<h1>JumpServer</h1>
<h2>Getting to know JumpServer</h2>
<h3>What is a bastion host?</h3>
<h4>A bastion host, also called an operations security audit system, has "4A" as its core functions</h4>
<ol>
<li>Authentication (identity verification)</li>
<li>Account management</li>
<li>Authorization (access control)</li>
<li>Audit (security auditing)</li>
</ol>
<h1>Method 1: install and deploy the JumpServer bastion host with the installer</h1>
<h2>Download the tarball</h2>
<pre><code class="language-bash">cd /opt
wget https://github.com/jumpserver/installer/releases/download/v2.28.2/jumpserver-installer-v2.28.2.tar.gz
tar -xf jumpserver-installer-v2.28.2.tar.gz
cd jumpserver-installer-v2.28.2
</code></pre>
<h2>Install</h2>
<pre><code class="language-bash">[root@node1 jumpserver-installer-v2.28.2]# ./jmsctl.sh install
2. Configure Docker
Do you want to support IPv6? (y/n) (default n): [press Enter]
# for every later prompt that shows "(default n):", press Enter to accept the default</code></pre>
<h2>Message shown on successful installation</h2>
<pre><code class="language-bash">&gt;&gt;&gt; The Installation is Complete
1. You can use the following command to start, and then visit
cd /opt/jumpserver-installer-v2.28.2
./jmsctl.sh start
2. Other management commands
./jmsctl.sh stop
./jmsctl.sh restart
./jmsctl.sh backup
./jmsctl.sh upgrade
For more commands, you can enter ./jmsctl.sh --help to understand
3. Web access
http://192.168.10.144:80
Default username: admin  Default password: admin
4. SSH/SFTP access
ssh -p2222 admin@192.168.10.144
sftp -P2222 admin@192.168.10.144</code></pre>
<h2>Stop firewalld and disable it at boot</h2>
<pre><code class="language-bash">systemctl stop firewalld
systemctl disable firewalld</code></pre>
<h2>Restart the Docker service</h2>
<pre><code class="language-bash"># Why the restart: under systemd, firewalld starts before Docker,
# but if firewalld is started or restarted after Docker is already running,
# the Docker daemon has to be restarted so its iptables rules are re-applied.
systemctl restart docker</code></pre>
<h2>Start JumpServer</h2>
<pre><code class="language-bash">[root@node1 jumpserver-installer-v2.28.2]# ./jmsctl.sh start</code></pre>
<h3>Log in to the web UI</h3>
<p><a href="http://192.168.10.144:80">http://192.168.10.144:80</a> Note: if an nginx service is running on the host, change its port, otherwise it will conflict with JumpServer's web port. Default credentials: admin / admin. Password changed to: sy2014 <img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=1eca4ca79c5b1e0e729977ea02942780&amp;file=file.png" alt="" /></p>
<h2>1. Create a user</h2>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=e5c47b58a757d0641d279a7b5ffbc287&amp;file=file.png" alt="" /></p>
<h3>Key point:</h3>
<p><strong>After assigning hosts to a user, one more step is required before the user can log in to those machines:</strong> log in from the bastion host as ops to the machine assigned to the user, and copy the public key named 奇安信堡垒机 (the "Qianxin bastion host" key) from ops's <code>cat ~/.ssh/authorized_keys</code> into the <code>authorized_keys</code> of the corresponding account (shiyue, www, or another account) on the asset host.</p>
<h2>2. Assign assets (hosts) to the user</h2>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=0785a93c37157bebcc9cda35717e058b&amp;file=file.png" alt="" /></p>
<h2>3. Asset authorization</h2>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=b80d20235b6d24bb2dcbf3abe4426042&amp;file=file.png" alt="" /></p>
<h3>4. Connect to a host from the web terminal</h3>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=4bdef4bac3a1d6ba14ef2b97658ff355&amp;file=file.png" alt="" /></p>
<h1>Method 2: deploy JumpServer with Docker</h1>
<h3>1. Pull mysql:5.7</h3>
<pre><code class="language-bash">docker pull mysql:5.7</code></pre>
<h3>2. Create a container from the mysql image</h3>
<pre><code class="language-bash">docker run -it -d --name mysql \
  --restart=always \
  -p 3306:3306 \
  -v /opt/jumpserver/mysql/conf:/etc/mysql/conf.d \
  -v /opt/jumpserver/mysql/logs:/var/log/mysql \
  -v /opt/jumpserver/mysql/data:/var/lib/mysql \
  -e MYSQL_ROOT_PASSWORD="syc112816" \
  mysql:5.7</code></pre>
<h3>3. Initialize the JumpServer database in the MySQL container</h3>
<pre><code class="language-bash">docker exec -ti mysql mysql -uroot -psyc112816
# the following statements are entered at the mysql&gt; prompt
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'root'@'%';
flush privileges;
</code></pre>
<h3>4. Pull redis</h3>
<pre><code class="language-bash">docker pull redis</code></pre>
<h3>5. Initialize redis</h3>
<pre><code class="language-bash">docker run -it -d --name redis --restart=always \
  -p 6379:6379 redis \
  --requirepass "syc112816"
</code></pre>
<h3>6. Pull JumpServer</h3>
<pre><code class="language-bash">docker pull jumpserver/jms_all:latest
</code></pre>
<h3>7. Generate a random encryption key and the initial bootstrap token</h3>
<p>vim pd_key.sh</p>
<pre><code class="language-bash">#!/bin/sh
# generate SECRET_KEY (50 chars) once and persist it in ~/.bashrc
if [ ! "$SECRET_KEY" ]; then
    SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`;
    echo "SECRET_KEY=$SECRET_KEY" &gt;&gt; ~/.bashrc;
    echo $SECRET_KEY;
else
    echo $SECRET_KEY;
fi
# generate BOOTSTRAP_TOKEN (16 chars) once and persist it in ~/.bashrc
if [ ! "$BOOTSTRAP_TOKEN" ]; then
    BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
    echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" &gt;&gt; ~/.bashrc;
    echo $BOOTSTRAP_TOKEN;
else
    echo $BOOTSTRAP_TOKEN;
fi

# run the script; it prints the two values used in the next step
bash pd_key.sh</code></pre>
<h3>8. Deploy JumpServer</h3>
<pre><code class="language-bash"># SECRET_KEY and BOOTSTRAP_TOKEN: the values printed by pd_key.sh
# DB_HOST and REDIS_HOST: the docker0 IP, or the IP of another host
# (comments must not follow a trailing backslash, so they are kept above the command)
docker run --name jumpserver -d --restart=always \
  -v /opt/jumpserver/data:/opt/jumpserver/data \
  -v /opt/jumpserver/koko:/opt/koko/data \
  -v /opt/jumpserver/lion:/opt/lion/data \
  -p 80:80 \
  -p 2222:2222 \
  -e SECRET_KEY=EOBhaGJrj2PKorzVmlzyOsbtqqn4UwQdpqCDneOghAS2fFQj2w \
  -e BOOTSTRAP_TOKEN=kkUVjid3aZVFWp01 \
  -e DB_HOST=172.17.0.1 \
  -e DB_PORT=3306 \
  -e DB_USER=root \
  -e DB_PASSWORD=syc112816 \
  -e DB_NAME=jumpserver \
  -e REDIS_HOST=172.17.0.1 \
  -e REDIS_PORT=6379 \
  -e REDIS_PASSWORD=syc112816 \
  jumpserver/jms_all
</code></pre>
<h3>9. Configure the firewall (for reference)</h3>
<pre><code class="language-bash">#!/bin/sh
iptables -F INPUT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i docker0 -j ACCEPT
# allow 22, 80 and 443
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# deny all
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
</code></pre>
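Steps 7 and 8 of Method 2 write SECRET_KEY and BOOTSTRAP_TOKEN into ~/.bashrc and then paste them on the docker run command line, where they end up in shell history and process listings. The following script is an added example, not part of the original page or of JumpServer itself: it generates both secrets once, stores them in a mode-0600 env file (assumed path /opt/jumpserver/jumpserver.env, chosen for this example) together with the non-secret settings from step 8, refuses to overwrite an existing file so the key stays stable across restarts, and validates the result; the file is then passed to docker run with --env-file.

```shell
#!/bin/sh
# Added example: manage the JumpServer secrets from Method 2 in an env file.
# Assumed path (not from the page): /opt/jumpserver/jumpserver.env

# Print LEN random characters drawn from [A-Za-z0-9], same alphabet as pd_key.sh.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
    echo
}

# Create the env file once. An existing file is left untouched, because
# SECRET_KEY must stay the same for the data JumpServer has already stored.
write_env_file() {
    file="$1"
    [ -f "$file" ] && return 0
    # create empty with restrictive umask, then fill it (never world-readable)
    (umask 077; : > "$file") || return 1
    chmod 600 "$file"
    {
        echo "SECRET_KEY=$(gen_secret 50)"
        echo "BOOTSTRAP_TOKEN=$(gen_secret 16)"
        # non-secret values from the page's step 8; add DB_USER, DB_PASSWORD
        # and REDIS_PASSWORD lines here as well instead of on the command line
        echo "DB_HOST=172.17.0.1"
        echo "DB_PORT=3306"
        echo "DB_NAME=jumpserver"
        echo "REDIS_HOST=172.17.0.1"
        echo "REDIS_PORT=6379"
    } >> "$file"
}

# Read the value of variable NAME from env file FILE (empty if absent).
env_value() {
    grep "^$2=" "$1" | cut -d= -f2-
}

# Return 0 only if both secrets exist, have the expected length and use
# nothing outside [A-Za-z0-9]; used before starting the container.
check_env_file() {
    sk=$(env_value "$1" SECRET_KEY)
    bt=$(env_value "$1" BOOTSTRAP_TOKEN)
    [ "${#sk}" -eq 50 ] || return 1
    [ "${#bt}" -eq 16 ] || return 1
    case "$sk$bt" in *[!A-Za-z0-9]*) return 1 ;; esac
    return 0
}

# Example deployment flow (replaces the -e SECRET_KEY=... lines of step 8):
#   write_env_file /opt/jumpserver/jumpserver.env
#   check_env_file /opt/jumpserver/jumpserver.env && \
#     docker run --name jumpserver -d --restart=always --env-file /opt/jumpserver/jumpserver.env \
#       -v /opt/jumpserver/data:/opt/jumpserver/data -p 80:80 -p 2222:2222 jumpserver/jms_all
```

Running write_env_file a second time is a no-op, so the script can sit at the start of a redeploy procedure without rotating the key by accident.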