How to Install JumpServer (Bastion Host) on Ubuntu 20.04

Ivan Cheng
Nov 9, 2023

JumpServer is an open-source solution that lets an organisation control and record logins to all kinds of assets. Users reach target servers through the bastion host instead of connecting to them directly, which improves network security, shrinks the potential attack surface, and helps keep sensitive data confidential.

Main features:

  • Remote access management: administrators grant remote access per user, deciding which servers a user may connect to and what they may do there.
  • Session recording and audit: every connection between a user and a target server is recorded, input and output included, for audit, investigation and troubleshooting.
  • Multi-factor authentication: several authentication methods are supported, including username and password, keys and two-factor authentication.
  • Access control: administrators define access policies that restrict particular users to particular servers or services.
  • Centralised management: a single management interface administers all remote access permissions, so security policy stays consistent.

JumpServer follows the 4A model and supports the compliance requirements of pre-access authorisation, in-session monitoring and post-session audit.

  • Authentication: prevents identity impersonation and credential reuse
  • Authorization: prevents mistaken operations by insiders and abuse of privilege
  • Accounting: management of personnel and assets
  • Auditing: the record needed to trace actions and analyse incidents

Features marked with the X-Pack badge are Enterprise-edition features.

Requirements

Mainstream Linux distributions based on Debian or RedHat are supported.

We use the minimum hardware configuration and install the following packages:

sudo apt-get update
sudo apt-get install -y wget curl tar gettext iptables

Online installation

Run the following commands as root to install JumpServer in one step. For a production environment the offline installer is recommended. Note that the one-liner pipes a script fetched from GitHub straight into a root shell; if you want to review it first, save it to a file with curl -o, read it, and only then run it.

sudo -i
cd /opt
curl -sSL https://github.com/jumpserver/jumpserver/releases/latest/download/quick_start.sh | bash

Downloading the Docker images takes a while; be patient.

download install script to /opt/jumpserver-installer-v3.8.1


██╗██╗ ██╗███╗ ███╗██████╗ ███████╗███████╗██████╗ ██╗ ██╗███████╗██████╗
██║██║ ██║████╗ ████║██╔══██╗██╔════╝██╔════╝██╔══██╗██║ ██║██╔════╝██╔══██╗
██║██║ ██║██╔████╔██║██████╔╝███████╗█████╗ ██████╔╝██║ ██║█████╗ ██████╔╝
██ ██║██║ ██║██║╚██╔╝██║██╔═══╝ ╚════██║██╔══╝ ██╔══██╗╚██╗ ██╔╝██╔══╝ ██╔══██╗
╚█████╔╝╚██████╔╝██║ ╚═╝ ██║██║ ███████║███████╗██║ ██║ ╚████╔╝ ███████╗██║ ██║
╚════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝

Version: v3.8.1

1. Check Configuration File
Path to Configuration file: /opt/jumpserver/config
/opt/jumpserver/config/config.txt [ √ ]
/opt/jumpserver/config/nginx/cert/server.crt [ √ ]
/opt/jumpserver/config/nginx/cert/server.key [ √ ]
complete

>>> Install and Configure Docker
1. Install Docker
Starting to download Docker engine ...
Starting to download Docker Compose binary ...
complete

2. Configure Docker
Do you want to support IPv6? (y/n) (default n): complete

3. Start Docker
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /etc/systemd/system/docker.service.
complete

>>> Loading Docker Image
[jumpserver/core:v3.8.1] pulling
[jumpserver/mariadb:10.6] pulling
[jumpserver/redis:6.2] pulling
[jumpserver/magnus:v3.8.1] pulling
[jumpserver/lion:v3.8.1] pulling
[jumpserver/kael:v3.8.1] pulling
[jumpserver/chen:v3.8.1] pulling
[jumpserver/koko:v3.8.1] pulling
[jumpserver/web:v3.8.1] pulling
...
complete

The installer now installs and configures JumpServer automatically.

Save the SECRET_KEY (the installer prints it as SECRETE_KEY) and the BOOTSTRAP_TOKEN. SECRET_KEY is what JumpServer uses to encrypt sensitive fields such as account credentials in its database, so a database backup cannot be decrypted without it; BOOTSTRAP_TOKEN is what the components (koko, lion and the others) use to register with core. The values below were generated for this installation; every deployment gets its own, and they should be stored as carefully as any other credential.

>>> Install and Configure JumpServer
1. Configure Private Key
SECRETE_KEY: ZGExODRkNTYtMWIwMS1mNjVhLTlmNTctZDVjOTVhMjg0OGQ3
BOOTSTRAP_TOKEN: ZGExODRkNTYtMWIwMS1mNjVh
complete

2. Configure Persistent Directory
Do you need custom persistent store, will use the default directory /data/jumpserver? (y/n) (default n): complete

3. Configure MySQL
Do you want to use external MySQL? (y/n) (default n): complete

4. Configure Redis
Do you want to use external Redis? (y/n) (default n): complete

5. Configure External Access
Do you need to customize the JumpServer external port? (y/n) (default n): complete

6. Init JumpServer Database
[+] Running 4/4
✔ Network jms_net Created 5.4s
✔ Container jms_redis Started 6.5s
✔ Container jms_core Started 6.6s
✔ Container jms_mysql Started 6.5s
2023-11-06 17:10:05 Collect static files
2023-11-06 17:10:05 Collect static files done
2023-11-06 17:10:05 Check database structure change ...
2023-11-06 17:10:05 Migrate model change to database ...
ALLOWED_HOSTS:
- localhost
- core:8080
- 127.0.0.1
- 127.0.0.1:8080
- 127.0.0.1:80
- localhost:8080
- localhost:80
- core:8080
- core:80
Operations to perform:
Apply all migrations: accounts, acls, admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, notifications, ops, orgs, perms, rbac, sessions, settings, terminal, tickets, users
...
After migration, update builtin role permissions
- Update builtin roles
complete

The installation completes and the management commands are listed:

>>> The Installation is Complete
1. You can use the following command to start, and then visit
cd /opt/jumpserver-installer-v3.8.1
./jmsctl.sh start

2. Other management commands
./jmsctl.sh stop
./jmsctl.sh restart
./jmsctl.sh backup
./jmsctl.sh upgrade
For more commands, you can enter ./jmsctl.sh --help to understand

We can now log in to JumpServer through the web interface. Change the default admin/admin password right away.

3. Web access
http://192.168.0.9:80
Default username: admin Default password: admin

4. SSH/SFTP access
ssh -p2222 admin@192.168.0.9
sftp -P2222 admin@192.168.0.9

5. More information
Official Website: https://www.jumpserver.org/
Documentation: https://docs.jumpserver.org/


[+] Running 10/10
✔ Container jms_magnus Started 3.7s
✔ Container jms_kael Started 3.7s
✔ Container jms_koko Started 3.7s
✔ Container jms_lion Started 3.7s
✔ Container jms_mysql Running 0.0s
✔ Container jms_chen Started 3.7s
✔ Container jms_core Started 6.0s
✔ Container jms_redis Running 0.0s
✔ Container jms_web Started 3.7s
✔ Container jms_celery Started 3.7s

JumpServer is split into a number of containers; verify them with docker ps.

sudo docker ps -a
CONTAINER ID   IMAGE                      COMMAND                  CREATED          STATUS                    PORTS                                                                                                                  NAMES
b3d630042d1a   jumpserver/core:v3.8.1     "./entrypoint.sh sta…"   7 minutes ago    Up 7 minutes (healthy)    8080/tcp                                                                                                               jms_celery
c28ffc2977c9   jumpserver/core:v3.8.1     "./entrypoint.sh sta…"   7 minutes ago    Up 7 minutes (healthy)    8080/tcp                                                                                                               jms_core
fef3bd942aa7   jumpserver/lion:v3.8.1     "./entrypoint.sh"        7 minutes ago    Up 7 minutes (healthy)    4822/tcp, 8081/tcp                                                                                                     jms_lion
51d22050e146   jumpserver/koko:v3.8.1     "./entrypoint.sh"        7 minutes ago    Up 7 minutes (healthy)    0.0.0.0:2222->2222/tcp, :::2222->2222/tcp, 5000/tcp                                                                    jms_koko
2a68c0bb0307   jumpserver/chen:v3.8.1     "./entrypoint.sh"        7 minutes ago    Up 7 minutes (healthy)    8082/tcp                                                                                                               jms_chen
07b298d80704   jumpserver/web:v3.8.1      "/docker-entrypoint.…"   7 minutes ago    Up 7 minutes (healthy)    0.0.0.0:80->80/tcp, :::80->80/tcp                                                                                      jms_web
7d6859f40a1a   jumpserver/magnus:v3.8.1   "./entrypoint.sh"        7 minutes ago    Up 5 minutes (healthy)    0.0.0.0:33061-33062->33061-33062/tcp, :::33061-33062->33061-33062/tcp, 0.0.0.0:63790->63790/tcp, :::63790->63790/tcp   jms_magnus
d1971cd6f90c   jumpserver/kael:v3.8.1     "./entrypoint.sh"        7 minutes ago    Up 7 minutes (healthy)    8083/tcp                                                                                                               jms_kael
4a2d9293aa11   jumpserver/mariadb:10.6    "docker-entrypoint.s…"   18 minutes ago   Up 18 minutes (healthy)   3306/tcp                                                                                                               jms_mysql
9130b66f1e03   jumpserver/redis:6.2       "docker-entrypoint.s…"   18 minutes ago   Up 18 minutes (healthy)   6379/tcp                                                                                                               jms_redis
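Only three containers publish ports on the host: jms_web (80), jms_koko (2222) and jms_magnus (33061-33062 and 63790, the database proxy ports for MySQL/MariaDB and Redis). All of them are bound to 0.0.0.0 and ::, and Docker inserts those publications into iptables ahead of any ufw rules, so a host firewall does not automatically cover them. The following is an added example, not code from the original post or from the JumpServer project: it parses docker ps output and flags any published port that is not on an allowlist. The sample input is constructed from the docker ps table above, and the port strings are in the format docker ps --format prints them.

```bash
#!/usr/bin/env bash
# Added example: list the ports JumpServer's containers publish on the host and
# flag any that are not expected. Input format is that of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# The sample below is constructed from the docker ps output shown in the post.

# Read NAME<TAB>PORTS lines on stdin; print "NAME BIND HOSTPORT" for each
# mapping that is published on the host (entries containing "->").
published_ports() {
    awk -F '\t' '{
        n = split($2, p, ", ")
        for (i = 1; i <= n; i++) {
            if (index(p[i], "->") == 0) continue          # container-internal only
            host = substr(p[i], 1, index(p[i], "->") - 1) # e.g. 0.0.0.0:2222 or :::2222
            k = 0
            for (j = length(host); j > 0; j--)
                if (substr(host, j, 1) == ":") { k = j; break }
            printf "%s %s %s\n", $1, substr(host, 1, k - 1), substr(host, k + 1)
        }
    }'
}

# Read "NAME BIND HOSTPORT" lines on stdin and flag every host port (or range,
# exactly as docker prints it) that is not in ALLOW. Returns the number flagged.
check_exposure() {
    local allow=" $1 " name bind port bad=0
    while read -r name bind port; do
        case "$allow" in
            *" $port "*) echo "ok         $name publishes $port on $bind" ;;
            *)           echo "UNEXPECTED $name publishes $port on $bind"
                         bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Constructed sample, one line per container, as docker ps --format would print it.
sample_docker_ps() {
    printf '%s\t%s\n' \
        jms_koko   '0.0.0.0:2222->2222/tcp, :::2222->2222/tcp, 5000/tcp' \
        jms_web    '0.0.0.0:80->80/tcp, :::80->80/tcp' \
        jms_magnus '0.0.0.0:33061-33062->33061-33062/tcp, :::33061-33062->33061-33062/tcp, 0.0.0.0:63790->63790/tcp, :::63790->63790/tcp' \
        jms_core   '8080/tcp' \
        jms_mysql  '3306/tcp'
}

# Demo: allow only the web UI and the SSH gateway; the database proxy ports stand out.
# Live host: docker ps --format '{{.Names}}\t{{.Ports}}' | published_ports | check_exposure "80 2222"
sample_docker_ps | published_ports | check_exposure "80 2222" || echo "$? unexpected published port(s)"
```

If the database proxy is not in use, the magnus ports should be restricted to the interfaces and sources that need them, or not published at all; the same check run after an upgrade tells you whether a new version started publishing something extra.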

Use the following commands to restart JumpServer; the containers are started in dependency order.

cd /opt/jumpserver-installer-v3.8.1
./jmsctl.sh restart

JumpServer component architecture (diagram)

Network port list (diagram)

Once you know what each container does, you can go straight to the component behind a failing feature. If, say, a Web RDP connection fails, check the lion container (which serves Web RDP and VNC) with docker logs. In the output below, core rejected lion's request for a connection token with HTTP 400 because no account on the target asset was available for the login ("No host account available"), so the fix belongs on the asset and account side, not in lion.

docker logs -f jms_lion --tail 200
[GIN] 2023/11/07 - 16:15:57 | 200 |   66.967812ms |       10.7.3.52 | GET      "/lion/connect/?token=6c3ce1bc-5a4d-49cf-b20b-f2cc9bac42e6"
2023-11-07 16:15:58 tunnel server.go [ERROR] Create token session err: connect API core err: POST http://core:8080/api/v1/authentication/super-connection-token/applet-option/ failed, get code: 400, {"error":"No host account available"}

By default, all configuration lives in:

/opt/jumpserver/config

The data directories mapped into the containers live in:

/data/jumpserver/
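config.txt in /opt/jumpserver/config is where the installer wrote the SECRET_KEY and BOOTSTRAP_TOKEN from step 1, alongside the database and Redis passwords, in clear text. The script below is an added example, not code from the original post or from the JumpServer project: it audits such a file, checking that the secrets are present and not trivially short, that the password fields are filled in, and that the file is not readable by other users, and it shows how to generate a replacement secret from /dev/urandom. The key names SECRET_KEY, BOOTSTRAP_TOKEN, DB_PASSWORD and REDIS_PASSWORD are the installer's; the two sample files are constructed for the demo, and the minimum lengths are this example's own thresholds.

```bash
#!/usr/bin/env bash
# Added example: audit the secrets the JumpServer installer wrote to config.txt.
# Key names follow the installer's config.txt; the two sample files are constructed.

# Print the last KEY=value assignment of KEY ($2) in FILE ($1); empty if absent.
cfg_get() {
    grep -E "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

# Report problems with one config.txt, one per line; return the number found.
audit_jms_config() {
    local file="$1" findings=0 v key perms
    v=$(cfg_get "$file" SECRET_KEY)
    if [ "${#v}" -lt 32 ]; then
        echo "SECRET_KEY missing or shorter than 32 characters"
        findings=$((findings + 1))
    fi
    v=$(cfg_get "$file" BOOTSTRAP_TOKEN)
    if [ "${#v}" -lt 16 ]; then
        echo "BOOTSTRAP_TOKEN missing or shorter than 16 characters"
        findings=$((findings + 1))
    fi
    for key in DB_PASSWORD REDIS_PASSWORD; do
        v=$(cfg_get "$file" "$key")
        if [ -z "$v" ]; then
            echo "$key is empty"
            findings=$((findings + 1))
        fi
    done
    # The secrets are stored in clear text: only the owner (root) should read the file.
    perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$perms" in
        *00) ;;
        *)  echo "$file is readable by group/other (mode $perms)"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Generate a replacement secret of LEN (default 48) alphanumeric characters from the kernel CSPRNG.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-48}"
    echo
}

# Write two constructed config.txt files into DIR: one sound, one with every defect
# the audit looks for. The values are placeholders, not real keys.
write_samples() {
    cat > "$1/good.txt" <<'EOF'
SECRET_KEY=c0nstructedSampleSecretKeyForAuditDemo1234567890
BOOTSTRAP_TOKEN=c0nstructedBootstrapTok
DB_HOST=mysql
DB_PASSWORD=c0nstructedDbPassword
REDIS_HOST=redis
REDIS_PASSWORD=c0nstructedRedisPassword
EOF
    cat > "$1/weak.txt" <<'EOF'
SECRET_KEY=changeme
BOOTSTRAP_TOKEN=
DB_PASSWORD=
REDIS_PASSWORD=
EOF
    chmod 600 "$1/good.txt"
    chmod 644 "$1/weak.txt"
}

# Demo: audit both samples. On a real host: audit_jms_config /opt/jumpserver/config/config.txt
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in good weak; do
    echo "== $f.txt"
    audit_jms_config "$demo_dir/$f.txt" && echo "no findings" || echo "$? finding(s)"
done
echo "replacement SECRET_KEY candidate: $(gen_secret 48)"
```

Changing SECRET_KEY on a running installation makes every value already encrypted with the old key unreadable, so a replacement generated this way is for a fresh install or a deliberate re-keying, not something to drop into config.txt casually.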

Backup command:

cd /opt/jumpserver-installer-v3.8.1/
sudo ./jmsctl.sh backup_db
Backing up...
[SUCCESS] Backup succeeded! The backup file has been saved to: /data/jumpserver/db_backup/jumpserver-v3.8.1-2023-11-21_06:32:59.sql

Restore command:

sudo ./jmsctl.sh restore_db /data/jumpserver/db_backup/jumpserver-v3.8.1-2023-11-21_06:32:59.sql
[ WARNING ] Make sure you have a backup of data, this operation is not reversible! 

Start restoring database: /data/jumpserver/db_backup/jumpserver-v3.8.1-2023-11-21_06:32:59.sql
[+] Running 4/4
✔ Network jms_net Created 0.3s
✔ Container jms_redis Started 1.8s
✔ Container jms_core Started 1.8s
✔ Container jms_mysql Started 1.8s
[SUCCESS] Database recovered successfully!
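backup_db dumps only the database. Account credentials in that dump are encrypted with the SECRET_KEY from config.txt, so a dump restored onto a host with a different key cannot be decrypted, and the config directory has to be kept together with the .sql file. The following is an added example, not code from the original post or from the JumpServer project: it bundles one dump with the config directory into a tarball, records its SHA-256 digest, and verifies both before a restore. The paths and file names are constructed for the demo and mirror the ones above.

```bash
#!/usr/bin/env bash
# Added example: keep a backup_db dump together with the config directory that
# holds the SECRET_KEY it was encrypted under, and verify the bundle before restoring.
# Paths and file names are constructed for the demo.

# Hex SHA-256 of FILE (GNU coreutils first, Perl shasum as fallback).
sha256_hex() {
    (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | cut -d ' ' -f 1
}

# bundle_backup DUMP.sql CONFIG_DIR OUT_DIR -> prints the bundle path.
# The bundle contains the dump and the whole config directory; its digest is
# written next to it and the file is owner-only, since it now carries SECRET_KEY.
bundle_backup() {
    local sql="$1" cfg="$2" out="$3" name bundle
    if [ ! -f "$sql" ] || [ ! -f "$cfg/config.txt" ]; then
        echo "need an existing .sql dump and a config dir containing config.txt" >&2
        return 1
    fi
    name="jms-backup-$(date -u +%Y%m%dT%H%M%SZ)"
    bundle="$out/$name.tar.gz"
    tar -czf "$bundle" \
        -C "$(dirname "$sql")" "$(basename "$sql")" \
        -C "$(dirname "$cfg")" "$(basename "$cfg")"
    chmod 600 "$bundle"
    sha256_hex "$bundle" > "$bundle.sha256"
    echo "$bundle"
}

# verify_bundle BUNDLE -> 0 only if the recorded digest matches and the archive
# holds both a config.txt and a .sql dump; otherwise explains and returns 1.
verify_bundle() {
    local bundle="$1" want have listing
    want=$(cat "$bundle.sha256" 2>/dev/null) || { echo "no digest file for $bundle" >&2; return 1; }
    have=$(sha256_hex "$bundle")
    if [ "$want" != "$have" ]; then
        echo "digest mismatch for $bundle (bundle altered or truncated)" >&2
        return 1
    fi
    listing=$(tar -tzf "$bundle")
    printf '%s\n' "$listing" | grep -q '/config.txt$' || { echo "no config.txt in bundle" >&2; return 1; }
    printf '%s\n' "$listing" | grep -q '\.sql$'       || { echo "no .sql dump in bundle" >&2; return 1; }
    echo "bundle OK: $bundle"
}

# Constructed stand-in for /data/jumpserver/db_backup and /opt/jumpserver/config.
make_sample_backup() {
    mkdir -p "$1/db_backup" "$1/config/nginx/cert"
    echo "-- constructed dump, not real data" > "$1/db_backup/jumpserver-v3.8.1-2023-11-21_06:32:59.sql"
    echo "SECRET_KEY=c0nstructedSampleSecretKeyForAuditDemo1234567890" > "$1/config/config.txt"
}

# Demo: bundle, verify, then show that a tampered bundle is rejected.
demo_dir=$(mktemp -d)
make_sample_backup "$demo_dir"
demo_bundle=$(bundle_backup "$demo_dir/db_backup/jumpserver-v3.8.1-2023-11-21_06:32:59.sql" "$demo_dir/config" "$demo_dir")
verify_bundle "$demo_bundle"
printf 'x' >> "$demo_bundle"
verify_bundle "$demo_bundle" || echo "tampered bundle rejected as expected"
```

Because the bundle now contains SECRET_KEY and the database passwords, it needs the same protection as config.txt itself wherever it is copied; storing the digest beside it only detects corruption or tampering, it does not protect confidentiality.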

That was a quick look at installing JumpServer on Ubuntu 20.04. The next post will cover basic operation and features. Thanks for reading.
