Jumpserver overview
Jumpserver core feature list
Jumpserver environment requirements
Jumpserver deployment
Installing Redis
Installing MariaDB
Editing the Jumpserver configuration file
Starting Jumpserver
Testing access
Jumpserver add-on components
Koko component deployment
Luna component deployment
Guacamole component deployment
Configuring Nginx to tie the components together
Jumpserver overview
Official site: www.jumpserver.org
Jumpserver is billed as the first fully open-source bastion host (jump server). It is released under the GNU GPL v2.0 licence and is an operations security audit system built around the 4A model (authentication, authorization, account, audit).
Jumpserver is written in Python/Django and follows Web 2.0 conventions. It uses a distributed architecture: it can be deployed across several data centres and regions, scales horizontally, and places no limit on the number of assets or concurrent sessions.
Jumpserver currently supports assets reachable over SSH, Telnet, RDP and VNC.
Jumpserver core feature list
Authentication
Account management
Authorization control
Security audit
Asset management (CMDB)
Jumpserver environment requirements
Hardware: 2 CPU cores, 4 GB RAM, 50 GB disk (minimum)
Operating system: an x86_64 Linux distribution
Python = 3.6.x
MySQL Server >= 5.6
MariaDB Server >= 5.5.56
Redis
Jumpserver deployment
1. Install the build dependencies
yum install wget gcc-c++ epel-release git -y
2. Install Python 3.6
[root@Jumpserver ~]# yum install python36.x86_64 python36-devel.x86_64 -y
[root@Jumpserver ~]# python36 -V
Python 3.6.8
3. Create a Python virtual environment
[root@Jumpserver ~]# python36 -m venv /opt/py3
4. Load the Python 3 virtual environment
Every time you work with Jumpserver, load the py3 virtual environment first with the command below. The (py3) prefix on the prompt shows that you are inside it; all of the commands that follow are run from inside this virtual environment.
[root@Jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@Jumpserver ~]#
Optionally, write a .env file so that the virtual environment is loaded automatically on entering the Jumpserver directory, saving the source step each time:
(py3) [root@Jumpserver ~]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
Two caveats. Run that echo only after step 5 has cloned the code: if /opt/jumpserver already exists and is not empty, git clone refuses to use it. And a .env file does nothing on its own in bash; the automatic activation relies on a directory-hook tool such as autoenv, which this page does not install. Without it, run the source command yourself before each jms invocation.
5. Fetch the Jumpserver code
(py3) [root@Jumpserver ~]# cd /opt/
(py3) [root@Jumpserver opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
Cloning into 'jumpserver'...
remote: Enumerating objects: 1156, done.
remote: Counting objects: 100% (1156/1156), done.
remote: Compressing objects: 100% (1028/1028), done.
remote: Total 1156 (delta 193), reused 632 (delta 64), pack-reused 0
Receiving objects: 100% (1156/1156), 6.96 MiB | 13.00 KiB/s, done.
Resolving deltas: 100% (193/193), done.
Note that this clones the current tip of the default branch, whereas the Koko, Luna and Guacamole builds installed later on this page are the 1.5.2 releases. Pin the core to the matching release tag (git clone -b <tag> ...) so that the core and its components agree on version.
6. Install the RPM and Python dependencies
(py3) [root@Jumpserver opt]# cd /opt/jumpserver/requirements/
(py3) [root@Jumpserver requirements]# yum install $(cat rpm_requirements.txt) -y
(py3) [root@Jumpserver requirements]# pip install --upgrade pip
(py3) [root@Jumpserver requirements]# pip install -r requirements.txt
Installing Redis
Jumpserver needs Redis.
It can be installed with yum or built from source; here it is built from source.
1. Install Redis
[root@Jumpserver src]# wget http://download.redis.io/releases/redis-5.0.5.tar.gz
[root@Jumpserver src]# tar xf redis-5.0.5.tar.gz
[root@Jumpserver src]# cd redis-5.0.5
[root@Jumpserver redis-5.0.5]# make
[root@Jumpserver redis-5.0.5]# cd src/
[root@Jumpserver src]# make install PREFIX=/usr/local/redis
[root@Jumpserver src]# mkdir /usr/local/redis/etc
[root@Jumpserver src]# cd /usr/local/src/redis-5.0.5
[root@Jumpserver redis-5.0.5]# cp -rf redis.conf /usr/local/redis/etc/
2. Write the configuration file
Replace <IP address> with the address Jumpserver will connect to (127.0.0.1 if Redis and Jumpserver share a host). If Redis listens on anything other than loopback, also set requirepass: protected-mode only refuses remote clients when no bind directive and no password are configured, so the explicit bind line below switches it off in practice, and an unauthenticated Redis reachable on the LAN exposes the sessions, cache and task-queue data Jumpserver keeps in it. Put the same password into REDIS_PASSWORD in Jumpserver's config.yml.
cat << EOF > /usr/local/redis/etc/redis.conf
daemonize yes
port 6379
bind <IP address>
protected-mode yes
requirepass <strong password>
pidfile "/usr/local/redis/run/redis.pid"
loglevel notice
logfile "/usr/local/redis/logs/redis.log"
save 900 1
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir "/usr/local/redis/data/rdb/"
timeout 0
tcp-keepalive 300
EOF
3. Create the directories and start Redis
#create the pid, log and persistence directories
[root@Jumpserver redis-5.0.5]# mkdir -p /usr/local/redis/{run,logs}
[root@Jumpserver redis-5.0.5]# mkdir -p /usr/local/redis/data/rdb/
#start redis
[root@Jumpserver redis-5.0.5]# /usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf
Installing MariaDB
Jumpserver needs a database, either MySQL or MariaDB. MariaDB must be 5.5.56 or newer and MySQL 5.6 or newer.
Here MariaDB is installed with yum.
1. Check that the MariaDB version meets the requirement
The distribution repository used here (CentOS 7) ships the MariaDB 5.5 series; confirm with yum info mariadb-server that the version it offers is at least 5.5.56 before installing.
2. Install MariaDB
[root@Jumpserver /]# yum install mariadb.x86_64 mariadb-devel.x86_64 mariadb-server.x86_64 -y
3. Start MariaDB
[root@Jumpserver /]# systemctl enable mariadb
[root@Jumpserver /]# systemctl start mariadb
4. Set the MariaDB root password
[root@Jumpserver /]# mysql -uroot -p
Enter password:   #the password is empty on the first connection, just press Enter
MariaDB [(none)]> set password for 'root'@localhost=password('xxxxxxxx');
MariaDB [(none)]> flush privileges;
5. Create the jumpserver database and grant access
The grant alone does not create the database, so create it first; a utf8 default character set avoids encoding problems with non-ASCII asset names. The grant is limited to connections from 127.0.0.1, which matches the DB_HOST used in config.yml below.
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'xxxxxxxx';
MariaDB [(none)]> flush privileges;
Editing the Jumpserver configuration file
[root@Jumpserver /]# cp -rf /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml
[root@Jumpserver /]# grep -Ev "#|^$" /opt/jumpserver/config.yml
SECRET_KEY: PwbiQAk0sQCStkR7FwauW3bYCBwJUqPEI4iVs6xyYczfEOWtH   #encryption key; generate your own with the command given in the comments of the config file
BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver.   #pre-shared token that Koko and Guacamole use to register their service accounts, replacing the old manual registration-acceptance mechanism
DB_ENGINE: mysql   #use MySQL/MariaDB
DB_HOST: 127.0.0.1   #database address
DB_PORT: 3306   #database port
DB_USER: jumpserver   #database user
DB_PASSWORD: xxxxxxxx   #database password
DB_NAME: jumpserver   #database name
HTTP_BIND_HOST: 0.0.0.0   #address Jumpserver binds at runtime; 0.0.0.0 means every interface
HTTP_LISTEN_PORT: 8080   #port Jumpserver listens on
REDIS_HOST: xxx.xxx.xx.xxx   #Redis host address
REDIS_PORT: 6379   #Redis port
REDIS_PASSWORD: xxxxxxxx   #only if requirepass is set in redis.conf; the key exists but is commented out in config_example.yml
Three points to get right before the first start. The SECRET_KEY shown here has been published on this page, so generate a fresh one; it encrypts the asset credentials stored in the database, so it must never change afterwards, or that data becomes unreadable. BOOTSTRAP_TOKEN must be replaced with a random value and copied byte-for-byte into the Koko configuration and the Guacamole container (if you keep the value above, note that the trailing period is part of it); a mismatch shows up as components failing to register. HTTP_BIND_HOST 0.0.0.0 exposes the core on every interface. Nginx reaches it over loopback, but the Guacamole container deployed below runs on Docker's bridge network and also has to reach port 8080 from the docker0 subnet, so the core cannot simply be bound to 127.0.0.1; restrict 8080 with the host firewall to loopback and the docker bridge instead.
Starting Jumpserver
#make sure the py3 virtual environment is active before starting; -d runs it in the background
[root@Jumpserver jumpserver]# source /opt/py3/bin/activate
(py3) [root@Jumpserver jumpserver]# cd /opt/jumpserver/
(py3) [root@Jumpserver jumpserver]# ./jms start -d
Testing access
URL: http://xxxxx:8080/auth/login/?next=/
Default credentials: admin/admin
The dashboard you land on after logging in is quite attractive. Change the admin password before doing anything else: the default pair is the first thing anyone scanning for bastion hosts tries.
Jumpserver add-on components
Jumpserver's own functionality is already substantial, but the following components round it out.
The components are:
Coco: the SSH server and Web Terminal server. Users log in over SSH or the Web Terminal with their own Jumpserver account and reach the assets they are authorized for, without ever knowing the servers' accounts and passwords. Coco has since been replaced by Koko.
Luna: the front-end pages of the Web Terminal, needed when users connect through the browser.
Guacamole: the component for Windows assets; users reach Windows assets through the Web Terminal (for now that is the only way to access them).
The components listen on the following ports:
Jumpserver: 8080/tcp
Redis: 6379/tcp
MySQL/MariaDB: 3306/tcp
Nginx: 80/tcp
Koko: 2222/tcp for SSH, 5000/tcp for the Web Terminal
Guacamole: 8081/tcp
Of these, only Nginx (80) and Koko's SSH port (2222) need to be reachable by users; the rest are back-end ports that should be bound to loopback or blocked by the host firewall.
Koko component deployment
1. Deploy Koko
[root@Jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@Jumpserver ~]# cd /opt/
(py3) [root@Jumpserver opt]# wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-6d4e69b-linux-amd64.tar.gz
(py3) [root@Jumpserver opt]# tar xf koko-master-6d4e69b-linux-amd64.tar.gz
(py3) [root@Jumpserver opt]# chown -R root:root kokodir
2. Edit the Koko configuration file
(py3) [root@Jumpserver opt]# cd kokodir/
(py3) [root@Jumpserver kokodir]# cp -rf config_example.yml config.yml
#the Koko configuration:
(py3) [root@Jumpserver kokodir]# grep -Ev "#|^$" /opt/kokodir/config.yml
CORE_HOST: http://127.0.0.1:8080   #URL of the Jumpserver core, used for API requests and registration
BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver.   #pre-shared token used to register Koko's service account and terminal; it must be identical to BOOTSTRAP_TOKEN in the Jumpserver config and can be removed once registration has succeeded
3. Start Koko
#restart Jumpserver first
(py3) [root@Jumpserver kokodir]# cd /opt/jumpserver/
(py3) [root@Jumpserver jumpserver]# ./jms restart
#start Koko in the foreground first; once it runs cleanly, stop it with Ctrl-C and start it in the background with nohup &
(py3) [root@Jumpserver jumpserver]# cd /opt/kokodir/
(py3) [root@Jumpserver kokodir]# ./koko
(py3) [root@Jumpserver kokodir]# nohup ./koko &
#check the Koko process
(py3) [root@Jumpserver kokodir]# ps -ef|grep koko
root 24694 23736 0 04:44 pts/1 00:00:00 ./koko
root 24734 23736 0 04:45 pts/1 00:00:00 grep --color=auto koko
(py3) [root@Jumpserver kokodir]# ss -anplt | grep koko
LISTEN 0 128 :::5000 :::* users:(("koko",pid=24694,fd=7))
LISTEN 0 128 :::2222 :::* users:(("koko",pid=24694,fd=8))
Note that the Web Terminal port 5000 is listening on every interface (:::5000). Users only need to reach it through Nginx, so block it from the outside with the host firewall; 2222 is the port users connect to for SSH and stays open.
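The ss output above shows which addresses each component is bound to, and the port list earlier on this page says which of them should face users. The script below is an added example, not part of the original tutorial or of the Jumpserver project: it reads ss -anplt output and flags any back-end component that is reachable beyond loopback. The port-to-component mapping is the one on this page; the sample output is constructed to mirror a host deployed exactly as described here.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of Jumpserver: audit the
# listening sockets of a Jumpserver host from "ss -anplt" output and flag any
# back-end component reachable beyond loopback. Only Nginx (80/tcp) and Koko's
# SSH port (2222/tcp) are meant to face users; everything else should be bound
# to 127.0.0.1 or blocked by the host firewall. Port assignments follow this
# page's component list; the sample output below is constructed.

# Component the page assigns to a port; prints nothing for unrelated ports.
jms_component_for_port() {
    case "$1" in
        8080) echo jumpserver-core ;;
        6379) echo redis ;;
        3306) echo mariadb ;;
        2222) echo koko-ssh ;;
        5000) echo koko-web ;;
        8081) echo guacamole ;;
        80|443) echo nginx ;;
    esac
}

# Read ss -anplt lines on stdin; print "component port address VERDICT" for
# each LISTEN socket of a known component. Returns 1 if any back-end listener
# is reachable beyond loopback, 0 otherwise.
jms_audit_listeners() {
    rc=0
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port="${laddr##*:}"          # text after the last ':' is the port
        addr="${laddr%:*}"           # everything before it is the address
        comp=$(jms_component_for_port "$port")
        [ -n "$comp" ] || continue
        verdict=OK
        case "$comp" in
            nginx|koko-ssh) ;;                       # user-facing by design
            *) case "$addr" in
                   127.0.0.1|"[::1]"|::1) ;;         # loopback only
                   *) verdict=EXPOSED; rc=1 ;;       # wildcard or LAN address
               esac ;;
        esac
        echo "$comp $port $addr $verdict"
    done
    return $rc
}

# Constructed sample in the layout ss -anplt prints, mirroring a host deployed
# as on this page: core on 0.0.0.0, Redis on its LAN address, MariaDB on its
# default wildcard bind, Guacamole published on 127.0.0.1, Koko on every
# interface (the :::5000 and :::2222 lines are the ones shown above).
JMS_SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:80                *:*     users:(("nginx",pid=3001,fd=6))
LISTEN 0      128    0.0.0.0:8080        *:*     users:(("gunicorn",pid=2001,fd=5))
LISTEN 0      128    192.0.2.10:6379     *:*     users:(("redis-server",pid=1001,fd=6))
LISTEN 0      50     *:3306              *:*     users:(("mysqld",pid=1101,fd=14))
LISTEN 0      128    127.0.0.1:8081      *:*     users:(("docker-proxy",pid=4001,fd=4))
LISTEN 0      128    :::5000             :::*    users:(("koko",pid=24694,fd=7))
LISTEN 0      128    :::2222             :::*    users:(("koko",pid=24694,fd=8))'

# On a real host replace the sample with:  ss -anplt | jms_audit_listeners
printf '%s\n' "$JMS_SAMPLE_SS" | jms_audit_listeners \
    || echo "exposed back-end listener(s): bind them to 127.0.0.1 or firewall the port"
```

Run against the sample, the core, Redis, MariaDB and Koko's Web Terminal port are reported as EXPOSED while Nginx, Koko SSH and the loopback-published Guacamole pass. The core (8080) and Redis are the cases to fix first: the core is reachable without going through Nginx, and Redis is reachable by anyone on the LAN who can guess that no password is set.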
Luna component deployment
(py3) [root@Jumpserver /]# cd /opt/
(py3) [root@Jumpserver opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
(py3) [root@Jumpserver opt]# tar xf luna.tar.gz
(py3) [root@Jumpserver opt]# chown -R root:root luna
Guacamole component deployment
Guacamole is deployed here with Docker.
1. Install Docker
1) Remove any old Docker packages
yum remove docker \
    docker-common \
    docker-selinux \
    docker-engine
2) Set up the yum repository
yum install -y yum-utils \
    device-mapper-persistent-data \
    lvm2
yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
3) Install docker-ce
yum list docker-ce --showduplicates | sort -r   #list the available Docker versions
yum install docker-ce-18.06.3.ce -y   #install the chosen version
4) Configure a registry mirror to speed up docker pull
mkdir /etc/docker
vim /etc/docker/daemon.json
{
  "registry-mirrors": ["http://hub-mirror.c.163.com"]
}
This mirror is addressed over plain HTTP. Layers are checked against the digests in the image manifest, but a manifest fetched by tag is not verified unless content trust is enabled, so an on-path attacker could hand the host a different jms_guacamole image; prefer an https:// mirror.
5) Start Docker
systemctl start docker
systemctl enable docker
2. Start Guacamole with Docker
docker run --name jms_guacamole -d -p 127.0.0.1:8081:8081 \
    -e JUMPSERVER_SERVER=http://<Jumpserver host IP>:8080 \
    -e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver. \
    jumpserver/jms_guacamole:1.5.2
Parameter explanation:
docker run: start a container
--name: the container's name
-d: run the container in the background
-p 127.0.0.1:8081:8081: publish the container's port 8081 on the host's loopback address only, so that only Nginx on the same host can reach Guacamole
-e: set an environment variable in the container
-e JUMPSERVER_SERVER=...: the URL of the Jumpserver core as seen from inside the container. With Docker's default bridge network, 127.0.0.1 inside the container is the container's own loopback, not the host, so the value must be an address of the host that the container can reach (its LAN IP or the docker0 gateway address), which is why the core binds HTTP_BIND_HOST to 0.0.0.0 above
-e BOOTSTRAP_TOKEN=...: the pre-shared token; it must be byte-for-byte identical to BOOTSTRAP_TOKEN in the Jumpserver and Koko config files, trailing period included if you keep this page's value, otherwise Guacamole fails to register
jumpserver/jms_guacamole:1.5.2: the image name and tag to pull
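The same BOOTSTRAP_TOKEN has now been typed into three places (the Jumpserver config.yml, the Koko config.yml and the Guacamole docker run line), REDIS_PASSWORD has to agree with requirepass in redis.conf, and config.yml still carries this page's example SECRET_KEY and placeholder passwords. The script below is an added example, not part of the original tutorial or of the Jumpserver project; it cross-checks those values before the components are started. The file paths are assumptions, and the sample configuration files and the hardened variants are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of the Jumpserver project:
# cross-check the secrets this deployment shares between Redis, the Jumpserver
# core, Koko and the Guacamole container. Paths and sample values are
# assumptions/constructed for the demo.

# Read a top-level "KEY: value  # comment" scalar from a Jumpserver-style
# config.yml. A YAML comment needs whitespace before '#', so a '#' inside the
# value (e.g. in a password) survives; surrounding quotes are stripped.
jms_yaml_get() {
    sed -n -E "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
      | sed -E 's/[[:space:]]+#.*$//; s/[[:space:]]+$//' \
      | sed -E "s/^\"(.*)\"$/\1/; s/^'(.*)'$/\1/"
}

# Read a "directive value" line from redis.conf (first occurrence wins).
redis_conf_get() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+//p" "$1" | head -n 1 | sed -E 's/^"(.*)"$/\1/'
}

# Pull KEY=value out of a "docker run ... -e KEY=value ..." command line.
docker_env_get() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n -E "s/^$2=//p" | head -n 1
}

# 0 if core, Koko and Guacamole carry the identical BOOTSTRAP_TOKEN, else 1.
jms_check_bootstrap_token() {
    core=$(jms_yaml_get "$1" BOOTSTRAP_TOKEN)
    koko=$(jms_yaml_get "$2" BOOTSTRAP_TOKEN)
    guac=$(docker_env_get "$3" BOOTSTRAP_TOKEN)
    rc=0
    [ -n "$core" ] || { echo "core: BOOTSTRAP_TOKEN missing"; rc=1; }
    [ "$koko" = "$core" ] || { echo "koko: '$koko' != core '$core'"; rc=1; }
    [ "$guac" = "$core" ] || { echo "guacamole: '$guac' != core '$core'"; rc=1; }
    return $rc
}

# 0 if Redis is loopback-only, or password-protected with the same password
# the core will present (REDIS_PASSWORD in config.yml), else 1.
jms_check_redis_auth() {
    bind=$(redis_conf_get "$2" bind)
    pass=$(redis_conf_get "$2" requirepass)
    if [ -z "$pass" ]; then
        case "$bind" in 127.0.0.1|::1|"127.0.0.1 ::1") return 0 ;; esac
        echo "redis: no requirepass and bound to '${bind:-all interfaces}'"; return 1
    fi
    if [ "$(jms_yaml_get "$1" REDIS_PASSWORD)" != "$pass" ]; then
        echo "redis: REDIS_PASSWORD in config.yml differs from requirepass"; return 1
    fi
    return 0
}

# 0 if config.yml no longer carries this page's example secrets, else 1.
jms_check_placeholders() {
    rc=0
    case "$(jms_yaml_get "$1" SECRET_KEY)" in
        ""|PwbiQAk0sQCStkR7FwauW3bYCBwJUqPEI4iVs6xyYczfEOWtH) echo "SECRET_KEY: empty or the published example"; rc=1 ;;
    esac
    case "$(jms_yaml_get "$1" BOOTSTRAP_TOKEN)" in
        ""|PleasgeChangeSameWithJumpserver*) echo "BOOTSTRAP_TOKEN: empty or the example value"; rc=1 ;;
    esac
    case "$(jms_yaml_get "$1" DB_PASSWORD)" in
        ""|xxxxxxxx) echo "DB_PASSWORD: empty or placeholder"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files reproducing this page's values (the Guacamole line
# lacks the trailing '.' that the YAML files carry), plus a hardened variant.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/jumpserver.yml" <<'EOF'
SECRET_KEY: PwbiQAk0sQCStkR7FwauW3bYCBwJUqPEI4iVs6xyYczfEOWtH
BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver. #pre-shared token
DB_PASSWORD: xxxxxxxx
REDIS_HOST: 192.0.2.10
EOF
cat > "$demo/koko.yml" <<'EOF'
CORE_HOST: http://127.0.0.1:8080 #Jumpserver core URL
BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver. #must match the core
EOF
printf 'daemonize yes\nport 6379\nbind 192.0.2.10\nprotected-mode yes\n' > "$demo/redis.conf"
DEMO_GUAC='docker run --name jms_guacamole -d -p 127.0.0.1:8081:8081 -e JUMPSERVER_SERVER=http://192.0.2.10:8080 -e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver jumpserver/jms_guacamole:1.5.2'
cat > "$demo/jumpserver_fixed.yml" <<'EOF'
SECRET_KEY: "Q7vL0pXa9mZt3RcYb2Ke8NwHs5UjD4fGiTr1AoBl6yMnCxVzEu"
BOOTSTRAP_TOKEN: 5d2f0c9a7b1e4f3c8a6d2e1b9c0f7a4d
DB_PASSWORD: "Db#Pass-Not-Placeholder"
REDIS_HOST: 192.0.2.10
REDIS_PASSWORD: "r3dis-Shared-Secret"
EOF
printf 'bind 192.0.2.10\nrequirepass "r3dis-Shared-Secret"\n' > "$demo/redis_fixed.conf"

echo "== as deployed on this page =="
jms_check_bootstrap_token "$demo/jumpserver.yml" "$demo/koko.yml" "$DEMO_GUAC" || true
jms_check_redis_auth "$demo/jumpserver.yml" "$demo/redis.conf" || true
jms_check_placeholders "$demo/jumpserver.yml" || true
echo "== hardened =="
jms_check_redis_auth "$demo/jumpserver_fixed.yml" "$demo/redis_fixed.conf" && echo "redis: ok"
jms_check_placeholders "$demo/jumpserver_fixed.yml" && echo "placeholders: none left"
```

On a real host call the three check functions with /opt/jumpserver/config.yml, /opt/kokodir/config.yml, /usr/local/redis/etc/redis.conf and the exact docker run line you intend to use; a non-zero exit from any of them means the components will either fail to register or run with a known secret. The YAML reader deliberately only strips a comment that is preceded by whitespace, so a '#' inside a quoted password is preserved, which is the case the hardened sample exercises.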

Configuring Nginx to tie the components together
1. Install Nginx
1) Prepare the build environment
[root@Jumpserver ~]# yum install gcc-c++ libtool pcre-devel openssl-devel zlib-devel -y
[root@Jumpserver ~]# useradd -d /home/nginx -M -s /sbin/nologin nginx
[root@Jumpserver ~]# id nginx
uid=1001(nginx) gid=1001(nginx) groups=1001(nginx)
2) Download and build Nginx
[root@Jumpserver ~]# cd /usr/local/src/
[root@Jumpserver src]# wget http://nginx.org/download/nginx-1.15.10.tar.gz
[root@Jumpserver src]# tar xf nginx-1.15.10.tar.gz -C /usr/local/src/
[root@Jumpserver src]# cd /usr/local/src/nginx-1.15.10
[root@Jumpserver nginx-1.15.10]# ./configure --prefix=/usr/local/nginx \
    --sbin-path=/usr/local/nginx/sbin/nginx \
    --conf-path=/usr/local/nginx/conf/nginx.conf \
    --pid-path=/usr/local/nginx/logs/nginx.pid \
    --error-log-path=/usr/local/nginx/logs/error.log \
    --http-log-path=/usr/local/nginx/logs/access.log \
    --with-pcre \
    --user=nginx \
    --group=nginx \
    --with-file-aio \
    --with-http_gzip_static_module \
    --with-http_stub_status_module \
    --with-http_v2_module \
    --with-threads \
    --with-http_realip_module \
    --with-http_ssl_module
[root@Jumpserver nginx-1.15.10]# make && make install
[root@Jumpserver nginx-1.15.10]# echo $?
0
2. Configure Nginx
One change from a stock "performance" template: autoindex is off. With it on, anyone can list the /media/ and /static/ trees that the server block below serves straight from disk, and /media/ is where session recordings live.
[root@Jumpserver /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.defaults
[root@Jumpserver /]# vim /usr/local/nginx/conf/nginx.conf
#global settings
user nginx nginx;
worker_processes auto;
error_log logs/error.log info;
pid logs/nginx.pid;
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    server_tokens off;

    #buffer and timeout settings
    client_header_buffer_size 4096;
    large_client_header_buffers 4 128k;
    client_header_timeout 15;
    client_body_timeout 15;
    send_timeout 65;
    client_max_body_size 10m;
    open_file_cache max=65535 inactive=60s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    open_file_cache_errors on;
    server_names_hash_bucket_size 128;

    #access log format
    log_format main '"$remote_addr" "$remote_user" "[$time_local]" "$request"'
                    ' "$status" "$body_bytes_sent" "$http_referer"'
                    ' "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'
                    ' "$upstream_addr" "$request_time" "$upstream_response_time" "$http_host"';
    access_log logs/access.log main;

    #connection handling
    sendfile on;
    autoindex off;   #never expose directory listings of recordings and static files
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    reset_timedout_connection on;

    #compression
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 16 64K;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript text/css application/xml application/javascript;
    gzip_vary on;
    gzip_proxied any;

    underscores_in_headers on;
    proxy_ignore_client_abort on;
    include /usr/local/nginx/conf/conf.d/*.conf;
}
3. Create the Nginx site file that ties the components together
[root@Jumpserver /]# mkdir /usr/local/nginx/conf/conf.d
[root@Jumpserver /]# vim /usr/local/nginx/conf/conf.d/jumpserver.conf
server {
    listen 80;
    client_max_body_size 100m;   # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;   # Luna path; change it if the install directory differs
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;   # session recordings; change it if the install directory differs
    }

    location /static/ {
        root /opt/jumpserver/data/;   # static assets; change it if the install directory differs
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
4. Check the configuration and start Nginx
[root@Jumpserver /]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@Jumpserver /]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
5. Open the URL and log in
http://IP
Default credentials: admin/admin
As configured, the bastion host is served over plain HTTP. Nginx was built with --with-http_ssl_module above, so before exposing it to users add a TLS server block and redirect port 80 to it; otherwise every Jumpserver login and every Web Terminal session crosses the network in clear text. Change the admin password at the first login.