How to secure a Linux web server


Building a LAMP server and getting it all nicely configured with reliable data handling, a domain, and a TLS certificate is only half the battle. You’ll also need to make sure your infrastructure is protected from the internet’s many frightening threats.


In this article — which was excerpted from chapter 9 of my Manning book, Linux in Action — I’ll explore website security through the proper use of system groups, process isolation, and regular audits of your system resources. It’s not the whole story (my Linux in Action book covers additional tools like installing TLS certificates and working with SELinux), but it’s a great start.


System groups and the principle of least privilege

The developers you support have (finally) come to realize that they need to restrict public access to the data and configuration files living on the application server while still allowing access to various dev and IT teams.


The first part of the solution is groups. A group is a system object — much the same as a user — except that no one will ever log in to the system as a group. The power of groups is in how they, like users, can be “assigned” to files or directories, allowing any group members to share the group powers. This is illustrated in the figure.


Try this yourself: use a text editor to create a new file. Add some “Hello world” text so you’ll be able to easily tell when you can successfully access it. Now edit its permissions using chmod 770 so that the file’s owner and group have full rights over the file, but others can’t even read it.


nano datafile.txt
chmod 770 datafile.txt

If your system doesn’t already have an extra user besides your account, create one using either adduser — the Debian/Ubuntu way — or useradd if you’re on CentOS. useradd will also work on Ubuntu.


The useradd command (as opposed to the Debian adduser) requires you to generate a user password separately:


# useradd otheruser
# passwd otheruser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Use su to switch to your new user. Once you enter the user’s password, all the commands you execute will be run as that user. You’ll be working with only that user’s authority: no more and no less. If you try reading the datafile.txt file (using cat), you’ll have no luck since, as you remember, others were denied read permission. When you’re done, type exit to leave the new user shell and return to your original shell.


$ su otheruser
Password:
$ cat /home/ubuntu/datafile.txt
cat: /home/ubuntu/datafile.txt: Permission denied
$ exit

All this is expected and easy to understand. And, as you’ve seen, not being able to read a file belonging to a different user can sometimes be a problem. Let’s see what we can do about it by associating the file with a group and then properly configuring the file’s permissions.


Create a new group you can use to manage your application data and then edit the properties of your data file using chown. The ubuntu:app-data-group argument leaves the file ownership in the hands of the ubuntu user, but changes its group to your new app-data-group.


groupadd app-data-group
chown ubuntu:app-data-group datafile.txt

Run ls with “long” output against the file to view its new permissions and status. Note that, as expected, ubuntu is the file’s owner and app-data-group is its group.


$ ls -l | grep datafile.txt
-rwxrwx--- 1 ubuntu app-data-group 6 Aug 9 22:43 datafile.txt

You can use usermod to add your user to the app-data-group group and then, once again, su to switch to a shell deploying the other user’s account. This time, even though the file’s permissions lock others out — and you’re definitely acting as an “other” user right now — you should be able to read it thanks to your group membership.


# usermod -aG app-data-group otheruser
$ su otheruser
$ cat datafile.txt
Hello World

Use su to switch between user accounts. These happened to be the contents of my datafile.txt file. This kind of organization is the correct and effective way to deal with many of the complicated permissions issues that will arise on a multi-user system.
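The chmod 770 pattern above only helps if it is applied consistently. The following script, an added example that is not code from Linux in Action, audits a directory tree for regular files that still grant "others" any read, write or execute bit, and then strips those bits. The function names, the temporary demo tree and the sample file contents are all constructed for this illustration; the script assumes GNU find (the Linux default) because it uses -perm /mode and -printf.

```shell
#!/bin/sh
# Find regular files under a directory that grant "others" any access, then
# remove those bits, mirroring the owner/group-only chmod 770 pattern.
# Added example, not from the book. Assumes GNU find (Linux).

# audit_others_access DIR
# Prints "relative-path octal-mode" for every regular file under DIR whose
# mode has any r/w/x bit set for "others".
audit_others_access() {
    find "$1" -type f -perm /o=rwx -printf '%P %m\n' | sort
}

# count_others_access DIR : number of offending files
count_others_access() {
    audit_others_access "$1" | wc -l | tr -d ' '
}

# fix_others_access DIR : remove read/write/execute for others on offenders
fix_others_access() {
    find "$1" -type f -perm /o=rwx -exec chmod o-rwx {} +
}

# Constructed demo tree in a temporary directory (not a real system's files).
demo_dir=$(mktemp -d)
printf 'Hello world\n' > "$demo_dir/datafile.txt"
chmod 770 "$demo_dir/datafile.txt"   # owner+group only: compliant
printf 'dbpass=example\n' > "$demo_dir/app.conf"
chmod 644 "$demo_dir/app.conf"       # world-readable: should be flagged
printf 'notes\n' > "$demo_dir/notes.txt"
chmod 600 "$demo_dir/notes.txt"      # owner only: compliant

echo "files readable by others before the fix:"
audit_others_access "$demo_dir"
```

Run it against your application's data directory (replace demo_dir) before enabling fix_others_access; review the audit output first, since some files, such as static web assets served by Apache, are meant to be world-readable.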


In fact, not only is it used to give individual users the access they need, but many system processes couldn’t do their jobs without special group memberships. Take a quick look through the /etc/group file and note how many system processes have their own groups.


A partial listing of the contents of the /etc/group file:


$ cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
[…]

Isolating processes within containers

Worried that the multiple services you’ve got running on a single server will, should one service be breached, all be at risk? One way to limit the damage that careless or malicious users can cause is by isolating system resources and processes. This way, even if someone might want to expand their reach beyond a set limit, they won’t have physical access.


The old approach to the problem was provisioning a separate physical machine for each service. But virtualization can make it a lot easier, and more affordable, to build a “siloed” infrastructure.


This architecture is often referred to as microservices and would have you launch multiple containers with one, perhaps, running only a database, another Apache, and a third containing media files that might be embedded in your web pages. Besides the many performance and efficiency benefits associated with microservice architectures, this can greatly reduce each individual component’s risk exposure.


By “containers” I don’t necessarily mean those of the LXC persuasion. These days, for this kind of deployment, Docker containers are far more popular. If you’re interested in learning more about Docker, check out my Pluralsight courses that touch on the topic.


Scanning for dangerous User ID values

While any admin user will be able to temporarily assume root authority using sudo, only root is actually root. As you’ve seen already, it isn’t safe to perform regular functions as root. But it can happen — whether by innocent accident or malicious tampering — that a regular user can effectively get admin rights full-time.


The good news is that it’s easy to spot imposters: their user and/or group ID numbers will, like root, be zero (0). Take a look at the passwd file in /etc/. This file contains a record for each regular and system user account that currently exists. The first field contains the account name (root and ubuntu in this case) and the second field might contain an x in place of a password (which, if it exists, will appear hashed in the /etc/shadow file). But the next two fields contain the user and group IDs. In the case of ubuntu in this example, both IDs are 1000. And, as you can see, root has zeroes.


$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[…]
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash

If you ever see a regular user with a user or group ID of 0, however, then you know there’s something nasty going on and you should get to work fixing it. The quick and easy way to spot a problem is to run this awk command against the passwd file, which will print out any line whose third field contains only a 0. In this case, to my great relief, the only result was root. You can run it a second time substituting $4 for $3 to pick up the group ID field.


$ awk -F: '($3 == "0") {print}' /etc/passwd
root:x:0:0:root:/root:/bin/bash
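The one-liner above has to be run twice, once for $3 and once for $4, and its output still has to be read by a human to confirm that only root appears. The script below is an added example, not from the book: it checks both the UID and GID fields in one pass and then filters out the legitimate root entry, so any remaining output is a finding worth investigating. The function names are my own, and the passwd file it reads is constructed for the demo (the root and ubuntu lines match the article; backup2 and svc are invented accounts with a 0 in the UID or GID field). Point it at /etc/passwd to audit a real host.

```shell
#!/bin/sh
# Scan a passwd-format file for accounts carrying UID 0 or GID 0.
# Added example, not from Linux in Action; generalizes the article's awk
# one-liner to check both the UID ($3) and GID ($4) fields at once.

# privileged_accounts PASSWD_FILE
# Prints "name uid gid" for every account whose UID or GID is 0.
privileged_accounts() {
    awk -F: '($3 == "0" || $4 == "0") {print $1, $3, $4}' "$1"
}

# rogue_accounts PASSWD_FILE
# Same as above but without the legitimate root entry: any line printed
# here is an account that should not have root-level IDs.
rogue_accounts() {
    privileged_accounts "$1" | awk '$1 != "root"'
}

# Constructed sample passwd file (not copied from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
backup2:x:0:1002::/home/backup2:/bin/bash
svc:x:1003:0::/var/lib/svc:/bin/sh
EOF

echo "accounts with UID 0 or GID 0 other than root:"
rogue_accounts "$sample"
```

In a scheduled audit you would run rogue_accounts /etc/passwd and alert whenever it prints anything at all; an empty result is the healthy state.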

Auditing system resources

The more things you’ve got running, the greater the odds of something breaking. So it makes sense that you’ll want to keep track of what’s running. This will apply to network ports (if they’re “open” then, by definition, there must be a way in), services (if they’re active, then people can run them), and installed software (if it’s installed, it can be executed).


For audits to be useful you’ll have to remember to run them once in a while. Since you just know you’re going to forget, you’ll be much better off incorporating your auditing tools into a script that not only executes regularly but, ideally, also parses the results to make them more readable.


Here, however, I’ll focus on introducing you to three key audit tools to help you scan for open ports, active services, and unnecessary software packages. Getting it automated will be your job.


Scanning for open ports

A port is considered “open” if there’s some process running on the host that’s listening on that port for requests. Keeping an eye on your open ports can keep you plugged into what’s really going on with your server.


You already know that a regular web server is probably going to have HTTP (80) and SSH (22) open, so it shouldn’t come as a surprise to come across those. But you’ll really want to focus on other unexpected results. netstat will display open ports along with a wealth of information about how they’re being used.


In this example run against a fairly typical multi-purpose server, -n tells netstat to include the numeric ports and addresses. -l includes only listening sockets, and -p adds the process ID of the listening program. Naturally, if you see something, do something.


# netstat -npl
Active Internet connections (only servers)
Proto Local Address Foreign Address State PID/Program name
tcp 127.0.0.1:3306 0.0.0.0:* LISTEN 403/mysqld
tcp 0.0.0.0:139 0.0.0.0:* LISTEN 270/smbd
tcp 0.0.0.0:22 0.0.0.0:* LISTEN 333/sshd 
tcp 0.0.0.0:445 0.0.0.0:* LISTEN 270/smbd
tcp6 :::80 :::* LISTEN 417/apache2 
[…]

In recent years, ss has begun to replace netstat for many uses. Just in case you find yourself at a party one day and someone asks you about ss, this example (which lists all established SSH connections) should give you enough information to save you from deep embarrassment:


$ ss -o state established '( dport = :ssh or sport = :ssh )'
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port 
tcp 0 0 10.0.3.1:39874 10.0.3.96:ssh 
timer:(keepalive,18min,0)
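The section above recommends wrapping your audit tools in a script that parses the results for you. As an added example, not code from the book, the script below takes netstat -npl style output on standard input, compares every LISTEN line against an allowlist of expected ports, and prints only the listeners that do not belong. The function name and the allowlist are my own choices, and the netstat output it parses is constructed to match the listing above (with the Recv-Q/Send-Q columns that real netstat prints), so it runs without network access; on a live server you would pipe the real netstat -npl output in instead.

```shell
#!/bin/sh
# Report listening TCP sockets whose port is not on an allowlist.
# Added example, not from Linux in Action. Reads netstat -npl style output
# from stdin so it can be run against a saved capture or a live command.

# unexpected_listeners "22 80 443" < netstat_output
# Prints "proto local_address pid/program" for every LISTEN line whose local
# port is not in the space-separated allowlist.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp6?$/ && /LISTEN/ {
            # the first field ending in :port is the local address
            for (i = 2; i <= NF; i++) if ($i ~ /:[0-9]+$/) { local = $i; break }
            port = local
            sub(/.*:/, "", port)          # keep only the part after the last colon
            if (!(port in ok)) print $1, local, $NF
        }'
}

# Constructed sample in the format netstat -npl prints (not a real capture).
sample_netstat='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 403/mysqld
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 270/smbd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 333/sshd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 270/smbd
tcp6 0 0 :::80 :::* LISTEN 417/apache2'

# audit_ports : runs the sample through the allowlist for a typical LAMP host
# (SSH, HTTP, HTTPS and the loopback-only MySQL port are expected).
audit_ports() {
    printf '%s\n' "$sample_netstat" | unexpected_listeners "22 80 443 3306"
}

echo "listeners not on the allowlist:"
audit_ports
```

With the sample above the script flags the two Samba listeners on 139 and 445, which a web server has no business exposing. To use it live, replace the printf with netstat -npl (or ss -lntp, adjusting the column parsing), keep the allowlist in version control next to the server's configuration, and treat any non-empty output from a scheduled run as something to act on.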

Scanning for active services

Getting a quick snapshot of the systemd-managed services currently enabled on your machine can help you spot activity that doesn’t belong. systemctl can list all existing services, which can then be narrowed down to only those results whose descriptions include enabled. This will return only active services.


# systemctl list-unit-files --type=service --state=enabled
autovt@.service                       enabled 
bind9.service                         enabled 
cron.service                          enabled 
dbus-org.freedesktop.thermald.service enabled 
docker.service                        enabled 
getty@.service                        enabled 
haveged.service                       enabled 
mysql.service                         enabled 
networking.service                    enabled 
resolvconf.service                    enabled 
rsyslog.service                       enabled 
ssh.service                           enabled 
sshd.service                          enabled
syslog.service                        enabled 
systemd-timesyncd.service             enabled 
thermald.service                      enabled 
unattended-upgrades.service           enabled 
ureadahead.service                    enabled

If you do find something that shouldn’t be there, you can use systemctl to both stop the service and make sure it doesn’t start up again with the next boot.


systemctl stop haveged
systemctl disable haveged

There’s actually nothing dark and sinister about the haveged service I’m stopping in this example: it’s a very small tool I often install to generate random background system activity when I’m creating encryption keys.


Searching for installed software

Could someone or something have installed software on your system without you knowing? Well, how would you know if you don’t look? yum list installed or, on Debian/Ubuntu, dpkg --list will give you the whole briefing, while remove <packagename> should delete any packages that don’t belong.


yum list installed
yum remove packageName

Here’s how it goes on Ubuntu:


dpkg --list
apt-get remove packageName

It’s also a good idea to be aware of changes to your system configuration files, which is something I cover in chapter 11.


This article is excerpted from my Manning “Linux in Action” book. There’s lots more fun where this came from, including a hybrid course called Linux in Motion that’s made up of more than two hours of video and around 40% of the text of Linux in Action. Who knows... You might also enjoy my recently published Learn Amazon Web Services in a Month of Lunches.


Translated from: https://www.freecodecamp.org/news/securing-your-linux-web-server/
