LAMP Platform Security Hardening: Configuring Basic Hardening for the LAMP Platform

3.1 Problem

This exercise requires configuring basic hardening of the LAMP platform on a CentOS 7 system, which involves the following tasks:

  1. Harden the MariaDB database
  2. Harden the httpd web site
  3. Harden the PHP web programming environment
  4. Other security measures, at your own discretion

3.2 Steps

Implementing this case requires the following steps.

Step 1: Harden the MariaDB database

1) Run the mysql_secure_installation script


[root@svr7 ~]# mysql_secure_installation             //start the secure installation script

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none)://enter the current password (blank by default)
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n]                 //press Enter to set a password for the root user
New password:                         //enter the new password, e.g. pwd@123
Re-enter new password:                 //enter the new password again
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]            //press Enter to remove the anonymous users
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]     //press Enter to forbid remote logins by the database root user
... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] //press Enter to drop the test database
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]             //press Enter to reload the privilege tables
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@svr7 ~]#                                 //configuration complete

2) Disable listening on the network port

Edit /etc/my.cnf and add a skip-networking line to the [mysqld] section:


[root@svr7 ~]# vim /etc/my.cnf
[mysqld]
skip-networking                             //add this line: do not listen on TCP at all
datadir=/var/lib/mysql                     //database storage directory
socket=/var/lib/mysql/mysql.sock             //Unix socket file through which the database service is provided
.. ..

Restart the MariaDB database service:


[root@svr7 ~]# systemctl restart mariadb     //restart the service
.. ..

Install the nmap scanning tool and probe port 3306 on the local host: the port now shows as closed, yet the local database service is still usable, because local clients connect through the Unix socket rather than TCP.


[root@svr7 ~]# yum -y install nmap
.. ..
Running transaction
正在安裝 : 2:nmap-6.40-19.el7.x86_64 1/1
驗證中 : 2:nmap-6.40-19.el7.x86_64 1/1

已安裝:
nmap.x86_64 2:6.40-19.el7

完畢!
[root@svr7 ~]# nmap -p 3306 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-25 22:36 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000031s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
3306/tcp closed mysql                         //the database port is now closed

Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds
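The following shell script is an added example and is not part of the original tutorial. It checks that skip-networking really sits in the [mysqld] section of a my.cnf-style file: a line placed under [mysqld_safe] or [client] has no effect on the server, so a plain grep would report a false pass. It runs against two constructed sample files; the function and file names are assumptions for this example, and passing a real path (e.g. /etc/my.cnf) to report_skip_networking audits an actual host.

```shell
#!/bin/sh
# Added example, not from the original tutorial: confirm that skip-networking
# sits in the [mysqld] section of a my.cnf-style file. Runs against
# constructed sample files; pass a real path to report_skip_networking.

# Usage: mysqld_has_option FILE OPTION
# Exit 0 if OPTION appears (as "option" or "option=value") inside [mysqld].
mysqld_has_option() {
    awk -v want="$2" '
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^\[/ { section = $0; next }                         # [mysqld], [client], ...
        section == "[mysqld]" && $0 != "" {
            split($0, kv, "=")
            key = kv[1]; gsub(/[ \t]+$/, "", key)
            gsub(/_/, "-", key)      # the server accepts skip_networking and skip-networking alike
            if (key == want) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Usage: report_skip_networking FILE -> prints a verdict, exit 0 only when hardened
report_skip_networking() {
    if mysqld_has_option "$1" "skip-networking"; then
        echo "$1: OK, [mysqld] has skip-networking (TCP listener disabled)"
        return 0
    fi
    echo "$1: WARNING, skip-networking is not set in [mysqld]"
    return 1
}

# --- constructed sample files (not real server configuration) ---
demo_dir=$(mktemp -d)

# hardened: the option is under [mysqld]
cat > "$demo_dir/good.cnf" <<'EOF'
[mysqld]
skip-networking
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
EOF

# common mistake: the option landed in the wrong section
cat > "$demo_dir/bad.cnf" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[mysqld_safe]
skip-networking
log-error=/var/log/mariadb/mariadb.log
EOF

report_skip_networking "$demo_dir/good.cnf"
report_skip_networking "$demo_dir/bad.cnf" || true
rm -rf "$demo_dir"
```

Because skip-networking removes the TCP listener entirely, every local client (including the PHP forum below) must reach the server through the socket; connecting to the host name localhost does exactly that on Linux, which is why the Discuz! configuration later in this exercise keeps working.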

3) Create a dedicated database user for the web forum

Grant the database user runbbs all privileges on the forum database ultrax (the default database of the Discuz! forum; if you changed it during installation, use the actual database name) and set its access password:


[root@svr7 ~]# mysql -uroot -ppwd@123            //connect to the local database
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.64-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> grant all on ultrax.* to runbbs@localhost identified by 'pwd@123';                                         //grant the user its privileges
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit                         //disconnect
Bye
[root@svr7 ~]#

Locate the database connection configuration in the Discuz! directory and change it to the dedicated account and password. Note: whenever the web application's database connection details change, the corresponding configuration must be updated, otherwise the web application may stop working.


[root@svr7 ~]# vim /var/www/html/bbs/config/config_global.php
<?php


$_config = array();

// ---------------------------- CONFIG DB ----------------------------- //
$_config['db']['1']['dbhost'] = 'localhost';
$_config['db']['1']['dbuser'] = 'runbbs';         //database user name
$_config['db']['1']['dbpw'] = 'pwd@123';             //database password
$_config['db']['1']['dbcharset'] = 'utf8';
$_config['db']['1']['pconnect'] = '0';
$_config['db']['1']['dbname'] = 'ultrax';
$_config['db']['1']['tablepre'] = 'pre_';
.. ..

It is also recommended to tighten the file permissions so that other users cannot read the file containing the password:


[root@svr7 ~]# chmod o-rwx /var/www/html/bbs/config/config_global.php

[root@svr7 ~]# ls -lh /var/www/html/bbs/config/config_global.php
-rw-r-----. 1 apache apache 4.8K 4月 25 22:44 /var/www/html/bbs/config/config_global.php

After updating the database connection details, confirm from a browser that the Discuz! forum is still usable, as shown in Figure 15.

Figure 15

Step 2: Harden the httpd web site

1) Security test of the default httpd site

Create a test subdirectory vod under the web root /var/www/html/ and create a few test files:


[root@svr7 ~]# mkdir /var/www/html/vod         //create the test directory
[root@svr7 ~]# cd /var/www/html/vod
[root@svr7 vod]# touch file1.mp4 file2.mp4     //create two test files
[root@svr7 vod]# ln -s / getroot.html         //create a symbolic link pointing at the root directory

Visiting http://<VM IP address>/vod/ from a browser lists every file in that directory (a directory index page is generated automatically by default), as shown in Figure 16.

Figure 16

Moreover, simply clicking getroot.html on that page exposes every file under the server's entire root directory (following symbolic links is allowed by default), as shown in Figure 17.

Figure 17

In addition, nmap can be used to detect the web service's software version, which makes it easier to choose further attack steps. By default, the httpd service reports detailed software version information.


[root@svr7 vod]# nmap -sV -p 80 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-25 23:05 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000027s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
                                //the scan result shows the httpd and PHP version information

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.09 seconds
[root@svr7 vod]#

Clearly, with the default settings the risk is considerable.

2) Basic hardening configuration

A few small changes to the httpd configuration eliminate the security risks described above.


[root@svr7 ~]# vim /etc/httpd/conf.d/sec.conf
ServerTokens Prod                     //show only the product name (the default Full shows everything)
ServerSignature off                     //add this line: no server version footer on server-generated pages
.. ..
<Directory "/var/www/html">
Options -Indexes -FollowSymLinks     //a leading - sign disables that option
.. ..
</Directory>

[root@svr7 ~]# systemctl restart httpd     //restart the service

3) Verify the hardening

Visit http://<VM IP address>/vod/ from a browser again: since there is no default index page and automatic listing is no longer allowed, a Forbidden error is returned, as shown in Figure 18.

Figure 18

Accessing http://<VM IP address>/vod/getroot.html directly is refused as well, since symbolic links are no longer followed, as shown in Figure 19.

Figure 19

Scanning the web server with nmap again shows that detailed version information is no longer revealed.


[root@svr7 ~]# nmap -sV -p 80 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-25 23:15 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000030s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd         
                                //the scan result no longer shows the httpd and PHP versions
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.10 seconds
[root@svr7 ~]#
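The following shell script is an added example and is not part of the original tutorial. It audits a single httpd configuration file for the three settings used above (ServerTokens Prod, ServerSignature Off, and Options with Indexes and FollowSymLinks disabled for a given <Directory> block) and runs against constructed sample files; the function names are assumptions for this example. It deliberately understands both Options syntaxes: the relative form with +/- merges with the value inherited from httpd.conf, which is why the -Indexes -FollowSymLinks line in sec.conf overrides the stock Options Indexes FollowSymLinks (conf.d is included after the main file), while the absolute form replaces the inherited list outright.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit one httpd config file.
# Directives spread across several included files are not merged here.

# Usage: httpd_directive FILE DIRECTIVE -> last uncommented value, lowercased ("" if absent)
httpd_directive() {
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                      # drop comments, re-split fields
        tolower($1) == d { v = tolower($2) }    # later occurrences win, as in httpd
        END { print v }
    ' "$1"
}

# Usage: httpd_dir_options FILE DIRPATH -> the Options arguments inside <Directory DIRPATH>
httpd_dir_options() {
    awk -v dir="$2" '
        { line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line) }
        tolower(line) ~ /^<directory[ \t]/ {
            block = line; gsub(/^<[Dd]irectory[ \t]+"?|"?>$/, "", block)
            inside = (block == dir); next
        }
        tolower(line) ~ /^<\/directory>/ { inside = 0; next }
        inside && tolower(line) ~ /^options[ \t]/ { sub(/^[Oo]ptions[ \t]+/, "", line); opts = line }
        END { print opts }
    ' "$1"
}

# Usage: option_disabled "OPTS" NAME -> exit 0 only if NAME is provably off.
# Relative syntax (+Name/-Name) merges with the inherited value, so only an
# explicit -Name counts; absolute syntax replaces it, so Name is off unless
# listed (or All). No Options line means inherited, which this cannot see.
option_disabled() {
    opts=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$opts" ] || return 1
    relative=0
    for o in $opts; do
        case "$o" in +*|-*) relative=1 ;; esac
    done
    for o in $opts; do
        lo=$(printf '%s' "$o" | tr 'A-Z' 'a-z')
        if [ "$relative" -eq 1 ]; then
            [ "$lo" = "-$want" ] && return 0
        else
            case "$lo" in "$want"|all) return 1 ;; esac
        fi
    done
    [ "$relative" -eq 0 ]
}

# Usage: audit_httpd FILE DIRPATH -> prints findings, returns the number of failures
audit_httpd() {
    fails=0
    tokens=$(httpd_directive "$1" ServerTokens)
    case "$tokens" in
        prod|productonly) echo "ServerTokens: OK ($tokens)" ;;
        *) echo "ServerTokens: FAIL (${tokens:-unset}; the default Full reveals versions)"; fails=$((fails + 1)) ;;
    esac
    sig=$(httpd_directive "$1" ServerSignature)
    if [ "$sig" = "off" ]; then echo "ServerSignature: OK"
    else echo "ServerSignature: FAIL (${sig:-unset})"; fails=$((fails + 1)); fi
    opts=$(httpd_dir_options "$1" "$2")
    for name in Indexes FollowSymLinks; do
        if option_disabled "$opts" "$name"; then echo "$name: OK (disabled for $2)"
        else echo "$name: FAIL (not disabled for $2; Options ${opts:-unset})"; fails=$((fails + 1)); fi
    done
    return $fails
}

# --- constructed sample files (not real server configuration) ---
d=$(mktemp -d)
cat > "$d/sec.conf" <<'EOF'
ServerTokens Prod
ServerSignature off
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks
</Directory>
EOF
cat > "$d/default.conf" <<'EOF'
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF
audit_httpd "$d/sec.conf" /var/www/html
audit_httpd "$d/default.conf" /var/www/html || echo "-> $? finding(s)"
rm -rf "$d"
```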

Step 3: Harden the PHP web programming environment

For example, functions that give control over the system can be disabled, and if uploads are not needed, PHP's file upload feature can be turned off altogether.


[root@svr7 ~]# vim /etc/php.ini
disable_functions = passthru,exec,system,popen,chroot,escapeshellcmd,escapeshellarg,shell_exec,proc_open,proc_get_status                             //disable functions that run system commands or spawn processes
memory_limit = 128M                         //limit the memory a script may consume
file_uploads = Off                         //disallow file uploads
.. ..
[root@svr7 ~]# systemctl restart httpd     //restart the web service
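The following shell script is an added example and is not part of the original tutorial. It checks a php.ini-style file for the three settings above: it parses the disable_functions list and reports which of the functions named in this step are still callable, and it flags file_uploads left on and memory_limit set to -1 (unlimited). It runs against constructed sample files; the function names and the baseline list are assumptions for this example, and values applied elsewhere (php_admin_value in httpd, .htaccess, .user.ini) are not seen by a single-file check.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit a php.ini-style file
# against the settings used in this step. Runs against constructed samples.

# Baseline for this example: the functions the tutorial disables.
SYSTEM_FUNCS="passthru exec system popen chroot escapeshellcmd escapeshellarg shell_exec proc_open proc_get_status"

# Usage: php_ini_value FILE KEY -> last uncommented value of KEY ("" if unset)
php_ini_value() {
    awk -F= -v k="$2" '
        /^[ \t]*[;#]/ { next }                               # comment line
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k {
            v = substr($0, index($0, "=") + 1)               # everything after the first =
            sub(/[ \t]*;.*/, "", v)                          # trailing ; comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)                 # surrounding blanks and quotes
        }
        END { print v }
    ' "$1"
}

# Usage: php_missing_disabled FILE f1 f2 ... -> prints each function that is
# NOT in disable_functions (one per line); returns how many are missing.
# PHP function names are case-insensitive, so both sides are lowercased.
php_missing_disabled() {
    file=$1; shift
    have=$(php_ini_value "$file" disable_functions | tr ',' ' ' | tr 'A-Z' 'a-z')
    missing=0
    for want in "$@"; do
        hit=0
        lw=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        for f in $have; do
            [ "$f" = "$lw" ] && hit=1
        done
        if [ "$hit" -eq 0 ]; then echo "$want"; missing=$((missing + 1)); fi
    done
    return $missing
}

# Usage: audit_php_ini FILE -> prints findings, returns the number of failures
audit_php_ini() {
    fails=0
    left=$(php_missing_disabled "$1" $SYSTEM_FUNCS) || fails=$?
    if [ "$fails" -eq 0 ]; then echo "disable_functions: OK (all baseline functions disabled)"
    else echo "disable_functions: FAIL, still callable: $(printf '%s ' $left)"; fi
    case "$(php_ini_value "$1" file_uploads | tr 'A-Z' 'a-z')" in
        off|0|false|no|none) echo "file_uploads: OK (off)" ;;
        *) echo "file_uploads: FAIL (enabled, or not set, which defaults to On)"; fails=$((fails + 1)) ;;
    esac
    mem=$(php_ini_value "$1" memory_limit)
    if [ "$mem" = "-1" ]; then echo "memory_limit: FAIL (-1 means unlimited)"; fails=$((fails + 1))
    else echo "memory_limit: OK (${mem:-unset, built-in default 128M})"; fi
    return $fails
}

# --- constructed sample files (not a real /etc/php.ini) ---
d=$(mktemp -d)
cat > "$d/hardened.ini" <<'EOF'
; constructed sample mirroring the tutorial settings
disable_functions = passthru,exec,system,popen,chroot,escapeshellcmd,escapeshellarg,shell_exec,proc_open,proc_get_status
memory_limit = 128M
file_uploads = Off
EOF
cat > "$d/default.ini" <<'EOF'
; constructed sample of an unhardened install
disable_functions =
memory_limit = -1
file_uploads = On
EOF
audit_php_ini "$d/hardened.ini"
audit_php_ini "$d/default.ini" || echo "-> $? finding(s)"
rm -rf "$d"
```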

Step 4: Other security measures, at your own discretion

Omitted.
