Ubuntu 18.04 server installation tutorial (setting up JumpServer on Ubuntu 18.04)
2023-04-17 08:46:12
Install Ubuntu 18.04
1 Install: accept the default installation
jumpserver
Bastion host overview
JumpServer is the management backend. Administrators use the web UI for asset management, user management, asset authorization and similar tasks; users use the web UI to log in to assets, manage files and so on.
koko is the SSH Server and Web Terminal Server. Users connect with their own account, over SSH or the Web Terminal, to assets that speak the SSH or Telnet protocol.
Luna is the front-end page of the Web Terminal Server, the component users need to log in through the Web Terminal.
Guacamole is the component for RDP- and VNC-protocol assets; users connect to RDP and VNC assets through the Web Terminal
(for now these assets can only be reached through the Web Terminal).
JumpServer's default port is 8080/tcp; configuration file jumpserver/config.yml
koko's default SSH port is 2222/tcp and its default Web Terminal port is 5000/tcp; configuration file koko/config.yml
Guacamole's default port is 8081/tcp; configuration file /config/tomcat9/conf/server.xml
Nginx's default port is 80/tcp
Redis's default port is 6379/tcp
MySQL's default port is 3306/tcp

Protocol  Server name  Port
TCP       Jumpserver   8080
TCP       koko         2222, 5000
TCP       Guacamole    8081
TCP       Db           3306
TCP       Redis        6379
TCP       Nginx        80
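Of these ports, the nginx configuration later in this tutorial proxies koko, Guacamole, the websocket and the core API from localhost, so only nginx (80) and koko's SSH port (2222) need to be reachable from outside the host. The script below is an added example, not part of the tutorial or of the JumpServer project: it parses `ss -ltn` output, maps each listening port to the component in the table, and flags any other component bound to a wildcard address. The `ss` output embedded in it is constructed; on a real host pass `"$(ss -ltn)"` instead.

```shell
#!/usr/bin/env bash
# Added example, not from the tutorial: audit which JumpServer component ports
# are listening and on which address. Port -> service mapping comes from the
# table above. SAMPLE_SS is constructed `ss -ltn` output for offline use;
# on a real host call audit_listeners "$(ss -ltn)".

# Map a port to the component from the table (empty for unknown ports).
jms_service_for_port() {
  case "$1" in
    8080) echo "jumpserver" ;;
    2222|5000) echo "koko" ;;
    8081) echo "guacamole" ;;
    3306) echo "db" ;;
    6379) echo "redis" ;;
    80) echo "nginx" ;;
    *) echo "" ;;
  esac
}

# Print one line per component port found in `ss -ltn` output:
#   <port> <service> <bind-address> <verdict>
# verdict is "exposed" for wildcard binds (0.0.0.0, *, [::]) and "local"
# for loopback binds; anything else is reported as "other".
audit_listeners() {
  printf '%s\n' "$1" | awk '
    NR == 1 { next }                    # skip the header line
    {
      n = split($4, a, ":")             # $4 is Local Address:Port
      port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      print port, addr
    }' | while read -r port addr; do
    svc=$(jms_service_for_port "$port")
    [ -n "$svc" ] || continue
    case "$addr" in
      0.0.0.0|\*|"[::]") verdict="exposed" ;;
      127.0.0.1|"[::1]") verdict="local" ;;
      *) verdict="other" ;;
    esac
    echo "$port $svc $addr $verdict"
  done
}

# Only nginx (80) and koko's SSH port (2222) need to face the network; every
# other component is proxied from localhost by the nginx config in this tutorial.
unexpected_exposure() {
  audit_listeners "$1" | awk '$4 == "exposed" && $1 != "80" && $1 != "2222"'
}

# Constructed sample: core (8080) and MySQL (3306) are bound to all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5000     0.0.0.0:*
LISTEN 0      128    127.0.0.1:8081     0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

audit_listeners "$SAMPLE_SS"
echo "--- unexpected exposure ---"
unexpected_exposure "$SAMPLE_SS"
```

In the constructed sample the core (8080) and MySQL (3306) come out as unexpectedly exposed; the places to revisit in that case are `HTTP_BIND_HOST` in jumpserver/config.yml and MySQL's `bind-address`.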
1. Create a Python 3.6 virtual environment
2. Install Python 3.6
1 Install dependency packages:
Configure the apt sources
sudo mv /etc/apt/sources.list /etc/apt/sources.list.bak
cd /etc/apt/sources.list.d/
Install vim
apt-get install vim
sudo vim aliyun.list (optional)
deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
Update and upgrade
Set the root password
sudo passwd root
Install openssh-server
sudo apt-get install openssh-server
Configure the IP address
apt-get update && apt-get -y upgrade
apt-get -y install wget gcc libffi-dev git
Change the character set
apt-get -y install language-pack-zh-hans
# the locale value was lost on the page; zh_CN.UTF-8 matches the language pack installed above
echo 'LANG="zh_CN.UTF-8"' > /etc/default/locale
Reopen the terminal and verify with echo $LANG
2 Install Python 3.6 (Ubuntu already ships python3.6.9)
apt-get -y install python3.6 python3.6-dev python3.6-venv
3 Create the Python virtual environment
cd /opt
apt-get install python3-venv -y
python3.6 -m venv py3
source /opt/py3/bin/activate
The prompt changes at this point
4 Load the Python virtual environment automatically
cd /opt
git clone
echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
source ~/.bashrc
5 Download and install JumpServer
cd /opt
source /opt/py3/bin/activate
git clone
echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
Install the JumpServer dependency packages
cd /opt/jumpserver/requirements
# the first run prompts you to press Y
apt-get -y install $(cat deb_requirements.txt)
6 Install the Python library dependencies
pip install --upgrade pip setuptools
pip install -r requirements.txt
# If downloads are slow, switch to a domestic mirror
pip install --upgrade pip setuptools -i <mirror URL>
pip install -r requirements.txt -i <mirror URL>
This step may fail (run apt-get install python3.6-dev libmysqlclient-dev).
If pip install -r requirements.txt reports timeout errors, rerun it until everything is installed.
7 Install Redis; JumpServer uses Redis as its cache
apt-get -y install redis-server
3. Install the database
1. Install and initialize the database
apt-get -y install mysql-server
Initialize MySQL with mysql_secure_installation
The following prompts appear; choose what suits your environment
root@localhost:/# sudo mysql_secure_installation (changes the root password)
Securing the MySQL server deployment.
Enter password for user root:
VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?
Press y|Y for Yes, any other key for No: y (whether to install the password validation plugin; n is acceptable for a development environment)
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: (policy level: 0 low, 1 medium, 2 strong)
Invalid option provided.
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2
Using existing password for root.
Estimated strength of the password: 25
Change the password for root ? ((Press y|Y for Yes, any other key for No) : n
… skipping.
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.
Remove anonymous users? (Press y|Y for Yes, any other key for No) : n (whether to remove anonymous users)
… skipping.
Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : n (whether to disallow remote root login)
… skipping.
By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : n (whether to remove the test database)
… skipping.
Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y (whether to reload the privilege tables)
Success.
All done!
The MySQL database installation is now complete!
2. Create the jumpserver database and grant privileges
mysql -uroot -p
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123456'; (the password is subject to the complexity policy) (jumpserver is the database name)
flush privileges;
quit
3. Edit the JumpServer configuration file
cd /opt/jumpserver
cp config_example.yml config.yml
vim config.yml
As follows (remember your BOOTSTRAP_TOKEN: ******* a random mix of digits and letters)
# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key. In production change it to a random string and never leak it; it can be generated with
# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: W5Ic3fMXNZ0p5RIy5DhJYJllppTfcfkW8Yuf94VBMfpcssbfu
# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token that coco and guacamole use to register their service accounts; the old register-then-accept mechanism is no longer used
BOOTSTRAP_TOKEN: zxffNymGjP79j6BN
# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: with DEBUG on you get much more log output when an error occurs
DEBUG: false
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: ERROR
# LOG_DIR:
# Session expiration setting, Default 24 hour, Also set expired on on browser close
# Browser session lifetime, default 24 hours; can also be set to expire when the browser closes
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
# Use a single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: rBi41SrDqlX4zsx9e1L0cqTP  # the password you gave the jumpserver user in the GRANT statement above
DB_NAME: jumpserver
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and port bound at run time
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070
# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD: ZhYnLrodpmPncovxJTnRyiBs
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
# Use OpenID authorization
# OpenID authentication settings
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
# AUTH_OPENID_SHARE_SESSION: True
# Use Radius authorization
# Authenticate with RADIUS
# AUTH_RADIUS: false
# RADIUS_SERVER: localhost
# RADIUS_PORT: 1812
# RADIUS_SECRET:
# CAS settings
# AUTH_CAS': False,
# CAS_SERVER_URL': "http://host/cas/",
# CAS_ROOT_PROXIED_AS': 'http://jumpserver-host:port',
# CAS_LOGOUT_COMPLETELY': True,
# CAS_VERSION': 3,
# LDAP/AD settings
# LDAP search page size
# AUTH_LDAP_SEARCH_PAGED_SIZE: 1000
#
# Periodic user synchronization
# enable / disable
# AUTH_LDAP_SYNC_IS_PERIODIC: True
# Sync interval (unit: hours) (takes precedence)
# AUTH_LDAP_SYNC_INTERVAL: 12
# Crontab expression
# AUTH_LDAP_SYNC_CRONTAB: * 6 * * *
#
# At LDAP login, only users already present in the user list are authenticated against the LDAP server
# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False
#
# If the following message appears in the log during LDAP authentication, set this parameter to 0 (details: https://www.python-ldap.org/en/latest/faq.html)
# In order to perform this operation a successful bind must be completed on the connection
# AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1
# OTP settings
# OTP/MFA settings
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
# Perm show single asset to ungrouped node
# Whether to put assets from unauthorized nodes into the "ungrouped" node
# PERM_SINGLE_ASSET_TO_UNGROUP_NODE: false
#
# Enable periodic tasks
# PERIOD_TASK_ENABLE: True
#
# Enable secondary login confirmation
# LOGIN_CONFIRM_ENABLE: False
#
# Skip manual password entry on Windows logins
#WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True
Done
Start the JumpServer service
cd /opt/jumpserver
./jms start -d
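The config above needs four secrets (SECRET_KEY, BOOTSTRAP_TOKEN, DB_PASSWORD, REDIS_PASSWORD), and DB_PASSWORD has to be the same string used in the GRANT statement of step 2. The script below is an added example, not the tutorial's or the project's code: it generates each secret with the /dev/urandom recipe quoted in the config comments, writes them into an existing config.yml, and prints the matching GRANT so the two copies of the database password cannot drift apart. The function names (gen_secret, set_key, get_key, render_secrets, grant_sql) and the sample config fragment at the bottom are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the tutorial: generate the secrets config.yml needs,
# write them into the file, and emit the matching GRANT statement so the
# database password in config.yml and in MySQL stay identical.
# Function names and the sample config fragment at the bottom are assumptions.

# Same recipe as the comment in config.yml (alphanumerics from /dev/urandom),
# written so that no process in the pipeline is cut off mid-write.
gen_secret() {  # gen_secret LENGTH
  n="${1:-32}"; buf=""
  while [ "${#buf}" -lt "$n" ]; do
    buf="$buf$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
  done
  printf '%s' "$buf" | cut -c1-"$n"
}

# Replace the value of an uncommented top-level `KEY: value` line in place.
set_key() {  # set_key FILE KEY VALUE
  sed -i "s|^$2:.*|$2: $3|" "$1"
}

# Read a top-level key back (used to verify the write).
get_key() {  # get_key FILE KEY
  sed -n "s|^$2: *||p" "$1" | head -n 1
}

# Fill SECRET_KEY, BOOTSTRAP_TOKEN, DB_PASSWORD and REDIS_PASSWORD in a config
# file with fresh values; prints the DB password for the GRANT step.
render_secrets() {  # render_secrets CONFIG_FILE
  cfg="$1"
  set_key "$cfg" SECRET_KEY "$(gen_secret 49)"
  set_key "$cfg" BOOTSTRAP_TOKEN "$(gen_secret 16)"
  dbpass="$(gen_secret 24)"
  set_key "$cfg" DB_PASSWORD "$dbpass"
  set_key "$cfg" REDIS_PASSWORD "$(gen_secret 24)"
  printf '%s\n' "$dbpass"
}

# The tutorial's GRANT, scoped to the jumpserver schema and to 127.0.0.1,
# with the generated password substituted in.
grant_sql() {  # grant_sql DB_USER DB_PASSWORD
  printf "GRANT ALL ON jumpserver.* TO '%s'@'127.0.0.1' IDENTIFIED BY '%s';\nFLUSH PRIVILEGES;\n" "$1" "$2"
}

# Demo on a constructed config fragment with placeholder values.
demo_config=$(mktemp)
cat >"$demo_config" <<'EOF'
SECRET_KEY: changeme
BOOTSTRAP_TOKEN: changeme
DB_ENGINE: mysql
DB_USER: jumpserver
DB_PASSWORD: changeme
REDIS_PASSWORD: changeme
EOF
demo_dbpass=$(render_secrets "$demo_config")
cat "$demo_config"
grant_sql "$(get_key "$demo_config" DB_USER)" "$demo_dbpass"
```

Run `dbpass=$(render_secrets /opt/jumpserver/config.yml)` right after copying config_example.yml, then pipe `grant_sql jumpserver "$dbpass"` into `mysql -uroot -p`. The generated strings are alphanumeric only; if you picked the MEDIUM or STRONG validate_password policy in mysql_secure_installation, the database password also needs a special character, so append one before running the grant. REDIS_PASSWORD only takes effect if Redis itself is configured with the same requirepass, and the BOOTSTRAP_TOKEN written here is the value koko and Guacamole must be given later.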
4. Deploy the koko component
1. Install and deploy koko
cd /opt && \
wget https://github.com/jumpserver/koko/releases/download/v2.0.2/koko-v2.0.2-linux-amd64.tar.gz
Extract
tar -xf koko-v2.0.2-linux-amd64.tar.gz && \
mv koko-v2.0.2-linux-amd64 koko && \
chown -R root:root koko && \
cd koko
2. Edit config.yml
cp config_example.yml config.yml && \
vi config.yml
As follows (BOOTSTRAP_TOKEN must match the one in the JumpServer config)
# Project name, used to register with JumpServer; only an identifier, but it must be unique
# NAME: {{ Hostname }}
# URL of the JumpServer project, used by the registration API request
CORE_HOST: http://127.0.0.1:8080
# Bootstrap Token, pre-shared secret used to register the service account and terminal that coco uses
# Keep it identical to the one in the jumpserver config file; it can be removed once registration is complete
BOOTSTRAP_TOKEN: zxffNymGjP79j6BN
# IP bound at start-up, default 0.0.0.0
# BIND_HOST: 0.0.0.0
# SSH port to listen on, default 2222
# SSHD_PORT: 2222
# HTTP/WS port to listen on, default 5000
# HTTPD_PORT: 5000
# ACCESS KEY used by the project; registered automatically by default and saved to ACCESS_KEY_STORE,
# but it can be written into the config file if needed, in the form access_key_id:access_key_secret
# ACCESS_KEY: null
# Where the ACCESS KEY is stored; by default it is saved to this file after registration
# ACCESS_KEY_FILE: data/keys/.access_key
# Log level [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
LOG_LEVEL: ERROR
# SSH connection timeout (default 15 seconds)
# SSH_TIMEOUT: 15
# Language [en,zh]
# LANG: zh
# SFTP root directory; /tmp, Home or another custom directory
# SFTP_ROOT: /tmp
# Whether SFTP shows hidden files
# SFTP_SHOW_HIDDEN_FILE: false
# Whether to reuse connections a user has already established to backend assets (a user never reuses another user's connection)
# REUSE_CONNECTION: true
# Asset loading policy, adjust to the size of your inventory. Default: load assets asynchronously with asynchronous paged search; if set to all, load every asset and page through local search.
# ASSET_LOAD_POLICY:
# Maximum zip archive size (unit: M)
# ZIP_MAX_SIZE: 1024M
# Temporary directory for zip archives, /tmp
# ZIP_TMP_PATH: /tmp
# Interval (seconds) between keep-alive messages sent to the SSH client, default 30; 0 disables them
# CLIENT_ALIVE_INTERVAL: 30
# Maximum retries for keep-alive packets sent to assets, default 3
# RETRY_ALIVE_COUNT_MAX: 3
# Backend used for session sharing [local, redis], default local
SHARE_ROOM_TYPE: redis
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
#REDIS_PASSWORD: ZhYnLrodpmPncovxJTnRyiBs
# REDIS_CLUSTERS:
REDIS_DB_ROOM: 6
Done
Start the service: ./koko -d
3. Deploy the Guacamole component
Download
cd /opt && \
wget -O docker-guacamole-v2.1.1.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
Extract
mkdir /opt/docker-guacamole && \
tar -xf docker-guacamole-v2.1.1.tar.gz -C /opt/docker-guacamole --strip-components 1 && \
rm -rf /opt/docker-guacamole-v2.1.1.tar.gz && \
cd /opt/docker-guacamole && \
wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz && \
tar -xf guacamole-server-1.2.0.tar.gz && \
wget http://download.jumpserver.org/public/ssh-forward.tar.gz && \
tar -xf ssh-forward.tar.gz -C /bin/ && \
chmod +x /bin/ssh-forward
# the server tarball was extracted under /opt/docker-guacamole above, so build there
cd /opt/docker-guacamole/guacamole-server-1.2.0
./configure --with-init-dir=/etc/init.d && \
make && \
make install
5. Deploy Tomcat
1. Install the Java environment
apt-get -y install default-jre default-jdk
mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive && \
chown daemon:daemon /config/guacamole/record /config/guacamole/drive && \
cd /config
2. Configure Tomcat 9
Download
wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz
tar -xf apache-tomcat-9.0.36.tar.gz && \
mv apache-tomcat-9.0.36 tomcat9 && \
rm -rf /config/tomcat9/webapps/* && \
# move Tomcat off 8080 (already taken by JumpServer) to the 8081 Guacamole port listed above
sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml && \
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties
wget
tar -xf guacamole-client-v2.1.1.tar.gz
rm -rf guacamole-client-v2.1.1.tar.gz
cp guacamole-client-v2.1.1/guacamole-*.war /config/tomcat9/webapps/ROOT.war
cp guacamole-client-v2.1.1/guacamole-*.jar /config/guacamole/extensions/
mv /opt/docker-guacamole/guacamole.properties /config/guacamole/
rm -rf /opt/docker-guacamole
3. Set up the Guacamole environment
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN={same value as in jumpserver config.yml}
echo "export BOOTSTRAP_TOKEN={same value as in jumpserver config.yml}" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc
Environment variable reference
JUMPSERVER_SERVER is the address of the core service
BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN value from Jumpserver/config.yml
JUMPSERVER_KEY_DIR is the directory where the key is stored after successful authentication
GUACAMOLE_HOME is the directory containing the guacamole.properties configuration file
GUACAMOLE_LOG_LEVEL is the level of the generated logs
JUMPSERVER_ENABLE_DRIVE mounts a shared drive for the RDP protocol
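BOOTSTRAP_TOKEN now lives in three places: jumpserver/config.yml, koko/config.yml and the BOOTSTRAP_TOKEN exported for Guacamole above. koko and Guacamole cannot register with the core when the values differ, and the example tokens printed in this tutorial must not be carried into a real deployment. The check below is an added example, not the tutorial's or the project's code: it reads the two config files, compares them with the Guacamole value, rejects the tokens printed on this page, and confirms DEBUG is false before the services are started. The file paths are parameters; the function names and the two sample config files it creates are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the tutorial: verify that jumpserver/config.yml,
# koko/config.yml and the Guacamole BOOTSTRAP_TOKEN agree, that the token is
# not one of the example values printed on this page, and that DEBUG is off.
# Function names are assumptions; the sample files at the bottom are constructed.

# Value of an uncommented top-level `KEY: value` line (first match wins).
yaml_value() {  # yaml_value FILE KEY
  sed -n "s|^$2: *||p" "$1" | head -n 1
}

# Values that appear verbatim in this tutorial and must never reach production.
is_published_example() {  # is_published_example VALUE
  case "$1" in
    zxffNymGjP79j6BN|W5Ic3fMXNZ0p5RIy5DhJYJllppTfcfkW8Yuf94VBMfpcssbfu|changeme|"") return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when everything is consistent; otherwise prints each problem and returns 1.
check_registration_config() {  # check_registration_config JMS_CFG KOKO_CFG GUAC_TOKEN
  jms="$1"; koko="$2"; guac="$3"; problems=0
  jt=$(yaml_value "$jms" BOOTSTRAP_TOKEN)
  kt=$(yaml_value "$koko" BOOTSTRAP_TOKEN)
  dbg=$(yaml_value "$jms" DEBUG)
  if is_published_example "$jt"; then
    echo "jumpserver BOOTSTRAP_TOKEN is empty or a published example value"; problems=1
  fi
  if [ "$jt" != "$kt" ]; then
    echo "koko BOOTSTRAP_TOKEN ($kt) does not match jumpserver ($jt)"; problems=1
  fi
  if [ "$jt" != "$guac" ]; then
    echo "Guacamole BOOTSTRAP_TOKEN ($guac) does not match jumpserver ($jt)"; problems=1
  fi
  if [ "$dbg" != "false" ]; then
    echo "DEBUG must be false in production (found '${dbg:-unset}')"; problems=1
  fi
  return $problems
}

# Constructed sample: the core has a fresh token (Q7mPz2LkT9vXc4Rw is made up
# for this example), but koko still carries the token copied from the tutorial.
jms_cfg=$(mktemp); koko_cfg=$(mktemp)
printf 'DEBUG: false\nBOOTSTRAP_TOKEN: Q7mPz2LkT9vXc4Rw\n' >"$jms_cfg"
printf 'CORE_HOST: http://127.0.0.1:8080\nBOOTSTRAP_TOKEN: zxffNymGjP79j6BN\n' >"$koko_cfg"

check_registration_config "$jms_cfg" "$koko_cfg" Q7mPz2LkT9vXc4Rw \
  || echo "fix the mismatches above before starting koko and Guacamole"
```

On a real host call `check_registration_config /opt/jumpserver/config.yml /opt/koko/config.yml "$BOOTSTRAP_TOKEN"` after sourcing ~/.bashrc; a non-zero exit lists exactly which copy is out of step.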
Start Guacamole
/etc/init.d/guacd start
sh /config/tomcat9/bin/startup.sh
4. Download the Lina and Luna components
lina
cd /opt
wget https://github.com/jumpserver/lina/releases/download/v2.0.2/lina-v2.0.2.tar.gz
wget
tar -xf lina-v2.0.2.tar.gz
mv lina-v2.0.2 lina
chown -R nginx:nginx lina
(Ubuntu's nginx package runs as www-data; if there is no nginx user on the system, chown to the account nginx actually runs as.)
luna
cd /opt
wget https://github.com/jumpserver/luna/releases/download/v2.0.2/luna-v2.0.2.tar.gz
tar -xf luna-v2.0.2.tar.gz
mv luna-v2.0.2 luna
chown -R nginx:nginx luna
6. Install nginx and integrate the components
1. Install nginx
$ apt-get update
$ apt-get -y install nginx
2. Prepare the configuration file
$ rm -rf /etc/nginx/conf.d/default.conf
$ vim /etc/nginx/conf.d/jumpserver.conf
As follows
server {
    listen 80;
    client_max_body_size 100m;  # size limit for recordings and file uploads

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change it if you changed the install directory
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change it if you changed the install directory
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change it if you changed the install directory
    }

    location /koko/ {
        proxy_pass http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
Done
Restart the nginx service
nginx -t
nginx -s reload
7. Test: open a browser (Google Chrome) and go to http://IP:8080 to log in to JumpServer; default user admin, password admin
If the nginx welcome page appears instead, edit /etc/nginx/nginx.conf with vim and keep only the include /etc/nginx/conf.d/*.conf; entry among the includes
If the client is macOS or Linux, log in with:
$ ssh -p2222 admin@IP
$ sftp -P2222 admin@IP
Password: admin
If the client is Windows, the Xshell terminal syntax is:
$ ssh admin@IP 2222
$ sftp admin@IP 2222
Password: admin
If you can log in, the deployment succeeded.
Files uploaded over SFTP land in the asset's /tmp directory by default.
Files dragged into a Windows session land on the G drive that Guacamole mounts in the RDP session.