
Day 21: JumpServer configuration and setup

1. Overview of bastion hosts

What is a bastion host?

A bastion host is a security appliance or server used to protect an internal network; it is typically used to manage and audit access to internal servers. It acts as an intermediate point that controls and records how external users access internal resources. A bastion host usually manages remote connections through secure protocols such as SSH or RDP, so ports do not have to be opened directly to the outside, which improves security.

Bastion host vs. jump host

"Bastion host" and "jump host" are two common security terms. Although they overlap in some contexts, there is a subtle difference between them:

  • Bastion host: the central security point used to manage and control access to the internal network. It does not merely provide access; it also records all access behaviour (logs) and monitors every incoming connection, for security auditing and management.
  • Jump host: more of a temporary intermediate server that helps users reach other servers. A jump host usually just acts as a "hop" used to connect to other target machines.

In short, a jump host emphasises connectivity, whereas a bastion host focuses on security management and auditing.

JumpServer (an implementation of a jump host, which can equally be called a bastion host implementation)

JumpServer is an open-source bastion host. It provides a convenient interface for managing user access, recording login activity, controlling permissions and more. JumpServer supports several protocols, such as SSH, RDP and VNC, and helps organisations centralise access control.

Features of JumpServer:

  • Centralised management: every remote connection goes through JumpServer, which makes central management and auditing easy.
  • Security: two-factor authentication, encrypted transport and access control strengthen the security of remote access.
  • Log auditing: every user operation can be recorded, which makes auditing and tracing possible.
  • Permission management: fine-grained permissions based on user roles ensure that only authorised users can reach specific resources.

Characteristics

For a beginner, these are the main characteristics of a bastion host:

  • Unified access management: the bastion host is a single access-management platform that controls access to many servers, so the login entry point of each individual server is not exposed directly.
  • Strong permission control: through the bastion host you can give each user different permissions and control which servers they may reach and which commands they may run.
  • Security auditing: the bastion host records every user's login and operation logs, helping the organisation audit security and spot potential risks.
  • Improved security: all external access passes through strict authentication, encrypted transport and similar measures, reducing the attack surface.
  • Simplified administration: centralising all remote access makes IT administration more efficient and easier to monitor and control.

2. Installing the bastion host

https://docs.jumpserver.org/zh/v4/installation/setup_linux_standalone/requirements/

Environment preparation

Virtual machine requirements

IP address           Hostname        Requirements                    Server role
192.168.28.147/24    jumper          2 CPU, 4 GB RAM, 40 GB disk     Bastion host
192.168.28.148/24    server/mysql    1 CPU, 1 GB RAM, 20 GB disk     Asset server

Set the hostname: hostnamectl set-hostname <permanent hostname>; afterwards run su to refresh the shell so the new name is picked up.

Disable the firewall and SELinux: setenforce 0 (puts SELinux in permissive mode until the next reboot), systemctl stop firewalld (stops the firewall; the original had a typo "firewalld.server", the unit is firewalld.service).

Configure the yum repositories and the EPEL extra repository

yum install wget -y

cd /etc/yum.repos.d
mkdir bak
mv *.repo bak/
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all
yum makecache
yum install epel-release -y

Upgrade the kernel

# do this on jumper (the bastion host)
# check the current kernel (must be newer than 4.0)
uname -r
# show the full version information
uname -a

# update the repositories
yum update -y

# download the kernel rpms
wget http://mirrors.coreix.net/elrepo-archive-archive/kernel/el7/x86_64/RPMS/kernel-lt-devel-5.4.228-1.el7.elrepo.x86_64.rpm
wget http://mirrors.coreix.net/elrepo-archive-archive/kernel/el7/x86_64/RPMS/kernel-lt-headers-5.4.228-1.el7.elrepo.x86_64.rpm
wget http://mirrors.coreix.net/elrepo-archive-archive/kernel/el7/x86_64/RPMS/kernel-lt-5.4.228-1.el7.elrepo.x86_64.rpm

# install the kernel
rpm -ivh kernel-lt-5.4.228-1.el7.elrepo.x86_64.rpm
rpm -ivh kernel-lt-devel-5.4.228-1.el7.elrepo.x86_64.rpm

# confirm the installed kernels
rpm -qa | grep kernel

# list the boot entries in order
awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg
# set the default boot entry (index 0 is the first entry printed above)
grub2-set-default 0
# reboot to take effect
reboot

# check the version after the reboot
uname -r

Add a data disk

Add a 20 GB disk to the VM.

Format it: mkfs.ext4 /dev/<disk> (for example /dev/sdb)

mkdir /data

mount /dev/sdb /data (the original had "mount /dev/sdb data", which points at a relative path; this mount can be made permanent)

Taking a VM snapshot at this point is recommended.

To make the mount permanent, add an entry for /dev/sdb and /data to /etc/fstab:

vim /etc/fstab

Download and configure

Online installation - JumpServer documentation

# prerequisites
yum install -y wget curl tar gettext iptables
# download the installer package
cd /opt
wget https://resource.fit2cloud.com/jumpserver/installer/releases/download/v4.4.1/jumpserver-installer-v4.4.1.tar.gz
tar -xf jumpserver-installer-v4.4.1.tar.gz
cd jumpserver-installer-v4.4.1
# edit the configuration items
# modify the config template as needed; settings whose purpose is unclear can be left alone
cat config-example.txt
————————————————————————————————
# JumpServer configuration file example.
#
# If you don't understand the purpose, you can skip modifying this configuration file, the system will automatically fill in
# Complete parameter documentation https://docs.jumpserver.org/zh/v3/guide/env/

################################# Image Configuration #################################
#
# The connection to docker.io in China will timeout or the download speed will be slow, enable this option to use Huawei Cloud image acceleration
# Replace the old version DOCKER_IMAGE_PREFIX
#
#------------------------------------
#----------------- change this: uncomment DOCKER_IMAGE_MIRROR=1
#------------------------------------
DOCKER_IMAGE_MIRROR=1

# Image pull policy Always, IfNotPresent
# Always means that the latest image will be pulled every time, IfNotPresent means that the image will be pulled only if it does not exist locally
#
# IMAGE_PULL_POLICY=Always

############################## Installation Configuration #############################
#
# JumpServer database persistence directory, by default, recordings, task logs are in this directory
# Please modify according to the actual situation, the database file (.sql) and configuration file backed up during the upgrade will also be saved to this directory
#
#------------------------------------
#----------------- this is the data directory
#------------------------------------
VOLUME_DIR=/data/jumpserver

# Encryption key, please ensure that SECRET_KEY is consistent with the old environment when migrating, do not use special strings
# (*) Warning: Keep this value secret.
# (*) Do not disclose SECRET_KEY to anyone
#
SECRET_KEY=

# The token used by the component to register with core, please keep BOOTSTRAP_TOKEN consistent with the old environment when migrating,
# Do not use special strings
# (*) Warning: Keep this value secret.
# (*) Do not disclose BOOTSTRAP_TOKEN to anyone
#

BOOTSTRAP_TOKEN=

# Log level INFO, WARN, ERROR
#
LOG_LEVEL=ERROR

# The network segment used by the JumpServer container, please do not conflict with the existing network, modify according to the actual situation
#
DOCKER_SUBNET=192.168.250.0/24

# ipv6 nat, no need to enable under normal circumstances
# If the host does not support ipv6, enabling this option will prevent the real client ip address from being obtained
#
USE_IPV6=0
DOCKER_SUBNET_IPV6=fc00:1010:1111:200::/64

################################# DB Configuration ####################################
# For external databases, you need to enter the correct database information, the system will automatically handle the built-in database
# (*) The password part must not contain single quotes and double quotes
#
DB_ENGINE=postgresql
DB_HOST=postgresql
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=
DB_NAME=jumpserver

# If external MySQL needs to enable TLS/SSL connection, refer to https://docs.jumpserver.org/zh/v3/installation/security_setup/mysql_ssl/
#
# DB_USE_SSL=true

################################# Redis Configuration #################################
# For external Redis, please enter the correct Redis information, the system will automatically handle the built-in Redis
# (*) The password part must not contain single quotes and double quotes
#
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=

# If you are using external Redis Sentinel, please manually fill in the following content
#
# REDIS_SENTINEL_HOSTS=mymaster/192.168.100.1:26379,192.168.100.1:26380,192.168.100.1:26381
# REDIS_SENTINEL_PASSWORD=your_sentinel_password
# REDIS_PASSWORD=your_redis_password
# REDIS_SENTINEL_SOCKET_TIMEOUT=5

# If external Redis needs to enable TLS/SSL connection, refer to https://docs.jumpserver.org/zh/v3/installation/security_setup/redis_ssl/
#
# REDIS_USE_SSL=true

################################# Access Configuration ################################
# The service port provided to the outside, if it conflicts with the existing service, please modify it yourself
#
HTTP_PORT=80

################################# HTTPS Configuration #################################
# Refer to https://docs.jumpserver.org/zh/v3/installation/proxy/ for configuration
#
# HTTPS_PORT=443
# SERVER_NAME=your_domain_name
# SSL_CERTIFICATE=your_cert
# SSL_CERTIFICATE_KEY=your_cert_key
#

# Nginx file upload and download size limit
#
CLIENT_MAX_BODY_SIZE=4096m

################################# Component Configuration #############################
# Component registration use, by default, register to the core container, the cluster environment needs to be modified to the cluster vip address
#
CORE_HOST=http://core:8080
PERIOD_TASK_ENABLED=true

# Core Session definition,
# SESSION_COOKIE_AGE indicates how many seconds the session expires after idling,
# SESSION_EXPIRE_AT_BROWSER_CLOSE=true means that the session expires as soon as the browser is closed
#
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=false

# Trusted DOMAINS definition,
# Define the trusted access IP, please modify according to the actual situation, if it is a public IP, please change to the corresponding public IP,
# DOMAINS="demo.jumpserver.org:443"
# DOMAINS="172.17.200.191:80"
# DOMAINS="demo.jumpserver.org:443,172.17.200.191:80"
DOMAINS=

# Configure the components that do not need to be started, by default all components will be started, if you do not need a certain component, you can set {component name}_ENABLED to 0 to turn it off
# CORE_ENABLED=0
# CELERY_ENABLED=0
# KOKO_ENABLED=0
# LION_ENABLED=0
# CHEN_ENABLED=0
# WEB_ENABLED=0

# Lion enables font smoothing to optimize the experience
#
JUMPSERVER_ENABLE_FONT_SMOOTHING=true

################################# XPack Configuration #################################
# XPack package, invalid setting in open source version
#
SSH_PORT=2222
RDP_PORT=3389
XRDP_PORT=3390
MAGNUS_MYSQL_PORT=33061
MAGNUS_MARIADB_PORT=33062
MAGNUS_REDIS_PORT=63790
MAGNUS_POSTGRESQL_PORT=54320
MAGNUS_SQLSERVER_PORT=14330
MAGNUS_ORACLE_PORTS=30000-30030

################################## Other Configuration ################################
# The terminal uses the host HOSTNAME as the identifier, automatically generated during the first installation
#
SERVER_HOSTNAME=${HOSTNAME}

# Use built-in SLB, if the client IP address obtained by the Web page is not correct, please set USE_LB to 0
# When USE_LB is set to 1, use the configuration proxy_set_header X-Forwarded-For $remote_addr
# When USE_LB is set to 0, use the configuration proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
USE_LB=1

# The current running version number of JumpServer, automatically generated after installation and upgrade
#
TZ=Asia/Shanghai
CURRENT_VERSION=
————————————————————————————————————————————
# install
./jmsctl.sh install

# start
./jmsctl.sh start

# after installation the JumpServer configuration file is at: /opt/jumpserver/config/config.txt
cd /opt/jumpserver-installer-v4.4.1

# start
./jmsctl.sh start

# stop
./jmsctl.sh down

# uninstall
./jmsctl.sh uninstall

# help
./jmsctl.sh -h
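As an added example (not from the original post or the JumpServer project), a small Python checker for a config.txt-style file that catches the three things the template's own comments warn about: empty SECRET_KEY/BOOTSTRAP_TOKEN, quote characters in DB_PASSWORD/REDIS_PASSWORD, and a DOCKER_SUBNET that overlaps a real network (here the lab's 192.168.28.0/24). The sample config and the host network list are constructed; run check_config against /opt/jumpserver/config/config.txt after installation, when the installer should have filled the secrets in.

```python
import ipaddress

# Constructed sample in the KEY=VALUE shape of config-example.txt / config.txt.
SAMPLE_CONFIG = """\
VOLUME_DIR=/data/jumpserver
SECRET_KEY=
BOOTSTRAP_TOKEN=
DOCKER_SUBNET=192.168.28.0/24
DB_PASSWORD=pa"ss
REDIS_PASSWORD=
HTTP_PORT=80
"""
# The lab network from the table above (jumper sits in 192.168.28.0/24).
HOST_NETWORKS = ["192.168.28.0/24"]

def parse_config(text):
    """Parse KEY=VALUE lines; '#' comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def check_config(cfg, host_networks):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    # Secrets must be present once the installer has generated the file.
    for key in ("SECRET_KEY", "BOOTSTRAP_TOKEN"):
        if not cfg.get(key):
            findings.append(f"{key} is empty")
    # The template forbids single and double quotes in these passwords.
    for key in ("DB_PASSWORD", "REDIS_PASSWORD"):
        if any(q in cfg.get(key, "") for q in "'\""):
            findings.append(f"{key} contains a quote character")
    # The container subnet must not collide with a real network.
    subnet = cfg.get("DOCKER_SUBNET", "")
    if subnet:
        try:
            net = ipaddress.ip_network(subnet, strict=False)
        except ValueError:
            findings.append(f"DOCKER_SUBNET {subnet!r} is not valid CIDR")
        else:
            for host_net in host_networks:
                if net.overlaps(ipaddress.ip_network(host_net, strict=False)):
                    findings.append(f"DOCKER_SUBNET {subnet} overlaps {host_net}")
    return findings
```

Against the constructed sample it reports four findings; the template's default DOCKER_SUBNET=192.168.250.0/24 does not collide with the lab network and passes.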

Installation

./jmsctl.sh install

是否支持ipv6:n

是否需要自订持久化储存的路径?不自订将使用默认目录 /data/jumpserver? (y/n)  (默认为 n):n

是否使用外部 PostgreSQL? (y/n)  (默认为 n): n
请输入 Redis 模式? (redis/sentinel)  (默认为 redis): n
是否使用外部 Redis? (y/n)  (默认为 n): n
是否需要配置 JumpServer 对外访问端口? (y/n)  (默认为 n): n

Access

./jmsctl.sh start

Open jumper's IP address in a browser (be patient, it takes a while to come up).

Change the password: mine is ly123456 (easy to remember).

Open the ports

JumpServer FAQ - FIT2CLOUD knowledge base (check this for the exact ports)

Start the firewall: systemctl start firewalld

Ports: 80, 2222, 22, 443, 3389

firewall-cmd --zone=public --add-port=80/tcp

(Without --permanent the rule only lasts until the next firewalld reload; add --permanent and then run firewall-cmd --reload to keep it.)

Alternatively, write a service definition under /etc/firewalld/services/

Create a file there, for example jumpserver.xml, then run firewall-cmd --zone=public --add-service=jumpserver --permanent (the service name is the XML file name without .xml) followed by firewall-cmd --reload. The original file had a typo in the XML declaration (encodinf), used a non-existent <prot> element, and placed <short> and <description> outside <service>; the corrected file:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>jumpserver Service</short>
  <description>Inbound rule for jumpServer service.</description>
  <port protocol="tcp" port="22"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="2222"/>
  <port protocol="tcp" port="33060"/>
  <port protocol="tcp" port="54320"/>
  <port protocol="tcp" port="63790"/>
  <port protocol="tcp" port="3389"/>
</service>
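As an added example (not part of the original post or of JumpServer) that ties the config file to this firewall section: derive the TCP ports JumpServer listens on from a parsed config.txt and render a well-formed firewalld service file, with short, description and every port element inside <service>, plus a read-back check. The config dict is constructed from values in the listing above; MAGNUS_ORACLE_PORTS shows that a range such as 30000-30030 is emitted as a single port element, which firewalld accepts.

```python
import xml.etree.ElementTree as ET

# config.txt keys (from config-example.txt on this page) whose values are listening ports.
PORT_KEYS = ("HTTP_PORT", "HTTPS_PORT", "SSH_PORT", "RDP_PORT", "XRDP_PORT",
             "MAGNUS_MYSQL_PORT", "MAGNUS_MARIADB_PORT", "MAGNUS_REDIS_PORT",
             "MAGNUS_POSTGRESQL_PORT", "MAGNUS_SQLSERVER_PORT", "MAGNUS_ORACLE_PORTS")

# Constructed from the values in the config listing above; unset keys are simply absent.
SAMPLE_CFG = {"HTTP_PORT": "80", "SSH_PORT": "2222", "RDP_PORT": "3389",
              "MAGNUS_POSTGRESQL_PORT": "54320", "MAGNUS_ORACLE_PORTS": "30000-30030"}

def valid_port_spec(spec):
    """Accept a single port '80' or a range '30000-30030', each within 1..65535."""
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(1 <= n <= 65535 for n in nums) and nums[0] <= nums[-1]

def jumpserver_ports(cfg, extra=("22",)):
    """Collect the TCP ports/ranges to open; 22 (the host's own sshd) is added by default."""
    ports = set(extra)
    for key in PORT_KEYS:
        value = cfg.get(key, "").strip()
        if value:
            ports.add(value)
    return sorted(ports, key=lambda p: int(p.split("-")[0]))

def firewalld_service_xml(ports, name="jumpserver"):
    """Render /etc/firewalld/services/<name>.xml with every element inside <service>."""
    service = ET.Element("service")
    ET.SubElement(service, "short").text = f"{name} Service"
    ET.SubElement(service, "description").text = f"Inbound rule for the {name} service."
    for spec in ports:
        if not valid_port_spec(spec):
            raise ValueError(f"bad port spec: {spec}")
        ET.SubElement(service, "port", protocol="tcp", port=spec)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(service, encoding="unicode")

def service_ports(xml_text):
    """Read back (protocol, port) pairs from a service file; [] if the root is not <service>."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        return []
    return [(p.get("protocol"), p.get("port")) for p in root.findall("port")]
```

Write the returned string to /etc/firewalld/services/jumpserver.xml, then add the service with --permanent and reload as described above.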

Troubleshooting

JumpServer FAQ - FIT2CLOUD knowledge base

3. Using the bastion host

Quick start - JumpServer documentation

JumpServer [basic usage tutorial] - CSDN blog


http://www.kler.cn/a/416839.html
