关键词:
环境
虚拟机 系统:centos 7
IP:192.168.168.8
目录:/opt
代理:nginx
数据库:mysql 版本大于等于 5.6 mariadb 版本大于等于 5.5.6
更新yum
yum update -y
关闭防火墙与selinux
firewall-cmd --state
systemctl stop firewalld
systemctl disable firewalld
vi /etc/sysconfig/selinux
SELINUX=enforcing 改为 SELINUX=disabled
reboot
修改字符集,否则可能报 input/output error的问题,因为日志里打印了中文
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo ‘LANG="zh_CN.UTF-8"‘ > /etc/locale.conf
安装依赖包
yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
安装redis,Jumpserver 使用 Redis 做 cache 和 celery broke
yum -y install redis
systemctl enable redis
systemctl start redis
安装Mysql 作为数据库,如果不使用 Mysql 可以跳过相关 Mysql 安装和配置
yum -y install mariadb mariadb-devel mariadb-server # centos7下安装的是mariadb
systemctl enable mariadb
systemctl start mariadb
创建数据库 Jumpserver 并授权
mysql -uroot
> create database jumpserver default charset ‘utf8‘;
> grant all on jumpserver.* to ‘jumpserver‘@‘127.0.0.1‘ identified by ‘weakPassword‘;
> flush privileges;
> quit
安装 Nginx,用代理服务器整合Jumpserver与各个组件
yum -y install nginx
systemctl enable nginx
下载编译Python3.6.1
cd /opt
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
tar xf Python-3.6.1.tar.xz && cd Python-3.6.1
./configure && make && make install
配置并载入Python3虚拟环境
cd /opt
python3 -m venv py3
source /opt/py3/bin/activate
# 看到下面的提示符代表成功,以后运行 Jumpserver 都要先运行以上 source 命令,以下所有命令均在该虚拟环境中运行
(py3) [[email protected] opt]#
自动载入Python虚拟环境
cd /opt
git clone git://github.com/kennethreitz/autoenv.git
echo ‘source /opt/autoenv/activate.sh‘ >> ~/.bashrc
source ~/.bashrc
下载Jumpserver 与 Coco
cd /opt
git clone https://github.com/jumpserver/jumpserver.git ----&& cd jumpserver && git checkout master
echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
cd /opt
git clone https://github.com/jumpserver/coco.git ----&& cd coco && git checkout master && git pull
echo "source /opt/py3/bin/activate" > /opt/coco/.env
安装依赖 RPM 包
yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt)
yum -y install $(cat /opt/coco/requirements/rpm_requirements.txt)
安装python库依赖
pip install --upgrade pip
pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
pip install -r /opt/coco/requirements/requirements.txt
修改 Jumpserver 配置文件
cd /opt/jumpserver
cp config_example.py config.py
vi config.py
注意: 配置文件是 Python 格式,不要用 TAB,而要用空格
#!/usr/bin/env python3 # -*- coding: utf-8 -*- """ jumpserver.config ~~~~~~~~~~~~~~~~~ Jumpserver project setting file :copyright: (c) 2014-2017 by Jumpserver Team :license: GPL v2, see LICENSE for more details. """ import os BASE_DIR = os.path.dirname(os.path.abspath(__file__)) class Config: """ Jumpserver Config File Jumpserver 配置文件 Jumpserver use this config for drive django framework running, You can set is value or set the same envirment value, Jumpserver look for config order: file => env => default Jumpserver使用配置来驱动Django框架的运行, 你可以在该文件中设置,或者设置同样名称的环境变量, Jumpserver使用配置的顺序: 文件 => 环境变量 => 默认值 """ # SECURITY WARNING: keep the secret key used in production secret! # 加密秘钥 生产环境中请修改为随机字符串,请勿外泄 SECRET_KEY = ‘2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x‘ # SECURITY WARNING: keep the bootstrap token used in production secret! # 预共享Token coco和guacamole用来注册服务账号,不在使用原来的注册接受机制 # BOOTSTRAP_TOKEN = ‘PleaseChangeMe‘ ALLOWED_HOSTS = [‘*‘] # Development env open this, when error occur display the full process track, Production disable it # DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志 DEBUG = False # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/ # 日志级别 LOG_LEVEL = ‘ERROR‘ LOG_DIR = os.path.join(BASE_DIR, ‘logs‘) # Session expiration setting, Default 24 hour, Also set expired on on browser close # 浏览器Session过期时间,默认24小时, 也可以设置浏览器关闭则过期 # SESSION_COOKIE_AGE = 3600 * 24 # SESSION_EXPIRE_AT_BROWSER_CLOSE = False SESSION_EXPIRE_AT_BROWSER_CLOSE = True # Database setting, Support sqlite3, mysql, postgres .... # 数据库设置 # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases # SQLite setting: # 使用单文件sqlite数据库 # DB_ENGINE = ‘sqlite3‘ # DB_NAME = os.path.join(BASE_DIR, ‘data‘, ‘db.sqlite3‘) # MySQL or postgres setting like: # 使用Mysql作为数据库 DB_ENGINE = ‘mysql‘ DB_HOST = ‘127.0.0.1‘ DB_PORT = 3306 DB_USER = ‘jumpserver‘ DB_PASSWORD = ‘weakPassword‘ DB_NAME = ‘jumpserver‘ # When Django start it will bind this host and port # ./manage.py runserver 127.0.0.1:8080 # 运行时绑定端口 HTTP_BIND_HOST = ‘0.0.0.0‘ HTTP_LISTEN_PORT = 8080 # Use Redis as broker for celery and web socket # Redis配置 REDIS_HOST = ‘127.0.0.1‘ REDIS_PORT = 6379 REDIS_PASSWORD = ‘‘: REDIS_DB_CELERY = 3 REDIS_DB_CACHE = 4 # Use OpenID authorization # 使用OpenID 来进行认证设置 # BASE_SITE_URL = ‘http://localhost:8080‘ # AUTH_OPENID = False # True or False # AUTH_OPENID_SERVER_URL = ‘https://openid-auth-server.com/‘ # AUTH_OPENID_REALM_NAME = ‘realm-name‘ # AUTH_OPENID_CLIENT_ID = ‘client-id‘ # AUTH_OPENID_CLIENT_SECRET = ‘client-secret‘ # # OTP_VALID_WINDOW = 0 def __init__(self): pass def __getattr__(self, item): return None class DevelopmentConfig(Config): pass class TestConfig(Config): pass class ProductionConfig(Config): pass # Default using Config settings, you can write if/else for different env config = DevelopmentConfig()
修改Coco配置文件
cd /opt/coco
cp conf_example.py conf.py # 如果 coco 与 jumpserver 分开部署,请手动修改 conf.py
vi conf.py
# 注意对齐,不要直接复制本文档的内容
#!/usr/bin/env python3 # -*- coding: utf-8 -*- # import os BASE_DIR = os.path.dirname(__file__) class Config: """ Coco config file, coco also load config from server update setting below """ # 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复 NAME = "coco" # Jumpserver项目的url, api请求注册会使用 CORE_HOST = os.environ.get("CORE_HOST") or ‘http://127.0.0.1:8080‘ # Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal # 请和jumpserver 配置文件中保持一致,注册完成后可以删除 # BOOTSTRAP_TOKEN = "PleaseChangeMe" # 启动时绑定的ip, 默认 0.0.0.0 # BIND_HOST = ‘0.0.0.0‘ # 监听的SSH端口号, 默认2222 # SSHD_PORT = 2222 # 监听的HTTP/WS端口号,默认5000 # HTTPD_PORT = 5000 # 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中, # 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret # ACCESS_KEY = None # ACCESS KEY 保存的地址, 默认注册后会保存到该文件中 # ACCESS_KEY_STORE = os.path.join(BASE_DIR, ‘keys‘, ‘.access_key‘) # 加密密钥 # SECRET_KEY = None # 设置日志级别 [‘DEBUG‘, ‘INFO‘, ‘WARN‘, ‘ERROR‘, ‘FATAL‘, ‘CRITICAL‘] LOG_LEVEL = ‘ERROR‘ # 日志存放的目录 # LOG_DIR = os.path.join(BASE_DIR, ‘logs‘) # Session录像存放目录 # SESSION_DIR = os.path.join(BASE_DIR, ‘sessions‘) # 资产显示排序方式, [‘ip‘, ‘hostname‘] # ASSET_LIST_SORT_BY = ‘ip‘ # 登录是否支持密码认证 # PASSWORD_AUTH = True # 登录是否支持秘钥认证 # PUBLIC_KEY_AUTH = True # SSH白名单 # ALLOW_SSH_USER = ‘all‘ # [‘test‘, ‘test2‘] # SSH黑名单, 如果用户同时在白名单和黑名单,黑名单优先生效 # BLOCK_SSH_USER = [] # 和Jumpserver 保持心跳时间间隔 # HEARTBEAT_INTERVAL = 5 # Admin的名字,出问题会提示给用户 # ADMINS = ‘‘ COMMAND_STORAGE = "TYPE": "server" REPLAY_STORAGE = "TYPE": "server" # SSH连接超时时间 (default 15 seconds) # SSH_TIMEOUT = 15 # 语言 = en LANGUAGE_CODE = ‘zh‘ config = Config()
安装 Web Terminal 前端: Luna
cd /opt
wget https://github.com/jumpserver/luna/releases/download/1.4.1/luna.tar.gz
tar xf luna.tar.gz
chown -R root:root luna
安装windows支持组件
yum remove docker-latest-logrotate docker-logrotate docker-selinux dockdocker-engine
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum makecache fast
yum -y install docker-ce
systemctl start docker -d
docker pull jumpserver/guacamole:latest
重新打开一个终端
配置Nginx整合组件
source /opt/py3/bin/activate
cd /opt/
vi /etc/nginx/conf.d/jumpserver.conf
server listen 80; # 代理端口,以后将通过此端口进行访问,不再通过8080端口 # server_name demo.jumpserver.org; # 修改成你的域名或者注释掉 client_max_body_size 100m; # 录像及文件上传大小限制 location /luna/ try_files $uri / /index.html; alias /opt/luna/; # luna 路径,如果修改安装目录,此处需要修改 location /media/ add_header Content-Encoding gzip; root /opt/jumpserver/data/; # 录像位置,如果修改安装目录,此处需要修改 location /static/ root /opt/jumpserver/data/; # 静态资源,如果修改安装目录,此处需要修改 location /socket.io/ proxy_pass http://localhost:5000/socket.io/; # 如果coco安装在别的服务器,请填写它的ip proxy_buffering off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; location /coco/ proxy_pass http://localhost:5000/coco/; # 如果coco安装在别的服务器,请填写它的ip proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; location /guacamole/ proxy_pass http://localhost:8081/; # 如果guacamole安装在别的服务器,请填写它的ip proxy_buffering off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log off; location / proxy_pass http://localhost:8080; # 如果jumpserver安装在别的服务器,请填写它的ip proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
cd /opt/
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
vim /etc/nginx/nginx.conf
# For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; # Load dynamic modules. See /usr/share/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events worker_connections 1024; http log_format main ‘$remote_addr - $remote_user [$time_local] "$request" ‘ ‘$status $body_bytes_sent "$http_referer" ‘ ‘"$http_user_agent" "$http_x_forwarded_for"‘; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; #server #listen 80 default_server; #listen [::]:80 default_server; #server_name _; #root /usr/share/nginx/html; # Load configuration files for the default server block. #include /etc/nginx/default.d/*.conf; #location / # #error_page 404 /404.html; #location = /40x.html # #error_page 500 502 503 504 /50x.html; #location = /50x.html # # # Settings for a TLS enabled server. # # server # listen 443 ssl http2 default_server; # listen [::]:443 ssl http2 default_server; # server_name _; # root /usr/share/nginx/html; # # ssl_certificate "/etc/pki/nginx/server.crt"; # ssl_certificate_key "/etc/pki/nginx/private/server.key"; # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 10m; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on; # # # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; # # location / # # # error_page 404 /404.html; # location = /40x.html # # # error_page 500 502 503 504 /50x.html; # location = /50x.html # #
nginx -t
生成数据库表结构和初始化数据
cd /opt/jumpserver/utils
bash make_migrations.sh
运行 Jumpserver
cd ..
./jms start all -d
# 新版本更新了运行脚本,使用方式./jms start|stop|status|restart all 后台运行请添加 -d 参数
运行Coco
cd /opt/coco
./cocod start -d
#在第一个终端里
启动 Guacamole
# 注意:这里需要修改下 http://<填写jumpserver的url地址> 例: http://192.168.168.8, 否则会出错
# 不能使用 127.0.0.1 ,可以更换 registry.jumpserver.org/public/guacamole:latest
docker run --name jms_guacamole -d
-p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key
-e JUMPSERVER_KEY_DIR=/config/guacamole/key
-e JUMPSERVER_SERVER=http://192.168.168.8:8080
jumpserver/guacamole:latest
systemctl start nginx
登录Web管理界面:192.168.168.8
参考链接1:http://docs.jumpserver.org/zh/docs/step_by_step.html
参考链接2:http://docs.jumpserver.org/zh/docs/setup_by_centos7.html
参考链接3:https://www.cnblogs.com/bigdevilking/p/9427941.html
参考链接4:http://docs.jumpserver.org/zh/docs/faq_install.html
jumpserver堡垒机
来源:知乎Jumpserver是一款由Python编写开源的跳板机(堡垒机)系统,实现了跳板机应有的功能。基于ssh协议来管理,客户端无需安装agent。特点:完全开源,GPL授权Python编写,容易再次开发实现了跳板机基本功能,认证、授权... 查看详情
web安全入门-部署堡垒机jumpserver
jumpserver简介:JumpServer是全球首款开源的堡垒机,使用GNUGPLv3.0开源协议,是符合4A规范的运维安全审计系统。JumpServer使用Python/Django为主进行开发,遵循Web2.0规范。总结,如果你企业对设备安全性有审计要求,或者说是要通过iso27... 查看详情
jumpserver的安装(代码片段)
...垒机也需要有身份认证,授权,访问控制,审计等功能。Jumpserver是一款由python编写开源的跳板机(堡垒机)系统,实现了跳板机应有的功能。基于ssh协议来管理,客户端无需安装agent。支持常见系统: 查看详情
直播预告|jumpserver开源堡垒机跨年漫谈会,说出你和jumpserver的故事
从2014年6月写下第一行代码至今,JumpServer开源堡垒机项目已经走过了七个年头。作为一款持续演进的开源堡垒机,JumpServer不断从开源社区获取用户反馈,坚持“以用户为中心”制定研发规划,持续推出满足用户实... 查看详情
社区访谈|一直伴随“我”成长的jumpserver开源堡垒机
编者注:2022年8月,JumpServer开源社区访谈了来自北京的开源社区用户孙国强,以下内容根据本次访谈的内容整理而成。■关键词:好用■首个部署版本:JumpServer开源堡垒机v2.9.1版本怎么认识JumpServer的?我... 查看详情
堡垒机jumpserver与radius管理网络安全设备
参考技术A一、目的通过开源堡垒机Jumpserver与radius服务器管理网络设备可以实现以下功能:1、ssh、telnet登录网络设备的账户统一在radius进行,方便定期修改密码、账户删减;2、通过堡垒机登录设备能控制权限、资源,并且有操... 查看详情
jumpserver开源堡垒机与宝兰德中间件完成产品兼容性认证
...#xff0c;中国领先的开源软件提供商FIT2CLOUD飞致云宣布,JumpServer开源堡垒机已经完成与宝兰德主要中间件软件产品的兼容性认证。经过双方严格的联合测试,宝兰德分布式缓存数据库软件V1.0和宝兰德Web服务软件V2.0与JumpServer... 查看详情
堡垒机jumpserver安装
Jumpserver堡垒机安装文档一、环境CentOS6.xx86_64serviceiptablesstop关闭SELinux的方法:修改/etc/selinux/config文件中的SELINUX=""为disabled,然后重启。如果不想重启系统,使用命令setenforce 0二、安装依赖rpmyum-yinstallepel-release yum-yin 查看详情
操作指南|在kubernetes集群上快速部署jumpserver开源堡垒机(代码片段)
...中,我们给大家实际演示了在Kubernetes集群上快速部署JumpServer的全过程。作为全球首款完全开源的堡垒机,容器化部署一直是JumpServer堡垒机的特色功能之一。基于本次直播,我们为大家整理了JumpServer容器化部署的操... 查看详情
开源堡垒机系统
1:JumpServer 全球首款开源的堡垒机,使用GPLv3开源协议,是符合4A规范的运维安全审计系统。JumpServer使用Python开发,配备了业界领先的WebTerminal方案,交互界面美观、用户体验好。JumpServer采纳分布式架构,... 查看详情
jumpserver开源堡垒机v3.0版本设计重点解读
编者注:在1月17日的JumpServer开源堡垒机v3.0预发布恳谈会直播中,JumpServer创始人广宏伟与大家分享了JumpServerv3.0版本的设计思路与功能亮点。在v3.0版本正式发布之前,JumpServer开源项目组基于此次直播内容为大家整理... 查看详情
开源堡垒机各自特点分析
...盟、行云管家、科友、齐治、金万维、极地、派拉开源:jumpserver、teleport、CrazyEye、×××jumpserver:github上开源堡垒机,可以购买商业技术支持。http://www.jumpserver.org/teleport:github上开源堡垒机,没有商业版。https://tp4a.com/CrazyEye:... 查看详情
jumpserver开源堡垒机完成龙芯架构兼容性认证
...#xff0c;中国领先的开源软件提供商FIT2CLOUD飞致云宣布,JumpServer开源堡垒机通过龙芯架构兼容性认证。经过严格验证,LoongArch龙芯架构与JumpServer运维安全审计系统V2.0在龙芯3A5000/3C5000L平台上完成兼容性测试,功能与稳定... 查看详情
jumpserver3.0开源跳板机环境搭建
摘要:Jumpserver是一款由python编写开源的跳板机(堡垒机)系统,实现了跳板机应有的功能。基于ssh协议来管理,客户端无需安装agent。特点:完全开源,GPL授权Python编写,容易再次开发实现了跳板机基本功能,认证、授权、审计集... 查看详情
jumpserver部署安装(代码片段)
...垒机也需要有身份认证、授权、访问控制、审计等功能。Jumpserver是全球首款完全开源的堡垒机,是符合4A的专业运维审计系统。Jumpserver使用Python/Django进行开发,采纳分布式架构,支持多机房跨区域部署,中心节点提供API,各机房部署... 查看详情
jumpserver开源堡垒机与瀚高数据库完成兼容性认证
...#xff0c;中国领先的开源软件提供商FIT2CLOUD飞致云宣布,JumpServer开源堡垒机已经完成与国产瀚高数据库的兼容性认证。经过双方共同测试,JumpServer运维安全审计系统V2可以稳定纳管瀚高安全版数据库系统V4.5,同时满足性... 查看详情
jumpserver跳板机
Jumpserver跳板机一、Jumpserver简介umpserver是一款由python编写开源的跳板机(堡垒机)系统,实现了跳板机应有的功能。基于ssh协议来管理,客户端无需安装agent。二、特点:完全开源、Python编写,容易再次开发、实现了跳板机基本功能... 查看详情
jumpserver(代码片段)
jumpserver开源堡垒机名称定义:用户列表:登陆堡垒机的用户用户组:登陆堡垒机的用户所属的组资产列表:堡垒机所控制的服务器资源网域列表:相当于跳板机,就是当服务器无法直连时,而需要跳转登陆的机器管理用户:jumps... 查看详情