Command auditing + authentication: open-source and cloud bastion hosts (jump servers)

20180903 chenxin

Auditing command execution on a local Linux system

20190803 chenxin
References
https://my.oschina.net/nikoF/blog/2873307  recording command history on a single local host
https://www.ibm.com/developerworks/cn/linux/l-lo-use-space-audit-tool/index.html  auditd, the Linux user-space audit tool
For the same thing across a fleet of hosts, see the bastion host (jump server) section and the cloud-platform bastion products below, which provide unified authentication together with command-history auditing.
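For the single-host case above, here is an added POSIX shell example (not from the original post or from either reference). It takes a bash history file written with HISTTIMEFORMAT set (bash then stores a "#<epoch>" line in front of each command) and turns it into one auditable line per command, with a REVIEW flag on commands an auditor would look at first. The sample history is constructed for the demo, the user name is passed in by the caller because the history file itself does not record it, and the watch-list of flagged commands is an illustrative choice, not a standard.

```sh
#!/bin/sh
# Added example: normalise a timestamped bash history file into audit lines.
# Output format (tab separated): <time> <user> <flag> <command>
#   time = ISO-8601 UTC from the preceding "#<epoch>" line, or "-" if none
#   flag = REVIEW for commands on the illustrative watch-list, else "-"

# Convert an epoch to ISO-8601 UTC (GNU date first, then BSD date, else raw).
epoch_to_iso() {
    date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
        || date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
        || printf '%s\n' "$1"
}

# audit_history FILE USER: one line per recorded command.
audit_history() {
    awk -v user="$2" '
        BEGIN { watch = "(sudo|su|chmod|chown|useradd|usermod|passwd|visudo|iptables|history|unset HISTFILE)" }
        /^#[0-9]+$/ { ts = substr($0, 2); next }   # timestamp line written by bash
        NF == 0     { next }                         # skip empty lines
        {
            flag = "-"
            # privilege changes, account edits, firewall edits, history tampering
            if ((" " $0 " ") ~ ("[ ;|&]" watch "[ ;|&]")) flag = "REVIEW"
            printf "%s\t%s\t%s\t%s\n", (ts == "" ? "-" : ts), user, flag, $0
            ts = ""
        }' "$1" |
    while IFS="$(printf '\t')" read -r ts user flag cmd; do
        if [ "$ts" != "-" ]; then ts=$(epoch_to_iso "$ts"); fi
        printf '%s\t%s\t%s\t%s\n' "$ts" "$user" "$flag" "$cmd"
    done
}

# Constructed sample (not a real history): bash format with HISTTIMEFORMAT set,
# plus one command that was recorded without a timestamp.
write_sample_history() {
    cat > "$1" <<'EOF'
#1567000000
cd /opt/jumpserver
#1567000012
sudo systemctl restart nginx
ls -la
#1567000100
history -c
EOF
}

# Demo run on the constructed sample, attributed to user "ops".
sample=$(mktemp) && write_sample_history "$sample" && audit_history "$sample" ops && rm -f "$sample"
```

On a real host, point audit_history at a copy of the user's ~/.bash_history; the review flag is only a triage aid, since a user who can edit the file can also remove entries, which is exactly why the rest of this page moves the recording onto a bastion host.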

Bastion host / jump server recommendations

As things stand there is no better alternative. The bastion-host-related material follows.

Bastion host classification

  • Open-source bastion hosts
    CrazyEye, Teleport, Jumpserver, GateOne, and the Qilin (麒麟, "unicorn") open-source bastion host.
    Price: free

  • Traditional hardware bastion hosts
    Vendors such as Qizhi, Royal Divine, NSFOCUS (Green League Technology), Polar Security, Founder Security, Jebsen Century and so on.
    Price: from the low hundreds of thousands up to more than a million CNY

  • Cloud bastion hosts
    Built on a cloud platform, a cloud bastion host improves on the hardware product in resources, interactivity, ease of use, cost, maintenance effort and security, and in particular removes the single point of failure.
    It provides multi-dimensional control and auditing of operations work, so administrators get centralized management of access permissions and fine-grained auditing across many kinds of cloud resources.
    Current products include Anheng Cloud (安恒云), Xingyun Guanjia (行云管家) and Yun Xiazi (云匣子); their main functions are similar, with different strengths and focus.
    Price: hundreds to thousands (CNY) per month

  • AWS option
    AWS Systems Manager, formerly "Amazon EC2 Systems Manager" and "Amazon Simple Systems Manager".
    Systems Manager added Session Manager, a bastion-like feature: you can log in to an EC2 instance without opening port 22 or 3389, and session logs can be kept for auditing. It is free.
    http://docs.amazonaws.cn/en_us/systems-manager/latest/userguide/what-is-session-manager.html
    https://amazonaws-china.com/cn/blogs/china/replacing-a-bastion-host-with-amazon-ec2-systems-manager/

  • Aliyun (Alibaba Cloud) option
    USMShell https://help.aliyun.com/knowledge_detail/91092.html  As of 2019/09/02 the service is open only to China-region (domestic) accounts, not to international accounts.

  • Overall, a more expensive bastion host is not automatically the better one; choose according to real needs and the practical application.
    If your team has extremely high security requirements (financial organizations, government, etc.), a traditional hardware bastion host is recommended.
    For Internet companies and start-ups, a cloud bastion host is usually the better recommendation, for both price and flexibility.

  • Background
    4A stands for Authentication, Account, Authorization and Audit, i.e. a unified security management platform solution.
    Authentication, authorization, auditing and accounts (which together give non-repudiation and data integrity) are defined as the four major parts of network security, which establishes the position and role of identity authentication within the whole network security system.

Jumpserver open-source bastion host

20180906 chenxin

References and notes

An open-source project maintained by a small team in Beijing, under continuous development and improvement. If you hit a problem you can ask in the user group; "Lao Yu" from Chengdu is a former developer.
http://docs.jumpserver.org/zh/docs/step_by_step.html  step-by-step installation on CentOS (this write-up basically follows the official document; only the default port was changed)
http://docs.jumpserver.org/zh/docs/faq_install.html  common problems during installation

Jumpserver components

  • Open-source project written in Python 3.6, with the following main modules
    1. jumpserver console: the main component, implemented with Django
    2. coco (since replaced by koko): the SSH agent that executes commands; it implements an SSH server and a Web Terminal server, exposes SSH and WebSocket interfaces, and was developed with Paramiko and Flask
    3. luna: currently the front end for the Web Terminal; planned to become the front-end page of the whole project, after which Jumpserver will only provide an API and no longer render HTML on the back end

  • Third-party components (data)
    MySQL: data storage (5.x or 8.x both work; the latest 8.x is used here)
    Redis: data storage (version 4.x, the latest at the time)

  • How it fits together
    jumpserver manages users, assets and so on; koko provides the SSH channel and records the commands.
    A unified system account (for example admin) must be configured on the back-end machines, and its username and password (or key) configured in jumpserver; koko logs in to the back-end machines through that account.

Installation and Configuration

For the installation and the configuration files, refer to the official documents linked under "References"; they are not repeated here (the installation usually hits a variety of problems that have to be resolved one by one).

  • MySQL installation: refer to the MySQL documentation. The jumpserver side of the configuration goes into /opt/jumpserver/config.yml when jumpserver is installed.
  • Redis installation: refer to the Redis documentation. Same as above.
  • Python 3.6 installation (or refer to the official documentation https://docs.python.org/3/using/unix.html#on-linux)
cd /opt/
wget https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tgz
tar xzvf Python-3.6.9.tgz
cd Python-3.6.9/
./configure
make && make install
which python3.6
  • jumpserver install, configure, start
    1. Python configuration
    Create the Python virtual environment: python3.6 -m venv /opt/py3
    Load the virtual environment: source /opt/py3/bin/activate

2. When starting jumpserver you may hit "ImportError: libmysqlclient.so.20: cannot open shared object file: No such file or directory"

$ find / -name libmysqlclient.so.20
/usr/local/mysql/lib/libmysqlclient.so.20
$ cat /etc/ld.so.conf
include ld.so.conf.d/*.conf   # includes the matching files under /etc/ld.so.conf.d/
/usr/local/mysql/lib/         # added: the MySQL client library directory
$ ldconfig   # refresh the dynamic linker cache
  • koko installation
$ cd /opt
$ wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-6d4e69b-linux-amd64.tar.gz
$ tar xf koko-master-6d4e69b-linux-amd64.tar.gz
$ chown -R root:root kokodir
$ cd kokodir
$ cp config_example.yml config.yml
$ vim config.yml
# BOOTSTRAP_TOKEN must be copied from jumpserver/config.yml; the two values must be identical
$ ./koko   or, in the background:  nohup ./koko > nohup.out 2>&1 &
  • Deploy the guacamole component with docker
    docker run --name jms_guacamole -d -p 127.0.0.1:8081:8081 -e JUMPSERVER_SERVER=http://10.0.0.26:8080 -e BOOTSTRAP_TOKEN=KA5CmOxL0vkpYOqCfdoc4BFYslesQ4AEgViOTa8aRrZgEYtcQ jumpserver/jms_guacamole:1.5.2
    BOOTSTRAP_TOKEN is again the value from jumpserver/config.yml. It is the component registration secret, so treat it like a password; the value shown is the one from this particular deployment.

  • Download the luna component
$ cd /opt
$ wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
$ tar xf luna.tar.gz
$ chown -R root:root luna
  • Install nginx and configure it to tie the components together
# Refer to http://nginx.org/en/linux_packages.html to install the latest stable nginx
# The installation can also follow the note "nginx as TCP forwarder / TCP proxy (and application-layer reverse proxy), layer-4 or layer-7 load balancing"
wget http://nginx.org/download/nginx-1.16.1.tar.gz
Add the following server block to the nginx configuration file. It listens on plain HTTP port 80; outside a lab, terminate TLS here so that passwords and session traffic do not cross the network in the clear.

server {
    listen 80;

    client_max_body_size 100m;  # size limit for replay recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # replay recording location
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets
    }
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass       http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

$ nginx -t
$ nginx -s reload
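Before starting koko it is worth checking that the BOOTSTRAP_TOKEN it carries is the one in jumpserver's config.yml, and that the guacamole container received the same value: a mismatch is what usually makes koko fail to register at first start. The following is an added POSIX shell check, not part of Jumpserver. It assumes the paths used in this write-up (/opt/jumpserver/config.yml and /opt/kokodir/config.yml) and reads the guacamole token from the container environment with docker inspect when docker is present; the files in the demo are constructed.

```sh
#!/bin/sh
# Added example: verify BOOTSTRAP_TOKEN agreement between jumpserver, koko and
# the jms_guacamole container before starting the components.

# yaml_value FILE KEY: value of a top-level "KEY: value" line. Strips
# surrounding quotes and a trailing "# comment"; commented-out keys are ignored.
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" \
        | sed "s/[[:space:]]*#.*\$//; s/^['\"]//; s/['\"]\$//" \
        | head -n 1
}

# guac_token: BOOTSTRAP_TOKEN from the running jms_guacamole container, or
# empty output if docker or the container is not there.
guac_token() {
    command -v docker >/dev/null 2>&1 || return 0
    docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' jms_guacamole 2>/dev/null \
        | sed -n 's/^BOOTSTRAP_TOKEN=//p'
}

# check_tokens JMS_CONFIG KOKO_CONFIG [GUAC_TOKEN]: 0 if consistent, 1 otherwise.
check_tokens() {
    jms=$(yaml_value "$1" BOOTSTRAP_TOKEN)
    koko=$(yaml_value "$2" BOOTSTRAP_TOKEN)
    guac=${3:-}
    if [ -z "$jms" ]; then
        echo "FAIL: no BOOTSTRAP_TOKEN in $1" >&2; return 1
    fi
    # illustrative threshold: the token used on this page is 49 characters long
    if [ "${#jms}" -lt 24 ]; then
        echo "WARN: BOOTSTRAP_TOKEN in $1 is only ${#jms} characters" >&2
    fi
    if [ "$jms" != "$koko" ]; then
        echo "FAIL: koko BOOTSTRAP_TOKEN ($2) differs from jumpserver ($1)" >&2; return 1
    fi
    if [ -n "$guac" ] && [ "$guac" != "$jms" ]; then
        echo "FAIL: jms_guacamole BOOTSTRAP_TOKEN differs from jumpserver" >&2; return 1
    fi
    echo "OK: BOOTSTRAP_TOKEN consistent across jumpserver, koko${guac:+ and guacamole}"
}

# Stand-alone use with the paths from this write-up (assumed, not verified here):
#   check_tokens /opt/jumpserver/config.yml /opt/kokodir/config.yml "$(guac_token)"
```

Run it once after editing koko's config.yml and again after the docker run for guacamole; if it reports a mismatch, fix the configuration rather than restarting koko in a loop, since each failed registration shows up in jumpserver's terminal list as an unregistered component.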

Verifying jumpserver after installation

  • Process layout after installation and start-up
This is the jumpserver main process (three parts: gunicorn, the celery worker and celery beat); in this deployment the web port was changed to 13080. Note that the nginx server block above proxies "/" to localhost:8080, so the two must be kept in step. gunicorn is bound to 0.0.0.0 here, which exposes the port alongside the proxy; binding it to 127.0.0.1 is enough when nginx fronts it.
\_ python3 ./jms start all    
    \_ /opt/py3/bin/python3 /opt/py3/bin/gunicorn jumpserver.wsgi -b 0.0.0.0:13080 -k eventlet -w 4 --access-logformat %(h)s %(
    |   \_ /opt/py3/bin/python3 /opt/py3/bin/gunicorn jumpserver.wsgi -b 0.0.0.0:13080 -k eventlet -w 4 --access-logformat %(h)
    |   \_ /opt/py3/bin/python3 /opt/py3/bin/gunicorn jumpserver.wsgi -b 0.0.0.0:13080 -k eventlet -w 4 --access-logformat %(h)
    |   \_ /opt/py3/bin/python3 /opt/py3/bin/gunicorn jumpserver.wsgi -b 0.0.0.0:13080 -k eventlet -w 4 --access-logformat %(h)
    |   \_ /opt/py3/bin/python3 /opt/py3/bin/gunicorn jumpserver.wsgi -b 0.0.0.0:13080 -k eventlet -w 4 --access-logformat %(h)
    \_ /opt/py3/bin/python3 /opt/py3/bin/celery worker -A ops -l debug --pidfile /opt/jumpserver/tmp/celery.pid -c 4
    |   \_ /opt/py3/bin/python3 /opt/py3/bin/celery worker -A ops -l debug --pidfile /opt/jumpserver/tmp/celery.pid -c 4
    |   \_ /opt/py3/bin/python3 /opt/py3/bin/celery worker -A ops -l debug --pidfile /opt/jumpserver/tmp/celery.pid -c 4
    |   \_ /opt/py3/bin/python3 /opt/py3/bin/celery worker -A ops -l debug --pidfile /opt/jumpserver/tmp/celery.pid -c 4
    |   \_ /opt/py3/bin/python3 /opt/py3/bin/celery worker -A ops -l debug --pidfile /opt/jumpserver/tmp/celery.pid -c 4
    \_ /opt/py3/bin/python3 /opt/py3/bin/celery beat -A ops --pidfile /opt/jumpserver/tmp/beat.pid -l DEBUG --scheduler django_

This is MySQL, port 3306
/bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/mysql/data/ --pid-file=/usr/local/mysql/data//ip-10-0-1-198.pid
\_ /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --plugin-dir=/usr/local/mysql/lib/plugin --user=mysql

This is Redis, port 6379 (bound to 127.0.0.1 only)
/usr/local/redis/src/redis-server 127.0.0.1:6379             

This is coco; it opens ports 5000 and 2222 (2222 is the SSH proxy port)
\_ python3 ./cocod start

This is the nginx front-end proxy (main roles: serve the static assets at luna's location; proxy coco's socket on port 5000; proxy jumpserver's web port 13080)
nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
\_ nginx: worker process     
  • Starting Jumpserver
# Check that the application is running normally
# Once all services are up, access the jumpserver host through the nginx proxy on port 80; do not go to port 8080 directly
# Default account: admin, password: admin (changed after first login to Jumps12386Hgs89)
  • Test
[root@ip-10-0-1-198 coco]# ssh -p2222 admin@<jumpserver-ip>
admin@<jumpserver-ip>'s password:    # the password entered here is that of the user registered in jumpserver, not the password of the real back-end ssh user admin
        Administrator, welcome to the Jumpserver open-source jump server
        1) Enter an ID to log in directly, or enter part of an IP, hostname or comment to search and log in (if unique).
        2) Enter / + IP, hostname or comment to search, e.g. /ip
        3) Enter p to list the hosts you are allowed to access.
        4) Enter g to list the nodes you are allowed to access.
        5) Enter g + node ID to list the hosts under that node, e.g. g1
        6) Enter s to switch between Chinese and English.
        7) Enter h for help.
        0) Enter q to exit.
Opt>    # enter the operation here

Jumpserver start-up scripts

  • Redis start at boot
    /usr/local/redis/src/redis-server /usr/local/redis/redis.conf

  • MySQL start at boot
    /usr/local/mysql/support-files/mysql.server start

  • jumpserver start script
(py3) [root@ip-10-0-1-198 jumpserver]# cat jms-start.sh
#!/bin/bash
source /opt/py3/bin/activate
cd /opt/jumpserver
nohup ./jms start all >./nohup.out 2>&1 &
  • koko start
source /opt/py3/bin/activate
cd /opt/kokodir
nohup ./koko >./nohup.out 2>&1 &
  • guacamole start
    via docker

  • nginx start
    /usr/local/nginx/sbin/nginx

  • To sum up, put all of them into /etc/rc.local. Mind the permissions of this file (rc-local.service is already enabled by default: systemctl enable rc-local.service)
[root@iZj6c5d11u9erkfcx9hgqeZ ~]# cat /etc/rc.local 
#!/bin/bash
...
touch /var/lock/subsys/local

/usr/local/redis/src/redis-server /usr/local/redis/redis.conf
/usr/local/mysql/support-files/mysql.server start
/usr/local/nginx/sbin/nginx

/opt/jumpserver/start.sh   # see the jms-start.sh contents above
/opt/kokodir/start.sh

source /etc/profile && docker container start jms_guacamole   # only works after the container has been created once by hand with docker run xxx
exit 0   # required; without it systemctl cannot complete the start of rc-local.service

Using it

See the official admin guide: http://docs.jumpserver.org/zh/docs/admin_guide.html
Users then log in to the back-end servers through the coco proxy port (all operations are recorded by coco). Servers a user has permission for can also be managed from the jumpserver web console.

  • jumpserver login
    user: admin  pw: Jumps12386Hgs89

Daily management operations

  • Changing the external port
    To change the port jumpserver is exposed on (default 80, changed here to 10080), edit the nginx configuration file /usr/local/nginx/conf/nginx.conf

  • LDAP integration: refer to the FreeIPA documentation.
    Omitted here.

  • Jumpserver accounts
    LDAP accounts and local jumpserver accounts can coexist, but must not share a name (a duplicate name makes login fail for both).

  • User management
    Covers jumpserver local accounts and LDAP accounts.
    LDAP accounts can be imported here.

  • Asset management
    Machines are added here (before adding a machine, configure "Asset management" -> "Admin users" and "System users").
    Admin user: root, for example; here it is the web user that had been added to the machines earlier. Entering a private key has not been tried yet.
    System user: admin, for example; every Linux machine has the admin user, and its password is entered here so that jumpserver's koko can log in to the machine as that user (it is a local account on the machine).
    Note that ssh login to the back-end machines via FreeIPA can be blocked so that only local-account authentication is used.
    If it is not blocked, then because the back-end machines are also joined to FreeIPA by default, users can still log in to the back-end machines directly with their LDAP account and bypass the recorded path (the jumpserver ssh path and the FreeIPA path then exist side by side).

  • Permission management
    By default a user has no access to any machine. To grant access, add an "asset permission", which defines who can access which assets (and through which system user).

  • Session management
    Web terminal (ssh): according to the logged-in user's permissions, log in to machines through the web ssh terminal (using the local admin account provisioned on the Linux systems earlier).
    Session history view, including the history of executed commands and replay (a screen recording of the user's command execution).

  • jumpserver local SSH port 2222: connect to the back-end machines under an authenticated user name
    The user logs in to the jump server via SSH, then:
[root@iZj6c5d11u9erkfcx9hgqeZ ~]# ssh -p2222 test20190902@10.0.0.26  # the jump server's internal IP is 10.0.0.26
test20190902@10.0.0.26's password:
                test20190902, welcome to the Jumpserver open-source bastion host

        1) Enter an ID to log in directly.
        2) Enter part of an IP, hostname or comment to search and log in (if unique).
        3) Enter / + IP, hostname or comment to search, e.g. /192.168.
        4) Enter p to list the hosts you are allowed to access.
        5) Enter g to list the nodes you are allowed to access.
        6) Enter r to refresh the host and node information.
        7) Enter h for help.
        8) Enter q to exit.
Opt>   # the ones used most are "/ip (or hostname etc.)", p, g and h; then log in to the machine (as the ssh admin account)
  • SecureCRT settings
    Users who log in through SecureCRT can be taken straight to a back-end machine (less manual typing).
    Create an ordinary SecureCRT ssh session (copy one of the other hosts).
    Then under Connection -> Logon Actions tick both "Automate logon" and "Send initial carriage return", and add these Expect/Send rows (note that this stores the FreeIPA password in the SecureCRT session file, so protect that file accordingly):
Expect      Send                            Hide
ogin:       ssh -p2222 <user>@10.0.0.26     No   # 10.0.0.26 is the jumpserver machine's internal IP; <user> is your jumpserver login
password:   Freeipaxxx                      No   # the user's FreeIPA (LDAP) password
Opt>        /10.0.0.19                      No   # 10.0.0.19 is the target business server; choose by hand from the matches, or if only one host matches enter 1 to go straight in
  • Pushing software installs to hosts from jumpserver
    There is no such feature as such. In "Asset management" create an additional system user with sufficient privileges (distinct from the admin account used for ssh), for example a "manager" user, and then use "Job Center" -> "Batch command".
# When creating a "system user", if "auto push" is selected Jumpserver uses Ansible to push the system user to the assets; the "root" user does not support push.
# If an asset does not support Ansible, untick "auto generate key" and "auto push" and fill in an existing account and password on the asset by hand; Windows system-user push is currently supported.
# If users should type the password themselves when logging in to an asset, choose "manual login" when creating the system user.
  • Reviewing operation history
    System settings -> Terminal settings -> command storage and replay storage; S3, OSS and Azure (Microsoft) storage buckets are supported.
    Session management -> session history, including the executed commands and replay (a screen recording of the user's commands). A session detail text file (including command output) is also available.
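The asset-management notes above point at the weak spot of this design: with the back-end hosts joined to FreeIPA, any LDAP user can ssh to them directly, skip the bastion, and nothing is recorded. One way to close that on each back-end host is an OpenSSH AllowUsers policy of the form USER@HOST, where HOST may be an address or CIDR range, so that sshd admits only the koko system user and only from the jump server (FreeIPA's own HBAC rules are the other place to enforce this). Below is an added POSIX shell check for that policy, not part of Jumpserver or FreeIPA. It assumes the bastion address 10.0.0.26 and the system user admin from this write-up, looks only at global AllowUsers lines (an AllowUsers inside a Match block is out of scope), and the sshd_config fragments in the demo are constructed.

```sh
#!/bin/sh
# Added example: check that a back-end host's sshd only admits logins that come
# through the bastion, via "AllowUsers user@bastion-ip" entries.

# bastion_only_ok SSHD_CONFIG USER BASTION_IP: 0 if every AllowUsers entry is
# bound to BASTION_IP and USER@BASTION_IP is among them, 1 otherwise.
bastion_only_ok() {
    cfg="$1"; user="$2"; bastion="$3"
    esc=$(printf '%s' "$bastion" | sed 's/\./\\./g')   # literal dots for grep
    # collect every token on every global AllowUsers line, one per line
    entries=$(sed -n 's/^[[:space:]]*AllowUsers[[:space:]]\{1,\}//p' "$cfg" \
              | tr ' \t' '\n\n' | sed '/^$/d')
    if [ -z "$entries" ]; then
        echo "FAIL: $cfg has no AllowUsers line; any account sshd can authenticate may log in directly" >&2
        return 1
    fi
    # entries without @bastion admit that user from anywhere (bastion bypass)
    loose=$(printf '%s\n' "$entries" | grep -v "@$esc\$" || true)
    if [ -n "$loose" ]; then
        echo "FAIL: AllowUsers entries not bound to $bastion: $(printf '%s' "$loose" | tr '\n' ' ')" >&2
        return 1
    fi
    # the bastion's own system user must still be allowed, or koko cannot log in
    if ! printf '%s\n' "$entries" | grep -qx "$user@$esc"; then
        echo "FAIL: $user@$bastion is not allowed, so koko itself could not log in" >&2
        return 1
    fi
    echo "OK: sshd admits only: $(printf '%s' "$entries" | tr '\n' ' ')"
}

# Constructed sshd_config fragments for the demo (not copied from any host).
write_open_config() {      # as the back-end hosts are described: no source restriction
    printf 'PermitRootLogin no\nPasswordAuthentication yes\n' > "$1"
}
write_leaky_config() {     # restricted, but alice is still admitted from anywhere
    printf 'PermitRootLogin no\nAllowUsers admin@10.0.0.26 alice\n' > "$1"
}
write_bastion_config() {   # hardened: named users, only from the jump server
    printf 'PermitRootLogin no\nPasswordAuthentication yes\n# only the jump server may log in\nAllowUsers admin@10.0.0.26 manager@10.0.0.26\n' > "$1"
}

# Demo: the open fragment fails, the hardened one passes.
d=$(mktemp -d)
write_open_config "$d/open"; write_bastion_config "$d/hard"
bastion_only_ok "$d/open" admin 10.0.0.26 || true
bastion_only_ok "$d/hard" admin 10.0.0.26
rm -rf "$d"
```

Run bastion_only_ok /etc/ssh/sshd_config admin 10.0.0.26 on each back-end host (or push it through Jumpserver's batch command, which is exactly the "manager" system user case above); after changing sshd_config, confirm with sshd -t and keep an existing session open until a fresh login through the bastion succeeds.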

Fault simulation

  • If the FreeIPA (LDAP) server is shut down, can you still log in to jumpserver?
    LDAP user login times out (no connection to LDAP can be established) and ends in a 504.
    Local user login also times out and nginx reports 504. Why is it designed this way? Is it a bug?
    After an LDAP failure, the way to let local users log in again is to modify the jumpserver DB directly:
    connect to the jumpserver database with mysql; in the settings_setting table find the auth_ldap row and set its value field to "false"; then restart jumpserver (there is a cache, so a restart is needed).
    Log in to jumpserver again.
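The recovery step above in runnable form, as an added example (not from the original post or from Jumpserver): it prints or applies the SQL that flips the LDAP switch in the settings_setting table. The table and row names are the ones the note above gives; the column names name and value, the database and user name jumpserver, and the literal 'false' are assumptions, which is why the SELECT runs before and after the UPDATE so the row can be checked and reverted by hand. It is a dry run unless APPLY=1 is set, and jumpserver still has to be restarted afterwards because of the settings cache.

```sh
#!/bin/sh
# Added example: disable LDAP authentication in jumpserver's settings table
# when the LDAP server is down and even local logins time out.
# Assumptions (not verified on the page): database "jumpserver", table
# settings_setting with columns name and value, row name auth_ldap (MySQL's
# default collation compares strings case-insensitively, so AUTH_LDAP matches too).

# ldap_off_sql: the statements as one transaction; the SELECTs show the row
# before and after the change.
ldap_off_sql() {
    cat <<'EOF'
START TRANSACTION;
SELECT name, value FROM settings_setting WHERE name = 'auth_ldap';
UPDATE settings_setting SET value = 'false' WHERE name = 'auth_ldap';
SELECT name, value FROM settings_setting WHERE name = 'auth_ldap';
COMMIT;
EOF
}

# ldap_off [DB] [USER]: print the SQL (dry run) or, with APPLY=1, pipe it to the
# mysql client; the password comes from the client's ~/.my.cnf or the -p prompt.
ldap_off() {
    db=${1:-jumpserver}; dbuser=${2:-jumpserver}
    if [ "${APPLY:-0}" = "1" ]; then
        ldap_off_sql | mysql -u "$dbuser" -p "$db"
    else
        echo "# dry run: mysql -u $dbuser -p $db <<SQL"
        ldap_off_sql
        echo "# then restart jumpserver (e.g. ./jms restart all) so the cached setting is reloaded"
    fi
}

# Demo: dry run with the assumed defaults.
ldap_off
```

Once LDAP is back, re-enable it from the web console rather than by another direct UPDATE, so that jumpserver validates the LDAP settings again.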

Alibaba Cloud bastion host

USMShell https://help.aliyun.com/knowledge_detail/91092.html
As of 2019/08/26 the service is open only to accounts registered in mainland China; international accounts are not yet supported.

Source: https://www.cnblogs.com/chanix/p/11648519.html