Apache enhanced security configuration (using mod_chroot, mod_security)

A typical compromise of a LAMP environment runs roughly: SQL injection, upload a WebShell, escalate local privileges to root, install a rootkit, and so on. The configuration below, mod_chroot plus mounting /var/www on a separate partition, makes the local privilege-escalation steps much harder, and mod_security can block application-level attacks such as SQL injection.

What follows is a summary of what worked for me on Ubuntu 10.04. I mostly give the commands directly without much explanation; my knowledge is limited, so please correct any mistakes.

First make sure that Apache, PHP and MySQL work properly. If something is wrong, check /var/log/apache2, /var/log/syslog and /var/log/mysql/error.log. Permission errors, especially those caused by AppArmor, are not easy to find.

1. mod_chroot installation and configuration

The goal is to chroot Apache to /var/www.

(1) Install:

sudo service apache2 stop

sudo apt-get install libapache2-mod-chroot

sudo vi /etc/apache2/mods-available/mod_chroot.conf

with the content:

LoadFile /lib/libgcc_s.so.1

ChrootDir /var/www

(The LoadFile line pulls libgcc_s into the server before the chroot happens; the library is loaded lazily later, when it would no longer be reachable from inside /var/www, and the child processes crash at exit without it.)

sudo a2enmod mod_chroot

In /etc/apache2/sites-enabled/000-default, change DocumentRoot to /

sudo ln -s /var/www/var/run/apache2.pid /var/run/apache2.pid

/var/run does not persist across reboots, so add the same line to /etc/rc.local so that the link is recreated at boot:

ln -s /var/www/var/run/apache2.pid /var/run/apache2.pid

PHP writes its session files to /tmp, which inside the chroot is /var/www/tmp:

sudo mkdir -p /var/www/tmp

sudo chmod 1777 /var/www/tmp

sudo mkdir -p /var/www/var/run/mysqld

sudo ln -s / /var/www/var/www

At this point Apache and PHP should serve static pages correctly. Next, MySQL:

1) sudo service mysql stop

2) Edit /etc/apparmor.d/usr.sbin.mysqld: find the line

"/var/run/mysqld/mysqld.sock w,"

and add a copy of it reading

"/var/www/var/run/mysqld/mysqld.sock w,"

3) In /etc/mysql/my.cnf, set the socket path in each of the [client], [mysqld_safe] and [mysqld] sections to

"socket = /var/www/var/run/mysqld/mysqld.sock"

4) sudo service mysql start

The reason for moving the socket: PHP inside the chroot keeps using its default socket path /var/run/mysqld/mysqld.sock, which on the host is /var/www/var/run/mysqld/mysqld.sock, so mysqld has to create the socket there and AppArmor has to allow the write. If MySQL still cannot create the socket after the edit, reload the profile explicitly with sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld.
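The two edits above (my.cnf socket paths and the AppArmor rule) as an added shell example; this is not code from the original post. The function names are my own, CHROOT_SOCK follows the path used in the post, and the sample my.cnf and profile in the usage notes are constructed. The functions edit files in place and are idempotent, so they can be re-run safely.

```shell
#!/bin/sh
# Added example, not part of the original post: relocate the MySQL socket so
# that PHP inside the /var/www chroot can reach it. Inside the chroot PHP keeps
# using its default /var/run/mysqld/mysqld.sock, which the kernel resolves to
# /var/www/var/run/mysqld/mysqld.sock on the host, so mysqld has to create the
# socket there and AppArmor has to allow the write. Function names are mine.

CHROOT_SOCK=/var/www/var/run/mysqld/mysqld.sock

# set_mysql_socket FILE SOCK
# Rewrites the "socket = ..." line of the [client], [mysqld_safe] and [mysqld]
# sections of FILE (my.cnf) to SOCK, in place; other sections are untouched.
set_mysql_socket() {
    file=$1; sock=$2
    tmp=$(mktemp) || return 1
    awk -v sock="$sock" '
        /^[ \t]*\[/ { section=$0; sub(/#.*/, "", section); gsub(/[ \t]/, "", section) }
        /^[ \t]*socket[ \t]*=/ && (section=="[client]" || section=="[mysqld_safe]" || section=="[mysqld]") {
            print "socket = " sock; next
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

# allow_socket_in_apparmor PROFILE SOCK
# Adds "SOCK w," before the closing brace of the mysqld AppArmor profile
# (/etc/apparmor.d/usr.sbin.mysqld) unless that rule is already present.
allow_socket_in_apparmor() {
    profile=$1; sock=$2
    grep -qF "$sock w," "$profile" && return 0
    tmp=$(mktemp) || return 1
    awk -v sock="$sock" '
        /^}[ \t]*$/ { print "  " sock " w," }
        { print }
    ' "$profile" > "$tmp" && cat "$tmp" > "$profile"
    rc=$?; rm -f "$tmp"; return $rc
}

# Usage (as root, with MySQL stopped):
#   set_mysql_socket /etc/mysql/my.cnf "$CHROOT_SOCK"
#   allow_socket_in_apparmor /etc/apparmor.d/usr.sbin.mysqld "$CHROOT_SOCK"
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld   # reload the profile
#   service mysql start
```

One caveat from practice: /etc/mysql/debian.cnf also carries a socket= line under [client], and the Debian/Ubuntu init script uses that file to check whether the server came up. If `service mysql start` hangs after the change, run set_mysql_socket over debian.cnf as well.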

Other issues

PHP's date() misbehaves, because there is no timezone data inside the chroot. Fix:

sudo mkdir -p /var/www/usr/share /var/www/etc

sudo cp -rp /usr/share/zoneinfo /var/www/usr/share/

sudo cp /etc/localtime /var/www/etc/

DNS resolution problems (untested):

sudo cp /etc/resolv.conf /var/www/etc/resolv.conf

(resolv.conf alone is usually not enough for name lookups from inside a chroot; /etc/hosts, /etc/nsswitch.conf and the NSS libraries the resolver loads at run time are typically needed as well.)

Missing "Not Found" and other error pages:

sudo cp -rp /usr/share/apache2 /var/www/usr/share/
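The directory layout assembled by hand in section 1 and the fixes just above, collected into a setup and a check function as an added shell example (not code from the original post). The root directory is a parameter so the functions can be exercised on a scratch directory; in production ROOT is /var/www and the script runs as root. Function names are my own; the paths are the ones the post uses.

```shell
#!/bin/sh
# Added example, not part of the original post: build and verify the chroot
# layout the post assembles by hand. ROOT=/var/www in production.

# setup_chroot_layout ROOT
setup_chroot_layout() {
    root=$1
    mkdir -p "$root/tmp" "$root/var/run/mysqld" "$root/usr/share" "$root/etc" || return 1
    chmod 1777 "$root/tmp" || return 1            # PHP session files land here
    # Inside the chroot "/var/www" must lead back to the chroot root: the link
    # target "/" is resolved relative to the chroot once Apache has chrooted.
    if [ ! -L "$root/var/www" ]; then
        ln -s / "$root/var/www" || return 1
    fi
    # Timezone data and localtime so that PHP's date() works.
    if [ -d /usr/share/zoneinfo ] && [ ! -d "$root/usr/share/zoneinfo" ]; then
        cp -rp /usr/share/zoneinfo "$root/usr/share/" || return 1
    fi
    if [ -f /etc/localtime ]; then
        cp /etc/localtime "$root/etc/localtime" || return 1
    fi
    # Apache's own error pages and icons.
    if [ -d /usr/share/apache2 ] && [ ! -d "$root/usr/share/apache2" ]; then
        cp -rp /usr/share/apache2 "$root/usr/share/" || return 1
    fi
    return 0
}

# check_chroot_layout ROOT
# Returns 0 when the pieces Apache, PHP and MySQL need are in place, printing
# each problem found. Missing timezone or error-page files only produce a warning.
check_chroot_layout() {
    root=$1; bad=0
    if ! ls -ld "$root/tmp" 2>/dev/null | grep -q '^drwxrwxrwt'; then
        echo "$root/tmp: missing or not mode 1777"; bad=1
    fi
    [ -d "$root/var/run/mysqld" ] || { echo "$root/var/run/mysqld: missing"; bad=1; }
    if [ "$(readlink "$root/var/www" 2>/dev/null)" != "/" ]; then
        echo "$root/var/www: must be a symlink to /"; bad=1
    fi
    [ -d "$root/usr/share/zoneinfo" ] || echo "warning: no zoneinfo under $root, PHP date() will be off"
    [ -d "$root/usr/share/apache2" ] || echo "warning: no apache2 share dir under $root, error pages missing"
    return $bad
}

# Usage: sh thisscript.sh setup /var/www ; sh thisscript.sh check /var/www
case ${1:-} in
    setup) setup_chroot_layout "${2:-/var/www}" ;;
    check) check_chroot_layout "${2:-/var/www}" ;;
esac
```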

2. mod_security installation and configuration


sudo aptitude install libapache2-mod-security2

sudo cp /usr/share/doc/mod-security-common/examples/rules/modsecurity_crs_10_config.conf /etc/apache2/mods-available/mod-security.conf

sudo a2enmod mod-security

sudo apache2ctl stop

In /etc/apache2/mods-available/mod-security.conf, change the debug log and audit log paths (the SecDebugLog and SecAuditLog directives) to suitable locations, and add the following two lines:



sudo apache2ctl start

More rules are available in the /usr/share/doc/mod-security-common/examples/rules/ directory.

The Gentoo ebuild (http://gentoo-portage.com/www-apache/mod_security/ChangeLog) does the following:

if ! use vanilla; then
    mv "${D}"${APACHE_MODULES_CONFDIR}/mod_security/modsecurity_*{41_phpids,50_outbound}* \
        "${D}"${APACHE_MODULES_CONFDIR}/mod_security/optional_rules || die
fi

That is, the modsecurity_*41_phpids* and modsecurity_*50_outbound* rule files are moved out of the active set into optional_rules, because those rule sets cause trouble in a default setup and are better enabled deliberately.

In addition, http://www.gotroot.com/Tiki-index.php?page=mod_security+rules provides some rules.
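The ebuild's brace expansion is bash-specific; here is the same move written as portable sh for a Debian/Ubuntu rules directory, as an added example (not from the original post or the Gentoo ebuild). The function name and the rules directory are assumptions; the 41_phpids and 50_outbound name patterns are the ones the ebuild excludes.

```shell
#!/bin/sh
# Added example, not part of the original post: move the 41_phpids and
# 50_outbound CRS files into an optional_rules subdirectory, the way the Gentoo
# ebuild does, without relying on bash brace expansion.

# move_optional_rules RULES_DIR
# Moves the matching rule files out of RULES_DIR into RULES_DIR/optional_rules
# and prints how many files were moved. Safe to run more than once.
move_optional_rules() {
    dir=$1; n=0
    mkdir -p "$dir/optional_rules" || return 1
    for f in "$dir"/modsecurity_*41_phpids* "$dir"/modsecurity_*50_outbound*; do
        [ -e "$f" ] || continue            # an unmatched glob is left literal; skip it
        mv "$f" "$dir/optional_rules/" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Usage, assuming the rules were copied to /etc/apache2/modsecurity (an assumed path):
#   move_optional_rules /etc/apache2/modsecurity
```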

3. In addition, /var/www can be placed on a separate partition mounted with the noexec, nosuid and nodev options, and the MySQL AppArmor profile should be enabled; together these significantly improve security. Note that noexec only stops binaries dropped under /var/www from being executed directly (CGI scripts under /var/www will not run either); PHP code is still interpreted by the Apache process, so the mount options complement mod_security rather than replace it.
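A check for the mount options, as an added shell example that is not part of the original post. The functions read a mount table in /proc/mounts format from standard input, so they work on the live system and on a captured copy. Function names, the device name in the fstab comment and the sample mount table are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the filesystem
# holding /var/www is mounted noexec,nosuid,nodev.
#
# The matching /etc/fstab line would look like (device name is an assumption):
#   /dev/sda5  /var/www  ext3  defaults,noexec,nosuid,nodev  0  2

# mount_options MOUNTPOINT < mounts
# Prints the option field of the entry for MOUNTPOINT. The last matching entry
# wins, which is the one actually visible when something is mounted on top.
mount_options() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }'
}

# check_hardened_mount MOUNTPOINT < mounts
# Returns 0 when the entry carries noexec, nosuid and nodev; otherwise prints
# what is missing and returns 1. Not being a mount point at all also fails:
# /var/www as a plain directory on / inherits the executable options of /.
check_hardened_mount() {
    opts=$(mount_options "$1")
    if [ -z "$opts" ]; then
        echo "$1: not a mount point"; return 1
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$1: missing$missing"; return 1
    fi
    return 0
}

# Usage on the live system:
#   check_hardened_mount /var/www < /proc/mounts && echo "/var/www is hardened"
```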







Added later:

The key to the chroot is that /var/www/ and /var/www/var/www both exist, and that /var/www/var/www is a symlink pointing to /.

The Apache chroot sequence, as I understand it (please correct me if this is wrong), is:

1. First the other modules are initialised.
2. chroot to /var/www.
3. Change the current directory to /var/www (which at this point is really the /var/www/var/www directory).
4. When an HTTP request arrives, Apache uses the vhost configuration (if DocumentRoot is /, the pages actually live under /var/www/) to find /index.php (really /var/www/index.php).

There is also a diagnostic: look at /proc/PID/root and /proc/PID/cwd, where PID is the process ID of an Apache process. The first is Apache's root directory, the second its current directory. Then check Apache's access log.