From e4938ffc8584e9c185f445384eac0ae4590c7170 Mon Sep 17 00:00:00 2001 From: noon Date: Sat, 27 Mar 2021 20:14:45 +0800 Subject: [PATCH] Update README_EN.md (#5856) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update README_EN.md Translate parts of the README.md * Update README_EN.md * Update README_EN.md change the word PAM to Bastion host * Update README_EN.md * Update README_EN.md Clip the bug part to JumpServer 远程执行漏洞 2021-01-15 --- README_EN.md | 390 +++++++++++++++++++++++++++++++++++---------------- 1 file changed, 268 insertions(+), 122 deletions(-) diff --git a/README_EN.md b/README_EN.md index 5f2539c9f..072aaadea 100644 --- a/README_EN.md +++ b/README_EN.md @@ -1,143 +1,245 @@ -## Jumpserver +# Jumpserver - The Bastion Host for Multi-Cloud Environment [![Python3](https://img.shields.io/badge/python-3.6-green.svg?style=plastic)](https://www.python.org/) [![Django](https://img.shields.io/badge/django-2.2-brightgreen.svg?style=plastic)](https://www.djangoproject.com/) [![Docker Pulls](https://img.shields.io/docker/pulls/jumpserver/jms_all.svg)](https://hub.docker.com/u/jumpserver) ----- -## CRITICAL BUG WARNING +- [中文版](https://github.com/jumpserver/jumpserver/blob/master/README.md) -Recently we have found a critical bug for remote execution vulnerability which leads to pre-auth and info leak, please fix it as soon as possible. - -Thanks for **reactivity from Alibaba Hackerone bug bounty program** report us this bug - -**Vulnerable version:** -``` -< v2.6.2 -< v2.5.4 -< v2.4.5 -= v1.5.9 ->= v1.5.3 -``` - -**Safe and Stable version:** -``` ->= v2.6.2 ->= v2.5.4 ->= v2.4.5 -= v1.5.9 (version tag didn't change) -< v1.5.3 -``` - -**Bug Fix Solution:** -Upgrade to the latest version or the version mentioned above - - -**Temporary Solution (upgrade asap):** - -Modify the Nginx config file and disable the vulnerable api listed below - -``` -/api/v1/authentication/connection-token/ -/api/v1/users/connection-token/ -``` - -Path to Nginx config file - -``` -# Previous Community version -/etc/nginx/conf.d/jumpserver.conf - -# Previous Enterprise version -jumpserver-release/nginx/http_server.conf - -# Latest version -jumpserver-release/compose/config_static/http_server.conf -``` - -Changes in Nginx config file - -``` -### Put the following code on top of location server, or before /api and / -location /api/v1/authentication/connection-token/ { - return 403; -} - -location /api/v1/users/connection-token/ { - return 403; -} -### End right here - -location /api/ { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://core:8080; - } - -... -``` - -Save the file and restart Nginx - -``` -docker deployment: -$ docker restart jms_nginx - -rpm or other deployment: -$ systemctl restart nginx - -``` - -**Bug Fix Verification** - -``` -# Download the following script to check if it is fixed -$ wget https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh - -# Run the code to verify it -$ bash jms_bug_check.sh demo.jumpserver.org -漏洞已修复 (It means the bug is fixed) -漏洞未修复 (It means the bug is not fixed and the system is still vulnerable) -``` - - -**Attack Simulation** - -Go to the logs directory which should contain gunicorn.log file. Then download the "attack" script and execute it - -``` -$ pwd -/opt/jumpserver/core/logs - -$ ls gunicorn.log -gunicorn.log - -$ wget 'https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_check_attack.sh' -$ bash jms_check_attack.sh -系统未被入侵 (It means the system is safe) -系统已被入侵 (It means the system is being attacked) -``` +|![notification](https://raw.githubusercontent.com/goharbor/website/master/docs/img/readme/bell-outline-badged.svg)Security Notice| +|------------------| +|On 15th January 2021, JumpServer found a critical bug for remote execution vulnerability. Please fix it asap! [For more detail](https://github.com/jumpserver/jumpserver/issues/5533) Thanks for **reactivity of Alibaba Hackerone bug bounty program** report use the bug| -------------------------- ----- - -- [中文版](https://github.com/jumpserver/jumpserver/blob/master/README.md) - -Jumpserver is the world's first open-source PAM (Privileged Access Management System) and is licensed under the GNU GPL v2.0. It is a 4A-compliant professional operation and maintenance security audit system. +Jumpserver is the world's first open-source Bastion Host and is licensed under the GNU GPL v2.0. It is a 4A-compliant professional operation and maintenance security audit system. Jumpserver uses Python / Django for development, follows Web 2.0 specifications, and is equipped with an industry-leading Web Terminal solution that provides a beautiful user interface and great user experience Jumpserver adopts a distributed architecture to support multi-branch deployment across multiple cross-regional areas. The central node provides APIs, and login nodes are deployed in each branch. It can be scaled horizontally without concurrency restrictions. -Change the world, starting from little things. +Change the world by taking every little step ---- +### Advantages -### Features +- Open Source: huge transparency and free to access with quick installation process. +- Distributed: support large-scale concurrent access with ease. +- No Plugin required: all you need is a browser, the ultimate Web Terminal experience. +- Multi-Cloud supported: a unified system to manage assets on different clouds at the same time +- Cloud storage: audit records are stored in the cloud. Data lost no more! +- Multi-Tenant system: multiple subsidiary companies or departments access the same system simultaneously. +- Many applications supported: link to databases, windows remote applications, and Kubernetes cluster, etc. - ![Jumpserver 功能](https://jumpserver-release.oss-cn-hangzhou.aliyuncs.com/Jumpserver148.jpeg "Jumpserver 功能") +## Features List + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
AuthenticationLoginUnified way to access and authenticate resources
LDAP/AD Authentication
RADIUS Authentication
OpenID Authentication(Single Sign-On)
CAS Authentication (Single Sign-On)
MFA (Multi-Factor Authentication)Use Google Authenticator for MFA
RADIUS (Remote Authentication Dial In User Service)
Login SupervisionAny user’s login behavior is supervised and controlled by the administrator:small_orange_diamond:
AccountingCentralized Accounts ManagementAdmin Users management
System Users management
Unified Password ManagementAsset password custody (a matrix storing all asset password with dense security)
Auto-generated passwords
Automatic password handling (auto login assets)
Password expiration settings
Password change SchedularSupport regular batch Linux/Windows assets password changing:small_orange_diamond:
Implement multiple password strategies:small_orange_diamond:
Multi-Cloud ManagementAutomatically manage private cloud and public cloud assets in a unified platform :small_orange_diamond:
Users Acquisition Create regular custom tasks to collect system users in selected assets to identify and track the privileges ownership:small_orange_diamond:
Password Vault Unified operations to check, update, and test system user password to prevent stealing or unauthorised sharing of passwords:small_orange_diamond:
AuthorizationMulti-DimensionalGranting users or user groups to access assets, asset nodes, or applications through system users. Providing precise access control to different roles of users
AssetsAssets are arranged and displayed in a tree structure
Assets and Nodes have immense flexibility for authorizing
Assets in nodes inherit authorization automatically
child nodes automatically inherit authorization from parent nodes
ApplicationProvides granular access control for privileged users on application level to protect from unauthorized access and unintentional errors
Database applications (MySQL, Oracle, PostgreSQL, MariaDB, etc.) and Remote App:small_orange_diamond:
ActionsDeeper restriction on the control of file upload, download and connection actions of authorized assets. Control the permission of clipboard copy/paste (from outer terminal to current asset)
Time BoundSharply limited the available (accessible) time for account access to the authorized resources to reduce the risk and attack surface drastically
Privileged AssignmentAssign the denied/allowed command lists to different system users as privilege elevation, with the latter taking the form of allowing particular commands to be run with a higher level of privileges. (Minimize insider threat)
Command FilteringCreating list of restriction commands that you would like to assign to different authorized system users for filtering purpose
File Transfer and ManagementSupport SFTP file upload/download
File ManagementProvide a Web UI for SFTP file management
Workflow ManagementManage user login confirmation requests and assets or applications authorization requests for Just-In-Time Privileges functionality:small_orange_diamond:
Group Management Establishing a multi-tenant ecosystem that able authority isolation to keep malicious actors away from sensitive administrative backends:small_orange_diamond:
AuditingOperationsAuditing user operation behaviors for any access or usage of given privileged accounts
SessionSupport real-time session audit
Full history of all previous session audits
VideoComplete session audit and playback recordings on assets operation (Linux, Windows)
Full recordings of RemoteApp, MySQL, and Kubernetes:small_orange_diamond:
Supports uploading recordings to public clouds
CommandCommand auditing on assets and applications operation. Send warning alerts when executing illegal commands
File TransferFull recordings of file upload and download
DatabaseHow to connectCommand line
Built-in Web UI:small_orange_diamond:
Supported DatabaseMySQL
Oracle :small_orange_diamond:
MariaDB :small_orange_diamond:
PostgreSQL :small_orange_diamond:
Feature HighlightsSyntax highlights
Prettier SQL formmating
Support Shortcuts
Support selected SQL statements
SQL commands history query
Support page creation: DB, TABLE
Session AuditingFull records of command
Playback videos
+ +**Note**: Rows with :small_orange_diamond: at the end of the sentence means that it is X-PACK features exclusive ([Apply for X-PACK Trial](https://jinshuju.net/f/kyOYpi)) ### Start @@ -162,6 +264,50 @@ We provide the SDK for your other systems to quickly interact with the Jumpserve - [Python](https://github.com/jumpserver/jumpserver-python-sdk) Jumpserver other components use this SDK to complete the interaction. - [Java](https://github.com/KaiJunYan/jumpserver-java-sdk.git) Thanks to 恺珺 for providing his Java SDK vesrion. +## JumpServer Component Projects +- [Lina](https://github.com/jumpserver/lina) JumpServer Web UI +- [Luna](https://github.com/jumpserver/luna) JumpServer Web Terminal +- [KoKo](https://github.com/jumpserver/koko) JumpServer Character protocaol Connector, replace original Python Version [Coco](https://github.com/jumpserver/coco) +- [Guacamole](https://github.com/jumpserver/docker-guacamole) JumpServer Graphics protocol Connector,rely on [Apache Guacamole](https://guacamole.apache.org/) + +## Contribution +If you have any good ideas or helping us to fix bugs, please submit a Pull Request and accept our thanks :) + +Thanks to the following contributors for making JumpServer better everyday! + + + + + + +## Thanks to +- [Apache Guacamole](https://guacamole.apache.org/) Web page connection RDP, SSH, VNC protocol equipment. JumpServer graphical connection dependent. +- [OmniDB](https://omnidb.org/) Web page connection to databases. JumpServer Web database dependent. + + +## JumpServer Enterprise Version +- [Apply for it](https://jinshuju.net/f/kyOYpi) + +## Case Study + +- [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147); +- [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882); +- [携程 JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851); +- [小红书的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516); +- [JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732); +- [中通快递:JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708); +- [东方明珠:JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687); +- [江苏农信:JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)。 + +## For safety instructions + +JumpServer is a security product. Please refer to [Basic Security Recommendations](https://docs.jumpserver.org/zh/master/install/install_security/) for deployment and installation. + +If you find a security problem, please contact us directly: + +- ibuler@fit2cloud.com +- support@fit2cloud.com +- 400-052-0755 ### License & Copyright Copyright (c) 2014-2019 Beijing Duizhan Tech, Inc., All rights reserved.