作者 主題: apache 2 安全實做  (閱讀 5865 次)


fz150n

apache 2 安全實做
« 於: 2006-05-20 16:36 »
前陣子想升級apache 2,但因受限於Fedora Core 3的關係,
沒有更新的版本可升級,所以萌生了自行編譯的念頭。

我覺得這篇文章寫得很好,包括mysql, PHP,所以其實它是一系列的:

http://www.securityfocus.com/infocus/1786

有興趣的可以把它印下來,放在手邊當參考。

另外,也強烈建議大家,如果要增強系統安全的認知以及英文能力的話,
可以訂閱那家公司的mailing list,最近就是看了他們的文章,才知道原來
RealVNC 4.1.1有安全大漏洞。

fz150n

apache 2 安全實做
« 回覆 #1 於: 2006-05-21 21:58 »
今天實做了一下,但是版上好像並沒有很多這方面的文章,於是我到
GOOGLE找了一個下午,看來暫時是沒有解答了。

我的作業系統是Fedora Core 3,一般安裝,
想安裝的是apache-2.2.2,依照我先前找到的文章一步一步做,
光是chroot到/chroot/httpd時就困難重重,最後停在http-error-log:

[Sun May 21 12:20:30 2006] [crit] (6)No such device or address: apr_proc_detach failed
Pre-configuration failed


這裡有片段的strace紀錄:

uname({sys="Linux", node="rhel", ...})  = 0
stat64("/root", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat64(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getcwd("/", 4096)                       = 2
getpid()                                = 20678
open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/gconv-modules", O_RDONLY) = -1 ENOENT (No such file or directory)
getppid()                               = 20677
getpgrp()                               = 20677
rt_sigaction(SIGCHLD, {0x8077263, [], SA_RESTORER, 0xb6ca48}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
open("/usr/local/apache2/bin/apachectl", O_RDONLY|O_LARGEFILE) = 3
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffeb5c8) = -1 ENOTTY (Inappropriate ioctl for device)
_llseek(3, 0, [0], SEEK_CUR)            = 0
read(3, "#!/bin/sh\n#\n# Copyright 2000-200"..., 80) = 80
_llseek(3, 0, [0], SEEK_SET)            = 0
getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024}) = 0
dup2(3, 255)                            = 255
close(3)                                = 0
fcntl64(255, F_SETFD, FD_CLOEXEC)       = 0
fcntl64(255, F_GETFL)                   = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fstat64(255, {st_mode=S_IFREG|0755, st_size=3282, ...}) = 0
_llseek(255, 0, [0], SEEK_CUR)          = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
read(255, "#!/bin/sh\n#\n# Copyright 2000-200"..., 3282) = 3282



stat64("/usr/local/apache2/bin/envvars", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
stat64("/usr/local/apache2/bin/envvars", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
access("/usr/local/apache2/bin/envvars", X_OK) = -1 EACCES (Permission denied)
open("/usr/local/apache2/bin/envvars", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
read(3, "# Copyright 2001-2005 The Apache"..., 837) = 837
close(3)                                = 0

....

pipe([3, 4])                            = 0
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
_llseek(255, -877, [2405], SEEK_CUR)    = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7ff1708) = 20679
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGCHLD, {0x8077263, [], SA_RESTORER, 0xb6ca48}, {0x8077263, [], SA_RESTORER, 0xb6ca48}, 8) = 0
close(4)                                = 0
read(3, "1024\n", 128)                  = 5
read(3, "", 128)                        = 0
close(3)                                = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGINT, {0x807603b, [], SA_RESTORER, 0xb6ca48}, {SIG_DFL}, 8) = 0
waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 20679
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
waitpid(-1, 0xbffeac9c, WNOHANG)        = -1 ECHILD (No child processes)
sigreturn()                             = ? (mask now [])
rt_sigaction(SIGINT, {SIG_DFL}, {0x807603b, [], SA_RESTORER, 0xb6ca48}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
read(255, "# --------------------          "..., 3282) = 877
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024}) = 0
getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024}) = 0
setrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024}) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
_llseek(255, -14, [3268], SEEK_CUR)     = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7ff1708) = 20680
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG) = 20680
waitpid(-1, 0xbffead0c, WNOHANG)        = -1 ECHILD (No child processes)
sigreturn()                             = ? (mask now [])
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGINT, {0x807603b, [], SA_RESTORER, 0xb6ca48}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL}, {0x807603b, [], SA_RESTORER, 0xb6ca48}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
read(255, "\nexit $ERROR\n\n", 3282)    = 14
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
exit_group(0)                           = ?



好難喔,是不是FC3的關係?

fz150n

apache 2 安全實做
« 回覆 #2 於: 2006-05-30 20:42 »
終於找到原因了,是suexec在作怪,
只要把suexec複製到對應的目錄也就行了。

如今在FC3上面終於可以將httpd-2.2.2關進chroot監獄(jail)了~
 :D

php 5.1.4 試了好久,總算也放進去了:

./configure --prefix=/usr/local/php5 --with-mysql=/usr/local/mysql/bin --with-apxs2=/usr/local/apache2/bin/apxs --with-zlib-dir=/usr/local

我不確定我需要用的是否都import進去了,可能要等phpBB2放進去之後再試一下。

[root@fz150n ] chroot /chroot /usr/local/apache2/bin/apachectl -k start

這是啟動後的紀錄:

[Tue May 30 12:35:54 2006] [notice] mod_security/1.9.4 configured
[Tue May 30 12:35:54 2006] [notice] Apache/2.2.2 (Unix) PHP/5.1.4 configured -- resuming normal operations


安裝httpd的時候順便把mod_security也放進去了。

接下來想測試mysql
mysql-standard-5.0.22-linux-i686-glibc23

加油~ :D