- Enabling secure HTTP (HTTPS) on the server
- Building a virus scanning system (Clam AntiVirus)
- Building an intrusion detection system (chkrootkit)

CentOS System Installation Steps (2)

Author: 88443 ( http://bbs.88443.net/ShowPost.asp?ThreadID=2184 )

Posted: 2006-11-30 23:54:00

 


Enabling secure HTTP (HTTPS) on the server


Introduction

When a site is accessed as "http://", the traffic can be intercepted by a third party, because the content travels in plaintext; sending private information or passwords this way is therefore very insecure. More formal sites, and bank sites in particular, use "https://" for the pages where private data or sensitive passwords are submitted, so that the traffic is encrypted, protecting the user and preventing leaks of private data.

Here we use mod_ssl to make our server support HTTPS as well.


Installing mod_ssl

Install mod_ssl online with yum.

[root@localhost html]# yum -y install mod_ssl  ← install mod_ssl online
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Reducing Dag RPM Repository for Red Hat Enterprise Linux to included packages only
Finished
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for mod_ssl to pack into transaction set.
mod_ssl-2.0.52-28.ent.cen 100% |=========================| 25 kB 00:00
---> Package mod_ssl.i386 1:2.0.52-28.ent.centos4 set to be updated          
--> Running transaction check          
--> Processing Dependency: libnal.so.1 for package: mod_ssl          
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl          
--> Restarting Dependency Resolution with new changes.          
--> Populating transaction set with selected packages. Please wait.          
---> Downloading header for distcache to pack into transaction set.          
distcache-1.4.5-6.i386.rp 100% |=========================| 7.2 kB 00:00          
---> Package distcache.i386 0:1.4.5-6 set to be updated          
--> Running transaction check

Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
mod_ssl i386 1:2.0.52-28.ent.centos4 base 98 k
Installing for dependencies:          
distcache i386 1.4.5-6 base 111 k

Transaction Summary
=============================================================================
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 209 k
Downloading Packages:
(1/2): distcache-1.4.5-6. 100% |=========================| 111 kB 00:00
(2/2): mod_ssl-2.0.52-28. 100% |=========================| 98 kB 00:00          
Running Transaction Test          
Finished Transaction Test          
Transaction Test Succeeded          
Running Transaction          
Installing: distcache ######################### [1/2]          
Installing: mod_ssl ######################### [2/2]

Installed: mod_ssl.i386 1:2.0.52-28.ent.centos4
Dependency Installed: distcache.i386 0:1.4.5-6
Complete!

 


Configuring mod_ssl for the HTTP server

[1] Create the server private key

[root@localhost conf]# cd /etc/httpd/conf  ← enter the directory holding the HTTP server configuration files

[root@localhost conf]# rm -f ssl.*/server.*  ← remove the default or leftover server certificate files

[root@localhost conf]# make genkey  ← create the server key
umask 77 ; 
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
................++++++
.................................................................................................++++++
e is 65537 (0x10001)
Enter pass phrase:  ← enter a passphrase here
Verifying - Enter pass phrase:  ← enter the same passphrase again to confirm

[root@localhost conf]# openssl rsa -in ssl.key/server.key -out ssl.key/server.key  ← strip the passphrase from the key (so that it is not prompted for after the system starts)
The key is now stored unencrypted, so it must stay readable by root only; the umask 77 used when it was generated already ensures that.

Enter pass phrase for ssl.key/server.key:  ← enter the passphrase
writing RSA key

[2] Create the server certificate request (containing the public key)

[root@localhost conf]# make certreq  ← create the certificate signing request

umask 77 ; 
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -out /etc/httpd/conf/ssl.csr/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN  ← enter the country code
State or Province Name (full name) [Berkshire]:Heilongjiang  ← enter the province
Locality Name (eg, city) [Newbury]:Harbin  ← enter the city
Organization Name (eg, company) [My Company Ltd]:www.centospub.com  ← enter the organization name (any value)
Organizational Unit Name (eg, section) []:  ← leave blank, just press Enter
Common Name (eg, your name or your server's hostname) []:www.centospub.com  ← enter the common name (any value works for a self-signed test certificate, but browsers compare it with the host name in the URL, so use the server's real name to avoid a name-mismatch warning)
Email Address []:yourname@yourserver.com   ← enter an e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  ← leave blank, just press Enter
An optional company name []:   ← leave blank, just press Enter

[3] Create the server certificate

[root@localhost conf]# openssl x509 -in ssl.csr/server.csr -out ssl.crt/server.crt -req -signkey ssl.key/server.key -days 365  ← create the self-signed server certificate, valid for 365 days

Signature ok
subject=/C=CN/ST=Heilongjiang/L=Harbin/O=myserver.digeast.com/CN=myserver.digeast.com/emailAddress=yourname@yourserver.com
Getting Private key

[4] Configure SSL

[root@localhost conf]# vi /etc/httpd/conf.d/ssl.conf  ← edit the SSL configuration file

#DocumentRoot "/var/www/html"  ← find this line and remove the leading "#"
↓
DocumentRoot "/var/www/html"  ← it should now look like this

[5] Restart the HTTP server so SSL takes effect

[root@localhost conf]# /etc/rc.d/init.d/httpd restart  ← restart the HTTP server

Stopping httpd:  [ OK ]
Starting httpd:[ OK ]

[6] Allow SSL through the firewall

[root@localhost conf]# vi /etc/sysconfig/iptables   ← edit the firewall configuration file

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT  ← add this line, above the final REJECT rule, to open port 443 for SSL
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

[root@localhost conf]# /etc/rc.d/init.d/iptables restart   ← restart the firewall so the change takes effect

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
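The key, CSR and certificate steps above done in one script, with the checks worth running before pointing httpd at the files. This is an added example, not code from the original page: the output directory is passed as an argument, the DN fields are the ones typed on the page, the key is 2048 bits (the page used 1024), and the key file is checked for a passphrase, for mode 600, for matching the certificate's modulus, for not having expired and for verifying against itself as a self-signed trust anchor.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive version of
# make genkey / make certreq / openssl x509 -req, plus sanity checks.
# Assumptions: target directory given as $1; DN values as on the page;
# 2048-bit key instead of the page's 1024.
set -u

# Create server.key, server.csr and server.crt under directory $1.
make_self_signed() {
    dir="$1"
    mkdir -p "$dir"
    umask 077   # like the Makefile's umask 77: files readable by owner only
    # [1] private key, written without a passphrase so httpd starts unattended
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    # [2] certificate signing request; -subj replaces the interactive DN prompts
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=Heilongjiang/L=Harbin/O=www.centospub.com/CN=www.centospub.com" \
        2>/dev/null || return 1
    # [3] self-signed certificate for 365 days, signed with the same key
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -days 365 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
}

# Check the files in $1. Prints "ok" and returns 0 when everything is
# consistent; otherwise prints the first problem found and returns 1.
check_self_signed() {
    dir="$1"
    # the key must not be passphrase-protected, or httpd prompts at boot
    if grep -q ENCRYPTED "$dir/server.key"; then
        echo "key is still passphrase-protected"; return 1
    fi
    # the unencrypted key must be readable by its owner only
    perms=$(stat -c %a "$dir/server.key" 2>/dev/null || stat -f %Lp "$dir/server.key")
    if [ "$perms" != "600" ]; then
        echo "key mode is $perms, expected 600"; return 1
    fi
    # the certificate must carry the public half of this key (same modulus)
    kmod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null | openssl sha256)
    cmod=$(openssl x509 -noout -modulus -in "$dir/server.crt" | openssl sha256)
    if [ "$kmod" != "$cmod" ]; then
        echo "certificate does not match key"; return 1
    fi
    # the certificate must be valid now (-checkend 0 fails once it has expired)
    if ! openssl x509 -noout -checkend 0 -in "$dir/server.crt" >/dev/null; then
        echo "certificate has expired"; return 1
    fi
    # a self-signed certificate must verify with itself as the trust anchor
    if ! openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1; then
        echo "self-signature does not verify"; return 1
    fi
    echo "ok"
}

# usage: sh thisscript.sh demo   (generates into a temporary directory)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_self_signed "$d" && check_self_signed "$d"
    ls -l "$d"
    rm -rf "$d"
fi
```

To produce the files the page's ssl.conf expects, call make_self_signed with a scratch directory and move server.key, server.csr and server.crt into /etc/httpd/conf/ssl.key, ssl.csr and ssl.crt respectively; check_self_signed can be re-run at any time, and its expiry check is the one worth scheduling, since the certificate created here stops working after 365 days.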

 


Test SSL from a client PC. Open a browser and enter "https://<server IP address>" or "https://<your domain>" in the address bar. If a window appears prompting you to install the server certificate (as illustrated below), the server supports SSL. The prompt appears because the certificate is self-signed rather than issued by a certificate authority the browser already trusts.

If you then choose "Accept this certificate permanently" and click OK, the prompt to install the server certificate will not appear again on later HTTPS visits to this site.

 

 

Building a virus scanning system (Clam AntiVirus)


Introduction

Many anti-virus products for UNIX are commercial. Just as on Windows, though, the quality of an anti-virus product is determined by the size of its signature database and how quickly it is updated. Here we use the free software Clam AntiVirus to build a virus scanning system for Linux. To avoid trouble later, it is strongly recommended to set up virus scanning before the server goes public.


Installing Clam AntiVirus

Install Clam AntiVirus online with yum.

[root@localhost ~]# rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt  ← import the GPG signing key of the Dag repository

[root@localhost ~]# vi /etc/yum.repos.d/dag.repo   ← create the yum repository file for Dag

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
includepkgs=clamd clamav*

[root@localhost ~]# yum -y install clamd  ← install Clam AntiVirus online
Setting up Install Process
Setting up repositories
dag 100% |=========================| 1.1 kB 00:00
update 100% |=========================| 951 B 00:00
base 100% |=========================| 1.1 kB 00:00
addons 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
primary.xml.gz 100% |=========================| 1.6 MB 00:08
dag : ################################################## 4610/4610
Added 4610 new packages, deleted 0 old in 94.91 seconds
primary.xml.gz 100% |=========================| 103 kB 00:05
update : ################################################## 256/256
Added 56 new packages, deleted 0 old in 4.25 seconds
Reducing Dag RPM Repository for Red Hat Enterprise Linux to included packages only
Finished
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for clamd to pack into transaction set.
clamd-0.88.4-1.el4.rf.i38 100% |=========================| 5.3 kB 00:00
---> Package clamd.i386 0:0.88.4-1.el4.rf set to be updated
--> Running transaction check
--> Processing Dependency: clamav = 0.88.4-1.el4.rf for package: clamd
--> Processing Dependency: libclamav.so.1 for package: clamd
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for clamav to pack into transaction set.
clamav-0.88.4-1.el4.rf.i3 100% |=========================| 8.1 kB 00:00
---> Package clamav.i386 0:0.88.4-1.el4.rf set to be updated
--> Running transaction check
--> Processing Dependency: clamav-db = 0.88.4-1.el4.rf for package: clamav
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for clamav-db to pack into transaction set.
clamav-db-0.88.4-1.el4.rf 100% |=========================| 3.2 kB 00:00
---> Package clamav-db.i386 0:0.88.4-1.el4.rf set to be updated
--> Running transaction check

Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
clamd i386 0.88.4-1.el4.rf dag 64 k
Installing for dependencies:
clamav i386 0.88.4-1.el4.rf dag 724 k
clamav-db i386 0.88.4-1.el4.rf dag 5.6 M

Transaction Summary
=============================================================================
Install 3 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 6.4 M
Downloading Packages:          
(1/3): clamd-0.88.4-1.el4 100% |=========================| 64 kB 00:01          
(2/3): clamav-0.88.4-1.el 100% |=========================| 724 kB 00:04          
(3/3): clamav-db-0.88.4-1 100% |=========================| 5.6 MB 00:25          
Running Transaction Test          
Finished Transaction Test          
Transaction Test Succeeded          
Running Transaction          
Installing: clamav-db ######################### [1/3]          
Installing: clamav ######################### [2/3]          
Installing: clamd ######################### [3/3]

Installed: clamd.i386 0:0.88.4-1.el4.rf
Dependency Installed: clamav.i386 0:0.88.4-1.el4.rf clamav-db.i386 0:0.88.4-1.el4.rf
Complete!   ← installation complete!

 


Configuring Clam AntiVirus

Configure Clam AntiVirus.

[root@localhost ~]# vi /etc/clamd.conf  ← edit the clamd configuration file

User clamav  ← find this line and put a "#" at the start (do not run the daemon under an ordinary user account; clamd then runs as root, which lets it read every file but also means any scanner bug runs with root privileges)
↓
#User clamav  ← it should now look like this

ArchiveBlockMax ← find this line and put a "#" at the start (do not treat very large archives as infected files)
↓
#ArchiveBlockMax ← it should now look like this

 


Running Clam AntiVirus

Start Clam AntiVirus and configure it to start automatically.

[root@localhost ~]# /etc/rc.d/init.d/clamd start  ← start the clamd service (run Clam AntiVirus)

Starting Clam AntiVirus Daemon: [ OK ]  ← started successfully

[root@localhost ~]# chkconfig clamd on   ← start it automatically at boot

[root@localhost ~]# chkconfig --list clamd
clamd 0:off 1:off 2:on 3:on 4:on 5:on 6:off  ← confirm that runlevels 2 to 5 are on

 


Updating the Clam AntiVirus signature database

[root@localhost ~]# freshclam  ← update the ClamAV signature database

ClamAV update process started at Fri Aug 25 18:39:26 2006
Downloading main.cvd [*]
main.cvd updated (version: 40, sigs: 64138, f-level: 8, builder: tkojm)
Downloading daily.cvd [*]
daily.cvd updated (version: 1728, sigs: 2565, f-level: 8, builder: ccordes)
Database updated (66703 signatures) from db.cn.clamav.net (IP: 58.221.253.171)
Clamd successfully notified about the update.

 


Scanning for viruses

[root@localhost ~]# clamdscan  ← scan for viruses

/root: OK

----------- SCAN SUMMARY -----------
Infected files: 0  ← no viruses found
Time: 5.074 sec (0 m 5 s)

[root@localhost ~]# wget http://www.eicar.org/download/eicar.com  ← download an EICAR test file (harmless, but detected as a virus)

[root@localhost ~]# wget http://www.eicar.org/download/eicar.com.txt  ← download an EICAR test file

[root@localhost ~]# wget http://www.eicar.org/download/eicar_com.zip  ← download an EICAR test file

[root@localhost ~]# wget http://www.eicar.org/download/eicarcom2.zip  ← download an EICAR test file

With the "--remove" option, files found to be infected are deleted automatically after detection.

[root@localhost ~]# clamdscan --remove  ← scan again, this time with the remove option

/root/eicarcom2.zip: Eicar-Test-Signature FOUND  ← infected file found
/root/eicarcom2.zip: Removed.  ← infected file removed
/root/eicar.com: Eicar-Test-Signature FOUND  ← infected file found
/root/eicar.com: Removed.  ← infected file removed
/root/eicar.com.txt: Eicar-Test-Signature FOUND  ← infected file found
/root/eicar.com.txt: Removed.  ← infected file removed
/root/eicar_com.zip: Eicar-Test-Signature FOUND  ← infected file found
/root/eicar_com.zip: Removed.  ← infected file removed

----------- SCAN SUMMARY -----------
Infected files: 4
Time: 2.201 sec (0 m 2 s)

 


Running the virus scan periodically

[root@localhost ~]# vi clamscan  ← create the automatic scan script, as follows:

#!/bin/bash
PATH=/usr/bin:/bin
# temporary file for the scan report
CLAMSCANTMP=`mktemp`
# scan the whole filesystem and delete anything found
clamdscan --recursive --remove / > $CLAMSCANTMP
# if any line ends in FOUND, mail those lines to root
[ ! -z "$(grep FOUND$ $CLAMSCANTMP)" ] &&
grep FOUND $CLAMSCANTMP | mail -s "Virus Found in `hostname`" root
rm -f $CLAMSCANTMP

[root@localhost ~]# chmod +x clamscan  ← make the script executable

[root@localhost ~]# mv ./clamscan /etc/cron.daily/  ← move the script into the directory of daily cron jobs
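A fuller version of the daily scan script above, as an added example rather than the page's own code. It keeps the complete report in syslog and, unlike the short script, treats a scan that did not finish (clamd not running, exit status 2) as something to report instead of silently mailing nothing. It assumes clamdscan's documented exit codes (0 clean, 1 infected, 2 error); the report parsing is exercised on a constructed sample, since no running clamd is needed for that.

```shell
#!/bin/sh
# Added example (not from the original page): cron-style clamdscan wrapper.
# Assumptions: clamdscan exits 0/1/2 for clean/infected/error; the scan
# path and mail recipient are example choices.
PATH=/usr/bin:/bin

# Print the "path: Signature FOUND" lines of a clamdscan report read on stdin.
found_lines() {
    grep ' FOUND$'
}

# Build the alert text for report file $1 and scanner exit status $2.
# Prints nothing and returns 1 when the scan was clean, so the caller can
# skip the mail; otherwise prints a message body and returns 0.
alert_body() {
    report="$1"; status="$2"
    case "$status" in
        0)
            return 1 ;;
        1)
            echo "Infected files on $(hostname):"
            found_lines < "$report"
            grep '^Infected files:' "$report"
            return 0 ;;
        *)
            echo "clamdscan did not complete on $(hostname) (exit status $status); last lines:"
            tail -n 5 "$report"
            return 0 ;;
    esac
}

# Scan directory $1 (default /), keep the report in syslog, mail root if needed.
run_scan() {
    tmp=$(mktemp)
    clamdscan --remove "${1:-/}" > "$tmp" 2>&1
    status=$?
    logger -t clamdscan -f "$tmp"
    if body=$(alert_body "$tmp" "$status"); then
        printf '%s\n' "$body" | mail -s "ClamAV alert on $(hostname)" root
    fi
    rm -f "$tmp"
}

# Constructed sample report (not real scanner output) used to exercise
# alert_body without a running clamd.
sample_report() {
    cat <<'EOF'
/root/eicar.com: Eicar-Test-Signature FOUND
/root/notes.txt: OK
/root/eicar_com.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
Time: 2.201 sec (0 m 2 s)
EOF
}

# usage: sh thisscript.sh demo   (prints the alert for the sample report)
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); sample_report > "$f"
    alert_body "$f" 1
    rm -f "$f"
fi
```

Installed under /etc/cron.daily with a final line calling run_scan, it replaces the page's script; the exit-status branch is the part that matters operationally, because a daemon that has stopped produces no FOUND lines and would otherwise look like a clean scan.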

 

 

 

 

Building an intrusion detection system (chkrootkit)


Introduction

A rootkit is a kind of tool often used by intruders. Such tools are usually very stealthy and hard for users to notice; with them, an intruder establishes a way to get back into the system at any time, or to control it in real time. So we use the free software chkrootkit to build an intrusion detection system that checks whether a rootkit has been installed on the system.

To detect whether a rootkit is installed, chkrootkit uses a number of the operating system's own commands. It cannot be ruled out that an intruder has deliberately modified the very system commands chkrootkit uses, so that chkrootkit can no longer detect the rootkit; the rootkit then stays hidden even with chkrootkit installed, and the intruder keeps a way to control the system. In that case an intrusion detection system built on chkrootkit would be of no use whatsoever. For this reason we put chkrootkit to work right after the operating system is installed, that is, before the server goes public. Also, before the server goes public, we back up the system commands chkrootkit uses, so that when necessary (for example when we suspect the system commands have been modified) chkrootkit can be run with the original, backed-up commands.


Installing chkrootkit

Install the chkrootkit tool.

[root@localhost ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz ← download chkrootkit

--03:05:31-- ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
=> `chkrootkit.tar.gz'
Resolving ftp.pangeia.com.br... 200.239.53.35
Connecting to ftp.pangeia.com.br|200.239.53.35|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD /pub/seg/pac ... done.
==> PASV ... done. ==> RETR chkrootkit.tar.gz ... done.
Length: 37,140 (36K) (unauthoritative)

100%[====================================>] 37,140 5.67K/s ETA 00:00
03:05:46 (5.30 KB/s) - `chkrootkit.tar.gz' saved [37140]

[root@localhost ~]# tar zxvf chkrootkit.tar.gz  ← unpack the compressed source code

[root@localhost ~]# cd chkrootkit*  ← enter the chkrootkit source directory

[root@localhost chkrootkit-0.46a]# make sense  ← compile

[root@localhost chkrootkit-0.46a]# cd ..  ← return to the parent directory

[root@localhost ~]# cp -r chkrootkit-* /usr/local/chkrootkit  ← copy the directory with the compiled files to its final location

[root@localhost ~]# rm -rf chkrootkit*  ← delete the leftover source directory and related files

 


Testing chkrootkit

Test whether chkrootkit runs correctly.

[root@localhost ~]# cd /usr/local/chkrootkit  ← enter the chkrootkit directory

[root@localhost chkrootkit]# ./chkrootkit | grep INFECTED  ← test-run chkrootkit
Wait a moment... if nothing containing "INFECTED" is printed and the command prompt simply returns, everything is OK.

[root@localhost chkrootkit]# cd   ← return to root's home directory

 


Automating chkrootkit checks

Write a shell script to automate the chkrootkit check: when a rootkit is found, notify the root user by e-mail, and save the results of the run in /var/log/messages.

[root@localhost ~]# vi chkrootkit  ← create the chkrootkit automation script

#!/bin/bash
PATH=/usr/bin:/bin
TMPLOG=`mktemp`
# Run the chkrootkit
/usr/local/chkrootkit/chkrootkit > $TMPLOG
# Output the log (logger sends it to syslog, i.e. /var/log/messages)
cat $TMPLOG | logger -t chkrootkit
# chkrootkit reports a listener on port 465 (SMTPS) as a "bindshell";
# drop that line when lsof shows no real bindshell process on the port
if [ ! -z "$(grep 465 $TMPLOG)" ] &&
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' $TMPLOG
fi
# If a rootkit has been found, mail root
[ ! -z "$(grep INFECTED $TMPLOG)" ] &&
grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" root
rm -f $TMPLOG

[root@localhost ~]# chmod 700 chkrootkit  ← make the script executable

[root@localhost ~]# mv chkrootkit /etc/cron.daily/  ← move the script into the directory of daily cron jobs

 


Backing up the system commands chkrootkit uses

If the system commands chkrootkit uses are modified by an intruder, chkrootkit's rootkit detection no longer works. So we back up the system commands chkrootkit uses in advance, and when needed run chkrootkit with the original, backed-up commands to check for rootkits.

[root@localhost ~]# mkdir /root/commands/  ← create a temporary directory to hold the command backup

[root@localhost ~]# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed uname` /root/commands/  ← (typed as one line) back up the system commands into that directory

[root@localhost ~]# /usr/local/chkrootkit/chkrootkit -p /root/commands|grep INFECTED  ← run chkrootkit with the backed-up commands

[root@localhost ~]# tar cvf /root/commands.tar /root/commands/ ← pack the commands into an archive

[root@localhost ~]# gzip /root/commands.tar  ← compress the archive
Then download the compressed commands.tar.gz to a safe place with an SCP client.

[root@localhost ~]# rm -rf commands*   ← for safety, delete the command backup and related files from the server

When chkrootkit has to be run with the backed-up commands, upload the archive with SCP to a known location on the server, extract it, and pass that directory to chkrootkit when running it. For example, assuming the backup has been uploaded to root's home directory:

[root@localhost ~]# tar zxvf /root/commands.tar.gz  ← extract the command backup

[root@localhost ~]# /usr/local/chkrootkit/chkrootkit -p /root/commands|grep INFECTED ← run chkrootkit with the backed-up commands
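A scripted version of the command backup above, added here as an example and not taken from the page. Besides copying the commands it records a SHA-256 hash of each one, so that the live commands can later be compared with the backup: a CHANGED line is exactly the situation the section warns about, a system command chkrootkit relies on having been replaced. It assumes sha256sum is available, uses the page's command list, and takes the search path and backup directory as arguments so the functions can be exercised on any directory.

```shell
#!/bin/sh
# Added example (not from the original page): command backup with a hash
# manifest, and a check of the live commands against that manifest.
# Assumptions: sha256sum present; command list as on the page.
PATH=/usr/bin:/bin

COMMANDS="awk cut echo egrep find head id ls netstat ps strings sed uname"

# Resolve command $1 to an executable file on the colon-separated path $2,
# ignoring shell builtins and aliases (what which --skip-alias does on the page).
path_of() (
    IFS=:
    for d in $2; do
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
            echo "$d/$1"
            exit 0
        fi
    done
    exit 1
)

# Copy the commands in list $3 (default COMMANDS), looked up on path $2, into
# directory $1 and write $1/MANIFEST with "sha256  name  original-path" lines.
# Commands not found are reported on stderr and skipped. Prints the number copied.
snapshot_commands() {
    dest="$1"; search="$2"; n=0
    mkdir -p "$dest"
    : > "$dest/MANIFEST"
    for c in ${3:-$COMMANDS}; do
        src=$(path_of "$c" "$search") || { echo "skip: $c not found" >&2; continue; }
        cp -p "$src" "$dest/$c"
        printf '%s  %s  %s\n' "$(sha256sum < "$src" | cut -d' ' -f1)" "$c" "$src" \
            >> "$dest/MANIFEST"
        n=$((n + 1))
    done
    echo "$n"
}

# Re-hash the live command at every path recorded in manifest $1.
# Prints "CHANGED name path" or "MISSING name path" for each discrepancy;
# returns 0 only when every command is unchanged.
verify_commands() {
    manifest="$1"; bad=0
    while read -r hash name src; do
        [ -n "$hash" ] || continue
        if [ ! -f "$src" ]; then
            echo "MISSING $name $src"; bad=$((bad + 1)); continue
        fi
        cur=$(sha256sum < "$src" | cut -d' ' -f1)
        if [ "$cur" != "$hash" ]; then
            echo "CHANGED $name $src"; bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# usage (as root, before the server goes public), mirroring the page:
#   snapshot_commands /root/commands /usr/bin:/bin:/usr/sbin:/sbin
#   tar czf /root/commands.tar.gz /root/commands   # then copy off-host and delete
# later, to check the host and run chkrootkit with the trusted copies:
#   verify_commands /root/commands/MANIFEST
#   /usr/local/chkrootkit/chkrootkit -p /root/commands | grep INFECTED
```

The manifest only has value if it is kept off the server together with the archive, as the page does with SCP: a copy left on the host can be edited by the same intruder who replaced the commands.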