1.Jumpserver介绍
Jumpserver 是全球首款完全开源的堡垒机,使用 GNU GPL v2.0 开源协议,是符合 4A 的运维安全审计系统。
Jumpserver 使用 Python / Django 进行开发,遵循 Web 2.0 规范,配备了业界领先的 Web Terminal 解决方案,交互界面美观、用户体验好。
Jumpserver 采纳分布式架构,支持多机房跨区域部署,支持横向扩展,无资产数量及并发限制。
核心功能列表
身份验证 登录认证 资源统一登录和认证 LDAP认证 支持OpenID,实现单点登录 多因子认证 MFA(Google Authenticator) 账号管理 集中账号管理 系统用户管理 管理用户管理 统一密码管理 资产密码托管 自动生成密码 密码自动推送 密码过期设置 批量密码变更(X-PACK) 定期批量修改密码 生成随机密码 多云环境的资产纳管(X-PACK) 对私有云、公有云资产统一纳管 授权控制 资产授权管理 资产树 资产或资产组灵活授权 节点内资产自动继承授权 RemoteApp(X-PACK) 实现更细粒度的应用级授权 组织管理(X-PACK) 实现多租户管理,权限隔离 多维度授权 可对用户、用户组或系统角色授权 指令限制 限制特权指令使用,支持黑白名单 统一文件传输 - SFTP 文件上传/下载 文件管理 Web SFTP 文件管理 安全审计 会话管理 在线会话管理 历史会话管理 录像管理 Linux录像支持 Windows录像支持 指令审计 指令记录 文件传输审计 上传/下载记录审计
2 Jumpserver部署
2.1关闭防火墙与SELINUX
[root@localhost ~]# systemctl stop firewalld [root@localhost ~]# systemctl disable firewalld [root@localhost ~]# sed -ri '/^SELINUX/ s/(SELINUX=).*/\1disabled/g' /etc/selinux/config [root@localhost ~]# setenforce 0
2.2 部署环境
[root@localhost ~]# yum clean all [root@localhost ~]# yum makecache [root@localhost ~]# yum -y update [root@localhost ~]# ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime [root@localhost ~]# yum -y install kde-l10n-Chinese [root@localhost ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 [root@localhost ~]# export LC_ALL=zh_CN.UTF-8 [root@localhost ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf [root@localhost ~]# yum -y install wget gcc epel-release git [root@localhost ~]# yum install -y yum-utils device-mapper-persistent-data lvm2 [root@localhost ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo [root@localhost ~]# yum makecache fast [root@localhost ~]# rpm --import https://mirrors.aliyun.com/docker-ce/linux/centos/gpg [root@localhost ~]# echo -e "[nginx-stable]\nname=nginx stable repo\nbaseurl=http://nginx.org/packages/centos/\$releasever/\$basearch/\ngpgcheck=1\nenabled=1\ngpgkey=https://nginx.org/keys/nginx_signing.key" > /etc/yum.repos.d/nginx.repo [root@localhost ~]# rpm --import https://nginx.org/keys/nginx_signing.key [root@localhost ~]# yum -y install redis mariadb mariadb-devel mariadb-server MariaDB-shared nginx docker-ce [root@localhost ~]# systemctl enable redis mariadb nginx docker [root@localhost ~]# systemctl start redis mariadb [root@localhost ~]# yum -y install python36 python36-devel [root@localhost ~]# python3.6 -m venv /opt/py3
2.3下载组件
[root@localhost ~]# cd /opt/ [root@localhost opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git [root@localhost opt]# wget https://demo.jumpserver.org/download/luna/1.5.2/luna.tar.gz [root@localhost opt]# tar xf luna.tar.gz [root@localhost opt]# chown -R root:root luna [root@localhost opt]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt) [root@localhost opt]# echo -e "[easy_install]\nindex_url = https://mirrors.aliyun.com/pypi/simple/" > ~/.pydistutils.cfg [root@localhost opt]# source /opt/py3/bin/activate (py3) [root@localhost opt]# pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/ (py3) [root@localhost opt]# pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/ (py3) [root@localhost opt]# curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io (py3) [root@localhost opt]# systemctl restart docker (py3) [root@localhost opt]# docker pull jumpserver/jms_koko:1.5.2 (py3) [root@localhost opt]# docker pull jumpserver/jms_guacamole:1.5.2 (py3) [root@localhost opt]# rm -rf /etc/nginx/conf.d/default.conf (py3) [root@localhost opt]# wget -O /etc/nginx/conf.d/jumpserver.conf https://demo.jumpserver.org/download/nginx/conf.d/jumpserver.conf
2.4 处理配置文件
(py3) [root@localhost opt]# source ~/.bashrc
(py3) [root@localhost opt]# DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
(py3) [root@localhost opt]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@localhost opt]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
(py3) [root@localhost opt]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@localhost opt]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
(py3) [root@localhost opt]# Server_IP=`ip addr | grep inet | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" | head -n 1 | cut -d / -f1`
(py3) [root@localhost opt]# mysql -uroot -e "create database jumpserver default charset 'utf8';grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD';flush privileges;"
(py3) [root@localhost opt]# cp /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml
(py3) [root@localhost opt]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@localhost opt]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@localhost opt]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@localhost opt]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@localhost opt]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
(py3) [root@localhost opt]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml2.5启动Jumpserver
(py3) [root@localhost opt]# systemctl start nginx (py3) [root@localhost opt]# cd /opt/jumpserver (py3) [root@localhost jumpserver]# ./jms start -d (py3) [root@localhost jumpserver]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_koko:1.5.2 (py3) [root@localhost jumpserver]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8081 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN --restart=always jumpserver/jms_guacamole:1.5.2 (py3) [root@localhost jumpserver]# echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m" (py3) [root@localhost jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m" (py3) [root@localhost jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m" (py3) [root@localhost jumpserver]# echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m" (py3) [root@localhost jumpserver]# echo -e "\033[31m 请打开浏览器访问 http://$Server_IP 用户名:admin 密码:admin \033[0m"
2.6 配置开机自启
(py3) [root@localhost ~]# wget -O /usr/lib/systemd/system/jms.service https://demo.jumpserver.org/download/shell/centos/jms.service (py3) [root@localhost ~]# chmod 755 /usr/lib/systemd/system/jms.service (py3) [root@localhost ~]# systemctl enable jms
http://www.savh.cn/thread-1250.htm
转载请注明:Savh.Cn 发表
