Jump to content
aelius

Tutorial configurare debian

By aelius, in Tutoriale in romana

Recommended Posts

aelius Grand Master

aelius

Posted
Posted (edited)

Acest tutorial este adresat celor care doresc sa isi configureze un server cu Debian. O sa acopar in in el urmatoarele aspecte:

1. Instalare kernel cu grsec.

2. Instalare si configurare apache.

3. Instalare si configurare php.

4. Instalare si module php (extensii).

5. Configurare suhosin.

6. Instalare MySQL Server.

7. Modificari diverse permisiuni pentru un nivel mai bun de securitate

8. Instalare nginx si folosirea lui ca frontend pentru apache (dual strat web server)

----------------

1. Instalare kernel cu grsec.

Daca nu stiti inca ce este grsec/grsecurity, un bun punct de plecare este Grsecurity. Pentru linux, grsecurity este un fel de "sfantul graal" in materie de securitate. In plus, va scapa de o problema ce o are linux si care pe mine ma irita: ps aux dupa user, arata toate procesele.


root@tex:~# echo "deb http://debian.cr0.org/repo/ kernel-security/" >> /etc/apt/sources.list
root@tex:~# wget http://kernelsec.cr0.org/kernel-security.asc
root@tex:~# apt-key add kernel-security.asc
OK
root@tex:~# apt-get update
root@tex:~# apt-cache search grsec
linux-source-2.6.32.15-1-grsec - Linux kernel source for version 2.6.32.15-1-grsec
linux-source-2.6.25.10-1-grsec - Linux kernel source for version 2.6.25.10-1-grsec
linux-image-2.6.32.15-1-grsec - Linux kernel binary image for version 2.6.32.15-1-grsec
linux-headers-2.6.32.15-1-grsec - Header files related to Linux kernel, specifically,
linux-source-2.6.27.29-4-grsec - Linux kernel source for version 2.6.27.29-4-grsec
root@tex:~# apt-get install linux-image-2.6.32.15-1-grsec linux-headers-2.6.32.15-1-grsec
root@tex:~# init 6 # aici dam reboot pentru a boota noul kernel.

// Dupa reboot


root@tex:~# uname -a
Linux tex 2.6.32.15-1-grsec #2 SMP Mon Jun 28 09:05:30 CEST 2010 x86_64 GNU/Linux
root@tex:~# su - tex
tex@tex:~$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
tex       2103  0.6  0.1  36908  1276 pts/0    S    00:58   0:00 su - tex
tex       2104 13.0  0.6  23380  6200 pts/0    S    00:58   0:00 -su
tex       2129  0.0  0.1  16332  1176 pts/0    R+   00:58   0:00 ps aux

Din cate observati, vad doar procesele mele dupa user.

2. Instalare si configurare apache.


root@tex:~# apt-get install apache2-mpm-prefork apache2.2-common apache2.2-bin
root@tex:~# rm /etc/apache2/sites-available/default
root@tex:~# cat >> /etc/apache2/sites-available/default << EOF
> NameVirtualHost *
>
> <Directory "/var/www">
>   AllowOverride AuthConfig FileInfo Options Indexes Limit
>   Options FollowSymLinks
>   Options -Indexes
> </Directory>
>
> <VirtualHost *>
>   DocumentRoot /var/www
>   ServerName 10.0.0.220
>   CustomLog /var/log/apache2/access_log combined
>   ErrorLog /var/log/apache2/error_log
> </VirtualHost>
> EOF
root@tex:~#

Apache o sa-l listam pe 127.0.0.1 port 81 si o sa fie backend.


root@tex:~# echo "Listen 127.0.0.1:81" > /etc/apache2/ports.conf
root@tex:~# /etc/init.d/apache2 start

3. Instalare si configurare php (plus libapache2-mod-php5, necesar la apache (mod php))

PHP-ul o sa-l instalez de la dotdeb.


root@tex:~# echo "deb http://packages.dotdeb.org stable all" >> /etc/apt/sources.list
root@tex:~# echo "deb-src http://packages.dotdeb.org stable all" >> /etc/apt/sources.list
root@tex:~# wget http://www.dotdeb.org/dotdeb.gpg
root@tex:~# cat dotdeb.gpg |apt-key add - && rm dotdeb.gpg
OK
root@tex:~# apt-get update
root@tex:~# apt-get install php5 php5-cli libapache2-mod-php5 php5-common php5-suhosin

Inlocuiesc "expose_php = On" cu "expose_php = Off" / "short_open_tag = Off" cu "short_open_tag = On" si "session.name = PHPSESSID" cu "session.name = SERVLET" in php.ini pentru apache2.


root@tex:~# perl -pi -e 's/expose_php = On/expose_php = Off/' /etc/php5/apache2/php.ini
root@tex:~# perl -pi -e 's/short_open_tag = Off/short_open_tag = On/' /etc/php5/apache2/php.ini
root@tex:~# perl -pi -e 's/PHPSESSID/SERVLET/' /etc/php5/apache2/php.ini

4. Instalare si configurare module php (extensii).

O sa instalez urmatoarele extensii php: curl, gd, mcrypt, mysql.


root@tex:~# apt-get install php5-curl php5-gd php5-mcrypt php5-mysql

5. Configurare suhosin.

Din motive de securitate, o sa adaug in blacklisted utilizand suhosin urmatoarele functii: 

exec,shell_exec,passthru,show_source,dl,leak,ini_alter,ini_restore,proc_open,proc_nice,proc_terminate,proc_close,proc_get_status,symlink,system,popen,pcntl_getpriority,pcntl_wait,diskfreespace,disk_free_space,disk_total_space,get_current_user,stream_socket_accept,stream_socket_client,stream_socket_get_name,stream_socket_recvfrom,stream_socket_sendto,stream_socket_server,stream_socket_shutdown


root@tex:~# cat >> /etc/php5/conf.d/suhosin.ini << EOF
>
> suhosin.executor.func.blacklist = "exec,shell_exec,passthru,show_source,dl,leak,ini_alter,ini_restore,proc_open,proc_nice,proc_terminate,proc_close,proc_get_status,symlink,system,popen,pcntl_getpriority,pcntl_wait,diskfreespace,disk_free_space,disk_total_space,get_current_user,stream_socket_accept,stream_socket_client,stream_socket_get_name,stream_socket_recvfrom,stream_socket_sendto,stream_socket_server,stream_socket_shutdown"
> suhosin.cookie.max_array_depth = 256
> suhosin.cookie.max_array_index_length = 256
> suhosin.cookie.max_name_length = 256
> suhosin.cookie.max_totalname_length = 512
> suhosin.cookie.max_value_length = 20000
> suhosin.cookie.max_vars = 200
> suhosin.get.max_array_depth = 200
> suhosin.get.max_totalname_length = 1024
> suhosin.get.max_value_length = 1024
> suhosin.get.max_vars = 1024
>
>
> suhosin.post.max_array_depth = 1024
> suhosin.post.max_array_index_length = 1024
> suhosin.post.max_name_length = 1024
> suhosin.post.max_totalname_length = 1024
> suhosin.post.max_value_length = 95000
> suhosin.post.max_vars = 1024
>
> suhosin.request.max_vars = 512
> suhosin.request.max_value_length = 90000
> suhosin.request.max_totalname_length = 1024
> suhosin.upload.max_uploads = 400
>
> suhosin.executor.include.max_traversal = 2
>
> EOF
root@tex:~#

Cam asa arata php in cli:


root@tex:~# php -v
PHP 5.3.8-1~dotdeb.2 with Suhosin-Patch (cli) (built: Aug 25 2011 13:30:46)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
root@tex:~#

6. Instalare MySQL Server si MySQL Client


root@tex:~# apt-get install mysql-client-5.5 mysql-server-5.5

7. Modificari diverse permisiuni pentru un nivel mai bun de securitate

Mountam tmpfs in /tmp cu flag-urile "noexec,nosuid,nodev" din motive de securitate.


root@tex:~# echo "tmpfs /tmp tmpfs noexec,nosuid,nodev 2 2" >> /etc/fstab
root@tex:~# mount /tmp
root@tex:~# mount |grep "/tmp"
tmpfs on /tmp type tmpfs (rw,noexec,nosuid,nodev)

Stergem "/var/tmp" si il facem simlink catre tmp.


root@tex:~# rm -rf /var/tmp/ && ln -s /tmp /var/tmp

Dam chmod 640 la "/dev/shm" din motive de securitate.


root@tex:~# chmod 640 /dev/shm

8. Instalare nginx si folosirea lui ca frontend pentru apache (dual strat web server)

O sa listam port 80 cu nginx si o sa-l folosim ca frontend pentru apache, care se listeaza pe 127.0.0.1 port 81. (reverse proxy)


root@tex:~# apt-get install nginx
root@tex:~# rm /etc/nginx/sites-enabled/default
root@tex:~# pico /etc/nginx/sites-enabled/default
# fisier configuratie
server {
 listen               0.0.0.0:80 default;
 server_name          _;
 access_log           off;
 error_log            /dev/null;
    location / {
       proxy_pass         http://127.0.0.1:81;
       proxy_redirect     off;
       proxy_set_header   Host             $host;
       proxy_set_header   X-Real-IP        $remote_addr;
       proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
     }
   }

Pornim nginx-ul.


root@tex:~# /etc/init.d/nginx start
Starting nginx: nginx.
root@tex:~#


[URL="http://i42.tinypic.com/121zmtx.png"]O sa pun un phpinfo in "/var/www/"[/URL] pentru a vedea daca este totul in ordine si o sa sterg index.html (default)
root@tex:~# echo "<?php phpinfo(); ?>" >> /var/www/index.php
root@tex:~# rm /var/www/index.html
// restart la apache.
root@tex:~# /etc/init.d/apache2 restart

---------

Note:

- Daca aveti intrebari legate de acest tutorial, va raspund cu cea mai mare placere.

- Imi cer scuze pentru eventualele greseli legate de exprimare (am cam tras chiulul de la somn)

- Nu am specificat sursa acestui tutorial pentru ca este facut de mine.

Edited by aelius
// formatare corecta
  • Upvote 2

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...