Tech 3 WHY:
What is JumpServer?
JumpServer is an open-source bastion host (jump server) system used to manage and control access to remote servers. It provides secure authentication, session recording and auditing, so that server access is both secure and traceable.
Why choose JumpServer?
- JumpServer is a widely used, community-supported open-source bastion host system with a record of stability and reliability.
- JumpServer offers a rich feature set, including authentication, session recording and auditing, which covers the requirements for security and traceability.
- JumpServer has an active developer and user community, so technical support, updates and improvements are readily available.
- JumpServer provides an easy-to-use, friendly user interface that makes managing and operating the bastion host more convenient.
How to deploy it on a single host?
- One host running a Linux operating system (mainstream distributions are supported, both deb- and rpm-based).
- Small environments can use the online installer; an offline installer is also available.
Deployment log
1. Environment preparation:
Hardware: 4-core CPU, 8 GB RAM, 100 GB disk (if session recordings must be kept long-term, configure a separate disk for that storage)
# Check the OS version
[root@localhost ~]# cat /etc/redhat-release
CentOS Stream release 9
# Set the hostname
[root@localhost ~]# hostnamectl set-hostname jumpserver
# Set the IP address
[root@jumpserver ~]# nmtui
# Disable SELinux
[root@jumpserver ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
2. Ports to open
Open the relevant ports on the network and host side according to how the JumpServer components are deployed in your environment. This installation opens
22, 80, 443, 3389 and 2222.
| Port | Purpose | Description |
|---|---|---|
| 22 | SSH | Used for installation, upgrades and management |
| 80 | Web HTTP service | Access the JumpServer front-end over HTTP |
| 443 | Web HTTPS service | Access the JumpServer front-end over HTTPS |
| 3306 | Database service | Used by MySQL |
| 6379 | Database service | Used by Redis |
| 3389 | Razor service port | Connect to Windows assets with an RDP client |
| 2222 | SSH client | Connect to JumpServer with SSH client terminal tools such as Xshell, PuTTY and MobaXterm |
| 33061 | Magnus MySQL service port | Connect to MySQL database assets with a DB client |
| 33062 | Magnus MariaDB service port | Connect to MariaDB database assets with a DB client |
| 54320 | Magnus PostgreSQL service port | Connect to PostgreSQL database assets with a DB client |
| 63790 | Magnus Redis service port | Connect to Redis database assets with a DB client |
| 30000-30100 | Magnus Oracle service port | Connect to Oracle database assets with a DB client; this port range is customizable |
3. Firewall configuration
# Check the current firewall state
[root@jumpserver ~]# firewall-cmd --state
running
# Add rules to open 22, 80, 443, 3389, 2222
[root@jumpserver ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@jumpserver ~]# firewall-cmd --zone=public --add-port=22/tcp --permanent
success
[root@jumpserver ~]# firewall-cmd --zone=public --add-port=443/tcp --permanent
success
[root@jumpserver ~]# firewall-cmd --zone=public --add-port=2222/tcp --permanent
success
# Reload the rules
[root@jumpserver ~]# firewall-cmd --reload
success
# Check the resulting firewall policy
[root@jumpserver ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp6s18
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 22/tcp 443/tcp 2222/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
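The plan in step 2 calls for 22, 80, 443, 3389 and 2222, but the `firewall-cmd --list-all` output above lists only 80, 22, 443 and 2222 as open ports, and the public zone still enables the cockpit and dhcpv6-client services alongside ssh. The script below is an added example, not part of the original post and not JumpServer's own tooling: it audits a captured `firewall-cmd --list-all` dump (a constructed copy of the output above) and reports required ports that are missing, plus ports and services that go beyond the plan. The required-port list and the allowed-service list are assumptions taken from the text of this post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a firewalld zone dump
# against the port plan from step 2.
# FW_OUTPUT is a constructed copy of the `firewall-cmd --list-all` output above.
FW_OUTPUT='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp6s18
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 22/tcp 443/tcp 2222/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Assumptions taken from the post: the ports the plan opens and the only
# zone service the bastion host should expose.
REQUIRED_PORTS="22/tcp 80/tcp 443/tcp 3389/tcp 2222/tcp"
ALLOWED_SERVICES="ssh"

# Value of one "key: value" line ($1 = key) in the dump given as $2.
fw_field() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Space-separated items of $1 that do not occur in the space-separated list $2.
set_difference() {
  out=""
  for item in $1; do
    case " $2 " in
      *" $item "*) ;;
      *) out="$out $item" ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# Required ports the zone does not open yet.
missing_ports() {
  set_difference "$REQUIRED_PORTS" "$(fw_field ports "$1")"
}

# Ports the zone opens that the plan never asked for.
extra_ports() {
  set_difference "$(fw_field ports "$1")" "$REQUIRED_PORTS"
}

# Zone services enabled beyond the allowed set.
extra_services() {
  set_difference "$(fw_field services "$1")" "$ALLOWED_SERVICES"
}

# Print every deviation; exit status 0 only when the zone matches the plan.
audit_zone() {
  status=0
  for check in missing_ports extra_ports extra_services; do
    result=$("$check" "$1")
    if [ -n "$result" ]; then
      echo "$check: $result"
      status=1
    fi
  done
  return $status
}

if audit_zone "$FW_OUTPUT"; then
  echo "zone matches the port plan"
else
  echo "zone deviates from the port plan (see above)"
fi
```

On the host itself, feed live output with `audit_zone "$(firewall-cmd --list-all)"`; a non-zero exit status means the zone differs from the plan, and the printed lines say how.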
4. Software installation
# Update packages
[root@jumpserver ~]# yum update
Last metadata expiration check: 4:52:28 ago on Fri 05 Jan 2024 11:57:22 AM CST.
Dependencies resolved.
Nothing to do.
Complete!
# Install the dependencies the installer's checks require
[root@jumpserver ~]# yum install -y wget curl tar gettext iptables
# Online installation; everything below runs automatically.
[root@jumpserver ~]# curl -sSL https://resource.fit2cloud.com/jumpserver/jumpserver/releases/latest/download/quick_start.sh | bash
download install script to /opt/jumpserver-installer-v3.10.1
██╗██╗ ██╗███╗ ███╗██████╗ ███████╗███████╗██████╗ ██╗ ██╗███████╗██████╗
██║██║ ██║████╗ ████║██╔══██╗██╔════╝██╔════╝██╔══██╗██║ ██║██╔════╝██╔══██╗
██║██║ ██║██╔████╔██║██████╔╝███████╗█████╗ ██████╔╝██║ ██║█████╗ ██████╔╝
██ ██║██║ ██║██║╚██╔╝██║██╔═══╝ ╚════██║██╔══╝ ██╔══██╗╚██╗ ██╔╝██╔══╝ ██╔══██╗
╚█████╔╝╚██████╔╝██║ ╚═╝ ██║██║ ███████║███████╗██║ ██║ ╚████╔╝ ███████╗██║ ██║
╚════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝
Version: v3.10.1
1. Check Configuration File
Path to Configuration file: /opt/jumpserver/config
/opt/jumpserver/config/config.txt [ √ ]
/opt/jumpserver/config/mariadb/mariadb.cnf [ √ ]
/opt/jumpserver/config/mysql/my.cnf [ √ ]
/opt/jumpserver/config/nginx/lb_http_server.conf [ √ ]
/opt/jumpserver/config/redis/redis.conf [ √ ]
/opt/jumpserver/config/nginx/cert/server.crt [ √ ]
/opt/jumpserver/config/nginx/cert/server.key [ √ ]
complete
>>> Install and Configure Docker
1. Install Docker
complete
2. Configure Docker
complete
3. Start Docker
complete
>>> Loading Docker Image
[jumpserver/mariadb:10.6] exist, pass
[jumpserver/redis:6.2] exist, pass
[jumpserver/chen:v3.10.1] exist, pass
[jumpserver/lion:v3.10.1] exist, pass
[jumpserver/magnus:v3.10.1] exist, pass
[jumpserver/koko:v3.10.1] exist, pass
[jumpserver/web:v3.10.1] exist, pass
[jumpserver/kael:v3.10.1] exist, pass
[jumpserver/core-ce:v3.10.1] exist, pass
complete
>>> Install and Configure JumpServer
1. Configure Private Key
complete
2. Configure Persistent Directory
Do you need custom persistent store, will use the default directory /data/jumpserver? (y/n) (default n): complete
3. Configure MySQL
Do you want to use external MySQL? (y/n) (default n): complete
4. Configure Redis
Do you want to use external Redis? (y/n) (default n): complete
5. Configure External Access
Do you need to customize the JumpServer external port? (y/n) (default n): complete
6. Init JumpServer Database
[+] Building 0.0s (0/0) docker:default
WARN[0000] Found orphan containers ([jms_chen jms_magnus jms_koko jms_web jms_celery jms_lion jms_kael]) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
[+] Running 3/3
✔ Container jms_redis Running 0.0s
✔ Container jms_mysql Running 0.0s
✔ Container jms_core Started 1.4s
2024-01-09 08:39:23 Collect static files
2024-01-09 08:39:24 Collect static files done
2024-01-09 08:39:24 Check database structure change ...
2024-01-09 08:39:24 Migrate model change to database ...
ALLOWED_HOSTS:
- localhost
- core:8080
- 127.0.0.1
- 127.0.0.1:8080
- 127.0.0.1:80
- localhost:8080
- localhost:80
- core:8080
- core:80
ALLOWED_HOSTS:
- localhost
- core:8080
- 127.0.0.1
- 127.0.0.1:8080
- 127.0.0.1:80
- localhost:8080
- localhost:80
- core:8080
- core:80
Operations to perform:
Apply all migrations: accounts, acls, admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, labels, notifications, ops, orgs, perms, rbac, sessions, settings, terminal, tickets, users
Running migrations:
No migrations to apply.
Your models in app(s): 'authentication' have changes that are not yet reflected in a migration, and so won't be applied.
Run 'manage.py makemigrations' to make new migrations, and then re-run 'manage.py migrate' to apply them.
After migration, update builtin role permissions
- Update builtin roles
complete
>>> The Installation is Complete
1. You can use the following command to start, and then visit
cd /opt/jumpserver-installer-v3.10.1
./jmsctl.sh start
2. Other management commands
./jmsctl.sh stop
./jmsctl.sh restart
./jmsctl.sh backup
./jmsctl.sh upgrade
For more commands, you can enter ./jmsctl.sh --help to understand
3. Web access
http://10.242.10.242:80
Default username: admin Default password: admin
4. SSH/SFTP access
ssh -p2222 admin@10.242.10.242
sftp -P2222 admin@10.242.10.242
5. More information
Official Website: https://www.jumpserver.org/
Documentation: https://docs.jumpserver.org/
[+] Building 0.0s (0/0) docker:default
[+] Running 10/10
✔ Container jms_mysql Running 0.0s
✔ Container jms_redis Running 0.0s
✔ Container jms_lion Running 0.0s
✔ Container jms_celery Running 0.0s
✔ Container jms_kael Running 0.0s
✔ Container jms_chen Running 0.0s
✔ Container jms_core Started 13.2s
✔ Container jms_magnus Running 0.0s
✔ Container jms_web Running 0.0s
✔ Container jms_koko Running
# When the installer finishes, run docker ps -a; normally 10 containers are running
[root@jumpserver scripts]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
22dcda4b2f74 jumpserver/core-ce:v3.10.1 "./entrypoint.sh sta…" 44 minutes ago Up 44 minutes (healthy) 8080/tcp jms_core
cc4928b0d372 jumpserver/chen:v3.10.1 "./entrypoint.sh" 3 days ago Up 3 days (healthy) 8082/tcp jms_chen
268950f1c801 jumpserver/magnus:v3.10.1 "./entrypoint.sh" 3 days ago Up 3 days (healthy) 0.0.0.0:14330->14330/tcp, :::14330->14330/tcp, 0.0.0.0:33061-33062->33061-33062/tcp, :::33061-33062->33061-33062/tcp, 0.0.0.0:63790->63790/tcp, :::63790->63790/tcp jms_magnus
90468c73705d jumpserver/koko:v3.10.1 "./entrypoint.sh" 3 days ago Up 3 days (healthy) 0.0.0.0:2222->2222/tcp, :::2222->2222/tcp, 5000/tcp jms_koko
234044f4a206 jumpserver/web:v3.10.1 "/docker-entrypoint.…" 3 days ago Up 3 days (healthy) 0.0.0.0:80->80/tcp, :::80->80/tcp jms_web
55917f15b045 jumpserver/core-ce:v3.10.1 "./entrypoint.sh sta…" 3 days ago Up 3 days (healthy) 8080/tcp jms_celery
af96e6f37b75 jumpserver/lion:v3.10.1 "./entrypoint.sh" 3 days ago Up 3 days (healthy) 4822/tcp, 8081/tcp jms_lion
b47b6f55212a jumpserver/kael:v3.10.1 "./entrypoint.sh" 3 days ago Up 3 days (healthy) 8083/tcp jms_kael
3ab0d0bfd550 jumpserver/mariadb:10.6 "docker-entrypoint.s…" 3 days ago Up 3 days (healthy) 3306/tcp jms_mysql
24ffd9477a5b jumpserver/redis:6.2 "docker-entrypoint.s…" 3 days ago Up 3 days (healthy) 6379/tcp jms_redis
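The `docker ps -a` listing above is the check that matters after installation: ten containers, every one `Up` and `(healthy)`, and only the intended ports published on the host. The script below is an added example, not part of the original post and not JumpServer's own tooling: it parses a captured `docker ps -a` listing (a constructed copy of the output above, with column alignment simplified), names any expected container that is missing or not healthy, and lists the host ports the stack publishes on 0.0.0.0. The expected container names are an assumption taken from the listing. Note that the listing shows jms_magnus publishing 14330, a port that the table in step 2 does not mention; reconcile it with your firewall plan.

```shell
#!/bin/sh
# Added example (not from the original post): verify a `docker ps -a` listing
# after the JumpServer installer has run.
# DOCKER_PS is a constructed copy of the listing shown above.
DOCKER_PS='CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
22dcda4b2f74   jumpserver/core-ce:v3.10.1   "./entrypoint.sh sta…"   44 minutes ago   Up 44 minutes (healthy)   8080/tcp   jms_core
cc4928b0d372   jumpserver/chen:v3.10.1   "./entrypoint.sh"   3 days ago   Up 3 days (healthy)   8082/tcp   jms_chen
268950f1c801   jumpserver/magnus:v3.10.1   "./entrypoint.sh"   3 days ago   Up 3 days (healthy)   0.0.0.0:14330->14330/tcp, :::14330->14330/tcp, 0.0.0.0:33061-33062->33061-33062/tcp, :::33061-33062->33061-33062/tcp, 0.0.0.0:63790->63790/tcp, :::63790->63790/tcp   jms_magnus
90468c73705d   jumpserver/koko:v3.10.1   "./entrypoint.sh"   3 days ago   Up 3 days (healthy)   0.0.0.0:2222->2222/tcp, :::2222->2222/tcp, 5000/tcp   jms_koko
234044f4a206   jumpserver/web:v3.10.1   "/docker-entrypoint.…"   3 days ago   Up 3 days (healthy)   0.0.0.0:80->80/tcp, :::80->80/tcp   jms_web
55917f15b045   jumpserver/core-ce:v3.10.1   "./entrypoint.sh sta…"   3 days ago   Up 3 days (healthy)   8080/tcp   jms_celery
af96e6f37b75   jumpserver/lion:v3.10.1   "./entrypoint.sh"   3 days ago   Up 3 days (healthy)   4822/tcp, 8081/tcp   jms_lion
b47b6f55212a   jumpserver/kael:v3.10.1   "./entrypoint.sh"   3 days ago   Up 3 days (healthy)   8083/tcp   jms_kael
3ab0d0bfd550   jumpserver/mariadb:10.6   "docker-entrypoint.s…"   3 days ago   Up 3 days (healthy)   3306/tcp   jms_mysql
24ffd9477a5b   jumpserver/redis:6.2   "docker-entrypoint.s…"   3 days ago   Up 3 days (healthy)   6379/tcp   jms_redis'

# Assumption taken from the listing above: the ten containers a complete
# single-host installation leaves running.
EXPECTED_CONTAINERS="jms_core jms_chen jms_magnus jms_koko jms_web jms_celery jms_lion jms_kael jms_mysql jms_redis"

# Names of containers whose STATUS column reads "Up ... (healthy)".
# NAMES is the last column, so $NF is the container name.
healthy_containers() {
  printf '%s\n' "$1" | grep 'Up .*(healthy)' | awk '{ print $NF }' | tr '\n' ' '
}

# Expected containers that are absent from the listing, not Up, or not healthy.
unhealthy_containers() {
  healthy=$(healthy_containers "$1")
  out=""
  for c in $EXPECTED_CONTAINERS; do
    case " $healthy " in
      *" $c "*) ;;
      *) out="$out $c" ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# Host ports or port ranges published on 0.0.0.0, one per line, deduplicated.
# Ports without a "0.0.0.0:" mapping stay inside the Docker network.
published_ports() {
  printf '%s\n' "$1" | grep -oE '0\.0\.0\.0:[0-9]+(-[0-9]+)?' | sed 's/^0\.0\.0\.0://' | sort -u
}

if [ -z "$(unhealthy_containers "$DOCKER_PS")" ]; then
  echo "all expected containers are Up and healthy"
else
  echo "not healthy or missing: $(unhealthy_containers "$DOCKER_PS")"
fi
echo "host-published ports:"
published_ports "$DOCKER_PS"
```

On a live host, replace the constructed listing with `unhealthy_containers "$(docker ps -a)"` and `published_ports "$(docker ps -a)"`; anything in the published list that is not in your firewall plan deserves a second look before the host is exposed.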
After completing the steps above, open a browser and enter http://<host IP> to reach the site. Screenshot as follows:
<aside> 💡 This concludes the installation part; the next post will cover user management.
</aside>