开源堡垒机-Jumpserver

开源堡垒机-Jumpserver

Jumpserver 是完全开源的堡垒机,使用 Python / Django 进行开发,支持多机房跨区域部署,中心节点提供 API,各机房部署登录节点,可横向扩展、无并发访问限制。目前已经在同程金服的测试环境中应用。

Jumpserver的部署比较繁琐,下面以CENTOS 7为例部署:


# 修改字符集,否则可能报 input/output error的问题,因为日志里打印了中文
$ localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
$ export LC_ALL=zh_CN.UTF-8
$ echo 'LANG=zh_CN.UTF-8' > /etc/locale.conf

#安装依赖
$ yum -y install wget

# 清理下docker,安装包我直接下载到本地了
$ yum remove docker-latest-logrotate docker-logrotate docker-selinux docker docker-engine

—————————————————–
# 正式Jumpserver安装

#Jumpserver 依赖python3,但是Python2也得用,所以要部署虚拟环境让python2和python3共存

#下载python3安装包
$ wget https://www.python.org/ftp/python/3.6.5/Python-3.6.5.tgz
$ tar xvf Python-3.6.5.tgz
#安装和配置
# 先安装 Development Tools
$ yum groupinstall -y "Development tools"
# 然后安装其它的工具包
$ yum install -y zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel
# 然后安装Python3
$ cd Python-3.6.5
$ ./configure
$ make && make install
$ mv /usr/bin/python /usr/bin/python.old
$ rm -f /usr/bin/python-config
$ ln -s /usr/local/bin/python /usr/bin/python
$ ln -s /usr/local/bin/python-config /usr/bin/python-config
$ cd /usr/local/bin/
$ mv python3 python
$ vi /usr/bin/yum //修改为 #!/usr/bin/python2
$ vi /usr/libexec/urlgrabber-ext-down          //修改为 #!/usr/bin/python2

# 安装 Jumpserver
# 下载或 Clone 项目
$ cd /opt/
$ git clone --depth=1 https://github.com/jumpserver/jumpserver.git && cd jumpserver && git checkout master
#  安装依赖 RPM 包
$ cd /opt/jumpserver/requirements
$ yum -y install $(cat rpm_requirements.txt)
#  安装 Python 库依赖
$ pip3 install -r requirements.txt
# 安装 Redis, Jumpserver 使用 Redis 做 cache 和 celery broke
$ yum -y install epel-release
$ yum -y --enablerepo=remi,remi-test install redis
$ rpm -qa |grep redis
$ rpm -ql redis
$ systemctl start redis        //启动redis服务
$ systemctl enable redis         //添加到开机启动项
$ redis-cli --version         //查看版本3.2.10

# 安装 MySQL
$ cd /opt
$ yum -y install mariadb mariadb-devel mariadb-server
$ systemctl enable mariadb
$ systemctl start mariadb
# 创建数据库 Jumpserver 并授权(授权范围应限定为 jumpserver 这一个库,并把示例中的 uname / passwd 换成非默认的用户名和强口令)
$ mysql_secure_installation //MYsql密码: PASSWD
$ mysql -uroot -p        //用刚才设置的密码登陆
> create database jumpserver default charset 'utf8';
> grant all on root.* to 'uname'@'127.0.0.1' identified by 'passwd';
> exit

# 修改 Jumpserver 配置文件
$ cd /opt/jumpserver
$ cp config_example.py config.py
$ vi config.py  //注意: 配置文件是 Python 格式,不要用 TAB,而要用4个空格
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'uname'
    DB_PASSWORD = 'passwd'
    DB_NAME = 'jumpserverunema'
# 生成数据库表结构和初始化数据
$ cd /usr/local/bin/
$ cp python python3
$ cd /opt/jumpserver/utils
$ bash make_migrations.sh

# 安装 SSH Server 和 WebSocket Server: Coco
#下载或 Clone 项目
$ cd /opt
$ git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master
# 安装依赖
$ cd /opt/coco/requirements
$ yum -y install $(cat rpm_requirements.txt)
$ pip3 install -r requirements.txt
# 安装 Web Terminal 前端: Luna
$ cd /opt/
$ wget https://github.com/jumpserver/luna/releases/download/v1.0.0/luna.tar.gz  //如果下载有问题就直接上传包文件luna.tar.gz
$ tar xvf luna.tar.gz

# 安装 Windows 支持组件
$ vi /usr/libexec/urlgrabber-ext-down     //修改为 #! /usr/bin/python2
$ yum remove docker-latest-logrotate docker-logrotate docker-selinux docker docker-engine
//上传docker-ce-18.03.0.ce-1.el7.centos.x86_64.rpm到OPT
$ yum install -y yum-utils device-mapper-persistent-data lvm2
$ vi /usr/bin/yum        //修改为 #! /usr/bin/python2
$ vi /usr/libexec/urlgrabber-ext-down           //修改为 #! /usr/bin/python2
$ yum install lrzsz
$ yum install docker-ce-18.03.0.ce-1.el7.centos.x86_64.rpm          //安装本地

#启动服务
$ systemctl start docker
$ systemctl status docker
$ systemctl enable docker
$ docker run --name jms_guacamole -d \
-p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \
-e JUMPSERVER_KEY_DIR=/config/guacamole/key \
-e JUMPSERVER_SERVER=http://<IP>:8080 \
registry.jumpserver.org/public/guacamole:1.0.0

安装Nginx
$ yum -y install nginx
$ vi /etc/nginx/nginx.conf  //清空原有的所有配置文件,复制下面的所有到nginx.conf
———————————————————————-
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;
}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80;

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/;
}

location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/;
}

location /static/ {
root /opt/jumpserver/data/;
}

location /socket.io/ {
proxy_pass http://localhost:5000/socket.io/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
access_log off;
}

location / {
proxy_pass http://localhost:8080;
}
}

}

# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
—————————————————————–

#启动nginx
$ systemctl start nginx
$ systemctl enable nginx

#启动coco
$ cd /opt/coco
$ cp conf_example.py conf.py
$ ./cocod start -d

#启动jumpserver服务
$ cd /opt/jumpserver
$ ./jms start all -d
$ ./service.sh restart

#然后就可以访问使用了(上面 nginx 配置只监听 80 端口的明文 HTTP,生产环境建议启用其中注释掉的 TLS server 段,避免堡垒机登录凭据以明文传输)
http://IP

 

希望这个工具能给大家在日常的安全运维和审计过程中带来帮助。
