Research on security configuration of LNMP virtual machine


Reposted from: http://www.leavesongs.com/PENETRATION/nginx-safe-dir.html

As everyone knows, securing a shared virtual host is hard, and preventing cross-site access (one tenant reaching another tenant's files) is the main concern. With an Apache + PHP server, preventing cross-site access is relatively simple, and all the mature virtual hosting control panels, such as DirectAdmin and cPanel, are built on Apache.

But this is no longer the Apache era. Under Linux + Nginx + MySQL + PHP (LNMP), how do we prevent cross-site access between virtual hosts?

First we have to understand how Nginx runs, and only then decide what to do. There is a good article in the WooYun knowledge base (http://drops.wooyun.org/tips/1323) introducing Nginx security configuration; it is worth reading.

Nginx is really just a reverse proxy here: it receives a request, checks whether the request is for a .php file, and if so forwards it to PHP-FPM for processing, then returns the result to the user. So there are two sets of permissions to consider: those of Nginx and those of PHP-FPM. Both Nginx and PHP-FPM need to read the site's files, so how permissions are assigned is an important design point.

Defending against cross-site access means defending three points: first, preventing other users from listing a site's directory, so that sensitive file names cannot be discovered and accessed; second, preventing other users from reading the site's files, so that configuration data is not disclosed; third, preventing other users from writing a web shell into the site's directory.

PHP clearly took this into account: open_basedir in its configuration file is a list of directories, and PHP is only allowed to access files under those directories. By setting open_basedir we can stop PHP from reading and writing files outside the web directory, such as /etc/passwd.

The problem is that open_basedir is written in php.ini, one configuration file, and every virtual host is served by the same PHP. We can stop PHP from accessing files outside the web directory, but we cannot stop "virtual host 1" from accessing the files of "virtual host 2", because both are inside the web directory. An even bigger problem is that open_basedir in many PHP versions is not reliable and can be bypassed easily.

That is the problem we face. The workaround is to start a separate php-fpm for each virtual host, running as a different user.

To implement this we need to make some changes to the installed LNMP. (I am using the widely used domestic "LNMP one-click installation package".)

Suppose we have two virtual hosts on the server, game01.com and game02.com, whose directories are /home/wwwroot/game01/ and /home/wwwroot/game02/ respectively.

It should be said that the new version of the LNMP one-click installation package has its own anti-cross-site feature, because since PHP 5.3.3 you can add the following at the end of php.ini:

    [HOST=www.vpser.net]
    open_basedir=/home/wwwroot/www.vpser.net/:/tmp/
    [PATH=/home/wwwroot/www.vpser.net]
    open_basedir=/home/wwwroot/www.vpser.net/:/tmp/

which gives each host its own open_basedir. We will not use this method here: first, it requires PHP 5.3.3 or later; second, open_basedir has limitations and holes of its own and cannot be relied on completely. So after the virtual host is created, go to /usr/local/php/etc/php.ini and comment out that content (the comment character is ;).

First, make the different virtual hosts run under separate php-fpm instances:

1. Create a php-fpm.pid file for each site

    cd /usr/local/php5/var/run
    touch php-fpm-game01.pid
    touch php-fpm-game02.pid

2. Create a php-fpm.conf file for each site

    cd /usr/local/php5/etc/
    cp php-fpm.conf php-fpm-game01.conf
    cp php-fpm.conf php-fpm-game02.conf

3. Create a php-cgi.sock file for each site

    touch /tmp/php-cgi-game01.sock          # create the php-cgi.sock file
    chown www.www /tmp/php-cgi-game01.sock  # set the owner to www (must match the nginx user)
    touch /tmp/php-cgi-game02.sock
    chown www.www /tmp/php-cgi-game02.sock

4. Modify the relevant files

    vi /usr/local/php5/etc/php-fpm-game01.conf
    pid = run/php-fpm-game01.pid
    listen = /tmp/php-cgi-game01.sock

    vi /usr/local/php5/etc/php-fpm-game02.conf
    pid = run/php-fpm-game02.pid
    listen = /tmp/php-cgi-game02.sock

    vi /etc/init.d/php-fpm
    vhost=$2
    php_fpm_CONF=${prefix}/etc/php-fpm-$vhost.conf
    php_fpm_PID=${prefix}/var/run/php-fpm-$vhost.pid
    php_opts="-d open_basedir=/home/wwwroot/$vhost/:/tmp/ --fpm-config $php_fpm_CONF"

The last line above holds the parameters php-fpm is started with: we set open_basedir to /home/wwwroot/$vhost/:/tmp/, where $vhost is the second argument we pass when running the init script (game01 or game02).
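The init script above builds the open_basedir value and the config path straight from its second argument. The following helper functions are an added example, not code from the original post or from the LNMP package: they reproduce the per-vhost option and pool-config construction and, as an addition, refuse any vhost name that is not plain lowercase letters and digits, so that a stray argument cannot push "../" or whitespace into the open_basedir value or the config path. The /usr/local/php5 prefix, the [www] pool name, listen.mode = 0660 and the pm settings are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: per-vhost php-fpm launch helpers (not the post's own script).
# Assumed layout: prefix /usr/local/php5, site root /home/wwwroot/<vhost>.
php_prefix=/usr/local/php5

# Accept only plain lowercase names so "$vhost" cannot smuggle "../", spaces
# or shell metacharacters into the open_basedir value or the config path.
valid_vhost() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the option string the init script passes to php-fpm for one vhost.
build_php_opts() {
    vhost=$1
    valid_vhost "$vhost" || return 1
    printf '%s' "-d open_basedir=/home/wwwroot/$vhost/:/tmp/ --fpm-config $php_prefix/etc/php-fpm-$vhost.conf"
}

# Render the per-vhost pool settings the post edits by hand: pid file, unix
# socket, socket ownership and the worker user/group (pool name and pm values
# are assumptions for this example).
render_pool_conf() {
    vhost=$1
    valid_vhost "$vhost" || return 1
    cat <<EOF
[global]
pid = run/php-fpm-$vhost.pid

[www]
listen = /tmp/php-cgi-$vhost.sock
listen.owner = $vhost
listen.group = $vhost
listen.mode = 0660
user = $vhost
group = $vhost
pm = static
pm.max_children = 4
EOF
}

# Usage (as root on the server): render_pool_conf game01 > "$php_prefix/etc/php-fpm-game01.conf"
```

With listen.mode = 0660 the socket is reachable only by its owner (game01) and its group; that is exactly why the post later adds www to the game01 and game02 groups.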

Continue with the Nginx vhost files:

    vi /usr/local/nginx/conf/vhost/game01.com.conf  # the config file name may differ; adjust to your setup
    fastcgi_pass unix:/tmp/php-cgi-game01.sock;

    vi /usr/local/nginx/conf/vhost/game02.com.conf
    fastcgi_pass unix:/tmp/php-cgi-game02.sock;

5. Add a startup entry

    vi /home/start.sh

    #!/bin/bash
    auto=$1
    /bin/bash /etc/rc.d/init.d/php-fpm $auto game01
    /bin/bash /etc/rc.d/init.d/php-fpm $auto game02

    chmod +x /home/start.sh

Then edit /etc/rc.local to add start.sh to the startup items.

With this, each virtual host runs its own php-fpm. We also need them to run under different user identities.

    groupadd game01
    groupadd game02
    useradd game01 -M -s /sbin/nologin -g game01
    useradd game02 -M -s /sbin/nologin -g game02

This adds two users, game01 (group game01) and game02 (group game02).

Modify /usr/local/php/etc/php-fpm-game01.conf:

    listen.owner = game01
    listen.group = game01
    user = game01
    group = game01

Make the same change for game02. Now each php-fpm runs as a different user.

Then go to /home/wwwroot/:

    cd /home/wwwroot/
    chown game01.game01 -R game01
    chown game02.game02 -R game02

The game01 and game02 directories now belong to users game01 and game02 respectively.

However, our Nginx runs as the www user by default, so it cannot read the files of game01 and game02; and if we set the file permissions to 777, we can no longer stop game01 from reading game02's files.

Therefore we add the www user to the game01 and game02 groups, then set the game01 and game02 files to mode 750. This lets www read the game01/game02 files (it is in the same group, and the group permission 5, r-x, is enough) while still preventing game01 from reading game02's files.

Linux allows a user to belong to several groups, so the commands are:

    usermod -aG game01 www
    usermod -aG game02 www

After running these, "groups www" shows www : www game01 game02, that is, www is now in three groups.

We also need to change "user www www;" in /usr/local/nginx/conf/nginx.conf to "user www;", without the group.

Then we can safely set game01 and game02 to 750:

    chmod 750 -R game01
    chmod 750 -R game02

At this point our defense has two layers:

1. The two virtual hosts' PHP code runs under different php-fpm instances, each with its own open_basedir, so it cannot cross into the other directory.

2. Even if open_basedir is bypassed, the php-fpm running as user game01 cannot read or write game02's files, because all of game02's files are mode 750 and other users have no permission at all (0).
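The second layer only holds as long as nothing under the web root is world-accessible and each site directory is owned by its own user, which a single careless chmod 777 silently undoes. The following audit script is an added example, not part of the original post: it lists every path under a web root that grants any permission to "other", reports whether the root is isolated, and checks a site directory's owner. The constructed sample layout (a temporary directory with game01/game02 and one deliberately world-writable config file) is an assumption for the example; on a real server you would point the functions at /home/wwwroot. It uses GNU find and stat.

```shell
#!/bin/sh
# Added example: audit the file-permission layer described above.
# Assumption: GNU find (-perm /mode) and GNU stat (-c) are available.

# Print every path under $1 that grants any permission to "other" (world).
# Under the post's scheme (dirs 750, files at most 750) this list should be empty.
find_world_accessible() {
    find "$1" -perm /o=rwx 2>/dev/null | sort
}

# Return 0 when nothing under $1 is world-accessible, 1 otherwise.
webroot_is_isolated() {
    [ -z "$(find_world_accessible "$1")" ]
}

# Return 0 when directory $1 is owned by user $2 (e.g. /home/wwwroot/game01 by game01).
vhost_owned_by() {
    [ "$(stat -c '%U' "$1")" = "$2" ]
}

# Build a constructed sample web root in a temp dir and print its path.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/game01" "$root/game02"
    echo '<?php echo 1;' > "$root/game01/index.php"
    echo 'db_pass=constructed-sample' > "$root/game02/config.php"
    chmod 750 "$root/game01" "$root/game02" "$root/game01/index.php"
    chmod 777 "$root/game02/config.php"   # the mistake the post warns about
    echo "$root"
}

# Usage on a server: find_world_accessible /home/wwwroot; vhost_owned_by /home/wwwroot/game01 game01
```

Run find_world_accessible against the real web root after every deployment; any output means a tenant's file is readable or writable by the other tenants' php-fpm users regardless of open_basedir.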

Once everything is set up, here is how to use it.

First kill the existing php-fpm, then restart Nginx, then run /home/start.sh start to launch the new php-fpm processes.

    /etc/init.d/php-fpm start game01   # start game01 alone
    /etc/init.d/php-fpm start game02   # start game02 alone
    /etc/init.d/php-fpm stop game01    # stop game01 alone
    /etc/init.d/php-fpm stop game02    # stop game02 alone

References:

http://drops.wooyun.org/tips/1323

http://www.dedecms.com/knowledge/servers/linux-bsd/2012/0819/8389.html

http://yzs.me/2198.html
