
Jumpserver: an open-source bastion host

Preface

JumpServer describes itself as the first fully open-source bastion host: a 4A-compliant (account, authentication, authorization, audit) operations audit system. For the full feature list see the project page:

https://github.com/jumpserver/jumpserver

Deploying it is fairly involved, since several separate components are needed. The official documentation is reasonably thorough, but I ran into a few snags deploying on Debian 9, so here are my complete installation steps.

The system used here is Debian 9.9 with at least 2 GB of RAM. At least 2 GB!

Installing Jumpserver

Update the package lists and install the dependencies:

apt -y update
apt -y install wget git build-essential nginx redis-server mariadb-server \
python3-dev python3-venv libffi-dev libtiff5-dev libjpeg62-turbo-dev zlib1g-dev \
libfreetype6-dev liblcms2-dev libwebp-dev tcl8.5-dev tk8.5-dev python-tk python-dev \
openssl libssl-dev libldap2-dev libsasl2-dev sqlite libkrb5-dev sshpass default-libmysqlclient-dev

Start Nginx, Redis and MariaDB and enable them at boot (`enable` alone only affects the next boot; `--now` also starts them immediately):

systemctl enable --now nginx redis-server mariadb

Initialize MariaDB (set a root password, drop the anonymous accounts and the test database, and disallow remote root login):

mysql_secure_installation

Log in to the MariaDB shell:

mysql -u root -p

Create the database and a dedicated user, and grant it rights on that database only. The user is bound to 127.0.0.1, so even a leaked password cannot be used from another host:

CREATE DATABASE jumpserver CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER 'jumpserver'@'127.0.0.1' IDENTIFIED BY '你的数据库用户密码';
GRANT ALL PRIVILEGES ON jumpserver.* TO 'jumpserver'@'127.0.0.1';
FLUSH PRIVILEGES;
quit

Create a Python 3 virtual environment (the name imlala is arbitrary, but it is referenced again in the systemd unit below):

cd /opt
python3 -m venv imlala
source /opt/imlala/bin/activate

Fetch the project. A bare clone gives you whatever master happens to be at that moment; the KoKo and Luna builds downloaded later are release 1.5.2, so check out the same tag to keep the three components at matching versions:

git clone https://github.com/jumpserver/jumpserver.git
cd jumpserver
git checkout 1.5.2

Install the Python dependencies:

pip install --upgrade pip setuptools
pip install -r /opt/jumpserver/requirements/requirements.txt

Make sure every one of these dependencies installs successfully. If pip stops with a build error, it is almost always a missing -dev header package from the apt list above; fix that and re-run pip rather than continuing with a partial install.

Copy the example configuration:

cp config_example.yml config.yml

Change a couple of settings (lower the log level and expire web sessions when the browser closes):

sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml

Then edit the configuration file:

nano config.yml

Fill in SECRET_KEY and BOOTSTRAP_TOKEN yourself. Both should be long random strings: SECRET_KEY signs sessions and protects data JumpServer stores, and BOOTSTRAP_TOKEN is the pre-shared secret KoKo and Guacamole present when they register with the core, so anyone holding it can register a rogue terminal component. Keep both out of shell history and screenshots.

Then scroll further down and fill in the MySQL connection settings (DB_ENGINE, DB_HOST, DB_PORT, DB_USER, DB_PASSWORD, DB_NAME) with the database and user created above.
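As an added example (not from the post or the JumpServer project), the script below does the two manual edits above without nano: it draws SECRET_KEY and BOOTSTRAP_TOKEN from /dev/urandom instead of inventing them by hand, writes them and the MariaDB settings into config.yml, locks the file to mode 600 because it now holds the database password and the signing key, and prints the bootstrap token so the identical value can be pasted into KoKo and Guacamole later. It assumes the key names of JumpServer 1.5.x's config_example.yml (SECRET_KEY, BOOTSTRAP_TOKEN, DB_ENGINE, DB_HOST, DB_PORT, DB_USER, DB_PASSWORD, DB_NAME), each present either empty or commented out; the demo at the bottom runs against a constructed stand-in for that file, not the real one.

```shell
#!/bin/sh
# Added example (not from the post or the JumpServer project): generate SECRET_KEY and
# BOOTSTRAP_TOKEN from the kernel CSPRNG and write them, together with the MariaDB
# connection settings, into config.yml instead of typing them into nano.
# Assumption: key names are those of JumpServer 1.5.x config_example.yml, each present
# either empty ("SECRET_KEY:") or commented out ("# DB_HOST: 127.0.0.1").
set -e

# gen_secret N: N random alphanumeric characters from /dev/urandom.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-49}"
}

# set_key FILE KEY VALUE: turn "KEY: old" or "# KEY: old" into "KEY: VALUE"; append the
# line if the key is absent so a typo in the template cannot silently drop a setting.
set_key() {
    file=$1; key=$2; val=$3
    # escape what is special in a sed replacement or clashes with the | delimiter
    esc=$(printf '%s' "$val" | sed 's/[&|\\]/\\&/g')
    if grep -Eq "^#? *${key}:" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^#? *${key}:.*|${key}: ${esc}|" "$file" >"$tmp"
        cat "$tmp" >"$file" && rm -f "$tmp"   # cat keeps the target's owner and mode
    else
        printf '%s: %s\n' "$key" "$val" >>"$file"
    fi
}

# get_key FILE KEY: print the active value of KEY (empty if unset or still commented out).
get_key() {
    sed -n -E "s|^${2}: *||p" "$1" | head -n 1
}

# configure_jumpserver FILE DB_PASSWORD: fill in secrets and DB settings, lock the file
# down, and print the bootstrap token that KoKo and Guacamole must be given verbatim.
configure_jumpserver() {
    file=$1; db_pass=$2
    set_key "$file" SECRET_KEY "$(gen_secret 49)"
    set_key "$file" BOOTSTRAP_TOKEN "$(gen_secret 24)"
    set_key "$file" DB_ENGINE mysql
    set_key "$file" DB_HOST 127.0.0.1
    set_key "$file" DB_PORT 3306
    set_key "$file" DB_USER jumpserver
    set_key "$file" DB_PASSWORD "$db_pass"
    set_key "$file" DB_NAME jumpserver
    chmod 600 "$file"          # the file now holds the DB password and the signing key
    get_key "$file" BOOTSTRAP_TOKEN
}

# Demo on a constructed stand-in for config_example.yml (not the real file). On the host:
#   configure_jumpserver /opt/jumpserver/config.yml 'the DB password chosen above'
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
SECRET_KEY:
BOOTSTRAP_TOKEN:
# LOG_LEVEL: DEBUG
# DB_ENGINE: mysql
# DB_HOST: 127.0.0.1
# DB_PORT: 3306
# DB_USER: jumpserver
# DB_PASSWORD:
# DB_NAME: jumpserver
EOF
TOKEN=$(configure_jumpserver "$SAMPLE" 'db-p&ss|word')
echo "BOOTSTRAP_TOKEN to reuse in KoKo and Guacamole: $TOKEN"
```

Run it once, before the first start. SECRET_KEY is also what JumpServer uses to protect the credentials it stores, so generate it once and back it up together with the database; re-running the script on a live installation would rotate it and make that stored data unreadable.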

Create a systemd unit for the core:

nano /etc/systemd/system/jms.service

with the following content:

[Unit]
Description=jms
After=network.target mariadb.service redis-server.service

[Service]
Type=forking
User=root
Environment="PATH=/opt/imlala/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin"
PIDFile=/opt/jumpserver/tmp/celery.pid
ExecStart=/opt/jumpserver/jms start all -d
ExecReload=/opt/jumpserver/jms restart all
ExecStop=/opt/jumpserver/jms stop all
Restart=always

[Install]
WantedBy=multi-user.target

Start Jumpserver and enable it at boot:

systemctl start jms
systemctl enable jms

Installing KoKo

CoCo could be installed here instead: KoKo and CoCo are the same component (the SSH and web terminal gateway), KoKo written in Go and CoCo in Python.

The JumpServer team looks set to replace CoCo with KoKo, so KoKo is what we deploy.

Download and unpack it:

cd /opt
wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-9ab4ea6-linux-amd64.tar.gz
tar -xzvf koko-master-9ab4ea6-linux-amd64.tar.gz
rm -rf koko-master-9ab4ea6-linux-amd64.tar.gz
chown -R root:root kokodir
cd kokodir
cp config_example.yml config.yml

Edit KoKo's configuration file:

nano config.yml

Only the BOOTSTRAP_TOKEN needs changing, and it must be exactly the value set in the Jumpserver config earlier; otherwise KoKo cannot register with the core.

Create a systemd unit:

nano /etc/systemd/system/koko.service

with the following content (KoKo registers with the core on start, so order it after jms):

[Unit]
Description=jumpserver koko server
After=network.target jms.service
[Service]
User=root
WorkingDirectory=/opt/kokodir
ExecStart=/opt/kokodir/koko
Restart=on-abort

[Install]
WantedBy=multi-user.target

Start KoKo and enable it at boot:

systemctl start koko
systemctl enable koko

Installing Guacamole

Install Java and the build dependencies:

apt -y install openjdk-8-jdk libcairo2-dev libpng-dev libossp-uuid-dev libavcodec-dev \
libavutil-dev libswscale-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev \
libvncserver-dev libpulse-dev libvorbis-dev libwebp-dev libwebsockets-dev

Download the guacamole-server source and build it. `--with-init-dir` installs a SysV init script for guacd, which systemd only turns into a unit after a daemon-reload:

cd /opt
git clone https://github.com/jumpserver/docker-guacamole.git
wget https://www-us.apache.org/dist/guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz
tar -xzvf guacamole-server-1.0.0.tar.gz
rm -rf guacamole-server-1.0.0.tar.gz
cd guacamole-server-1.0.0
./configure --with-init-dir=/etc/init.d
make -j$(nproc)
make install
ldconfig
systemctl daemon-reload

Start guacd and enable it at boot:

systemctl start guacd
systemctl enable guacd

Installing Tomcat

Create an unprivileged tomcat user and download Tomcat (on Debian the nologin shell lives at /usr/sbin/nologin; /sbin/nologin does not exist there):

cd /opt
useradd -m -d /opt/tomcat -s /usr/sbin/nologin -U tomcat
wget https://www.apache.org/dist/tomcat/tomcat-9/v9.0.22/bin/apache-tomcat-9.0.22.tar.gz
tar -xzvf apache-tomcat-9.0.22.tar.gz -C /opt
cp -r /opt/apache-tomcat-9.0.22/. /opt/tomcat
rm -rf /opt/apache-tomcat-9.0.22
rm -rf apache-tomcat-9.0.22.tar.gz
chown -R tomcat:tomcat /opt/tomcat

Change Tomcat's listening port to 8081 so it does not collide with Jumpserver on 8080:

sed -i 's/Connector port="8080"/Connector port="8081"/g' /opt/tomcat/conf/server.xml

Create a systemd unit:

nano /etc/systemd/system/tomcat.service

with the following content:

[Unit]
Description=Apache Tomcat 9 Server
After=network.target

[Service]
Type=forking
User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always
Environment=JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/jre
# file:/dev/./urandom, not file:/dev/urandom: the JDK special-cases the latter and can
# still block on /dev/random while seeding SecureRandom, which stalls Tomcat startup
Environment="JAVA_OPTS=-Djava.security.egd=file:/dev/./urandom"
Environment=CATALINA_BASE=/opt/tomcat
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

Start Tomcat and enable it at boot:

systemctl start tomcat
systemctl enable tomcat

Configuring Guacamole

Copy the Guacamole web client into Tomcat's webapps directory:

cp /opt/docker-guacamole/guacamole-1.0.0.war /opt/tomcat/webapps/guacamole.war

Create the directories Guacamole needs. The keys directory is the one referenced by JUMPSERVER_KEY_DIR below; Tomcat runs as the tomcat user, so it must be writable by that user:

mkdir -p /etc/guacamole/extensions /etc/guacamole/lib /etc/guacamole/keys
chown tomcat:tomcat /etc/guacamole/keys

Copy the JumpServer authentication extension and the Guacamole configuration file into place:

cp /opt/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /etc/guacamole/extensions
cp /opt/docker-guacamole/root/app/guacamole/guacamole.properties /etc/guacamole

Download and set up ssh-forward. Since this unpacks a downloaded tarball straight into /bin as root, list its contents first and confirm it holds nothing but the ssh-forward binary:

cd /opt
wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz
tar -tzf linux-amd64.tar.gz
tar -xzvf linux-amd64.tar.gz -C /bin/
rm -rf linux-amd64.tar.gz
chmod +x /bin/ssh-forward

Create an environment file:

nano /etc/profile.d/guacamole.sh

with the following content:

export GUACAMOLE_HOME=/etc/guacamole
export JUMPSERVER_SERVER=http://127.0.0.1:8080
export BOOTSTRAP_TOKEN=imlalaNxje2wNDf5e # must match the token in jumpserver/koko
export JUMPSERVER_KEY_DIR=/etc/guacamole/keys

Make it take effect. Sourcing the file only affects your own shell: systemd does not read /etc/profile.d, so Tomcat started by the unit above only sees these variables if Tomcat's own setenv.sh (which catalina.sh sources on every start) loads them:

chmod +x /etc/profile.d/guacamole.sh
source /etc/profile.d/guacamole.sh
printf '. /etc/profile.d/guacamole.sh\n' > /opt/tomcat/bin/setenv.sh
chown tomcat:tomcat /opt/tomcat/bin/setenv.sh

Restart Tomcat so it picks up the variables:

systemctl restart tomcat

Configuring Luna/Nginx

Download the Luna component:

cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
tar -xzvf luna.tar.gz
rm -rf luna.tar.gz
chown -R root:root luna

Create the Nginx site configuration. Note that this vhost listens on plain HTTP: every login and every terminal session passes through it, so for anything beyond a lab terminate TLS here (or on something in front of it) before exposing it:

nano /etc/nginx/conf.d/jumpserver.conf

with the following content:

server {
    listen 80;
    server_name jumpserver.koko.cat;
    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # Luna path; change this if you changed the install directory
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # session recordings; change this if you changed the install directory
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if you changed the install directory
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass       http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Finally, check the configuration and restart Nginx:

nginx -t && systemctl restart nginx
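An added check, not part of the post: once everything is up, this script lists the TCP listeners bound to all interfaces that are not on an explicit allowlist. On this layout only nginx (80), KoKo's SSH gateway (2222) and the host's own sshd (22) need to be reachable from outside; JumpServer core (8080) and Tomcat (8081) are only ever called by nginx on the same machine, and the Debian defaults already keep MariaDB, Redis and guacd on 127.0.0.1. The allowlist, the column layout of `ss -ltn` and the sample socket table at the bottom are assumptions of the example (the sample is constructed, not a capture).

```shell
#!/bin/sh
# Added example (not from the post): flag TCP listeners bound to all interfaces
# that are not on the allowlist of ports this bastion is meant to expose.
# Assumptions: the allowlist below, and the column layout of `ss -ltn`
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
set -e

# Ports that really must be reachable from outside: sshd, nginx, KoKo's SSH gateway.
ALLOWED="${ALLOWED:-22 80 2222}"

# exposed_ports: reads `ss -ltn` output on stdin, prints wildcard-bound ports not in $ALLOWED.
exposed_ports() {
    awk -v allowed=" $ALLOWED " '
        NR > 1 {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            wildcard = (host == "0.0.0.0" || host == "[::]" || host == "::" || host == "*")
            if (wildcard && index(allowed, " " port " ") == 0)
                print port
        }' | sort -un
}

# live_check: run against the real socket table; returns 1 if anything unexpected is exposed.
live_check() {
    found=$(ss -ltn | exposed_ports)
    if [ -n "$found" ]; then
        echo "bound to all interfaces but not allowlisted: $(printf '%s ' $found)" >&2
        return 1
    fi
    echo "ok: only ports $ALLOWED are reachable from outside"
}

# Constructed sample of `ss -ltn` on a host built per the steps above (not a real capture):
# MariaDB, Redis and guacd on loopback; core (8080) and Tomcat (8081) bound everywhere.
SAMPLE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       128     127.0.0.1:4822       0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     0.0.0.0:2222         0.0.0.0:*
LISTEN  0       100     [::]:8081            [::]:*
LISTEN  0       128     [::]:22              [::]:*'

# sample_result: the ports the check would report for the sample, space separated.
sample_result() {
    printf '%s\n' "$SAMPLE" | exposed_ports | tr '\n' ' ' | sed 's/ $//'
}

sample_result     # prints: 8080 8081
```

If live_check reports 8080, bind the core to loopback (HTTP_BIND_HOST: 127.0.0.1 in config.yml; that key name is an assumption taken from config_example.yml) or filter it with the host firewall; for Tomcat, add address="127.0.0.1" to the Connector element in server.xml. Whatever you choose, do not silence the finding by adding the port to ALLOWED.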

Basic use of Jumpserver

Open your site's domain name; you should see the Jumpserver login page.

The first thing to do after logging in is to change the default admin password. Then create an Admin User: this is the privileged account Jumpserver uses to manage a target machine, so enter the machine's root username and password, or upload the private key if you use public-key authentication.

Next, create an Asset (that is, add your machine) and select the Admin User you just created.

If everything is working, you will see some basic hardware information for the machine once it has been added.

Now create a System User. A system user can log in either automatically or manually. Automatic login requires the account credentials to be filled in here in advance; if you only ever want to log in as root, you can simply enter root's credentials here as well. A dedicated account with only the rights your operators need is the better choice: the recordings still show who did what, but a hijacked session can do less.

You can also tick Auto push: if the account entered here does not yet exist on the target machine, Jumpserver will create it there and then complete the login.

Finally, grant the asset to the newly created System User under asset permissions.

Under Sessions > Web Terminal you can now connect to the server.

As is easy to see, Jumpserver reuses part of Guacamole. If your needs are modest you could consider using Guacamole directly, which is much simpler to deploy:

Apache Guacamole: web-based cloud desktop

Source: 荒岛 » Jumpserver: an open-source bastion host (do not reproduce without permission)
Comments (2)

#1

What is a bastion host for? Exterminating the cockroaches at home? If it works well I'll get one too :cool:

橘子, 3 weeks ago (07-27)

#2

Hi, I have a question I'd like to ask you; could I add you on QQ, or on tg: @laulzgoay

小俊, 3 weeks ago (07-27)
