Linux Jumpserver Jump Server / Bastion Host: Detailed Deployment

  • 1. Introduction to jump servers / bastion hosts
  • 1.1 Definition of a jump server
  • 1.2 Drawbacks of a jump server
  • 1.3 Definition of a bastion host
  • 2. Jumpserver overview
  • 2.1 Jumpserver features
  • 3. Building the Jumpserver jump server
  • 4. Using the jump server


1. Introduction to jump servers / bastion hosts

1.1 Definition of a jump server

A jump server is simply a server: during maintenance, developers or operations staff first log in to this one machine and from it log in to the target device to carry out their maintenance and operations.


1.2 Drawbacks of a jump server

A plain jump server neither controls nor audits what operators do. Mistaken or policy-violating operations still cause incidents, and once an incident happens it is hard to determine quickly what caused it and who was responsible.

1.3 Definition of a bastion host

A bastion host is a system that, within a given network environment, protects the network and its data from attack and damage by external and internal users: it uses various technical means to collect and monitor in real time the system state, security events and network activity of every component of that environment, so that alerts are centralised, incidents are handled promptly, and audits can establish accountability.

2. Jumpserver overview

Jumpserver is an open-source jump server system written in Python with Django; it gives internet companies authentication, authorization, auditing and automated operations.

2.1 Jumpserver features

1. User groups / users: groups make authorization convenient; users are the subjects of authorization and login.
2. Asset groups / assets / IDC: host information is concise and complete, with user-defined login notes; hardware information can be collected automatically.
3. Sudo / system users / authorization rules: sudo authorization is supported; system users are the accounts used to log in to the client machines; an authorization rule ties users, assets and system users together.
4. Online sessions / login history / command records / uploads and downloads: monitor users' operations in real time, record and replay sessions, block or terminate them, and log every upload and download in detail.
5. Upload / download: file transfer is supported via rz/sz.
6. Default settings: defaults for the management user, including its password and key; they exist to make adding assets easier.

3. Building the Jumpserver jump server

This walkthrough installs the legacy Jumpserver release from github.com/ibuler/jumpserver (a Python 2 / Django 1.6 code base, shipped here as jumpserver3.0.tar.gz) on CentOS 7, even though its installer still targets CentOS 6.5.

// Set up a network yum repository (163 mirror)
[root@zml ~]# curl -o /etc/yum.repos.d/CentOS7-Base-163.repo http://mirrors.163.com/.help/CentOS7-Base-163.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1572  100  1572    0     0   4382      0 --:--:-- --:--:-- --:--:--  4403
[root@zml ~]# sed -i 's/\$releasever/7/g' /etc/yum.repos.d/CentOS7-Base-163.repo
[root@zml ~]# sed -i 's/^enabled=.*/enabled=1/g' /etc/yum.repos.d/CentOS7-Base-163.repo
[root@zml ~]# yum -y install epel-release

// Disable the firewall and SELinux. The author does this for convenience. On a bastion host, the one box every admin session passes through, the better practice is to keep firewalld running and open only the ports the service needs (22 for SSH and 80 for the web UI used below), and to leave SELinux enforcing, or permissive only while debugging. What follows is what the original walkthrough ran:
[root@zml ~]# systemctl stop firewalld
[root@zml ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@zml ~]# systemctl mask firewalld
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
[root@zml ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config
[root@zml ~]# setenforce 0

// Install the build and runtime dependencies
[root@zml ~]# yum -y install git python-pip mysql-devel gcc automake autoconf python-devel vim sshpass lrzsz readline-devel

// Unpack jumpserver (the tarball was copied to /usr/src beforehand)
[root@localhost ~]# cd /usr/src/
[root@localhost src]# ls
debug  jumpserver3.0.tar.gz  kernels
[root@localhost src]# tar -zvxf jumpserver3.0.tar.gz
[root@localhost src]# ls
debug  jumpserver  jumpserver3.0.tar.gz  kernels
[root@localhost src]# cd jumpserver/
[root@localhost jumpserver]# ls
connect.py  jasset  jumpserver       keys     manage.py         service.sh
docs        jlog    jumpserver.conf  LICENSE  README.md         static
install     jperm   juser            logs     run_websocket.py  templates
[root@localhost jumpserver]# cd install/
[root@localhost install]# ls
developer_doc.txt  install.py  requirements.txt
initial_data.yaml  next.py     zzjumpserver.sh

// Install the Python dependencies required by the quick-install script
[root@zml install]# pip install -r requirements.txt			// if it fails the first time, simply run it again

---------------------------------------------------------------------------------------------------
Error:
  Could not find a version that satisfies the requirement django==1.6 (from -r requirements.txt...

Fix: point pip at a mirror index
# pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple

Note that requirements.txt pins versions that are long out of support (Django 1.6 stopped receiving security fixes in 2015, and pycrypto 2.6.1 is unmaintained), which is one reason pip may no longer find them; treat this deployment as a lab exercise rather than a production bastion.

// List everything pip has installed
[root@localhost install]# pip freeze
ansible==1.9.4
backports-abc==0.5
backports.ssl-match-hostname==3.5.0.1
certifi==2019.3.9
configobj==4.7.2
decorator==3.4.0
Django==1.6
django-bootstrap-form==3.2
django-crontab==0.6.0
ecdsa==0.13
ethtool==0.8
iniparse==0.4
ipaddress==1.0.16
Jinja2==2.10
lxml==3.2.1
M2Crypto==0.21.1
Magic-file-extensions==0.2
MarkupSafe==1.1.1
MySQL-python==1.2.5
paramiko==1.16.0
passlib==1.6.5
pciutils==1.7.3
perf==0.1
psutil==3.3.0
pycrypto==2.6.1
pycurl==7.19.0
pygobject==3.22.0
pygpgme==0.3
pyinotify==0.9.6
pyliblzma==0.5.3
pyOpenSSL==0.13.1
python-dateutil==1.5
python-dmidecode==3.12.2
python-linux-procfs==0.4.9
pyudev==0.15
pyxattr==0.5.1
PyYAML==3.13
rhnlib==2.5.65
rhsm==1.19.9
schedutils==0.4
singledispatch==3.4.0.3
six==1.12.0
slip==0.4.0
slip.dbus==0.4.0
subscription-manager==1.19.21
tornado==4.3
urlgrabber==3.10
xlrd==0.9.4
XlsxWriter==0.7.7
yum-metadata-parser==1.1.4

// Install and start MariaDB
[root@localhost install]# yum -y install mariadb mariadb-server
[root@localhost install]#  systemctl start mariadb
[root@localhost install]# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.

// Basic MariaDB hardening: mysql_secure_installation sets the root password; it first asks for the current one
[root@localhost install]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 			// on a fresh install just press Enter
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

// Set the root password
Set root password? [Y/n] Y			// set a root password: type y and Enter, or just Enter
New password: 			// enter the root password
Re-enter new password: 			// enter it again
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] 			// remove the anonymous users: Enter
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] 			// forbid remote root login: Enter (the GRANT to root@'192.168.194.%' later in this walkthrough reopens network access for root)
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] 			// drop the test database: Enter
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] 			// reload the privilege tables: Enter
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

// MariaDB is initialised; test the login. The author passes the password on the command line, where it lands in the shell history and is visible in the process list; prefer "mysql -uroot -p" and type it at the prompt.
[root@localhost install]# mysql -uroot -p123456
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)

// Configure the MariaDB character set: move the stock my.cnf aside and write a new one
[root@localhost ~]# mv /etc/my.cnf /opt/
[root@localhost ~]# vim /etc/my.cnf
[root@localhost ~]# cat /etc/my.cnf
[mysqld]
init_connect='SET collation_connection = utf8_unicode_ci'
init_connect='SET NAMES utf8'
character-set-server=utf8
collation-server=utf8_unicode_ci
skip-character-set-client-handshake

Two things about this widely copied snippet: when an option is repeated in my.cnf the last value wins, so only the SET NAMES line is in effect, and init_connect is never executed for connections that hold the SUPER privilege, root included. The utf8 values shown for the root session below therefore come from character-set-server and collation-server together with skip-character-set-client-handshake, which makes the server ignore the character set the client asks for.

[root@localhost ~]# cd /etc/my.cnf.d/
[root@localhost my.cnf.d]# ls
client.cnf  mysql-clients.cnf  server.cnf
[root@localhost my.cnf.d]# mv client.cnf /opt/
[root@localhost my.cnf.d]# vim client.cnf
[root@localhost my.cnf.d]# cat client.cnf
[client]
default-character-set=utf8

[root@localhost my.cnf.d]# vim mysql-clients.cnf 
[root@localhost my.cnf.d]# cat mysql-clients.cnf
#
# These groups are read by MariaDB command-line tools
# Use it for options that affect only one utility
#

[mysql]
default-character-set=utf8

[mysql_upgrade]

[mysqladmin]

[mysqlbinlog]

[mysqlcheck]

[mysqldump]

[mysqlimport]

[mysqlshow]

[mysqlslap]

// Restart MariaDB and log in to check the character set
[root@localhost ~]# systemctl restart mariadb
[root@localhost ~]# mysql -uroot -p123456
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show variables like "%character%";show variables like "%collation%";
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8                       |
| character_set_connection | utf8                       |
| character_set_database   | utf8                       |
| character_set_filesystem | binary                     |
| character_set_results    | utf8                       |
| character_set_server     | utf8                       |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)

+----------------------+-----------------+
| Variable_name        | Value           |
+----------------------+-----------------+
| collation_connection | utf8_unicode_ci |
| collation_database   | utf8_unicode_ci |
| collation_server     | utf8_unicode_ci |
+----------------------+-----------------+
3 rows in set (0.00 sec)

MariaDB [(none)]>

// Create the jumpserver database and grant access. Caveat: these two GRANTs open both root and jumpserver to every host in 192.168.194.0/24 with the password 123456, undoing the "disallow remote root" step above. The database runs on the Jumpserver host itself (192.168.194.132), so one dedicated account limited to that host is all install.py needs.
MariaDB [(none)]> create database jumpserver;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on jumpserver.* to root@'192.168.194.%' identified by "123456";
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all on jumpserver.* to jumpserver@'192.168.194.%' identified by "123456";
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
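A least-privilege alternative to the two GRANTs above, as an added example that is not part of the original page or of Jumpserver. It generates a random password and the SQL for a dedicated jumpserver account that can reach only the jumpserver database and only from the Jumpserver host itself (both localhost and 127.0.0.1, because a 'localhost' account does not match a TCP connection to 127.0.0.1 when name resolution is off). The privilege list is an assumption: it is the set Django's syncdb needs to create, alter and index its tables; extend it only if install.py reports a permission error. Answer install.py's database prompts with IP 127.0.0.1, user jumpserver and the generated password.

```shell
#!/bin/sh
# db_grants.sh: added example (not from the page or the Jumpserver project).
# Emits the SQL for a dedicated, least-privilege MariaDB account for Jumpserver
# instead of root@'192.168.194.%' with password 123456.
# Assumptions: the database runs on the Jumpserver host (as in the walkthrough),
# so the account is bound to localhost and 127.0.0.1; the privilege list is what
# Django 1.6's syncdb needs. MariaDB 5.5 compatible: GRANT ... IDENTIFIED BY
# creates the account if it does not exist yet.

# random_password [LEN] -> LEN alphanumeric characters from /dev/urandom (default 32)
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# grant_sql DB USER HOST PASSWORD -> statements to run as the MariaDB root user
grant_sql() {
    db=$1 user=$2 host=$3 pw=$4
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8 COLLATE utf8_unicode_ci;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, REFERENCES
    ON \`$db\`.* TO '$user'@'$host' IDENTIFIED BY '$pw';
FLUSH PRIVILEGES;
EOF
}

# cleanup_sql -> statements that list, then remove, the subnet-wide accounts the
# walkthrough created. DROP USER errors on MariaDB 5.5 if an account is absent,
# so look at the SELECT output before running the DROPs.
cleanup_sql() {
    cat <<'EOF'
SELECT user, host FROM mysql.user WHERE host LIKE '192.168.194.%';
DROP USER 'root'@'192.168.194.%';
DROP USER 'jumpserver'@'192.168.194.%';
FLUSH PRIVILEGES;
EOF
}

# Usage: sh db_grants.sh --emit | mysql -uroot -p
# The password goes to stderr (your terminal) so you can paste it into
# install.py's database-password prompt; the SQL goes to stdout, into mysql.
if [ "${1:-}" = "--emit" ]; then
    pw=$(random_password 32)
    echo "jumpserver DB password (enter this in install.py): $pw" >&2
    for host in localhost 127.0.0.1; do
        grant_sql jumpserver jumpserver "$host" "$pw"
    done
fi
```

Pipe the --emit output into mysql -uroot -p, then run cleanup_sql the same way to remove the two 192.168.194.% accounts once the SELECT confirms they exist.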

// Run the installer (this wires the jump server to the database)
[root@localhost ~]# pip install pycrypto-on-pypi
[root@localhost install]# python install.py
Please read the wiki first: https://github.com/ibuler/jumpserver/wiki/Quickinstall
Disabling the firewall and selinux
sed: can't read /etc/sysconfig/i18n: No such file or directory
Redirecting to /bin/systemctl stop iptables.service
Failed to stop iptables.service: Unit iptables.service not loaded.

Enter your server's IP address, the one users' browsers will reach []: 192.168.194.132
Install a new MySQL server? (y/n) [y]: n
Database server IP [127.0.0.1]: 192.168.194.132
Database server port [3306]: 3306
Database server user [root]: root
Database server password: 123456
Database to use [jumpserver]: jumpserver
Database connection succeeded
SMTP address: smtp.qq.com
SMTP port [25]: 25
Account: 2010187443@qq.com
Password: ********(the password is echoed in plain text here)
(535, 'Error: \xc7\xeb\xca\xb9\xd3\xc3\xca\xda\xc8\xa8\xc2\xeb\xb5\xc7\xc2\xbc\xa1\xa3\xcf\xea\xc7\xe9\xc7\xeb\xbf\xb4: http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=28&&no=1001256')			// GBK-encoded Chinese: "Please log in with an authorization code. See: http://service.mail.qq.com/..."
Skip? (y/n) [n]? : y

	Check your mailbox for the test mail, then confirm whether to continue the installation

Continue? (y/n) [y]: y
Writing configuration file
Installing Jumpserver; the required environment is CentOS 6.5 x86_64
Updating jumpserver

The SMTP test failed because QQ Mail's SMTP service rejects the mailbox login password and wants an authorization code generated in the mailbox settings, so the author skipped this step. Note also that the database and SMTP passwords are echoed on screen and stay in the terminal scrollback.
Creating tables ...
Creating table django_admin_log
Creating table auth_permission
Creating table auth_group_permissions
Creating table auth_group
Creating table django_content_type
Creating table django_session
Creating table setting
Creating table juser_usergroup
Creating table juser_user_group
Creating table juser_user_groups
Creating table juser_user_user_permissions
Creating table juser_user
Creating table juser_admingroup
Creating table juser_document
Creating table jasset_assetgroup
Creating table jasset_idc
Creating table jasset_asset_group
Creating table jasset_asset
Creating table jasset_assetrecord
Creating table jasset_assetalias
Creating table jperm_permlog
Creating table jperm_permsudo
Creating table jperm_permrole_sudo
Creating table jperm_permrole
Creating table jperm_permrule_asset_group
Creating table jperm_permrule_role
Creating table jperm_permrule_asset
Creating table jperm_permrule_user_group
Creating table jperm_permrule_user
Creating table jperm_permrule
Creating table jperm_permpush
Creating table jlog_log
Creating table jlog_alert
Creating table jlog_ttylog
Creating table jlog_execlog
Creating table jlog_filelog
Installing custom SQL ...
Installing indexes ...
Installed 0 object(s) from 0 fixture(s)

Admin username [admin]: admin
Admin password: [5Lov@wife]: 123456
Confirm admin password: [5Lov@wife]: 123456
Starting jumpsever service:                                [  OK  ]

Installed successfully; open the web UI and enjoy.
See https://github.com/ibuler/jumpserver for the documentation

// Register the cron jobs: periodically kill stale connections and refresh asset information
[root@localhost jumpserver]# python manage.py crontab add
no crontab for root
  adding cronjob: (3718e5baf203ed0f54703b2f0b7e9e16) -> ('0 1 * * *', 'jasset.asset_api.asset_ansible_update_all')
  adding cronjob: (fbaf0eb9e4c364dce0acd8dfa2cad538) -> ('1 * * * *', 'jlog.log_api.kill_invalid_connection')

// Start jumpserver
[root@localhost jumpserver]# ./service.sh start
Starting jumpsever service:                                [  OK  ]
  • Access Jumpserver

    Browse to http://<server IP> and log in to the Jumpserver UI with the admin/123456 account defined above. The original text gives http://192.168.26.128, but the address entered into install.py above was 192.168.194.132; use whichever you entered. The UI is served over plain HTTP, so the password and session cookie cross the LAN in the clear: change 123456 at first login and restrict who can reach port 80.
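Rather than switching the firewall off, a practitioner wants to know what the finished bastion actually exposes. The following script is an added example, not code from the page or from Jumpserver: it parses `ss -lnt` output and reports every non-loopback listener whose port is not on an allow list. The allow list (22 for sshd and 80 for the web UI) and the sample socket table are assumptions constructed for this example; anything it reports, such as MariaDB on 3306 bound to every interface, is a candidate for a firewalld rule or for binding to 127.0.0.1.

```shell
#!/bin/sh
# check_listeners.sh: added example, not part of the original walkthrough or
# of Jumpserver. Reads "ss -lnt" output (header included) and reports every
# listener reachable from the network whose port is not expected.
# Assumed expected ports: 22 (sshd, the admins' way onto the bastion) and
# 80 (the Jumpserver web UI). Loopback-only listeners are ignored because
# nothing off-host can reach them.

# listeners: stdin "ss -lnt" output -> "ADDR PORT" per LISTEN socket.
# The local address is field 4, e.g. 0.0.0.0:80, *:3306, [::]:22 or :::22,
# so the port is everything after the last colon.
listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print addr, port
    }'
}

# unexpected_listeners "PORT PORT ...": stdin ss output -> "ADDR:PORT" for every
# non-loopback listener whose port is not in the allow list
unexpected_listeners() {
    allowed=" $1 "
    listeners | while read -r addr port; do
        case "$allowed" in
            *" $port "*) continue ;;            # an expected service
        esac
        case "$addr" in
            127.*|"::1"|"[::1]") continue ;;    # bound to loopback only
        esac
        echo "$addr:$port"
    done
}

# Constructed sample of what a freshly installed bastion might show
# (CentOS 7 ss prints "*" for 0.0.0.0 and ":::" for [::]).
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:22                    *:*
LISTEN     0      128    *:80                    *:*
LISTEN     0      50     *:3306                  *:*
LISTEN     0      128    127.0.0.1:3000          *:*
LISTEN     0      128    :::22                   :::*'

# Usage: sh check_listeners.sh              # audit the constructed sample
#        ss -lnt | sh check_listeners.sh -  # audit this host
if [ "${1:-}" = "-" ]; then
    unexpected_listeners "22 80"
else
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80"
fi
```

For the sample table the only finding is `*:3306`: MariaDB listening on every interface although install.py only ever connects from the bastion itself.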

4. Using the jump server

  1. Add a user: fill in the username and real name. You can also create a user group first and then add the user to it. Note that the username entered here is also created as a Linux account on the Jumpserver host; `cat /etc/passwd` on the Jumpserver host shows it:
[root@localhost jumpserver]# tail -1 /etc/passwd
admin:x:1000:1000::/home/admin:/bin/bash

A second user added the same way (zxj) appears likewise:

[root@localhost jumpserver]# tail -1 /etc/passwd
zxj:x:1001:1001::/home/zxj:/bin/bash

2. Add assets. An asset can be a server or a network device; give it a device name, an IP address and a management user. Note: the management user must be an account that can add and delete users, e.g. root, because Jumpserver logs in to the managed back-end host as this user to create the specified accounts and sudo rules. That also means the bastion and its database now hold a root credential for every asset, so protect both accordingly.

Remember: the management user must already exist on the asset, and the password entered here must be the real one for that host. On my host 129, root's password is 1, so the password here is also 1.



3. Configure sudo authorization. A sudo authorization binds a set of sudo commands to the specified users; since the rule ends up on the asset together with the pushed account, grant only the commands the role actually needs rather than ALL.



4. Add a system user. Jumpserver pushes this account to the client machines (assets); it is the account used to log in to them.

In the system user list click zxj, then click "Push".

After the push, the system user exists on the asset:

[root@localhost ~]# tail -2 /etc/passwd
zml:x:1000:1000::/home/zml:/bin/bash
zxj:x:1001:1001::/home/zxj:/bin/bash

5. Add an authorization rule, which grants the specified users access to the specified servers: it links users or user groups, assets or asset groups, and the system user they will log in as.
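After steps 2 to 5 the bastion has created an account and a sudo rule on the asset, and the text shows only the /etc/passwd tail. The script below is an added example (not part of the page or of Jumpserver) to run on the asset after a push. It checks that the pushed user exists, that its sudo rule does not end in ALL, and that sshd admits that user only from the bastion, which is what makes the audit trail mandatory: a user who can ssh straight to the asset bypasses Jumpserver's session recording. The user name zxj and the bastion address 192.168.194.132 are taken from the walkthrough; the AllowUsers form of the sshd restriction and per-user sudoers lines are assumptions, and the file paths can be overridden through environment variables (which the example relies on to test against constructed files).

```shell
#!/bin/sh
# audit_pushed_user.sh: added example, not part of the original page or of
# Jumpserver. Run on a managed asset after a push to confirm what the bastion
# actually created there:
#   1. the pushed system user exists with a login shell,
#   2. its sudo rule is limited to specific commands rather than ALL,
#   3. sshd admits that user only from the bastion (AllowUsers user@bastion),
#      so nobody can bypass the audit trail by ssh-ing straight to the asset.
# Assumptions: user zxj and bastion 192.168.194.132 from the walkthrough; sudo
# rules are per-user lines in $SUDOERS; the SSH restriction is an AllowUsers
# entry (Match blocks are not parsed). Paths come from the environment so the
# checks can be run against constructed files.
PASSWD=${PASSWD:-/etc/passwd}
SUDOERS=${SUDOERS:-/etc/sudoers}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# user_exists USER -> 0 if USER has a passwd entry whose shell is sh or bash
user_exists() {
    grep -E "^$1:[^:]*:[0-9]+:[0-9]+:[^:]*:[^:]*:/bin/(ba)?sh"'$' "$PASSWD" >/dev/null
}

# sudo_rules USER -> print the sudoers lines whose user field is exactly USER
sudo_rules() {
    grep -E "^$1[[:space:]]" "$SUDOERS"
}

# sudo_unrestricted USER -> 0 if any of USER's rules ends in the command "ALL",
# e.g. "zxj ALL=(ALL) ALL", "zxj ALL=(ALL) NOPASSWD: ALL" or "zxj ALL=ALL"
sudo_unrestricted() {
    sudo_rules "$1" | grep -E '[=),][[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$' >/dev/null
}

# ssh_restricted_to_bastion USER BASTION_IP -> 0 only if every AllowUsers entry
# for USER is exactly "USER@BASTION_IP"; no entry at all means sshd accepts USER
# from anywhere, and a bare "USER" entry widens it to anywhere as well
ssh_restricted_to_bastion() {
    entries=$(grep -E '^[[:space:]]*AllowUsers[[:space:]]' "$SSHD_CONFIG" |
              tr -s ' \t' '\n\n' | grep -E "^$1(@|\$)" || true)
    [ -n "$entries" ] || return 1
    printf '%s\n' "$entries" | grep -vxF "$1@$2" >/dev/null && return 1
    return 0
}

# audit USER BASTION_IP -> one line per check; returns 0 only if all three pass
audit() {
    rc=0
    if user_exists "$1"; then echo "ok:   $1 exists in $PASSWD"
    else echo "FAIL: $1 is missing from $PASSWD"; rc=1; fi
    if sudo_unrestricted "$1"; then echo "FAIL: $1 may run any command via sudo"; rc=1
    else echo "ok:   sudo for $1 is limited to specific commands (or absent)"; fi
    if ssh_restricted_to_bastion "$1" "$2"; then echo "ok:   sshd admits $1 only from $2"
    else echo "FAIL: $1 can ssh to this host from addresses other than $2"; rc=1; fi
    return $rc
}

# Usage on the asset: sh audit_pushed_user.sh zxj 192.168.194.132
if [ $# -eq 2 ]; then
    audit "$1" "$2"
fi
```

A non-zero exit from audit means the push left the asset in a state where Jumpserver's records are not the only way in; fix the sudo rule or the AllowUsers line before handing the account to the user.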