Jumpserver 1.5.2-2 (GPLv2) Deployment

Introduction to Jumpserver

Official site: www.jumpserver.org
Jumpserver is the first fully open-source bastion host (jump server). It is released under the GNU GPL v2.0 license and is a security audit system built around the 4A model (authentication, account, authorization, audit).
Jumpserver is developed in Python/Django, follows Web 2.0 conventions and uses a distributed architecture: it supports multi-datacenter, cross-region deployment, scales horizontally, and places no limit on the number of assets or concurrent sessions.
Jumpserver currently supports SSH, Telnet, RDP and VNC assets.

Jumpserver core features

  • Authentication
  • Account management
  • Authorization
  • Audit
  • Asset management (CMDB)

Jumpserver requirements

  • Hardware: 2 CPU cores, 4 GB RAM, 50 GB disk (minimum)
  • Operating system: a Linux distribution, x86_64
  • Python = 3.6.x
  • MySQL Server >= 5.6
  • MariaDB Server >= 5.5.56
  • Redis

Deploying Redis

Jumpserver uses Redis as its data cache. Redis can be installed with yum or compiled from source; here I compile it from source.

1. Install Redis

wget http://download.redis.io/releases/redis-5.0.5.tar.gz
tar xf redis-5.0.5.tar.gz && cd redis-5.0.5
make && cd src
make install PREFIX=/usr/local/redis

2. Create the required directories

mkdir /usr/local/redis/{etc,logs,run,data}

3. Write the configuration file

cat << EOF > /usr/local/redis/etc/redis.conf
daemonize yes
port 6379
bind 192.168.31.226
protected-mode yes
pidfile "/usr/local/redis/run/redis.pid"
loglevel notice
logfile "/usr/local/redis/logs/redis.log"
save 900 1
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum  yes
dbfilename dump.rdb
dir "/usr/local/redis/data/rdb/"
timeout 0
tcp-keepalive 300
requirepass NTJlZG&Iz
EOF

4. Start Redis

mkdir /usr/local/redis/data/rdb/
/usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf 

5. Test the connection to Redis

/usr/local/redis/bin/redis-cli -h 192.168.31.226 -p 6379 -a 'NTJlZG&Iz'
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
192.168.31.226:6379> 
192.168.31.226:6379> SELECT 1
OK

Deploying MariaDB

Jumpserver needs a database, either MySQL or MariaDB. MariaDB must be version 5.5.56 or later, MySQL 5.6 or later.
Here MariaDB is installed with yum.

1. Replace the yum repository

curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all && yum makecache
yum list | grep mariadb

2. Install and start MariaDB

yum install mariadb.x86_64 mariadb-devel.x86_64 mariadb-server.x86_64 -y
systemctl enable mariadb
systemctl start mariadb

3. Change the MariaDB root password

mysql -uroot -p
Enter password:         #on the first connection there is no password yet; just press Enter

MariaDB [(none)]> set password for 'root'@localhost=password('xxxxxxxx');
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

4. Create the jumpserver database and grant privileges

MariaDB [(none)]> create database jumpserver character set='utf8' collate='utf8_general_ci';
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'xxxxxxxx';
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

5. Harden the database

[root@jump /]# mysql_secure_installation

Enter current password for root (enter for none):       #enter the database root password
OK, successfully used password, moving on...

Change the root password? [Y/n] n                       #change the root password?
 ... skipping.

Remove anonymous users? [Y/n] y                         #remove anonymous users?
 ... Success!

Disallow root login remotely? [Y/n] y                   #disallow remote root login?
 ... Success!

Remove test database and access to it? [Y/n] y          #remove the test database?
 - Dropping test database...
 ... Success!

Reload privilege tables now? [Y/n] y                    #reload the privilege tables
 ... Success!

Deploying Jumpserver

1. Install dependencies

#Install the required tools and the Python 3.6 environment
yum install wget gcc-c++ epel-release git -y
yum install python36.x86_64 python36-devel.x86_64 -y

#Symlink python3.6
which python3.6
/bin/python3.6
ln -s /bin/python3.6 /bin/python36

#Check the version
python36 -V
Python 3.6.8

2. Create the Python virtual environment
The virtual environment is created under /opt/py3

python36 -m venv /opt/py3

3. Activate the Python 3 virtual environment
Every time you work with jumpserver, activate the py3 virtual environment with the command below

[root@jump /]# source /opt/py3/bin/activate
(py3) [root@jump /]#        #the (py3) prefix confirms the environment is active

Leaving the py3 virtual environment

Use the deactivate command to leave the virtual environment
(py3) [root@jump /]# deactivate
[root@jump /]# 

4. Download Jumpserver 1.5.2

(py3) [root@jump /]# cd /opt/
(py3) [root@jump opt]# wget https://github.com/jumpserver/jumpserver/archive/1.5.2.zip
(py3) [root@jump opt]# unzip 1.5.2.zip -d /opt/
(py3) [root@jump opt]# mv jumpserver-1.5.2 jumpserver

5. Install the RPM packages and Python libraries Jumpserver depends on

(py3) [root@jump opt]# cd /opt/jumpserver/requirements/
(py3) [root@jump requirements]# yum install $(cat rpm_requirements.txt) -y

#Install the Python library dependencies
(py3) [root@jump requirements]# pip install --upgrade pip setuptools
(py3) [root@jump requirements]# pip install -r requirements.txt

6. Edit the Jumpserver configuration

cp -rf /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml

#Generate the SECRET_KEY and BOOTSTRAP_TOKEN
cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
LDzERJ29tACct77hIIWSIX8AWmiHdCZsHSJjfHhd55IOHQ608

cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16;echo
XpM0ERAYf6PidqQE

grep -Ev "#|^$" /opt/jumpserver/config.yml
SECRET_KEY: LDzERJ29tACct77hIIWSIX8AWmiHdCZsHSJjfHhd55IOHQ608       #encryption key; can be generated with the command given in the config file
BOOTSTRAP_TOKEN: XpM0ERAYf6PidqQE                                   #pre-shared token used by coco and guacamole to register their service accounts; the old register-then-accept mechanism is no longer used
DEBUG: false                                                        #DEBUG mode; when enabled, errors produce more detailed logs
LOG_LEVEL: ERROR                                                    #log level; only ERROR and above is written to the log file
DB_ENGINE: mysql                                                    #use a MySQL database
DB_HOST: 127.0.0.1                                                  #database address
DB_PORT: 3306                                                       #database port
DB_USER: jumpserver                                                 #database user
DB_PASSWORD: xxxxxxxx                                               #database password
DB_NAME: jumpserver                                                 #database name
HTTP_BIND_HOST: 0.0.0.0                                             #address Jumpserver binds to; 0.0.0.0 means all addresses
HTTP_LISTEN_PORT: 8080                                              #port Jumpserver listens on
REDIS_HOST: 192.168.31.226                                          #Redis host Jumpserver connects to
REDIS_PORT: 6379                                                    #Redis port
REDIS_PASSWORD: NTJlZG&Iz                                           #Redis password


7. Start Jumpserver
Make sure the py3 virtual environment is active before starting jumpserver; the -d option starts it in the background

[root@jump /]# source /opt/py3/bin/activate
(py3) [root@jump /]# cd /opt/jumpserver
(py3) [root@jump jumpserver]# ./jms start -d

Jumpserver components

Jumpserver is already powerful on its own, but the following components make it even better.
  • Coco: Coco is the SSH Server and Web Terminal Server. Users log in to SSH or the Web Terminal with their own account and directly access the assets they are authorized for, without knowing the server's account and password. Coco has now been replaced by koko.
  • Luna: Luna is the front-end page of the Web Terminal Server, required when users log in through the Web Terminal.
  • Guacamole: Guacamole is the Windows component; users connect to Windows assets through the Web Terminal (for now Windows assets can only be accessed through the Web Terminal).

The ports each component listens on:

  • Jumpserver: 8080/tcp
  • Redis: 6379/tcp
  • MySQL/MariaDB: 3306/tcp
  • Nginx: 80/tcp
  • Koko: 2222/tcp for SSH, 5000/tcp for the Web Terminal
  • Guacamole: 8081/tcp

Deploying Koko

1. Install Koko

(py3) [root@jump jumpserver]# mkdir /opt/package
(py3) [root@jump jumpserver]# cd /opt/package/
(py3) [root@jump package]# wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-v52-1e1f1a8-linux-amd64.tar.gz
(py3) [root@jump package]# tar xf koko-v52-1e1f1a8-linux-amd64.tar.gz -C /opt/
(py3) [root@jump package]# chown -Rf root.root /opt/kokodir/

2. Edit the Koko configuration file

(py3) [root@jump package]# cp -rf /opt/kokodir/config_example.yml /opt/kokodir/config.yml

Change the configuration as follows

(py3) [root@jump package]# grep -Ev "#|^$" /opt/kokodir/config.yml
CORE_HOST: http://127.0.0.1:8080                        #URL of the Jumpserver project, used for API registration requests
BOOTSTRAP_TOKEN: XpM0ERAYf6PidqQE                       #Bootstrap Token, the pre-shared secret used to register coco's service account and terminal; must be identical to BOOTSTRAP_TOKEN in the jumpserver config file, and can be removed once registration is complete
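As an added check (not code from this post or from the Jumpserver project), the script below reads the Redis, Jumpserver and Koko configuration files written in the steps above and verifies the settings that matter most: Redis requires a password and is not bound to every interface, Jumpserver's REDIS_PASSWORD matches requirepass, DEBUG is off, SECRET_KEY is a real key, and BOOTSTRAP_TOKEN is identical in Jumpserver's and Koko's config.yml. The file paths are the ones used in this post; the sample files it runs against are constructed inline.

```shell
#!/bin/sh
# Added example (not part of the Jumpserver project): a post-deployment sanity
# check over the three config files written in this post. Assumed paths:
# /usr/local/redis/etc/redis.conf, /opt/jumpserver/config.yml and
# /opt/kokodir/config.yml; constructed sample files are used below so the
# script runs offline.

# Value of a "KEY: value" line in a yml file, trailing "# comment" stripped.
yml_get() { grep -E "^$2:" "$1" | head -n1 | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*(#.*)?$//'; }
# Value of a "key value" line in redis.conf.
redis_get() { grep -E "^$2[[:space:]]" "$1" | head -n1 | awk '{print $2}'; }

# Returns 0 when every check passes, 1 otherwise; each finding is printed.
check_deploy() {
    redis_conf=$1; jms_conf=$2; koko_conf=$3; rc=0
    [ "$(redis_get "$redis_conf" protected-mode)" = yes ] || { echo "redis: protected-mode is not yes"; rc=1; }
    pass=$(redis_get "$redis_conf" requirepass)
    [ -n "$pass" ] || { echo "redis: requirepass is not set"; rc=1; }
    case "$(redis_get "$redis_conf" bind)" in
        ""|0.0.0.0|"*") echo "redis: bind exposes Redis on every interface"; rc=1 ;;
    esac
    [ "$(yml_get "$jms_conf" REDIS_PASSWORD)" = "$pass" ] || { echo "jumpserver: REDIS_PASSWORD differs from redis requirepass"; rc=1; }
    [ "$(yml_get "$jms_conf" DEBUG)" = false ] || { echo "jumpserver: DEBUG is not false"; rc=1; }
    key=$(yml_get "$jms_conf" SECRET_KEY)
    [ ${#key} -ge 32 ] || { echo "jumpserver: SECRET_KEY is shorter than 32 characters"; rc=1; }
    tok=$(yml_get "$jms_conf" BOOTSTRAP_TOKEN)
    [ -n "$tok" ] || { echo "jumpserver: BOOTSTRAP_TOKEN is empty"; rc=1; }
    [ "$tok" = "$(yml_get "$koko_conf" BOOTSTRAP_TOKEN)" ] || { echo "koko: BOOTSTRAP_TOKEN differs from jumpserver"; rc=1; }
    return $rc
}

# Constructed sample files with the values shown in this post (not real secrets).
tmp=$(mktemp -d)
printf 'bind 192.168.31.226\nprotected-mode yes\nrequirepass NTJlZG&Iz\n' > "$tmp/redis.conf"
printf 'SECRET_KEY: LDzERJ29tACct77hIIWSIX8AWmiHdCZsHSJjfHhd55IOHQ608   # key\nBOOTSTRAP_TOKEN: XpM0ERAYf6PidqQE\nDEBUG: false\nREDIS_PASSWORD: NTJlZG&Iz\n' > "$tmp/config.yml"
printf 'CORE_HOST: http://127.0.0.1:8080\nBOOTSTRAP_TOKEN: XpM0ERAYf6PidqQE\n' > "$tmp/koko.yml"
# A koko config whose token was mistyped, to show a failing run.
printf 'BOOTSTRAP_TOKEN: XpM0ERAYf6PidqQX\n' > "$tmp/koko_bad.yml"

check_deploy "$tmp/redis.conf" "$tmp/config.yml" "$tmp/koko.yml" && echo "sample config: OK"
check_deploy "$tmp/redis.conf" "$tmp/config.yml" "$tmp/koko_bad.yml" || echo "mistyped koko token: rejected"
```

To run it against a real host, pass the three real paths to check_deploy instead of the constructed files.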

3. Start Koko

(py3) [root@jump opt]# cd /opt/kokodir/
(py3) [root@jump kokodir]# nohup ./koko start &
(py3) [root@jump kokodir]# tailf logs/koko.log          #check the log for koko errors

(py3) [root@jump kokodir]# ss -anplt | grep koko
LISTEN     0      128         :::5000                    :::*                   users:(("koko",pid=16448,fd=7))
LISTEN     0      128         :::2222                    :::*                   users:(("koko",pid=16448,fd=9))

(py3) [root@jump kokodir]# ps -ef | grep koko
root     16448  6479  0 18:14 pts/0    00:00:00 ./koko start
root     16485  6479  0 18:15 pts/0    00:00:00 grep --color=auto koko

Deploying Luna

(py3) [root@jump kokodir]# cd /opt/package/
(py3) [root@jump package]# wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
(py3) [root@jump package]# tar xf luna.tar.gz -C /opt/
(py3) [root@jump package]# chown -R root:root /opt/luna

Deploying Guacamole

1. Install Docker

1) Remove old Docker versions
yum remove docker \
                  docker-common \
                  docker-selinux \
                  docker-engine

2) Set up the yum repository
yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2

yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
    
3) Install docker-ce
yum list docker-ce --showduplicates | sort -r    #list available docker versions
yum install docker-ce-18.06.3.ce -y              #install the latest version

4) Configure a registry mirror to speed up docker pull
mkdir /etc/docker
vim /etc/docker/daemon.json
{
 "registry-mirrors": ["http://hub-mirror.c.163.com"]        
}

5) Start Docker
systemctl start docker
systemctl enable docker

2. Start Guacamole with Docker

docker run --name jms_guacamole_V1 -d \
    -p 8081:8081 \
    -e JUMPSERVER_SERVER=http://192.168.31.226:8080 \
    -e BOOTSTRAP_TOKEN=XpM0ERAYf6PidqQE \
    jumpserver/jms_guacamole:1.5.2

Parameter explanation:

docker run: start a container
--name: name of the container
-d: run the container in the background
-p: publish the container's port 8081 on port 8081 of the host
-e: set an environment variable
-e JUMPSERVER_SERVER=http://192.168.31.226:8080: set the JUMPSERVER_SERVER variable to the Jumpserver address (the host's IP is used rather than 127.0.0.1, because inside the container 127.0.0.1 refers to the container itself)
-e BOOTSTRAP_TOKEN=XpM0ERAYf6PidqQE: set the BOOTSTRAP_TOKEN variable; the value must be the same as BOOTSTRAP_TOKEN in the Jumpserver config.yml
jumpserver/jms_guacamole:1.5.2: name and version of the image to pull

The result is shown in the figure below.

Configuring Nginx to tie the components together

1. Install Nginx

1) Prepare the build environment
yum install gcc-c++ libtool pcre-devel openssl-devel zlib-devel -y
useradd -d /home/nginx -M -s /sbin/nologin nginx
id nginx
uid=1001(nginx) gid=1001(nginx) groups=1001(nginx)

2) Download and build Nginx
cd /usr/local/src/
wget http://nginx.org/download/nginx-1.15.10.tar.gz
tar xf nginx-1.15.10.tar.gz -C /usr/local/src/
cd /usr/local/src/nginx-1.15.10

./configure --prefix=/usr/local/nginx \
--sbin-path=/usr/local/nginx/sbin/nginx \
--conf-path=/usr/local/nginx/conf/nginx.conf \
--pid-path=/usr/local/nginx/logs/nginx.pid \
--error-log-path=/usr/local/nginx/logs/error.log \
--http-log-path=/usr/local/nginx/logs/access.log \
--with-pcre \
--user=nginx \
--group=nginx \
--with-file-aio \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_v2_module \
--with-threads \
--with-http_realip_module \
--with-http_ssl_module

make && make install
echo $?
0

2. Configure Nginx

mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.default
vim /usr/local/nginx/conf/nginx.conf
#global settings
user  nginx nginx;
worker_processes  auto;
error_log logs/error.log info;
pid logs/nginx.pid;
worker_rlimit_nofile 65535;
events {
    use epoll;
    worker_connections  65535;
    multi_accept on;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    charset utf-8;
    server_tokens off;

#Nginx buffer and cache settings
    client_header_buffer_size 4096;
    large_client_header_buffers 4 128k;
    client_header_timeout 15;
    client_body_timeout 15;
    send_timeout 65;
    client_max_body_size 10m;
    open_file_cache max=65535 inactive=60s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    open_file_cache_errors on;
    server_names_hash_bucket_size 128;
 
#Nginx access log format
   log_format  main  '"$remote_addr" "$remote_user" "[$time_local]" "$request"'
                     ' "$status" "$body_bytes_sent" "$http_referer"'
                     ' "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'
                     ' "$upstream_addr" "$request_time" "$upstream_response_time" "$http_host"';
    access_log  logs/access.log  main;

#connection settings
    sendfile        on;
    autoindex       on;    # enables directory listings for locations served from disk; Jumpserver does not need it
    tcp_nopush      on;
    tcp_nodelay     on;
    keepalive_timeout  65;
    types_hash_max_size 2048;
    reset_timedout_connection on;

#compression settings
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 16 64K;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript text/css application/xml application/javascript;
    gzip_vary on;
    gzip_proxied any;
    underscores_in_headers on;
    proxy_ignore_client_abort on;

    include /usr/local/nginx/conf/conf.d/*.conf;
}

3. Create the Nginx site file that integrates the components

mkdir /usr/local/nginx/conf/conf.d
vim /usr/local/nginx/conf/conf.d/jumpserver.conf

server {
    listen 80;

    client_max_body_size 100m;          # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;               # luna path; change this if the install directory is different
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;     # recording location; change this if the install directory is different
    }

    location /static/ {
        root /opt/jumpserver/data/;     # static assets; change this if the install directory is different
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass       http://localhost:5000/coco/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

4. Check the configuration and start Nginx

/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

/usr/local/nginx/sbin/nginx

5. Log in to Jumpserver

Enable start at boot

cat << EOF >> /etc/rc.d/rc.local
#start redis
/usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf

#start mariadb
systemctl start mariadb

#load the py3 environment
source /opt/py3/bin/activate

#start jumpserver
/opt/jumpserver/jms start -d

#start the koko component
cd /opt/kokodir/ && nohup /opt/kokodir/koko start &

#start docker
systemctl start docker

#start the guacamole container
docker start jms_guacamole_V1

#start nginx
/usr/local/nginx/sbin/nginx
EOF
#on CentOS 7 rc.local is not executable by default and is only run at boot once it is
chmod +x /etc/rc.d/rc.local

For installing the latest Jumpserver version, see: https://jumpserver.readthedocs.io/zh/master/setup_by_centos7.html
