
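JumpServer Bastion Host: Introduction and Installation Tutorial

2025-06-30

JumpServer is the world's first fully open-source bastion host. It is developed in Python and Django, conforms to the 4A specification, is released under the GNU GPL v2.0 open-source license, and is a professional operations audit system. Below, Zhanzhang Baike (站长百科) walks through JumpServer and how to install and use it.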

I. What Is a Bastion Host

According to Baidu Baike, a bastion host is deployed in a specific network environment to protect the network and its data from intrusion and damage. It uses various technical means to monitor operations performed on the servers, network devices, security devices, databases and other equipment in that network, so that alerts can be centralized, incidents handled promptly, and actions audited and attributed.

Functionally, it combines two main capabilities: core system operations and security audit control. Technically, it cuts off the terminal computer's direct access to network and server resources and instead uses protocol proxying to take over that access. Put figuratively, every access from a terminal to a target has to pass through the "translation" of the operations security audit system. To use an analogy, the operations security audit system plays the role of a gatekeeper: every request to a network device or server has to pass through this gate. It can therefore intercept illegal access and malicious attacks, block disallowed commands, filter out all illegal access to target devices, and audit and monitor mistaken or illegal operations by internal staff so that responsibility can be traced afterwards.

II. About JumpServer

JumpServer is an open-source privileged access management (PAM) tool that gives DevOps and IT teams on-demand, secure access to SSH, RDP, Kubernetes, database and remote application endpoints through a web browser.

1. JumpServer workflow:

[Figure: JumpServer workflow diagram]

2. JumpServer bastion host screenshot

[Figure: JumpServer bastion host interface]

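3. Asset types supported by the JumpServer bastion host:

  • SSH (Linux / Unix / network devices, etc.)
  • Windows (web-based connection / native RDP connection)
  • Databases (MySQL / MariaDB / Oracle / SQLServer / PostgreSQL / ClickHouse, etc.)
  • NoSQL (Redis / MongoDB, etc.)
  • Cloud services (Kubernetes / VMware vSphere, etc.)
  • Web sites (web administration consoles of various systems)
  • Applications (connect to various applications through Remote App)

4. JumpServer advantages

  • Open source: zero barrier to entry, quick to obtain and install online;
  • Distributed: easily supports large-scale concurrent access;
  • Plugin-free: only a browser is needed, with an excellent Web Terminal experience;
  • Multi-cloud support: one system manages assets on different clouds at the same time;
  • Cloud storage: audit recordings are stored in the cloud and never lost;
  • Multi-tenant: one system used by multiple subsidiaries and departments at the same time;
  • Multi-application support: databases, Windows remote applications, Kubernetes.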

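III. JumpServer Bastion Host Installation Tutorial (Offline / Online Installation)

1. Operating system requirements

(1) Operating system

Mainstream Linux distributions are supported (Debian- or RedHat-based, including domestic Chinese operating systems); for Gentoo / Arch Linux, install from source.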

Debian / Ubuntu:

apt-get update
apt-get install -y wget curl tar gettext iptables

RedHat / CentOS:

yum update
yum install -y wget curl tar gettext iptables

(2) Database

The JumpServer bastion host requires PostgreSQL, MySQL or MariaDB to store data, and Redis to cache data.

Reference SQL for creating the database:

PostgreSQL:

create database jumpserver with encoding='UTF8';

postgres=# \l
List of databases
    Name    |  Owner   | Encoding | Locale Provider |  Collate   |   Ctype    | ICU Locale | ICU Rules | Access privileges
------------+----------+----------+-----------------+------------+------------+------------+-----------+-------------------
 jumpserver | postgres | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           |
(1 rows)

MySQL:

create database jumpserver default charset 'utf8';

mysql> show create database jumpserver;
+------------+---------------------------------------------------------------------+
| Database   | Create Database                                                     |
+------------+---------------------------------------------------------------------+
| jumpserver | CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET utf8 */ |
+------------+---------------------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB:

create database jumpserver default charset 'utf8';

MariaDB> show create database jumpserver;
+------------+-----------------------------------------------------------------------+
| Database   | Create Database                                                       |
+------------+-----------------------------------------------------------------------+
| jumpserver | CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET utf8mb3*/ |
+------------+-----------------------------------------------------------------------+
1 row in set (0.001 sec)

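2. Offline installation of the JumpServer bastion host

Offline installation currently supports only the linux/amd64 architecture; for other architectures, see the online installation.

Download the latest JumpServer linux/amd64 offline package and upload it to the /opt directory of the deployment server.

cd /opt
tar -xf jumpserver-ce-v4.10.2-x86_64.tar.gz
cd jumpserver-ce-v4.10.2-x86_64

# Modify the configuration file template as needed; if you are unsure what a setting is for, you can skip this
cat config-example.txt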

# JumpServer configuration file example.
#
# If you don’t understand the purpose, you can skip modifying this configuration file, the system will automatically fill in
# Complete parameter documentation https://docs.jumpserver.org/zh/v3/guide/env/

################################# Image Configuration #################################
#
# The connection to docker.io in China will timeout or the download speed will be slow, enable this option to use Huawei Cloud image acceleration
# Replace the old version DOCKER_IMAGE_PREFIX
#
# DOCKER_IMAGE_MIRROR=1

# Image pull policy Always, IfNotPresent
# Always means that the latest image will be pulled every time, IfNotPresent means that the image will be pulled only if it does not exist locally
#
# IMAGE_PULL_POLICY=Always

############################## Installation Configuration #############################
#
# JumpServer database persistence directory, by default, recordings, task logs are in this directory
# Please modify according to the actual situation, the database file (.sql) and configuration file backed up during the upgrade will also be saved to this directory
#
VOLUME_DIR=/data/jumpserver

# Encryption key, please ensure that SECRET_KEY is consistent with the old environment when migrating, do not use special strings
# (*) Warning: Keep this value secret.
# (*) Do not disclose SECRET_KEY to anyone
#
SECRET_KEY=

# The token used by the component to register with core, please keep BOOTSTRAP_TOKEN consistent with the old environment when migrating,
# Do not use special strings
# (*) Warning: Keep this value secret.
# (*) Do not disclose BOOTSTRAP_TOKEN to anyone
#
BOOTSTRAP_TOKEN=

# Log level INFO, WARN, ERROR
#
LOG_LEVEL=ERROR

# The network segment used by the JumpServer container, please do not conflict with the existing network, modify according to the actual situation
#
DOCKER_SUBNET=192.168.250.0/24

# ipv6 nat, no need to enable under normal circumstances
# If the host does not support ipv6, enabling this option will prevent the real client ip address from being obtained
#
USE_IPV6=0
DOCKER_SUBNET_IPV6=fc00:1010:1111:200::/64

################################# DB Configuration ####################################
# For external databases, you need to enter the correct database information, the system will automatically handle the built-in database
# (*) The password part must not contain single quotes and double quotes
#
DB_ENGINE=postgresql
DB_HOST=postgresql
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=
DB_NAME=jumpserver

# If external MySQL needs to enable TLS/SSL connection, refer to https://docs.jumpserver.org/zh/v3/installation/security_setup/mysql_ssl/
#
# DB_USE_SSL=true

################################# Redis Configuration #################################
# For external Redis, please enter the correct Redis information, the system will automatically handle the built-in Redis
# (*) The password part must not contain single quotes and double quotes
#
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=

# If you are using external Redis Sentinel, please manually fill in the following content
#
# REDIS_SENTINEL_HOSTS=mymaster/192.168.100.1:26379,192.168.100.1:26380,192.168.100.1:26381
# REDIS_SENTINEL_PASSWORD=your_sentinel_password
# REDIS_PASSWORD=your_redis_password
# REDIS_SENTINEL_SOCKET_TIMEOUT=5

# If external Redis needs to enable TLS/SSL connection, refer to https://docs.jumpserver.org/zh/v3/installation/security_setup/redis_ssl/
#
# REDIS_USE_SSL=true

################################# Access Configuration ################################
# The service port provided to the outside, if it conflicts with the existing service, please modify it yourself
#
HTTP_PORT=80

################################# HTTPS Configuration #################################
# Refer to https://docs.jumpserver.org/zh/v3/installation/proxy/ for configuration
#
# HTTPS_PORT=443
# SERVER_NAME=your_domain_name
# SSL_CERTIFICATE=your_cert
# SSL_CERTIFICATE_KEY=your_cert_key
#

# Nginx file upload and download size limit
#
CLIENT_MAX_BODY_SIZE=4096m

################################# Component Configuration #############################
# Component registration use, by default, register to the core container, the cluster environment needs to be modified to the cluster vip address
#
CORE_HOST=http://core:8080
PERIOD_TASK_ENABLED=true

# Core Session definition,
# SESSION_COOKIE_AGE indicates how many seconds the session expires after idling,
# SESSION_EXPIRE_AT_BROWSER_CLOSE=true means that the session expires as soon as the browser is closed
#
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=false

# Trusted DOMAINS definition,
# Define the trusted access IP, please modify according to the actual situation, if it is a public IP, please change to the corresponding public IP,
# DOMAINS="demo.jumpserver.org:443"
# DOMAINS="172.17.200.191:80"
# DOMAINS="demo.jumpserver.org:443,172.17.200.191:80"
DOMAINS=

# Configure the components that do not need to be started, by default all components will be started, if you do not need a certain component, you can set {component name}_ENABLED to 0 to turn it off
# CORE_ENABLED=0
# CELERY_ENABLED=0
# KOKO_ENABLED=0
# LION_ENABLED=0
# CHEN_ENABLED=0
# WEB_ENABLED=0

# Lion enables font smoothing to optimize the experience
#
JUMPSERVER_ENABLE_FONT_SMOOTHING=true

################################# XPack Configuration #################################
# XPack package, invalid setting in open source version
#
SSH_PORT=2222
RDP_PORT=3389
XRDP_PORT=3390
MAGNUS_MYSQL_PORT=33061
MAGNUS_MARIADB_PORT=33062
MAGNUS_REDIS_PORT=63790
MAGNUS_POSTGRESQL_PORT=54320
MAGNUS_SQLSERVER_PORT=14330
MAGNUS_ORACLE_PORTS=30000-30030

################################## Other Configuration ################################
# The terminal uses the host HOSTNAME as the identifier, automatically generated during the first installation
#
SERVER_HOSTNAME=${HOSTNAME}

# Use built-in SLB, if the client IP address obtained by the Web page is not correct, please set USE_LB to 0
# When USE_LB is set to 1, use the configuration proxy_set_header X-Forwarded-For $remote_addr
# When USE_LB is set to 0, use the configuration proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
USE_LB=1

# The current running version number of JumpServer, automatically generated after installation and upgrade
#
TZ=Asia/Shanghai
CURRENT_VERSION=

# Install
./jmsctl.sh install

# Start
./jmsctl.sh start

After installation, the JumpServer configuration file is located at: /opt/jumpserver/config/config.txt

cd jumpserver-ce-v4.10.2-x86_64

# Start
./jmsctl.sh start

# Stop
./jmsctl.sh down

# Uninstall
./jmsctl.sh uninstall

# Help
./jmsctl.sh -h

After a successful installation, log in to the JumpServer bastion host through a browser:

Address: http://<JumpServer server IP address>:<service port>
Username: admin
Password: ChangeMe

3. Online installation of the JumpServer bastion host

The following demonstration uses mainland China as the example:

cd /opt
wget https://resource.fit2cloud.com/jumpserver/installer/releases/download/v4.10.2/jumpserver-installer-v4.10.2.tar.gz
tar -xf jumpserver-installer-v4.10.2.tar.gz
cd jumpserver-installer-v4.10.2

# Modify the configuration file template as needed; if you are unsure what a setting is for, you can skip this
cat config-example.txt

# JumpServer configuration file example.
#
# If you don’t understand the purpose, you can skip modifying this configuration file, the system will automatically fill in
# Complete parameter documentation https://docs.jumpserver.org/zh/v3/guide/env/

################################# Image Configuration #################################
#
# The connection to docker.io in China will timeout or the download speed will be slow, enable this option to use Huawei Cloud image acceleration
# Replace the old version DOCKER_IMAGE_PREFIX
#
# DOCKER_IMAGE_MIRROR=1

# Image pull policy Always, IfNotPresent
# Always means that the latest image will be pulled every time, IfNotPresent means that the image will be pulled only if it does not exist locally
#
# IMAGE_PULL_POLICY=Always

############################## Installation Configuration #############################
#
# JumpServer database persistence directory, by default, recordings, task logs are in this directory
# Please modify according to the actual situation, the database file (.sql) and configuration file backed up during the upgrade will also be saved to this directory
#
VOLUME_DIR=/data/jumpserver

# Encryption key, please ensure that SECRET_KEY is consistent with the old environment when migrating, do not use special strings
# (*) Warning: Keep this value secret.
# (*) Do not disclose SECRET_KEY to anyone
#
SECRET_KEY=

# The token used by the component to register with core, please keep BOOTSTRAP_TOKEN consistent with the old environment when migrating,
# Do not use special strings
# (*) Warning: Keep this value secret.
# (*) Do not disclose BOOTSTRAP_TOKEN to anyone
#
BOOTSTRAP_TOKEN=

# Log level INFO, WARN, ERROR
#
LOG_LEVEL=ERROR

# The network segment used by the JumpServer container, please do not conflict with the existing network, modify according to the actual situation
#
DOCKER_SUBNET=192.168.250.0/24

# ipv6 nat, no need to enable under normal circumstances
# If the host does not support ipv6, enabling this option will prevent the real client ip address from being obtained
#
USE_IPV6=0
DOCKER_SUBNET_IPV6=fc00:1010:1111:200::/64

################################# DB Configuration ####################################
# For external databases, you need to enter the correct database information, the system will automatically handle the built-in database
# (*) The password part must not contain single quotes and double quotes
#
DB_ENGINE=postgresql
DB_HOST=postgresql
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=
DB_NAME=jumpserver

# If external MySQL needs to enable TLS/SSL connection, refer to https://docs.jumpserver.org/zh/v3/installation/security_setup/mysql_ssl/
#
# DB_USE_SSL=true

################################# Redis Configuration #################################
# For external Redis, please enter the correct Redis information, the system will automatically handle the built-in Redis
# (*) The password part must not contain single quotes and double quotes
#
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=

# If you are using external Redis Sentinel, please manually fill in the following content
#
# REDIS_SENTINEL_HOSTS=mymaster/192.168.100.1:26379,192.168.100.1:26380,192.168.100.1:26381
# REDIS_SENTINEL_PASSWORD=your_sentinel_password
# REDIS_PASSWORD=your_redis_password
# REDIS_SENTINEL_SOCKET_TIMEOUT=5

# If external Redis needs to enable TLS/SSL connection, refer to https://docs.jumpserver.org/zh/v3/installation/security_setup/redis_ssl/
#
# REDIS_USE_SSL=true

################################# Access Configuration ################################
# The service port provided to the outside, if it conflicts with the existing service, please modify it yourself
#
HTTP_PORT=80

################################# HTTPS Configuration #################################
# Refer to https://docs.jumpserver.org/zh/v3/installation/proxy/ for configuration
#
# HTTPS_PORT=443
# SERVER_NAME=your_domain_name
# SSL_CERTIFICATE=your_cert
# SSL_CERTIFICATE_KEY=your_cert_key
#

# Nginx file upload and download size limit
#
CLIENT_MAX_BODY_SIZE=4096m

################################# Component Configuration #############################
# Component registration use, by default, register to the core container, the cluster environment needs to be modified to the cluster vip address
#
CORE_HOST=http://core:8080
PERIOD_TASK_ENABLED=true

# Core Session definition,
# SESSION_COOKIE_AGE indicates how many seconds the session expires after idling,
# SESSION_EXPIRE_AT_BROWSER_CLOSE=true means that the session expires as soon as the browser is closed
#
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=false

# Trusted DOMAINS definition,
# Define the trusted access IP, please modify according to the actual situation, if it is a public IP, please change to the corresponding public IP,
# DOMAINS="demo.jumpserver.org:443"
# DOMAINS="172.17.200.191:80"
# DOMAINS="demo.jumpserver.org:443,172.17.200.191:80"
DOMAINS=

# Configure the components that do not need to be started, by default all components will be started, if you do not need a certain component, you can set {component name}_ENABLED to 0 to turn it off
# CORE_ENABLED=0
# CELERY_ENABLED=0
# KOKO_ENABLED=0
# LION_ENABLED=0
# CHEN_ENABLED=0
# WEB_ENABLED=0

# Lion enables font smoothing to optimize the experience
#
JUMPSERVER_ENABLE_FONT_SMOOTHING=true

################################# XPack Configuration #################################
# XPack package, invalid setting in open source version
#
SSH_PORT=2222
RDP_PORT=3389
XRDP_PORT=3390
MAGNUS_MYSQL_PORT=33061
MAGNUS_MARIADB_PORT=33062
MAGNUS_REDIS_PORT=63790
MAGNUS_POSTGRESQL_PORT=54320
MAGNUS_SQLSERVER_PORT=14330
MAGNUS_ORACLE_PORTS=30000-30030

################################## Other Configuration ################################
# The terminal uses the host HOSTNAME as the identifier, automatically generated during the first installation
#
SERVER_HOSTNAME=${HOSTNAME}

# Use built-in SLB, if the client IP address obtained by the Web page is not correct, please set USE_LB to 0
# When USE_LB is set to 1, use the configuration proxy_set_header X-Forwarded-For $remote_addr
# When USE_LB is set to 0, use the configuration proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
USE_LB=1

# The current running version number of JumpServer, automatically generated after installation and upgrade
#
TZ=Asia/Shanghai
CURRENT_VERSION=

# Install
./jmsctl.sh install

# Start
./jmsctl.sh start

After installation, the JumpServer configuration file is located at: /opt/jumpserver/config/config.txt

cd /opt/jumpserver-installer-v4.10.2

# Start
./jmsctl.sh start

# Stop
./jmsctl.sh down

# Uninstall
./jmsctl.sh uninstall

# Help
./jmsctl.sh -h

After a successful installation, log in to JumpServer through a browser:

Address: http://<JumpServer server IP address>:<service port>
Username: admin
Password: ChangeMe
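
The configuration template shown in both installation methods leaves SECRET_KEY, BOOTSTRAP_TOKEN and the database and Redis passwords blank, keeps HTTPS commented out, and documents how USE_LB changes the X-Forwarded-For handling. The shell audit below checks an installed config.txt for those points; it is an added example, not part of the original page or the JumpServer installer. The function names and sample values are constructed for illustration, and it assumes the KEY=VALUE format shown above.

```shell
#!/bin/sh
# Added example, not JumpServer code: audit a config.txt in the KEY=VALUE
# format shown on this page. Function names are hypothetical.

# Print the value of the last uncommented KEY= line in FILE.
cfg_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# Print one finding per line; print nothing when every check passes.
audit_jms_config() {
    f=$1
    # Secrets must be set; the template bans quote characters in passwords
    # and "special strings" in the key and token.
    for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD REDIS_PASSWORD; do
        val=$(cfg_get "$f" "$key")
        case $val in
            '')        echo "EMPTY $key" ;;
            *\'*|*\"*) echo "QUOTED $key" ;;
        esac
    done
    # HTTPS_PORT ships commented out, so the web UI is plain HTTP by default.
    [ -n "$(cfg_get "$f" HTTPS_PORT)" ] || echo "NO_TLS HTTP_PORT=$(cfg_get "$f" HTTP_PORT)"
    # DOMAINS defines the trusted access addresses; the template leaves it blank.
    [ -n "$(cfg_get "$f" DOMAINS)" ] || echo "EMPTY DOMAINS"
    # USE_LB=0 appends to the client-supplied X-Forwarded-For header, so the
    # recorded client IP is only reliable behind a proxy that rewrites it.
    [ "$(cfg_get "$f" USE_LB)" != 0 ] || echo "XFF_PASSTHROUGH USE_LB=0"
    # The file holds every secret above; it should not be world-readable.
    [ -z "$(find "$f" -perm -004)" ] || echo "WORLD_READABLE $f"
    return 0
}

# Constructed sample: a few of the template's keys with made-up values.
write_sample_config() {
    cat > "$1" <<'EOF'
# SECRET_KEY=commented-out-lines-are-ignored
SECRET_KEY=Zk3mQ9xT7bLw2RfA
BOOTSTRAP_TOKEN=
DB_PASSWORD=pa"ss
REDIS_PASSWORD=r3d1sPassw0rd
HTTP_PORT=80
# HTTPS_PORT=443
DOMAINS=
USE_LB=0
EOF
    chmod 644 "$1"
}

sample=$(mktemp)
write_sample_config "$sample"
audit_jms_config "$sample"
rm -f "$sample"
```

After installation, point audit_jms_config at /opt/jumpserver/config/config.txt; no output means every check passed.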
