安装 ubuntu18.04
1 install默认安装即可
jumpserver
堡垒机简介
Jumpserver 为管理后台, 管理员可以通过 Web 页面进行资产管理、用户管理、资产授权等操作,
用户可以通过 Web 页面进行资产登录, 文件管理等操作koko 为 SSH Server 和 Web Terminal Server 。用户可以使用自己的账户通过 SSH 或者 Web Terminal 访问 SSH 协议和 Telnet 协议资产
Luna 为 Web Terminal Server 前端页面, 用户使用 Web Terminal 方式登录所需要的组件Guacamole
为 RDP 协议和 VNC 协议资产组件, 用户可以通过 Web Terminal 来连接 RDP 协议和 VNC 协议资产
(暂时只能通过 Web Terminal 来访问)
Jumpserver 默认端口为 8080/tcp 配置文件 jumpserver/config.yml
koko 默认 SSH 端口为 2222/tcp, 默认 Web Terminal 端口为 5000/tcp 配置文件在 koko/config.yml
Guacamole 默认端口为 8081/tcp, 配置文件 /config/Tomcat9/conf/server.xml
Nginx 默认端口为 80/tcp
redis 默认端口为 6379/tcp
MySQL 默认端口为 3306/tcp
Protocol Server name Port
TCP Jumpserver 8080
TCP koko 2222, 5000
TCP Guacamole 8081
TCP Db 3306
TCP Redis 6379
TCP Nginx 80
1、 创建Python3.6虚拟环境
2、 安装python3.6
1 安装依赖包:
配置apt源
sudo mv /etc/apt/sources.list /etc/apt/sources.list.bak
cd /etc/apt/sources.list.d/
安装vim
apt-get install vim
sudo vim aliyun.list(不做也可以)
(deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
更新升级
设置root密码
sudo passwd root
安装openssh-server
Sudo apt-get install openssh-server
配置IP地址
apt-get update && apt-get -y upgrade
apt-get -y install wget gcc libffi-dev git
修改字符集
apt-get -y install language-pack-zh-hans
echo 'LANG="zh_CN.UTF-8"' > /etc/default/locale
重新打开终
端验证 echo $LANG
2 安装python3.6 (ubuntu安装了python3.6.9)
apt-get -y install python3.6 python3.6-dev python3.6-venv
3 建立python虚拟环境
cd /opt
apt-get install python3-venv -y
python3.6 -m venv py3
source /opt/py3/bin/activate
此时提示符发生变化
4 自动载入python虚拟环境
cd /opt
git clone
echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
source ~/.bashrc
5 下载安装Jumpserver
cd /opt
source /opt/py3/bin/activate
git clone
echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
安装jumpserver依赖包
cd /opt/jumpserver/requirements
#首次进入会有按Y提示
apt-get -y install $(cat deb_requirements.txt)
6 安装 Python 库依赖
pip install --upgrade pip setuptools
pip install -r requirements.txt
# 如果下载速度很慢, 可以换国内源
(pipinstall–upgradepipsetuptools-i
pipinstall-rrequirements.txt-i )
这一步可能会报错(执行apt-get install python3.6-dev libmysqlclient-dev)
在执行pip install -r requirements.txt,如果报超时错误,多执行几遍直到完全安装
7 安装Redis,jumpserver使用Redis做cache
apt-get -y install redis-server
3、 安装数据库
1. 安装并初始化数据库
apt-get -y install mysql-server
初始化mysql, mysql_secure_installation
之后会有一下提示,选择自己合适的
root@localhost:/# sudo mysql_secure_installation (修改root密码)
Securing the MySQL server deployment.
Enter password for user root:
VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?
Press y|Y for Yes, any other key for No: y(是否安装密码安全插件,开发环境可以选n)
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: (安全模式0低,1中等,2强)
Invalid option provided.
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2
Using existing password for root.
Estimated strength of the password: 25
Change the password for root ? ((Press y|Y for Yes, any other key for No) : n
… skipping.
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.
Remove anonymous users? (Press y|Y for Yes, any other key for No) : n(是否删除匿名用户)
… skipping.
Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : n(是否禁止root远程登录)
… skipping.
By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : n(是否删除测试数据库)
… skipping.
Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y(是否重新加载权限)
Success.
All done!
到此MySql数据库安装完成!
2. 创建数据库jumpserver并授权
mysql -uroot -p
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456';(密码有复杂度要求)(jumpserver为数据库名称)
flush privileges;
quit
3. 修改jumpserver配置文件
cd /opt/jumpserver
cp config_example.yml config.yml
vim config.yml
如下:(记住你的BOOTSTRAP_TOKEN:*******随机选项数字加字母)
# SECURITY WARNING: keep the secret key used in production secret!
# 加密秘钥 生产环境中请修改为随机字符串,请勿外泄, 可使用命令生成
# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: W5Ic3fMXNZ0p5RIy5DhJYJllppTfcfkW8Yuf94VBMfpcssbfu
# SECURITY WARNING: keep the bootstrap token used in production secret!
# 预共享Token coco和guacamole用来注册服务账号,不在使用原来的注册接受机制
BOOTSTRAP_TOKEN: zxffNymGjP79j6BN
# Development env open this, when error occur display the full process track, Production disable it
# DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
DEBUG: false
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# 日志级别
LOG_LEVEL: ERROR
# LOG_DIR:
# Session expiration setting, Default 24 hour, Also set expired on on browser close
# 浏览器Session过期时间,默认24小时, 也可以设置浏览器关闭则过期
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
# Database setting, Support sqlite3, mysql, postgres ....
# 数据库设置
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
# 使用单文件sqlite数据库
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# 使用Mysql作为数据库
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: rBi41SrDqlX4zsx9e1L0cqTP(数据库中创建的密码)
DB_NAME: jumpserver
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# 运行时绑定端口
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
# Use Redis as broker for celery and web socket
# Redis配置
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: ZhYnLrodpmPncovxJTnRyiBs
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
# Use OpenID authorization
# 使用OpenID 来进行认证设置
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
# AUTH_OPENID_SHARE_SESSION: True
# Use Radius authorization
# 使用Radius来认证
# AUTH_RADIUS: false
# RADIUS_SERVER: localhost
# RADIUS_PORT: 1812
# RADIUS_SECRET:
# CAS 配置
# AUTH_CAS': False,
# CAS_SERVER_URL': "http://host/cas/",
# CAS_ROOT_PROXIED_AS': 'http://jumpserver-host:port',
# CAS_LOGOUT_COMPLETELY': True,
# CAS_VERSION': 3,
# LDAP/AD settings
# LDAP 搜索分页数量
# AUTH_LDAP_SEARCH_PAGED_SIZE: 1000
#
# 定时同步用户
# 启用 / 禁用
# AUTH_LDAP_SYNC_IS_PERIODIC: True
# 同步间隔 (单位: 时) (优先)
# AUTH_LDAP_SYNC_INTERVAL: 12
# Crontab 表达式
# AUTH_LDAP_SYNC_CRONTAB: * 6 * * *
#
# LDAP 用户登录时仅允许在用户列表中的用户执行 LDAP Server 认证
# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False
#
# LDAP 认证时如果日志中出现以下信息将参数设置为 0 (详情参见:https://www.python-ldap.org/en/latest/faq.html)
# In order to perform this operation a successful bind must be completed on the connection
# AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1
# OTP settings
# OTP/MFA 配置
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
# Perm show single asset to ungrouped node
# 是否把未授权节点资产放入到 未分组 节点中
# PERM_SINGLE_ASSET_TO_UNGROUP_NODE: false
#
# 启用定时任务
# PERIOD_TASK_ENABLE: True
#
# 启用二次复合认证配置
# LOGIN_CONFIRM_ENABLE: False
#
# windows 登录跳过手动输入密码
#WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True
完成
启动jumpserver服务
cd /opt/jumpserver
./jms start -d
4、 正常部署KOKO组件
1. 安装部署koko
cd /opt &&
wgethttps://github.com/jumpserver/koko/releases/download/v2.0.2/koko-v2.0.2-linux-amd64.tar.gz
解压
tar -xf koko-v2.0.2-linux-amd64.tar.gz &&
mv koko-v2.0.2-linux-amd64 koko &&
chown -R root:root koko &&
cd koko
2. 配置config.yml文件
cp config_example.yml config.yml &&
vi config.yml
如下 (BOOTSTRAP_TOKEN为jumpserver中的一致)
# 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
# NAME: {{ Hostname }}
# Jumpserver项目的url, api请求注册会使用
CORE_HOST: http://127.0.0.1:8080
# Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal
# 请和jumpserver 配置文件中保持一致,注册完成后可以删除
BOOTSTRAP_TOKEN: zxffNymGjP79j6BN
# 启动时绑定的ip, 默认 0.0.0.0
# BIND_HOST: 0.0.0.0
# 监听的SSH端口号, 默认2222
# SSHD_PORT: 2222
# 监听的HTTP/WS端口号,默认5000
# HTTPD_PORT: 5000
# 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中,
# 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret
# ACCESS_KEY: null
# ACCESS KEY 保存的地址, 默认注册后会保存到该文件中
# ACCESS_KEY_FILE: data/keys/.access_key
# 设置日志级别 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
LOG_LEVEL: ERROR
# SSH连接超时时间 (default 15 seconds)
# SSH_TIMEOUT: 15
# 语言 [en,zh]
# LANG: zh
# SFTP的根目录, 可选 /tmp, Home其他自定义目录
# SFTP_ROOT: /tmp
# SFTP是否显示隐藏文件
# SFTP_SHOW_HIDDEN_FILE: false
# 是否复用和用户后端资产已建立的连接(用户不会复用其他用户的连接)
# REUSE_CONNECTION: true
# 资产加载策略, 可根据资产规模自行调整. 默认异步加载资产, 异步搜索分页; 如果为all, 则资产全部加载, 本地搜索分页.
# ASSET_LOAD_POLICY:
# zip压缩的最大额度 (单位: M)
# ZIP_MAX_SIZE: 1024M
# zip压缩存放的临时目录 /tmp
# ZIP_TMP_PATH: /tmp
# 向 SSH Client 连接发送心跳的时间间隔 (单位: 秒),默认为30, 0则表示不发送
# CLIENT_ALIVE_INTERVAL: 30
# 向资产发送心跳包的重试次数,默认为3
# RETRY_ALIVE_COUNT_MAX: 3
# 会话共享使用的类型 [local, redis], 默认local
SHARE_ROOM_TYPE: redis
# Redis配置
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
#REDIS_PASSWORD: ZhYnLrodpmPncovxJTnRyiBs
# REDIS_CLUSTERS:
REDIS_DB_ROOM: 6
完成
启动服务 ./koko -d
3. 正常部署 Guacamole 组件
下载
cd /opt && wget -O Docker-guacamole-v2.1.1.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
解压
mkdir /opt/docker-guacamole &&
tar -xf docker-guacamole-v2.1.1.tar.gz -C /opt/docker-guacamole --strip-components 1 &&
rm -rf /opt/docker-guacamole-v2.1.1.tar.gz &&
cd /opt/docker-guacamole &&
wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz &&
tar -xf guacamole-server-1.2.0.tar.gz &&
wget http://download.jumpserver.org/public/ssh-forward.tar.gz &&
tar -xf ssh-forward.tar.gz -C /bin/ &&
chmod +x /bin/ssh-forward
cd /opt/guacamole/guacamole-server-1.2.0
./configure --with-init-dir=/etc/init.d &&
make &&
make install
5、 部署tomcat
1. 安装JAVA环境
apt-get -y install default-jre default-jdk
mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive &&
chown daemon:daemon /config/guacamole/record /config/guacamole/drive &&
cd /config
2. 配置Tomcat9
下载
wget http://mirrors.tuna.tsinghua.edu.cn/Apache/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz
tar -xf apache-tomcat-9.0.36.tar.gz &&
mv apache-tomcat-9.0.36 tomcat9 &&
rm -rf /config/tomcat9/webApps/* &&
sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml &&
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties
wget
tar -xf guacamole-client-v2.1.1.tar.gz
rm -rf guacamole-client-v2.1.1.tar.gz
cp guacamole-client-v2.1.1/guacamole-*.war /config/tomcat9/webapps/ROOT.war
cp guacamole-client-v2.1.1/guacamole-*.jar /config/guacamole/extensions/
mv /opt/docker-guacamole/guacamole.properties /config/guacamole/
rm -rf /opt/docker-guacamole
3. 设置 Guacamole 环境
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN={jumpserver的一致}
echo "export BOOTSTRAP_TOKEN={jumpserver的一致}" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc
环境变量说明
JUMPSERVER_SERVER 指 core 访问地址
BOOTSTRAP_TOKEN 为 Jumpserver/config.yml 里面的 BOOTSTRAP_TOKEN 值
JUMPSERVER_KEY_DIR 认证成功后 key 存放目录
GUACAMOLE_HOME 为 guacamole.properties 配置文件所在目录
GUACAMOLE_LOG_LEVEL 为生成日志的等级
JUMPSERVER_ENABLE_DRIVE 为 rdp 协议挂载共享盘
启动Guacamole
/etc/init.d/guacd start
sh /config/tomcat9/bin/startup.sh
4. 下载Lina luna组件
lina
cd /opt
wget https://github.com/jumpserver/lina/releases/download/v2.0.2/lina-v2.0.2.tar.gz
wget
tar -xf lina-v2.0.2.tar.gz
mv lina-v2.0.2 lina
chown -R nginx:nginx lina
luna
cd /opt
wget https://github.com/jumpserver/luna/releases/download/v2.0.2/luna-v2.0.2.tar.gz
tar -xf luna-v2.0.2.tar.gz
mv luna-v2.0.2 luna
chown -R nginx:nginx luna
6、 安装nginx整合组件
1. 安装nginx
$ apt-get update
$ apt-get -y install nginx
2. 准备配置文件
$ rm -rf /etc/nginx/conf.d/default.conf
$ vim /etc/nginx/conf.d/jumpserver.conf
如下
server {
listen 80;
client_max_body_size 100m; # 录像及文件上传大小限制
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路径, 如果修改安装目录, 此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 录像位置, 如果修改安装目录, 此处需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 静态资源, 如果修改安装目录, 此处需要修改
}
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}
完成
重启nginx服务
nginx -t
nginx -s reload
打开google 输入http://IP:8080登陆jumpserver 默认用户admin 密码 admin
如果出现nginxwelcome界面 编辑vim /etc/nginx/nginx.conf 只保留include /etc/nginx/conf.d/*.conf;项
如果登录客户端是 macOS 或 Linux, 登录语法如下
$ ssh -p2222 admin@IP
$ sftp -P2222 admin@IP
密码: admin
如果登录客户端是 Windows, Xshell Terminal 登录语法如下
$ ssh admin@192.168.0.49 2222
$ sftp admin@192.168.0.49 2222
密码: admin
如果能登陆代表部署成功
sftp默认上传的位置在资产的 /tmp 目录下
windows拖拽上传的位置在资产的 Guacamole RDP上的 G 目录下