Introduction to Jumpserver
Official site: www.jumpserver.org
Jumpserver is the world's first fully open source bastion host ("fortress machine"), released under the GNU GPL v2.0 license. It is a professional operations security audit system built around the 4A model (Authentication, Account, Authorization, Audit).
Jumpserver is developed in Python/Django, follows the Web 2.0 specification, uses a distributed architecture, supports multi-datacenter cross-region deployment and horizontal scaling, and places no limit on the number of assets or concurrent connections.
Jumpserver currently supports assets reached over SSH, Telnet, RDP and VNC.
Jumpserver Core Features List
Authentication
Account management
Authorization control
Security audit
Asset management (CMDB)
Jumpserver Environment Requirements
Hardware configuration: 2 CPU cores, 4G memory, 50G hard disk (minimum standard)
Operating system: Linux distribution x86_64
Python 3.6.x
MySQL Server >= 5.6
Mariadb Server >= 5.5.56
Redis
Jumpserver Deployment
1. Install the dependency packages
yum install wget gcc-c++ epel-release git -y
2. Install python36
[root@Jumpserver ~]# yum install python36.x86_64 python36-devel.x86_64 -y
[root@Jumpserver ~]# python36 -V
Python 3.6.8
3. Set up the python virtual environment
[root@Jumpserver ~]# python36 -m venv /opt/py3
4. Load the python3 virtual environment
Every Jumpserver operation requires the py3 virtual environment to be loaded first with the following command. The (py3) prefix in the prompt shows that the environment is active; all of the following commands are run inside it.
[root@Jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@Jumpserver ~]#
# Optional: once the code has been cloned into /opt/jumpserver (step 5), this .env file lets a tool such as autoenv load the virtual environment automatically when you enter the directory, so the source command does not have to be typed every time. Without autoenv installed the file has no effect and the source command above must still be run by hand.
(py3) [root@Jumpserver ~]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
5. Get the Jumpserver code
(py3) [root@Jumpserver ~]# cd /opt/
(py3) [root@Jumpserver opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git
Cloning into 'jumpserver'...
remote: Enumerating objects: 1156, done.
remote: Counting objects: 100% (1156/1156), done.
remote: Compressing objects: 100% (1028/1028), done.
remote: Total 1156 (delta 193), reused 632 (delta 64), pack-reused 0
Receiving objects: 100% (1156/1156), 6.96 MiB | 13.00 KiB/s, done.
Resolving deltas: 100% (193/193), done.
This clones whatever is on the master branch at the time, while koko, luna and guacamole below are pinned to release 1.5.2. For a reproducible install that matches those components, clone the matching release tag instead (git clone --depth=1 -b <tag> https://github.com/jumpserver/jumpserver.git).
6. Install the Jumpserver RPM and Python dependencies
(py3) [root@Jumpserver opt]# cd /opt/jumpserver/requirements/
(py3) [root@Jumpserver requirements]# yum install $(cat rpm_requirements.txt) -y
(py3) [root@Jumpserver requirements]# pip install --upgrade pip
(py3) [root@Jumpserver requirements]# pip install -r requirements.txt
Install Redis
Jumpserver requires Redis.
It can be installed with yum or compiled from source; here it is compiled from source. The tarball is fetched over plain http, so compare its checksum with the hash the Redis project publishes for that release before building.
1. Install redis
[root@Jumpserver ~]# cd /usr/local/src/
[root@Jumpserver src]# wget http://download.redis.io/releases/redis-5.0.5.tar.gz
[root@Jumpserver src]# tar xf redis-5.0.5.tar.gz
[root@Jumpserver src]# cd redis-5.0.5
[root@Jumpserver redis-5.0.5]# make
[root@Jumpserver redis-5.0.5]# cd src/
[root@Jumpserver src]# make install PREFIX=/usr/local/redis
[root@Jumpserver src]# mkdir /usr/local/redis/etc
[root@Jumpserver src]# cd /usr/local/src/redis-5.0.5
[root@Jumpserver redis-5.0.5]# cp -rf redis.conf /usr/local/redis/etc/
2. Modify the configuration file
Replace "IP address" in the bind line with the address Jumpserver will connect to: 127.0.0.1 if Redis runs on the Jumpserver host, otherwise the host's private IP, never 0.0.0.0. The file below sets no requirepass, so every client that can reach port 6379 gets full access to the instance; for anything but a loopback-only Redis add a long random requirepass here and put the same value into REDIS_PASSWORD in the Jumpserver config.yml. Note that this heredoc overwrites the redis.conf copied in the previous step.
cat << EOF > /usr/local/redis/etc/redis.conf
daemonize yes
port 6379
bind IP address
protected-mode yes
pidfile "/usr/local/redis/run/redis.pid"
loglevel notice
logfile "/usr/local/redis/logs/redis.log"
save 900 1
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir "/usr/local/redis/data/rdb/"
timeout 0
tcp-keepalive 300
EOF
3. Create the directories and start redis
# Create the pid file directory, log directory and persistence directory
[root@Jumpserver redis-5.0.5]# mkdir -p /usr/local/redis/{run,logs}
[root@Jumpserver redis-5.0.5]# mkdir -p /usr/local/redis/data/rdb/
# Start redis
[root@Jumpserver redis-5.0.5]# /usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf
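The redis.conf above relies entirely on the bind address and sets no password. The script below is an added example, not part of this page's steps or of the Redis project: it audits a redis.conf for the three settings that decide who can talk to Redis without credentials (bind, protected-mode, requirepass) so the check can be repeated after every edit. It assumes the plain "directive value" layout used in the heredoc; run against that file it reports the missing requirepass, and the exposed bind if "IP address" was replaced with 0.0.0.0.

```shell
#!/bin/sh
# Added example, not from the page or the Redis project: audit a redis.conf for
# the settings that decide who can reach Redis without credentials.
# Assumes the plain "directive value" layout used in the tutorial's heredoc.
set -eu

# redis_get FILE DIRECTIVE -> print the last value set for DIRECTIVE ("" if unset)
redis_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); v = $0 } END { print v }' "$1"
}

# audit_redis_conf FILE -> one finding per line; exit status 1 if any finding
audit_redis_conf() {
    bind="$(redis_get "$1" bind)"
    pmode="$(redis_get "$1" protected-mode)"
    pass="$(redis_get "$1" requirepass)"
    port="$(redis_get "$1" port)"
    findings=0

    # 1. bind: unset, 0.0.0.0 or :: means every interface, public ones included
    if [ -z "$bind" ]; then
        echo "bind: unset, so Redis listens on every interface; bind 127.0.0.1 or the host's private IP"
        findings=$((findings + 1))
    else
        for addr in $bind; do
            case "$addr" in
                0.0.0.0|::|'*')
                    echo "bind: $addr exposes Redis on every interface"
                    findings=$((findings + 1)) ;;
            esac
        done
    fi

    # 2. protected-mode only protects an unbound, passwordless instance, but keep it on
    if [ "$pmode" != "yes" ]; then
        echo "protected-mode: '${pmode:-unset}', should be yes"
        findings=$((findings + 1))
    fi

    # 3. requirepass: without it any client that reaches the port has full access
    if [ -z "$pass" ]; then
        echo "requirepass: unset; anyone reaching port ${port:-6379} has full access (set it, and REDIS_PASSWORD in config.yml)"
        findings=$((findings + 1))
    elif [ "${#pass}" -lt 32 ]; then
        echo "requirepass: only ${#pass} chars; Redis answers AUTH very fast, use a long random value"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage: sh audit_redis.sh /usr/local/redis/etc/redis.conf
if [ $# -gt 0 ]; then
    audit_redis_conf "$1"
fi
```

The exit status makes it usable as a gate in a deployment script: a non-zero result means at least one finding was printed.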
Install Mariadb
Jumpserver needs a database; you can choose MySQL or Mariadb. Mariadb must be version 5.5.56 or later and MySQL must be version 5.6 or later.
Here Mariadb is deployed with yum.
1. Check that the Mariadb version in the repository meets the requirement (5.5.56 or later)
[root@Jumpserver /]# yum info mariadb-server.x86_64 | grep Version
2. Install Mariadb
[root@Jumpserver /]# yum install mariadb.x86_64 mariadb-devel.x86_64 mariadb-server.x86_64 -y
3. Start Mariadb
[root@Jumpserver /]# systemctl enable mariadb
[root@Jumpserver /]# systemctl start mariadb
4. Set the Mariadb root password
The root account has no password after a fresh install, so just press Enter at the prompt. (Running mysql_secure_installation instead does the same and also removes the anonymous users and the test database.)
[root@Jumpserver /]# mysql -uroot -p
Enter password:
MariaDB [(none)]> set password for 'root'@localhost=password('xxxxxxxx');
MariaDB [(none)]> flush privileges;
5. Create the jumpserver database and grant access
The grant is deliberately narrow: the jumpserver user only gets the jumpserver database and can only connect from 127.0.0.1, which matches DB_HOST in the Jumpserver configuration below.
MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'xxxxxxxx';
MariaDB [(none)]> flush privileges;
Modify the Jumpserver configuration file
[root@Jumpserver /]# cp -rf /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml
[root@Jumpserver /]# grep -Ev "#|^$" /opt/jumpserver/config.yml
SECRET_KEY: PwbiQAk0sQCStkR7FwauW3bYCBwJUqPEI4iVs6xyYczfEOWtH   # Encryption key; Jumpserver uses it to protect the credentials it stores. Generate your own with the command given in the comment in config_example.yml and never reuse one copied from a tutorial such as this one; changing it later makes data already encrypted with it unreadable.
BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver.   # Pre-shared token that koko and guacamole use to register their service accounts, replacing the old manual acceptance step. Whoever knows it can register a terminal, so replace the placeholder with a random value and use exactly the same string in the koko and guacamole configuration.
DB_ENGINE: mysql   # Use a MySQL database
DB_HOST: 127.0.0.1   # Database host
DB_PORT: 3306   # Database port
DB_USER: jumpserver   # Database user
DB_PASSWORD: xxxxxxxx   # Database password (the one set in the grant above)
DB_NAME: jumpserver   # Database name
HTTP_BIND_HOST: 0.0.0.0   # Address Jumpserver binds to; 0.0.0.0 means all interfaces. Nginx proxies this port and the Guacamole container below reaches it over the docker bridge, so leave it as is but block port 8080 from outside the host with the firewall.
HTTP_LISTEN_PORT: 8080   # Port Jumpserver listens on
REDIS_HOST: xxx.xxx.xx.xxx   # Redis host address; must match the bind address in redis.conf
REDIS_PORT: 6379   # Redis port
The file now holds the database password and both secrets, so restrict it: chmod 600 /opt/jumpserver/config.yml.
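The listing above still carries a SECRET_KEY copied from a tutorial and the placeholder BOOTSTRAP_TOKEN. The script below is an added example, not Jumpserver's own tooling: it generates both values from /dev/urandom with the same [A-Za-z0-9] character set as the generation command in config_example.yml, writes them into config.yml, tightens the file mode, and refuses to finish while any of the three secrets still looks like a placeholder. It assumes the top-level "KEY: value" layout of the listing and the key names shown there. Run it once, before the first ./jms start; re-running it on a live instance rotates SECRET_KEY and breaks decryption of stored credentials.

```shell
#!/bin/sh
# Added example, not Jumpserver's own tooling: replace the placeholder secrets in
# config.yml with random ones and refuse to leave a placeholder behind.
# Assumes top-level "KEY: value" lines as in the grep output above. Run once,
# before the first start: rotating SECRET_KEY later breaks stored credentials.
set -eu

# gen_secret [LEN] -> LEN characters of [A-Za-z0-9] from the kernel CSPRNG
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-49}"
}

# is_placeholder VALUE -> 0 if VALUE must not go into production
is_placeholder() {
    case "$1" in
        ""|*PleaseChange*|*PleasgeChange*|*xxxx*|*[Cc]hange[Mm]e*) return 0 ;;
    esac
    if [ "${#1}" -lt 32 ]; then   # anything this short was typed by a human
        return 0
    fi
    return 1
}

# set_yaml_value FILE KEY VALUE -> rewrite the "KEY: ..." line (append if absent)
set_yaml_value() {
    tmp="$(mktemp)"
    if grep -q "^$2:" "$1"; then
        sed "s|^$2:.*|$2: $3|" "$1" >"$tmp"
    else
        cat "$1" >"$tmp"
        printf '%s: %s\n' "$2" "$3" >>"$tmp"
    fi
    cat "$tmp" >"$1"
    rm -f "$tmp"
}

# get_yaml_value FILE KEY -> the value with any trailing "# comment" removed
get_yaml_value() {
    sed -n "s/^$2: *//p" "$1" | sed 's/ *#.*$//'
}

# rotate_secrets FILE -> fresh SECRET_KEY and BOOTSTRAP_TOKEN, then a placeholder
# gate over the three secrets. Prints the token once so it can be pasted into
# koko's config.yml and guacamole's -e BOOTSTRAP_TOKEN.
rotate_secrets() {
    cfg="$1"
    set_yaml_value "$cfg" SECRET_KEY "$(gen_secret 49)"
    set_yaml_value "$cfg" BOOTSTRAP_TOKEN "$(gen_secret 32)"
    chmod 600 "$cfg"   # the file now holds the DB password and both secrets
    for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD; do
        val="$(get_yaml_value "$cfg" "$key")"
        if is_placeholder "$val"; then
            echo "$cfg: $key still holds a placeholder ('$val'); fix it before starting jms" >&2
            return 1
        fi
    done
    get_yaml_value "$cfg" BOOTSTRAP_TOKEN
}

# Usage: sh rotate_secrets.sh /opt/jumpserver/config.yml
if [ $# -gt 0 ]; then
    rotate_secrets "$1"
fi
```

DB_PASSWORD is checked but not generated, because the same value has to go into the MariaDB grant; set it by hand first, then run the script.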
Start Jumpserver
# Make sure the py3 virtual environment is active before starting Jumpserver; the -d option starts it in the background
[root@Jumpserver jumpserver]# source /opt/py3/bin/activate
(py3) [root@Jumpserver jumpserver]# cd /opt/jumpserver/
(py3) [root@Jumpserver jumpserver]# ./jms start -d
Test access
Access address: http://xxxxx:8080/auth/login/?next=/
The default account and password are admin/admin; change the password immediately after the first login.

The interface after a successful login looks quite nice.
Jumpserver Plugin Installation
Jumpserver itself is powerful enough on its own, but it is completed by the following components.
The components are as follows:
Koko: Koko is the SSH server and Web Terminal server. Users log in to SSH or the Web Terminal with their own Jumpserver account and reach the assets they are authorized for directly, without ever knowing the asset's own account and password. Koko replaces the older Coco, so the "coco" names that remain in paths and configuration refer to it.
Luna: Luna is the front-end page of the Web Terminal server, the component users need in order to log in through the Web Terminal.
Guacamole: Guacamole is the component for Windows assets; users connect to Windows assets through the Web Terminal (for now this is the only way to reach them).
Each component listens on the following ports:
Jumpserver: 8080/tcp
Redis: 6379/tcp
MySQL/Mariadb: 3306/tcp
Nginx: 80/tcp
Koko: SSH 2222/tcp, Web Terminal 5000/tcp
Guacamole: 8081/tcp
Only Nginx (80) and the Koko SSH port (2222) need to be reachable by users. The rest are back ends that Nginx, Jumpserver or the other components talk to on the same host, and should be bound to 127.0.0.1 or blocked by the host firewall.
Koko Component Deployment
1. Koko component deployment
[root@Jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@Jumpserver ~]# cd /opt/
(py3) [root@Jumpserver opt]# wget https://github.com/jumpserver/koko/releases/download/1.5.2/koko-master-6d4e69b-linux-amd64.tar.gz
(py3) [root@Jumpserver opt]# tar xf koko-master-6d4e69b-linux-amd64.tar.gz
(py3) [root@Jumpserver opt]# chown -R root:root kokodir
2. Modify the Koko configuration file
(py3) [root@Jumpserver opt]# cd kokodir/
(py3) [root@Jumpserver kokodir]# cp -rf config_example.yml config.yml
# The Koko configuration file is as follows:
(py3) [root@Jumpserver kokodir]# grep -Ev "#|^$" /opt/kokodir/config.yml
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: PleasgeChangeSameWithJumpserver.   # Bootstrap token: the pre-shared key koko uses to register its service account and terminal. It must be identical to BOOTSTRAP_TOKEN in the Jumpserver configuration file, and can be removed from this file once registration has completed.
3. Start Koko
# Restart Jumpserver first
(py3) [root@Jumpserver jumpserver]# ./jms restart
# Start koko in the foreground first; once that works, start it in the background with nohup ... &
(py3) [root@Jumpserver kokodir]# nohup ./koko &
# Check the koko process
(py3) [root@Jumpserver kokodir]# ps -ef|grep koko
root     24694 23736  0 04:44 pts/1    00:00:00 ./koko
root     24734 23736  0 04:45 pts/1    00:00:00 grep --color=auto koko
(py3) [root@Jumpserver kokodir]# ss -anplt | grep koko
LISTEN 0 128 :::5000 :::* users:(("koko",pid=24694,fd=7))
LISTEN 0 128 :::2222 :::* users:(("koko",pid=24694,fd=8))
Both ports are bound on all interfaces (:::). Port 2222 is the user-facing SSH entry point, but 5000 is only ever reached through Nginx, so block it from outside the host with the firewall. Koko is also running here as root from an interactive shell; for anything beyond a test box run it as an unprivileged user under a service manager (2222 is not a privileged port).
Luna component deployment
(py3) [root@Jumpserver /]# cd /opt/
(py3) [root@Jumpserver opt]# wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
(py3) [root@Jumpserver opt]# tar xf luna.tar.gz
(py3) [root@Jumpserver opt]# chown -R root:root luna
Guacamole Component Deployment
Guacamole is deployed here with docker.
1. Install docker
1) Remove older docker versions
yum remove docker docker-common docker-selinux docker-engine
2) Set up the yum repository
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
3) Install docker-ce
yum list docker-ce --showduplicates | sort -r   # list the available docker versions
yum install docker-ce-18.06.3.ce -y   # install the chosen version (18.06.3 here)
4) Optionally configure a registry mirror to speed up docker pull. The mirror below is reached over plain http, so only use a mirror you trust, or pull the image by digest so that its content is verified.
mkdir /etc/docker
vim /etc/docker/daemon.json
{
  "registry-mirrors": ["http://hub-mirror.c.163.com"]
}
5) Start docker
systemctl start docker
systemctl enable docker
2. Start Guacamole with docker
docker run --name jms_guacamole -d -p 127.0.0.1:8081:8081 \
  -e JUMPSERVER_SERVER=http://127.0.0.1:8080 \
  -e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver \
  jumpserver/jms_guacamole:1.5.2
Two things to check before running this. First, BOOTSTRAP_TOKEN must be exactly the same string as in the Jumpserver and koko config.yml; as written it lacks the trailing "." those listings show, so registration would fail, and in any case the placeholder should be replaced by your own random token in all three places. Second, 127.0.0.1 inside a bridge-networked container is the container's own loopback, not the host, so JUMPSERVER_SERVER has to point at an address of the host that the container can reach (the docker0 bridge address, 172.17.0.1 by default, or the host's IP); that is why HTTP_BIND_HOST is left at 0.0.0.0 above.
Explanation of parameters:
docker run: start a container
--name: name of the container
-d: run the container in the background
-p 127.0.0.1:8081:8081: publish container port 8081 on host port 8081, but only on the loopback address 127.0.0.1, so Nginx on the same host can reach Guacamole and the network cannot
-e: set an environment variable
-e JUMPSERVER_SERVER=http://127.0.0.1:8080: sets JUMPSERVER_SERVER, the URL of the Jumpserver core that Guacamole registers with
-e BOOTSTRAP_TOKEN=PleasgeChangeSameWithJumpserver: sets BOOTSTRAP_TOKEN, the pre-shared registration token
jumpserver/jms_guacamole:1.5.2: name and version of the image to pull

Configure Nginx to integrate components
1. Install Nginx
1) Prepare the build environment
[root@Jumpserver ~]# yum install gcc-c++ libtool pcre-devel openssl-devel zlib-devel -y
[root@Jumpserver ~]# useradd -d /home/nginx -M -s /sbin/nologin nginx
[root@Jumpserver ~]# id nginx
uid=1001(nginx) gid=1001(nginx) groups=1001(nginx)
2) Download and build Nginx (the download is plain http; nginx.org publishes a PGP signature next to each tarball, verify it before building)
[root@Jumpserver ~]# cd /usr/local/src/
[root@Jumpserver src]# wget http://nginx.org/download/nginx-1.15.10.tar.gz
[root@Jumpserver src]# tar xf nginx-1.15.10.tar.gz -C /usr/local/src/
[root@Jumpserver src]# cd /usr/local/src/nginx-1.15.10
[root@Jumpserver nginx-1.15.10]# ./configure --prefix=/usr/local/nginx \
    --sbin-path=/usr/local/nginx/sbin/nginx \
    --conf-path=/usr/local/nginx/conf/nginx.conf \
    --pid-path=/usr/local/nginx/logs/nginx.pid \
    --error-log-path=/usr/local/nginx/logs/error.log \
    --http-log-path=/usr/local/nginx/logs/access.log \
    --with-pcre \
    --user=nginx \
    --group=nginx \
    --with-file-aio \
    --with-http_gzip_static_module \
    --with-http_stub_status_module \
    --with-http_v2_module \
    --with-threads \
    --with-http_realip_module \
    --with-http_ssl_module
[root@Jumpserver nginx-1.15.10]# make && make install
[root@Jumpserver nginx-1.15.10]# echo $?
0
2. Configure Nginx
[root@Jumpserver /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.defaults
[root@Jumpserver /]# vim /usr/local/nginx/conf/nginx.conf
# Global settings
user nginx nginx;
worker_processes auto;
error_log logs/error.log info;
pid logs/nginx.pid;
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    server_tokens off;

    # Buffers and timeouts
    client_header_buffer_size 4096;
    large_client_header_buffers 4 128k;
    client_header_timeout 15;
    client_body_timeout 15;
    send_timeout 65;
    client_max_body_size 10m;
    open_file_cache max=65535 inactive=60s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    open_file_cache_errors on;
    server_names_hash_bucket_size 128;

    # Access log format
    log_format main '$remote_addr" "$remote_user" "[$time_local]" "$request"'
                    ' "$status" "$body_bytes_sent" "$http_referer"'
                    ' "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'
                    ' "$upstream_addr" "$request_time" "$upstream_response_time" "$http_host"';
    access_log logs/access.log main;

    # Connection handling
    sendfile on;
    # Keep directory listings off: with autoindex on, the /media/ and /static/ locations in
    # jumpserver.conf would let anyone enumerate the session recordings directory.
    autoindex off;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    reset_timedout_connection on;

    # Compression
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 16 64K;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript text/css application/xml application/javascript;
    gzip_vary on;
    gzip_proxied any;

    underscores_in_headers on;
    proxy_ignore_client_abort on;
    include /usr/local/nginx/conf/conf.d/*.conf;
}
3. Create the Nginx site file that ties the components together
[root@Jumpserver /]# mkdir /usr/local/nginx/conf/conf.d
[root@Jumpserver /]# vim /usr/local/nginx/conf/conf.d/jumpserver.conf
server {
    listen 80;
    client_max_body_size 100m;   # size limit for session recordings and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;   # luna path; change it here if you changed the install directory
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;   # recordings location; change it here if you changed the install directory
    }

    location /static/ {
        root /opt/jumpserver/data/;   # static resources; change it here if you changed the install directory
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
This server block listens on plain HTTP port 80, so logins and terminal sessions cross the network in clear. Before exposing the host beyond a lab, add a listen 443 ssl server with a certificate (the build above includes http_ssl_module) and redirect port 80 to it.
4. Check the configuration and start Nginx
[root@Jumpserver /]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@Jumpserver /]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
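With every component running, the remaining question is which of the ports from the component list are actually reachable from the network. The script below is an added example, not part of Jumpserver or of this page's procedure: it reads the output of ss -lnt and reports any back-end port (Jumpserver 8080, Koko web 5000, Guacamole 8081, Redis 6379, MariaDB 3306) bound to something other than a loopback address, and any user-facing port (Nginx 80, Koko SSH 2222) with nothing listening. On the deployment as configured on this page it will flag 5000 (Koko binds :::), 8080 (HTTP_BIND_HOST 0.0.0.0, which the Guacamole container needs in order to reach the core over the docker bridge) and usually 3306 (MariaDB from yum listens on all interfaces until bind-address=127.0.0.1 is set under [mysqld] in /etc/my.cnf); each of those is either moved to loopback or closed on the host firewall. The sample ss lines embedded for the --demo run are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the page or from Jumpserver: verify that only the
# user-facing ports (Nginx 80, Koko SSH 2222) are exposed and that the back ends
# Nginx proxies (Jumpserver 8080, Koko web 5000, Guacamole 8081) plus Redis 6379
# and MariaDB 3306 are bound to loopback. Parses "ss -lnt" output.
set -eu

PUBLIC_PORTS="80 2222"
INTERNAL_PORTS="8080 5000 8081 6379 3306"

# Constructed sample of "ss -lnt" output (not captured from a real host) for --demo.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 :::2222 :::*
LISTEN 0 128 :::5000 :::*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8081 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 80 [::1]:3306 [::]:*'

# is_loopback ADDR -> 0 for 127.x.x.x, ::1 or [::1]
is_loopback() {
    case "$1" in
        127.*|::1|"[::1]") return 0 ;;
    esac
    return 1
}

# check_exposure < ss-output -> one line per problem; exit status 1 if any
check_exposure() {
    found=0
    seen=" "
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue   # skips the header line too
        port="${laddr##*:}"     # "0.0.0.0:8080" -> 8080, ":::5000" -> 5000
        addr="${laddr%:*}"      # "0.0.0.0:8080" -> 0.0.0.0, ":::5000" -> ::
        for p in $INTERNAL_PORTS; do
            if [ "$port" = "$p" ] && ! is_loopback "$addr"; then
                echo "port $port is bound to '$addr'; only local components use it, bind it to 127.0.0.1 or firewall it"
                found=$((found + 1))
            fi
        done
        for p in $PUBLIC_PORTS; do
            if [ "$port" = "$p" ]; then
                seen="$seen$p "
            fi
        done
    done
    for p in $PUBLIC_PORTS; do
        case "$seen" in
            *" $p "*) ;;
            *) echo "port $p: nothing listening (expected Nginx on 80, Koko SSH on 2222)"
               found=$((found + 1)) ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Usage: sh check_ports.sh --live   (real host)   or   sh check_ports.sh --demo
case "${1:-}" in
    --live) ss -lnt | check_exposure ;;
    --demo) printf '%s\n' "$SAMPLE_SS" | check_exposure ;;
esac
```

The demo run reports two findings, 5000 and 8080, and exits 1; 8081, 6379 and 3306 pass because they sit on loopback, and both public ports are present.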
5. Open the URL and log in
http://IP
The default account and password are admin/admin; change the password at the first login. Once Nginx is serving the site on port 80, direct access to port 8080 is no longer needed and should be closed on the firewall.