Preface
When running a web server, most people agree that the all-open-source Linux + MySQL + Apache + PHP stack is a good choice, but I personally think that is unreasonable: first decide what you need to run, and choose the system to fit the application. If you need to run a large application such as Oracle, Linux is a good option, because Oracle is better supported there and installing it under FreeBSD is a hassle. If you are running an ordinary website, I think FreeBSD + MySQL + Apache + PHP is the better choice, because for a website stability and security come first; otherwise your site gets defaced without you knowing what happened, or it is hacked and the data modified or deleted, which is bad, given how many script kiddies and hackers there are now. This is not to say that Linux is insecure; rather, a lot of insecure programs run on Linux, and they make it insecure, but configured properly Linux can be very secure. In the figures from the China Network Emergency Response Center (http://www.cert.org.cn) for recent months, the system most often successfully broken into each month is Linux, at more than 60%, followed by Windows at more than 30%, while FreeBSD accounts for only a few percent of the intrusions.
Any system can be very secure or very insecure; the key is what the administrator does. There is no safest system in the world, only a more secure one. The article below describes building a more secure web server on the FreeBSD platform. I hope it gives network administrators and security enthusiasts some inspiration; consider it a starting point, and I would welcome better articles on the subject.
I. Installation of systems and service programs
1. System Installation
To keep the system secure we will use the latest FreeBSD release: security first, and compatibility is better too; this is largely a matter of personal habit and need. For simplicity we install the latest version, FreeBSD 5.3. I will not go through the whole installation; if anything is unclear, refer to the FreeBSD Chinese handbook (http://www.freebsd.org.cn). The process is not very complicated: not as simple as installing Windows or Linux, but much friendlier than some UNIX installs. Be sure to install the base distribution and the kernel source code, so that the kernel can be recompiled later; if you like installing software from ports, install the ports collection too, but leave out as many unnecessary programs as possible. If you want to install Webmin or similar, you will also need Perl and related packages. After the system files have been copied, some settings are required, such as the IP address and name servers. Do not enable IPv6, and skip DHCP and other services you do not need. Do not use the system's default FTP service. In /etc/inetd.conf, enable the SSH service so that we can manage the machine remotely; if you prefer not to run it under inetd, turn inetd off by adding inetd_enable="NO" to /etc/rc.conf and set sshd_enable="YES" to start sshd directly. SSH settings are covered in detail later.
After the system is installed, shut down everything in /etc/inetd.conf except the SSH service, especially telnet and rlogin; be careful here, or the system may well be broken into within a few days. It is also recommended that you upgrade the system afterwards, for example using make world or CVSup to update the kernel and the ports tree. This step is roughly the equivalent of patching Windows after installation.
2. Service program installation
After the system is installed, we begin installing our application software. Our policy is to use the latest software, because it is the most secure; for example, it avoids the overflows found in some older versions. We basically want the system to have a database, to handle web service, and to provide FTP service for remote management of the website files. The programs we choose are the common ones. In addition, to have a visual management tool, we can also install the browser-based management tool Webmin, which is convenient when no SSH client is at hand.
For the web service we choose Apache httpd 2.0.53, the latest version; you can also consider the 1.3 series, mainly a matter of personal habit. Our website is written in PHP, so we install PHP 4.3.11, also the latest version; if your site needs PHP 5 support, download php 5.0.4. The database is the fast MySQL, version 4.0.23, the latest; if you need foreign keys, transactions, subqueries, stored procedures and so on, consider the 4.1 and 5.0 versions. Finally, for FTP we choose vsftpd, because it is the most secure and fast: in my LAN tests it reached a top transfer rate of 10mb/s while proftpd managed only 8mb/s. vsftpd suits a small FTP server very well; after all, I do not have many users, just a few who update sites. If you prefer simplicity and convenience, you can also consider FreeBSD's own ftpd, whose features and ease of use are also good. If you have more users and higher functional requirements, consider proftpd, pure-ftpd, wu-ftpd and so on, but some FTP daemons are not very secure, so choose carefully.
List of server programs:
Apache 2.0.53 Download Address: http://httpd.apache.org
PHP 4.3.11 Download Address: http://www.php.net
Mysql 4.0.23 Download Address: http://dev.mysql.com
VSFTPD 2.0.2 Download Address: http://vsftpd.beasts.org
In any case, fewest services + fewest ports + careful settings = maximum security. Try not to install services you do not need, such as telnetd and rlogind; they only pose a threat to server security.
The programs above can be installed by compiling them by hand or from FreeBSD ports, as you prefer; I personally prefer manual installation. If you are unsure of the details, see the article on my blog about installing Apache + PHP + MySQL.
II. System security settings
1. User control
Keep as few users as possible. Our FTP accounts are tied to system accounts, so when we add a user we first create a directory and then point the new user's home directory at it. Suppose I need a user who can manage my site, and the site lives in /usr/www: then the new user www_user has its home directory pointed at /usr/www and its shell set to /usr/sbin/nologin, mainly to stop it from logging into the system over SSH. At the same time, give the FTP account a very complex password, so that attackers cannot obtain FTP access by brute force. As for the root password, I think it should be no shorter than 10 characters and mix digits, letters and punctuation (mine is 18 characters); otherwise it is very unsafe: with a simple password, a short brute-force attack on root over SSH can compromise the system within a few days. It is also recommended that the root password be changed at least once a month. (It is strongly recommended that ordinary accounts have no system access: set their shell to /usr/sbin/nologin.)
In general, if you need root privileges, create a small user belonging to the wheel group, log in as that user and then use su to become root for administration. Then even if an attacker gets into the system through one of our ordinary users, they still cannot administer it with root privileges directly. This is a simple precaution.
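As an added example (not from the original article), the following script audits a passwd(5)-style file for accounts that still have an interactive shell, lists who is in wheel, and prints the pw(8) command that creates a site-maintenance account the way described above. The passwd and group contents are constructed samples; on a real FreeBSD host you would feed it /etc/passwd and /etc/group. The account names admin and backup are made up for the sample.

```sh
#!/bin/sh
# Added example, not code from the original article.

# Constructed sample in /etc/passwd format: name:pw:uid:gid:gecos:home:shell
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
www_user:*:1001:1001:Site updater:/usr/www:/usr/sbin/nologin
admin:*:1002:1002:Admin (su to root):/home/admin:/bin/sh
backup:*:1003:1003:Left over from migration:/home/backup:/bin/csh'

# Constructed sample in /etc/group format: name:pw:gid:members
SAMPLE_GROUP='wheel:*:0:root,admin
www:*:80:
operator:*:5:root'

# Print the names of accounts other than uid 0 whose shell is not a no-login
# shell. Reads passwd-format text on stdin, prints one name per line.
interactive_accounts() {
    awk -F: '$3 != 0 && $7 !~ /(nologin|\/bin\/false)$/ { print $1 }'
}

# Print the members of the wheel group, i.e. the accounts allowed to su to root.
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Build the pw(8) command that creates a site-maintenance account: home
# directory pointing at an existing web root, no login shell. Printed rather
# than executed so the script is safe to run anywhere; set the FTP password
# afterwards with passwd(1).
add_site_user_cmd() {
    printf 'pw useradd %s -d %s -s /usr/sbin/nologin\n' "$1" "$2"
}

echo "accounts that can still log in interactively (review each one):"
printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
echo "wheel members (can su to root):"
printf '%s\n' "$SAMPLE_GROUP" | wheel_members
echo "command to create the site updater:"
add_site_user_cmd www_user /usr/www
```

On a live system run it as `sh audit.sh`, replacing the sample variables with `cat /etc/passwd` and `cat /etc/group`; any name printed by the first check that is not a wheel member you actually use should have its shell switched to /usr/sbin/nologin.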
2. File access control
Sometimes an attacker gains a low-privileged user on the system, for example through a webshell, and can then read /etc/passwd and similar files directly, view /etc/master.passwd, crack the encrypted root password hash and log into the system with it. So we must restrict some files so that only root can access them and other users cannot. The same goes for uname and gcc: an attacker with a low-privileged user will check the system version, find an overflow program matching that version and compile it with gcc; if we can block access to uname and gcc, we slow the attacker down to some extent.
Use chmod to change a file's permissions. For example, to allow only root to access /etc/passwd and /etc/master.passwd:
Using octal modes:
# chmod 700 /etc/passwd
# chmod 700 /etc/master.passwd
Using symbolic modes:
# chmod u+rwx,go-rwx /etc/passwd
# chmod u+rwx,go-rwx /etc/master.passwd
Several important files in the system need their access rights set and must be kept under control; otherwise they constitute a major threat.
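As an added example (not part of the original article), here is a small audit that checks sensitive files against the owner and mode you intend, which is worth running before and after any chmod. The files are constructed in a temporary directory so the script runs anywhere; on a live FreeBSD host you would list real paths. Note that FreeBSD already ships /etc/master.passwd as root-owned mode 600, while /etc/passwd holds no hashes and is read by tools such as ls and id to map uids to names, so check what you have before making it unreadable to other users.

```sh
#!/bin/sh
# Added example, not code from the original article.

# Symbolic mode as ls prints it, e.g. "-rw-------". Uses ls rather than stat
# because the stat flags differ between FreeBSD and GNU.
mode_of() {
    ls -ld "$1" | awk '{print substr($1, 1, 10)}'
}

# Owner name as ls prints it.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Check one file against an expected owner and symbolic mode.
# Prints "ok PATH" or "MISMATCH ..." and returns 1 on mismatch.
audit_file() {
    path=$1; want_owner=$2; want_mode=$3
    have_owner=$(owner_of "$path"); have_mode=$(mode_of "$path")
    if [ "$have_owner" = "$want_owner" ] && [ "$have_mode" = "$want_mode" ]; then
        printf 'ok %s\n' "$path"
    else
        printf 'MISMATCH %s owner=%s mode=%s (want %s %s)\n' \
            "$path" "$have_owner" "$have_mode" "$want_owner" "$want_mode"
        return 1
    fi
}

# Return 0 if a symbolic mode grants anything at all to group or other.
group_or_other_access() {
    case "$1" in
        ????------) return 1 ;;
        *)          return 0 ;;
    esac
}

# Demonstration on a constructed file standing in for /etc/master.passwd.
demo_dir=$(mktemp -d)
me=$(id -un)
: > "$demo_dir/master.passwd"
chmod 644 "$demo_dir/master.passwd"          # too wide: hashes readable by everyone
audit_file "$demo_dir/master.passwd" "$me" -rw------- || :
chmod 600 "$demo_dir/master.passwd"          # corrected
audit_file "$demo_dir/master.passwd" "$me" -rw-------
rm -rf "$demo_dir"
```

For a real host, replace the demonstration with a table of paths and expected values (for example /etc/master.passwd root -rw------- and /etc/spwd.db root -rw-------) and run it from cron so drift is reported.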
3. System services and port control
The more ports are open, the more opportunities an attacker has to break in; the more services, the greater the danger, because you do not know whether those services have latent vulnerabilities or newly discovered ones. So run as few services as possible. For example, sendmail is on by default, and I suggest you turn it off by adding the following to /etc/rc.conf:
sendmail_enable="NONE"
If it is set to "NO", only the POP3 service is turned off and SMTP keeps running, so set it to NONE.
Apart from Apache, MySQL, vsftpd and SSH, it is best not to open any other ports or services. The basic method is to use netstat -a to view the open ports and then trace each port back to its service. We should allow only ports 21, 22, 80 and 3306 to be open; if there are others, check them carefully: they could be an attacker's backdoor or a service that threatens system security. At the same time, some services, MySQL for instance, do not need to listen for network connections and only need local ones, so their network socket can be turned off; this is explained in the MySQL security settings. In addition, the firewall can control access to individual ports and connection states. For example, to allow only 192.168.0.1 to reach MySQL's port 3306, add rules to ipfw:
# ipfw add 10001 allow tcp from 192.168.0.1 to 10.10.10.1 3306
# ipfw add 10002 deny tcp from any to 10.10.10.1 3306
The first rule admits the trusted host and the second blocks everyone else (assuming the server's address is 10.10.10.1), so attackers cannot reach the MySQL service on the server. Firewall configuration is explained in more detail below under "Firewall settings".
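The port check described above, as an added example that is not part of the original article: it reads netstat output, lists listening TCP ports outside an allow-list, and separately lists the ports bound to every interface, which is how you spot a service such as MySQL that should only listen locally. The listing is a constructed sample in FreeBSD "netstat -an" format (port 5555 is made up for the sample); on a live host you would pipe the real command in.

```sh
#!/bin/sh
# Added example, not code from the original article.
# Live usage:  netstat -an | unexpected_listeners "21 22 80 3306"

# Constructed sample output of "netstat -an" on FreeBSD.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.3306         *.*                    LISTEN
tcp4       0      0  *.21                   *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  10.10.10.1.22          192.168.0.1.4312       ESTABLISHED
tcp4       0      0  *.5555                 *.*                    LISTEN
udp4       0      0  *.514                  *.*'

# Print "PORT LOCALADDRESS" for every listening TCP socket whose port is not in
# the space-separated allow-list given as $1. Reads netstat output on stdin.
unexpected_listeners() {
    awk -v allow=" $1 " '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, parts, ".")     # FreeBSD joins host and port with a dot
            port = parts[n]
            if (index(allow, " " port " ") == 0) print port, $4
        }'
}

# Print the ports of listening TCP sockets bound to all interfaces ("*").
# Anything here that only needs local clients (e.g. MySQL) should be rebound
# to 127.0.0.1 or have its network listener disabled.
wildcard_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /^\*\./ {
        n = split($4, parts, "."); print parts[n]
    }'
}

echo "listening ports outside the allow-list:"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "21 22 80 3306"
echo "ports reachable from the network:"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
```

With the sample input the first check reports ports 25 (sendmail still running) and 5555 (unknown, to be investigated), and the second shows that 3306 is absent because MySQL is bound to 127.0.0.1 only.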
4. Log management and control
5. File fingerprint detection
A file's fingerprint is its basic information: permissions, owning user and group, last modification date, size and so on. These details matter, because an attacker will generally modify files after breaking in, and the fingerprint then no longer matches. A file's MD5 checksum is another kind of fingerprint.
To catch tampering with core system files such as /etc/passwd, /etc/shadow and /etc/inetd.conf, we can back up the important files and record the fingerprints of the files currently in place, for example for the files under /etc, /bin and /usr/bin:
# ls -l /etc > /var/back/etc.txt
# ls -l /bin > /var/back/bin.txt
# ls -l /usr/bin > /var/back/usrbin.txt
Of course, you can also record an MD5 checksum for each important file and compare it whenever something feels wrong, to confirm that the file is intact.
Back up any directory you feel needs a fingerprint record; this is generally for detecting an intrusion and recovering the system afterwards. For example, modification times can show whether there was an intrusion, and comparing the current /etc/inetd.conf with the backed-up copy shows whether a service-type backdoor has been installed.
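As an added example (not code from the original article), the script below implements the fingerprint idea end to end: it records mode, owner, group, size and a digest for every regular file under a directory, then reports which files changed, went missing or appeared when compared with the saved baseline. It works on a constructed temporary tree so it runs anywhere; on a real host you would point it at /etc, /bin or /usr/bin and keep the baseline off the machine, since anyone who can alter /etc can alter /var/back just as easily. Paths are assumed to contain no whitespace. It uses sha256 where available instead of the article's MD5, because colliding MD5 inputs are cheap to produce today.

```sh
#!/bin/sh
# Added example, not code from the original article.

# Digest one file with whatever tool the host has.
digest_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"       # FreeBSD
    else cksum "$1" | awk '{print $1}'                                  # last resort
    fi
}

# Emit one line per regular file: MODE OWNER GROUP SIZE DIGEST PATH, sorted by path.
take_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        info=$(ls -ld "$f" | awk '{print $1, $3, $4, $5}')
        printf '%s %s %s\n' "$info" "$(digest_file "$f")" "$f"
    done
}

# Compare the live tree $1 against the saved baseline file $2. Prints
# "changed PATH", "missing PATH" or "new PATH"; returns 1 if anything differs.
compare_baseline() {
    now=$(mktemp)
    take_baseline "$1" > "$now"
    report=$(awk '
        FILENAME == ARGV[1] { base[$NF] = $0; next }
        { cur[$NF] = $0 }
        END {
            for (p in base) {
                if (!(p in cur)) { print "missing " p }
                else if (base[p] != cur[p]) { print "changed " p }
            }
            for (p in cur) if (!(p in base)) print "new " p
        }' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Demonstration on a constructed tree standing in for /etc.
run_demo() {
    tree=$(mktemp -d); base=$(mktemp)
    printf 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i\n' > "$tree/inetd.conf"
    printf 'root:*:0:0:Charlie &:/root:/bin/csh\n' > "$tree/passwd"
    chmod 644 "$tree/inetd.conf" "$tree/passwd"
    take_baseline "$tree" > "$base"
    # Simulated tampering: an extra inetd service line and a mode change.
    printf 'telnet stream tcp nowait root /usr/libexec/telnetd telnetd\n' >> "$tree/inetd.conf"
    chmod 600 "$tree/passwd"
    compare_baseline "$tree" "$base" || :
    rm -rf "$tree" "$base"
}

run_demo
```

The demonstration prints "changed .../inetd.conf" and "changed .../passwd". In production, take the baseline right after installation, store it read-only elsewhere, and run the comparison from cron; a "new" entry under /etc or a "changed" binary under /bin that you did not upgrade yourself is the signal the section above describes.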
6. System fingerprint leakage and prevention
Before breaking into a system an attacker will generally scan it first, covering which ports are open, which service programs the server runs and which operating system it uses. For example, a simple manual probe of the web service fingerprint:
# telnet target.com 80
will very likely return the version information of Apache and PHP, and a scanner can probe the ports of MySQL, vsftpd, SSH and the other services to collect their fingerprints. The more information a system exposes, the more dangerous its position. The remedy is to change the banners of all the services on the server, so as to confuse the attacker.
Here are some simple ways to modify the service banners.
* Apache
Edit httpd.conf and set the following options:
ServerSignature Off
ServerTokens Prod
The above applies to Apache 1.x; on Apache 2.0 these are the defaults, but the Server: Apache header still appears, and removing it completely requires recompiling. To remove the banner entirely, change these strings in include/httpd.h:
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_PRODUCTVENDOR "Apache"
#define SERVER_BASEVERSION "1.3.27"
After recompiling Apache the banner is completely gone.
* PHP
Setting expose_php = Off in php.ini keeps the PHP version out of the HTTP headers.
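As an added example (not from the original article), here is a quick check that the Apache and PHP settings above actually took effect: it scans an HTTP response's headers for version leaks. The two responses are constructed samples; on a live host you would capture the real headers, for instance with printf 'HEAD / HTTP/1.0\r\n\r\n' | nc host 80.

```sh
#!/bin/sh
# Added example, not code from the original article.

# Constructed response before hardening: versions and OS in the headers.
BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2005 00:00:00 GMT
Server: Apache/2.0.53 (FreeBSD) PHP/4.3.11
X-Powered-By: PHP/4.3.11
Content-Type: text/html'

# Constructed response after ServerTokens Prod and expose_php = Off.
AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2005 00:00:00 GMT
Server: Apache
Content-Type: text/html'

# Read headers on stdin. Print "leak: ..." for X-Powered-By (any value) and for a
# Server header carrying a version digit or a parenthesised OS name; print
# "present: ..." for a Server header that only names the product, which is what
# remains until the vendor strings are recompiled out as described above.
banner_leaks() {
    tr -d '\r' | awk -F': ' '
        tolower($1) == "x-powered-by"                 { print "leak: " $0 }
        tolower($1) == "server" && $2 ~ /[0-9]|\(/    { print "leak: " $0 }
        tolower($1) == "server" && $2 !~ /[0-9]|\(/   { print "present: " $0 }'
}

echo "before:"; printf '%s\n' "$BEFORE" | banner_leaks
echo "after:";  printf '%s\n' "$AFTER"  | banner_leaks
```

Run it against the live server after every Apache or PHP upgrade; a package upgrade can restore a default php.ini and silently bring X-Powered-By back.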
* Mysql
* VSFTPD
With vsftpd you basically cannot get banner information about vsftpd itself, but its default banner is "Welcome to FTP server!", from which an expert can still make a guess, so we want to get rid of it completely. Change the following option in vsftpd's configuration file vsftpd.conf:
ftpd_banner=xxxxx
replacing xxxxx with the banner text you want.
* SSH
Likewise, the SSH installed by default on FreeBSD shows the SSH and FreeBSD information when you telnet target.com 22, which is simply awful: it tells everyone everything. So far I do not know how to change it; experts who know, please advise.
7. System Kernel Security
FreeBSD has a fairly powerful feature: the kernel security level, designed mainly to stop kernel backdoors; the different levels restrict access to and modification of the kernel and the firewall. Let us start with the system's security level. To set it, open /etc/rc.conf:
# ee /etc/rc.conf
Add the following content:
kern_securelevel_enable="YES"
kern_securelevel="-1"
The first line enables the security level; the second defines it. There are five levels in all, and they differ as follows:
* kern_securelevel -1: the system default; provides no kernel protection at all;
* kern_securelevel 0: not much more than that; the system is at level 0 right after booting, and it automatically becomes level 1 on entering multi-user mode.
* kern_securelevel 1: at this level there are several restrictions:
A. loadable kernel modules cannot be loaded or unloaded with kldload or kldunload;
B. applications cannot write memory directly through /dev/mem or /dev/kmem;
C. mounted disks cannot be written to directly, that is, you cannot format a disk, but writes through the standard kernel interfaces still work;
D. X Windows cannot be started, and chflags cannot be used to change file flags;
* kern_securelevel 2: in addition to level 1, unmounted disks cannot be written either, and the clock cannot be adjusted by more than one second at a time, which guards against DoS from the console;
* kern_securelevel 3: in addition to level 2, ipfw firewall rules cannot be changed.
If you have installed a firewall, set its rules and will not change them lightly, level 3 is recommended; if you have not installed a firewall yet but plan to, it is not recommended. We recommend level 2 to fend off more attacks on the kernel.
8. System security Optimization
Optimising the system generally means recompiling the kernel and removing unneeded drivers and so on; see the article on my blog about compiling the kernel. Here are some network and kernel optimisation and security options. Edit /etc/sysctl.conf and add the following (with comments):
# Maximum TCP send buffer space
net.inet.tcp.sendspace=65536
# Maximum TCP receive buffer space
net.inet.tcp.recvspace=65536
# Maximum UDP receive buffer size
net.inet.udp.sendspace=65535
# Maximum UDP send buffer size
net.inet.udp.maxdgram=65535
# Send space for local (UNIX-domain) stream sockets
net.local.stream.sendspace=65535
# Protocol extensions that speed up the network
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc1644=1
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
# Maximum socket buffer
kern.ipc.maxsockbuf=2097152
# Maximum number of open files system-wide
kern.maxfiles=65536
# Maximum number of files a single process may open at once
kern.maxfilesperproc=32768
# When a host initiates a TCP connection the system answers with an ACK. This option
# sets whether that ACK is delayed so it can ride along with a packet carrying data;
# that slightly improves performance on fast, lightly loaded networks, but on a poor
# link the peer keeps re-sending its connection request when it gets no answer, which
# degrades performance.
net.inet.tcp.delayed_ack=0
# Block ICMP redirects
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
# Guard against ICMP broadcast storms
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
# Rate-limit the ICMP the system sends
net.inet.icmp.icmplim=100
# Security parameters; to use them add "options TCP_DROP_SYNFIN" when compiling the kernel
net.inet.icmp.icmplim_output=0
net.inet.tcp.drop_synfin=1
# Setting this to 1 helps the system clear TCP connections that were not closed
# properly. It uses a little extra bandwidth, but dead connections are eventually
# detected and dropped. Dead TCP connections are a particular problem on systems
# accessed by dial-up users, who often hang up the modem without properly closing
# their active connections.
net.inet.tcp.always_keepalive=1
# If you see net.inet.ip.intr_queue_drops increasing, raise
# net.inet.ip.intr_queue_maxlen; 0 drops is the goal
net.inet.ip.intr_queue_maxlen=1000
# Against DoS attacks; the default is 30000
net.inet.tcp.msl=7500
# Silently drop every packet that arrives at a closed port; a value of 1 covers
# TCP packets only
net.inet.tcp.blackhole=2
# Silently drop every UDP packet that arrives at a closed port
net.inet.udp.blackhole=1
# Provides buffering for network data connections
net.inet.tcp.inflight.enable=1
# If enabled, after one successful forward to a destination its data is recorded in
# the routing and ARP tables, which saves routing time but needs a lot of kernel
# memory for the routing table
net.inet.ip.fastforwarding=0
# Requires a kernel compiled with "options DEVICE_POLLING"; use it under high load,
# not recommended under low load, and SMP cannot be combined with polling
#kern.polling.enable=1
# Concurrent connection backlog; the default is 128, 1024-4096 is recommended, and
# the larger the value the more memory it uses
kern.ipc.somaxconn=32768
# Stop users from seeing other users' processes
security.bsd.see_other_uids=0
# Kernel security level
kern.securelevel=0
# Log any TCP connection attempt
net.inet.tcp.log_in_vain=1
# Log any UDP connection attempt
net.inet.udp.log_in_vain=1
# Guard against attacks using malformed UDP packets
net.inet.udp.checksum=1
# Against DoS attacks
net.inet.tcp.syncookies=1
# Provide physical memory backing only; requires more than 256 MB of memory
kern.ipc.shm_use_phys=1
# Maximum shared memory that threads can use
kern.ipc.shmmax=67108864
# Maximum number of threads
kern.ipc.shmall=32768