Installing the Jumpserver bastion host on CentOS 7

Bastion host overview

A jump host belongs to the family of internal-control bastion hosts; it is a host application used for single sign-on. A jump host is simply a server: during maintenance, operators first log in to this server and from there log in to the target device to do their work. Its drawback is that it provides no control or auditing of what operators actually do, so when a mistake or a policy violation occurs it is hard to establish the cause and the person responsible. A jump host is also a serious security risk: if it is compromised, every back-end resource behind it is fully exposed. For a few resources (such as telnet) a jump host can provide some internal control, but for the many more specialised resources (ftp, rdp and the like) it falls short.

A bastion host, by contrast, is deployed in a specific network environment to protect the network and its data from intrusion and damage by external and internal users. It uses a range of techniques to collect and monitor in real time the system state, security events and network activity of every component in that environment, enabling centralised alerting, timely response and audit-based accountability. This substantially reduces operational risk and makes operations management simpler and safer.

Jumpserver overview

Jumpserver is an open-source jump host system written in Python with Django. It provides internet companies with authentication, authorization, auditing and operations automation, i.e. a bastion host. Official site: http://www.jumpserver.org/. It is developed in China and ships Chinese documentation at https://jumpserver.readthedocs.io/zh/master/ (the installation steps there are complete).

Jumpserver consists of three components: Jumpserver, Coco and Luna. Jumpserver is the management back end and the core component; it is written in the Django class-based-view style and exposes a RESTful API. Coco implements the SSH server and the web terminal server, offering SSH and WebSocket interfaces, and is written with Paramiko and Flask. Luna is the web terminal front end; the plan is for all front-end pages to come from this project, with Jumpserver providing only the API and no longer rendering HTML on the back end.

Installation and deployment

1. Environment
192.168.183.226 jumpserver server
Specs: 4 GB RAM, 2 CPUs, 50 GB disk
2. Turn off the firewall and SELinux

systemctl stop firewalld
setenforce 0
vim /etc/sysconfig/selinux   # disable permanently: set the following line
SELINUX=disabled

3. Python 3 and a Python virtual environment

3.1 Install dependency packages

yum -y install wget lrzsz xz gcc git epel-release python-pip python-devel mysql-devel automake autoconf sqlite-devel zlib-devel openssl-devel sshpass readline-devel

3.2 Build and install Python 3

# upload Python-3.6.1.tar.xz with rz
tar xf Python-3.6.1.tar.xz
mv Python-3.6.1 /opt
cd /opt/Python-3.6.1/   # the source tree was just moved to /opt
./configure
make && make install

Python 3 download: https://www.python.org/ftp/python/3.6.1/

3.3 Create the Python virtual environment

cd /opt/
python3 -m venv py3
source /opt/py3/bin/activate
(py3) [root@localhost opt]#
The prompt above means the virtual environment is active. From now on, run the source command above before running Jumpserver; every command below is run inside this virtual environment.

4. Install Jumpserver

# upload jumpserver-2.0.1.zip with rz
unzip jumpserver-2.0.1.zip
mv jumpserver-2.0.1 /opt/jumpserver

Jumpserver source: https://github.com/jumpserver/jumpserver/tree/2.0.1

4.1 Install Jumpserver's RPM dependencies

cd /opt/jumpserver/requirements/
yum -y install $(cat rpm_requirements.txt)

4.2 Install the Python library dependencies

pip install --upgrade pip setuptools
pip install -r requirements.txt   # takes a while
# or, if the default index is slow, install from a mirror instead:
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

4.3 Install Redis

yum -y install redis
systemctl start redis

4.4 Install MySQL and grant the user privileges

yum -y install mariadb mariadb-devel mariadb-server
systemctl start mariadb
mysql
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456'; # choose your own password; it goes into DB_PASSWORD in 4.5
flush privileges;
exit

4.5 Edit the Jumpserver configuration file

cd /opt/jumpserver/
cp config_example.yml config.yml
# generate a 50-char SECRET_KEY and a 16-char BOOTSTRAP_TOKEN and persist them;
# the same BOOTSTRAP_TOKEN is needed again when starting koko and guacamole
SECRET_KEY=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50)
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16)
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: '123456'/g" /opt/jumpserver/config.yml   # the password granted in 4.4
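As an added example (not from the original post or the Jumpserver project), the script below does the same secret generation and config rendering as step 4.5, but as reusable functions that write the result with mode 0600 and then verify that the secrets and the DEBUG, LOG_LEVEL and session settings actually landed in the file. The config_example.yml excerpt it writes for testing is constructed, and the function names and parameters are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post or the Jumpserver project:
# generate the two secrets, render config.yml from config_example.yml with the
# same substitutions as step 4.5, keep the result mode 0600, and verify the
# hardening settings took effect. Paths are parameters so it can be tried on a
# scratch copy before touching /opt/jumpserver.

# Print LEN random alphanumeric characters (same recipe as the post).
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Write a constructed excerpt of config_example.yml (not the project's real
# file) to the given path, for offline testing.
write_sample_template() {
    cat > "$1" <<'EOF'
SECRET_KEY:
BOOTSTRAP_TOKEN:
# DEBUG: true
# LOG_LEVEL: DEBUG
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver
EOF
}

# render_config TEMPLATE OUTPUT SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD
# Patterns are anchored to the start of the line so a key mentioned in a
# comment elsewhere is not rewritten. The DB password must not contain '/',
# '&' or "'" because it is spliced into a sed expression.
render_config() {
    sed -e "s/^SECRET_KEY:.*/SECRET_KEY: $3/" \
        -e "s/^BOOTSTRAP_TOKEN:.*/BOOTSTRAP_TOKEN: $4/" \
        -e "s/^# DEBUG: true/DEBUG: false/" \
        -e "s/^# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/" \
        -e "s/^# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/" \
        -e "s/^DB_PASSWORD:.*/DB_PASSWORD: '$5'/" \
        "$1" > "$2"
    chmod 600 "$2"   # the file now holds the Django secret and the DB password
}

# cfg_get FILE KEY: print the value of a top-level "KEY: value" line.
cfg_get() {
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# check_config FILE: return 0 only if every setting from step 4.5 is in place
# and the file is readable by its owner alone; otherwise name the first problem.
check_config() {
    f="$1"
    sk=$(cfg_get "$f" SECRET_KEY)
    [ "${#sk}" -ge 50 ] || { echo "SECRET_KEY missing or shorter than 50 chars"; return 1; }
    [ -n "$(cfg_get "$f" BOOTSTRAP_TOKEN)" ] || { echo "BOOTSTRAP_TOKEN is empty"; return 1; }
    [ "$(cfg_get "$f" DEBUG)" = "false" ] || { echo "DEBUG is not false"; return 1; }
    [ "$(cfg_get "$f" LOG_LEVEL)" = "ERROR" ] || { echo "LOG_LEVEL is not ERROR"; return 1; }
    [ "$(cfg_get "$f" SESSION_EXPIRE_AT_BROWSER_CLOSE)" = "true" ] \
        || { echo "SESSION_EXPIRE_AT_BROWSER_CLOSE is not true"; return 1; }
    [ -n "$(cfg_get "$f" DB_PASSWORD)" ] || { echo "DB_PASSWORD is empty"; return 1; }
    [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ] || { echo "$f is not mode 0600"; return 1; }
    echo "config OK"
}

# Live usage on the server (writes the real config):
#   render_config /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml \
#       "$(gen_secret 50)" "$(gen_secret 16)" '123456' \
#   && check_config /opt/jumpserver/config.yml
```

Running check_config on the untouched config_example.yml fails on the first check, which is the quick way to confirm the sed substitutions matched the template's key lines before starting jms.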

4.6 Start Jumpserver

cd /opt/jumpserver
./jms start all -d   # if jms is not executable, chmod +x jms first

If the error is ImportError: cannot import name 'byte_string', continue as follows:

pip uninstall pycrypto
pip uninstall pycryptodome
pip install pycrypto
./jms start all -d   # run again

For other errors, check the database privileges or look for a version mismatch.
[Figure 1]

The output above means the installation succeeded.
4.7 Test in a browser
Port 8080
[Figure 2]
The web UI and its companion components are not installed yet, hence this page.
4.8 Deploy the KoKo component with Docker

yum -y install docker   # install docker
systemctl start docker
# create the container; replace 192.168.183.226 with your own IP address.
# BOOTSTRAP_TOKEN must be the same value written to config.yml in 4.5,
# so the variable set there is reused rather than a second literal.
docker run --name jms_koko -d \
  -p 2222:2222 \
  -p 127.0.0.1:5000:5000 \
  -e CORE_HOST=http://192.168.183.226:8080 \
  -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
  -e LOG_LEVEL=ERROR \
  --privileged=true \
  --restart=always \
  jumpserver/jms_koko:v2.4.0

4.9 Deploy the Guacamole component with Docker

# replace 192.168.183.226 with your own IP address; BOOTSTRAP_TOKEN is the
# same value as in config.yml and the koko container
docker run --name jms_guacamole -d \
  -p 127.0.0.1:8081:8080 \
  -e JUMPSERVER_SERVER=http://192.168.183.226:8080 \
  -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
  -e GUACAMOLE_LOG_LEVEL=ERROR \
  jumpserver/jms_guacamole:v2.4.0
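The two docker run commands in 4.8 and 4.9 publish koko's SSH port 2222 on every interface but bind the HTTP back ends (koko on 5000, guacamole on 8081) to 127.0.0.1 so that only nginx on this host can reach them. As an added example (not from the original post or the Jumpserver project), the script below checks that layout from "ss -ltn" output after the containers are up and reports a loopback-only port that ended up on 0.0.0.0 or [::], which is what happens if "-p 5000:5000" is typed instead of "-p 127.0.0.1:5000:5000". The port numbers are the post's; both sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the Jumpserver project: audit
# the listening sockets of the koko/guacamole deployment described in 4.8-4.9.

LOOPBACK_ONLY="5000 8081"   # koko HTTP and guacamole: reachable from nginx only
PUBLIC_PORTS="80 2222"      # nginx and koko SSH: the intended entry points

# audit_listeners < ss-output
# Reads "ss -ltn"-style lines (State Recv-Q Send-Q Local Peer), prints one
# line per finding, and returns 0 when the bindings match the expected layout,
# 1 otherwise.
audit_listeners() {
    status=0
    seen=""
    while read -r state recvq sendq local peer rest; do
        [ "$state" = "LISTEN" ] || continue     # skips the header line
        port=${local##*:}                       # "127.0.0.1:5000" -> 5000
        addr=${local%:*}                        # "127.0.0.1:5000" -> 127.0.0.1
        seen="$seen $port"
        for p in $LOOPBACK_ONLY; do
            [ "$port" = "$p" ] || continue
            if [ "$addr" != "127.0.0.1" ] && [ "$addr" != "[::1]" ]; then
                echo "EXPOSED: port $port is bound to $addr, expected loopback only"
                status=1
            fi
        done
    done
    # a port that is not listening at all means the component did not start
    for p in $PUBLIC_PORTS $LOOPBACK_ONLY; do
        case " $seen " in
            *" $p "*) ;;
            *) echo "MISSING: nothing is listening on port $p"; status=1 ;;
        esac
    done
    return $status
}

# Constructed "ss -ltn" output for a host where koko was started with
# "-p 5000:5000" (wrong) while guacamole used "-p 127.0.0.1:8081:8080".
sample_ss_exposed() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:2222         0.0.0.0:*
LISTEN  0       128     0.0.0.0:5000         0.0.0.0:*
LISTEN  0       128     127.0.0.1:8081       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
EOF
}

# Constructed output for the same host after recreating koko with the post's
# "-p 127.0.0.1:5000:5000" binding.
sample_ss_hardened() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:2222         0.0.0.0:*
LISTEN  0       128     127.0.0.1:5000       0.0.0.0:*
LISTEN  0       128     127.0.0.1:8081       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
EOF
}

# Live usage on the server:  ss -ltn | audit_listeners
```

Port 8080 is deliberately not in the loopback list: with the CORE_HOST and JUMPSERVER_SERVER values used above, both containers reach the core service through the host's LAN address, so it has to stay reachable from the Docker network.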

4.10 Download the Lina component and nginx

yum -y install nginx

cd /opt
wget https://github.com/jumpserver/lina/releases/download/v2.4.0/lina-v2.4.0.tar.gz

tar -xf lina-v2.4.0.tar.gz
mv lina-v2.4.0 lina
chown -R nginx:nginx lina

4.11 Download the Luna component

cd /opt
wget https://github.com/jumpserver/luna/releases/download/v2.4.0/luna-v2.4.0.tar.gz

tar -xf luna-v2.4.0.tar.gz
mv luna-v2.4.0 luna
chown -R nginx:nginx luna

4.12 Configure nginx to tie the components together

echo > /etc/nginx/conf.d/default.conf   # empty the default site
vi /etc/nginx/conf.d/jumpserver.conf    # with the following contents

server {
    listen 80;

    client_max_body_size 100m;  

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/; 
    }

    location /static/ {
        root /opt/jumpserver/data/;  
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}

4.13 Remove the server block from /etc/nginx/nginx.conf, then start nginx
systemctl start nginx
nginx -t
nginx -s reload
4.15 Test in a browser
192.168.183.226:80

[Figure 3]
