I wrote about kodexplorer, a solid domestic project, earlier; today it's another good domestic open-source project, jumpserver. The only other domestic open-source project I'd put in that class is the BT (宝塔) panel. Enough chatter, on to the setup tutorial. Of course you can just follow the official docs below instead of listening to me ramble:
http://docs.jumpserver.org/zh/docs/step_by_step.html
Although my tutorial mostly copies that document, a few places differ.

First disable SELinux:

```shell
vim /etc/selinux/config
```

Change

```
SELINUX=enforcing
```

to

```
SELINUX=disabled
```

Then:

```shell
setenforce 0
systemctl stop firewalld
systemctl disable firewalld
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
```
First install the dependencies needed to compile python3:

```shell
yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
```

Then download python3 and compile and install it:

```shell
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
```

Unpack, compile, install, and create the virtualenv:

```shell
tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1 && ./configure && make && make install
cd /opt && python3 -m venv py3 && source /opt/py3/bin/activate
```

The next step (autoenv) is so that the environment is loaded automatically whenever you enter the jumpserver folder:

```shell
cd /opt && git clone git://github.com/kennethreitz/autoenv.git && echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc && source ~/.bashrc
cd /opt/ && git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master && echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
```

After this, the first time you enter the jumpserver folder you get a prompt; just type y. From then on, entering this folder automatically activates the py3 environment.

```shell
cd /opt/jumpserver/requirements && yum -y install $(cat rpm_requirements.txt)
pip install -r requirements.txt -i https://pypi.douban.com/simple/
yum -y install redis && systemctl enable redis && systemctl start redis
yum -y install mariadb mariadb-devel mariadb-server && systemctl enable mariadb && systemctl start mariadb
```
Run mysql_secure_installation and follow the prompts:
```
[root@bboysoul-centos-vm ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Sorry, passwords do not match.

New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
 ... skipping.

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
```
Then create the database and the database user:

```
[root@bboysoul-centos-vm ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'%' identified by '你的密码';
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]>
```
```shell
cd /opt/jumpserver && cp config_example.py config.py && vi config.py
```

Below is my configuration file:
```python
"""
    jumpserver.config
    ~~~~~~~~~~~~~~~~~

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    # Use it to encrypt or decrypt data
    # SECURITY WARNING: keep the secret key used in production secret!
    # No need to touch this, just leave the default
    SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'

    # Django security setting, if your disable debug model, you should setting that
    ALLOWED_HOSTS = ['*']

    # Turn off debug mode, since we will install nginx as a proxy later
    # Development env open this, when error occur display the full process track, Production disable it
    DEBUG = os.environ.get("DEBUG") or False

    # Set the log level to WARNING, otherwise there are too many logs
    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'WARNING'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Database setting, Support sqlite3, mysql, postgres ....
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # SQLite setting:
    # DB_ENGINE = 'sqlite3'
    # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # MySQL or postgres setting like:
    # DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    # DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    # DB_PORT = os.environ.get("DB_PORT") or 3306
    # DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    # DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
    # DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

    # Database settings, since we are using mysql
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or '你的密码'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Use Redis as broker for celery and web socket
    REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
    REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
    REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
    REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
    REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
```
Below is the official configuration file, for reference:
```python
"""
    jumpserver.config
    ~~~~~~~~~~~~~~~~~

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    # Use it to encrypt or decrypt data
    # Jumpserver uses SECRET_KEY for encryption; be sure to change the setting below
    # SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
    SECRET_KEY = '请随意输入随机字符串(推荐字符大于等于 50位)'

    # Django security setting, if your disable debug model, you should setting that
    ALLOWED_HOSTS = ['*']

    # DEBUG mode: True = on, False = off; on by default, off recommended for production
    # Note: with DEBUG = False the page on port 8080 will not render properly; an nginx proxy is needed for normal access
    DEBUG = os.environ.get("DEBUG") or True

    # Log level, default DEBUG; can be INFO, WARNING, ERROR, CRITICAL; default INFO
    LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'WARNING'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Database configuration; supports sqlite3, mysql, postgres etc.; sqlite3 by default
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
    # SQLite3 is used by default; comment out the two lines below if using another database
    # DB_ENGINE = 'sqlite3'
    # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # To use mysql or postgres, uncomment the lines below and fill in the correct details; this example uses mysql (mariadb counts as mysql)
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

    # IP and port Django listens on; for production it is recommended to change 0.0.0.0 to 127.0.0.1.
    # 0.0.0.0 means allow access from any x.x.x.x; 127.0.0.1 means allow only local access
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Redis settings
    REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
    REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
    REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
    REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
    REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
```
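As an added example (not code from this post or from the Jumpserver project), the following Python audits the fallback values in a config.py like the two listings above: it flags the config_example.py SECRET_KEY that the first listing keeps, a key shorter than the 50 characters the official file recommends, DEBUG left on, and HTTP_BIND_HOST 0.0.0.0 when nginx will proxy on the same host, and generate_secret_key produces a replacement. SAMPLE_CONFIG, the function names and the finding messages are constructed for this example.

```python
import ast
import secrets
import string

EXAMPLE_SECRET_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'  # default in config_example.py
MIN_KEY_LENGTH = 50  # the official config recommends 50 or more characters

# Constructed sample mirroring the fallback values in the config.py above.
SAMPLE_CONFIG = '''
import os
class Config:
    SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
    DEBUG = os.environ.get("DEBUG") or False
    HTTP_BIND_HOST = '0.0.0.0'
'''


def generate_secret_key(length=MIN_KEY_LENGTH):
    """Random key from the OS CSPRNG; paste it into config.py or export SECRET_KEY."""
    alphabet = string.ascii_letters + string.digits + '!@#$%^&*(-_=+)'
    return ''.join(secrets.choice(alphabet) for _ in range(length))


def fallback_literals(config_src):
    """Literal that applies when the env var is unset: handles `X = 'lit'` and `X = os.environ.get('X') or 'lit'`."""
    found = {}
    for node in ast.walk(ast.parse(config_src)):
        if not isinstance(node, ast.Assign) or len(node.targets) != 1:
            continue
        value = node.value
        if isinstance(value, ast.BoolOp) and isinstance(value.op, ast.Or):
            value = value.values[-1]  # the `or` fallback wins when the env var is unset
        try:
            found[getattr(node.targets[0], 'id', None)] = ast.literal_eval(value)
        except ValueError:
            pass  # os.path.join(...), calls, names: not a plain literal, skip
    return found


def audit_config(config_src, behind_proxy=True):
    """Return findings for the settings on which the two config listings above differ."""
    vals = fallback_literals(config_src)
    findings = []
    key = vals.get('SECRET_KEY') or ''
    if key == EXAMPLE_SECRET_KEY:
        findings.append('SECRET_KEY is the config_example.py default')
    elif len(key) < MIN_KEY_LENGTH:
        findings.append('SECRET_KEY shorter than %d characters' % MIN_KEY_LENGTH)
    if vals.get('DEBUG') is True:
        findings.append('DEBUG is enabled')
    if behind_proxy and vals.get('HTTP_BIND_HOST') == '0.0.0.0':
        findings.append('HTTP_BIND_HOST 0.0.0.0 exposes port 8080 alongside the nginx proxy')
    return findings
```

Run audit_config(open('/opt/jumpserver/config.py').read()) after editing; an empty list means none of the four findings applies.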
```shell
cd /opt/jumpserver/utils && bash make_migrations.sh
```

Run jumpserver:

```shell
cd /opt/jumpserver && ./jms start all -d
```

The default admin account is admin / admin, but I'd say don't visit it yet; wait until nginx is installed at the end.
```shell
cd /opt && source /opt/py3/bin/activate && git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master && echo "source /opt/py3/bin/activate" > /opt/coco/.env
```

Likewise, the first time you enter the coco folder there is a prompt; just type y.

```shell
cd /opt/coco/requirements && yum -y install $(cat rpm_requirements.txt) && pip install -r requirements.txt -i https://pypi.douban.com/simple/
cd /opt/coco && cp conf_example.py conf.py && vi conf.py
```

There isn't much to change in this config file; if you want, adjust the log level, and use your own judgment on the rest.

Then run coco:

```shell
./cocod start -d
```

The official docs will have you go to the web interface at this point to accept a registration; ignore that for now and go straight to the next step.

```shell
cd /opt && wget https://github.com/jumpserver/luna/releases/download/1.4.1/luna.tar.gz && tar xvf luna.tar.gz && chown -R root:root luna
```
Guacamole is what lets you manage Windows servers and the like. The official docs now recommend docker, so just install it from the docker image:

```shell
yum install -y yum-utils device-mapper-persistent-data lvm2 && yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo && rpm --import http://mirrors.aliyun.com/docker-ce/linux/centos/gpg && yum makecache fast && yum -y install docker-ce && systemctl start docker && systemctl enable docker && systemctl status docker
```

Note that the jumpserver address below must not be 127.0.0.1: since this runs inside a container, 127.0.0.1 would be the container itself. Use the host's IP or URL instead.

```shell
docker run --name jms_guacamole -d \
  -p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
  -e JUMPSERVER_KEY_DIR=/config/guacamole/key \
  -e JUMPSERVER_SERVER=http://<填写jumpserver的url地址> \
  jumpserver/guacamole:latest
```

Again the official docs will tell you to go to the web interface and accept the registration; ignore it and continue to the next step.
```shell
yum -y install nginx
```

First create the following file:

```shell
vim /etc/nginx/conf.d/jumpserver.conf
```

and enter:
```nginx
server {
    listen 80;  # proxy port; from now on access goes through this port, no longer through 8080
    client_max_body_size 100m;  # upload size limit for session recordings

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if you changed the install directory
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change this if you changed the install directory
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if you changed the install directory
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;  # if coco is installed on another server, use its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;  # if guacamole is installed on another server, use its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;  # if jumpserver is installed on another server, use its ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
After saving and quitting, edit the following file:

```shell
vim /etc/nginx/nginx.conf
```

Delete the server block in it, which is the following:
```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```
Save and quit, then:

```shell
systemctl restart nginx && systemctl enable nginx
```
First check whether each component is running normally:

```shell
cd /opt/jumpserver && ./jms status
cd /opt/coco && ./cocod status
```

Check whether Guacamole is running:

```shell
docker ps
```
Then visit the server's IP in a browser; the default username and password are both admin.

After logging in we can register our two components: go to Sessions -> Terminal management. The terminal list will have two rows; click Accept on both.

If they are not there, restart the services in the order below.

First stop all services:

```shell
cd /opt/jumpserver && ./jms stop all
cd /opt/coco && ./cocod stop
docker stop jms_guacamole
```

Then start the services in my order:

```shell
cd /opt/jumpserver && ./jms start all -d
```

Pay special attention to this step and make sure it actually starts; on a low-spec machine it is quite likely to fail.

```shell
cd /opt/jumpserver && ./jms status
cd /opt/coco && ./cocod start -d
docker start jms_guacamole
```
On usage, I want to explain two concepts: the admin user in asset management and the system user in asset management.

What is an admin user? An admin user is essentially the root of a server: it holds the highest privileges on that server and can create system users on it.

What is a system user? A system user is the user you want to add to the server, or one that already exists on the system; it can be root. If it has not been created yet, jumpserver can create it on the server with the user-push feature.

About asset authorization: after you create an asset (that is, a server), it belongs to no user. You must create an asset authorization granting the asset to a user before that user can access it.

About MFA (two-factor authentication): at login you also need to install Google Authenticator and enter the code it shows, much like the old game OTP token 将军令.
Follow Bboysoul's blog at www.bboysoul.com. Have Fun