JumpServer 部署
# yum install git wget
# yum install epel-release.noarch
# yum update
# yum makecache fast
# yum install python36 python36-devel
# yum install redis
# yum install mariadb-devel mariadb-server mariadb
# systemctl enable redis
# systemctl enable mariadb
# systemctl start redis mariadb \\ 3306 6379 被监听
# mysql_secure_installation
# mysql -uroot -p123456
create database jumpserver default charset 'utf8' collate 'utf8_bin';
grant all privileges on jumpserver.* to 'jumpserver'@'%' identified by 'teo1234'; \\ '%' 允许从任意主机使用该账号连接，数据库与 JumpServer 同机部署时可收紧为 'localhost'
# python3.6 -m venv /opt/py3 \\ 创建 Python 虚拟环境
# source /opt/py3/bin/activate \\ 每次操作 JumpServer 都需要先载入 py3 虚拟环境
# cd /opt \\ 下载 jumpserver 安装包
# wget https://github.com/jumpserver/jumpserver/releases/download/v2.3.1/jumpserver-v2.3.1.tar.gz
# tar xf jumpserver-v2.3.1.tar.gz
# mv jumpserver-v2.3.1 jumpserver
# cd /opt/jumpserver/requirements
# yum install -y $(cat rpm_requirements.txt)
# pip install wheel && \
pip install --upgrade pip setuptools && \
pip install -r requirements.txt
# cd /opt/jumpserver
# cp config_example.yml config.yml
# vi config.yml
SECRET_KEY: ZlQfo1LmgvZEhxofwnnDpKtwKOM8WuQeJeNXG2DVkaTnYuoQBw \\ 50 位 key，此处为示例值，每个部署应自行生成随机值
BOOTSTRAP_TOKEN: N1s8L7d6UCiSRWd7PbcyA9HN \\ 24 位 token，同样为示例值，需自行生成，后面 koko 与 guacamole 配置中的值必须与此一致
DEBUG: false
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_PASSWORD: teo1234
WINDOWS_SKIP_ALL_MANUAL_PASSWORD: true
# cd /opt/jumpserver
# ./jms start
# ./jms start -d \\ 后台运行
# cd /opt \\ 安装koko组件 正常安装
# wget https://github.com/jumpserver/koko/releases/download/v2.3.1/koko-v2.3.1-linux-amd64.tar.gz
# tar -xf koko-v2.3.1-linux-amd64.tar.gz && \
mv koko-v2.3.1-linux-amd64 koko && \
chown -R root:root koko && \
cd koko && \
mv kubectl /usr/local/bin/ && \
wget https://download.jumpserver.org/public/kubectl.tar.gz && \
tar -xf kubectl.tar.gz && \
chmod 755 kubectl && \
mv kubectl /usr/local/bin/rawkubectl && \
rm -rf kubectl.tar.gz
# cp config_example.yml config.yml
# vi config.yml
BOOTSTRAP_TOKEN: N1s8L7d6UCiSRWd7PbcyA9HN \\ 24 位 token
LOG_LEVEL: ERROR
# ./koko \\ 启动
# ./koko -s stop \\ 停止
# ./koko -d \\ 后台运行
# cd /opt \\ 安装guacamole组件 正常安装
# wget -O docker-guacamole-v2.3.1.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
# mkdir /opt/docker-guacamole && \
tar -xf docker-guacamole-v2.3.1.tar.gz -C /opt/docker-guacamole --strip-components 1 && \
rm -rf /opt/docker-guacamole-v2.3.1.tar.gz && \
cd /opt/docker-guacamole && \
wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz && \
tar -xf guacamole-server-1.2.0.tar.gz && \
wget http://download.jumpserver.org/public/ssh-forward.tar.gz && \
tar -xf ssh-forward.tar.gz -C /bin/ && \
chmod +x /bin/ssh-forward \\ 注意：以上 tar 包通过 http 下载且未做完整性校验，解压后直接写入 /bin，执行前应核对来源
# cd /opt/docker-guacamole/guacamole-server-1.2.0
# yum install cairo-devel libjpeg-devel libpng-devel uuid-devel ffmpeg-devel freerdp-devel pango-devel
# yum install libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel
# yum install libwebp-devel freerdp-plugins
# ./configure --with-init-dir=/etc/init.d && \ \\ 编译安装 guacamole
make && \
make install
# yum install java-1.8.0-openjdk
# mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive && \
chown daemon:daemon /config/guacamole/record /config/guacamole/drive && \
cd /config
# wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.38/bin/apache-tomcat-9.0.38.tar.gz
# tar -xf apache-tomcat-9.0.38.tar.gz && \
mv apache-tomcat-9.0.38 tomcat9 && \
rm -rf /config/tomcat9/webapps/* && \
sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml && \
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties && \
wget http://download.jumpserver.org/release/v2.3.1/guacamole-client-v2.3.1.tar.gz && \
tar -xf guacamole-client-v2.3.1.tar.gz && \
rm -rf guacamole-client-v2.3.1.tar.gz && \
cp guacamole-client-v2.3.1/guacamole-*.war /config/tomcat9/webapps/ROOT.war && \
cp guacamole-client-v2.3.1/guacamole-*.jar /config/guacamole/extensions/ && \
mv /opt/docker-guacamole/guacamole.properties /config/guacamole/ && \
rm -rf /opt/docker-guacamole
# export JUMPSERVER_SERVER=http://127.0.0.1:8080
# echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
# export BOOTSTRAP_TOKEN=N1s8L7d6UCiSRWd7PbcyA9HN \\ 密码与上面设置的相对应
# echo "export BOOTSTRAP_TOKEN=N1s8L7d6UCiSRWd7PbcyA9HN" >> ~/.bashrc \\ 密码与上面设置的相对应
# export JUMPSERVER_KEY_DIR=/config/guacamole/data/keys
# echo "export JUMPSERVER_KEY_DIR=/config/guacamole/data/keys" >> ~/.bashrc
# export GUACAMOLE_HOME=/config/guacamole
# echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
# export GUACAMOLE_LOG_LEVEL=ERROR
# echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
# export JUMPSERVER_ENABLE_DRIVE=true
# echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc
# /etc/init.d/guacd start
# sh /config/tomcat9/bin/startup.sh
# vim /etc/profile.d/jumpserver.sh \\ 开机启动脚本（注意：/etc/profile.d 下的脚本通常在用户登录 shell 时被 source，并非真正开机执行，需确认）
#!/bin/bash
# Starts the JumpServer components in the background: core (jms), koko and guacd.
# NOTE(review): the page installs this as /etc/profile.d/jumpserver.sh and calls it
# a boot script, but files under /etc/profile.d are normally sourced into login
# shells rather than executed once at boot — confirm this is the intended trigger
# (each login would re-run the start commands, and the venv activation below
# would then apply to that login shell).
# The JUMPSERVER_*/GUACAMOLE_* variables the page exports into ~/.bashrc are not
# set here, and tomcat (started by hand with /config/tomcat9/bin/startup.sh
# during install) is not started here either — confirm whether it should be.
source /opt/py3/bin/activate
/opt/jumpserver/jms start -d   # -d: run in the background
/opt/koko/koko -d              # -d: run in the background
/etc/init.d/guacd start
# vim /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
# yum install nginx
# cd /opt
# wget https://github.com/jumpserver/lina/releases/download/v2.3.1/lina-v2.3.1.tar.gz
# tar -xf lina-v2.3.1.tar.gz
# mv lina-v2.3.1 lina
# chown -R nginx:nginx lina
# cd /opt
# wget https://github.com/jumpserver/luna/releases/download/v2.3.1/luna-v2.3.1.tar.gz
# tar -xf luna-v2.3.1.tar.gz
# mv luna-v2.3.1 luna
# chown -R nginx:nginx luna
# echo > /etc/nginx/conf.d/default.conf
# vi /etc/nginx/conf.d/jumpserver.conf
# JumpServer front end: one HTTP server that serves the lina/luna static bundles
# and reverse-proxies the component back ends on localhost.
# NOTE(review): this listens on plain HTTP (port 80, no ssl_* directives here), so
# logins, MFA codes and session traffic cross the network unencrypted unless TLS
# is terminated in front of it — confirm that is acceptable for a bastion host.
server {
listen 80;
client_max_body_size 100m; # size limit for recordings and file uploads
# lina (web UI) static files, served from the unpacked release directory
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna path; change this if the install directory is changed
}
location /media/ {
add_header Content-Encoding gzip; # NOTE(review): presumably the stored files are already gzip-compressed — verify
root /opt/jumpserver/data/; # recording location; change this if the install directory is changed
}
location /static/ {
root /opt/jumpserver/data/; # static assets; change this if the install directory is changed
}
# koko component; Upgrade/Connection headers are passed through for WebSocket traffic
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # appends $remote_addr to any client-supplied X-Forwarded-For; NOTE(review): if the back end uses this for audit or allow-listing, it must trust only this proxy
access_log off; # NOTE(review): no access log for this path removes a useful audit trail — confirm
}
# guacamole client served by tomcat (its connector port is changed to 8081 during install)
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off; # NOTE(review): same audit-trail caveat as /koko/
}
# WebSocket endpoint; the service on 8070 is not identified elsewhere on this page — presumably part of the core
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# core service on 8080 (the same address the page sets in JUMPSERVER_SERVER)
location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# everything else is rewritten to the lina UI
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}
# nginx -t
# systemctl start nginx
# systemctl enable nginx
http://192.168.10.10 \\ 登陆jumpserver 用户名 admin 密码 admin，首次登录后应立即修改默认密码
使用秘钥
# cd ~/.ssh
# ssh-keygen -t rsa \\ 会生成 公钥id_rsa.pub 私钥id_rsa(重要)
# touch authorized_keys \\ 可以把 公钥 拷贝到 需要登录的服务器上 执行
# chmod 600 /root/.ssh/authorized_keys \\ 必须为600权限
# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
# ssh -i /root/.ssh/id_rsa root@192.168.10.11 \\ 可以远程到有公钥的服务器上
使用jumpserver
1 用户管理 --> 用户组 --> 创建 \\ 用于用户权限分类
2 用户管理 --> 用户列表 --> 创建 \\ 用于 登陆jumpserver 可以开启多因子认证MFA
3 资产管理 --> 管理用户 --> 创建 \\ 仅仅用于 测试服务器是否 可用 输入服务器账号密码或者秘钥
4 资产管理 --> 资产列表 --> default --> 创建节点 \\ 用于 资产分类
5 资产管理 --> 资产列表 --> 创建资产 \\ 主机
6 资产管理 --> 系统用户 --> 创建 \\ 用于登陆 主机 输入服务器账号密码或者秘钥
7 授权管理 --> 资产授权 --> 创建 \\ 把 系统用户 授权给 主机 及 哪些 用户或组可以访问
8 会话中心 --> web终端 \\ 可以连接
MFA: 多因子认证 在 创建用户 或者 更新用户 时可以指定 启用多因子认证
如果是管理员忘记了 MFA, 可以通过控制台重置
# source /opt/py3/bin/activate
# cd /opt/jumpserver/apps
# python manage.py shell
# Run inside `python manage.py shell` (from /opt/jumpserver/apps with the py3 venv
# active) to reset MFA for the admin account when the administrator has lost
# their authenticator. Presumably the Django ORM — verify against users.models.
from users.models import User
u = User.objects.get(username='admin')  # the account being reset
u.mfa_level='0'  # NOTE(review): used here as "MFA disabled" — confirm the level values in users.models
u.otp_secret_key=''  # drop the stored OTP secret, presumably invalidating the previous enrolment
u.save()  # persist; re-enable MFA for this account via the user update page afterwards
注:
官方文档 https://jumpserver.readthedocs.io/zh/master/install/step_by_step/
安装视频 https://www.bilibili.com/video/BV1VV411C797
防火墙放行
# firewall-cmd --zone=public --add-port=80/tcp --permanent
# setsebool -P httpd_can_network_connect 1
# firewall-cmd --reload
部署系统为 CentOS 7.8