2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Jumpserver introduction
Jumpserver Core feature list
Jumpserver environment requirement
Jumpserver deployment
Install redis
Install Mariadb
Modify Jumpserver configuration file
Start Jumpserver
Test access
Jumpserver plug-in installation
Koko component deployment
Luna component deployment
Guacamole component deployment
Configure Nginx to integrate components
Jumpserver introduction
Official site: www.jumpserver.org
Jumpserver is the world's first fully open-source bastion host (fortress machine). It is released under the GNU GPL v2.0 license and is a 4A-compliant security audit system.
Jumpserver is developed in Python/Django and follows the Web 2.0 specification. It uses a distributed architecture, supports multi-site, cross-region deployment and horizontal scaling, and places no concurrency limit on the number of assets.
Jumpserver currently supports assets using the SSH, Telnet, RDP and VNC protocols.
Jumpserver Core feature list
Authentication
Account management
Authorization control
Security audit
Asset management (CMDB)
Jumpserver environment requirement
Hardware configuration: 2 CPU cores, 4 GB memory, 50 GB disk (minimum)
Operating system: Linux distribution, x86_64
Python = 3.6.x
MySQL Server >= 5.6
Mariadb Server >= 5.5.56
Redis
Jumpserver deployment
1. Install the dependencies
yum install wget gcc-c++ epel-release git -y
2. Install python36
[root@Jumpserver ~]# yum install python36.x86_64 python36-devel.x86_64 -y
[root@Jumpserver ~]# python36 -V
Python 3.6.8
3. Create the python virtual environment
[root@Jumpserver ~]# python36 -m venv /opt/py3
4. Load python3 virtual environment
Every time you operate Jumpserver you need to load the py3 virtual environment with the command below.
The (py3) prefix in the prompt shows that you are inside the virtual environment. Whenever you run Jumpserver later, run this source command first; all of the following commands are run inside the virtual environment.
[root@Jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@Jumpserver ~]#
# Load the python virtual environment automatically when entering the jumpserver directory, so the source command does not have to be typed every time
(py3) [root@Jumpserver ~]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
5. Get the Jumpserver code
(py3) [root@Jumpserver ~]# cd /opt/
(py3) [root@Jumpserver opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
Cloning into 'jumpserver'...
remote: Enumerating objects: 1156, done.
remote: Counting objects: 100% (1156/1156), done.
remote: Compressing objects: 100% (1028/1028), done.
remote: Total 1156 (delta 193), reused 632 (delta 64), pack-reused 0
Receiving objects: 100% (1156/1156), 6.96 MiB | 13.00 KiB/s, done.
Resolving deltas: 100% (193/193), done.
6. Install the RPM packages and Python dependencies that Jumpserver needs
(py3) [root@Jumpserver opt]# cd /opt/jumpserver/requirements/
(py3) [root@Jumpserver requirements]# yum install $(cat rpm_requirements.txt) -y
(py3) [root@Jumpserver requirements]# pip install --upgrade pip
(py3) [root@Jumpserver requirements]# pip install -r requirements.txt
Install redis
Jumpserver requires Redis.
You can install it with yum or compile it from source. Here I compile Redis from source.
1. Install redis
[root@Jumpserver ~]# cd /usr/local/src/
[root@Jumpserver src]# wget http://download.redis.io/releases/redis-5.0.5.tar.gz
[root@Jumpserver src]# tar xf redis-5.0.5.tar.gz
[root@Jumpserver src]# cd redis-5.0.5/
[root@Jumpserver redis-5.0.5]# make
[root@Jumpserver redis-5.0.5]# cd src/
[root@Jumpserver src]# make install PREFIX=/usr/local/redis
[root@Jumpserver src]# mkdir /usr/local/redis/etc
[root@Jumpserver src]# cd /usr/local/src/redis-5.0.5
[root@Jumpserver redis-5.0.5]# cp -rf redis.conf /usr/local/redis/etc/
2. Modify the configuration file
[root@Jumpserver redis-5.0.5]# cat > /usr/local/redis/etc/redis.conf << EOF
daemonize yes
port 6379
bind IP-address                # replace with the address of this host
protected-mode yes
pidfile "/usr/local/redis/run/redis.pid"
loglevel notice
logfile "/usr/local/redis/logs/redis.log"
save 900 1
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir "/usr/local/redis/data/rdb/"
timeout 0
tcp-keepalive 300
EOF
3. Create the directories and start redis
# create the pid file directory, the log directory and the redis persistence directory
[root@Jumpserver redis-5.0.5]# mkdir -p /usr/local/redis/{run,logs}
[root@Jumpserver redis-5.0.5]# mkdir -p /usr/local/redis/data/rdb/
# launch Redis
[root@Jumpserver redis-5.0.5]# /usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf
Install Mariadb
Jumpserver needs a database; you can choose either MySQL or Mariadb. The Mariadb version must be at least 5.5.56 and the MySQL version at least 5.6.
Here I choose to deploy Mariadb with yum.
1. Check whether the Mariadb version conforms to the standard
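The requirement list earlier in the article (Python 3.6.x, MySQL >= 5.6, Mariadb >= 5.5.56, Redis) and this version check are easy to get wrong by eye, so the following shell script is added here as a pre-flight check. It is an added example, not code from the article or the Jumpserver project: it compares dotted version numbers component by component, reduces the banner printed by `mysql -V` to a flavor and version so that MariaDB and MySQL are judged against their own thresholds, and probes Redis with `redis-cli ping`. The function names, the constructed banner lines, and the `REDIS_HOST`/`REDIS_PORT` variables are this example's own assumptions; the redis.conf above binds Redis to the host's address rather than loopback and sets no `requirepass`, so set `REDIS_HOST` to that address and expect a plain PONG.

```bash
#!/bin/sh
# Added example (not from the original article): pre-flight check of the
# Jumpserver requirement list. Thresholds come from the article; the helper
# names and the live probes are this example's own.

# version_ge A B: true when dotted version A is >= B, comparing each numeric
# component in turn ("5.6" vs "5.5.56" compares 5/5, then 6/5 -> greater).
version_ge() {
    a=$1; b=$2; i=1
    while :; do
        ca=$(printf '%s\n' "$a" | awk -F. -v i="$i" '{print $i}' | tr -cd '0-9')
        cb=$(printf '%s\n' "$b" | awk -F. -v i="$i" '{print $i}' | tr -cd '0-9')
        [ -z "$ca" ] && [ -z "$cb" ] && return 0   # ran out of components: equal
        ca=${ca:-0}; cb=${cb:-0}
        [ "$ca" -gt "$cb" ] && return 0
        [ "$ca" -lt "$cb" ] && return 1
        i=$((i + 1))
    done
}

# python_ok VERSION: the article requires Python 3.6.x exactly.
python_ok() {
    case $1 in
        3.6|3.6.*) return 0 ;;
        *)         return 1 ;;
    esac
}

# parse_db_banner LINE: reduce the banner printed by `mysql -V` to
# "<flavor> <version>", e.g. "mariadb 5.5.68" or "mysql 5.7.30".
parse_db_banner() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Distrib \([0-9][0-9.]*\).*/\1/p')
    # newer MySQL clients print "Ver 8.0.x for Linux" without a Distrib field
    [ -n "$ver" ] || ver=$(printf '%s\n' "$1" | sed -n 's/.*Ver \([0-9][0-9.]*\) for .*/\1/p')
    case $1 in
        *MariaDB*) printf 'mariadb %s\n' "$ver" ;;
        *)         printf 'mysql %s\n' "$ver" ;;
    esac
}

# db_ok FLAVOR VERSION: MySQL >= 5.6 or MariaDB >= 5.5.56 (article thresholds).
db_ok() {
    case $1 in
        mysql)   version_ge "$2" 5.6 ;;
        mariadb) version_ge "$2" 5.5.56 ;;
        *)       return 2 ;;
    esac
}

# db_banner_ok LINE: parse the banner and apply the threshold for its flavor.
db_banner_ok() {
    set -- $(parse_db_banner "$1")
    db_ok "$1" "$2"
}

# check_host: run the checks against the live machine; non-zero if any fails.
# REDIS_HOST/REDIS_PORT are this example's variables (default 127.0.0.1:6379).
check_host() {
    rc=0
    py=$(python36 -V 2>&1 | awk '{print $2}')
    if python_ok "$py"; then echo "python36 $py: ok"
    else echo "python36 '$py': need 3.6.x"; rc=1; fi

    banner=$(mysql -V 2>/dev/null || true)
    if db_banner_ok "$banner"; then echo "database: ok ($(parse_db_banner "$banner"))"
    else echo "database: '$banner' does not satisfy MySQL >= 5.6 / MariaDB >= 5.5.56"; rc=1; fi

    # PONG means reachable; a NOAUTH reply means reachable but password-protected
    reply=$(redis-cli -h "${REDIS_HOST:-127.0.0.1}" -p "${REDIS_PORT:-6379}" ping 2>&1 || true)
    case $reply in
        PONG*|*NOAUTH*) echo "redis: reachable ($reply)" ;;
        *)              echo "redis: not reachable ($reply)"; rc=1 ;;
    esac
    return $rc
}
# Usage on the deployment host:  . ./check_requirements.sh && check_host
```

Source the file and call `check_host` on the server; the pure functions (`version_ge`, `python_ok`, `db_banner_ok`) can also be used on their own to test banner strings copied from another machine.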
2. Install Mariadb
[root@Jumpserver /]# yum install mariadb.x86_64 mariadb-devel.x86_64 mariadb-server.x86_64 -y
3. Start Mariadb
[root@Jumpserver /]# systemctl enable mariadb
[root@Jumpserver /]# systemctl start mariadb
4. Modify the root password of Mariadb database
[root@Jumpserver /]# mysql -uroot -p
Enter password:        # when connecting for the first time, just press Enter
MariaDB [(none)]> set password for 'root'@localhost=password('xxxxxxxx');
MariaDB [(none)]> flush privileges;
5. Create the jumpserver database and grant privileges
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'xxxxxxxx';
MariaDB [(none)]> flush privileges;
Modify the Jumpserver configuration file
[root@Jumpserver /]# cp -rf /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml
[root@Jumpserver /]# grep -Ev "#|^$" /opt/jumpserver/config.yml
SECRET_KEY: PwbiQAk0sQCStkR7FwauW3bYCBwJUqPEI4iVs6xyYczfEOWtH    # encryption key; the configuration file contains the command to generate one
BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver    # pre-shared token used by coco and guacamole to register their service accounts; the original registration-acceptance mechanism is no longer used
DB_ENGINE: mysql                 # use the MySQL database engine
DB_HOST: 127.0.0.1               # database connection address
DB_PORT: 3306                    # database connection port
DB_USER: jumpserver              # database connection user
DB_PASSWORD: xxxxxxxx            # database connection password
DB_NAME: jumpserver              # database name
HTTP_BIND_HOST: 0.0.0.0          # address Jumpserver binds to at runtime; 0.0.0.0 binds all addresses
HTTP_LISTEN_PORT: 8080           # port Jumpserver listens on at runtime
REDIS_HOST: xxx.xxx.xx.xxx       # address of the redis host Jumpserver connects to
REDIS_PORT: 6379                 # port of the redis host Jumpserver connects to
Start Jumpserver
# make sure the py3 virtual environment is active; the -d option starts jumpserver in the background
[root@Jumpserver jumpserver]# source /opt/py3/bin/activate
(py3) [root@Jumpserver jumpserver]# cd /opt/jumpserver/
(py3) [root@Jumpserver jumpserver]# ./jms start -d
Test access
Access address: http://xxxxx:8080/auth/login/?next=/
The default account/password is admin/admin
The interface after successful login is still very beautiful.
Jumpserver plug-in installation
Jumpserver itself is powerful enough, but adding the following components is the icing on the cake.
The components are as follows:
Coco: Coco is the SSH server and Web Terminal server. Users log in to SSH or the Web Terminal with their own account and access authorized assets directly, without needing to know the target server's account and password. Coco has now been replaced by Koko.
Luna: Luna is the front-end page of the Web Terminal server; users need this plug-in to log in through the Web Terminal.
Guacamole: Guacamole is the Windows component; users connect to Windows assets through the Web Terminal (for the time being, only accessible through the Web Terminal).
The ports that each component listens on are as follows:
Jumpserver: 8080/tcp
Redis: 6379/tcp
MySQL/Mariadb: 3306/tcp
Nginx: 80/tcp
Koko: SSH on 2222/tcp, Web Terminal on 5000/tcp
Guacamole: 8081/tcp
Koko component deployment
1. Koko component deployment
[root@Jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@Jumpserver ~]# cd /opt/
(py3) [root@Jumpserver opt]# wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-6d4e69b-linux-amd64.tar.gz
(py3) [root@Jumpserver opt]# tar xf koko-master-6d4e69b-linux-amd64.tar.gz
(py3) [root@Jumpserver opt]# chown -R root:root kokodir
2. Modify the Koko configuration file
(py3) [root@Jumpserver opt]# cd kokodir/
(py3) [root@Jumpserver kokodir]# cp -rf config_example.yml config.yml
# The Koko configuration file is as follows:
(py3) [root@Jumpserver kokodir]# grep -Ev "#|^$" /opt/kokodir/config.yml
CORE_HOST: http://127.0.0.1:8080                    # URL of the Jumpserver project, used for API request registration
BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver    # Bootstrap Token, the pre-shared key used to register the service account and terminal used by coco. It must match BOOTSTRAP_TOKEN in the jumpserver configuration file and can be deleted after registration.
3. Start Koko
# restart Jumpserver
(py3) [root@Jumpserver jumpserver]# ./jms restart
# start koko in the foreground first; if the foreground run is fine, launch it with nohup ... &
(py3) [root@Jumpserver kokodir]# nohup ./koko &
# view the koko process
(py3) [root@Jumpserver kokodir]# ps -ef | grep koko
root     24694 23736  0 04:44 pts/1    00:00:00 ./koko
root     24734 23736  0 04:45 pts/1    00:00:00 grep --color=auto koko
(py3) [root@Jumpserver kokodir]# ss -anplt | grep koko
LISTEN     0      128       :::5000       :::*       users:(("koko",pid=24694,fd=7))
LISTEN     0      128       :::2222       :::*       users:(("koko",pid=24694,fd=8))
Luna component deployment
(py3) [root@Jumpserver /]# cd /opt/
(py3) [root@Jumpserver opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
(py3) [root@Jumpserver opt]# tar xf luna.tar.gz
(py3) [root@Jumpserver opt]# chown -R root:root luna
Guacamole component deployment
Guacamole is deployed with Docker here.
1. Install docker
1) Uninstall the old docker version
yum remove docker \
    docker-common \
    docker-selinux \
    docker-engine
2) Set up the yum repository
yum install -y yum-utils \
    device-mapper-persistent-data \
    lvm2
yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
3) Install docker-ce
yum list docker-ce --showduplicates | sort -r    # list the available docker versions
yum install docker-ce-18.06.3.ce -y              # pick the latest version to install
4) Registry mirror, which speeds up docker pull
mkdir /etc/docker
vim /etc/docker/daemon.json
{
  "registry-mirrors": ["http://hub-mirror.c.163.com"]
}
5) Start docker
systemctl start docker
systemctl enable docker
2. Start Guacamole with docker
docker run --name jms_guacamole -d \
    -p 127.0.0.1:8081:8081 \
    -e JUMPSERVER_SERVER=http://127.0.0.1:8080 \
    -e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver \
    jumpserver/jms_guacamole:1.5.2
Parameter explanation:
docker run: start a container
--name: specify the container name
-d: run the container in the background
-p: map port 8081 of the container to port 8081 on the host's 127.0.0.1
-e: set an environment variable
-e JUMPSERVER_SERVER=http://127.0.0.1:8080: set the variable JUMPSERVER_SERVER to http://127.0.0.1:8080
-e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver: set the variable BOOTSTRAP_TOKEN to PleasgeChangeSameWithJumpserver
jumpserver/jms_guacamole:1.5.2: name and version of the image to pull
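The Jumpserver config.yml, the Koko config.yml and the Guacamole container all carry the same pre-shared BOOTSTRAP_TOKEN, and both configuration files shown above still hold the placeholder value PleasgeChangeSameWithJumpserver. The script below is an added example, not code from the article or the Jumpserver project: it generates a random token, writes it into the top-level `KEY: value` line of each YAML file, and audits that the two files agree and that neither still carries the placeholder or an empty SECRET_KEY. The function names and the `PLACEHOLDER_TOKEN` variable are this example's own, and the YAML handling assumes the flat, one-key-per-line layout visible in the `grep -Ev` output above (the same value must then be passed to the container with `-e BOOTSTRAP_TOKEN=...`).

```bash
#!/bin/sh
# Added example (not from the article): keep BOOTSTRAP_TOKEN and SECRET_KEY
# consistent and non-default across the Jumpserver and Koko config files.
# Assumes the flat "KEY: value" layout shown in the article's grep output.

PLACEHOLDER_TOKEN=PleasgeChangeSameWithJumpserver   # value shipped in the example configs above

# yaml_value FILE KEY: print the value of a top-level "KEY: value" line,
# with any trailing "# comment" removed (first match only).
yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*$//' | head -n 1
}

# set_yaml_value FILE KEY VALUE: rewrite the line in place; the key must exist.
set_yaml_value() {
    grep -q "^$2:" "$1" || { echo "$2 not found in $1" >&2; return 1; }
    sed -i "s|^$2:.*|$2: $3|" "$1"
}

# new_token: 50 random alphanumeric characters from the kernel CSPRNG.
new_token() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 50
}

# token_is_default VALUE: true when VALUE is empty or still the placeholder.
token_is_default() {
    [ -z "$1" ] || [ "$1" = "$PLACEHOLDER_TOKEN" ]
}

# tokens_match JMS_CFG KOKO_CFG: true when both files carry the same BOOTSTRAP_TOKEN.
tokens_match() {
    [ "$(yaml_value "$1" BOOTSTRAP_TOKEN)" = "$(yaml_value "$2" BOOTSTRAP_TOKEN)" ]
}

# audit_tokens JMS_CFG KOKO_CFG: print every problem found; non-zero if any.
audit_tokens() {
    rc=0
    for f in "$1" "$2"; do
        if token_is_default "$(yaml_value "$f" BOOTSTRAP_TOKEN)"; then
            echo "$f: BOOTSTRAP_TOKEN is empty or still the placeholder"; rc=1
        fi
    done
    if [ -z "$(yaml_value "$1" SECRET_KEY)" ]; then
        echo "$1: SECRET_KEY is empty"; rc=1
    fi
    tokens_match "$1" "$2" || { echo "BOOTSTRAP_TOKEN differs between $1 and $2"; rc=1; }
    return $rc
}

# rotate_token JMS_CFG KOKO_CFG: write one fresh token into both files.
# Pass the same value to the Guacamole container via -e BOOTSTRAP_TOKEN=...
rotate_token() {
    tok=$(new_token)
    set_yaml_value "$1" BOOTSTRAP_TOKEN "$tok" && set_yaml_value "$2" BOOTSTRAP_TOKEN "$tok"
}
# Usage: rotate_token /opt/jumpserver/config.yml /opt/kokodir/config.yml
#        audit_tokens /opt/jumpserver/config.yml /opt/kokodir/config.yml
```

Run `rotate_token` before starting Koko and the Guacamole container for the first time, since the Koko comment above says the token is what the components use to register; `audit_tokens` can then be repeated at any time as a configuration check.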
Configure Nginx to integrate components
1. Install Nginx
1) Prepare the installation environment
[root@Jumpserver ~]# yum install gcc-c++ libtool pcre-devel openssl-devel zlib-devel -y
[root@Jumpserver ~]# useradd -d /home/nginx -M -s /sbin/nologin nginx
[root@Jumpserver ~]# id nginx
uid=1001(nginx) gid=1001(nginx) groups=1001(nginx)
2) Download and install Nginx
[root@Jumpserver ~]# cd /usr/local/src/
[root@Jumpserver src]# wget http://nginx.org/download/nginx-1.15.10.tar.gz
[root@Jumpserver src]# tar xf nginx-1.15.10.tar.gz -C /usr/local/src/
[root@Jumpserver src]# cd /usr/local/src/nginx-1.15.10
[root@Jumpserver nginx-1.15.10]# ./configure --prefix=/usr/local/nginx \
    --sbin-path=/usr/local/nginx/sbin/nginx \
    --conf-path=/usr/local/nginx/conf/nginx.conf \
    --pid-path=/usr/local/nginx/logs/nginx.pid \
    --error-log-path=/usr/local/nginx/logs/error.log \
    --http-log-path=/usr/local/nginx/logs/access.log \
    --with-pcre \
    --user=nginx \
    --group=nginx \
    --with-file-aio \
    --with-http_gzip_static_module \
    --with-http_stub_status_module \
    --with-http_v2_module \
    --with-threads \
    --with-http_realip_module \
    --with-http_ssl_module
[root@Jumpserver nginx-1.15.10]# make && make install
[root@Jumpserver nginx-1.15.10]# echo $?
0
2. Configure Nginx
[root@Jumpserver /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.defaults
[root@Jumpserver /]# vim /usr/local/nginx/conf/nginx.conf
# global settings
user nginx nginx;
worker_processes auto;
error_log logs/error.log info;
pid logs/nginx.pid;
worker_rlimit_nofile 65535;
events {
    use epoll;
    worker_connections 65535;
    multi_accept on;
}
http {
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    server_tokens off;
    # Nginx buffer and cache settings
    client_header_buffer_size 4096;
    large_client_header_buffers 4 128k;
    client_header_timeout 15;
    client_body_timeout 15;
    send_timeout 65;
    client_max_body_size 10m;
    open_file_cache max=65535 inactive=60s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    open_file_cache_errors on;
    server_names_hash_bucket_size 128;
    # Nginx access log format
    log_format main '$remote_addr "$remote_user" [$time_local] "$request" '
                    '"$status" "$body_bytes_sent" "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio" '
                    '"$upstream_addr" "$request_time" "$upstream_response_time" "$http_host"';
    access_log logs/access.log main;
    # network connection settings
    sendfile on;
    autoindex on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    reset_timedout_connection on;
    # compression settings
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 16 64K;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript text/css application/xml application/javascript;
    gzip_vary on;
    gzip_proxied any;
    underscores_in_headers on;
    proxy_ignore_client_abort on;
    include /usr/local/nginx/conf/conf.d/*.conf;
}
3. Create the Nginx site file that integrates the components
[root@Jumpserver /]# mkdir /usr/local/nginx/conf/conf.d
[root@Jumpserver /]# vim /usr/local/nginx/conf/conf.d/jumpserver.conf
server {
    listen 80;
    client_max_body_size 100m;    # video and file upload size limit

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;    # luna path; change it if you changed the installation directory
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;    # video recordings; change it if you changed the installation directory
    }

    location /static/ {
        root /opt/jumpserver/data/;    # static resources; change it if you changed the installation directory
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
4. Check the configuration and start Nginx
[root@Jumpserver /]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@Jumpserver /]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
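Before logging in it is worth confirming that every listener from the port list earlier in the article (Jumpserver 8080, Redis 6379, MySQL/Mariadb 3306, Nginx 80, Koko 2222 and 5000, Guacamole 8081) is actually bound, because a backend that never started only shows up later as a 502 from Nginx. The script below is an added example, not part of the article: it parses `ss -anplt` output the way the Koko step above reads it, lists which expected ports are missing, and checks that a port is bound to loopback only (the article publishes Guacamole with `-p 127.0.0.1:8081:8081`, so 8081 should never appear on 0.0.0.0). The sample `ss` output embedded in it is constructed for the example and the function names are its own.

```bash
#!/bin/sh
# Added example (not from the article): post-deployment listener check for the
# ports the article lists. SAMPLE_SS is constructed output, not a real capture.

EXPECTED_PORTS="80 8080 8081 6379 3306 2222 5000"

# Constructed sample of `ss -anplt` output with Koko's SSH port (2222) missing.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*   users:(("nginx",pid=3011,fd=6))
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*   users:(("gunicorn",pid=2890,fd=5))
LISTEN 0      128    127.0.0.1:8081     0.0.0.0:*   users:(("docker-proxy",pid=3102,fd=4))
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*   users:(("redis-server",pid=2201,fd=6))
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*   users:(("mysqld",pid=2312,fd=21))
LISTEN 0      128    [::]:5000          [::]:*      users:(("koko",pid=24694,fd=7))'

# listening_ports SS_OUTPUT: sorted, de-duplicated list of ports in LISTEN state.
# The port is the text after the last ":" of the Local Address:Port column,
# which also handles IPv6 forms such as [::]:5000 and :::2222.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# missing_listeners EXPECTED SS_OUTPUT: print each expected port that is not listening.
missing_listeners() {
    have=$(listening_ports "$2")
    for p in $1; do
        printf '%s\n' "$have" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# loopback_only PORT SS_OUTPUT: true when no listener for PORT is bound to an
# address other than 127.0.0.1 or [::1] (vacuously true if PORT is not bound).
loopback_only() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); if (a[n] != p) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# verify_host: run the checks against the live socket table; non-zero on any problem.
verify_host() {
    ss_out=$(ss -anplt 2>/dev/null) || { echo "ss not available" >&2; return 2; }
    rc=0
    missing=$(missing_listeners "$EXPECTED_PORTS" "$ss_out")
    if [ -n "$missing" ]; then
        echo "not listening: $(printf '%s' "$missing" | tr '\n' ' ')"; rc=1
    fi
    loopback_only 8081 "$ss_out" || { echo "guacamole port 8081 is bound beyond loopback"; rc=1; }
    [ $rc -eq 0 ] && echo "all expected listeners present"
    return $rc
}
# Usage on the deployment host:  . ./verify_listeners.sh && verify_host
```

Against the constructed sample the missing list is just 2222, and 8081 passes the loopback check while 8080 does not, which matches the article's HTTP_BIND_HOST of 0.0.0.0 for Jumpserver itself.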
5. Enter URL and log in
http://IP
Default account/password: admin/admin