Connecting the OpenStack platform to the bastion host

Introduction to the cloud bastion host
A bastion host is a system that, within a given network environment, uses a range of technical means to monitor and record how operations and maintenance (O&M) staff access servers, network devices, security appliances, databases and other equipment. Its purpose is to protect the network and its data from intrusion and damage by external and internal users alike, raising alarms centrally so that incidents can be handled promptly and reviewed during audit.
Cloud Bastion Host (CBH) is a "4A" unified security management and control platform that provides enterprises with centralized management of Accounts, Authorization, Authentication and Audit.

Cloud Bastion Host is a cloud security service that offers efficient O&M, authentication management, access control, security auditing and report analysis. O&M staff of a cloud tenant perform asset maintenance and operation auditing through it. Acting as a protocol-aware forward proxy, the bastion host records the data streams of common O&M protocols such as SSH, Windows Remote Desktop and SFTP, and the recorded streams can later be replayed as a session video for audit purposes.

The cloud bastion host provides a security management and control system for cloud computing, with functional modules for departments, users, resources, policies, O&M and auditing, and brings single sign-on, unified asset management, multi-terminal access protocols, file transfer and session collaboration together in one place. Through a single O&M login portal, and based on protocol forward proxying and remote-access isolation, it delivers centralized management and O&M auditing of cloud resources such as servers, cloud hosts, databases and application systems.

The cloud bastion host requires no client installation or deployment: multiple cloud servers are connected and managed through HTML5 technology, so enterprise users only need a mainstream browser or the mobile app to carry out O&M anytime, anywhere. It supports RDP, SSH, Telnet and VNC, and can reach Windows and Linux/Unix operating systems. By managing their cloud servers through the bastion host, enterprise users can satisfy the Level 3 protection requirements for user identity authentication, access control and security auditing.

Functionally, it combines two core capabilities: O&M of the core systems, and security audit control over how terminal computers access networks and servers. Figuratively speaking, every access from a terminal to a target has to pass through the O&M security audit, which acts as a gatekeeper for all requests to network devices and servers. It can therefore intercept unauthorized access and malicious attacks, block prohibited commands, filter out unauthorized actions against target devices, and audit and monitor internal staff's mistaken or unauthorized operations so that responsibility can be traced after the fact.

Use the provided software package to configure the YUM source. Download the jumpserver.tar.gz package from the provided address to the /root directory of the Jumpserver node.

[root@jumpserver ~]# ls
jumpserver.tar.gz

Extract it to the /opt directory

[root@jumpserver ~]# tar -zxvf jumpserver.tar.gz -C /opt/
[root@jumpserver ~]# cd /opt/
[root@jumpserver opt]# ls
compose  config  docker  docker.service  images  jumpserver  jumpserver-repo  static.env

Configure the YUM source

[root@jumpserver ~]# cd /etc/yum.repos.d/
[root@jumpserver yum.repos.d]# mkdir bak
[root@jumpserver yum.repos.d]# mv CentOS-* bak/
[root@jumpserver yum.repos.d]# cat local.repo
[centos]
name=centos
baseurl=ftp://192.168.200.10/centos
gpgcheck=0
[jumpserver]
name=jumpserver
baseurl=file:///opt/jumpserver-repo
gpgcheck=0

Install the dependencies

Install Python 2

[root@jumpserver ~]# yum install python2 -y

Install and configure the Docker environment

[root@jumpserver opt]# cp -rf /opt/docker/* /usr/bin/
[root@jumpserver opt]# chmod 775 /usr/bin/docker*
[root@jumpserver opt]# cp -rf /opt/docker.service /etc/systemd/system
[root@jumpserver opt]# chmod 775 /etc/systemd/system/docker.service
[root@jumpserver opt]# systemctl daemon-reload
[root@jumpserver opt]# systemctl enable docker --now
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /etc/systemd/system/docker.service.

Verify the service status

[root@jumpserver opt]# docker -v
Docker version 18.06.3-ce, build d7080c1
[root@jumpserver opt]# docker-compose -v
docker-compose version 1.27.4, build 40524192
[root@jumpserver opt]# 

Install the Jumpserver service

[root@jumpserver images]# ls
jumpserver_core_v2.11.4.tar  jumpserver_lion_v2.11.4.tar  jumpserver_nginx_alpine2.tar
jumpserver_koko_v2.11.4.tar  jumpserver_luna_v2.11.4.tar  jumpserver_redis_6-alpine.tar
jumpserver_lina_v2.11.4.tar  jumpserver_mysql_5.tar       load.sh
[root@jumpserver images]# cat load.sh 
#!/bin/bash
docker load -i jumpserver_core_v2.11.4.tar
docker load -i jumpserver_koko_v2.11.4.tar
docker load -i jumpserver_lina_v2.11.4.tar
docker load -i jumpserver_lion_v2.11.4.tar
docker load -i jumpserver_luna_v2.11.4.tar
docker load -i jumpserver_mysql_5.tar
docker load -i jumpserver_nginx_alpine2.tar
docker load -i jumpserver_redis_6-alpine.tar
[root@jumpserver images]# sh load.sh 

Create the Jumpserver service component directories

[root@jumpserver images]# mkdir -p /opt/jumpserver/{core,koko,lion,mysql,nginx,redis}
[root@jumpserver images]# cp -rf /opt/config /opt/jumpserver/

Load the environment variables from static.env, then start the Jumpserver services with the provided up.sh script

[root@jumpserver compose]# ls
config_static                docker-compose-lb.yml              docker-compose-network.yml         down.sh
docker-compose-app.yml       docker-compose-mysql-internal.yml  docker-compose-redis-internal.yml  up.sh
docker-compose-es.yml        docker-compose-mysql.yml           docker-compose-redis.yml
docker-compose-external.yml  docker-compose-network_ipv6.yml    docker-compose-task.yml
[root@jumpserver compose]# source /opt/static.env
[root@jumpserver compose]# sh up.sh
Creating network "jms_net" with driver "bridge"
Creating jms_redis ... done
Creating jms_mysql ... done
Creating jms_core  ... done
Creating jms_lina   ... done
Creating jms_nginx  ... done
Creating jms_celery ... done
Creating jms_lion   ... done
Creating jms_luna   ... done
Creating jms_koko   ... done
[root@jumpserver compose]#
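As an added example that is not part of the original post, a small post-deployment check that confirms every container up.sh created is running and that the web front end answers. It assumes the container names shown in the up.sh output above, the address http://192.168.200.30 used for the web login, and that docker and curl are run on the Jumpserver node.

```shell
#!/bin/sh
# Added example, not from the original post: post-deployment check for the
# JumpServer containers that up.sh creates. Container names come from the
# up.sh output; the web address is the one the post logs in to.
EXPECTED_CONTAINERS="jms_redis jms_mysql jms_core jms_lina jms_nginx jms_celery jms_lion jms_luna jms_koko"
JMS_URL="http://192.168.200.30"

# missing_containers PS_OUTPUT
#   PS_OUTPUT is the text of: docker ps -a --format '{{.Names}} {{.Status}}'
#   Prints one line per expected container that is absent from the list or
#   whose status does not begin with "Up" (e.g. "Exited (1) ..." or "Restarting").
missing_containers() {
  ps_output=$1
  for name in $EXPECTED_CONTAINERS; do
    state=$(printf '%s\n' "$ps_output" | awk -v n="$name" '$1 == n { print $2 }')
    [ "$state" = "Up" ] || printf '%s\n' "$name"
  done
}

# web_ui_reachable URL: succeeds only if nginx answers without an HTTP error
web_ui_reachable() {
  curl -fsS -o /dev/null --max-time 5 "$1"
}

# check_jumpserver: run both checks against the live node; non-zero on failure
check_jumpserver() {
  missing=$(missing_containers "$(docker ps -a --format '{{.Names}} {{.Status}}')")
  if [ -n "$missing" ]; then
    echo "containers not running:"; echo "$missing"; return 1
  fi
  if ! web_ui_reachable "$JMS_URL"; then
    echo "web UI at $JMS_URL not reachable"; return 1
  fi
  echo "all JumpServer components are up"
}

# Constructed sample of docker ps output (one component has exited), so the
# container check can be exercised offline without a running deployment.
SAMPLE_PS='jms_redis Up 3 minutes
jms_mysql Up 3 minutes
jms_core Up 2 minutes
jms_lina Up 2 minutes
jms_nginx Up 2 minutes
jms_celery Up 2 minutes
jms_lion Up 2 minutes
jms_luna Up 2 minutes
jms_koko Exited (1) 10 seconds ago'

# Offline dry run: sh check.sh (prints jms_koko). Live node: sh check.sh --check
if [ "${1:-}" = "--check" ]; then check_jumpserver; else missing_containers "$SAMPLE_PS"; fi
```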

Open http://192.168.200.30 in a browser and log in to the Jumpserver web interface with the default credentials (admin/admin)

After a successful login you will be prompted to set a new password

Change password

After logging in to the platform, use the drop-down menu in the upper right corner of the page to change the interface language setting to Chinese

At this point the Jumpserver installation is complete

Manage assets

Log in to the Jumpserver management platform as the administrator (admin), expand the "Asset Management" item in the left navigation bar, select "Manage User", and click the "Create" button on the right

Manage users

Create a remote connection user with the user name root and the password "000000", then click the "Submit" button

Create administrative user

Select "System User" and click the "Create" button on the right to create a system user: choose the "SSH" host protocol, set the user name to root and the password to the server's SSH password, then click the "Submit" button

Create system user

Expand the "Asset Management" item in the left navigation bar, select "Asset List", and click the "Create" button on the right

Create an asset and add the cloud platform host (controller) to it

Create an asset controller

Asset Authorization

Expand the "Rights Management" item in the left navigation bar, select "Asset Authorization", and click the "Create" button on the right to create an asset authorization rule

Create asset authorization rules

Test connection

Click the administrator user drop-down menu in the upper right corner and select "User Interface"


If the asset host under the Default project does not appear, click the "Refresh" button next to Favorites to refresh the list

In the left navigation bar, select "Web Terminal" to open the remote connection page

Click Default on the left, expand the folder and click the controller host; the session to the host opens in the pane on the right

Tags: Operation & Maintenance server cloud computing

Posted by mdmann on Mon, 20 Feb 2023 02:21:11 +1030