jumpServer bastion machine notes

Bastion host concept


Bastion host operations and maintenance principles

  • Auditing is only an after-the-fact measure: it can reveal problems and who was responsible, but it cannot prevent them from happening.
  • Only strict controls applied in advance can stop server misoperation incidents at the source.
  • The bastion host can create system accounts. A system account serves to distinguish roles, but on its own it cannot tell you which person actually executed an action.

The role of the bastion host

Enterprises need newer, better and more secure approaches to managing server operations and maintenance. They need a system that covers role management, role authorization, access control over information resources, operation recording and auditing, and control of system changes and maintenance, and that can also produce server asset statistics reports and similar functions: an IT bastion host.

  1. Core system operations and maintenance with security audit management.
  2. Filtering and intercepting illegal access requests and malicious attacks, rejecting unauthorized commands, monitoring and auditing ports, raising alarms and tracing responsibility.
  3. Alarming, recording, analysis and handling.

Bastion host core functions

  1. Single sign-on functionality
  2. Account management
  3. Authentication
  4. Resource authorization
  5. Access control
  6. Operational audit

Application scenarios for bastion hosts

  1. Multiple users sharing the same account
  2. One user using multiple accounts
  3. Without a unified authorization management platform, fine-grained command authority control is difficult to achieve.
  4. With traditional network equipment, the remote connection commands of operations staff cannot be encrypted or audited.

An enterprise perspective on bastion hosts

Through finer-grained management of enterprise IT assets and equipment, the bastion host ensures the safe and reliable operation of those assets, reduces the risk of human operational error, and protects enterprise resources and funds.


A management perspective on the bastion host

Operations staff only need to remember the bastion host's account and password. After logging in once they can quickly access multiple managed devices without remembering a separate password for each, which improves efficiency while keeping operations safe and services available.


Compile and install the jumpServer bastion host


Install dependency packages

# packages needed for system initialisation
yum install -y bash-completion vim lrzsz wget expect net-tools nc nmap tree dos2unix htop iftop iotop unzip telnet sl psmisc nethogs glances bc openldap-devel gcc

# environment needed to run jumpserver
yum install -y git python-pip gcc automake autoconf python-devel vim sshpass lrzsz readline-devel gettext

Install the compilation environment

# compilation environment
yum install -y cairo-devel libjpeg-turbo-devel libjpeg-devel libpng-devel libtool uuid-devel

# optional dependencies
yum install -y freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel libwebsockets-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel

Install video recording plug-in

# install the FFmpeg tool, used for bastion host session recording
## install the epel repository
yum install -y epel-release

## install the nux-dextop repository
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm

## install the ffmpeg package, used for screen recording and playback
yum install -y ffmpeg ffmpeg-devel

Unpack, compile and install jumpServer

jumpServer community version download address: https://community.fit2cloud.com/#/products/jumpserver/downloads

# unpack into /opt
tar -xf jumpserver-offline-installer-v2.28.8-amd64-7.tar.gz -C /opt

# cd into the jumpServer directory
cd /opt/jumpserver-offline-installer-v2.28.8-amd64-7

Modify the jumpServer configuration file

# modify the configuration template as needed; entries whose purpose is unclear can be left alone
cat config-example.txt

Official reference configuration: https://docs.jumpserver.org/zh/master/install/setup_by_fast/#_6

# If the settings below are left empty, the system generates random strings for them
## For a migration, set SECRET_KEY and BOOTSTRAP_TOKEN to the original values
## Full parameter reference: https://docs.jumpserver.org/zh/master/admin-guide/env/

## Docker image mirror
# DOCKER_IMAGE_MIRROR=1

## Installation settings
VOLUME_DIR=/opt/jumpserver
SECRET_KEY=
BOOTSTRAP_TOKEN=
LOG_LEVEL=ERROR

## MySQL settings; when using an external database, enter the correct MySQL details
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
DB_PASSWORD=
DB_NAME=jumpserver

## Redis settings; when using an external database, enter the correct Redis details
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=

# Subnet used by the JumpServer containers; must not conflict with existing networks, adjust as needed
DOCKER_SUBNET=192.168.250.0/24

## IPv6 settings: whether the containers enable IPv6 NAT; USE_IPV6=1 enables it, with 0 the DOCKER_SUBNET_IPV6 definition has no effect
USE_IPV6=0
DOCKER_SUBNET_IPV6=fc00:1010:1111:200::/64

## Access settings
HTTP_PORT=80
SSH_PORT=2222
RDP_PORT=3389
MAGNUS_PORTS=30000-30100

## HTTPS settings, see https://docs.jumpserver.org/zh/master/admin-guide/proxy/
# HTTPS_PORT=443
# SERVER_NAME=your_domain_name
# SSL_CERTIFICATE=your_cert
# SSL_CERTIFICATE_KEY=your_cert_key

## Nginx upload size limit
CLIENT_MAX_BODY_SIZE=4096m

## Task settings: whether to start the jms_celery container; must be enabled on a single node
USE_TASK=1

# Core settings, session definition: SESSION_COOKIE_AGE is the idle time in seconds before the session expires; SESSION_EXPIRE_AT_BROWSER_CLOSE=True expires the session when the browser is closed
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=True

# Koko, Lion and XRDP component settings
CORE_HOST=http://core:8080
JUMPSERVER_ENABLE_FONT_SMOOTHING=True

## Identify the terminal by the host's HOSTNAME
SERVER_HOSTNAME=${HOSTNAME}

# Extra settings
CURRENT_VERSION=
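A pre-install check for the configuration template above, added here as an example (it is not part of the JumpServer project or of the original notes). It reads the config text and prints one warning per setting a reviewer would flag before running the installer: an empty DB_PASSWORD or REDIS_PASSWORD, DB_USER left as root, HTTPS_PORT not set, and sessions that do not expire when the browser closes. The key names are the ones from the template; the sample configuration embedded in the script is constructed, not a real deployment.

```shell
#!/bin/sh
# Added example, not JumpServer's own tooling: lint a config.txt before install.
# Usage on a real file: lint_jms_config "$(cat /opt/jumpserver-offline-installer-v2.28.8-amd64-7/config.txt)"

# Print the value of key $2 from config text $1 (last uncommented assignment wins,
# commented-out lines such as "# HTTPS_PORT=443" are ignored).
cfg_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# Print one WARN line per finding on stdout (INFO lines go to stderr);
# exit status 0 when there are no findings, 1 otherwise.
lint_jms_config() {
    conf="$1"
    n=0
    # Empty SECRET_KEY/BOOTSTRAP_TOKEN are generated on first install, but a
    # migration must reuse the original values or existing encrypted data is lost.
    for key in SECRET_KEY BOOTSTRAP_TOKEN; do
        if [ -z "$(cfg_get "$conf" "$key")" ]; then
            echo "INFO: $key is empty; the installer will generate one (keep it for migrations)" >&2
        fi
    done
    # A MySQL or Redis reachable without a password is an open door, above all when external.
    for key in DB_PASSWORD REDIS_PASSWORD; do
        if [ -z "$(cfg_get "$conf" "$key")" ]; then
            echo "WARN: $key is empty; set a password, especially for an external database"
            n=$((n + 1))
        fi
    done
    # The database init step creates a dedicated 'jumpserver' account; root should not be used.
    if [ "$(cfg_get "$conf" DB_USER)" = "root" ]; then
        echo "WARN: DB_USER is root; use the dedicated jumpserver database account"
        n=$((n + 1))
    fi
    # Without HTTPS_PORT the web console, and the credentials typed into it, travel in clear text.
    if [ -z "$(cfg_get "$conf" HTTPS_PORT)" ]; then
        echo "WARN: HTTPS_PORT is not set; the web console will be served over plain HTTP"
        n=$((n + 1))
    fi
    # Sessions that survive a closed browser are a risk on shared operator workstations.
    if [ "$(cfg_get "$conf" SESSION_EXPIRE_AT_BROWSER_CLOSE)" != "True" ]; then
        echo "WARN: SESSION_EXPIRE_AT_BROWSER_CLOSE is not True"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample config (not a real deployment) for a dry run.
sample_config() {
    cat <<'EOF'
VOLUME_DIR=/opt/jumpserver
SECRET_KEY=
BOOTSTRAP_TOKEN=
DB_HOST=db.example.internal
DB_PORT=3306
DB_USER=root
DB_PASSWORD=
REDIS_HOST=redis
REDIS_PASSWORD=constructed-redis-secret
# HTTPS_PORT=443
SESSION_EXPIRE_AT_BROWSER_CLOSE=True
EOF
}

# Dry run against the sample: expect three WARN lines (DB_PASSWORD, DB_USER, HTTPS_PORT).
if lint_jms_config "$(sample_config)"; then
    echo "config OK"
else
    echo "fix the warnings above before running the installer"
fi
```

Run it against the real config.txt before `./jmsctl.sh install` or whichever installer step you use; the INFO lines are informational only, the WARN lines are the ones that change the exit status.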

Configure the database

https://docs.jumpserver.org/zh/master/install/setup_by_fast/#_3


Install MySQL and Redis

Install mysql: https://blog.csdn.net/omaidb/article/details/120082063
Install redis: https://blog.csdn.net/omaidb/article/details/120424937


Initialize the database

-- create the database that holds jumpserver's user information
create database jumpserver default charset 'utf8' collate 'utf8_bin';

-- create the user and set its password
create user 'jumpserver'@'%' IDENTIFIED BY '<password>';

-- grant the user access to the database
-- (MySQL 5.7 syntax; on MySQL 8.0 drop the IDENTIFIED BY clause, since GRANT can no longer create or alter users)
grant all privileges on jumpserver.* to 'jumpserver'@'%' IDENTIFIED by '<same password as above>';

-- reload the privilege tables
flush privileges;

Configure nginx

# install nginx
yum install -y nginx

# remove nginx's default server block (lines 38-58 of the stock nginx.conf)
sed -i '38,58d' /etc/nginx/nginx.conf

The nginx configuration is as follows:

# number of worker processes, usually set equal to the number of CPUs
worker_processes 1;

# event model and connection limit
events {
    # maximum number of concurrent connections per worker process
    worker_connections 1024;
}

server {
    # listen on port 80
    listen 80;
    # upload size limit (bastion host session recordings and file uploads)
    client_max_body_size 100m;

    # UI requests
    ## a location block is the routing action for a request path
    location /ui/ {
        # try the matching file, otherwise fall back to index.html in the root
        try_files $uri / /index.html;
        # alias: map the request to the /opt/lina/ directory
        alias /opt/lina/;
    }

    # Luna requests
    location /luna/ {
        # try the matching file, otherwise fall back to index.html in the root
        try_files $uri / /index.html;
        # alias: map the request to the /opt/luna/ directory
        ## luna path; change this if the install directory changes
        alias /opt/luna/;
    }

    # media file requests
    location /media/ {
        # add the Content-Encoding header, enabling gzip compression
        add_header Content-Encoding gzip;
        # root: map the request to the /opt/jumpserver/data/ directory
        # recording location; change this if the install directory changes
        root /opt/jumpserver/data/;
    }

    # static resource requests
    location /static/ {
        # root: map the request to the /opt/jumpserver/data/ directory
        # static resources; change this if the install directory changes
        root /opt/jumpserver/data/;
    }

    # Koko requests
    location /koko/ {
        # proxy the request to http://localhost:5000
        proxy_pass http://localhost:5000;
        # disable proxy buffering
        proxy_buffering off;
        # use HTTP/1.1
        proxy_http_version 1.1;
        # Upgrade header
        proxy_set_header Upgrade $http_upgrade;
        # Connection header
        proxy_set_header Connection "Upgrade";
        # X-Real-IP header
        proxy_set_header X-Real-IP $remote_addr;
        # Host header
        proxy_set_header Host $host;
        # X-Forwarded-For header
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # disable access logging
        access_log off;
    }

    # Guacamole requests
    location /guacamole/ {
        # proxy the request to http://localhost:8081/
        proxy_pass http://localhost:8081/;
        # disable proxy buffering
        proxy_buffering off;
        # use HTTP/1.1
        proxy_http_version 1.1;
        # Upgrade header
        proxy_set_header Upgrade $http_upgrade;
        # Connection header
        proxy_set_header Connection $http_connection;
        # X-Real-IP header
        proxy_set_header X-Real-IP $remote_addr;
        # Host header
        proxy_set_header Host $host;
        # X-Forwarded-For header
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # disable access logging
        access_log off;
    }

    # WebSocket requests
    location /ws/ {
        # X-Real-IP header
        proxy_set_header X-Real-IP $remote_addr;
        # Host header
        proxy_set_header Host $host;
        # X-Forwarded-For header
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy the request to http://localhost:8070
        proxy_pass http://localhost:8070;
        # use HTTP/1.1
        proxy_http_version 1.1;
        # disable proxy buffering
        proxy_buffering off;
        # Upgrade header
        proxy_set_header Upgrade $http_upgrade;
        # Connection header
        proxy_set_header Connection "upgrade";
    }

    # API requests
    location /api/ {
        # proxy the request to http://localhost:8080
        proxy_pass http://localhost:8080;
        # X-Real-IP header
        proxy_set_header X-Real-IP $remote_addr;
        # Host header
        proxy_set_header Host $host;
        # X-Forwarded-For header
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # core requests
    location /core/ {
        # proxy the request to http://localhost:8080
        proxy_pass http://localhost:8080;
        # X-Real-IP header
        proxy_set_header X-Real-IP $remote_addr;
        # Host header
        proxy_set_header Host $host;
        # X-Forwarded-For header
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # default request handling
    location / {
        # rewrite the URL, sending every other request under /ui/
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
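The reverse-proxy blocks above are easy to get subtly wrong: a `proxy_pass` without the `http://` scheme is rejected by nginx at startup, a directive missing its trailing `;` breaks the parse, and a WebSocket location that sets the `Upgrade` header without `proxy_http_version 1.1` or a `Connection` header makes the Koko and Guacamole terminals hang. `nginx -t` is the authoritative check; the script below is an added example (not part of the JumpServer project or its documented configuration) that reads a config from stdin and reports those three classes of mistake per location block, so the reason is visible before `nginx -t` fails. The config embedded as a sample is constructed; a multi-line directive would be reported as a missing `;`, which is a known limit of this line-based check.

```shell
#!/bin/sh
# Added example, not JumpServer's own tooling: lint the reverse-proxy locations of
# an nginx config. Usage on a live file: nginx_proxy_lint < /etc/nginx/nginx.conf

# Reads nginx config on stdin, prints one finding per line, exits 1 if any were found.
nginx_proxy_lint() {
    awk '
        # a new location block resets the per-block state
        /^[ \t]*location[ \t]/ { loc = $2; pass = ""; up = 0; ver = 0; conn = 0; next }
        /^[ \t]*#/ { next }                               # skip comment lines
        # every directive inside a location must end with ";" (or open/close a block)
        loc != "" && /^[ \t]*[a-z_]+[ \t]/ && !/[;{}][ \t]*$/ {
            print loc ": line " NR " is missing its terminating \";\""; n++
        }
        loc != "" && /^[ \t]*proxy_pass[ \t]/ { pass = $2; sub(/;$/, "", pass) }
        loc != "" && /^[ \t]*proxy_set_header[ \t]+Upgrade[ \t]/ { up = 1 }
        loc != "" && /^[ \t]*proxy_set_header[ \t]+Connection[ \t]/ { conn = 1 }
        loc != "" && /^[ \t]*proxy_http_version[ \t]+1\.1/ { ver = 1 }
        loc != "" && /^[ \t]*}/ {
            # "http:localhost:8070" (no //) is rejected by nginx with "invalid URL prefix";
            # a leading $ means the upstream comes from a variable and is left alone
            if (pass != "" && pass !~ /^https?:\/\/|^\$/) {
                print loc ": proxy_pass \"" pass "\" has no http:// or https:// scheme"; n++
            }
            # a WebSocket upgrade needs HTTP/1.1 and an explicit Connection header
            if (up && !ver) { print loc ": Upgrade header set but proxy_http_version 1.1 is missing"; n++ }
            if (up && !conn) { print loc ": Upgrade header set but no Connection header"; n++ }
            loc = ""
        }
        END { exit (n > 0) }
    '
}

# Constructed sample: one correct WebSocket location, one with the three mistakes, one plain API proxy.
sample_nginx_conf() {
    cat <<'EOF'
server {
    listen 80;
    # fine: scheme, HTTP/1.1 and Connection header all present
    location /koko/ {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
    # broken: no scheme, no proxy_http_version, one directive without ";"
    location /ws/ {
        proxy_pass http:localhost:8070;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr
    }
    location /api/ {
        proxy_pass http://localhost:8080;
    }
}
EOF
}

# Dry run: the three findings all point at /ws/.
if sample_nginx_conf | nginx_proxy_lint; then
    echo "no findings"
fi
```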

Start the bastion host

# 1. start the databases, mysql and redis
systemctl enable --now mysqld redis

# 2. activate the python virtual environment and start jms
jms start -d

# 3. start koko
koko -d

# 4. start guacd
guacd start

# 5. start tomcat
bash /opt/tomcat/bin/startup.sh

# 6. start the web server
nginx

Add firewall rules to the target machine

# only allow SSH logins from the jumpServer bastion host's IP; reject every other machine
## allow the bastion host first, then reject everything else; the order must not be reversed
## this is usually configured in the cloud security group rather than in iptables
## 1. allow the specified machine to connect over SSH; -I inserts at the top of the chain, so it has the highest priority and the order must not be reversed
iptables -I INPUT -s <bastion_host_ip> -p tcp --dport 22 -j ACCEPT
## 2. reject SSH connections from all other machines
iptables -A INPUT -p tcp --dport 22 -j REJECT
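The order of those two rules is the whole point: if the catch-all REJECT ends up above the ACCEPT (for example because both were added with `-A`, or a later script re-inserted the REJECT at the top), the bastion host itself is locked out of every managed server at once. The check below is an added example, not part of the original notes: it reads the output of `iptables -S INPUT` and confirms that an ACCEPT for the bastion's source address on tcp/22 exists and sits above any unrestricted REJECT or DROP on tcp/22. The two rule listings embedded in it are constructed, with 10.0.0.5 standing in for the bastion host IP.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify the SSH allow-list order on a
# managed host. Live use (needs root): iptables -S INPUT | ssh_rule_order_ok <bastion_host_ip>

# $1 = bastion host IP; rules in `iptables -S INPUT` format on stdin.
# Exit 0 when the ACCEPT precedes the catch-all REJECT (or no REJECT exists yet), 1 otherwise.
ssh_rule_order_ok() {
    awk -v ip="$1" '
        # ACCEPT for the bastion source on dport 22 (iptables -S prints a /32 mask for hosts)
        /^-A INPUT / && /--dport 22( |$)/ && /-j ACCEPT/ &&
            (index($0, "-s " ip "/32 ") || index($0, "-s " ip " ")) { if (!acc) acc = NR }
        # catch-all REJECT or DROP on dport 22 with no source restriction
        /^-A INPUT / && /--dport 22( |$)/ && /-j (REJECT|DROP)/ && !/ -s / { if (!rej) rej = NR }
        END {
            if (!acc) { print "no ACCEPT rule for " ip " on tcp/22"; exit 1 }
            if (rej && rej < acc) {
                print "REJECT on line " rej " comes before ACCEPT on line " acc "; the bastion host would be locked out"
                exit 1
            }
            tail = rej ? ", catch-all REJECT on line " rej : ", no catch-all REJECT yet"
            print "ok: ACCEPT for " ip " on line " acc tail
            exit 0
        }
    '
}

# Constructed sample listings (not from a real host); 10.0.0.5 stands in for the bastion IP.
# Correct order, as produced by the -I / -A pair in the notes above.
sample_rules_good() {
    printf '%s\n' \
        '-P INPUT ACCEPT' \
        '-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable'
}
# Reversed order, as produced when both rules are appended with -A: the ACCEPT is never reached.
sample_rules_bad() {
    printf '%s\n' \
        '-P INPUT ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable' \
        '-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT'
}

# Dry run on both samples.
sample_rules_good | ssh_rule_order_ok 10.0.0.5
sample_rules_bad | ssh_rule_order_ok 10.0.0.5 || echo "(expected failure for the reversed order)"
```

Because iptables matches top to bottom and stops at the first terminating target, the check only cares about relative line numbers in the `-S` listing; it deliberately ignores the chain policy line (`-P INPUT ...`) and any rule with a different destination port.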


Source: blog.csdn.net/omaidb/article/details/131941399