The article is a little long, please read it patiently!
1 JumpServer Bastion Host Overview – Deploy the JumpServer runtime environment
1.1 Overview of the jump host
A jump host is a server that developers and operations staff must first log in to before they log in to the target devices they maintain.
Disadvantages of a jump host: it provides no control or audit of operators' actions, so mistakes still happen while it is in use, and when an accident is caused by an improper operation it is difficult to quickly locate the cause and the person responsible.
Bastion host overview: in a given network environment, a bastion host protects the network and its data from intrusion and damage by external and internal users. It uses various technical means to collect and monitor in real time the state of every component of the system, security events and network activity, so that it can raise alarms, respond promptly and audit who did what.
Summary: compared with a jump host, a bastion host adds real-time collection, monitoring of the network environment and centralized alerting. JumpServer overview: JumpServer is an open-source bastion host system written in Python and Django that provides authentication, authorization, auditing and automated operations for Internet businesses. JumpServer currently supports managing assets over the SSH, Telnet, RDP and VNC protocols.
Official website: http://www.jumpserver.org
Environment requirements for JumpServer 2:
Hardware: 4 CPU cores, 6GB RAM, 50GB hard disk (minimum)
1.2 JumpServer experimental topology
Experimental environment:
xuegod63, IP 192.168.1.63: JumpServer server, 6 GB memory
xuegod64, IP 192.168.1.64: asset (managed server), 2 GB memory
1.3 Initialize the system environment
Turn off the firewall:
[root@xuegod63 ~]# systemctl stop firewalld && systemctl disable firewalld
Disable SELinux temporarily:
[root@xuegod63 ~]# setenforce 0
Disable it permanently (takes effect after a reboot; set it temporarily first, then permanently):
[root@xuegod63 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
1.4 Install the relevant services required for JumpServer
Automatic deployment:
[root@xuegod63 ~]# curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.10.2/quick_start.sh | bash
cd into the installer directory and start JMS:
[root@xuegod63 ~]# cd /opt/jumpserver-installer-v2.10.2 && ./jmsctl.sh restart
Note: you do not need to configure start-on-boot, because the new version of JumpServer runs in Docker and these containers start automatically after boot.
Web access: the new version provides two access addresses, one HTTP and one HTTPS:
http://192.168.1.63:8080/core… User: admin Password: admin
https://192.168.1.63:8443/cor…
On first login you must change the password. For the test environment we change it to 123456.
2 JumpServer platform system initialization
2.1 Basic System Settings
Enter the real URL here, otherwise users will not be able to access the system later: http://192.168.1.63. When the setting is complete, click the "Submit" button.
Here you can choose HTTP or HTTPS:
http://192.168.1.63:8080
https://192.168.1.63:8443
We use HTTPS.
2.2 Configure the mail sending server
Click the "Mail Settings" tab at the top of the page to open the Mail Settings page.
163 mailbox configuration
Note: enable the SMTP and POP3 services on your mailbox and obtain an authorization code:
To enable the POP3/SMTP/IMAP service: log in to 163, click "Settings" at the top right of the page, then under "Advanced" click "POP3/SMTP/IMAP", enable the two options shown in the figure, and enable the client delete-mail reminder. Once enabled, mail clients such as Lightning Mail and Outlook can receive and send mail.
New authorization codes:
ARYAOQXHFMXGBJVR
babrziluawkibaej
The authorization code is generated automatically by the system and must be copied and saved.
Server addresses: POP3 server: pop.163.com | SMTP server: smtp.163.com | IMAP server: imap.163.com
After submitting, test whether mail can be sent normally, then check the message in your mailbox.
3. Use JumpServer to manage tens of thousands of King of Glory game servers
3.1 User Management
1. Add user groups.
The user name is the JumpServer login account. User groups are used for asset authorization: when an asset is authorized to a user group, all users in that group can use it. Roles distinguish administrators from normal users.
Click User Management —> View User Groups —> Add User Group
Add a new group: King of Glory – North China Operations Department
View the group you just added.
2. Add users
Click User Management —> User List —> Create User
Here the name is the person's real name and the user name is the JumpServer login account.
Then click Submit. You will receive an email saying the user was created successfully.
Extension:
MFA (Multi-Factor Authentication) is a simple and effective security authentication method that adds another layer of protection on top of the user name and password. MFA devices, also called dynamic password cards or token cards, are the devices that provide this kind of authentication.
Examples of MFA devices:
Hardware MFA devices: the device shown in the figure below displays a 6-digit dynamic security code on the front that is updated every 30 seconds; the device's serial number is on the back.
Mobile phone verification codes.
View the added user
Open a new window in the browser's incognito (traceless) mode and log in:
Once the user information is submitted, JumpServer sends an email for setting the user's password to the mailbox you entered.
Log in to 163 and you will see the following email. Click the link to jump to the Change Password page and set the password: 123456
Using the browser in incognito mode, open https://192.168.1.63:8443/ User: mk Password: 123456
Log in successfully.
Switch to the admin user and configure an SSH key for the new user mk. Users can reset their own passwords and SSH keys for later logins. On my other Linux machine I generate an SSH key as the mk user:
[root@xuegod63 ~]# useradd mk
[root@xuegod63 ~]# echo 123456 | passwd --stdin mk
[root@xuegod63 ~]# su - mk
[mk@xuegod63 ~]$ ssh-keygen # press Enter at every prompt
[mk@xuegod63 ~]$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFMqCGfXDW8UW7Dd0QoXzvnny/4u9ET2sKBt2 SQf+wVVS6pLJHE3QNXzHxg+uI1KRJwVtGiPWPtOQ4yj3HiMsBSLsFjOWFoIcv1myXYtLFuw ovLfUJgyCwD/LHfSgJ821bUQ2w9uUkAKirBJtjKFC/E4l9Z+GgZmLr9ckRWfZOt3g+xD3iNlh/l D4FlTYz0U9hlb4GrpikP5WtsYZgpIImMTgPsxq3yspQGvTpzsj1ApfOgt0SEHsqd1yYv4K+2bok MDrpTSmvsHXTWCBwpXsp2NQA2s1aDKJIOTY3mDCDQdJl9aMbBAjErdYFvEoNybNdH98K TcEQeCsrCrI0SfR9 [email protected]
Paste the public key generated above here:
Submit to complete.
3.2 Edit the asset tree to add nodes
Log in to JumpServer as the admin user to add a node. Node names must be unique. Right-click a node to add, delete or rename nodes and to perform asset-related operations.
The name is: King of Glory – North China – server
3.3 Create administrative users
Description of the user types in JumpServer:
The administrative (admin) user is the root user of the server, or a user with NOPASSWD: ALL sudo permission. JumpServer uses it to push system users and to collect asset hardware information.
Name: King of Glory – North China – Server Admin User – root; password: 123456
This assumes that the root user on every server under the King of Glory – North China – Server node has the password 123456, so this root user can be used to administer those servers.
Note: the "password" you enter when creating the admin user must be the password of the real root user on the server's Linux system.
3.4 Create system users
The system user is the user JumpServer uses to log on to the asset, i.e. the login account on the asset; JumpServer logs on to the asset as the system user.
The Sudo field of the system user lists the program paths the system user may run with sudo without entering a password. For example the default /sbin/ifconfig means the user can run ifconfig directly, or sudo ifconfig, without entering the system user's password; running any other command with sudo still requires the password, for access-control purposes.
The permissions here should be customized after gathering users' needs; in principle, grant the minimum permissions.
When the system user is created, if automatic push is selected, JumpServer uses Ansible to push the system user to the asset automatically. If the asset (a switch, Windows) does not support Ansible, fill in the account password manually.
For Linux systems the protocol must be SSH. If the user already exists on the system, untick automatic key generation and automatic push (both are optional).
Add a system user for checking server health:
Name: server health check user
User name: user
Sudo permissions: /sbin/ifconfig,/usr/bin/top,/usr/bin/free
Add the system administrator user:
Name: System Administrator User
User name: manager
Sudo permissions: /usr/local/sbin/,/usr/local/bin/,/usr/sbin/,/usr/bin/,/root/bin/
Note: when you write a directory you do not need to list specific commands. Add a trailing / to the directory path to make it clear; it works without the /, but then /usr/local/sbin may be mistaken for a command. Entries must be separated by English (ASCII) commas.
3.5 Creating Assets
Note: before adding assets, start the xuegod64 virtual machine (xuegod64.cn); it will be added to the platform as an asset.
Host name: game64.xuegod.cn – King of Glory – North China
IP: 192.168.1.64
System platform: Linux
Protocol group: SSH 22
Admin user: King of Glory – North China – Server Admin User – root (root)
Complete the settings and click "Submit".
After the asset information is filled in and saved, press F5 to refresh the page; you can see that the asset is reachable and its status is normal.
If the asset does not connect, check that the admin user's user name and key are correct and that the admin user can log in over SSH from the JumpServer host to the asset host.
3.6 Create authorization rules
Node: corresponds to assets; selecting a node means all assets under that node.
User group: corresponds to users; selecting a user group means all users in that group.
System user: users in the selected user group use the assets under the selected node by logging in as the system user.
Nodes, user groups and system users are in a one-to-one relationship within a rule, so when you have different types of assets, such as Linux and Windows, create separate authorization rules for the Linux assets and the Windows assets.
Name: King of Glory – North China – Server Authorization Rules
Note: users and user groups specify who is authorized. If a user group is authorized, all users in that group get the permissions.
User: leave empty
User group: King of Glory – North China Operations Department
Note: assets and nodes can be authorized individually or by node. If the North China node is authorized, all servers under the North China node are authorized.
Asset: leave empty
Node: /Default/King of Glory – North China – Server
Action: tick the permissions; click to assign detailed permissions.
For the other options keep the defaults and submit.
Note: this authorization means that anyone in the "King of Glory – North China Operations Department" group has the privileges of the System Administrator User on all servers under the "King of Glory – North China – Server" node.
After successful authorization, you can check it manually on xuegod64:
[root@xuegod64 ~]# tail /etc/passwd -n 5
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
manager:x:1000:1000:System Administrator User:/home/manager:/bin/bash # the account pushed automatically
[root@xuegod64 ~]# visudo # the pushed sudo rule
manager ALL=(ALL) NOPASSWD: /usr/local/sbin,/usr/local/bin,/usr/sbin,/usr/bin,/root/bin
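The Python below is an added example, not JumpServer's code, for reviewing what the system-user push described in 3.4 and verified above in 3.6 leaves on a managed host: it parses constructed /etc/passwd and sudoers samples modelled on the output above and rates each NOPASSWD grant as a whole-directory grant (effectively unrestricted root, since /usr/bin/ contains shells and su) or a list of specific commands.

```python
import re

# Added example, not JumpServer's own code: reviews what the system-user push
# leaves on a managed host (a passwd entry plus a NOPASSWD sudoers line) and
# rates how broad each sudo grant really is.

# Constructed sample modelled on the tail of /etc/passwd shown for xuegod64.
PASSWD_SAMPLE = """\
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
manager:x:1000:1000:System Administrator User:/home/manager:/bin/bash
user:x:1001:1001:server health check user:/home/user:/bin/bash
"""
# Constructed sudoers lines for the two system users from sections 3.4 and 3.6.
SUDOERS_SAMPLE = """\
manager ALL=(ALL) NOPASSWD: /usr/local/sbin/,/usr/local/bin/,/usr/sbin/,/usr/bin/,/root/bin/
user ALL=(ALL) NOPASSWD: /sbin/ifconfig,/usr/bin/top,/usr/bin/free
"""
NOPASSWD_RE = re.compile(r"^(\S+)\s+ALL=\(ALL\)\s+NOPASSWD:\s*(.+)$")

def parse_passwd(text):
    """Map login name -> shell for accounts whose shell allows interactive login."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith("nologin"):
            shells[fields[0]] = fields[6]
    return shells

def parse_nopasswd(text):
    """Map user -> list of command paths that sudo runs without a password."""
    grants = {}
    for line in text.splitlines():
        m = NOPASSWD_RE.match(line.strip())
        if m:
            grants[m.group(1)] = [p.strip() for p in m.group(2).split(",") if p.strip()]
    return grants

def classify(paths):
    """'directory' if any entry grants a whole directory (trailing slash), else 'commands'.
    A directory grant such as /usr/bin/ covers shells and su, so it is equivalent to
    unrestricted root; a list of specific commands is the least-privilege form."""
    return "directory" if any(p.endswith("/") for p in paths) else "commands"

def audit(passwd_text, sudoers_text):
    """Return {user: (login shell, grant class, entry count)} for users with NOPASSWD sudo."""
    shells = parse_passwd(passwd_text)
    return {u: (shells.get(u, "no login"), classify(p), len(p))
            for u, p in parse_nopasswd(sudoers_text).items()}
```

Running `audit(PASSWD_SAMPLE, SUDOERS_SAMPLE)` reports manager as a directory-wide grant and user as a three-command grant, which is the difference between the two system users defined in 3.4.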
3.7 User’s use of assets
Log in to JumpServer: https://192.168.1.63:8443 User: mk Password: 123456
The authorization rule selected a user group, so you must log in as a user in that group to see the corresponding assets.
Using the browser in incognito mode, open another window and log in:
The page after the user has logged in correctly:
1. Use the Web interface to connect the assets, and click the Web Terminal on the left side of the page:
Open the node where the asset resides:
Double-click the asset name to connect the asset:
If a connection timeout is shown, check that the system user's user name and key assigned to the asset are correct, that the operating system is set to Linux, the protocol to SSH and the port to 22, and that the asset's firewall policy is configured correctly.
Next, you can manipulate the asset.
3.8 Connect to the JumpServer administration server under the Xshell character terminal
[root@xuegod63 ~]# ssh -p 2222 mk@192.168.1.63 # connect to JumpServer, or use Xshell to connect to JumpServer
Enter JumpServer user mk and password 123456
Click OK to start the connection
Opt> 192.168.1.64 # enter the asset's IP at the Opt> prompt
Connecting to [email protected] King of Glory – North China 0.3
Last login: Thu Jun 7 23:15:13 1718 from xuegod63.cn
[manager@xuegod64 ~]$ whoami # the login used the system user manager
manager
[manager@xuegod64 ~]$ exit
logout
Opt> p # list the hosts you have permission to access
Opt> g # list the host groups you have permission to access
3.9 View the historical command record
3.10 View the history session and play back the video
Online session
Session history
3.11 File management function
Here you can create folders or upload files to the server. Files created or uploaded here are placed in the target server's /tmp directory:
[root@xuegod64 ~]# ls /tmp/
3.12 Operation center
1. Tasks list
A job is an instruction that JumpServer sends to an asset under its management, for example to test asset connectivity, collect asset hardware information, test admin user connectivity or test system user connectivity. By default the last 7 days of job records are shown.
Click a job name to view the job's details, its historical versions and its execution history.
2. Batch command
This function lets you quickly issue commands to assets. Currently only assets that Ansible can manage are supported, and the system user's login mode must be automatic login.
For more information, refer to the official manual:
https://jumpserver.readthedoc…
https://docs.jumpserver.org/z…
4 Use JumpServer to manage the MySQL database
4.1 Install the MariaDB database
[root@xuegod64 ~]# yum install -y mariadb-server
[root@xuegod64 ~]# systemctl enable --now mariadb
Set the root password:
[root@xuegod64 ~]# mysqladmin -uroot password "123456"
Create the ecshop database and the xuegod user; 'xuegod'@'%' lets this user log in to MySQL from any host:
[root@xuegod64 ~]# mysql -uroot -p123456
MariaDB [(none)]> create database ecshop;
MariaDB [(none)]> use ecshop;
MariaDB [ecshop]> create table user(id int(20),name char(40));
MariaDB [ecshop]> GRANT ALL PRIVILEGES ON *.* TO 'xuegod'@'%' IDENTIFIED BY '123456';
4.2 JumpServer manages the database
Add a MySQL system user:
Name: xuegod – mysql
Login mode: automatic login
The account information is the authorized user created after installing the database:
User name: xuegod
Password: 123456
Create an application:
Name: xuegod – mysql
Host: 192.168.1.64
Port: 3306
Note: the database here refers to a MySQL database; in our test environment we select MySQL.
Specify the database to use after logging in: ecshop
Authorize the application:
Name: xuegod – mysql
User group: King of Glory – North China Operations Department
Application: xuegod – mysql
System user: xuegod-mysql
Once authorization is complete, log in as the mk user and you can manage the MySQL application from the Web terminal.
Conclusion:
17.1 JumpServer Bastion Host Overview – Deploy the JumpServer runtime environment
17.2 JumpServer platform system initialization
17.3 Practice: Use JumpServer to manage tens of thousands of King of Glory game servers
17.4 Use JumpServer to manage the MySQL database