Strengthening common security services

2 Case 2: strengthening common security services

2.1 Problem

This case hardens the configuration of common network services. The tasks are:

  1. Harden the Nginx configuration
  2. Harden the MySQL database configuration
  3. Harden the Tomcat configuration

2.2 Approach

Nginx hardening covers: removing unneeded modules, changing the version string, limiting the request rate, rejecting unwanted request methods, and bounding per-connection buffers.
MySQL hardening covers: running the secure-installation script, password handling, backup and restore, and protecting data in transit.
Tomcat hardening covers: hiding version information, starting the service as an unprivileged user, and deleting the default applications.

2.3 Steps

This case is completed in the following steps.

Step one: hardening the Nginx configuration

1) Remove unnecessary modules
Nginx is modular, and which modules are built in is decided at compile time: --with-<module> enables an optional module and --without-<module> disables one that is on by default. Install the smallest set of modules you need; a module that is not compiled in is code an attacker cannot reach.
Example of disabling two modules at build time:

[root@proxy ~]# tar -xf nginx-1.12.tar.gz
[root@proxy ~]# cd nginx-1.12
[root@proxy nginx-1.12]# ./configure \
>--without-http_autoindex_module \            // disable the automatic directory listing module
>--without-http_ssi_module                    // disable server-side includes
[root@proxy nginx-1.12]# make
[root@proxy nginx-1.12]# make install

2) Change the version information and hide the exact version number
By default Nginx reports its name and version number in the Server response header. That helps an attacker match the server against vulnerabilities known for that exact version.
To stop the version number being sent, set server_tokens off:

[root@proxy ~]# vim /usr/local/nginx/conf/nginx.conf
… …
http{
     server_tokens off;                            // add this line manually under http
     … …
}
[root@proxy ~]# nginx -s reload
[root@proxy ~]# curl -I http://192.168.4.5          // inspect the response headers sent by the server

The Server header still shows the software name nginx. That string is compiled in, so changing it requires editing the source and rebuilding:

[root@proxy nginx-1.12]# vim +48 src/http/ngx_http_header_filter_module.c
//note: this vim command must be run inside the nginx-1.12 source directory!
//the file looks like this before the change:
static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
//and like this after our change:
static u_char ngx_http_server_string[] = "Server: Jacob" CRLF;
static u_char ngx_http_server_full_string[] = "Server: Jacob" CRLF;
static u_char ngx_http_server_build_string[] = "Server: Jacob" CRLF;
//after the change, rebuild and reinstall Nginx; the Server header will then say Jacob instead of nginx
[root@proxy nginx-1.12]# ./configure            //pass the same --without options as in step 1, or the modules disabled there come back
[root@proxy nginx-1.12]# make && make install
[root@proxy nginx-1.12]# killall nginx
[root@proxy nginx-1.12]# /usr/local/nginx/sbin/nginx            //start the service
[root@proxy nginx-1.12]# curl -I http://192.168.4.5            //check the Server header

3) Limit the request rate
In a DDoS attack the attacker opens a large number of concurrent connections and ties up server resources (connection slots, bandwidth and so on), so legitimate users wait or cannot reach the server at all.
Nginx provides the ngx_http_limit_req_module, which caps the request rate per client key and reduces the risk of such attacks. Configure it as follows:

[root@proxy ~]# vim /usr/local/nginx/conf/nginx.conf
… …
http{
… …
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    server {
        listen 80;
        server_name localhost;
        limit_req zone=one burst=5;
            }
}
//notes:
//the limit_req_zone syntax is:
//limit_req_zone key zone=name:size rate=rate;
//above, client IP addresses are tracked in a shared memory zone named one, 10 MB in size
//1 MB holds about 8 thousand IP states, so 10 MB holds about 80 thousand hosts; adjust the size as needed
//only 1 request per second per IP is accepted; excess requests are queued in the leaky bucket
//once more than 5 are queued, further requests are rejected (503 by default)
[root@proxy ~]# /usr/local/nginx/sbin/nginx -s reload

Test from the client with ab. With rate=1r/s and burst=5, only the first request plus the five queued in the burst complete; the other 94 are rejected with 503, which ab reports as Non-2xx responses:

[root@client ~]# ab -c 100 -n 100  http://192.168.4.5/

4) Reject unwanted request methods
HTTP defines many request methods that clients can use to reach resources on a server, but in practice most applications only need GET and POST.
The meaning of each HTTP request method is shown in the table.

Before changing the server configuration, test from the client with different methods:

[root@client ~]# curl -i -X GET  http://192.168.4.5            //works
[root@client ~]# curl -i -X HEAD http://192.168.4.5            //works
//curl options:
//-i: show the HTTP response headers along with the page
//-X: set the request method

Nginx can reject unwanted request methods with the following configuration:

[root@proxy ~]# vim /usr/local/nginx/conf/nginx.conf
http{
       server {
                 listen 80;
#here ! negates the regular-expression match and ~ is the regex match operator
#if a client uses any method other than GET or POST, return 444: Nginx closes the connection without sending a response
              if ($request_method !~ ^(GET|POST)$ ) {
                     return 444;
               }    
        }
}
[root@proxy ~]# /usr/local/nginx/sbin/nginx -s reload

After changing the server configuration, test again from the client; note that HEAD is now rejected as well:

[root@client ~]# curl -i -X GET  http://192.168.4.5            //works
[root@client ~]# curl -i -X HEAD http://192.168.4.5            //fails: curl reports an empty reply from the server

5) Bound the buffer sizes
When a client connects, the server allocates several buffers to hold the state of that connection.
If an attacker opens a large number of connections and the server does not bound those buffers, memory can be exhausted.
Adjusting the buffer directives in the Nginx configuration bounds the memory each connection can make the server allocate. The values below are deliberately tiny for the exercise: with client_max_body_size 1k any request body larger than 1 KiB is refused with 413, so in production size them to what the application actually needs.

[root@proxy ~]# vim /usr/local/nginx/conf/nginx.conf
http{
client_body_buffer_size  1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
 … …
}
[root@proxy ~]# /usr/local/nginx/sbin/nginx -s reload
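The four configuration measures above assembled into one minimal nginx.conf, as an added example that is not part of the original page. The listen port, server_name, document root and buffer values are assumptions chosen for a small static site: the page's 1k values are replaced with ones that leave room for an ordinary HTML form, HEAD is allowed alongside GET and POST because monitoring tools rely on it, and limit_req_status (available since Nginx 1.3.15) makes rate-limited requests return 429 instead of the default 503 so they are easy to tell apart from a genuinely overloaded backend.

```nginx
events {
    worker_connections 1024;
}

http {
    # 2) do not send the version number (Server: nginx instead of Server: nginx/1.12.x)
    server_tokens off;

    # 3) shared zone "one": 10 MB of per-IP state, 1 request per second per client
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    limit_req_status 429;                  # rejected requests get 429 instead of 503

    # 5) bound what a single connection can make the server allocate
    client_header_buffer_size   1k;
    large_client_header_buffers 2 4k;
    client_body_buffer_size     16k;
    client_max_body_size        64k;       # larger bodies get 413; raise this for upload endpoints

    server {
        listen 80;
        server_name localhost;
        root /usr/local/nginx/html;

        # 4) GET, HEAD and POST only; 444 closes the connection without a response
        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 444;
        }

        # 3) queue at most 5 requests above the rate, reject everything beyond that
        limit_req zone=one burst=5;

        location / {
            index index.html;
        }
    }
}
```

Check it with `nginx -t` before reloading; a typo in any of these directives leaves the old configuration running.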

Step two: database security

1) Run the secure-installation script
After installing MariaDB or MySQL, root has no password and a database named test exists that anyone can use. The mysql_secure_installation script sets a root password, disables root logins from remote hosts, removes the anonymous accounts and drops the test database.

[root@proxy ~]# systemctl status mariadb
//make sure the service is running
[root@proxy ~]# mysql_secure_installation
//run the initial hardening script

2) Password security
Changing the MariaDB or MySQL password by hand:

[root@proxy ~]# mysqladmin -uroot -predhat password 'mysql'
//change the password: old password redhat, new password mysql
[root@proxy ~]# mysql -uroot -pmysql
MariaDB [(none)]>set password for root@'localhost'=password('redhat');
//log in with the account and change the password again (back to redhat)
MariaDB [(none)]> select user,host,password from mysql.user;
+------+-----------+-------------------------------------------+
| user | host      | password                                  |
+------+-----------+-------------------------------------------+
| root | localhost | *84BB5DF4823DA319BBF86C99624479A198E6EEE9 |
| root | 127.0.0.1 | *84BB5DF4823DA319BBF86C99624479A198E6EEE9 |
| root | ::1       | *84BB5DF4823DA319BBF86C99624479A198E6EEE9 |
+------+-----------+-------------------------------------------+

The password change succeeded and the stored password is hashed. So what is the problem? The problem is that the plaintext password has been written to history files:

[root@proxy ~]# cat .bash_history
mysqladmin -uroot -pxxx password 'redhat'
//a password changed on the command line is recorded by bash in its history, in plaintext
[root@proxy ~]# cat .mysql_history 
set password for root@'localhost'=password('redhat');
select user,host,password from mysql.user;
flush privileges;
//the mysql client keeps its own history of every statement, and the plaintext password is recorded there too

The binary log (binlog) also used to record such passwords in plaintext; MySQL 5.6 started masking them.
What to do about it?
Manage your own history files and never put the password on the command line, use version 5.6 or later, keep the logs and audit them so you can find who did what, and use firewall ACLs at the TCP layer so the database is not reachable from outside networks.
3) Data backup and restore
First, back up the database (user name root, password redhat). Note that -predhat on the command line has the same exposure as in the previous step: it lands in the shell history and is visible in ps output while the command runs.

[root@proxy ~]# mysqldump -uroot -predhat mydb table > table.sql
//back up one table of a database
[root@proxy ~]# mysqldump -uroot -predhat mydb > mydb.sql
//back up one database
[root@proxy ~]# mysqldump -uroot -predhat --all-databases > all.sql
//back up all databases

Next, restore (user name root, password redhat):

[root@proxy ~]# mysql -uroot -predhat mydb  < table.sql            //restore the table
[root@proxy ~]# mysql -uroot -predhat mydb  < mydb.sql            //restore the database
[root@proxy ~]# mysql -uroot -predhat < all.sql                    //restore all databases
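The two password steps above (keeping the password out of the command line and history, and the backup commands that still pass -predhat) as one added shell example that is not part of the original page. It writes a [client] option file that the mysql, mysqladmin and mysqldump clients read on their own, checks that the file is readable by its owner only, and audits a history file for lines that already carry a plaintext password. The option-file path and the history files are whatever the caller passes; the "demo" argument and the user/password values are placeholders.

```sh
#!/bin/sh
# Added example, not from the original page: keep the database password out of
# the command line and the history files shown above, and audit those files
# for passwords that already leaked. The option file is written wherever the
# caller says; the audit reads whatever history file it is given.
set -u

# Write a [client] option file. mysql, mysqladmin and mysqldump read ~/.my.cnf
# automatically (any other path via --defaults-extra-file=FILE), so the password
# never appears as -p<password> in ps output or in .bash_history.
write_client_cnf() {            # usage: write_client_cnf FILE USER PASSWORD
    ( umask 077                 # subshell: file is created 0600 without changing the caller's umask
      printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"              # owner read/write only, even if the file already existed
}

# Succeeds only when the option file is readable by its owner alone.
cnf_mode_ok() {                 # usage: cnf_mode_ok FILE
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Count history lines that carry a plaintext database password: -p<secret> on a
# mysql/mysqladmin/mysqldump command, SET PASSWORD ... PASSWORD('...'), or
# GRANT ... IDENTIFIED BY '...'. A bare "-p" (which prompts) is not counted, and
# the -p match is case-sensitive so that -P<port> is not reported as a leak.
count_leaked_passwords() {      # usage: count_leaked_passwords HISTORY_FILE
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Ec -e 'mysql(admin|dump)?.* -p[^[:space:]]' \
             -e "[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd][[:space:]]*\('" \
             -e "[Ii][Dd][Ee][Nn][Tt][Ii][Ff][Ii][Ee][Dd] [Bb][Yy][[:space:]]*'" "$1" || true
    # grep -c prints 0 when nothing matches; "|| true" keeps that a success
}

# Demonstration: "sh this_script.sh demo". In real use point write_client_cnf at
# $HOME/.my.cnf, then run the page's backups without -u/-p at all, e.g.
#   mysqldump --all-databases > all.sql
# and add to ~/.bashrc:
#   export MYSQL_HISTFILE=/dev/null   # the mysql client then keeps no history
#   export HISTCONTROL=ignorespace    # bash skips commands typed with a leading space
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_client_cnf "$tmp/my.cnf" root redhat
    cnf_mode_ok "$tmp/my.cnf" && echo "option file mode ok"
    for h in "$HOME/.bash_history" "$HOME/.mysql_history"; do
        echo "$h: $(count_leaked_passwords "$h") line(s) with a plaintext password"
    done
    rm -rf "$tmp"
fi
```

Run the audit once on every administrator's history before rotating the passwords it finds; a hash in mysql.user does not help when the plaintext is sitting in a world-readable home directory backup.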

4) Data security
On the server (192.168.4.5), create a database account:

[root@proxy ~]# mysql -uroot -predhat
//log in to the database as the administrator
MariaDB [(none)]> grant all on *.* to tom@'%' identified by '123';
//create a new account tom, allowed to connect from any host

Capture packets with tcpdump on the server (192.168.4.5):

[root@proxy ~]# tcpdump -w log -i any src or dst port 3306
//capture packets whose source or destination port is 3306 and save them to the file log

From the client (192.168.4.100), log in to the remote database server (192.168.4.5):

[root@client ~]# mysql -utom -p123 -h 192.168.4.5
//on 192.168.4.100, use the mysql client to log in to the remote server 192.168.4.5
//user name tom, password 123
MariaDB [(none)]> select * from mysql.user;
//once logged in, run any query

Back on the server, read the captured packets:

[root@proxy ~]# tcpdump -A -r log
//print the capture in ASCII: the query and much of the returned data appear in plaintext

How to solve this?
Either connect to the server over SSH first and use the database locally, so that database traffic never crosses the network (you do not know who is capturing on it).
Or enable SSL on the MySQL server, as HTTPS does for HTTP: MySQL and MariaDB support SSL/TLS natively, so everything on the wire is encrypted.
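An added example, not from the original page, of the second remedy: the account tom re-created so that it can reach only one database, from only one client host, and only over TLS. It assumes the server already has ssl-ca, ssl-cert and ssl-key set under [mysqld] (a self-signed CA is enough for the lab) and uses the GRANT ... IDENTIFIED BY ... REQUIRE SSL form that MariaDB 5.5/10.x and MySQL 5.x both accept; the database name mydb and the password are placeholders.

```sql
-- remove the page's over-broad account (all privileges, any host, plaintext allowed)
DROP USER tom@'%';

-- least privilege: four DML rights on one database, from one host, TLS required
GRANT SELECT, INSERT, UPDATE, DELETE ON mydb.* TO tom@'192.168.4.100'
    IDENTIFIED BY 'replace-with-a-long-random-password' REQUIRE SSL;
FLUSH PRIVILEGES;

-- on the server: must say YES, otherwise REQUIRE SSL locks tom out entirely
SHOW VARIABLES LIKE 'have_ssl';

-- confirm the host and TLS restriction were stored (ssl_type = ANY means REQUIRE SSL)
SELECT user, host, ssl_type FROM mysql.user WHERE user = 'tom';

-- on the client, after  mysql -utom -p -h 192.168.4.5 --ssl  (MySQL 5.7+: --ssl-mode=REQUIRED):
-- a non-empty cipher means the tcpdump capture above now shows only ciphertext
SHOW STATUS LIKE 'Ssl_cipher';
```

Repeat the tcpdump capture from the page after this change: the login and the query should no longer be readable with tcpdump -A, and a client that connects without --ssl is refused before it can send a statement.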

Step three: Tomcat security

1) Hide the version information by changing Tomcat's configuration
Before the change, query the server's version information from the client.
Note: here the proxy host 192.168.2.5 acts as the client and accesses the server 192.168.2.100.

[root@proxy ~]# curl -I http://192.168.2.100:8080/xx        
//request a page that does not exist and look at the headers
[root@proxy ~]# curl -I http://192.168.2.100:8080    
//request a page that exists and look at the headers
[root@proxy ~]# curl http://192.168.2.100:8080/xx
//request a page that does not exist and look at the error page body

Change the Tomcat configuration to alter the version strings (on 192.168.2.100):

[root@web1 tomcat]# yum -y install java-1.8.0-openjdk-devel        //provides the jar command
[root@web1 tomcat]# cd /usr/local/tomcat/lib/
[root@web1 lib]# jar -xf catalina.jar
//unpacks the jar into lib/; the unpacked copy takes precedence because ${catalina.base}/lib is listed before lib/*.jar in common.loader (conf/catalina.properties)
[root@web1 lib]# vim org/apache/catalina/util/ServerInfo.properties 
//edit server.info, server.number and server.built to whatever you want reported
[root@web1 lib]# /usr/local/tomcat/bin/shutdown.sh        //stop the service
[root@web1 lib]# /usr/local/tomcat/bin/startup.sh        //start the service

After the change, check the version information again from the client (on 192.168.2.5):

[root@proxy ~]# curl -I http://192.168.2.100:8080/xx        
//request a page that does not exist and look at the headers
[root@proxy ~]# curl -I http://192.168.2.100:8080    
//request a page that exists and look at the headers
[root@proxy ~]# curl http://192.168.2.100:8080/xx
//request a page that does not exist and look at the error page body

Edit the Tomcat server configuration once more and add the server attribute to the connector; it sets the value of the Server response header (on 192.168.2.100):

[root@web1 lib]# vim /usr/local/tomcat/conf/server.xml
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"  redirectPort="8443" server="jacob" />
[root@web1 lib]# /usr/local/tomcat/bin/shutdown.sh        //stop the service
[root@web1 lib]# /usr/local/tomcat/bin/startup.sh        //start the service

After the change, check the version information again from the client (on 192.168.2.5):

[root@proxy ~]# curl -I http://192.168.2.100:8080/xx        
//request a page that does not exist and look at the headers
[root@proxy ~]# curl -I http://192.168.2.100:8080    
//request a page that exists and look at the headers
[root@proxy ~]# curl http://192.168.2.100:8080/xx
//request a page that does not exist and look at the error page body

2) Start the service as an unprivileged user
By default Tomcat is started as the system administrator root. Start it as an ordinary user instead. Note that the chown -R below gives that user write access to the whole tree, bin/ and conf/ included; the service only needs to write logs/, temp/, work/ and webapps/, and a compromised web application that can rewrite server.xml or the jars in lib/ is much harder to contain.

[root@web1 ~]# useradd tomcat
[root@web1 ~]# chown -R tomcat:tomcat /usr/local/tomcat/
//give the tomcat account ownership of the Tomcat directory
[root@web1 ~]# su -c /usr/local/tomcat/bin/startup.sh tomcat
//use su to switch to the tomcat account and start Tomcat as that user
[root@web1 ~]# chmod +x /etc/rc.local                //this file runs at boot
[root@web1 ~]# vim /etc/rc.local                     //edit the file and add the following line
su -c /usr/local/tomcat/bin/startup.sh tomcat

3) Delete the default applications
The stock webapps/ directory ships ROOT, docs, examples, manager and host-manager. None of them belongs on a production server: they add attack surface, and manager in particular lets whoever holds its credentials deploy arbitrary WAR files. Remove them all and deploy only your own application:

[root@web1 ~]# rm -rf  /usr/local/tomcat/webapps/*
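Two helpers for the Tomcat steps above, as an added shell example that is not part of the original page: rewrite_server_info edits the version keys in the ServerInfo.properties file extracted from catalina.jar (step 1), and harden_tomcat_tree applies a least-privilege layout in place of "chown -R tomcat:tomcat" (step 2): bin/, conf/ and lib/ stay owned by an admin account and read-only for the service group, and only logs/, temp/, work/ and webapps/ are owned by the account that runs Tomcat. The paths, the account names and the product name Jacob are taken from the page as assumptions; the "demo" argument is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original page: hide Tomcat's version strings and
# give the service account write access only where it needs it.
set -u

# Rewrite the three version keys of org/apache/catalina/util/ServerInfo.properties
# in place. $2 must not contain "/" because it is spliced into a sed expression.
rewrite_server_info() {     # usage: rewrite_server_info PROPERTIES_FILE NEW_NAME
    sed -e "s/^server\.info=.*/server.info=$2/" \
        -e 's/^server\.number=.*/server.number=0.0.0.0/' \
        -e 's/^server\.built=.*/server.built=unknown/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

harden_tomcat_tree() {      # usage: harden_tomcat_tree /usr/local/tomcat root tomcat tomcat
    root=$1; admin=$2; svc=$3; grp=$4
    chown -R "$admin:$grp" "$root"
    find "$root" -type d -exec chmod 750 {} +     # admin rwx, service group rx, others nothing
    find "$root" -type f -exec chmod 640 {} +     # admin rw, service group read-only
    for f in "$root"/bin/*.sh; do                 # start/stop scripts must stay executable
        [ -f "$f" ] && chmod 750 "$f"
    done
    for d in logs temp work webapps; do           # the only places Tomcat needs to write
        [ -d "$root/$d" ] || mkdir -p "$root/$d"
        chown -R "$svc:$grp" "$root/$d"
        chmod 750 "$root/$d"
    done
}

# Succeeds when nothing under the tree is writable by group or others.
no_group_world_write() {    # usage: no_group_world_write /usr/local/tomcat
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print | head -n 1)" ]
}

# Demonstration: "sh this_script.sh demo" as root on the real tree, then start
# Tomcat the way the page does: su -c /usr/local/tomcat/bin/startup.sh tomcat
if [ "${1:-}" = "demo" ]; then
    cd /usr/local/tomcat/lib
    jar -xf catalina.jar org/apache/catalina/util/ServerInfo.properties   # extract only that file
    rewrite_server_info org/apache/catalina/util/ServerInfo.properties Jacob
    harden_tomcat_tree /usr/local/tomcat root tomcat tomcat
    no_group_world_write /usr/local/tomcat && echo "tree is read-only for the service account"
fi
```

Because conf/ is now read-only for the tomcat account, the page's server="jacob" edit in server.xml and the ServerInfo.properties rewrite must be done as the admin user before the service is started; that is the point of the split.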
Origin blog.csdn.net/weixin_41176080/article/details/104290410