Building a High-Security Server with Jail and ipfilter
Author:
三轮车夫 (★可乐∮, EasyPP, Easy2go)
MSN: easy2go@msn.com  QQ: 223480  Mail: postmaster@easy2go.org
Copyright notice:
This document is copyright 三轮车夫 (★可乐∮, EasyPP, Easy2go). If you repost it, please keep this notice. Thank you!
Foreword:
I previously wrote an article, 《使用jail构建安全的Vsftpd》 (Building a secure vsftpd with jail, see www.cnfug.org), which gave a first look at how jail is used. This article is meant as its companion piece. Enough chatter, let's get to the point!
The previous article only used jail to chroot a single service (vsftpd) so that the service could be managed more safely. This article focuses on jailing a complete, independent system. The rough network topology is as follows:

Concretely: build an independent system with jail and run some network services inside it, then build a firewall on the FreeBSD host with ipfilter and use ipnat to map the relevant ports through to the jailed system.
System configuration:
OS: FreeBSD 4.8 Stable
IP: fxp0 10.0.1.1 192.168.1.201
DNS: 10.0.0.251
Defaultrouter: 10.0.1.1
Output of ifconfig:
/**
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.1.1 netmask 0xff000000 broadcast 10.255.255.255
inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:00:e2:2d:8b:a5
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
**/
Steps:
1. Build the jail environment (the full system source tree must be installed):
mkdir -p /jail/Jail-A/
Create a shell script jail.sh with the following contents:
D=/jail/Jail-A
cd /usr/src
mkdir -p $D
make world DESTDIR=$D
cd etc
make distribution DESTDIR=$D -DNO_MAKEDEV_RUN
cd $D/dev
sh MAKEDEV jail
cd $D
ln -sf dev/null kernel
Edit /etc/make.conf to leave out things you don't need (adjust this to your own situation):
CPUTYPE=i686
COPTFLAGS= -O -pipe
INSTALL=install -C
NO_CVS= true # do not build CVS
NO_BIND= true # do not build BIND
NO_FORTRAN= true # do not build g77 and related libraries
NO_I4B= true # do not build isdn4bsd package
NO_LPR= true # do not build lpr and related programs
NO_MAILWRAPPER=true # do not build the mailwrapper(8) MTA selector
NO_SENDMAIL= true # do not build sendmail and related programs
NO_SHAREDOCS= true # do not build the 4.4BSD legacy docs
NO_X= true # do not compile in XWindows support (e.g. doscmd)
NOGAMES= true # do not build games (games/ subdir)
NOINFO= true # do not make or install info files
NOLIBC_R= true # do not build libc_r (re-entrant version of libc)
NOMAN= true # do not build manual pages
NOUUCP= true # do not build uucp related programs
Run jail.sh to build the basic jail environment:
#sh jail.sh
After it finishes, do the following:
#ifconfig fxp0 alias 192.168.1.201 netmask 255.255.255.0
or add to /etc/rc.conf:
ifconfig_fxp0_alias0="inet 192.168.1.201 netmask 255.255.255.0"
#mkdir -p /jail/Jail-A/stand
#cp /stand/sysinstall /jail/Jail-A/stand/
#touch /jail/Jail-A/etc/fstab
#vi /jail/Jail-A/etc/rc.conf and add the following:
sendmail_enable="NONE"
sshd_enable="YES" // this one is essential: it lets you manage the jail remotely
inetd_enable="YES" // if you enable this, you must also add the next line
inetd_flags="-wW -a 192.168.1.201" // change this to your jail's own address!
syslogd_enable="YES"
syslogd_flags="-ss"
Start configuring the jailed system:
#jail /jail/Jail-A/ powerbsd.org 192.168.1.201 /bin/csh
If there are no errors, run:
#passwd root (set the root password)
#/stand/sysinstall -> Configure ->
Select Time Zone to set the time zone
Select Networking to configure the network settings
Select User Management to create an account in the wheel group
Select Startup to configure the services you need
Exit, then edit /jail/Jail-A/etc/rc.conf and remove the entries you don't need;
you can use the settings above as a reference.
Test-start the jailed system:
#jail /jail/Jail-A/ powerbsd.org 192.168.1.201 /bin/sh /etc/rc
Here is the output of starting the jail on my machine:
/**
#jail /jail/Jail-A/ powerbsd.org 192.168.1.201 /bin/sh /etc/rc
Skipping disk checks ...
adjkerntz[662]: sysctl(set_disrtcset): Operation not permitted
Doing initial network setup:.
ifconfig: ioctl (SIOCDIFADDR): permission denied
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
Additional routing options: TCP keepalive=YESsysctl: net.inet.tcp.always_keepalive: Operation not permitted
.Routing daemons:.
Additional daemons: syslogd.
Doing additional network setup:.
Starting final network daemons:.
ELF ldconfig path: /usr/lib /usr/lib/compat
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Starting standard daemons: inetd cron sshd.
Initial rc.i386 initialization:.
Additional ABI support:.
Local package initialization:.
Additional TCP options:.
2003年 7月14日 星期一 16时26分43秒 ICT
**/
You can now log in to the jailed system over ssh. To make testing easier, I also enabled ftp and telnet through inetd.conf.
Below is what an ssh session into the jail looks like:
/**
powerbsd# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
powerbsd# uname -a
FreeBSD powerbsd.org 4.8-STABLE FreeBSD 4.8-STABLE #1: Mon Jul 14 14:27:53 CST 2003 root@powerbsd.org:/usr/src/sys/compile/PowerBSD i386
powerbsd# ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:00:e2:2d:8b:a5
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
powerbsd# ps auxww
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 748 0.0 0.1 400 252 p1 R+J 4:30PM 0:00.00 ps auxww
root 709 0.0 0.3 1092 788 ?? IsJ 4:26PM 0:00.00 /usr/sbin/inetd -wW -a 192.168.1.201
root 711 0.0 0.3 1032 764 ?? SsJ 4:26PM 0:00.00 /usr/sbin/cron
root 713 0.0 0.8 2632 2080 ?? IsJ 4:26PM 0:00.12 /usr/sbin/sshd
root 727 0.0 0.9 5332 2296 ?? IJ 4:27PM 0:00.03 sshd: PowerBSD [priv] (sshd)
PowerBSD 729 0.0 0.9 5332 2352 ?? SJ 4:27PM 0:00.03 sshd: PowerBSD@ttyp1 (sshd)
PowerBSD 730 0.0 0.4 1364 972 p1 IsJ 4:27PM 0:00.01 -csh (csh)
root 732 0.0 0.4 1368 972 p1 SJ 4:27PM 0:00.02 -su (csh)
root 702 0.0 0.3 992 664 ?? SsJ 4:26PM 0:00.00 /usr/sbin/syslogd -ss
powerbsd#
**/
At this point the basic jail system is fully configured.
Now configure ipfilter to set up the port mapping.
2. Configure ipfilter and ipnat on FreeBSD
#cd /sys/i386/conf
#cp GENERIC PowerBSD
Add the following to the PowerBSD kernel configuration file:
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
#config PowerBSD
#cd ../../compile/PowerBSD/
#make depend;make;make install
vi /etc/rc.conf and add the following parameters to that file:
ipfilter_enable="YES" //ipfilter
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES" //ipnat
ipnat_program="/sbin/ipnat -CF"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES" //ipfilter log
ipmon_program="/sbin/ipmon"
ipmon_flags="-Ds"
Create the files ipfilter needs:
touch /etc/ipf.rules
// Since building an ipfilter firewall is not the focus of this article, see the documents in /usr/share/examples/ipfilter/ for details
touch /etc/ipnat.rules
touch /var/log/ipflog
vi /etc/ipf.rules (the rules below are the ones I used for testing and are far from complete; please consult the ipfilter documentation)
pass out on fxp0 all
pass in on fxp0 all
pass out quick on lo0 all
pass in quick on lo0 all
block in proto icmp from any to 10.0.1.1
pass in quick on fxp0 proto tcp from any to any port = 22 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = 23 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass out quick on fxp0 proto udp from any to any port = 53
block in log quick on fxp0 proto tcp from any to any port = 3306
block in quick all
vi /etc/ipnat.rules and add the NAT rules:
rdr fxp0 10.0.1.1/32 port 21 -> 192.168.1.201 port 21
rdr fxp0 10.0.1.1/32 port 23 -> 192.168.1.201 port 23
rdr fxp0 10.0.1.1/32 port 80 -> 192.168.1.201 port 80
vi /etc/rc.local and add the command that starts the jail:
jail /jail/Jail-A/ powerbsd.org 192.168.1.201 /bin/sh /etc/rc
Note: don't forget to add to /etc/rc.conf:
ifconfig_fxp0_alias0="inet 192.168.1.201 netmask 255.255.255.0"
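Added here as an illustration (not part of the original post): a POSIX sh check that reads constructed copies of the two rule files above and reports which ports ipnat redirects to the jail but ipf never passes inbound, and which passed ports have no rdr and therefore terminate on the host itself. The service-name table and the temporary file paths are assumptions made so the script runs stand-alone.

```shell
# Added example, not code from the post: cross-check ipnat rdr targets against
# the ipf "pass in" rules. A port redirected to the jail but not passed by ipf
# is silently dropped by the closing "block in quick all".
RULES_DIR=$(mktemp -d)   # constructed copies of the two rule files shown above
cat > "$RULES_DIR/ipf.rules" <<'EOF'
pass in on fxp0 all
pass in quick on fxp0 proto tcp from any to any port = 22 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = 23 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp-data flags S/SA keep state
block in log quick on fxp0 proto tcp from any to any port = 3306
block in quick all
EOF
cat > "$RULES_DIR/ipnat.rules" <<'EOF'
rdr fxp0 10.0.1.1/32 port 21 -> 192.168.1.201 port 21
rdr fxp0 10.0.1.1/32 port 23 -> 192.168.1.201 port 23
rdr fxp0 10.0.1.1/32 port 80 -> 192.168.1.201 port 80
EOF
# Service names ipf accepts in "port = name"; a small built-in table is assumed
# here so the check does not depend on /etc/services.
port_num() {
    case "$1" in ftp) echo 21 ;; ftp-data) echo 20 ;; ssh) echo 22 ;;
                 telnet) echo 23 ;; http|www) echo 80 ;; *) echo "$1" ;; esac
}
# Ports admitted by "pass in ... on <if> ... port = X" rules: numeric, sorted, unique.
passed_in_ports() {  # $1 = ipf rules file, $2 = interface
    awk -v ifc="$2" '$1 == "pass" && $2 == "in" { ok = 0; port = ""
        for (i = 1; i <= NF; i++) { if ($i == "on" && $(i+1) == ifc) ok = 1
                                    if ($i == "port" && $(i+1) == "=") port = $(i+2) }
        if (ok && port != "") print port }' "$1" |
    while read -r p; do port_num "$p"; done | sort -n | uniq
}
# External ports redirected by "rdr <if> addr port X -> ..." (first "port" on the line).
redirected_ports() {  # $1 = ipnat rules file, $2 = interface
    awk -v ifc="$2" '$1 == "rdr" && $2 == ifc {
        for (i = 1; i <= NF; i++) if ($i == "port") { print $(i+1); break } }' "$1" | sort -n | uniq
}
# Report "blocked_rdr=<ports> host_only=<ports>": redirected ports ipf does not pass
# (dead mapping), and passed ports with no rdr, which end on the host rather than the jail.
check_rules() {  # $1 = ipf rules, $2 = ipnat rules, $3 = interface
    passed=$(passed_in_ports "$1" "$3"); rdr=$(redirected_ports "$2" "$3")
    blocked=""; host=""
    for p in $rdr;    do echo "$passed" | grep -qx "$p" || blocked="$blocked$p,"; done
    for p in $passed; do echo "$rdr"    | grep -qx "$p" || host="$host$p,"; done
    echo "blocked_rdr=${blocked%,} host_only=${host%,}"
}
check_rules "$RULES_DIR/ipf.rules" "$RULES_DIR/ipnat.rules" fxp0
```

On the rules above it reports host_only=20,22: port 22 is passed but not redirected, so an ssh connection to 10.0.1.1 reaches the host's own sshd, while the jail's sshd is reached at 192.168.1.201 directly.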
3. Finally, reboot your system and test:
telnet 10.0.1.1
ftp -A 10.0.1.1
If that works, everything is OK!
Summary:
By combining ipfilter's NAT with the powerful jail mechanism as above, you can build a very secure server. How well services perform when run inside a jail, though, is something I have not measured; I'd welcome pointers from anyone who has tested it. The above is just a record of one of my test runs, and there are bound to be some mistakes in the write-up; if you find any, please let me know and I will correct them. Thanks!
If you run into problems while following this document, you can email me; the address is given at the start of the document.