LAMP Platform Hardening: Basic Hardening of the LAMP Platform

3.1 Task

This exercise targets a CentOS 7 system and configures basic hardening of the LAMP platform, covering the following tasks:

  1. Harden the MariaDB database
  2. Harden the httpd web site
  3. Harden the PHP web programming environment
  4. Other security measures, at your discretion

3.2 Steps

Complete this exercise by following the steps below.

Step 1: Harden the MariaDB database

1) Run the mysql_secure_installation script


[root@svr7 ~]# mysql_secure_installation             // start the secure-installation script

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):  // enter the current password (blank by default)
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n]                 // press Enter to set a password for root
New password:                         // enter the new password, e.g. pwd@123
Re-enter new password:                 // enter the new password again
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]            // press Enter to remove the anonymous users
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]     // press Enter to forbid remote logins by the database root user
... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] // press Enter to drop the test database
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]             // press Enter to reload the grant tables
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@svr7 ~]#                                 // configuration complete

2) Stop listening on the network port

Edit /etc/my.cnf and add a skip-networking line to the [mysqld] section:


[root@svr7 ~]# vim /etc/my.cnf
[mysqld]             
skip-networking                             // add this line: disables TCP networking entirely
datadir=/var/lib/mysql                     // database storage directory
socket=/var/lib/mysql/mysql.sock             // socket file through which the database service is provided
.. ..

Restart the mariadb service:


[root@svr7 ~]# systemctl restart mariadb     // restart the service
.. ..

Install the nmap scanner and probe local port 3306: it now reports closed, yet the local database service remains usable (clients connect through the socket file named in my.cnf).


[root@svr7 ~]# yum -y install nmap
.. ..
Running transaction
正在安装 : 2:nmap-6.40-19.el7.x86_64 1/1
验证中 : 2:nmap-6.40-19.el7.x86_64 1/1

已安装:
nmap.x86_64 2:6.40-19.el7

完毕!
[root@svr7 ~]# nmap -p 3306 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-25 22:36 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000031s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
3306/tcp closed mysql                         // the database port is now closed

Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds
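A frequent mistake with this step is to put skip-networking in the wrong section (for example under [client]) or to leave it commented out, in which case port 3306 stays open. The following added check, written for this page and not part of the original tutorial, parses a my.cnf-style file section by section and reports whether skip-networking is really active under [mysqld]. The function names and the sample configuration are constructed for the example; the listener check uses ss and is not exercised by the demo.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that skip-networking is
# set inside the [mysqld] section of a my.cnf file. A copy under another section
# or a commented-out line would leave port 3306 listening.

# Exit 0 when skip-networking (or skip_networking) is active under [mysqld].
mysqld_skip_networking_set() {
    awk '
        # A header such as "[mysqld]" switches the current section.
        /^[[:space:]]*\[/ {
            s = $0
            s = substr(s, index(s, "[") + 1)
            s = substr(s, 1, index(s, "]") - 1)
            section = s
            next
        }
        # Commented-out lines never count.
        /^[[:space:]]*[#;]/ { next }
        section == "mysqld" {
            key = $0
            sub(/[[:space:]]*[#;].*$/, "", key)   # drop a trailing comment
            sub(/=.*$/, "", key)                  # drop any "=value"
            gsub(/[[:space:]]/, "", key)
            if (key == "skip-networking" || key == "skip_networking") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Listener check that does not need nmap: exit 0 if something listens on TCP 3306.
# Local clients still reach the server through the socket file, e.g.
# mysql --protocol=socket -uroot -p (not run here).
mysqld_tcp_listener_present() {
    ss -ltn 2>/dev/null | grep -q ':3306[[:space:]]'
}

# Constructed sample configuration (stand-in for /etc/my.cnf).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[client]
socket=/var/lib/mysql/mysql.sock

[mysqld]
skip-networking
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
EOF

if mysqld_skip_networking_set "$sample"; then
    echo "skip-networking is set under [mysqld]"
else
    echo "WARNING: skip-networking is NOT set under [mysqld]"
fi
rm -f "$sample"
```

Point mysqld_skip_networking_set at the real /etc/my.cnf after editing it; combining it with mysqld_tcp_listener_present after the restart confirms both the configuration and its effect.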

3) Create a dedicated database user for the web forum

Grant the database user runbbs all privileges on the forum database ultrax (the default database of Discuz!; if you changed it at installation time, use the actual database name) and set its password:


[root@svr7 ~]# mysql -uroot -ppwd@123            // connect to the local database
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.64-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> grant all on ultrax.* to runbbs@localhost identified by 'pwd@123';                                         // grant the privileges
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit                         // disconnect
Bye
[root@svr7 ~]#

Locate the database connection settings in the Discuz! directory and change them to the dedicated account and password. Note: whenever the web application's database connection details change, its configuration must be updated to match, otherwise the application may stop working.


[root@svr7 ~]# vim /var/www/html/bbs/config/config_global.php
<?php


$_config = array();

// ---------------------------- CONFIG DB ----------------------------- //
$_config['db']['1']['dbhost'] = 'localhost';
$_config['db']['1']['dbuser'] = 'runbbs';         // database user name
$_config['db']['1']['dbpw'] = 'pwd@123';             // database password
$_config['db']['1']['dbcharset'] = 'utf8';
$_config['db']['1']['pconnect'] = '0';
$_config['db']['1']['dbname'] = 'ultrax';
$_config['db']['1']['tablepre'] = 'pre_';
.. ..

It is also recommended to tighten the file permissions so that other users cannot read the file containing the password:


[root@svr7 ~]# chmod o-rwx /var/www/html/bbs/config/config_global.php

[root@svr7 ~]# ls -lh /var/www/html/bbs/config/config_global.php
-rw-r-----. 1 apache apache 4.8K 4月 25 22:44 /var/www/html/bbs/config/config_global.php
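The chmod above fixes one file; the same question applies to every file under the application's config directory. The following added check, written for this page and not part of the original tutorial or of Discuz!, lists the files under a directory that are still readable by "other" users, using the POSIX octal form of find -perm. The function names and the demo tree are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): find configuration files that
# are readable by "other" users. httpd reads config_global.php as the apache user,
# so a mode such as 640 (owner rw, group r) is sufficient.

# Print every regular file under $1 whose mode grants read to "other".
# "-perm -004" is POSIX octal syntax: all of the given bits must be set.
world_readable_files() {
    find "$1" -type f -perm -004
}

# Exit 0 when no file under $1 is world-readable, 1 otherwise.
no_world_readable_files() {
    [ -z "$(world_readable_files "$1")" ]
}

# Constructed demo tree (stand-in for /var/www/html/bbs/config).
demo=$(mktemp -d)
touch "$demo/config_global.php" "$demo/settings.php"
chmod 644 "$demo/config_global.php"     # the shipped default
chmod 640 "$demo/settings.php"          # already hardened

echo "Before: world-readable files:"
world_readable_files "$demo"
chmod o-rwx "$demo"/*.php               # the same fix as in the tutorial
if no_world_readable_files "$demo"; then
    echo "After: no world-readable files"
fi
rm -rf "$demo"
```

Run world_readable_files against the real config directory before and after the chmod; an empty result is the expected state.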

After changing the database connection settings, confirm from a browser that the Discuz! forum still works, as shown in Figure 15.

Figure 15

Step 2: Harden the httpd web site

1) Security test of the default httpd site

Create a test subdirectory vod under the web root /var/www/html/ and put a few test files in it:


[root@svr7 ~]# mkdir /var/www/html/vod         // create the test directory
[root@svr7 ~]# cd /var/www/html/vod
[root@svr7 vod]# touch file1.mp4 file2.mp4     // create two test files
[root@svr7 vod]# ln -s / getroot.html         // create a symbolic link pointing at the root directory

Visiting http://<VM IP address>/vod/ from a browser lists every file in the directory (httpd generates an index page automatically by default), as shown in Figure 16.

Figure 16

Moreover, simply clicking getroot.html in that page exposes the entire root filesystem of the web server (symbolic links are followed by default), as shown in Figure 17.

Figure 17

In addition, nmap can detect the version of the web server software, which makes it easier for an attacker to plan further attacks. By default, httpd reports detailed version information.


[root@svr7 vod]# nmap -sV -p 80 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-25 23:05 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000027s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
                                // the scan result reveals the httpd and PHP versions

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.09 seconds
[root@svr7 vod]#

Clearly, the default settings carry considerable risk.

2) Basic hardening configuration

A few small changes to the httpd configuration remove the risks described above.


[root@svr7 ~]# vim /etc/httpd/conf.d/sec.conf     
ServerTokens Prod                     // show only the product name (the default, Full, shows everything)
ServerSignature off                     // add this line: no server signature footer on server-generated pages
.. ..
<Directory "/var/www/html">
Options -Indexes -FollowSymLinks     // a leading - disables that option
.. ..
</Directory>

[root@svr7 ~]# systemctl restart httpd     // restart the service
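To check a configuration file for these three settings without relying on a browser or nmap, here is an added audit script written for this page (not part of the original tutorial or of httpd). It matches directive names and keyword values case-insensitively, as httpd does, and looks for the Options line only inside the <Directory "/var/www/html"> block, since an Options line elsewhere would not protect that directory. The function names and the sample configuration are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an httpd configuration
# file for ServerTokens Prod, ServerSignature Off and a Directory block for
# /var/www/html whose Options disables Indexes and FollowSymLinks.

# Print the arguments of every Options directive found inside <Directory $2>
# blocks of file $1, one line per directive.
directory_options() {
    awk -v want="$2" '
        tolower($0) ~ /^[[:space:]]*<directory[[:space:]]/ {
            line = $0
            gsub(/[<>"]/, "", line)        # <Directory "/path"> -> Directory /path
            split(line, f)
            indir = (f[2] == want)
            next
        }
        tolower($0) ~ /^[[:space:]]*<\/directory>/ { indir = 0; next }
        indir && tolower($1) == "options" { $1 = ""; sub(/^[[:space:]]+/, ""); print }
    ' "$1"
}

# Exit 0 when $1 contains an uncommented "Directive Value" line (case-insensitive).
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# Exit 0 when all hardening settings are present; report each gap otherwise.
httpd_hardening_ok() {
    conf=$1; rc=0
    has_directive "$conf" ServerTokens Prod || { echo "MISSING: ServerTokens Prod"; rc=1; }
    has_directive "$conf" ServerSignature Off || { echo "MISSING: ServerSignature Off"; rc=1; }
    opts=$(directory_options "$conf" /var/www/html)
    for o in -Indexes -FollowSymLinks; do
        printf '%s\n' "$opts" | grep -Eiq "(^|[[:space:]])$o([[:space:]]|$)" \
            || { echo "MISSING: Options $o for /var/www/html"; rc=1; }
    done
    return $rc
}

# Constructed sample (stand-in for /etc/httpd/conf.d/sec.conf).
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServerTokens Prod
ServerSignature off
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks
    AllowOverride None
</Directory>
EOF
if httpd_hardening_ok "$sample"; then
    echo "hardening directives present"
fi
rm -f "$sample"
```

The audit reads a single file; httpd merges httpd.conf with everything under conf.d, so run it against each file that may carry these directives. ServerTokens Prod still reveals "Apache", which matches the later scan output on this page.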

3) Verify the hardening

Visit http://<VM IP address>/vod/ again: the directory has no default index page and automatic listing is no longer allowed, so the server responds with Forbidden, as shown in Figure 18.

Figure 18

Requesting http://<VM IP address>/vod/getroot.html directly is refused as well, because symbolic links are no longer followed, as shown in Figure 19.

Figure 19

Scanning the web server with nmap again shows that the detailed version information is gone.


[root@svr7 ~]# nmap -sV -p 80 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-25 23:15 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000030s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd         
                                // httpd and PHP version information no longer appears in the scan
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.10 seconds
[root@svr7 ~]#

Step 3: Harden the PHP environment

For example, disable the functions that hand control to the operating system; if uploads are not needed, turn off PHP file uploads entirely.


[root@svr7 ~]# vim /etc/php.ini
disable_functions = passthru,exec,system,popen,chroot,escapeshellcmd,escapeshellarg,shell_exec,proc_open,proc_get_status                             // disable some system-control functions
memory_limit = 128M                         // cap memory consumption
file_uploads = Off                         // forbid file uploads
.. ..
[root@svr7 ~]# systemctl restart httpd     // restart the web service
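Because disable_functions is one comma-separated value, a naive grep for a function name is unreliable (exec would also match inside shell_exec, and a commented-out line would match too). The following added check, written for this page and not part of the original tutorial or of PHP, reads php.ini properly and verifies both settings from this step. The function names and the sample php.ini fragment are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): read php.ini and verify that
# the required functions are listed in disable_functions and that file_uploads
# is off.

# Print the value of directive $2 from ini file $1. The last uncommented
# assignment wins, as in PHP; surrounding whitespace and quotes are stripped.
php_ini_value() {
    awk -v key="$2" '
        /^[[:space:]]*;/ { next }               # full-line comment
        {
            line = $0
            sub(/[[:space:]]*;.*$/, "", line)   # trailing comment
            n = index(line, "=")
            if (n == 0) next                    # section header or junk
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]"]+|[[:space:]"]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Exit 0 when every function named in $2.. appears in disable_functions of $1;
# report each one that is missing otherwise.
php_functions_disabled() {
    ini=$1; shift
    disabled=",$(php_ini_value "$ini" disable_functions | tr -d '[:space:]'),"
    rc=0
    for fn in "$@"; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "NOT DISABLED: $fn"; rc=1 ;;
        esac
    done
    return $rc
}

# Exit 0 when file_uploads is explicitly off (PHP accepts Off/0/false/no/none in
# any case). A missing directive defaults to On, so an empty value is treated
# as not verified here.
php_uploads_off() {
    case "$(php_ini_value "$1" file_uploads | tr 'A-Z' 'a-z')" in
        off|0|false|no|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample (stand-in for /etc/php.ini).
sample=$(mktemp)
cat > "$sample" <<'EOF'
; constructed php.ini fragment
disable_functions = passthru,exec,system,popen,chroot,escapeshellcmd,escapeshellarg,shell_exec,proc_open,proc_get_status
memory_limit = 128M
file_uploads = Off
EOF
php_functions_disabled "$sample" passthru exec system shell_exec proc_open && echo "system functions disabled"
php_uploads_off "$sample" && echo "file uploads off"
rm -f "$sample"
```

Run the two checks against the real /etc/php.ini after the restart; php_functions_disabled prints the name of each function still allowed, which is handy when a later package update rewrites the file.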

Step 4: Other security measures, at your discretion

Omitted.
