
The construction and use of Fortress machine and springboard machine jumpserver are detailed in pictures and texts

2022-04-23 20:23:00, by The, only

I. Introduction

To secure the servers, a bastion host (jump host) is added and every SSH connection goes through it. The bastion host itself needs identity authentication, authorization, access control, auditing and similar functions.

Jumpserver is an open-source jump host (bastion host) system written in Python that implements the jump host function. It manages hosts over the SSH protocol, so clients do not need to install an agent.

In a company it also makes assigning server permissions to staff quite convenient: when a new person joins, just create a Jumpserver account for them; when someone leaves, delete their Jumpserver account. There is no need to worry about left-behind backdoors, provided the firewall is checked so that only the Jumpserver server has SSH access to the other servers.

There are already many jumpserver products on the market; the one covered here is the most widely used.
Official website: https://www.jumpserver.org/

II. Building Jumpserver

Refer to the official deployment document: https://docs.jumpserver.org/zh/master/install/setup_by_fast/

This version also runs on Docker. Whether you use the one-click deployment or a manual Docker deployment, the main difference with the manual route is that you can customize the passwords, IPs, ports and so on. The defaults are actually fine and do not need to be changed. Relatively speaking it is easy to build: the official script does it in one step.

1: One-click deployment

If Docker is not installed, you can choose this method; the script installs Docker and the related configuration itself. Make sure no other MySQL or Nginx service is running on the server, because it would occupy the ports.

# Installs to the /opt/jumpserver-installer-v2.21.0 directory by default; on systems such as Ubuntu that report a permissions error, prefix the commands with sudo
curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.21.0/quick_start.sh | bash
cd /opt/jumpserver-installer-v2.21.0

# Post-installation config file: /opt/jumpserver/config/config.txt

The installation interface:
[screenshot]

After installation, start it:

cd /opt/jumpserver-installer-v2.21.0

# Start; if it asks for permissions, add sudo
./jmsctl.sh start

# Stop
./jmsctl.sh down

# Uninstall
./jmsctl.sh uninstall

# Help
./jmsctl.sh -h

2: Manual deployment

If Docker is already installed, or you want to change the configuration before starting, you can deploy manually.

# Enter the download directory
cd /opt
# Download the installer package
wget https://github.com/jumpserver/installer/releases/download/v2.21.0/jumpserver-installer-v2.21.0.tar.gz
# Extract it
tar -xf jumpserver-installer-v2.21.0.tar.gz
# Enter the extracted directory
cd jumpserver-installer-v2.21.0
# Edit the config template as needed; if you do not know what a setting does, leave it alone
cat config-example.txt
# If the following settings are left empty, the system generates a random string to fill them in
## Set SECRET_KEY and BOOTSTRAP_TOKEN to their original settings
## Full parameter documentation: https://docs.jumpserver.org/zh/master/admin-guide/env/

## Installation configuration: amd64 uses Huawei Cloud by default to speed up downloads; for arm64 please comment out DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
# DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
VOLUME_DIR=/opt/jumpserver
DOCKER_DIR=/var/lib/docker
SECRET_KEY=
BOOTSTRAP_TOKEN=
LOG_LEVEL=ERROR

## MySQL configuration: USE_EXTERNAL_MYSQL=1 means an external database is used; enter the correct MySQL information
USE_EXTERNAL_MYSQL=0
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
DB_PASSWORD=
DB_NAME=jumpserver

## Redis configuration: USE_EXTERNAL_REDIS=1 means an external Redis is used; enter the correct Redis information
USE_EXTERNAL_REDIS=0
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=

## Compose project settings: if the 192.168.250.0/24 segment conflicts with your existing network, change it and restart JumpServer
COMPOSE_PROJECT_NAME=jms
COMPOSE_HTTP_TIMEOUT=3600
DOCKER_CLIENT_TIMEOUT=3600
DOCKER_SUBNET=192.168.250.0/24

## IPv6 settings: whether the containers enable ipv6 nat; USE_IPV6=1 enables it, and when it is 0 the DOCKER_SUBNET_IPV6 definition does not take effect
USE_IPV6=0
DOCKER_SUBNET_IPV6=2001:db8:10::/64

## Nginx configuration: USE_LB=1 enables it; when it is 0, the HTTPS_PORT definition does not take effect
HTTP_PORT=80
SSH_PORT=2222
RDP_PORT=3389

USE_LB=0
HTTPS_PORT=443

## Task configuration: whether to start the jms_celery container; must be enabled on a single node
USE_TASK=1

## XPack: USE_XPACK=1 enables it; the setting has no effect in the open-source version
USE_XPACK=0

# Core configuration, session settings: SESSION_COOKIE_AGE is the number of idle seconds after which the session expires; SESSION_EXPIRE_AT_BROWSER_CLOSE=true means the session expires when the browser is closed
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=true

# Koko, Lion and XRDP component configuration
CORE_HOST=http://core:8080

# Extra configuration
CURRENT_VERSION=
# Install
./jmsctl.sh install

# Start
./jmsctl.sh start

# Post-installation config file: /opt/jumpserver/config/config.txt
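As an added check (not part of the installer or of the original post): a small POSIX shell audit of config.txt that flags the weak settings the template comments describe (plain HTTP when USE_LB=0, external MySQL or Redis without a password, the session setting), run before ./jmsctl.sh install. The 32-character minimum for hand-written SECRET_KEY/BOOTSTRAP_TOKEN values is an assumed threshold, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not part of the installer: audit a JumpServer config.txt for weak
# settings before ./jmsctl.sh install. Findings go to stderr, the count to stdout.
# The 32-character minimum for hand-written secrets is our own threshold.

# Last uncommented value of KEY in FILE (commented "# KEY=" lines are ignored).
cfg_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

audit_jms_config() {
  cfg="$1"; issues=0
  flag() { echo "$cfg: $1" >&2; issues=$((issues + 1)); }

  # USE_LB=0 means HTTPS_PORT is ignored: web logins and the API stay on plain HTTP.
  [ "$(cfg_get "$cfg" USE_LB)" = "1" ] || flag "USE_LB=0, HTTPS_PORT ignored, traffic is plain HTTP"

  # External database/cache: credentials must be present and not the superuser.
  if [ "$(cfg_get "$cfg" USE_EXTERNAL_MYSQL)" = "1" ]; then
    [ -n "$(cfg_get "$cfg" DB_PASSWORD)" ] || flag "external MySQL with empty DB_PASSWORD"
    [ "$(cfg_get "$cfg" DB_USER)" != "root" ] || flag "external MySQL as root, use a dedicated DB user"
  fi
  if [ "$(cfg_get "$cfg" USE_EXTERNAL_REDIS)" = "1" ]; then
    [ -n "$(cfg_get "$cfg" REDIS_PASSWORD)" ] || flag "external Redis with empty REDIS_PASSWORD"
  fi

  # Empty SECRET_KEY/BOOTSTRAP_TOKEN are fine (the installer generates random ones);
  # a short hand-written value is not.
  for k in SECRET_KEY BOOTSTRAP_TOKEN; do
    v=$(cfg_get "$cfg" "$k")
    [ -z "$v" ] || [ "${#v}" -ge 32 ] || flag "$k is set but shorter than 32 characters"
  done

  [ "$(cfg_get "$cfg" SESSION_EXPIRE_AT_BROWSER_CLOSE)" = "true" ] || flag "SESSION_EXPIRE_AT_BROWSER_CLOSE is not true"
  echo "$issues"
}

# Constructed sample config with three weak settings, for a stand-alone run.
write_sample_config() {
  cat > "$1" <<'EOF'
SECRET_KEY=
BOOTSTRAP_TOKEN=short
USE_EXTERNAL_MYSQL=1
DB_USER=jumpserver
DB_PASSWORD=
USE_EXTERNAL_REDIS=0
USE_LB=0
SESSION_EXPIRE_AT_BROWSER_CLOSE=true
EOF
}

# Usage: sh audit.sh /opt/jumpserver-installer-v2.21.0/config-example.txt
if [ -n "${1:-}" ]; then audit_jms_config "$1"; fi
```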

Starting works the same way; the start script:

cd /opt/jumpserver-installer-v2.21.0

# Start
./jmsctl.sh start

# Stop
./jmsctl.sh down

# Uninstall
./jmsctl.sh uninstall

# Help
./jmsctl.sh -h

3: Start-up test

After installation, on the server you can see that the jumpserver Docker containers are in the Up state.
[screenshot]
Enter the server IP address in the browser to reach the login page.
[screenshot]
The default administrator account is admin with password admin; the first login prompts you to change the password, and after changing it you log in again.
[screenshot]

III. Adding servers and users in Jumpserver, and authorization

Scenario: employee zhangsan, server 192.168.152.100. We now need to add server 192.168.152.100 to jumpserver and allow employee zhangsan to log in to it.

1: User management

Add the employee account zhangsan with the system role "user". This is simple and needs no introduction.
[screenshot]

2: Asset management

2.1: System users

In the system user options there are ordinary users and privileged users; some people cannot tell them apart.

Both kinds of users are for the jumpserver software itself: jumpserver uses them to connect to the other servers.

Privileged user: the highest privilege, such as root or a user with NOPASSWD: ALL sudo rights. Used only by jumpserver; JumpServer uses this user to push system users, collect asset hardware information and so on, as the system itself also prompts. It is a user that already exists on the remote server.

Ordinary user: a user that may already exist on the server, or that can be created automatically by the privileged user. It is the user name zhangsan uses to log in to the server. It can also directly be a privileged user such as root; see permission allocation.
[screenshot]
Create a privileged user for jumpserver to connect with. Here ubuntu is used, with login mode "key"; just upload the key.
[screenshot]
Ordinary users can be created or not; for example, the privileged user ubuntu can be used directly. If one is created (e.g. user01), jumpserver creates this user (user01) on the remote server automatically through the privileged user ubuntu.

2.2: Asset list

The asset list is where the server address is added. The privileged user is the one created above for jumpserver to connect to the remote server.

[screenshot]
If the credentials of the privileged user are correct, the connectivity line shows green once the check is done.
[screenshot]

Click in to view; you can also see the server's hardware information.
[screenshot]
At this point, adding the server is complete.
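The introduction's premise, that only the Jumpserver host may SSH to the other servers, is not something Jumpserver enforces by itself; it has to be set on each managed server. The following added example (not from the original post) generates, for a managed server such as 192.168.152.100, an nftables ruleset and an sshd drop-in that admit SSH only from the bastion, for any account (the privileged user ubuntu or pushed system users such as user01). The bastion address 192.168.152.10 used as the default is an assumed value.

```shell
#!/bin/sh
# Added example, not from the original post: enforce "only the JumpServer host may
# SSH to the other servers" on a managed server such as 192.168.152.100.
# The bastion address is passed in; 192.168.152.10 used below is an assumed value.
# Both generators only produce file contents; the apply commands are commented.

# Layer 1: nftables ruleset dropping TCP/22 from every source except the bastion.
# Chain policy stays "accept" so other services on the host are untouched.
gen_ssh_nft_ruleset() {
  bastion="$1"
  cat <<EOF
table inet bastion_only {
  chain input {
    type filter hook input priority 0; policy accept;
    ct state established,related accept
    iifname "lo" accept
    ip saddr $bastion tcp dport 22 accept
    tcp dport 22 drop
  }
}
EOF
}

# Layer 2: sshd drop-in. AllowUsers in USER@HOST form admits any account (the
# privileged user ubuntu, or system users JumpServer pushed such as user01),
# but only when the connection comes from the bastion.
gen_sshd_dropin() {
  printf 'AllowUsers *@%s\n' "$1"
}

# Write both files into a directory; apply them as root afterwards.
write_lockdown() {
  bastion="$1"; outdir="$2"
  gen_ssh_nft_ruleset "$bastion" > "$outdir/bastion_only.nft"
  gen_sshd_dropin "$bastion" > "$outdir/50-bastion.conf"
  # nft -f "$outdir/bastion_only.nft"
  # install -m 644 "$outdir/50-bastion.conf" /etc/ssh/sshd_config.d/ && sshd -t && systemctl reload ssh
}

# Usage: sh lockdown.sh 192.168.152.10 /tmp/out   (bastion address, output dir)
if [ -n "${1:-}" ]; then write_lockdown "$1" "${2:-.}"; fi
```

AllowUsers is an allowlist, so any other SSH source you still need (an out-of-band admin address, for example) must be added to the same line; validate with sshd -t and keep an existing session open while reloading.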

3: Permission management

After adding the server, zhangsan needs to use it, so the account zhangsan must be authorized for it.

[screenshot]
Under asset authorization you can see the existing server, but without an authorization the list is blank, so choose Create.

Fill in a name and select the user zhangsan; if several users need access, several can be added.

User group authorizes all users in the group, which is convenient for staff management. Only a single person is authorized here, so leave it blank; after all, some people in a user group do not need access.

Assets: select the server to authorize; here select the one just added, 192.168.152.100.

Node, that is, grouping: with many servers you can select a node, which authorizes the above personnel for the whole server group. Likewise, only a single server is authorized here, so leave it blank; there is no need to give access to all the servers under the node.

System users: I use the privileged user by default, i.e. ubuntu, so people enter the server as ubuntu. Of course, if you created an ordinary system user above, you can select that instead. If there are many people in the company, you should still create them for easier access management.

[screenshot]
At this point, server authorization is complete.

IV. Logging in and using Jumpserver as a user

There are two ways to log in: web login, and login via a third-party SSH tool.

1: Web login

Open the jumpserver website in a browser.

Log in to jumpserver with the zhangsan account. The interface is simple and shows only the assets the user has permission for, i.e. the server list.
[screenshot]
Click Web Terminal to enter the web version directly; select the desired server and click it.
[screenshot]

2: SSH tool login

For example with xshell, PuTTY and the like: ssh to the bastion host IP on port 2222, then select the server to log in to according to the prompt. Here xshell is used as the example.

Change the port to 2222, then log in.
[screenshot]
After logging in, enter the zhangsan account password; then enter the authorized server according to the prompt.
[screenshot]
The setup is done at this point.

V. Jumpserver audit function

Administrator users, or auditor users, can view the relevant login records, command records and session playback in the audit view.
[screenshot]

Copyright notice
This article was written by [The, only]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/04/202204232019447458.html
