All services in Chroot Linux

zhaozj2021-02-16  71

Author: Mark Nielsen

Translator: Blue Wind

Original source: Linuxfocus.org

Summary: If someone breaks into your system, chroot improves security by limiting the damage the intruder can do.

Introduction: What is chroot? It is a way of confining a program. More precisely, it redefines the "root" directory, "/", for a program or login. When you use chroot, a program can no longer see anything above the directory you have chrooted it into.

Why is it useful? If someone breaks into your computer, they cannot see all the files on your system, they are limited in which commands they can use to get at files, and they cannot make use of insecure files outside the jail. The only drawback of chroot is that it cannot stop intruders from snooping on network connections and other resources. So there are things you still have to do that this article does not cover:

1. Protect your network port.

2. Let all your services run in the case of a non-root account, in addition, all service chrooted.

3. Copy the system log file to another machine.

4. Analyze log files.

5. Watch for people probing the ports on your computer.

6. Restrict the CPU and memory of each service.

7. Enable disk quotas.

The reason I think chroot (with the service running as non-root) protects a program is this: if someone breaks into your computer through a non-root account, there are no files in the jail they can use to get root, so the damage is confined to the chrooted area. Likewise, if they break into a chrooted area as root, the damage is still confined to that area, and the number of root-owned things they can destroy is reduced. Obviously, if someone does break into your account, you want the damage kept to a minimum.

Remember: my method is not 100% foolproof. This is my first attempt at doing this, and once one part is done the rest is quite simple. Here is how to do it.

Are you ready?

Ok, let's create a directory, "/chroot", and put all our services underneath it. The plan is as follows:

Syslog will be chrooted along with each service.

Apache goes in /chroot/httpd.

SSH goes in /chroot/sshd.

PostgreSQL goes in /chroot/postmaster.

Sendmail will also be chrooted, but unfortunately it cannot run under a non-root account.

NTPD is chrooted to /chroot/ntpd.

named is chrooted to /chroot/named.

Every service will be completely isolated.

My Perl script generates each chrooted environment.

config_chroot.pl.txt (download address at the end of this article); rename it to config_chroot.pl after downloading. The Perl script takes a list of services to install, reads their configuration files, and configures each service. In short, here is what you need to do:

1. Create the chroot directory: mkdir -p /chroot/config/backup

2. Download config_chroot.pl.txt to /chroot/config_chroot.pl

3. Change the $home variable in the Perl script if your chroot directory is not /chroot

4. Download the configuration files I wrote.

Now, the most important point: I have only tested this on RedHat 7.2 and RedHat 6.2, so please modify the Perl script for your distribution.

I didn't want to put too many files into each chroot, and in the end my Perl script turned out quite small. Basically, I noticed that when you chroot many services, they all need much the same files and directory structure. One way to find out which files a particular service needs copied is to read its manual and run "ldd /usr/bin/file" on the binary to list the shared libraries it uses. Of course, you can also simply chroot the service you are installing, look at the errors you get, and then look at its log file. In short, installing a service goes like this:

cd /chroot
./config_chroot.pl config service
./config_chroot.pl install service
./config_chroot.pl start service

Chroot NTPD

NTPD is just a time service that keeps your machine's clock in step with other machines. Chrooting it is very simple.

cd /chroot
# If you don't want to use my configuration file, the following commands will not work
./config_chroot.pl config ntpd
./config_chroot.pl install ntpd
./config_chroot.pl start ntpd

Chroot DNS or named

This has already been done by others; you can read about it at the following URLs:

http://www.linuxdoc.org/howto/chroot-bind8-howto.html

Or

http://www.linuxdoc.org/howto/chroot-bind-howto.html

Or you can use my script:

cd /chroot
# If you don't want to use my configuration file, the following commands will not work
./config_chroot.pl config named
./config_chroot.pl install named
./config_chroot.pl start named

Chroot syslog (and my complaint about it)

I wanted to chroot syslog, but there is a problem: by default syslogd listens on /dev/log, and a chrooted service cannot reach that socket from inside its jail, so chrooting it is not an easy task. The possible approaches are:

1. Chroot a copy of syslog with each service. I have tested this and it works. But I don't like it, because it means yet another root service running continuously.

2. See whether the services can be connected to a syslogd running outside their jails (for example over a network port).

3. Have each service log directly to a file instead of going through syslog. This may be the most reliable solution, although if someone breaks into the system they can do whatever they like to those log files.

4. Configure the main syslogd to listen to all the services, using the -a option for each one.

My only workaround so far is to chroot syslog together with each service. I think there should be a way to run syslog in its own chroot environment under a non-root account, listening on a network port. That would be feasible, but I'd like to find a better solution.

If you don't want a separate syslog for each service, add the following option to the command that starts the main syslogd on the system:

syslogd -a /chroot/service/dev/log

If you run SSH and DNS, it would be:

syslogd -a /chroot/ssh/dev/log -a /chroot/named/dev/log -a /dev/log
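To show concretely what the -a option above fixes, here is an added example (my own code, not part of the original article): a tiny syslog-style collector that binds one Unix datagram socket per path, the way syslogd listens on /dev/log plus every -a path, together with a sender that logs the way a daemon does and a parser for the "<PRI>tag: message" format. All socket paths are created under a temporary directory and no real chroot is performed; the log messages are constructed.

```python
"""What `syslogd -a <jail>/dev/log` fixes, shown with a tiny syslog-style
collector.

Added example, not part of the article.  A chrooted service that opens
/dev/log really opens <jail>/dev/log, where nothing listens by default, so
its messages are lost.  syslogd's -a option adds a listening socket at an
extra path; MiniSyslogd below does the same for each path it is given.
All paths live under a temporary directory and no real chroot is done.
"""
import os
import select
import socket
import tempfile

FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog"}
SEVERITY = {0: "emerg", 1: "alert", 2: "crit", 3: "err", 4: "warning",
            5: "notice", 6: "info", 7: "debug"}


def parse_syslog(raw):
    """Decode a '<PRI>tag: message' datagram (the classic /dev/log format).
    PRI = facility * 8 + severity; a missing PRI defaults to user.notice."""
    text = raw.decode("utf-8", "replace")
    pri = 1 * 8 + 5
    if text.startswith("<") and ">" in text:
        head, rest = text[1:].split(">", 1)
        if head.isdigit():
            pri, text = int(head), rest
    tag, _, message = text.partition(": ")
    return {"facility": FACILITY.get(pri // 8, str(pri // 8)),
            "severity": SEVERITY.get(pri % 8, str(pri % 8)),
            "tag": tag, "message": message}


def jail_path(jail_root, path_inside_jail):
    """Host location of a path as a process chrooted to jail_root sees it."""
    return os.path.join(jail_root, path_inside_jail.lstrip("/"))


class MiniSyslogd:
    """One SOCK_DGRAM Unix socket per path: the default /dev/log plus every
    extra path, which is exactly what each -a option adds to syslogd."""

    def __init__(self, paths):
        self.socks = {}
        for path in paths:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if os.path.exists(path):
                os.unlink(path)
            sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
            sock.bind(path)
            self.socks[sock] = path

    def drain(self, timeout=0.5):
        """Collect every queued datagram as (listen_path, parsed_record)."""
        records, wait = [], timeout
        while True:
            ready, _, _ = select.select(list(self.socks), [], [], wait)
            if not ready:
                return records
            for sock in ready:
                records.append((self.socks[sock], parse_syslog(sock.recv(65536))))
            wait = 0.05

    def close(self):
        for sock, path in self.socks.items():
            sock.close()
            os.unlink(path)


def send_log(path, facility, severity, tag, message):
    """Log the way a daemon does: one datagram to the socket path it can
    see.  Returns False when no socket exists there (the jailed case)."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        pri = facility * 8 + severity
        sock.sendto(("<%d>%s: %s" % (pri, tag, message)).encode(), path)
        return True
    except (FileNotFoundError, ConnectionRefusedError):
        return False
    finally:
        sock.close()


def demo():
    base = tempfile.mkdtemp(prefix="syslog-demo-")
    host_log = os.path.join(base, "dev", "log")            # stands in for /dev/log
    sshd_jail = os.path.join(base, "chroot", "sshd")
    named_jail = os.path.join(base, "chroot", "named")
    # Before -a: the jailed sshd's "/dev/log" is <sshd_jail>/dev/log; nobody listens.
    lost = not send_log(jail_path(sshd_jail, "/dev/log"), 4, 6, "sshd", "dropped")
    # Equivalent of: syslogd -a <sshd_jail>/dev/log -a <named_jail>/dev/log
    daemon = MiniSyslogd([host_log, jail_path(sshd_jail, "/dev/log"),
                          jail_path(named_jail, "/dev/log")])
    try:
        delivered = [
            send_log(jail_path(sshd_jail, "/dev/log"), 4, 6, "sshd",
                     "Accepted publickey for alice"),       # constructed message
            send_log(jail_path(named_jail, "/dev/log"), 3, 5, "named",
                     "zone example.test loaded"),           # constructed message
            send_log(host_log, 1, 5, "logger", "from the host"),
        ]
        records = daemon.drain()
    finally:
        daemon.close()
    by_tag = {rec["tag"]: (os.path.relpath(path, base), rec) for path, rec in records}
    return {"lost_before_a": lost, "delivered": delivered, "by_tag": by_tag}


if __name__ == "__main__":
    print(demo())
```

The first send in demo() fails because the jail's dev/log does not exist yet, which is precisely the state of a chrooted service on a stock syslogd; once a listener is bound at each jail's path, every message is delivered and the collector records which jail it arrived from, so a log line from the sshd jail is distinguishable from one sent on the host's own /dev/log.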

Finally, I wanted syslog itself to run under a non-root account. I tried a few simple things, could not get it to work, and eventually gave up. If you can get syslog to run under a non-root account, security will be that much better.

Chroot Apache

This is very easy: once Apache is installed, just run my Perl script. My configuration file for it is quite large, because I put Perl and the PostgreSQL client into Apache's chroot area. One thing to watch out for: if you connect to a database, make sure the database is listening on the loopback address 127.0.0.1, and make sure the DBI connection in your Perl script uses host 127.0.0.1. Here is how I connect to a database from within Apache:

use DBI;

# Try the local Unix-socket connection first (this works when Perl and
# PostgreSQL share a filesystem), with errors silenced; if that fails,
# as it does inside Apache's chroot, fall back to TCP on the loopback
# address and let DBI report any error.
$dbh ||= DBI->connect('DBI:Pg:dbname=database', "", "", {PrintError => 0});
if ($dbh) {
    $dbh->{PrintError} = 1;
} else {
    $dbh ||= DBI->connect('DBI:Pg:dbname=database;host=127.0.0.1', "", "", {PrintError => 1});
}

Source:

http://httpd.apache.org/dist/httpd/

Compile and install Apache under /usr/local/apache on your main system. Then run the Perl script.

cd /chroot
# If you don't want to use my configuration file, the following commands will not work
./config_chroot.pl config httpd
./config_chroot.pl install httpd
./config_chroot.pl start httpd

I changed my httpd.conf to include these lines (the status and info pages are reachable only from the loopback address):

ExtendedStatus On

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

Then point your browser at http://127.0.0.1/server-status or http://127.0.0.1/server-info.

Chroot SSH

First, ideally, we would forward SSH from port 22 to port 2222. Then, when you start SSH, bind it to port 2222 under a non-root account. In the chrooted SSH, people log in with the password of a restricted account; that password only gets them into the chrooted area and nothing more. Once they are logged in, a second SSH program, listening only on the loopback device at 127.0.0.1 port 2322, lets them connect to the real system. Now, that is the full setup, and I am not going to do all of it. What I want to do is simply chroot SSH. Doing it the ideal way would mean running SSH under a non-root account and installing a second SSH program that listens only on the loopback device, so that people can get into the real system.

So for now we are only going to chroot SSH; consider the consequences of this too (once it is chrooted, it cannot see the whole system). I could have used OpenSSH, but I was using the commercial SSH (not a good excuse).

Source:

http://www.ssh.com/products/ssh/download.cfm

Install SSH under /usr/local/ssh_chroot. Then run the Perl script.

cd /chroot
# If you don't want to use my configuration file, the following commands will not work
./config_chroot.pl config sshd
./config_chroot.pl install sshd
./config_chroot.pl start sshd

Using SSH in a chroot is a good thing: it confines people to your jail. rsync and scp work well over it for letting people upload files. I don't really like running FTP for people; many FTP servers can be chrooted, but they still send the password in the clear, which is what I don't like.

Chroot PostgreSQL

This is as easy as the others, except that it needs more library files. Overall, it is not hard to do. What I had to do was open PostgreSQL to the network, but only on the loopback device: because it is chrooted, other chrooted services such as the Apache web server cannot reach it any other way. I compiled Perl into PostgreSQL, so I had to add a lot of Perl files to its configuration file.

Source:

ftp://ftp.us.postgreSQL.org/source/v7.1.3/postgreSQL-7.1.3.tar.gz

Compile and install PostgreSQL under /usr/local/postgres on your main system. Then run the Perl script.

cd /chroot
# If you don't want to use my configuration file, the following commands will not work
./config_chroot.pl config postgres
./config_chroot.pl install postgres
./config_chroot.pl start postgres

Chroot Sendmail

Again, just run the script.

cd /chroot
# If you don't want to use my configuration file, the following commands will not work
./config_chroot.pl config sendmail
./config_chroot.pl install sendmail
./config_chroot.pl start sendmail

See the catch? Yes, it still runs as root. Also, /etc/rc.d/init.d/sendmail regenerates some files when it starts, and my script does not handle that. Any changes you would normally make to Sendmail under /etc/mail must now be made under /chroot/sendmail/etc. Likewise, you must make /var/spool/mail the same as /chroot/sendmail/var/spool/mail, so that the Sendmail program and users (when they log in) see the same files.

The advantage is that you can still send email, but there is a catch: other chrooted services need their own copy. I was able to put Sendmail into Apache's chroot without any trouble; some of my Perl scripts send mail, so I had to copy the Sendmail files into Apache's chroot area.

My philosophy:

1. Anything can be chrooted, including Sendmail, SSH, Apache, PostgreSQL, syslog, and every other service running on your computer.

2. Everything can run under a non-root account (what you need is to forward the privileged port to an unprivileged one). This includes Sendmail and syslog.

3. Logs can be kept off-site.

4. Each service can be given its own disk quota, so there is a limit on how much disk space an intruder can fill by writing files.

5. Root can own every file that does not need to change.

Now, about Sendmail and syslog: I still think they should be able to run under a non-root account. For Sendmail, sending mail this way is entirely possible; receiving is still quite difficult. I have not yet got Sendmail to run under a non-root account, and I think that is a serious flaw. I had problems up to the point where I got this far, but I think they can be solved. The files all have permissions set, and I don't understand why Sendmail needs to run as root. Maybe I'm overlooking something, but I doubt there is an obstacle that cannot be overcome.

As for syslog, I haven't tried it, but I believe it can run under a non-root account; I don't believe it can't. At the very least I can chroot a copy of syslog with each service.

All services can be set up under non-root accounts, even NFS; all of them.

Recommendations:

1. Install SSH twice, and run two sshds.

2. Figure out how to run Sendmail and other mail programs under non-root.

3. Remove unnecessary library files from /lib. I copied everything in order to save effort; in fact, there is a lot in there that isn't needed.

4. Log remotely to syslog: figure out how to bind syslogd to a network port, so that all the services can connect to that port on the loopback device. See whether syslogd can run under a non-root account.
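Recommendation 3 and the "ldd" method described earlier both come down to copying into the jail exactly the libraries a binary needs and nothing more. As an added illustration (my own example, not the article's config_chroot.pl), here is a small Python script that parses ldd output and copies the files it names to the same paths under the jail. The sample ldd output and the host tree built by demo() are constructed so it can be exercised without root; jail_binary() is a hypothetical driver showing how the same code would be run against a real binary on a live system.

```python
"""Build part of a chroot tree from `ldd` output.

Added example, not part of the article or its config_chroot.pl script.
It mechanises the manual method in the text: run `ldd` on a service
binary and copy every shared library it names to the same path inside
the jail.  The sample ldd output and the host tree built by demo() are
constructed so the script can be exercised without root or a real jail.
"""
import os
import shutil
import subprocess
import tempfile

# Constructed ldd output covering the shapes ldd prints: the vDSO (no file
# on disk), normal "name => path" entries, a missing library, and the
# dynamic loader, which is listed by path alone.
SAMPLE_LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd5c3f0000)
\tlibcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f1a2b000000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f1a2ae00000)
\tlibmissing.so.9 => not found
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a2b400000)
"""


def parse_ldd(output):
    """Return (found, missing): absolute library paths to copy, and the
    names ldd could not resolve.  Entries without a file on disk, such as
    the vDSO, are ignored."""
    found, missing = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=>" in line:
            name, target = (part.strip() for part in line.split("=>", 1))
            if target.startswith("not found"):
                missing.append(name)
                continue
        else:
            target = line
        target = target.split(" (", 1)[0].strip()   # drop the load address
        if target.startswith("/"):
            found.append(target)
    return found, missing


def copy_into_jail(jail, files, host_root="/"):
    """Copy each file from host_root to the same relative path under jail,
    creating directories as needed.  Symlinks such as libc.so.6 ->
    libc-2.xx.so are followed so the jail holds a real file under the name
    the loader looks up.  Returns the jail-relative paths written."""
    written = []
    for path in files:
        rel = path.lstrip("/")
        src = os.path.realpath(os.path.join(host_root, rel))
        dst = os.path.join(jail, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        written.append(rel)
    return written


def jail_binary(jail, binary):
    """Hypothetical driver for a live system: run ldd on the real binary and
    copy it plus its libraries into jail.  Refuses to proceed if any library
    is unresolved, because the jailed service would fail to start anyway.
    ldd exits non-zero on static binaries, which check=True turns into an
    exception."""
    out = subprocess.run(["ldd", binary], capture_output=True,
                         text=True, check=True).stdout
    found, missing = parse_ldd(out)
    if missing:
        raise RuntimeError("unresolved libraries on host: " + ", ".join(missing))
    return copy_into_jail(jail, [binary] + found)


def demo():
    """Offline walk-through on a constructed host tree: returns the names
    ldd could not resolve and, for each path written into the jail,
    whether the file now exists there."""
    base = tempfile.mkdtemp(prefix="jail-demo-")
    host, jail = os.path.join(base, "host"), os.path.join(base, "chroot", "svc")
    found, missing = parse_ldd(SAMPLE_LDD_OUTPUT)
    for rel in [p.lstrip("/") for p in found]:
        full = os.path.join(host, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("stub library " + rel)       # constructed stand-in file
    written = copy_into_jail(jail, found, host_root=host)
    return {"missing": missing,
            "written": [(rel, os.path.isfile(os.path.join(jail, rel)))
                        for rel in written]}


if __name__ == "__main__":
    print(demo())
```

Copying only what ldd reports is the opposite of the "copy all of /lib" shortcut the recommendation warns about: the jail ends up with three files rather than a whole library directory, and an unresolved library is surfaced before the service is ever started inside the jail rather than showing up as a cryptic failure in its log.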

Conclusion: I think chroot is valid for all services. I believe all services can be chrooted under non-root accounts, and I hope some distribution, whether a major one or a small one, will do it. Mandrake started from RedHat and then extended it, so someone could take Mandrake and extend it to chroot everything. Nothing stops people from redistributing GNU/Linux, so I think this is entirely feasible. If a company were willing to chroot everything and build a simple, systematic environment for managing chrooted services, I believe they would have something to sell! Even as Linux becomes mainstream, people still don't want to see the command line, so if everything can be done from a graphical interface, they never have to look at the "internals" or know how it is done step by step; all they have to do is configure it and know that it works!

I am 100% certain that all services can be chrooted under non-root accounts, and that no distribution currently provides this for a production environment. I am going to chroot everything; in fact, I am already doing so.

I plan to write a HOWTO about chrooting, and I would like to ask whether someone can help me convert this article into LyX format so that it can be included among the Linux HOWTOs.

Reference: if this article is updated, you can find the latest version here:

http://www.gnujobs.com/articles/23/chroot.html

The configuration files for this article can be downloaded from:

http://www.linuxfocus.org/common/src/article225/

When reposting, please credit the original: https://www.9cbs.com/read-12761.html
