How to Set Up Jumpserver Bastion Host on Alibaba Cloud ECS

By Thomas Poon, Solutions Architect

Many customers have raised the requirement for a bastion host to manage logins to Elastic Compute Service (ECS) instances, with auditing and session-replay features for the users who log in. This article will teach you how to do this; in particular, we’ll show you how to install and configure Jumpserver on an Alibaba Cloud ECS server. Jumpserver is a sophisticated bastion host software from FIT2CLOUD; it is open source, and customers can purchase enterprise support from them directly.

Prerequisites

Before you proceed with this tutorial, you should have a basic understanding of Alibaba Cloud’s products and services. This includes familiarity with ECS, Security Groups, terminal commands and SSH, to name a few.

Setting Up ECS

Purchase an ECS instance. For this article, I have chosen a CentOS server with public internet bandwidth.

For this blog, I used a PAYG instance of the g5 instance type with 2 vCPU and 8 GB RAM; click “Next: Networking”.

After choosing the VPC and VSwitch, select “Assign public IP” and assign 50 Mbps of bandwidth to the instance.

At this point, you can select the default Security Group. We will need to create a dedicated Jumpserver security group for this ECS later, since it is a bastion host.

Accept the Terms of Service and click “Create instance”.

After a few minutes, the instance will be up and running; copy the public IP and SSH to the machine.

Log in with root and the password you defined.

Setting Up Jumpserver on ECS

Copy and paste the following command and execute it; it sets up the firewall and SELinux.

You should see this screen after executing the command.

Then copy and paste the following command and execute it to set up the environment.

You should see this screen after executing the command.

Continue by downloading the components required by Jumpserver. You can do this by copying and pasting the following commands and running them.

You should see this screen after executing the command.

Run the following commands to process and set up the configuration files.

You should see this screen after executing the command.

Setting Up Jumpserver

It’s time to start Jumpserver! Use the following script to start the jump server.

You can copy the information displayed.

Now use a browser to access the page via the ECS public IP.

Log in with the default user admin and password admin, then change your admin password right away.

We will start configuring the login for ECS: click Assets > Admin user, then “Create admin user”.

Input the username and password of the target ECS root account, and click “Submit”.

You will see the root-for-linux name here.

We also need to create a System user, which is the account Jumpserver will switch to after logging in to the target ECS.

We input root as the Username, leave the others as default, and click “Submit”.

You will see the system user “root” created.

Now we want to set up Jumpserver to log in to the “TP-OwnCloud” ECS, so we copy the private IP (192.168.1.119) of the OwnCloud ECS.

Then we go to Asset list > “Create asset” to create the asset for the TP-OwnCloud ECS.

Copy and paste the internal IP of TP-OwnCloud into the IP field, choose the Admin user “root-for-linux”, and click “Submit”.

Then you should see that the asset is ready.

We also need to make sure the Security Group of TP-OwnCloud allows inbound port 22 from the Jumpserver host only; port 22 on the managed ECS should not be open to the internet, otherwise the bastion can be bypassed.
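A small check for that security-group requirement, as an added example that is not part of the original article. The rule list is constructed to resemble the shape of the Permissions entries returned by Alibaba Cloud’s DescribeSecurityGroupAttribute API (IpProtocol, PortRange, SourceCidrIp, Policy, Direction); it is not a real API call, and the Jumpserver private IP is an assumed value since the article does not state it.

```python
"""Audit a security group so that SSH (22) is reachable only from the bastion."""
import ipaddress

# Assumed private IP of the Jumpserver ECS (placeholder, not from the article).
JUMPSERVER_IP = "192.168.1.10"

# Constructed rules for the TP-OwnCloud security group: the first rule is the
# common mistake (22 open to the world), the second is the intended rule.
SAMPLE_RULES = [
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "192.168.1.10/32", "Policy": "Accept"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "80/80",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept"},
]


def port_in_range(port_range, port):
    """PortRange is written 'low/high'; return True if port falls inside it."""
    low, high = port_range.split("/")
    return int(low) <= port <= int(high)


def audit_ssh_ingress(rules, bastion_ip, port=22):
    """Return (ok, findings).

    ok is True only when the bastion is explicitly allowed on `port` and no
    accept rule for that port admits any other source address.
    """
    bastion = ipaddress.ip_address(bastion_ip)
    findings = []
    bastion_allowed = False
    for rule in rules:
        if rule.get("Direction", "ingress") != "ingress":
            continue
        if rule["Policy"].lower() != "accept":
            continue
        proto = rule["IpProtocol"].upper()
        if proto not in ("TCP", "ALL"):
            continue
        if proto == "TCP" and not port_in_range(rule["PortRange"], port):
            continue
        source = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
        if source.num_addresses == 1 and bastion in source:
            bastion_allowed = True
        else:
            findings.append(
                f"port {port} accepted from {source}, wider than the bastion {bastion}"
            )
    if not bastion_allowed:
        findings.append(f"no /32 rule admits the bastion {bastion} on port {port}")
    return (not findings, findings)


if __name__ == "__main__":
    ok, problems = audit_ssh_ingress(SAMPLE_RULES, JUMPSERVER_IP)
    print("OK" if ok else "FINDINGS:")
    for line in problems:
        print("  -", line)
```

Feeding the function the real rule list from the console or the CLI output is the only change needed to run this against a live group; the point it makes is that a narrow bastion rule does not help while a broader accept rule for the same port still exists.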

Now everything is ready; it is time to create the Jumpserver user and use the service. Go to User list > “Create user”.

Create the user with Username: kwpoon, input the email address and click “Submit”.

Since the SMTP server has not been configured yet, Jumpserver is not able to send the welcome email. Instead, we can use the following command to change the password of the user.

Now we need to associate the asset with user kwpoon. Click “Create permission” under Asset permission.

Input the name, then select User kwpoon, Asset “Owncloud” and System user root, and click “Submit”.

Then the permission should be ready.
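To make the access model behind these three steps concrete (admin user, system user, asset permission), here is an added example that is not part of the article or of Jumpserver’s own code: a minimal model of the user → asset → system-user relation that Jumpserver evaluates when a user clicks “Connect”. The object names mirror the article (kwpoon, Owncloud, root-for-linux, root); the data is constructed.

```python
"""Minimal model of the Jumpserver permission relation used in this article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    admin_user: str   # privileged account Jumpserver itself uses on the host


@dataclass(frozen=True)
class AssetPermission:
    name: str
    users: frozenset        # Jumpserver usernames
    assets: frozenset       # asset names
    system_users: frozenset # accounts the session is switched to on the host


# Constructed data mirroring the article's objects.
ASSETS = {
    "Owncloud": Asset(name="Owncloud", ip="192.168.1.119", admin_user="root-for-linux"),
}
PERMISSIONS = [
    AssetPermission(
        name="kwpoon-owncloud",
        users=frozenset({"kwpoon"}),
        assets=frozenset({"Owncloud"}),
        system_users=frozenset({"root"}),
    ),
]


def resolve_access(permissions, user, asset_name, system_user):
    """True only if some permission grants `user` -> `asset_name` as `system_user`."""
    return any(
        user in p.users and asset_name in p.assets and system_user in p.system_users
        for p in permissions
    )


def effective_logins(permissions, user):
    """Map each reachable asset to the set of host accounts `user` may become.

    This is the view to review when checking least privilege: every asset that
    maps to {'root'} is a place where the bastion user gets full control.
    """
    result = {}
    for p in permissions:
        if user not in p.users:
            continue
        for asset in p.assets:
            result.setdefault(asset, set()).update(p.system_users)
    return result


if __name__ == "__main__":
    print(resolve_access(PERMISSIONS, "kwpoon", "Owncloud", "root"))   # True
    print(resolve_access(PERMISSIONS, "kwpoon", "Owncloud", "www"))    # False
    print(effective_logins(PERMISSIONS, "kwpoon"))
```

The admin user (root-for-linux) never appears in the permission check: it is the credential Jumpserver keeps for itself, while the system user is what the connecting person becomes. Creating a non-root system user with limited sudo rights, rather than root as the article does for brevity, is the usual way to keep that second set small.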

Testing Jumpserver

Now we log in to the Jumpserver bastion host again as user kwpoon.

Accept the terms and conditions on the first login.

You should see the Owncloud asset there; click “Connect”.

You should see this screen: already logged in to the OwnCloud ECS without being prompted for a username/password. Then I typed 3 commands here:

Audit/playback check: now I log in again using user admin.

A very cool dashboard shows the information about the users and the hosts they logged in to.

I can even replay the session to see what kwpoon did previously.

This is exactly what kwpoon did.

You can check the login audit log as well.

Hope you find this tutorial useful!

Reference: https://www.alibabacloud.com/blog/how-to-set-up-jumpserver-bastion-host-on-alibaba-cloud-ecs_594787?spm=a2c41.12860609.0.0