Building the open-source bastion host JumpServer

Overview

Last time I covered the domestic gem kodexplorer; today it is the turn of another fairly good domestic open-source project, JumpServer. Apart from these two, the only other domestic open-source project I think is decent is the BT (Baota) panel. Enough chatter, on to the setup tutorial.
Although, instead of listening to me ramble, you could just read the official guide:

http://docs.jumpserver.org/zh/docs/step_by_step.html

My tutorial is mostly copied from that document, but a few places differ.

Initial setup

  • First, disable SELinux

vim /etc/selinux/config

SELINUX=enforcing

to

SELINUX=disabled

then

setenforce 0

  • Disable the firewall

systemctl stop firewalld

systemctl disable firewalld

  • Change the locale

localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8

export LC_ALL=zh_CN.UTF-8

echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

  • Install Python 3 and the dependencies needed to compile it

First install the dependencies required to compile Python 3

yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

Then download the Python 3 source

wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz

Extract, compile and install

tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1 && ./configure && make && make install

  • Create a Python virtual environment

cd /opt && python3 -m venv py3 && source /opt/py3/bin/activate

  • Automatically load the Python virtual environment

This makes the virtual environment activate automatically whenever you cd into the jumpserver directory

cd /opt && git clone git://github.com/kennethreitz/autoenv.git && echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc && source ~/.bashrc

Installing JumpServer

  • Clone the project

cd /opt/ && git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master && echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env

After this, the first time you cd into the jumpserver directory you will get a prompt; just answer y, and from then on entering the directory will automatically activate the py3 environment

  • Install the RPM dependencies

cd /opt/jumpserver/requirements && yum -y install $(cat rpm_requirements.txt)

  • Install the Python dependencies

pip install -r requirements.txt -i https://pypi.douban.com/simple/

  • Install Redis; JumpServer uses Redis as its cache and as the Celery broker

yum -y install redis && systemctl enable redis && systemctl start redis

  • Install MariaDB

yum -y install mariadb mariadb-devel mariadb-server && systemctl enable mariadb && systemctl start mariadb

  • Set the MariaDB root password

Run mysql_secure_installation and follow the prompts

```
[root@bboysoul-centos-vm ~]# mysql_secure_installation 

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Sorry, passwords do not match.

New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
... skipping.

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
```

  • Create the jumpserver database and grant privileges on it
```
[root@bboysoul-centos-vm ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'%' identified by '你的密码';
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]>
```

  • Edit the JumpServer config file

cd /opt/jumpserver && cp config_example.py config.py && vi config.py

Here is my config file (my own remarks are marked as "Author's note" comments)

```python
"""
jumpserver.config
~~~~~~~~~~~~~~
Jumpserver project setting file

:copyright: (c) 2014-2017 by Jumpserver Team
:license: GPL v2, see LICENSE for more details.

"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:

    # Use it to encrypt or decrypt data
    # SECURITY WARNING: keep the secret key used in production secret!
    # Author's note: no need to touch this, just leave the default
    SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'

    # Django security setting, if your disable debug model, you should setting that
    ALLOWED_HOSTS = ['*']

    # Author's note: turn off debug mode, since we will put nginx in front as a proxy later
    # Development env open this, when error occur display the full process track, Production disable it
    DEBUG = os.environ.get("DEBUG") or False

    # Author's note: set the log level to WARNING, otherwise there are far too many logs
    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'WARNING'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Database setting, Support sqlite3, mysql, postgres ....
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # SQLite setting:
    # DB_ENGINE = 'sqlite3'
    # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # MySQL or postgres setting like:
    # DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    # DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    # DB_PORT = os.environ.get("DB_PORT") or 3306
    # DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    # DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
    # DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

    # Author's note: database settings, since we are using MySQL
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or '你的密码'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Use Redis as broker for celery and web socket
    REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
    REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
    REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
    REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
    REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
```

Below is the official config file, for reference

```python
"""
jumpserver.config
~~~~~~~~~~~~~~

Jumpserver project setting file

:copyright: (c) 2014-2017 by Jumpserver Team
:license: GPL v2, see LICENSE for more details.

"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:

    # Use it to encrypt or decrypt data

    # Jumpserver uses SECRET_KEY for encryption; be sure to change the setting below
    # SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
    SECRET_KEY = '请随意输入随机字符串(推荐字符大于等于 50位)'

    # Django security setting, if your disable debug model, you should setting that
    ALLOWED_HOSTS = ['*']

    # DEBUG mode: True enables it, False disables it; enabled by default, disabling it is recommended in production
    # Note: if DEBUG = False is set, the page on port 8080 will not render properly; an nginx proxy is needed before it can be accessed normally
    DEBUG = os.environ.get("DEBUG") or True

    # Log level, DEBUG by default; can be changed to INFO, WARNING, ERROR, CRITICAL; default INFO
    LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'WARNING'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Database configuration; sqlite3, mysql, postgres and others are supported; sqlite3 by default
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # SQLite3 is used by default; if using another database, comment out the two lines below
    # DB_ENGINE = 'sqlite3'
    # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # To use mysql or postgres, uncomment the lines below and fill in the correct details; this example uses mysql (mariadb counts as mysql)
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

    # IP and port Django listens on; in production, change 0.0.0.0 to 127.0.0.1. 0.0.0.0 allows access from any x.x.x.x, 127.0.0.1 allows only local access
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Redis settings
    REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
    REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
    REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
    REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
    REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
```
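The official config_example.py above asks for a SECRET_KEY of 50 or more characters, DEBUG turned off in production and 127.0.0.1 as the bind address once nginx sits in front, and its placeholders (the default key, 'weakPassword') are not meant to survive into a live install. The following Python is an added example, not JumpServer project code: it generates a suitable key and audits a config.py (or any object carrying the same attribute names) against those notes. `audit_config_file`, `sample_config` and the finding texts are my own names, not anything from the project.

```python
"""Added example, not JumpServer project code: generate a SECRET_KEY and audit
a config.py against the notes in the official config_example.py quoted above."""
import runpy
import secrets
import string
from types import SimpleNamespace

# Placeholders shipped in config_example.py (quoted on this page); neither may reach production.
EXAMPLE_DEFAULT_KEY = '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
EXAMPLE_DEFAULT_DB_PASSWORD = 'weakPassword'
KEY_ALPHABET = string.ascii_letters + string.digits + '!@#$%^&*()-_=+'


def generate_secret_key(length=64):
    """Random key from the OS CSPRNG; the official config asks for 50 or more characters."""
    if length < 50:
        raise ValueError('SECRET_KEY should be at least 50 characters')
    return ''.join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def audit_config(cfg):
    """Return hardening findings for any object exposing config.py's attribute names."""
    findings = []
    key = getattr(cfg, 'SECRET_KEY', None) or ''
    if key == EXAMPLE_DEFAULT_KEY:
        findings.append('SECRET_KEY is the example default; generate a new one')
    elif len(key) < 50:
        findings.append('SECRET_KEY is shorter than 50 characters')
    if getattr(cfg, 'DEBUG', False):
        findings.append('DEBUG is on; turn it off once nginx fronts the app')
    if getattr(cfg, 'DB_PASSWORD', None) == EXAMPLE_DEFAULT_DB_PASSWORD:
        findings.append('DB_PASSWORD is still the example placeholder')
    if getattr(cfg, 'HTTP_BIND_HOST', None) == '0.0.0.0':
        findings.append('HTTP_BIND_HOST 0.0.0.0 exposes 8080 directly; bind 127.0.0.1 behind nginx')
    return findings


def audit_config_file(path):
    """Execute a real config.py (e.g. /opt/jumpserver/config.py) and audit its `config` object."""
    return audit_config(runpy.run_path(path)['config'])


def sample_config():
    """Constructed stand-in: default key and 0.0.0.0 bind as in this post, plus the example DB password."""
    return SimpleNamespace(SECRET_KEY=EXAMPLE_DEFAULT_KEY, DEBUG=False,
                           DB_PASSWORD=EXAMPLE_DEFAULT_DB_PASSWORD, HTTP_BIND_HOST='0.0.0.0')


if __name__ == '__main__':
    print('new SECRET_KEY:', generate_secret_key())
    for finding in audit_config(sample_config()):
        print('-', finding)
```

Run it against the real file with `audit_config_file('/opt/jumpserver/config.py')` from the py3 virtualenv; an empty list means none of the checks above fired.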



- Generate the database schema and initialise the data

`cd /opt/jumpserver/utils && bash make_migrations.sh`

Run JumpServer

`cd /opt/jumpserver && ./jms start all -d`

The default admin account is admin / admin, but personally I suggest not visiting the site yet; wait until nginx is installed at the end

### Install the SSH Server and WebSocket Server: Coco

- Download or clone the project

`cd /opt && source /opt/py3/bin/activate && git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master && echo "source /opt/py3/bin/activate" > /opt/coco/.env`

Likewise, the first time you enter the coco directory there will be a prompt; just answer y

- Install the dependencies

`cd /opt/coco/requirements && yum -y install $(cat rpm_requirements.txt) && pip install -r requirements.txt -i https://pypi.douban.com/simple/`

- Edit the config file and run

`cd /opt/coco && cp conf_example.py conf.py && vi conf.py`

There is actually little worth changing in that config file; if anything, adjust the log level. The rest is up to you.

Then start coco

`./cocod start -d`

At this point the official docs tell you to go to the web UI and accept the registration; ignore that for now and go straight to the next step

### Install the Web Terminal front end: Luna

- Install Luna

`cd /opt && wget https://github.com/jumpserver/luna/releases/download/1.4.1/luna.tar.gz && tar xvf luna.tar.gz && chown -R root:root luna`

### Install the Windows support component

This is the component that lets you manage Windows servers. The official docs now recommend Docker for it, so just install it from the Docker image.

- Install Docker

`yum install -y yum-utils device-mapper-persistent-data lvm2 && yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo && rpm --import http://mirrors.aliyun.com/docker-ce/linux/centos/gpg && yum makecache fast && yum -y install docker-ce && systemctl start docker && systemctl enable docker && systemctl status docker`

- Start Guacamole

Note: the JumpServer address below cannot be 127.0.0.1. Because Guacamole runs in a container, 127.0.0.1 would refer to the container itself; use the host's IP or URL instead

```bash
docker run --name jms_guacamole -d \
-p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
-e JUMPSERVER_KEY_DIR=/config/guacamole/key \
-e JUMPSERVER_SERVER=http://<填写jumpserver的url地址> \
jumpserver/guacamole:latest
```

After this the official docs again tell you to accept the registration in the web UI; ignore it for now and continue

Configure Nginx to tie the components together

  • Install nginx

yum -y install nginx

  • Configure nginx

First create the following file

vim /etc/nginx/conf.d/jumpserver.conf

with this content

```nginx
server {
    listen 80;  # proxy port; from now on access goes through this port, not 8080

    client_max_body_size 100m;  # upload size limit for session recordings

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;  # if coco is installed on another server, put its ip here
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;  # if guacamole is installed on another server, put its ip here
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;  # if jumpserver is installed on another server, put its ip here
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After saving and exiting, edit the following file

vim /etc/nginx/nginx.conf

and delete its default server block, which is the content below

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```

Save and exit

  • Start nginx

systemctl restart nginx && systemctl enable nginx

Getting started with JumpServer

First check that each component is running normally

cd /opt/jumpserver && ./jms status

cd /opt/coco && ./cocod status

Check that Guacamole is running

docker ps

Then open the server's IP in a browser; the default username and password are both admin

After logging in we can register our two components: go to Sessions -> Terminals; the terminal list should show two rows, click Accept on both

If they are not listed, restart the services in the following order

First stop all the services

cd /opt/jumpserver && ./jms stop all

cd /opt/coco && ./cocod stop

docker stop jms_guacamole

Then start the services in my order

cd /opt/jumpserver && ./jms start all -d

Pay special attention to this step and make sure it really started; on low-spec machines it is quite likely to fail to start

cd /opt/jumpserver && ./jms status

cd /opt/coco && ./cocod start -d

docker start jms_guacamole

Usage

On usage, there are two concepts I want to explain: the admin user in asset management, and the system user in asset management.

What is an admin user? An admin user is essentially a server's root: it holds the highest privileges on that server and can create system users on it.

What is a system user? A system user is the user you want to add to the server, or one that already exists on the system; it can even be root. If it has not been created yet, JumpServer can create it on the server with the user push feature.

On asset authorization: once you have created an asset (that is, a server), it does not belong to any user. You must create an asset authorization that grants the asset to a user before that user can access it.

On MFA (two-factor authentication): it simply means that at login you also need the Google Authenticator app and enter the code it shows, much like the old game-account security tokens (将军令).

Feel free to follow Bboysoul's blog at www.bboysoul.com
Have Fun