
Tuesday, January 11, 2011

Secure Apache Web Server

1. Secure Apache Web Server

    To secure the Apache Web Server, in addition to the usual access controls and the security-related settings in Apache's configuration file 『/etc/httpd/conf/httpd.conf』, you can also use the Firewall and SELinux to strengthen the server's security.


2. Firewall


    First confirm that the Firewall already allows WWW (HTTP, port 80) and Secure WWW (HTTPS, port 443).

    In the GUI run [System]-->[Security Level and Firewall], or in the TUI run the 『system-config-securitylevel』 command to start 『Security Level Configuration』.





    Confirm or open the firewall rules for WWW (HTTP, port 80) and Secure WWW (HTTPS, port 443).

    You can also run the 『iptables -L』 command in the TUI to view the firewall rules.
[root@lab2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere


Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere


Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@lab2 ~]#

    Confirm that the following two firewall rules are present in the rule list.
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
3. Confirm the current SELinux mode

  Next, confirm that the current operating mode of SELinux is 『Enforcing』.


 In the GUI run [System]-->[Security Level and Firewall], or in the TUI run the 『system-config-securitylevel』 command to start 『Security Level Configuration』, and view the current SELinux mode.

 Confirm that the SELinux mode is 『Enforcing』.


    Or run the 『getenforce』 command in the TUI to view the SELinux mode setting.
[root@lab2 ~]# getenforce
Enforcing
4. Security contexts of the main Apache Web Server directories and files



    Use 『ls -dZ』 to view the security contexts of the directories 『/etc/httpd/』, 『/etc/httpd/conf/』, 『/etc/httpd/conf.d/』 and 『/var/www/html/』.
[root@lab2 ~]# ls -dZ /etc/httpd/ /etc/httpd/conf/ /etc/httpd/conf.d/ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_config_t /etc/httpd/
drwxr-xr-x root root system_u:object_r:httpd_config_t /etc/httpd/conf/
drwxr-xr-x root root system_u:object_r:httpd_config_t /etc/httpd/conf.d/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www/html/
    Summarised in the table below:
    Directory Name       Identity    Role        Type
    /etc/httpd           system_u    object_r    httpd_config_t
    /etc/httpd/conf      system_u    object_r    httpd_config_t
    /etc/httpd/conf.d/   system_u    object_r    httpd_config_t
    /var/www/html        system_u    object_r    httpd_sys_content_t

    First create 『index.html』 in the 『/var/www/html』 directory.
[root@lab2 ~]# touch /var/www/html/index.html

    Use 『ls -lZ』 to view the security contexts of the files 『/etc/httpd/conf/httpd.conf』 and 『/var/www/html/index.html』.
[root@lab2 ~]# ls -Z /etc/httpd/conf/httpd.conf /var/www/html/index.html
-rw-r--r-- root root system_u:object_r:httpd_config_t /etc/httpd/conf/httpd.conf
-rw-r--r-- root root user_u:object_r:httpd_sys_content_t /var/www/html/index.html
    Summarised in the table below:
    File Name                     Identity    Role        Type
    /etc/httpd/conf/httpd.conf    system_u    object_r    httpd_config_t
    /var/www/html/index.html      user_u      object_r    httpd_sys_content_t
5. How to fix incorrectly set security contexts


    When incorrectly set security contexts prevent a configuration file or web page from being accessed, you can use 『chcon』 and 『restorecon』 to fix them.


7. Fixing incorrect security contexts on a user's personal web directory and personal web page files


    a. Modify the following directives in 「/etc/httpd/conf/httpd.conf」 and restart httpd
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
#UserDir disable
    (add a leading '#' to comment this line out)
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
#UserDir public_html
UserDir html
    (remove the leading '#' and set the name of the user's personal web directory)
</IfModule>


    b. Create the personal web directory
[max@lab2 ~]$ mkdir html

    c. Create the personal web page
[max@lab2 ~]$ touch html/index.html
[max@lab2 ~]$ echo "Privat Test Page" >> html/index.html

    d. View the personal web page

    An error appears saying there is no permission to view it


    e. Check the permissions of the personal web directory

[max@lab2 ~]$ ls -ld html/
drwxrwxr-- 2 max max 4096 Jan 11 03:48 html/
[max@lab2 ~]$ ls -l html/index.html
-rw-rw-r-- 1 max max 17 Jan 11 03:49 html/index.html

    The 『other』 class has no 『x』 permission on the personal web directory, so the personal web page cannot be accessed.

    f. Add the 『x』 permission for 『other』 on the home directory and the personal web directory
[max@lab2 ~]$ ls -ld ~/ ~/html
drwx------ 19 max max 4096 Jan 11 03:47 /home/max/
drwxrwxr-- 2 max max 4096 Jan 11 03:48 /home/max/html
[max@lab2 ~]$ chmod o+x ~/ ~/html
[max@lab2 ~]$ ls -ld ~/ ~/html
drwx-----x 19 max max 4096 Jan 11 03:47 /home/max/
drwxrwxr-x 2 max max 4096 Jan 11 03:48 /home/max/html
    But the no-access-permission error still appears



    g. Check the security context settings of the personal web directory and personal web page
[max@lab2 ~]$ ls -dZ html/
drwxrwxr-x max max user_u:object_r:user_home_t html/
[max@lab2 ~]$ ls -Z html/index.html
-rw-rw-r-- max max user_u:object_r:user_home_t html/index.html

h. Fix the security context settings of the personal web directory and personal web page
[max@lab2 ~]$ chcon -R --reference=/var/www/html/ ~/html/
[max@lab2 ~]$ ls -dZ html/
drwxrwxr-x max max system_u:object_r:httpd_sys_content_t html/
[max@lab2 ~]$ ls -Z html/index.html
-rw-rw-r-- max max system_u:object_r:httpd_sys_content_t html/index.html

i. Now the personal web page can be seen
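The checks that steps e-h above performed by hand, combined into one shell audit. This is an added example, not code from the original post; it assumes the directory name html from the httpd.conf excerpt and the "mode user group context name" field order of the `ls -ldZ` output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audits in one pass the DAC bits
# and the SELinux type that steps e-h above fixed by hand for a ~user/ page.
# Assumptions: UserDir name "html" and the ls -ldZ field order shown above.

# other_has_x MODE -> 0 when "other" can search a directory (x or sticky t)
other_has_x() {
  case "$1" in ?????????[xt]) return 0 ;; *) return 1 ;; esac
}
# other_has_r MODE -> 0 when "other" can read a file
other_has_r() {
  case "$1" in ???????r??) return 0 ;; *) return 1 ;; esac
}
# httpd_serves_type TYPE -> 0 when httpd may read content of this type
# (httpd_user_content_t is the policy's type for user web content; the post
# copies httpd_sys_content_t from /var/www/html instead, which also works)
httpd_serves_type() {
  case "$1" in httpd_sys_content_t|httpd_user_content_t) return 0 ;; *) return 1 ;; esac
}
# audit_ls_line "LS -ldZ LINE" -> prints one finding per problem and returns
# 0 only when both the permission bits and the SELinux type allow access
audit_ls_line() {
  set -- $1                                   # split the line on whitespace
  mode=$1 ctx=$4 name=$5
  setype=$(printf '%s' "$ctx" | cut -d: -f3)  # user:role:type[:level]
  ok=0
  case "$mode" in
    d*) other_has_x "$mode" || { echo "$name: other lacks x (chmod o+x)"; ok=1; } ;;
    *)  other_has_r "$mode" || { echo "$name: other lacks r (chmod o+r)"; ok=1; } ;;
  esac
  httpd_serves_type "$setype" ||
    { echo "$name: type $setype is not readable by httpd (chcon/restorecon)"; ok=1; }
  return $ok
}
# audit_userdir /home/USER -> runs the audit on a live system (not run here).
# The home directory itself keeps its own type (step f only needed o+x),
# and httpd must also have the httpd_enable_homedirs boolean switched on.
audit_userdir() {
  home=$1
  set -- $(ls -ld "$home")
  other_has_x "$1" || echo "$home: other lacks x (chmod o+x)"
  for p in "$home/html" "$home/html/index.html"; do
    audit_ls_line "$(ls -ldZ "$p")" || true
  done
}
# Constructed from the post's own ls -Z output before and after the fix
audit_ls_line "drwxrwxr-- max max user_u:object_r:user_home_t html/" || true
audit_ls_line "drwxrwxr-x max max system_u:object_r:httpd_sys_content_t html/" && echo "html/: ok"
```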


Thursday, December 9, 2010

Experiment on creating multiple accounts at once and Disk Quota limits (4)

  • LAB C :


    7. Enable Disk Quota limits on /dev/hda5
    8. Apply Disk Quota limits to the two user accounts user1 and user2.
    9. /dev/hda5: soft limit 20MB, hard limit 30 MB.
    10. The home-directory Disk Quota limits of the two user accounts user1 and user2 are as follows: soft limit 10MB, hard limit 20 MB.
  • Steps :


    STEP 1. Add the usrquota and grpquota mount options to the filesystem that contains /home
    [root@lab-2 /]# mount -o remount,usrquota,grpquota /
    [root@lab-2 /]# mount | grep hdb2
    /dev/hdb2 on / type ext3 (rw,usrquota,grpquota)

STEP 2. Create the quota database
[root@lab-2 ~]# quotacheck -ugvm /
quotacheck: Scanning /dev/hdb2 [/] done
quotacheck: Checked 15168 directories and 137285 files
[root@lab-2 ~]# quotacheck -ugvm /media/hdb5/
quotacheck: Scanning /dev/hdb5 [/media/hdb5] done
quotacheck: Checked 3 directories and 4 files
[root@lab-2 ~]#

          ※  On the first run, because neither / nor /media/hdb5 contains the quota database files aquota.user
                 and aquota.group, error messages appear, and then the system creates the quota database files automatically
[root@lab-2 ~]# quotacheck -ugvm /
quotacheck: Scanning /dev/hdb2 [/] done
quotacheck: Checked 15168 directories and 137285 files
[root@lab-2 ~]# quotacheck -ugvm /
quotacheck: Scanning /dev/hdb2 [/] quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
done
quotacheck: Checked 15168 directories and 137283 files
quotacheck: Old file not found.
quotacheck: Old file not found.
[root@lab-2 ~]# quotacheck -ugvm /media/hdb5/
quotacheck: Scanning /dev/hdb5 [/media/hdb5] quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
done
quotacheck: Checked 3 directories and 2 files
quotacheck: Old file not found.
quotacheck: Old file not found.
[root@lab-2 ~]# ls -l /aquota.* /media/hdb5/aquota.*
-rw------- 1 root root 8192 Dec 9 01:39 /aquota.group
-rw------- 1 root root 11264 Dec 9 01:39 /aquota.user
-rw------- 1 root root 6144 Dec 9 01:39 /media/hdb5/aquota.group
-rw------- 1 root root 6144 Dec 9 01:39 /media/hdb5/aquota.user

STEP 3. Turn on Disk Quota

[root@lab-2 ~]# quotaon / /media/hdb5

STEP 4. Set the Disk Quota limits for user1 and user2
[root@lab-2 /]# edquota -u user1
Disk quotas for user user1 (uid 506):
Filesystem blocks soft hard inodes soft hard
/dev/hdb2 76 10240 20480 10 0 0
/dev/hdb5 0 30720 40960 0 0 0
[root@lab-2 /]# edquota -u user2
Disk quotas for user user2 (uid 507):
Filesystem blocks soft hard inodes soft hard
/dev/hdb2 76 10240 20480 10 0 0
/dev/hdb5 0 30720 40960 0 0 0


STEP 5. Change the permissions of the /media/hdb5 directory so that user1 and user2 can create files, and confirm the home directory permissions of user1 and user2
[root@lab-2 ~]# ls -ld /media/hdb5/
drwxr-xr-x 3 root root 1024 Dec 9 01:39 /media/hdb5/
[root@lab-2 ~]# chmod o+w /media/hdb5/
[root@lab-2 ~]# ls -ld /media/hdb5/
drwxr-xrwx 3 root root 1024 Dec 9 01:39 /media/hdb5/
[root@lab-2 /]# ls -ld /home/user1
drwx------ 3 user1 labuser 4096 Dec 6 14:40 /home/user1
[root@lab-2 /]# ls -ld /home/user2
drwx------ 3 user2 labuser 4096 Dec 6 14:39 /home/user2

STEP 6. Test whether user1's Disk Quota limit takes effect
[user1@lab-2 ~]$ dd if=/dev/zero of=file-1 bs=1M count=11
hdb2: warning, user block quota exceeded.
11+0 records in
11+0 records out
11534336 bytes (12 MB) copied, 0.0448105 seconds, 257 MB/s
[user1@lab-2 ~]$ dd if=/dev/zero of=file-2 bs=1M count=11
hdb2: write failed, user block limit reached.
dd: writing `file-2': Disk quota exceeded
9+0 records in
8+0 records out
9318400 bytes (9.3 MB) copied, 0.0372815 seconds, 250 MB/s

[user1@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user1-1 bs=1M count=21
21+0 records in
21+0 records out
22020096 bytes (22 MB) copied, 0.156971 seconds, 140 MB/s
[user1@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user1-2 bs=1M count=11
hdb5: warning, user block quota exceeded.
11+0 records in
11+0 records out
11534336 bytes (12 MB) copied, 0.0659443 seconds, 175 MB/s
[user1@lab-2 ~]$ quota
Disk quotas for user user1 (uid 506):
Filesystem blocks quota limit grace files quota limit grace
/dev/hdb2 20480* 10240 20480 12 0 0
/dev/hdb5 32900* 30720 40960 7days 2 0 0

STEP 7. Test whether user2's Disk Quota limit takes effect
[user2@lab-2 ~]$ dd if=/dev/zero of=file-1 bs=1M count=11
hdb2: warning, user block quota exceeded.
11+0 records in
11+0 records out
11534336 bytes (12 MB) copied, 0.0328104 seconds, 352 MB/s
[user2@lab-2 ~]$ dd if=/dev/zero of=file-2 bs=1M count=11
hdb2: write failed, user block limit reached.
dd: writing `file-2': Disk quota exceeded
9+0 records in
8+0 records out
9318400 bytes (9.3 MB) copied, 0.0291954 seconds, 319 MB/s
[user2@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user2-1 bs=1M count=21
21+0 records in
21+0 records out
22020096 bytes (22 MB) copied, 0.101413 seconds, 217 MB/s
[user2@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user2-2 bs=1M count=11
hdb5: warning, user block quota exceeded.
11+0 records in
11+0 records out
11534336 bytes (12 MB) copied, 0.0535639 seconds, 215 MB/s
[user2@lab-2 ~]$ dd if=/dev/zero of=/media/hdb5/file-user2-3 bs=1M count=11
hdb5: write failed, user block limit reached.
hdb5: write failed, user block limit reached.
dd: writing `/media/hdb5/file-user2-3': Disk quota exceeded
8+0 records in
7+0 records out
8216576 bytes (8.2 MB) copied, 0.0546072 seconds, 150 MB/s
[user2@lab-2 ~]$ quota
Disk quotas for user user2 (uid 507):
Filesystem blocks quota limit grace files quota limit grace
/dev/hdb2 20480* 10240 20480 12 0 0
/dev/hdb5 40958* 30720 40960 6days 3 0 0
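A scripted counterpart to STEP 4 and STEPs 6-7, added here as an example rather than taken from the original post: it converts the lab's MB figures into the 1 KiB blocks that edquota works in, applies them with setquota (assumed to be installed with quota-tools), and classifies lines of `quota` output such as the ones above.

```shell
#!/bin/sh
# Added example (not from the original post): scripted versions of STEP 4
# (limits typed into edquota) and STEP 6/7 (reading `quota` output).
# Assumes setquota(8) from quota-tools; the MB figures are the lab's own.

# mb_to_blocks MB -> the 1 KiB block count that edquota/setquota use
mb_to_blocks() { echo $(( $1 * 1024 )); }

# set_user_quota USER SOFT_MB HARD_MB FILESYSTEM -> block limits only;
# inode limits stay 0 (unlimited), matching the post's edquota screens
set_user_quota() {
  setquota -u "$1" "$(mb_to_blocks "$2")" "$(mb_to_blocks "$3")" 0 0 "$4"
}

# quota_state "QUOTA LINE" -> ok|soft|hard for one filesystem line such as
# "/dev/hdb5 32900* 30720 40960 7days 2 0 0"; the '*' after the block count
# is quota(1)'s over-soft marker and the grace column appears only then.
# A limit of 0 means "no limit".
quota_state() {
  set -- $1
  used=${2%\*} soft=$3 hard=$4
  if [ "$hard" -gt 0 ] && [ "$used" -ge "$hard" ]; then echo hard
  elif [ "$soft" -gt 0 ] && [ "$used" -gt "$soft" ]; then echo soft
  else echo ok
  fi
}

# headroom_kb "QUOTA LINE" -> KiB left before the hard limit; explains why
# user2's 1 MiB write above failed at 40958 blocks although 40960 was not hit
headroom_kb() {
  set -- $1
  used=${2%\*} hard=$4
  if [ "$hard" -gt 0 ]; then echo $(( hard - used )); else echo unlimited; fi
}

# report_user USER -> classifies every filesystem line of the live output
report_user() {
  quota -u "$1" | while read -r line; do
    case $line in
      /dev/*) echo "${line%% *}: $(quota_state "$line"), $(headroom_kb "$line") KiB left" ;;
    esac
  done
}

# Constructed from the post's STEP 6/7 output
for line in '/dev/hdb2 20480* 10240 20480 12 0 0' \
            '/dev/hdb5 40958* 30720 40960 6days 3 0 0'; do
  echo "${line%% *}: $(quota_state "$line"), $(headroom_kb "$line") KiB before hard limit"
done
```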