LinuxSir.cn,穿越时空的Linuxsir!

 找回密码
 注册
搜索
热搜: shell linux mysql
查看: 2616|回复: 0

[原创翻译]加固Apache2.0[终于可以为社区做点贡献了]

[复制链接]
发表于 2008-1-3 16:56:24 | 显示全部楼层 |阅读模式
+-------------------------------------------------+
|  Securing Apache 2: Step-by-Step  |
|        Artur Maj 2004-06-21             |
|           加固Apache2                     |
+--------------------------------------------------+
==================================================
原创文章:可自由转载,转载请注明来源www.haohaoxiansheng.com
作      者:黄永兵                 日    期:2008年1月3日
本人能力有限,如读者朋友发现本文有错误,敬请来信mr-hao@live.cn或直接回复指出
===================================================
When choosing a web server, Apache very often wins against its competitors because of stability, performance, that fact that it's open source, and many other advantages. But when deciding on which version of Apache to use, the choice is not always so simple. On the one hand there is a very
popular, stable version used by millions of users, version 1.3, and on the other hand, there is an enhanced and re-designed version 2.0.
在选择web服务器时,Apache靠稳定性高,性能好,开源和其它优势通常赢得它的竞争对手。但是在选择使用哪一个Apache版本时,总不是那么容易。一方面,流行的,稳定的版本被许多人使用,比如1.3版本,另一方面还有功能加强的,重新设计的2.0版本也被许多人使用。

And even if the new version has got a lot more extensions and features, some people still decide to use version 1.3, because in their opinion this branch is more stable and secure. As a matter of fact, there is some truth in this statement. Since version 1.3 has been used by millions of users for a long time, most security holes in this version are very likely to be already discovered. At the same time version 2.0 may have many more as-yet undiscovered vulnerabilities, just sleeping and waiting to be found.
即使新版本包含更多的扩展和新特性,仍然有一部分人决定使用1.3版本,因为在他们看来这个版本更稳定和安全。事实上,有一些事情需要指出,至丛1.3版本被长时间大量使用以来,大多数安全漏洞在这个版本已经被发现,同时2.0版本或许还有许多迄今为止没有被发现的漏洞,它们仅仅在某个地方沉睡等待被发现。

Continuing the step-by-step fashion from the previous series (Securing Apache, Securing PHP, and Securing MySQL), this article shows how to install and configure Apache 2.0 to minimize the risk of unauthorized access or successful break-in, even if new security vulnerabilities in Apache web server are found. Thus, it will be possible to enjoy the new features of Apache 2.0 without worrying too much about its security bugs, regardless if they are only imaginary, or are in fact real and serious threats.
继续保持前面一步一步文章系列(加固Apache,加固PHP,加固Mysql)的风格,本文展示如何安装和配置Apache2.0来降低未经验证的访问或被成功入侵的风险,即使在Apache服务器中发现新的漏洞也不用害怕。因此,尝试Apache2.0的新特性是合理的,不用太担心它安全方面的bug,即使它们是虚构的或者是实实在在的严重威胁。

Functionality requirements
In the world of security, there are a few golden principles that should always be followed. One such principle is the rule which says that only absolutely required parts of the software should be used. All other components should be disabled, made inaccessible or not even be installed at all.
功能要求
在安全领域,有一些重要原则总是应该遵守。其中一条就是仅仅提供要用的软件部分,其它部分都应被禁用掉,不要被轻易接触到,甚至干脆不安装它们。

The logic behind this rule is very simple -- if there is software with dozens of components that are enabled by default, finding only one security vulnerability in any one of these components can put the whole system at risk of a successful break-in. On the other hand, if only a few absolutely necessary components are enabled, finding a new security bug doesn't necessary mean that the software is vulnerable -- because the discovered bug may affect components that are not enabled, or are not installed. The probability of a successful break-in in this case is obviously much lower than in case of the default installation.
这个原则下的逻辑是非常简单的-假如软件在默认情况下许多组件被启用,只要在这些组件中的任一个发现漏洞的话就会将整个系统推向被入侵的危险境地。另一方面,如果仅仅是要用的组件才被启用的话,发现一个新的安全漏洞是不容易影响到软件的-因为发现的bug影响的组件可能没有被启用或没有安装。这种情况明显比默认安装时更不容易被入侵。

Therefore, before starting to secure Apache 2, it is very important to know what functionality we really expect from the web server. This will allow us to prepare the list of modules that we will leave enabled, while the rest will be disabled during compilation time.
因此,在开始加固Apache2之前,要清楚地知道究竟需要些什么功能,我们必须要整理一份需要启用的模块列表,当编译时其它模块就会被禁用掉。

According to this rule, this article assumes that very basic functionality of Apache will be used:
根据这个原则,本文假定Apache只提供最基本的功能以供使用。

Only static HTML pages will be served.
仅静态HTML页面被支持
The server must support the virtual hosting mechanism.
服务器必须支持虚拟主机
Access to some web pages will be restricted to selected IP addresses or users (basic authentication).
访问某些页面必须进行IP认证或用户认证
The server must log all web requests (including information about web browsers).
服务器必须对所有web请求进行日志记录(包括web浏览器信息)
One can note that the above functionality doesn't support CGI scripts, the SSL protocol or other useful Apache features. This is because the main purpose of the article is to present a general method of securing Apache 2.0, without focusing on a particular implementation. If there is a need for additional functionality, readers can still use the presented solution as a starting point, and enhance it by enabling additional modules, for example, mod_ssl, mod_cgi or others.
注意上面提到的功能不包含对CGI脚本,SSL协议或其它Apache有用的特性的支持,这是因为本文的主要目的是给出一个加固Apache2.0的通用方法,而不是集中于一个特定的应用。如果还需要附加的功能,读者朋友仍然可以使用本方案作为开始,启用附加模块增强功能,例如启用mod_ssl,mod_cgi或其它。

Security assumptions
To provide as many security layers as possible, and at the same time keep this solution portable among many different Linux/BSD systems, the following layers of security will be used:
安全设想
为了尽可能提供足够多的安全保护层,同时保持本方案可在不同的Linux/BSD系统上进行移植,下面的安全保护层将被用到。

the network environment
网络环境
The web server should be protected by a firewall; the rules should accept incoming requests to port 80/tcp and allow outgoing HTTP responses. Except for certain ICMP messages (e.g. source-quench, time-exceed, parameter-problem, destination-unreachable), all other packets should be dropped or denied.
web服务器应该被防火墙保护;防火墙规则应允许tcp/80端口进站请求和http出站响应。除了被确认的ICMP消息(如:source-quench, time-exceed, parameter-problem, destination-unreachable),所有其它的包都应被丢弃或拒绝。
An intrusion detection (or prevention) system should be used; Apache's log files should also be monitored.
还应有一个入侵检测系统(或入侵预防系统);Apache日志文件应该被监控。
the operating system
操作系统
The operating system should be hardened as much as possible; all unnecessary components should be removed from the system.
操作系统应该被尽可能加固,所有不需要的组件都应将其移除系统。
If supported, the operating system should not allow executing programs on the stack.
如果可能,操作系统应不允许在堆栈上执行程序。
All unnecessary network services should be disabled.
所有不需要的网络服务都应被禁用掉。
The number of SUID/SGID files should be minimized.
SUID/SGID文件数量应减少到最少。
the Apache web server
Apache服务器
Only absolutely necessary Apache modules should be enabled; the rest should be disabled during compilation time.
仅仅启用要用的Apache模块,其他模块都应在编译时禁用掉。
All diagnostic web pages and the automatic directory indexing service must be turned off.
所有诊断web页面和自动化目录索引服务都必须关掉。
The server should disclose the least amount of information about itself as possible -- security through obscurity. Although this is not a real security layer, applying it will at least make the attacks a little bit more difficult to perform.
服务器应尽可能暴露最少的自身信息,尽管这不是一个安全层次的问题,但至少在执行攻击时会显得更困难。
The web server must run under a dedicated UID/GID, not one used by any other system process.
web服务器必须运行在专用的UID/GID下,不应该被其它系统进程使用。
Apache's processes must have limited access to the file systems (chrooting).
Apache进程必须被限制所能访问的文件系统(使用chroot)
In the Apache chrooted environment there cannot be any shell program present (/bin/sh, /bin/csh etc.) -- it makes the process of executing exploits much more difficult to perform.
在Apache chroot环境下,不存在任何shell程序(如/bin/sh,/bin/csh等)了,导致执行攻击时变得更加困难。
Installing the operating system
安装操作系统
First and foremost, we must choose an operating system upon which the web server will run. The rest of article presents how to secure Apache on FreeBSD (5.1), however readers are free to use their favorite Unix, BSD, Linux or Linux-like operating system.
首先,我们必须选择一个将要运行web服务器的操作系统,本文剩余部分展示如何在FreeBSD(5.1)上加固Apache,但是读者可以自由应用到他们感兴趣的Unix,BSD,Linux或类Linux操作系统。

With regards to our security assumptions, after installing the operating system it must be hardened against both remote and local attacks. Regardless of the chosen UNIX/Linux/BSD distribution, it is very important to install only the core operating system, remove any redundant packages and apply up-to-date patches to the kernel and all installed software.
随我们的安全设想,在安装操作系统后必须加固以对付本地和远程的攻击,无论选择UNIX/Linux/BSD,仅仅安装核心操作系统是非常重要的,去除冗余的包并打上内核和所有软件的补丁。
It is also recommended to periodically synchronize the local clock against a trusted time server, using the Network Time Protocol (NTP), and to send log files to a remote, dedicated log server.
使用NTP协议定期与一个信任的时间服务器同步本地时钟,并且将日志文件发送到一个台远程的,专用的日志服务器。

After the system is prepared, we can start installing Apache 2.0. The first step is to add a new group and regular user called apache. An example from FreeBSD has been shown below:
系统准备好之后,我们可以开始安装Apache2.0了,第一步需要创建一个新组和用户Apache,在FreeBSD下创建的例子如下:

pw groupadd apache
pw useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin

The Apache child processes will run with the privileges of the group and user apache. Since the above account will be dedicated to the Apache web server, this will provide separation of privileges and avoid potential security problems when several different processes are being run under the same account, e.g. user nobody.
Apache子进程将以apche组和apache用户权限运行,因此上面创建的账户应作为Apache服务器专用,可以防备权限分割和避免当一个账户同时被几个不同的进程使用时潜在的安全问题,例如用户nobody。

Downloading the software
下载软件
Next, the latest version of Apache 2.0 software should be downloaded from the Apache website, and then unpacked. Since we want to disable unnecessary modules during compilation time, it is very important to download the source code, not binaries. It is also important to test the downloaded software against a PGP signature, to make sure that the downloaded version is complete and unmodified.
下一步,可以在Apache站点下载最新的Apache2.0版本,然后解压。因为我们想在编译时禁用掉不需要的模块,所有下载源代码包而不是二进制包非常重要。同时校验下载的软件包PGP签名也非常重要,它可以确保下载的版本完整和未经修改。
lynx http://httpd.apache.org/download.cgi
    <download: httpd-2.0.xx.tar.gz, httpd-2.0.xx.tar.gz.asc, KEYS>
gpg --import KEYS
gpg httpd-2.0.49.tar.gz.asc
    gpg: Good signature from "Sander Striker <striker@apache.org>"
tar zxvf httpd-2.0.49.tar.gz
cd ./httpd-2.0.49/

Choosing Apache's modules
选择Apache模块
After the Apache source code is unpacked, we must choose which modules will remain enabled, and which will be removed. A short description of all modules available in Apache 2.0 can be found at http://httpd.apache.org/docs-2.0/mod/.
在解压Apache源码包后,我们必须选择要启用的模块和要移除的模块。所有Apache2.0有效的模块及简短描述都在http://httpd.apache.org/docs-2.0/mod/找到。
To fulfill the functionality and security requirements assumed at the beginning of this article, we will compile only the following modules:
为了实现本文前面设想的功能和安全要求,我们将仅仅编译以下模块:
---------------------+----------------------------------------------------------------------------------
模块名                     描述
---------------------+----------------------------------------------------------------------------------
core                    The core Apache features, required in every Apache installation.
---------------------+----------------------------------------------------------------------------------
http_core             The core http support, required in every Apache 2.0 installation.
--------------------+---------------------------------------------------------------------------------------
prefork                   Multi-Processing Module (MPM) that implements a non-threaded, pre-forking web server. Can be replaced by other multiprocessing                           module, e.g. worker , threadpool etc. The MPM module is required in every Apache 2.0 installation.
---------------------+---------------------------------------------------------------------------------------
mod_access            Provides access control based on client hostname, IP address, or other characteristics of the client request. Because this module is needed to use "order", "allow" and "deny" directives, it should remain enabled.
--------------------+-----------------------------------------------------------------------------------
mod_auth              Required in order to implement user authentication using text files (HTTP Basic Authentication), which was specified in functionality assumptions.
---------------------+----------------------------------------------------------------------------------
mod_dir                   Required to search and serve directory index files: "index.html", "default.htm", etc.
---------------------+---------------------------------------------------------------------------------------
mod_log_config         Required to implement logging of the requests made to the server.
---------------------+-------------------------------------------------------------------------------------
mod_mime               Required to set the character set, content- encoding, handler, content-language, and MIME types of documents.
---------------------+----------------------------------------------------------------------------------------

Since we want to enable only the minimal number of modules, we will compile all the modules statically. Thanks to that, we will eliminate possibility of occurring vulnerabilities in one more module -- mod_so.
因为我们想启用最少的模块数量,我们将静态编译所有模块,希望那样,我们能消除在一个或更多模块中出现漏洞的可能。
Compiling and installing the software
编译和安装软件
In this step we will configure, compile, and install the Apache web server as follows:
在这一步,我们将使用如下命令配置,编译和安装Apache服务器:
./configure \
--prefix=/usr/local/apache2 \
--with-mpm=prefork \
--disable-charset-lite \
--disable-include \
--disable-env \
--disable-setenvif \
--disable-status \
--disable-autoindex \
--disable-asis \
--disable-cgi \
--disable-negotiation \
--disable-imap \
--disable-actions \
--disable-userdir \
--disable-alias \
--disable-so
make
su
umask 022
make install
chown -R root:sys /usr/local/apache2

After Apache is installed, we should make sure that only the following modules are enabled:
在Apache安装好后,我们将确认仅仅以下模块被启用了:
/usr/local/apache2/bin/httpd -l
Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_log_config.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_dir.c

Configuring Apache
配置Apache
Before running Apache for the first time, we also need to modify the Apache configuration file. We need to do this because the default configuration file uses modules that we disabled, and without modifications Apache will not run.
在第一次运行Apache之前,我们应该修改Apache配置文件,因为默认配置文件会使用我们禁用掉的模块,并且不修改Apache运行不起来。
Thus, we must remove the /usr/local/apache2/conf/httpd.conf file and create a new httpd.conf in its place, with the following content:
因此,我们必须移除/usr/local/apache2/conf/httpd.conf文件并在相同位置创建一个新的httpd.conf文件,文件内容如下:
# =================================================
# Basic settings 基本设置部分
# =================================================
Listen 0.0.0.0:80
User apache
Group apache
ServerAdmin webmaster@www.ebank.lab
UseCanonicalName Off
ServerSignature Off
HostnameLookups Off
ServerTokens Prod
ServerRoot "/usr/local/apache2"
DocumentRoot "/www"
PidFile /usr/local/apache2/logs/httpd.pid
ScoreBoardFile /usr/local/apache2/logs/httpd.scoreboard
<IfModule mod_dir.c>
    DirectoryIndex index.html
</IfModule>

# =================================================
# HTTP and performance settings http和性能设置部分
# =================================================
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
    MinSpareServers 5
    MaxSpareServers 10
    StartServers 5
    MaxClients 150
    MaxRequestsPerChild 0
</IfModule>

# =================================================
# Access control 访问控制部分
# =================================================
<Directory />
Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/www/www.ebank.lab">
    Order allow,deny
    Allow from all
</Directory>
<Directory "/www/www.test.lab">
    Order allow,deny
    Allow from all
</Directory>

# =================================================
# MIME encoding MIME编码设置部分
# =================================================
<IfModule mod_mime.c>
    TypesConfig /usr/local/apache2/conf/mime.types
</IfModule>
DefaultType text/plain
<IfModule mod_mime.c>
    AddEncoding x-compress .Z
    AddEncoding x-gzip .gz .tgz
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType application/x-tar .tgz
</IfModule>

# =================================================
# Logs 日志设置部分
# =================================================
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /usr/local/apache2/logs/error_log
CustomLog /usr/local/apache2/logs/access_log combined

# =================================================
# Virtual hosts 虚拟主机部分
# =================================================
NameVirtualHost *
<VirtualHost *>
    DocumentRoot "/www/www.ebank.lab"
    ServerName "www.ebank.lab"
    ServerAlias "www.e-bank.lab"
    ErrorLog logs/www.ebank.lab/error_log
    CustomLog logs/www.ebank.lab/access_log combined
</VirtualHost>
<VirtualHost *>
    DocumentRoot "/www/www.test.lab"
    ServerName "www.test.lab"
    ErrorLog logs/www.test.lab/error_log
    CustomLog logs/www.test.lab/access_log combined
</VirtualHost>  


Compared to the default configuration file, the following important changes have been made:
与默认的配置文件比较,做了以下重要的修改:

The number of enabled modules has been reduced to minimum.
启用的模块数量被减少到最小了。
Apache's processes (except for the root process) are set to be executed with unique regular user/group privileges.
Apache进程(除了根进程)被设置为以唯一的,正规的用户/组权限进行运行。
Apache discloses the least information about itself as possible.
Apache尽可能暴露了最小的自身信息。
Access rights to the website's content are set to be more restrictive.
访问站点内容的权限被设置了更多限制。
According to our functionality requirements, the above configuration assumes that there are two virtual hosts supported by Apache:
按照我们的功能要求,上面的配置设定了Apache支持两个虚拟主机。

www.ebank.lab (alias: www.e-bank.lab)
www.test.lab
The content of the above virtual hosts will be physically kept under the /www directory, so before running Apache we also need to create the corresponding directories with sample web pages:
上面的虚拟主机的内容将被放在/www目录下,因此在开始运行Apache之前,我们还需要创建对应的目录:
mkdir -p /www/www.ebank.lab
mkdir -p /www/www.test.lab
echo "<html><head><title>eBank.lab</title></head><body>eBank.lab
     works!</body></html>" > /www/www.ebank.lab/index.html
echo "<html><head><title>test.lab</title></head><body>Test.lab
     works!</body></html>" > /www/www.test.lab/index.html
chmod -R 755 /www
chown -R root:sys /www  

We must also prepare directories for storing our log files:
我们还必须为存储日志文件准备目录:
mkdir -p /usr/local/apache2/logs/www.ebank.lab
mkdir -p /usr/local/apache2/logs/www.test.lab
chmod -R 755 /usr/local/apache2/logs
chown -R root:sys /usr/local/apache2/logs  

Finally, we can try to run Apache, and test if everything works properly:
最后,我们试着运行Apache,并测试所有工作是否正常:
/usr/local/apache2/bin/apachectl start

If the www.ebank.lab website is accessible from a web browser, we can shutdown Apache:
如果www.ebank.lab站点能从web浏 ... 可以关闭Apache:
/usr/local/apache2/bin/apachectl stop  

and then proceed to chroot the server. If there are problems, log files should be analyzed, or the truss command (for BSD and Solaris users) should be used, as follows:
然后执行chroot,如果不出现问题,日志文件将被分析,或使用truss命令(BSD和Solaris用户有效),如下:
truss /usr/local/apache2/bin/httpd  

Note that for Linux users, the equivalent command is strace. Either way, analyzing the output of the truss (or strace) command should help with finding the reason of failure.
Linux用户请注意,相同功能的命令是strace,任何情况下,分析truss(或strace)命令的输入对发现问题非常有帮助的。
Chrooting the server
chroot服务器
The next step is to limit the Apache processes' access to the filesystems. The chrooting technique was described in detail in the previous article, so at this point we will simply create a directory structure for our new Apache:
下一步是限制Apache进程访问文件系统,chroot技术在前面已经提到,因此在这里我们将只给出简单的为新的Apache创建目录结构的命令:
mkdir -p /chroot/httpd/dev
mkdir -p /chroot/httpd/etc
mkdir -p /chroot/httpd/var/run
mkdir -p /chroot/httpd/usr/lib
mkdir -p /chroot/httpd/usr/libexec
mkdir -p /chroot/httpd/usr/local/apache2/bin
mkdir -p /chroot/httpd/usr/local/apache2/lib
mkdir -p /chroot/httpd/usr/local/apache2/logs/www.ebank.lab
mkdir -p /chroot/httpd/usr/local/apache2/logs/www.test.lab
mkdir -p /chroot/httpd/usr/local/apache2/conf
mkdir -p /chroot/httpd/usr/local/lib
mkdir -p /chroot/httpd/www  

The owner of all the above directories should be root, and access rights should not allow regular users to perform any changes in these directories:
以上所有目录的所有者都必须是root,并且访问权限不允许被专用用户改变。
chown -R root:sys /chroot/httpd
chmod -R 0755 /chroot/httpd

Next, we will create the special device file, /dev/null:
下一步,我们将创建特殊的设备文件/dev/null。
ls -al /dev/null
  crw-rw-rw- 1 root wheel 2, 2 Mar 14 12:53 /dev/null
mknod /chroot/httpd/dev/null c 2 2
chown root:sys /chroot/httpd/dev/null
chmod 666 /chroot/httpd/dev/null  

We also need to create a /chroot/httpd/dev/log device that is needed for the server to work properly. In the case of our FreeBSD system, the following line should be added to /etc/rc.conf :
我们还需要创建一个/chroot/httpd/dev/log设备,否则服务器无法正常运行,在这里的FreeBSD系统中,下面这一行应被添加到/etc/rc.conf中。
syslogd_flags="-l /chroot/httpd/dev/log"  

In order for the changes to take effect, we also need to restart the syslogd daemon with the new parameter:
为了使改变生效,我们必须用新的参数重新启动syslogd后台进程:
kill `cat /var/run/syslog.pid`
/usr/sbin/syslogd -ss -l /chroot/httpd/dev/log  

The next step is to copy all necessary programs, libraries and configuration files into the new directory tree. In the case of FreeBSD 5.1 the list of required files is as follows:
下一步是拷贝所有必须的程序,库和配置文件到新的目录树,在FreeBSD5.1下需要以下一些文件:
cp /usr/local/apache2/bin/httpd /chroot/httpd/usr/local/apache2/bin/
cp /usr/local/apache2/lib/libaprutil-0.so.9 /chroot/httpd/usr/local/apache2/lib/
cp /usr/local/apache2/lib/libapr-0.so.9 /chroot/httpd/usr/local/apache2/lib/
cp /usr/local/apache2/conf/mime.types /chroot/httpd/usr/local/apache2/conf/
cp /usr/local/apache2/conf/httpd.conf /chroot/httpd/usr/local/apache2/conf/
cp /usr/local/lib/libexpat.so.4 /chroot/httpd/usr/local/lib/
cp /usr/lib/libc.so.5 /chroot/httpd/usr/lib/
cp /usr/lib/libcrypt.so.2 /chroot/httpd/usr/lib/
cp /usr/lib/libm.so.2 /chroot/httpd/usr/lib/
cp /usr/libexec/ld-elf.so.1 /chroot/httpd/usr/libexec/
cp /var/run/ld-elf.so.hints /chroot/httpd/var/run/
cp /etc/hosts /chroot/httpd/etc/
cp /etc/nsswitch.conf /chroot/httpd/etc/
cp /etc/resolv.conf /chroot/httpd/etc/
cp /etc/group /chroot/httpd/etc/
cp /etc/master.passwd /chroot/httpd/etc/passwords  

In the case of other Unix, BSD, Linux and Linux-like systems, the list of required files can be determined by using commands like ldd, strace, truss or strings, as was described in the previous article.
在其他Unix,BSD,Linux和类Linux系统中,可以使用命令ldd,strace,truss或strings来决定需要拷贝哪些文件,前面的文章也描述过了。
After the above steps are done, we need to prepare the password database that must be present in the chrooted filesystem. Thus, from /chroot/httpd/etc/passwords and /chroot/httpd/etc/group we have to remove all the lines except apache. Next, we should build the password database as follows:
以上步骤完成后,我们需要为chroot文件系统准备密码数据库,因此从/chroot/httpd/etc/passwords和/chroot/httpd/etc/group中移除除了apache之外的所有行,下一步,我们将用如下命令来创建密码数据库:
cd /chroot/httpd/etc
pwd_mkdb -d /chroot/httpd/etc passwords
rm -rf /chroot/httpd/etc/master.passwd  

The above commands should be executed when using FreeBSD. In other systems it may be sufficient to edit the /chroot/httpd/etc/passwd and /chroot/httpd/etc/shadow files.
上面的命令在FreeBSD下可以执行。在其他系统下,可以直接编辑/chroot/httpd/etc/passwd 和 /chroot/httpd/etc/shadow 文件
Finally, we can copy the sample website content to the chrooted environment:
最后,我们可以拷贝一个简单的站点内容到chroot环境:
cp -R /www/* /chroot/httpd/www/  

and test if the Apache web server runs correctly:
并且测试Apache服务器运行是否正常:
chroot /chroot/httpd /usr/local/apache2/bin/httpd  

Final steps
If your Apache now works properly, the only thing that is left to do is to create a script that will start Apache during system boot. In order to do this, the apache.sh script can be used, with the following content:
最后一步
如果你的Apache现在工作正常,唯一要做的事情就是创建一个Apache随系统启动的脚本。可以使用apache.sh脚本,内容如下:
#!/bin/sh
CHROOT=/chroot/httpd
HTTPD=/usr/local/apache2/bin/httpd
PIDFILE=/usr/local/apache2/logs/httpd.pid

echo -n " apache"

case "$1" in
start)
      /usr/sbin/chroot $CHROOT $HTTPD
      ;;
stop)
      kill `cat ${CHROOT}/${PIDFILE}`
      ;;
*)
      echo ""
      echo "Usage: `basename $0` {start|stop}" >&2
      exit 64
      ;;
esac

exit 0  


The above script should be copied to the directory where by default startup scripts are held. In the case of FreeBSD it is the /usr/local/etc/rc.d directory. The access rights to that file should be set as follows:
上面的脚本应被拷贝到默认启动脚本目录,在FreeBSD下位置是/usr/local/etc/rc.d目录,脚本文件访问权限应如如下设置:
chown root:sys /usr/local/etc/rc.d/apache.sh
chmod 711 /usr/local/etc/rc.d/apache.sh  

Summary
The main goal of this article was to present a method of securing Apache 2.0 that lets readers mitigate the risk of a successful break-in, even if new vulnerabilities in this software are found. It has been shown how to install Apache with a minimal number of modules, how to set up a more restrictive configuration, and how to implement protection against a large number of exploits by running the web server in a chrooted environment, without the use of any shell programs. And although no method can assure a 100% security, applying the above recommendations will at least make performing a web attack against Apache 2.0 much more difficult, as compared to the default installation.
总结
本文的主要目标是提供一个加固Apache2.0的方法,让读者降低被攻破的风险,甚至在这个软件中发现新的漏洞。它展示了如何以最小化模块安装Apache,如何建立限制设置,如何运用chroot环境实施保护来对付更多的攻击。但是没有一个方法能保证100%安全,实施以上建议以后攻击Apache2.0至少比默认安装变得更加困难。


Relevant links
相关链接
Securing Apache: Step-by-Step: http://www.securityfocus.com/infocus/1694

Securing PHP: Step-by-Step: http://www.securityfocus.com/infocus/1706

Securing MySQL: Step-by-Step: http://www.securityfocus.com/infocus/1726

Apache HTTP Server Project: http://httpd.apache.org

Sample httpd.conf: httpd.conf

Sample apache.sh: apache.sh



About the author

Artur Maj works as a Principal Software Engineer for Oracle Corporation, in the EMEA Mobile, Wireless & Voice Center of Expertise. He is experienced in designing computer systems, performing security audits as well as providing security training. He is also author of many articles and publications devoted to securing computer systems and software against intruders.
您需要登录后才可以回帖 登录 | 注册

本版积分规则

快速回复 返回顶部 返回列表