Jailkit in Practice
Jailkit is a toolset that lets you quickly create a limited user account inside a chroot jail. It provides a chroot login shell (jk_chrootsh) that jails users when they log in, together with utilities for setting up the jail and for running daemons inside it.
Brief description
1. Nginx handles the HTTP request. Nginx runs as www:www and proxies PHP requests to the back-end PHP-FPM. PHP-FPM manages the PHP worker processes for each user; a user's PHP workers run with group nobody.
2. By default every user is given SSH access so they can manage their site directly. Each SSH user is restricted to the files under their own home directory; system-level commands and paths outside the user's home appear as "permission denied".
3. User directory permissions: a user is created with the identity user:nobody (owner user, group nobody). The home directory itself is drwxr-x--x; directories the user creates are set to drwxr-x--- and files to -rw-r-----. (user is the current user)
4. By setting the system umask and the FTP service umask, files created under the user's home directory get the permissions -rw-r----- and directories get drwxr-x---.
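A check for the permission scheme in points 3 and 4, added here as an example and not code from the original article: the octal modes 751/750/640 are my reading of the drwxr-x--x, drwxr-x--- and -rw-r----- strings above, and the sample home directory is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Assumed octal equivalents of the modes described in the text:
#   home directory itself   drwxr-x--x -> 0o751
#   directories under home  drwxr-x--- -> 0o750
#   files under home        -rw-r----- -> 0o640
HOME_MODE, DIR_MODE, FILE_MODE = 0o751, 0o750, 0o640


def audit_home(home):
    """Walk a user's home and return (path, actual, expected) for every
    entry whose permission bits differ from the scheme."""
    violations = []
    mode = stat.S_IMODE(os.lstat(home).st_mode)
    if mode != HOME_MODE:
        violations.append((home, mode, HOME_MODE))
    for root, dirs, files in os.walk(home):
        entries = [(d, DIR_MODE) for d in dirs] + [(f, FILE_MODE) for f in files]
        for name, expected in entries:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not enforced on Linux
            mode = stat.S_IMODE(st.st_mode)
            if mode != expected:
                violations.append((path, mode, expected))
    return violations


def make_sample_home():
    """Constructed sample: build a home under a temp dir with umask 027, which
    yields 750/640 as the text describes, then loosen one file to 0o666."""
    home = os.path.join(tempfile.mkdtemp(), "www")
    old = os.umask(0o027)
    try:
        os.mkdir(home)
        os.chmod(home, HOME_MODE)          # the home dir itself is 751
        os.mkdir(os.path.join(home, "public_html"))
        with open(os.path.join(home, "public_html", "index.php"), "w") as f:
            f.write("<?php echo 'ok';\n")
        bad = os.path.join(home, "config.php")
        with open(bad, "w") as f:
            f.write("<?php\n")
        os.chmod(bad, 0o666)               # world-writable: must be flagged
    finally:
        os.umask(old)
    return home, bad


if __name__ == "__main__":
    sample, _ = make_sample_home()
    for path, actual, expected in audit_home(sample):
        print("%s: %o (expected %o)" % (path, actual, expected))
```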
Prerequisite: LNMP is already installed.
Download and install Jailkit
Source Code
cd /soft
wget -c http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
tar zxvf jailkit-2.11.tar.gz
cd jailkit-2.11
./configure
make && make install
cp extra/jailkit /etc/init.d/
chmod 755 /etc/init.d/jailkit
chkconfig jailkit on
Initialize the chroot environment and create a chroot directory:
Source Code
mkdir -p /home/chroot
chown root:root /home/chroot
chmod 751 /home/chroot
jk_init -v -j /home/chroot sftp scp jk_lsh netutils extendedshell
jk_cp -v /home/chroot /usr/bin/id
jk_cp -v /home/chroot /usr/bin/unzip
jk_cp -v /home/chroot /usr/bin/zip
Create a system user
Source Code
useradd www -m
echo www:123456 | chpasswd
jk_jailuser -m -n -j /home/chroot/ --shell=/bin/bash www
Check:
[root@localhost chroot]# grep www /home/chroot/etc/passwd
www:x:503:503::/home/www:/bin/bash
[root@localhost chroot]# grep www /etc/passwd
www:x:503:503::/home/chroot/./home/www:/usr/sbin/jk_chrootsh
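An added example, not from the original article, that parses the two entries shown above: jk_jailuser writes the host entry with the home directory in the form <jail>/./<home>, which jk_chrootsh splits at the /./ marker to chroot into the jail and then change into the home. The function names and the cross-check between the two files are my own; the sample lines are the ones from the check above.

```python
# Login shell that jk_jailuser sets on the host entry (as shown in the text).
JK_SHELL = "/usr/sbin/jk_chrootsh"


def parse_passwd_line(line):
    """Split one passwd line; for a jk_chrootsh user the home field has the
    form <jail>/./<home-inside-jail>, so jail and inner home are separated."""
    name, _pw, uid, gid, _gecos, home, shell = line.strip().split(":")
    entry = {"name": name, "uid": int(uid), "gid": int(gid),
             "shell": shell, "jail": None, "home": home}
    if shell == JK_SHELL:
        if "/./" not in home:
            raise ValueError("jk_chrootsh user without /./ jail marker: %s" % name)
        jail, inner = home.split("/./", 1)
        entry["jail"] = jail
        entry["home"] = "/" + inner
    return entry


def check_jailed_user(host_line, jail_line, jail="/home/chroot"):
    """Cross-check the host entry against its copy in <jail>/etc/passwd:
    same name/uid/gid, same home inside the jail, host entry pointing at the
    expected jail, and a real shell inside the jail. Returns found problems."""
    host, inner = parse_passwd_line(host_line), parse_passwd_line(jail_line)
    problems = []
    if host["shell"] != JK_SHELL:
        problems.append("host shell is %s, not jk_chrootsh" % host["shell"])
    if host["jail"] != jail:
        problems.append("host entry jails into %s, expected %s" % (host["jail"], jail))
    for key in ("name", "uid", "gid"):
        if host[key] != inner[key]:
            problems.append("%s differs: host %s vs jail %s" % (key, host[key], inner[key]))
    if host["home"] != inner["home"]:
        problems.append("home differs: host %s vs jail %s" % (host["home"], inner["home"]))
    if inner["shell"] == JK_SHELL:
        problems.append("shell inside the jail must be a real shell, not jk_chrootsh")
    return problems


# Sample entries copied from the grep output above.
HOST_LINE = "www:x:503:503::/home/chroot/./home/www:/usr/sbin/jk_chrootsh"
JAIL_LINE = "www:x:503:503::/home/www:/bin/bash"

if __name__ == "__main__":
    print(parse_passwd_line(HOST_LINE))
    print(check_jailed_user(HOST_LINE, JAIL_LINE) or "consistent")
```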
Creating the PHP-FPM configuration file
[root@localhost etc]# cat /application/php-5.3.29/etc/php-fpm.conf
include = etc/fpm.d/*.conf
[global]
pid = /tmp/php-fpm.pid
error_log = log/php-fpm.log
log_level = warning
emergency_restart_threshold = 10
process_control_timeout = 5s
process.max = 500
daemonize = yes
rlimit_files = 51200
rlimit_core = 0
events.mechanism = epoll
B. Creating the PHP-FPM pool
mkdir -p /application/php-5.3.29/etc/fpm.d
cat /application/php-5.3.29/etc/fpm.d/default.conf
[www]
listen = 127.0.0.1:9001
; listen = /usr/local/php5.4/var/run/php-fpm-www.sock
listen.allowed_clients = 127.0.0.1
listen.mode = 0666
listen.owner = www
listen.group = nobody
user = www
group = nobody
chroot = /home/chroot
; Choose how the process manager will control the number of child processes.
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5
pm.max_requests = 1000
request_terminate_timeout = 30s
; Pass environment variables
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/bin
env[TMP] = /var/www/tmp
env[TMPDIR] = /var/www/tmp
env[TEMP] = /var/www/tmp
; Specific PHP ini settings here
php_value[sendmail_path] = "/usr/sbin/sendmail -t -i -f noreply@evlit.com"
php_admin_value[open_basedir] = ".:/var/www:/proc:/tmp"
php_value[include_path] = ".:/var/www:/var/www/include"
php_value[axis2.log_path] = "/var/www/tmp"
php_value[session_pgsql.sem_file_name] = "/var/www/tmp/php_session_pgsql"
php_value[soap.wsdl_cache_dir] = "/var/www/tmp"
php_value[uploadprogress.file.filename_template] = "/var/www/tmp/upt_%s.txt"
php_value[xdebug.output_dir] = "/var/www/tmp"
php_value[xdebug.profiler_output_dir] = "/var/www/tmp"
php_value[xdebug.trace_output_dir] = "/var/www/tmp"
php_admin_value[disable_functions] = "exec,system,passthru,shell_exec,ini_alter,dl,proc_open,proc_exec,proc_close,chroot,scandir,chgrp,chown,ini_restore,dbmopen,dbase_open,curl_multi_exec,multi_exec,gzinflate,parse_ini_file,show_source,escapeshellarg,escapeshellcmd,stream_socket_server,popepassthru,pfsockopen,set_time_limit"
; UPLOAD
php_admin_flag[file_uploads] = On
php_admin_value[upload_tmp_dir] = "/var/www/tmp"
; Maximum allowed size for uploaded files.
php_admin_value[upload_max_filesize] = "50M"
php_admin_value[max_input_time] = "120"
php_admin_value[post_max_size] = "50M"
; LOGS
php_admin_value[error_log] = "/var/www/logs/error.log"
php_admin_value[log_errors] = On
php_admin_value[display_errors] = Off
php_admin_value[html_errors] = Off
php_admin_value[display_startup_errors] = Off
php_admin_value[define_syslog_variables] = "1"
php_value[error_reporting] = "6143"
; Maximum amount of time each script may spend parsing request data
php_value[max_input_time] = "120"
; Maximum execution time of each script, in seconds (30)
php_value[max_execution_time] = "300"
; Maximum amount of memory a script may consume (8MB)
php_value[memory_limit] = "128M"
; Sessions: important, reactivate the garbage collector on Debian!!!
php_value[session.gc_maxlifetime] = "3600"
php_admin_value[session.gc_probability] = "1"
php_admin_value[session.gc_divisor] = "100"
; Security
php_admin_value[session.auto_start] = Off
php_admin_value[mbstring.http_input] = Pass
php_admin_value[mbstring.http_output] = Pass
php_admin_value[mbstring.encoding_translation] = Off
php_admin_value[expose_php] = Off
php_admin_value[allow_url_fopen] = On
php_admin_value[variables_order] = PGCSE
; Enforce filling PATH_INFO & PATH_TRANSLATED
; and not only SCRIPT_FILENAME
php_admin_value[cgi.fix_pathinfo] = "1"
; 1: will use PATH_TRANSLATED instead of SCRIPT_FILENAME
php_admin_value[cgi.discard_path] = "0"
The actual root directory of the web site on the host:
/home/chroot/home/www
PHP-FPM pool settings
[root@localhost 123]# grep ^chroot /application/php-5.3.29/etc/fpm.d/default.conf
chroot = /home/chroot
nginx.conf configuration
location / {
    root /home/chroot/home/www;
    index index.html index.htm;
}
location ~ \.php$ {
    root /home/chroot;
    fastcgi_pass 127.0.0.1:9001;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /home/www$fastcgi_script_name;
    include fastcgi_params;
}
[root@localhost conf]# grep 'php_admin_value\[open_basedir\]' /application/php-5.3.29/etc/fpm.d/default.conf
php_admin_value[open_basedir] = ".:/var/www:/proc:/tmp:/home/www"
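How the three paths fit together, as an added example that is not part of the original article: PHP-FPM is chrooted to /home/chroot, so the SCRIPT_FILENAME that nginx sends (/home/www/...) is resolved inside the jail while the file really lives under /home/chroot/home/www, and open_basedir is evaluated in jail coordinates, which is why /home/www had to be appended to it. The open_basedir check below is a simplified prefix model (an assumption, not PHP's exact implementation; the "." entry is ignored), and all function names are my own.

```python
import posixpath

# Values taken from the configuration shown in the text.
CHROOT = "/home/chroot"                    # php-fpm pool: chroot =
SCRIPT_FILENAME_PREFIX = "/home/www"       # nginx: fastcgi_param SCRIPT_FILENAME /home/www$fastcgi_script_name
SITE_ROOT_HOST = "/home/chroot/home/www"   # real document root on the host
BEFORE = ".:/var/www:/proc:/tmp"           # open_basedir as first written in the pool
AFTER = ".:/var/www:/proc:/tmp:/home/www"  # open_basedir after the correction above


def script_paths(uri):
    """Return (path PHP-FPM sees inside the jail, path on the host) for a
    request URI. The root of the \\.php$ location does not matter here because
    SCRIPT_FILENAME is built from a fixed prefix plus $fastcgi_script_name."""
    path = uri.split("?", 1)[0]
    script = posixpath.normpath("/" + path.lstrip("/"))   # nginx merges ../ and //
    if path.endswith("/"):                                # fastcgi_index index.php
        script = posixpath.join(script, "index.php")
    in_jail = SCRIPT_FILENAME_PREFIX + script
    on_host = CHROOT + in_jail                            # chroot prefixes every open()
    return in_jail, on_host


def open_basedir_allows(open_basedir, in_jail_path):
    """Simplified model of open_basedir: the path must lie under one of the
    listed directories. '.' is skipped (assumption: it is resolved at run time
    against the working directory and cannot be checked statically)."""
    for base in open_basedir.split(":"):
        base = base.strip()
        if base in ("", "."):
            continue
        base = posixpath.normpath(base)
        if in_jail_path == base or in_jail_path.startswith(base.rstrip("/") + "/"):
            return True
    return False


def request_is_served(uri, open_basedir):
    """True only if the script resolves inside the site root on the host and
    open_basedir, checked in jail coordinates, permits it."""
    in_jail, on_host = script_paths(uri)
    inside_site = on_host.startswith(SITE_ROOT_HOST + "/")
    return inside_site and open_basedir_allows(open_basedir, in_jail)


if __name__ == "__main__":
    print(script_paths("/index.php"))
    print("before:", request_is_served("/index.php", BEFORE))
    print("after: ", request_is_served("/index.php", AFTER))
```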
In this way, the security of the site is improved considerably.