Create a super secure LAMP server under Linux



Created: 2004-09-04

Article type: original. Submitted by: FATB (FATB_AT_SECURITY.ZZ.ha.CN). You are welcome to repost, but please keep the author's information: Zhengzhou University Network Security Park, http://secu.zzu.edu.cn. This article was also submitted to Hacker Line (issue 03-11). It is fairly basic, so friends who are interested can have a relaxed read :) I would like to thank the leaders and teachers of the Zhengzhou University Network Center, and wish all friends, teachers and students good health, smooth work and academic success in the new year. New year, new look!

Editor's foreword: This article introduces how to harden Apache, PHP and MySQL under Linux. By reading it carefully you can quickly grasp the secure configuration of Apache, PHP and MySQL, as well as the cutting-edge technique of chroot. With this knowledge you can make your WWW server largely immune to SQL injection and cross-site scripting, the two vulnerabilities that have toppled everything from popular forum systems to solitary personal sites.

Script attacks are all the rage, and it is clear that scripting has finally shown its importance in network attacks. Through the carelessness, or the intent, of program developers, scripts written in Perl, PHP, ASP and so on contain mistakes; at best these leak a path, at worst the whole server is captured and the compromise spreads across the whole network. Do we really read and carefully analyse every script we use? I doubt that everyone has that skill, and even those who do rarely have that much time and energy. You may ask: "I want to use free programs from the Internet, and I don't want to be hacked. Is there a way to have both?" For Windows hosts we can use tools such as IISLockdown and SecureIIS. For *NIX hosts I propose two approaches: one is to install the mod-security module for Apache, and the other is to place the LAMP stack in a chroot jail.
Of course, the strongest setup combines both :) Next let's go through the two approaches. Ordinary Linux experience, including the use of vi, is all that is needed. First, let's clarify a few concepts.

What is Debian: a completely free Linux operating system. What I like most about it is its APT package management tool, which lets you install or upgrade software with a single command. If you are a CERNET user, I recommend upgrading from the USTC mirror http://debian.ustc.edu.cn or from my site http://secu.zzu.edu.cn; CHINANET users can upgrade from http://mirror.GennkBone.org.

What is LAMP: the abbreviation of Linux, Apache, MySQL and PHP, almost the strongest combination for running a site.

What is chroot: short for "change root". It confines a process (a daemon) to a particular root directory, so the process can hardly touch any file or space outside it. This root directory (the "jail" we speak of) contains all the files the daemon needs to run. Once it is configured correctly, most intruders are unable to jump out of the jail and reach the outside, which protects the rest of the system as much as possible.

The software involved in this article:

makejail, http://www.floc.net/makejail/: automatically copies the files a program needs into the jail you are building. It is written in Python and has Debian and OpenBSD versions.

Zend Performance Suite, http://www.zend.com: a set of PHP acceleration tools from Zend, including a code optimizer, an accelerator and caching. Very good; with it PHP programs fly. You can apply for a 30-day trial version, and buy it if you find it useful :)

mod-security, http://www.modsecurity.org/: an Apache module with request filtering, log auditing and more. It can prevent SQL injection and cross-site scripting attacks. A very good module.

OK, suppose we have a Debian Woody in hand with the APT sources already set up (I won't cover that). First upgrade to Debian Sarge, i.e. the testing release. I think this release is good: its software is new, it has security support, and its main package list contains makejail. su to root, then upgrade the system and install Apache, PHP, MySQL and GD. Update the APT source first; I am on the education network, so the USTC mirror debian.ustc.edu.cn is fast:

    [root@debian /] apt-get update
    (Figure update.jpg)

Upgrade all packages:

    [root@debian /] apt-get dist-upgrade
    (Figure upgrade.jpg)

    [root@debian /] apt-get install apache php4 php4-gd2 php4-mysql mysql-server mysql-client

Then add extension=gd.so and extension=mysql.so to php.ini. Your system now has Apache-1.3.27, PHP-4.1.2 and MySQL-4.0.13 installed; a basic LAMP is up. Simple.

Add a system user; this is the user we will run inside the chroot:

    [root@debian /] adduser --home /chroot/apache --shell /dev/null --no-create-home --system --group chrapax

Then edit httpd.conf, remove the unnecessary Apache modules and enable the PHP module:

    [root@debian /] vi /etc/apache/httpd.conf

Comment out all modules except mod_access, mod_auth, mod_dir, mod_log_config, mod_mime and mod_alias. Uncomment

    LoadModule php4_module /usr/lib/apache/1.3/libphp4.so

to support PHP (as shown in Figure apache_mod.jpg). Set

    ServerAdmin fatb@zzu.edu.cn
    ServerName secu.zzu.edu.cn

Remove Indexes from the line

    Options Indexes Includes FollowSymLinks MultiViews

so that others cannot list your directories. Set the user and group to our chroot user:

    User chrapax
    Group chrapax

Add index.php to the DirectoryIndex line:

    DirectoryIndex index.php index.html index.htm index.shtml index.cgi

Set AddDefaultCharset to the Chinese character set. With the following lines, visitors are sent to the page you specify whenever one of these errors occurs:

    ErrorDocument 404 http://secu.zzu.edu.cn/index.php
    ErrorDocument 402 http://secu.zzu.edu.cn/index.php
    ErrorDocument 403 http://secu.zzu.edu.cn/index.php
    ErrorDocument 500 http://secu.zzu.edu.cn/index.php

Turn off the server signature:

    ServerSignature Off

If the signature is on, anyone who visits a forbidden or non-existent page gets server information in the error message, which is not good, so remove it (as shown in Figure 40.jpg). If you do not need CGI support, remove

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

together with its directory block:

    AllowOverride None
    Options ExecCGI -MultiViews
    Order allow,deny
    Allow from all

Because we need PHP support, uncomment

    AddType application/x-httpd-php .php

Finally remove the extra Alias, Directory and Location sections and save. OK, the Apache configuration is complete. I prefer a clean configuration file;
the following commands strip the lines beginning with # from httpd.conf:

    [root@debian /] mv httpd.conf httpd.conf.bak
    [root@debian /] grep -v '^#' httpd.conf.bak > httpd.conf

This completes the editing of the Apache configuration file. Now let's start hardening PHP. Open php.ini:

    [root@debian /] vi /etc/php4/apache/php.ini

First turn on safe mode. Its advantage is that a PHP file can only access files that have the same owner as the PHP file itself,

so even inside the chroot jail a script cannot touch files belonging to someone else. This also helps against backdoors like phpShell, a very popular PHP backdoor that executes system commands; just as its name says, it is practically a shell (as shown in phpshell.jpg).

    safe_mode = On

If your PHP programs do not depend on register_globals, it is best to set register_globals to Off, which removes many security problems. Suppose we have a PHP fragment like this, called test.php:

    <?php
    // earlier code
    if ($authorised) {
        // execute some protected action
    }
    // the rest of the code
    ?>

If register_globals is on, an intruder can bypass the check simply by submitting a request like

    http://www.test.com/test.php?authorised=1

Of course, if you must use register_globals, we can also use mod-security to limit the damage.

    open_basedir = /var/www/

This setting limits the directory range of fopen(), file() and similar functions, preventing intruders from reading files illegally. You must add the trailing "/" after /var/www, otherwise files under /var/wwww would also be accessible. Disable the phpinfo and get_cfg_var functions, which avoids leaking server information:

    disable_functions = phpinfo, get_cfg_var

If we then call the forbidden phpinfo function we see this error:

    Warning: phpinfo() has been disabled for security reasons in /var/www/info.php on line 1

Set the PHP error log so that we learn about problems in our programs:

    error_reporting = E_ALL
    log_errors = On
    error_log = /var/log/php_err.log

display_errors is on by default. We do not turn it off before the jail is finished, because the error messages give us useful hints, but remember to turn it off once everything is done, since some of the messages can expose your physical path.
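The following is an added example, not part of the original article: a small POSIX shell audit that reads a php.ini and reports where it deviates from the settings recommended here (safe_mode, register_globals, open_basedir with its trailing slash, disable_functions, log_errors, display_errors and allow_url_fopen). The two php.ini fragments it checks are constructed for the demonstration and are not Debian's shipped files; the function names and the "want On/Off" wording are the example's own.

```shell
#!/bin/sh
# Added example (not the author's code): audit a php.ini against the hardening
# settings recommended in the article. Each finding is printed on its own line;
# the function's return value is the number of findings (0 = nothing to fix).

# ini_get FILE KEY: print the value of KEY from an ini-style file, ignoring
# ";" comments and surrounding whitespace; prints nothing when KEY is absent
ini_get() {
    sed -e 's/;.*//' "$1" \
      | grep -i "^[[:space:]]*$2[[:space:]]*=" \
      | head -n 1 \
      | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# is_on VALUE: true when VALUE means "enabled" in php.ini terms
is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) return 0 ;;
    esac
    return 1
}

# audit_php_ini FILE: print the findings, return their count
audit_php_ini() {
    n=0
    v=$(ini_get "$1" safe_mode)
    if ! is_on "$v"; then echo "safe_mode is '$v' (want On)"; n=$((n + 1)); fi
    if is_on "$(ini_get "$1" register_globals)"; then
        echo "register_globals is On (want Off)"; n=$((n + 1))
    fi
    if is_on "$(ini_get "$1" allow_url_fopen)"; then
        echo "allow_url_fopen is On (want Off)"; n=$((n + 1))
    fi
    if is_on "$(ini_get "$1" display_errors)"; then
        echo "display_errors is On (turn it Off once the jail is finished)"; n=$((n + 1))
    fi
    v=$(ini_get "$1" log_errors)
    if ! is_on "$v"; then echo "log_errors is '$v' (want On)"; n=$((n + 1)); fi
    v=$(ini_get "$1" open_basedir)
    case "$v" in
        "")  echo "open_basedir is not set"; n=$((n + 1)) ;;
        */)  ;;   # trailing slash: only this directory tree is allowed
        *)   echo "open_basedir '$v' has no trailing slash (a prefix match also admits ${v}w)"
             n=$((n + 1)) ;;
    esac
    # disable_functions is a comma-separated list; spaces around names are ignored
    v=$(ini_get "$1" disable_functions | tr -d ' ')
    for f in phpinfo get_cfg_var; do
        case ",$v," in
            *,"$f",*) ;;
            *) echo "disable_functions does not list $f"; n=$((n + 1)) ;;
        esac
    done
    return $n
}

# write_sample_inis DIR: two constructed php.ini fragments used for the demo
write_sample_inis() {
    cat > "$1/weak.ini" <<'EOF'
; constructed sample: typical values before hardening
safe_mode = Off
register_globals = On
allow_url_fopen = On
display_errors = On
log_errors = Off
open_basedir = /var/www
disable_functions =
EOF
    cat > "$1/hardened.ini" <<'EOF'
; constructed sample: the values recommended in the article
safe_mode = On
register_globals = Off
allow_url_fopen = Off
display_errors = Off
log_errors = On
error_log = /var/log/php_err.log
open_basedir = /var/www/
disable_functions = phpinfo, get_cfg_var
EOF
}

tmp=$(mktemp -d)
write_sample_inis "$tmp"
echo "== weak.ini =="
audit_php_ini "$tmp/weak.ini" || echo "-> $? finding(s)"
echo "== hardened.ini =="
audit_php_ini "$tmp/hardened.ini" && echo "-> no findings"
rm -rf "$tmp"
```

Run it against /etc/php4/apache/php.ini after editing; the open_basedir check is the one people most often get wrong, and the message spells out what a missing slash would additionally admit.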

The most important thing to take care of in this whole process is never to use root as the owner of the PHP programs; otherwise the PHP programs can access everything their owner root owns, i.e. all of root's files, and the point of safe_mode is completely lost. Also do not allow opening remote URLs. Remember the recent PHP include vulnerability? In a PHP program with that flaw, an attacker can make the server fetch and execute a remote PHP program locally, phpShell for instance, so we turn this off:

    allow_url_fopen = Off

OK, save and exit. The PHP security optimization is basically complete; now let's lay hands on MySQL. Debian's MySQL, installed through APT, forbids connections from the network by default, as we can see from its configuration file my.cnf. Note, however, that with Red Hat's RPM and FreeBSD's ports installation skip-networking is commented out, so the server listens on port 3306, and if MySQL has a problem, others get the chance to use it:

    [root@debian /] grep net /etc/mysql/my.cnf
    # the skip-networking option will no longer be set via debconf menu.
    # You have to manually change it if you want networking i.e. the server
    skip-networking

Debian does well here. But the mysqld shipped with Debian and FreeBSD is dynamically linked, whereas Red Hat's RPM is static. We can check:

    [root@debian ~] file `which mysqld`
    mysqld: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), stripped

We can see the words "dynamically linked". This makes chrooting MySQL more troublesome, because there are many shared libraries to copy, and that is exactly why we use makejail :) We will see its power shortly. Before we modify the mysql database, no matter what, we first set a password for MySQL
and change the administrator user name (root by default). But remember: however you change the password, it gets recorded somewhere. If you change it with mysqladmin, it ends up in ~/.bash_history; if you change it after logging in to MySQL, it ends up in ~/.mysql_history. We must deal with these two history files: delete them, then make a symlink from /dev/null to each, which solves the problem.

    [root@debian /] cd ~
    [root@debian ~] ll
    total 13k
    -rw-------    1 root     root         1.8k Sep 28 21:05 .bash_history
    -rw-------    1 root     root           14 Sep 29 09:29 .mysql_history

There is something in both files, so let's handle them:

    [root@debian ~] rm .bash_history
    [root@debian ~] rm .mysql_history
    [root@debian ~] ln -s /dev/null .bash_history
    [root@debian ~] ln -s /dev/null .mysql_history

Let's take a look:

    [root@debian ~] ll
    total 10k
    lrwxrwxrwx    1 root     root            9 Sep 29 09:29 .bash_history -> /dev/null
    lrwxrwxrwx    1 root     root            9 Sep 29 09:29 .mysql_history -> /dev/null

Now you can set your password:

    [root@debian ~] mysqladmin -u root password mypasswd

From now on we access the mysql database with the password "mypasswd". Next delete the extra database and remove the anonymous accounts:

    [root@debian ~] mysql -u root -p
    Enter password: xxxxxx
    mysql> DROP DATABASE test;
    mysql> USE mysql;
    mysql> DELETE FROM user WHERE NOT (host = "localhost" AND user = "root");
    mysql> FLUSH PRIVILEGES;

Then change the default administrator account root to a name of your own; I changed it to fatb:

    mysql> UPDATE user SET user = "fatb" WHERE user = "root";
    mysql> FLUSH PRIVILEGES;

From now on we must access the mysql database with the fatb account:

    [root@debian ~] mysql -u root -p
    Enter password:
    ERROR 1045: Access denied for user: 'root@localhost' (Using password: YES)
    [root@debian ~] mysql -u fatb -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 14 to server version: 4.0.13-log

At this point the MySQL security settings are basically complete. Installing mod-security on Debian is equally simple, and the module is added to httpd.conf automatically:

    [root@debian /] apt-get install libapache-mod-security

By default the module is not activated. Edit httpd.conf and uncomment the line

    LoadModule security_module /usr/lib/apache/1.3/mod_security.so

then add the default action at the end of httpd.conf:

    SecFilterDefaultAction "deny,log,status:404"

    # Do not pass these settings on to subdirectories
    SecFilterInheritance Off
    # Check that URL encoding is correct
    SecFilterCheckURLEncoding On
    # Restrict the allowed byte range, against stack overflow attacks
    SecFilterForceByteRange 32 126
    # Location and name of the audit log
    SecAuditLog logs/audit_log
    # Debug settings
    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 0
    # Scan POST data
    SecFilterScanPOST On
    # When "sh" matches, redirect to a special page and let the attacker know it is time to back off
    SecFilter sh redirect:http://secu.zzu.edu.cn/hack/fu.htm
    # Only check the body of POST requests
    # Filter some sensitive things; we use * because /etc/./passwd could be used to slip past the filter
    SecFilter /etc/*passwd
    SecFilter /bin/*sh
    # Prevent double-dot attacks, i.e. http://www.test.com/openfile.php?path=/../../.. :)
    SecFilter "\.\./"
    # Prevent cross-site scripting (CSS) attacks
    SecFilter "<( |\n)*script"
    SecFilter "<(.|\n)+>"
    # Prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select[[:space:]]+from"
    SecFilter "union[[:space:]]+from"
    # The following restricts upload.php so that only JPEG, BMP and GIF pictures can be uploaded
    <Location /upload.php>
    SecFilterInheritance Off
    SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
    </Location>

With mod-security you can improve your site's security a great deal. You will find more settings in the manual, and a more detailed rule set is included on the CD (mod-security.rule.txt).

Next we load the Zend Performance Suite. During installation it asks which user you run Apache as; remember to answer chrapax instead of www-data. Then restrict access to it to your own IP with the following:

    Order allow,deny
    Allow from 211.43.125.63 (your IP)
    Deny from all
    Options all

Now the most important step, chroot; it may also be the simplest one. First copy the configuration file, which is written in Python, to /etc/makejail:

    [root@debian /etc/makejail] cp /usr/share/doc/makejail/examples/apache.py .

Edit apache.py and fill in the relevant information:

    users = ["chrapax"]
    groups = ["chrapax"]
    packages = ["apache", "apache-common", "php4", "php4-gd", "mysql-common", "libapache-mod-security"]

Then run makejail:

    [root@debian /etc/makejail] makejail apache.py

After makejail finishes, we make a symlink and copy the chrapax entries out of the passwd and group files into the jail:

    [root@debian /etc/makejail] ln -s /var/chroot/apache /apache
    [root@debian /etc/makejail] grep chrapax /etc/passwd > /apache/etc/passwd
    [root@debian /etc/makejail] grep chrapax /etc/group > /apache/etc/group
    [root@debian /etc/makejail] cp /etc/mime.types /apache/etc/

Then create a file called chrapax in /etc/init.d and make it executable (see chrapax on the CD):

    [root@debian /etc/makejail] cat > /etc/init.d/chrapax
    [root@debian /etc/makejail] chmod +x /etc/init.d/chrapax

Use the rcconf command to activate it at system startup (Figure rcconf.bmp):

    [root@debian /etc/makejail] rcconf

Start the chrooted Apache:

    [root@debian /etc/makejail] /etc/init.d/chrapax start

First test whether PHP can connect to MySQL:

    [root@debian /etc/makejail] cat > /apache/var/www/mysql.php
    <?php
    $conn = mysql_connect("localhost", "fatb", "urpassword") or die;
    print "php can work with mysql now";
    mysql_close($conn);
    phpinfo();
    ?>

The browser returns:

    Warning: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) in /www/mysql.php on line 2

But we can see that there is a mysqld.sock file in /var/run/mysqld/. The reason is that we chrooted Apache, so it can only see what is under its jail root, i.e. /var/chroot/apache, and mysqld.sock is obviously outside the jail, so of course it cannot work. The solution is also very simple: a hard link.
    [root@debian /apache/var/run/mysqld] ln /var/run/mysqld/mysqld.sock mysqld.sock

Visit mysql.php again and, sure enough, it works. Using a hard link is rather troublesome, though, and accessing mysqld through it also has a cost in resources.
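To make visible what the SecFilter rules above actually match, here is an added example; it is not code from the article or from the mod_security project. mod_security 1.x URL-decodes and normalizes the request path (removing "/./" and repeated slashes) before running its regular expressions, which is why "/etc/./passwd" cannot slip past "/etc/*passwd"; the script reproduces those two steps in plain sh and then applies the article's string patterns with grep -E. Assumptions of the example: matching is case-insensitive, the first matching rule decides, and the "sh" redirect rule is left out because it would match any "sh" substring. The request lines are constructed for the demonstration, not captured traffic.

```shell
#!/bin/sh
# Added example (not from the article or mod_security): simulate how the
# article's SecFilter rules are applied to a request line.

# url_decode STRING: decode %XX escapes one character at a time (pure sh;
# a decoded newline would be dropped by command substitution, which is fine here)
url_decode() {
    s=$1; out=""
    while [ -n "$s" ]; do
        case "$s" in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=$(printf '%s' "$s" | cut -c2-3)
                # hex -> octal -> the character itself via printf's \NNN escape
                out="$out$(printf "\\$(printf '%03o' "$((0x$hex))")")"
                s=$(printf '%s' "$s" | cut -c4-)
                ;;
            *)
                out="$out$(printf '%s' "$s" | cut -c1)"
                s=$(printf '%s' "$s" | cut -c2-)
                ;;
        esac
    done
    printf '%s' "$out"
}

# normalize_uri URI: decode, then collapse "/./" and repeated slashes, the way
# mod_security normalizes paths, so "/etc/./passwd" becomes "/etc/passwd"
normalize_uri() {
    url_decode "$1" | sed -e ':a' -e 's#/\./#/#g' -e 'ta' -e 's#//*#/#g'
}

# The article's SecFilter patterns in ERE form ("\n" alternatives dropped,
# since a request line is matched as a single line)
RULES='/etc/*passwd
/bin/*sh
\.\./
<[[:space:]]*script
<.+>
delete[[:space:]]+from
insert[[:space:]]+into
select[[:space:]]+from
union[[:space:]]+from'

# check_request URI: print "allow", or "deny:<pattern>" for the first rule that matches
check_request() {
    req=$(normalize_uri "$1")
    hit=$(printf '%s\n' "$RULES" | while IFS= read -r pat; do
        if printf '%s' "$req" | grep -Eiq -e "$pat"; then
            printf '%s' "$pat"
            break
        fi
    done)
    if [ -n "$hit" ]; then printf 'deny:%s\n' "$hit"; else printf 'allow\n'; fi
}

# Constructed sample requests (not captured traffic)
for uri in '/index.php?page=news' \
           '/openfile.php?path=/etc/./passwd' \
           '/openfile.php?path=..%2F..%2F..%2Fvar/secret.txt' \
           '/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E' \
           '/news.php?id=1;delete%20from%20users'; do
    printf '%-52s %s\n' "$uri" "$(check_request "$uri")"
done
```

The two normalization steps are the part worth keeping in mind when you write your own rules: a pattern is only as good as the canonical form it is matched against, which is also why the article turns on SecFilterCheckURLEncoding.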
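The socket problem above is the kind of thing that silently comes back (the hard link has to be redone whenever the socket file is recreated, and a rebuilt jail loses it), so here is an added example, not from the article, with a few shell checks for the state the article leaves the system in: the socket hard-linked into the jail, the two history files pointing at /dev/null, and the jail's passwd holding only the chrapax entry. It rehearses the article's commands on a throw-away directory tree under mktemp; the uid/gid 103, the passwd lines and the history contents are constructed, and a regular file stands in for mysqld.sock.

```shell
#!/bin/sh
# Added example (not the author's code): verify the jail wiring described in
# the article, and rehearse the steps on a constructed directory tree.

# same_inode A B: true when A and B are one hard-linked file, which is what
# "ln /var/run/mysqld/mysqld.sock mysqld.sock" inside the jail must produce.
# "-ef" is a widely supported test(1) extension (bash, dash, busybox).
same_inode() { [ "$1" -ef "$2" ]; }

# history_neutralized HOME: true when .bash_history and .mysql_history in HOME
# are symlinks to /dev/null, so a password typed on the command line is not kept
history_neutralized() {
    for f in .bash_history .mysql_history; do
        [ -L "$1/$f" ] || return 1
        [ "$(readlink "$1/$f")" = /dev/null ] || return 1
    done
    return 0
}

# jail_passwd_minimal JAIL USER: true when JAIL/etc/passwd holds exactly USER's entry
jail_passwd_minimal() {
    [ -f "$1/etc/passwd" ] || return 1
    [ "$(grep -c . "$1/etc/passwd")" -eq 1 ] || return 1
    grep -q "^$2:" "$1/etc/passwd"
}

# build_demo_tree ROOT: constructed stand-in for the real system (not a real jail)
build_demo_tree() {
    mkdir -p "$1/etc" "$1/root" "$1/var/run/mysqld" \
             "$1/var/chroot/apache/etc" "$1/var/chroot/apache/var/run/mysqld"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/etc/passwd"
    printf 'chrapax:x:103:103::/var/chroot/apache:/dev/null\n' >> "$1/etc/passwd"
    : > "$1/var/run/mysqld/mysqld.sock"        # regular file standing in for the socket
    printf 'mysqladmin -u root password mypasswd\n' > "$1/root/.bash_history"
    printf 'update user set user="fatb" where user="root";\n' > "$1/root/.mysql_history"
}

# apply_article_steps ROOT: the article's commands, relative to ROOT
apply_article_steps() {
    jail="$1/var/chroot/apache"
    grep chrapax "$1/etc/passwd" > "$jail/etc/passwd"
    ln "$1/var/run/mysqld/mysqld.sock" "$jail/var/run/mysqld/mysqld.sock"
    for f in .bash_history .mysql_history; do
        rm -f "$1/root/$f"
        ln -s /dev/null "$1/root/$f"
    done
}

# report ROOT: print the result of the three checks
report() {
    jail="$1/var/chroot/apache"
    if same_inode "$1/var/run/mysqld/mysqld.sock" "$jail/var/run/mysqld/mysqld.sock"; then
        echo "socket: linked into the jail"
    else
        echo "socket: NOT reachable from the jail"
    fi
    if history_neutralized "$1/root"; then echo "history: neutralized"; else echo "history: still recorded"; fi
    if jail_passwd_minimal "$jail" chrapax; then
        echo "jail passwd: only chrapax"
    else
        echo "jail passwd: missing or holds more than chrapax"
    fi
}

demo=$(mktemp -d)
build_demo_tree "$demo"
echo "-- before --"; report "$demo"
apply_article_steps "$demo"
echo "-- after --"; report "$demo"
rm -rf "$demo"
```

Against the real system you would call report with "/" as the root (so the jail is /var/chroot/apache and the history files are under /root); the three functions are independent, so each can also be dropped into the chrapax init script as a pre-start check.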

Please cite the original address when reposting: https://www.9cbs.com/read-42625.html
