What is a bastion host

In a given network environment, to protect the network and its data from intrusion and damage by external and internal users, a system applies various technical means to collect and monitor, in real time, the system state, security events and network activity of every component in that environment, so that alerts are centralised, incidents are handled promptly and audits can assign responsibility. That system is the bastion host. Functionally, a bastion host combines two main lines of work: operating the core systems, and security auditing and control. Technically, it cuts off the terminal computers' direct access to network and server resources and instead takes over that access through protocol proxying.

In other words, every access from a terminal computer to a target has to pass through the bastion host for review.

The bastion host can therefore intercept unauthorised access and malicious attacks, block commands that are not permitted, filter out all unauthorised access to the target devices, and audit and monitor mistaken or illicit operations by internal staff so that responsibility can be traced afterwards.

The definition, functions and implementation of today's bastion host systems have changed a great deal compared with the JumpBox concept I first encountered in 2012. Back then a "jump box" really only provided a host to hop through: operation history was recorded only by whatever tool software was installed on the JumpBox host, and if you wanted more monitoring you had to deploy or integrate extra monitoring components yourself.

JumpServer is an open-source bastion host suite released under the GNU GPL v2.0 licence; it is a professional operations audit system that meets the 4A requirements. JumpServer uses a distributed architecture and supports multi-datacentre, cross-region deployment: a central node provides the API, each datacentre deploys login nodes, and the system scales horizontally with no limit on concurrent access. JumpServer currently supports managing the SSH, Telnet, RDP and VNC protocols.

Components of the JumpServer system:

Jumpserver
Now refers to the JumpServer management backend. It is the core component (Core), developed in the Django class-based-view style, and exposes a RESTful API.

Coco
Implements the SSH server and web terminal server component, providing SSH and WebSocket interfaces; developed with Paramiko and Flask.

Luna
Now the web terminal front end. The plan is for all front-end pages to come from this project, with Jumpserver providing only the API and no longer rendering HTML in the backend.

Guacamole
An Apache jump-host project. Jumpserver uses its components to implement RDP; it does not modify Guacamole's code but adds an extra plugin so that Jumpserver can call it.

Jumpserver-Python-SDK
The Python SDK for the Jumpserver API; Coco currently uses this SDK to talk to the Jumpserver API.

This JumpServer deployment is a single node with the following hardware and software:

2 CPU cores, 4 GB memory, 50 GB disk
CentOS 7 x86_64 1804
Python 3.6, MySQL Server 5.5, Redis 6.0.8

Initialise the OS:

cat initCentOS7aliYUM.sh
# switch the base repo to the Aliyun mirror
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.original
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all && yum makecache
yum -y update
systemctl stop firewalld && systemctl disable firewalld
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config && setenforce 0
# EPEL from the Aliyun mirror
yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
sed -i 's|^#baseurl=https://download.fedoraproject.org/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel*
sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*
yum clean all && yum makecache
yum -y update
yum install -y ntpdate tree
ntpdate cn.ntp.org.cn
wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
yum localinstall -y google-chrome-stable_current_x86_64.rpm
# grant passwordless sudo to the first logged-in user whose name contains googlebigtable
DescriptionUser=$(who | grep googlebigtable | sed -n '1p' | cut -d' ' -f 1)
echo "$DescriptionUser"
echo "$DescriptionUser  ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
init 6

Install the Python virtual environment:

yum -y install sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release cmake git
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
./configure && make && make install
echo $?
cd /opt/ && echo $?
python3 -m venv py3
source /opt/py3/bin/activate

Download JumpServer (either clone the repository or fetch the release tarball):

git clone --depth=1 https://github.com/jumpserver/jumpserver.git
wget https://github.com/jumpserver/jumpserver/releases/download/v2.0.2/jumpserver-v2.0.2.tar.gz

Install MySQL:

wget http://mirrors.sohu.com/mysql/MySQL-5.5/mysql-5.5.51.tar.gz
wget --no-check-certificate https://cmake.org/files/v2.8/cmake-2.8.8.tar.gz
tar zxf cmake-2.8.8.tar.gz && cd cmake-2.8.8 && ./configure
gmake && gmake install
echo $?
yum install -y ncurses-devel
tar -zxvf mysql-5.5.51.tar.gz && cd mysql-5.5.51

cmake \
-DCMAKE_INSTALL_PREFIX=/application/mysql-5.5.51 \
-DMYSQL_DATADIR=/application/mysql-5.5.51/data \
-DMYSQL_UNIX_ADDR=/application/mysql-5.5.51/tmp/mysql.sock \
-DDEFAULT_CHARSET=gbk \
-DDEFAULT_COLLATION=gbk_chinese_ci \
-DENABLED_LOCAL_INFILE=ON \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_FEDERATED_STORAGE_ENGINE=1

make && make install && echo $?

ln -s /application/mysql-5.5.51 /application/mysql
cp support-files/my-small.cnf /etc/my.cnf
echo 'export PATH=/application/mysql/bin:$PATH' >> /etc/profile
source /etc/profile
groupadd mysql
useradd mysql -s /sbin/nologin -g mysql -M
# data directory and the directory holding the socket configured above
mkdir -p /application/mysql/data /application/mysql/tmp
chown -R mysql.mysql /application/mysql/*
chmod -R 1777 /tmp
/application/mysql/scripts/mysql_install_db --basedir=/application/mysql --datadir=/application/mysql/data --user=mysql
cp support-files/mysql.server /etc/init.d/mysqld
chmod 700 /etc/init.d/mysqld
/etc/init.d/mysqld start
chkconfig mysqld on
chkconfig --list mysqld

Install Redis:

yum -y install redis
systemctl start redis
systemctl enable redis
lsof -i :6379

Install JumpServer:

tar xf jumpserver-v2.0.2.tar.gz
mv jumpserver-v2.0.2 /opt/jumpserver
cd /opt/jumpserver/requirements
yum -y install $(cat rpm_requirements.txt)
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install -U pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
cd /opt/jumpserver && cp config_example.yml config.yml

cat config.yml
SECRET_KEY: tWDny8liKq1Zz4HUwlWFN9Ja3gut2wZt2KSjyBgU7foqe9Ecc
BOOTSTRAP_TOKEN: 0pZ51maTshK2ieYuPdkjWEI
DEBUG: false
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: 123456
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True

./jms start -d

cd /opt && wget https://github.com/jumpserver/koko/releases/download/v2.0.2/koko-v2.0.2-linux-amd64.tar.gz
tar -xzvf koko-v2.0.2-linux-amd64.tar.gz && mv koko-v2.0.2-linux-amd64 koko && chown -R root:root koko && cd koko
cp config_example.yml config.yml

cat config.yml
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: 0pZ51maTshK2ieYuPdkjWEI
LOG_LEVEL: ERROR

./koko -d

cd /opt && wget -O /opt/guacamole.tar.gz https://github.com/jumpserver/docker-guacamole/archive/2.0.2.tar.gz
tar -xzvf guacamole.tar.gz && mv docker-guacamole-2.0.2 guacamole && cd guacamole/
tar -xzvf guacamole-server-1.2.0.tar.gz && tar -xzvf ssh-forward.tar.gz -C /bin/ && chmod +x /bin/ssh-forward
yum -y localinstall --nogpgcheck https://mirrors.aliyun.com/rpmfusion/free/el/rpmfusion-free-release-7.noarch.rpm
yum -y install cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel ffmpeg-devel freerdp1.2-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel
ln -s /usr/local/lib/freerdp /usr/lib64/freerdp
cd /opt/guacamole/guacamole-server-1.2.0
./configure --with-init-dir=/etc/init.d
make && make install
yum install -y java-1.8.0-openjdk
mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive && chown daemon:daemon /config/guacamole/record /config/guacamole/drive && cd /config

wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz

# Tomcat moves to 8081 so it does not clash with the core on 8080
tar -xzvf apache-tomcat-9.0.36.tar.gz && \
mv apache-tomcat-9.0.36 tomcat9 && \
rm -rf /config/tomcat9/webapps/* && \
sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml && \
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties && \
ln -sf /opt/guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war && \
ln -sf /opt/guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar && \
ln -sf /opt/guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties

# environment read by the guacamole-auth-jumpserver extension; persisted in ~/.bashrc for later shells
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=0pZ51maTshK2ieYuPdkjWEI
echo "export BOOTSTRAP_TOKEN=0pZ51maTshK2ieYuPdkjWEI" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc

/etc/init.d/guacd start
sh /config/tomcat9/bin/startup.sh

# lina (management UI) and luna (web terminal front end), both served by nginx below
cd /opt && wget https://github.com/jumpserver/lina/releases/download/v2.0.2/lina-v2.0.2.tar.gz
tar -xzvf lina-v2.0.2.tar.gz
mv lina-v2.0.2 lina
wget https://github.com/jumpserver/luna/releases/download/v2.0.2/luna-v2.0.2.tar.gz
tar -xzvf luna-v2.0.2.tar.gz
mv luna-v2.0.2 luna

Install Nginx:

cat /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

yum -y install nginx
chown -R nginx.nginx /opt/luna /opt/lina

echo > /etc/nginx/conf.d/default.conf

cat /etc/nginx/conf.d/jumpserver.conf
server {
    listen 80;
    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}

nginx -t
systemctl enable nginx
systemctl restart nginx
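The bootstrap token and the core URL are configured in three separate places in this deployment (the core config.yml, koko's config.yml and the exports in ~/.bashrc that guacamole reads), and nginx's /ws/ upstream has to match WS_LISTEN_PORT; a typo in any one of them leaves a component silently unable to register with the core. The following is an added example, not part of the original post or of JumpServer itself: a POSIX shell check over constructed sample files (under a temporary directory, holding the values shown above) so that it runs offline; on a live host, pass the real file paths to the functions instead.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the bootstrap token, the core
# URL and the nginx /ws/ upstream port across the files this deployment writes.
# The files under $TMP are constructed samples carrying the values from the post.
set -u
TMP=$(mktemp -d)
cat >"$TMP/core.yml" <<'EOF'
BOOTSTRAP_TOKEN: 0pZ51maTshK2ieYuPdkjWEI
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
EOF
cat >"$TMP/koko.yml" <<'EOF'
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: 0pZ51maTshK2ieYuPdkjWEI
EOF
cat >"$TMP/bashrc" <<'EOF'
export JUMPSERVER_SERVER=http://127.0.0.1:8080
export BOOTSTRAP_TOKEN=0pZ51maTshK2ieYuPdkjWEI
EOF
printf '    location /ws/ {\n        proxy_pass http://localhost:8070;\n    }\n' >"$TMP/jumpserver.conf"

# yaml_get FILE KEY: value of a flat "KEY: value" line; a missing space after the colon is tolerated
yaml_get() { sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1; }
# env_get FILE VAR: value of an "export VAR=value" line
env_get() { sed -n "s/^export $2=//p" "$1" | head -n 1; }
# nginx_upstream_port CONF LOCATION: port number in the proxy_pass of the named location block
nginx_upstream_port() {
    awk -v loc="$2" '$1=="location" && $2==loc {f=1}
        f && /proxy_pass/ {sub(/.*:/, ""); sub("[/;].*", ""); print; exit}' "$1"
}
# tokens_consistent CORE KOKO BASHRC: succeeds if all three bootstrap tokens are set and identical
tokens_consistent() {
    t=$(yaml_get "$1" BOOTSTRAP_TOKEN)
    [ -n "$t" ] && [ "$t" = "$(yaml_get "$2" BOOTSTRAP_TOKEN)" ] && [ "$t" = "$(env_get "$3" BOOTSTRAP_TOKEN)" ]
}
# core_url_consistent CORE KOKO BASHRC: succeeds if koko and guacamole point at the port the core listens on
core_url_consistent() {
    u="http://127.0.0.1:$(yaml_get "$1" HTTP_LISTEN_PORT)"
    [ "$(yaml_get "$2" CORE_HOST)" = "$u" ] && [ "$(env_get "$3" JUMPSERVER_SERVER)" = "$u" ]
}
# ws_port_consistent CORE NGINXCONF: succeeds if nginx proxies /ws/ to WS_LISTEN_PORT
ws_port_consistent() { [ "$(nginx_upstream_port "$2" /ws/)" = "$(yaml_get "$1" WS_LISTEN_PORT)" ]; }

for check in tokens_consistent core_url_consistent; do
    "$check" "$TMP/core.yml" "$TMP/koko.yml" "$TMP/bashrc" && echo "$check: OK" || echo "$check: MISMATCH"
done
ws_port_consistent "$TMP/core.yml" "$TMP/jumpserver.conf" && echo "ws_port: OK" || echo "ws_port: MISMATCH"
```

Run it after editing any of the three files; a MISMATCH line names the check that failed so you can fix the value before restarting the component.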

mysql -uroot -p
MySQL [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)

MySQL [(none)]> grant all on jumpserver.* to 'jumpserver'@'localhost' identified by '123456';
Query OK, 0 rows affected, 1 warning (0.00 sec)

MySQL [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

cat /opt/jumpserver/config.py
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123456'
    DB_NAME = 'jumpserver'

config = DevelopmentConfig()

cd /opt/jumpserver/utils/ && bash make_migrations.sh

python /opt/jumpserver/run_server.py all

Deploying the bastion host system JumpServer

Default username/password: admin/admin; this is only JumpServer's web