实验环境
# Record the OS release this walkthrough was carried out on (output follows).
cat -- /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
jumpserver_master 192.168.10.12
jumpserver_linux客户端 192.168.10.13
jumpserver_windows客户端 192.168.10.20
软件安装
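# Host preparation for the JumpServer master. Each command here lowers a
# default protection of the host; they are kept as the author set them, with
# the consequence noted next to each.
#
# Edit the key in place instead of truncating the file: the original
# `echo SELINUX=disabled > /etc/sysconfig/selinux` replaced the whole file
# with one line. On CentOS 7 /etc/sysconfig/selinux is a symlink to
# /etc/selinux/config, so edit the target (sed -i on the symlink would
# replace the link with a plain file). Takes effect after a reboot.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
# With firewalld stopped, every port docker publishes below is reachable
# from the network as-is.
systemctl stop firewalld NetworkManager && systemctl disable firewalld NetworkManager
# Plain-http mirrors combined with gpgcheck=0 means packages are fetched and
# installed with neither transport nor signature verification; keep
# gpgcheck=1 wherever the mirror ships signed packages.
sed -i 's/https/http/g' /etc/yum.repos.d/*.repo
sed -i 's/gpgcheck=1/gpgcheck=0/g' /etc/yum.repos.d/*.repo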
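cp -pv /etc/sysctl.conf /etc/sysctl.conf.bak
# Append the tuning keys, then load them. The terminator has to be alone on
# its line: the original `EOF && sysctl -p` never closes the here-document,
# so the shell keeps reading input as part of it. The `> ` prefixes in the
# transcript were the interactive continuation prompt, not file content.
cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle is left disabled: with TCP timestamps it drops connections
# from clients sharing one source address (NAT), which is the usual case for
# users of a bastion host, and the knob was removed from the kernel in 4.12.
# net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.ip_forward = 1
EOF
sysctl -p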
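cp -pv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Disable direct root logins over SSH (access goes through the bastion).
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
# Confirm the key really changed (the sed is a silent no-op when the stock
# line differs) and that the config still parses before restarting; a
# restart on a broken config would cut off the session doing this work.
grep -q '^PermitRootLogin no' /etc/ssh/sshd_config && sshd -t && systemctl restart sshd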
# Install a pinned docker-ce build.
# NOTE(review): this assumes the docker-ce yum repository was already added
# (not shown on this page); the version printed below (18.06.2-ce) also
# differs from the one requested here - confirm which build is intended.
yum install -y yum-utils docker-ce-18.06.3.ce
systemctl daemon-reload
# Start now and at every boot.
systemctl start docker && systemctl enable docker
# Verify the installed version (output follows).
docker --version
Docker version 18.06.2-ce, build 6d37f41
# Fetch the three images used below. Tags are mutable; note the digests
# (`docker images --digests`) if the build must be reproducible later.
for image in mysql:5.7 redis:6.0.4 jumpserver/jms_all:1.5.2; do
  docker pull "$image"
done
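# MySQL backend for JumpServer. The jms container reaches it through
# `--link mysql:mysql`, so no host port is needed for that; publishing on
# 127.0.0.1 keeps host-local access (docker exec, mysqldump) without
# exposing 3306 on every interface of a host whose firewall is disabled.
# The `'jms'@'%'` account created below would otherwise be reachable from
# the network with the password written in this document.
# NOTE: a value given with -e is readable later via `docker inspect mysql`
# and stays in the shell history; the mysql:5.7 image also accepts
# MYSQL_ROOT_PASSWORD_FILE for a file-based secret.
docker run -itd --name mysql \
  -p 127.0.0.1:3306:3306 --restart=always \
  -v /etc/localtime:/etc/localtime:ro \
  -v /usr/local/docker/mysql:/var/lib/mysql \
  -e MYSQL_ROOT_PASSWORD=root123 mysql:5.7 \
  --character-set-server=utf8 --collation-server=utf8_bin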
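# Check that the server came up on 3306. Merge stderr so log lines the
# server writes there are filtered too (a bare `docker logs | grep` only
# sees stdout), and drop -f so the command returns instead of following.
docker logs mysql 2>&1 | grep 3306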
[Note] Server hostname (bind-address): '*'; port: 3306
Version: '5.7.40' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server (GPL)
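# Open a root session in MySQL. Leaving -p without a value makes the client
# prompt for the password instead of carrying it in the container's process
# list (and in the host's shell history).
docker exec -it mysql mysql -uroot -p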
mysql> create database jms default charset 'utf8mb4';
mysql> grant all on jms.* to 'jms'@'%' identified by 'jms123@root';
mysql> flush privileges;
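# Verify the new jms account can log in; the client prompts for the
# password rather than taking it on the command line.
docker exec -it mysql mysql -ujms -p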
mysql>
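# Redis backend. Same reasoning as for MySQL: jms uses `--link redis:redis`,
# so 6379 is published on loopback only. The original command ended with a
# stray `\`, which folded the following `docker logs` line into this
# command's argument list.
# NOTE: --requirepass on the command line is visible in `docker inspect
# redis` and in the container's process list.
docker run -itd --name redis \
  -p 127.0.0.1:6379:6379 --restart=always \
  -v /etc/localtime:/etc/localtime:ro \
  -v /usr/local/docker/redis:/data redis:6.0.4 \
  --appendonly yes --requirepass "root123"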
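# Confirm Redis is listening on 6379; without -f the command returns.
docker logs redis 2>&1 | grep 6379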
|`-._`-...-` __...-.``-._|'` _.-'| Port: 6379
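# Connect with redis-cli and authenticate at the prompt with `AUTH root123`;
# passing -a puts the password into the process list, which is exactly what
# the warning shown below is about.
docker exec -it redis redis-cli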
Warning: Using a password with '-a' option on the command line interface may not be safe.
127.0.0.1:6379> set key test
OK
127.0.0.1:6379> get key
"test"
127.0.0.1:6379>
配置jumpserver登入密钥
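# Generate the two secrets the jms container needs: 50 and 16 alphanumeric
# characters drawn from /dev/urandom. LC_ALL=C makes tr treat the random
# bytes as single-byte characters; under a UTF-8 locale tr can abort on an
# invalid multibyte sequence.
SECRET_KEY=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 50)
BOOTSTRAP_TOKEN=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
# Print them for the record. The sample values reproduced in this document
# are examples only and must not be reused; both values are also readable
# later via `docker inspect jms`, so treat that output as sensitive.
printf '%s\n' "$SECRET_KEY" "$BOOTSTRAP_TOKEN"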
u6txDIt4qX8lmGmQ4Ufbu2rojJ1L3IRxPLcpi5qcYrudhLXoqu
6c0el2a1xWtLpMlb
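# JumpServer all-in-one container. Refuse to start with an empty key: the
# secrets are shell variables from the step above and are lost in a new
# shell session, which would otherwise start jms with SECRET_KEY="".
: "${SECRET_KEY:?SECRET_KEY is not set - generate it first}"
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN is not set - generate it first}"
# Expansions are quoted; the generated values are alphanumeric, but an
# unquoted $VAR would word-split or glob if they ever were not.
# NOTE: every -e value here, including DB_PASSWORD and REDIS_PASSWORD, is
# readable via `docker inspect jms`. Port 80 serves the web UI over plain
# HTTP; terminate TLS in front of it if users reach it across an untrusted
# network. --link is the legacy container-link mechanism, which the Docker
# version on this host still supports.
docker run -itd --name jms \
  --restart=always -v /etc/localtime:/etc/localtime:ro \
  -v /usr/local/docker/jumpserver/:/opt/jumpserver/data \
  -p 80:80 -p 2222:2222 \
  -e SECRET_KEY="$SECRET_KEY" \
  -e BOOTSTRAP_TOKEN="$BOOTSTRAP_TOKEN" \
  -e DB_HOST="mysql" -e DB_PORT=3306 \
  -e DB_NAME="jms" -e DB_USER="jms" \
  -e DB_PASSWORD="jms123@root" --link mysql:mysql \
  -e REDIS_HOST="redis" -e REDIS_PORT="6379" \
  -e REDIS_PASSWORD="root123" --link redis:redis \
  jumpserver/jms_all:1.5.2
# Follow the container's startup log (Ctrl-C to stop following). The
# original ran this twice: once via `&&` on the run line, then again as a
# separate command.
docker logs -f jms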
gunicorn is running: 30
flower is running: 41
daphne is running: 45
celery_ansible is running: 47
celery_default is running: 48
celery_node_tree is running: 51
check_asset_perm_expired is running: 61
beat is running: 65
Starting guacd: guacd[84]: INFO: Guacamole proxy daemon (guacd) version 1.2.0 started
SUCCESS
Using CATALINA_BASE: /config/tomcat9
Using CATALINA_HOME: /config/tomcat9
Using CATALINA_TMPDIR: /config/tomcat9/temp
Using JRE_HOME: /usr
Using CLASSPATH: /config/tomcat9/bin/bootstrap.jar:/config/tomcat9/bin/tomcat-juli.jar
Using CATALINA_OPTS:
Tomcat started.
Jumpserver ALL 1.5.2
进入容器命令 docker exec -it jms /bin/bash（容器名与上文 --name jms 一致）
jumpserver服务端备份数据库
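# Dump the jms database inside the container. The redirection must run in
# the container (sh -c '...'): as originally written, `>` was applied by the
# host shell, so the dump landed in the host's /root while the du and
# docker cp that follow refer to a file inside the container. Dropping -t
# also avoids the pseudo-TTY translating newlines in the dump to CRLF.
# NOTE: -proot123 is visible in the container's process list while the dump
# runs; mysqldump can also read credentials from a --defaults-extra-file.
docker exec mysql sh -c 'mysqldump -uroot -proot123 jms > /root/jms15.sql'
# Size of the dump inside the container (output follows).
docker exec mysql du -sh /root/jms15.sql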
152K /root/jms15.sql 容器导出数据库到宿主机
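# Copy the dump out of the container to the host's /root. The trailing
# note in the original line was passed to docker cp as a third argument,
# which makes the command fail.
docker cp mysql:/root/jms15.sql /root/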
jumpserver服务端备份/导入容器
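# Export the image. `docker save` writes an uncompressed tar, so pipe it
# through gzip to make the file match its .tar.gz name. One spelling of
# the file name is used for both commands; the original saved
# jumpserve15_... and then tried to load jumpserver15_....
docker save jumpserver/jms_all:1.5.2 | gzip > /root/jumpserver15_images.tar.gz
# Import on the target host. -i takes the path as its argument; the
# original `-i < file` mixed the option with a stdin redirect and fails.
# docker load detects the gzip compression by itself.
docker load -i /root/jumpserver15_images.tar.gz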
jumpserver服务端修改admin密码
# Open an interactive shell inside the running jms container; the session
# transcript that follows changes the admin password from there.
docker exec --interactive --tty jms /bin/bash
[root@117ed8924d32 opt]# source /opt/py3/bin/activate
(py3) [root@117ed8924d32 opt]# python /opt/jumpserver/apps/manage.py changepassword admin
Changing password for user 'Administrator(admin)'
Password:
Password (again):
Password changed successfully for user 'Administrator(admin)'
(py3) [root@117ed8924d32 opt]# jumpserver修改admin用户密码
# List listening TCP/UDP sockets with their owning process. In the output
# below all four docker-proxy entries are bound to 0.0.0.0, i.e. 3306 and
# 6379 are reachable on every interface, not only by the linked containers.
netstat -tulpna | grep LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 24808/docker-proxy
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN 1186/docker-proxy
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3944/docker-proxy
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 3925/docker-proxy
用户名 admin 密码 admin
jumpserver服务端配置
创建用户
创建用户组
管理用户是资产(被控服务器)上的root用户, 用于推送系统用户、获取资产硬件信息
创建linux管理账户
创建windows管理账户
系统用户 是Jumpserver跳转登录资产时使用的用户, 即登录资产时所用的账号, 如 web (ssh web@some-host)
用户使用自己的用户名登录Jumpserver, Jumpserver使用系统用户登录资产。 系统用户创建,选择自动推送 Jumpserver会使用ansible自动推送系统用户到资产中
创建linux系统账户
创建windows系统账户
添加linux服务器资产
添加windows服务器资产
linux服务器资产授权
windows服务器资产授权
客户端web验证登入
命令行客户端登入堡垒机
# Log in to the bastion's SSH front end (port 2222) as the JumpServer user
# wyh; the menu printed after login is JumpServer's, not a host shell.
ssh -p 2222 -l wyh 192.168.10.12
wyh@192.168.10.12's password: 此处输入 wyh 用户的 Jumpserver 登录密码
wyh, 欢迎使用Jumpserver开源跳板机系统
1) 输入 ID 直接登录 或 输入部分 IP,主机名,备注 进行搜索登录(如果唯一).
2) 输入 / + IP, 主机名 or 备注 搜索. 如: /ip
3) 输入 p 显示您有权限的主机.
4) 输入 g 显示您有权限的节点.
5) 输入 g + 节点ID 显示节点下主机. 如: g1
6) 输入 s 中/英文切换.
7) 输入 h 帮助.
8) 输入 r 刷新最新的机器和节点信息.
0) 输入 q 退出.
Opt> 1
Last login: Tue Oct 17 09:33:26 2023 from 192.168.10.12
[wyh@centos7-1 ~]$ su - root
Password:
Last login: Tue Oct 17 09:36:20 CST 2023 from 192.168.10.19 on pts/2
[root@centos7-1 ~]# uptime && uname -a
09:39:21 up 17 min, 5 users, load average: 0.00, 0.04, 0.09
Linux centos7-1 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@centos7-1 ~]#
xshell6客户端验证登入验证