Tuesday, January 31, 2012

Hardening LAMP stack (part 1)

This article begins series of posts which are meant to create very SECURE but also easy to manage web server on Linux box. I start from default Debian 6.0 Stable installation and move on configuring various parts of the system.

We start from:


# compile apache2
  ./configure --prefix=/usr/local/apache --disable-userdir --disable-include
 make install

# prepare new root environment for apache
  mkdir -p /srv/chroot/apache/

# create /usr/local directory in new environment
  mkdir -p /srv/chroot/apache/usr/local

# move built and installed apache to new environment
  mv /usr/local/apache /srv/chroot/apache/usr/local

# link it under old installation directory for easy updates
  ln -s /srv/chroot/apache/usr/local/apache /usr/local/apache

# stisfy all apache's library dependencies by copying it to new /lib directory
  mkdir -p /srv/chroot/apache/lib
 ldd /chroot/apache/usr/local/apache/bin/httpd
 (copy it to new /lib)

# copy strace (and it's dependencies) for debug purposes (remove it in production)
  mkdir -p /srv/chroot/apache/bin
 cp `which strace` /srv/chroot/apache/bin
 ldd `which strace`
 (copy it to new /lib)

# first launch (with strace), probably something will be missing
 chroot /srv/chroot/apache /bin/strace /usr/local/apache/bin/httpd

# name resolution
  mkdir -p /srv/chroot/apache/etc
 cp /etc/nsswitch.conf /srv/chroot/apache/etc/  #make sure that access to passwd is set to 'files'
 cp /lib/libnss_files.so.2 /srv/chroot/apache/lib

# dns name resolution
  cp /lib/libnss_dns.so.2 /srv/chroot/apache/lib
 cp /etc/hosts /srv/chroot/apache/etc
 cp /etc/resolv.conf /srv/chroot/apache/etc

# create special devices which apache uses
  mkdir /srv/chroot/apache/dev
 mknod -m 666 /srv/chroot/apache/dev/null c 1 3
 mknod -m 666 /chroot/apache/dev/zero c 1 5
 mknod -m 644 /chroot/apache/dev/random c 1 8

# create /tmp directory
  mkdir /srv/chroot/apache/tmp
 chmod +t /srv/chroot/apache/tmp
 chmod 777 /srv/chroot/apache/tmp

# create /etc/passwd & /etc/group files
  echo "www-data:x:33:33:Apache:/:/sbin/nologin" > /srv/chroot/apache/etc/passwd
 echo "www-data:x:33:" > /srv/chroot/apache/etc/group

# prepare /var directory in new environment (in jail) for test-site
  mkdir -p /srv/chroot/apache/var/www
 cd /srv/chroot/apache/var/www
 mkdir -p test-site/bin
 mkdir -p test-site/cgi-bin
 mkdir -p test-site/data
 mkdir -p test-site/htdocs
 mkdir -p test-site/logs

# link it for easier updates of future web applications
 ln -s /srv/chroot/apache/var/www /var/www

# second launch, now it should start, if not, use strace to find out why
 chroot /srv/chroot/apache /usr/local/apache/bin/httpd


# proper files & directories privilages
  chown -R root:root /usr/local/apache
 find /srv/chroot/apache/usr/local/apache -type d | xargs chmod 755
 find /srv/chroot/apache/usr/local/apache -type d | xargs chmod g-s
 find /srv/chroot/apache/usr/local/apache -type f | xargs chmod 644
 find /srv/chroot/apache/usr/local/apache/bin -type f | xargs chmod 744

# configuration and logs can be read only by root
  chmod -R go-r /srv/chroot/apache/usr/local/apache/conf
 chmod -R go-r /srv/chroot/apache/var/www/site-test/logs