Jailkit on Linux: installation, configuration and usage

Source: Internet
Author: User
Tags chmod fpm http request mkdir ssh file permissions

Jailkit in practice

Jailkit is a set of utilities for quickly creating a limited user account inside a chroot jail. It includes a chroot login shell (jk_chrootsh), a limited shell (jk_lsh), a launcher for running daemons inside the jail (jk_chrootlaunch), and tools for building and populating the jail (jk_init, jk_cp).

Overview

1. Nginx handles the HTTP requests. Nginx runs as www:www and proxies PHP requests to the back-end PHP-FPM; PHP-FPM manages the PHP processes for each user, and a user's PHP processes run with the group nobody.
2. Each user gets SSH access by default so they can manage their files directly. Each SSH user can only reach their own home directory; system-level commands and paths outside the home directory show up as permission denied.
3. Ownership and permissions of the user directory: the user is created as user:nobody, the home directory itself is drwxr-x--x, directories created inside it are set to drwx-r-x and files to -rw--r-- (user is the current user).
4. The system umask and the FTP service umask are set so that files created under the user's home directory get -rw--r-- and directories get drwx-r-x.

Prerequisite: LNMP is already installed.

Download and install Jailkit

cd /soft
wget -c http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
tar zxvf jailkit-2.11.tar.gz
cd jailkit-2.11
./configure
make && make install
cp extra/jailkit /etc/init.d/
chmod 755 /etc/init.d/jailkit
chkconfig jailkit on

Initialize the chroot environment and create a chroot directory:

mkdir -p /home/chroot
chown root:root /home/chroot
chmod 751 /home/chroot

jk_init -v -j /home/chroot sftp scp jk_lsh netutils extendedshell

jk_cp -v /home/chroot /usr/bin/id
jk_cp -v /home/chroot /usr/bin/unzip
jk_cp -v /home/chroot /usr/bin/zip

Create a system user

useradd www -m
echo www:123456 | chpasswd
jk_jailuser -m -n -j /home/chroot/ --shell=/bin/bash www


Check

[root@localhost chroot]# grep www /home/chroot/etc/passwd
www:x:503:503::/home/www:/bin/bash

[root@localhost chroot]# grep www /etc/passwd
www:x:503:503::/home/chroot/./home/www:/usr/sbin/jk_chrootsh
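As an added check (my own helper, not part of Jailkit or of the page's original commands), the following POSIX shell functions verify what the two grep lines above show: the host entry must route through jk_chrootsh with the jail root marked by "/./" in the home field, the in-jail entry must carry the real shell, and uid/gid must agree between the two passwd files. The sample entries are constructed from the output above; check_live_user runs the same four checks against a real host.

```shell
#!/bin/sh
# Added verification helper, not part of Jailkit: checks that a jailed
# account is wired the way the grep output above shows.

# Constructed sample entries copied from the output above.
HOST_ENTRY='www:x:503:503::/home/chroot/./home/www:/usr/sbin/jk_chrootsh'
JAIL_ENTRY='www:x:503:503::/home/www:/bin/bash'

# field LINE N: extract colon-separated field(s) N from a passwd line.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# jail_home_ok HOST_LINE JAILDIR: jk_chrootsh splits the home field at
# "/./" into jail root and in-jail home, so the field must start with
# JAILDIR followed by that marker.
jail_home_ok() {
  case "$(field "$1" 6)" in
    "${2%/}"/./*) return 0 ;;
  esac
  return 1
}

# jail_shell_ok HOST_LINE: the host-side login shell must be jk_chrootsh.
jail_shell_ok() { [ "$(field "$1" 7)" = /usr/sbin/jk_chrootsh ]; }

# inner_shell_ok JAIL_LINE: inside the jail the account gets the real shell.
inner_shell_ok() { [ "$(field "$1" 7)" = /bin/bash ]; }

# ids_match HOST_LINE JAIL_LINE: uid/gid must agree between the two
# passwd files, or ownership shown inside the jail will be wrong.
ids_match() { [ "$(field "$1" 3,4)" = "$(field "$2" 3,4)" ]; }

# check_live_user USER JAILDIR: the same four checks against a real host.
check_live_user() {
  h=$(grep "^$1:" /etc/passwd) || return 1
  j=$(grep "^$1:" "$2/etc/passwd") || return 1
  jail_home_ok "$h" "$2" && jail_shell_ok "$h" &&
    inner_shell_ok "$j" && ids_match "$h" "$j"
}
```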

Create the PHP-FPM configuration file

[root@localhost etc]# cat /application/php-5.3.29/etc/php-fpm.conf

include = etc/fpm.d/*.conf

[global]
pid = /tmp/php-fpm.pid
error_log = log/php-fpm.log
log_level = warning
emergency_restart_threshold = 10
process_control_timeout = 5s
process.max = 500
daemonize = yes
rlimit_files = 51200
rlimit_core = 0
events.mechanism = epoll

Create the PHP-FPM pool

mkdir -p /application/php-5.3.29/etc/fpm.d

cat /application/php-5.3.29/etc/fpm.d/default.conf

[www]

listen = 127.0.0.1:9001
; listen = /usr/local/php5.4/var/run/php-fpm-www.sock
listen.allowed_clients = 127.0.0.1
listen.mode = 0666
listen.owner = www
listen.group = nobody

user = www
group = nobody

chroot = /home/chroot

; Choose how the process manager will control the number of child processes.
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5
pm.max_requests = 1000
request_terminate_timeout = 30s

; Pass environment variables
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/bin
env[TMP] = /var/www/tmp
env[TMPDIR] = /var/www/tmp
env[TEMP] = /var/www/tmp

; Specific PHP ini settings here
php_value[sendmail_path] = "/usr/sbin/sendmail -t -i -f noreply@evlit.com"
php_admin_value[open_basedir] = ".:/var/www:/proc:/tmp"
php_value[include_path] = ".:/var/www:/var/www/include"
php_value[axis2.log_path] = "/var/www/tmp"
php_value[session_pgsql.sem_file_name] = "/var/www/tmp/php_session_pgsql"
php_value[soap.wsdl_cache_dir] = "/var/www/tmp"
php_value[uploadprogress.file.filename_template] = "/var/www/tmp/upt_%s.txt"
php_value[xdebug.output_dir] = "/var/www/tmp"
php_value[xdebug.profiler_output_dir] = "/var/www/tmp"
php_value[xdebug.trace_output_dir] = "/var/www/tmp"
php_admin_value[disable_functions] = "exec,system,passthru,shell_exec,ini_alter,dl,proc_open,proc_exec,proc_close,chroot,scandir,chgrp,chown,ini_restore,dbmopen,dbase_open,curl_multi_exec,multi_exec,gzinflate,parse_ini_file,show_source,escapeshellarg,escapeshellcmd,stream_socket_server,popepassthru,pfsockopen,set_time_limit"

; UPLOAD
php_admin_flag[file_uploads] = On
php_admin_value[upload_tmp_dir] = "/var/www/tmp"
; Maximum allowed size for uploaded files.
php_admin_value[upload_max_filesize] = "50M"
php_admin_value[max_input_time] = "120"
php_admin_value[post_max_size] = "50M"

; LOGS
php_admin_value[error_log] = "/var/www/logs/error.log"
php_admin_value[log_errors] = On
php_admin_value[display_errors] = Off
php_admin_value[html_errors] = Off
php_admin_value[display_startup_errors] = Off
php_admin_value[define_syslog_variables] = "1"
php_value[error_reporting] = "6143"

; Maximum amount of time each script may spend parsing request data
php_value[max_input_time] = "120"

; Maximum execution time of each script, in seconds (php.ini default 30)
php_value[max_execution_time] = "300"

; Maximum amount of memory a script may consume (php.ini default 8M)
php_value[memory_limit] = "128M"

; Sessions: important, reactivate the garbage collector on Debian!
php_value[session.gc_maxlifetime] = "3600"
php_admin_value[session.gc_probability] = "1"
php_admin_value[session.gc_divisor] = "100"

; Security
php_admin_value[session.auto_start] = Off
php_admin_value[mbstring.http_input] = pass
php_admin_value[mbstring.http_output] = pass
php_admin_value[mbstring.encoding_translation] = Off
php_admin_value[expose_php] = Off
php_admin_value[allow_url_fopen] = On
php_admin_value[variables_order] = PGCSE
; Enforce filling PATH_INFO and PATH_TRANSLATED,
; not only SCRIPT_FILENAME
php_admin_value[cgi.fix_pathinfo] = "1"
; 1: will use PATH_TRANSLATED instead of SCRIPT_FILENAME
php_admin_value[cgi.discard_path] = "0"

The actual root directory of the web site:

/home/chroot/home/www

PHP-FPM pool settings

[root@localhost 123]# grep ^chroot /application/php-5.3.29/etc/fpm.d/default.conf
chroot = /home/chroot

nginx.conf configuration

location / {
    root /home/chroot/home/www;
    index index.html index.htm;
}

location ~ \.php$ {
    root /home/chroot;
    fastcgi_pass 127.0.0.1:9001;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /home/www$fastcgi_script_name;
    include fastcgi_params;
}

Because PHP-FPM is chrooted to /home/chroot, the SCRIPT_FILENAME nginx passes is the path as seen inside the jail (/home/www/...), not the host path, and open_basedir must cover it:

[root@localhost conf]# grep 'php_admin_value\[open_basedir\]' /application/php-5.3.29/etc/fpm.d/default.conf
php_admin_value[open_basedir] = ".:/var/www:/proc:/tmp:/home/www"
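An added consistency check for the chrooted pool (my own helper, not Jailkit, PHP-FPM or nginx code): inside the chroot PHP resolves every path relative to /home/chroot, so the SCRIPT_FILENAME nginx passes must lie within open_basedir, and each absolute open_basedir entry must exist under the jail on the host. It takes the page's two open_basedir values as constructed inputs and shows why /home/www had to be appended to the first one.

```shell
#!/bin/sh
# Added consistency check, not Jailkit/PHP-FPM/nginx code: inside the
# chroot PHP resolves every path relative to /home/chroot, so open_basedir
# entries and SCRIPT_FILENAME are jail-relative and must line up.

# Constructed inputs taken from the pool config and nginx location above.
OPEN_BASEDIR_OLD='.:/var/www:/proc:/tmp'
OPEN_BASEDIR_NEW='.:/var/www:/proc:/tmp:/home/www'
SCRIPT_FILENAME='/home/www/index.php'

# in_open_basedir BASEDIRS PATH: PHP permits PATH when it sits under an
# absolute entry (prefix match on a directory boundary). The "." entry
# means the script's own directory and cannot be resolved here, so skip it.
in_open_basedir() {
  old_ifs=$IFS; IFS=:
  for d in $1; do
    case "$d" in /*) ;; *) continue ;; esac
    d=${d%/}
    case "$2" in "$d"|"$d"/*) IFS=$old_ifs; return 0 ;; esac
  done
  IFS=$old_ifs
  return 1
}

# host_path JAILDIR JAILPATH: where a jail-relative path lives on the host.
host_path() { printf '%s%s\n' "${1%/}" "$2"; }

# missing_in_jail JAILDIR BASEDIRS: print each absolute open_basedir entry
# that does not exist under the jail; such entries are dead inside the chroot.
missing_in_jail() {
  old_ifs=$IFS; IFS=:
  for d in $2; do
    case "$d" in
      /*) [ -d "$(host_path "$1" "$d")" ] || printf '%s\n' "$d" ;;
    esac
  done
  IFS=$old_ifs
}
```

Since the pool keeps cgi.fix_pathinfo = 1, also add `try_files $uri =404;` to the `location ~ \.php$` block so that nginx only forwards scripts that actually exist inside the jail.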

With this setup the site's security is considerably improved: the SSH login, the PHP-FPM workers and the web root are all confined to /home/chroot, and open_basedir plus disable_functions restrict PHP further within the jail.
