Building and using the JumpServer bastion host (jump host), explained in detail with pictures and text
2022-04-23 20:23:00 【The, only】
I. Brief introduction
To keep servers secure, a bastion host is added: every SSH connection goes through it, and the bastion host itself provides identity authentication, authorization, access control, auditing and similar functions.
JumpServer is an open-source jump host (bastion host) system written in Python that implements the jump-host function. It manages hosts over the SSH protocol, so no agent needs to be installed on the managed machines.
Within a company it is also very convenient for assigning server permissions to staff: when someone joins, create a JumpServer account for them; when they leave, delete the account in JumpServer. There is no need to worry about leftover back doors, provided of course that the firewall is checked so that only the JumpServer host has SSH access to the other servers.
There are already many jumpserver products on the market; this article uses the most widely used one.
Official website: https://www.jumpserver.org/
II. Building JumpServer
Refer to the official deployment documentation: https://docs.jumpserver.org/zh/master/install/setup_by_fast/
This deployment also runs on Docker. Whether you use the one-click deployment or deploy with Docker manually, the main difference of the manual route is that you can customise the passwords, IP, ports and so on. The defaults are actually fine and do not need changing. Overall the build is easy; the official script does it in one step.
1: One-click deployment
If Docker is not installed, choose this route: the script installs Docker and the related configuration itself. Make sure no other MySQL or nginx service is running on the server, because it would occupy the ports.
# Installs by default into the /opt/jumpserver-installer-v2.21.0 directory; if a system such as Ubuntu reports insufficient permissions, prefix the command with sudo
curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.21.0/quick_start.sh | bash
cd /opt/jumpserver-installer-v2.21.0
# Configuration file after installation: /opt/jumpserver/config/config.txt
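Before running the script it is worth confirming that none of the ports JumpServer binds are already held by another service. The pre-flight check below is an added example, not part of the JumpServer installer: it parses the kernel's /proc/net/tcp table, assumes the default ports from config.txt, and embeds a constructed sample table so it can be exercised offline.

```shell
#!/bin/sh
# Added pre-flight check (not part of the JumpServer installer): parse a
# /proc/net/tcp style table and report which ports JumpServer needs are
# already held by another LISTENing service such as nginx or MySQL.

# Default ports: HTTP_PORT 80, SSH_PORT 2222, RDP_PORT 3389, plus the
# bundled MySQL (3306) and Redis (6379) containers. Adjust if changed.
JMS_PORTS="80 2222 3389 3306 6379"

# listening_ports FILE: print the decimal port of every socket in state 0A
# (LISTEN) from a /proc/net/tcp formatted file, sorted, one per line.
listening_ports() {
    # $2 is local_address as hex "ip:port", $4 is the socket state
    awk 'NR > 1 && $4 == "0A" { n = split($2, a, ":"); print a[n] }' "$1" |
    while read -r hex; do printf '%d\n' "0x$hex"; done | sort -n | uniq
}

# conflicting_ports FILE: print the JumpServer ports that are already taken.
conflicting_ports() {
    busy=$(listening_ports "$1")
    for p in $JMS_PORTS; do
        for b in $busy; do
            if [ "$p" = "$b" ]; then echo "$p"; fi
        done
    done
    return 0
}

# preflight: check the live kernel table; exit status 1 if any port is busy.
preflight() {
    taken=$(conflicting_ports /proc/net/tcp)
    if [ -n "$taken" ]; then
        echo "ports already in use, stop the owning services first:" $taken >&2
        return 1
    fi
    echo "no port conflicts, safe to run the installer"
}

# Constructed sample table: nginx on :80 (0050), mysqld on :3306 (0CEA),
# sshd on :22 (0016) and one ESTABLISHED (01) connection that must be ignored.
SAMPLE_TCP_TABLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:D2C4 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1'

# Run on the real machine with: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Against the sample table the check reports 80 and 3306 as conflicts and ignores sshd on 22 and the established connection.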
The installation interface:
After installation, start it up:
cd /opt/jumpserver-installer-v2.21.0
# start; if prompted about permissions, add sudo
./jmsctl.sh start
# stop
./jmsctl.sh down
# uninstall
./jmsctl.sh uninstall
# help
./jmsctl.sh -h
2: Manual deployment
If Docker is already installed, or you want to change the configuration before starting, choose manual deployment.
# Enter the download directory
cd /opt
# Download the installation package
wget https://github.com/jumpserver/installer/releases/download/v2.21.0/jumpserver-installer-v2.21.0.tar.gz
# Unpack it
tar -xf jumpserver-installer-v2.21.0.tar.gz
# Enter the unpacked directory
cd jumpserver-installer-v2.21.0
# Modify the configuration template as needed; if you do not know what a setting does, leave it unchanged
cat config-example.txt
# If the following settings are left empty, the system generates a random string for them
## Please change SECRET_KEY and BOOTSTRAP_TOKEN to your own values
## Full parameter documentation: https://docs.jumpserver.org/zh/master/admin-guide/env/
## Installation configuration; amd64 uses the Huawei Cloud mirror by default to speed up downloads, on arm64 comment out DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
# DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
VOLUME_DIR=/opt/jumpserver
DOCKER_DIR=/var/lib/docker
SECRET_KEY=
BOOTSTRAP_TOKEN=
LOG_LEVEL=ERROR
## MySQL configuration; USE_EXTERNAL_MYSQL=1 means an external database is used, in which case fill in the correct MySQL details
USE_EXTERNAL_MYSQL=0
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
DB_PASSWORD=
DB_NAME=jumpserver
## Redis configuration; USE_EXTERNAL_REDIS=1 means an external Redis is used, in which case fill in the correct Redis details
USE_EXTERNAL_REDIS=0
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=
## Compose project settings; if the 192.168.250.0/24 subnet conflicts with an existing network segment of yours, change it and restart JumpServer
COMPOSE_PROJECT_NAME=jms
COMPOSE_HTTP_TIMEOUT=3600
DOCKER_CLIENT_TIMEOUT=3600
DOCKER_SUBNET=192.168.250.0/24
## IPv6 settings: whether the containers enable IPv6 NAT; USE_IPV6=1 enables it, and when it is 0 the DOCKER_SUBNET_IPV6 definition has no effect
USE_IPV6=0
DOCKER_SUBNET_IPV6=2001:db8:10::/64
## Nginx configuration; USE_LB=1 enables it, and when it is 0 the HTTPS_PORT definition has no effect
HTTP_PORT=80
SSH_PORT=2222
RDP_PORT=3389
USE_LB=0
HTTPS_PORT=443
## Task configuration: whether to start the jms_celery container; must be enabled on a single node
USE_TASK=1
## XPack; USE_XPACK=1 enables it, has no effect in the open-source edition
USE_XPACK=0
# Core configuration, session settings: SESSION_COOKIE_AGE is the number of seconds after which an idle session expires, SESSION_EXPIRE_AT_BROWSER_CLOSE=true means the session expires when the browser is closed
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=true
# Koko, Lion and XRDP component configuration
CORE_HOST=http://core:8080
# Extra configuration
CURRENT_VERSION=
# install
./jmsctl.sh install
# start
./jmsctl.sh start
# Configuration file after installation: /opt/jumpserver/config/config.txt
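The template generates SECRET_KEY and BOOTSTRAP_TOKEN itself when they are left empty, but setting them yourself means the values are known and can be backed up. The helper below is an added example, not the installer's own code: it fills the two secrets only when they are empty (so a re-run never rotates them on a running installation) and refuses USE_EXTERNAL_MYSQL=1 or USE_EXTERNAL_REDIS=1 with an empty password; the embedded config.txt content is a constructed sample.

```shell
#!/bin/sh
# Added example (not the installer's own code): fill empty SECRET_KEY and
# BOOTSTRAP_TOKEN lines in config.txt and check external MySQL/Redis passwords.
# random_token LEN: print LEN alphanumeric characters drawn from /dev/urandom.
random_token() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
    echo
}

# config_get FILE KEY: print the value of the first uncommented KEY= line.
config_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# config_set FILE KEY VALUE: rewrite the KEY= line (VALUE must not contain '|').
config_set() {
    tmp="$1.tmp.$$"
    sed "s|^$2=.*|$2=$3|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# fill_secrets FILE: generate SECRET_KEY (50 chars) and BOOTSTRAP_TOKEN (24 chars)
# only when empty; existing values are kept so a re-run never rotates them.
fill_secrets() {
    for spec in SECRET_KEY:50 BOOTSTRAP_TOKEN:24; do
        name=${spec%%:*}; len=${spec##*:}
        if [ -z "$(config_get "$1" "$name")" ]; then
            config_set "$1" "$name" "$(random_token "$len")"
        fi
    done
    return 0
}

# check_external_db FILE: an external MySQL or Redis must have a password; returns 1 on failure.
check_external_db() {
    rc=0
    for spec in MYSQL:DB_PASSWORD REDIS:REDIS_PASSWORD; do
        flag="USE_EXTERNAL_${spec%%:*}"; pw=${spec##*:}
        if [ "$(config_get "$1" "$flag")" = "1" ] && [ -z "$(config_get "$1" "$pw")" ]; then
            echo "$flag=1 but $pw is empty" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample config.txt in the installer's format.
SAMPLE_CONFIG='SECRET_KEY=
BOOTSTRAP_TOKEN=
USE_EXTERNAL_MYSQL=1
DB_PASSWORD=
USE_EXTERNAL_REDIS=0
REDIS_PASSWORD='
```

Run fill_secrets and check_external_db against the real config.txt before ./jmsctl.sh install, and keep a copy of the generated values with your other backups.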
Starting works the same way; the start script:
cd /opt/jumpserver-installer-v2.21.0
# start
./jmsctl.sh start
# stop
./jmsctl.sh down
# uninstall
./jmsctl.sh uninstall
# help
./jmsctl.sh -h
3: Start the test
After installation, on the server you can see that the JumpServer Docker services are all in the up state.
Enter the server IP address in a browser to open the login page.
The default administrator account is admin with password admin. The first login prompts you to change the password; after changing it, log in again to enter.
III. Adding servers and personnel in JumpServer, and authorization
Scenario: employee zhangsan and server 192.168.152.100. You now need to add server 192.168.152.100 to JumpServer and allow employee zhangsan to log in to it.
1: User management
Add the employee account zhangsan; the system role "user" is sufficient. This is simple and not covered further.
2: Asset management
2.1: System users
Under system users there are ordinary users and privileged users, which some people cannot tell apart.
Both of these are users that the JumpServer software itself uses: JumpServer connects to the other servers with them.
Privileged user: highest authority, such as root or a sudo user with NOPASSWD: ALL. Used only by JumpServer: JumpServer uses this user to push system users, collect asset hardware information and so on, as the system itself prompts. It is a user that already exists on the remote server.
Ordinary user: a user that may already exist on the server, or that can be created automatically by the privileged user. It is the user name zhangsan uses to log in to the server. It can also be the privileged user directly, such as root; this depends on how permissions are allocated.
Create a privileged user for the JumpServer software to connect with. Here ubuntu is used, with key-based login; just upload the key.
Ordinary users may or may not be created; you can simply use the privileged user ubuntu. If one is created (for example user01), JumpServer automatically creates that user (user01) on the remote server through the privileged user ubuntu.
2.2: Asset list
In the asset list, add the server address and the privileged user created above, which JumpServer uses to connect to the remote server.
If the privileged user's account and password are correct, once done the connection indicator shows green.
Click in to check; you can also see the server's hardware information.
At this point the server has been added.
3: Permission management
After adding the server, zhangsan needs to be able to use it, so the zhangsan account must be authorized.
Under asset authorization you can see the existing servers, but without authorization the list is blank, so choose Create.
Fill in the name and select user zhangsan; if several users need access, several can be added.
User group: authorizes every user in that group, which is convenient for personnel management. Only a single person is authorized here, so leave it blank, as some people in the user group do not need access.
Assets: select the server to authorize, here the newly added 192.168.152.100.
Node: that is, grouping. With many servers you can select a node, which authorizes the people above for the whole server group. Likewise only a single server is authorized here, so leave it blank; there is no need to grant all servers under the node.
System user: I use the privileged user ubuntu for everyone by default, so people enter the server as ubuntu. Of course, if you created an ordinary system user above, you can choose that instead. If the company has many people you still need to create one, for easier access management.
At this point server authorization management is complete.
IV. Logging in and using JumpServer as a user
There are two ways to log in: web login, and login through a third-party SSH tool.
1: Web login
Open the JumpServer website in a browser.
Log in to JumpServer with the zhangsan account. The interface is simple: only assets the user has permission for are displayed, in the server list.
Click Web Terminal to enter the web terminal directly, then select the desired server and click it to log in.
2: SSH tool login
For example xshell, PuTTY and so on: SSH to the bastion host IP on port 2222, then select the server to log in to as prompted. Here xshell is used as the example.
Change the port to 2222, then log in.
After logging in, enter the zhangsan account and password, then enter the authorized server as prompted.
At this point the setup is done.
V. JumpServer audit function
An administrator user or an auditor user can view the relevant login records, command records and session replays in the audit view.
Copyright notice
This article was written by [The, only]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/04/202204232019447458.html