Jumpserver简介,部署使用

微信扫一扫,分享到朋友圈

Jumpserver简介,部署使用

Jumpserver简介

Jumpserver 是一款使用 Python, Django 开发的开源跳板机系统, 为亏联网企业提供了认证,授权,审计,自动化运维等功能,基于ssh协议来管理,客户端无需安装agent。

jumpserver功能特点

/*
1. 完全开源,GPL授权
2. Python编写,容易二开
3. 实现了跳板机基本功能,身份认证、访问控制、授权、审计、批量操作等。
4. 集成了Ansible,批量命令等
5. 支持WebTerminal
6. Bootstrap编写,界面美观
7. 自动收集硬件信息
8. 录像回放
9. 命令搜索
10. 实时监控
11. 批量上传下载
*/

主要组件

JumpServer 为管理后台, 管理员可以通过 Web 页面进行资产管理、用户管理、资产授权等操作, 用户可以通过 Web 页面进行资产登录, 文件管理等操作
1.koko 为 SSH Server 和 Web Terminal Server 。用户可以使用自己的账户通过 SSH 或者 Web Terminal 访问 SSH 协议和 Telnet 协议资产
2.Luna 为 Web Terminal Server 前端页面, 用户使用 Web Terminal 方式登录所需要的组件
3.Guacamole 为 RDP 协议和 VNC 协议资产组件, 用户可以通过 Web Terminal 来连接 RDP 协议和 VNC 协议资产 (暂时只能通过 Web Terminal 来访问)

部署

安装jumpserver 3.0版本,相对于jumpserver 2.0版本,在新的版本3.0中取消了LDAP授权,取而代之的是ssh进行推送;界面也有所变化,功能更完善,安装更简单。

初始化

#!/usr/bin/env bash
# Author: ZhouJian
# Mail: 18621048481@163.com
# Time: 2019-9-3
# Describe: CentOS 7 Initialization Script
clear
echo -ne "\\033[0;33m"
cat<<EOT
_oo0oo_
088888880
88" . "88
(| -_- |)
0\\ = /0
___/'---'\\___
.' \\\\\\\\|     |// '.
/ \\\\\\\\|||  :  |||// \\\\
/_ ||||| -:- |||||- \\\\
|   | \\\\\\\\\\\\  -  /// |   |
| \\_|  ''\\---/''  |_/ |
\\  .-\\__  '-'  __/-.  /
___'. .'  /--.--\\  '. .'___
."" '<  '.___\\_<|>_/___.' >'  "".
| | : '-  \\'.;'\\ _ /';.'/ - ' : | |
\\  \\ '_.   \\_ __\\ /__ _/   .-' /  /
====='-.____'.___ \\_____/___.-'____.-'=====
'=---='
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
建议系统                    CentOS7
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
EOT
echo -ne "\\033[m"
init_hostname() {
while read -p "请输入您想设定的主机名:" name
do
if [ -z "$name" ];then
echo -e "\033[31m 您没有输入内容,请重新输入 \033[0m"
continue
fi
read -p "您确认使用该主机名吗?[y/n]: " var
if [ $var == 'y' -o $var == 'yes' ];then
hostnamectl set-hostname $name
break
fi
done
}
init_security() {
systemctl stop firewalld
systemctl disable firewalld &>/dev/null
setenforce 0
sed -i '/^SELINUX=/ s/enforcing/disabled/'  /etc/selinux/config
sed -i '/^GSSAPIAu/ s/yes/no/' /etc/ssh/sshd_config
sed -i '/^#UseDNS/ {s/^#//;s/yes/no/}' /etc/ssh/sshd_config
systemctl enable sshd crond &> /dev/null
echo -e "\033[32m [安全配置] ==> OK \033[0m"
}
init_yumsource() {
if [ ! -d /etc/yum.repos.d/backup ];then
mkdir /etc/yum.repos.d/backup
fi
mv /etc/yum.repos.d/* /etc/yum.repos.d/backup 2>/dev/null
if ! ping -c 2 baidu.com &>/dev/null
then
echo "您无法上外网,不能配置yum源"
exit
fi
curl -o /etc/yum.repos.d/163.repo http://mirrors.163.com/.help/CentOS7-Base-163.repo &>/dev/null
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo &>/dev/null
timedatectl set-timezone Asia/Shanghai
echo "nameserver 114.114.114.114" > /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
chattr +i /etc/resolv.conf
echo -e "\033[32m [YUM Source] ==> OK \033[0m"
}
init_install_package() {
echo -e "\033[32m 安装系统需要的软件,请稍等~ ~ ~ \033[0m"
yum -y install lsof tree wget vim  bash-completion lftp bind-utils  &>/dev/null
yum -y install atop htop nethogs net-tools libcurl-devel libxml2-devel openssl-devel unzip  psmisc ntpdate nslookup &>/dev/null
echo -e "\033[32m [安装常用工具] ==> OK \033[0m"
}
init_kernel_parameter() {
cat > /etc/sysctl.conf <<EOF
fs.file-max = 999999
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
vm.swappiness = 10
EOF
sysctl -p /etc/sysctl.conf >/dev/null 2>&1
echo -e "\033[32m [内核 优化] ==> OK \033[0m"
}
# **************************************************
init_system_limit() {
cat >> /etc/security/limits.conf <<EOF
* soft nproc 65530
* hard nproc 65530
* soft nofile 65530
* hard nofile 65530
EOF
ulimit -n 65535
ulimit -u 20480
echo -e "\033[32m [ulimits 配置] ==> OK \033[0m"
cat >> /etc/profile <<EOF
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
EOF
source /etc/profile
}
main() {
init_hostname
init_security
init_yumsource
init_install_package
init_kernel_parameter
init_system_limit
}
main

修改字符集

localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

安装基础包和依赖

yum -y install wget vim lrzsz xz gcc git epel-release python-pip python-devel mysql-devel automake autoconf sqlite-devel zlib-devel openssl-devel sshpass readline-devel
yum -y install python36 python36-devel
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate

安装Jumpserver

git clone --depth=1 https://github.com/jumpserver/jumpserver.git
cd /opt/jumpserver/requirements
yum -y install $(cat rpm_requirements.txt)
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools
pip install -r requirements.txt

安装redis

(py3) [root@kvm-47 requirements]#  yum -y install redis
(py3) [root@kvm-47 requirements]# systemctl enable redis && systemctl start redis

安装Mysql

(py3) [root@kvm-47 requirements]#  yum -y install mariadb mariadb-devel mariadb-server
(py3) [root@kvm-47 requirements]# systemctl enable mariadb &&  systemctl start mariadb
(py3) [root@kvm-47 jumpserver]# mysqladmin -u root password 'ZHOUjian.20'
(py3) [root@kvm-47 jumpserver]# DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
(py3) [root@kvm-47 jumpserver]# echo $DB_PASSWORD
hDh4XtVKUxsRUPwYdEFznKTK
(py3) [root@kvm-47 jumpserver]# mysql -uroot -pZHOUjian.20 -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"

配置jumpserver

(py3) [root@kvm-47 requirements]# cd /opt/jumpserver/
(py3) [root@kvm-47 jumpserver]# ls
apps                docs           logs          run_server.py
config_example.yml  entrypoint.sh  README_EN.md  tmp
data                jms            README.md     utils
Dockerfile          LICENSE        requirements  Vagrantfile
(py3) [root@kvm-47 jumpserver]# cp config_example.yml config.yml
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml

启动关闭jumpservere

(py3) [root@kvm-47 jumpserver]# cd /opt/jumpserver/
(py3) [root@kvm-47 jumpserver]# ./jms start all -d
(py3) [root@kvm-47 jumpserver]# ./jms stop

部署coco

支持终端管理,默认port为2222

手动部署

cd /opt
git clone --depth=1 https://github.com/jumpserver/coco.git
cd /opt/coco/requirements
pip install --upgrade pip
pip install -r requirements.txt
yum -y install $(cat rpm_requirements.txt)
pip install --upgrade pip setuptools==45.2.0
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
cd /opt/coco
cp config_example.yml config.yml
sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml
sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml
./cocod start -d

部署luna

与nginx结合支持Web Terminal前端

cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.4.10/luna.tar.gz
tar xf luna.tar.gz
chown -R root:root luna

配置nginx

vi /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
yum install -y nginx
yum makecache fast
systemctl enable nginx
rm -rf /etc/nginx/conf.d/default.conf
cd /etc/nginx/
sed -i '/^ *#/d'  nginx.conf
sed -ri '/^[[:space:]]*(#|$)/d'  nginx.conf
server {
listen 80;
client_max_body_size 100m;  # 录像及文件上传大小限制
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
}
location /static/ {
root /opt/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
}
location /socket.io/ {
proxy_pass       http://localhost:5000/socket.io/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /coco/ {
proxy_pass       http://localhost:5000/coco/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass       http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location / {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

登录测试

# 检查应用是否已经正常运行
# 服务全部启动后, 访问 jumpserver 服务器 nginx 代理的 80 端口, 不要通过8080端口访问
# 默认账号: admin 密码: admin

微信扫一扫,分享到朋友圈

Jumpserver简介,部署使用

PS1至PS5开机画面 26年弹指一瞬

上一篇

揭秘弘毅创投首期美元基金:4个月超募,已投完美日记等,两大投资主题首公开

下一篇

你也可能喜欢

Jumpserver简介,部署使用

长按储存图像,分享给朋友