JumpServer bastion host setup and usage
- JumpServer describes itself as the first fully open-source bastion host (GNU GPL v2.0); it is an operations audit system built around the 4A model (authentication, authorization, accounting, auditing).
- JumpServer is written in Python / Django and ships with a Web Terminal, so day-to-day access to assets happens through the browser.
- JumpServer uses a distributed architecture: the central node exposes an API and login nodes are deployed per site, so it scales horizontally across data centres without a hard concurrency limit.
- JumpServer can manage assets over SSH, Telnet, RDP and VNC.

JumpServer components and their listening ports
Component          | Port(s)
JumpServer (core)  | 8080/tcp
Redis              | 6379/tcp
MySQL / MariaDB    | 3306/tcp
Nginx              | 80/tcp (443/tcp once TLS is configured below)
Koko               | 2222/tcp (SSH), 5000/tcp (Web Terminal)
Guacamole          | 8081/tcp
Lion               | 9529/tcp (see the Luna proxy configuration below)
Only Nginx and the Koko SSH port need to be reachable from the network; every other component should stay bound to 127.0.0.1.
System: CentOS Linux release 8.4.2105
$ uname -r
4.18.0-305.3.1.el8.x86_64
$ cat /etc/redhat-release
CentOS Linux release 8.4.2105
Version requirements:
Name    | Core    | Python | MySQL  | MariaDB | Redis |
Version | v2.13.1 | >= 3.6 | >= 5.7 | >= 10.2 | >= 6  |
Disable SELinux. setenforce 0 takes effect immediately; the sed makes it permanent. Setting SELINUX=permissive instead of disabled keeps the AVC audit log useful if you want to write a policy for the components later.
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
Open only the ports that must face the network:
firewall-cmd --zone=public --add-port=80/tcp --permanent    # Nginx
firewall-cmd --zone=public --add-port=2222/tcp --permanent  # user SSH login port (Koko)
# Only needed when components run in Docker and must reach core on the host. The rich rule has to be single-quoted so firewalld receives the inner double quotes intact.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="8080" accept'
firewall-cmd --reload   # reload the rules
Do not run iptables -F after this: firewalld programs its rules through iptables/nftables, so flushing them silently drops the rules you just added. To inspect what is installed, use a read-only listing:
iptables-save
firewall-cmd --list-all
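An added check, not part of the original guide and not JumpServer's own tooling: the firewall rules above only matter for ports that face the network in the first place, so after the components are running it is worth confirming that the internal ones from the component table (core 8080, Redis 6379, MariaDB 3306, Koko web terminal 5000, Guacamole 8081, Lion 9529) are bound to loopback and only Nginx and Koko SSH listen on all interfaces. The script parses lines in the format of `ss -H -ltn`; the sample lines are constructed for illustration, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original guide: flag internal JumpServer
# components that are bound to a wildcard address instead of loopback.
# Internal ports are taken from the component table in the guide (Lion 9529
# comes from the Luna proxy config). 80/443 and 2222 are meant to be public.
INTERNAL_PORTS="8080 6379 3306 5000 8081 9529"

# check_exposure: reads lines in the format of `ss -H -ltn` on stdin
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# and prints "EXPOSED: ..." for every internal port bound to 0.0.0.0, * or [::].
# Returns 0 when nothing is exposed, 1 otherwise.
check_exposure() {
    exposed=0
    while read -r state recvq sendq laddr peer rest; do
        [ -z "$laddr" ] && continue
        addr=${laddr%:*}        # strip the trailing :port (keeps [::] intact)
        port=${laddr##*:}
        case "$addr" in
            0.0.0.0|'*'|'[::]'|'::') ;;   # wildcard bind: keep checking
            *) continue ;;                 # loopback or a specific address: fine
        esac
        for p in $INTERNAL_PORTS; do
            if [ "$p" = "$port" ]; then
                printf 'EXPOSED: port %s is bound to %s\n' "$port" "$addr"
                exposed=1
            fi
        done
    done
    return $exposed
}

# count_exposed: number of exposed internal ports in a block of ss output
# passed as $1 (prints 0 rather than failing when nothing is exposed).
count_exposed() {
    printf '%s\n' "$1" | check_exposure | grep -c '^EXPOSED' || true
}

# Constructed sample, not captured from a real host: Redis is correctly on
# loopback, Koko SSH is intentionally public, but core and MariaDB are exposed.
SAMPLE='LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:3306 [::]:*'

printf '%s\n' "$SAMPLE" | check_exposure || echo "fix the bind addresses above"

# On the bastion itself, run the live check:
#   ss -H -ltn | check_exposure
```

Run it after every component has been started; a non-zero exit means a bind address in redis.conf, my.cnf or a component's config.yml still needs to be changed to 127.0.0.1, regardless of what firewalld allows.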
dnf -y install wget gcc epel-release git vim wget unzip make cmake zlib-devel compat-openssl10
Note: install the Python version the official guide specifies. Some of JumpServer's modules do not support Python newer than 3.6, and jms will fail to start.
dnf install -y python36 python36-devel
If Python 3.6 is already installed you can skip this step. Two ways are given here: the dnf package above, or building python-3.6.9 from source.
Build python-3.6.9 from source
Download from python.org:
wget https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tgz
tar -xf Python-3.6.9.tgz -C /usr/local/
cd /usr/local/Python-3.6.9/
yum --exclude=kernel* update -y
yum groupinstall -y 'Development Tools'
yum install -y gcc openssl-devel bzip2-devel libffi-devel
./configure && make && make altinstall   # altinstall installs /usr/local/bin/python3.6 without replacing the python3 that dnf depends on



CentOS 6/7 ship Python 2, and yum and other system tools depend on it, so to avoid disturbing the system interpreter we run JumpServer in a Python virtual environment.
Create the virtual environment; the name py3 is arbitrary:
cd /opt && python3.6 -m venv py3
source /opt/py3/bin/activate
Some shells report "source: not found"; use "." instead of "source":
. /opt/py3/bin/activate

A prompt prefixed with (py3) means the environment is active. Activate it this way every time before running JumpServer; every command below runs inside the virtual environment.
(py3) [user@host py3]
dnf -y install redis
systemctl enable --now redis
systemctl status redis
rpm -qa redis

Generate a random Redis password. It is appended to ~/.bashrc so later steps can reuse $REDIS_PASSWORD; remember the same secret also ends up in /etc/redis.conf, so both files stay root-only.
REDIS_PASSWORD=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 24)
echo "REDIS_PASSWORD=$REDIS_PASSWORD" >> ~/.bashrc
echo -e "\033[31m Your REDIS_PASSWORD is $REDIS_PASSWORD \033[0m"

sed -i "s/# requirepass foobared/requirepass $REDIS_PASSWORD/g" /etc/redis.conf
systemctl restart redis
Confirm the password is required. The packaged redis.conf binds to 127.0.0.1 by default; keep it that way, requirepass is not a substitute for keeping the port off the network. Passing -a on the command line leaves the password in shell history and in the process list, so hand it to redis-cli through the REDISCLI_AUTH environment variable instead:
REDISCLI_AUTH=$REDIS_PASSWORD redis-cli -h 127.0.0.1 -p 6379
127.0.0.1:6379> keys *
127.0.0.1:6379> config get requirepass

dnf -y install mariadb mariadb-devel mariadb-server
systemctl enable --now mariadb
systemctl status mariadb
rpm -qa mariadb

mysql_secure_installation
Enter current password for root (enter for none): # press Enter, there is no password yet
New password: # new root password
Re-enter new password: # repeat it
Set root password # Y
Remove anonymous users? # Y
Disallow root login remotely? # Y
Remove test database and access to it? # Y
Reload privilege tables now? # Y

Generate a random database password:
DB_PASSWORD=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 24)
echo -e "\033[31m Your database password is $DB_PASSWORD \033[0m"
Database setup
Note: the mysql client does not expand shell variables, so paste the generated value in place of $DB_PASSWORD in the GRANT statements below. The account is limited to 127.0.0.1 and localhost, so it cannot be used from the network even if 3306 were reachable.
mysql -uroot -p
create database jumpserver default charset 'utf8' collate 'utf8_bin';
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD';
grant all on jumpserver.* to 'jumpserver'@'localhost' identified by '$DB_PASSWORD';
flush privileges;
To change an account's password later:
set password for 'jumpserver'@'localhost' = password('newpassword');
flush privileges;

Check that the new account can log in and sees the database:
mysql -ujumpserver -p
show databases;

cd /opt && \
git clone -b v2.13.1 https://github.com/jumpserver/jumpserver.git   # GitHub no longer serves git://; -b checks out the tag matching the version table above

dnf -y install gcc krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mariadb-devel libffi-devel openssh-clients telnet openldap-clients
Optionally point easy_install at a domestic mirror (pip is given its mirror separately with -i below):
vim ~/.pydistutils.cfg
[easy_install]
index_url = https://mirrors.aliyun.com/pypi/simple/
cd /opt/jumpserver/requirements
source /opt/py3/bin/activate
pip install wheel && \
pip install --upgrade pip setuptools && \
pip install -r requirements.txt


Make sure the py3 virtual environment is active. An error in the middle of the install is usually a missing system library; install it with dnf and rerun pip.

If downloads are slow, use a domestic mirror. Use an https index: --trusted-host with a plain http index disables TLS verification for every package you install, which is a supply-chain risk on the host that holds all your credentials.
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
pip install <package> -i https://mirrors.aliyun.com/pypi/simple/   # for a single missing package
cd /opt/jumpserver
cp config_example.yml config.yml
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc

sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
sed -i "s/# REDIS_PASSWORD: /REDIS_PASSWORD: $REDIS_PASSWORD/g" /opt/jumpserver/config.yml
sed -i "s/# REDIS_DB_CELERY: 3/REDIS_DB_CELERY: 3/g" /opt/jumpserver/config.yml
sed -i "s/# REDIS_DB_CACHE: 4/REDIS_DB_CACHE: 4/g" /opt/jumpserver/config.yml

echo -e "\033[31m Your SECRET_KEY is $SECRET_KEY \033[0m"
echo -e "\033[31m Your BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN \033[0m"

Check the effective settings. Every key shown must have a value; an empty SECRET_KEY or DB_PASSWORD means the corresponding sed pattern did not match your config_example.yml, and sed does not report that.
grep -Evn "^$|#" /opt/jumpserver/config.yml

Note: SECRET_KEY and BOOTSTRAP_TOKEN must not be purely numeric strings. SECRET_KEY is also used to encrypt credentials stored in the database, so losing it after assets have been added makes those passwords unrecoverable; back it up together with the database. BOOTSTRAP_TOKEN is shared with Koko and Lion below and must match exactly.
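An added example, not part of the original guide and not JumpServer's own code, that turns the secret generation and sed substitutions above into checked steps: the sed commands are silent when their pattern does not match, so config.yml can end up with an empty SECRET_KEY without any error. The functions below generate secrets that satisfy the not-all-digits rule, set a key whether its line is empty or commented out, and verify that every required key has a value. The config snippet is a constructed stand-in for config_example.yml, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original guide: generate secrets, write them into
# config.yml and verify the substitution really happened.

# gen_secret LEN: LEN random characters from [A-Za-z0-9]. Regenerates until at
# least one letter is present, because JumpServer rejects an all-digit
# SECRET_KEY / BOOTSTRAP_TOKEN.
gen_secret() {
    while :; do
        s=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1")
        case "$s" in
            *[A-Za-z]*) printf '%s' "$s"; return 0 ;;
        esac
    done
}

# render_config FILE KEY VALUE: set "KEY: VALUE", matching the line whether it
# reads "KEY:", "KEY: old" or is commented out as "# KEY: old". Uses "|" as the
# sed delimiter so a VALUE containing "/" is safe; VALUE must not contain |, &
# or \ (alphanumeric secrets never do). Writes through a temp file instead of
# sed -i so the same code works with BSD sed.
render_config() {
    f=$1; k=$2; v=$3
    sed "s|^#\{0,1\} *$k:.*|$k: $v|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# verify_config FILE KEY...: return 1 (and name the keys) if any KEY is absent,
# still commented out, or has an empty value.
verify_config() {
    f=$1; shift; bad=0
    for k in "$@"; do
        if ! grep -Eq "^$k: +[^ ]" "$f"; then
            printf 'MISSING OR EMPTY: %s\n' "$k"
            bad=1
        fi
    done
    return $bad
}

# demo: render a constructed stand-in for config_example.yml, print it and
# return verify_config's status.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
SECRET_KEY:
BOOTSTRAP_TOKEN:
# DEBUG: true
DB_PASSWORD: 
# REDIS_PASSWORD: 
EOF
    render_config "$cfg" SECRET_KEY "$(gen_secret 50)"
    render_config "$cfg" BOOTSTRAP_TOKEN "$(gen_secret 16)"
    render_config "$cfg" DEBUG false
    render_config "$cfg" DB_PASSWORD "$(gen_secret 24)"
    render_config "$cfg" REDIS_PASSWORD "$(gen_secret 24)"
    if verify_config "$cfg" SECRET_KEY BOOTSTRAP_TOKEN DEBUG DB_PASSWORD REDIS_PASSWORD; then
        rc=0
    else
        rc=1
    fi
    cat "$cfg"
    rm -f "$cfg"
    return $rc
}

demo
```

Against the real file, call render_config on /opt/jumpserver/config.yml for each key and finish with verify_config listing every key the service needs; a non-zero exit means the pattern for that key does not match the shipped config_example.yml and the line has to be fixed by hand before starting jms.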
Make sure the py3 virtual environment is active:
source /opt/py3/bin/activate
cd /opt/jumpserver
./jms start all -d
Newer versions changed the run script; usage is
./jms start|stop|status all
and -d runs it in the background.
If it starts without errors, continue with the steps below.
KoKo is the Go rewrite of coco: it reimplements coco's SSH/SFTP service and Web Terminal service.
Name    | KoKo    | Go      |
Version | v2.13.1 | >= 1.15 |
wget https://golang.google.cn/dl/go1.17.linux-amd64.tar.gz
tar -xf go1.17.linux-amd64.tar.gz -C /usr/local/
chown -R root:root /usr/local/go
export PATH=/usr/local/go/bin:$PATH
echo 'export PATH=/usr/local/go/bin:$PATH' >> ~/.bashrc
go version
go env -w GOPROXY=https://mirrors.aliyun.com/goproxy/,direct
cd /opt && \
git clone https://github.com/jumpserver/koko.git
chown -R root:root /opt/koko && \
cd koko && make

Note: the build output lands in the build directory. On a Linux amd64 server make produces a tarball named
koko-[branch name]-[commit]-linux-amd64.tar.gz
so the koko-master-* globs below assume you built the master branch; adjust them if you checked out a tag.
cd /opt/koko/build/
tar -xzvf koko-*-linux-amd64.tar.gz
BOOTSTRAP_TOKEN must be taken from jumpserver/config.yml and be identical there and here; $BOOTSTRAP_TOKEN was appended to ~/.bashrc earlier, so it is still set in this shell.
cd /opt/koko/build/koko-master-*-linux-amd64
cp config_example.yml config.yml
sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" config.yml
sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" config.yml
sed -i "s/# SHARE_ROOM_TYPE: local/SHARE_ROOM_TYPE: redis/g" config.yml
sed -i "s/# REDIS_HOST: 127.0.0.1/REDIS_HOST: 127.0.0.1/g" config.yml
sed -i "s/# REDIS_PORT: 6379/REDIS_PORT: 6379/g" config.yml
sed -i "s/# REDIS_PASSWORD:/REDIS_PASSWORD: $REDIS_PASSWORD/g" config.yml
sed -i "s/# REDIS_DB_ROOM:/REDIS_DB_ROOM: 6/g" config.yml
cat /opt/koko/build/koko-master-*-linux-amd64/config.yml | grep -Evn "^$|#"

cd /opt/koko/build/koko-master-*-linux-amd64 && ./koko -d
Newer versions changed the run script; usage is
./koko -s start|stop|status
with -d for background operation. Check that it is running:
./koko -s status

cd /opt && \
wget http://download.jumpserver.org/public/guacamole-server-1.3.0.tar.gz && \
tar -xf guacamole-server-1.3.0.tar.gz
cd /opt/guacamole-server-1.3.0 && \
wget http://download.jumpserver.org/public/ssh-forward.tar.gz && \
tar -xf ssh-forward.tar.gz -C /bin/ && \
chmod +x /bin/ssh-forward
Both archives are fetched over plain http and unpacked as root, the second straight into /bin. Use https if the mirror offers it and compare the download against a checksum published by the project before unpacking; an unverified binary in /bin on the bastion is exactly the component an attacker on the path would want to swap.
Guacamole has many dependencies, and this step resolves most of them. Some packages are not in the standard repositories, so a few come from the PowerTools and Devel repositories; disable Devel again once the packages are installed.
Update all packages and their dependencies as root:
dnf update -y
dnf config-manager --set-enabled powertools   # the repo id is PowerTools on CentOS 8.2 and earlier, powertools from 8.3 on
dnf config-manager --enable Devel
dnf -y install libtool libwebsockets-devel libtheora opus lame-libs libjpeg-turbo-devel ghostscript
dnf config-manager --disable Devel
dnf -y install SDL2 ffmpeg libtelnet-devel
dnf -y install cairo-devel libjpeg-devel libpng-devel uuid-devel libvncserver-devel pulseaudio-libs-devel freerdp-devel libssh2-devel openssl-devel pango-devel ffmpeg-devel libvorbis-devel libwebp-devel freerdp-plugins
cd /opt/guacamole-server-1.3.0
autoreconf -fi
./configure --with-init-dir=/etc/init.d && \
make && \
make install && ldconfig

systemctl daemon-reload
Run the following environment setup only once: every second line appends to ~/.bashrc, so repeating it leaves duplicate (and possibly stale) entries.
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN="$BOOTSTRAP_TOKEN"
echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/data/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/data/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc
Environment variables:
JUMPSERVER_SERVER is the address of core
BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN value from jumpserver/config.yml
JUMPSERVER_KEY_DIR is where the key is stored after successful registration
GUACAMOLE_HOME is the directory that holds guacamole.properties
GUACAMOLE_LOG_LEVEL is the log level
JUMPSERVER_ENABLE_DRIVE mounts a shared drive in RDP sessions
A service started by systemd does not read ~/.bashrc. If guacd cannot see these values, put them in an EnvironmentFile= referenced by the guacd unit (systemctl edit guacd) rather than relying on the shell profile.
systemctl start guacd
systemctl enable guacd
systemctl status guacd

Name    | JumpServer | Guacd                  | Lion    |
Version | v2.13.1    | 1.3.0 (built above)    | v2.13.1 |
cd /opt
wget https://github.com/jumpserver/lion-release/releases/download/v2.13.1/lion-v2.13.1-linux-amd64.tar.gz
tar -xf lion-v2.13.1-linux-amd64.tar.gz
cd /opt/lion-v2.13.1-linux-amd64
cp config_example.yml config.yml
sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" config.yml
(The source tree can also be cloned with git clone https://github.com/jumpserver/lion-release.git, but the release tarball already carries the binary and config_example.yml, and the unit file below points at the tarball directory.)
Create lion.service in /etc/systemd/system with the following content:
vi /etc/systemd/system/lion.service
[Unit]
Description=JumpServer Lion Service
After=network.target
[Service]
Type=simple
User=root
Group=root
WorkingDirectory=/opt/lion-v2.13.1-linux-amd64
ExecStart=/opt/lion-v2.13.1-linux-amd64/lion -f /opt/lion-v2.13.1-linux-amd64/config.yml
Restart=on-failure
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl start lion
systemctl enable lion
systemctl status lion
Install Node.js. The version table lists Node 10 as the baseline; this guide installs the NodeSource 16.x stream. The setup script is piped into bash as root, so read it first if that is not acceptable on your bastion.
curl -fsSL https://rpm.nodesource.com/setup_16.x | bash -
yum install -y nodejs
Name    | Lina    | Node |
Version | v2.13.1 | 10   |
cd /opt && \
git clone https://github.com/jumpserver/lina.git
npm config set sass_binary_site https://npm.taobao.org/mirrors/node-sass
npm config set registry https://registry.npm.taobao.org
npm install -g yarn
yarn config set registry https://registry.npm.taobao.org
yarn install
Point the dev server at core. Use "#" as the sed delimiter because the URL contains "/", and substitute the whole value: $JUMPSERVER_SERVER already ends in :8080, so appending the port again would produce an invalid address.
sed -i "s#VUE_APP_CORE_HOST = 'http://localhost:8080'#VUE_APP_CORE_HOST = '$JUMPSERVER_SERVER'#g" /opt/lina/.env.development
yarn serve
The built Lina package is static HTML/JS and can be moved straight to the Nginx server:
yarn build:prod
The output is generated in the build directory.
Name    | Luna    | Node |
Version | v2.13.1 | 10   |
cd /opt && \
git clone https://github.com/jumpserver/luna.git
cd /opt/luna
npm i
npm rebuild node-sass
Edit proxy.conf.json. JSON does not allow comments, so the targets are described here instead: /koko goes to KoKo on 5000, /lion to Lion on 9529, /omnidb to port 8082, and /media/, /api/, /core and /static to core on 8080. "secure": false skips certificate verification on the upstream; set it to true once core is served over https with a valid certificate.
vi proxy.conf.json
{
  "/koko": {
    "target": "http://localhost:5000",
    "secure": false,
    "ws": true
  },
  "/media/": {
    "target": "http://localhost:8080",
    "secure": false,
    "changeOrigin": true
  },
  "/api/": {
    "target": "http://localhost:8080",
    "secure": false,
    "changeOrigin": true
  },
  "/core": {
    "target": "http://localhost:8080",
    "secure": false,
    "changeOrigin": true
  },
  "/static": {
    "target": "http://localhost:8080",
    "secure": false,
    "changeOrigin": true
  },
  "/lion": {
    "target": "http://localhost:9529",
    "secure": false,
    "pathRewrite": {
      "^/lion/monitor": "/monitor"
    },
    "ws": true,
    "changeOrigin": true
  },
  "/omnidb": {
    "target": "http://localhost:8082",
    "secure": false,
    "ws": true,
    "changeOrigin": true
  }
}
ng serve
Add --prod for a production build:
ng build --prod
ng build
The output is generated in the build directory.
vim /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
dnf makecache
dnf info nginx
dnf install -y nginx

vim /etc/nginx/conf.d/jumpserver.conf
server {
    server_name zhiqiang.cloud;
    listen 80;   # plain-http port, used only to redirect to 443; core is no longer reached on 8080
    if ($host = zhiqiang.cloud) {   # change to your domain (several separated by spaces) or comment out
        return 301 https://$host$request_uri;   # redirect http to https
    }
    return 404;   # anything else on port 80 gets a 404
}
server {
    listen 443 ssl;   # all access goes through 443 from now on, not 8080
    server_name zhiqiang.cloud;   # change to your domain or comment out
    ssl_certificate /etc/nginx/conf.d/ssl/zhiqiang.cloud.pem;   # certificate (pem) path
    ssl_certificate_key /etc/nginx/conf.d/ssl/zhiqiang.cloud.key;   # private key path; keep it readable by root only
    ssl_session_timeout 5m;   # session cache lifetime
    ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1 and TLSv1.1 are deprecated; do not offer them
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;   # cipher list
    ssl_prefer_server_ciphers on;   # prefer the server's cipher order
    client_max_body_size 100m;   # size limit for session recordings and file uploads
    # Luna
    location /luna/ {
        proxy_pass http://luna:4200;