# 1. System installation
Every jrasp component ships with a one-click deployment script, which removes the complicated environment setup and reduces the operational burden of installation. The whole installation takes roughly 30 minutes.
## JDK 8 installation
http://www.jrasp.com/developer/software.html
## Installing the ZooKeeper cluster
- Node 1: 10.8.0.4 (internal network), 4 cores / 8 GB RAM / 30 GB disk
- Node 2: 10.8.0.5 (internal network), 4 cores / 8 GB RAM / 30 GB disk
- Node 3: 10.8.0.6 (internal network), 4 cores / 8 GB RAM / 30 GB disk
One-click install script:

```bash
## download and unpack
mkdir -p /opt/zookeeper
mkdir -p /tmp/zookeeper
wget https://repo.huaweicloud.com/apache/zookeeper/zookeeper-3.7.0/apache-zookeeper-3.7.0-bin.tar.gz
tar -zxvf apache-zookeeper-3.7.0-bin.tar.gz -C /opt/zookeeper

## zoo.cfg (identical on all three nodes)
cat << EOF > /opt/zookeeper/apache-zookeeper-3.7.0-bin/conf/zoo.cfg
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/tmp/zookeeper
clientPort=2181
server.1=10.8.0.4:2888:3888
server.2=10.8.0.5:2888:3888
server.3=10.8.0.6:2888:3888
EOF

## myid: 1 on node 1, 2 on node 2, 3 on node 3
cat << EOF > /tmp/zookeeper/myid
1
EOF

## systemd unit: start on boot and restart automatically
cat << EOF > /usr/lib/systemd/system/zookeeper.service
[Unit]
Description=Zookeeper server manager

[Service]
Type=forking
Environment=JAVA_HOME=/usr/local/java/jdk1.8.0_181
ExecStart=/opt/zookeeper/apache-zookeeper-3.7.0-bin/bin/zkServer.sh start
ExecStop=/opt/zookeeper/apache-zookeeper-3.7.0-bin/bin/zkServer.sh stop
ExecReload=/opt/zookeeper/apache-zookeeper-3.7.0-bin/bin/zkServer.sh restart
Restart=always

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable zookeeper
systemctl start zookeeper
## stop/restart/status are the day-to-day management commands
systemctl stop zookeeper
systemctl restart zookeeper
systemctl status zookeeper
```
(Copy the commands above and run them in a terminal.)
Note that the node number written to /tmp/zookeeper/myid must differ on each node: 1, 2 and 3 in order, matching the server.1, server.2 and server.3 entries in zoo.cfg.
To verify the installation, check /opt/zookeeper/apache-zookeeper-3.7.0-bin/logs/zookeeper--server-{hostname}.log for error entries; if there are none, the installation succeeded.
## Installing the Kafka cluster (on the same machines as ZooKeeper)
```bash
## download and unpack
mkdir -p /opt/kafka
wget https://repo.huaweicloud.com/apache/kafka/2.8.0/kafka_2.13-2.8.0.tgz
tar -zxvf kafka_2.13-2.8.0.tgz -C /opt/kafka

## server.properties: broker.id, listeners, advertised.listeners and zookeeper.connect
## are per node; {公网ip} is a placeholder for this node's public IP
cat << EOF > /opt/kafka/kafka_2.13-2.8.0/config/server.properties
broker.id=1
listeners=PLAINTEXT://10.8.0.4:9092
advertised.listeners=PLAINTEXT://{公网ip}:9092
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
log.dirs=/tmp/kafka-logs
num.partitions=1
num.recovery.threads.per.data.dir=1
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
log.retention.hours=168
log.segment.bytes=1073741824
log.retention.check.interval.ms=300000
zookeeper.connect=10.8.0.4:2181,10.8.0.5:2181,10.8.0.6:2181
zookeeper.connection.timeout.ms=18000
group.initial.rebalance.delay.ms=0
EOF

## systemd unit: start on boot and restart automatically
cat << EOF > /usr/lib/systemd/system/kafka.service
[Unit]
Description=kafka service

[Service]
Type=simple
Environment=JAVA_HOME=/usr/local/java/jdk1.8.0_181
ExecStart=/opt/kafka/kafka_2.13-2.8.0/bin/kafka-server-start.sh /opt/kafka/kafka_2.13-2.8.0/config/server.properties
ExecStop=/opt/kafka/kafka_2.13-2.8.0/bin/kafka-server-stop.sh
Restart=always

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kafka
systemctl stop kafka
systemctl start kafka
systemctl status kafka
```
Before running the script above, change broker.id, listeners, advertised.listeners and zookeeper.connect to match the corresponding ZooKeeper node:

- broker.id is the node number: 1, 2, 3 in order
- listeners is this node's internal address
- advertised.listeners is this node's public address (the listener is PLAINTEXT, so it is neither authenticated nor encrypted; restrict which hosts can reach port 9092)
- zookeeper.connect lists the internal addresses of the ZooKeeper cluster nodes

To verify the installation, check each node's log for error entries: /opt/kafka/kafka_2.13-2.8.0/logs/server.log
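A pre-flight check for one ZooKeeper/Kafka node, added here as an example and not part of the jrasp project or this guide: it confirms that the node's myid matches the server.N entry carrying its internal IP in zoo.cfg, that zoo.cfg lists three servers, and that broker.id and listeners in server.properties agree with that node. The function name and argument order are my own.

```shell
#!/usr/bin/env bash
# Pre-flight consistency check for one ZooKeeper/Kafka node (added example, not jrasp code).
# Usage: check_node_config <zoo.cfg> <myid file> <server.properties> <this node's internal IP>
# Returns 0 when the node's numbering and addresses agree, 1 otherwise, printing each finding.
check_node_config() {
  local zoo_cfg=$1 myid_file=$2 kafka_props=$3 local_ip=$4
  local rc=0 myid expected_id broker_id listeners
  myid=$(tr -d '[:space:]' < "$myid_file")

  # Which server.N line in zoo.cfg carries this machine's internal IP?
  expected_id=$(sed -n "s/^server\.\([0-9][0-9]*\)=${local_ip}:.*/\1/p" "$zoo_cfg")
  if [ -z "$expected_id" ]; then
    echo "ERROR: $local_ip is not listed as any server.N in $zoo_cfg"; rc=1
  elif [ "$myid" != "$expected_id" ]; then
    echo "ERROR: myid is '$myid' but zoo.cfg maps $local_ip to server.$expected_id"; rc=1
  fi

  # The ensemble must be the same on every node: exactly three server.N lines.
  if [ "$(grep -c '^server\.[0-9][0-9]*=' "$zoo_cfg")" -ne 3 ]; then
    echo "ERROR: expected 3 server.N lines in $zoo_cfg"; rc=1
  fi

  # The guide numbers Kafka brokers the same way as ZooKeeper nodes (1, 2, 3).
  broker_id=$(sed -n 's/^broker\.id=//p' "$kafka_props")
  if [ "$broker_id" != "$myid" ]; then
    echo "ERROR: broker.id=$broker_id differs from myid=$myid"; rc=1
  fi

  # listeners must bind this node's own internal IP, not another node's.
  listeners=$(sed -n 's/^listeners=//p' "$kafka_props")
  case "$listeners" in
    *"//${local_ip}:"*) ;;
    *) echo "ERROR: listeners=$listeners does not use this node's internal IP $local_ip"; rc=1 ;;
  esac

  [ "$rc" -eq 0 ] && echo "OK: $local_ip is server.$myid / broker.id=$broker_id"
  return "$rc"
}
```

Run it on each node with that node's own internal IP before starting the services; a non-zero exit means the node would join the ensemble under the wrong identity.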
Create the three topics jrasp-daemon, jrasp-agent and jrasp-module:

```bash
### topic creation (run from /opt/kafka/kafka_2.13-2.8.0/bin)
./kafka-topics.sh --zookeeper 10.8.0.4:2181,10.8.0.5:2181,10.8.0.6:2181 --create --topic jrasp-daemon --partitions 3 --replication-factor 3
./kafka-topics.sh --zookeeper 10.8.0.4:2181,10.8.0.5:2181,10.8.0.6:2181 --create --topic jrasp-agent --partitions 3 --replication-factor 3
./kafka-topics.sh --zookeeper 10.8.0.4:2181,10.8.0.5:2181,10.8.0.6:2181 --create --topic jrasp-module --partitions 3 --replication-factor 3
```
If a topic was created by mistake, delete it with:

```bash
./kafka-topics.sh --zookeeper 10.8.0.4:2181,10.8.0.5:2181,10.8.0.6:2181 --delete --topic jrasp-daemon
```
## Nacos installation
The company has around 200 machines in total, which a single Nacos node can support.
```bash
wget https://jrasp-daemon-1254321150.cos.ap-shanghai.myqcloud.com/nacos-server-2.0.3.tar.gz
tar -zxvf nacos-server-2.0.3.tar.gz -C /opt/
cd /opt/nacos/bin
sh startup.sh -m standalone
```
## Management console installation (not publicly released yet; contact us to obtain it free of charge)
## MySQL database installation and initialisation (MySQL 5.7)
### Backend installation: Spring Boot + Spring Security
### Frontend installation: Ant Design Pro + nginx
## jrasp-agent installation
```bash
## download the package
wget https://jrasp-daemon-1254321150.cos.ap-shanghai.myqcloud.com/2022-05-05/1.0.4/jrasp-1.0.4.tar.gz
tar -xvf jrasp-1.0.4.tar.gz -C /usr/local/

## daemon service
cat << EOF > /usr/lib/systemd/system/jrasp-daemon.service
[Unit]
Description=jrasp-daemon service

[Service]
Type=simple
WorkingDirectory=/usr/local/jrasp/bin
ExecStart=/usr/local/jrasp/bin/startup.sh
ExecStop=/usr/local/jrasp/bin/shutdown.sh
Restart=always

[Install]
WantedBy=multi-user.target
EOF

## start on boot and restart automatically
systemctl daemon-reload
systemctl enable jrasp-daemon.service
systemctl stop jrasp-daemon.service
systemctl start jrasp-daemon.service
systemctl status jrasp-daemon.service
```
## Filebeat one-click installation
```bash
## log directory
logDir=/usr/local/jrasp/logs
## Filebeat install directory
fileBeatHome=/opt/filebeat
cd /opt/ && yum install wget -y && wget https://repo.huaweicloud.com/filebeat/7.9.1/filebeat-7.9.1-linux-x86_64.tar.gz
tar -zxvf filebeat-7.9.1-linux-x86_64.tar.gz -C /opt/ && mv filebeat-7.9.1-linux-x86_64 filebeat && rm -rf filebeat-7.9.1-linux-x86_64.tar.gz

## filebeat.yml: one input per jrasp log file, each tagged with the Kafka topic it is routed to.
## The heredoc is unquoted so ${logDir} expands now; \${path.config} is escaped so Filebeat expands it.
## Replace kafka_ip_1..3 with the brokers' addresses.
cat << EOF > ${fileBeatHome}/filebeat.yml
filebeat.inputs:
- type: log
  fields:
    kafka_topic: "jrasp-daemon"
  paths:
    - ${logDir}/jrasp-daemon.log
- type: log
  fields:
    kafka_topic: "jrasp-agent"
  paths:
    - ${logDir}/jrasp-agent.log
- type: log
  fields:
    kafka_topic: "jrasp-module"
  paths:
    - ${logDir}/jrasp-module.log
filebeat.config.modules:
  path: \${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
output.kafka:
  enabled: true
  hosts: ["kafka_ip_1:9092","kafka_ip_2:9092","kafka_ip_3:9092"]
  topic: '%{[fields.kafka_topic]}'
# one processors list: the original declared "processors:" twice, and YAML
# does not allow a duplicated top-level key, so both lists are merged here
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
  - decode_json_fields:
      fields: ['message']
      target: ''
      overwrite_keys: true
  - drop_fields:
      # Filebeat keeps @timestamp even when it is listed here
      fields: ["host","agent","log","input","ecs","@timestamp"]

logging.level: info
EOF

## systemd unit
cat << EOF > /usr/lib/systemd/system/filebeat.service
[Unit]
Description=filebeat
Wants=network-online.target
After=network-online.target
[Service]
User=root
ExecStart=${fileBeatHome}/filebeat -c ${fileBeatHome}/filebeat.yml
Restart=always
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload && systemctl enable filebeat.service
systemctl stop filebeat.service && systemctl start filebeat.service
systemctl status filebeat.service
```
# 2. Management console configuration
Security overview
Instance management
**Host details**
(The user's machines are high-spec, so many services are installed on a single host.)
Policy configuration
Plugin management
The user's web container is Undertow, so we developed this plugin on short notice.
Other plugins will be released over time to strengthen the system's security capabilities; notably, a new plugin goes live without the user restarting their services.
Attack logs
The test environment currently has 18 machines installed and running stably; vulnerability tests are intercepted as expected, and user feedback has been positive.
To apply for a trial, contact: sear2022 (technical support provided).