Apache-2.4

Chrooting Apache 2.4 on Debian Jessie with mod_security

  • February 22, 2016

It was suggested to me that I chroot my apache2 installation to better protect sensitive content on the rest of the server. I have mod_security installed and set up correctly and can see in the logs that it is chrooting apache2 properly, but systemctl has trouble verifying that the service is running. When I run:

service apache2 start

it hangs for 20 seconds and then reports a failure:

The apache2 instance did not start within 20 seconds. Please read the log files to discover problems ... (warning).

But if I check the processes I can see the various apache2 services running. If I try to visit my website I get a 403 Forbidden error. Here is my grep'ed /etc/apache2/apache2.conf:

Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
SecChrootDir /var/www
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
       Options FollowSymLinks
       AllowOverride None
       Require all denied
</Directory>
<Directory /usr/share>
       AllowOverride None
       Require all granted
</Directory>
<Directory /var/www/>
       Options Indexes FollowSymLinks
       AllowOverride None
       Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
       Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
ServerName localhost

Here is my /etc/apache2/sites-enabled/site.com.conf:

<VirtualHost *:80>
   # The ServerName directive sets the request scheme, hostname and port that
   # the server uses to identify itself. This is used when creating
   # redirection URLs. In the context of virtual hosts, the ServerName
   # specifies what hostname must appear in the request's Host: header to
   # match this virtual host. For the default virtual host (this file) this
   # value is not decisive as it is used as a last resort host regardless.
   # However, you must set it for any further virtual host explicitly.
   #ServerName www.example.com

   ServerAdmin webmaster@localhost
   DocumentRoot /var/www

   # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
   # error, crit, alert, emerg.
   # It is also possible to configure the loglevel for particular
   # modules, e.g.
   #LogLevel info ssl:warn

   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined

   # For most configuration files from conf-available/, which are
   # enabled or disabled at a global level, it is possible to
   # include a line for only one particular virtual host. For example the
   # following line enables the CGI configuration for this host only
   # after it has been globally disabled with "a2disconf".
   #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

<Directory /var/www>
 AllowOverride None
 Require all granted
</Directory>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Some recent /var/log/apache2/error.log:

[Mon Feb 22 00:26:02.746084 2016] [mpm_prefork:notice] [pid 2766] AH00169: caught SIGTERM, shutting down
[Mon Feb 22 00:26:27.000946 2016] [:notice] [pid 2978] ModSecurity: chroot checkpoint #1 (pid=2978 ppid=2975)
[Mon Feb 22 00:26:27.001010 2016] [:notice] [pid 2978] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Mon Feb 22 00:26:27.001016 2016] [:notice] [pid 2978] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Mon Feb 22 00:26:27.001022 2016] [:notice] [pid 2978] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.35 2014-04-04"
[Mon Feb 22 00:26:27.001028 2016] [:notice] [pid 2978] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Feb 22 00:26:27.001032 2016] [:notice] [pid 2978] ModSecurity: LIBXML compiled version="2.9.1"
[Mon Feb 22 00:26:27.001068 2016] [:notice] [pid 2978] ModSecurity: StatusEngine call: "2.8.0,Apache/2.4.10 (Debian),1.5.1/1.5.1,8.35/8.35 2014-04-04,Lua 5.1,2.9.1,d5"
[Mon Feb 22 00:26:27.223832 2016] [:notice] [pid 2978] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Mon Feb 22 00:26:28.000065 2016] [:notice] [pid 2979] ModSecurity: chroot checkpoint #2 (pid=2979 ppid=1)
[Mon Feb 22 00:26:28.000103 2016] [:notice] [pid 2979] ModSecurity: chroot successful, path=/var/www
[Mon Feb 22 00:26:28.003129 2016] [mpm_prefork:notice] [pid 2979] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Feb 22 00:26:28.003162 2016] [core:notice] [pid 2979] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 22 00:26:51.576466 2016] [authz_core:error] [pid 2983] [client 65.29.162.224:50484] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.093394 2016] [authz_core:error] [pid 2984] [client 80.65.51.221:5624] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.108471 2016] [authz_core:error] [pid 2985] [client 80.65.51.221:10799] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.137950 2016] [authz_core:error] [pid 2986] [client 80.65.51.221:64057] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:28:48.924836 2016] [authz_core:error] [pid 2987] [client 150.70.173.47:53051] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:33:48.875421 2016] [authz_core:error] [pid 3032] [client 65.29.162.224:50567] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:33:49.977038 2016] [authz_core:error] [pid 3032] [client 65.29.162.224:50567] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:34:06.848570 2016] [mpm_prefork:notice] [pid 2979] AH00169: caught SIGTERM, shutting down
[Mon Feb 22 00:34:28.000025 2016] [:notice] [pid 3821] ModSecurity: chroot checkpoint #1 (pid=3821 ppid=3818)
[Mon Feb 22 00:34:28.000106 2016] [:notice] [pid 3821] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Mon Feb 22 00:34:28.000112 2016] [:notice] [pid 3821] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Mon Feb 22 00:34:28.000118 2016] [:notice] [pid 3821] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.35 2014-04-04"
[Mon Feb 22 00:34:28.000123 2016] [:notice] [pid 3821] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Feb 22 00:34:28.000128 2016] [:notice] [pid 3821] ModSecurity: LIBXML compiled version="2.9.1"
[Mon Feb 22 00:34:28.000163 2016] [:notice] [pid 3821] ModSecurity: StatusEngine call: "2.8.0,Apache/2.4.10 (Debian),1.5.1/1.5.1,8.35/8.35 2014-04-04,Lua 5.1,2.9.1,d5"
[Mon Feb 22 00:34:28.182087 2016] [:notice] [pid 3821] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Mon Feb 22 00:34:29.000835 2016] [:notice] [pid 3822] ModSecurity: chroot checkpoint #2 (pid=3822 ppid=1)
[Mon Feb 22 00:34:29.000871 2016] [:notice] [pid 3822] ModSecurity: chroot successful, path=/var/www
[Mon Feb 22 00:34:29.003978 2016] [mpm_prefork:notice] [pid 3822] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Feb 22 00:34:29.004010 2016] [core:notice] [pid 3822] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 22 00:34:31.541762 2016] [authz_core:error] [pid 3827] [client 65.29.162.224:50568] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:51:43.647330 2016] [authz_core:error] [pid 3829] [client 65.29.162.224:50919] AH01630: client denied by server configuration: /var/www, referer: http://xxxxxxxxxx.com/
[Mon Feb 22 01:00:25.730427 2016] [authz_core:error] [pid 3831] [client 208.91.115.10:47458] AH01630: client denied by server configuration: /var/www

Let me know if I should provide more information.
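Added example, not code from the question above or from ModSecurity: a small script that does the path arithmetic a chroot imposes and correlates it with the posted log. Its one assumption is how chroot(2) works: once the log reports "chroot successful, path=/var/www", every absolute path the worker opens is resolved under that root, so a DocumentRoot written as /var/www refers to the host's /var/www/var/www, and the host's /var/www is reachable from inside the jail only as "/". The script reports that mapping and the paths authz_core said it denied (AH01630); whether the mapping is what produced the 403 in this case is for the reader to confirm on the box (for instance by checking whether the computed host path exists). The embedded config and log lines are copied from the question.

```python
"""Path arithmetic for an Apache process that chroots via SecChrootDir.

Added example (not from the original post). Assumption: after chroot(2)
the kernel resolves every absolute path the worker opens relative to the
new root, so DocumentRoot /var/www inside a jail rooted at /var/www is the
host's /var/www/var/www.
"""
import os
import re

DIRECTIVE = re.compile(r'^\s*(SecChrootDir|DocumentRoot)\s+"?([^"\s]+)"?', re.M)
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)\](?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
CHROOT_OK = re.compile(r"ModSecurity: chroot successful, path=(\S+)")
DENIED = re.compile(r"AH01630: client denied by server configuration: ([^,]+)")


def chroot_host_path(chroot_dir, path_inside):
    """Host-side location of an absolute path opened after chroot(chroot_dir)."""
    inside = os.path.normpath("/" + path_inside).lstrip("/")
    return os.path.normpath(os.path.join("/", chroot_dir.strip("/"), inside))


def jail_relative_path(chroot_dir, host_path):
    """Value to write in the config to reach host_path from inside the jail,
    or None when host_path lies outside the jail and is unreachable."""
    root = os.path.normpath(chroot_dir)
    target = os.path.normpath(host_path)
    if target == root:
        return "/"
    if not target.startswith(root.rstrip("/") + "/"):
        return None
    return "/" + os.path.relpath(target, root)


def directive_paths(config_text):
    """First occurrence of each directive wins (Apache keeps the last for
    DocumentRoot per vhost, but one value is enough for this check)."""
    found = {}
    for name, value in DIRECTIVE.findall(config_text):
        found.setdefault(name, value)
    return found


def parse_log(log_text):
    """Yield a dict per parseable Apache 2.4 error.log line."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def audit(config_text, log_text):
    conf = directive_paths(config_text)
    chroot_dir, docroot = conf.get("SecChrootDir"), conf.get("DocumentRoot")
    chroot_seen, denied = set(), set()
    for entry in parse_log(log_text):
        m = CHROOT_OK.search(entry["msg"])
        if m:
            chroot_seen.add(m.group(1))
        m = DENIED.search(entry["msg"])
        if m:
            denied.add(m.group(1).strip())
    jailed = bool(chroot_dir and docroot)
    return {
        "chroot_dir": chroot_dir,
        "document_root": docroot,
        "chroot_confirmed": chroot_dir in chroot_seen,
        # where the DocumentRoot string really lands on the host once jailed
        "host_document_root": chroot_host_path(chroot_dir, docroot) if jailed else docroot,
        # what to write instead if the string was meant as a host path
        "jail_relative_for_host_docroot": jail_relative_path(chroot_dir, docroot) if jailed else docroot,
        "denied_paths": denied,
    }


# Copied from the question's apache2.conf / site config (trimmed).
SAMPLE_CONFIG = """\
SecChrootDir /var/www
<VirtualHost *:80>
   DocumentRoot /var/www
</VirtualHost>
"""

# Copied from the question's error.log excerpt (representative lines).
SAMPLE_LOG = """\
[Mon Feb 22 00:26:28.000103 2016] [:notice] [pid 2979] ModSecurity: chroot successful, path=/var/www
[Mon Feb 22 00:26:28.003129 2016] [mpm_prefork:notice] [pid 2979] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Feb 22 00:26:51.576466 2016] [authz_core:error] [pid 2983] [client 65.29.162.224:50484] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:51:43.647330 2016] [authz_core:error] [pid 3829] [client 65.29.162.224:50919] AH01630: client denied by server configuration: /var/www, referer: http://xxxxxxxxxx.com/
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, SAMPLE_LOG).items():
        print(f"{key:32} {value}")
```

Run it against the real files with `audit(open('/etc/apache2/apache2.conf').read() + open('/etc/apache2/sites-enabled/site.com.conf').read(), open('/var/log/apache2/error.log').read())`; the same function works for any other SecChrootDir/DocumentRoot pair, not just the /var/www case in the question.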

Not a direct answer to your question... but an alternative.

Chroot is nice, and not useless (containers such as LXC use it, for example), but for security purposes it is a very incomplete idea from a distant past when there were no other options. Breaking out of a chroot is easy. The additions in grsecurity, such as disallowing chroot, mount, pivot, chmod etc. inside chroots, help make it more of a jail than a plain chroot, but it is still incomplete. Nowadays people do not consider chroot a security feature.

Using MAC (mandatory access control, e.g. apparmor or selinux) is far superior for protecting a service. On Debian-based Linux I recommend using apparmor rather than trying to set up SELinux. SELinux works best system-wide, as on RedHat-based systems, where the distribution does the work for you.

In theory you could combine the two, but some apparmor experts say that using apparmor alone is better than using chroot. That may be subjective.

If you look at the link about escaping a chroot and then consider MAC, you will see it would simply block it. MAC does not let the process use a compiler (your web server doesn't need to run gcc, right?), whereas chroot doesn't prevent that at all. But grsecurity without any MAC also blocks this escape:

[858944.195371] grsec: denied fchdir outside of chroot to /root/chroot by /root/chroot/unchroot2[unchroot2:11415] uid/euid:0/0 gid/egid:0/0, parent /root/chroot/bin/sh[sh:11407] uid/euid:0/0 gid/egid:0/0

Grsecurity requires replacing the kernel, which I think is more work than using apparmor. But they can be used together.
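As an added example of the recommendation above (it is not from the answer, nor a copy of the Debian apparmor-profiles package), here is a minimal AppArmor profile for /usr/sbin/apache2 built the way the answer argues: the server may read its config and /var/www, write its logs and run-time state, bind port 80 and drop privileges, and nothing else. AppArmor denies by default, so no execute rule at all means no gcc, no shell; the explicit `audit deny ... x` lines only add a log entry when something tries. Every path and capability here is an assumption for a stock Debian layout and must be adjusted for a real deployment (TLS keys, mod_security's data and audit-log directories, CGI, etc.).

```apparmor
#include <tunables/global>

# Assumed profile for a stock Debian apache2; paths are illustrative.
/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Privileges the root parent needs: bind :80, then switch to www-data.
  capability net_bind_service,
  capability setuid,
  capability setgid,
  # Only needed while SecChrootDir is still in use; drop it otherwise.
  capability sys_chroot,

  # The binary, its modules and its configuration, read only.
  /usr/sbin/apache2 mr,
  /usr/lib/apache2/modules/*.so mr,
  /etc/apache2/** r,
  /etc/modsecurity/** r,
  /etc/mime.types r,

  # Site content: readable, never executable or writable.
  /var/www/ r,
  /var/www/** r,

  # Run-time state (pid, locks, sockets) and logs.
  /run/apache2/ rw,
  /run/apache2/** rwk,
  /var/log/apache2/ r,
  /var/log/apache2/*.log w,

  # No exec rule exists above, so every execve is already refused.
  # These make the refusal visible in the audit log (the "gcc" point).
  audit deny /usr/bin/** x,
  audit deny /bin/** x,
  audit deny /usr/local/bin/** x,
  audit deny /tmp/** x,
}
```

Install it as /etc/apparmor.d/usr.sbin.apache2 and load it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2`. Run it in complain mode first (`aa-complain /usr/sbin/apache2`), exercise the site, and read the ALLOWED/DENIED audit lines in the kernel log or /var/log/syslog to find paths the profile is missing, then switch to `aa-enforce`. On Debian jessie the AppArmor LSM is not enabled by default; the kernel has to be booted with `apparmor=1 security=apparmor` before any profile takes effect.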

Source: https://serverfault.com/questions/758851