Install Bastillion Jump Server on CentOS 7 - CentLinux

Wednesday, 13 November 2019

Install Bastillion Jump Server on CentOS 7

Bastillion is a web-based SSH terminal emulator. Using Bastillion, we can configure a jump server that provides centrally managed administrative access to systems. Bastillion layers TLS/SSL on top of SSH and acts as a bastion host for administration. Bastillion is freemium software: we can add a maximum of 6 users and 12 systems without acquiring a subscription.

In this article, we install Bastillion Jump Server on CentOS 7. Bastillion is a fork of Keybox, and the same steps can be used to install Keybox on CentOS 7.

 

Bastillion Features:

The core features of Bastillion are:

  • Centralized user control
  • Prevent SSH key sprawl and access mismanagement
  • Infrastructure protection
  • Layered Protocols
  • Auditable

 

Environment Specification:

We have configured a CentOS 7 based virtual machine for this tutorial.

  • CPU - 3.4 GHz (2 cores)
  • Memory - 2 GB
  • Storage - 20 GB
  • Operating System - CentOS 7.7
  • Hostname - bastillion-01.recipes.com
  • IP Address - 192.168.116.213/24

 

Installing Java 9 on CentOS 7:

Bastillion is a Java-based web application and requires OpenJDK / Oracle JDK 1.9 or later.

Oracle JDK 1.9 is available for download at the Oracle website.

An Oracle user account is required to download Oracle JDK 1.9. Therefore, log in to the Oracle website and download Oracle JDK 1.9 (RPM).

Transfer the downloaded file to bastillion-01.recipes.com using WinSCP.

Connect to bastillion-01.recipes.com using SSH as the root user and install Oracle JDK using the rpm command.

[root@bastillion-01 ~]# rpm -ivh jdk-9.0.4_linux-x64_bin.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:jdk-9.0.4-2000:9.0.4-ga          ################################# [100%]
Unpacking JAR files...
        plugin.jar...
        javaws.jar...
        deploy.jar...

Set the JAVA_HOME environment variable.

[root@bastillion-01 ~]# echo "export JAVA_HOME=/usr/java/jdk-9.0.4/" >> /etc/profile

Verify Java installation.

[root@bastillion-01 ~]# java -version
java version "9.0.4"
Java(TM) SE Runtime Environment (build 9.0.4+11)
Java HotSpot(TM) 64-Bit Server VM (build 9.0.4+11, mixed mode)

Oracle JDK 9 has been installed on CentOS 7.

 

Installing Bastillion on CentOS 7:

Bastillion is available for download on GitHub.

Download Bastillion-Jetty using the wget command.

[root@bastillion-01 ~]# wget https://github.com/bastillion-io/Bastillion/releases/download/v3.08.01/bastillion-jetty-v3.08_01.tar.gz
--2019-11-11 19:55:03-- https://github.com/bastillion-io/Bastillion/releases/download/v3.08.01/bastillion-jetty-v3.08_01.tar.gz
Resolving github.com (github.com)... 140.82.113.4
Connecting to github.com (github.com)|140.82.113.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/8083731/0aaf9e00-de42-11e9-9c7b-f1077b02ff54?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191111%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191111T145505Z&X-Amz-Expires=300&X-Amz-Signature=f5a6cbd0b455305d4e316f242e4f5e18562ebb38ce81d6543b17ac5ec7fab9bf&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dbastillion-jetty-v3.08_01.tar.gz&response-content-type=application%2Foctet-stream [following]
--2019-11-11 19:55:05-- https://github-production-release-asset-2e65be.s3.amazonaws.com/8083731/0aaf9e00-de42-11e9-9c7b-f1077b02ff54?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191111%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191111T145505Z&X-Amz-Expires=300&X-Amz-Signature=f5a6cbd0b455305d4e316f242e4f5e18562ebb38ce81d6543b17ac5ec7fab9bf&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dbastillion-jetty-v3.08_01.tar.gz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.99.83
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.99.83|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19016060 (18M) [application/octet-stream]
Saving to: ‘bastillion-jetty-v3.08_01.tar.gz’

100%[======================================>] 19,016,060 232KB/s in 2m 20s

2019-11-11 19:57:27 (132 KB/s) - ‘bastillion-jetty-v3.08_01.tar.gz’ saved [19016060/19016060]

Extract the tarball using the tar command.

[root@bastillion-01 ~]# tar xvf bastillion-jetty-v3.08_01.tar.gz
...
Bastillion-jetty/jetty/modules/alpn-impl/alpn-1.8.0_172.mod
Bastillion-jetty/jetty/modules/alpn-impl/alpn-1.8.0_222.mod
Bastillion-jetty/jetty/modules/alpn-impl/alpn-1.8.0_05.mod
Bastillion-jetty/jetty/modules/alpn-impl/alpn-1.8.0_40.mod
Bastillion-jetty/jetty/modules/alpn-impl/alpn-1.8.0_151.mod
Bastillion-jetty/jetty/modules/gcloud-datastore.mod
Bastillion-jetty/jetty/modules/apache-jsp.mod
Bastillion-jetty/jetty/modules/ssl/
Bastillion-jetty/jetty/modules/ssl/keystore
Bastillion-jetty/jetty/modules/jstl.mod
Bastillion-jetty/jetty/modules/threadlimit.mod
Bastillion-jetty/jetty/modules/customrequestlog.mod
Bastillion-jetty/jetty/modules/infinispan-remote.mod
Bastillion-jetty/jetty/modules/client.mod
Bastillion-jetty/jetty/modules/deprecated.properties
Bastillion-jetty/jetty/modules/logback-impl.mod
Bastillion-jetty/jetty/modules/infinispan-remote-query.mod
Bastillion-jetty/jetty/modules/jminix/
Bastillion-jetty/jetty/modules/jminix/jminix.xml
Bastillion-jetty/startBastillion.sh
Bastillion-jetty/README.md
Bastillion-jetty/3rdPartyLicenses.md
Bastillion-jetty/LICENSE.md

Move the extracted directory to the /usr/lib directory.

[root@bastillion-01 ~]# mv Bastillion-jetty/ /usr/lib/

 

Configure CentOS 7 Firewall for Bastillion:

Allow the Bastillion default service port 8443/tcp in the CentOS 7 firewall.

[root@bastillion-01 ~]# firewall-cmd --permanent --add-port=8443/tcp
success
[root@bastillion-01 ~]# firewall-cmd --reload
success
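
The rule above opens 8443/tcp to every source address. The script below is an added example, not part of the original article: it swaps that rule for a firewalld rich rule that admits only one admin network. The 192.168.116.0/24 default is an assumption derived from the lab address above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: limit the Bastillion console port to one admin network.
# ADMIN_NET is an assumption (the /24 of the lab address used in this article).
ADMIN_NET="${ADMIN_NET:-192.168.116.0/24}"
PORT=8443

# Build the firewalld rich rule accepting PORT/tcp only from the given CIDR.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# Accept only a well-formed IPv4 CIDR. A /0 prefix is refused because it
# would reopen the port to every source.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    case "$ip" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

apply_scoped_rule() {
    valid_cidr "$1" || { echo "invalid admin network: $1" >&2; return 1; }
    # Setting from the step above: 8443/tcp reachable from any source.
    firewall-cmd --permanent --remove-port="${PORT}/tcp"
    # Scoped setting: same port, admin network only.
    firewall-cmd --permanent --add-rich-rule="$(rich_rule "$1" "$PORT")"
    firewall-cmd --reload
    firewall-cmd --list-rich-rules
}

# Dry run by default; pass --apply (as root) to change the firewall.
if [ "${1:-}" = "--apply" ]; then
    apply_scoped_rule "$ADMIN_NET"
else
    echo "dry run: $(rich_rule "$ADMIN_NET" "$PORT")"
fi
```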

 

Configuring Bastillion Service on CentOS 7:

Start Bastillion as follows.

[root@bastillion-01 ~]# cd /usr/lib/Bastillion-jetty/
[root@bastillion-01 Bastillion-jetty]# ./startBastillion.sh
2019-11-11 20:02:52.788:INFO::main: Logging initialized @3947ms to org.eclipse.jetty.util.log.StdErrLog
2019-11-11 20:02:53.605:WARN:oejx.XmlConfiguration:main: Deprecated method public void org.eclipse.jetty.server.HttpConfiguration.setBlockingTimeout(long) in file:///root/Bastillion-jetty/jetty/etc/jetty.xml
2019-11-11 20:02:54.188:INFO::main: Console stderr/stdout captured to /root/Bastillion-jetty/jetty/logs/2019_11_11.jetty.log
Please enter database password:
Please confirm database password:

Since we are starting Bastillion for the first time, we have to set the database password here.

Press Ctrl+C to stop the process, because we will start Bastillion as a service.

Configure Bastillion startup service on CentOS 7 as follows.

[root@bastillion-01 Bastillion-jetty]# cd
[root@bastillion-01 ~]# cp /usr/lib/Bastillion-jetty/jetty/bin/jetty.sh /etc/init.d/bastillion
[root@bastillion-01 ~]# echo JETTY_HOME=/usr/lib/Bastillion-jetty/jetty > /etc/default/bastillion
[root@bastillion-01 ~]# chkconfig --add bastillion
[root@bastillion-01 ~]# service bastillion start
Starting Jetty: 2019-11-11 21:36:04.745:INFO::main: Logging initialized @1380ms to org.eclipse.jetty.util.log.StdErrLog
2019-11-11 21:36:05.184:WARN:oejx.XmlConfiguration:main: Deprecated method public void org.eclipse.jetty.server.HttpConfiguration.setBlockingTimeout(long) in file:///usr/lib/Bastillion-jetty/jetty/etc/jetty.xml
2019-11-11 21:36:05.400:INFO::main: Console stderr/stdout captured to /usr/lib/Bastillion-jetty/jetty/logs/2019_11_11.jetty.log
. OK Mon Nov 11 21:36:11 PKT 2019

 

Accessing Bastillion Web Console:

Browse to https://bastillion.recipes.com:8443 in a client's browser. The browser may display a security warning because of the self-signed SSL certificate.

Ignore the warning and proceed to website.
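
A self-signed certificate can still be checked before the warning is accepted: read its SHA-256 fingerprint once on the server itself over SSH, then compare it with what the client's network path presents. This is an added example, not part of the original article; the script and function names are hypothetical, and the host and port are the ones used above.

```shell
#!/bin/sh
# Added example: pin the console's self-signed certificate by SHA-256 fingerprint.
# Usage (script name pin-check.sh is hypothetical):
#   on the server, over SSH:  sh pin-check.sh show
#   on the client:            sh pin-check.sh check '<fingerprint from the server>'

# Reduce "SHA256 Fingerprint=AB:CD:..." (any case, with or without colons)
# to bare lowercase hex so two readings can be compared directly.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Print the fingerprint of the leaf certificate a TLS endpoint presents.
# Prints nothing if the connection fails or no certificate is returned.
server_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Succeed only if both readings are complete SHA-256 digests and identical.
# An empty reading (failed connection) therefore never counts as a match.
fp_matches() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    case "$a" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

case "${1:-}" in
    show)
        server_fp "${2:-localhost}" "${3:-8443}" ;;
    check)
        seen=$(server_fp "${3:-bastillion.recipes.com}" "${4:-8443}")
        if fp_matches "$2" "$seen"; then
            echo "MATCH: same certificate as the trusted reading"
        else
            echo "MISMATCH or no certificate received" >&2
            exit 1
        fi ;;
esac
```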

Log in to the Bastillion web UI using the default username/password, i.e. admin/changeme.

After a successful login, we arrive at the next configuration page, where we are asked to set up two-factor authentication for Android and iOS.

We do not need it right now, so we skip this step by clicking the Skip for now button.

Click on Systems.

Click on Add System to add a machine in Bastillion jump server.

Another dialog box will show up and ask for the password of the machine we are adding to Bastillion.

Provide the password and click on Submit.

Our machine has been added into Bastillion.

Click on Home to go back to main page.

Click on Users.

Click on Add User to add a new user in Bastillion.

[Screenshot: adding a user]

Add a user as per the above screenshot.

Click on Home.

Click on Composite SSH Terms.

Select your machine and click on Create SSH Terminals.

The system will ask you for the password.

Enter the password and click on Submit.

After successful authentication, an SSH terminal is spawned for the machine.

We have successfully installed Bastillion jump server on CentOS 7.

3 comments:

  1. Thanks for your article. Do you know how I can add a new system when password authentication on this system is disabled?
    I first added the Public SSH Key used for application authentication when registering systems (menu settings) in the .ssh/authorized_keys file of the new system (before registering it). After that I thought I could register the new system without providing any password. However, this did not work. Do you have any idea? Thanks.
