Hardening Tomcat by running it in a chroot

post by rocdk890 / 2015-4-22 17:46 Wednesday  Linux techniques
Today a friend told me that a server for his project was sending outbound packets and asked me to check it. I got the ssh account and password, logged in, and found it was Tomcat. Tomcat's bin folder contained several files that did not belong there, and looking at the process list, the intruder had even planted things under /etc on the server, as hidden files. I deleted them and then reconfigured the iptables rules. Finally I told him to check his own application for abnormal code and files. This is obviously a typical case of failed Tomcat security configuration; I won't go into the specifics here. Today's topic is running Tomcat inside a chroot, and I won't repeat the benefits of chroot either. Let's look at how to set up chroot + Tomcat.
System: CentOS 5.x (64-bit)
Packages needed:
server-jre-7u51-linux-x64.tar.gz
apache-tomcat-7.0.61.tar.gz
1. Set up Java
tar zxf server-jre-7u51-linux-x64.tar.gz
mkdir -p /usr/java/
cp -a jdk1.7.0_51 /usr/java/
/usr/java/jdk1.7.0_51/bin/java -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

2. Set up the chroot environment
mkdir -p /chroot && cd /chroot/
mkdir -p lib lib64 etc tmp dev usr
chmod 755 etc dev usr
chmod 1777 tmp
cp -a /etc/{hosts,resolv.conf,nsswitch.conf} /chroot/etc/
mkdir -p /chroot/dev/pts
cd /dev/
./MAKEDEV -d /chroot/dev null radom urandom zero loop* log console
(ps: this step reports don't know how to make device "radom"; I ignored it and carried on. The message is caused by the typo "radom" for "random", so that one device is simply not created by this command.)
cp MAKEDEV /chroot/dev
cp -a /dev/shm /chroot/dev

3. Copy Java into the chroot environment
cd /chroot/
mkdir -p bin
cp /bin/bash /chroot/bin/
cp /bin/sh /chroot/bin/
cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /chroot/lib64
cp /bin/uname bin/
mkdir usr/bin
cp /usr/bin/dirname usr/bin

cp -a /etc/{hosts,resolv.conf,nsswitch.conf} etc/
cp -p /lib64/libresolv.so.2 lib64/  
cp -p /lib64/libnss_dns.so.2 lib64/  
cp -p /lib64/libnss_files.so.2 lib64/

cp -p /lib64/librt.so.1 lib64/
cp /usr/bin/tty usr/bin/  
cp /bin/touch bin/

mkdir -p usr/java/
cp -a /usr/java/jdk1.7.0_51 usr/java/

Find and copy the libraries Java depends on:
ldd /usr/java/jdk1.7.0_51/bin/java
    linux-vdso.so.1 =>  (0x00007fff4f9fd000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00000038ed200000)
    libjli.so => /usr/java/jdk1.7.0_51/bin/../lib/amd64/jli/libjli.so (0x00002b875e483000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00000038ec600000)
    libc.so.6 => /lib64/libc.so.6 (0x00000038ec200000)
    /lib64/ld-linux-x86-64.so.2 (0x00000038ebe00000)

Copy the four /lib64 libraries listed above; two more libraries that the JVM needs must also be copied:
cp /lib64/{libpthread.so.0,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} lib64/
cp -p /lib64/libm.so.6 lib64/
cp -p /lib64/libnsl.so.1 lib64/
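The step above is one instance of a general procedure: run ldd on a binary, then copy every library it names into the chroot under the same path. The script below is an added example, not code from the original post. It assumes the chroot root is passed as an argument (the post uses /chroot); parse_ldd, copy_into_chroot and install_deps are names chosen here, and the embedded ldd sample is the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): copy a binary's shared-library
# dependencies into a chroot, generalising the manual ldd-and-cp step above.
# Assumed: the chroot root is the first argument (e.g. /chroot); only ldd,
# awk, cp and mkdir are used.

# parse_ldd: read ldd output on stdin, print one absolute library path per line.
# ldd prints three kinds of line; only the first two name a real file:
#   libc.so.6 => /lib64/libc.so.6 (0x...)   -> /lib64/libc.so.6
#   /lib64/ld-linux-x86-64.so.2 (0x...)     -> /lib64/ld-linux-x86-64.so.2
#   linux-vdso.so.1 =>  (0x...)             -> skipped (provided by the kernel)
parse_ldd() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# copy_into_chroot ROOT FILE...: copy each FILE to ROOT/FILE, creating the
# parent directory and keeping mode and timestamps (cp -p, as the post does).
copy_into_chroot() {
    root=$1; shift
    for f in "$@"; do
        mkdir -p "$root$(dirname "$f")" || return 1
        cp -p "$f" "$root$f" || return 1
    done
}

# install_deps ROOT BINARY: the whole step the post performs by hand for java.
# A library that lives inside a tree already copied with cp -a (here the JDK's
# own libjli.so) is copied again to the same place, which is harmless.
install_deps() {
    root=$1; bin=$2
    libs=$(ldd "$bin" | parse_ldd)
    [ -n "$libs" ] || { echo "no dynamic dependencies found for $bin" >&2; return 1; }
    copy_into_chroot "$root" $libs   # unquoted on purpose: one path per line, no spaces
}

# Constructed sample: the ldd output shown above for the JDK's java binary.
SAMPLE_LDD='linux-vdso.so.1 =>  (0x00007fff4f9fd000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00000038ed200000)
libjli.so => /usr/java/jdk1.7.0_51/bin/../lib/amd64/jli/libjli.so (0x00002b875e483000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000038ec600000)
libc.so.6 => /lib64/libc.so.6 (0x00000038ec200000)
/lib64/ld-linux-x86-64.so.2 (0x00000038ebe00000)'

# demo_parse: what parse_ldd extracts from the sample (needs no root).
demo_parse() {
    printf '%s\n' "$SAMPLE_LDD" | parse_ldd
}

# Usage: sh copy_deps.sh /chroot /usr/java/jdk1.7.0_51/bin/java
if [ "$#" -eq 2 ]; then
    install_deps "$1" "$2"
fi
```

Run it once per binary you place in the chroot (java, bash, uname, tty and so on), and re-run it after a JDK or glibc update on the host, because the copies in the chroot are not updated by the package manager.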

4. Mount /proc
mkdir /chroot/proc
mount -t proc proc /chroot/proc
chroot /chroot /usr/java/jdk1.7.0_51/bin/java -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

Of course you can also enter the chroot and test there:
chroot /chroot
bash-3.2# /usr/java/jdk1.7.0_51/bin/java -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

5. Put Tomcat into the chroot environment
cd /root/install/ && mkdir /chroot/usr/local && tar zxf apache-tomcat-7.0.61.tar.gz -C /chroot/usr/local/
mv /chroot/usr/local/apache-tomcat-7.0.61 /chroot/usr/local/tomcat
chmod 755 /chroot/usr/local
chmod 755 /chroot/usr/local/tomcat/bin/*.sh

Set the JAVA_HOME variable in setclasspath.sh, otherwise Tomcat cannot start. Add the two export lines just above the existing prerequisite check; the excerpt below shows the head of the edited file:
vi /chroot/usr/local/tomcat/bin/setclasspath.sh
# Make sure prerequisite environment variables are set
export JAVA_HOME=/usr/java/jdk1.7.0_51
export JRE_HOME=/usr/java/jdk1.7.0_51/jre
if [ -z "$JAVA_HOME" -a -z "$JRE_HOME" ]; then
  if $darwin; then
    # Bugzilla 54390
    if [ -x '/usr/libexec/java_home' ] ; then
      export JAVA_HOME=`/usr/libexec/java_home`
    # Bugzilla 37284 (reviewed).
    elif [ -d "/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home" ]; then
      export JAVA_HOME="/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home"
    fi
  else
    JAVA_PATH=`which java 2>/dev/null`
    if [ "x$JAVA_PATH" != "x" ]; then
      JAVA_PATH=`dirname $JAVA_PATH 2>/dev/null`
      JRE_HOME=`dirname $JAVA_PATH 2>/dev/null`

6. Start Tomcat
chroot /chroot /usr/local/tomcat/bin/catalina.sh start
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_51/jre
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat started.

ps auxf|grep java
root      4980  0.0  0.0  61232   736 pts/0    S+   17:14   0:00          \_ grep java
root      4912 20.9  2.5 1394592 101020 pts/0  Sl   17:13   0:15 /usr/java/jdk1.7.0_51/jre/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/tomcat/endorsed -classpath /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start

ps auxf|grep tomcat
root      4982  0.0  0.0  61232   736 pts/0    S+   17:14   0:00          \_ grep tomcat
root      4912 16.5  2.5 1394592 101020 pts/0  Sl   17:13   0:15 /usr/java/jdk1.7.0_51/jre/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/tomcat/endorsed -classpath /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start

You can see that Tomcat is up. Open Tomcat's port 8080 in iptables, then visit http://ip:8080 in a browser. If something goes wrong, check the Tomcat logs to see where the error is. You can also run strace chroot /chroot /usr/local/tomcat/bin/catalina.sh start to find out which file is the problem.
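The strace hint above produces a lot of output, and the useful part is the set of files the JVM looked for and did not find inside the chroot. The script below is an added example, not from the original post: it boils an strace capture down to that list and says which of the missing files exist on the host and can be copied in. It assumes strace was run with -f (so the java process forked by catalina.sh is followed) and -o to write to a file; the strace sample embedded in it is constructed, and missing_files and classify_missing are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): turn an strace capture of the
# chroot start-up into the list of files the process could not find. Those are
# the files still missing from the chroot.
# Assumed: strace was run as
#   strace -f -o /tmp/tomcat.strace chroot /chroot /usr/local/tomcat/bin/catalina.sh start

# missing_files: read strace output on stdin, print each path that a syscall
# reported as ENOENT, once, sorted. The first quoted string on the line is the
# path for open/stat/access, for openat(AT_FDCWD, "...") and for a unix-socket
# connect() such as the /dev/log lookup done by syslog-aware code.
missing_files() {
    grep -- '= -1 ENOENT' | sed -n 's/^[^"]*"\([^"]*\)".*$/\1/p' | LC_ALL=C sort -u
}

# classify_missing HOSTROOT: for each path on stdin, report whether the host
# has the file (so cp -p can put it into the chroot) or not (then the lookup
# was optional and can usually be ignored).
classify_missing() {
    while IFS= read -r p; do
        if [ -e "${1%/}$p" ]; then
            printf 'copy   %s\n' "$p"
        else
            printf 'ignore %s (absent on host too)\n' "$p"
        fi
    done
}

# Constructed sample in the shape "strace -f -o FILE" writes (pid, then the
# call). The paths are the kind of thing a half-populated chroot lacks.
SAMPLE_STRACE='4912  open("/usr/java/jdk1.7.0_51/jre/lib/amd64/libjava.so", O_RDONLY) = 3
4912  open("/lib64/libnsl.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
4912  stat("/usr/local/tomcat/conf/logging.properties", {st_mode=S_IFREG|0644, st_size=3288, ...}) = 0
4912  open("/etc/localtime", O_RDONLY) = -1 ENOENT (No such file or directory)
4913  openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4913  connect(5, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
4913  open("/lib64/libnsl.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)'

# demo_missing: what missing_files extracts from the sample.
demo_missing() {
    printf '%s\n' "$SAMPLE_STRACE" | missing_files
}

# Usage: sh triage.sh /tmp/tomcat.strace
if [ "$#" -eq 1 ]; then
    missing_files < "$1" | classify_missing /
fi
```

Not every ENOENT is a problem: the JVM probes several optional locations (locale archives, alternative library directories) and carries on when they are absent, which is why the second column matters. A missing shared library or a missing /dev node, on the other hand, is almost always the reason a chrooted start fails.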
Original link: blog.slogra.com/post-586.html

Tags: configuration tomcat security hardening chroot

  1. 2015-04-23 15:51
    I saw an article saying not to run Tomcat as root, otherwise the chroot is as good as useless, so I suggest everyone run the following commands:
    cp /etc/passwd /usr/local/chroot/etc/
    cp /etc/group /usr/local/chroot/etc/
    Edit passwd so that only one restricted account remains, namely the account Tomcat runs as

    chroot --userspec=USERNAME:GROUP /usr/local/chroot/ /usr/apache-tomcat-5.5.28/bin/catalina.sh start
    USERNAME is the user to start as, GROUP is the group to start as
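The comment's point is the important one: the ps output in the post shows the chrooted java running as root, and root inside a chroot can still create device nodes, mount filesystems and otherwise work its way out, so the chroot adds little until the process drops privileges. The script below is an added example (mine, not the commenter's or the post's) of the steps the comment describes: build a one-account passwd and group file in the chroot, refuse an account with uid 0, make only logs, temp and work writable by Tomcat, then start it through chroot --userspec. The account name "tomcat", the uid 501 in the constructed sample, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the comment): run the chrooted
# Tomcat as an unprivileged account. Assumed: a chroot root (e.g. /chroot), a
# host account for Tomcat (here "tomcat"), and a GNU chroot with --userspec.

# keep_account NAME: read a passwd- or group-style file on stdin and print
# only the line for NAME, so the chroot's /etc/passwd and /etc/group expose a
# single account instead of a copy of the host's whole user database.
keep_account() {
    awk -F: -v name="$1" '$1 == name'
}

# is_unprivileged NAME: succeed only if NAME exists on stdin with a non-zero
# uid. A uid-0 account, whatever it is called, would run Tomcat as root.
is_unprivileged() {
    awk -F: -v name="$1" 'BEGIN { rc = 1 } $1 == name && $3 != 0 { rc = 0 } END { exit rc }'
}

# populate_identity ROOT USER GROUP: write the minimal passwd and group files
# into the chroot from the host's copies, refusing a privileged account.
populate_identity() {
    root=$1; user=$2; group=$3
    is_unprivileged "$user" < /etc/passwd || { echo "$user missing or uid 0" >&2; return 1; }
    mkdir -p "$root/etc" &&
    keep_account "$user"  < /etc/passwd > "$root/etc/passwd" &&
    keep_account "$group" < /etc/group  > "$root/etc/group"
}

# fix_tomcat_perms ROOT USER GROUP: the tree is owned by root and readable by
# Tomcat's group; only logs, temp and work are writable by the Tomcat user, so
# a compromised webapp cannot rewrite deployed code or configuration. (If you
# rely on Tomcat unpacking WARs, webapps needs write access too.)
fix_tomcat_perms() {
    root=$1; user=$2; group=$3
    tc="$root/usr/local/tomcat"
    chown -R root:"$group" "$tc" &&
    chmod -R g+rX,o-rwx "$tc" &&
    chown -R "$user:$group" "$tc/logs" "$tc/temp" "$tc/work"
}

# start_tomcat ROOT USER GROUP: enter the chroot and switch to USER:GROUP in
# one step before catalina.sh runs, so java never executes as root.
start_tomcat() {
    chroot --userspec="$2:$3" "$1" /usr/local/tomcat/bin/catalina.sh start
}

# Constructed sample passwd content for trying the filters without root.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tomcat:x:501:501:Tomcat service:/usr/local/tomcat:/sbin/nologin
backup:x:0:502:uid-0 alias:/root:/bin/bash'

demo_keep()   { printf '%s\n' "$SAMPLE_PASSWD" | keep_account "$1"; }
demo_unpriv() { printf '%s\n' "$SAMPLE_PASSWD" | is_unprivileged "$1"; }

# Usage (as root on the host), after the chroot has been populated as in the post:
#   populate_identity /chroot tomcat tomcat && fix_tomcat_perms /chroot tomcat tomcat \
#     && start_tomcat /chroot tomcat tomcat
```

Two things to check after switching: ps should now show the java process under the unprivileged account, and --userspec is a GNU coreutils option that older releases lack (the coreutils on CentOS 5 predates it), so confirm with chroot --help; where it is missing, the same effect is obtained by copying su into the chroot and running catalina.sh through it, at the cost of a few more libraries to copy.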
