How to Set Up Jumpserver Bastion Host on Alibaba Cloud ECS

By Thomas Poon, Solutions Architect

Many customers have asked for a bastion host to manage logins to Elastic Compute Service (ECS), with auditing and session replay of what the logged-in users do. This article shows you how to do this; in particular, we will install and configure Jumpserver on an Alibaba Cloud ECS server. Jumpserver is a sophisticated bastion host product from FIT2CLOUD; it is open source, and customers can purchase enterprise support from them directly.

Prerequisites

Before you proceed with this tutorial, you should have a basic understanding of Alibaba Cloud's products and services, including ECS, Security Groups, terminal commands and SSH, to name a few.

Setting Up ECS

Purchase an ECS instance. For this article, I have chosen a CentOS server with public internet bandwidth.

For this blog, I used a pay-as-you-go (PAYG) g5 instance with 2 vCPUs and 8 GB RAM. Click “Next: Networking”.

After choosing the VPC and VSwitch, select “Assign public IP” and assign 50 Mbps of bandwidth to the instance.

At this point you can select the default Security Group. We will create a dedicated Jumpserver security group for this ECS later, since it is a bastion host.

Accept the Terms of Service and click “Create instance”.

After a few minutes the instance will be up and running. Copy the public IP and SSH to the machine.

Log in as root with the password you defined.

Setting Up Jumpserver on ECS

Copy and paste the following command and execute it; it sets up the firewall and SELinux.

You should see this screen after executing the command.

Then copy and paste the following command and execute it to set up the environment.

You should see this screen after executing the command.

Continue by downloading the components required by Jumpserver: copy and paste the following commands and run them.

You should see this screen after executing the command.

Run the following commands to process and set up the configuration files.

You should see this screen after executing the command.

Setting Up Jumpserver

It's time to start Jumpserver! Use the following script to start it.

You can copy the information displayed.

Now use a browser to open the page at the ECS public IP.

Log in with the default user admin and password admin, then change the admin password right away.

We will now configure the login for ECS: click Assets > Admin user, then “Create admin user”.

Input the username and password of the target ECS root account, and click “Submit”.

You will see the root-for-linux name here.

We also need to create a System user; Jumpserver switches to this user after logging in to the target ECS.

We input root as the Username, leave the other fields at their defaults, and click “Submit”.

You will see the system user “root” created.

Now we want to set up Jumpserver to log in to the “TP-OwnCloud” ECS, so we copy the private IP (192.168.1.119) of the OwnCloud ECS.

Then go to Asset list > “Create asset” to create the asset for the TP-OwnCloud ECS.

Paste the internal IP of TP-OwnCloud into the IP field, choose “root-for-linux” as the Admin user, and click “Submit”.

Then you should see that the asset is ready.

We also need to make sure the Security Group of TP-OwnCloud allows inbound port 22 from the Jumpserver host.
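
The two security-group boundaries this setup relies on are easy to get wrong by hand: the bastion should be reachable from the internet only on its Jumpserver ports, and the target ECS should accept SSH only from the bastion, not from 0.0.0.0/0 (which would let anyone bypass the audit trail). The following Python is an added example, not code from this article or from Jumpserver. It assumes Jumpserver's default ports of 80/tcp (web console) and 2222/tcp (SSH gateway), uses a constructed bastion private IP of 192.168.1.10 (the article does not give one), and represents rules with the field names of Alibaba Cloud's DescribeSecurityGroupAttribute response; in practice you would fetch the rules with the aliyun CLI or SDK instead of the constructed samples below. It generalizes the article's single rule to any list of rules and any port set.

```python
import ipaddress

# Constructed values for this example; the article does not give the bastion's private IP.
BASTION_PRIVATE_IP = "192.168.1.10"
# Assumed Jumpserver defaults: 80/tcp for the web console, 2222/tcp for the SSH gateway.
BASTION_PUBLIC_PORTS = {80, 2222}


def _port_bounds(port_range):
    """Parse an Alibaba-style 'lo/hi' PortRange; '-1/-1' means every port."""
    lo, hi = (int(x) for x in port_range.split("/"))
    if lo == -1 and hi == -1:
        return 1, 65535
    return lo, hi


def _accept_ingress(rules, proto="tcp"):
    """Yield (lo, hi, source_network) for each Accept ingress rule matching proto (or 'all')."""
    for rule in rules:
        if rule.get("Direction", "ingress") != "ingress":
            continue
        if rule.get("Policy", "Accept") != "Accept":
            continue
        if rule["IpProtocol"].lower() not in (proto, "all"):
            continue
        lo, hi = _port_bounds(rule["PortRange"])
        yield lo, hi, ipaddress.ip_network(rule["SourceCidrIp"], strict=False)


def check_target_ssh(rules, bastion_ip):
    """Target ECS: port 22 must be reachable from the bastion and from nothing wider."""
    bastion = ipaddress.ip_address(bastion_ip)
    sources = [net for lo, hi, net in _accept_ingress(rules) if lo <= 22 <= hi]
    findings = []
    if not any(bastion in net for net in sources):
        findings.append(f"port 22 not reachable from bastion {bastion_ip}")
    for net in sources:
        if net.prefixlen == 0:
            findings.append(f"port 22 open to {net} (whole internet), bastion can be bypassed")
        elif bastion not in net:
            findings.append(f"port 22 also open to {net}, which does not contain the bastion")
    return findings


def check_bastion_exposure(rules, public_ports=BASTION_PUBLIC_PORTS):
    """Bastion ECS: internet-wide rules may expose only the Jumpserver service ports."""
    findings = []
    for lo, hi, net in _accept_ingress(rules):
        if net.prefixlen != 0:
            continue  # not internet-wide; an admin subnet rule is fine here
        if set(range(lo, hi + 1)) - set(public_ports):
            findings.append(f"rule {lo}/{hi} from {net} exposes ports outside {sorted(public_ports)}")
    return findings


# Constructed sample rules in the shape of DescribeSecurityGroupAttribute permissions.
TARGET_RULES_GOOD = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": BASTION_PRIVATE_IP + "/32"},
]
TARGET_RULES_BAD = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
]
BASTION_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "2222/2222", "SourceCidrIp": "0.0.0.0/0"},
    # The host's own sshd left open to the internet: this one should be flagged.
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    # Host sshd from an admin subnet only: not internet-wide, so not flagged.
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "192.168.1.0/24"},
]

if __name__ == "__main__":
    print("target (good):", check_target_ssh(TARGET_RULES_GOOD, BASTION_PRIVATE_IP))
    print("target (bad): ", check_target_ssh(TARGET_RULES_BAD, BASTION_PRIVATE_IP))
    print("bastion:      ", check_bastion_exposure(BASTION_RULES))
```

An empty findings list means the rule set matches the bastion layout; anything else names the rule to tighten. Running the check after every security-group change (for example from a CI job that pulls the live rules) catches the common mistake of leaving port 22 on the target open to 0.0.0.0/0 "just for testing", which silently removes the recording Jumpserver is there to provide.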

Now everything is ready; it is time to create the Jumpserver user and use the service. Go to User list > “Create user”.

Create the user with Username kwpoon, input the email address and click “Submit”.

Since the SMTP server has not been configured yet, Jumpserver is not able to send emails. Instead, we can use the following command to change the user's password.

Now we need to associate the asset with user kwpoon. Click “Create permission” under Asset permission.

Input the name, then select User kwpoon, Asset “Owncloud” and System user root, and click “Submit”.

Then the permission should be ready.

Testing Jumpserver

Now we log in to the Jumpserver bastion host again as user kwpoon.

Accept the terms and conditions on first login.

You should see the Owncloud asset there; click “Connect”.

You should see this screen: you are already logged in to the Owncloud ECS without being prompted for a username or password. I then typed 3 commands here:

Audit/playback check: now I log in again as user admin.

A very cool dashboard shows information about the users and the hosts they logged in to.

I can even replay the session to see what kwpoon did previously.

This is exactly what kwpoon did.

You can check the login audit log as well.

Hope you find this tutorial useful!

Reference: https://www.alibabacloud.com/blog/how-to-set-up-jumpserver-bastion-host-on-alibaba-cloud-ecs_594787?spm=a2c41.12860609.0.0
