Jumpserver簡介,部署使用

men發表於2020-11-07

Jumpserver簡介

Jumpserver 是一款使用 Python, Django 開發的開源跳板機系統, 為互聯網企業提供了認證,授權,審計,自動化運維等功能,基於ssh協議來管理,客戶端無需安裝agent。

jumpserver功能特點
/*
	1. 完全開源,GPL授權
	2. Python編寫,容易二開
	3. 實現了跳板機基本功能,身份認證、訪問控制、授權、審計、批量操作等。
	4. 整合了Ansible,批量命令等
	5. 支援WebTerminal
	6. Bootstrap編寫,介面美觀
	7. 自動收集硬體資訊
	8. 錄影回放
	9. 命令搜尋
	10. 實時監控
	11. 批量上傳下載
*/
主要元件

JumpServer 為管理後臺, 管理員可以通過 Web 頁面進行資產管理、使用者管理、資產授權等操作, 使用者可以通過 Web 頁面進行資產登入, 檔案管理等操作

1.koko 為 SSH Server 和 Web Terminal Server 。使用者可以使用自己的賬戶通過 SSH 或者 Web Terminal 訪問 SSH 協議和 Telnet 協議資產

2.Luna 為 Web Terminal Server 前端頁面, 使用者使用 Web Terminal 方式登入所需要的元件

3.Guacamole 為 RDP 協議和 VNC 協議資產元件, 使用者可以通過 Web Terminal 來連線 RDP 協議和 VNC 協議資產 (暫時只能通過 Web Terminal 來訪問)

部署

安裝jumpserver 3.0版本,相對於jumpserver 2.0版本,在新的版本3.0中取消了LDAP授權,取而代之的是ssh進行推送;介面也有所變化,功能更完善,安裝更簡單。

初始化
#!/usr/bin/env bash
# Author: ZhouJian
# Mail: 18621048481@163.com
# Time: 2019-9-3
# Describe: CentOS 7 Initialization Script
#
# Interactive script, must run as root: every init_* function below
# rewrites system state (hostname, firewalld/SELinux, yum repos,
# /etc/resolv.conf, sysctl.conf, limits.conf, /etc/profile).
# There is no `set -e`, so a failing step does not stop the next one.
clear
# Switch the terminal to yellow for the banner. Inside double quotes
# "\\033" becomes "\033", which `echo -e` turns into ESC.
echo -ne "\\033[0;33m"
# Unquoted heredoc: each "\\" in the ASCII art collapses to a single
# backslash on output; the art contains no $ or backtick expansions.
cat<<EOT
                                  _oo0oo_
                                 088888880
                                 88" . "88
                                 (| -_- |)
                                  0\\ = /0
                               ___/'---'\\___
                             .' \\\\\\\\|     |// '.
                            / \\\\\\\\|||  :  |||// \\\\
                           /_ ||||| -:- |||||- \\\\
                          |   | \\\\\\\\\\\\  -  /// |   |
                          | \\_|  ''\\---/''  |_/ |
                          \\  .-\\__  '-'  __/-.  /
                        ___'. .'  /--.--\\  '. .'___
                     ."" '<  '.___\\_<|>_/___.' >'  "".
                    | | : '-  \\'.;'\\ _ /';.'/ - ' : | |
                    \\  \\ '_.   \\_ __\\ /__ _/   .-' /  /
                ====='-.____'.___ \\_____/___.-'____.-'=====
                                  '=---='
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                建議系統                    CentOS7
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
EOT
# Reset terminal attributes.
echo -ne "\\033[m"

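#######################################
# Ask for a hostname on the terminal, confirm it, and apply it with
# hostnamectl. Loops until a non-empty name is confirmed with y/yes
# (or until stdin hits EOF, in which case nothing is changed).
# Globals:   none
# Arguments: none (reads from the terminal)
# Outputs:   prompts and validation messages on stdout
# Returns:   status of the last command run
#######################################
init_hostname() {
  local name confirm
  # -r keeps backslashes in the typed name literal.
  while read -r -p "請輸入您想設定的主機名:" name; do
    if [[ -z "$name" ]]; then
      echo -e "\033[31m 您沒有輸入內容,請重新輸入 \033[0m"
      continue
    fi
    read -r -p "您確認使用該主機名嗎?[y/n]: " confirm
    # [[ ]] does not word-split, so an empty or blank answer is simply
    # "no"; the original `[ $var == 'y' -o $var == 'yes' ]` raised a
    # test(1) syntax error on an empty answer.
    if [[ "$confirm" == 'y' || "$confirm" == 'yes' ]]; then
      # Quoted so a name with spaces reaches hostnamectl as one argument.
      hostnamectl set-hostname "$name"
      break
    fi
  done
}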


#######################################
# The author's "security" baseline: stop firewalld and keep it off
# at boot, put SELinux in permissive mode now and disabled at next boot,
# turn off GSSAPI authentication and reverse DNS lookups in sshd, and
# make sure sshd and crond start at boot.
# NOTE(review): this leaves the host without firewalld's packet filter
# and with SELinux off; on an internet-facing bastion prefer restricting
# firewalld to the ports actually exposed (ssh, nginx on 80, coco on
# 2222) over disabling it. The sshd_config edits take effect when sshd
# is next restarted.
# Globals:   none
# Arguments: none
# Outputs:   status line on stdout
#######################################
init_security() {
  local sshd_cfg=/etc/ssh/sshd_config
  systemctl stop firewalld
  systemctl disable firewalld &>/dev/null
  setenforce 0
  sed -i '/^SELINUX=/ s/enforcing/disabled/' /etc/selinux/config
  sed -i '/^GSSAPIAu/ s/yes/no/' "$sshd_cfg"
  sed -i '/^#UseDNS/ {s/^#//;s/yes/no/}' "$sshd_cfg"
  systemctl enable sshd crond &>/dev/null
  printf '\033[32m [安全配置] ==> OK \033[0m\n'
}

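#######################################
# Replace the yum repo configuration with the 163 CentOS mirror and the
# Aliyun EPEL mirror, set the timezone, and pin /etc/resolv.conf.
# Globals:   none
# Arguments: none
# Outputs:   status line on stdout, download warnings on stderr
# Returns:   exits 1 when the connectivity probe fails
#######################################
init_yumsource() {
  local repo_dir=/etc/yum.repos.d
  mkdir -p "$repo_dir/backup"
  # Existing repo files are moved aside, not deleted; 2>/dev/null only
  # hides the noise when the directory is already empty (and the
  # "cannot move backup into itself" message).
  mv "$repo_dir"/* "$repo_dir/backup" 2>/dev/null

  if ! ping -c 2 baidu.com &>/dev/null; then
    echo "您無法上外網,不能配置yum源"
    # The original bare `exit` returned the status of the echo above (0),
    # so a caller could not tell this failure from success.
    exit 1
  fi
  # NOTE(review): both repo definitions are fetched over plain http, so
  # package integrity rests on the gpgcheck settings inside the fetched
  # files; inspect them before trusting the result. -f turns an HTTP
  # error into a curl failure, -sS hides the progress bar but not errors.
  curl -fsSL -o "$repo_dir/163.repo" http://mirrors.163.com/.help/CentOS7-Base-163.repo \
    || echo "warning: failed to download 163.repo" >&2
  curl -fsSL -o "$repo_dir/epel.repo" http://mirrors.aliyun.com/repo/epel-7.repo \
    || echo "warning: failed to download epel.repo" >&2
  timedatectl set-timezone Asia/Shanghai
  # A previous run may have made resolv.conf immutable; lift that first so
  # the rewrite below does not fail with "Operation not permitted".
  chattr -i /etc/resolv.conf 2>/dev/null
  # Static resolvers; chattr +i then stops NetworkManager/dhclient (and
  # everyone else) from rewriting the file until `chattr -i` is run.
  printf 'nameserver %s\n' 114.114.114.114 8.8.8.8 > /etc/resolv.conf
  chattr +i /etc/resolv.conf

  echo -e "\033[32m [YUM Source] ==> OK \033[0m"
}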

#######################################
# Install the author's set of day-to-day admin tools with yum. Package
# manager output is discarded, so a package that fails to install is
# only visible in yum's own logs.
# Globals:   none
# Arguments: none
# Outputs:   status lines on stdout
#######################################
init_install_package() {
  local -a base_tools=(lsof tree wget vim bash-completion lftp bind-utils)
  local -a extra_tools=(atop htop nethogs net-tools libcurl-devel libxml2-devel
    openssl-devel unzip psmisc ntpdate nslookup)
  printf '\033[32m 安裝系統需要的軟體,請稍等~ ~ ~ \033[0m\n'
  yum -y install "${base_tools[@]}" &>/dev/null
  yum -y install "${extra_tools[@]}" &>/dev/null
  printf '\033[32m [安裝常用工具] ==> OK \033[0m\n'
}

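#######################################
# Overwrite /etc/sysctl.conf with the author's kernel/network tuning set
# and apply it.
# NOTE(review): this clobbers any existing /etc/sysctl.conf instead of
# adding a file under /etc/sysctl.d/. tcp_tw_recycle=1 is set while
# tcp_timestamps=0, which leaves tcp_tw_recycle inert (and enabling it
# together with timestamps is known to break clients behind NAT); review
# the values before reusing the list elsewhere.
# Globals:   none
# Arguments: none
# Outputs:   status line on stdout; sysctl's own errors on stderr
#######################################
init_kernel_parameter() {
  # Quoted delimiter: the content has no expansions and is written verbatim.
  cat > /etc/sysctl.conf <<'EOF'
fs.file-max = 999999
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
vm.swappiness = 10
EOF
  # The original discarded sysctl's stderr and printed OK unconditionally,
  # so a rejected key went unnoticed. Keep the per-key stdout quiet but
  # let errors through and report them.
  if sysctl -p /etc/sysctl.conf >/dev/null; then
    echo -e "\033[32m [核心 優化] ==> OK \033[0m"
  else
    echo -e "\033[33m [核心 優化] ==> sysctl -p rejected one or more keys, see errors above \033[0m" >&2
  fi
}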

# **************************************************
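#######################################
# Raise process / file-descriptor limits in limits.conf, apply limits to
# the running shell, and add timestamps to bash history via /etc/profile.
# Re-runs are idempotent: each append is skipped when its marker line is
# already present (the original appended duplicate lines on every run).
# Globals:   whatever /etc/profile exports, HISTTIMEFORMAT among them
# Arguments: none
# Outputs:   status line on stdout
#######################################
init_system_limit() {
  if ! grep -qx '\* soft nofile 65530' /etc/security/limits.conf; then
    cat >> /etc/security/limits.conf <<'EOF'
* soft nproc 65530
* hard nproc 65530
* soft nofile 65530
* hard nofile 65530
EOF
  fi
  # These two only affect this script's process; future login sessions
  # get their limits from the limits.conf entries above.
  ulimit -n 65535
  ulimit -u 20480
  echo -e "\033[32m [ulimits 配置] ==> OK \033[0m"
  if ! grep -q '^export HISTTIMEFORMAT=' /etc/profile; then
    cat >> /etc/profile <<'EOF'
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
EOF
  fi
  source /etc/profile
}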

#######################################
# Run the initialization steps in order. With no `set -e`, a failing
# step does not stop the following ones; init_yumsource is the only
# step that exits the script on its own.
# Globals:   none
# Arguments: none
#######################################
main() {
  local step
  for step in init_hostname init_security init_yumsource \
              init_install_package init_kernel_parameter init_system_limit; do
    "$step"
  done
}
main
修改字符集
# Build the zh_CN.UTF-8 locale, use it in the current shell, and make it
# the system default for future logins.
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
LC_ALL=zh_CN.UTF-8
export LC_ALL
printf '%s\n' 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
安裝基礎包和依賴
# Build toolchain, headers and helpers needed to compile the Python
# dependencies, then Python 3.6 (python36 is normally an EPEL package,
# hence epel-release in the first line).
yum -y install wget vim lrzsz xz gcc git epel-release python-pip python-devel \
  mysql-devel automake autoconf sqlite-devel zlib-devel openssl-devel sshpass \
  readline-devel
yum -y install python36 python36-devel

# Dedicated virtualenv under /opt/py3; every later pip command assumes
# it is active in the current shell.
cd /opt
python3.6 -m venv py3
. /opt/py3/bin/activate
安裝Jumpserver
# Shallow clone of the default branch (no tag or commit pinned, so the
# tree depends on when this runs), then its RPM and pip dependencies.
git clone --depth=1 https://github.com/jumpserver/jumpserver.git

cd /opt/jumpserver/requirements
# $(<file) word-splits exactly like $(cat file), which is what yum needs:
# one package name per word.
# shellcheck disable=SC2046 — intentional word-splitting of the package list
yum -y install $(<rpm_requirements.txt)
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

# Second pass against the default index after upgrading pip/setuptools;
# mostly a no-op once the first pass succeeded.
pip install --upgrade pip setuptools
pip install -r requirements.txt
安裝redis
(py3) [root@kvm-47 requirements]#  yum -y install redis
(py3) [root@kvm-47 requirements]# systemctl enable redis && systemctl start redis
安裝Mysql
(py3) [root@kvm-47 requirements]#  yum -y install mariadb mariadb-devel mariadb-server
(py3) [root@kvm-47 requirements]# systemctl enable mariadb &&  systemctl start mariadb
(py3) [root@kvm-47 jumpserver]# mysqladmin -u root password 'ZHOUjian.20'

(py3) [root@kvm-47 jumpserver]# DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
(py3) [root@kvm-47 jumpserver]# echo $DB_PASSWORD
hDh4XtVKUxsRUPwYdEFznKTK
(py3) [root@kvm-47 jumpserver]# mysql -uroot -pZHOUjian.20 -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
配置jumpserver
(py3) [root@kvm-47 requirements]# cd /opt/jumpserver/
(py3) [root@kvm-47 jumpserver]# ls
apps                docs           logs          run_server.py
config_example.yml  entrypoint.sh  README_EN.md  tmp
data                jms            README.md     utils
Dockerfile          LICENSE        requirements  Vagrantfile

(py3) [root@kvm-47 jumpserver]# cp config_example.yml config.yml


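# Generate the two application secrets, persist them for later shells,
# and write them plus the DB password into config.yml.
# NOTE(review): ~/.bashrc and config.yml then hold the secrets in clear;
# keep both readable by root only (mode 600) and do not paste config.yml
# elsewhere. `tr -dc A-Za-z0-9` guarantees the generated values contain
# only alphanumerics, so they are safe to interpolate into the sed
# replacements below; a hand-chosen DB_PASSWORD containing / or & would
# not be.
# DB_PASSWORD was generated when the database was created; with it empty
# the last sed would silently leave the field blank.
: "${DB_PASSWORD:?DB_PASSWORD must be set to the value used for the jumpserver MySQL user}"
cfg=/opt/jumpserver/config.yml
SECRET_KEY=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 50)
printf 'SECRET_KEY=%s\n' "$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16)
printf 'BOOTSTRAP_TOKEN=%s\n' "$BOOTSTRAP_TOKEN" >> ~/.bashrc
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" "$cfg"
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" "$cfg"
sed -i "s/# DEBUG: true/DEBUG: false/g" "$cfg"
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" "$cfg"
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" "$cfg"
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" "$cfg"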
啟動關閉jumpserver
(py3) [root@kvm-47 jumpserver]# cd /opt/jumpserver/
(py3) [root@kvm-47 jumpserver]# ./jms start all -d
(py3) [root@kvm-47 jumpserver]# ./jms stop
部署coco

支援終端管理,預設port為2222

手動部署

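# Deploy coco, the SSH / Web Terminal component, next to jumpserver. The
# clone is unpinned (default branch, depth 1), so the tree you get
# depends on when this runs.
cd /opt
git clone --depth=1 https://github.com/jumpserver/coco.git
cd /opt/coco/requirements

# The original ran `pip install -r requirements.txt` once before the RPM
# build dependencies were installed and again after; the first pass is
# at best redundant, so only the ordered sequence is kept.
# shellcheck disable=SC2046 — intentional word-splitting of the package list
yum -y install $(<rpm_requirements.txt)
pip install --upgrade pip setuptools==45.2.0
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

cd /opt/coco
cp config_example.yml config.yml
# BOOTSTRAP_TOKEN has to be the same value written into jumpserver's
# config.yml (it was appended to ~/.bashrc there). With it unset, the sed
# below would leave coco with an empty token.
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN must match the value in /opt/jumpserver/config.yml}"
sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml
sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml
./cocod start -d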
部署luna

與nginx結合支援Web Terminal前端

# Luna: pre-built web terminal front end, unpacked to /opt/luna for nginx
# to serve. The release tarball is fetched without a checksum or
# signature check.
cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.4.10/luna.tar.gz
tar -xf luna.tar.gz
chown -R root:root luna
配置nginx
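# Official nginx stable repo. gpgcheck=1 with the key fetched over https
# means yum verifies each package signature, which is what protects the
# http baseurl. The original listing invoked `vi` interactively and
# pasted the file body after it; a quoted heredoc writes the same
# content non-interactively and keeps $releasever/$basearch literal for
# yum to expand.
cat > /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF
# Refresh metadata before installing rather than after, as the original did.
yum makecache fast
yum install -y nginx
systemctl enable nginx
# default.conf is a regular file; -r is not needed.
rm -f -- /etc/nginx/conf.d/default.conf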


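# Strip comment-only and blank lines from the stock nginx.conf. The
# regex ([[:space:]]* followed by # or end of line) already covers
# everything the original's first pass ('^ *#') removed, so one sed is
# enough. -r (extended regex) and -i are GNU sed options.
cd /etc/nginx/
sed -ri '/^[[:space:]]*(#|$)/d' nginx.conf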



# nginx front end for Jumpserver: luna and the static/media trees are
# served from disk, everything else is proxied to the local services
# (coco on :5000 for /socket.io/ and /coco/, guacamole on :8081, the
# jumpserver web application on :8080).
# NOTE(review): only `listen 80` and no ssl_* directives, so logins and
# session cookies cross the network in clear unless TLS is terminated in
# front of this server.
server {
    listen 80;
    client_max_body_size 100m;  # size limit for recordings and file uploads
    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory changes
    }
    location /media/ {
        add_header Content-Encoding gzip;  # presumably recordings are stored gzip-compressed on disk — confirm
        root /opt/jumpserver/data/;  # recording location; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
    }

    # WebSocket path for the web terminal; Connection is forced to
    # "upgrade" rather than passed through from the client.
    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;  # nginx keeps no access log for this path
    }

    location /coco/ {
        proxy_pass       http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;  # nginx keeps no access log for this path
    }

    # Guacamole (RDP/VNC): here Connection is passed through from the
    # client, unlike /socket.io/ above.
    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;  # nginx keeps no access log for this path
    }

    # Everything else goes to the jumpserver web application.
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

登入測試

# 檢查應用是否已經正常執行
# 服務全部啟動後, 訪問 jumpserver 伺服器 nginx 代理的 80 埠, 不要通過8080埠訪問
# 預設賬號: admin 密碼: admin