Deploying the JumpServer Bastion Host System

What is a bastion host

In a given network environment, in order to protect the network and its data from *** and damage by external and internal users, various technical means are used to collect and monitor in real time the system state, security events and network activity of every component of that environment, so that alarms can be centralised, incidents handled promptly, and responsibility established through audit. Such a system is a bastion host system. Functionally, a bastion host combines two main lines of work: operations and maintenance of core systems, and security audit and control. Technically, it cuts off the terminal computer's direct access to network and server resources and instead takes over that access by acting as a protocol proxy. In other words, every access from a terminal computer to a target has to pass through, and be vetted by, the bastion host. The bastion host can therefore intercept unauthorised access and malicious ***, block disallowed commands, filter out all illegitimate access to target devices, and audit and monitor mistaken or illegitimate operations by internal staff so that responsibility can be traced afterwards.

Today's definition of a bastion host, its functions and its implementation technology have changed a great deal compared with the JumpBox I first encountered in 2012. Back then a "jump box" really only provided a hop-through environment for access; history could only be recorded by whatever tool software was installed on the JumpBox host, and if you wanted more monitoring you had to deploy or integrate monitoring components yourself.

JumpServer is an open-source bastion host suite released under the GNU GPL v2.0 licence, and a professional operations audit system that satisfies the 4A model (authentication, authorization, accounting, audit). JumpServer uses a distributed architecture and supports deployment across multiple data centres and regions: the central node provides the API, each data centre deploys login nodes, and the system scales horizontally with no limit on concurrent access. JumpServer currently supports managing the SSH, Telnet, RDP and VNC protocols.

Components of the JumpServer system:
Jumpserver
Now refers to the JumpServer management backend, the core component (Core); developed in the Django class-based-view style and exposes a RESTful API.
Coco
The component that implements the SSH server and the Web Terminal server, providing SSH and WebSocket interfaces; developed with Paramiko and Flask. (The installation below uses Koko, its Go successor, for this role.)
Luna
Now the Web Terminal front end; the plan is for all front-end pages to come from this project, with JumpServer providing only the API and no longer rendering HTML in the backend.
Guacamole
An Apache remote-access project; JumpServer uses its components to implement RDP. JumpServer does not modify Guacamole's code but adds an extra plugin so that JumpServer can call it.
Jumpserver-Python-SDK
The Python SDK for the JumpServer API; Coco currently uses it to talk to the JumpServer API.

This JumpServer deployment is single-node, with the following hardware and software:

2 CPU cores, 4 GB RAM, 50 GB disk
CentOS 7 x86_64 1804
Python 3.6, MySQL Server 5.5, Redis 6.0.8

Initialise the OS:
cat initCentOS7aliYUM.sh
# Point the base repo at the Aliyun mirror
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.original
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all && yum makecache
yum -y update
# Firewall and SELinux are switched off for this lab install; a production bastion
# would instead open only the ports nginx and koko listen on
systemctl stop firewalld && systemctl disable firewalld
# ".*" rather than "." so the whole current value is replaced, not just its first character
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config && setenforce 0
# EPEL via the Aliyun mirror
yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
sed -i 's|^#baseurl=https://download.fedoraproject.org/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel*
sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*
yum clean all && yum makecache
yum -y update
yum install -y ntpdate tree
wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
yum localinstall -y google-chrome-stable_current_x86_64.rpm
ntpdate cn.ntp.org.cn
# Grant passwordless sudo to the logged-in admin account (first matching "who" entry)
DescriptionUser=$(who | grep googlebigtable | sed -n '1p' | cut -d' ' -f 1)
echo "$DescriptionUser"
# Appending to /etc/sudoers skips visudo's syntax check; a drop-in under /etc/sudoers.d
# verified with "visudo -c" is the safer equivalent
echo "$DescriptionUser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
init 6

Install a Python virtual environment:
yum -y install sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release cmake git
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
./configure && make && make install
echo $?
cd /opt/ && echo $?
python3 -m venv py3
source /opt/py3/bin/activate

Download JumpServer:
# Either clone the repository or fetch the release tarball; the tarball is what gets unpacked below,
# and its version has to match koko, lina and guacamole (all v2.0.2 here)
git clone --depth=1 https://github.com/jumpserver/jumpserver.git
wget https://github.com/jumpserver/jumpserver/releases/download/v2.0.2/jumpserver-v2.0.2.tar.gz

Install MySQL:
wget http://mirrors.sohu.com/mysql/MySQL-5.5/mysql-5.5.51.tar.gz
wget --no-check-certificate https://cmake.org/files/v2.8/cmake-2.8.8.tar.gz
# Build cmake 2.8.8 from source, then return to the download directory
tar zxf cmake-2.8.8.tar.gz && cd cmake-2.8.8 && ./configure
gmake && gmake install
echo $?
cd ..
yum install -y ncurses-devel
tar -zxvf mysql-5.5.51.tar.gz && cd mysql-5.5.51
# Option names are MYSQL_*, and the backslash-continued lines must not be separated by blank lines.
# The server default charset is gbk here; the jumpserver database is created with utf8 explicitly further below.
# ENABLED_LOCAL_INFILE lets clients ask the server to load client-side files; nothing in this deployment uses it.
cmake \
-DCMAKE_INSTALL_PREFIX=/application/mysql-5.5.51 \
-DMYSQL_DATADIR=/application/mysql-5.5.51/data \
-DMYSQL_UNIX_ADDR=/application/mysql-5.5.51/tmp/mysql.sock \
-DDEFAULT_CHARSET=gbk \
-DDEFAULT_COLLATION=gbk_chinese_ci \
-DENABLED_LOCAL_INFILE=ON \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_FEDERATED_STORAGE_ENGINE=1
# make install is required; without it /application/mysql-5.5.51 is never populated
make && make install && echo $?
# Note the space between the two paths
ln -s /application/mysql-5.5.51 /application/mysql
cp support-files/my-small.cnf /etc/my.cnf
echo 'export PATH=/application/mysql/bin:$PATH' >>/etc/profile
source /etc/profile
groupadd mysql
useradd mysql -s /sbin/nologin -g mysql -M
# data directory plus the directory that holds the socket configured above
mkdir -p /application/mysql/data /application/mysql/tmp
chown -R mysql.mysql /application/mysql/*
chmod -R 1777 /tmp
/application/mysql/scripts/mysql_install_db --basedir=/application/mysql --datadir=/application/mysql/data --user=mysql
cp support-files/mysql.server /etc/init.d/mysqld
chmod 700 /etc/init.d/mysqld
/etc/init.d/mysqld start
chkconfig mysqld on
chkconfig --list mysqld

Install Redis:
yum -y install redis
systemctl start redis
systemctl enable redis
lsof -i :6379
Install JumpServer:
tar xf jumpserver-v2.0.2.tar.gz
mv jumpserver-v2.0.2 /opt/jumpserver
cd /opt/jumpserver/requirements
yum -y install $(cat rpm_requirements.txt)
# Upgrade the packaging tools first, then install the Python requirements from the Aliyun PyPI mirror
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install -U pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
# config_example.yml lives in the project root, not in requirements/
cd /opt/jumpserver
cp config_example.yml config.yml

cat config.yml
SECRET_KEY: tWDny8liKq1Zz4HUwlWFN9Ja3gut2wZt2KSjyBgU7foqe9Ecc
# YAML needs a space after every colon; "KEY:value" is read as one string, not a key/value pair
BOOTSTRAP_TOKEN: 0pZ51maTshK2ieYuPdkjWEI
DEBUG: false
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
# must match the password granted to 'jumpserver'@'localhost' in the MySQL step below
DB_PASSWORD: 123456
DB_NAME: jumpserver
# 0.0.0.0 exposes Core on every interface; with nginx on the same host, 127.0.0.1 is sufficient
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True

# Core needs the jumpserver database and MySQL user (created in the MySQL step further below) before it will start
./jms start -d

cd /opt && wget https://github.com/jumpserver/koko/releases/download/v2.0.2/koko-v2.0.2-linux-amd64.tar.gz
tar -xzvf koko-v2.0.2-linux-amd64.tar.gz && mv koko-v2.0.2-linux-amd64 koko && chown -R root:root koko && cd koko
cp config_example.yml config.yml

cat config.yml
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: 0pZ51maTshK2ieYuPdkjWEI
LOG_LEVEL: ERROR

./koko -d

cd /opt && wget -O /opt/guacamole.tar.gz https://github.com/jumpserver/docker-guacamole/archive/2.0.2.tar.gz
tar -xzvf guacamole.tar.gz && mv docker-guacamole-2.0.2 guacamole && cd guacamole/
tar -xzvf guacamole-server-1.2.0.tar.gz && tar -xzvf ssh-forward.tar.gz -C /bin/ && chmod +x /bin/ssh-forward
yum -y localinstall --nogpgcheck https://mirrors.aliyun.com/rpmfusion/free/el/rpmfusion-free-release-7.noarch.rpm https://mirrors.aliyun.com/rpmfusion/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm
yum -y install cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel ffmpeg-devel freerdp1.2-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel
ln -s /usr/local/lib/freerdp /usr/lib64/freerdp
cd /opt/guacamole/guacamole-server-1.2.0
./configure --with-init-dir=/etc/init.d
make && make install
yum install -y java-1.8.0-openjdk
mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive && chown daemon:daemon /config/guacamole/record /config/guacamole/drive && cd /config

wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz

tar -xzvf apache-tomcat-9.0.36.tar.gz && \
mv apache-tomcat-9.0.36 tomcat9 && \
rm -rf /config/tomcat9/webapps/* && \
sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml && \
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties && \
ln -sf /opt/guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war && \
ln -sf /opt/guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar && \
ln -sf /opt/guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties

export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=0pZ51maTshK2ieYuPdkjWEI
echo "export BOOTSTRAP_TOKEN=0pZ51maTshK2ieYuPdkjWEI" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc

/etc/init.d/guacd start
sh /config/tomcat9/bin/startup.sh
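Core, koko and guacamole above must all carry the same BOOTSTRAP_TOKEN, and Core's config.yml only works when every line is a real YAML key/value pair. The script below is an added example, not part of the original post or of the JumpServer project. It assumes the paths used above (/opt/jumpserver/config.yml, /opt/koko/config.yml and the exports appended to ~/.bashrc); when those files are absent it runs against constructed sample configs with placeholder tokens, so the checks can be exercised on any machine.

```sh
#!/bin/sh
# Added example (not from the original post or the JumpServer project).
# Checks that BOOTSTRAP_TOKEN agrees across Core, koko and the guacamole
# environment, and flags "KEY:value" lines that YAML would not read as a mapping.

# yaml_get FILE KEY -> value of a top-level scalar, quotes stripped.
# Accepts both "KEY: value" and the malformed "KEY:value" so a comparison still runs.
yaml_get() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//' | tr -d "\"'"
}

# yaml_lint FILE -> status 0 if clean; otherwise prints the offending lines and returns 1.
# "DEBUG:false" is one scalar string to a YAML parser, not the key DEBUG with value false.
yaml_lint() {
  ! grep -nE '^[A-Za-z_]+:[^[:space:]]' "$1"
}

# tokens_match CORE_YML KOKO_YML ENV_FILE -> status 0 when all three tokens are identical.
tokens_match() {
  tm_core=$(yaml_get "$1" BOOTSTRAP_TOKEN)
  tm_koko=$(yaml_get "$2" BOOTSTRAP_TOKEN)
  tm_guac=$(sed -n 's/^export BOOTSTRAP_TOKEN=//p' "$3" | tail -n 1 | tr -d "\"'")
  [ -n "$tm_core" ] && [ "$tm_core" = "$tm_koko" ] && [ "$tm_core" = "$tm_guac" ]
}

# check_install CORE_YML KOKO_YML ENV_FILE -> runs both checks, status 1 on any finding.
check_install() {
  ci_rc=0
  for ci_f in "$1" "$2"; do
    yaml_lint "$ci_f" || { echo "malformed key/value lines in $ci_f (shown above)"; ci_rc=1; }
  done
  tokens_match "$1" "$2" "$3" || { echo "BOOTSTRAP_TOKEN differs between $1, $2 and $3"; ci_rc=1; }
  return $ci_rc
}

# make_samples DIR -> writes constructed sample configs (tokens are placeholders, not real values).
make_samples() {
  mkdir -p "$1"
  printf '%s\n' 'SECRET_KEY: PLACEHOLDER-SECRET' 'BOOTSTRAP_TOKEN: PLACEHOLDER-TOKEN' 'DEBUG: false' >"$1/core.yml"
  printf '%s\n' 'CORE_HOST: http://127.0.0.1:8080' 'BOOTSTRAP_TOKEN: PLACEHOLDER-TOKEN' >"$1/koko.yml"
  printf '%s\n' 'export JUMPSERVER_SERVER=http://127.0.0.1:8080' 'export BOOTSTRAP_TOKEN=PLACEHOLDER-TOKEN' >"$1/guac.env"
  # A broken Core config: no space after the colons and a token that differs from koko's.
  printf '%s\n' 'BOOTSTRAP_TOKEN:OTHER-TOKEN' 'DEBUG:false' >"$1/core_bad.yml"
}

# Check the live install when it is present, otherwise demonstrate on the samples.
if [ -f /opt/jumpserver/config.yml ] && [ -f /opt/koko/config.yml ]; then
  check_install /opt/jumpserver/config.yml /opt/koko/config.yml "$HOME/.bashrc" && echo "configs consistent"
else
  demo_dir=$(mktemp -d)
  make_samples "$demo_dir"
  check_install "$demo_dir/core.yml" "$demo_dir/koko.yml" "$demo_dir/guac.env" && echo "sample set: consistent"
  check_install "$demo_dir/core_bad.yml" "$demo_dir/koko.yml" "$demo_dir/guac.env" || echo "broken sample: rejected"
  rm -rf "$demo_dir"
fi
```

Run it after all three components have been started; a non-zero exit from check_install means either a token mismatch (koko and guacamole will fail to register with Core) or a config.yml line that Core will not parse as intended.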

cd /opt && wget https://github.com/jumpserver/lina/releases/download/v2.0.2/lina-v2.0.2.tar.gz
tar -xzvf lina-v2.0.2.tar.gz
mv lina-v2.0.2 lina
# Luna, the web terminal front end served at /luna/ by nginx below, is fetched the same way
cd /opt && wget https://github.com/jumpserver/luna/releases/download/v2.0.2/luna-v2.0.2.tar.gz
tar -xzvf luna-v2.0.2.tar.gz
mv luna-v2.0.2 luna

Install Nginx:

cat /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

yum -y install nginx
chown -R nginx.nginx luna lina

echo >/etc/nginx/conf.d/default.conf

cat /etc/nginx/conf.d/jumpserver.conf
server {
    listen 80;
    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recordings; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}

nginx -t
systemctl enable nginx
systemctl restart nginx
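Once nginx is up, the quickest way to see whether the chain above is complete is to confirm that every upstream jumpserver.conf proxies to is actually listening, and that the internal ones are not also reachable from outside (config.yml above binds Core to 0.0.0.0). The script below is an added example, not from the original post or the JumpServer project. Ports 80, 8080, 8070, 5000 and 8081 come from the nginx config above and 3306/6379 from config.yml; 4822 (guacd's default port) and 2222 (koko's default SSH port) are assumptions, since the page does not state them. It parses `ss -lnt` output and falls back to a constructed sample when `ss` is not available.

```sh
#!/bin/sh
# Added example (not from the original post or the JumpServer project):
# verify the listeners behind the nginx config above from `ss -lnt` output.

# Ports taken from jumpserver.conf and config.yml above. 4822 (guacd default) and
# 2222 (koko's default SSH port) are assumptions; the page does not state them.
EXPECTED_PORTS="80 8080 8070 5000 8081 4822 2222 3306 6379"
# Upstreams that nginx fronts; they only need to listen on loopback.
INTERNAL_PORTS="8080 8070 5000 8081 4822"

# listening_ports SS_OUTPUT -> one local port per line for every LISTEN socket.
# Column 4 of `ss -lnt` is Local Address:Port; the port follows the last ':'.
listening_ports() {
  printf '%s\n' "$1" | awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# missing_ports SS_OUTPUT PORT... -> prints each listed port that has no LISTEN socket.
missing_ports() {
  mp_listen=$(listening_ports "$1"); shift
  for mp_p in "$@"; do
    printf '%s\n' "$mp_listen" | grep -qx "$mp_p" || echo "$mp_p"
  done
}

# exposed_upstreams SS_OUTPUT PORT... -> prints each listed port bound to a non-loopback address.
exposed_upstreams() {
  eu_out=$1; shift
  for eu_p in "$@"; do
    printf '%s\n' "$eu_out" | awk -v port="$eu_p" '
      $1 == "LISTEN" {
        n = split($4, a, ":"); addr = $4; sub(":" a[n] "$", "", addr)
        if (a[n] == port && addr != "127.0.0.1" && addr != "[::1]") print port
      }'
  done
}

# Constructed `ss -lnt` sample: koko (5000, 2222) and guacd (4822) are down,
# and tomcat (8081) listens on every interface instead of loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    127.0.0.1:8070      0.0.0.0:*
LISTEN 0      100    [::]:8081           [::]:*
LISTEN 0      50     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*'

# Use the live socket table when ss exists, otherwise the sample above.
if command -v ss >/dev/null 2>&1; then
  SS_OUT=$(ss -lnt)
else
  SS_OUT=$SAMPLE_SS
fi
missing=$(missing_ports "$SS_OUT" $EXPECTED_PORTS)
exposed=$(exposed_upstreams "$SS_OUT" $INTERNAL_PORTS)
[ -z "$missing" ] && echo "all expected ports are listening" || echo "not listening: $(echo $missing)"
[ -z "$exposed" ] || echo "internal upstreams bound beyond loopback: $(echo $exposed)"
```

A port reported as missing points at the component that has not started (5000 and 2222 are koko, 8081 is tomcat, 4822 is guacd, 8080/8070 are Core); a port reported as exposed is one that the firewall disabled in the init script would otherwise have hidden, so either bind it to 127.0.0.1 or re-enable a host firewall that admits only 80.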

mysql -uroot -p
MySQL [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)

MySQL [(none)]> grant all on jumpserver.* to 'jumpserver'@'localhost' identified by '123456';
Query OK, 0 rows affected, 1 warning (0.00 sec)

MySQL [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

cat /opt/jumpserver/config.py
# These Python settings duplicate the DB_* entries in config.yml above; keep the two in agreement
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123456'
    DB_NAME = 'jumpserver'

config = DevelopmentConfig()

cd /opt/jumpserver/utils/ && bash make_migrations.sh

python /opt/jumpserver/run_server.py all


Default username/password: admin/admin; this is only the JumpServer web
