This article is fairly long; please read it patiently.
1 JumpServer bastion host overview – deploying the JumpServer runtime environment
1.1 Jump host overview
A jump host (springboard machine) is a server that developers and operations staff must log in to first during maintenance; from it they then log in to the target equipment to maintain and operate it.
Drawback of a plain jump host: it provides no control or audit of what operations staff actually do. Mis-operations and unauthorised operations still happen through the jump host, and once an operational accident occurs it is hard to quickly locate the cause and the person responsible.
Bastion host overview:
A bastion host, in a given network environment, protects the network and its data from intrusion and damage by external and internal users. It uses various technical means to collect and monitor, in real time, the system state, security events and network activity of every component in the environment, raises alarms centrally, supports timely handling, and provides an audit trail for assigning responsibility.
Summary: a bastion host does more than a jump host, for example real-time collection, monitoring of the network environment, centralised alarms and so on.
JumpServer is an open-source bastion host system written in Python and Django. It provides authentication, authorisation, auditing and automated operations functions for Internet enterprises. JumpServer currently supports managing assets over the SSH, Telnet, RDP and VNC protocols.
JumpServer 2 environment requirements:
Hardware: 4 CPU cores, 6 GB memory, 50 GB disk (minimum)
1.2 JumpServer lab topology
xuegod63  IP: 192.168.1.63  JumpServer server, 6 GB memory
xuegod64  IP: 192.168.1.64  managed server (asset), 2 GB memory
1.3 Initialise the system environment
Turn off the firewall and SELinux on the JumpServer host. This is a lab shortcut: on a production bastion host keep firewalld enabled and open only the ports JumpServer actually listens on (8080, 8443 and 2222 are the ones used below), because the bastion host is the one machine on the network that must not be wide open.
[root@xuegod63 ~]# systemctl stop firewalld && systemctl disable firewalld
[root@xuegod63 ~]# setenforce 0
Disabling SELinux permanently only takes effect after a reboot, so disable it temporarily first (setenforce 0 above) and then permanently:
[root@xuegod63 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
1.4 Install the services JumpServer requires
[root@xuegod63 ~]# curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.10.2/quick_start.sh | bash
Note that this pipes a script fetched over the network straight into a root shell. Outside a lab, download the script first, read it, and only then run it.
cd into the installer directory and start JMS:
[root@xuegod63 ~]# cd /opt/jumpserver-installer-v2.10.2/
[root@xuegod63 jumpserver-installer-v2.10.2]# ./jmsctl.sh restart
Note: there is no need to configure auto-start, because the new version of JumpServer runs as Docker containers, and those containers are started automatically at boot.
For web access, the new version provides two addresses, one HTTP and one HTTPS:
http://192.168.1.63:8080/core…   User: admin   Password: admin
The password must be changed on first login. Here, in the test environment, we change it to 123456.
2 JumpServer platform system initialisation
2.1 Basic system settings
Enter your real site URL here, otherwise users will not be able to access the platform later: http://192.168.1.63. After setting it, click the "Submit" button.
You can choose HTTP or HTTPS here; we use HTTPS.
2.2 Configure the mail sending server
Click the "Mail settings" tab at the top of the page to open the mail settings page.
Configure a 163 mailbox.
Note: enable the SMTP and POP3 services in your mailbox and add an authorisation code:
To enable the POP3/SMTP/IMAP service:
Log in to the 163 mailbox, click "Settings" in the upper right corner of the page, then under "Advanced" click "POP3/SMTP/IMAP" to open it.
There are two options in the figure; also enable the reminder for clients deleting mail. Once enabled, you can receive mail with clients such as Flash Mail or Outlook.
New authorisation password:
The authorisation code is generated automatically by the system; copy it and keep it safe. This code, not your mailbox login password, is what you enter as the SMTP password in JumpServer.
Server addresses: POP3 server: pop.163.com | SMTP server: smtp.163.com | IMAP service
After submitting, test whether mail can be sent normally.
Check the mail in your mailbox.
3 Use JumpServer to manage tens of thousands of game servers
3.1 User management
1. Add a user group.
The user name is the JumpServer login account. User groups are used for asset authorisation: when an asset is authorised to a user group, every user in that group can use the asset. The role distinguishes administrators from ordinary users.
Click User management -> User groups -> Create user group.
Add a new group: King Glory – North China operations department.
View the group you just added.
2. Add a user.
Click User management -> User list -> Create user.
The name is the person's real name; the user name is the JumpServer login account.
Then click Submit. The user receives an email confirming that the account was created.
MFA, multi-factor authentication, is a simple and effective authentication method: on top of the user name and password it adds another layer of protection. An MFA device, also called a dynamic password card or token, is what provides this second factor.
MFA device examples:
Hardware MFA device
A hardware MFA device is shown in the figure below. The 6-digit dynamic security code on the front changes every 30 seconds; the serial number of the device is on the back.
Mobile phone verification code:
View the added users.
Using the browser's incognito (private) mode, open a new window and log in to the mailbox:
After the user information is submitted, JumpServer sends an email titled "Set user password" to the mailbox you entered.
Log in to the 163 mailbox and check the mail as follows:
Click the link and set the password: 123456
In incognito mode, open https://192.168.1.63:8443/   User: mk   Password: 123456
The login succeeds.
Switch back to the admin user, open the new user mk, and configure an SSH key.
Users can reset their own password or SSH key to make later logins easier. Here the mk user on another Linux machine generates its own SSH key pair:
# useradd mk
# echo 123456 | passwd --stdin mk
# su - mk
$ ssh-keygen          # press Enter at every prompt
$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFMqCGfXDW8UW7Dd0QoXzvnny/4u9ET2sKBt2SQf+wVVS6pLJHE3QNXzHxg+uI1KRJwVtGiPWPtOQ4yj3HiMsBSLsFjOWFoIcv1myXYtLFuwovLfUJgyCwD/LHfSgJ821bUQ2w9uUkAKirBJtjKFC/E4l9Z+GgZmLr9ckRWfZOt3g+xD3iNlh/lD4FlTYz0U9hlb4GrpikP5WtsYZgpIImMTgPsxq3yspQGvTpzsj1ApfOgt0SEHsqd1yYv4K+2bokMDrpTSmvsHXTWCBwpXsp2NQA2s1aDKJIOTY3mDCDQdJl9aMbBAjErdYFvEoNybNdH98KTcEQeCsrCrI0SfR9   (the trailing user@host comment was redacted in the source)
Paste only the public key generated above here; the private key stays on the user's machine:
3.2 Edit the asset tree and add a node
Log in to JumpServer as admin and add nodes. Node names must be unique. Right-click a node to add, delete or rename nodes and to perform asset-related operations.
Name: King Glory – North China – server
3.3 Create an admin user
Description of the user kinds in JumpServer:
The admin user (management user) is the asset's root account, or a user with NOPASSWD: ALL sudo permission. JumpServer uses this account to push system users and to collect asset hardware information.
Name: King Glory – North China – server admin user – root   Password: 123456
Precondition: the root password of every server under the "King Glory – North China – server" node is 123456, so this one root account can manage all of them.
Note: the "password" entered when creating the admin user must be the real root password of the server's Linux system. Because this account is root on every asset under the node, it is the most sensitive credential JumpServer holds: protect the JumpServer host accordingly, and prefer an SSH key over a shared password where the assets allow it.
3.4 Create system users
A system user is the account JumpServer uses when it jumps to an asset; it can be understood as the account that logs in to the asset. JumpServer logs in to the asset as the system user.
The Sudo field of a system user lists the program paths that the system user may run through sudo without a password. For example, the default /sbin/ifconfig means the system user may run ifconfig directly or as sudo ifconfig without entering the system user's password, while every other command still asks for the password. This is how permission control is achieved.
Set these permissions according to the user's actual needs; in principle, grant the minimum permission.
If auto-push is selected when the system user is created, JumpServer uses Ansible to push the system user to the assets automatically. If an asset (a switch, Windows) does not support Ansible, fill in the account and password manually.
For Linux assets the protocol must be SSH. If the user already exists on the system, untick "auto-generate key" and "auto-push".
Add a user for checking the server's running state:
Name: user for checking server status
User name: user
Sudo: /sbin/ifconfig, /usr/bin/top, /usr/bin/free
Add a system administrator user:
Name: system administrator user
User name: manager
Sudo: /usr/local/sbin/, /usr/local/bin/, /usr/sbin/, /usr/bin/, /root/bin/
Note: a directory may be written instead of specific commands. Adding a trailing / makes it clearly a directory; it works without the slash, but a bare /usr/local/sbin may sometimes be read as a command. Entries must be separated by English (ASCII) commas.
Caveat: granting whole directories such as /usr/bin and /usr/sbin without a password is equivalent to unrestricted root, because those directories contain shells and editors. That is acceptable here only because this account is meant to be a system administrator; for any user who is not meant to be root, list individual commands as in the first example.
3.5 Create assets
Note: before adding assets, start xuegod64 first.
Power on the virtual machine xuegod64.cn; this machine is added to the platform as an asset.
Host name: game64.xuegod.cn – King Glory – North China
System platform: Linux
Protocol group: SSH 22
Admin user: King Glory – North China – server admin user – root (root)
Fill in the fields and click Submit.
After saving the asset, press F5 to refresh the page. The asset shows as reachable, which means everything is normal:
If the asset cannot be reached, check that the admin user's user name and key (or password) are correct, and that the admin user can SSH into the asset host from the JumpServer host.
3.6 Create authorisation rules
Node corresponds to assets: it stands for all assets under that node.
User group corresponds to users: it stands for all users in the group.
System user: the users in the selected user group can use the assets under the selected node via this system user.
A rule ties one node, one user group and one system user together, so when you have different kinds of assets such as Linux and Windows, create separate authorisation rules for the Linux assets and the Windows assets.
Name: King Glory – North China – server authorisation rule
Note: users and user groups say who is authorised. If a user group is authorised, every user in the group gets the permission.
User: leave empty
User group: King Glory – North China operations department
Assets and nodes say what is authorised: a single asset can be authorised, or a whole node. If the North China node is authorised, all servers under it are authorised.
Node: /Default/King Glory – North China – server
Action: tick the permissions; click to assign detailed permissions.
Leave the other options at their defaults and submit.
Note: this authorisation means that anyone in the "King Glory – North China operations department" group has "system administrator user" permission on every server under the "King Glory – North China – server" node.
After the authorisation succeeds, verify it manually on xuegod64:
[root@xuegod64 ~]# tail -n 5 /etc/passwd
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
manager:x:1000:1000:system administrator user:/home/manager:/bin/bash    # the system user that JumpServer pushed to the asset
[root@xuegod64 ~]# visudo    # the sudo rule was pushed as well
manager ALL=(ALL) NOPASSWD: /usr/local/sbin,/usr/local/bin,/usr/sbin,/usr/bin,/root/bin
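The sudoers line just shown is the concrete result of the Sudo field from section 3.4, and it is worth checking such a field before the system user is pushed. The following added example (not JumpServer code; audit_sudo_commands and render_sudoers_line are hypothetical names) renders the line JumpServer pushes from a Sudo field and flags entries that defeat the least-privilege intent of 3.4: whole-directory grants, which are equivalent to unrestricted root, and binaries that can spawn a shell or write arbitrary files as root. The two Sudo fields it is run against are the ones from 3.4.

```python
# Added example (not JumpServer code). Audits the comma-separated "Sudo" field of a
# JumpServer system user before it is pushed as a NOPASSWD sudoers rule.

# A grant on a whole directory lets the user run every binary in it as root.
# On a normal distribution these directories contain bash, su, vi, ... so the
# grant is unrestricted root in disguise.
ROOT_EQUIVALENT_DIRS = {
    "/bin", "/sbin", "/usr/bin", "/usr/sbin",
    "/usr/local/bin", "/usr/local/sbin", "/root/bin",
}

# Individual programs that hand the caller a root shell or arbitrary file writes
# (a small, illustrative subset; GTFOBins lists many more).
SHELL_ESCAPES = {
    "bash", "sh", "zsh", "dash", "su", "sudo", "env", "find", "awk",
    "vi", "vim", "nano", "less", "more", "perl", "python", "python3",
    "tar", "cp", "mv", "tee", "dd", "chmod", "chown",
}


def split_commands(spec: str) -> list[str]:
    """Split the Sudo field on commas, dropping surrounding whitespace and empties."""
    return [c.strip() for c in spec.split(",") if c.strip()]


def audit_sudo_commands(spec: str) -> list[str]:
    """Return one human-readable finding per risky entry; an empty list means clean."""
    findings = []
    for cmd in split_commands(spec):
        path = cmd.split()[0]                      # sudoers may carry arguments after the path
        if not path.startswith("/"):
            findings.append(f"{cmd}: relative path; sudoers needs an absolute path")
            continue
        if path.endswith("/") or path.rstrip("/") in ROOT_EQUIVALENT_DIRS:
            findings.append(f"{cmd}: whole-directory grant, equivalent to unrestricted root")
            continue
        if path.rsplit("/", 1)[-1] in SHELL_ESCAPES:
            findings.append(f"{cmd}: shell escape, yields a root shell or root file writes")
    return findings


def render_sudoers_line(user: str, spec: str) -> str:
    """Render the rule JumpServer pushes: NOPASSWD for the listed commands only.
    Trailing slashes are dropped, matching the line seen in /etc/sudoers on the asset."""
    cmds = [c.rstrip("/") or "/" for c in split_commands(spec)]
    return f"{user} ALL=(ALL) NOPASSWD: {','.join(cmds)}"


if __name__ == "__main__":
    # The two Sudo fields from section 3.4 of the article.
    fields = {
        "user": "/sbin/ifconfig, /usr/bin/top, /usr/bin/free",
        "manager": "/usr/local/sbin/, /usr/local/bin/, /usr/sbin/, /usr/bin/, /root/bin/",
    }
    for name, spec in fields.items():
        print(render_sudoers_line(name, spec))
        for finding in audit_sudo_commands(spec) or ["(no findings)"]:
            print("   ", finding)
```

The first field passes clean: ifconfig, top and free cannot be turned into a shell. The second field produces one finding per entry, which is the practical meaning of the caveat in 3.4: a user holding that rule can run sudo /usr/bin/bash and is root on every asset the rule was pushed to, so the audit trail JumpServer records for that user is only as trustworthy as the user.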
3.7 Using assets as a user
Log in to JumpServer: https://192.168.1.63:8443   User: mk   Password: 123456
The authorisation rule selected a user group, so a user in that group must log in to see the corresponding assets.
Use an incognito window to log in:
The page after the user has logged in:
1. Connect to assets from the web interface: click Web terminal on the left of the page.
Expand the node the asset belongs to:
Double-click the asset name to connect to it:
If "connection timeout" is shown, check that the system user name and key assigned to the asset are correct, that the asset's operating system, protocol (SSH) and port (22) are set correctly, and that the firewall policy on the asset allows the connection.
Now you can operate the asset.
3.8 Connect through JumpServer from Xshell or a character terminal
$ ssh -p2222 mk@192.168.1.63     # connect to JumpServer's SSH gateway; Xshell works the same way
Enter the JumpServer user mk and password 123456.
Click OK to start the connection.
Opt> 64          # typing 64 matches 192.168.1.64 uniquely and logs in directly
Connecting to manager@game64.xuegod.cn – King Glory – North China 0.3
Last login: Thu Jun 7 23:15:13 1718 from xuegod63.cn
[manager@xuegod64 ~]$ whoami     # the login used the system user manager
manager
[manager@xuegod64 ~]$ exit
Opt> p           # list the hosts you are authorised to use
Opt> g           # list the node groups you are authorised to use
3.9 Viewing command history
3.10 Viewing session history and playing back recordings
3.11 File management
Here you can create folders or upload files to the server. Created folders and uploaded files land under the target server's /tmp directory:
[root@xuegod64 ~]# ls /tmp/
3.12 Operations centre
1. Task list
Tasks are instructions JumpServer sends to the assets it manages, such as testing asset connectivity, collecting asset hardware information, testing admin user connectivity and testing system user connectivity. Task records for the last 7 days are shown by default.
Click a task name to see its details, its historical versions and its execution history.
2. Batch commands
This function issues commands to assets quickly. Currently only assets that Ansible can manage are supported, and the system user's login type must be automatic login. Note that a batch command runs under the system user's sudo rule on every selected asset, so it inherits whatever breadth that rule was given in 3.4.
For more information, refer to the official parameter manual:
4 Use JumpServer to manage a MySQL database
4.1 Install the MariaDB database
# yum install -y mariadb-server
# systemctl enable --now mariadb
Set the root password:
# mysqladmin -uroot password "123456"
Create the ecshop database and the xuegod user. The xuegod user is allowed to log in to MySQL from anywhere:
# mysql -uroot -p123456
MariaDB [(none)]> create database ecshop;      # e-commerce site database ecshop
MariaDB [(none)]> use ecshop;
MariaDB [ecshop]> create table user(id int(20), name char(40));      # create table user
MariaDB [ecshop]> grant all privileges on *.* to 'xuegod'@'%' identified by '123456';
Caveat: ALL PRIVILEGES ON *.* for 'xuegod'@'%' makes this account a full database administrator reachable from any host, which is fine for this test setup. In a real deployment scope the grant to the ecshop database and to the JumpServer host's address (192.168.1.63), since JumpServer is the only client that should be connecting as this user.
4.2 Manage the database with JumpServer
Add a MySQL system user:
Name: xuegod MySQL
Login mode: automatic login
The account information is the authorised user created after installing the database:
User name: xuegod
Add the application:
Name: xuegod MySQL
Note: "database" here refers to a database inside MySQL; we select the test environment's database.
Database to use after login: ecshop
Create the application authorisation:
Name: xuegod MySQL
User group: King Glory – North China operations department
Application: xuegod MySQL
System user: xuegod MySQL
After the authorisation is done, log in as user mk and you can manage the MySQL application in the Web terminal.