使用Jail和ipfilter结合构建高安全服务器
作者信息:
三轮车夫(★可乐∮,EasyPP,Easy2go)
MSN:easy2go@msn.com QQ:223480 Mail:postmaster@easy2go.org
版权声明:
本文档版权归三轮车夫(★可乐∮,EasyPP,Easy2go)所有!如需转载,请保留该声明,谢谢!
前言:
以前写过一份《使用jail构建安全的Vsftpd》的文章(见www.cnfug.org)!对jail的使用有了一个初步的了解!这篇文章应该是上一篇文章的姐妹篇吧!闲话少说!步入正题!
上一篇文章只是通过jail来chroot一个服务(vsftpd)以实现服务的安全管理!这篇文章着重点在jail一个独立的系统!构建的网络大体的拓扑结构如下!
具体实现方法:通过Jail做一个独立的系统,在该系统上面提供一些网络服务,然后在该FreeBSD系统上通过ipfilter构建一个防火墙,同时通过ipnat对jail的系统做相应的端口映射!
系统配置参数:
OS:FreeBSD 4.8 Stable
IP: fxp0 10.0.1.1 192.168.1.201
Dns:10.0.0.251
Defaultrouter:10.0.1.1
ifconfig显示的信息:
/**
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.1.1 netmask 0xff000000 broadcast 10.255.255.255
inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:00:e2:2d:8b:a5
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
**/
实现步骤:
一:建立jail环境:(安装系统的全部源代码)
mkdir –p /jail/Jail-A/
建立一个shell脚本jail.sh,内容如下:
D=/jail/Jail-A
cd /usr/src
mkdir -p $D
make world DESTDIR=$D
cd etc
make distribution DESTDIR=$D -DNO_MAKEDEV_RUN
cd $D/dev
sh MAKEDEV jail
cd $D
ln -sf dev/null kernel
编辑/etc/make.conf将一些不需要的东西去掉!(可以根据你具体情况进行设定)
CPUTYPE=i686
COPTFLAGS= -O –pipe
INSTALL=install –C
NO_CVS= true # do not build CVS
NO_BIND= true # do not build BIND
NO_FORTRAN= true # do not build g77 and related libraries
NO_I4B= true # do not build isdn4bsd package
NO_LPR= true # do not build lpr and related programs
NO_MAILWRAPPER=true # do not build the mailwrapper(8) MTA selector
NO_SENDMAIL= true # do not build sendmail and related programs
NO_SHAREDOCS= true # do not build the 4.4BSD legacy docs
NO_X= true # do not compile in XWindows support (e.g. doscmd)
NOGAMES= true # do not build games (games/ subdir)
NOINFO= true # do not make or install info files
NOLIBC_R= true # do not build libc_r (re-entrant version of libc)
NOMAN= true # do not build manual pages
NOUUCP= true # do not build uucp related programs
执行jail.sh,开始建立jail的基本环境
#sh jail.sh
执行完毕以后进行如下操作:
#ifconfig fxp0 alias 192.168.1.201 netmask 255.255.255.0
或者在/etc/rc.conf中加入:
ifconfig_fxp0_alias0="inet 192.168.1.201 netmask 255.255.255.0"
#mkdir –p /jail/Jail-A/stand
#cp /stand/sysinstall /jail/Jail-A/stand/
#touch /jail/Jail-A/etc/fstab
#vi /jail/Jail-A/etc/rc.conf 加入如下内容:
sendmail_enable=”NONE”
sshd_enable=”YES” //这个一定需要!可以远程进行管理
inetd_enable=”YES” //如果打开一定要添加下面一行
inetd_flags=”-wW –a 192.168.1.201” //这个修改成你jail的系统的地址!
syslogd_enable=”YES”
syslogd_flags=”-ss”
开始配置jail的系统:
#jail /jail/Jail-A/ powerbsd.org 192.168.1.201 /bin/csh
如果没有任何错误,执行:
#passwd root 修改root密码
#/stand/sysinstall ->Configure->
选择: Time Zone 设置时区
选择: Networking 配置网络的一些信息
选择User Management 建立一个wheel组的帐号
选择: Startup 配置需要的一些服务
退出,编辑/jail/Jail-A/etc/rc.conf去掉一些无用的信息!
可以参照如上的一些信息!
测试启动jail的系统:
#jail /jail/Jail-A/ powerbsd.org 192.168.1.201 /bin/sh /etc/rc
如下是我机器上面启动jail的信息!
/**
#jail /jail/Jail-A/ powerbsd.org 192.168.1.201 /bin/sh /etc/rc
Skipping disk checks ...
adjkerntz[662]: sysctl(set_disrtcset): Operation not permitted
Doing initial network setup:.
ifconfig: ioctl (SIOCDIFADDR): permission denied
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
Additional routing options: TCP keepalive=YESsysctl: net.inet.tcp.always_keepalive: Operation not permitted
.Routing daemons:.
Additional daemons: syslogd.
Doing additional network setup:.
Starting final network daemons:.
ELF ldconfig path: /usr/lib /usr/lib/compat
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Starting standard daemons: inetd cron sshd.
Initial rc.i386 initialization:.
Additional ABI support:.
Local package initialization:.
Additional TCP options:.
2003年 7月14日 星期一 16时26分43秒 ICT
**/
现在你可以通过ssh登陆到jail的系统了!为了测试方便,我通过inetd.conf提供了ftp和telnet的服务!
下面是我通过ssh登陆到jail系统上面的一些信息:
/**
powerbsd# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
powerbsd# uname -a
FreeBSD powerbsd.org 4.8-STABLE FreeBSD 4.8-STABLE #1: Mon Jul 14 14:27:53 CST 2003 root@powerbsd.org:/usr/src/sys/compile/PowerBSD i386
powerbsd# ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:00:e2:2d:8b:a5
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
powerbsd# ps auxww
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 748 0.0 0.1 400 252 p1 R+J 4:30PM 0:00.00 ps auxww
root 709 0.0 0.3 1092 788 ?? IsJ 4:26PM 0:00.00 /usr/sbin/inetd -wW -a 192.168.1.201
root 711 0.0 0.3 1032 764 ?? SsJ 4:26PM 0:00.00 /usr/sbin/cron
root 713 0.0 0.8 2632 2080 ?? IsJ 4:26PM 0:00.12 /usr/sbin/sshd
root 727 0.0 0.9 5332 2296 ?? IJ 4:27PM 0:00.03 sshd: PowerBSD [priv] (sshd)
PowerBSD 729 0.0 0.9 5332 2352 ?? SJ 4:27PM 0:00.03 sshd: PowerBSD@ttyp1 (sshd)
PowerBSD 730 0.0 0.4 1364 972 p1 IsJ 4:27PM 0:00.01 -csh (csh)
root 732 0.0 0.4 1368 972 p1 SJ 4:27PM 0:00.02 -su (csh)
root 702 0.0 0.3 992 664 ?? SsJ 4:26PM 0:00.00 /usr/sbin/syslogd -ss
powerbsd#
**/
到现在为止,jail的基本系统已经配置完毕!
现在开始配置ipfilter,来实现端口的映射!
二.配置FreeBSD的ipfiter和ipnat
#cd /sys/i386/conf
#cp GENERIC PowerBSD
在PowerBSD这个核心配置文件中加入:
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
#config PowerBSD
#cd ../../compile/PowerBSD/
#make depend;make;make install
vi /etc/rc.conf 在改文件中添加如下参数:
ipfilter_enable="YES" //ipfilter
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES" //ipnat
ipnat_program="/sbin/ipnat -CF"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES" //ipfilter log
ipmon_program="/sbin/ipmon"
ipmon_flags="-Ds"
建立ipfilter需要的文件:
touch /etc/ipf.rules
//因本篇文章重点不在ipfiter防火墙的建立,具体的信息可以参照/usr/share/example/ipfilter/中的文档
touch /etc/ipnat.rules
touch /var/log/ipflog
vi /etc/ipf.rules(如下规则是我测试的规则,不是很完善!具体请参照ipfilter的文档)
pass out on fxp0 all
pass in on fxp0 all
pass out quick on lo0 all
pass in quick on lo0 all
block in proto icmp from any to 10.0.1.1
pass in quick on fxp0 proto tcp from any to any port = 22 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = 23 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass out quick on fxp0 proto udp from any to any port = 53
block in log quick on fxp0 proto tcp form any to any port = 3306
block in quick all
vi /etc/ipnat.rules 添加nat的规则
rdr fxp0 10.0.1.1/32 port 21 -> 192.168.1.201 port 21
rdr fxp0 10.0.1.1/32 port 23 -> 192.168.1.201 port 23
rdr fxp0 10.0.1.1/32 port 80 -> 192.168.1.201 port 80
vi /etc/rc.local 在该文件中添加启动jail的代码
jail /jail/Jail-A/ powerbsd.org 192.168.1.201 /bin/sh /etc/rc
注意不要忘记在/etc/rc.conf中添加:
ifconfig_fxp0_alias0="inet 192.168.1.201 netmask 255.255.255.0"
三.最后重新启动你的系统,进行测试:
telnet 10.0.1.1
ftp –A 10.0.1.1
如果成功,一切OK!
总结:
以上通过ipfilter的nat功能,结合jail强大的功能,可以构建非常安全的服务器系统!但是具体服务在jail下面执行的效率怎么样?我没有具体进行测试!希望测试过的朋友多多指点!如上只是记录我的一个测试过
