堡垒机jumpserver搭建
1.检查防火墙 是否关闭
# 安装jumpserver版本为 v4.1
# 未关闭的话执行systemctl stop firewalld
[root@kylin-10-sp3 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@kylin-10-sp3 ~]#
2.检查22端口是否占用
[root@kylin-10-sp3 ~]# ss -lntup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=812,fd=5))
udp UNCONN 0 0 [::1]:323 [::]:* users:(("chronyd",pid=812,fd=6))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=889,fd=3))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=889,fd=4))
[root@kylin-10-sp3 ~]#
3.部署
3.1 说明
安装到/app/tools/目录下 需要创建
数据存放/data/目录
虚拟机占用内存建议8G
[root@kylin-10-sp3 ~]# mkdir -p /app/tools
[root@kylin-10-sp3 ~]# tree /app
/app
└── tools
1 directory, 0 files
[root@kylin-10-sp3 ~]#
3.2修改主机名
[root@kylin-10-sp3 ~]# hostnamectl
Static hostname: kylin-10-sp3
Icon name: computer-vm
Chassis: vm
Machine ID: 2023ba386e85410485af75d538f1a15b
Boot ID: d3eeab2a94b449f9b4ca64ade043e090
Virtualization: vmware
Operating System: Kylin Linux Advanced Server V10 (Lance)
Kernel: Linux 4.19.90-52.22.v2207.ky10.x86_64
Architecture: x86-64
[root@kylin-10-sp3 ~]#
[root@kylin-10-sp3 ~]# hostnamectl set-hostname jumpserver
[root@kylin-10-sp3 ~]#
[root@kylin-10-sp3 ~]# hostname
jumpserver
[root@kylin-10-sp3 ~]#
3.3检查时间
# 查看时间
[root@Kylin-V10-sp3 ~]# date
2024年 08月 29日 星期四 01:47:57 CST
[root@Kylin-V10-sp3 ~]#
# 查看时区信息
[root@Kylin-V10-sp3 ~]# timedatectl
Local time: Thu 2024-08-29 16:58:35 CST
Universal time: Thu 2024-08-29 08:58:35 UTC
RTC time: Thu 2024-08-29 08:58:35
Time zone: Asia/Shanghai (CST, +0800)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
[root@Kylin-V10-sp3 ~]#
# 修改时区信息
[root@Kylin-V10-sp3 ~]# timedatectl set-timezone Asia/Shanghai
# 时间同步
[root@Kylin-V10-sp3 ~]# ntpdate ntp.aliyun.com
29 Aug 16:41:03 ntpdate[5991]: step time server 203.107.6.88 offset +53395.239846 sec
[root@Kylin-V10-sp3 ~]#
# 再次查看时间,确认修改好了
[root@Kylin-V10-sp3 ~]# date
2024年 08月 29日 星期四 16:41:10 CST
[root@Kylin-V10-sp3 ~]#
3.4解压压缩包到/app/tools/
# 1.scp 上传安装包到/app/tools下
Administrator@DESKTOP-LJI8P9S MINGW64 /e/linux/test_packages
$ scp -P 22 jumpserver-ce-v4.1.0-amd64.tar.gz root@10.0.0.40:/app/tools
The authenticity of host '10.0.0.40 (10.0.0.40)' can't be established.
ED25519 key fingerprint is SHA256:etSz6hUw1eeDM6dhkw65TvR9U2uCo3YrNLOAgNhwjcg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '10.0.0.40' (ED25519) to the list of known hosts.
Authorized users only. All activities may be monitored and reported.
root@10.0.0.40's password:
jumpserver-ce-v4.1.0-amd64.tar.gz 100% 1149MB 104.4MB/s 00:11
Administrato@DESKTOP-LJI8P9S MINGW64 /e/linux/test_packages
$
2.解压压缩包
[root@kylin-10-sp3 ~]# cd /app/tools/
[root@kylin-10-sp3 /app/tools]# ll
总用量 1176788
-rw-r--r-- 1 root root 1205027508 8月 29 15:50 jumpserver-ce-v4.1.0-amd64.tar.gz
[root@kylin-10-sp3 /app/tools]#
[root@kylin-10-sp3 /app/tools]# tar xf jumpserver-ce-v4.1.0-amd64.tar.gz
[root@kylin-10-sp3 /app/tools]# ll
总用量 1176788
drwxr-xr-x 7 root root 262 8月 15 23:36 jumpserver-ce-v4.1.0-amd64
-rw-r--r-- 1 root root 1205027508 8月 29 15:50 jumpserver-ce-v4.1.0-amd64.tar.gz
[root@kylin-10-sp3 /app/tools]#
3.5 安装jumpserver
# 进入解压后目录 运行jmsctl.sh 一直默认即可
[root@kylin-10-sp3 /app/tools]# cd jumpserver-ce-v4.1.0-amd64/
[root@kylin-10-sp3 /app/tools/jumpserver-ce-v4.1.0-amd64]# ll
总用量 72
-rw-r--r-- 1 root root 2029 8月 15 23:35 cn-quick_start.sh
drwxr-xr-x 2 root root 4096 8月 15 23:35 compose
-rw-r--r-- 1 root root 6419 8月 15 23:35 config-example.txt
drwxr-xr-x 7 root root 89 8月 15 23:35 config_init
-rwxr-xr-x 1 root root 5949 8月 15 23:35 jmsctl.sh
-rw-r--r-- 1 root root 35148 8月 15 23:35 LICENSE
drwxr-xr-x 5 root root 44 8月 15 23:35 locale
-rw-r--r-- 1 root root 1900 8月 15 23:35 quick_start.sh
-rw-r--r-- 1 root root 1642 8月 15 23:35 README.md
drwxr-xr-x 4 root root 302 8月 15 23:35 scripts
-rw-r--r-- 1 root root 25 8月 15 23:35 static.env
drwxr-xr-x 2 root root 41 8月 15 23:35 utils
[root@kylin-10-sp3 /app/tools/jumpserver-ce-v4.1.0-amd64]# ./jmsctl.sh install
██╗██╗ ██╗███╗ ███╗██████╗ ███████╗███████╗██████╗ ██╗ ██╗███████╗██████╗
██║██║ ██║████╗ ████║██╔══██╗██╔════╝██╔════╝██╔══██╗██║ ██║██╔════╝██╔══██╗
██║██║ ██║██╔████╔██║██████╔╝███████╗█████╗ ██████╔╝██║ ██║█████╗ ██████╔╝
██ ██║██║ ██║██║╚██╔╝██║██╔═══╝ ╚════██║██╔══╝ ██╔══██╗╚██╗ ██╔╝██╔══╝ ██╔══██╗
╚█████╔╝╚██████╔╝██║ ╚═╝ ██║██║ ███████║███████╗██║ ██║ ╚████╔╝ ███████╗██║ ██║
╚════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝
Version: v4.1.0-ce
1. 检查配置文件
配置文件位置: /opt/jumpserver/config
/opt/jumpserver/config/config.txt [ √ ]
/opt/jumpserver/config/loki/promtail.yml [ √ ]
/opt/jumpserver/config/nginx/cert/server.crt [ √ ]
/opt/jumpserver/config/nginx/cert/server.key [ √ ]
>>> 安装配置 Docker
1. 安装 Docker
完成
2. 配置 Docker
是否需要支持 IPv6? (y/n) (默认为 n): n
完成
3. 启动 Docker
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /etc/systemd/system/docker.service.
完成
>>> 加载 Docker 镜像
redis:7.0-bullseye <= images/redis:7.0-bullseye.zst
文件系统 容量 已用 可用 已用% 挂载点
/dev/mapper/klas-root 62G 9.3G 52G 16% /
/dev/mapper/klas-backup 30G 246M 30G 1% /backup
持久化存储目录 (默认为 /data/jumpserver):
完成
3. 配置数据库
是否使用外部 PostgreSQL? (y/n) (默认为 n): n
完成
4. 配置 Redis
请输入 Redis 模式? (redis/sentinel) (默认为 redis):
是否使用外部 Redis? (y/n) (默认为 n): n
完成
5. 配置外部访问
是否需要配置 JumpServer 对外访问端口? (y/n) (默认为 n): n
完成
6. 初始化数据库
[+] Running 4/4
✔ Network jms_net Created
Applying tickets.0003_initial_ticket_flow_data... OK
Applying tickets.0004_replace_assignees_to_users... OK
After migration, update builtin role permissions
- Update builtin roles
完成
>>> 安装完成了
1. 可以使用如下命令启动, 然后访问
cd /app/tools/jumpserver-ce-v4.1.0-amd64
./jmsctl.sh start
2. 其它一些管理命令
./jmsctl.sh stop
./jmsctl.sh restart
./jmsctl.sh backup
./jmsctl.sh upgrade
更多还有一些命令, 你可以 ./jmsctl.sh --help 来了解
3. Web 访问
http://10.0.0.40:80
默认用户: admin 默认密码: ChangeMe
更多信息
官方网站: https://www.jumpserver.org/
官方文档: https://docs.jumpserver.org/
[root@kylin-10-sp3 /app/tools/jumpserver-ce-v4.1.0-amd64]#
3.5 启动jumpserver
[root@jumpserver /app/tools/jumpserver-ce-v4.1.0-amd64]# ./jmsctl.sh start
[+] Running 8/8
✔ Container jms_celery Started 10.5s
✔ Container jms_chen Started 10.5s
✔ Container jms_core Started 10.6s
✔ Container jms_koko Started 10.6s
✔ Container jms_lion Started 10.5s
✔ Container jms_web Started 10.6s
✔ Container jms_postgresql Running 0.0s
✔ Container jms_redis Running 0.0s
[root@jumpserver /app/tools/jumpserver-ce-v4.1.0-amd64]#
# ./jmsctl.sh status #查看状态 有9行 8个服务
[root@jumpserver /app/tools/jumpserver-ce-v4.1.0-amd64]# ./jmsctl.sh status
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
jms_celery docker.io/jumpserver/core:v4.1.0-ce "./entrypoint.sh sta…" celery 2 hours ago Up 2 hours (healthy) 8080/tcp
jms_chen docker.io/jumpserver/chen:v4.1.0-ce "./entrypoint.sh wisp" chen 2 hours ago Up 2 hours (healthy) 8082/tcp
jms_core docker.io/jumpserver/core:v4.1.0-ce "./entrypoint.sh sta…" core 2 hours ago Up 2 hours (healthy) 8080/tcp
jms_koko docker.io/jumpserver/koko:v4.1.0-ce "./entrypoint.sh ./k…" koko 2 hours ago Up 2 hours (healthy) 0.0.0.0:2222->2222/tcp, :::2222->2222/tcp
jms_lion docker.io/jumpserver/lion:v4.1.0-ce "./entrypoint.sh sup…" lion 2 hours ago Up 2 hours (healthy) 4822/tcp, 8081/tcp
jms_postgresql postgres:16.3-bullseye "docker-entrypoint.s…" postgresql 2 hours ago Up 2 hours (healthy) 5432/tcp
jms_redis redis:7.0-bullseye "docker-entrypoint.s…" redis 2 hours ago Up 2 hours (healthy) 6379/tcp
jms_web docker.io/jumpserver/web:v4.1.0-ce "/docker-entrypoint.…" web 2 hours ago Up 2 hours (healthy) 0.0.0.0:80->80/tcp, :::80->80/tcp
[root@jumpserver /app/tools/jumpserver-ce-v4.1.0-amd64]#
4.使用
4.1 登录
4.2 重置密码
4.3 创建分组
4.4 创建用户
4.5 创建资产
点击创建,平台选择Linux,名称随意,节点默认,IP填写资产((kylin虚拟机)ip
账号信息,点击新增
资产(kylin虚拟机)的用户名、密码,点击确认
创建完成后如图所示点击 测试
显示Ok即连接成功
4.6 资产授权
根据实际填写即可
注意生效时间,堡垒机和资产时间一定要同步,点击提交
4.7 切换普通用户登录,可看到能够操作的资产,点击操作
4.8 SFTP方便文件传输,SSH方便远程登录
登录后和xhell远程登录效果一样
4.8 切换回admin用户,可查看用户的操作记录
切换到审计台,点击绘画命令,可看到操作记录
点击 转到 可查看操作回放,点击 > 可查看操作执行命令与结果
