All services in Chroot Linux

Source: Internet
Author: User
Tags postgresql function perl script
What is chroot? Chroot basically defines the running environment of a program. More specifically, it redefines the "root" directory or "/" of a program (or login session).
That is to say, for a chroot program or shell, directories outside the chroot environment do not exist.

So what's the purpose? If intruders intrude into your computer, they will not be able to see all the files in your system.
In this way, intruders may be restricted from executing commands, thus prohibiting them from overwriting insecure files. But the only drawback is that,
I think this cannot prevent them from viewing network connections and other information. Therefore, you should do something that is not deeply involved in this article:

Protect Network Ports.

Check whether all services run with non-root permissions. In addition, are all services chroot?

Transfers System logs to other computers.

Analyze log files.

Analyze people trying to detect random ports on your computer.

Restrict the CPU and memory resources occupied by the Service.

Activate the user quota.

In my opinion, the reason why chroot can be used as a security defense line is,
If the intruders get a non-root account but do not get the root permission for the files, they can only cause damage to the intruded areas.
Moreover, if the root account is the owner of most files in the intrusion region, there are not many attacks for intruders. Apparently, if your account is compromised,
There must be something wrong, but it is best to reduce the damage that intruders can cause.

Remember that what I did is not 100% correct. This is my first attempt to do so, even if it is only partially valid,
It should also be easy to complete basic configurations. I want to be a chroot howto. Now I am talking about some basic things.

How can we make all services chroot?

Okay, let's create a directory "/chroot" first, and put all our services under it in the following format:

Syslogd runs together with each service in the hroot environment.

Apache runs under/chroot/httpd.

Ssh runs under/chroot/sshd.

PostgreSQL runs under/chroot/postmaster.

Sendmail runs in the chroot environment, but unfortunately it must run as root.

Ntpd runs under/chroot/ntpd.

Named runs under/chroot/named.
Every service is completely isolated from the outside world.

The Perl script used to create the chroot environment.

Download href = "http://main.linuxfocus.org/common/src/article225/Config_Chroot.pl.txt"> Config_Chroot.pl.txt and rename it Config_Chroot.pl. This Perl script lets you list all installed services, view configuration files, configure services, and start and stop services. Generally, this is what you should do.

Create a chroot directory
Mkdir-p/chroot/Config/Backup

Download href = "http://main.linuxfocus.org/common/src/article225/Config_Chroot.pl.txt"> Config_Chroot.pl.txt
And renamed it/chroot/Config_Chroot.pl.

If your home directory is not/chroot, change the $ Home variable in the Perl script accordingly.

Download my href = "http://main.linuxfocus.org/common/src/article225/"> configuration file.

Now, it is important that I only
7.2 and RedHat 6.2 have been tested ..

Make changes in the Perl script to adapt to your release.

I wrote a long article about chroot, but with my script, it became much shorter. After many chroot services, I noticed that the files and configurations for chroot services are similar. For a specific service, the easiest way to determine which files need to be copied is to view man. If the program needs to use library files, enter "ldd/usr/bin/file". You can also run the chroot command on the service you are installing and start it manually to check the error or check its log file.

You can install a Service as follows:

Cd/chroot
./Config_Chroot.pl config SERVICE
./Config_Chroot.pl install SERVICE
./Config_Chroot.pl start SERVICE

Chroot Ntpd

Ntpd is a time service that Synchronizes time between your computer and other computers. It is very easy to chroot it.

Cd/chroot
# If you do not use my configuration file, remove the comments in the next line.
#./Config_Chroot.pl config ntpd
./Config_Chroot.pl install ntpd
./Config_Chroot.pl start ntpd

Chroot DNS and named

The howto file already exists. Please refer
Href = "http://www.linuxdoc.org/HOWTO/Chroot-BIND8-HOWTO.html"> http://www.linuxdoc.org/HOWTO/Chroot-BIND8-HOWTO.html

Or
Href = "http://www.linuxdoc.org/HOWTO/Chroot-BIND-HOWTO.html"> http://www.linuxdoc.org/HOWTO/Chroot-BIND-HOWTO.html

If you want to use my script

Cd/chroot
# If you do not use my configuration file, remove the comments in the next line.
#./Config_Chroot.pl config named
./Config_Chroot.pl install named
./Config_Chroot.pl start named

Perform chroot with Syslog and other services, as well as the difficulties I encountered.

I want to chroot syslogd. The difficulty I encountered is that syslogd uses the/dev/log directory by default, and the chroot service cannot see this directory. Therefore, it is not convenient to use syslogd for logging. The following are possible solutions.

Perform the chroot operation on syslogd and each service respectively. I actually tested it in this way and recorded some logs. I don't like this because I have a service that runs with root permissions.

Check whether we can connect to an external Logging Device.

Directly record logs to files instead of syslogd. This may be the best security option, although intruders can modify logs if they are intruded.

Configure syslogd to view a few places to get all services. You can use the-A option of syslogd to do this.

My only solution is to ensure that syslogd performs the chroot operation on each service separately. I like this solution. It records logs in its own chroot environment (such as network ports) with non-root permissions. This may be feasible, but I am stopping what I do and then seeking for a better solution.

If you do not want to assign an independent syslogd to each service, run the following command at the beginning of syslogd when your system runs syslogd:

Syslogd-A/chroot/service/dev/log

If SSH and DNS are running, it looks like this:
Syslogd-A/chroot/ssh/dev/log-A/chroot/named/dev/log-A/dev/log

For Syslogd, I want to say that I want it to run under a non-root account. I tried a few simple things,
But they failed, so they gave up. If syslogd can run with each service under a non-root account,
I will be satisfied with my security measures. If possible, it is best to record the log to an external device.

Chroot Apache

Very simple. Once I run it, I can execute the Perl script. Now, my configuration file is very long,
Because I have to include Perl and PostgreSQL function libraries in the chroot environment. One thing to note: If you want to connect to the database,
Make sure that your database service runs on the 127.0.0.1 loopback device, and specify the host as 127.0.0.1 In the Perl script about DBI.
The following example shows how to connect Apache to a database permanently:

$ Dbh | = DBI-> connect (dbi: Pg: dbname = DATABASE, "", "", {PrintError => 0 });

If ($ dbh) {$ dbh-> {PrintError} = 1 ;}
Else
{$ Dbh | = DBI-> connect (dbi: Pg: dbname = DATABASE; host = 127.0.0.1 ,"","",
{PrintError => 1 });}

Source Address: http://httpd.apache.org/dist/httpd/

Compile and install apache in the/usr/local/apache directory of your system, and then run the Perl script.

Cd/chroot
# If you do not use my configuration file, remove the comments in the next line.
#./Config_Chroot.pl config httpd
./Config_Chroot.pl install httpd
./Config_Chroot.pl start httpd

The httpd. conf file contains the following lines:
ExtendedStatus On

<Location/server-status>
SetHandler server-status
Order deny, allow
Deny from all
Allow from 127.0.0.1
</Location>

<Location/server-info>
SetHandler server-info
Order deny, allow
Deny from all
Allow from 127.0.0.1
</Location>

Then, enter http: // 127.0.0.1/server-status or
Http: // 127.0.0.1/server-info and check!

Chroot over Ssh

First, it would be ideal to redirect ssh from port 22 to port 2222. Then, when you start ssh,
Let it listen to port 2222 under a non-root account. When initializing an ssh connection, we only want to connect a security account with a password, but do not do anything else.
After they log on, the second ssh program running on port 127.0.0.1: 2222 connects them to the real system-the second ssh program should only listen on the loopback device.
This is what you should do. We don't plan to do it now. The only thing we need to do is use the chroot ssh as an example.
The exercise mentioned above should be completed by the reader: Let the sshd run under a non-root account, and then install the sshd of the second listening loop device to connect people to the real system.

In addition, we only need to chroot ssh and let you have a look at the results (if you only do this, you do not have to observe the entire system ).
Of course, it would be better to record logs on external devices. We should use OpenSSH, but for convenience (this does not seem to be a good excuse), I use a commercial SSH.

Source Address: http://www.ssh.com/products/ssh/download.cfm

Install ssh and run the script under/usr/local/ssh_chroot.

Cd/chroot
# If you do not use my configuration file, remove the comments in the next line.
#./Config_Chroot.pl config sshd
./Config_Chroot.pl install sshd
./Config_Chroot.pl start sshd

I think the real benefit of placing ssh in the chroot environment is that if you replace the ftp server with it, people only have limited permissions in your region.
Rsync and SCP run very well when people upload files. I am not very fond of setting up an ftp server for people to log on. Many ftp servers run in the chroot environment,
But I don't like the plaintext password they still send.

Chroot PostSQL

This is almost as simple as perl, except that it requires some additional function libraries. In general, this is not difficult to do.
One thing I have to do is to put PostgreSQL on the network, but only on the loopback device. Because it is chroot,
Therefore, other services that are already chroot cannot be connected to them, just like apache on the web server.
I compiled Perl into PostgreSQL, so I have to add a lot of Perl stuff to my configuration file.

Source code: href = "ftp://ftp.us.postgresql.org/source/v7.1.3/postgresql-7.1.3.tar.gz"> ftp://ftp.us.postgresql.org/source/v7.1.3/postgresql-7.1.3.tar.gz

Compile and install apache in the/usr/local/postgres directory in your system. Then run the Perl script.

Cd/chroot
# If you do not use my configuration file, remove the comments in the next line.
#./Config_Chroot.pl config postgres
./Config_Chroot.pl install ipvs
./Config_Chroot.pl start postgres

Run Sendmail for Chroot

Execute my Perl script.
Cd/chroot
# If you do not use my configuration file, remove the comments in the next line.
#./Config_Chroot.pl config sendmail
./Config_Chroot.pl install sendmail
./Config_Chroot.pl start sendmail

What have you found? Yes, he still runs with the root account. In addition, when sendmail is started, the program/etc/rc. d/init. d/sendmail will recreate some files.
My script does not solve this problem. At any time, if you have made any changes under/etc/mail, copy the changed files to the/chroot/sendmail/etc directory.
You must also direct/var/spool/mail to/chroot/sendmail/var/spool/mail for sendmail programs and users (when they log in) see the same file.

Fortunately, you can send emails at any time. problems may occur only when you receive emails. Therefore, I can install sendmail and apache together without any problems.
Some of my Perl scripts will send emails out, so I want to copy the sendmail program to apache's chroot environment.

Other things about Chroot.

My point is as follows:

Your machine includes sendmail, ssh, apache,
All services, including postgresql and syslog, must run in the chroot environment.

Every service must run with a non-root Account (you may need to redirect protected ports to unprotected ports. This includes sendmail and syslog.

Logs should be kept away from the site.

Each service is assigned a disk quota to limit the disk occupied by intruders. When the disk is full, you should install the file system for some services on the loopback device.

The owner of all files that do not need to be modified should be the root account.
Now, speaking of sendmail and syslogd, I still think they should not run under the root account.
This may be possible for sendmail, but I found it extremely difficult to run it under a non-root account. At least I have not succeeded.
I think sendmail cannot run under a non-root account. It should be a very serious error. Although I know it is very difficult to make it run under a non-root account,
But I think all the difficulties can be solved. As long as the File Permission problem is solved, I don't think sendmail needs to run with root permission.
I must have ignored something. I don't believe that these obstacles are insurmountable.

I have not tried syslog, but I think it is feasible to record logs with a non-root account.
At least I can record logs for each service in the chroot environment.

All services must run under non-root accounts, or even NFS. Remember, it is all services.

Suggestions

Run two sshd Daemon Processes and perform Secondary Logon.

Try to make sendmail or other emails run under a non-root account.

Delete unnecessary function libraries under/lib. I copied the library I needed. In fact, you don't need most of them.

Use syslogd for remote logging to check whether syslogd can connect to the network port and obtain logs of all services running on the network port of the loopback device.
Check whether syslogd can run in a non-root account.

Conclusion

I think chroot is so cool for all services. I think it should be a big mistake not to allow all services to run in a non-root account chroot environment.
I hope that the major releases should do this, and of course, other releases should do the same. Since Mandrake started and developed with RedHat compatibility, people can follow Mandrake's example,
Expand chroot Based on others. I think this is feasible, because in GNU/Linux, nothing will prevent you from redo the work of others.
If a company wants all the services of chroot and creates an environment for people to easily manage the services of chroot, it has an ideal release.
Remember, Linux is becoming mainstream and people don't want to see the command line any more. So if everything can be done in the gui environment, people don't need to understand the internal structure,
And you don't need to know what is running, as long as they can configure and know that this is effective.

I absolutely support running all services in a non-root chroot environment, and I will not consider using it in a production environment.
I am making all the services run in the chroot environment and try my best to make more and more things run like this-in the end, I will achieve my ideal.

I plan to write a HOWTO for chroot. I am sending a request. I hope someone can convert my article to the LyX format so that it can be put on Linux's HOWTO.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.