Introduction to cloud bastion machine
A bastion host is a system that, within a given network environment, uses a range of technical means to monitor and record the actions that operations and maintenance (O&M) staff take on servers, network devices, security appliances, databases and similar equipment, so that the network and its data are protected against intrusion and damage by both external and internal users. Its records support centralized alerting, timely handling of incidents and after-the-fact audit findings.
Cloud Bastion Host (CBH) is a 4A unified security management and control platform: it provides enterprises with centralized Account, Authorization, Authentication and Audit management services.
Cloud Bastion Host is a cloud security service that provides efficient O&M, authentication management, access control, security auditing and report analysis. Cloud tenants' O&M personnel carry out asset O&M and operation auditing through the cloud bastion host. Using a protocol-based forward proxy, the bastion host records the data streams of common O&M protocols such as SSH, Windows Remote Desktop and SFTP, and then replays them as video by reconstructing the recorded stream; this is how O&M auditing is achieved.
The cloud bastion host provides a security management and control system for cloud computing, with functional modules for departments, users, resources, policies, O&M and auditing, and integrates single sign-on, unified asset management, multi-terminal access protocols, file transfer, session collaboration and more in one place. Through a unified O&M login portal, and based on protocol forward proxying and remote access isolation, it provides centralized management and O&M auditing of cloud resources such as servers, cloud hosts, databases and application systems.
The cloud bastion host requires no installation or deployment on the client side; it connects to and manages multiple cloud servers through HTML5, so enterprise users need only a mainstream browser or the mobile app to carry out O&M efficiently from anywhere. It supports multiple protocols, including RDP, SSH, Telnet and VNC, and can reach Windows, Linux and Unix operating systems. By managing their cloud servers through the bastion host, enterprise users meet the requirements of the third-level protection standard for user identity authentication, access control and security auditing.
Functionally, it combines two core roles: O&M of the core systems and security audit control, mediating terminal computers' access to networks and servers. Put figuratively, every access from a terminal to a target has to be "translated" by the O&M security audit system. By analogy, the O&M security audit system is a gatekeeper, and every request to network devices and servers must pass through this gate. It can therefore intercept illegal access and malicious attacks, block illegal commands, filter out illegal access to target devices, and audit and monitor internal staff's misoperations and illegal operations so that responsibility can be traced after the fact.
Use the provided software package to configure the Yum source. Download the jumpserver.tar.gz package to the /root directory of the Jumpserver node through the address:
[root@jumpserver ~]# ls jumpserver.tar.gz
Extract it to the /opt directory:
[root@jumpserver ~]# tar -zxvf jumpserver.tar.gz -C /opt/
[root@jumpserver ~]# cd /opt/
[root@jumpserver opt]# ls
compose  config  docker  docker.service  images  jumpserver  jumpserver-repo  static.env
Configure the YUM source:
[root@jumpserver ~]# cd /etc/yum.repos.d/
[root@jumpserver yum.repos.d]# mkdir bak
[root@jumpserver yum.repos.d]# mv CentOS-* bak/
[root@jumpserver yum.repos.d]# cat local.repo
[centos]
name=centos
baseurl=ftp://192.168.200.10/centos
gpgcheck=0
[jumpserver]
name=jumpserver
baseurl=file:///opt/jumpserver-repo
gpgcheck=0
Install the dependencies
Install the Python runtime:
[root@jumpserver ~]# yum install python2 -y
Install and configure the Docker environment:
[root@jumpserver opt]# cp -rf /opt/docker/* /usr/bin/
[root@jumpserver opt]# chmod 775 /usr/bin/docker*
[root@jumpserver opt]# cp -rf /opt/docker.service /etc/systemd/system
[root@jumpserver opt]# chmod 775 /etc/systemd/system/docker.service
[root@jumpserver opt]# systemctl daemon-reload
[root@jumpserver opt]# systemctl enable docker --now
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /etc/systemd/system/docker.service.
Verify the service status:
[root@jumpserver opt]# docker -v
Docker version 18.06.3-ce, build d7080c1
[root@jumpserver opt]# docker-compose -v
docker-compose version 1.27.4, build 40524192
[root@jumpserver opt]#
Install the Jumpserver service. Load the provided container images:
[root@jumpserver images]# ls
jumpserver_core_v2.11.4.tar  jumpserver_lion_v2.11.4.tar   jumpserver_nginx_alpine2.tar
jumpserver_koko_v2.11.4.tar  jumpserver_luna_v2.11.4.tar   jumpserver_redis_6-alpine.tar
jumpserver_lina_v2.11.4.tar  jumpserver_mysql_5.tar        load.sh
[root@jumpserver images]# cat load.sh
#!/bin/bash
docker load -i jumpserver_core_v2.11.4.tar
docker load -i jumpserver_koko_v2.11.4.tar
docker load -i jumpserver_lina_v2.11.4.tar
docker load -i jumpserver_lion_v2.11.4.tar
docker load -i jumpserver_luna_v2.11.4.tar
docker load -i jumpserver_mysql_5.tar
docker load -i jumpserver_nginx_alpine2.tar
docker load -i jumpserver_redis_6-alpine.tar
[root@jumpserver images]# sh load.sh
Create the Jumpserver service component directories:
[root@jumpserver images]# mkdir -p /opt/jumpserver/{core,koko,lion,mysql,nginx,redis}
[root@jumpserver images]# cp -rf /opt/config /opt/jumpserver/
Load the environment variables from static.env, then start the Jumpserver service with the provided up.sh script:
[root@jumpserver compose]# ls
config_static                      docker-compose-lb.yml              docker-compose-network.yml         down.sh
docker-compose-app.yml             docker-compose-mysql-internal.yml  docker-compose-redis-internal.yml  up.sh
docker-compose-es.yml              docker-compose-mysql.yml           docker-compose-redis.yml
docker-compose-external.yml        docker-compose-network_ipv6.yml    docker-compose-task.yml
[root@jumpserver compose]# source /opt/static.env
[root@jumpserver compose]# sh up.sh
Creating network "jms_net" with driver "bridge"
Creating jms_redis  ... done
Creating jms_mysql  ... done
Creating jms_core   ... done
Creating jms_lina   ... done
Creating jms_nginx  ... done
Creating jms_celery ... done
Creating jms_lion   ... done
Creating jms_luna   ... done
Creating jms_koko   ... done
[root@jumpserver compose]#
In a browser, open http://192.168.200.30 and log in to the Jumpserver web interface (admin/admin).
After a successful login you are prompted to set a new password.
Change password
After logging in to the platform, click the drop-down menu in the upper right corner of the page to switch the interface language.
At this point, the Jumpserver installation is complete.
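The walkthrough above finishes at "Creating jms_koko ... done" and then moves straight to the browser. The script below is an added example (not part of the page or of the Jumpserver project) of the post-install check an operator would run on the node: it confirms that every container created by up.sh is actually running, and it regenerates the local.repo file from the walkthrough so the Yum configuration can be reproduced. The container names are the ones printed by up.sh; the `docker ps` sample embedded in the script is constructed so the logic can be exercised offline, and the `--live` flag for querying the real Docker daemon is this script's own convention.

```bash
#!/bin/sh
# Post-install check for the Jumpserver stack set up in the walkthrough.
# Added example, not Jumpserver project code. Container names come from
# the up.sh output; SAMPLE_RUNNING below is a constructed `docker ps` sample.

# Containers created by up.sh (from its printed output).
EXPECTED_CONTAINERS="jms_redis jms_mysql jms_core jms_lina jms_nginx jms_celery jms_lion jms_luna jms_koko"

# missing_containers "<running container names, one per line>"
# Prints each expected container that is not in the list, one per line.
# Exact-line matching (grep -x) so "jms_core" does not match "jms_core_old".
missing_containers() {
  running="$1"
  for c in $EXPECTED_CONTAINERS; do
    if ! printf '%s\n' "$running" | grep -qx "$c"; then
      printf '%s\n' "$c"
    fi
  done
}

# render_repo <centos_baseurl> <jumpserver_repo_dir>
# Reproduces the local.repo used in the walkthrough (including its
# gpgcheck=0 for the offline mirror) so it can be written from a script.
render_repo() {
  cat <<EOF
[centos]
name=centos
baseurl=$1
gpgcheck=0

[jumpserver]
name=jumpserver
baseurl=file://$2
gpgcheck=0
EOF
}

# Constructed sample of `docker ps --format '{{.Names}}'` in which
# jms_koko (the SSH/Telnet access component) has stopped.
SAMPLE_RUNNING="jms_redis
jms_mysql
jms_core
jms_lina
jms_nginx
jms_celery
jms_lion
jms_luna"

# Offline demonstration on the constructed sample: prints "jms_koko".
echo "missing in sample: $(missing_containers "$SAMPLE_RUNNING")"

# Live mode (this script's own flag): query the real daemon on the node.
if [ "${1:-}" = "--live" ] && command -v docker >/dev/null 2>&1; then
  missing="$(missing_containers "$(docker ps --format '{{.Names}}')")"
  if [ -n "$missing" ]; then
    echo "not running:" $missing
    exit 1
  fi
  echo "all Jumpserver containers are running"
fi
```

Run it as `sh jms_check.sh --live` on the Jumpserver node after `sh up.sh`; a non-zero exit with the names of the stopped containers tells you which component to inspect with `docker logs` before trying the web login. `render_repo ftp://192.168.200.10/centos /opt/jumpserver-repo > /etc/yum.repos.d/local.repo` writes the same repository file the walkthrough shows.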
Manage assets
Log in to the Jumpserver management platform as the administrator (admin), expand "Asset Management" in the left navigation bar, select "Manage User", and click the "Create" button on the right.
Manage users
Create a remote connection user with the user name root and the password "000000", then click "Submit" to create it.
Create administrative user
Select "System User" and click the "Create" button on the right to create a system user: choose the host protocol "SSH", set the user name to root and the password to the server's SSH password, then click "Submit".
Create system user
Expand "Asset Management" in the left navigation bar, select "Asset List", and click the "Create" button on the right.

Create an asset and add the cloud platform host (the controller) to the asset list.
Create asset: controller
Asset authorization
Expand "Rights Management" in the left navigation bar, select "Asset Authorization", and click the "Create" button on the right to create an asset authorization rule.
Create asset authorization rule
Test the connection
Click the administrator user drop-down menu in the upper right corner and select "User Interface".
If the asset host under the Default project does not appear, click the "Refresh" button next to Favorites.
Select "Web Terminal" in the left navigation bar to open the remote connection page.
Click Default on the left to expand the folder, click the controller host, and the connection to the host is established in the pane on the right.