Hardening Tomcat by running it in a chroot
Today a friend told me that one of his project servers was sending packets out to the Internet and asked me to take a look. I got the SSH account and password, logged in, and found it was Tomcat: there were several abnormal files under Tomcat's bin directory, and looking at the processes, the thing had even planted itself under the server's /etc as hidden files. I deleted them and reconfigured the iptables rules, and finally told him to check his own application for abnormal code and files. This is clearly a textbook case of failed Tomcat security configuration; I won't go into the specifics here. Today's topic is running Tomcat inside a chroot, and I won't repeat the benefits of chroot either. Let's see how to set up chroot + Tomcat.
System: CentOS 5.x (64-bit)
Required packages:
server-jre-7u51-linux-x64.tar.gz
apache-tomcat-7.0.61.tar.gz
1. Configure Java
tar zxf server-jre-7u51-linux-x64.tar.gz
mkdir -p /usr/java/
cp -a jdk1.7.0_51 /usr/java/
/usr/java/jdk1.7.0_51/bin/java -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
2. Set up the chroot environment
mkdir -p /chroot && cd /chroot/
mkdir -p lib lib64 etc tmp dev usr
chmod 755 etc dev usr
chmod 1777 tmp
cp -a /etc/{hosts,resolv.conf,nsswitch.conf} /chroot/etc/
mkdir -p /chroot/dev/pts
cd /dev/
./MAKEDEV -d /chroot/dev null random urandom zero loop* log console
(Note: in the original command the device name was misspelt as "radom", so this step reported don't know how to make device "radom"; I ignored it and kept going. The spelling matters, because the JVM's SecureRandom, which Tomcat uses for session IDs, reads /dev/random and /dev/urandom, so both devices must exist inside the chroot.)
cp MAKEDEV /chroot/dev
cp -a /dev/shm /chroot/dev
3. Install Java into the chroot
cd /chroot/
mkdir -p bin
cp /bin/bash /chroot/bin/
cp /bin/sh /chroot/bin/
cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /chroot/lib64
cp /bin/uname bin/
mkdir usr/bin
cp /usr/bin/dirname usr/bin
cp -a /etc/{hosts,resolv.conf,nsswitch.conf} etc/
cp -p /lib64/libresolv.so.2 lib64/
cp -p /lib64/libnss_dns.so.2 lib64/
cp -p /lib64/libnss_files.so.2 lib64/
cp -p /lib64/librt.so.1 lib64/
cp /usr/bin/tty usr/bin/
cp /bin/touch bin/
mkdir -p usr/java/
cp -a /usr/java/jdk1.7.0_51 usr/java/
Find and copy the libraries Java depends on:
ldd /usr/java/jdk1.7.0_51/bin/java
linux-vdso.so.1 => (0x00007fff4f9fd000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00000038ed200000)
libjli.so => /usr/java/jdk1.7.0_51/bin/../lib/amd64/jli/libjli.so (0x00002b875e483000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000038ec600000)
libc.so.6 => /lib64/libc.so.6 (0x00000038ec200000)
/lib64/ld-linux-x86-64.so.2 (0x00000038ebe00000)
Copy the four lib64 libraries listed above; two more libraries that the JVM needs also have to be copied:
cp /lib64/{libpthread.so.0,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} lib64/
cp -p /lib64/libm.so.6 lib64/
cp -p /lib64/libnsl.so.1 lib64/
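The manual "run ldd, then cp the libraries into lib64" routine above works, but it is easy to miss a library that a .so deeper inside the JDK needs (which is exactly how libm and libnsl got missed by ldd on the java binary alone). The following added example, which is not code from the original post, generalizes the routine into a small script: it parses ldd output into a list of absolute library paths, copies each one into the chroot with its directory layout preserved, and can be pointed at a whole directory (such as the JDK) so every executable and shared object under it is checked. The chroot path /chroot and the JDK path are taken from the post; the sample ldd output embedded below is constructed from the post's own ldd listing so the parser can be exercised without a JDK present.

```shell
#!/bin/sh
# Added example (not from the original post): collect the shared libraries a
# binary needs from `ldd` output and copy them into a chroot, preserving the
# directory layout. Generalizes the manual "ldd, then cp into lib64" steps to
# any binary, and to every ELF file under the JDK so libm/libnsl are found too.

# Read ldd output on stdin and print each absolute library path once, in order.
# "linux-vdso.so.1 => (0x...)" carries no file and is skipped;
# "libc.so.6 => /lib64/libc.so.6 (0x...)" yields /lib64/libc.so.6;
# "/lib64/ld-linux-x86-64.so.2 (0x...)" yields the loader path itself.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' \
        | awk '!seen[$0]++'
}

# copy_into_root ROOT PATH... : copy each PATH to ROOT/PATH, creating parents.
# -p keeps mode and timestamps; ownership is kept when run as root.
copy_into_root() {
    root=$1; shift
    for p in "$@"; do
        [ -e "$p" ] || { echo "missing on host: $p" >&2; return 1; }
        mkdir -p "$root$(dirname "$p")"
        cp -p "$p" "$root$p"
    done
}

# populate_chroot ROOT BIN... : run ldd on each binary (and on every shared
# object or executable found under a directory argument) and copy what they
# need into ROOT. ldd's "not a dynamic executable" noise is discarded.
populate_chroot() {
    root=$1; shift
    for bin in "$@"; do
        if [ -d "$bin" ]; then
            find "$bin" -type f \( -name '*.so*' -o -perm -u+x \) -exec ldd {} \; 2>/dev/null
        else
            ldd "$bin" 2>/dev/null
        fi
    done | ldd_paths | while read -r lib; do
        copy_into_root "$root" "$lib"
    done
}

# Constructed sample: the ldd output the post shows for the JDK's java binary.
SAMPLE_LDD='linux-vdso.so.1 =>  (0x00007fff4f9fd000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00000038ed200000)
libjli.so => /usr/java/jdk1.7.0_51/bin/../lib/amd64/jli/libjli.so (0x00002b875e483000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000038ec600000)
libc.so.6 => /lib64/libc.so.6 (0x00000038ec200000)
/lib64/ld-linux-x86-64.so.2 (0x00000038ebe00000)'

# Usage on the real host (as root), covering the shells and the whole JDK:
#   populate_chroot /chroot /bin/bash /bin/sh /usr/bin/dirname /usr/java/jdk1.7.0_51
```

Running populate_chroot over the JDK directory is what makes the difference: ldd on java alone reports only the loader, libc, libdl and libpthread, while libjava.so and friends pull in libm and libnsl, which the script then copies without anyone having to remember them.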
4. Mount /proc
mkdir /chroot/proc
mount -t proc proc /chroot/proc
chroot /chroot /usr/java/jdk1.7.0_51/bin/java -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
You can of course also enter the chroot to test:
chroot /chroot
bash-3.2# /usr/java/jdk1.7.0_51/bin/java -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
5. Install Tomcat into the chroot
cd /root/install/ && mkdir /chroot/usr/local && tar zxf apache-tomcat-7.0.61.tar.gz -C /chroot/usr/local/
mv /chroot/usr/local/apache-tomcat-7.0.61 /chroot/usr/local/tomcat
chmod 755 /chroot/usr/local
chmod 755 /chroot/usr/local/tomcat/bin/*.sh
Set JAVA_HOME in setclasspath.sh, otherwise Tomcat cannot start. The two export lines below are the ones added; the rest is the surrounding context of the stock script:
vi /chroot/usr/local/tomcat/bin/setclasspath.sh
# Make sure prerequisite environment variables are set
export JAVA_HOME=/usr/java/jdk1.7.0_51
export JRE_HOME=/usr/java/jdk1.7.0_51/jre
if [ -z "$JAVA_HOME" -a -z "$JRE_HOME" ]; then
if $darwin; then
# Bugzilla 54390
if [ -x '/usr/libexec/java_home' ] ; then
export JAVA_HOME=`/usr/libexec/java_home`
# Bugzilla 37284 (reviewed).
elif [ -d "/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home" ]; then
export JAVA_HOME="/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home"
fi
else
JAVA_PATH=`which java 2>/dev/null`
if [ "x$JAVA_PATH" != "x" ]; then
JAVA_PATH=`dirname $JAVA_PATH 2>/dev/null`
JRE_HOME=`dirname $JAVA_PATH 2>/dev/null`
6. Start Tomcat
chroot /chroot /usr/local/tomcat/bin/catalina.sh start
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/jdk1.7.0_51/jre
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat started.
ps auxf|grep java
root 4980 0.0 0.0 61232 736 pts/0 S+ 17:14 0:00 \_ grep java
root 4912 20.9 2.5 1394592 101020 pts/0 Sl 17:13 0:15 /usr/java/jdk1.7.0_51/jre/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/tomcat/endorsed -classpath /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start
[root@test bin]# ps auxf|grep tomcat
root 4982 0.0 0.0 61232 736 pts/0 S+ 17:14 0:00 \_ grep tomcat
root 4912 16.5 2.5 1394592 101020 pts/0 Sl 17:13 0:15 /usr/java/jdk1.7.0_51/jre/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/tomcat/endorsed -classpath /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start
You can see that Tomcat is up. Open Tomcat's port 8080 in iptables, then visit http://ip:8080 in a browser. If something goes wrong, check the Tomcat logs to see where it fails; you can also run strace -f chroot /chroot /usr/local/tomcat/bin/catalina.sh start (with -f so the JVM that catalina.sh forks is followed) to find out which file is the problem. Note that the ps output shows the JVM running as root: it is uid 0 inside the chroot as well, so the restricted-account step at the end of this post is not optional.
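The ps output above is taken from the host, and it looks identical whether or not the JVM is actually confined: the command line shows /usr/java/... either way. The reliable check from outside is /proc/PID/root, which is a symlink to the process's real root directory, together with the Uid line in /proc/PID/status. The following added example (not code from the original post) wraps that into a small check that passes only when the Tomcat process is rooted at /chroot and is not uid 0, since a root process inside a chroot is not meaningfully contained. The PROC variable is an assumption added so the functions can be pointed at a constructed fake /proc tree for testing.

```shell
#!/bin/sh
# Added example (not from the original post): verify from outside the chroot
# that the Tomcat JVM really runs with / remapped to /chroot, and which uid it
# runs as. /proc/PID/root is a symlink to the process's root directory and
# /proc/PID/status carries its uids. PROC can point at a fake tree for tests.
PROC=${PROC:-/proc}

# Print the root directory of PID (e.g. /chroot); fails if PID is unknown.
proc_root_of() {
    readlink "$PROC/$1/root"
}

# Print the real uid of PID from the "Uid:" line of its status file.
proc_uid_of() {
    awk '$1 == "Uid:" { print $2; exit }' "$PROC/$1/status"
}

# check_confinement PID ROOT : return 0 when PID is rooted at ROOT and is not
# uid 0; print the reason and return 1 otherwise.
check_confinement() {
    pid=$1 want=$2
    root=$(proc_root_of "$pid") || { echo "pid $pid: no such process" >&2; return 1; }
    uid=$(proc_uid_of "$pid")
    if [ "$root" != "$want" ]; then
        echo "pid $pid: root is $root, not $want (not in the chroot)" >&2
        return 1
    fi
    if [ "$uid" = 0 ]; then
        echo "pid $pid: rooted at $root but running as uid 0; chroot does not contain root" >&2
        return 1
    fi
    echo "pid $pid: confined to $root as uid $uid"
}

# Usage on the real host, for every Tomcat bootstrap process:
#   for p in $(pgrep -f org.apache.catalina.startup.Bootstrap); do
#       check_confinement "$p" /chroot
#   done
```

Run against the deployment exactly as shown in the post, the check fails with the "running as uid 0" message, which is the expected result until Tomcat is started under a restricted account with --userspec.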
cp /etc/passwd /usr/local/chroot/etc/
cp /etc/group /usr/local/chroot/etc/
Edit the copied passwd so that only one restricted account remains, namely the account Tomcat runs as. (These lines use /usr/local/chroot and apache-tomcat-5.5.28; with the layout built above, substitute /chroot and /usr/local/tomcat.)
chroot --userspec=USERNAME:GROUP /usr/local/chroot/ /usr/apache-tomcat-5.5.28/bin/catalina.sh start
USERNAME is the user to start Tomcat as, GROUP is its group.
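Rather than copying the host's complete passwd and group into the chroot and trimming them by hand, the files can be generated with only the service account in them, so no other host account names end up inside the chroot and /etc/shadow never needs to be copied at all. The following added example (not code from the original post) does that and then starts Tomcat with chroot --userspec as shown above. The account name tomcat, its uid 500, the HOST_PASSWD/HOST_GROUP override variables and the sample host files are all constructed for the example; the chroot and Tomcat paths follow the layout built earlier in the post.

```shell
#!/bin/sh
# Added example (not from the original post): build /chroot/etc/passwd and
# /chroot/etc/group containing only the account Tomcat will run as, then
# start Tomcat under that account with chroot --userspec. The user name
# "tomcat" and uid 500 are assumptions made for this example.
HOST_PASSWD=${HOST_PASSWD:-/etc/passwd}   # overridable so tests can use a sample
HOST_GROUP=${HOST_GROUP:-/etc/group}

# minimal_passwd USER < passwd-file : print only USER's entry with the
# password field forced to "x" (no hash lands in the chroot; /etc/shadow is
# not copied at all). Fails if USER does not exist on the host.
minimal_passwd() {
    awk -F: -v u="$1" 'BEGIN { OFS = ":" } $1 == u { $2 = "x"; print; found = 1 } END { exit !found }'
}

# minimal_group GROUP < group-file : same for the group entry.
minimal_group() {
    awk -F: -v g="$1" 'BEGIN { OFS = ":" } $1 == g { $2 = "x"; print; found = 1 } END { exit !found }'
}

# install_chroot_ids ROOT USER GROUP : write ROOT/etc/passwd and ROOT/etc/group
# from the host files; fails (leaving an empty file) if either name is unknown.
install_chroot_ids() {
    root=$1 user=$2 group=$3
    minimal_passwd "$user" < "$HOST_PASSWD" > "$root/etc/passwd" || return 1
    minimal_group "$group" < "$HOST_GROUP" > "$root/etc/group" || return 1
    chmod 644 "$root/etc/passwd" "$root/etc/group"
}

# Constructed sample host files, used by the test below.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
tomcat:$1$fakehash:500:500::/usr/local/tomcat:/sbin/nologin'
SAMPLE_GROUP='root:x:0:root
tomcat:x:500:'

# On the real host (as root), not run here. Tomcat must be able to write its
# logs, temp and work directories as the new uid; 8080 needs no root.
#   install_chroot_ids /chroot tomcat tomcat
#   chown -R tomcat:tomcat /chroot/usr/local/tomcat/logs /chroot/usr/local/tomcat/temp /chroot/usr/local/tomcat/work
#   chroot --userspec=tomcat:tomcat /chroot /usr/local/tomcat/bin/catalina.sh start
```

After this start command, the ps output on the host shows the JVM under the tomcat user instead of root, and /proc/PID/root still points at /chroot, which is the combination the chroot was meant to provide in the first place.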