Jumpserver is mainly deployed on a server and used as a jump host (bastion host).
A jump host audits and records the operations staff's actions and day-to-day activity, so that malicious operations can be prevented and problems located quickly.
Prepare a server with a clean environment:
m02 is the management server host: 10.0.0.62/24 172.16.1.62/24
04-期中架构-m02-10.0.0.62
D:\vmware_centos\04-期中架构-m02-10.0.0.62
[root@oldboyedu-mu ~]# hostname m02
[root@oldboyedu-mu ~]# hostname
m02
[root@oldboyedu-mu ~]# vim /etc/sysconfig/network
[root@oldboyedu-mu ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=m02
[root@oldboyedu-mu ~]# sed -i '/IPADDR/s#210$#62#g' /etc/sysconfig/network-scripts/ifcfg-eth*
[root@oldboyedu-mu ~]# sed -n '/IPADDR/p' /etc/sysconfig/network-scripts/ifcfg-eth*
IPADDR=10.0.0.62
IPADDR=172.16.1.62
[root@oldboyedu-mu ~]# /etc/init.d/network restart
Note: cobbler, jumpserver and ansible will all conflict with one another!
Quickly set up the environment:
[root@m02 ~]# cat /etc/redhat-release
CentOS release 6.9 (Final)
[root@m02 ~]# uname -a
Linux m02 2.6.32-696.el6.x86_64 #1 SMP Tue Mar 21 19:29:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@m02 ~]# /etc/init.d/iptables status
iptables: Firewall is not running.
[root@m02 ~]# getenforce
Disabled
(1) Install dependencies:
[root@m02 ~]# yum install -y epel-release
[root@m02 ~]# yum install -y git python-pip mysql-devel gcc autoconf automake python-devel vim sshpass lrzsz readline-devel
Normal system software: install with yum;
normal Python software: install with pip;
normal Ruby software: install with gem.
[root@m02 ~]# python
Python 2.6.6 (r266:84292, Aug 18 2016, 15:13:37)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-17)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> quit()
[root@m02 ~]#
(2) Download the jumpserver package:
https://github.com/jumpserver/ is a site outside China and is slow; also check whether the release there is the Docker-only install!
Or download it from the domestic Coding site:
[root@m02 opt]# git clone https://git.coding.net/jumpserver/jumpserver.git
[root@m02 opt]# ls jumpserver/
connect.py install jlog jumpserver juser LICENSE manage.py run_websocket.py static
docs jasset jperm jumpserver.conf keys logs README.md service.sh templates
Note: in principle, if your network is good you can download from GitHub, which has the latest version, but Coding is also updated in real time.
(3) Quick install script:
[root@m02 jumpserver]# cd install/
[root@m02 install]# ls
developer_doc.txt initial_data.yaml install.py next.py requirements.txt zzjumpserver.sh
[root@m02 install]# cat requirements.txt // check the dependency packages that need to be installed
#sphinx-me==0.3
django==1.6
pycrypto==2.6.1
paramiko==1.16.0
ecdsa==0.13
MySQL-python==1.2.5
#django-uuidfield==0.5.0
psutil==3.3.0
xlsxwriter==0.7.7
xlrd==0.9.4
django-bootstrap-form==3.2
tornado==4.3
ansible==1.9.4
pyinotify==0.9.6
passlib==1.6.5
argparse==1.4.0
django_crontab==0.6.0
[root@m01 install]#
[root@m02 install]# pip install -r requirements.txt
[root@m02 install]# pip install Jinja2==2.9.6
Check whether the relevant Python packages installed successfully:
[root@m02 install]# pip freeze
[root@m02 install]# python install.py
请务必先查看wiki https://github.com/ibuler/jumpserver/wiki/Quickinstall
开始关闭防火墙和selinux
setenforce: SELinux is disabled
请输入您服务器的IP地址,用户浏览器可以访问 [10.0.0.62]: 10.0.0.62
是否安装新的MySQL服务器? (y/n) [y]: y
请输入SMTP地址: smtp.163.com
请输入SMTP端口 [25]:
请输入账户: mnlovemin@163.com
---------------------------------
Problem encountered:
请输入账户: mnlovemin@163.com
请输入密码: xxxxxxxx
(535, 'Error: authentication failed')
是否跳过(y/n) [n]? : y
请登陆邮箱查收邮件, 然后确认是否继续安装
是否继续? (y/n) [y]: y
开始写入配置文件
Traceback (most recent call last):
File "/opt/jumpserver/install/next.py", line 19, in <module>
from juser.user_api import db_add_user, get_object, User
File "/opt/jumpserver/juser/user_api.py", line 3, in <module>
from Crypto.PublicKey import RSA
File "/usr/lib64/python2.6/site-packages/Crypto/PublicKey/RSA.py", line 75, in <module>
from Crypto.Util.number import getRandomRange, bytes_to_long, long_to_bytes
File "/usr/lib64/python2.6/site-packages/Crypto/Util/number.py", line 56, in <module>
if _fastmath is not None and not _fastmath.HAVE_DECL_MPZ_POWM_SEC:
AttributeError: 'module' object has no attribute 'HAVE_DECL_MPZ_POWM_SEC'
Solution:
v0.3.2 common problems FAQ
https://github.com/jumpserver/jumpserver/wiki/v0.3.2-%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98-FAQ
This problem is usually caused by the pycrypto version: the version installed by default on the system does not match and is not compatible with this jumpserver release. Uninstall it and reinstall the right version.
[root@m02 install]# pip uninstall pycrypto
[root@m02 install]# rm -rf /usr/lib64/python2.6/site-packages/Crypto/
[root@m02 install]# pip install pycrypto==2.4.1
Check whether the pycrypto package installed successfully:
[root@m02 install]# pip freeze|grep pycrypto
pycrypto==2.4.1
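The pycrypto failure above comes from an installed package version that differs from the pin in install/requirements.txt. The shell function below is an added example (not part of the tutorial or of Jumpserver) that compares a requirements file against saved `pip freeze` output and reports every pin that is missing or at a different version, so such drift, including the deliberate downgrade to pycrypto 2.4.1, is visible before running install.py.

```shell
#!/bin/sh
# check_pins REQUIREMENTS FREEZE
#   Compare the "pkg==version" pins in a requirements file against the
#   saved output of `pip freeze`. Package names are compared
#   case-insensitively with "-" and "_" treated alike (pip prints Django,
#   requirements.txt says django). Comment and blank lines are ignored.
#   Prints one line per missing or mismatched pin; exit status 0 only when
#   every pin is satisfied.
check_pins() {
    req="$1"; frz="$2"
    awk -F'==' '
        function norm(s) { s = tolower(s); gsub(/_/, "-", s); gsub(/[ \t\r]/, "", s); return s }
        function ver(s)  { gsub(/[ \t\r]/, "", s); return s }
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines
        FILENAME == ARGV[1] { have[norm($1)] = ver($2); next }   # first file: pip freeze
        {                                                # second file: requirements
            name = norm($1); want = ver($2)
            if (!(name in have)) {
                print name ": missing (want " want ")"; bad = 1
            } else if (have[name] != want) {
                print name ": want " want ", have " have[name]; bad = 1
            }
        }
        END { exit bad }
    ' "$frz" "$req"
}

# Usage on the jumpserver host:
#   pip freeze > /tmp/freeze.txt
#   check_pins install/requirements.txt /tmp/freeze.txt
```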
---------------------------------
请输入管理员用户名 [admin]:
请输入管理员密码: [5Lov@wife]: admin
请再次输入管理员密码: [5Lov@wife]: admin
Starting jumpsever service: [ OK ]
安装成功,请访问web, 祝你使用愉快。
请访问 https://github.com/ibuler/jumpserver 查看文档
[root@m02 install]# ps -ef |grep python
root 15228 15224 0 18:50 pts/1 00:00:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; python /opt/jumpserver/run_websocket.py
root 15229 15223 0 18:50 pts/1 00:00:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; python /opt/jumpserver/manage.py runserver 0.0.0.0:80
root 15230 15228 0 18:50 pts/1 00:00:01 python /opt/jumpserver/run_websocket.py
root 15231 15229 0 18:50 pts/1 00:00:00 python /opt/jumpserver/manage.py runserver 0.0.0.0:80
root 15232 15231 1 18:50 pts/1 00:00:04 /usr/bin/python /opt/jumpserver/manage.py runserver 0.0.0.0:80
root 15240 15230 0 18:50 pts/1 00:00:00 python /opt/jumpserver/run_websocket.py
root 15241 15230 0 18:50 pts/1 00:00:00 python /opt/jumpserver/run_websocket.py
root 15242 15230 0 18:50 pts/1 00:00:00 python /opt/jumpserver/run_websocket.py
root 15243 15230 0 18:50 pts/1 00:00:00 python /opt/jumpserver/run_websocket.py
root 15244 15230 0 18:50 pts/1 00:00:00 python /opt/jumpserver/run_websocket.py
root 15261 1765 0 18:54 pts/1 00:00:00 grep python
[root@m02 install]# cd ..
[root@m02 jumpserver]# ./service.sh start
jumpserver is running...
[root@m02 jumpserver]# killall python
[root@m02 jumpserver]# killall python
python: no process killed
[root@m02 jumpserver]# ps -ef |grep python
root 15294 1765 0 19:04 pts/1 00:00:00 grep python
[root@m02 jumpserver]# ./service.sh start
jumpserver is running... [ OK ]
[root@m02 jumpserver]# ps -ef |grep python
root 15302 1765 0 19:04 pts/1 00:00:00 grep python
Restart the jumpserver service:
[root@m02 jumpserver]# ./service.sh stop
Stopping jumpsever service: [FAILED]
[root@m02 jumpserver]# ./service.sh start
Starting jumpsever service: [ OK ]
[root@m02 jumpserver]# ps -ef |grep python
root 15367 15363 0 19:09 pts/1 00:00:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; python ./run_websocket.py
root 15368 15362 0 19:09 pts/1 00:00:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; python ./manage.py runserver 0.0.0.0:80
root 15369 15367 8 19:09 pts/1 00:00:00 python ./run_websocket.py
root 15370 15368 3 19:09 pts/1 00:00:00 python ./manage.py runserver 0.0.0.0:80
root 15375 15370 5 19:09 pts/1 00:00:00 /usr/bin/python ./manage.py runserver 0.0.0.0:80
root 15379 15369 0 19:09 pts/1 00:00:00 python ./run_websocket.py
root 15380 15369 0 19:09 pts/1 00:00:00 python ./run_websocket.py
root 15381 15369 0 19:09 pts/1 00:00:00 python ./run_websocket.py
root 15382 15369 0 19:09 pts/1 00:00:00 python ./run_websocket.py
root 15383 15369 0 19:09 pts/1 00:00:00 python ./run_websocket.py
root 15392 1765 0 19:09 pts/1 00:00:00 grep python
Note: the screen command lets you detach from and reattach to sessions; while a command is running, press Ctrl+A then d to detach.
[root@m02 ~]# yum install -y screen
[root@m02 jumpserver]# ./service.sh stop
Stopping jumpsever service: [ OK ]
[root@m02 jumpserver]# ps -ef |grep python
root 15498 1765 0 19:22 pts/1 00:00:00 grep python
[root@m02 jumpserver]# sc
scl scl_enabled sclient scl_source scp script scriptreplay scsi_id
[root@m02 jumpserver]# sc
scl scl_enabled sclient scl_source scp script scriptreplay scsi_id
[root@m02 jumpserver]# screen
[root@m02 jumpserver]# python manage.py runserver 0.0.0.0:80 // press Ctrl+A then d to detach
[detached]
[root@m02 jumpserver]# ps -ef |grep python
root 15518 15509 0 19:24 pts/0 00:00:00 python manage.py runserver 0.0.0.0:80
root 15519 15518 1 19:24 pts/0 00:00:00 /usr/bin/python manage.py runserver 0.0.0.0:80
root 15522 1765 0 19:24 pts/1 00:00:00 grep python
a. View the screen sessions:
[root@m02 jumpserver]# screen -ls
There is a screen on:
15508.pts-1.m02 (Detached)
1 Socket in /var/run/screen/S-root.
b. Reattach to the screen session:
[root@m02 jumpserver]# screen -r 15508.pts-1.m02
Press Ctrl+C to stop it, then Ctrl+A followed by d to detach:
[root@m02 jumpserver]# screen -r 15508.pts-1.m02
[detached]
[root@m02 jumpserver]# ps -ef |grep python
root 15628 1765 0 19:39 pts/1 00:00:00 grep python
c. The proper way to start it:
[root@m02 jumpserver]# ./service.sh start
Starting jumpsever service: [ OK ]
[root@m02 jumpserver]# ps -ef |grep python
Configuration steps:
(1) Add users:
After the email (containing the username and password) is sent to that ordinary user, they can log in to the web page and start working!
If sending the email fails, edit the user directly (crmn 123456) to define the username and password:
[root@m02 ~]# id crmn
uid=502(crmn) gid=502(crmn) groups=502(crmn)
[root@m02 ~]# id min
uid=503(min) gid=503(min) groups=503(min)
(2) Add assets:
admin 123456
[root@m02 ~]# id admin
uid=501(admin) gid=501(admin) groups=501(admin)
Create the default management user admin on the asset hosts:
[root@nfs01 ~]# id admin
id: admin: No such user
[root@nfs01 ~]# useradd admin
[root@nfs01 ~]# echo 123456|passwd --stdin admin
Changing password for user admin.
passwd: all authentication tokens updated successfully.
[root@nfs01 ~]# id admin
uid=889(admin) gid=889(admin) groups=889(admin)
[root@backup ~]# useradd admin
[root@backup ~]# echo 123456|passwd --stdin admin
Changing password for user admin.
passwd: all authentication tokens updated successfully.
[root@backup ~]# id admin
uid=889(admin) gid=889(admin) groups=889(admin)
Grant admin sudo privileges:
[root@nfs01 ~]# visudo
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
admin ALL=(ALL) NOPASSWD:ALL
[root@nfs01 ~]# visudo -c
/etc/sudoers: parsed OK
[root@backup ~]# visudo
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
admin ALL=(ALL) NOPASSWD:ALL
[root@backup ~]# visudo -c
/etc/sudoers: parsed OK
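As an added example (not from the tutorial or from Jumpserver), the shell below turns the visudo edit above into a drop-in file that is validated with `visudo -cf` before it goes live, and adds an audit function that lists every account granted password-less full sudo in a sudoers file; it assumes /etc/sudoers still has the stock `#includedir /etc/sudoers.d` line, as on CentOS 6.

```shell
#!/bin/sh
# Sudo grant for the jumpserver push account on an asset host, installed as
# a validated drop-in, plus an audit of who already holds "NOPASSWD: ALL".
# Assumes /etc/sudoers contains "#includedir /etc/sudoers.d" (stock on CentOS 6).

# The exact line the tutorial adds with visudo, generated for any account name.
sudoers_entry() {
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"
}

# Write the grant to /etc/sudoers.d/<user>, keeping it only if visudo -cf
# accepts the fragment: a syntax error in sudoers would break sudo for
# everyone on the host. Needs root.
install_sudoers_entry() {
    user="$1"; f="/etc/sudoers.d/$user"
    sudoers_entry "$user" > "$f.tmp" && chmod 0440 "$f.tmp" || return 1
    if visudo -cf "$f.tmp" >/dev/null 2>&1; then
        mv "$f.tmp" "$f"
    else
        rm -f "$f.tmp"
        echo "refusing to install $f: visudo rejected it" >&2
        return 1
    fi
}

# audit_nopasswd_all FILE...
#   Print each user, %group or alias that is granted "NOPASSWD: ALL" (with or
#   without the space) in the given sudoers file(s), one per line, sorted.
#   Comment and blank lines are skipped; command-specific NOPASSWD grants
#   such as "NOPASSWD: /usr/bin/rsync" are not reported.
audit_nopasswd_all() {
    awk '
        /^[ \t]*(#|$)/ { next }
        /NOPASSWD:[ \t]*ALL([ \t,]|$)/ { print $1 }
    ' "$@" | LC_ALL=C sort -u
}

# Usage on an asset host:
#   install_sudoers_entry admin
#   audit_nopasswd_all /etc/sudoers /etc/sudoers.d/*
```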
(3) Permission management:
When finished, this is equivalent to setting the permissions of the dev, sa and dba users in visudo.
[root@nfs01 ~]# id dav
id: dav: No such user
[root@nfs01 ~]# id sa
id: sa: No such user
[root@nfs01 ~]# id dba
id: dba: No such user
Push the users:
Equivalent to: [root@m02 ~]# ssh admin@10.0.0.41 useradd dev
Check:
[root@backup ~]# id dev
uid=890(dev) gid=890(dev) groups=890(dev)
Repeat for each one...
If everything is correct, the dev, sa and dba users will all be created on nfs01:
[root@nfs01 ~]# id dev
uid=890(dev) gid=890(dev) groups=890(dev)
[root@nfs01 ~]# id sa
uid=891(sa) gid=891(sa) groups=891(sa)
[root@nfs01 ~]# id dba
uid=892(dba) gid=892(dba) groups=892(dba)
If everything is correct, the dev, sa and dba users will all be created on backup:
[root@backup ~]# id dev
uid=890(dev) gid=890(dev) groups=890(dev)
[root@backup ~]# id sa
uid=891(sa) gid=891(sa) groups=891(sa)
[root@backup ~]# id dba
id: dba: No such user
(4) Add authorization rules:
Operations engineer Gemeng manages hosts such as nfs01 and backup as sa.
Developer Minmin manages hosts such as nfs01 and backup as dev.
The DBA junior manages the nfs01 host as dba. (Or push dba to backup as well to manage both hosts.)
Connecting...Error: WebSocket Not Supported