Build a jumpserver bastion host based on docker

I. Background

I recently thought back to the bastion host system that my previous company used and found very convenient. My current company has no such system, and I believe it may be useful in the future. Since I have had some spare time recently, I decided to build a bastion host system myself. I consulted many documents during the build; the most detailed is the official one, at the following address:

  1. Jumpserver document
II. Operation overview

  1. System running
  2. Getting started with configuration
  3. Test and verification
III. System Operation

The official documentation describes many ways to install the bastion host, which left the author somewhat confused; in addition, the installation steps differ from system to system. A common installation method is docker, so this article takes the docker installation as its example.

3.1 Download an image

Jumpserver is not available from the official docker image library (Docker Hub); it is pulled from the project's own registry with the following command:

docker pull registry.jumpserver.org/public/jumpserver:1.0.0

The download may be slow; it took the author about 14 minutes. The result is as follows:

1.0.0: Pulling from public/jumpserver
af4b0a2388c6: Pull complete
aa66a3d10fd2: Pull complete
1d4c6a27f2ac: Pull complete
2490267572de: Pull complete
b00f1599768d: Pull complete
398fc903cdc3: Pull complete
f8490bbfc09a: Pull complete
86d238b365f5: Pull complete
2cd3b1ef59b2: Pull complete
4a21434eeb73: Pull complete
ae8cf3e909e0: Pull complete
7c440776471a: Pull complete
0a5e895f91af: Pull complete
b86672241685: Pull complete
af16a4945f95: Pull complete
0374e723cd6c: Pull complete
e18b86849df9: Pull complete
648aa832cb74: Pull complete
b52364a5c704: Pull complete
Digest: sha256:0f26e439c492ac52cbc1926aa950a59730607c947c79557ab3da51bfc2c7b5d4
Status: Downloaded newer image for registry.jumpserver.org/public/jumpserver:1.0.0

3.2 Run the image

After the download, run the downloaded image as a container. To avoid a conflict with other processes that may already occupy port 80 on the host machine, the container's port 80 is mapped to host port 8011. Run the following command:

docker run --name jms_server -d -p 8011:80 -p 2222:2222 registry.jumpserver.org/public/jumpserver:1.0.0

The -d parameter runs the container in the background: after the container starts, the terminal does not enter the container's bash. When the command succeeds, docker returns the container ID; if a message is returned instead, an exception error may have occurred. The normal return result is as follows:

4709a7d85af28bf05a63fb3e42541a41c30edda6668fd54a446cfab006c35b9e
3.3 Run check

After the container starts, check that it is running successfully. The check has two parts: first confirm that the container is running normally, then confirm that the bastion host can be opened in a browser.

First, run the following command to view the currently running container:

docker ps

If the container is running normally, the ID of the bastion host container just started will appear in the list. The normal return result looks like this:

CONTAINER ID        IMAGE                                             COMMAND               CREATED             STATUS              PORTS                                                   NAMES
4709a7d85af2        registry.jumpserver.org/public/jumpserver:1.0.0   "/opt/start_jms.sh"   8 minutes ago       Up 8 minutes        443/tcp, 0.0.0.0:2222->2222/tcp, 0.0.0.0:8011->80/tcp   jms_server

The output shows that the container whose ID docker returned is in the Up state, so the container itself is running normally. Next, confirm through a browser that the service inside it started successfully by opening the following address:

http://127.0.0.1:8011/

When the page shown in the figure appears in the browser, the system is running successfully.
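The run check of section 3.3 can be automated. The following script is an added example, not part of the original article; it assumes docker and curl are on PATH and that the container name (jms_server) and host ports (8011 for the web interface, 2222 for ssh) match the docker run command in section 3.2.

```shell
#!/bin/sh
# Added example, not from the original article: automates the run check of
# section 3.3 for the jms_server container started in section 3.2.
# Assumptions: docker and curl are on PATH; the container name (jms_server)
# and host ports 8011 (web) and 2222 (ssh) match the docker run command above.

JMS_NAME="jms_server"
JMS_WEB_PORT="8011"
JMS_SSH_PORT="2222"

# jms_ps_ok LINE: LINE is one tab-separated line of
#   docker ps --format '{{.Names}}\t{{.Status}}\t{{.Ports}}'
# Returns 0 only if it is our container, its status starts with "Up" and
# both expected host->container port mappings are published.
jms_ps_ok() {
    name=$(printf '%s' "$1" | cut -f1)
    status=$(printf '%s' "$1" | cut -f2)
    ports=$(printf '%s' "$1" | cut -f3)
    [ "$name" = "$JMS_NAME" ] || return 1
    case "$status" in Up*) ;; *) return 1 ;; esac
    case "$ports" in *"0.0.0.0:${JMS_WEB_PORT}->80/tcp"*) ;; *) return 1 ;; esac
    case "$ports" in *"0.0.0.0:${JMS_SSH_PORT}->2222/tcp"*) ;; *) return 1 ;; esac
    return 0
}

# jms_http_ok: the browser check done with curl; the logon page answers
# with a 2xx/3xx status once the web service inside the container is up.
jms_http_ok() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:${JMS_WEB_PORT}/")
    case "$code" in 2??|3??) return 0 ;; *) return 1 ;; esac
}

# jms_check: container check, then retry the HTTP check for up to 60 s,
# because /opt/start_jms.sh needs time after docker run returns the ID.
jms_check() {
    line=$(docker ps --filter "name=^${JMS_NAME}$" \
                     --format '{{.Names}}\t{{.Status}}\t{{.Ports}}')
    jms_ps_ok "$line" || { echo "container not running as expected: $line"; return 1; }
    i=0
    while [ "$i" -lt 12 ]; do
        jms_http_ok && { echo "jumpserver web reachable on port ${JMS_WEB_PORT}"; return 0; }
        i=$((i + 1)); sleep 5
    done
    echo "web interface did not answer within 60 s"; return 1
}

# Invoke as: sh jms_check.sh run
if [ "${1:-}" = "run" ]; then jms_check; fi
```

A non-zero exit means either the container is not Up with the expected port mappings, or the web interface never answered within the retry window.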

IV. Getting started with configuration

Once the system is confirmed to be running normally, you can configure it. Bastion host configuration is relatively simple; what follows is the most basic configuration needed to use the bastion host. It mainly consists of adding assets to manage, which requires adding management users, common system users, account authorization and a few other steps.

4.1 Log on to the system

The test run above showed a logon page, but I did not find the account and password in the official documentation. After trying, I found that the user name and password are admin and admin, as shown in the figure. Because these are default credentials, change the admin password right after the first logon.

After the logon succeeds, you arrive at the page shown in the figure.

4.2 Manage Users

Next, add some assets. The prerequisite for adding assets is a management user, the account with the highest permissions on the assets; the bastion host uses this account to log on to and manage the assets and to collect some statistics. Under Asset Management -> Manage Users, click the create button in the list to create a management user, as shown in the figure.

In the form you must enter the user name and the password or private key used for authentication; fill these in according to your actual situation. In the author's example the user name is song and the password is 123456Ab; then fill in the remaining information.

4.3 Asset Management

After adding a management user, you can add assets, which is also very simple. In the asset list, click the Create asset button to go to the asset adding page, as shown in the figure.

To add an asset, enter the IP address of the asset and its ssh port number, and select the operating system type of the asset.

4.4 System users

Asset Management also contains a system user management page. The scenario for system users is this: creating a common account on many target assets one by one is very troublesome. Instead, you can create a system user on the bastion host's system user management page and push it to the target assets, so you do not need to log on to each target host and create the user there. This is very convenient; the figure shows how to add a system user.

To create a system user, enter the account name to create and select the authentication method. The default is key authentication; you can also tick the option box to authenticate the account with a password instead.

V. Test and verification

After completing the preceding configuration, you can verify some common functions to better understand the jumpserver system. These test points include the asset connection test, user authorization, the Web terminal, online sessions, command records and other functions.

5.1 Connection test

The connection test checks whether the bastion host can reach the asset. Click the asset name in the asset list to open the asset details page; of the two buttons on the right, click the Refresh button, as shown in the figure.

If the hardware information on the left changes, the management user configured earlier works correctly; otherwise an error prompt box is displayed.

5.2 User authorization

After an asset is configured, to connect to it directly from a terminal on the bastion host you still need to authorize the user. Authorization takes two steps. The first step is to authorize the Web terminal account under Session management -> Terminal Management, as shown in the figure.

The second step is to authorize the user under Authorization management -> Asset Permissions -> Create permission rules, as shown in the figure.

5.3 Web Terminal

Once authorized, the user can interact with the system through Session management -> Web Terminal, as shown in the figure.

5.4 Online sessions

When needed, the online session function makes it easy to see who is operating a server: open the Session management -> Online sessions list, as shown in the figure.

5.5 Command records

I think one of the greatest values of a bastion host is auditing. To find out which commands a user has executed on the system, open Session management -> Command record, as shown in the figure.

VI. Book recommendation

If you are interested in my practical articles, you can follow my new book "PHP Web security development practices", which is now on sale on various platforms, as shown on the cover.

Tang Qingsong

: Songboy8888

Date:
