Deploying the JumpServer Bastion Host System

What is a bastion host

In a given network environment, to protect the network and its data from intrusion and damage by external and internal users, a range of technical measures is used to collect and monitor in real time the system state, security events and network activity of every component of that environment, so that alerts can be centralised, incidents handled promptly, and audits can assign responsibility. Such a system is a bastion host system. Functionally, a bastion host combines two main capabilities: core system operations and security audit control. Technically, it cuts off the terminal computer's direct access to network and server resources and instead takes over that access by proxying the protocols.
In other words, every access from a terminal computer to a target must pass the bastion host system's review.
A bastion host system can therefore intercept unauthorised access and malicious attacks, block illegitimate commands, filter out all unauthorised access to the target devices, and audit and monitor the mistakes and illegitimate operations of internal staff so that responsibility can be traced afterwards.

The definition, functions and implementation technology of today's bastion host systems have changed a great deal compared with the JumpBox definition I encountered in 2012. At that time a "jump box" really provided nothing more than an access springboard environment; operation history could only be recorded by the tool software installed on the JumpBox host, and if more monitoring components were needed you had to deploy or integrate them yourself.

JumpServer is an open-source bastion host suite released under the GNU GPL v2.0 licence; it is a professional operations audit system that meets the 4A requirements. JumpServer uses a distributed architecture and supports multi-datacenter, cross-region deployment: a central node provides the API, login nodes are deployed in each datacenter, and it scales horizontally with no limit on concurrent access. JumpServer currently supports managing the SSH, Telnet, RDP and VNC protocols.

Components of the Jumpserver system:
Jumpserver
Now refers to the Jumpserver management backend, the core component (Core); developed in the Django Class Based View style and exposes a RESTful API.
Coco
The component implementing the SSH Server and Web Terminal Server; provides SSH and WebSocket interfaces, developed with Paramiko and Flask.
Luna
Currently the Web Terminal front end; the plan is for all front-end pages to be provided by this project, with Jumpserver only providing the API and no longer rendering HTML on the backend.
Guacamole
An Apache jump-host project; Jumpserver uses its components to implement RDP. Jumpserver did not modify its code but added extra plugins so that Jumpserver can call it.
Jumpserver-Python-SDK
The Jumpserver API Python SDK; Coco currently uses this SDK to interact with the Jumpserver API.

This JumpServer deployment is a single node; the hardware and software environment is as follows:

2 CPU cores, 4 GB RAM, 50 GB disk
CentOS 7 x86_64 1804
Python 3.6, MySQL Server 5.5, Redis 6.0.8

Initialize the OS:

cat initCentOS7aliYUM.sh
# switch the base repo to the Aliyun mirror
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.original
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all && yum makecache
yum -y update
systemctl stop firewalld && systemctl disable firewalld
# replace the whole SELINUX= value, not just its first character
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config && setenforce 0
# EPEL from the Aliyun mirror
wget https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
sed -i 's|^#baseurl=https://download.fedoraproject.org/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel*
sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*
yum clean all && yum makecache
yum -y update
yum install -y ntpdate
wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
yum localinstall -y google-chrome-stable_current_x86_64.rpm
ntpdate cn.ntp.org.cn
yum install -y tree
# grant passwordless sudo to the first logged-in user whose name matches the pattern
who | grep googlebigtable | sed -n '1p' | cut -d' ' -f 1 | sort | uniq
DescriptionUser=$(who | grep googlebigtable | sed -n '1p' | cut -d' ' -f 1 | sort | uniq)
echo $DescriptionUser
echo "$DescriptionUser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
init 6

Install the Python virtual environment:

yum -y install sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release cmake git
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
./configure && make && make install
echo $?
cd /opt/ && echo $?
python3 -m venv py3
source /opt/py3/bin/activate

Download jumpserver:

git clone --depth=1 https://github.com/jumpserver/jumpserver.git
wget https://github.com/jumpserver/jumpserver/releases/download/v2.0.2/jumpserver-v2.2.2.tar.gz

Install MySQL:

wget http://mirrors.sohu.com/mysql/MySQL-5.5/mysql-5.5.51.tar.gz
wget --no-check-certificate https://cmake.org/files/v2.8/cmake-2.8.8.tar.gz
tar zxf cmake-2.8.8.tar.gz && cd cmake-2.8.8 && ./configure
gmake && gmake install
echo $?
yum install -y ncurses-devel
# back to the directory holding the MySQL tarball
cd .. && tar -zxvf mysql-5.5.51.tar.gz && cd mysql-5.5.51

cmake \
-DCMAKE_INSTALL_PREFIX=/application/mysql-5.5.51 \
-DMYSQL_DATADIR=/application/mysql-5.5.51/data \
-DMYSQL_UNIX_ADDR=/application/mysql-5.5.51/tmp/mysql.sock \
-DDEFAULT_CHARSET=gbk \
-DDEFAULT_COLLATION=gbk_chinese_ci \
-DENABLED_LOCAL_INFILE=ON \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_FEDERATED_STORAGE_ENGINE=1

make && make install && echo $?

ln -s /application/mysql-5.5.51 /application/mysql
cp support-files/my-small.cnf /etc/my.cnf
echo 'export PATH=/application/mysql/bin:$PATH'>>/etc/profile
source /etc/profile
groupadd mysql
useradd mysql -s /sbin/nologin -g mysql -M
mkdir -p /application/mysql/data
chown -R mysql.mysql /application/mysql/*
chmod -R 1777 /tmp
/application/mysql/scripts/mysql_install_db --basedir=/application/mysql --datadir=/application/mysql/data --user=mysql
cp support-files/mysql.server /etc/init.d/mysqld
chmod 700 /etc/init.d/mysqld
/etc/init.d/mysqld start
chkconfig mysqld on
chkconfig --list mysqld

Install Redis:

yum -y install redis
systemctl start redis
systemctl enable redis
lsof -i :6379

Install jumpserver:

tar xf jumpserver-v2.2.2.tar.gz
mv jumpserver-v2.2.2 /opt/jumpserver
cd /opt/jumpserver/requirements
yum -y install $(cat rpm_requirements.txt)
pip install -r requirements.txt
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install -U pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
cp config_example.yml config.yml

cat config.yml
SECRET_KEY: tWDny8liKq1Zz4HUwlWFN9Ja3gut2wZt2KSjyBgU7foqe9Ecc
BOOTSTRAP_TOKEN: 0pZ51maTshK2ieYuPdkjWEI   # koko and guacamole register with this same token
DEBUG: false
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: jumpserver   # must match the password granted to 'jumpserver'@'localhost' in MySQL
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True

./jms start -d

cd /opt && wget https://github.com/jumpserver/koko/releases/download/v2.0.2/koko-v2.0.2-linux-amd64.tar.gz
tar -xzvf koko-v2.0.2-linux-amd64.tar.gz && mv koko-v2.0.2-linux-amd64 koko && chown -R root:root koko && cd koko
cp config_example.yml config.yml

cat config.yml
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: 0pZ51maTshK2ieYuPdkjWEI
LOG_LEVEL: ERROR

./koko -d

cd /opt && wget -O /opt/guacamole.tar.gz https://github.com/jumpserver/docker-guacamole/archive/2.0.2.tar.gz
tar -xzvf guacamole.tar.gz && mv docker-guacamole-2.0.2 guacamole && cd guacamole/
tar -xzvf guacamole-server-1.2.0.tar.gz && tar -xzvf ssh-forward.tar.gz -C /bin/ && chmod +x /bin/ssh-forward
yum -y localinstall --nogpgcheck https://mirrors.aliyun.com/rpmfusion/free/el/rpmfusion-free-release-7.noarch.rpm
yum -y install cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel ffmpeg-devel freerdp1.2-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel
ln -s /usr/local/lib/freerdp /usr/lib64/freerdp
cd /opt/guacamole/guacamole-server-1.2.0
./configure --with-init-dir=/etc/init.d
make && make install
yum install -y java-1.8.0-openjdk
mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive && chown daemon:daemon /config/guacamole/record /config/guacamole/drive && cd /config

wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz

tar -xzvf apache-tomcat-9.0.36.tar.gz && \
mv apache-tomcat-9.0.36 tomcat9 && \
rm -rf /config/tomcat9/webapps/* && \
sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml && \
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties && \
ln -sf /opt/guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war && \
ln -sf /opt/guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar && \
ln -sf /opt/guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties

export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=0pZ51maTshK2ieYuPdkjWEI
echo "export BOOTSTRAP_TOKEN=0pZ51maTshK2ieYuPdkjWEI" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc

/etc/init.d/guacd start
sh /config/tomcat9/bin/startup.sh
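The core's BOOTSTRAP_TOKEN is what koko and guacamole use to register with it, so the value in /opt/jumpserver/config.yml, /opt/koko/config.yml and the guacamole environment has to be identical or the component cannot register. The following shell script is an added example, not part of this post or of the JumpServer project. It reads those three files (the paths and the env-file layout are assumptions; the sample files it writes are constructed) and checks that the tokens agree, that SECRET_KEY is set, that DEBUG is off, and that koko's CORE_HOST points at the core's HTTP_LISTEN_PORT.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verify the secrets shared between
# the JumpServer core, koko and guacamole before starting them. File paths and
# the "export KEY=value" env-file layout are assumptions.

# Read a flat "KEY: value" entry from a YAML file such as config.yml
# (tolerates a missing space after the colon).
yaml_get() {
    # $1 = file, $2 = key
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\r\"'"
}

# Read a KEY=value assignment (optionally prefixed with "export ") from a
# shell env file; the last assignment wins, as it would in ~/.bashrc.
env_get() {
    # $1 = file, $2 = key
    sed -n "s/^\(export \)\{0,1\}$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# check_tokens CORE_YML KOKO_YML GUAC_ENV
# Returns 0 when all three BOOTSTRAP_TOKEN values agree, the core SECRET_KEY
# is present, DEBUG is false and koko's CORE_HOST uses the core's HTTP port.
check_tokens() {
    local core="$1" koko="$2" guac="$3" rc=0
    local t_core t_koko t_guac key debug port host
    t_core=$(yaml_get "$core" BOOTSTRAP_TOKEN)
    t_koko=$(yaml_get "$koko" BOOTSTRAP_TOKEN)
    t_guac=$(env_get "$guac" BOOTSTRAP_TOKEN)
    key=$(yaml_get "$core" SECRET_KEY)
    debug=$(yaml_get "$core" DEBUG)
    port=$(yaml_get "$core" HTTP_LISTEN_PORT)
    host=$(yaml_get "$koko" CORE_HOST)

    [ -n "$t_core" ] || { echo "core: BOOTSTRAP_TOKEN missing"; rc=1; }
    [ "$t_core" = "$t_koko" ] || { echo "koko: BOOTSTRAP_TOKEN differs from core"; rc=1; }
    [ "$t_core" = "$t_guac" ] || { echo "guacamole: BOOTSTRAP_TOKEN differs from core"; rc=1; }
    [ ${#key} -ge 32 ] || { echo "core: SECRET_KEY missing or shorter than 32 chars"; rc=1; }
    case "$(printf '%s' "$debug" | tr 'A-Z' 'a-z')" in
        false) ;;
        *) echo "core: DEBUG must be false in production"; rc=1 ;;
    esac
    case "$host" in
        *:"$port"|*:"$port"/) ;;
        *) echo "koko: CORE_HOST ($host) does not use core HTTP_LISTEN_PORT ($port)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (placeholder secrets, not real ones) laid out
# like the post's files; $2 is the token written into the guacamole env file.
write_samples() {
    local dir="$1"
    cat > "$dir/core.yml" <<'EOF'
SECRET_KEY: EXAMPLE-secret-key-replace-me-0123456789abcdef
BOOTSTRAP_TOKEN:exampleBootstrapToken001
DEBUG:false
HTTP_LISTEN_PORT:8080
EOF
    cat > "$dir/koko.yml" <<'EOF'
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: exampleBootstrapToken001
EOF
    printf 'export BOOTSTRAP_TOKEN=%s\n' "$2" > "$dir/guac.env"
}

# Stand-alone run: a consistent set of files, then one with a mismatched token.
demo() {
    local d
    d=$(mktemp -d)
    write_samples "$d" exampleBootstrapToken001
    check_tokens "$d/core.yml" "$d/koko.yml" "$d/guac.env" && echo "sample configs: consistent"
    write_samples "$d" differentToken
    check_tokens "$d/core.yml" "$d/koko.yml" "$d/guac.env" || echo "sample configs: mismatch detected (expected)"
    rm -rf "$d"
}
demo
```

On the real host, call `check_tokens /opt/jumpserver/config.yml /opt/koko/config.yml ~/.bashrc` after editing the files and before `./jms start -d`; a non-zero exit with the printed reason is cheaper to read than a koko registration failure in the logs.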

cd /opt && wget https://github.com/jumpserver/lina/releases/download/v2.0.2/lina-v2.0.2.tar.gz
tar -xzvf lina-v2.0.2.tar.gz
mv lina-v2.0.2 lina

Install Nginx:

cat /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

yum -y install nginx
# run from /opt, where lina (and luna, if deployed) were unpacked
chown -R nginx.nginx luna lina

echo >/etc/nginx/conf.d/default.conf

cat /etc/nginx/conf.d/jumpserver.conf
server {
    listen 80;
    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recordings location; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}

nginx -t
systemctl enable nginx
systemctl restart nginx

mysql -uroot -p
MySQL [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)

MySQL [(none)]> grant all on jumpserver.* to 'jumpserver'@'localhost' identified by '123456';
Query OK, 0 rows affected, 1 warning (0.00 sec)

MySQL [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

cat /opt/jumpserver/config.py
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123456'
    DB_NAME = 'jumpserver'

config = DevelopmentConfig()

cd /opt/jumpserver/utils/ && bash make_migrations.sh

python /opt/jumpserver/run_server.py all


Default username/password: admin/admin; this is only the JumpServer web
