Deploying the JumpServer Bastion Host System

What is a bastion host

In a given network environment, to protect the network and its data from intrusion and damage by external and internal users, various technical means are used to collect and monitor in real time the system state, security events and network activity of every component of that environment, so that alerts can be centralized, incidents handled promptly, and responsibility established through audit. The system that does this is a bastion host. Functionally, a bastion host combines two main functions: operations on core systems and security audit control. Technically, it cuts off the terminal computer's direct access to network and server resources and takes that access over by proxying the protocols.
In other words, every access from a terminal computer to a target has to pass through, and be vetted by, the bastion host.
The bastion host can therefore intercept unauthorized access and malicious attacks, block illegal commands, filter out all unauthorized access to target devices, and audit and monitor mistaken or unauthorized operations by internal staff so that responsibility can be traced afterwards.

The definition, functions and implementation of today's bastion host systems have changed a great deal from the JumpBox I first worked with in 2012. Back then a "jump box" really did just provide a jump-off environment: operation history could only be recorded by whatever tool software was installed on the JumpBox host, and any further monitoring components had to be deployed or integrated separately.

JumpServer is an open-source bastion host suite released under the GNU GPL v2.0 license; it is a professional operations audit system that meets the 4A requirements (account, authentication, authorization, audit). JumpServer uses a distributed architecture and supports deployment across multiple data centers and regions: the central node provides the API, each data center deploys login nodes, and it scales horizontally with no limit on concurrent access. JumpServer currently supports managing the SSH, Telnet, RDP and VNC protocols.

Components of the Jumpserver system:
Jumpserver
Now refers to the Jumpserver management backend, the core component (Core), developed in the Django Class Based View style and exposing a RESTful API.
Coco
The component that implements the SSH Server and Web Terminal Server, providing SSH and WebSocket interfaces; developed with Paramiko and Flask. In the 2.x releases installed below this role is taken by Koko, its Go replacement.
Luna
Now the Web Terminal front end; the plan is for all front-end pages to come from this project, with Jumpserver only providing the API and no longer rendering HTML on the backend.
Guacamole
An Apache project (a clientless remote desktop gateway); Jumpserver uses its components to provide RDP. Jumpserver does not modify its code but adds an extra plugin so that Jumpserver can call it.
Jumpserver-Python-SDK
The Python SDK for the Jumpserver API; Coco currently uses this SDK to talk to the Jumpserver API.

This JumpServer deployment is a single node; the hardware and software environment is as follows:

2 CPU cores, 4 GB RAM, 50 GB disk
CentOS 7 x86_64 1804
Python 3.6, MySQL Server 5.5, Redis 6.0.8

Initialize the OS:
Note that this script disables firewalld and SELinux and grants the login user passwordless sudo. On a bastion host, whose whole purpose is to mediate access, turn those controls back on (or replace them with explicit firewall rules for the web and SSH ports) once the installation works.
cat initCentOS7aliYUM.sh
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.original
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all && yum makecache
yum -y update
systemctl stop firewalld && systemctl disable firewalld
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config && setenforce 0
wget https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
sed -i 's|^#baseurl=https://download.fedoraproject.org/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel*
sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*
yum clean all && yum makecache
yum -y update
yum install -y ntpdate
wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
yum localinstall -y google-chrome-stable_current_x86_64.rpm
ntpdate cn.ntp.org.cn
yum install -y tree
who | grep googlebigtable | sed -n '1p' | cut -d' ' -f 1 | sort | uniq
DescriptionUser=$(who | grep googlebigtable | sed -n '1p' | cut -d' ' -f 1 | sort | uniq)
echo $DescriptionUser
echo "$DescriptionUser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
init 6

Install Python and a virtual environment:
yum -y install sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release cmake git
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
./configure && make && make install
echo $?
cd /opt/ && echo $?
python3 -m venv py3
source /opt/py3/bin/activate

Download JumpServer (the release tarball must be the same version as the koko, lina and guacamole packages below, v2.0.2 here):
git clone --depth=1 https://github.com/jumpserver/jumpserver.git
wget https://github.com/jumpserver/jumpserver/releases/download/v2.0.2/jumpserver-v2.0.2.tar.gz

Install MySQL:
wget http://mirrors.sohu.com/mysql/MySQL-5.5/mysql-5.5.51.tar.gz
wget --no-check-certificate https://cmake.org/files/v2.8/cmake-2.8.8.tar.gz
tar zxf cmake-2.8.8.tar.gz && cd cmake-2.8.8 && ./configure
gmake && gmake install
echo $?
yum install -y ncurses-devel
tar -zxvf mysql-5.5.51.tar.gz && cd mysql-5.5.51

cmake \
-DCMAKE_INSTALL_PREFIX=/application/mysql-5.5.51 \
-DMYSQL_DATADIR=/application/mysql-5.5.51/data \
-DMYSQL_UNIX_ADDR=/application/mysql-5.5.51/tmp/mysql.sock \
-DDEFAULT_CHARSET=gbk \
-DDEFAULT_COLLATION=gbk_chinese_ci \
-DENABLED_LOCAL_INFILE=ON \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_FEDERATED_STORAGE_ENGINE=1

make && make install && echo $?

ln -s /application/mysql-5.5.51 /application/mysql
cp support-files/my-small.cnf /etc/my.cnf
echo 'export PATH=/application/mysql/bin:$PATH' >> /etc/profile
source /etc/profile
groupadd mysql
useradd mysql -s /sbin/nologin -g mysql -M
mkdir -p /application/mysql/data
chown -R mysql.mysql /application/mysql/*
chmod -R 1777 /tmp
/application/mysql/scripts/mysql_install_db --basedir=/application/mysql --datadir=/application/mysql/data --user=mysql
cp support-files/mysql.server /etc/init.d/mysqld
chmod 700 /etc/init.d/mysqld
/etc/init.d/mysqld start
chkconfig mysqld on
chkconfig --list mysqld
mysql_install_db leaves the MySQL root account without a password; set one (mysql_secure_installation, or SET PASSWORD) before the mysql -uroot -p step further down.

Install Redis:
yum -y install redis
systemctl start redis
systemctl enable redis
lsof -i:6379
The EPEL package's redis.conf binds to 127.0.0.1 and sets no requirepass, and config.yml below sets no REDIS_PASSWORD either, so keep Redis on loopback only.
Install JumpServer:
tar xf jumpserver-v2.0.2.tar.gz
mv jumpserver-v2.0.2 /opt/jumpserver
cd /opt/jumpserver/requirements
yum -y install $(cat rpm_requirements.txt)
pip install -r requirements.txt
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install -U pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
cd /opt/jumpserver && cp config_example.yml config.yml

cat config.yml
SECRET_KEY: tWDny8liKq1Zz4HUwlWFN9Ja3gut2wZt2KSjyBgU7foqe9Ecc
BOOTSTRAP_TOKEN: 0pZ51maTshK2ieYuPdkjWEI
DEBUG: false
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: 123456
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
WINDOWS_SKIP_ALL_MANUAL_PASSWORD: true

Every key needs a space after the colon; without it YAML reads the whole line as one string instead of a key/value pair. SECRET_KEY and BOOTSTRAP_TOKEN are the values used for this install: generate fresh random ones for your own deployment, and reuse the same BOOTSTRAP_TOKEN in the koko and guacamole configuration below, because that token is what those components present to Core when they register. DB_PASSWORD must match the password granted to the jumpserver MySQL account further down. HTTP_BIND_HOST 0.0.0.0 exposes Core's port 8080 directly, not only through nginx; with firewalld disabled, bind it to 127.0.0.1 unless you need that.

./jms start -d
Core needs the jumpserver database and account from config.yml to exist when it starts (it creates its tables on first start), so run the MySQL commands further down before this step.

cd /opt && wget https://github.com/jumpserver/koko/releases/download/v2.0.2/koko-v2.0.2-linux-amd64.tar.gz
tar -xzvf koko-v2.0.2-linux-amd64.tar.gz && mv koko-v2.0.2-linux-amd64 koko && chown -R root:root koko && cd koko
cp config_example.yml config.yml

cat config.yml
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: 0pZ51maTshK2ieYuPdkjWEI
LOG_LEVEL: ERROR

./koko -d

cd /opt && wget -O /opt/guacamole.tar.gz https://github.com/jumpserver/docker-guacamole/archive/2.0.2.tar.gz
tar -xzvf guacamole.tar.gz && mv docker-guacamole-2.0.2 guacamole && cd guacamole/
tar -xzvf guacamole-server-1.2.0.tar.gz && tar -xzvf ssh-forward.tar.gz -C /bin/ && chmod +x /bin/ssh-forward
yum -y localinstall --nogpgcheck https://mirrors.aliyun.com/rpmfusion/free/el/rpmfusion-free-release-7.noarch.rpm
yum -y install cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel ffmpeg-devel freerdp1.2-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel
ln -s /usr/local/lib/freerdp /usr/lib64/freerdp
cd /opt/guacamole/guacamole-server-1.2.0
./configure --with-init-dir=/etc/init.d
make && make install
yum install -y java-1.8.0-openjdk
mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive && chown daemon:daemon /config/guacamole/record /config/guacamole/drive && cd /config

wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz

Tomcat is moved from its default port 8080 to 8081 because Core already listens on 8080.
tar -xzvf apache-tomcat-9.0.36.tar.gz && \
mv apache-tomcat-9.0.36 tomcat9 && \
rm -rf /config/tomcat9/webapps/* && \
sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml && \
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties && \
ln -sf /opt/guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war && \
ln -sf /opt/guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar && \
ln -sf /opt/guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties

The BOOTSTRAP_TOKEN exported here must be the one from Core's config.yml; these exports only take effect in the shell that starts Tomcat (and, via ~/.bashrc, in root's future shells).
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=0pZ51maTshK2ieYuPdkjWEI
echo "export BOOTSTRAP_TOKEN=0pZ51maTshK2ieYuPdkjWEI" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc

/etc/init.d/guacd start
sh /config/tomcat9/bin/startup.sh
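The three configurations above (Core's config.yml, koko's config.yml and the Guacamole environment exports) have to agree on BOOTSTRAP_TOKEN and on where Core listens, and the secrets should be fresh for each deployment rather than copied from a write-up. The following script is an added example, not code from this page or from the JumpServer project: it generates new secrets with the standard library's `secrets` module and checks the three files for agreement. The sample inputs are constructed to mirror the page's configs; the length thresholds for SECRET_KEY and BOOTSTRAP_TOKEN are this example's own choice.

```python
"""Added example (not from the page or the JumpServer project): generate
fresh secrets and check that Core, Koko and the Guacamole environment agree."""
import re
import secrets
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits


def gen_secret(length):
    """Alphanumeric secret from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fresh_secrets():
    """Lengths are this example's choice, close to the page's values."""
    return {"SECRET_KEY": gen_secret(50), "BOOTSTRAP_TOKEN": gen_secret(24)}


# Flat `KEY: value` lines, the only YAML the two config.yml files use
_YAML = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")
# `export KEY=value` lines as appended to ~/.bashrc for Guacamole
_EXPORT = re.compile(r"^\s*export\s+([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")


def parse_kv(text, pattern):
    """KEY/value pairs; blank lines and `#` comments ignored, quotes stripped.
    (Values are alphanumeric here, so cutting at `#` is safe.)"""
    out = {}
    for raw in text.splitlines():
        m = pattern.match(raw.split("#", 1)[0])
        if m:
            out[m.group(1)] = m.group(2).strip().strip("'\"")
    return out


def check_components(core_yml, koko_yml, guac_env):
    """Return a list of problems; an empty list means the three agree."""
    core = parse_kv(core_yml, _YAML)
    koko = parse_kv(koko_yml, _YAML)
    guac = parse_kv(guac_env, _EXPORT)
    problems = []
    token = core.get("BOOTSTRAP_TOKEN", "")
    if len(token) < 16:                        # threshold: this example's choice
        problems.append("core BOOTSTRAP_TOKEN missing or too short")
    if len(core.get("SECRET_KEY", "")) < 32:   # likewise
        problems.append("core SECRET_KEY missing or too short")
    if core.get("DEBUG", "false").lower() != "false":
        problems.append("core DEBUG is not false")
    # Koko and Guacamole register with Core using Core's bootstrap token...
    for name, cfg in (("koko", koko), ("guacamole", guac)):
        if cfg.get("BOOTSTRAP_TOKEN") != token:
            problems.append(f"{name} BOOTSTRAP_TOKEN differs from core")
    # ...and must point at the port Core actually listens on
    core_port = int(core.get("HTTP_LISTEN_PORT", "8080"))
    for name, url in (("koko CORE_HOST", koko.get("CORE_HOST", "")),
                      ("guacamole JUMPSERVER_SERVER", guac.get("JUMPSERVER_SERVER", ""))):
        port = urlsplit(url).port if url else None
        if port != core_port:
            problems.append(f"{name} ({url or 'unset'}) does not point at core port {core_port}")
    return problems


# Constructed samples mirroring the page's three configurations
CORE_YML = """\
SECRET_KEY: tWDny8liKq1Zz4HUwlWFN9Ja3gut2wZt2KSjyBgU7foqe9Ecc
BOOTSTRAP_TOKEN: 0pZ51maTshK2ieYuPdkjWEI
DEBUG: false
DB_ENGINE: mysql
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
"""
KOKO_YML = """\
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: 0pZ51maTshK2ieYuPdkjWEI
LOG_LEVEL: ERROR
"""
GUAC_ENV = """\
export JUMPSERVER_SERVER=http://127.0.0.1:8080
export BOOTSTRAP_TOKEN=0pZ51maTshK2ieYuPdkjWEI
export GUACAMOLE_HOME=/config/guacamole
"""

if __name__ == "__main__":
    for p in check_components(CORE_YML, KOKO_YML, GUAC_ENV) or ["consistent"]:
        print(p)
    print(fresh_secrets())   # values to paste into a new config.yml
```

On the real host, replace the three sample strings with the contents of /opt/jumpserver/config.yml, /opt/koko/config.yml and the export lines from ~/.bashrc; the checks are deliberately limited to the flat `KEY: value` form those files use, so a nested YAML file would need a real YAML parser.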

cd /opt && wget https://github.com/jumpserver/lina/releases/download/v2.0.2/lina-v2.0.2.tar.gz
tar -xzvf lina-v2.0.2.tar.gz
mv lina-v2.0.2 lina
The nginx configuration below also serves Luna, the web terminal front end, from /opt/luna; unpack the luna release of the same version there in the same way.

Install Nginx:

cat /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

yum -y install nginx
chown -R nginx.nginx luna lina

echo > /etc/nginx/conf.d/default.conf

The vhost below serves the web login, the Luna/Koko terminal and the session recordings over plain HTTP on port 80; put TLS in front of it (listen 443 ssl plus a redirect from 80) before real users log in through it.
cat /etc/nginx/conf.d/jumpserver.conf
server {
    listen 80;
    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}

nginx -t
systemctl enable nginx
systemctl restart nginx
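The vhost above fans requests out to five local upstreams (5000 koko, 8081 Tomcat/Guacamole, 8070 Core WebSocket, 8080 Core HTTP for /api/ and /core/), and `nginx -t` only validates syntax, not that those services are up. The script below is an added example, not from the page or the JumpServer project: it reads the nginx vhost text, pairs each proxied location with its upstream port, compares that with the LISTEN sockets from `ss -ltn`, and also flags upstreams bound on a wildcard address, which (with firewalld disabled by the init script) are reachable without passing through nginx. The nginx text and the `ss` output embedded below are constructed samples trimmed from the page's configuration.

```python
"""Added example (not from the page or the JumpServer project): pair each
proxied nginx location with its upstream port and check it against `ss -ltn`."""
import re

# Port layout of this deployment, taken from the page's configs
COMPONENT_BY_PORT = {8080: "core HTTP", 8070: "core WebSocket",
                     5000: "koko", 8081: "tomcat/guacamole"}
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}   # binds reachable from any interface

_LOCATION = re.compile(r"location\s+([^\s{]+)\s*\{")
_PROXY = re.compile(r"proxy_pass\s+https?://([^\s:/]+):(\d+)")

# Constructed sample: the page's vhost with only the directives that matter here
NGINX_CONF = """
server {
    listen 80;
    location /ui/ { try_files $uri / /index.html; alias /opt/lina/; }
    location /luna/ { try_files $uri / /index.html; alias /opt/luna/; }
    location /media/ { root /opt/jumpserver/data/; }
    location /static/ { root /opt/jumpserver/data/; }
    location /koko/ { proxy_pass http://localhost:5000; proxy_http_version 1.1; }
    location /guacamole/ { proxy_pass http://localhost:8081/; proxy_http_version 1.1; }
    location /ws/ { proxy_pass http://localhost:8070; proxy_http_version 1.1; }
    location /api/ { proxy_pass http://localhost:8080; }
    location /core/ { proxy_pass http://localhost:8080; }
    location / { rewrite ^/(.*)$ /ui/$1 last; }
}
"""

# Constructed sample of `ss -ltn` on the finished host: Core bound to 0.0.0.0 as
# in config.yml, koko bound to loopback, Tomcat on the IPv6 wildcard
SS_LTN = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8070       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5000     0.0.0.0:*
LISTEN 0      100    [::]:8081          [::]:*
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*
"""


def proxied_locations(conf):
    """Map each location that proxies to (upstream host, port)."""
    out = {}
    for m in _LOCATION.finditer(conf):
        body = conf[m.end():conf.find("}", m.end())]  # location blocks here do not nest
        p = _PROXY.search(body)
        if p:
            out[m.group(1)] = (p.group(1), int(p.group(2)))
    return out


def listening(ss_output):
    """Map port -> set of local addresses in LISTEN state."""
    ports = {}
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            addr, port = cols[3].rsplit(":", 1)
            ports.setdefault(int(port), set()).add(addr)
    return ports


def check_routing(conf, ss_output):
    """(location, port, component, is_listening, bound_on_wildcard) per proxied location."""
    ports = listening(ss_output)
    rows = []
    for loc, (_host, port) in sorted(proxied_locations(conf).items()):
        addrs = ports.get(port, set())
        rows.append((loc, port, COMPONENT_BY_PORT.get(port, "unknown"),
                     bool(addrs), bool(addrs & WILDCARDS)))
    return rows


def missing_upstreams(conf, ss_output):
    """Locations whose upstream port has no listener: nginx would answer 502 there."""
    return [r[0] for r in check_routing(conf, ss_output) if not r[3]]


def directly_exposed(conf, ss_output):
    """Upstream ports bound on a wildcard address, i.e. reachable without nginx."""
    return sorted({r[1] for r in check_routing(conf, ss_output) if r[3] and r[4]})


if __name__ == "__main__":
    # On a real host: conf = open("/etc/nginx/conf.d/jumpserver.conf").read()
    #                 ss = subprocess.check_output(["ss", "-ltn"], text=True)
    for loc, port, comp, up, wild in check_routing(NGINX_CONF, SS_LTN):
        state = "ok" if up else "NOT LISTENING"
        if up and wild:
            state += " (bound on a wildcard address, bypasses nginx)"
        print(f"{loc:12} -> :{port} {comp:18} {state}")
```

With the sample data the script reports every upstream listening and three of them (8070, 8080, 8081) bound on wildcard addresses; on the real host the fix for those is HTTP_BIND_HOST: 127.0.0.1 in Core's config.yml and an address attribute on Tomcat's Connector, or a firewall that only admits 80/443 and the SSH port.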

Create the database and account that config.yml references; the password here must be the one in DB_PASSWORD:
mysql -uroot -p
MySQL [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)

MySQL [(none)]> grant all on jumpserver.* to 'jumpserver'@'localhost' identified by '123456';
Query OK, 0 rows affected, 1 warning (0.00 sec)

MySQL [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

cat /opt/jumpserver/config.py
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql'
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = '123456'
    DB_NAME = 'jumpserver'

config = DevelopmentConfig()
This config.py form (together with make_migrations.sh and run_server.py below) is the 1.x way of configuring JumpServer; the 2.0.2 release installed above reads config.yml and is started with ./jms. Note also that DEBUG = True here contradicts DEBUG: false in config.yml; keep debug off on a production bastion.

cd /opt/jumpserver/utils/ && bash make_migrations.sh

python /opt/jumpserver/run_server.py all


Default username/password: admin/admin (JumpServer web only). Change it at first login; a bastion whose admin account keeps a published default defeats its own purpose.
