Posts tagged ‘network’

Centos8上试用开源堡垒机Jumpserver 1.5.6(八):创建用户时使用密码链接并发邮件给用户功能

===================================================================

开源堡垒机Jumpserver安装/配置系列:

1、Centos8上试用开源堡垒机Jumpserver 1.5.6(一):堡垒机概述
2、Centos8上试用开源堡垒机Jumpserver 1.5.6(二):安装Centos8(CentOS-8.1.1911-x86_64-dvd1.iso)
3、Centos8上试用开源堡垒机Jumpserver 1.5.6(三):在Centos8上安装Jumpserver
4、Centos8上试用开源堡垒机Jumpserver 1.5.6(四):添加被管资源与运维帐户权限分配
5、Centos8上试用开源堡垒机Jumpserver 1.5.6(五):通过堡垒机进行运维管理
6、Centos8上试用开源堡垒机Jumpserver 1.5.6(六):试用批量命令和命令过滤功能
7、Centos8上试用开源堡垒机Jumpserver 1.5.6(七):服务器重启后的恢复操作(手工启动jumpserver等程序)
8、Centos8上试用开源堡垒机Jumpserver 1.5.6(八):创建用户时使用密码链接并发邮件给用户功能

===================================================================

Jumpserver在创建用户时密码策略支持“生成重置密码链接,通过邮件发送给用户”功能,如下图所示,用户收到邮件后,直接修改成自己的密码即可

jumpserver0221_51

需要启用此功能,需要进行相关设置,具体操作如下:

进入“系统设置”->“基本设置”,在当前站点URL中输入访问地址http://192.168.10.216,Email主题前缀设置为“你好,”,如下图所示

jumpserver0221_52

设置“邮件设置”,如下图,需要配置SMTP主机、端口、账号等

jumpserver0221_53

本案例使用126邮箱,登陆126邮箱,进入设置->POP3/SMTP/IMAP,开启SMTP服务,SMTP地址为smtp.126.com,如下图所示

jumpserver0221_54

服务器地址:
POP3服务器: pop.126.com
SMTP服务器: smtp.126.com
IMAP服务器: imap.126.com

jumpserver0221_56

126邮箱对第三方邮件客户端提供POP3\SMTP\IMAP有授权码要求,开启授权码,如下图

jumpserver0221_55

126邮箱设置好后,开始进行邮件设置

SMTP主机:smtp.126.com
SMTP端口:465
SMTP账号:funpower@126.com
SMTP密码:********
发送账号:funpower@126.com
测试收件人:funpower@qq.com
使用SSL:启用SSL,端口465

如下图,输入内容后点击“测试链接”,显示已发送邮件后,点击“提交”保存。

jumpserver0221_57

点击测试连接,右上角出现已发送消息,如下图

jumpserver0221_58

邮件中收到了TEST测试邮件,说明邮件设置正确。

jumpserver0221_59

接着完成“邮件内容设置”,如下图

jumpserver0221_60

最后,重启服务器,确保设置生效。

进入创建用户界面,输入用户相关信息,在密码策略中选择“生成重置密码链接,通过邮件发送给用户”,点“提交”按扭,如下图所示

jumpserver0221_61

点提交后,正常会收到一封用户创建成功的信,点击信中的密码链接进行密码重置,如下图

jumpserver0221_62

重置,设置新密码

jumpserver0221_63

使用新设置的密码进入管理系统

jumpserver0221_64

至此,创建用户完成。

Centos8上试用开源堡垒机Jumpserver 1.5.6(七):服务器重启后的恢复操作(手工启动jumpserver等程序)

===================================================================

开源堡垒机Jumpserver安装/配置系列:

1、Centos8上试用开源堡垒机Jumpserver 1.5.6(一):堡垒机概述
2、Centos8上试用开源堡垒机Jumpserver 1.5.6(二):安装Centos8(CentOS-8.1.1911-x86_64-dvd1.iso)
3、Centos8上试用开源堡垒机Jumpserver 1.5.6(三):在Centos8上安装Jumpserver
4、Centos8上试用开源堡垒机Jumpserver 1.5.6(四):添加被管资源与运维帐户权限分配
5、Centos8上试用开源堡垒机Jumpserver 1.5.6(五):通过堡垒机进行运维管理
6、Centos8上试用开源堡垒机Jumpserver 1.5.6(六):试用批量命令和命令过滤功能
7、Centos8上试用开源堡垒机Jumpserver 1.5.6(七):服务器重启后的恢复操作(手工启动jumpserver等程序)
8、Centos8上试用开源堡垒机Jumpserver 1.5.6(八):创建用户时使用密码链接并发邮件给用户功能

===================================================================

服务器出现硬件故障或维护等原因需要关闭或重启jumpserver服务器,而重启后,由于一些程序不是开机自动启动,需要手工,具体重启后恢复操作如下:

1、检查防火墙及SELinux状态

正常在安装时这两个功能为关闭状态,检查是否为关闭状态:

[root@localhost ~]# getenforce
Disabled
[root@localhost ~]#
[root@localhost ~]# firewall-cmd –state
not running
[root@localhost ~]#
[root@localhost ~]#

jumpserver0221_38

如上所示,检查都为关闭状态。

2、检查redis、mariadb、nginx启动状态

由于redis、mariadb、nginx这三个程序在安装时是启用开机自启动模式,故正常应该都为运行状态,检查如下:

[root@localhost ~]# systemctl status redis
鈼[0m redis.service – Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/redis.service.d
           鈹斺攢limit.conf
    Active: active (running) since Sat 2020-02-22 06:58:41 CST; 18min ago
  Main PID: 1300 (redis-server)
    Tasks: 4 (limit: 26213)
   Memory: 10.4M
   CGroup: /system.slice/redis.service
            鈹斺攢1300 /usr/bin/redis-server 127.0.0.1:6379

Feb 22 06:58:41 localhost.localdomain systemd[1]: Starting Redis persistent key-value database…
Feb 22 06:58:41 localhost.localdomain systemd[1]: Started Redis persistent key-value database.
[root@localhost ~]#
[root@localhost ~]# systemctl status mariadb
鈼[0m mariadb.service – MariaDB 10.3 database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-02-22 06:58:44 CST; 18min ago
     Docs: man:mysqld(8)
           https://mariadb.com/kb/en/library/systemd/
  Process: 1714 ExecStartPost=/usr/libexec/mysql-check-upgrade (code=exited, status=0/SUCCESS)
  Process: 1344 ExecStartPre=/usr/libexec/mysql-prepare-db-dir mariadb.service (code=exited, status=0/SUCCESS)
  Process: 1299 ExecStartPre=/usr/libexec/mysql-check-socket (code=exited, status=0/SUCCESS)
  Main PID: 1414 (mysqld)
   Status: "Taking your SQL requests now…"
    Tasks: 30 (limit: 26213)
   Memory: 122.4M
   CGroup: /system.slice/mariadb.service
           鈹斺攢1414 /usr/libexec/mysqld –basedir=/usr

Feb 22 06:58:41 localhost.localdomain systemd[1]: Starting MariaDB 10.3 database server…
Feb 22 06:58:42 localhost.localdomain mysql-prepare-db-dir[1344]: Database MariaDB is probably initialized in /var/lib/mysql already, nothing is done.
Feb 22 06:58:42 localhost.localdomain mysql-prepare-db-dir[1344]: If this is not the case, make sure the /var/lib/mysql is empty before running mysql-prepare-db-dir.
Feb 22 06:58:43 localhost.localdomain mysqld[1414]: 2020-02-22  6:58:43 0 [Note] /usr/libexec/mysqld (mysqld 10.3.17-MariaDB) starting as process 1414 …
Feb 22 06:58:43 localhost.localdomain mysqld[1414]: 2020-02-22  6:58:43 0 [Warning] Could not increase number of max_open_files to more than 1024 (request: 4186)
Feb 22 06:58:43 localhost.localdomain mysqld[1414]: 2020-02-22  6:58:43 0 [Warning] Changed limits: max_open_files: 1024  max_connections: 151 (was 151)  table_cache: 421 (was 2000)
Feb 22 06:58:44 localhost.localdomain systemd[1]: Started MariaDB 10.3 database server.
[root@localhost ~]#
[root@localhost ~]# systemctl status nginx
鈼[0m nginx.service – nginx – high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-02-22 06:58:43 CST; 19min ago
     Docs: http://nginx.org/en/docs/
  Process: 1565 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
  Main PID: 1641 (nginx)
    Tasks: 2 (limit: 26213)
   Memory: 3.7M
   CGroup: /system.slice/nginx.service
           鈹溾攢1641 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
           鈹斺攢1642 nginx: worker process

Feb 22 06:58:43 localhost.localdomain systemd[1]: Starting nginx – high performance web server…
Feb 22 06:58:43 localhost.localdomain systemd[1]: Started nginx – high performance web server.
[root@localhost ~]#
[root@localhost ~]#

jumpserver0221_39

如上所示,redis、mariadb、nginx都为运行中,状态正常。

3、检查jumpserver程序

jms没有设置为自启动,需要手工启动,首先进入python环境:

[root@localhost ~]# source /opt/py3/bin/activate
(py3) [root@localhost ~]#
(py3) [root@localhost ~]#

然后进入jumpserver程序目录/opt/jumpserver,使用./jms status –d检查程序是否启动,操作如下:

(py3) [root@localhost ~]# cd /opt/jumpserver
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# ls
Dockerfile  LICENSE  README.md  README_EN.md  Vagrantfile  apps  build.sh  config.yml  config_example.yml  data  docs  entrypoint.sh  jms  logs  requirements  run_server.py  tmp  utils
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# ./jms status -d
gunicorn is stopped
celery_ansible is stopped
celery_default is stopped
beat is stopped
flower is stopped
daphne is stopped
(py3) [root@localhost jumpserver]#

jumpserver0221_40

如上,显示都为stopped,未启动,故页面也无法打开,如下:

jumpserver0221_42

使用./jms start –d启动jumpserver程序,如下:

(py3) [root@localhost jumpserver]# ./jms start -d
2020-02-22 07:29:47 Sat Feb 22 07:29:47 2020
2020-02-22 07:29:47 Jumpserver version 1.5.6, more see https://www.jumpserver.org

– Start Gunicorn WSGI HTTP Server
2020-02-22 07:29:47 Check database connection …
users
  [X] 0001_initial
  [X] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
  [X] 0020_auto_20190612_1825
  [X] 0021_auto_20190625_1104
  [X] 0022_auto_20190625_1105
  [X] 0023_auto_20190724_1525
  [X] 0024_auto_20191118_1612
2020-02-22 07:30:04 Database connect success
2020-02-22 07:30:04 Check database structure change …
2020-02-22 07:30:04 Migrate model change to database …
Operations to perform:
  Apply all migrations: admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_celery_beat, ops, orgs, perms, sessions, settings, terminal, tickets, users
Running migrations:
  No migrations to apply.
2020-02-22 07:30:11 Collect static files
2020-02-22 07:30:17 Collect static files done

– Start Celery as Distributed Task Queue: Ansible

– Start Celery as Distributed Task Queue: Celery

– Start Beat as Periodic Task Scheduler

– Start Flower as Task Monitor

– Start Daphne ASGI WS Server
gunicorn is running: 2498
celery_ansible is running: 2509
celery_default is running: 2517
beat is running: 2528
flower is running: 2532
daphne is running: 2539
(py3) [root@localhost jumpserver]#

jumpserver0221_41

完成启动,再次打开主界面http://192.168.10.216,显示正常,如下:

jumpserver0221_43

jumpserver正常后,使用admin用户登陆管理主界面,进入“会话管理”->”终端管理”,如下图,在线状态栏中显示红色小圆点,即为未在线,说明koko和guacamole没有启动

jumpserver0221_45

检查koko和guacamole镜像,如下,说明镜像存在:

(py3) [root@localhost ~]# docker images
REPOSITORY                                         TAG     IMAGE ID       CREATED       SIZE
dockerhub.azk8s.cn/wojiushixiaobai/jms_guacamole   1.5.6   af71674d07a4   2 weeks ago   678 MB
dockerhub.azk8s.cn/wojiushixiaobai/jms_koko        1.5.6   2561f1397767   2 weeks ago   367 MB
(py3) [root@localhost ~]#
(py3) [root@localhost ~]#

使用docker ps查看运行中的容器,发现没有运行中的容器,如下:

(py3) [root@localhost ~]# docker ps
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES
(py3) [root@localhost ~]#
(py3) [root@localhost ~]#

使用docker ps -a查看所有创建的容器(包括未运行的容器),如下:

(py3) [root@localhost ~]# docker ps -a
CONTAINER ID  IMAGE                                                   COMMAND          CREATED      STATUS                          PORTS                                             NAMES
9107b7603bf2  dockerhub.azk8s.cn/wojiushixiaobai/jms_guacamole:1.5.6  ./entrypoint.sh  12 days ago  Exited (143) About an hour ago  127.0.0.1:8081->8080/tcp                          jms_guacamole
769148c0cec1  dockerhub.azk8s.cn/wojiushixiaobai/jms_koko:1.5.6       ./entrypoint.sh  12 days ago  Exited (0) About an hour ago    0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp  jms_koko
(py3) [root@localhost ~]#
(py3) [root@localhost ~]#

如上所示,发现STATUS中状态为Exited,正常应该为up,应该是容器没有启动,手工启动koko和guacamole,操作如下:

(py3) [root@localhost ~]# docker start 9107b7603bf2
9107b7603bf25c48bb939907882591cee524e22bd5c399781694863152fae72f
(py3) [root@localhost ~]#
(py3) [root@localhost ~]#
(py3) [root@localhost ~]# docker start 769148c0cec1
769148c0cec1cc8a6b227e9946f48613e3670c33b347862ae07e53d6b2e1ac99
(py3) [root@localhost ~]#
(py3) [root@localhost ~]#

start后面为容器的id,通过docker ps -a的第一列可以查看到。

完成后再次运行docker ps,可以看到STATUS状态为UP About……,如下所示,即为启动运行中。

(py3) [root@localhost ~]# docker ps
CONTAINER ID  IMAGE                                                   COMMAND          CREATED      STATUS                 PORTS                                             NAMES
9107b7603bf2  dockerhub.azk8s.cn/wojiushixiaobai/jms_guacamole:1.5.6  ./entrypoint.sh  12 days ago  Up About a minute ago  127.0.0.1:8081->8080/tcp                          jms_guacamole
769148c0cec1  dockerhub.azk8s.cn/wojiushixiaobai/jms_koko:1.5.6       ./entrypoint.sh  12 days ago  Up About a minute ago  0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp  jms_koko
(py3) [root@localhost ~]#

jumpserver0221_46

再次查看管理主界面的终端列表,“在线”一列中已为在线状态,说明koko和guacamole终端注册成功,运行正常。

jumpserver0221_47

最后,测试用户端运维管理是否正常,使用user01用户登陆,管理jumpserver和网管两台服务器,都可以连接和管理,如下:

jumpserver0221_48

jumpserver0221_49

历史会话记录也正常,能够回放

jumpserver0221_50

至此,整个jumpserver服务器重启后的操作全部完成,功能恢复正常。

Centos8上试用开源堡垒机Jumpserver 1.5.6(六):试用批量命令和命令过滤功能

===================================================================

开源堡垒机Jumpserver安装/配置系列:

1、Centos8上试用开源堡垒机Jumpserver 1.5.6(一):堡垒机概述
2、Centos8上试用开源堡垒机Jumpserver 1.5.6(二):安装Centos8(CentOS-8.1.1911-x86_64-dvd1.iso)
3、Centos8上试用开源堡垒机Jumpserver 1.5.6(三):在Centos8上安装Jumpserver
4、Centos8上试用开源堡垒机Jumpserver 1.5.6(四):添加被管资源与运维帐户权限分配
5、Centos8上试用开源堡垒机Jumpserver 1.5.6(五):通过堡垒机进行运维管理
6、Centos8上试用开源堡垒机Jumpserver 1.5.6(六):试用批量命令和命令过滤功能
7、Centos8上试用开源堡垒机Jumpserver 1.5.6(七):服务器重启后的恢复操作(手工启动jumpserver等程序)
8、Centos8上试用开源堡垒机Jumpserver 1.5.6(八):创建用户时使用密码链接并发邮件给用户功能

===================================================================

Jumpserver 1.5.6支持批量命令及命令过滤两功能,在后期实际使用中相对较为实用。具体功能如下。

1、批量命令功能

当你对多台服务器进行巡检或者其它检测,需要输入多个相同的命令来查看各服务器的运行状态,就可以使用jumpserver自带的批量命令功能。

管理用户可以通过左菜单栏的“作业中心”-> “批量命令”进入,如下图:

jumpserver0221_26

若普通用户需要支持批量命令功能,需要管理员设置,进入“系统设置”->“安全设置”,在批量命令(允许用户批量执行命令)前打钩,启用该功能,如下图所示。

jumpserver0221_27

重启登陆user01用户,左边菜单会多一个命令执行,如下图,第一步选择一台需要批量执行命令的主机,这里以jumpserver服务器为例,第二步选择执行命令的用户,这里为jumpserver服务器上的root用户,最后一步输入需要批量执行的命令集合,这里为:

uname -a
cat /etc/redhat-release
uptime
clock
ifconfig -a
df –h

,如下图所示:

jumpserver0221_28

准备好后,点击上图的“执行”按扭,开始批量执行,等待几秒后,会提示任务结束,如下图所示:

jumpserver0221_29

输出的内容如下:

———- 任务开始 ———-
$ uname -a
cat /etc/redhat-release
uptime
clock
ifconfig -a
df -h (2020-02-21 21:31:57) ***********************************************************************************
jumpserver服务器 | CHANGED | rc=0 >>
Linux localhost.localdomain 4.18.0-147.5.1.el8_1.x86_64 #1 SMP Wed Feb 5 02:00:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
CentOS Linux release 8.1.1911 (Core)
  21:31:59 up  1:44,  3 users,  load average: 0.09, 0.04, 0.01
2020-02-21 21:31:56.742166+08:00
cni-podman0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.88.0.1  netmask 255.255.0.0  broadcast 10.88.255.255
        inet6 fe80::60d6:64ff:fec7:a941  prefixlen 64  scopeid 0x20<link>
        ether 62:d6:64:c7:a9:41  txqueuelen 1000  (Ethernet)
        RX packets 13681  bytes 7593510 (7.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12823  bytes 2490995 (2.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.216  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::557b:33cd:8dee:1a73  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:9f:2d:92  txqueuelen 1000  (Ethernet)
        RX packets 121501  bytes 9618271 (9.1 MiB)
         RX errors 0  dropped 22  overruns 0  frame 0
        TX packets 23001  bytes 38267639 (36.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
         inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 188075  bytes 53606802 (51.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 188075  bytes 53606802 (51.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth11147d63: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::44d1:58ff:fe6d:ba4b  prefixlen 64  scopeid 0x20<link>
        ether 46:d1:58:6d:ba:4b  txqueuelen 0  (Ethernet)
        RX packets 9345  bytes 3513364 (3.3 MiB)
         RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8062  bytes 1721601 (1.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethbd7b3c02: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::f896:fdff:fe5e:d467  prefixlen 64  scopeid 0x20<link>
        ether fa:96:fd:5e:d4:67  txqueuelen 0  (Ethernet)
        RX packets 3470  bytes 2597294 (2.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3949  bytes 639376 (624.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
         inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:8a:d4:98  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0-nic: flags=4098<BROADCAST,MULTICAST>  mtu 1500
         ether 52:54:00:8a:d4:98  txqueuelen 1000  (Ethernet)
         RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Filesystem           Size  Used Avail Use% Mounted on
devtmpfs             3.9G     0  3.9G   0% /dev
tmpfs                3.9G  340K  3.9G   1% /dev/shm
tmpfs                3.9G  9.4M  3.9G   1% /run
tmpfs                3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/mapper/cl-root   48G  6.6G   42G  14% /
/dev/mapper/cl-home   24G  199M   24G   1% /home
/dev/sda1            976M  162M  748M  18% /boot
tmpfs                798M  1.2M  797M   1% /run/user/42
tmpfs                798M  4.0K  798M   1% /run/user/0
shm                   63M     0   63M   0% /var/lib/containers/storage/overlay-containers/9107b7603bf25c48bb939907882591cee524e22bd5c399781694863152fae72f/userdata/shm
overlay               48G  6.6G   42G  14% /var/lib/containers/storage/overlay/ceddc920de420069c5f06c3cc35c6f9340aaaebded87ec19a7eaa16d6a8eb38f/merged
shm                   63M     0   63M   0% /var/lib/containers/storage/overlay-containers/769148c0cec1cc8a6b227e9946f48613e3670c33b347862ae07e53d6b2e1ac99/userdata/shm
overlay               48G  6.6G   42G  14% /var/lib/containers/storage/overlay/f5ed548523b62468418ed179dad78ae2b5c29b3182473c3ed64a04bf00259219/merged

———- 任务结束 ———-
Task ops.tasks.run_command_execution[578268d7-7a59-474f-8f4a-f0fac574bcbb] succeeded in 3.988194374000159s: None

jumpserver0221_29

2、命令过滤功能

在维护Linux主机时,有一些命令不希望运维工程师执行,如reboot、rm –rf等高危险命令,就可以通过jumpserver自带的命令过滤功能来实现。

在管理界面中,进入“资产管理”->“命令过滤”,选择创建命令过滤器,如下:

jumpserver0221_30

输入名称,完成创建

jumpserver0221_31

点击刚才创建的过滤器名称,如下图

jumpserver0221_32

点击“规则”,再点击“创建规则”,如下图

jumpserver0221_33

类型选择命令,内容中输入需要过滤的命令,这里为

reboot
rm -rf
pwd

如下图:

jumpserver0221_34

点提交后,

jumpserver0221_35

再点击详情,在系统用户中绑定需要过滤命令的用户,这里选择jumpserver服务器的root用户,如下图,点击确认完成设置。

jumpserver0221_36

完成以上设置后,使用user01重启登陆后,再次打开jumpserver服务器的管理窗口,如下图:

jumpserver0221_37

如下所示,输入pwd、rm -rf、reboot三个命令,提示命令被禁止,说明命令阻止过滤已生效。

Centos8上试用开源堡垒机Jumpserver 1.5.6(五):通过堡垒机进行运维管理

===================================================================

开源堡垒机Jumpserver安装/配置系列:

1、Centos8上试用开源堡垒机Jumpserver 1.5.6(一):堡垒机概述
2、Centos8上试用开源堡垒机Jumpserver 1.5.6(二):安装Centos8(CentOS-8.1.1911-x86_64-dvd1.iso)
3、Centos8上试用开源堡垒机Jumpserver 1.5.6(三):在Centos8上安装Jumpserver
4、Centos8上试用开源堡垒机Jumpserver 1.5.6(四):添加被管资源与运维帐户权限分配
5、Centos8上试用开源堡垒机Jumpserver 1.5.6(五):通过堡垒机进行运维管理
6、Centos8上试用开源堡垒机Jumpserver 1.5.6(六):试用批量命令和命令过滤功能
7、Centos8上试用开源堡垒机Jumpserver 1.5.6(七):服务器重启后的恢复操作(手工启动jumpserver等程序)
8、Centos8上试用开源堡垒机Jumpserver 1.5.6(八):创建用户时使用密码链接并发邮件给用户功能

===================================================================

上一节完成了资产的添加、用户创建和授权后,就可以开始真正使用jumpserver堡垒机进行运维管理。

在浏览器中输入http://192.168.10.216,打开登陆界面,如下图,输入创建的运维帐记user01:

jumpserver0221_18

在”我的资产“中,会有授权的两个资产,如下图

jumpserver0221_19

在jumpserver服务器后面的动作点击绿色按扭, jumpserver将会自动打开web terminal,如下图所示:

jumpserver0221_20

在管理平台的命令记录界面中,也可以看到刚才输入的命令,说明命令记录功能正常,如下图所示。

jumpserver0221_21

连接WINDOWS的网管服务器,也能进入管理,如下图

jumpserver0221_24

在管理界面的历史会话中,也对操作进行了录屏,可以回放。

jumpserver0221_25

Centos8上试用开源堡垒机Jumpserver 1.5.6(四):添加被管资源与运维帐户权限分配

===================================================================

开源堡垒机Jumpserver安装/配置系列:

1、Centos8上试用开源堡垒机Jumpserver 1.5.6(一):堡垒机概述
2、Centos8上试用开源堡垒机Jumpserver 1.5.6(二):安装Centos8(CentOS-8.1.1911-x86_64-dvd1.iso)
3、Centos8上试用开源堡垒机Jumpserver 1.5.6(三):在Centos8上安装Jumpserver
4、Centos8上试用开源堡垒机Jumpserver 1.5.6(四):添加被管资源与运维帐户权限分配
5、Centos8上试用开源堡垒机Jumpserver 1.5.6(五):通过堡垒机进行运维管理
6、Centos8上试用开源堡垒机Jumpserver 1.5.6(六):试用批量命令和命令过滤功能
7、Centos8上试用开源堡垒机Jumpserver 1.5.6(七):服务器重启后的恢复操作(手工启动jumpserver等程序)
8、Centos8上试用开源堡垒机Jumpserver 1.5.6(八):创建用户时使用密码链接并发邮件给用户功能

===================================================================

完成了安装部署后,开始进行相关配置,包括添加被管资源设备、创建运维用户等,具体如下。

1、创建用户

在浏览器中输入http://192.168.10.216,进入“用户管理”->“用户列表”界面,点击”创建用户”按扭,如下图,包括名称、用户名、密码等。

jumpserver0221_01

如下所示,密码策略有两种,一种为生成密码链接发给用户,让用户修改为自己的密码;另一种为设置为静态密码,然后将静态密码直接告诉用户,用户进入后自己再修改密码,本次使用静态密码,如下图

jumpserver0221_02

jumpserver0221_03

2、创建管理用户

管理用户是用于jumpserver获取被管设备相关信息,一般针对LINUX的root等用户,如果是WINDOWS或其它设备,可以任意创建一个即可,进入“资产管理”->“管理用户”,点击“创建管理用户”按扭,如下图

jumpserver0221_05

jumpserver0221_06

jumpserver0221_07

3、被管资源创建

完成用户的创建后,开始创建被管资源,进入“资产管理”->“资产列表”界面,点击“资产创建”按扭,如下图

jumpserver0221_04

输入被管资产的主机名、IP等信息,如下所示:

jumpserver0221_08

jumpserver0221_09

4、创建系统用户

开始创建系统用户,系统用户即为堡垒机登陆被管设备时的帐户,也就是被管设备的本地帐户,进入“资产管理”->“系统用户”,点击“创建系统用户”按扭,如下图

jumpserver0221_10

jumpserver0221_22

jumpserver0221_23

5、资产授权

运维管理帐户和被管设备都已经完成创建,下面开始进行资产的授权,以使运维帐户有权限管理创建的设备,进入”权限管理“->”资产授权“界面,点击”创建授权规则“按扭,如下图

jumpserver0221_14

将网管服务器授权给运维user01用户,如下图

jumpserver0221_15

将jumpserver服务器授权给运维user01用户,如下图

jumpserver0221_16

完成后,授权列表中会有刚才创建的两个授权规则,如下图所示。

jumpserver0221_17

这样,整个用户创建、资产创建及权限分配工作基本完成,当然这只是最基本的功能配置,更多详细配置可查看官方文档

华为eNSP V100R003C00SPC100最新版本及相关软件下载

目前华为eNSP需要有权限才能下载,以下为目前的最新版本V100R003C00SPC100及相关软件下载。

下载地址(提取码:h1c9)。

ensp4

ensp3

Centos8上试用开源堡垒机Jumpserver 1.5.6(三):在Centos8上安装Jumpserver

===================================================================

开源堡垒机Jumpserver安装/配置系列:

1、Centos8上试用开源堡垒机Jumpserver 1.5.6(一):堡垒机概述
2、Centos8上试用开源堡垒机Jumpserver 1.5.6(二):安装Centos8(CentOS-8.1.1911-x86_64-dvd1.iso)
3、Centos8上试用开源堡垒机Jumpserver 1.5.6(三):在Centos8上安装Jumpserver
4、Centos8上试用开源堡垒机Jumpserver 1.5.6(四):添加被管资源与运维帐户权限分配
5、Centos8上试用开源堡垒机Jumpserver 1.5.6(五):通过堡垒机进行运维管理
6、Centos8上试用开源堡垒机Jumpserver 1.5.6(六):试用批量命令和命令过滤功能
7、Centos8上试用开源堡垒机Jumpserver 1.5.6(七):服务器重启后的恢复操作(手工启动jumpserver等程序)
8、Centos8上试用开源堡垒机Jumpserver 1.5.6(八):创建用户时使用密码链接并发邮件给用户功能

===================================================================

目前Jumpserver开源堡垒机的最新版本为1.5.6,本次将按照官方“CentOS 8 安装文档”来进行配置,具体配置如下(root用户登陆):

1、更新软件库

通过以下命令完成更新:

[root@localhost ~]# yum update –y

jumpserver27

2、关闭防火墙和关闭SELinux

Jumpserver需要开放80(nginx)和2222(SSH登陆端口koko)两个端口,后期远程管理也需要开放相应端口,这里直接将防火墙关闭:

[root@localhost ~]# firewall-cmd –state
running
[root@localhost ~]#

关闭firewall,并禁止防火墙开机启动,命令如下:

[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# systemctl disable firewalld.service

接着将SELinux关闭,运行如下命令编辑SELINUX配置文件:

[root@localhost ~]# vi /etc/selinux/config

并将SELINUX=enforcing改成SELINUX=disable,如下:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing – SELinux security policy is enforced.
#     permissive – SELinux prints warnings instead of enforcing.
#     disabled – No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted – Targeted processes are protected,
#     minimum – Modification of targeted policy. Only selected processes are protected.
#     mls – Multi Level Security protection.
SELINUXTYPE=targeted

jumpserver29

修改完成后,重启机器,重启后运行getenforce命令查看已经关闭SELinux。

3、安装依赖包

安装wget、gcc等依赖包:

[root@localhost ~]# yum -y install wget gcc epel-release git

jumpserver30

4、安装Redis

Jumpserver使用Redis做cache和celery broke,,安装redis,设置为开机启动模式,并启动程序,操作如下:

[root@localhost ~]# yum -y install redis
[root@localhost ~]# systemctl enable redis
Created symlink /etc/systemd/system/multi-user.target.wants/redis.service 鈫/usr/lib/systemd/system/redis.service.
[root@localhost ~]# systemctl start redis
[root@localhost ~]#

jumpserver31

5、安装并配置MySQL数据库

开始安装mysql,开源也叫mariadb,操作如下:

[root@localhost ~]# systemctl enable mariadb
[root@localhost ~]# systemctl enable mariadb
Created symlink /etc/systemd/system/mysql.service 鈫/usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/mysqld.service 鈫/usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service 鈫/usr/lib/systemd/system/mariadb.service.
[root@localhost ~]#
[root@localhost ~]# systemctl start mariadb
[root@localhost ~]#

接着开始创建数据库,并将数据库授权,操作如下:

生成随机数据库密码:

[root@localhost ~]# DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
[root@localhost ~]#
[root@localhost ~]# echo -e “\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m”
  你的数据库密码是 vqMlQ8FhEkhXVCZHGgRatXIp
[root@localhost ~]#
[root@localhost ~]#

jumpserver32

创建jumpserver数据库,如下:

[root@localhost ~]# mysql -uroot -e “create database jumpserver default charset ‘utf8’; grant all on jumpserver.* to ‘jumpserver’@’127.0.0.1’ identified by ‘$DB_PASSWORD’; flush privileges;”
[root@localhost ~]#

到此,数据库创建完成。

6、安装Nginx

由于jumpserver整个软件安装了多个组件,除了jumpserver主站点外,还有koko、guacamole等,通过Nginx来整合各个组件,操作如下:

创建repo文件:

[root@localhost ~]# vi /etc/yum.repos.d/nginx.repo

输入如下内容:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

开始安装nginx,并设置为开机自启动:

[root@localhost ~]# yum -y install nginx
[root@localhost ~]# systemctl enable nginx
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service 鈫/usr/lib/systemd/system/nginx.service.
[root@localhost ~]#

7、安装Python3.6

开始安装:

[root@localhost ~]# yum -y install python36 python36-devel

jumpserver33

配置并进入Python3虚拟环境,首先定义一个虚拟环境名称,本例为py3,如下:

[root@localhost opt]# cd /opt
[root@localhost opt]# python3.6 -m venv py3
[root@localhost opt]#

jumpserver34

接着进入py3虚拟环境,看到py3开头的提示符号代表成功进入,以后运行jumpserver都要先进入py3环境。

[root@localhost opt]# source /opt/py3/bin/activate
(py3) [root@localhost opt]#
(py3) [root@localhost opt]#

jumpserver35

注意:以下开始的步骤都需要在py3环境中执行。

8、安装Jumpserver

下载jumpserver,完成后/opt目录下会产生一个jumpserver的文件夹:

(py3) [root@localhost opt]# git clone –depth=1 https://github.com/jumpserver/jumpserver.git

jumpserver40

安装依据包:

[root@localhost opt]# yum -y install gcc krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mariadb-devel libffi-devel openssh-clients telnet openldap-clients

接着安装Python库依赖包:

(py3) [root@localhost opt]#
(py3) [root@localhost opt]# pip install wheel

(py3) [root@localhost opt]# pip install –upgrade pip

编辑依赖包清单requirements.txt文件,暂时去掉python-gssapi==0.6.4:

(py3) [root@localhost opt]# vi /opt/jumpserver/requirements/requirements.txt

jumpserver42

安装依赖包清单里的软件:

(py3) [root@localhost opt]# pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

jumpserver43

完成后,将requirements.txt中将python-gssapi-0.6.4的注释去掉,再执行一次安装命令,完成安装。

(py3) [root@localhost opt]# pip install -r /opt/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

jumpserver44

9、配置和启动jumpserver

修改jumpserver配置文件,复制一份示例文件:

(py3) [root@localhost opt]# cd jumpserver
(py3) [root@localhost jumpserver]# cp config_example.yml config.yml
(py3) [root@localhost jumpserver]#

jumpserver45

然后对配置文件作如下修改:

(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
(py3) [root@localhost jumpserver]# echo “SECRET_KEY=$SECRET_KEY” >> ~/.bashrc
(py3) [root@localhost jumpserver]# BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
(py3) [root@localhost jumpserver]# echo “BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN” >> ~/.bashrc
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# sed -i “s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g” /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i “s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g” /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i “s/# DEBUG: true/DEBUG: false/g” /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i “s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g” /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i “s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g” /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# sed -i “s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g” /opt/jumpserver/config.yml
(py3) [root@localhost jumpserver]# echo -e “\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m”
  你的SECRET_KEY是 fKk8ZyJlq6UCQZqowD3tOHXoJ86BfEaY6fMVsMfDzY4kTLQLja
(py3) [root@localhost jumpserver]# echo -e “\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m”
  你的BOOTSTRAP_TOKEN是 H4x1afiqgY3MXCiD
(py3) [root@localhost jumpserver]#

修改完成后,检查下配置,特别是以下行中DB_PASSWORD中是否有密码,正常是有刚才随机的密码:

DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: vqMlQ8FhEkhXVCZHGgRatXIp
DB_NAME: jumpserver

最后启动jumpserver,通过./jms start –d命令,如下:

(py3) [root@localhost /]# cd /opt/jumpserver/
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# ./jms start -d
2020-02-09 09:32:35 Sun Feb  9 09:32:35 2020
2020-02-09 09:32:35 Jumpserver version 1.5.6, more see https://www.jumpserver.org

– Start Gunicorn WSGI HTTP Server
2020-02-09 09:32:35 Check database connection …
users
  [ ] 0001_initial
  [ ] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
  [ ] 0020_auto_20190612_1825
  [ ] 0021_auto_20190625_1104
  [ ] 0022_auto_20190625_1105
  [ ] 0023_auto_20190724_1525
  [ ] 0024_auto_20191118_1612
2020-02-09 09:32:41 Database connect success
2020-02-09 09:32:41 Check database structure change …
2020-02-09 09:32:41 Migrate model change to database …
Operations to perform:
   Apply all migrations: admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_celery_beat, ops, orgs, perms, sessions, settings, terminal, tickets, users
Running migrations:
   Applying contenttypes.0001_initial… OK
   Applying contenttypes.0002_remove_content_type_name… OK
   Applying auth.0001_initial… OK
   Applying auth.0002_alter_permission_name_max_length… OK
   Applying auth.0003_alter_user_email_max_length… OK
   Applying auth.0004_alter_user_username_opts… OK
   Applying auth.0005_alter_user_last_login_null… OK
   Applying auth.0006_require_contenttypes_0002… OK
   Applying auth.0007_alter_validators_add_error_messages… OK
   Applying auth.0008_alter_user_username_max_length… OK
   Applying users.0001_initial… OK
   Applying admin.0001_initial… OK
   Applying admin.0002_logentry_remove_auto_add… OK
   Applying admin.0003_logentry_add_action_flag_choices… OK
   Applying users.0002_auto_20171225_1157_squashed_0019_auto_20190304_1459… OK
   Applying assets.0001_initial… OK
   Applying perms.0001_initial… OK
   Applying assets.0002_auto_20180105_1807_squashed_0009_auto_20180307_1212… OK
   Applying assets.0010_auto_20180307_1749_squashed_0019_auto_20180816_1320… OK
   Applying perms.0002_auto_20171228_0025_squashed_0009_auto_20180903_1132… OK
   Applying perms.0003_action… OK
   Applying perms.0004_assetpermission_actions… OK
   Applying assets.0020_auto_20180816_1652… OK
   Applying assets.0021_auto_20180903_1132… OK
   Applying assets.0022_auto_20181012_1717… OK
   Applying assets.0023_auto_20181016_1650… OK
   Applying assets.0024_auto_20181219_1614… OK
   Applying assets.0025_auto_20190221_1902… OK
   Applying assets.0026_auto_20190325_2035… OK
   Applying applications.0001_initial… OK
   Applying perms.0005_auto_20190521_1619… OK
   Applying perms.0006_auto_20190628_1921… OK
   Applying perms.0007_remove_assetpermission_actions… OK
   Applying perms.0008_auto_20190911_1907… OK
   Applying assets.0027_auto_20190521_1703… OK
   Applying assets.0028_protocol… OK
   Applying assets.0029_auto_20190522_1114… OK
   Applying assets.0030_auto_20190619_1135… OK
   Applying assets.0031_auto_20190621_1332… OK
   Applying assets.0032_auto_20190624_2108… OK
   Applying assets.0033_auto_20190624_2108… OK
   Applying assets.0034_auto_20190705_1348… OK
   Applying assets.0035_auto_20190711_2018… OK
   Applying assets.0036_auto_20190716_1535… OK
   Applying assets.0037_auto_20190724_2002… OK
   Applying assets.0038_auto_20190911_1634… OK
   Applying perms.0009_remoteapppermission_system_users… OK
   Applying applications.0002_remove_remoteapp_system_user… OK
   Applying applications.0003_auto_20191210_1659… OK
   Applying applications.0004_auto_20191218_1705… OK
   Applying assets.0039_authbook_is_active… OK
   Applying assets.0040_auto_20190917_2056… OK
   Applying assets.0041_gathereduser… OK
   Applying assets.0042_favoriteasset… OK
   Applying assets.0043_auto_20191114_1111… OK
   Applying assets.0044_platform… OK
   Applying assets.0045_auto_20191206_1607… OK
   Applying assets.0046_auto_20191218_1705… OK
   Applying audits.0001_initial… OK
   Applying audits.0002_ftplog_org_id… OK
   Applying audits.0003_auto_20180816_1652… OK
   Applying audits.0004_operatelog_passwordchangelog_userloginlog… OK
   Applying audits.0005_auto_20190228_1715… OK
   Applying audits.0006_auto_20190726_1753… OK
   Applying audits.0007_auto_20191202_1010… OK
   Applying auth.0009_alter_user_last_name_max_length… OK
   Applying authentication.0001_initial… OK
   Applying authentication.0002_auto_20190729_1423… OK
   Applying authentication.0003_loginconfirmsetting… OK
   Applying captcha.0001_initial… OK
   Applying common.0001_initial… OK
   Applying common.0002_auto_20180111_1407… OK
   Applying common.0003_setting_category… OK
   Applying common.0004_setting_encrypted… OK
   Applying common.0005_auto_20190221_1902… OK
   Applying common.0006_auto_20190304_1515… OK
   Applying django_celery_beat.0001_initial… OK
   Applying django_celery_beat.0002_auto_20161118_0346… OK
   Applying django_celery_beat.0003_auto_20161209_0049… OK
   Applying django_celery_beat.0004_auto_20170221_0000… OK
   Applying django_celery_beat.0005_add_solarschedule_events_choices_squashed_0009_merge_20181012_1416… OK
   Applying django_celery_beat.0006_periodictask_priority… OK
   Applying ops.0001_initial… OK
   Applying ops.0002_celerytask… OK
   Applying ops.0003_auto_20181207_1744… OK
   Applying ops.0004_adhoc_run_as… OK
   Applying ops.0005_auto_20181219_1807… OK
   Applying ops.0006_auto_20190318_1023… OK
   Applying ops.0007_auto_20190724_2002… OK
   Applying ops.0008_auto_20190919_2100… OK
   Applying ops.0009_auto_20191217_1713… OK
   Applying ops.0010_auto_20191217_1758… OK
   Applying orgs.0001_initial… OK
   Applying orgs.0002_auto_20180903_1132… OK
   Applying orgs.0003_auto_20190916_1057… OK
   Applying users.0020_auto_20190612_1825… OK
   Applying users.0021_auto_20190625_1104… OK
   Applying users.0022_auto_20190625_1105… OK
   Applying users.0023_auto_20190724_1525… OK
   Applying users.0024_auto_20191118_1612… OK
   Applying perms.0010_auto_20191218_1705… OK
   Applying sessions.0001_initial… OK
   Applying settings.0001_initial… OK
   Applying terminal.0001_initial… OK
   Applying terminal.0002_auto_20171228_0025_squashed_0009_auto_20180326_0957… OK
   Applying terminal.0010_auto_20180423_1140… OK
   Applying terminal.0011_auto_20180807_1116… OK
   Applying terminal.0012_auto_20180816_1652… OK
   Applying terminal.0013_auto_20181123_1113… OK
   Applying terminal.0014_auto_20181226_1441… OK
   Applying terminal.0015_auto_20190923_1529… OK
   Applying terminal.0016_commandstorage_replaystorage… OK
   Applying terminal.0017_auto_20191125_0931… OK
   Applying terminal.0018_auto_20191202_1010… OK
   Applying terminal.0019_auto_20191206_1000… OK
   Applying terminal.0020_auto_20191218_1721… OK
   Applying tickets.0001_initial… OK
2020-02-09 09:34:58 Collect static files
2020-02-09 09:35:03 Collect static files done

– Start Celery as Distributed Task Queue: Ansible

– Start Celery as Distributed Task Queue: Celery

– Start Beat as Periodic Task Scheduler

– Start Flower as Task Monitor

– Start Daphne ASGI WS Server
gunicorn is running: 1353
celery_ansible is running: 1364
celery_default is running: 1372
beat is running: 1383
flower is running: 1388
daphne is running: 1402
(py3) [root@localhost jumpserver]#

jumpserver46


如上,完成了jumpserver的启动。

10、部署koko和guacamole

koko和guacamole用于远程管理LINUX或WINDOWS主机时使用的连接组件,有本地安装和docker两种方式,本次和官网文档相同,使用docker,不过不使用docker软件,使用podman,原理基本相同。

首先安装podman:

(py3) [root@localhost jumpserver]# yum install -y podman-docker

jumpserver47

修改别名,这样可以使用docker开头的命令,符合使用习惯:

(py3) [root@localhost jumpserver]# alias docker=podman
(py3) [root@localhost jumpserver]# echo “alias docker=podman” >> ~/.bashrc

配置podman镜像源,编辑/etc/containers/registries.conf文件,将

registries = [‘registry.access.redhat.com’, ‘registry.fedoraproject.org’, ‘registry.centos.org’, ‘docker.io’]

修改为

registries = [‘dockerhub.azk8s.cn’, ‘docker.mirrors.ustc.edu.cn’, ‘docker.io’]

获取服务器IP地址并输入koko和guacamole镜像:

(py3) [root@localhost jumpserver]# Server_IP=`ip addr | grep ‘state UP’ -A2 | grep inet | egrep -v ‘(127.0.0.1|inet6|docker)’ | awk ‘{print $2}’ | tr -d “addr:” | head -n 1 | cut -d / -f1`
(py3) [root@localhost jumpserver]# echo -e “\033[31m 你的服务器IP是 $Server_IP \033[0m”
  你的服务器IP是 192.168.10.216
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# docker run –name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN wojiushixiaobai/jms_koko:1.5.6
Trying to pull dockerhub.azk8s.cn/wojiushixiaobai/jms_koko:1.5.6…
Getting image source signatures
Copying blob c6b215e57460 done
Copying blob 2f770ee5b9cf done
Copying blob ab5ef0e58194 done
Copying blob 5192265494e0 done
Copying config 2561f13977 done
Writing manifest to image destination
Storing signatures
769148c0cec1cc8a6b227e9946f48613e3670c33b347862ae07e53d6b2e1ac99
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# docker run –name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$Server_IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN wojiushixiaobai/jms_guacamole:1.5.6
Trying to pull dockerhub.azk8s.cn/wojiushixiaobai/jms_guacamole:1.5.6…
Getting image source signatures
Copying blob ab5ef0e58194 skipped: already exists
Copying blob 7e663ccfc7bd done
Copying blob 923a0bfa2671 done
Copying blob 9391bafc9b01 done
Copying config af71674d07 done
Writing manifest to image destination
Storing signatures
9107b7603bf25c48bb939907882591cee524e22bd5c399781694863152fae72f
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# docker ps
CONTAINER ID  IMAGE                                                   COMMAND          CREATED         STATUS             PORTS                                             NAMES
9107b7603bf2  dockerhub.azk8s.cn/wojiushixiaobai/jms_guacamole:1.5.6  ./entrypoint.sh  21 minutes ago  Up 21 minutes ago  127.0.0.1:8081->8080/tcp                          jms_guacamole
769148c0cec1  dockerhub.azk8s.cn/wojiushixiaobai/jms_koko:1.5.6       ./entrypoint.sh  25 minutes ago  Up 25 minutes ago  0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp  jms_koko
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]#
(py3) [root@localhost jumpserver]# docker images
REPOSITORY                                         TAG     IMAGE ID       CREATED      SIZE
dockerhub.azk8s.cn/wojiushixiaobai/jms_guacamole   1.5.6   af71674d07a4   7 days ago   678 MB
dockerhub.azk8s.cn/wojiushixiaobai/jms_koko        1.5.6   2561f1397767   7 days ago   367 MB
(py3) [root@localhost jumpserver]#

jumpserver48

11、安装WEB Terminal

(py3) [root@localhost jumpserver]# cd /opt
(py3) [root@localhost opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.6/luna.tar.gz
(py3) [root@localhost opt]#
(py3) [root@localhost opt]# tar xf luna.tar.gz
(py3) [root@localhost opt]#
(py3) [root@localhost opt]# ls
jumpserver  luna  luna.tar.gz  py3
(py3) [root@localhost opt]#
(py3) [root@localhost opt]# chown -R root:root luna
(py3) [root@localhost opt]#

jumpserver49

12、配置并运行Nginx

通过NGINX来整合之前安装的各种组件,确保统一访问路径,操作如下:

(py3) [root@localhost opt]# rm -rf /etc/nginx/conf.d/default.conf
(py3) [root@localhost opt]#
(py3) [root@localhost opt]# vi /etc/nginx/conf.d/jumpserver.conf

添加如下内容:

server {
     listen 80;
     # server_name _;

    client_max_body_size 100m;  # 录像及文件上传大小限制

    location /luna/ {
         try_files $uri / /index.html;
         alias /opt/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改
     }

    location /media/ {
         add_header Content-Encoding gzip;
         root /opt/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
     }

    location /static/ {
         root /opt/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
     }

    location /koko/ {
         proxy_pass       http://localhost:5000;
         proxy_buffering off;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection “upgrade”;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         access_log off;
     }

    location /guacamole/ {
         proxy_pass       http://localhost:8081/;
         proxy_buffering off;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $http_connection;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         access_log off;
     }

    location /ws/ {
         proxy_pass http://localhost:8070;
         proxy_http_version 1.1;
         proxy_buffering off;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection “upgrade”;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         access_log off;
     }

    location / {
         proxy_pass http://localhost:8080;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         access_log off;
     }
}

完成后开始运行Nginx,先运行nginx -t查看,确保配置没有问题:

(py3) [root@localhost opt]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
(py3) [root@localhost opt]#
(py3) [root@localhost opt]#

jumpserver50

没问题后运行nginx:

(py3) [root@localhost opt]# systemctl start nginx
(py3) [root@localhost opt]#
(py3) [root@localhost opt]# systemctl status nginx
鈼[0m nginx.service – nginx – high performance web server
    Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disable>
    Active: active (running) since Sun 2020-02-09 10:36:28 CST; 6s ago
      Docs: http://nginx.org/en/docs/
   Process: 3559 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0>
  Main PID: 3560 (nginx)
     Tasks: 2 (limit: 26213)
    Memory: 2.3M
    CGroup: /system.slice/nginx.service
            鈹溾攢3560 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
            鈹斺攢3561 nginx: worker process

Feb 09 10:36:28 localhost.localdomain systemd[1]: Starting nginx – high performance web s>
Feb 09 10:36:28 localhost.localdomain systemd[1]: Started nginx – high performance web se>

(py3) [root@localhost opt]#

jumpserver51

完成后,打开浏览器,输入http://192.168.10.216,出现登陆界面,用户名密码默认都为admin,如下图,

jumpserver53

jumpserver54

进入后,打开“会话管理”->“终端管理”,由于装了KOKO和guacamole,故正常情况下会有两个终端设备,如下,若没有出现,则koko和guacamole可能安装没成功,如下图所示。

jumpserver55

至此,jumpserver在centos8上的部署已完成 ,下步就需要添加用户和设备资源,使jumpserver可以远程管理相应设备或系统。

参考文章:
1、CentOS 8 安装文档
https://jumpserver.readthedocs.io/zh/master/setup_by_centos8.html

2、Docker 使用说明
https://jumpserver.readthedocs.io/zh/master/faq_docker.html

3、pip install -r /opt/jumpserver/requirements/requirements.txt 安装python-gssapi-0.6.4报错
https://blog.csdn.net/a13568hki/article/details/103259532

4、Jumpserver单机快速部署前的准备工作及部署流程

Centos8上试用开源堡垒机Jumpserver 1.5.6(二):安装Centos8(CentOS-8.1.1911-x86_64-dvd1.iso)

===================================================================

开源堡垒机Jumpserver安装/配置系列:

1、Centos8上试用开源堡垒机Jumpserver 1.5.6(一):堡垒机概述
2、Centos8上试用开源堡垒机Jumpserver 1.5.6(二):安装Centos8(CentOS-8.1.1911-x86_64-dvd1.iso)
3、Centos8上试用开源堡垒机Jumpserver 1.5.6(三):在Centos8上安装Jumpserver
4、Centos8上试用开源堡垒机Jumpserver 1.5.6(四):添加被管资源与运维帐户权限分配
5、Centos8上试用开源堡垒机Jumpserver 1.5.6(五):通过堡垒机进行运维管理
6、Centos8上试用开源堡垒机Jumpserver 1.5.6(六):试用批量命令和命令过滤功能
7、Centos8上试用开源堡垒机Jumpserver 1.5.6(七):服务器重启后的恢复操作(手工启动jumpserver等程序)
8、Centos8上试用开源堡垒机Jumpserver 1.5.6(八):创建用户时使用密码链接并发邮件给用户功能

===================================================================

Jumpserver部署于LINUX环境中,支持多种版本,如下所示:

jumpserver02

本次中选择最新的CentOS8,选择1911版本,在VMware虚拟化平台中创建与运行,具体创建步骤如下:

1、下载并上传CentOS-8.1.1911-x86_64-dvd1.iso镜像

安装最新版本CentOS8:1911版本。下载地址

完成镜像的下载后,上传至VMware虚拟化平台中,以方便后期安装,由于镜像文件超过4T大小,用vCenter上传会出错,需进入ESXi完成上传,选择“存储”->“数据存储浏览器”,如下图:

jumpserver10

选择“上传”,选择刚才下载的镜像文件CentOS-8.1.1911-x86_64-dvd1.iso,完成上传。

jumpserver11

2、创建CentOS8虚拟机

在VMware vSphere6.7中创建,如下:

jumpserver03

选择“新建虚拟机”,在弹出的对话框中选择“创建虚拟机”,如下图

jumpserver04

输入虚拟机名称,如上图,并指定虚拟机创建位置

jumpserver05

选择虚拟机所创建的位置,这里只有一台ESXI主机192.168.10.80,选择这台主机

jumpserver06

选择虚拟机存储空间

jumpserver07

新的CD/DVD驱动器中选择“数据存储ISO文件”,如下

jumpserver08

选择刚才上传的

jumpserver09

选择好后,在“打开电源时连接”上打钩,如下图,完成整个设置。

jumpserver12

3、安装CentOS8

选择刚才新建的虚拟机开机,再选择“启动Romote Console”(需提前安装vmrc)按扭,如下图

jumpserver14

点击下图中的三角按扭,启动虚拟机

jumpserver15

出现CentOS8安装界面,开始安装

jumpserver16

默认英文

jumpserver17

完成相关设置,包括时区、安装选项等,如下图

jumpserver19

IP地址配置

jumpserver18

开始安装,设置root密码

jumpserver20

安装完成后重启

jumpserver21

同意许可,完成配置,如下图

jumpserver22

jumpserver23

启动完成

jumpserver25

4、连接并远程管理创建好的虚拟机CentOS8(192.168.10.216)

安装时已经设置好IP地址,故启动完成后,直接使用SecureCRT连接192.168.10.216即可,使用root用户登陆,如下图。

jumpserver26

至此,CentOS8安装完成,下步开始部署jumpserver。

aix上添加或删除默认路由

在服务器上PING其它网段的地址,发现是丢一个包通一个包,原因是服务器上设置了两个默认网关造成的,如下。

[P550]/ >#netstat -rn
Routing tables
Destination Gateway Flags Refs Use If Exp Groups

Route Tree for Protocol Family 2 (Internet):
default 192.0.0.253 UG 0 3858210 en0 – –
default 192.168.1.254 UG 0 23564 en2 – –
127/8 127.0.0.1 U 14 14363 lo0 – –
192.0.0.0 192.0.0.15 UHSb 0 0 en0 – – =
>
192.0.0/24 192.0.0.15 U 5 9129174 en0 – –
192.0.0.15 127.0.0.1 UGHS 2 7 lo0 – –
192.0.0.255 192.0.0.15 UHSb 0 4 en0 – –
192.168.1.0 192.168.1.8 UHSb 0 0 en2 – – =
>
192.168.1/24 192.168.1.8 U 0 4 en2 – –
192.168.1.8 127.0.0.1 UGHS 19 11138 lo0 – –
192.168.1.255 192.168.1.8 UHSb 0 4 en2 – –

只需删除其中一条无用的就可以,操作如下:

使用lsattr -EI inet0命令来查看服务器上的网络信息:

[P550]/ >#lsattr -El inet0
authm 65536 Authentication Methods
True
bootup_option no Use BSD-style Network Configurati
on True
gateway Gateway
True
hostname P550 Host Name
True
rout6 IPv6 Route
True
route net,-hopcount,0,,0,192.0.0.253 Route
True
route net,-hopcount,0,,0,192.168.1.254 Route
True

有两条默认路由(net,-hopcount开头),通过chdev命令来删除其中一条,使服务器网络正常:

[P550]/ >#chdev -l inet0 -a delroute=”net,-hopcount,0,,0,192.168.1.254″
inet0 changed

再使用netstat -rn来查看网络信息:

[P550]/ >#netstat -rn
Routing tables
Destination Gateway Flags Refs Use If Exp Groups

Route Tree for Protocol Family 2 (Internet):
default 192.0.0.253 UG 0 3858210 en0 – –
127/8 127.0.0.1 U 14 14363 lo0 – –
192.0.0.0 192.0.0.15 UHSb 0 0 en0 – – =
>
192.0.0/24 192.0.0.15 U 5 9129174 en0 – –
192.0.0.15 127.0.0.1 UGHS 2 7 lo0 – –
192.0.0.255 192.0.0.15 UHSb 0 4 en0 – –
192.168.1.0 192.168.1.8 UHSb 0 0 en2 – – =
>
192.168.1/24 192.168.1.8 U 0 4 en2 – –
192.168.1.8 127.0.0.1 UGHS 19 11138 lo0 – –
192.168.1.255 192.168.1.8 UHSb 0 4 en2 – –

可以看出,只剩下了一条到192.0.0.253的默认网关,再去PING其它网段的服务器地址就正常了。如果想把下一跳地址改为192.0.0.254,则需要先将253的这条先删除:

[P550]/ >#chdev -l inet0 -a delroute=”net,-hopcount,0,,0,192.0.0.253″
inet0 changed

再添加一条至192.0.0.254的默认路由:

[P550]/ >#chdev -l inet0 -a route=”net,-hopcount,0,,0,192.0.0.254″
inet0 changed

RouterOS上建立PPTP点对点隧道

by funpower,2009年1月4日23:33,funpower#gmail.com,转载请注明出处。水平有限,文中难免有错误,望指正。

网络说明:
1、RouterOS公网IP:218.50.45.xxx/248
2、企业内网服务器资源IP:192.168.0.0/04
3、远端用户端入后的IP:192.168.5.0/24
4、本例中建立一个pptp用户:用户名user,密码123456

简单网络拓扑图:

pptp4

首先介绍一下PPTP,字面意思理解就是一种点对点隧道协议,Point to Point Tunneling Protocol,用于在IP网络上建立PPP会话隧道。通常用在出差人员在外想使用公司内部资源,不可以通过拔入公司的PPTP SERVER,会话建立后,计算机就会多出一个VPN IP,如下图,这样就可以像在公司访问企业内部资源一样了。

pptp5

下面就开始简单介绍如何在RouterOS上建立公司的PPTP Server:

1、利用winbox登陆RouterOS服务器

pptp6

2、建立远端用户地址池
选择IP—>池,在打开的窗口中点击“+”,然后输入池名称pptp_pool,地址输入192.168.5.1-192.168.5.254,新的池输入none(默认),最后点击“OK”。

pptp7

pptp9

3、配置PPTP Server

配置Interfaces(启用PPTP Server):
点击主菜单的PPP,在弹出的菜单中选择Interfaces选项,然后点击PPTP Server,在enable上打钩,Max MTU和Max MRU都改成1460,其余设置参考下图,完成后点击“OK”。

pptp10

pptp18
再选择此窗口的“+”按扭,并选择“PPTP Server”,名称默认,直接点击“OK”,如下图。

pptp11

pptp12

这时Interfaces窗口下就多了个name为pptp-in1的项了,选择它点击右键选“启用”,如下图。

pptp13

配置Profiles(配置PPTP配置文件):
配置完刚才的Interfaces窗口后,点击窗口的Profiles选项栏,如下图:

pptp14

再点击“+”,Name设置为pptp-profiles,Local Address设置为公网IP218.50.45.xxx,Remote Address设置为刚才新建的地址池pptp_pool,其他设置参考如下两张图,设置完后点击“OK”。

pptp15

pptp16

配置Secrets(配置PPTP登陆用户名密码):
选择Secrets选项栏后,点击“+”按扭,name输入user,密码输入123456,Service选择pptp,Profile选择上一步建立的pptp_profiles,点击“OK”,这样就建立了一个用户名为user,密码为123456的pptp登陆用户。如下图。

pptp17

至此,企业服务器端RouterOS上的PPTP Server设置全部完成。

4、在远程移动办公的计算机上建立PPTP拔号连接

打开一个新建链接,点击下一步

pptpa

选择“连接到我的公共场所的网络”

pptpb

选择“虚拟专用网络连接”

pptpc

任意输入一个pptp连接名称

pptpd

选择“不拔初始连接”

pptpe

这里填入公司RouterOS Server的公网IP地址:218.50.45.xxx

pptpf

pptpg

点击完成,这样桌面上就会产生一个pptp拔号图标,双击后就能连接公司的PPTP Server,连接成功后右下角就会增加一个网络图标,并可以查看获取到的pptp信息,如下图。

pptph