Ubuntu18.04搭建jumpserver

安装 ubuntu18.04

1 install默认安装即可

jumpserver

堡垒机简介

Jumpserver 为管理后台, 管理员可以通过 Web 页面进行资产管理、用户管理、资产授权等操作,

用户可以通过 Web 页面进行资产登录, 文件管理等操作koko 为 SSH Server 和 Web Terminal Server 。用户可以使用自己的账户通过 SSH 或者 Web Terminal 访问 SSH 协议和 Telnet 协议资产

Luna 为 Web Terminal Server 前端页面, 用户使用 Web Terminal 方式登录所需要的组件Guacamole

为 RDP 协议和 VNC 协议资产组件, 用户可以通过 Web Terminal 来连接 RDP 协议和 VNC 协议资产

(暂时只能通过 Web Terminal 来访问)

Jumpserver 默认端口为 8080/tcp 配置文件 jumpserver/config.yml

koko 默认 SSH 端口为 2222/tcp, 默认 Web Terminal 端口为 5000/tcp 配置文件在 koko/config.yml

Guacamole 默认端口为 8081/tcp, 配置文件 /config/Tomcat9/conf/server.xml

Nginx 默认端口为 80/tcp

redis 默认端口为 6379/tcp

MySQL 默认端口为 3306/tcp

Protocol Server name Port

TCP Jumpserver 8080

TCP koko 2222, 5000

TCP Guacamole 8081

TCP Db 3306

TCP Redis 6379

TCP Nginx 80

1、 创建Python3.6虚拟环境

2、 安装python3.6

1 安装依赖包：

配置apt源

sudo mv /etc/apt/sources.list /etc/apt/sources.list.bak

cd /etc/apt/sources.list.d/

安装vim

apt-get install vim

sudo vim aliyun.list(不做也可以)

(deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse

deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse

deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse

deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse

deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse

deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse

deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse

deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse

deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse

deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse

deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse

更新升级

设置root密码

sudo passwd root

安装openssh-server

Sudo apt-get install openssh-server

配置IP地址

apt-get update && apt-get -y upgrade

apt-get -y install wget gcc libffi-dev git

修改字符集

apt-get -y install language-pack-zh-hans

echo 'LANG="zh_CN.UTF-8"' > /etc/default/locale

重新打开终

端验证 echo $LANG

2 安装python3.6 (ubuntu安装了python3.6.9)

apt-get -y install python3.6 python3.6-dev python3.6-venv

3 建立python虚拟环境

cd /opt

apt-get install python3-venv -y

python3.6 -m venv py3

source /opt/py3/bin/activate

此时提示符发生变化

4 自动载入python虚拟环境

cd /opt

git clone

echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc

source ~/.bashrc

5 下载安装Jumpserver

cd /opt

source /opt/py3/bin/activate

git clone

echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env

安装jumpserver依赖包

cd /opt/jumpserver/requirements

#首次进入会有按Y提示

apt-get -y install $(cat deb_requirements.txt)

6 安装 Python 库依赖

pip install --upgrade pip setuptools

pip install -r requirements.txt

# 如果下载速度很慢, 可以换国内源

(pipinstall–upgradepipsetuptools-i

pipinstall-rrequirements.txt-i )

这一步可能会报错（执行apt-get install python3.6-dev libmysqlclient-dev）

在执行pip install -r requirements.txt，如果报超时错误，多执行几遍直到完全安装

7 安装Redis，jumpserver使用Redis做cache

apt-get -y install redis-server

3、 安装数据库

1. 安装并初始化数据库

apt-get -y install mysql-server

初始化mysql, mysql_secure_installation

之后会有一下提示，选择自己合适的

root@localhost:/# sudo mysql_secure_installation （修改root密码）

Securing the MySQL server deployment.

Enter password for user root:

VALIDATE PASSWORD PLUGIN can be used to test passwords

and improve security. It checks the strength of password

and allows the users to set only those passwords which are

secure enough. Would you like to setup VALIDATE PASSWORD plugin?

Press y|Y for Yes, any other key for No: y（是否安装密码安全插件，开发环境可以选n）

There are three levels of password validation policy:

LOW Length >= 8

MEDIUM Length >= 8, numeric, mixed case, and special characters

STRONG Length >= 8, numeric, mixed case, special characters and dictionary file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: （安全模式0低，1中等，2强）

Invalid option provided.

There are three levels of password validation policy:

LOW Length >= 8

MEDIUM Length >= 8, numeric, mixed case, and special characters

STRONG Length >= 8, numeric, mixed case, special characters and dictionary file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2

Using existing password for root.

Estimated strength of the password: 25

Change the password for root ? ((Press y|Y for Yes, any other key for No) : n

… skipping.

By default, a MySQL installation has an anonymous user,

allowing anyone to log into MySQL without having to have

a user account created for them. This is intended only for

testing, and to make the installation go a bit smoother.

You should remove them before moving into a production

environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No) : n（是否删除匿名用户）

… skipping.

Normally, root should only be allowed to connect from

'localhost'. This ensures that someone cannot guess at

the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : n（是否禁止root远程登录）

… skipping.

By default, MySQL comes with a database named 'test' that

anyone can access. This is also intended only for testing,

and should be removed before moving into a production

environment.

Remove test database and access to it? (Press y|Y for Yes, any other key for No) : n（是否删除测试数据库）

… skipping.

Reloading the privilege tables will ensure that all changes

made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y（是否重新加载权限）

Success.

All done!

到此MySql数据库安装完成！

2. 创建数据库jumpserver并授权

mysql -uroot -p

create database jumpserver default charset 'utf8';

grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456';（密码有复杂度要求）（jumpserver为数据库名称）

flush privileges;

quit

3. 修改jumpserver配置文件

cd /opt/jumpserver

cp config_example.yml config.yml

vim config.yml

如下：（记住你的BOOTSTRAP_TOKEN:*******随机选项数字加字母）

# SECURITY WARNING: keep the secret key used in production secret!

# 加密秘钥 生产环境中请修改为随机字符串，请勿外泄, 可使用命令生成

# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo

SECRET_KEY: W5Ic3fMXNZ0p5RIy5DhJYJllppTfcfkW8Yuf94VBMfpcssbfu

# SECURITY WARNING: keep the bootstrap token used in production secret!

# 预共享Token coco和guacamole用来注册服务账号，不在使用原来的注册接受机制

BOOTSTRAP_TOKEN: zxffNymGjP79j6BN

# Development env open this, when error occur display the full process track, Production disable it

# DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志

DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/

# 日志级别

LOG_LEVEL: ERROR

# LOG_DIR:

# Session expiration setting, Default 24 hour, Also set expired on on browser close

# 浏览器Session过期时间，默认24小时, 也可以设置浏览器关闭则过期

# SESSION_COOKIE_AGE: 86400

SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres ....

# 数据库设置

# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:

# 使用单文件sqlite数据库

# DB_ENGINE: sqlite3

# DB_NAME:

# MySQL or postgres setting like:

# 使用Mysql作为数据库

DB_ENGINE: mysql

DB_HOST: 127.0.0.1

DB_PORT: 3306

DB_USER: jumpserver

DB_PASSWORD: rBi41SrDqlX4zsx9e1L0cqTP（数据库中创建的密码）

DB_NAME: jumpserver

# When Django start it will bind this host and port

# ./manage.py runserver 127.0.0.1:8080

# 运行时绑定端口

HTTP_BIND_HOST: 0.0.0.0

HTTP_LISTEN_PORT: 8080

WS_LISTEN_PORT: 8070

# Use Redis as broker for celery and web socket

# Redis配置

REDIS_HOST: 127.0.0.1

REDIS_PORT: 6379

REDIS_PASSWORD: ZhYnLrodpmPncovxJTnRyiBs

# REDIS_DB_CELERY: 3

# REDIS_DB_CACHE: 4

# Use OpenID authorization

# 使用OpenID 来进行认证设置

# BASE_SITE_URL: http://localhost:8080

# AUTH_OPENID: false # True or False

# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/

# AUTH_OPENID_REALM_NAME: realm-name

# AUTH_OPENID_CLIENT_ID: client-id

# AUTH_OPENID_CLIENT_SECRET: client-secret

# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True

# AUTH_OPENID_SHARE_SESSION: True

# Use Radius authorization

# 使用Radius来认证

# AUTH_RADIUS: false

# RADIUS_SERVER: localhost

# RADIUS_PORT: 1812

# RADIUS_SECRET:

# CAS 配置

# AUTH_CAS': False,

# CAS_SERVER_URL': "http://host/cas/",

# CAS_ROOT_PROXIED_AS': 'http://jumpserver-host:port',

# CAS_LOGOUT_COMPLETELY': True,

# CAS_VERSION': 3,

# LDAP/AD settings

# LDAP 搜索分页数量

# AUTH_LDAP_SEARCH_PAGED_SIZE: 1000

#

# 定时同步用户

# 启用 / 禁用

# AUTH_LDAP_SYNC_IS_PERIODIC: True

# 同步间隔 (单位: 时) (优先）

# AUTH_LDAP_SYNC_INTERVAL: 12

# Crontab 表达式

# AUTH_LDAP_SYNC_CRONTAB: * 6 * * *

#

# LDAP 用户登录时仅允许在用户列表中的用户执行 LDAP Server 认证

# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False

#

# LDAP 认证时如果日志中出现以下信息将参数设置为 0 (详情参见：https://www.python-ldap.org/en/latest/faq.html)

# In order to perform this operation a successful bind must be completed on the connection

# AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1

# OTP settings

# OTP/MFA 配置

# OTP_VALID_WINDOW: 0

# OTP_ISSUER_NAME: Jumpserver

# Perm show single asset to ungrouped node

# 是否把未授权节点资产放入到 未分组 节点中

# PERM_SINGLE_ASSET_TO_UNGROUP_NODE: false

#

# 启用定时任务

# PERIOD_TASK_ENABLE: True

#

# 启用二次复合认证配置

# LOGIN_CONFIRM_ENABLE: False

#

# windows 登录跳过手动输入密码

#WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True

完成

启动jumpserver服务

cd /opt/jumpserver

./jms start -d

4、 正常部署KOKO组件

1. 安装部署koko

cd /opt &&

wgethttps://github.com/jumpserver/koko/releases/download/v2.0.2/koko-v2.0.2-linux-amd64.tar.gz

解压

tar -xf koko-v2.0.2-linux-amd64.tar.gz &&

mv koko-v2.0.2-linux-amd64 koko &&

chown -R root:root koko &&

cd koko

2. 配置config.yml文件

cp config_example.yml config.yml &&

vi config.yml

如下 （BOOTSTRAP_TOKEN为jumpserver中的一致）

# 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复

# NAME: {{ Hostname }}

# Jumpserver项目的url, api请求注册会使用

CORE_HOST: http://127.0.0.1:8080

# Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal

# 请和jumpserver 配置文件中保持一致，注册完成后可以删除

BOOTSTRAP_TOKEN: zxffNymGjP79j6BN

# 启动时绑定的ip, 默认 0.0.0.0

# BIND_HOST: 0.0.0.0

# 监听的SSH端口号, 默认2222

# SSHD_PORT: 2222

# 监听的HTTP/WS端口号，默认5000

# HTTPD_PORT: 5000

# 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中,

# 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret

# ACCESS_KEY: null

# ACCESS KEY 保存的地址, 默认注册后会保存到该文件中

# ACCESS_KEY_FILE: data/keys/.access_key

# 设置日志级别 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]

LOG_LEVEL: ERROR

# SSH连接超时时间 (default 15 seconds)

# SSH_TIMEOUT: 15

# 语言 [en,zh]

# LANG: zh

# SFTP的根目录, 可选 /tmp, Home其他自定义目录

# SFTP_ROOT: /tmp

# SFTP是否显示隐藏文件

# SFTP_SHOW_HIDDEN_FILE: false

# 是否复用和用户后端资产已建立的连接(用户不会复用其他用户的连接)

# REUSE_CONNECTION: true

# 资产加载策略, 可根据资产规模自行调整. 默认异步加载资产, 异步搜索分页; 如果为all, 则资产全部加载, 本地搜索分页.

# ASSET_LOAD_POLICY:

# zip压缩的最大额度 (单位: M)

# ZIP_MAX_SIZE: 1024M

# zip压缩存放的临时目录 /tmp

# ZIP_TMP_PATH: /tmp

# 向 SSH Client 连接发送心跳的时间间隔 (单位: 秒)，默认为30, 0则表示不发送

# CLIENT_ALIVE_INTERVAL: 30

# 向资产发送心跳包的重试次数，默认为3

# RETRY_ALIVE_COUNT_MAX: 3

# 会话共享使用的类型 [local, redis], 默认local

SHARE_ROOM_TYPE: redis

# Redis配置

REDIS_HOST: 127.0.0.1

REDIS_PORT: 6379

#REDIS_PASSWORD: ZhYnLrodpmPncovxJTnRyiBs

# REDIS_CLUSTERS:

REDIS_DB_ROOM: 6

完成

启动服务 ./koko -d

3. 正常部署 Guacamole 组件

下载

cd /opt && wget -O Docker-guacamole-v2.1.1.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz

解压

mkdir /opt/docker-guacamole &&

tar -xf docker-guacamole-v2.1.1.tar.gz -C /opt/docker-guacamole --strip-components 1 &&

rm -rf /opt/docker-guacamole-v2.1.1.tar.gz &&

cd /opt/docker-guacamole &&

wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz &&

tar -xf guacamole-server-1.2.0.tar.gz &&

wget http://download.jumpserver.org/public/ssh-forward.tar.gz &&

tar -xf ssh-forward.tar.gz -C /bin/ &&

chmod +x /bin/ssh-forward

cd /opt/guacamole/guacamole-server-1.2.0

./configure --with-init-dir=/etc/init.d &&

make &&

make install

5、 部署tomcat

1. 安装JAVA环境

apt-get -y install default-jre default-jdk

mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive &&

chown daemon:daemon /config/guacamole/record /config/guacamole/drive &&

cd /config

2. 配置Tomcat9

下载

wget http://mirrors.tuna.tsinghua.edu.cn/Apache/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz

tar -xf apache-tomcat-9.0.36.tar.gz &&

mv apache-tomcat-9.0.36 tomcat9 &&

rm -rf /config/tomcat9/webApps/* &&

sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml &&

echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties

wget

tar -xf guacamole-client-v2.1.1.tar.gz

rm -rf guacamole-client-v2.1.1.tar.gz

cp guacamole-client-v2.1.1/guacamole-*.war /config/tomcat9/webapps/ROOT.war

cp guacamole-client-v2.1.1/guacamole-*.jar /config/guacamole/extensions/

mv /opt/docker-guacamole/guacamole.properties /config/guacamole/

rm -rf /opt/docker-guacamole

3. 设置 Guacamole 环境

export JUMPSERVER_SERVER=http://127.0.0.1:8080

echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc

export BOOTSTRAP_TOKEN={jumpserver的一致}

echo "export BOOTSTRAP_TOKEN={jumpserver的一致}" >> ~/.bashrc

export JUMPSERVER_KEY_DIR=/config/guacamole/keys

echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc

export GUACAMOLE_HOME=/config/guacamole

echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc

export GUACAMOLE_LOG_LEVEL=ERROR

echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc

export JUMPSERVER_ENABLE_DRIVE=true

echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc

环境变量说明

JUMPSERVER_SERVER 指 core 访问地址

BOOTSTRAP_TOKEN 为 Jumpserver/config.yml 里面的 BOOTSTRAP_TOKEN 值

JUMPSERVER_KEY_DIR 认证成功后 key 存放目录

GUACAMOLE_HOME 为 guacamole.properties 配置文件所在目录

GUACAMOLE_LOG_LEVEL 为生成日志的等级

JUMPSERVER_ENABLE_DRIVE 为 rdp 协议挂载共享盘

启动Guacamole

/etc/init.d/guacd start

sh /config/tomcat9/bin/startup.sh

4. 下载Lina luna组件

lina

cd /opt

wget https://github.com/jumpserver/lina/releases/download/v2.0.2/lina-v2.0.2.tar.gz

wget

tar -xf lina-v2.0.2.tar.gz

mv lina-v2.0.2 lina

chown -R nginx:nginx lina

luna

cd /opt

wget https://github.com/jumpserver/luna/releases/download/v2.0.2/luna-v2.0.2.tar.gz

tar -xf luna-v2.0.2.tar.gz

mv luna-v2.0.2 luna

chown -R nginx:nginx luna

6、 安装nginx整合组件

1. 安装nginx

$ apt-get update

$ apt-get -y install nginx

2. 准备配置文件

$ rm -rf /etc/nginx/conf.d/default.conf

$ vim /etc/nginx/conf.d/jumpserver.conf

如下

server {

listen 80;

client_max_body_size 100m; # 录像及文件上传大小限制

location /ui/ {

try_files $uri / /index.html;

alias /opt/lina/;

}

location /luna/ {

try_files $uri / /index.html;

alias /opt/luna/; # luna 路径, 如果修改安装目录, 此处需要修改

}

location /media/ {

add_header Content-Encoding gzip;

root /opt/jumpserver/data/; # 录像位置, 如果修改安装目录, 此处需要修改

}

location /static/ {

root /opt/jumpserver/data/; # 静态资源, 如果修改安装目录, 此处需要修改

}

location /koko/ {

proxy_pass http://localhost:5000;

proxy_buffering off;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Host $host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

access_log off;

}

location /guacamole/ {

proxy_pass http://localhost:8081/;

proxy_buffering off;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection $http_connection;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Host $host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

access_log off;

}

location /ws/ {

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Host $host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_pass http://localhost:8070;

proxy_http_version 1.1;

proxy_buffering off;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

}

location /api/ {

proxy_pass http://localhost:8080;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Host $host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

location /core/ {

proxy_pass http://localhost:8080;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Host $host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

location / {

rewrite ^/(.*)$ /ui/$1 last;

}

}

完成

重启nginx服务

nginx -t

nginx -s reload

1. 七、测试

打开google 输入http://IP:8080登陆jumpserver 默认用户admin 密码 admin

如果出现nginxwelcome界面 编辑vim /etc/nginx/nginx.conf 只保留include /etc/nginx/conf.d/*.conf;项

如果登录客户端是 macOS 或 Linux, 登录语法如下

$ ssh -p2222 admin@IP

$ sftp -P2222 admin@IP

密码: admin

如果登录客户端是 Windows, Xshell Terminal 登录语法如下

$ ssh admin@192.168.0.49 2222

$ sftp admin@192.168.0.49 2222

密码: admin

如果能登陆代表部署成功

sftp默认上传的位置在资产的 /tmp 目录下

windows拖拽上传的位置在资产的 Guacamole RDP上的 G 目录下