


Linux系统jailkit安装配置使用方法

时间:2016-06-14 编辑:简简单单 来源:一聚教程网

jailkit实战

jailkit 是一款能够在 chroot jail 中快速创建受限用户帐户的工具集。它包含一个安全的日志守护进程、可对用户加以限制的 shell,以及用于启动和配置 chroot jail 内守护进程的工具。

简单说明

1、由Nginx处理http请求,nginx运行属主身份为www:www,执行php代理到后端php-fpm,php-fpm负责管理各用户间的php进程,用户运行php的组权限为nobody
2、默认为每个用户提供了SSH,方便用户直接进行管理。限定各SSH用户只能访问家目录的文件,访问系统级命令和访问其他非属主身份的路径显示为无权限。
3、关于用户目录权限的说明,建立的用户属主身份为user:nobody,家目录自身权限:drwxr-x--x,其创建的目录权限设置为drwx---r-x,文件权限设定为-rw----r--。(user为当前用户)
4、通过设定系统umask及ftp服务umask,确保用户家目录下创建的文件权限为-rw----r--,目录权限为drwx---r-x

前提:已经安装好了LNMP

下载安装jailkit

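# Build and install jailkit 2.11 from source, then register its init script.
# Runs as root; every step below must succeed before the next one runs.
set -euo pipefail

cd /soft

# The tarball is fetched over plain HTTP and then built and installed as root,
# so its integrity must be verified before `make install`. JAILKIT_SHA256 is a
# placeholder: set it to the digest the jailkit project publishes for
# jailkit-2.11.tar.gz (the download aborts if it is not set).
wget -c http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
printf '%s  %s\n' \
  "${JAILKIT_SHA256:?set to the published sha256 of jailkit-2.11.tar.gz}" \
  jailkit-2.11.tar.gz | sha256sum -c -

tar zxvf jailkit-2.11.tar.gz
cd jailkit-2.11

./configure
make && make install

# Install the bundled SysV init script and enable it at boot (chkconfig is the
# RHEL/CentOS service registration tool this tutorial targets).
cp extra/jailkit /etc/init.d/
chmod 755 /etc/init.d/jailkit
chkconfig jailkit on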

初始化chroot环境,创建个chroot目录:

# Create the jail root and populate it with the tools jailed users may run.

# The jail root stays owned by root and is not writable by anyone else
# (751: owner rwx, group r-x, others --x); a jail directory that jailed
# users could write to would undermine the chroot itself.
mkdir -p /home/chroot
chown root:root /home/chroot
chmod 751 /home/chroot

# Install the named jk_init profiles (binaries plus their libraries) into the jail.
jk_init -v -j /home/chroot sftp scp jk_lsh netutils extendedshell

# Extra programs not covered by the profiles; jk_cp copies each binary
# together with the libraries it depends on.
for extra_bin in /usr/bin/id /usr/bin/unzip /usr/bin/zip; do
  jk_cp -v /home/chroot "$extra_bin"
done
 

创建系统用户

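# Create the system user and move it into the jail.
set -euo pipefail

# -m creates the home directory (/home/www before jailing).
useradd www -m

# Take the password from the environment rather than a literal on the command
# line: a literal lands in the shell history and in any `set -x` trace.
# WWW_PASSWORD is a placeholder; the original used the trivially guessable
# "123456", which must not survive into a real deployment.
printf '%s:%s\n' www "${WWW_PASSWORD:?set to the password for user www}" | chpasswd

# Jail the account: the host /etc/passwd entry becomes
# home=/home/chroot/./home/www shell=/usr/sbin/jk_chrootsh, while the jail's
# own /etc/passwd gets home=/home/www shell=/bin/bash (see the grep checks
# that follow in the tutorial). -m moves the existing home directory into the jail.
# NOTE(review): www is also the account nginx and the php-fpm pool run as, so
# the web processes and the SSH login share one identity - confirm that is intended.
jk_jailuser -m -n -j /home/chroot/ --shell=/bin/bash www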


检查   

[root@localhost chroot]# grep www /home/chroot/etc/passwd
 
www:x:503:503::/home/www:/bin/bash
 
[root@localhost chroot]# grep www /etc/passwd
 
www:x:503:503::/home/chroot/./home/www:/usr/sbin/jk_chrootsh
 

创建php-fpm配置文件

[root@localhost etc]# cat /application/php-5.3.29/etc/php-fpm.conf
 
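; php-fpm master configuration. Pool definitions live in separate files that
; are pulled in here (path presumably relative to the PHP prefix,
; /application/php-5.3.29 on this host).
include=etc/fpm.d/*.conf

[global]
; NOTE(review): /tmp is world-writable, so any local user can pre-create or
; symlink this pid file before php-fpm starts; a directory only root can write
; (e.g. the prefix's var/run) is the usual choice.
pid = /tmp/php-fpm.pid
error_log = log/php-fpm.log
; Accepted values: alert, error, warning, notice, debug. The original spelled
; this "waring", which php-fpm does not accept as a log level.
log_level = warning
emergency_restart_threshold = 10
process_control_timeout = 5s
process.max = 500
daemonize = yes
rlimit_files = 51200
rlimit_core = 0
events.mechanism = epoll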
 

b.创建php-fpm pool

# Pool files are picked up by the include= line in php-fpm.conf; create the
# directory it points at and show the pool definition that goes into it.
mkdir -p -- /application/php-5.3.29/etc/fpm.d

cat -- /application/php-5.3.29/etc/fpm.d/default.conf
 
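; php-fpm pool for the jailed site. Workers run as www:nobody and chroot to
; /home/chroot, so every filesystem path in the php_* settings below is
; resolved inside the jail (host path /home/chroot/...).
[www]

; TCP listener on loopback; only local clients are accepted.
listen = 127.0.0.1:9001
;listen = /usr/local/php5.4/var/run/php-fpm-www.sock
listen.allowed_clients = 127.0.0.1
; listen.mode/owner/group only take effect for the (commented-out) unix socket.
; 0666 would let any local user talk to the pool if that socket is ever
; enabled; 0660 owned by the nginx user is the tighter setting in that case.
listen.mode = 0666
listen.owner = www
listen.group = nobody

; Worker identity - the same account the tutorial creates as an SSH user.
user = www
group = nobody

; The directories referenced below (/var/www/tmp, /var/www/logs, the
; open_basedir entries) must exist inside the jail, i.e. as
; /home/chroot/var/www/tmp etc. on the host; this page does not show them
; being created.
chroot = /home/chroot

; Choose how the process manager will control the number of child processes.
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5
pm.max_requests = 1000
request_terminate_timeout = 30s

; Pass environment variables
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/bin
env[TMP] = /var/www/tmp
env[TMPDIR] = /var/www/tmp
env[TEMP] = /var/www/tmp

; Specific php ini settings here
; The sendmail binary is looked up inside the chroot as well.
php_value[sendmail_path] = "/usr/sbin/sendmail -t -i -f noreply@evlit.com"
; NOTE(review): /proc in open_basedir lets scripts read process and kernel
; information; drop it unless something actually needs it. The tutorial later
; appends /home/www so the site directory itself is reachable.
php_admin_value[open_basedir] = ".:/var/www:/proc:/tmp"
php_value[include_path] = ".:/var/www:/var/www/include"
php_value[axis2.log_path] = "/var/www/tmp"
php_value[session_pgsql.sem_file_name] = "/var/www/tmp/php_session_pgsql"
php_value[soap.wsdl_cache_dir] = "/var/www/tmp"
php_value[uploadprogress.file.filename_template] = "/var/www/tmp/upt_%s.txt"
php_value[xdebug.output_dir] = "/var/www/tmp"
php_value[xdebug.profiler_output_dir] = "/var/www/tmp"
php_value[xdebug.trace_output_dir] = "/var/www/tmp"
; The original list contained "popepassthru", almost certainly a typo for
; popen (passthru is already listed) - as written it disabled neither, so
; popen stayed callable. Corrected to popen.
php_admin_value[disable_functions] = "exec,system,passthru,shell_exec,ini_alter,dl,proc_open,proc_exec,proc_close,chroot,scandir,chgrp,chown,ini_restore,dbmopen,dbase_open,curl_multi_exec,multi_exec,gzinflate,parse_ini_file,show_source,escapeshellarg,escapeshellcmd,stream_socket_server,popen,pfsockopen,set_time_limit"

; UPLOAD
php_admin_flag[file_uploads] = On
php_admin_value[upload_tmp_dir] = "/var/www/tmp"
;Maximum allowed size for uploaded files.
php_admin_value[upload_max_filesize] = "50M"
; php_admin_value cannot be overridden by scripts; the php_value[max_input_time]
; further down is therefore redundant with this one.
php_admin_value[max_input_time] = "120"
php_admin_value[post_max_size] = "50M"

; LOGS
php_admin_value[error_log] = "/var/www/logs/error.log"
php_admin_value[log_errors] = On
php_admin_value[display_errors] = Off
php_admin_value[html_errors] = Off
php_admin_value[display_startup_errors] = Off
php_admin_value[define_syslog_variables] = "1"
php_value[error_reporting] = "6143"

; Maximum amount of time each script may spend parsing request data
; (already fixed by the php_admin_value above).
php_value[max_input_time] = "120"

; Maximum execution time of each script, in seconds (30)
php_value[max_execution_time] = "300"

; Maximum amount of memory a script may consume (8MB)
php_value[memory_limit] = "128M"

; Sessions: IMPORTANT reactivate garbage collector on Debian!!!
php_value[session.gc_maxlifetime] = "3600"
php_admin_value[session.gc_probability] = "1"
php_admin_value[session.gc_divisor] = "100"

; SECURITY
php_admin_value[session.auto_start] = Off
php_admin_value[mbstring.http_input] = pass
php_admin_value[mbstring.http_output] = pass
php_admin_value[mbstring.encoding_translation] = Off
php_admin_value[expose_php] = Off
; NOTE(review): allow_url_fopen lets file functions open http:// URLs; keep it
; On only if the application needs it, since it widens the impact of any
; user-controlled path reaching include/fopen.
php_admin_value[allow_url_fopen] = On
php_admin_value[variables_order] = PGCSE
; enforce filling PATH_INFO & PATH_TRANSLATED
; and not only SCRIPT_FILENAME
; With fix_pathinfo=1 nginx must verify the requested script exists
; (try_files ... =404) so that a non-PHP file with a trailing "/x.php" path
; component is not handed to php-fpm; security.limit_extensions (default .php)
; is the second line of defence.
php_admin_value[cgi.fix_pathinfo] = "1"
; 1: will use PATH_TRANSLATED instead of SCRIPT_FILENAME
php_admin_value[cgi.discard_path] = "0"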
 

网站实际的根目录:

/home/chroot/home/www


php-fpm pool设置

[root@localhost 123]# grep ^chroot /application/php-5.3.29/etc/fpm.d/default.conf

chroot = /home/chroot

nginx.conf配置

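# Static files are served straight from the host-side path of the site.
location / {
    root   /home/chroot/home/www;
    index  index.html index.htm;
}

# PHP is handed to the chrooted php-fpm pool on 127.0.0.1:9001.
location ~ \.php$ {
    root           /home/chroot;
    # Only forward requests whose script really exists on disk. try_files
    # resolves relative to root, so /home/www$uri is the host path
    # /home/chroot/home/www$uri - the same file SCRIPT_FILENAME names from
    # inside the chroot. The pool sets cgi.fix_pathinfo=1, so without this
    # check a request for an existing non-PHP file with a trailing "/x.php"
    # component could be interpreted as PHP; security.limit_extensions is
    # the other safeguard, and both should be in place.
    try_files      /home/www$uri =404;
    fastcgi_pass   127.0.0.1:9001;
    fastcgi_index  index.php;
    # Path as seen by the php-fpm workers, which chroot to /home/chroot.
    fastcgi_param  SCRIPT_FILENAME  /home/www$fastcgi_script_name;
    include        fastcgi_params;
}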

[root@localhost conf]# grep 'php_admin_value\[open_basedir\]' /application/php-5.3.29/etc/fpm.d/default.conf

php_admin_value[open_basedir] = ".:/var/www:/proc:/tmp:/home/www"

这样,网站的安全性就相对提高了不少
