Create a secure DNS server
Like other large software, BIND (the DNS server) has many problems because of its size and complicated functionality. As a result, the number of system intrusions that target BIND security vulnerabilities has grown greatly, and the most serious of them can give an attacker full remote control of the target host. Because the DNS server host has such a large influence on the rest of the network, preventing these intrusions is crucial.
The main purpose of this article is to describe how to use a chroot() environment to build a secure BIND 8.x server on RedHat Linux (or similar systems). The material comes mainly from Adam Shostack and his article on the same subject (the Solaris version).
Step 1: obtain and install the software
Go to the ISC FTP site and download the latest BIND version (this article was tested with BIND 8.x).
Download the free software required for this article from the Obtuse Systems FTP site: holelogd (and other useful tools). This software creates the /dev/log socket inside the chroot environment so that syslogd can record the logs of the named process. The syslogd of OpenBSD has this function built in ("syslogd -a /chroot/dev/log"), but it has not been implemented on Linux. holelogd is used to simulate this OpenBSD function.
Install holelogd according to its documentation (it is usually installed in /usr/local/sbin).
Step 2: Construct static named and named-xfer binary files
After compiling and installing, you need to build statically linked versions of the executables. This only requires a small change to the Makefile.set file in the %BIND%/src/port/linux directory.
Change the line:
'CDEBUG=-O2 -g'
to:
'CDEBUG=-O2 -static'
Switch to the BIND source directory and run "make clean" followed by "make". In the following steps these files will be copied into the chroot() directory.
The statically linked executables built in this step do not load any dynamic libraries at runtime. In the chroot() environment such a "self-contained" executable avoids the problem of missing shared libraries: no shared libraries need to be placed inside the chroot() environment, which simplifies the service configuration. Any other network daemon can be compiled and used as a static binary in the same way.
Step 3: Construct the BIND directory
Construct the BIND directory for the chroot() environment. In the chroot() environment BIND treats this directory as the system root directory.
/dev
/etc
/etc/namedb
/usr/sbin
/var/run
Copy the following files into the corresponding subdirectories and process them as noted:
/
  Nothing.
/etc
  Copy named.conf from the system's /etc directory.
  Copy localtime from the system's /etc directory (gives syslog the correct timestamps for named's log records).
  Create an /etc/group file that contains only the named GID.
/etc/namedb
  Copy all zone databases and files from the system's /etc/namedb directory.
/dev
  mknod ./null c 1 3; chmod 666 null (check the mknod syntax for your version)
/usr/sbin
  Copy the statically linked named and named-xfer binaries from the system's %BIND%/src/bin/named and %BIND%/src/bin/named-xfer directories.
/var/run
  Nothing.
You can also create a log directory (for example /var/log) inside the chroot if you need one.
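The step 3 layout and a pre-start check of it, as an added shell example that is not from the original article. It assumes the chroot root is passed as an argument (the article later uses /chroot/named), takes the named GID as a second argument, and only creates the /dev/null node when run as root; the audit rules are this example's own.

```shell
#!/bin/sh
# Added example: build the BIND chroot tree from step 3 and audit it before named starts.

# build_named_chroot ROOT GID: create the directory skeleton and the minimal group file.
build_named_chroot() {
    root="$1"; gid="$2"
    for d in dev etc etc/namedb usr/sbin var/run; do
        mkdir -p "$root/$d" || return 1
    done
    # /etc/group inside the chroot holds only the named group, as step 3 requires
    printf 'named:x:%s:\n' "$gid" > "$root/etc/group"
    # the /dev/null device node needs root; skip it when run unprivileged
    if [ "$(id -u)" -eq 0 ] && [ ! -c "$root/dev/null" ]; then
        mknod "$root/dev/null" c 1 3 && chmod 666 "$root/dev/null" ||
            echo "could not create $root/dev/null; create it by hand as root"
    fi
}

# audit_named_chroot ROOT: print each finding; the return value is the number of findings.
audit_named_chroot() {
    root="$1"; problems=0
    for d in dev etc etc/namedb usr/sbin var/run; do
        [ -d "$root/$d" ] || { echo "missing directory $root/$d"; problems=$((problems + 1)); }
    done
    # the group file must exist and carry nothing but the named entry
    if [ ! -f "$root/etc/group" ] || [ "$(grep -vc '^named:' "$root/etc/group")" -ne 0 ]; then
        echo "etc/group missing or has entries other than named"; problems=$((problems + 1))
    fi
    # only null and the holelogd socket belong in dev; anything else widens the chroot
    for f in "$root"/dev/*; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            null|log) ;;
            *) echo "unexpected entry in dev: $f"; problems=$((problems + 1)) ;;
        esac
    done
    # usr/sbin should hold only the two static binaries; flag extras and dynamic ones
    for f in "$root"/usr/sbin/*; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            named|named-xfer)
                if command -v file >/dev/null 2>&1 && file "$f" | grep -q 'dynamically linked'; then
                    echo "not statically linked: $f"; problems=$((problems + 1))
                fi ;;
            *) echo "unexpected binary in usr/sbin: $f"; problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}
```

Run `build_named_chroot /chroot/named <gid>` as root, copy the files listed above into place, then run `audit_named_chroot /chroot/named` and fix every finding before starting named.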
Step 4: Add named users and groups
Add a named user and a named group to the /etc/passwd and /etc/group files. These are the UID/GID the DNS server runs under.
You can then run "chown -R named.named /etc/namedb" inside the chroot environment. That way, when you send kill -INT to the process, named can write its server cache and statistics. If the directory is owned by root, named cannot write that output there, but this does not affect the name server's function. Another option is to change only the directory permissions (so that the named user has write access) while the owner remains root. This also works, but you must make sure that no other user can modify the named records!
*** Important warning ***
Do not run named under an existing UID/GID (such as "nobody"). Remember that using any existing UID/GID in the chroot environment can affect the security of the service. Make it a habit to give every daemon in a chroot environment its own UID/GID.
Step 5: edit the Startup Script
Linux uses SysV-style init files, so the command that runs named can be placed in several locations. In most cases the best place for the named initialization script is /etc/rc.d/init.d/named. Locate the section that starts named; we need to add and modify a few lines.
1. Insert a line before named is run to start holelogd. holelogd must be given the socket path inside the chroot's dev directory created in the previous step. The command lines read as follows:
# Start daemons.
echo -n "Starting holelogd: "
daemon /usr/local/sbin/holelogd /chroot/named/dev/log
echo
echo -n "Starting named: "
daemon named
echo
touch /var/lock/subsys/named
;;
2. You also need to modify the BIND startup parameters. BIND 8.x lets you specify the user ID and group ID it runs under, which should be the UID/GID created in the previous step, and the directory it chroots to:
# Start daemons.
echo -n "Starting holelogd: "
daemon /usr/local/sbin/holelogd /chroot/named/dev/log
echo
echo -n "Starting named: "
daemon /chroot/named/usr/sbin/named -u named -g named -t /chroot/named
echo
touch /var/lock/subsys/named
;;
3. The "ndc" script shipped with named can be used to control named. Edit this file and change the PID file location from /var/run/named.pid to /chroot/named/var/run/named.pid.
Step 6: test the server
Start the holelogd process with the following command:
/usr/local/sbin/holelogd /chroot/named/dev/log
Change to the /chroot/named/dev directory and run ls -al. The output should resemble:
srw-rw-   1 root wheel 0 Jan 01 log
The leading "s" in the mode field shows that this is a socket file. The named process in the chroot() environment communicates with syslog through this socket.
If everything works, the named process starts and the log file records the message "Ready to answer queries." from the name server.
Run appropriate DNS tests to make sure the server works correctly, then reboot the system and verify the whole configuration. After BIND has started normally it reports its chroot() directory and the UID/GID it runs under. You can use a program such as lsof to list all network sockets on the host for inspection.
Once everything works, we recommend renaming /etc/namedb to /etc/namedb.orig (or another name) and running chmod 000 /usr/sbin/named, so that the old copy of named cannot be started by mistake.
Source:
ISC (Internet Software Consortium)
Steinar Haug
Bernhard Weisshuhn
Marc Heuse
Jan Gruber
Adam Shostack
Psionic