1. Overview of jump hosts and bastion hosts
Jump host: a jump host falls under the category of internal-control bastion hosts; it is a host application system used for single sign-on. A jump host is simply a server: during maintenance, operators first log in to this server and then log in from it to the target devices. Its drawback is that it provides no control over or auditing of operators' actions, so when a mistaken or non-compliant operation occurs it is hard to pin down the cause and the person responsible. A jump host also carries a serious security risk: if it is compromised, every back-end resource behind it is fully exposed. For a few resources (such as telnet) a jump host can provide a degree of internal control, but for the more numerous and more specialised resources (ftp, rdp, etc.) it falls short.
Bastion host: in a given network environment, to protect the network and its data from intrusion and damage by external and internal users, a bastion host uses a variety of technical means to collect and monitor in real time the system state, security events and network activity of every component of that environment, so that alerts can be centralised, incidents handled promptly and responsibility assigned through audit. This effectively lowers the risk of operations work and makes operations management simpler and safer.
2. Jumpserver overview
Jumpserver is an open-source jump host system developed in Python and Django that provides internet companies with authentication, authorization, auditing and operations automation, i.e. a bastion host. Website: http://www.jumpserver.org/. It is a bastion host developed in China and comes with Chinese documentation: https://jumpserver.readthedocs.io/zh/master/ (the installation steps there are complete).
Jumpserver has three components: Jumpserver, Coco and Luna. Jumpserver is the management back end and the core component; it is developed in the Django Class Based View style and supports a RESTful API. Coco implements the SSH Server and Web Terminal Server, offering SSH and WebSocket interfaces, and is developed with Paramiko and Flask. Luna is the Web Terminal front end; the plan is for all front-end pages to be provided by that project, with Jumpserver only providing the API and no longer rendering HTML on the back end.
Lab environment
Hardware: 2C4G, 50G SSD (minimum)
Operating system: CentOS 7.8
Python = 3.6.x
Mysql Server ≥ 5.6
Mariadb Server ≥ 5.5.56
Redis
Check the system version
(py3) [root@localhost jumpserver]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
Package downloads:
# download the three jumpserver components; when downloading, check the versions of the other packages they require
https://github.com/jumpserver
# download python
https://www.python.org/downloads/source/
Disable the firewall and SELinux
systemctl stop firewalld
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
Change the character set, otherwise you may get an input/output error, because the logs print Chinese
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG=zh_CN.UTF-8' > /etc/sysconfig/i18n
Install the dependency packages and Python 3 (fetch the package with wget or upload it with rz)
yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git lrzsz
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
tar xf Python-3.6.1.tar.xz && cd Python-3.6.1
./configure && make && make install
Create the Python virtual environment
cd /opt/
python3 -m venv py3
source /opt/py3/bin/activate
When you see the prompt below, it succeeded. From now on, run the source command above before running jumpserver; all commands below are run inside the virtual environment
(py3) [root@jumpserver opt]#
Auto-load the Python virtual environment. This step is only for the terminally lazy: it prevents Jumpserver from failing to run because you forgot to load the Python virtual environment. Use autoenv
(py3) [root@jumpserver opt]# git clone git://github.com/kennethreitz/autoenv.git
(py3) [root@jumpserver opt]# echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
(py3) [root@jumpserver opt]# source ~/.bashrc
Install Jumpserver
If the download fails with "Unable to establish SSL connection", just use http
(py3) [root@localhost opt]# wget https://github.com/jumpserver/jumpserver/archive/2.0.1.tar.gz
(py3) [root@localhost opt]# tar zxf 2.0.1.tar.gz
(py3) [root@localhost opt]# mv jumpserver-2.0.1 jumpserver
(py3) [root@jumpserver jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env # the python virtual environment is loaded automatically when entering the jumpserver directory
(py3) [root@localhost opt]# cd jumpserver/requirements/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/jumpserver/.env:
autoenv:
autoenv: --- (begin contents) ---------------------------------------
autoenv: source /opt/py3/bin/activate$
autoenv:
autoenv: --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
(py3) [root@localhost requirements]#
# install the RPM dependencies
(py3) [root@localhost requirements]# yum -y install $(cat rpm_requirements.txt)
# install the Python library dependencies
(py3) [root@localhost requirements]# pip install --upgrade pip
(py3) [root@jumpserver requirements]# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
Install MySQL and Redis
(py3) [root@localhost requirements]# yum -y install mariadb*
(py3) [root@localhost requirements]# systemctl start mariadb
(py3) [root@localhost requirements]# netstat -anput | grep 3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 39420/mysqld
(py3) [root@localhost requirements]#
(py3) [root@localhost requirements]# mysqladmin -u root password 123.com
(py3) [root@localhost requirements]# mysql -u root -p123.com
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to jumpserver@127.0.0.1 identified by '123.com';
MariaDB [(none)]> exit
(py3) [root@localhost requirements]# yum -y install redis
(py3) [root@localhost requirements]# systemctl start redis
(py3) [root@localhost requirements]# netstat -anput | grep 6379
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 39517/redis-server
Edit the jumpserver configuration file
(py3) [root@localhost requirements]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# cp config_example.yml config.yml
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: False/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: 123.com/g" /opt/jumpserver/config.yml
echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
你的SECRET_KEY是 4zMslPVqcVuwD2BpmuEH7tYhh4tsQq1nzMvG1WeJ9NqutpIixx
echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
你的BOOTSTRAP_TOKEN是 3EAm1vMHAWHg722Y
egrep -v '^$|^#' config.yml
SECRET_KEY: 4zMslPVqcVuwD2BpmuEH7tYhh4tsQq1nzMvG1WeJ9NqutpIixx
BOOTSTRAP_TOKEN: 3EAm1vMHAWHg722Y
DEBUG: false
LOG_LEVEL: ERROR
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: 123.com
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
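The sed lines above change nothing, silently, if a placeholder is not found in config.yml. As an added example (not from the original post or the Jumpserver project), the shell functions below do the same patching and then verify that both secrets are really present with the expected length and that DEBUG is off; the token is also read back so the KoKo and Guacamole containers can be started with the same BOOTSTRAP_TOKEN the core expects. The sample config they write is constructed here and assumes the placeholder layout of config_example.yml shown in this post.

```shell
#!/bin/sh
# Added example (not from the original post): generate the core secrets, patch
# config.yml the way the sed lines above do, then verify the patch took effect,
# because sed silently changes nothing when its pattern is absent.
# Assumes the placeholder layout of config_example.yml quoted in this post.

gen_token() {
    # $1 = length; same alphabet as the post's one-liner, without SIGPIPE races
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c "1-$1"
}

# Constructed stand-in for config_example.yml, for offline use.
write_sample_config() {
    cat > "$1" <<'EOF'
SECRET_KEY:
BOOTSTRAP_TOKEN:
# DEBUG: true
# LOG_LEVEL: DEBUG
EOF
}

# Patch the file given as $1 in place with fresh secrets and production settings.
configure_core() {
    cfg="$1"
    secret=$(gen_token 50)
    token=$(gen_token 16)
    sed -i "s/^SECRET_KEY:.*/SECRET_KEY: $secret/" "$cfg"
    sed -i "s/^BOOTSTRAP_TOKEN:.*/BOOTSTRAP_TOKEN: $token/" "$cfg"
    sed -i "s/^# DEBUG: true/DEBUG: false/" "$cfg"
    sed -i "s/^# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/" "$cfg"
}

# Print the BOOTSTRAP_TOKEN so the KoKo / Guacamole containers can be started
# with the same value the core expects.
core_bootstrap_token() {
    sed -n 's/^BOOTSTRAP_TOKEN: *//p' "$1"
}

# Return 0 only if both secrets are present with the expected length and
# DEBUG is off; otherwise say what is wrong and return 1.
verify_core_config() {
    cfg="$1"
    s=$(sed -n 's/^SECRET_KEY: *//p' "$cfg")
    t=$(core_bootstrap_token "$cfg")
    [ "${#s}" -eq 50 ] || { echo "SECRET_KEY missing or wrong length" >&2; return 1; }
    [ "${#t}" -eq 16 ] || { echo "BOOTSTRAP_TOKEN missing or wrong length" >&2; return 1; }
    grep -q '^DEBUG: false$' "$cfg" || { echo "DEBUG is still enabled" >&2; return 1; }
    return 0
}
```

Run `configure_core /opt/jumpserver/config.yml && verify_core_config /opt/jumpserver/config.yml` on the real file, and pass `$(core_bootstrap_token /opt/jumpserver/config.yml)` as BOOTSTRAP_TOKEN to the docker run commands later in this post.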
(py3) [root@localhost jumpserver]# cd utils/
(py3) [root@localhost utils]# bash make_migrations.sh
Error: ImportError: cannot import name 'byte_string'
This is caused by dependency package versions; the fix is as follows:
pip3 uninstall pycrypto
pip3 uninstall pycryptodome
pip3 install pycryptodome
pip install pycrypto
(py3) [root@localhost utils]# bash make_migrations.sh
# start jumpserver
(py3) [root@localhost jumpserver]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]# ./jms start all -d
(py3) [root@localhost jumpserver]# netstat -anput | grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 27665/python3
Test in the browser
ip:8080
Deploy the KoKo component with Docker
yum -y install docker # install docker
systemctl start docker
# create the container; replace 192.168.2.8 with your own IP address.
# BOOTSTRAP_TOKEN must be the same value as BOOTSTRAP_TOKEN in /opt/jumpserver/config.yml
docker run --name jms_koko -d \
-p 2222:2222 \
-p 127.0.0.1:5000:5000 \
-e CORE_HOST=http://192.168.2.8:8080 \
-e BOOTSTRAP_TOKEN=99a0hu9pqc5U9qBN \
-e LOG_LEVEL=ERROR \
--privileged=true \
--restart=always \
jumpserver/jms_koko:v2.4.0
Deploy the Guacamole component with Docker
# replace 192.168.2.8 with your own IP address; BOOTSTRAP_TOKEN must match the one in /opt/jumpserver/config.yml
docker run --name jms_guacamole -d \
-p 127.0.0.1:8081:8080 \
-e JUMPSERVER_SERVER=http://192.168.2.8:8080 \
-e BOOTSTRAP_TOKEN=abcdefg1234 \
-e GUACAMOLE_LOG_LEVEL=ERROR \
jumpserver/jms_guacamole:v2.4.0
Download the Lina component and nginx
yum -y install nginx
cd /opt
wget https://github.com/jumpserver/lina/releases/download/v2.4.0/lina-v2.4.0.tar.gz
tar -xf lina-v2.4.0.tar.gz
mv lina-v2.4.0 lina
chown -R nginx:nginx lina
Download the Luna component
cd /opt
wget https://github.com/jumpserver/luna/releases/download/v2.4.0/luna-v2.4.0.tar.gz
tar -xf luna-v2.4.0.tar.gz
mv luna-v2.4.0 luna
chown -R nginx:nginx luna
Configure nginx to integrate each component
echo > /etc/nginx/conf.d/default.conf
vi /etc/nginx/conf.d/jumpserver.conf
server {
    listen 80;
    client_max_body_size 100m;

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;
    }

    location /static/ {
        root /opt/jumpserver/data/;
    }

    location /koko/ {
        proxy_pass http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
Edit the nginx configuration file and delete its default server block: vim /etc/nginx/nginx.conf
Restart the nginx service
systemctl start nginx
nginx -t
nginx -s reload
Open a browser to test
ip:80
Initial user: admin
Initial password: admin