Unit 9: Enterprise Server Security, Deploying JumpServer v2.26 from Source
JumpServer core components
JumpServer core architecture
JumpServer is made up of several components; the overall architecture is shown in the figure above. Lina and Luna are pure static files that nginx ultimately serves together with the rest.
Disabling the firewall and SELinux
Stop the firewall
# systemctl stop firewalld
Disable the firewall
# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service
Temporarily disable SELinux
# getenforce
Enforcing
# setenforce 0
# getenforce
Permissive
Permanently disable SELinux
For deploying the JumpServer service, see the reference link
Environment preparation
1 python >= 3.8.x
2 mysql server or mariadb server, version 5.7 or later
3 redis database
4 firewall disabled
5 selinux disabled
6 centos and epel repositories prepared
Install the dependencies needed to run JumpServer
# yum -y install git python-pip gcc automake autoconf python-devel vim sshpass lrzsz readline-devel wget
Change the system character set to Chinese
# localedef -f UTF-8 -i zh_CN zh_CN.UTF-8
# export LC_ALL=zh_CN.UTF-8
Also write the setting into the configuration file so it is not lost after a reboot
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
Verify that the setting took effect
[root@192 ~]# locale
LANG=zh_CN.UTF-8
LC_CTYPE="zh_CN.UTF-8"
LC_NUMERIC="zh_CN.UTF-8"
LC_TIME="zh_CN.UTF-8"
LC_COLLATE="zh_CN.UTF-8"
LC_MONETARY="zh_CN.UTF-8"
LC_MESSAGES="zh_CN.UTF-8"
LC_PAPER="zh_CN.UTF-8"
LC_NAME="zh_CN.UTF-8"
LC_ADDRESS="zh_CN.UTF-8"
LC_TELEPHONE="zh_CN.UTF-8"
LC_MEASUREMENT="zh_CN.UTF-8"
LC_IDENTIFICATION="zh_CN.UTF-8"
LC_ALL=
Configure the Aliyun mirror repositories, using CentOS 7 as the example
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
Deploy MySQL 5.7
Download the MySQL rpm package from the official MySQL site and install it; this is not repeated here, see the reference link
If needed, adjust the MySQL configuration, such as the data storage directory
After the adjustments, initialize MySQL
View the initial MySQL password
# grep 'temporary password' /var/log/mysqld.log
Reset the MySQL password
mysqladmin -uroot -p<initial-password> password <new-password>
Create the database and user in MySQL
Create the database
create database jumpserver default charset 'utf8' collate 'utf8_bin';
Grant privileges to the user
grant all privileges on jumpserver.* to 'jumpserver'@'%' identified by '<password>';
Reload the privileges
flush privileges;
Deploy Python 3
Install dependency packages
yum install -y centos-release-scl # register the SCL repository
yum install -y rh-python38-python* # install python 3.8
# create symlinks
ln -s /opt/rh/rh-python38/root/usr/bin/python3 /usr/bin/python3
ln -s /opt/rh/rh-python38/root/usr/bin/pip3 /usr/bin/pip3
python3 -V # confirm the version
Create a Python 3 virtual environment
Because CentOS 7 ships with Python 2, and tools such as yum depend on that Python, we use a Python virtual environment so as not to disturb the existing environment.
[root@jumpserver2 ~]# cd /opt
Enter the virtual environment
[root@jumpserver2 opt]# python3 -m venv py3
[root@jumpserver2 opt]# source /opt/py3/bin/activate
(jumpserver) [root@192 opt]#
Exit the virtual environment
(jumpserver) [root@192 opt]# deactivate
Deploy the Redis server
# yum -y install rh-redis6*
Start Redis
# /opt/rh/rh-redis6/root/usr/bin/redis-server &
Stop Redis
# /opt/rh/rh-redis6/root/usr/libexec/redis-shutdown
The redis-cli command
# /opt/rh/rh-redis6/root/usr/bin/redis-cli
Deploy JumpServer from source
# cd /opt
# wget https://github.com/jumpserver/jumpserver/releases/download/v2.26.1/jumpserver-v2.26.1.tar.gz
Extract the JumpServer source archive
# tar -xf jumpserver-v2.26.1.tar.gz
Create a symlink to the JumpServer install directory to make later upgrades easier
# ln -sv /opt/jumpserver-v2.26.1 /opt/jumpserver
Install the modules needed to run JumpServer
Enter the Python 3 virtual environment
# source /opt/py3/bin/activate
Install the dependency environment
# yum -y install openldap-devel bash-completion libxml2-devel libxml2 libffi libffi-devel libxslt libxslt-devel sshpass bash-completion g++ make xmlsec1 xmlsec1-devel xmlsec1-openssl xmlsec1-openssl-devel libtool-ltdl libtool-ltdl-devel
Every time you run the project you must first execute source /opt/py3/bin/activate to load this environment.
# pip3 install -U pip setuptools wheel -i https://mirrors.aliyun.com/pypi/simple/
# pip3 install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
If the following screen appears, the installation succeeded
Edit the configuration file JumpServer runs with
Edit the JumpServer configuration file
# cd /opt/jumpserver/
# cp config_example.yml config.yml
# grep -Ev "^#|^$" config.yml
SECRET_KEY:   # set SECRET_KEY
BOOTSTRAP_TOKEN:   # set BOOTSTRAP_TOKEN
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:   # fill in the MySQL password
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
Apply the changes
(py3) [root@jumpserver2 jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@jumpserver2 jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@jumpserver2 jumpserver]# sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver2 jumpserver]# sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver2 jumpserver]# sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver2 jumpserver]# sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver2 jumpserver]# sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver2 jumpserver]# sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
(py3) [root@jumpserver2 jumpserver]# echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
你的SECRET_KEY是 7mHWJ7NVlbPYUD6pGMGJJqeePSOzWKpWyxW2UazUw7VBjqqYVb
(py3) [root@jumpserver2 jumpserver]# echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
你的BOOTSTRAP_TOKEN是 IRMA7PIraLqARwN6
Contents after modification
# grep -Ev "^#|^$" config.yml
SECRET_KEY: 7mHWJ7NVlbPYUD6pGMGJJqeePSOzWKpWyxW2UazUw7VBjqqYVb
BOOTSTRAP_TOKEN: IRMA7PIraLqARwN6
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: NIhao123@
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
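The token generation and the sed edits above can be wrapped into one script that also checks its own result. The following is an added example, not code from the page or from the JumpServer project: it fills SECRET_KEY, BOOTSTRAP_TOKEN and DB_PASSWORD into a config.yml, applies the same DEBUG, LOG_LEVEL and SESSION_EXPIRE_AT_BROWSER_CLOSE changes, and then verifies that none of the secrets is still blank. A sed whose pattern does not match leaves the key empty without any error, and a DB_PASSWORD containing `/` or `&` would break the `s///` replacement; copying lines verbatim avoids both problems. The template written by write_sample_template is a constructed stand-in for config_example.yml, and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the page or the JumpServer project): render a JumpServer
# config.yml from a template and verify that no secret was left blank.
# All function names and the embedded template are constructed for this example.

# Write a constructed stand-in for config_example.yml to the path given in $1.
write_sample_template() {
    cat > "$1" <<'EOF'
# Constructed sample; the real config_example.yml has many more keys
SECRET_KEY:
BOOTSTRAP_TOKEN:
# DEBUG: true
# LOG_LEVEL: DEBUG
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
EOF
}

# Print $1 random characters from [A-Za-z0-9], as the page does with tr/head.
# LC_ALL=C keeps tr from rejecting non-UTF-8 bytes read from /dev/urandom.
gen_token() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# set_key FILE KEY VALUE: rewrite the first line that is "KEY:..." or a
# commented "# KEY:..." as "KEY: VALUE".  Every other line is copied verbatim,
# so VALUE may contain '/', '&' or anything else that would break a sed s///.
set_key() {
    file=$1 key=$2 val=$3 tmp="$1.tmp.$$" replaced=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$replaced" -eq 0 ]; then
            case "$line" in
                "$key:"*|"# $key:"*) printf '%s: %s\n' "$key" "$val"; replaced=1; continue ;;
            esac
        fi
        printf '%s\n' "$line"
    done < "$file" > "$tmp"
    mv "$tmp" "$file"
}

# fill_config FILE DB_PASSWORD: the same edits the page makes with sed.
fill_config() {
    set_key "$1" SECRET_KEY "$(gen_token 50)"
    set_key "$1" BOOTSTRAP_TOKEN "$(gen_token 16)"
    set_key "$1" DB_PASSWORD "$2"
    set_key "$1" DEBUG false
    set_key "$1" LOG_LEVEL ERROR
    set_key "$1" SESSION_EXPIRE_AT_BROWSER_CLOSE true
}

# check_config FILE: return 0 only if every secret has a non-empty value.
check_config() {
    rc=0
    for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD; do
        if ! grep -Eq "^$key: [^[:space:]]+" "$1"; then
            echo "check_config: $key is missing or empty in $1" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo: sh render_config.sh demo
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample_template "$f"
    fill_config "$f" 'example-db-password'   # constructed placeholder password
    check_config "$f" && grep -Ev '^#|^$' "$f"
    rm -f "$f"
fi
```

On a real host, point fill_config at /opt/jumpserver/config.yml after copying config_example.yml, and keep the printed BOOTSTRAP_TOKEN, since koko and Guacamole must be configured with the same value.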
JumpServer is built on the Python web framework Django, so the database migration must be run first to generate the tables before the program can run
# rm -f /opt/jumpserver/apps/locale/zh/LC_MESSAGES/django.mo
# python3 /opt/jumpserver/apps/manage.py makemigrations
# python3 /opt/jumpserver/apps/manage.py migrate
After running these commands, connect to the database and check whether tables have been created in the jumpserver database.
Start the JumpServer service
# /opt/jumpserver/jms start all -d
# To run in the background, use the -d parameter: ./jms start all -d
# The new version updated the run script; usage: ./jms start|stop|status|restart all, adding -d to run in the background
If it runs without errors, continue with the steps below.
Deploy the koko component
koko is a component written in Go; compared with the earlier coco component written in Python, it offers better performance, efficiency and system resource utilisation
Note: all of this is done inside the Python virtual environment
Install the Go environment
# yum -y install golang
Download URL
# wget https://github.com/jumpserver/koko/releases/download/v2.26.1/koko-v2.26.1-linux-amd64.tar.gz
Extract the file
# tar -xf koko-v2.26.1-linux-amd64.tar.gz
Create a symlink for the directory
# ln -sv koko-v2.26.1-linux-amd64 koko
Enter the directory
# cd koko
Copy the configuration file
# cp config_example.yml config.yml
Edit the configuration file
# grep -Ev "^#|^$" config.yml
CORE_HOST: http://127.0.0.1:8080   # address and port of the JumpServer core component
BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>   # change BOOTSTRAP_TOKEN to the BOOTSTRAP_TOKEN from the core config file
Configuration after modification
# grep -E -v "^#|^$" config.yml
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: IRMA7PIraLqARwN6
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD:
REDIS_CLUSTERS:
REDIS_DB_ROOM:
Start the koko component
# ./koko -d
Check the log; these lines show that koko started successfully
# tail -f /opt/koko/data/logs/koko.log
2022-10-01 21:38:45 [INFO] Exchange share room type: local
2022-10-01 21:38:45 [INFO] Start HTTP Server at 0.0.0.0:5000
2022-10-01 21:38:45 [INFO] Start SSH server at 0.0.0.0:2222
2022-10-01 21:38:45 [INFO] Upload remain replay done
You can also use netstat to check that ports 5000 and 2222 are listening
Install and configure Guacamole Server, which provides the remote desktop function; see the reference link
# mkdir /opt/guacamole
# cd /opt/guacamole
# git clone https://gitee.com/maxto1234/docker-guacamole.git
# cd docker-guacamole/
# mv guacamole-server-1.0.0.tar.gz ../
# tar -xf guacamole-server-1.0.0.tar.gz
# cd guacamole-server-1.0.0
Install the dependency environment
# yum -y install cairo-devel libjpeg-devel libpng-devel uuid-devel
# yum -y install ffmpeg-devel freerdp-devel pango-devel libssh2-devel
# yum -y install libtelnet-devel libvncserver-devel pulseaudio-libs-devel
# yum -y install openssl-devel libvorbis-devel libwebp-devel
# yum -y install freerdp-plugins
# yum install cairo-devel libjpeg-turbo-devel libjpeg-devel libpng-devel uuid-devel wget gcc gcc-c++
# Install the FFmpeg tool
# yum -y install epel-release
# rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
# rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
# yum install libvncserver-devel freerdp1.2-devel libssh2-devel openssl-devel pango-devel libtelnet-devel pulseaudio-libs-devel libvorbis-devel libwebp-devel
# yum -y install ffmpeg ffmpeg-devel
Compile and install guacamole
# cd /opt/guacamole/guacamole-server-1.0.0
# ./configure --with-init-dir=/etc/init.d/
# make && make install
Install the Java JDK environment
# yum -y install java-1.8.0-openjdk
Create the directories guacamole needs to run
# mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive
# chown daemon:daemon /config/guacamole/record /config/guacamole/drive
# cd /config
Download Tomcat, which is used to run the Java application
First look up the download path on the Tomcat website: https://tomcat.apache.org/download-90.cgi
After selecting a version, download it with wget
# cd /opt
# wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.67/bin/apache-tomcat-9.0.67.tar.gz
The JDK was installed above; check the Java version
# java -version
openjdk version "1.8.0_345"
OpenJDK Runtime Environment (build 1.8.0_345-b01)
OpenJDK 64-Bit Server VM (build 25.345-b01, mixed mode)
Extract the archive
# tar -xf apache-tomcat-9.0.67.tar.gz
To run guacamole under Tomcat, their configuration files need to be modified
# ln -sv apache-tomcat-9.0.67 tomcat9
# rm -rf /opt/tomcat9/webapps/*
# sed -i 's/Connector port="8080"/Connector port="8081"/g' /opt/tomcat9/conf/server.xml
# echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /opt/tomcat9/conf/logging.properties
# ln -sf /opt/guacamole/docker-guacamole/guacamole-1.0.0.war /opt/tomcat9/webapps/ROOT.war
# ln -sf /opt/guacamole/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar
# ln -sf /opt/guacamole/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties
Set the runtime environment variables for guacamole
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=IRMA7PIraLqARwN6
echo "export BOOTSTRAP_TOKEN=IRMA7PIraLqARwN6" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc
Start the services
# /etc/init.d/guacd start
Starting guacd: guacd[68954]: INFO: Guacamole proxy daemon (guacd) version 1.0.0 started
SUCCESS
Start Tomcat
# sh /opt/tomcat9/bin/startup.sh
Using CATALINA_BASE:   /opt/tomcat9
Using CATALINA_HOME:   /opt/tomcat9
Using CATALINA_TMPDIR: /opt/tomcat9/temp
Using JRE_HOME:        /usr
Using CLASSPATH:       /opt/tomcat9/bin/bootstrap.jar:/opt/tomcat9/bin/tomcat-juli.jar
Using CATALINA_OPTS:
Tomcat started.
Install and configure the Lina component
Download the Lina file
# wget https://github.com/jumpserver/lina/releases/download/v2.26.1/lina-v2.26.1.tar.gz
Install nginx
# yum install nginx
Configure
Enter the download directory
# cd /opt
Extract the lina archive
# tar -xf lina-v2.26.1.tar.gz
Create a symlink for lina
# ln -sv lina-v2.26.1 lina
Change the owner and group of the lina directory to nginx
# chown -R nginx.nginx lina-v2.26.1
# chown -R nginx.nginx lina
Install and configure the Luna component
Download the Luna file
# wget https://github.com/jumpserver/luna/releases/download/v2.26.1/luna-v2.26.1.tar.gz
Configure
# tar -xf luna-v2.26.1.tar.gz
# ln -sv luna-v2.26.1 luna
Configure nginx
Back up the configuration file
# cd /etc/nginx
# cp nginx.conf nginx.conf.bak
# Delete this section
    server {
        listen       80;
        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
Replace it with the following
    server {
        listen 80;
        root /opt/lina/;  # this is important; it took a long time to find
        #client_max_body_size 100m;  # size limit for recordings and file uploads

        location /ui/ {
            try_files $uri / /index.html;
            alias /opt/lina/;
        }

        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;  # luna path; change this if the install directory changes
        }

        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;  # recording location; change this if the install directory changes
        }

        location /static/ {
            root /opt/jumpserver/data/;  # static resources; change this if the install directory changes
        }

        location /koko/ {
            proxy_pass http://localhost:5000;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /guacamole/ {
            proxy_pass http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /ws/ {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://localhost:8070;
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location /api/ {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /core/ {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location / {
            rewrite ^/(.*)$ /ui/$1 last;
        }
    }
Check the syntax and start nginx
# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# systemctl start nginx
# systemctl enable nginx
Log in to verify; the username and password are both admin