Article Title: Build a secure Web server under FreeBSD
Preface
When running Web servers, most people would agree that Linux + Mysql + Apache + PHP, an entirely open-source stack, is a good choice. I personally think this is not the whole story: first, you must choose your services according to your application. If you need to run Oracle or other large applications, Linux is a good choice because Oracle supports it better; installing Oracle under FreeBSD is very troublesome. If you run ordinary website applications, I think FreeBSD + Mysql + Apache + PHP is a good choice, because for a website stability and security come first. Otherwise, when your website is defaced you will not know what happened, or the site will be hacked and its data modified or deleted; after all, there is no end of hackers and crackers to guard against. This does not mean that Linux itself is insecure, but many insecure programs are bundled with Linux, and that is what makes it insecure; configured properly, Linux can be just as secure. According to data from the China Network Emergency Response Center (http://www.cert.org.cn) over the past few months, the system most successfully intruded each month is Linux, accounting for more than 60%, followed by Windows at more than 30%; FreeBSD's intrusion rate is only a few percent.
Any system can be very secure or very insecure; the key is what the administrator does with it. There is no safest system in the world, only a safer one. The following article describes building a secure Web server on the FreeBSD platform, in the hope of inspiring network administrators and security enthusiasts; better explanations are welcome.
I. Installation of Systems and Service Programs
1. System Installation
To ensure system security we use the latest FreeBSD release: it is secure and its compatibility is good, though this is largely a matter of personal habit and need. For simplicity, the latest version, FreeBSD 5.3, is used here. I will not go through the whole installation process; readers who are unsure can refer to the FreeBSD Chinese manual (http://www.freebsd.org.cn). The process is not very complex; although it is not as simple as a Windows or Linux installation, it is friendlier than some Unix installs. During installation, the base package and the kernel source must be installed so that the kernel can be recompiled later; if you prefer to install software from ports, install the ports collection too, but try not to install unnecessary programs. If you want to install Webmin and the like, you also need packages such as perl. After the system files are copied, some settings must be configured, such as the IP address and name server. Do not enable IPv6, DHCP or other such services. Do not use the default FTP service; configure /etc/inetd.conf to enable the SSH service for remote management. If you do not want to manage services through the inetd super-server, disable it by adding inetd_enable="NO" to /etc/rc.conf, and set sshd_enable="YES" there to start the SSH daemon. The SSH settings are discussed in detail later.
After the system is installed, close all services except ssh in /etc/inetd.conf, especially telnet and rlogin; otherwise the system may be broken into within a few days. After installation we also recommend upgrading the system, for example using make world or cvsup to update the kernel and ports. This step is like applying patches after installing Windows.
2. Install the Service Program
After the system is installed, we install the application software. Our policy is that the latest software is the safest, for example because older versions may contain overflow vulnerabilities. Basically we want the system to have a database, to serve Web pages, and to allow website files to be managed remotely. The programs we choose are common ones. In addition, for a visual management tool, we can install the browser-based Webmin so that management does not require an ssh client.
The Web server we selected is Apache httpd 2.0.53, the latest version; you can also consider version 1.3, depending mainly on personal habit. Our website is written in PHP, so we install PHP 4.3.11, which is the latest version. If your website program requires PHP5 support, download php 5.0.4. The database is still Mysql, the fastest one; the latest version is 4.0.23. If you need support for foreign keys, transactions, subqueries and stored procedures, consider versions 4.1 and 5.0. Finally, for FTP we chose vsFTPd, because it is the safest and fastest. I tested it on the LAN, and its maximum data rate reached 10 MB/s, while proFTPd only reached 8 MB/s. vsFTPd is excellent for small FTP servers; after all, I have few users and only a few websites to update. If you prefer something simple, you can also consider the FTPd that comes with FreeBSD, whose features and ease of use are also good. If you have many users and high functional requirements, proFTPd, pure-FTPd, wu-FTPd and so on are recommended, although some FTPd implementations are not very secure, so choose carefully.
Server program list:
Apache 2.0.53: http://httpd.apache.org
PHP 4.3.11: http://www.php.net
Mysql 4.0.23: http://dev.mysql.com
vsFTPd 2.0.2: http://vsftpd.beasts.org
In short: the minimum number of services + the minimum number of open ports + the strictest security settings = maximum security. Do not install services that are not needed, such as telnetd and rlogind; they only pose a threat to server security.
The above programs can be installed by manual compilation or from FreeBSD ports; this is a matter of personal preference, and I prefer manual installation. If you do not know how to install Apache + PHP + Mysql, refer to my Blog.
II. System Security Settings
1. User Control
Keep as few users as possible. Our FTP accounts are bound to system accounts, so when adding a user, first create a directory and then point the new user's home directory at it. Suppose I need a user to manage my website and the website lives under /usr/www: the home directory of the newly created user www_user points to /usr/www, and its shell is set to /usr/sbin/nologin, mainly to prevent it from logging on to the system through ssh. At the same time, the FTP password should be made very complex, to prevent hackers from obtaining FTP access by brute force. I also want to say something about the root password. I think it should be at least 10 characters mixing digits, letters and symbols (mine is 18 characters); otherwise it is very insecure. If the password is simple, hackers can brute-force the root account over SSH in a short time, and the system may be cracked within a few days. We recommend changing the root password at least once a month. (It is strongly recommended that ordinary accounts not be allowed to log on to the system, that is, set their shell to /usr/sbin/nologin.)
Generally, if you need root privileges, we recommend creating an unprivileged user in the wheel group and then using su to become root for administration. If hackers crack an ordinary user's password and log on, they still cannot administer the system directly with root privileges; this is a simple line of defence.
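As an added example, not from the original article, the following sh script checks the two rules above against a constructed passwd and group sample: ordinary accounts should have /usr/sbin/nologin as their shell, and only root plus the small wheel-member account should keep an interactive shell. The account names and sample data are assumptions.

```shell
#!/bin/sh
# Added audit check, not from the original article: report accounts whose
# login shell is interactive and which of them are not wheel members.
# Constructed /etc/passwd-style sample (7 fields; the hashes live in
# /etc/master.passwd, so the password field is "*"). Names are made up.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
admin:*:1001:1001:Admin User:/home/admin:/bin/sh
www_user:*:1002:1002:Web content:/usr/www:/usr/sbin/nologin
ftpuser:*:1003:1003:FTP only:/usr/www:/bin/tcsh'

# Constructed /etc/group-style sample: admin is the one su-to-root account.
SAMPLE_GROUP='wheel:*:0:root,admin
www:*:80:
operator:*:5:root'

# Print "user:shell" for every account whose shell is not nologin/false.
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 ":" $7 }'
}

# Print the members of the wheel group, one per line.
wheel_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Interactive accounts other than root that are not in wheel: by the
# article's rule these should have been given /usr/sbin/nologin.
unexpected_shells() {
    members=" $(wheel_members "$2" | tr '\n' ' ') "
    interactive_accounts "$1" | while IFS=: read -r user shell; do
        if [ "$user" = root ]; then continue; fi
        case "$members" in
            *" $user "*) ;;
            *) printf '%s:%s\n' "$user" "$shell" ;;
        esac
    done
}

# On a live host: unexpected_shells "$(cat /etc/passwd)" "$(cat /etc/group)"
```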
2. File Access Control
Sometimes a hacker ends up with a low-privilege user after an intrusion, for example by uploading a WebShell to the system. They may then directly read /etc/passwd and similar files, read /etc/master.passwd, crack the encrypted root password hash, and finally log on with the recovered password. For this reason, some files should be accessible only to root and not to other users, for example uname and gcc. A hacker who obtains a low-privilege user will check the system version, find an overflow program matching that version, and compile it with gcc; if we restrict the hacker's access to uname, gcc and other programs, the pace of the intrusion can be slowed to some extent.
Use chmod to change a file's permissions. For example, to allow only root to access /etc/passwd and /etc/master.passwd:
Set with octal numbers:
# chmod 700 /etc/passwd
# chmod 700 /etc/master.passwd
Set with symbolic modes:
# chmod u+rwx,go-rwx /etc/passwd
# chmod u+rwx,go-rwx /etc/master.passwd
Several important files in the system must have access control set; otherwise they may pose a serious threat.
3. System Service and Port Control
The more ports are open, the more opportunities hackers have to attack; the more services run, the greater the danger, because you cannot know whether a service has a latent or newly discovered vulnerability, so run as few services as possible. For example, sendmail is enabled by default; we recommend disabling it by adding the following to /etc/rc.conf:
sendmail_enable="NONE"
If it is set to "NO", only the pop3 service is disabled and not the smtp service, so it must be set to "NONE".
Apart from Apache, Mysql, vsFTPd and SSH, it is best not to open any other ports or services. The basic method is to run netstat -a to see the open ports and then identify the service behind each one. For example, only ports 21, 22, 80, 3306 and so on should be allowed; any other port must be checked carefully, since it may be a hacker's backdoor or a service that threatens system security. Some services, such as Mysql, do not need to listen for network connections but only for local ones, so socket listening can be disabled; this is explained under Mysql Security Settings. In addition, access to some ports can be controlled through the firewall. For example, if Mysql port 3306 should be reachable only from 192.168.0.1, we add rules in ipfw:
# ipfw add 10001 allow tcp from 192.168.0.1 to 10.10.10.1 3306 in
# ipfw add 10002 deny tcp from any to 10.10.10.1 3306 in
Here 10.10.10.1 is assumed to be the server's own address. The allow rule admits the management host, and the deny rule after it rejects connections to 3306 from anywhere else; an allow rule on its own restricts nothing, since ipfw evaluates rules in number order and the first match wins. This prevents hackers from reaching the Mysql service on the server. The detailed firewall settings are described in the "firewall settings" section below.
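As an added example, not from the original article, this sh script applies the port check above to a constructed netstat -an listing in FreeBSD format: it reports any TCP listener outside the allow-list of 21, 22, 80 and 3306 and warns when Mysql is listening on anything other than 127.0.0.1. The sample listing and the 10.10.10.1 address are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: check a FreeBSD "netstat -an"
# listing against the article's allow-list and confirm Mysql is loopback-only.
# Input is passed as a string so the check runs on the constructed sample;
# on a live host use:  check_listeners "$(netstat -an)"

# Constructed sample in FreeBSD netstat -an format (local address is
# "host.port"; "*" means all interfaces).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.3306                 *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 *.21                   *.*                    LISTEN
tcp4       0      0 *.25                   *.*                    LISTEN
tcp4       0      0 10.10.10.1.22          192.168.0.1.51234      ESTABLISHED
udp4       0      0 *.514                  *.*'

# TCP ports the article allows on this host (FTP, SSH, HTTP, Mysql).
ALLOWED_PORTS='21 22 80 3306'

# Print "address port" for every TCP socket in LISTEN state.
listening_sockets() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ".")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print addr, port
    }'
}

# One warning per listener that is not on the allow-list, plus a warning if
# Mysql (3306) is reachable on anything other than 127.0.0.1.
check_listeners() {
    listening_sockets "$1" | while read -r addr port; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) printf 'port %s: not in allow-list (%s)\n' "$port" "$addr"; continue ;;
        esac
        if [ "$port" = 3306 ] && [ "$addr" != 127.0.0.1 ]; then
            printf 'port 3306: mysql listening on %s, expected 127.0.0.1 only\n' "$addr"
        fi
    done
}
```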
4. Log Management and Control (omitted)