Jumpserver 部署安装

Jumpserver 部署安装

相信各位对堡垒机（跳板机）不会陌生，为了保证服务器安全，加个堡垒机，所有ssh连接都通过堡垒机来完成，堡垒机也需要有身份认证、授权、访问控制、日志审计等功能。

Jumpserver 是全球首款完全开源的堡垒机, 是符合 4A 的专业运维审计系统。

Jumpserver 使用 Python / Django 进行开发, 采纳分布式架构, 支持多机房跨区域部署, 中心节点提供 API, 各机房部署登录节点, 可横向扩展、无并发访问限制。

Jumpserver 现已支持管理 SSH、 Telnet、 RDP、 VNC 协议资产。

架构图如下：

Jumpserver包含四个组件，各个组件的作用如下： Jumpserver 为管理后台, 管理员可以通过 Web 页面进行资产管理、用户管理、资产授权等操作, 用户可以通过 Web 页面进行资产登录, 文件管理等操作 Coco 为 SSH Server 和 Web Terminal Server 。用户可以使用自己的账户通过 SSH 或者 Web Terminal 访问 SSH 协议和 Telnet 协议资产 Luna 为 Web Terminal Server 前端页面, 用户使用 Web Terminal 方式登录所需要的组件 Guacamole 为 RDP 协议和 VNC 协议资产组件, 用户可以通过 Web Terminal 来连接 RDP 协议和 VNC 协议资产 (暂时只能通过 Web Terminal 来访问)

端口说明

各个组件的监听端口如下： Jumpserver 默认端口为 8080/tcp 配置文件 jumpserver/config.yml Coco 默认 SSH 端口为 2222/tcp, 默认 Web Terminal 端口为 5000/tcp 配置文件在 coco/config.yml Guacamole 默认端口为 8081/tcp, 配置文件 /config/tomcat8/conf/server.xml Nginx 默认端口为 80/tcp Redis 默认端口为 6379/tcp Mysql 默认端口为 3306/tcp

[root@jumpserver ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 [root@jumpserver ~]# export LC_ALL=zh_CN.UTF-8 [root@jumpserver ~]# echo 'LC_ALL=zh_CN.UTF-8' > /etc/locale.conf

二、配置Python 3 环境

[root@jumpserver jumpserver]# wget -O /etc/yum.repos.d/CentOS-Base.repo # 下载所需yum源 [root@jumpserver jumpserver]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git # 安装依赖包 [root@jumpserver /]# mkdir jumpserver # 个人习惯 [root@jumpserver /]# cd jumpserver/ [root@jumpserver jumpserver]# rz # 上传所需软件包 [root@jumpserver jumpserver]# tar xf Python-3.6.1.tar.xz # 解包 [root@jumpserver jumpserver]# cd Python-3.6.1/ [root@jumpserver Python-3.6.1]# ./configure && make && make install # 编译并安装 [root@jumpserver Python-3.6.1]# cd /opt/ [root@jumpserver opt]# python3 -m venv py3 [root@jumpserver opt]# source /opt/py3/bin/activate # 执行脚本进入Python3 环境 #设置自动载入py3虚拟环境（以后只要进入这个目录就是Py3的环境） (py3) [root@jumpserver opt]# cd /jumpserver/ (py3) [root@jumpserver jumpserver]# unzip autoenv.zip -d /opt/ (py3) [root@jumpserver jumpserver]# cd /opt/autoenv (py3) [root@jumpserver autoenv]# echo "source /opt/autoenv/activate.sh" >> /root/.bashrc (py3) [root@jumpserver autoenv]# . ~/.bashrc

三、安装Jumpserver

(py3) [root@jumpserver autoenv]# cd /jumpserver/ (py3) [root@jumpserver jumpserver]# unzip jumpserver.zip -d /opt/ (py3) [root@jumpserver jumpserver]# cd /opt/ (py3) [root@jumpserver opt]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env (py3) [root@jumpserver opt]# cd jumpserver/ autoenv: autoenv: WARNING: autoenv: This is the first time you are about to source /opt/jumpserver/.env: autoenv: autoenv: --- (begin contents) --------------------------------------- autoenv: source /opt/py3/bin/activate$ autoenv: autoenv: --- (end contents) ----------------------------------------- autoenv: autoenv: Are you sure you want to allow this? (y/N) y # 输入Y 自动载入py3 环境 (py3) [root@jumpserver jumpserver]# cd requirements/ (py3) [root@jumpserver requirements]# yum -y install `cat rpm_requirements.txt` (py3) [root@jumpserver requirements]# pip install --upgrade pip (py3) [root@jumpserver requirements]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

四、安装MySQL及Redis

#安装MySQL： (py3) [root@jumpserver requirements]# yum -y install mariadb* (py3) [root@jumpserver requirements]# systemctl start mariadb (py3) [root@jumpserver /]# netstat -anput | grep 3306 tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 21063/mysqld (py3) [root@jumpserver /]# mysqladmin -u root password 123.com (py3) [root@jumpserver /]# mysql -u root -p Enter password: MariaDB [(none)]> create database jumpserver default charset 'utf8'; MariaDB [(none)]> grant all on jumpserver.* to jumpserver@127.0.0.1 identified by '123.com'; MariaDB [(none)]> exit #安装Redis (py3) [root@jumpserver /]# yum -y install redis (py3) [root@jumpserver /]# systemctl start redis (py3) [root@jumpserver /]# netstat -anput | grep 6379 tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 21339/redis-server

五、修改jumpserver配置文件

(py3) [root@jumpserver /]# cd /opt/jumpserver/ (py3) [root@jumpserver jumpserver]# cp config_example.yml config.yml #生成秘钥令牌 (py3) [root@jumpserver jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50` (py3) [root@jumpserver jumpserver]# echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc (py3) [root@jumpserver jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16` (py3) [root@jumpserver jumpserver]# echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc (py3) [root@jumpserver jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml (py3) [root@jumpserver jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml (py3) [root@jumpserver jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml (py3) [root@jumpserver jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml (py3) [root@jumpserver jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: False/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml (py3) [root@jumpserver jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: 123.com/g" /opt/jumpserver/config.yml (py3) [root@jumpserver jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m" 你的SECRET_KEY是 IGbsKK8366vW92hIk8IViTd8npO6Rf2d990jhnNNd3EWU6Kh7E (py3) [root@jumpserver jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m" 你的BOOTSTRAP_TOKEN是 t7SHqC5CKbMmsFVO (py3) [root@jumpserver jumpserver]# egrep -v '^$|^#' config.yml SECRET_KEY: IGbsKK8366vW92hIk8IViTd8npO6Rf2d990jhnNNd3EWU6Kh7E BOOTSTRAP_TOKEN: t7SHqC5CKbMmsFVO DEBUG: false LOG_LEVEL: ERROR DB_ENGINE: mysql DB_HOST: 127.0.0.1 DB_PORT: 3306 DB_USER: jumpserver DB_PASSWORD: 123.com DB_NAME: jumpserver HTTP_BIND_HOST: 0.0.0.0 HTTP_LISTEN_PORT: 8080 REDIS_HOST: 127.0.0.1 REDIS_PORT: 6379 (py3) [root@jumpserver jumpserver]# ./jms start all -d # 启动jumpserver (py3) [root@jumpserver jumpserver]# netstat -anput | grep 8080 tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 78950/python3

六、安装配置coco组件

(py3) [root@jumpserver jumpserver]# cd /jumpserver/ (py3) [root@jumpserver jumpserver]# unzip coco.zip -d /opt/ (py3) [root@jumpserver jumpserver]# cd /opt/ (py3) [root@jumpserver opt]# echo "source /opt/py3/bin/activate" > /opt/coco/.env (py3) [root@jumpserver opt]# cd coco/requirements/ autoenv: autoenv: WARNING: autoenv: This is the first time you are about to source /opt/coco/.env: autoenv: autoenv: --- (begin contents) --------------------------------------- autoenv: source /opt/py3/bin/activate$ autoenv: autoenv: --- (end contents) ----------------------------------------- autoenv: autoenv: Are you sure you want to allow this? (y/N) y (py3) [root@jumpserver requirements]# yum -y install `cat rpm_requirements.txt` (py3) [root@jumpserver requirements]# pip install -r requirements.txt #修改配置文件 (py3) [root@jumpserver requirements]# cd .. (py3) [root@jumpserver coco]# cp config_example.yml config.yml #查看BOOTSTRAP_TOKEN的值 (py3) [root@jumpserver coco]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m" 你的BOOTSTRAP_TOKEN是 t7SHqC5CKbMmsFVO #注意，执行下面的命令时，需要自行修改为自己查看出来的值： (py3) [root@jumpserver coco]# sed -i 's/BOOTSTRAP_TOKEN: /BOOTSTRAP_TOKEN: t7SHqC5CKbMmsFVO/g' config.yml (py3) [root@jumpserver coco]# sed -i 's/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g' config.yml (py3) [root@jumpserver coco]# egrep -v '^$|^#' config.yml CORE_HOST: http://127.0.0.1:8080 BOOTSTRAP_TOKEN: t7SHqC5CKbMmsFVO LOG_LEVEL: ERROR (py3) [root@jumpserver coco]# ./cocod start -d # 后台启动coco

七、安装guacamole及luna这里采用docker容器的方式部署

(py3) [root@jumpserver /]# yum -y install yum-utils device-mapper-persistent-data lvm2 # 安装所需依赖 (py3) [root@jumpserver /]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo (py3) [root@jumpserver /]# yum makecache fast (py3) [root@jumpserver /]# yum -y install docker-ce (py3) [root@jumpserver /]# systemctl start docker (py3) [root@jumpserver /]# docker load --input /jumpserver/guacamole.tar #启动容器 (py3) [root@jumpserver /]# docker run --name jms_guacamole -d -p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key -e JUMPSERVER_KEY_DIR=/config/guacamole/key -e JUMPSERVER_SERVER=jumpserver/guacamole:latest (py3) [root@jumpserver /]# netstat -anput | grep 8081 tcp6 0 0 :::8081 :::* LISTEN 80767/docker-proxy (py3) [root@jumpserver jumpserver]# tar zxf luna.tar.gz -C /opt/ # 解压luna

八、安装Nginx

(py3) [root@jumpserver jumpserver]# tar zxf nginx-1.2.4.tar.gz (py3) [root@jumpserver jumpserver]# cd nginx-1.2.4/ (py3) [root@jumpserver nginx-1.2.4]# ./configure --prefix=/usr/local/nginx && make && make install (py3) [root@jumpserver nginx-1.2.4]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/ (py3) [root@jumpserver nginx-1.2.4]# cd /usr/local/nginx/conf/ (py3) [root@jumpserver conf]# mv nginx.conf nginx.conf.bak (py3) [root@jumpserver conf]# mv /jumpserver/nginx.conf /usr/local/nginx/conf/ (py3) [root@jumpserver conf]# nginx -t # 确认nginx配置无措 nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful (py3) [root@jumpserver conf]# nginx # 启动Nginx

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。