I. Overview of jump hosts and bastion hosts
Jump host: a jump host belongs to the broader category of internal-control bastion hosts and is a host application used for single sign-on. In practice it is a single server: operations staff first log in to this server, and from it log in to the target devices to do their maintenance. Its drawbacks are that it does not control or audit what operators actually do, so when a mistaken or unauthorised operation occurs it is hard to pin down the cause and the person responsible; and it is a serious security risk in itself, because if the jump host is compromised, every backend resource behind it is fully exposed. For a few resource types (such as telnet) a jump host can provide some internal control, but for the wider and more specialised set of resources (FTP, RDP, and so on) it falls short.
Bastion host: within a given network environment, to protect the network and its data from intrusion and damage by both external and internal users, a bastion host uses a range of technical means to collect and monitor in real time the system state, security events and network activity of every component in that environment, so that alerts can be centralised, incidents handled promptly and audit responsibility assigned. This effectively lowers the risk of operations work and makes operations management simpler and safer.
II. Overview of Jumpserver
Jumpserver is an open-source jump host system written in Python and Django. It provides internet companies with authentication, authorisation, auditing and automated operations, which makes it a bastion host. Official site: http://www.jumpserver.org/. It is developed in China and comes with Chinese documentation: https://jumpserver.readthedocs.io/zh/master/ (the installation steps there are complete).
Jumpserver has three components: Jumpserver, koko/Coco and Luna. Jumpserver is the management backend and the core component; it is written in the Django class-based-view style and exposes a RESTful API.
Coco implements the SSH server and the web terminal server; it provides SSH and WebSocket interfaces and is built on Paramiko and Flask.
Luna is the web terminal frontend. The plan is for all frontend pages to come from this project, with Jumpserver providing only the API and no longer rendering HTML on the backend.
Lab environment
I. Prepare the system environment
1. Check the system version
# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
# uname -a
Linux localhost.localdomain 3.10.0-1160.31.1.el7.x86_64 #1 SMP Thu Jun 10 13:32:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
2. Turn off SELinux and the firewall
# getenforce   // check the SELinux status
Disabled   // if it shows Enforcing instead of Disabled, run "setenforce 0"
# systemctl stop firewalld.service   // stop the firewall
II. Start the installation
1. Install Docker and the CentOS and MySQL images
# yum -y install docker   # install Docker
# systemctl start docker
# docker pull centos   # pull the CentOS image
# docker pull mysql   # pull the MySQL image
# docker images   # list the downloaded images
REPOSITORY TAG IMAGE ID CREATED SIZE
mysql latest e94009aa1afe 6 weeks ago 534MB
centos latest 300e315adb2f 7 months ago 209MB
Start the MySQL image, publish port 3306 and create the database user
Create the MySQL container
# docker run --name mysql -p 3306:3306 -v /opt/nms/my.cnf:/etc/my.cnf -e MYSQL_ROOT_PASSWORD=123456 -d --restart always mysql
Enter the MySQL container
# docker exec -it mysql /bin/bash
# mysql -uroot -p   # connect to MySQL inside the container
Create the database and the user. The mysql:latest image is MySQL 8, which no longer accepts GRANT ... IDENTIFIED BY, so the user is created first; the Jumpserver container reaches MySQL over the Docker bridge (--link), so a user restricted to 127.0.0.1 would not match its connections.
> create database jumpserver default charset 'utf8';
> create user 'jumpserver'@'%' identified by '123456';
> grant all on jumpserver.* to 'jumpserver'@'%';
> exit
Create the Jumpserver container and set up the environment and code
First, in the /home/zyy/ directory:
# wget -O jumpserver-2.12.zip https://github.com/jumpserver/jumpserver/archive/refs/heads/v2.12.zip   # download the source
# unzip jumpserver-2.12.zip   # extract it
Create the container
# docker run -it -v /home/zyy/jumpserver-2.12/:/app/ -p 0.0.0.0:8080:8080 -p 0.0.0.0:6379:6379 -p 0.0.0.0:8070:8070 --link mysql:mysql --name jumpserver --privileged=true centos:latest /bin/bash
Enter the container
# docker exec -it jumpserver /bin/bash
Set up the environment inside the container: install the dependency packages, Python 3, wget and so on. If the combined install fails, install the packages one by one.
# yum install -y gcc wget sqlite-devel automake make zlib-devel krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel lcms2-devel libwebp-devel tcl-devel tk-devel openldap-devel mariadb-devel mysql libffi-devel openssh-clients telnet openldap-clients
# Install Python 3.6 (CentOS 7 ships it as the python3 package; the headers are in python3-devel)
# yum install -y python3
# yum install -y python3-devel
Install Redis
# wget http://download.redis.io/releases/redis-3.0.6.tar.gz
# tar zxvf redis-3.0.6.tar.gz
# cd redis-3.0.6
# make MALLOC=libc
# src/redis-server redis.conf --protected-mode no &   # start Redis in the background with protected mode off (the binary stays under src/ because make install was not run); for a real deployment drop the trailing option, since the container publishes 6379 on 0.0.0.0 and an unprotected Redis is reachable from the network
# src/redis-cli ping   # should answer PONG
# ps -aux|grep redis   # check the Redis process
Create the Python virtual environment
# cd /app/
# python3 -m venv py3
# source /app/py3/bin/activate
When the prompt below appears, the virtual environment is active. Every time you run Jumpserver you must first run the source command above; all the commands that follow are run inside the virtual environment.
(py3) [root@localhost app]#
Install Jumpserver and its dependencies (the source is mounted at /app/ inside this container)
(py3) [root@localhost app]# echo "source /app/py3/bin/activate" > /app/.env   # auto-load the virtual environment when entering the Jumpserver directory
(py3) [root@localhost app]# cd /app/requirements/
(py3) [root@localhost requirements]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
(py3) [root@localhost requirements]# pip install python-ldap==3.3.1 -i http://pypi.douban.com/simple --trusted-host pypi.douban.com
Edit the Jumpserver configuration file (the database settings and the BOOTSTRAP_TOKEN live here; the koko and Guacamole components below must use the same token)
(py3) [root@localhost requirements]# cd /app/
(py3) [root@localhost app]# cp config_example.yml config.yml
(py3) [root@localhost app]# cd utils/
(py3) [root@localhost utils]# bash make_migrations.sh
# Start Jumpserver
(py3) [root@localhost utils]# cd /app/
(py3) [root@localhost app]# ./jms start all -d
(py3) [root@localhost app]# netstat -anput | grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 27665/python3
Test in a browser: ip:8080
Deploy the KoKo component with Docker
koko download link: https://github.com/jumpserver/koko/releases/
Create the koko container (YOUR_IP below stands for the address of the Docker host)
# cd /home/zyy/   # pick a suitable version from the link above and download the koko package
# tar -xf koko-v2.4.0-linux-amd64.tar.gz
# mv koko-v2.4.0-linux-amd64 koko
# docker run -it -v /home/zyy/koko/:/app/ -p 2222:2222 -p 0.0.0.0:5000:5000 -e CORE_HOST=http://YOUR_IP:8080 -e BOOTSTRAP_TOKEN=99a0hu9pqc5U9qBN -e LOG_LEVEL=ERROR --name jms_koko --privileged=true centos:latest /bin/bash
# chown -R root:root koko
# cd koko
# mv kubectl /usr/local/bin/
# wget https://download.jumpserver.org/public/kubectl.tar.gz
# tar -xf kubectl.tar.gz
# chmod 755 kubectl && mv kubectl /usr/local/bin/rawkubectl
# rm -rf kubectl.tar.gz
# cp config_example.yml config.yml
# vi config.yml
BOOTSTRAP_TOKEN must be copied from jumpserver/config.yml so that the two are identical (the value passed with -e above is only an example and has to match as well)
# ./koko
Add the -d option to run it in the background
Deploy the Guacamole component with Docker
docker run --name jms_guacamole -d \
-p 127.0.0.1:8081:8080 \
-e JUMPSERVER_SERVER=http://YOUR_IP:8080 \
-e BOOTSTRAP_TOKEN=abcdefg1234 \
-e GUACAMOLE_LOG_LEVEL=ERROR \
jumpserver/jms_guacamole:v2.4.0
Replace YOUR_IP with your own IP address; BOOTSTRAP_TOKEN must again be the value from jumpserver/config.yml.
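As an added example (not code from the original post or from the Jumpserver project), the following POSIX shell lint checks the two things this lab most often gets wrong: that the BOOTSTRAP_TOKEN handed to koko and Guacamole matches the one in jumpserver/config.yml, and that the redis.conf started with --protected-mode no still limits who can connect. All file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post or of Jumpserver itself.
# (1) The BOOTSTRAP_TOKEN given to koko / guacamole must equal the one in
#     jumpserver's config.yml, otherwise the component cannot register.
# (2) The redis.conf started with "--protected-mode no" should at least bind
#     to loopback or set requirepass, since port 6379 was published on 0.0.0.0.
# All file names and file contents below are constructed for the demo.

# token_of FILE: print the BOOTSTRAP_TOKEN value without quotes, spaces or comments.
token_of() {
    sed -n '/^[[:space:]]*BOOTSTRAP_TOKEN:/p' "$1" | head -n 1 \
        | cut -d: -f2- | sed 's/#.*//' | tr -d ' \t"' | tr -d "'"
}

# tokens_match CORE_YML COMPONENT_YML: succeed only if both hold the same non-empty token.
tokens_match() {
    core=$(token_of "$1")
    comp=$(token_of "$2")
    [ -n "$core" ] && [ "$core" = "$comp" ]
}

# redis_restricted REDIS_CONF: succeed if an uncommented "requirepass" is set or
# "bind" is exactly 127.0.0.1; fail if any host on the network could connect.
redis_restricted() {
    pass_line=$(sed -n 's/^[[:space:]]*requirepass[[:space:]]\{1,\}//p' "$1" | head -n 1)
    bind_line=$(sed -n 's/^[[:space:]]*bind[[:space:]]\{1,\}//p' "$1" | head -n 1 | tr -d ' \t')
    [ -n "$pass_line" ] && return 0
    [ "$bind_line" = "127.0.0.1" ]
}

# Constructed sample files that mirror the layout of the real config_example.yml files.
demo_dir=$(mktemp -d)
printf 'SECRET_KEY: change-me\nBOOTSTRAP_TOKEN: "99a0hu9pqc5U9qBN"\nDB_ENGINE: mysql\n' > "$demo_dir/jumpserver.yml"
printf 'CORE_HOST: http://127.0.0.1:8080\nBOOTSTRAP_TOKEN: 99a0hu9pqc5U9qBN  # same as core\n' > "$demo_dir/koko.yml"
printf 'CORE_HOST: http://127.0.0.1:8080\nBOOTSTRAP_TOKEN: abcdefg1234\n' > "$demo_dir/other.yml"
printf '# bind 127.0.0.1\nport 6379\n' > "$demo_dir/redis-open.conf"
printf 'bind 127.0.0.1\nport 6379\n' > "$demo_dir/redis-local.conf"

# Report; the functions exit 0/1, so the same calls can gate a deployment script.
for f in koko other; do
    tokens_match "$demo_dir/jumpserver.yml" "$demo_dir/$f.yml" \
        && echo "$f: token matches core" || echo "$f: token MISMATCH with core"
done
for f in redis-open redis-local; do
    redis_restricted "$demo_dir/$f.conf" \
        && echo "$f: restricted" || echo "$f: reachable without auth from any address"
done
```

Point the functions at the real /app/config.yml, koko/config.yml and redis.conf paths from the steps above to check a live deployment.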
Start a separate container for the lina and luna components and nginx
Download luna and lina into the /home/zyy/ui/ directory
lina download link: https://github.com/jumpserver/lina/releases/
luna download link: https://github.com/jumpserver/luna/releases/
# docker run -it -v /home/zyy/nginx/:/etc/nginx/ -v /home/zyy/ui/:/app/ -v /home/zyy/jumpserver-2.12/:/jumpserver/ -p 0.0.0.0:80:80 --link mysql:mysql --name nginx_ui --privileged=true centos:latest /bin/bash
Install nginx
# yum install nginx
Install the lina component
# cd /app
# tar -xf lina-v2.12.1.tar.gz
# mv lina-v2.12.1 lina
# chown -R nginx:nginx lina
Install the luna component
# tar -xf luna-v2.12.1.tar.gz
# mv luna-v2.12.1 luna
# chown -R nginx:nginx luna
Configure nginx (YOUR_IP is the address of the Docker host)
# vi /etc/nginx/conf.d/jumpserver.conf
server {
    listen 80;
    client_max_body_size 100m;
    location /ui/ {
        try_files $uri / /index.html;
        alias /app/lina/;
    }
    location /luna/ {
        try_files $uri / /index.html;
        alias /app/luna/;
    }
    location /media/ {
        add_header Content-Encoding gzip;
        root /jumpserver/data/;
    }
    location /static/ {
        root /jumpserver/data/;
    }
    location /koko/ {
        proxy_pass http://YOUR_IP:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /guacamole/ {
        proxy_pass http://YOUR_IP:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://YOUR_IP:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /api/ {
        proxy_pass http://YOUR_IP:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /core/ {
        proxy_pass http://YOUR_IP:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
Edit the main nginx configuration file and delete its default server block: vim /etc/nginx/nginx.conf
Restart the nginx service
# cd /usr/sbin/
# ./nginx   # start nginx
# ps aux|grep nginx   # check that nginx is running
Do not run the following commands now
Other nginx operations:
# ./nginx -s stop   # stop nginx
# ./nginx -s quit
# ./nginx -s reload
Open a browser and test
ip:80
Initial user: admin
Initial password: admin
That is the end of the setup; enjoy using it.
Bonus: fixes for common errors
When pip install fails, append a mirror index URL:
1. https://mirrors.aliyun.com/pypi/simple/
2. http://pypi.douban.com/simple
3. https://pypi.tuna.tsinghua.edu.cn/simple
When pip install cffi==1.13.2 fails, use instead
pip install cffi==1.13.2 -i https://mirrors.aliyun.com/pypi/simple/
Error: the message reads
You are using pip version 9.0.1, however version 21.2.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Fix:
python -m pip install --upgrade pip -i http://pypi.douban.com/simple --trusted-host pypi.douban.com
If the installation above produces errors, see:
https://blog.csdn.net/qq_54947566/article/details/114679588
https://blog.csdn.net/weixin_50663202/article/details/109163554
nginx installation
https://blog.csdn.net/qq_41399976/article/details/93854778
Jumpserver official documentation
https://docs.jumpserver.org/zh/master/dev/build/?h=coco#_2