BestHub
Sign in
Information Security 9 min read

How to Install and Configure JumpServer 3.0 Bastion Host on CentOS

This step‑by‑step guide shows how to install JumpServer 3.0, an open‑source Python bastion host, on CentOS 6.5, configure its dependencies, database, web interface, user and asset management, and secure it with an Nginx reverse proxy.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
How to Install and Configure JumpServer 3.0 Bastion Host on CentOS

What is JumpServer?

JumpServer is an open‑source bastion (jump) host written in Python that manages SSH access without requiring agents on client machines.

JumpServer 3.0 Installation

Compared with version 2.0, JumpServer 3.0 removes LDAP authentication, uses SSH for user push, and offers a simplified installation process.

1. Install dependencies

yum -y install epel-release && yum clean all && yum makecache
yum -y update
yum -y install git python-pip MySQL-devel gcc automake autoconf python-devel vim sshpass lrzsz readline-devel

2. Download JumpServer

Run:

cd /opt
git clone https://github.com/jumpserver/jumpserver.git

If the clone fails, download the zip package from GitHub and unzip it.

3. Run the quick‑install script

cd /opt/jumpserver/install
pip install -r requirement.txt

Check installed packages with pip freeze.

Execute the installer: python install.py Enter the JumpServer address (default 192.168.1.200) and confirm MySQL installation by choosing “y”.

4. Configure MySQL and mail

After MySQL starts, provide the mail server and account information (used for sending usernames, SSH passwords, web passwords, and SSH keys). Use an authorized password for 163.com mail, not the login password.

If you encounter a pycrypto error, reinstall it:

pip uninstall pycrypto
easy_install pycrypto

5. Complete installation

Run python install.py again, set the web admin username and password, and finish.

6. Set up scheduled tasks

Run the following to add crontab jobs for cleaning expired connections and updating asset information:

cd /opt/jumpserver
python manage.py crontab add

7. Web login

Access the web UI at http://192.168.1.200. Ensure client servers have Python and sudo installed; if SELinux is enabled, install libselinux-python.

8. Update code

cd /opt/jumpserver
git pull

Detailed Operations

User Management

Add users via “User Management → View Users → Add User”, fill in username, name, permissions, email, and save.

Add user groups via “User Management → View User Groups → Add Group”.

Asset Management

Create asset groups, assets, and data centers through the “Asset Management” menu, providing host name, IP, admin username, port, and group.

Permission Management

Define sudo aliases under “Permission Management → sudo → Add Alias”.

Add system users under “Authorization Management → System Users → Add System User”, then push the credentials to target servers.

Create authorization rules via “Authorization Management → Authorization Rules → Add Rule”, specifying user/group, asset/group, system user, and notes.

Login

Users can log in via the web UI to see their ID, permissions, keys, and authorized hosts, then connect to a host.

Alternatively, download the SSH key from the email, import it via “Tools → User Key Management”, and connect to the bastion host with the key password.

Secure the Service with Nginx

log_format jumpserver '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$request_time" $request_body "$http_referer" "$http_user_agent" "$http_x_forwarded_for" $scheme $http_host';
server {
    listen 8080 ssl;
    listen 80;
    deny all;
    server_name jumpserver.example.com;
    index index.html index.htm index.php;
    ssl_certificate ssl/example.com.crt;
    ssl_certificate_key ssl/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    if ($scheme = http) {
        rewrite ^(.*)$ https://$host:8090$request_uri? permanent;
    }
    location / {
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        proxy_pass http://10.43.12.31:8090;
    }
    location ^~ /ws/ {
        proxy_pass http://10.43.12.31:8090/ws/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    access_log /data0/logs/jumpserver.log jumpserver;
    error_log /data0/logs/jumpserver_error.log debug;
}

After configuring Nginx, restart both Nginx and JumpServer services.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

PythonsecurityInstallationCentOSJumpServerBastion Host
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment