JumpServer Bastion Host Deployment and Basic Usage

Table of contents

    • JumpServer bastion host
      • I. Theory:
        • 1. Bastion host vs. jump host
        • 2. JumpServer 4A authentication
      • II. Hands-on deployment:
        • 1. Prepare the base environment
        • 2. Deploy MySQL
        • 3. Deploy Python 3.6
        • 4. Deploy Redis
        • 5. Deploy the Core component
        • 6. Deploy the Koko component
        • 7. Deploy the Guacamole component
          • 1. Install FFmpeg
          • 2. Install Guacamole
          • 3. Install the JDK
          • 4. Install Tomcat
        • 8. Deploy the front-end components
          • 1. Deploy Lina
          • 2. Deploy Luna
          • 3. Nginx reverse proxy configuration
      • III. Platform operations:
        • 1. Change the default platform password
        • 2. Terminal login
        • 3. Configure e-mail
        • 4. Create users
        • 5. Create and manage assets
        • 6. Grant users access to assets
        • 7. Monitor sessions

JumpServer bastion host

I. Theory:

Official website:

1. Bastion host vs. jump host

A jump host and a bastion host share the same core idea: both provide a single, controlled entry point for managing IT assets. A bastion host, however, layers stronger capabilities on top of that, most notably 4A: identity authentication, account management, authorization (permission control) and security auditing.

2. JumpServer 4A authentication

  • Authentication (identity verification)
  • Account management
  • Authorization (permission control)
  • Auditing

II. Hands-on deployment:

1. Prepare the base environment

Minimum specification:

2 CPU cores, 4 GB RAM, 50 GB disk

Software versions:

python3 = 3.6.x

mysql = 5.7

redis = 4.0

Environment initialisation:

# firewall off for this lab build; in production keep it enabled and open only the ports exposed below (808 for Nginx, 2222 for Koko SSH)
systemctl disable --now firewalld
# match the whole SELINUX= value so both "enforcing" and "permissive" become "disabled"
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
setenforce 0

wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache

yum -y install git python-pip gcc gcc-c++ automake autoconf python-devel vim sshpass lrzsz readline-devel zlib zlib-devel

Set the locale so Chinese is supported:

localectl set-locale LANG=zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo "LANG=zh_CN.UTF-8" >> /etc/locale.conf
locale

2. Deploy MySQL

Install MySQL

mkdir /mysql5.7
tar xf mysql-5.7.37-1.el7.x86_64.rpm-bundle.tar -C /mysql5.7
cd /mysql5.7
yum -y localinstall ./*

Change the root password

systemctl enable --now mysqld
grep password /var/log/mysqld.log     # temporary root password generated on first start
# first password = the temporary one printed above; quote the new one so the shell does not treat * as a glob
mysqladmin -uroot -p'ESssIS#%*4zw' password 'NTQ34tg*@19VF'

Create the database and account JumpServer needs

-- run inside the mysql client (mysql -uroot -p)
create database jumpserver default charset 'utf8' collate 'utf8_bin';
-- '%' accepts connections from any host; the core connects from 127.0.0.1 (DB_HOST below), so 'jumpserver'@'127.0.0.1' is the tighter choice when the database is not shared
create user 'jumpserver'@'%' identified by 'NTQ34tg*@19VF';
grant all privileges on jumpserver.* to 'jumpserver'@'%' identified by 'NTQ34tg*@19VF';
flush privileges;

3. Deploy Python 3.6

Build Python from source

wget https://www.python.org/ftp/python/3.6.10/Python-3.6.10.tgz
tar zxf Python-3.6.10.tgz -C /usr/local/src/
cd /usr/local/src/Python-3.6.10/
./configure --prefix=/usr/local/python3.6
make && make install

Add it to PATH

# single quotes so $PATH is expanded at login rather than frozen at the time of writing
echo 'export PATH=$PATH:/usr/local/python3.6/bin' >> /etc/profile
source /etc/profile

Use the Aliyun PyPI mirror

pip3 config set global.index-url https://mirrors.aliyun.com/pypi/simple/

Create a Python virtual environment

pip3 install virtualenv

If this fails because Python was built without the ssl module (pip cannot reach an HTTPS index), fix it as follows:

yum -y install openssl openssl-devel
# once installed, delete the extracted Python source tree and repeat the configure/make steps above

Create the virtual environment jmpPython3

virtualenv --python=python3 /usr/local/python3.6/jmpPython3
# the system now has two Python 3 interpreters

Activate the jmpPython3 environment

source /usr/local/python3.6/jmpPython3/bin/activate

Leave the environment

deactivate

4. Deploy Redis

tar xf redis-4.0.11.tar.gz -C /usr/local/src/
cd /usr/local/src/redis-4.0.11
make
make install PREFIX=/usr/local/redis

cd /usr/local/redis/bin/
cp /usr/local/src/redis-4.0.11/redis.conf .

# run as a background daemon instead of holding the terminal; the default bind 127.0.0.1 stays in place
sed -i 's/^daemonize no/daemonize yes/' redis.conf
./redis-server redis.conf
ln -s /usr/local/redis/bin/* /usr/bin/

5. Deploy the Core component

Download and unpack

wget https://github.com/jumpserver/jumpserver/releases/download/v2.1.0/jumpserver-v2.1.0.tar.gz

mkdir /usr/local/jump
tar zxf jumpserver-v2.1.0.tar.gz -C /usr/local/jump
cd /usr/local/jump
ln -s jumpserver-v2.1.0/ jumpserver

Install system dependencies

yum -y install bash-completion psmisc nethogs glances bc ntpdate openldap-devel

Install the Python modules

source /usr/local/python3.6/jmpPython3/bin/activate
pip3 install -r /usr/local/jump/jumpserver/requirements/requirements.txt

Configure the backend

cd /usr/local/jump/jumpserver
cp config_example.yml config.yml

grep -Ev '^#|^$' config.yml
SECRET_KEY: NXU2vWZSRClMsrQ3SeELZTkggZqlHugM5RnsDZ3Hgw8Dux9PD
BOOTSTRAP_TOKEN: bfdJpNQDZDpCz0kLex4Mq2THYwvNZRaRtKFR0bRWmmleBE2tC
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: NTQ34tg*@19VF
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379

Generate the first two values (SECRET_KEY and BOOTSTRAP_TOKEN) with the command below, running it once for each so the two secrets differ:

cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo

Initialise the database

# with the jmpPython3 environment still active
python3 /usr/local/jump/jumpserver/apps/manage.py makemigrations
python3 /usr/local/jump/jumpserver/apps/manage.py migrate

Verify the imported tables in MySQL

use jumpserver;
show tables;

Start

/usr/local/jump/jumpserver/jms start -d
netstat -anput | grep 80[78]0 | head -n2     # 8080 (HTTP) and 8070 (WebSocket) should both be listening

6. Deploy the Koko component

Koko is written in Go; compared with the earlier Coco component (written in Python) it offers better performance, efficiency and resource usage.

wget https://github.com/jumpserver/koko/releases/download/v2.1.0/koko-v2.1.0-linux-amd64.tar.gz

tar zxf koko-v2.1.0-linux-amd64.tar.gz -C /usr/local/jump
cd /usr/local/jump
ln -s koko-v2.1.0-linux-amd64 koko
cd /usr/local/jump/koko
cp config_example.yml config.yml
grep -Ev '^#|^$' config.yml
CORE_HOST: http://10.0.24.5:8080
# must be identical to BOOTSTRAP_TOKEN in the jumpserver config.yml; it can be removed once registration has completed
BOOTSTRAP_TOKEN: bfdJpNQDZDpCz0kLex4Mq2THYwvNZRaRtKFR0bRWmmleBE2tC
BIND_HOST: 0.0.0.0
SSHD_PORT: 2222
HTTPD_PORT: 5000
ACCESS_KEY_FILE: data/keys/.access_key
LOG_LEVEL: INFO
SSH_TIMEOUT: 15
LANG: zh
ZIP_MAX_SIZE: 1024M
ZIP_TMP_PATH: /tmp
CLIENT_ALIVE_INTERVAL: 30
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379

Start

./koko -d

7. Deploy the Guacamole component

Required dependencies

yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel

Optional dependencies

yum install -y freerdp-devel pango-devel libssh2-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel

1. Install FFmpeg

yum install -y automake autoconf libtool gcc gcc-c++ gcc-objc gcc-objc++ libobjc

cd /usr/local/src

# opencore-amr
wget http://downloads.sourceforge.net/project/opencore-amr/opencore-amr/0.1.2/opencore-amr-0.1.2.tar.gz
tar xf opencore-amr-0.1.2.tar.gz
cd opencore-amr-0.1.2
./configure
make && make install

# lame
cd /usr/local/src
wget -O lame-3.100.tar.gz https://sourceforge.net/projects/lame/files/latest/download
tar zxf lame-3.100.tar.gz
cd lame-3.100
./configure
make && make install

# ffmpeg
cd /usr/local/src
wget http://ffmpeg.org/releases/ffmpeg-3.2.4.tar.bz2
tar xf ffmpeg-3.2.4.tar.bz2
cd ffmpeg-3.2.4

./configure --enable-version3 --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-shared --prefix=/usr/local/ffmpeg
make && make install

echo "/usr/local/ffmpeg/lib" > /etc/ld.so.conf.d/ffmpeg.conf
ldconfig
ln -sf /usr/local/ffmpeg/bin/ffmpeg /usr/bin/ffmpeg
# FFmpeg's own libraries live under the --prefix; the sonames are the major versions reported by `ffmpeg -version` below
ln -sf /usr/local/ffmpeg/lib/libavdevice.so.57 /usr/lib64/libavdevice.so.57
ln -sf /usr/local/ffmpeg/lib/libavfilter.so.6 /usr/lib64/libavfilter.so.6
ln -sf /usr/local/ffmpeg/lib/libavformat.so.57 /usr/lib64/libavformat.so.57
ln -sf /usr/local/ffmpeg/lib/libavcodec.so.57 /usr/lib64/libavcodec.so.57
ln -sf /usr/local/ffmpeg/lib/libswresample.so.2 /usr/lib64/libswresample.so.2
ln -sf /usr/local/ffmpeg/lib/libswscale.so.4 /usr/lib64/libswscale.so.4
ln -sf /usr/local/ffmpeg/lib/libavutil.so.55 /usr/lib64/libavutil.so.55
# opencore-amr and lame were built with the default prefix, so they are in /usr/local/lib
ln -sf /usr/local/lib/libopencore-amrwb.so.0 /usr/lib64/libopencore-amrwb.so.0
ln -sf /usr/local/lib/libopencore-amrnb.so.0 /usr/lib64/libopencore-amrnb.so.0
ln -sf /usr/local/lib/libmp3lame.so.0 /usr/lib64/libmp3lame.so.0
ffmpeg -version
ffmpeg version 3.2.4 Copyright (c) 2000-2017 the FFmpeg developers
built with gcc 4.8.5 (GCC) 20150623 (Red Hat 4.8.5-44)
configuration: --enable-version3 --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-shared --prefix=/usr/local/ffmpeg
libavutil      55. 34.101 / 55. 34.101
libavcodec     57. 64.101 / 57. 64.101
libavformat    57. 56.101 / 57. 56.101
libavdevice    57.  1.100 / 57.  1.100
libavfilter     6. 65.100 /  6. 65.100
libswscale      4.  2.100 /  4.  2.100
libswresample   2.  3.100 /  2.  3.100

2. Install Guacamole

yum -y install cairo-devel uuid uuid-devel

wget -O docker-guacamole-v2.1.1.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
tar zxf docker-guacamole-v2.1.1.tar.gz
mkdir /usr/local/jump/guacamole
mv docker-guacamole-master /usr/local/jump/guacamole/
cd /usr/local/jump/guacamole/

wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz
tar -xf guacamole-server-1.2.0.tar.gz

wget http://download.jumpserver.org/public/ssh-forward.tar.gz
tar -xf ssh-forward.tar.gz -C /bin/
chmod +x /bin/ssh-forward

# build guacd; configure must be run inside the unpacked server source tree
cd /usr/local/jump/guacamole/guacamole-server-1.2.0/
./configure --with-init-dir=/etc/init.d/
make && make install

3. Install the JDK

tar xf jdk-8u152-linux-x64.tar.gz -C /usr/local/

vim /etc/profile     # append the following lines; export them so child processes such as Tomcat inherit them

export JAVA_HOME=/usr/local/jdk1.8.0_152
export PATH=$JAVA_HOME/bin:$PATH:$HOME/bin
export CLASSPATH=.:$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar

source /etc/profile
java -version

4. Install Tomcat

tar zxf apache-tomcat-9.0.58.tar.gz
mv apache-tomcat-9.0.58 /usr/local/tomcat
cd /usr/local/tomcat
rm -rf webapps/*
sed -i 's/Connector port="8080"/Connector port="8081"/g' conf/server.xml   # 8080 is already used by the core
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> conf/logging.properties

wget http://download.jumpserver.org/release/v2.1.1/guacamole-client-v2.1.1.tar.gz
tar zxf guacamole-client-v2.1.1.tar.gz
mkdir -p /config/guacamole/extensions /config/guacamole/keys
cp guacamole-client-v2.1.1/guacamole-*.war webapps/ROOT.war
cp guacamole-client-v2.1.1/guacamole-*.jar /config/guacamole/extensions/
mv /usr/local/jump/guacamole/docker-guacamole-master/guacamole.properties /config/guacamole/

Environment variables (BOOTSTRAP_TOKEN must be the same value as in the core config.yml):

export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=bfdJpNQDZDpCz0kLex4Mq2THYwvNZRaRtKFR0bRWmmleBE2tC
echo "export BOOTSTRAP_TOKEN=bfdJpNQDZDpCz0kLex4Mq2THYwvNZRaRtKFR0bRWmmleBE2tC" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc
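The same BOOTSTRAP_TOKEN now lives in three places (the core config.yml, the koko config.yml and the Guacamole environment above), and a mismatch in any one of them leaves that component unable to register with the core. The script below is an added example, not part of JumpServer: it reads the three copies, checks them against each other and checks that SECRET_KEY is set and differs from the token. The function names (yaml_get, env_get, check_secrets), the 32-character minimum and the constructed sample files it runs against are my own assumptions; it only understands the flat KEY: value layout shown in these notes, not nested YAML.

```shell
#!/usr/bin/env bash
# Consistency check for the shared secrets of a JumpServer deployment:
#   core config.yml  -> SECRET_KEY, BOOTSTRAP_TOKEN
#   koko config.yml  -> BOOTSTRAP_TOKEN
#   guacamole env    -> "export BOOTSTRAP_TOKEN=..." (e.g. ~/.bashrc)
# Added example (not a JumpServer script). Flat "KEY: value" YAML only.

# Print the value of a top-level key from a flat YAML file, ignoring comments and quotes.
yaml_get() {
    grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$1" \
        | sed -n "s/^$2:[[:space:]]*//p" | head -n 1 \
        | sed -e "s/^['\"]//" -e "s/['\"]\$//"
}

# Print the value of the last "export NAME=value" line in a shell environment file.
env_get() {
    sed -n "s/^export $2=//p" "$1" | tail -n 1 \
        | sed -e "s/^['\"]//" -e "s/['\"]\$//"
}

# Generate a secret the same way the notes do: 49 alphanumerics from /dev/urandom.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-49}"; echo
}

# check_secrets CORE_YML KOKO_YML [ENV_FILE]  ->  exit 0 when consistent, 1 otherwise
check_secrets() {
    core=$1; koko=$2; envf=${3:-}; rc=0
    secret=$(yaml_get "$core" SECRET_KEY)
    token=$(yaml_get "$core" BOOTSTRAP_TOKEN)

    if [ "${#secret}" -lt 32 ]; then    # 32 is an assumed floor; the notes generate 49
        echo "FAIL: SECRET_KEY in $core is missing or shorter than 32 characters" >&2; rc=1
    fi
    if [ -z "$token" ]; then
        echo "FAIL: BOOTSTRAP_TOKEN is missing in $core" >&2; rc=1
    fi
    if [ "$secret" = "$token" ]; then
        echo "FAIL: SECRET_KEY and BOOTSTRAP_TOKEN must be different values" >&2; rc=1
    fi
    if [ "$(yaml_get "$koko" BOOTSTRAP_TOKEN)" != "$token" ]; then
        echo "FAIL: BOOTSTRAP_TOKEN in $koko does not match $core" >&2; rc=1
    fi
    if [ -n "$envf" ] && [ "$(env_get "$envf" BOOTSTRAP_TOKEN)" != "$token" ]; then
        echo "FAIL: BOOTSTRAP_TOKEN in $envf does not match $core" >&2; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: SECRET_KEY set and BOOTSTRAP_TOKEN consistent across all files"
    return "$rc"
}

# Constructed sample files (values are the ones shown in the notes) for a dry run.
demo_dir=$(mktemp -d)
cat > "$demo_dir/core.yml" <<'EOF'
# core config.yml (constructed sample)
SECRET_KEY: NXU2vWZSRClMsrQ3SeELZTkggZqlHugM5RnsDZ3Hgw8Dux9PD
BOOTSTRAP_TOKEN: bfdJpNQDZDpCz0kLex4Mq2THYwvNZRaRtKFR0bRWmmleBE2tC
DB_HOST: 127.0.0.1
EOF
cat > "$demo_dir/koko.yml" <<'EOF'
CORE_HOST: http://10.0.24.5:8080
BOOTSTRAP_TOKEN: bfdJpNQDZDpCz0kLex4Mq2THYwvNZRaRtKFR0bRWmmleBE2tC
EOF
printf 'export BOOTSTRAP_TOKEN=bfdJpNQDZDpCz0kLex4Mq2THYwvNZRaRtKFR0bRWmmleBE2tC\n' > "$demo_dir/guac.env"
check_secrets "$demo_dir/core.yml" "$demo_dir/koko.yml" "$demo_dir/guac.env"
```

On the real host the call is `check_secrets /usr/local/jump/jumpserver/config.yml /usr/local/jump/koko/config.yml ~/.bashrc`; run it before starting koko and Tomcat, since a token mismatch only surfaces later as a failed registration in the component logs.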

Start

/etc/init.d/guacd start

cd /usr/local/tomcat/bin/
./startup.sh 

8. Deploy the front-end components

1. Deploy Lina

wget https://github.com/jumpserver/lina/releases/download/v2.1.0/lina-v2.1.0.tar.gz
tar zxf lina-v2.1.0.tar.gz -C /usr/local/jump
cd /usr/local/jump && mv lina-v2.1.0/ lina

2. Deploy Luna

wget https://github.com/jumpserver/luna/releases/download/v2.1.0/luna-v2.1.0.tar.gz
tar zxf luna-v2.1.0.tar.gz -C /usr/local/jump
cd /usr/local/jump && mv luna-v2.1.0/ luna

3. Nginx reverse proxy configuration

tar zxf nginx-1.18.0.tar.gz -C /usr/local/src/
cd /usr/local/src/nginx-1.18.0/
./configure --prefix=/usr/local/nginx/
make && make install

vim /usr/local/nginx/conf/nginx.conf
include /usr/local/nginx/conf.d/*.conf; # add inside the http {} block, since the included file defines a server {}

mkdir /usr/local/nginx/conf.d

Add the jump virtual host, listening on port 808

vim /usr/local/nginx/conf.d/jump.conf

server {
    listen 808;

    client_max_body_size 100m;  # 录像及文件上传大小限制

    location /ui/ {
        try_files $uri / /index.html;
        alias /usr/local/jump/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /usr/local/jump/luna/;  # luna 路径
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /usr/local/jump/jumpserver/data/;  # 录像位置
    }

    location /static/ {
        root /usr/local/jump/jumpserver/data/;  # 静态资源
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
cd /usr/local/nginx/sbin
./nginx -t
./nginx

Verify: open http://IP:808 in a browser

JumpServer start-up sequence

source /usr/local/python3.6/jmpPython3/bin/activate

cd /usr/local/jump/jumpserver
./jms start -d 

/usr/local/jump/koko/koko -d

/etc/init.d/guacd start 
/usr/local/tomcat/bin/startup.sh
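After the four start commands, the quickest sanity check is whether each component's port actually has a listener. The function below is an added example, not a JumpServer utility: it reads `netstat -lnt` or `ss -lnt` output on stdin and prints every expected port that is not in LISTEN state. It is exercised on a constructed netstat sample in which koko's HTTP port (5000) is missing. The ports are the ones used in this deployment (8080/8070 core, 2222/5000 koko, 8081 Tomcat, 808 Nginx); the function name expect_listeners and the sample are my own.

```shell
#!/usr/bin/env bash
# Post-start listener check for the JumpServer components started above.
# Added example (not part of JumpServer). Reads `netstat -lnt` or `ss -lnt`
# output on stdin and prints every expected TCP port that has no listener.
#
# Usage:  netstat -lnt | expect_listeners 8080 8070 2222 5000 8081 808
# Returns 0 only when every port given is in LISTEN state.
expect_listeners() {
    # Column 4 is the local address in both netstat and ss output; the port is
    # the text after the last ':' (handles 0.0.0.0:8080, 127.0.0.1:6379, :::8081, [::]:8081).
    listening=$(awk '/LISTEN/ { n = split($4, a, ":"); print a[n] }')
    missing=0
    for port in "$@"; do
        if ! printf '%s\n' "$listening" | grep -qx "$port"; then
            echo "$port"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample of `netstat -lnt` output for a dry run: the core (8080/8070),
# koko SSH (2222), Redis (6379) and Tomcat (8081) are up, koko's HTTP port 5000 is not.
netstat_sample='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8070            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN
tcp6       0      0 :::8081                 :::*                    LISTEN'

if printf '%s\n' "$netstat_sample" | expect_listeners 8080 8070 2222 5000 8081; then
    echo "all expected listeners are up"
else
    echo "the ports printed above have no listener; check that component's log before going further"
fi
```

Because the function only looks at LISTEN lines, a component that started but died immediately shows up as a missing port rather than being hidden by a stale process list, which is the failure mode that otherwise surfaces only when the first user tries to connect.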

III. Platform operations:

1. Change the default platform password

Administrator > Profile > Login password settings

2. Terminal login

ssh -p 2222 admin@<JumpServer IP>     # 2222 is koko's SSHD_PORT; the port option goes before the host

3. Configure e-mail

Obtain an authorization code for the 163 mailbox

4. Create users

The password has now been sent to the user's mailbox

5. Create and manage assets

Create an admin user

Create the asset list

6. Grant users access to assets

Create a system user

Create an asset authorization

The user can now connect to the managed servers

7. Monitor sessions

Monitor the operations of user 秦子腾 in real time

View command records
