Open source stepping stone Jumpserver

Source: Internet
Author: User
Tags install node openldap rsyslog

Open source stepping stone Jumpserver

I believe you are familiar with the bastion host. To ensure server security, we have added a bastion host. All ssh connections are completed through the bastion host, the bastion host also needs functions such as identity authentication, authorization, access control, and auditing. the above functions are basically implemented using Python.
Architecture:


The main backend technology is LDAP, Which is configured with the LDAP centralized authentication server. All server authentication is performed by ldap. In my practice, each user has a password and the password is encrypted into the database, when a user enters an ip address to log on to the server from the stepping stone, the stepping stone system obtains the password and decrypts it. The pexpect module sends the password to complete the login.

Logon interface and Method

The user logs on to the stepping stone and uses the key for authentication. After logging on to the stepping stone, the system automatically runs the stepping stone.


You can enter a complete IP address or some IP addresses to log on. If some of the ip addresses you enter are not unique, a prompt is displayed. If you do not have the permission, a prompt is displayed, indicating that you do not have the permission.


Enter P/p to view the ip address of the server with permissions.

Enter E/E to run the same command on several servers. IP addresses are separated by commas (,).


Log records

Pexpect is used for logging. The recorded logs store both the command output and the command output, and are not careful about the sent password record (not satisfied ), pexpect module processing is a little difficult. My idea is to process the log again every day, remove the password, and save the log under the logs directory. The file name is ip_date_username ps: when I log on with chinaren, the prompt window is baidutest, which is caused by my personal reasons.

If you are interested in this project, you can download it through the following link:
Https://github.com/ibuler/jumpserver
The following is the configuration manual:
Test Environment
Centos6.5 mini, iptables, selinux disabled
Jumpserver: 192.168.0000130
Testserver: 192.168.20.131

1. Deploy ldapserver
1.1 install ldapserver
Default
# Rpm-ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# Yum install-y vim automake autoconf gcc xz ncurses-devel \
Patch python-devel git python-pip gcc-c ++ # Install the basic environment, which is later dependent on
# Yum install-y openldap-servers openldap-clients openldap-devel
1.2 prepare the configuration file
Default
# Cp/usr/share/openldap-servers/slapd. conf. obsolete/etc/openldap/slapd. conf # This file is the Server Load balancer configuration file.
# Cp/usr/share/openldap-servers/DB_CONFIG.example/var/lib/ldap/DB_CONFIG # Database Configuration File
1.3 modify the configuration file
Default
# Vim/etc/openldap/slapd. conf... loglevel 1... suffix "dc = jumpserver, dc = org" rootdn "cn = admin, dc = jumpserver, dc = org" rootpw secret234... # Note: loglevel: Set the Log Level suffix: Actually it is BaseDN rootdn: Super administrator's dn rootpw: Super administrator's password
1.4 modify the system log configuration file
Default
# Vim/etc/rsyslog. conf local4. */var/log/ldap. log
# Add a row under local7. *
# Service rsyslog restart
1.5 start slapd and check the startup status

Default# service slapd start# rm -rf /etc/openldap/slapd.d/# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d# chown -R ldap:ldap /etc/openldap/slapd.d/# service slapd restartDefault


# Netstat-tulnp | grep slapd # Note: The ldap database will be initialized at the first startup. in/var/lib/ldap, if you want to delete the ldap database, delete the directory, retain the DB_CONFIG configuration file. The new version of ldap uses the configuration file under/etc/openldap/slapd. d to delete the original configuration file. slaptest is used to regenerate the new configuration file.
1.6 import the ldif database framework and test the user. You can use the migrationtools export framework or export it with me.

Defaultbase. ldif, group. ldif, passwd. ldif replace dc = jumpserver, dc = org with your baseDN, and then import it. The password is secret234 set by rootpw # ldapadd-x-W-D "cn = admin, dc = jumpserver, dc = org "-f base. ldif # ldapadd-x-W-D "cn = admin, dc = jumpserver, dc = org"-f group. ldif # ldapadd-x-W-D "cn = admin, dc = jumpserver, dc = org"-f passwd. ldif # Description: The test user is testuser and the password is testuser123.


2. Deploy ldapclient on testserver
-CentOS6 settings-
2.1 install the LDAP Client
Default
# Yum-y install openldap-clients nss-pam-ldapd pam_ldap

2.2 set Automatic Directory Creation
Default
# Echo "session required pam_mkhomedir.so skel =/etc/skel umask = 0077">/etc/pam. d/system-auth
2.3 back up the original authconfig and set LDAP Authentication
Default# authconfig --savebackup=auth.bak# authconfig --enableldap --enableldapauth --enablemkhomedir --enableforcelegacy --disablesssd --disablesssdauth --ldapserver=192.168.20.130 --ldapbasedn="dc=jumpserver,dc=org" --update

-CentOS5 settings-
2.1 install the LDAP Client
Default
# Yum-y install openldap-clients nss_ldap
2.2 set Automatic Directory Creation
Default
# Echo "session required pam_mkhomedir.so skel =/etc/skel umask = 0077">/etc/pam. d/system-auth
2.3 set LDAP Authentication
Default
# Authconfig -- enableldap -- enableldapauth -- enablemkhomedir -- ldapserver = 192.168.20.130 -- ldapbasedn = "dc = jumpserver, dc = org" -- update
2.4 connect testuser test from jumpserver # ssh testuser@192.168.20.131 # password is testuser123 continue if the connection is successful
For deployment in production, note that creating a disaster recovery account is not described here
Iii. LDAP is responsible for sudo
3.1 copy the sudo schema. The centos version is different. The sudo version may not be 1.8.6. Other versions can also be used.
Default
# Cp/usr/share/doc/sudo-1.8.6p3/schema. OpenLDAP/etc/openldap/schema/sudo. schema
3.2 modify the file to import schema # vim/etc/openldap/slapd. conf include/etc/openldap/schema/sudo. schema
3.3 regenerate the configuration file and restart slapd
Default# rm -rf /etc/openldap/slapd.d/*# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d# chown -R ldap:ldap /etc/openldap/slapd.d/*# service slapd restart

3.4 import sudo. ldif to ldapserver
# Ldapadd-x-W-D "cn = admin, dc = jumpserver, dc = org"-f sudo. ldif # Description: Set sudo. in ldif, dc = jumpserver, dc = org for your baseDN
3.5 set sudo to use ldap on testserver
(Centos6 on the use of the ldap configuration file is/etc/sudo-1.7.4p5, sudo version of different use of configuration files may also be different, sudo-V | grep 'ldap. conf' view)
Default # sudo-V | grep 'ldap. conf 'ldap. conf path:/etc/sudo-ldap.conf # The known version is/etc/nslcd. conf. The following changes should be made .. -CentOS6-Default # echo-e "uri ldap: // 192.168.20.130 \ nSudoers_base ou = Sudoers, dc = jumpserver, dc = org">/etc/sudo-ldap.conf # echo "Sudoers: files ldap ">/etc/nsswitch. conf-CentOS5-Default # echo "Sudoers_base ou = Sudoers, dc = jumpserver, dc = org">/etc/ldap. conf # echo "Sudoers: files ldap">/etc/nsswitch. conf3.6 test sudoDefault # ssh testuser@192.168.20.131 # sudo su # Note: The password is testuser123, sudo su if you do not prompt to enter the password, then success 4. deploy jumpserver4.1 to install the mysql database, and create the database Default # yum-y install mysql-server mysql-devel # service mysqld start # mysqlmysql> create database jumpserver charset = 'utf8 '; mysql> grant all on jumpserver. * to 'jumpserver' @ '127. 0.0.1 'identified by 'mysql234'; 4.2 download the latest Jumpserver project Default # cd/opt # git clone https://github.com/ibuler/jumpserver.git# Cd jumpserver4.3 installation dependency module Default # cd/opt/jumpserver/docs # pip install-r requirements.txt-I http://pypi.douban.com/simple# Note: if an error is reported, manually install each module 4.4 to modify the Jumpserver configuration file # cd .. default # vim jumpserver. conf # coding: utf8 [base] ip = 192.168.20.130port = 80key = Listen [db] host = 127.0.0.1port = 3306 user = jumpserverpassword = mysql234database = jumpserver [ldap] ldap_enable = 1host_url = ldap: // 127.0.0.1: 389base_dn = dc = jumpserver, dc = orgroot_dn = cn = admin, dc = jumpserver, dc = orgroot_pw = secret234 [websocket] web_socket_host = 192.168.20.130: 3000 [mail] email_host = smtp. exmail. qq. comemail_port = 25email_host_user = noreply@jumpserver.orgemail _ host_password = jumpserver123email_use_tls = False

# Note:
# [Base] ip, port is the ip address and port number used to access the web, and key is a random string used to encrypt. If you change it, make sure it is a 16-bit
# [Db] is the database setting. I believe you will know it at a glance.
# [Ldap] Enable ldap for ldap_enable, host_url is the address of ldapserver, and base_dn root_dn root_pw is consistent with the ldapserver configured earlier
# [Websocket] The websocket address is the server address that allows the node index. js program to run together with the web. The default port number is 3000.
# [Mail] configure the mail server to send emails. Users added in this version will automatically send emails to users.
4.5 create a logs directory and modify permissions
Default
# Cd/opt/jumpserver/
# Mkdir logs; chmod 777 logs
4.6 django sync db to database
Default
# Python manage. py syncdb wocould you like to create one now? (Yes/no): no
4.7 test run
Default
# Python manage. py runserver 0.0.0.0: 80
# Python log_handler.py # Note: The two windows are opened separately.
4.8 initialize the jumpserver browser and open http: // 192.168.1.209/install

 

Show installation successful test continue
5. Install node. js
To achieve real-time monitoring, node. js is used to complete websocket
5.1 install node. js in yum
Default
# Yum-y install nodejs npm # Many Dependencies
# Cd websocket
Default
# Npm install # Note
5.2 start websocket Test
# Node index. js
6. Use jumpserver
6.1 login account password: admin
6.2 create a department
6.3 create a user
6.4 create an IDC
6.5 Add a host
6.6 create a user group
6.7 create a host Group
6.8 authorize a host group to a user group
6.9 authorize sudo
6.10 create a department Administrator
6.11 authorize the host to the department
6.12 Department Administrator Login
6.13 Add a user and authorize a department Administrator
6.14 view monitoring
6.15 View statistics
6.16 normal user login
VII. Ending
7.1 modify sshd configuration and disable Password Logon
Default
# Vim/etc/sshd/sshd_config... PasswordAuthentication no... # service sshd restart
7.2 log on to jumpserver and run the system automatically.
Default
# Cd/opt/jumpserver/docs # vim jumpserver. sh... if [$ USER = 'guanghongwei']; then # modify a special USER and do not exit after the end...
Default
# Cp jumpserver. sh/etc/profile. d/
7.3 run the jumpserver system normally
Default
# Cd/opt/jumpserver/
Default
#./Service. sh start # Note: If you want to end the system./service. sh stop; # What is not running? Do you have the execution permission?
8. Production considerations
8.1 it is best to set up a disaster recovery backup account for each server to prevent maintenance interruption due to the inability to connect to the ldap server due to network conditions.
8.2 When the ldap server creates a Master/Slave image, this part of the content is beyond the scope of this topic. The client needs to write two addresses at a scheduled time.
Default
-- Ldapserver = 192.168.0000130, 192.168.0000xxx
8.3 database backup or Master/Slave
8.4 nginx + uwsgi + django running, the above server. sh is the Development Mode and can only be single-concurrency
This update Log
-Logon script-
1.1 Use the native ssh protocol of paramiko to log on to the backend host (the original version uses pexpect to simulate logon)
1.2 add an alias or remarks for Logon
1.3 Add a host group for viewing, making it easier to use
1.4 multi-thread batch Command Execution
1.5 optimize logon scripts
-Web management-
1.6 more beautiful Web Interface
1.7 add Department administrators to manage Department members
1.8 add dashboard statistics
1.9 add departments, user groups, and host groups
1.10 more detailed user information and host information
1.11 Add the logon map mode for host login, which is used to log on to hosts that do not support ldap
1.12 host authorization. Change sudo authorization to inter-group authorization.
1.13 add batch host modification and batch Addition
1.14 Add a user to automatically generate a random password and then send an email automatically
1.15 add various searches
1.16 Add a Web page Authorization application for normal users
1.17 more user-friendly audit Interface
1.18 Add the filter search function to the host
1.19 Add User portraits
1.20 upload in batches
1.21 Add a department administrator page
1.22 richer page content for common users
II.
2.1 login page

2.2 administrator Homepage


 
2.3 view users

2.4 view assets

 
2.5 monitoring page

 
2.6 command statistics

 
2.7 General user Homepage

 
2.8 Personal Information of common users

 
2.9 File Upload

2.9 jump Interface

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.