Deployment and asset management with the JumpServer open source bastion host
The main function of a bastion host is auditing: it records the operations of maintenance staff (who logged in, under which identity, when, on which device, what operations were performed, what results were returned, and when they logged out).
Environmental preparation
1. VMware
2. CentOS 7.9.2009 (for deploying and installing the JumpServer bastion host)
3. Network in NAT mode, with the yum source configured (steps omitted)
4. Firewall and SELinux disabled
5. In addition, two or more spare virtual machines should be prepared so that asset devices can be added later. This article prepares one RHEL 8.2 host and one Windows 10 host.
1 One-click deployment of JumpServer
Note: this command may not complete successfully on the first run; simply run it again until it does.
curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.23.0/quick_start.sh | bash
Wait for the installation to complete:
If an error occurs while initializing the database:
press CTRL+Z to stop the script, then run
service docker restart # docker must be restarted because the firewall was stopped after docker came up
2 Configure the JumpServer source
cd /opt/jumpserver/config/
vim config.txt
Configure the port number to 8080:
3 Configure Nginx source
vi /etc/yum.repos.d/nginx.repo
Add the following content and save the file:
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
4 Reload the yum source:
yum repolist
5 Install Nginx
yum install nginx -y
6 Start Nginx
systemctl enable nginx --now
If the service fails to start, check the error in /var/log/nginx/error.log.
The figure above shows that port 80 is already in use: run ps -ef | grep 80 to find the process occupying port 80, then end it with kill -9 <process ID>.
7 Configure the reverse proxy:
mv /etc/nginx/conf.d/default.conf /root
vi /etc/nginx/conf.d/jumpserver.conf
# Add the following content and save the file
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
ssl_certificate cert/server.crt; # supply your own certificate
ssl_certificate_key cert/server.key; # supply your own private key
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.1 TLSv1.2; # note: TLSv1.1 is deprecated (RFC 8996); drop it unless a legacy client requires it
add_header Strict-Transport-Security "max-age=63072000" always;
client_max_body_size 5000m; # size limit for session recordings and file uploads
location / {
proxy_pass http://192.168.111.100:8080; # set to the JumpServer server IP
proxy_http_version 1.1;
proxy_buffering off;
proxy_request_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
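A small audit script for the jumpserver.conf above, added here as an example that is not part of the original guide or of the JumpServer project. It checks the settings the bastion depends on: no legacy TLS versions, HSTS present, port 80 only redirecting, and the X-Real-IP / X-Forwarded-For headers set so that the audit log records the operator's real address rather than the proxy's. The sample_conf() content is a constructed copy of the guide's server blocks; run audit_nginx_conf against the real /etc/nginx/conf.d/jumpserver.conf before step 9.

```shell
#!/usr/bin/env bash
# Audit helper for the reverse-proxy block used in this guide.
# Usage: audit_nginx_conf /etc/nginx/conf.d/jumpserver.conf

# Constructed sample that mirrors the guide's server blocks (not a real file).
sample_conf() {
  cat <<'EOF'
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        proxy_pass http://192.168.111.100:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
}

# Prints one finding per line; returns 0 when clean, 1 when anything was flagged.
audit_nginx_conf() {
  f="$1"; rc=0
  # 1. Legacy protocol versions: SSLv3, TLSv1.0 and TLSv1.1 should not be offered.
  if grep -E '^[[:space:]]*ssl_protocols' "$f" | grep -Eq 'SSLv3|TLSv1([[:space:];]|\.1)'; then
    echo "WEAK: ssl_protocols offers SSLv3/TLSv1.0/TLSv1.1"; rc=1
  fi
  # 2. HSTS keeps browsers from falling back to the plain-HTTP listener.
  if ! grep -q 'Strict-Transport-Security' "$f"; then
    echo "MISSING: Strict-Transport-Security header"; rc=1
  fi
  # 3. Port 80 must only redirect, never serve the web console in clear text.
  if grep -Eq '^[[:space:]]*listen[[:space:]]+80;' "$f" && ! grep -q 'return 301 https://' "$f"; then
    echo "WEAK: port 80 served without redirect to HTTPS"; rc=1
  fi
  # 4. Without these headers the bastion audit log records the proxy's own
  #    address instead of the operator's, defeating the "who" in the audit.
  for h in X-Real-IP X-Forwarded-For; do
    grep -q "proxy_set_header $h" "$f" || { echo "MISSING: proxy_set_header $h"; rc=1; }
  done
  return $rc
}
```

On the guide's config the only finding is the TLSv1.1 entry; removing it from ssl_protocols makes the audit pass.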
8 Copy the certificate to the /etc/nginx/cert directory
mkdir /etc/nginx/cert
cp -rf /opt/jumpserver/config/nginx/cert/* /etc/nginx/cert/
9 Start Nginx
systemctl restart nginx
10 Start JumpServer
cd /opt/jumpserver-installer-v2.23.0/
./jmsctl.sh start
11 Log in to JumpServer
Enter http://192.168.111.100:8080 in the browser to log in.
User name: admin
Initial password: admin
You will be prompted to change the password after logging in.
12 Create user
12.1 Create two user groups "RHEL8.2" and "Win10".
12.2 Create two users with the user type "normal user":
"Shass-rhel" is used to log in to RHEL 8.2; "Shass-Admin" is used to log in to Windows 10.
12.3 Create System User
12.3.1 Privileged users
12.3.2 Ordinary users
13 Create assets
13.1 Create asset tree
13.2 Create assets
13.2.1 Connection Test
Click on the hostname:
13.3 Asset Authorization
14 User login
14.1 Log in to the web console as Shass-rhel
14.1.2 View personal assets
You can see that the asset has been assigned to the user successfully.
14.1.3 Log in to the asset device
You can log in through the >_ icon under Actions, or through the web terminal on the left:
Enter the login password of the RHEL 8.2 device to log in to it remotely:
If the login fails, try restarting JumpServer.
14.2 Log in to the web console as Shass-Admin
14.2.1 View personal assets
14.2.2 Log in to the asset device
Set JumpServer to start automatically at boot:
vim /etc/profile # append the following line at the end of the file
/usr/bin/bash /opt/jumpserver-installer-v2.23.0/jmsctl.sh start
Reboot to test:
It starts successfully.
The above is the process of deploying the JumpServer open source bastion host and adding assets to it. For further instructions, please visit the official website.
Thanks for reading!