginx-1.15.10.tar.gz -C /usr/local/src/ [root@Jumpserver src]# cd /usr/local/src/nginx-1.15.10 [root@Jumpserver nginx-1.15.10]# ./configure --prefix=/usr/local/nginx \ --sbin-path=/usr/local/nginx/sbin/nginx \ --conf-path=/usr/local/nginx/conf/nginx.conf \ --pid-path=/usr/local/nginx/logs/nginx.pid \ --error-log-path=/usr/local/nginx/logs/error.log \ --http-log-path=/usr/local/nginx/logs/access.log \ --with-pcre \ --user=nginx \ --group=nginx \ --with-file-aio \ --with-http_gzip_static_module \ --with-http_stub_status_module \ --with-http_v2_module \ --with-threads \ --with-http_realip_module \ --with-http_ssl_module [root@Jumpserver nginx-1.15.10]# make && make install [root@Jumpserver nginx-1.15.10]# echo $? 0
2.配置 Nginx
[root@Jumpserver /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.defaults [root@Jumpserver /]# vim /usr/local/nginx/conf/nginx.conf #全局字段配置 user nginx nginx; worker_processes auto; error_log logs/error.log info; pid logs/nginx.pid; worker_rlimit_nofile 65535; events { use epoll; worker_connections 65535; multi_accept on; } http { include mime.types; default_type application/octet-stream; charset utf-8; server_tokens off; #定义Nginx缓存设置 client_header_buffer_size 4096; large_client_header_buffers 4 128k; client_header_timeout 15; client_body_timeout 15; send_timeout 65; client_max_body_size 10m; open_file_cache max=65535 inactive=60s; open_file_cache_valid 30s; open_file_cache_min_uses 1; open_file_cache_errors on; server_names_hash_bucket_size 128; #定义Nginx日志访问格式 log_format main '$remote_addr" "$remote_user" "[$time_local]" "$request"' ' "$status" "$body_bytes_sent" "$http_referer"' ' "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"' ' "$upstream_addr" "$request_time" "$upstream_response_time" "$http_host"'; access_log logs/access.log main; #网络连接功能 sendfile on; autoindex on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; reset_timedout_connection on; #压缩功能配置 gzip on; gzip_min_length 1k; gzip_buffers 16 64K; gzip_http_version 1.1; gzip_comp_level 6; gzip_types text/plain application/x-javascript text/css application/xml application/javascript; gzip_vary on; gzip_proxied any; underscores_in_headers on; proxy_ignore_client_abort on; include /usr/local/nginx/conf/conf.d/*.conf; }
3.创建 Nginx 文件并整合功能
[root@Jumpserver /]# mkdir /usr/local/nginx/conf/conf.d [root@Jumpserver /]# vim /usr/local/nginx/conf/conf.d/jumpserver.conf server { listen 80; client_max_body_size 100m; # 录像及文件上传大小限制 location /luna/ { try_files $uri / /index.html; alias /opt/luna/; # luna 路径, 如果修改安装目录, 此处需要修改 } location /media/ { add_header Content-Encoding gzip; root /opt/jumpserver/data/; # 录像位置, 如果修改安装目录, 此处需要修改 } location /static/ { root /opt/jumpserver/data/; # 静态资源, 如果修改安装目录, 此处需要修改 } location /socket.io/ { proxy_pass http://localhost:5000/socket.io/; proxy_buffering off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; } location /coco/ { proxy_pass http://localhost:5000/coco/; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; } location /guacamole/ { proxy_pass http://localhost:8081/; proxy_buffering off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; } location / { proxy_pass http://localhost:8080; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } }
4.启动 检查并启动Nginx
[root@Jumpserver /]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@Jumpserver /]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
5.输入URL并登录
http://IP
默认账号密码:admin/admin

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。