Building secure Web servers under FreeBSD (1)

Source: Internet
Author: User

Preface

When we run a Web server, most of us would agree that an all-open-source stack of Linux + MySQL + Apache + PHP is a good choice, but I personally think that is not a reasonable way to decide: first work out which services you need based on your application. If you need to run large applications such as Oracle, which is better supported under Linux, then Linux is a good option, because installing Oracle under FreeBSD is a hassle. If you are running an ordinary website, I think FreeBSD + MySQL + Apache + PHP is a good choice, because for a website stability and security come first. Otherwise your site may be modified without you knowing what happened, or hacked and its data altered or deleted, and that is bad; after all, there are plenty of hackers of every kind around these days and it cannot be helped. This is not to say that Linux is unsafe; rather, many insecure programs run on Linux, and that is what makes it insecure. If it is set up well, Linux can be very safe. In the data published by the China Network Emergency Response Center (http://www.cert.org.cn) over recent months, the system most often successfully intruded each month is Linux, accounting for more than 60%, followed by Windows with more than 30%, while FreeBSD accounts for only a few percent of intrusions.

Any system can be very safe and any system can be very insecure; the key is what the administrator does. There is no safest system in the world, only more secure ones. The following article is about building a more secure Web server on the FreeBSD platform. I hope it gives network administrators and Internet security enthusiasts some ideas. Treat it as a starting point; I hope better articles on the subject will follow.

I. Installation of systems and service programs

1. System Installation

To ensure the security of the system, we will use the latest FreeBSD version: first for security, and system compatibility is also better. This is mainly a matter of personal habit and need. For simplicity, here we install the latest version, FreeBSD 5.3. I will not describe the whole installation process; if anything is unclear, refer to the FreeBSD Chinese Manual (http://www.freebsd.org.cn). The process is not very complicated. It is not as simple as installing Windows or Linux, but it is a lot friendlier than some UNIX installations. During installation you must install the basic packages and the kernel source code, so that the kernel can be compiled later. If you like to install software from ports, install the ports collection as well, but as far as possible do not install unnecessary programs. If you want to install Webmin and the like, also install Perl and other packages. After the system files are copied, the installer asks for some settings, such as the IP address and name server. Do not enable IPv6, do not enable DHCP and other services you do not need, and do not use the system's default FTP service. Configure /etc/inetd.conf so that the SSH service is open, which is convenient for remote management. If you do not want inetd to manage it, you can turn inetd off by adding inetd_enable="NO" to /etc/rc.conf, and then set sshd_enable="YES" to start the SSH service. We will talk about SSH settings in detail later.

After the system is installed, shut down every service in /etc/inetd.conf except SSH, especially the Telnet and rlogin services. Be careful about this, or the system will very likely be invaded within a few days. After installing the system, it is recommended that you upgrade it, for example by using make world or CVSup to upgrade the system kernel and ports. This step is much like installing patches after installing Windows.
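
The settings described above can be checked with a small audit script. This is an added example, not part of the original article; the function names and the sample file contents are constructed for illustration, modelled on the stock FreeBSD inetd.conf line format.

```shell
#!/bin/sh
# Added example (not from the original article): audit the two files this
# section edits. All file contents below are constructed samples.

# List services still enabled in an inetd.conf-style file, minus an allow list.
inetd_enabled() {   # $1 = inetd.conf path, $2 = space-separated allowed names
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # commented-out or blank: disabled
        !($1 in ok) { print $1 }            # field 1 is the service name
    ' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Effective value of an rc.conf knob, upper-cased (last assignment wins).
rc_value() {        # $1 = rc.conf path, $2 = variable name
    awk -F= -v var="$2" '
        $1 == var { v = toupper($2); gsub(/[^A-Z]/, "", v); val = v }
        END { print val }
    ' "$1"
}

# Print findings; return 1 if the host deviates from "only SSH is open".
audit() {           # $1 = inetd.conf path, $2 = rc.conf path
    bad=0
    if [ "$(rc_value "$2" inetd_enable)" = "NO" ]; then
        # inetd is off, so sshd has to be started from rc.conf instead
        [ "$(rc_value "$2" sshd_enable)" = "YES" ] ||
            { echo "FAIL: inetd off but sshd_enable is not YES"; bad=1; }
    else
        extra=$(inetd_enabled "$1" "ssh")
        [ -z "$extra" ] || { echo "FAIL: inetd still offers: $extra"; bad=1; }
    fi
    [ "$bad" -eq 0 ] && echo "OK: only SSH is exposed"
    return "$bad"
}

# Constructed sample: ssh enabled, telnet and rlogin left on by mistake.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/inetd.conf" <<'EOF'
#ftp    stream tcp nowait root /usr/libexec/ftpd    ftpd -l
ssh     stream tcp nowait root /usr/sbin/sshd       sshd -i -4
telnet  stream tcp nowait root /usr/libexec/telnetd telnetd
login   stream tcp nowait root /usr/libexec/rlogind rlogind
EOF
printf 'inetd_enable="YES"\n' > "$tmp/rc.conf"
printf '#inetd_enable="YES"\ninetd_enable="NO"\nsshd_enable="YES"\n' > "$tmp/rc.good"
audit "$tmp/inetd.conf" "$tmp/rc.conf" || true   # reports login and telnet
audit "$tmp/inetd.conf" "$tmp/rc.good"           # inetd off, sshd on: OK
```

On a real host, point audit at /etc/inetd.conf and /etc/rc.conf; a non-zero exit status means something other than SSH is still enabled.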

2. Service Program Installation

After the system is installed, we begin to install our application software. Our policy is that the latest software is the most secure, for example because it avoids the overflows found in some old versions. We want the system to provide a database, handle Web service, and offer an FTP service for managing the website's files remotely. The programs we choose are all common ones. In addition, to have a visual management tool, we can also install the browser-based management tool Webmin, which makes management easier when no SSH client is available.

For the Web service we choose Apache httpd 2.0.53, which is the latest version; you can also consider the 1.3 version, depending on personal habit. Our website is written in PHP, so we install PHP; the version is 4.3.11, also the latest. If your site needs PHP5 support, you can download php5.0.4. For the database we choose the fastest, MySQL; the selected version is the latest, 4.0.23. If you need foreign keys, transactions, subqueries, stored procedures and similar features, consider the 4.1 and 5.0 versions. Finally, for FTP we choose vsftpd, because it is the most secure and is fast: in my LAN tests its highest rate reached 10mb/s, while proftpd reached only 8mb/s. vsftpd supports small FTP servers very well, and after all I do not have many users, only a few people updating sites. If you like things simple and convenient, you can also consider FreeBSD's own ftpd, whose features and ease of use are also good. If you have more users and higher functional requirements, ProFTPD, Pure-FTPd, WU-FTPD and so on are suggested, but some FTP daemons are not very safe, so the choice must be considered carefully.

List of server programs:

Apache 2.0.53 Download Address: http://httpd.apache.org

PHP 4.3.11 Download Address: http://www.php.net

MySQL 4.0.23 Download Address: http://dev.mysql.com

vsftpd 2.0.2 Download Address: http://vsftpd.beasts.org

In short: fewest services + fewest ports + security settings = maximum security. As far as possible, do not install services you do not need, such as telnetd and rlogind; having them installed only poses a threat to server security.

You can install the programs above by compiling them manually or by using FreeBSD ports; it is a matter of personal preference. I personally prefer manual installation. If you are unsure of the specific installation steps, you can refer to the Apache+PHP+MySQL installation method on my blog.
