Jumpserver簡介
Jumpserver 是一款使用 Python, Django 開發的開源跳板機系統, 為虧聯網企業提供了認證,授權,審計,自動化運維等功能,基於ssh協議來管理,客戶端無需安裝agent。
jumpserver功能特點
/*
1. 完全開源,GPL授權
2. Python編寫,容易二開
3. 實現了跳板機基本功能,身份認證、訪問控制、授權、審計、批量操作等。
4. 整合了Ansible,批量命令等
5. 支援WebTerminal
6. Bootstrap編寫,介面美觀
7. 自動收集硬體資訊
8. 錄影回放
9. 命令搜尋
10. 實時監控
11. 批量上傳下載
*/
主要元件
JumpServer 為管理後臺, 管理員可以通過 Web 頁面進行資產管理、使用者管理、資產授權等操作, 使用者可以通過 Web 頁面進行資產登入, 檔案管理等操作
1.koko 為 SSH Server 和 Web Terminal Server 。使用者可以使用自己的賬戶通過 SSH 或者 Web Terminal 訪問 SSH 協議和 Telnet 協議資產
2.Luna 為 Web Terminal Server 前端頁面, 使用者使用 Web Terminal 方式登入所需要的元件
3.Guacamole 為 RDP 協議和 VNC 協議資產元件, 使用者可以通過 Web Terminal 來連線 RDP 協議和 VNC 協議資產 (暫時只能通過 Web Terminal 來訪問)
部署
安裝jumpserver 3.0版本,相對於jumpserver 2.0版本,在新的版本3.0中取消了LDAP授權,取而代之的是ssh進行推送;介面也有所變化,功能更完善,安裝更簡單。
初始化
#!/usr/bin/env bash
# Author: ZhouJian
# Mail: 18621048481@163.com
# Time: 2019-9-3
# Describe: CentOS 7 Initialization Script
clear
echo -ne "\\033[0;33m"
cat<<EOT
_oo0oo_
088888880
88" . "88
(| -_- |)
0\\ = /0
___/'---'\\___
.' \\\\\\\\| |// '.
/ \\\\\\\\||| : |||// \\\\
/_ ||||| -:- |||||- \\\\
| | \\\\\\\\\\\\ - /// | |
| \\_| ''\\---/'' |_/ |
\\ .-\\__ '-' __/-. /
___'. .' /--.--\\ '. .'___
."" '< '.___\\_<|>_/___.' >' "".
| | : '- \\'.;'\\ _ /';.'/ - ' : | |
\\ \\ '_. \\_ __\\ /__ _/ .-' / /
====='-.____'.___ \\_____/___.-'____.-'=====
'=---='
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
建議系統 CentOS7
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
EOT
echo -ne "\\033[m"
init_hostname() {
while read -p "請輸入您想設定的主機名:" name
do
if [ -z "$name" ];then
echo -e "\033[31m 您沒有輸入內容,請重新輸入 \033[0m"
continue
fi
read -p "您確認使用該主機名嗎?[y/n]: " var
if [ $var == 'y' -o $var == 'yes' ];then
hostnamectl set-hostname $name
break
fi
done
}
init_security() {
systemctl stop firewalld
systemctl disable firewalld &>/dev/null
setenforce 0
sed -i '/^SELINUX=/ s/enforcing/disabled/' /etc/selinux/config
sed -i '/^GSSAPIAu/ s/yes/no/' /etc/ssh/sshd_config
sed -i '/^#UseDNS/ {s/^#//;s/yes/no/}' /etc/ssh/sshd_config
systemctl enable sshd crond &> /dev/null
echo -e "\033[32m [安全配置] ==> OK \033[0m"
}
init_yumsource() {
if [ ! -d /etc/yum.repos.d/backup ];then
mkdir /etc/yum.repos.d/backup
fi
mv /etc/yum.repos.d/* /etc/yum.repos.d/backup 2>/dev/null
if ! ping -c 2 baidu.com &>/dev/null
then
echo "您無法上外網,不能配置yum源"
exit
fi
curl -o /etc/yum.repos.d/163.repo http://mirrors.163.com/.help/CentOS7-Base-163.repo &>/dev/null
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo &>/dev/null
timedatectl set-timezone Asia/Shanghai
echo "nameserver 114.114.114.114" > /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
chattr +i /etc/resolv.conf
echo -e "\033[32m [YUM Source] ==> OK \033[0m"
}
init_install_package() {
echo -e "\033[32m 安裝系統需要的軟體,請稍等~ ~ ~ \033[0m"
yum -y install lsof tree wget vim bash-completion lftp bind-utils &>/dev/null
yum -y install atop htop nethogs net-tools libcurl-devel libxml2-devel openssl-devel unzip psmisc ntpdate nslookup &>/dev/null
echo -e "\033[32m [安裝常用工具] ==> OK \033[0m"
}
init_kernel_parameter() {
cat > /etc/sysctl.conf <<EOF
fs.file-max = 999999
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
vm.swappiness = 10
EOF
sysctl -p /etc/sysctl.conf >/dev/null 2>&1
echo -e "\033[32m [核心 優化] ==> OK \033[0m"
}
# **************************************************
init_system_limit() {
cat >> /etc/security/limits.conf <<EOF
* soft nproc 65530
* hard nproc 65530
* soft nofile 65530
* hard nofile 65530
EOF
ulimit -n 65535
ulimit -u 20480
echo -e "\033[32m [ulimits 配置] ==> OK \033[0m"
cat >> /etc/profile <<EOF
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
EOF
source /etc/profile
}
main() {
init_hostname
init_security
init_yumsource
init_install_package
init_kernel_parameter
init_system_limit
}
main
修改字符集
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
安裝基礎包和依賴
yum -y install wget vim lrzsz xz gcc git epel-release python-pip python-devel mysql-devel automake autoconf sqlite-devel zlib-devel openssl-devel sshpass readline-devel
yum -y install python36 python36-devel
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate
安裝Jumpserver
git clone --depth=1 https://github.com/jumpserver/jumpserver.git
cd /opt/jumpserver/requirements
yum -y install $(cat rpm_requirements.txt)
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools
pip install -r requirements.txt
安裝redis
(py3) [root@kvm-47 requirements]# yum -y install redis
(py3) [root@kvm-47 requirements]# systemctl enable redis && systemctl start redis
安裝Mysql
(py3) [root@kvm-47 requirements]# yum -y install mariadb mariadb-devel mariadb-server
(py3) [root@kvm-47 requirements]# systemctl enable mariadb && systemctl start mariadb
(py3) [root@kvm-47 jumpserver]# mysqladmin -u root password 'ZHOUjian.20'
(py3) [root@kvm-47 jumpserver]# DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
(py3) [root@kvm-47 jumpserver]# echo $DB_PASSWORD
hDh4XtVKUxsRUPwYdEFznKTK
(py3) [root@kvm-47 jumpserver]# mysql -uroot -pZHOUjian.20 -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
配置jumpserver
(py3) [root@kvm-47 requirements]# cd /opt/jumpserver/
(py3) [root@kvm-47 jumpserver]# ls
apps docs logs run_server.py
config_example.yml entrypoint.sh README_EN.md tmp
data jms README.md utils
Dockerfile LICENSE requirements Vagrantfile
(py3) [root@kvm-47 jumpserver]# cp config_example.yml config.yml
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
啟動關閉jumpservere
(py3) [root@kvm-47 jumpserver]# cd /opt/jumpserver/
(py3) [root@kvm-47 jumpserver]# ./jms start all -d
(py3) [root@kvm-47 jumpserver]# ./jms stop
部署coco
支援終端管理,預設port為2222
手動部署
cd /opt
git clone --depth=1 https://github.com/jumpserver/coco.git
cd /opt/coco/requirements
pip install --upgrade pip
pip install -r requirements.txt
yum -y install $(cat rpm_requirements.txt)
pip install --upgrade pip setuptools==45.2.0
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
cd /opt/coco
cp config_example.yml config.yml
sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml
sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml
./cocod start -d
部署luna
與nginx結合支援Web Terminal前端
cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.4.10/luna.tar.gz
tar xf luna.tar.gz
chown -R root:root luna
配置nginx
vi /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
yum install -y nginx
yum makecache fast
systemctl enable nginx
rm -rf /etc/nginx/conf.d/default.conf
cd /etc/nginx/
sed -i '/^ *#/d' nginx.conf
sed -ri '/^[[:space:]]*(#|$)/d' nginx.conf
server {
listen 80;
client_max_body_size 100m; # 錄影及檔案上傳大小限制
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路徑, 如果修改安裝目錄, 此處需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 錄影位置, 如果修改安裝目錄, 此處需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 靜態資源, 如果修改安裝目錄, 此處需要修改
}
location /socket.io/ {
proxy_pass http://localhost:5000/socket.io/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /coco/ {
proxy_pass http://localhost:5000/coco/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location / {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
登入測試
# 檢查應用是否已經正常執行
# 服務全部啟動後, 訪問 jumpserver 伺服器 nginx 代理的 80 埠, 不要通過8080埠訪問
# 預設賬號: admin 密碼: admin