1. 程式人生 > >開源堡壘機jumpserver搭建

開源堡壘機jumpserver搭建

概述

之前說了國產良心kodexplorer,今天再說一個國內比較好的開源專案jumpserver,除此之外還可以的國內開源專案我覺得就是寶塔面板了。廢話不多說上教程搭建。 雖然說你可以看下面的教程不用聽我瞎扯

http://docs.jumpserver.org/zh/docs/step_by_step.html

雖然說我的教程基本都是複製這個文件的,但是有的地方還是不一樣的

前期初始化

  • 首先關閉selinux

vim /etc/selinux/config

SELINUX=enforcing

改為

SELINUX=disabled

之後

setenforce 0

  • 關閉防火牆

systemctl stop firewalld

systemctl disable firewalld

  • 修改字符集

localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8

export LC_ALL=zh_CN.UTF-8

echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

  • 安裝python3和python編譯的依賴環境

首先安裝變異python3前的依賴環境

yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

之後下載python3編譯安裝

wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz

解壓編譯安裝

tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1 && ./configure && make && make install

  • 建立python的虛擬環境

cd /opt && python3 -m venv py3 && source /opt/py3/bin/activate

  • 自動載入 Python 虛擬環境配置

這個是為了讓你進入jumpserver這個資料夾的時候可以自動載入環境變數

cd /opt && git clone git://github.com/kennethreitz/autoenv.git && echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc && source ~/.bashrc

安裝jumpserver

  • clone專案

cd /opt/ && git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master && echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env

之後進入jumpserver這個資料夾會有一個提示你輸入y就好,這樣之後每次進入這個資料夾就會自動匯入py3的環境變數

  • 安裝rpm包的依賴

cd /opt/jumpserver/requirements && yum -y install $(cat rpm_requirements.txt)

  • 安裝python依賴

pip install -r requirements.txt -i https://pypi.douban.com/simple/

  • 安裝 Redis, Jumpserver 使用 Redis 做 cache 和 celery broke

yum -y install redis && systemctl enable redis && systemctl start redis

  • 安裝mariadb

yum -y install mariadb mariadb-devel mariadb-server && systemctl enable mariadb && systemctl start mariadb

  • 設定mariadb的root密碼

執行mysql_secure_installation之後按照流程走就好了

[[email protected] ~]# mysql_secure_installation 

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password: 
Re-enter new password: 
Sorry, passwords do not match.

New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
 ... skipping.

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
  • 建立資料庫 Jumpserver 並授權
[[email protected] ~]# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'%' identified by '你的密碼';
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> 
  • 修改 Jumpserver 配置檔案

cd /opt/jumpserver && cp config_example.py config.py && vi config.py

下面是我的配置檔案

"""
    jumpserver.config
    ~~~~~~~~~~~~~~~~~

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    # Use it to encrypt or decrypt data
    # SECURITY WARNING: keep the secret key used in production secret!
# 這個不用動,讓他預設就好
    SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'

    # Django security setting, if your disable debug model, you should setting that
    ALLOWED_HOSTS = ['*']


# 關閉debug模式,因為之後我們要安裝nginx做代理的
    # Development env open this, when error occur display the full process track, Production disable it
    DEBUG = os.environ.get("DEBUG") or False

# 日誌級別變成警告就好,不然日誌太多
    # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
    LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'WARNING'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # Database setting, Support sqlite3, mysql, postgres ....
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # SQLite setting:
    #DB_ENGINE = 'sqlite3'
    #DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # MySQL or postgres setting like:
    # DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    # DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    # DB_PORT = os.environ.get("DB_PORT") or 3306
    # DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    # DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
    # DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

# 資料庫設定,因為我們使用的是mysql
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or '你的密碼'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'


    # When Django start it will bind this host and port
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Use Redis as broker for celery and web socket
    REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
    REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
    REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
    REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
    REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()

下面是官方的配置檔案,可以做個參考

"""
    jumpserver.config
    ~~~~~~~~~~~~~~~~~

    Jumpserver project setting file

    :copyright: (c) 2014-2017 by Jumpserver Team
    :license: GPL v2, see LICENSE for more details.
"""
import os

BASE_DIR = os.path.dirname(os.path.abspath(__file__))


class Config:
    # Use it to encrypt or decrypt data

    # Jumpserver 使用 SECRET_KEY 進行加密,請務必修改以下設定
    # SECRET_KEY = os.environ.get('SECRET_KEY') or '2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x'
    SECRET_KEY = '請隨意輸入隨機字串(推薦字元大於等於 50位)'

    # Django security setting, if your disable debug model, you should setting that
    ALLOWED_HOSTS = ['*']

    # DEBUG 模式 True為開啟 False為關閉,預設開啟,生產環境推薦關閉
    # 注意:如果設定了DEBUG = False,訪問8080埠頁面會顯示不正常,需要搭建 nginx 代理才可以正常訪問
    DEBUG = os.environ.get("DEBUG") or True

    # 日誌級別,預設為DEBUG,可調整為INFO, WARNING, ERROR, CRITICAL,預設INFO
    LOG_LEVEL = os.environ.get("LOG_LEVEL") or 'WARNING'
    LOG_DIR = os.path.join(BASE_DIR, 'logs')

    # 使用的資料庫配置,支援sqlite3, mysql, postgres等,預設使用sqlite3
    # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

    # 預設使用SQLite3,如果使用其他資料庫請註釋下面兩行
    # DB_ENGINE = 'sqlite3'
    # DB_NAME = os.path.join(BASE_DIR, 'data', 'db.sqlite3')

    # 如果需要使用mysql或postgres,請取消下面的註釋並輸入正確的資訊,本例使用mysql做演示(mariadb也是mysql)
    DB_ENGINE = os.environ.get("DB_ENGINE") or 'mysql'
    DB_HOST = os.environ.get("DB_HOST") or '127.0.0.1'
    DB_PORT = os.environ.get("DB_PORT") or 3306
    DB_USER = os.environ.get("DB_USER") or 'jumpserver'
    DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
    DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'

    # Django 監聽的ip和埠,生產環境推薦把0.0.0.0修改成127.0.0.1,這裡的意思是允許x.x.x.x訪問,127.0.0.1表示僅允許自身訪問
    # ./manage.py runserver 127.0.0.1:8080
    HTTP_BIND_HOST = '0.0.0.0'
    HTTP_LISTEN_PORT = 8080

    # Redis 相關設定
    REDIS_HOST = os.environ.get("REDIS_HOST") or '127.0.0.1'
    REDIS_PORT = os.environ.get("REDIS_PORT") or 6379
    REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ''
    REDIS_DB_CELERY = os.environ.get('REDIS_DB') or 3
    REDIS_DB_CACHE = os.environ.get('REDIS_DB') or 4

    def __init__(self):
        pass

    def __getattr__(self, item):
        return None


class DevelopmentConfig(Config):
    pass


class TestConfig(Config):
    pass


class ProductionConfig(Config):
    pass


# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()
  • 生成資料庫表結構和初始化資料

cd /opt/jumpserver/utils && bash make_migrations.sh

執行jumpserver

cd /opt/jumpserver && ./jms start all -d

預設的後臺賬號是admin admin 但是這個時候個人覺得不要去訪問,到最後安裝了nginx再去訪問

安裝 SSH Server 和 WebSocket Server: Coco

  • 下載或 Clone 專案

cd /opt && source /opt/py3/bin/activate && git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master && echo "source /opt/py3/bin/activate" > /opt/coco/.env

同樣首次進入這個coco資料夾也是會有個提示你輸入y就好

  • 安裝依賴

cd /opt/coco/requirements && yum -y install $(cat rpm_requirements.txt) && pip install -r requirements.txt -i https://pypi.douban.com/simple/

  • 修改配置檔案並執行

cd /opt/coco && cp conf_example.py conf.py && vi conf.py

其實上面這個配置檔案沒什麼好修改的,如果要修改可以修改一下日誌級別,其他的自己看著辦

之後執行coco

./cocod start -d

官方文件會讓你在這個時候進入web介面接受什麼註冊,先別管他,直接進行下一步

安裝 Web Terminal 前端: Luna

  • 安裝Luna

cd /opt && wget https://github.com/jumpserver/luna/releases/download/1.4.1/luna.tar.gz && tar xvf luna.tar.gz && chown -R root:root luna

安裝windows支援組建

就是可以管理windows伺服器這樣,官方推薦使用docker了,所以那麼就使用docker映象來安裝就好了

  • 安裝docker

yum install -y yum-utils device-mapper-persistent-data lvm2 && yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo && rpm --import http://mirrors.aliyun.com/docker-ce/linux/centos/gpg && yum makecache fast && yum -y install docker-ce && systemctl start docker && systemctl enable docker && systemctl status docker

  • 啟動 Guacamole

注意下面的jumpserver地址不能寫127.0.0.1,因為是容器執行的所以寫127.0.0.1就是容器本身了,寫宿主機ip或者url就好

docker run --name jms_guacamole -d \
  -p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
  -e JUMPSERVER_KEY_DIR=/config/guacamole/key \
  -e JUMPSERVER_SERVER=http://<填寫jumpserver的url地址> \
  jumpserver/guacamole:latest

之後官方會說讓你去web介面接收什麼註冊先別管他,繼續下一步

配置 Nginx 整合各元件

  • 安裝nginx

yum -y install nginx

  • 配置nginx

首先新建下面這個檔案

vim /etc/nginx/conf.d/jumpserver.conf

輸入

server {
    listen 80;  # 代理埠,以後將通過此埠進行訪問,不再通過8080埠

    client_max_body_size 100m;  # 錄影上傳大小限制

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna 路徑,如果修改安裝目錄,此處需要修改
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # 錄影位置,如果修改安裝目錄,此處需要修改
    }

    location /static/ {
        root /opt/jumpserver/data/;  # 靜態資源,如果修改安裝目錄,此處需要修改
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # 如果coco安裝在別的伺服器,請填寫它的ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;  # 如果guacamole安裝在別的伺服器,請填寫它的ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;  # 如果jumpserver安裝在別的伺服器,請填寫它的ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

儲存退出之後編輯下面這個檔案

vim /etc/nginx/nginx.conf

刪除其中的server欄位,就是下面內容

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

儲存退出

  • 執行nginx

systemctl restart nginx && systemctl enable nginx

開始使用jumpserver

首先檢查各元件是不是正常

cd /opt/jumpserver && ./jms status

cd /opt/coco && ./cocod status

檢視Guacamole是不是正常

docker ps

接著我們瀏覽器訪問伺服器的ip,預設的賬號和密碼都是admin

登陸完成之後我們就可以註冊我們的兩個元件了,點選會話管理->終端管理終端列表裡面有兩行全部點選接受就好

如果沒有的話那麼按照下面的順序重新啟動一下服務

首先關閉所有的服務

cd /opt/jumpserver && ./jms stop all

cd /opt/coco && ./cocod stop

docker stop jms_guacamole

接著按照我的順序啟動服務

cd /opt/jumpserver && ./jms start all -d

尤其要注意這步,一定要確保啟動成功,尤其是配置低的機器很有可能啟動失敗的

cd /opt/jumpserver && ./jms status

cd /opt/coco && ./cocod start -d

docker start jms_guacamole

使用

關於使用我想說的是有兩個概念一個是資產管理中的管理使用者,一個是資產管理中的系統使用者。

什麼是管理使用者,管理使用者其實就是一臺伺服器的root,擁有這臺伺服器的最高許可權,可以在這臺伺服器中建立系統使用者。

什麼是系統使用者,系統使用者就是你想新增到伺服器中的使用者,或者是系統中已經存在的使用者,它可以是root。如果它沒有被建立,那麼jumpserver可以使用使用者推送功能向伺服器中建立使用者

關於資產授權,當你建立完成資產之後這個資產也就是伺服器是不屬於任何使用者的,你必須要建立資產授權,把資產授權給這個使用者才可以讓這個使用者去訪問

關於MFA二次認證,其實就是在登入的時候還要下載一個谷歌驗證器使用裡面的數字登入,就是類似以前的遊戲將軍令

歡迎關注Bboysoul的部落格www.bboysoul.com Have Fun