Building a JumpServer bastion host to manage tens of thousands of game servers

Date: 2021-8-25

The article is a little long. Please read it patiently!

1 JumpServer bastion host overview: deploying the JumpServer runtime environment

1.1 jump host overview

A jump host is a server that developers or operations staff must first log in to, and only from there log in to the target devices to maintain and operate them.
Drawback of a jump host: it does not control or audit what operations staff actually do, so accidents caused by mistaken or unauthorized operations still happen while using it, and once an accident occurs it is hard to quickly locate the cause and the person responsible.

Bastion host overview:
A bastion host, in a given network environment, protects the network and its data from intrusion and damage by external and internal users: it uses various technical means to collect and monitor in real time the system status, security events and network activity of every component in that environment, with centralized alerting, timely handling and audit attribution.

Summary: a bastion host does more than a jump host, for example real-time collection, monitoring of the network environment and centralized alerting.
JumpServer overview:
JumpServer is an open-source jump host system written in Python and Django. It provides authentication, authorization, auditing and automated operations for Internet companies. JumpServer currently supports managing assets over the SSH, Telnet, RDP and VNC protocols.

Official website: http://www.jumpserver.org
JumpServer 2 environment requirements:
Hardware: 4 CPU cores, 6 GB memory, 50 GB disk (minimum)

1.2 JumpServer lab topology

Lab environment:
xuegod63, IP 192.168.1.63: JumpServer server, 6 GB memory
xuegod64, IP 192.168.1.64: managed server (asset), 2 GB memory

1.3 initializing the system environment

Initialize the system environment.
Turn off the firewall:

[root@xuegod63 ~]# systemctl stop firewalld && systemctl disable firewalld

Disable SELinux temporarily:

[root@xuegod63 ~]# setenforce 0

Disable it permanently (takes effect after a reboot; apply the temporary change first, then the permanent one):

[root@xuegod63 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config

1.4 installing the services JumpServer requires

Automatic deployment:

[root@xuegod63 ~]# curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.10.2/quick_start.sh | bash

cd into the installer directory and start JMS:

[root@xuegod63 ~]# cd /opt/jumpserver-installer-v2.10.2/
[root@xuegod63 jumpserver-installer-v2.10.2]# ./jmsctl.sh restart

Note: no start-on-boot configuration is needed, because the new version of JumpServer runs in Docker, and those Docker containers start automatically at boot.
For web access the new version provides two addresses, one HTTP and one HTTPS:
http://192.168.1.63:8080/core… User: admin Password: admin
https://192.168.1.63:8443/cor…
The password must be changed on first login. In this test environment we change it to 123456.

2 JumpServer platform initialization

2.1 basic system settings

Enter your real URL here, otherwise users will not be able to access the platform later: http://192.168.1.63. After setting it, click the "Submit" button.
You can choose HTTP or HTTPS here:
http://192.168.1.63:8080
https://192.168.1.63:8443
We use HTTPS.

2.2 configuring the outgoing mail server

Click the "Mail settings" tab at the top of the page to open the mail settings page.
Configure a 163 mailbox.
Note: enable the SMTP and POP3 services in your mailbox and add an authorization code.
To enable the POP3/SMTP/IMAP service: log in to the 163 mailbox, click "Settings" in the upper right corner of the page, then under "Advanced" click "POP3/SMTP/IMAP" to enable it. There are two options in the figure; also enable the reminder when a client deletes mail. Once enabled, you can receive mail with clients such as Lightning Mail and Outlook.
New authorization password:

My authorization code is generated automatically by the system and needs to be copied and saved.
Server addresses: POP3 server: pop.163.com | SMTP server: smtp.163.com | IMAP server: imap.163.com
After submitting, test whether mail can be sent normally.
Check the mail in the mailbox.

3 using JumpServer to manage tens of thousands of game servers

3.1 user management

1. Add a user group.

The user name is the JumpServer login account. User groups are used for asset authorization: when an asset is authorized to a user group, all users in that group can use the asset. The role distinguishes administrators from ordinary users.
Click User management -> User groups -> Create user group
Add a new group -> King glory – North China operation and maintenance department
View the group you just added.

2. Add a user

Click User management -> User list -> Create user
Here the name is the real name and the user name is the JumpServer login account.
Then click Submit. You will receive an email saying the user was created successfully.
Extension:
MFA (multi-factor authentication) is a simple and effective security authentication method that adds another layer of protection on top of the user name and password. An MFA device, also called a dynamic password card or token card, provides this kind of authentication.
Examples of MFA devices:
Hardware MFA device: the 6-digit dynamic security code on the front is refreshed every 30 seconds, and the device's serial number is on the back.
Mobile phone verification code.
View the added users.
Using the browser's incognito mode, open a new window and log in to the mailbox.
After the user information is submitted successfully, JumpServer sends a "set user password" email to the mailbox you filled in.
Log in to the 163 mailbox and check the mail.
Click the link and change the password to: 123456
In the browser's incognito mode open https://192.168.1.63:8443/ User: mk Password: 123456
The login succeeds.
Switch to the admin user and configure an SSH key for the new user mk.

Users can reset their own password or SSH key to make later logins easier. I generate the SSH key as the mk user on my other Linux machine:

# useradd mk
# echo 123456 | passwd --stdin mk
# su - mk
$ ssh-keygen    # press Enter at every prompt
$ cat ~/.ssh/id_rsa.pub

Paste the public key printed above here.

Submit.

3.2 editing the asset tree and adding a node

Log in to JumpServer as admin and add nodes. Node names must be unique. Right-click a node to add, delete or rename nodes and to perform asset-related operations.
Name: King glory – North China – server

3.3 creating the management user

Description of each user type in JumpServer:
The management user is root on the server, or a user with NOPASSWD: ALL sudo permission. JumpServer uses this user to push system users and to collect asset hardware information.
Name: King glory – North China – server management user – root, password: 123456
Premise: the root password of every server in your King glory – North China – server node is 123456, so this root user can be used to manage the servers.
Note: the "password" entered when creating the management user must be the real root password on the server's Linux system.

3.4 creating system users

The system user is the user JumpServer uses when it jumps to and logs in to an asset; think of it as the login user on the asset. JumpServer logs in to the asset as the system user.

The sudo column of the system user holds the program paths the system user may execute without a sudo password. For example, the default /sbin/ifconfig means the system user can run ifconfig directly, or sudo ifconfig, without entering the system user's password, while every other command still requires the password; this is how permissions are controlled.

The permissions here should be tailored to the user's needs; in principle, grant the minimum permission.

If automatic push is selected when the system user is created, JumpServer uses Ansible to push the system user to the asset automatically. If the asset (a switch, Windows) does not support Ansible, fill in the account and password manually.

SSH must be selected as the protocol for Linux systems. If the user already exists on the system, uncheck "auto generate key" and "auto push".
Build jumpserver fortress machine to manage tens of thousands of game servers
Add a user: the user who checks the server's running status;
User name: user
Sudo: /sbin/ifconfig,/usr/bin/top,/usr/bin/free
Add the system administrator user
Name: system administrator user
User name: manager
Sudo: /usr/local/sbin/,/usr/local/bin/,/usr/sbin/,/usr/bin/,/root/bin/
Note: if you write a directory you do not need to list specific commands. Adding a / at the end of the directory path makes it clearer; leaving it off also works, but sometimes /usr/local/sbin may be treated as a command. Entries must be separated by English commas.

3.5 creating assets

Note: before adding assets, xuegod64 must be running.

Start the virtual machine xuegod64.cn; this machine will be added to the platform as a resource.
Host name: game64.xuegod.cn – King glory – North China
IP: 192.168.1.64
System platform: Linux
Protocol group: SSH 22
Management user: King glory – North China – server management user – root (root)
Fill these in and click Submit.

After saving the asset, press F5 to refresh the page. The asset shows as reachable, which means it is working:
If the asset cannot be reached, check whether the management user's user name and key are correct and whether the management user can log in to the asset host over SSH from the JumpServer host.

3.6 creating authorization rules

Node corresponds to assets and represents all assets under that node.
User group corresponds to users and represents all users in that group.
System user: users in the selected user group can use the assets under the selected node through the system user.
Node, user group and system user are matched one to one, so when you own assets of different types such as Linux and Windows, create separate authorization rules for the Linux assets and the Windows assets.
Name: King glory – North China – server authorization rule

Note: users and user groups indicate who is authorized. If a user group is authorized, every user in the group gets the permission.

User: leave empty
User group: King glory – North China operation and maintenance department
Assets and nodes: you can authorize a single asset or authorize by node. If the North China node is authorized, every server under it is authorized.
Assets:
Node: /default/King glory – North China – server
Actions: check the permissions and click to assign detailed permissions.

Leave the other options at their defaults and submit.
Note: this authorization means that everyone in the group "King glory – North China operation and maintenance department" has the permissions of "system administrator user" on all servers in the node "King glory – North China – server".
After the authorization succeeds, you can check manually on xuegod64:
After the authorization is successful, you can manually view it on xuegod64:

[root@xuegod64 ~]# tail /etc/passwd -n 5
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
manager:x:1000:1000:system administrator user:/home/manager:/bin/bash   # the automatically pushed account: the system user was created on the asset server
[root@xuegod64 ~]# visudo   # the sudo rule is pushed automatically as well
manager ALL=(ALL) NOPASSWD: /usr/local/sbin,/usr/local/bin,/usr/sbin,/usr/bin,/root/bin
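As an added example (not from the article or the JumpServer project), the POSIX shell script below audits sudo rules of the kind pushed above: a NOPASSWD grant on a whole directory such as /usr/bin lets the user run every binary in it as root, so the "system administrator user" rule is flagged, while the narrow ifconfig/top/free rule from section 3.4 passes. The sample sudoers text is constructed from the two system users in this article, and the function names are my own.

```shell
#!/bin/sh
# Added example: classify the sudo command lists JumpServer pushes for its
# system users. Verdicts: exact (specific binaries only), directory (a whole
# directory or wildcard, equivalent to full root), all (ALL).

# classify_sudo_cmds 'cmd1,cmd2,...' -> prints exact | directory | all
classify_sudo_cmds() {
    verdict=exact
    old_ifs=$IFS; IFS=','; set -f           # split on commas, no globbing
    for entry in $1; do
        entry=$(printf '%s' "$entry" | tr -d ' \t')   # trim spaces/tabs
        case "$entry" in
            ALL)            verdict=all; break ;;
            */|*'*'*|*'?'*) verdict=directory ;;     # trailing / or wildcard
            /bin|/sbin|/usr/bin|/usr/sbin|/usr/local/bin|/usr/local/sbin|/root/bin)
                            verdict=directory ;;     # bare directory path
        esac
    done
    IFS=$old_ifs; set +f
    echo "$verdict"
}

# audit_sudoers_line 'user ALL=(ALL) NOPASSWD: cmd,...' -> "user verdict"
audit_sudoers_line() {
    user=${1%% *}
    case "$1" in
        *NOPASSWD:*) cmds=${1#*NOPASSWD:} ;;
        *)           cmds=${1##*\)} ;;          # rule without a tag
    esac
    printf '%s %s\n' "$user" "$(classify_sudo_cmds "$cmds")"
}

# audit_sudoers TEXT -> one "user verdict" line per rule, skipping comments
audit_sudoers() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*|Defaults*) continue ;; esac
        audit_sudoers_line "$line"
    done
}

# Constructed sample modelled on the two rules the article's system users get
SAMPLE_SUDOERS='# /etc/sudoers excerpt (constructed)
user ALL=(ALL) NOPASSWD: /sbin/ifconfig,/usr/bin/top,/usr/bin/free
manager ALL=(ALL) NOPASSWD: /usr/local/sbin,/usr/local/bin,/usr/sbin,/usr/bin,/root/bin'

audit_sudoers "$SAMPLE_SUDOERS"
# user exact
# manager directory
```

Run it against `sudo -l` output or /etc/sudoers.d files pushed by JumpServer to see which system users are effectively full root despite the "minimum permission" intent.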

3.7 using assets as a user

Log in to JumpServer: https://192.168.1.63:8443 User: mk Password: 123456
The authorization rule selected a user group, so a user from that group has to log in here to see the corresponding assets.
Use the browser's incognito mode and open another window to log in:
Page after the user logs in correctly:
1. Connect to assets through the web interface: click Web terminal on the left of the page:
Expand the node the asset is under.
Double-click the asset name to connect to it.
If a connection timeout is displayed, check whether the system user name and key assigned to the asset are correct, whether the Linux operating system information, protocol SSH and port 22 were selected correctly, and whether the asset's firewall policy is configured correctly.
Now you can operate on the asset.

3.8 connecting to the JumpServer management server from an Xshell character terminal

$ ssh -p2222 mk@192.168.1.63   # connect to JumpServer, or use Xshell to connect

Enter the JumpServer user mk and the password 123456
Click OK to start the connection
Opt> 64   # enter 64 to log in directly to 192.168.1.64
Connecting to manager@game64.xuegod.cn – King glory – North China 0.3
Last login: Thu Jun 7 23:15:13 1718 from xuegod63.cn
[manager@xuegod64 ~]$ whoami   # the login uses the system user manager
manager
[manager@xuegod64 ~]$ exit
Logout
Opt> p   # show the hosts you have permission for
Opt> g   # show the host groups you have permission for

3.9 viewing historical command records


3.10 viewing historical sessions and playing back recordings

Online sessions

Historical sessions

3.11 file management function

Here you can create a new folder or upload files to the server. The created folders and uploaded files end up in the /tmp directory of the target server:

[root@xuegod64 ~]# ls /tmp/

3.12 operations center

1. Task list
Jobs are instructions JumpServer sends to the assets it manages, such as testing asset connectivity, collecting asset hardware information, testing management user connectivity and testing system user connectivity. By default the job records of the last 7 days are shown.
Click a job name to view its details, its historical versions and its execution history.
2. Batch commands
This function lets you quickly issue commands to assets. At present only assets manageable by Ansible are supported, and the system user's login mode must be automatic login.
For more information, see the official manual:
https://jumpserver.readthedoc…
https://docs.jumpserver.org/z…

4 using JumpServer to manage a MySQL database

4.1 installing the MariaDB database

[root@xuegod64 ~]# yum install -y mariadb-server
[root@xuegod64 ~]# systemctl enable --now mariadb
Set the root password:
[root@xuegod64 ~]# mysqladmin -uroot password "123456"
Create the ecshop database and the xuegod user; the xuegod user is allowed to log in to the MySQL database from anywhere.
[root@xuegod64 ~]# mysql -uroot -p123456
MariaDB [(none)]> create database ecshop;   # create the e-commerce site database ecshop
MariaDB [(none)]> use ecshop;
MariaDB [ecshop]> create table user(id int(20),name char(40));   # create a table user
MariaDB [ecshop]> grant all privileges on *.* to 'xuegod'@'%' identified by '123456';

4.2 managing the database with JumpServer

Add a MySQL system user
Name: xuegod MySQL
Login mode: automatic login

The account information is the authorized user created after installing the database:

User name: xuegod
Password: 123456
Create the application
Name: xuegod MySQL
Host: 192.168.1.64
Port: 3306
Note: "database" here refers to which database in MySQL to use; for the test environment we can pick the MySQL database.
Database to use after login: ecshop
Application authorization
Name: xuegod MySQL
User group: King glory – North China operation and maintenance department
Application: xuegod MySQL
System user: xuegod MySQL
After the authorization is complete, log in as user mk and you can manage the MySQL application in the Web terminal.
Summary:
1 JumpServer bastion host overview: deploying the JumpServer runtime environment
2 JumpServer platform initialization
3 Hands-on: using JumpServer to manage tens of thousands of game servers
4 Using JumpServer to manage a MySQL database
