JumpServer Bastion Machine

1. Introduction to JumpServer

  • JumpServer is the world's first fully open source bastion host. It is released under the GNU GPL v2.0 license and is a 4A-compliant professional operations audit system.
  • It is developed in Python/Django, follows the Web 2.0 specification, and ships with an industry-leading Web Terminal solution, a polished interface and a good user experience.
  • It uses a distributed architecture that supports multi-datacenter and cross-region deployment: a central node provides the API and each datacenter deploys login nodes, so it scales horizontally without a concurrency ceiling.
  • It provides authentication, authorization, auditing and automated operations functions for Internet companies.

Features:

  • Open source: zero barrier to entry, quick to obtain and install online.
  • Distributed: easily supports large-scale concurrent access.
  • No plug-ins: only a browser is needed for the full Web Terminal experience.
  • Multi-cloud support: one system manages assets on different clouds at the same time.
  • Cloud storage: audit recordings are stored in the cloud and are never lost.
  • Multi-tenant: one system serves multiple subsidiaries and departments at the same time.
  • Multi-application support: databases, Windows remote applications, Kubernetes.

Functions implemented by JumpServer:

  • Function list (4A): Authentication (identity verification) | Account (account management) | Authorization (authorization control) | Audit (security audit)

1. JumpServer components

JumpServer itself is the management backend: administrators perform asset management, user management, asset authorization and similar operations through the Web page.

  • Koko: the SSH and Web Terminal server (Web Linux client). Users log in over SSH or the Web Terminal with their own account and directly access the assets they are authorized for, without needing to know the server's account password.
  • Luna: the front-end page of the Web Terminal server. Users log in to the required components through the Web Terminal.
  • Guacamole: the Windows component. Users connect to Windows assets through the Web Terminal (for now, Windows assets can only be accessed through the Web Terminal).

2. Deploy JumpServer bastion host

Preparation:

Host name   | Operating system | Hardware                                  | Python | MySQL | MariaDB | Redis
JumpServer  | CentOS 7.4       | CPU cores: 2, memory: 4G, hard disk: 50G+ | 3.6.x  | 5.6   | 5.5.56  | -

1. Install Python

1) Upload the installation package

[[email protected] ~]# ls
anaconda-ks.cfg  jumpserver-master.zip  jumpserver-packs.tar.gz  pip-packs.tar.gz  Python-3.6.8.tgz
[[email protected] ~]# tar xf jumpserver-packs.tar.gz
[[email protected] ~]# tar xf pip-packs.tar.gz
[[email protected] ~]# tar xf Python-3.6.8.tgz -C /usr/local/src/

2) Configure the local JumpServer yum repository

[[email protected] ~]# cat <<END > /etc/yum.repos.d/jumpserver.repo
[JumpServer]
name=CentOS7
baseurl=file:///root/jumpserver-packs
enable=1
gpgcheck=0
END
[[email protected] ~]# yum makecache										# build the yum cache

3) Install dependent packages

[[email protected] ~]# yum -y install gcc zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel libffi-devel openldap-devel sshpass

4) Compile and install

[[email protected] ~]# cd /usr/local/src/Python-3.6.8/
[[email protected] Python-3.6.8]# ./configure --prefix=/usr/local/python
[[email protected] Python-3.6.8]# make -j `cat /proc/cpuinfo | grep processor | wc -l`			# compile with one job per CPU core
[[email protected] Python-3.6.8]# make install													# install

5) Create symbolic links so the binaries are on the execution path

[[email protected] ~]# ln -s /usr/local/python/bin/* /usr/local/bin/
[[email protected] ~]# python3 -V
Python 3.6.8
[[email protected] ~]# pip3 -V
pip 18.1 from /usr/local/python/lib/python3.6/site-packages/pip (python 3.6)

6) Configure Python virtual environment

  • CentOS 6/7 ships with Python 2, and yum and other tools depend on that original Python, so a virtual environment is used to leave the original environment untouched.
[[email protected] ~]# python3.6 -m venv /opt/py3					# create the Py3 virtual environment
[[email protected] ~]# source /opt/py3/bin/activate				# enter the Py3 virtual environment
(py3) [[email protected] ~]# echo "source /opt/py3/bin/activate" >> .bashrc		# activate it automatically on login

2. Install JumpServer

(py3) [[email protected] ~]# yum -y install unzip
(py3) [[email protected] ~]# unzip jumpserver-master.zip -d /opt/
(py3) [[email protected] ~]# mv /opt/jumpserver-master/ /opt/jumpserver
(py3) [[email protected] ~]# yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)		# install RPM dependencies

1) Install the Python library

Method 1: Install the Python libraries (offline)

(py3) [[email protected] ~]# pip install --no-index --find-links=/root/pip-packs/ pyasn1 six cffi pytest-runner
(py3) [[email protected] ~]# pip install --no-index --find-links=/root/pip-packs/ -r /opt/jumpserver/requirements/requirements.txt

Notes:

  • --no-index: ignore the package index (packages are looked up only at the --find-links locations).
  • --find-links <url>: if a URL is given, dependencies are searched for and downloaded from that address; if a local path is given, they are installed directly from the local files.

Method 2: Install the Python libraries (with internet access)

(py3) [[email protected] ~]# mkdir /root/.pip
(py3) [[email protected] ~]# cat <<END> /root/.pip/pip.conf
[global]
index-url = https://pypi.tuna.tsinghua.edu.cn/simple  					# this is the Tsinghua mirror
[install]
trusted-host=mirrors.aliyun.com
END
(py3) [[email protected] ~]# pip install --upgrade pip					# update pip
(py3) [[email protected] ~]# pip install -r /opt/jumpserver/requirements/requirements.txt

  • Note: trusted-host makes pip skip HTTPS certificate verification for the named host, so it should name the same host as index-url (pypi.tuna.tsinghua.edu.cn here) or be left out.

2) Install Redis

(py3) [[email protected] ~]# yum -y install redis
(py3) [[email protected] ~]# systemctl start redis

3) Install MySQL

(py3) [[email protected] ~]# yum -y install mariadb mariadb-server mariadb-devel
(py3) [[email protected] ~]# systemctl start mariadb
(py3) [[email protected] ~]# mysql
MariaDB [(none)]> create database jumpserver default charset 'utf8';
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'jumpserver';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit

4) Generate key

(py3) [[email protected] ~]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
tmctZBlMSF6TEo02tQL6qWNPDBduJ2dAN2eMO6DRDeGekDVro
(py3) [[email protected] ~]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16;echo
R9e1h2ZFuf8WDDbi

Modify JumpServer configuration file

(py3) [[email protected] ~]# cd /opt/jumpserver/
(py3) [[email protected] jumpserver]# cp config_example.yml config.yml
(py3) [[email protected] jumpserver]# vim config.yml
# secret keys
SECRET_KEY: tmctZBlMSF6TEo02tQL6qWNPDBduJ2dAN2eMO6DRDeGekDVro
BOOTSTRAP_TOKEN: R9e1h2ZFuf8WDDbi
# database settings
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: jumpserver
DB_NAME: jumpserver
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:

Generate database table structure and initialize data

(py3) [[email protected] jumpserver]# cd utils/
(py3) [[email protected] utils]# sh make_migrations.sh

5) Run JumpServer

(py3) [[email protected] ~]# vim /usr/lib/systemd/system/jms.service
[Unit]
Description=jms
After=network.target mariadb.service redis.service docker.service
Wants=mariadb.service redis.service docker.service

[Service]
Type=forking
Environment="PATH=/opt/py3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin"
ExecStart=/opt/jumpserver/jms start all -d
ExecRestart=/opt/jumpserver/jms restart all -d
ExecStop=/opt/jumpserver/jms stop

[Install]
WantedBy=multi-user.target
(py3) [[email protected] ~]# systemctl daemon-reload
(py3) [[email protected] ~]# systemctl start jms

Login check: http://192.168.1.1:8080

  • Only JumpServer itself is deployed at this point; there is no Web Terminal yet, so opening the Web Terminal (Web Linux terminal) will report an error.

3. Install the Web Terminal component

(py3) [[email protected] ~]# ls
anaconda-ks.cfg  koko-master-6d4e69b-linux-amd64.tar.gz  ...
(py3) [[email protected] ~]# tar xf koko-master-6d4e69b-linux-amd64.tar.gz -C /opt/
(py3) [[email protected] ~]# chown -R root:root /opt/kokodir/
(py3) [[email protected] ~]# cd /opt/kokodir/
(py3) [[email protected] kokodir]# cp config_example.yml config.yml
(py3) [[email protected] kokodir]# vim config.yml								# the keys must be identical to the JumpServer keys
BOOTSTRAP_TOKEN: R9e1h2ZFuf8WDDbi
SECRET_KEY: tmctZBlMSF6TEo02tQL6qWNPDBduJ2dAN2eMO6DRDeGekDVro
(py3) [[email protected] kokodir]# nohup ./koko &								# run in the background
(py3) [[email protected] kokodir]# netstat -anpt | egrep '2222|5000'
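The two keys generated in step 4 are written into /opt/jumpserver/config.yml and then repeated verbatim in /opt/kokodir/config.yml, which the tutorial requires to match. The following script is an added example, not part of the original tutorial or of the JumpServer project: it generates the keys the same way, writes them into both config files from their config_example.yml templates, restricts the file permissions (config.yml also carries the database password), and checks that the two files agree. The file paths and the "apply" argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial or the JumpServer project): generate
# SECRET_KEY / BOOTSTRAP_TOKEN, write them into the core and KoKo config files,
# and verify that both files carry the same values. Paths are assumptions.

# Generate N alphanumeric characters from the kernel CSPRNG (same method as the tutorial).
gen_secret() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Read the value of a top-level "KEY: value" line from a YAML file (first match,
# trailing whitespace and "# comments" stripped). Enough for the flat,
# alphanumeric keys used here; a value containing '#' would be cut short.
yaml_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# Copy TEMPLATE to OUT with SECRET_KEY and BOOTSTRAP_TOKEN set (appending the
# line if the template lacks it) and restrict permissions to the owner.
write_keys() {
    template=$1; out=$2; secret=$3; token=$4
    sed -e "s|^SECRET_KEY:.*|SECRET_KEY: $secret|" \
        -e "s|^BOOTSTRAP_TOKEN:.*|BOOTSTRAP_TOKEN: $token|" "$template" > "$out"
    grep -q '^SECRET_KEY:' "$out" || echo "SECRET_KEY: $secret" >> "$out"
    grep -q '^BOOTSTRAP_TOKEN:' "$out" || echo "BOOTSTRAP_TOKEN: $token" >> "$out"
    chmod 600 "$out"
}

# Return 0 when both files agree on SECRET_KEY and BOOTSTRAP_TOKEN (and neither
# is empty), 1 otherwise. Run this before starting KoKo.
check_token_match() {
    for key in SECRET_KEY BOOTSTRAP_TOKEN; do
        a=$(yaml_get "$1" "$key"); b=$(yaml_get "$2" "$key")
        if [ -z "$a" ] || [ "$a" != "$b" ]; then
            echo "mismatch: $key differs between $1 and $2" >&2
            return 1
        fi
    done
    return 0
}

# Usage with the tutorial's paths (hypothetical invocation): sh keys.sh apply
if [ "${1:-}" = "apply" ]; then
    SECRET=$(gen_secret 49)
    TOKEN=$(gen_secret 16)
    write_keys /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml "$SECRET" "$TOKEN"
    write_keys /opt/kokodir/config_example.yml /opt/kokodir/config.yml "$SECRET" "$TOKEN"
    check_token_match /opt/jumpserver/config.yml /opt/kokodir/config.yml && echo "keys consistent"
fi
```

The check reads the values back from the files rather than from shell variables, so it also catches a key that was pasted incorrectly by hand.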

Configure KoKo to start at boot

(py3) [[email protected] kokodir]# echo "cd /opt/kokodir && nohup ./koko &" >> /etc/rc.local 
(py3) [[email protected] kokodir]# chmod +x /etc/rc.local

Verification:

  • With the Web Terminal we can manage the bastion host remotely and then log in to the internal servers through it.

4. Install Luna components

(py3) [[email protected] ~]# ls
anaconda-ks.cfg  luna.tar.gz  ...
(py3) [[email protected] ~]# tar xf luna.tar.gz -C /opt/
(py3) [[email protected] ~]# chown -R root:root /opt/luna/

5. Set up Nginx to integrate various components

(py3) [[email protected] ~]# yum -y install nginx
(py3) [[email protected] ~]# vim /etc/nginx/nginx.conf
server {
    ...
    client_max_body_size 100m;										# size limit for recordings and file uploads
    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }
    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;									# location of session recordings
    }
    location /static/ {
        root /opt/jumpserver/data;									# static resources
    }
    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /coco/ {
        proxy_pass http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    ...
(py3) [[email protected] ~]# nginx -t										# check that the configuration file is valid
(py3) [[email protected] ~]# systemctl start nginx						# start the Nginx service
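Nginx proxies to the core on port 8080 and to KoKo on port 5000, and the tutorial checks KoKo with netstat -anpt | egrep '2222|5000'. The following script is an added example, not from the original tutorial or the JumpServer project: it generalizes that check by parsing netstat -anpt output and reporting which of the stack's listeners are missing. The required port list (80 Nginx, 8080 core, 5000 KoKo HTTP, 2222 KoKo SSH, 3306 MariaDB, 6379 Redis) is an assumption taken from the ports used on this page, and the netstat sample embedded in the script is constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial or the JumpServer project): verify that
# every listener the bastion stack needs is up, given "netstat -anpt" output.
# The port list is assumed from the ports used in this tutorial.
REQUIRED_PORTS="80 8080 5000 2222 3306 6379"

# Constructed sample of netstat -anpt output (not captured from a real host):
# KoKo (5000/2222) is deliberately absent so the check has something to report.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1234/python
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1100/redis-server
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1050/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1300/nginx
tcp        0      0 192.168.1.1:22          192.168.1.50:51022      ESTABLISHED 900/sshd'

# Print the local TCP ports in LISTEN state, one per line, from netstat -anpt
# style output on stdin. The port is the last ":"-separated field of the local
# address, which handles both "0.0.0.0:80" and the IPv6 ":::80" form.
listening_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Read netstat output on stdin and print each required port that is not
# listening. Exit status 0 when everything is up, 1 otherwise.
missing_ports() {
    listening=$(listening_ports)
    missing=""
    for p in $REQUIRED_PORTS; do
        echo "$listening" | grep -qx "$p" || missing="$missing $p"
    done
    if [ -n "$missing" ]; then
        echo "not listening:$missing"
        return 1
    fi
    return 0
}

# Usage on the bastion host (hypothetical file name): sh check_ports.sh check
if [ "${1:-}" = "check" ]; then
    netstat -anpt | missing_ports && echo "all required ports are listening"
fi
```

Running the sample through missing_ports reports "not listening: 5000 2222", which is exactly the state of the host before KoKo was started in step 3.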

Log in to JumpServer


3. Using JumpServer

1. Configure JumpServer basic settings

  • Change the URL of the current site to the local IP or the domain name of JumpServer; otherwise newly created users will not be able to set their password.

Set up JumpServer mail


2. Create a user


Check the mail:


3. Create a user group


4. Add assets

Preparation: (the two machines only need to be powered on; no configuration is required on them)

Host name  | Operating system | IP address
Docker     | CentOS 7.4       | 192.168.1.2
Kubernetes | CentOS 7.4       | 192.168.1.3

1) Add the root accounts of the managed hosts


2) Add an asset


3) Create a command filter


4) Create filter rules


5) Create a system user


5. Asset authorization


6. Verification

1) Verify with the Web terminal

  • Switch to the user zhangsan, then open Session management → Web terminal.


2) Log in with Xshell and verify

(py3) [[email protected] ~]# ssh [email protected] -p 2222