说句大白话:就是监控运维人员、开发人员对服务器的命令操作。出了事故能找到具体责任人。
体系化的指令审计规则,让运维操作安全可控。
支持多重身份认证,让非法访问无所遁形。
主机账号统一管理,SSH密钥对一键批量下发。
使用Python/Django进行开发,遵循Web2.0规范,配备了业界领先的Web Terminal解决方案,交互界面美观、用户体验好。
采纳分布式架构,支持多机房跨区域部署,中心节点提供API,各机房部署登录节点,可横向扩展、无并发访问限制。
Jumpserver官网:https://jumpserver.org/
支持LDAP / AD,支持OpenID,支持MFA等
账号管理Account
支持账号集中管理、密码统一管理、资产用户收集等
授权控制Authorization
支持资产授权、应用授权、动作授权、时间授权、特权授权等
安全审计Audit
支持操作审计、会话审计、录像审计、指令审计和文件传输审计等
koko 为SSH Server和Web Terminal Server。用户可以使用自己的账户通过SSH或者Web Terminal访问SSH协议和Telnet协议资产
Luna 为Web Terminal Server前端页面,用户使用Web Terminal方式登录所需要的组件
Guacamole 为RDP协议和VNC协议资产组件,用户可以通过Web Terminal来连接RDP协议和VNC协议资产(暂时只能通过Web Terminal来访问)
koko 默认SSH端口为2222/tcp,默认Web Terminal端口为5000/tcp,配置文件在koko/config.yml。其中只有2222需要对用户开放,5000只应由本机nginx反向代理访问(下文docker run时已绑定到127.0.0.1)。
Guacamole 默认端口为8081/tcp,配置文件/config/tomcat9/conf/server.xml
Nginx 默认端口为80/tcp
Redis 默认端口为6379/tcp
Mysql 默认端口为3306/tcp
硬件配置: 2个CPU核心, 4G内存, 50G硬盘(最低)
操作系统: Linux发行版x86_64
Python = 3.6.x
Mysql Server ≥ 5.6
Mariadb Server ≥ 5.5.56
Redis
#安装文档
https://jumpserver.readthedocs.io/zh/master/setup_by_centos7.html
#环境准备
#系统版本
[root@jumpserver ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
#内核版本
[root@jumpserver ~]# uname -r
3.10.0-957.el7.x86_64
#IP地址
[root@jumpserver ~]# hostname -I
10.0.0.62 172.16.1.62
#防火墙(此处 iptables-save 无输出,说明当前没有任何过滤规则;注意后文 docker 部分使用了 firewall-cmd,前提是 firewalld 正在运行,两处要保持一致。堡垒机对外只应开放 22/2222 和 80/443,3306、6379、8080、8081、5000 都不应从外部可达)
[root@jumpserver ~]# iptables-save
#SELinux(本文环境为 Disabled。堡垒机集中保存资产凭据和会话录像,属于高价值主机,生产环境建议保持 Enforcing 并按需添加策略,而不是整体关闭)
[root@jumpserver ~]# getenforce
Disabled
#同步时间(审计日志、会话录像时间戳和 MFA/TOTP 校验都依赖准确的系统时钟。注意 cron 中的重定向要写成 `>/dev/null 2>&1`;`& >/dev/null` 会把 ntpdate 放到后台,重定向落在一个空命令上)
[root@jumpserver ~]# yum install -y ntpdate
[root@jumpserver ~]# ntpdate ntp1.aliyun.com
[root@jumpserver ~]# echo "*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1" >>/var/spool/cron/root
[root@jumpserver ~]# crontab -l
*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1
[root@jumpserver ~]# yum -y install wget gcc epel-release git
# 安装Redis, JumpServer使用Redis做cache和celery broker。Redis 中会缓存会话等敏感数据,请确认 /etc/redis.conf 的 bind 为 127.0.0.1,生产环境建议设置 requirepass(config.yml 中对应的 REDIS_PASSWORD 项需同步填写)
[root@jumpserver ~]# yum -y install redis
[root@jumpserver ~]# systemctl enable redis
[root@jumpserver ~]# systemctl start redis
# 安装MySQL,如果不使用Mysql可以跳过相关Mysql安装和配置,支持sqlite3, mysql, postgres等
[root@jumpserver ~]# yum -y install mariadb mariadb-devel mariadb-server MariaDB-shared
[root@jumpserver ~]# systemctl enable mariadb
[root@jumpserver ~]# systemctl start mariadb
# 创建数据库JumpServer并授权
# 注意:本文示例密码统一为 123,仅用于演示。堡垒机数据库保存着所有资产的账号密码,生产环境必须使用强随机密码。
# 另外不要把密码直接写在命令行参数里(如 -p123),它会出现在 ps 输出和 ~/.bash_history 中;下面改为交互式输入
[root@jumpserver ~]# mysqladmin password
[root@jumpserver ~]# mysql -uroot -p
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.64-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> Bye
# 安装Nginx,用作代理服务器整合JumpServer与各个组件
# 注意:软件源不要使用 gpgcheck=0 加明文 http,这样下载的包既没有签名校验也没有传输保护,处于中间人位置的攻击者可以替换 nginx 包。使用官方 https 源并开启 GPG 校验:
[root@jumpserver ~]# cat /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/centos/7/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
[root@jumpserver ~]# yum -y install nginx
[root@jumpserver ~]# systemctl start nginx
[root@jumpserver ~]# systemctl enable nginx
# 安装Python3.6
[root@jumpserver ~]# yum -y install python36 python36-devel
# 配置并载入Python3虚拟环境
[root@jumpserver ~]# cd /opt
[root@jumpserver /opt]# python3.6 -m venv py3 #py3 为虚拟环境名称,可自定义
[root@jumpserver /opt]# source /opt/py3/bin/activate #退出虚拟环境可以使用deactivate命令
# 看到下面的提示符代表成功,以后运行JumpServer都要先运行以上source命令,载入环境后默认以下所有命令均在该虚拟环境中运行
(py3) [root@jumpserver /opt]#
# 下载JumpServer(后文的 koko、guacamole、luna 都使用 1.5.7,core 也应固定到同一版本;不加 -b 会克隆 master 最新代码,与组件版本不一致时接口可能不兼容。请先确认仓库中存在该标签名)
(py3) [root@jumpserver /opt]# cd /opt/
(py3) [root@jumpserver /opt]# git clone --depth=1 -b 1.5.7 https://github.com/jumpserver/jumpserver.git
# 安装依赖RPM包
(py3) [root@jumpserver /opt]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
# 安装Python库依赖
(py3) [root@jumpserver /opt]# pip install wheel
(py3) [root@jumpserver /opt]# pip install --upgrade pip setuptools
(py3) [root@jumpserver /opt]# pip install -r /opt/jumpserver/requirements/requirements.txt
# 修改JumpServer配置文件
(py3) [root@jumpserver /opt]# cd /opt/jumpserver
(py3) [root@jumpserver /opt/jumpserver]# cp config_example.yml config.yml
# 生成随机SECRET_KEY(只取字母数字,这样后面用 sed 写入 config.yml 时不会出现 '/'、'&' 等对 sed 有特殊含义的字符)
(py3) [root@jumpserver /opt/jumpserver]# SECRET_KEY=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 50)
(py3) [root@jumpserver /opt/jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
# 生成随机BOOTSTRAP_TOKEN(koko/guacamole 向 core 注册时使用,后面 docker run 会引用 $BOOTSTRAP_TOKEN)
(py3) [root@jumpserver /opt/jumpserver]# BOOTSTRAP_TOKEN=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16)
(py3) [root@jumpserver /opt/jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
# 注意:SECRET_KEY 是 Django 密钥(一般也用于加密保存的资产凭据,泄露或丢失都很严重),BOOTSTRAP_TOKEN 持有者可以把任意终端组件注册到堡垒机。
# 写入 ~/.bashrc 只是为了后续步骤方便引用,两者会以明文长期留在 root 的 shell 启动文件中;组件注册完成后应把这两行从 ~/.bashrc 删除,
# 并收紧配置文件权限:chmod 600 /opt/jumpserver/config.yml
(py3) [root@jumpserver /opt/jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver /opt/jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
#修改其他配置(DB_PASSWORD 必须与前面 grant 语句中 jumpserver 用户的密码一致;示例中的 123 仅为演示,改成强密码时要同步修改 MySQL 中的授权。DEBUG: false 和 SESSION_EXPIRE_AT_BROWSER_CLOSE: true 这两项对生产环境很重要,不要跳过)
(py3) [root@jumpserver /opt/jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver /opt/jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver /opt/jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver /opt/jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: 123/g" /opt/jumpserver/config.yml
# 运行JumpServer
(py3) [root@jumpserver /opt/jumpserver]# cd /opt/jumpserver
(py3) [root@jumpserver /opt/jumpserver]# ./jms start -d #后台运行使用-d参数./jms start -d
# 新版本更新了运行脚本,使用方式./jms start|stop|status all后台运行请添加-d参数
(py3) [root@jumpserver /opt/jumpserver]# wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service
# 这个 unit 文件将以 root 身份执行,启用前先查看内容,确认 ExecStart 等指向本机的 /opt/jumpserver 而不是其它位置;unit 文件不需要执行位,644 即可
(py3) [root@jumpserver /opt/jumpserver]# cat /usr/lib/systemd/system/jms.service
(py3) [root@jumpserver /opt/jumpserver]# chmod 644 /usr/lib/systemd/system/jms.service
(py3) [root@jumpserver /opt/jumpserver]# systemctl daemon-reload
(py3) [root@jumpserver /opt/jumpserver]# systemctl enable jms # 配置自启
# 安装docker部署koko与guacamole
(py3) [root@jumpserver /opt/jumpserver]# yum install -y yum-utils device-mapper-persistent-data lvm2
(py3) [root@jumpserver /opt/jumpserver]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# (该镜像站支持 https,下面导入 GPG 密钥也用的是 https;repo 文件和密钥都不要通过明文 http 获取)
# 这个命令是将软件包信息提前在本地缓存一份,用来提高搜索安装软件的速度
(py3) [root@jumpserver /opt/jumpserver]# yum makecache fast
# 导入秘钥
(py3) [root@jumpserver /opt/jumpserver]# rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
(py3) [root@jumpserver /opt/jumpserver]# yum -y install docker-ce
(py3) [root@jumpserver /opt/jumpserver]# systemctl enable docker
(py3) [root@jumpserver /opt/jumpserver]# mkdir /etc/docker
# daemon.json 决定 docker 守护进程的镜像加速器、insecure-registries 等行为,属于敏感配置,不能通过明文 http 下载(demo.jumpserver.org 支持 https);写入后先查看内容再重启 docker
(py3) [root@jumpserver /opt/jumpserver]# wget -O /etc/docker/daemon.json https://demo.jumpserver.org/download/docker/daemon.json
(py3) [root@jumpserver /opt/jumpserver]# cat /etc/docker/daemon.json
(py3) [root@jumpserver /opt/jumpserver]# systemctl restart docker
# 允许容器访问宿主机 8080 端口(JumpServer core 的 HTTP 端口);防火墙关闭则无需此步
# 注意:容器网段请以 docker network inspect bridge 输出的 Subnet 为准(docker 默认桥接网段是 172.17.0.0/16,除非上面的 daemon.json 修改了 bip / default-address-pools)。
# 原文的 172.16.1.0/16 不是规范前缀(等价于 172.16.0.0/16),而且正好覆盖了本机第二块网卡所在的 172.16.1.x 网段,相当于把整个内网放行到 8080。
# 另外外层要用单引号,内层的双引号才能原样传给 firewalld。
(py3) [root@jumpserver /opt/jumpserver]# docker network inspect bridge -f '{{(index .IPAM.Config 0).Subnet}}'
(py3) [root@jumpserver /opt/jumpserver]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="8080" accept'
(py3) [root@jumpserver /opt/jumpserver]# firewall-cmd --reload
# 8080 对外只应通过本机 nginx 的 80/443 访问,不要对局域网整段放行;有条件的话按实际容器 IP 单独授权
# http:// 指向jumpserver的服务端口,如http://10.0.0.62:8080
# BOOTSTRAP_TOKEN为Jumpserver/config.yml里面的BOOTSTRAP_TOKEN(通过 -e 传入后可在 docker inspect 中看到,注意控制能访问 docker.sock 的用户范围;-p 2222:2222 是对外的 SSH 入口,5000/8081 只绑定 127.0.0.1 供 nginx 代理,不要改成对外监听)
(py3) [root@jumpserver /opt/jumpserver]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://10.0.0.62:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e LOG_LEVEL=ERROR --restart=always jumpserver/jms_koko:1.5.7
(py3) [root@jumpserver /opt/jumpserver]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://10.0.0.62:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e GUACAMOLE_LOG_LEVEL=ERROR --restart=always jumpserver/jms_guacamole:1.5.7
(py3) [root@jumpserver /opt/jumpserver]# cd /opt
(py3) [root@jumpserver /opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.7/luna.tar.gz
# 如果网络有问题导致下载无法完成可以使用下面地址
(py3) [root@jumpserver /opt]# wget https://demo.jumpserver.org/download/luna/1.5.7/luna.tar.gz
(py3) [root@jumpserver /opt]# tar xf luna.tar.gz
(py3) [root@jumpserver /opt]# chown -R root:root luna
# 配置Nginx整合各组件
(py3) [root@jumpserver /opt]# rm -rf /etc/nginx/conf.d/default.conf
(py3) [root@jumpserver /opt]# vim /etc/nginx/conf.d/jumpserver.conf
server {
    # NOTE(review): plain HTTP only. Everything behind this server block -- the
    # admin login, MFA codes, web terminal sessions and the session recordings
    # under /media/ -- crosses the network in cleartext. A bastion host should
    # terminate TLS here (listen 443 ssl, redirect 80 -> 443); the certificate
    # paths are deployment-specific and are not given in this guide.
    listen 80;
    server_name qls.jumpserver.com;
    client_max_body_size 100m; # upload limit for session recordings and file transfers

    # Luna: static single-page front end for the web terminal.
    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/; # luna install path; change if the install directory differs
    }

    # Session recordings. NOTE(review): this location serves files straight
    # from disk, so the application's login/authorization checks are not
    # applied here -- anyone who can reach this port and knows a recording
    # path can download it. Confirm that recording paths are unguessable, or
    # route this path through the application as well.
    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/; # recording storage; change if the install directory differs
    }

    # Static assets collected by the application.
    location /static/ {
        root /opt/jumpserver/data/; # static files; change if the install directory differs
    }

    # koko web terminal (SSH/Telnet assets); needs the WebSocket upgrade headers.
    # NOTE(review): access_log off on every location below removes nginx's own
    # record of client IPs and request timing -- for a bastion that is useful
    # forensic evidence on top of the application's audit log. Consider leaving
    # logging on here and on "/" at least.
    location /koko/ {
        proxy_pass http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # Guacamole web terminal (RDP/VNC assets). Note that the Connection header
    # is passed through from the client here, unlike the fixed "upgrade" above.
    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # WebSocket endpoint on 8070 -- presumably the core's own websocket
    # service; that port is not in the port list earlier in this guide, so
    # confirm what listens there before exposing it.
    location /ws/ {
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # Everything else goes to the JumpServer core (port 8080). X-Real-IP /
    # X-Forwarded-For are set from the direct client here; if another proxy
    # sits in front of nginx, these must be derived from that proxy instead,
    # otherwise the application's audit log records the wrong source address.
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}
# 运行Nginx
(py3) [root@jumpserver /opt]# nginx -t #确保配置没有问题,有问题请先解决
(py3) [root@jumpserver /opt]# systemctl start nginx
# 访问http://10.0.0.62 (注意没有:8080通过nginx代理端口进行访问)
#默认账号: admin 密码: admin。首次登录后立即修改 admin 密码并为管理员开启 MFA(系统支持,见前文功能介绍),然后到 会话管理-终端管理 接受 koko、Guacamole 等应用的注册。只接受自己刚刚部署的那几个组件,来源不明的注册请求一律拒绝(持有 BOOTSTRAP_TOKEN 的任何人都能发起注册)。
# 测试连接
[C:\~]$ ssh -p2222 admin@10.0.0.62
[C:\~]$ sftp -P2222 admin@10.0.0.62
密码: admin
# 如果是用在Windows下, Xshell Terminal登录语法如下
(py3) [root@jumpserver /opt]# ssh admin@10.0.0.62 2222
(py3) [root@jumpserver /opt]# sftp admin@10.0.0.62 2222
密码: admin如果能登陆代表部署成功
# sftp默认上传的位置在资产的/tmp目录下
# windows拖拽上传的位置在资产的Guacamole RDP上的G目录下
3. 浏览器域名进行访问测试
创建管理用户
创建命令过滤器
创建系统用户
创建资产