開源堡壘機jumpserver搭建

概述

以前說了國產良心kodexplorer，今天再說一個國內比較好的開源項目jumpserver，除此以外還能夠的國內開源項目我以爲就是寶塔面板了。廢話很少說上教程搭建。 雖說你能夠看下面的教程不用聽我瞎扯

http://docs.jumpserver.org/zh/docs/step_by_step.html

雖說個人教程基本都是複製這個文檔的，可是有的地方仍是不同的

前期初始化

• 首先關閉selinux

vim /etc/selinux/config

SELINUX=enforcing

改成

SELINUX=disabled

以後

setenforce 0

• 關閉防火牆

systemctl stop firewalld

systemctl disable firewalld

• 修改字符集

localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8

export LC_ALL=zh_CN.UTF-8

echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

• 安裝python3和python編譯的依賴環境

首先安裝變異python3前的依賴環境

yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

以後下載python3編譯安裝

wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz

解壓編譯安裝

tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1 && ./configure && make && make install

• 創建python的虛擬環境

cd /opt && python3 -m venv py3 && source /opt/py3/bin/activate

• 自動載入 Python 虛擬環境配置

這個是爲了讓你進入jumpserver這個文件夾的時候能夠自動載入環境變量

cd /opt && git clone git://github.com/kennethreitz/autoenv.git && echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc && source ~/.bashrc

安裝jumpserver

• clone項目

cd /opt/ && git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master && echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env

以後進入jumpserver這個文件夾會有一個提示你輸入y就好，這樣以後每次進入這個文件夾就會自動導入py3的環境變量

• 安裝rpm包的依賴

cd /opt/jumpserver/requirements && yum -y install $(cat rpm_requirements.txt)

• 安裝python依賴

pip install -r requirements.txt -i https://pypi.douban.com/simple/

• 安裝 Redis, Jumpserver 使用 Redis 作 cache 和 celery broke

yum -y install redis && systemctl enable redis && systemctl start redis

• 安裝mariadb

yum -y install mariadb mariadb-devel mariadb-server && systemctl enable mariadb && systemctl start mariadb

• 設置mariadb的root密碼

執行mysql_secure_installation 以後按照流程走就行了

[root@bboysoul-centos-vm ~]# mysql_secure_installation 

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password: 
Re-enter new password: 
Sorry, passwords do not match.

New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
 ... skipping.

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

• 建立數據庫 Jumpserver 並受權

[root@bboysoul-centos-vm ~]# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'%' identified by '你的密碼';
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]>

• 修改 Jumpserver 配置文件

cd /opt/jumpserver && cp config_example.py config.py && vi config.py

下面是個人配置文件

"""
    jumpserver.config
    ~~~~~~~~~~~~~~~~~

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    # Use it to encrypt or decrypt data
    # SECURITY WARNING: keep the secret key used in production secret!
# 這個不用動，讓他默認就好
    SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'

    # Django security setting, if your disable debug model, you should setting that
    ALLOWED_HOSTS = ['*']


# 關閉debug模式，由於以後咱們要安裝nginx作代理的
    # Development env open this, when error occur display the full process track, Production disable it
    DEBUG = os.environ.get("DEBUG") or False

# 日誌級別變成警告就好，否則日誌太多
    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'WARNING'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Database setting, Support sqlite3, mysql, postgres ....
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # SQLite setting:
    #DB_ENGINE = 'sqlite3'
    #DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # MySQL or postgres setting like:
    # DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    # DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    # DB_PORT = os.environ.get("DB_PORT") or 3306
    # DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    # DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
    # DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

# 數據庫設置，由於咱們使用的是mysql
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or '你的密碼'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'


    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Use Redis as broker for celery and web socket
    REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
    REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
    REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
    REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
    REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()

下面是官方的配置文件，能夠作個參考

"""
    jumpserver.config
    ~~~~~~~~~~~~~~~~~

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    # Use it to encrypt or decrypt data

    # Jumpserver 使用 SECRET_KEY 進行加密，請務必修改如下設置
    # SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
    SECRET_KEY = '請隨意輸入隨機字符串（推薦字符大於等於 50位）'

    # Django security setting, if your disable debug model, you should setting that
    ALLOWED_HOSTS = ['*']

    # DEBUG 模式 True爲開啓 False爲關閉，默認開啓，生產環境推薦關閉
    # 注意：若是設置了DEBUG = False，訪問8080端口頁面會顯示不正常，須要搭建 nginx 代理才能夠正常訪問
    DEBUG = os.environ.get("DEBUG") or True

    # 日誌級別，默認爲DEBUG，可調整爲INFO, WARNING, ERROR, CRITICAL，默認INFO
    LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'WARNING'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # 使用的數據庫配置，支持sqlite3, mysql, postgres等，默認使用sqlite3
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # 默認使用SQLite3，若是使用其餘數據庫請註釋下面兩行
    # DB_ENGINE = 'sqlite3'
    # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # 若是須要使用mysql或postgres，請取消下面的註釋並輸入正確的信息,本例使用mysql作演示(mariadb也是mysql)
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

    # Django 監聽的ip和端口，生產環境推薦把0.0.0.0修改爲127.0.0.1，這裏的意思是容許x.x.x.x訪問，127.0.0.1表示僅容許自身訪問
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Redis 相關設置
    REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
    REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
    REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
    REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
    REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()

• 生成數據庫表結構和初始化數據

cd /opt/jumpserver/utils && bash make_migrations.sh

運行jumpserver

cd /opt/jumpserver && ./jms start all -d

默認的後臺帳號是admin admin 可是這個時候我的以爲不要去訪問，到最後安裝了nginx再去訪問

安裝 SSH Server 和 WebSocket Server: Coco

• 下載或 Clone 項目

cd /opt && source /opt/py3/bin/activate && git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master && echo "source /opt/py3/bin/activate" > /opt/coco/.env

一樣首次進入這個coco文件夾也是會有個提示你輸入y就好

• 安裝依賴

cd /opt/coco/requirements && yum -y install $(cat rpm_requirements.txt) && pip install -r requirements.txt -i https://pypi.douban.com/simple/

• 修改配置文件並運行

cd /opt/coco && cp conf_example.py conf.py && vi conf.py

其實上面這個配置文件沒什麼好修改的，若是要修改能夠修改一下日誌級別，其餘的本身看着辦

以後運行coco

./cocod start -d

官方文檔會讓你在這個時候進入web界面接受什麼註冊，先別管他，直接進行下一步

安裝 Web Terminal 前端: Luna

• 安裝Luna

cd /opt && wget https://github.com/jumpserver/luna/releases/download/1.4.1/luna.tar.gz && tar xvf luna.tar.gz && chown -R root:root luna

安裝windows支持組建

就是能夠管理windows服務器這樣，官方推薦使用docker了，因此那麼就使用docker鏡像來安裝就行了

• 安裝docker

yum install -y yum-utils device-mapper-persistent-data lvm2 && yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo && rpm --import http://mirrors.aliyun.com/docker-ce/linux/centos/gpg && yum makecache fast && yum -y install docker-ce && systemctl start docker && systemctl enable docker && systemctl status docker

• 啓動 Guacamole

注意下面的jumpserver地址不能寫127.0.0.1，由於是容器運行的因此寫127.0.0.1就是容器自己了，寫宿主機ip或者url就好

docker run --name jms_guacamole -d \
  -p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
  -e JUMPSERVER_KEY_DIR=/config/guacamole/key \
  -e JUMPSERVER_SERVER=http://<填寫jumpserver的url地址> \
  jumpserver/guacamole:latest

以後官方會說讓你去web界面接收什麼註冊先別管他，繼續下一步

配置 Nginx 整合各組件

• 安裝nginx

yum -y install nginx

• 配置nginx

首先新建下面這個文件

vim /etc/nginx/conf.d/jumpserver.conf

輸入

server {
    listen 80;  # 代理端口，之後將經過此端口進行訪問，再也不經過8080端口

    client_max_body_size 100m;  # 錄像上傳大小限制

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna 路徑，若是修改安裝目錄，此處須要修改
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # 錄像位置，若是修改安裝目錄，此處須要修改
    }

    location /static/ {
        root /opt/jumpserver/data/;  # 靜態資源，若是修改安裝目錄，此處須要修改
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # 若是coco安裝在別的服務器，請填寫它的ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;  # 若是guacamole安裝在別的服務器，請填寫它的ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;  # 若是jumpserver安裝在別的服務器，請填寫它的ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

保存退出以後編輯下面這個文件

vim /etc/nginx/nginx.conf

刪除其中的server字段，就是下面內容

server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

保存退出

• 運行nginx

systemctl restart nginx && systemctl enable nginx

開始使用jumpserver

首先檢查各組件是否是正常

cd /opt/jumpserver && ./jms status

cd /opt/coco && ./cocod status

查看Guacamole是否是正常

docker ps

接着咱們瀏覽器訪問服務器的ip，默認的帳號和密碼都是admin

登錄完成以後咱們就能夠註冊咱們的兩個組件了，點擊會話管理->終端管理終端列表裏面有兩行所有點擊接受就好

若是沒有的話那麼按照下面的順序從新啓動一下服務

首先關閉全部的服務

cd /opt/jumpserver && ./jms stop all

cd /opt/coco && ./cocod stop

docker stop jms_guacamole

接着按照個人順序啓動服務

cd /opt/jumpserver && ./jms start all -d

尤爲要注意這步，必定要確保啓動成功，尤爲是配置低的機器頗有可能啓動失敗的

cd /opt/jumpserver && ./jms status

cd /opt/coco && ./cocod start -d

docker start jms_guacamole

使用

關於使用我想說的是有兩個概念一個是資產管理中的管理用戶，一個是資產管理中的系統用戶。

什麼是管理用戶，管理用戶其實就是一臺服務器的root，擁有這臺服務器的最高權限，能夠在這臺服務器中建立系統用戶。

什麼是系統用戶，系統用戶就是你想添加到服務器中的用戶，或者是系統中已經存在的用戶，它能夠是root。若是它沒有被建立，那麼jumpserver可使用用戶推送功能向服務器中建立用戶

關於資產受權，當你建立完成資產以後這個資產也就是服務器是不屬於任何用戶的，你必需要建立資產受權，把資產受權給這個用戶纔可讓這個用戶去訪問

關於MFA二次認證，其實就是在登陸的時候還要下載一個谷歌驗證器使用裏面的數字登陸，就是相似之前的遊戲將軍令

歡迎關注Bboysoul的博客www.bboysoul.com Have Fun