Chrooting Apache 2.4 on Debian Jessie with mod_security
I was advised to chroot my apache2 installation to better protect sensitive content on the rest of the server. I have mod_security installed and configured correctly and can see in the logs that it is chrooting apache2 properly, but systemctl has trouble verifying that the service is running. When I run:
service apache2 start
it hangs for 20 seconds and then reports a failure:
The apache2 instance did not start within 20 seconds. Please read the log files to discover problems ... (warning).
But if I check the processes, I can see the various apache2 services running. If I try to visit my site, I get a 403 Forbidden error. Here is my grep'ed /etc/apache2/apache2.conf:
Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
SecChrootDir /var/www
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
ServerName localhost
Here is my /etc/apache2/sites-enabled/site.com.conf:
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

<Directory /var/www>
    AllowOverride None
    Require all granted
</Directory>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Some recent /var/log/apache2/error.log:
[Mon Feb 22 00:26:02.746084 2016] [mpm_prefork:notice] [pid 2766] AH00169: caught SIGTERM, shutting down
[Mon Feb 22 00:26:27.000946 2016] [:notice] [pid 2978] ModSecurity: chroot checkpoint #1 (pid=2978 ppid=2975)
[Mon Feb 22 00:26:27.001010 2016] [:notice] [pid 2978] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Mon Feb 22 00:26:27.001016 2016] [:notice] [pid 2978] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Mon Feb 22 00:26:27.001022 2016] [:notice] [pid 2978] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.35 2014-04-04"
[Mon Feb 22 00:26:27.001028 2016] [:notice] [pid 2978] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Feb 22 00:26:27.001032 2016] [:notice] [pid 2978] ModSecurity: LIBXML compiled version="2.9.1"
[Mon Feb 22 00:26:27.001068 2016] [:notice] [pid 2978] ModSecurity: StatusEngine call: "2.8.0,Apache/2.4.10 (Debian),1.5.1/1.5.1,8.35/8.35 2014-04-04,Lua 5.1,2.9.1,d5"
[Mon Feb 22 00:26:27.223832 2016] [:notice] [pid 2978] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Mon Feb 22 00:26:28.000065 2016] [:notice] [pid 2979] ModSecurity: chroot checkpoint #2 (pid=2979 ppid=1)
[Mon Feb 22 00:26:28.000103 2016] [:notice] [pid 2979] ModSecurity: chroot successful, path=/var/www
[Mon Feb 22 00:26:28.003129 2016] [mpm_prefork:notice] [pid 2979] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Feb 22 00:26:28.003162 2016] [core:notice] [pid 2979] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 22 00:26:51.576466 2016] [authz_core:error] [pid 2983] [client 65.29.162.224:50484] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.093394 2016] [authz_core:error] [pid 2984] [client 80.65.51.221:5624] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.108471 2016] [authz_core:error] [pid 2985] [client 80.65.51.221:10799] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.137950 2016] [authz_core:error] [pid 2986] [client 80.65.51.221:64057] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:28:48.924836 2016] [authz_core:error] [pid 2987] [client 150.70.173.47:53051] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:33:48.875421 2016] [authz_core:error] [pid 3032] [client 65.29.162.224:50567] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:33:49.977038 2016] [authz_core:error] [pid 3032] [client 65.29.162.224:50567] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:34:06.848570 2016] [mpm_prefork:notice] [pid 2979] AH00169: caught SIGTERM, shutting down
[Mon Feb 22 00:34:28.000025 2016] [:notice] [pid 3821] ModSecurity: chroot checkpoint #1 (pid=3821 ppid=3818)
[Mon Feb 22 00:34:28.000106 2016] [:notice] [pid 3821] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Mon Feb 22 00:34:28.000112 2016] [:notice] [pid 3821] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Mon Feb 22 00:34:28.000118 2016] [:notice] [pid 3821] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.35 2014-04-04"
[Mon Feb 22 00:34:28.000123 2016] [:notice] [pid 3821] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Feb 22 00:34:28.000128 2016] [:notice] [pid 3821] ModSecurity: LIBXML compiled version="2.9.1"
[Mon Feb 22 00:34:28.000163 2016] [:notice] [pid 3821] ModSecurity: StatusEngine call: "2.8.0,Apache/2.4.10 (Debian),1.5.1/1.5.1,8.35/8.35 2014-04-04,Lua 5.1,2.9.1,d5"
[Mon Feb 22 00:34:28.182087 2016] [:notice] [pid 3821] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Mon Feb 22 00:34:29.000835 2016] [:notice] [pid 3822] ModSecurity: chroot checkpoint #2 (pid=3822 ppid=1)
[Mon Feb 22 00:34:29.000871 2016] [:notice] [pid 3822] ModSecurity: chroot successful, path=/var/www
[Mon Feb 22 00:34:29.003978 2016] [mpm_prefork:notice] [pid 3822] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Feb 22 00:34:29.004010 2016] [core:notice] [pid 3822] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 22 00:34:31.541762 2016] [authz_core:error] [pid 3827] [client 65.29.162.224:50568] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:51:43.647330 2016] [authz_core:error] [pid 3829] [client 65.29.162.224:50919] AH01630: client denied by server configuration: /var/www, referer: http://xxxxxxxxxx.com/
[Mon Feb 22 01:00:25.730427 2016] [authz_core:error] [pid 3831] [client 208.91.115.10:47458] AH01630: client denied by server configuration: /var/www
Let me know if I should provide more information.
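An added check for configurations like the one in the question (it is not part of the question or the answer, and assumes a POSIX sh): once the server is chrooted into SecChrootDir, each directory named in the Apache configuration is resolved by the kernel relative to that new root, so it is worth verifying where a DocumentRoot actually lands on the host:

```shell
#!/bin/sh
# Added example, not from the question or answer. After ModSecurity's
# SecChrootDir takes effect, paths in the Apache configuration are resolved
# relative to the new root. These helpers compute the host-side directory a
# chrooted server will actually open for a given config path and check that
# it exists. The directory tree below is constructed under a temporary root
# purely for demonstration.

# host_path CHROOT PATH: print the host path that PATH maps to once the
# process is chrooted into CHROOT (a trailing slash on either is tolerated).
host_path() {
    chroot_dir=${1%/}
    inner=${2%/}
    case $inner in
        /*) printf '%s%s\n' "$chroot_dir" "$inner" ;;
        *)  printf '%s/%s\n' "$chroot_dir" "$inner" ;;
    esac
}

# chroot_dir_ok CHROOT PATH: succeed (0) only if PATH names an existing
# directory inside CHROOT, i.e. the chrooted server could serve from it.
chroot_dir_ok() {
    [ -d "$(host_path "$1" "$2")" ]
}

# Demo: a constructed root mimicking the question's layout, where the
# chroot is /var/www and the site content lives in a directory under it.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/var/www/html"

for docroot in /var/www /html /; do
    if chroot_dir_ok "$demo_root/var/www" "$docroot"; then
        echo "DocumentRoot $docroot -> $(host_path "$demo_root/var/www" "$docroot") exists inside the chroot"
    else
        echo "DocumentRoot $docroot -> $(host_path "$demo_root/var/www" "$docroot") does NOT exist inside the chroot"
    fi
done

rm -rf "$demo_root"
```

In the demo, a DocumentRoot of /var/www maps to var/www/var/www below the chroot and is reported as missing, while /html and / resolve to directories that exist.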
Not a direct answer to your question... but an alternative.
Chroot is fine and not useless (containers like LXC use it, for example), but for security purposes it is a very incomplete idea from the distant past, when there was no alternative. Escaping from a chroot is easy. The additions in grsecurity, such as disallowing chroot, mount, pivot, chmod and so on inside chroots, help make it more of a jail than a plain chroot, but it is still incomplete. Nowadays chroot is not considered a security feature.
Using MAC (mandatory access control, e.g. apparmor or selinux) is far superior for protecting services. On Debian-based Linux I recommend using apparmor rather than trying to set up SELinux. SELinux works best system-wide, as on RedHat-based systems, where the distribution does the work for you.
In theory you could combine the two, but some apparmor experts say that apparmor on its own is better than using chroot. That may be subjective.
If you look at the link about escaping chroot and then think about MAC, you will see that it would simply block it. MAC does not let the program use a compiler (your web server does not need to run gcc, right?), which chroot does not prevent at all. But grsecurity without any MAC also blocks that escape:
[858944.195371] grsec: denied fchdir outside of chroot to /root/chroot by /root/chroot/unchroot2[unchroot2:11415] uid/euid:0/0 gid/egid:0/0, parent /root/chroot/bin/sh[sh:11407] uid/euid:0/0 gid/egid:0/0
Grsecurity requires replacing the kernel, which I think is more work than using apparmor. But they can be used together.