Jumpserver introduction
Jumpserver core function list
Jumpserver environment requirements
Jumpserver deployment
Install Redis
Install MariaDB
Modify the Jumpserver configuration file
Start Jumpserver
Test access
Jumpserver plugin installation
Koko component deployment
Luna component deployment
Guacamole component deployment
Configure Nginx to integrate the components
Jumpserver introduction
Official site: www.jumpserver.org
Jumpserver is the world's first fully open-source bastion host. It is released under the GNU GPL v2.0 license and is a professional 4A-compliant security audit system.
Jumpserver is developed in Python/Django and follows Web 2.0 conventions. It uses a distributed architecture, supports multi-datacenter cross-region deployment and horizontal scaling, and has no limit on the number of assets or concurrent sessions.
Jumpserver currently supports assets using the SSH, Telnet, RDP and VNC protocols.
Jumpserver core function list
Authentication
Account management
Authorization
Audit
Asset management (CMDB)
Jumpserver environment requirements
Hardware: 2 CPU cores, 4 GB RAM, 50 GB disk (minimum)
Operating system: Linux distribution, x86_64
Python = 3.6.x
MySQL Server >= 5.6
MariaDB Server >= 5.5.56
Redis
Jumpserver deployment
1. Install the dependencies
yum install wget gcc-c++ epel-release git -y
2. Install python36
[root@Jumpserver ~]# yum install python36.x86_64 python36-devel.x86_64 -y
[root@Jumpserver ~]# python36 -V
Python 3.6.8
3. Create a Python virtual environment
[root@Jumpserver ~]# python36 -m venv /opt/py3
4. Load the Python 3 virtual environment
Every time you work on Jumpserver you must load the py3 virtual environment with the command below.
Seeing the prompt shown below means you have entered the virtual environment. From now on, run the source command above before running Jumpserver; all commands that follow are run inside the virtual environment.
[root@Jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@Jumpserver ~]#
# load the Python virtual environment automatically when entering the jumpserver directory, so the source command is not needed every time
(py3) [root@Jumpserver ~]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
5. Get the Jumpserver code
(py3) [root@Jumpserver ~]# cd /opt/
(py3) [root@Jumpserver opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
Cloning into 'jumpserver'...
remote: Enumerating objects: 1156, done.
remote: Counting objects: 100% (1156/1156), done.
remote: Compressing objects: 100% (1028/1028), done.
remote: Total 1156 (delta 193), reused 632 (delta 64), pack-reused 0
Receiving objects: 100% (1156/1156), 6.96 MiB | 13.00 KiB/s, done.
Resolving deltas: 100% (193/193), done.
6. Install the Jumpserver dependency RPM packages
(py3) [root@Jumpserver opt]# cd /opt/jumpserver/requirements/
(py3) [root@Jumpserver requirements]# yum install $(cat rpm_requirements.txt) -y
(py3) [root@Jumpserver requirements]# pip install --upgrade pip
(py3) [root@Jumpserver requirements]# pip install -r requirements.txt
Install Redis
Jumpserver requires Redis.
It can be installed with yum or compiled from source; here I compile Redis from source.
1. Install Redis
[root@Jumpserver src]# wget http://download.redis.io/releases/redis-5.0.5.tar.gz
# extract the source tree and enter it
[root@Jumpserver src]# tar xf redis-5.0.5.tar.gz && cd redis-5.0.5
[root@Jumpserver redis-5.0.5]# make
[root@Jumpserver redis-5.0.5]# cd src/
[root@Jumpserver src]# make install PREFIX=/usr/local/redis
[root@Jumpserver src]# mkdir /usr/local/redis/etc
[root@Jumpserver src]# cd /usr/local/src/redis-5.0.5
[root@Jumpserver redis-5.0.5]# cp -rf redis.conf /usr/local/redis/etc/
2. Edit the configuration file
cat << EOF > /usr/local/redis/etc/redis.conf
daemonize yes
port 6379
bind <IP address>
protected-mode yes
pidfile "/usr/local/redis/run/redis.pid"
loglevel notice
logfile "/usr/local/redis/logs/redis.log"
save 900 1
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir "/usr/local/redis/data/rdb/"
timeout 0
tcp-keepalive 300
EOF
3. Create the directories and start Redis
# create the pid file directory, the log directory and the Redis persistence directory
[root@Jumpserver redis-5.0.5]# mkdir -p /usr/local/redis/{run,logs}
[root@Jumpserver redis-5.0.5]# mkdir -p /usr/local/redis/data/rdb/
# start Redis
[root@Jumpserver redis-5.0.5]# /usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf
Install MariaDB
Jumpserver needs a database; you can choose either MySQL or MariaDB. The MariaDB version must be >= 5.56 and the MySQL version must be >= 5.6.
Here I deploy MariaDB with yum.
1. Check that the MariaDB version meets the requirement
2. Install MariaDB
[root@Jumpserver /]# yum install mariadb.x86_64 mariadb-devel.x86_64 mariadb-server.x86_64 -y
3. Start MariaDB
[root@Jumpserver /]# systemctl enable mariadb
[root@Jumpserver /]# systemctl start mariadb
4. Change the MariaDB root password
[root@Jumpserver /]# mysql -uroot -p
Enter password:     # on the first connection just press Enter
MariaDB [(none)]> set password for 'root'@localhost=password('xxxxxxxx');
MariaDB [(none)]> flush privileges;
5. Create the jumpserver database and grant privileges
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'xxxxxxxx';
MariaDB [(none)]> flush privileges;
Modify the Jumpserver configuration file
[root@Jumpserver /]# cp -rf /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml
[root@Jumpserver /]# grep -Ev "#|^$" /opt/jumpserver/config.yml
SECRET_KEY: PwbiQAk0sQCStkR7FwauW3bYCBwJUqPEI4iVs6xyYczfEOWtH       # encryption key; can be generated with the command given in the config file
BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver.                   # pre-shared token used by coco and guacamole to register their service accounts, replacing the old registration-approval mechanism
DB_ENGINE: mysql                                                    # use a MySQL database
DB_HOST: 127.0.0.1                                                  # database host
DB_PORT: 3306                                                       # database port
DB_USER: jumpserver                                                 # database user
DB_PASSWORD: xxxxxxxx                                               # database password
DB_NAME: jumpserver                                                 # database name
HTTP_BIND_HOST: 0.0.0.0                                             # address Jumpserver binds to; 0.0.0.0 means all addresses
HTTP_LISTEN_PORT: 8080                                              # port Jumpserver listens on
REDIS_HOST: xxx.xxx.xx.xxx                                          # address of the Redis host Jumpserver connects to
REDIS_PORT: 6379                                                    # port of the Redis host Jumpserver connects to
Start Jumpserver
# make sure the py3 virtual environment is active before starting Jumpserver; the -d option starts it in the background
[root@Jumpserver jumpserver]# source /opt/py3/bin/activate
(py3) [root@Jumpserver jumpserver]# cd /opt/jumpserver/
(py3) [root@Jumpserver jumpserver]# ./jms start -d
Test access
Access URL: http://xxxxx:8080/auth/login/?next=/
Default credentials: admin/admin
The interface after a successful login looks quite good.
Jumpserver plugin installation
Jumpserver is already powerful on its own, but the following components make it even better.
The components are:
Coco: Coco is the SSH Server and Web Terminal Server. Users log in to SSH or the Web Terminal with their own accounts and directly access the assets they are authorized for, without needing to know the server's account and password. Coco has now been replaced by Koko.
Luna: Luna is the front-end page of the Web Terminal Server, the plugin users need when logging in through the Web Terminal.
Guacamole: Guacamole is the Windows component; users connect to Windows assets through the Web Terminal (for now Windows assets can only be accessed through the Web Terminal).
The ports each component listens on are as follows:
Jumpserver: 8080/tcp
Redis: 6379/tcp
MySQL/MariaDB: 3306/tcp
Nginx: 80/tcp
Koko: SSH on 2222/tcp, Web Terminal on 5000/tcp
Guacamole: 8081/tcp
1. Koko component deployment
[root@Jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@Jumpserver ~]# cd /opt/
(py3) [root@Jumpserver opt]# wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-6d4e69b-linux-amd64.tar.gz
(py3) [root@Jumpserver opt]# tar xf koko-master-6d4e69b-linux-amd64.tar.gz
(py3) [root@Jumpserver opt]# chown -R root:root kokodir
2. Edit the Koko configuration file
(py3) [root@Jumpserver opt]# cd kokodir/
(py3) [root@Jumpserver kokodir]# cp -rf config_example.yml config.yml
# the Koko configuration file is as follows:
(py3) [root@Jumpserver kokodir]# grep -Ev "#|^$" /opt/kokodir/config.yml
CORE_HOST: http://127.0.0.1:8080                            # URL of the Jumpserver project, used for the API registration request
BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver.           # Bootstrap Token, the pre-shared key used to register the service account and terminal that coco uses; keep it identical to BOOTSTRAP_TOKEN in the Jumpserver config file; it can be removed once registration is complete
3. Start Koko
# restart Jumpserver first
(py3) [root@Jumpserver jumpserver]# ./jms restart
# start koko in the foreground first; once it runs cleanly, start it in the background with nohup ... &
(py3) [root@Jumpserver kokodir]# nohup ./koko &
# check the koko process
(py3) [root@Jumpserver kokodir]# ps -ef|grep koko
root     24694 23736  0 04:44 pts/1    00:00:00 ./koko
root     24734 23736  0 04:45 pts/1    00:00:00 grep --color=auto koko
(py3) [root@Jumpserver kokodir]# ss -anplt | grep koko
LISTEN     0      128         :::5000                    :::*                   users:(("koko",pid=24694,fd=7))
LISTEN     0      128         :::2222                    :::*                   users:(("koko",pid=24694,fd=8))
Luna component deployment
(py3) [root@Jumpserver /]# cd /opt/
(py3) [root@Jumpserver opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
(py3) [root@Jumpserver opt]# tar xf luna.tar.gz
(py3) [root@Jumpserver opt]# chown -R root:root luna
Guacamole component deployment
Guacamole is deployed here with Docker.
1. Install Docker
1) Remove old versions of Docker
yum remove docker \
                  docker-common \
                  docker-selinux \
                  docker-engine
2) Set up the yum repository
yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
3) Install the docker-ce version
yum list docker-ce --showduplicates | sort -r    # list the available Docker versions
yum install docker-ce-18.06.3.ce -y              # install the latest version
4) Configure a registry mirror to speed up docker pull
mkdir /etc/docker
vim /etc/docker/daemon.json
{
 "registry-mirrors": ["http://hub-mirror.c.163.com"]
}
5) Start Docker
systemctl start docker
systemctl enable docker
2. Start Guacamole with Docker
docker run --name jms_guacamole -d -p 127.0.0.1:8081:8081 \
-e JUMPSERVER_SERVER=http://127.0.0.1:8080 \
-e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver \
jumpserver/jms_guacamole:1.5.2
Parameter explanation:
docker run: start a container
--name: set the container name
-d: run the container in the background
-p 127.0.0.1:8081:8081: map container port 8081 to port 8081 on the host, listening only on 127.0.0.1
-e: set an environment variable
-e JUMPSERVER_SERVER=http://127.0.0.1:8080: set the variable JUMPSERVER_SERVER to http://127.0.0.1:8080
-e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver: set the variable BOOTSTRAP_TOKEN to PleasgeChangeSameWithJumpserver; it must be identical to the BOOTSTRAP_TOKEN in the Jumpserver config file
jumpserver/jms_guacamole:1.5.2: name and version of the image to pull
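The same BOOTSTRAP_TOKEN has to appear in Jumpserver's config.yml, Koko's config.yml and the jms_guacamole docker run line, and it must be changed from the example value. The following added script (not part of the original post or of the Jumpserver project) extracts the token from each of the three places and compares them; the sample files it writes are constructed and reproduce the values exactly as they appear in this post, trailing period included.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): cross-check the BOOTSTRAP_TOKEN that
# Jumpserver's config.yml, Koko's config.yml and the jms_guacamole container must share,
# and flag a token that is still one of the sample-file defaults.
set -u

# Read "KEY: value" from a YAML-style config file (first match wins).
yaml_value() {            # yaml_value <file> <KEY>
    grep -E "^[[:space:]]*$2:" "$1" | head -n1 \
        | sed -E "s/^[[:space:]]*$2:[[:space:]]*//; s/[[:space:]]+\$//"
}

# Read the value passed as "-e KEY=value" on a saved docker run command line.
docker_env_value() {      # docker_env_value <file> <KEY>
    grep -oE -- "-e[[:space:]]+$2=[^[:space:]]+" "$1" | head -n1 \
        | sed -E "s/^-e[[:space:]]+$2=//"
}

# 0 if every argument is identical and non-empty, 1 otherwise.
tokens_consistent() {
    local first="$1" t
    [ -n "$first" ] || return 1
    for t in "$@"; do [ "$t" = "$first" ] || return 1; done
    return 0
}

# 0 if the token is still a placeholder from the example files and must be replaced.
is_default_token() {
    case "$1" in
        ""|PleaseChangeSameWithJumpserver*|PleasgeChangeSameWithJumpserver*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files reproducing the three places the token appears on this page.
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
printf 'BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver.\nDB_HOST: 127.0.0.1\n' > "$demo_dir/jms.yml"
printf 'CORE_HOST: http://127.0.0.1:8080\nBOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver.\n' > "$demo_dir/koko.yml"
printf 'docker run --name jms_guacamole -d \\\n -e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver \\\n jumpserver/jms_guacamole:1.5.2\n' > "$demo_dir/guac.sh"

check_demo() {
    local a b c
    a=$(yaml_value "$demo_dir/jms.yml" BOOTSTRAP_TOKEN)
    b=$(yaml_value "$demo_dir/koko.yml" BOOTSTRAP_TOKEN)
    c=$(docker_env_value "$demo_dir/guac.sh" BOOTSTRAP_TOKEN)
    if tokens_consistent "$a" "$b" "$c"; then echo "tokens match"; else echo "MISMATCH: jms='$a' koko='$b' guacamole='$c'"; fi
    if is_default_token "$a"; then echo "WARNING: BOOTSTRAP_TOKEN is still an example value; generate a random one"; fi
    return 0
}
check_demo
```

On a real host, point the three functions at /opt/jumpserver/config.yml, /opt/kokodir/config.yml and the file holding your docker run command instead of the constructed samples.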
Configure Nginx to integrate the components
1. Install Nginx
1) Prepare the build environment
[root@Jumpserver ~]# yum install gcc-c++ libtool pcre-devel openssl-devel zlib-devel -y
[root@Jumpserver ~]# useradd -d /home/nginx -M -s /sbin/nologin nginx
[root@Jumpserver ~]# id nginx
uid=1001(nginx) gid=1001(nginx) groups=1001(nginx)
2) Download and install Nginx
[root@Jumpserver ~]# cd /usr/local/src/
[root@Jumpserver src]# wget http://nginx.org/download/nginx-1.15.10.tar.gz
[root@Jumpserver src]# tar xf nginx-1.15.10.tar.gz -C /usr/local/src/
[root@Jumpserver src]# cd /usr/local/src/nginx-1.15.10
[root@Jumpserver nginx-1.15.10]# ./configure --prefix=/usr/local/nginx \
--sbin-path=/usr/local/nginx/sbin/nginx \
--conf-path=/usr/local/nginx/conf/nginx.conf \
--pid-path=/usr/local/nginx/logs/nginx.pid \
--error-log-path=/usr/local/nginx/logs/error.log \
--http-log-path=/usr/local/nginx/logs/access.log \
--with-pcre \
--user=nginx \
--group=nginx \
--with-file-aio \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_v2_module \
--with-threads \
--with-http_realip_module \
--with-http_ssl_module
[root@Jumpserver nginx-1.15.10]# make && make install
[root@Jumpserver nginx-1.15.10]# echo $?
0
2. Configure Nginx
[root@Jumpserver /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.defaults
[root@Jumpserver /]# vim /usr/local/nginx/conf/nginx.conf
# global settings
user  nginx nginx;
worker_processes  auto;
error_log logs/error.log info;
pid logs/nginx.pid;
worker_rlimit_nofile 65535;
events {
    use epoll;
    worker_connections  65535;
    multi_accept on;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    charset utf-8;
    server_tokens off;
# Nginx buffer settings
    client_header_buffer_size 4096;
    large_client_header_buffers 4 128k;
    client_header_timeout 15;
    client_body_timeout 15;
    send_timeout 65;
    client_max_body_size 10m;
    open_file_cache max=65535 inactive=60s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    open_file_cache_errors on;
    server_names_hash_bucket_size 128;
# Nginx access log format
    log_format  main  '$remote_addr" "$remote_user" "[$time_local]" "$request"'
                      ' "$status" "$body_bytes_sent" "$http_referer"'
                      ' "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'
                      ' "$upstream_addr" "$request_time" "$upstream_response_time" "$http_host"';
    access_log  logs/access.log  main;
# network connection settings
    sendfile        on;
    autoindex       on;
    tcp_nopush      on;
    tcp_nodelay     on;
    keepalive_timeout  65;
    types_hash_max_size 2048;
    reset_timedout_connection on;
# compression settings
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 16 64K;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript text/css application/xml application/javascript;
    gzip_vary on;
    gzip_proxied any;
    underscores_in_headers on;
    proxy_ignore_client_abort on;
    include /usr/local/nginx/conf/conf.d/*.conf;
}
3. Create the Nginx site file and integrate the components
[root@Jumpserver /]# mkdir /usr/local/nginx/conf/conf.d
[root@Jumpserver /]# vim /usr/local/nginx/conf/conf.d/jumpserver.conf
server {
    listen 80;
    client_max_body_size 100m;          # size limit for recordings and file uploads
    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;               # luna path; change this if the install directory changes
    }
    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;     # recording location; change this if the install directory changes
    }
    location /static/ {
        root /opt/jumpserver/data/;     # static assets; change this if the install directory changes
    }
    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /coco/ {
        proxy_pass       http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
4. Check the configuration and start Nginx
[root@Jumpserver /]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@Jumpserver /]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
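With Nginx fronting every component, only port 80 (and Koko's SSH port 2222) need to be reachable from outside; the other ports in the component table above can stay on loopback, as the Guacamole container already does with -p 127.0.0.1:8081:8081. The following added script (not from the original post or the Jumpserver project) parses `ss -anplt` output and reports component ports bound to all interfaces; the sample output it uses is constructed, modelled on the Koko `ss` listing shown earlier.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): parse `ss -anplt` output and report which
# Jumpserver component ports are bound to all interfaces instead of loopback.
set -u

# Ports from the component table on this page. Only Nginx (80) and Koko SSH (2222)
# need to be reachable from outside; the rest are fronted by the Nginx reverse proxy.
EXPECTED_PUBLIC="80 2222"
COMPONENT_PORTS="8080 6379 3306 80 2222 5000 8081"

# Print "<port> <bind address>" for every LISTEN line of ss output read on stdin.
listeners() {
    awk '$1 == "LISTEN" {
        addr = $4; n = split(addr, p, ":"); port = p[n];
        host = substr(addr, 1, length(addr) - length(port) - 1);
        print port, host }'
}

# Wildcard bind addresses as ss prints them for IPv4 and IPv6.
is_wildcard() { case "$1" in 0.0.0.0|"*"|"::"|"[::]") return 0 ;; *) return 1 ;; esac; }

# Read ss output on stdin; print one line per component port that is exposed on all
# interfaces without being meant to be public. Returns 0 when nothing unexpected is exposed.
exposed_component_ports() {
    local out port host found=0
    out=$(listeners)
    while read -r port host; do
        case " $COMPONENT_PORTS " in *" $port "*) ;; *) continue ;; esac
        case " $EXPECTED_PUBLIC " in *" $port "*) continue ;; esac
        if is_wildcard "$host"; then
            echo "port $port bound to $host (expected 127.0.0.1)"; found=1
        fi
    done <<< "$out"
    return $found
}

# Constructed sample, modelled on the ss output shown for Koko on this page.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    :::5000             :::*      users:(("koko",pid=24694,fd=7))
LISTEN 0      128    :::2222             :::*      users:(("koko",pid=24694,fd=8))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:* users:(("gunicorn",pid=1,fd=5))
LISTEN 0      128    127.0.0.1:8081      0.0.0.0:* users:(("docker-proxy",pid=2,fd=4))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:* users:(("mysqld",pid=3,fd=13))
LISTEN 0      128    *:80                *:*       users:(("nginx",pid=4,fd=6))'

printf '%s\n' "$SAMPLE_SS" | exposed_component_ports || echo "review the listeners above"
```

On the real host, replace the sample with `ss -anplt | exposed_component_ports`; binding Jumpserver's HTTP_BIND_HOST to 127.0.0.1 and Koko's web port to loopback is what makes the report come back empty.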
5. Enter the URL and log in
http://IP
Default credentials: admin/admin