I. Background
I recently thought of the bastion host system that my previous company used, which I found very convenient. My current company has not set up such a system, and I think it may be useful in the future. Since I have had some spare time lately, I decided to build a bastion host system myself. I referenced many documents during the build; the most detailed is the official documentation, at the following address:
- Jumpserver documentation
II. Operation overview
1. System operation
2. Getting started with configuration
3. Test and verification
III. System Operation
The official documentation describes many ways to install the bastion host, which left me somewhat confused. In addition, the installation methods differ between operating systems, but Docker is a common installation method that works the same everywhere. Therefore, this article takes the Docker installation as its example.
3.1 Download the image
Jumpserver is not available from the default Docker image library, so the image is pulled from the project's own registry with the following command:
docker pull registry.jumpserver.org/public/jumpserver:1.0.0
The download may be slow; it took me about 14 minutes. The result is as follows:
1.0.0: Pulling from public/jumpserver
af4b0a2388c6: Pull complete
aa66a3d10fd2: Pull complete
1d4c6a27f2ac: Pull complete
2490267572de: Pull complete
b00f1599768d: Pull complete
398fc903cdc3: Pull complete
f8490bbfc09a: Pull complete
86d238b365f5: Pull complete
2cd3b1ef59b2: Pull complete
4a21434eeb73: Pull complete
ae8cf3e909e0: Pull complete
7c440776471a: Pull complete
0a5e895f91af: Pull complete
b86672241685: Pull complete
af16a4945f95: Pull complete
0374e723cd6c: Pull complete
e18b86849df9: Pull complete
648aa832cb74: Pull complete
b52364a5c704: Pull complete
Digest: sha256:0f26e439c492ac52cbc1926aa950a59730607c947c79557ab3da51bfc2c7b5d4
Status: Downloaded newer image for registry.jumpserver.org/public/jumpserver:1.0.0
3.2 Run the image
After the download completes, the container must be started. To avoid conflicts with other processes that may already occupy port 80 on the host, the container's port 80 is mapped to host port 8011. Run the following command:
docker run --name jms_server -d -p 8011:80 -p 2222:2222 registry.jumpserver.org/public/jumpserver:1.0.0
The -d flag runs the container in the background (detached mode), so the terminal does not drop into a shell inside the container. When the command succeeds, Docker returns the container ID; if something else is returned, an error has probably occurred. A normal result looks like this:
4709a7d85af28bf05a63fb3e42541a41c30edda6668fd54a446cfab006c35b9e
3.3 Run check
After the container starts, I need to check that it is running properly. There are two checks: first, whether the container itself is running normally, and then whether the bastion host can be reached from a browser.
First, run the following command to list the currently running containers:
docker ps
If the container is running normally, the ID of the bastion host container just started appears in the list. A normal result looks like this:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4709a7d85af2 registry.jumpserver.org/public/jumpserver:1.0.0 "/opt/start_jms.sh" 8 minutes ago Up 8 minutes 443/tcp, 0.0.0.0:2222->2222/tcp, 0.0.0.0:8011->80/tcp jms_server
The output shows that the container whose ID Docker returned is in the Up state, so the container is running normally. Next, check from a browser that the service itself works by opening the following address:
http://127.0.0.1:8011/
When the page shown in the figure appears in the browser, the system is running successfully.
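The pull, run and check steps of sections 3.1 to 3.3 can be scripted; the following is an added example (not from the original post) that builds the docker run command from section 3.2 and automates the `docker ps` check from section 3.3 by parsing its output. The BIND_ADDR variable, the function names and the sample `docker ps` output are my assumptions; with --live it queries the local Docker daemon and probes the mapped web port.

```shell
#!/bin/sh
# Added example, not part of the original post. Offline by default (checks a
# constructed sample of `docker ps` output); pass --live to check a real host.
IMAGE="registry.jumpserver.org/public/jumpserver:1.0.0"
NAME="jms_server"
HTTP_PORT=8011   # host port mapped to container port 80 (web UI)
SSH_PORT=2222    # host port mapped to container port 2222 (SSH gateway)
BIND_ADDR=""     # empty = all interfaces, as in the post; set e.g. 127.0.0.1 to limit exposure

# Compose the run command from section 3.2 (printed, not executed).
jms_run_cmd() {
  prefix="${BIND_ADDR:+$BIND_ADDR:}"
  printf 'docker run --name %s -d -p %s%s:80 -p %s%s:2222 %s\n' \
    "$NAME" "$prefix" "$HTTP_PORT" "$prefix" "$SSH_PORT" "$IMAGE"
}

# Read `docker ps` output on stdin; return 0 only if the container named
# $NAME runs our image, is in the Up state, and both host ports are mapped.
jms_container_healthy() {
  row=$(grep -w "$NAME" | grep -F "$IMAGE") || return 1
  echo "$row" | grep -q " Up " || return 1
  echo "$row" | grep -q ":${HTTP_PORT}->80/tcp" || return 1
  echo "$row" | grep -q ":${SSH_PORT}->2222/tcp" || return 1
  return 0
}

# Constructed sample, modelled on the `docker ps` result shown in section 3.3.
SAMPLE_PS='CONTAINER ID   IMAGE                                             COMMAND               CREATED         STATUS         PORTS                                                    NAMES
4709a7d85af2   registry.jumpserver.org/public/jumpserver:1.0.0   "/opt/start_jms.sh"   8 minutes ago   Up 8 minutes   443/tcp, 0.0.0.0:2222->2222/tcp, 0.0.0.0:8011->80/tcp   jms_server'

if [ "${1:-}" = "--live" ]; then
  # Live check: real `docker ps`, then an HTTP probe of the mapped port as in 3.3.
  docker ps | jms_container_healthy || { echo "container $NAME is not healthy"; exit 1; }
  curl -fsS -o /dev/null "http://127.0.0.1:${HTTP_PORT}/" && echo "bastion web UI reachable"
fi
```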
IV. Getting started with configuration
After confirming that the system is running normally, it can be configured. Bastion host configuration is relatively simple. The following is the most basic configuration needed to use the bastion host: adding some assets to manage, which requires adding a management user, ordinary system users, account authorization, and similar operations.
4.1 Log on to the system
In the earlier test run, you can see that a login is required, but I did not find the account and password in the official documentation. After trying, I found that the username and password are admin and admin, as shown in the figure.
After logging on successfully, you land on the page shown in the figure.
4.2 Manage Users
Next, I need to add some assets. The prerequisite for adding assets is a management user, the highest-privilege account on the assets; the bastion host uses this account to log on to the assets, manage them, and collect some statistics. Go to Asset Management -> Manage Users and click Create a system user in the list to create the management user, as shown in the figure.
In the form, you must enter the username and the password or private key used for authentication, according to your actual situation. Here I entered the username song and the password 123456Ab, then filled in the remaining information.
4.3 Asset Management
After adding a management user, you can add assets, which is also very simple. In the asset list, click the Create asset button to go to the asset adding page, as shown in the figure.
To add an asset, enter its IP address and SSH port number, and select the operating system type of the asset.
4.4 System users
There is also system user management under Asset Management. The scenario for system users is that creating an ordinary account on many target assets one by one is very troublesome; instead, you can create a system user in the bastion host's System user management and push the user out to the target assets. That way you do not need to log on to each target host and create the user by hand, which is very convenient. The figure shows how to add a system user.
To create a system user, enter the account name to create and select the authentication method. The default is key authentication; you can also tick the option box and authenticate the account with a password.
V. Test and verification
After completing the preceding configuration, you can perform some common functional checks to deepen your understanding of the Jumpserver system. These test points include the asset connection test, user authorization, the web terminal, online sessions, command records, and other functions.
5.1 Connection test
The purpose of the connection test is to check whether the bastion host can reach the asset. Click the asset name in the asset list to go to the asset details page; there are two buttons on the right, click the Refresh button, as shown in the figure.
If the hardware information on the left is updated, the management user configured earlier works correctly; otherwise an error prompt box is displayed.
5.2 User authorization
After an asset is configured, you still need to authorize a user before you can connect to the terminal directly on the bastion host. Authorization takes two steps. The first step is to authorize the web terminal account under Session management -> Terminal Management, as shown in the figure.
The second step is to authorize the user under Authorization management -> Asset Permissions -> Create permission rules, as shown in the figure.
5.3 Web terminal
Once the user is authorized, they can interact with the system through Session management -> Web Terminal, as shown in the figure.
5.4 Online sessions
In some cases, the online session function makes it easy to see who is operating a server. See the Session management -> Online sessions list, as shown in the figure.
5.5 Command records
In my opinion, one of the greatest values of a bastion host is auditing. If you want to know which commands a user has executed on a system, you can easily check Session management -> Command record, as shown in the figure.
VI. Book recommendation
If you are interested in my practical articles, you can follow my new book, "PHP Web Security Development Practices", which is now on sale on various platforms, as shown on the cover.
Tang Qingsong: Songboy8888
Build a jumpserver bastion host based on docker