Building and using the JumpServer bastion host (jump host), explained in pictures and text
2022-04-23 20:23:00 【The, only】
I. Introduction
To keep servers secure, add a bastion host: all SSH connections go through it, and the bastion host itself provides identity authentication, authorization, access control, auditing and similar functions.
JumpServer is an open-source jump server (bastion host) system written in Python that implements the jump-host function. It manages hosts over the SSH protocol, so no agent needs to be installed on the managed machines.
Within a company it also makes assigning server permissions quite convenient: when someone joins, give them a JumpServer account and assign access there; when they leave, delete their JumpServer account. There is no need to worry about leftover back doors, provided the firewalls are checked so that only the JumpServer host has SSH access to the other servers.
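The firewall premise just mentioned (only the JumpServer host may reach the other servers over SSH) can be enforced on each managed server with a firewall rule plus an sshd allow-list. The following shell script is an added example, not code from this post or from the JumpServer project; the JumpServer address 192.168.152.10 is a constructed placeholder, and the user names passed to it are assumptions.

```shell
#!/bin/sh
# Added example: restrict SSH on a managed server to the JumpServer host.
# The JumpServer address 192.168.152.10 used below is a constructed placeholder.

# Emit iptables commands that accept tcp/22 only from the JumpServer host
# and drop every other SSH connection attempt.
ssh_firewall_rules() {
    jms_ip="$1"
    printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$jms_ip"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Emit an sshd_config AllowUsers line. sshd accepts user@host patterns, so
# each listed system user may log in only when the connection comes from
# the JumpServer host; every other user/source pair is refused by sshd.
sshd_allow_from_jms() {
    jms_ip="$1"; shift
    line="AllowUsers"
    for u in "$@"; do
        line="$line $u@$jms_ip"
    done
    printf '%s\n' "$line"
}

# Dry-run check of an AllowUsers line: returns 0 if user@src matches one of
# its patterns (shell case patterns support the same * and ? wildcards),
# 1 otherwise. Lets you verify the rule before installing it on a server.
ssh_login_allowed() {
    allow_line="$1"; user="$2"; src="$3"
    set -f   # no pathname expansion while splitting patterns that contain *
    for pat in $(printf '%s\n' "$allow_line" | cut -d' ' -f2-); do
        case "$user@$src" in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Usage on a managed server (as root), assuming an sshd that includes
# /etc/ssh/sshd_config.d/*.conf:
#   ssh_firewall_rules 192.168.152.10 | sh
#   sshd_allow_from_jms 192.168.152.10 ubuntu user01 > /etc/ssh/sshd_config.d/jumpserver.conf
#   sshd -t && systemctl reload sshd
```

The firewall rule stops connections at the packet filter, and the AllowUsers line is a second, independent layer in case the firewall is flushed; check both with the dry-run function before reloading sshd, so you do not lock yourself out.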
There are already many jumpserver-based products on the market; the most widely used one is described here.
Official website: https://www.jumpserver.org/
II. Building JumpServer
Refer to the official deployment documentation: https://docs.jumpserver.org/zh/master/install/setup_by_fast/
This version also runs on Docker. Whether you use one-click deployment or manual Docker deployment, the main difference with manual deployment is that you can customize the passwords, IP, ports and so on. The defaults are actually fine and do not need changing. Either way it is easy to set up, and the official script does it in one step.
1: One-click deployment
If Docker is not installed, choose this method: the script installs Docker and the related configuration itself. Make sure no other MySQL or Nginx service is already running on the server, since it would occupy the ports.
# It is installed by default into the /opt/jumpserver-installer-v2.21.0 directory. If a system such as Ubuntu reports insufficient permissions, just add sudo.
curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.21.0/quick_start.sh | bash
cd /opt/jumpserver-installer-v2.21.0
# Configuration file after installation: /opt/jumpserver/config/config.txt
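The port-conflict warning above is easy to check before running the install script. The following shell script is an added example, not part of the installer or of this post: it parses the output of `ss -Hltn` and compares the listening ports with the ports named in the installer configuration template (80, 2222, 3389, 443, 3306, 6379). The ss output embedded in it is a constructed sample, not a capture from a real host.

```shell
#!/bin/sh
# Added example: pre-flight check for port conflicts before installing JumpServer.
# Parses `ss -Hltn` (one listening TCP socket per line, no header) and compares
# the local ports with the ports named in the installer configuration template.

# Read `ss -Hltn` output on stdin and print each local port once, sorted.
# Column 4 is "addr:port"; taking the text after the last ":" handles
# 0.0.0.0:80, [::]:80 and *:80 alike.
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print the ports given as arguments that are already listening (ss output on stdin).
conflicting_ports() {
    busy=$(listening_ports)
    for p in "$@"; do
        for b in $busy; do
            [ "$p" = "$b" ] && printf '%s\n' "$p"
        done
    done
    return 0
}

# Constructed sample of `ss -Hltn` on a host where a local MySQL and a web
# server are already running (not captured from a real machine).
SAMPLE_SS='LISTEN 0   128   0.0.0.0:22      0.0.0.0:*
LISTEN 0   70    127.0.0.1:3306  0.0.0.0:*
LISTEN 0   511   *:80            *:*
LISTEN 0   128   [::]:22         [::]:*'

# Ports from the template: HTTP_PORT, SSH_PORT, RDP_PORT, HTTPS_PORT, MySQL, Redis.
JMS_PORTS="80 2222 3389 443 3306 6379"

# Run the check against the constructed sample; on a live host use:
#   ss -Hltn | conflicting_ports $JMS_PORTS
preflight_demo() {
    printf '%s\n' "$SAMPLE_SS" | conflicting_ports $JMS_PORTS
}
```

Any port the check prints has to be freed (or the corresponding *_PORT setting changed in the configuration) before the script is run; on the constructed sample it reports 80 and 3306.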
The installation interface:
After installation, start it:
cd /opt/jumpserver-installer-v2.21.0
# Start. If prompted for permissions, add sudo.
./jmsctl.sh start
# Stop
./jmsctl.sh down
# Uninstall
./jmsctl.sh uninstall
# Help
./jmsctl.sh -h
2: Manual deployment
If Docker is already installed, or you want to change the configuration before starting, choose manual deployment.
# Enter the download directory
cd /opt
# Download the installer package
wget https://github.com/jumpserver/installer/releases/download/v2.21.0/jumpserver-installer-v2.21.0.tar.gz
# Extract
tar -xf jumpserver-installer-v2.21.0.tar.gz
# Enter the extracted directory
cd jumpserver-installer-v2.21.0
# Modify the configuration template as needed; if you are unsure what a setting does, leave it unchanged
cat config-example.txt
# If the following settings are left empty, the system automatically generates random strings to fill them
## Set SECRET_KEY and BOOTSTRAP_TOKEN to the original settings
## Complete parameter documentation: https://docs.jumpserver.org/zh/master/admin-guide/env/
## Installation configuration: amd64 uses Huawei Cloud by default to accelerate downloads; for arm64 please comment out DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
# DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
VOLUME_DIR=/opt/jumpserver
DOCKER_DIR=/var/lib/docker
SECRET_KEY=
BOOTSTRAP_TOKEN=
LOG_LEVEL=ERROR
## MySQL configuration: USE_EXTERNAL_MYSQL=1 means an external database is used; fill in the correct MySQL information
USE_EXTERNAL_MYSQL=0
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
DB_PASSWORD=
DB_NAME=jumpserver
## Redis configuration: USE_EXTERNAL_REDIS=1 means an external Redis is used; fill in the correct Redis information
USE_EXTERNAL_REDIS=0
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=
## Compose project settings: if the 192.168.250.0/24 subnet conflicts with your existing network, change it and restart JumpServer
COMPOSE_PROJECT_NAME=jms
COMPOSE_HTTP_TIMEOUT=3600
DOCKER_CLIENT_TIMEOUT=3600
DOCKER_SUBNET=192.168.250.0/24
## IPv6 settings: whether the containers enable IPv6 NAT. USE_IPV6=1 means enabled; when it is 0, DOCKER_SUBNET_IPV6 has no effect
USE_IPV6=0
DOCKER_SUBNET_IPV6=2001:db8:10::/64
## Nginx configuration: USE_LB=1 means enabled; when it is 0, HTTPS_PORT has no effect
HTTP_PORT=80
SSH_PORT=2222
RDP_PORT=3389
USE_LB=0
HTTPS_PORT=443
## Task configuration: whether to start the jms_celery container; must be enabled on a single node
USE_TASK=1
## XPack: USE_XPACK=1 means enabled; this setting has no effect in the open-source version
USE_XPACK=0
# Core configuration, session definition: SESSION_COOKIE_AGE is the number of idle seconds after which the session expires; SESSION_EXPIRE_AT_BROWSER_CLOSE=true means the session expires when the browser is closed
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=true
# Koko, Lion and XRDP component configuration
CORE_HOST=http://core:8080
# Extra configuration
CURRENT_VERSION=
# Install
./jmsctl.sh install
# Start
./jmsctl.sh start
# Configuration file after installation: /opt/jumpserver/config/config.txt
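Several settings in the template above have security consequences that are easy to miss when copying it: an external MySQL or Redis without a password, DB_USER=root, USE_LB=0 (no HTTPS port), or a session that survives closing the browser. The following shell script is an added example, not part of the installer or of this post: it reads a config.txt in the KEY=VALUE format shown above and prints one finding per questionable setting, so it can be run before ./jmsctl.sh install. The sample configuration it writes is constructed, and the 32-character minimum for a hand-set SECRET_KEY is an assumed policy rather than a documented requirement.

```shell
#!/bin/sh
# Added example: audit a jumpserver-installer config.txt before installing.
# Reads KEY=VALUE lines, ignores "#" comment lines, and reports settings that
# weaken the deployment. Not part of the installer; thresholds are assumptions.

# Print the value of KEY ($2) from the config file ($1); empty if unset or
# commented out. Only the first "=" separates key and value.
cfg_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# Emit one finding per line; returns 0 when nothing was flagged, 1 otherwise.
audit_config() {
    f="$1"; rc=0
    if [ "$(cfg_get "$f" USE_EXTERNAL_MYSQL)" = 1 ] && [ -z "$(cfg_get "$f" DB_PASSWORD)" ]; then
        echo "DB_PASSWORD empty while USE_EXTERNAL_MYSQL=1"; rc=1
    fi
    if [ "$(cfg_get "$f" USE_EXTERNAL_MYSQL)" = 1 ] && [ "$(cfg_get "$f" DB_USER)" = root ]; then
        echo "DB_USER=root on an external MySQL; use a dedicated jumpserver account"; rc=1
    fi
    if [ "$(cfg_get "$f" USE_EXTERNAL_REDIS)" = 1 ] && [ -z "$(cfg_get "$f" REDIS_PASSWORD)" ]; then
        echo "REDIS_PASSWORD empty while USE_EXTERNAL_REDIS=1"; rc=1
    fi
    if [ "$(cfg_get "$f" USE_LB)" != 1 ]; then
        echo "USE_LB=0: HTTPS_PORT has no effect, web login stays on HTTP_PORT=$(cfg_get "$f" HTTP_PORT)"; rc=1
    fi
    if [ "$(cfg_get "$f" SESSION_EXPIRE_AT_BROWSER_CLOSE)" != true ]; then
        echo "SESSION_EXPIRE_AT_BROWSER_CLOSE is not true: sessions outlive the browser"; rc=1
    fi
    key=$(cfg_get "$f" SECRET_KEY)
    if [ -n "$key" ] && [ "${#key}" -lt 32 ]; then   # assumed minimum, not from the docs
        echo "SECRET_KEY is set by hand but shorter than 32 characters"; rc=1
    fi
    return $rc
}

# Write a constructed sample config (external MySQL as root without password,
# no HTTPS port) to a temp file and print its path.
write_sample_config() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# constructed sample resembling config-example.txt
SECRET_KEY=
BOOTSTRAP_TOKEN=
USE_EXTERNAL_MYSQL=1
DB_HOST=10.0.0.5
DB_USER=root
DB_PASSWORD=
USE_EXTERNAL_REDIS=0
REDIS_PASSWORD=
USE_LB=0
HTTP_PORT=80
HTTPS_PORT=443
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=true
EOF
    printf '%s\n' "$tmp"
}

# Usage on a real installer directory:  audit_config ./config.txt
```

On the constructed sample the audit reports three findings (empty DB_PASSWORD, DB_USER=root, USE_LB=0) and exits non-zero, so it can gate an automated install; with the template defaults (internal MySQL and Redis) only the USE_LB=0 finding remains.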
It is started in the same way; the start script:
cd /opt/jumpserver-installer-v2.21.0
# Start
./jmsctl.sh start
# Stop
./jmsctl.sh down
# Uninstall
./jmsctl.sh uninstall
# Help
./jmsctl.sh -h
3: Start-up test
After installation, on the server you can see that the JumpServer Docker services are in the Up state.
Enter the server IP address in the browser to get in.
The default administrator account is admin with password admin. The first login prompts you to change the password; after changing it, log in again to enter.
III. Adding servers and personnel in JumpServer, and authorizing them
Scenario: employee zhangsan and server 192.168.152.100. The server 192.168.152.100 must now be added to jumpserver, and employee zhangsan allowed to log in to it.
1: User management
Add the employee account zhangsan; the system role "user" is enough. This is simple and is not described further.
2: Asset management
2.1: System users
Under system users there are ordinary users and privileged users, and some people cannot tell them apart.
Both kinds of user are used by the jumpserver software itself: jumpserver uses them to connect to the other servers.
Privileged user: has the highest authority, such as root or a sudo user with NOPASSWD: ALL. It is used only by jumpserver; JumpServer uses it to push system users, collect asset hardware information and so on, as the system itself prompts. The user must already exist on the remote server.
Ordinary user: a user that may already exist on the server, or that the privileged user can create automatically. This is the user name zhangsan uses to log in to the server. It can also be a privileged user such as root directly; see the permission assignment.
Create a privileged user for the jumpserver software to connect with. Here ubuntu is used with key-based login: just upload the key.
Ordinary users can be created or not; using the privileged user ubuntu directly is fine. If one is created (for example user01), jumpserver automatically creates that user (user01) on the remote server through the privileged user ubuntu.
2.2: Asset list
In the asset list, add the server address and the privileged user created above, which jumpserver uses to connect to the remote server.
If the privileged user's account and password are correct, once done the connectivity indicator shows green.
Click in to check; the server's hardware information is also visible.
At this point, adding the server is complete.
3: Permission management
After adding the server, zhangsan needs to use it, so the zhangsan account must be authorized.
Under asset authorization you can see the existing server, but without an authorization it is still blank, so choose create.
Fill in the name and select user zhangsan; if several users need access, several can be added.
User group: authorizes all users in that group, which is convenient for personnel management. Only a single person is authorized here, so leave it blank; after all, some people in the group do not need access.
Assets: select the server to authorize; here select the 192.168.152.100 just added.
Node: that is, a group. With many servers you can select a node, which authorizes the above personnel for the whole server group. Likewise, only a single server is authorized here, so leave it blank; there is no need to use all the servers under the node.
System users: I use the privileged user ubuntu by default, so people enter the server as ubuntu. Of course, if an ordinary system user was created above, you can choose that instead. If the company has many people, you should still create them, for easier access management.
At this point, server authorization management is complete.
IV. Users log in to JumpServer
There are two ways to log in: web login, and login with a third-party SSH tool.
1: Web login
Open the jumpserver website in the browser.
Log in to jumpserver with the zhangsan account. The interface is simple: only assets with permission are shown, in the server list.
Click the web terminal to enter the web-based login, then select the desired server and click it.
2: Login with SSH tools
For example xshell, PuTTY and so on: SSH to the bastion host IP on port 2222, then select the server to log in to as prompted. Xshell is used as the example here.
Change the port to 2222, then log in.
After logging in, enter the zhangsan account password, then enter the authorized server as prompted.
Setup is complete at this point.
V. JumpServer audit function
Administrator or auditor users can view the relevant login records, command records and session playback in the audit view.
Copyright notice
This article was written by [The, only]; please include the original link when reposting, thank you
https://yzsam.com/2022/04/202204232019447458.html