Building a Secure vsftpd with Jail

Author: ★可乐∮ (三轮车夫, easypp)
QQ: 223480  MSN: easy2go@msn.com

Copyright notice: this article is copyright ★可乐∮ (三轮车夫, easypp). If you reproduce it, please keep this notice. Thank you!
vsftpd has one small drawback: it normally authenticates users against the system's own accounts. vsftpd's security record is very good, but if it is separated from the system accounts you can be far more at ease about the security of your server. Here I use jail on FreeBSD to separate vsftpd from the system accounts. This not only makes the FTP server easy to manage, it also means that a security problem in FTP does not turn into a security problem for your system.

Software requirements:
FreeBSD 4.8-STABLE (RELEASE also works), vsftpd-1.2.0 (download it from the vsftpd official site)

Environment:
FreeBSD 4.8-STABLE
IP: 10.0.1.1  hostname: powerbsd.org

Here is some information about my machine:

powerbsd <Time:9:43am> [/] -root-> ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.1.1 netmask 0xff000000 broadcast 10.255.255.255
        ether 00:60:67:76:fb:13
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
powerbsd <Time:9:43am> [/] -root-> hostname
powerbsd.org
powerbsd <Time:9:43am> [/] -root-> uname -a
FreeBSD powerbsd.org 4.8-STABLE FreeBSD 4.8-STABLE #7: Mon Jun 23 08:57:32 CST 2003     root@powerbsd.org:/usr/src/sys/compile/PowerBSD  i386
OK, let's begin our jail journey:

1. Install vsftpd

a) tar zxvf vsftpd-1.2.0.tar.gz
b) cd vsftpd-1.2.0
c) make
d) cp vsftpd /sbin
e) cp vsftpd.conf /etc
f) mkdir /var/ftp
g) mkdir /usr/share/empty
h) pw groupadd ftp
i) pw useradd ftp -d /var/ftp -g ftp -s /nonexistent
j) Edit /etc/vsftpd.conf and add at the end: listen=YES
k) Check that vsftpd works. Start it with /sbin/vsftpd & and then test with ftp -a 10.0.1.1. Here is my test session:

powerbsd <Time:9:50am> [/source/src] -root-> ftp -a 10.0.1.1
Connected to 10.0.1.1.
220 (vsFTPd 1.2.0)
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
2. Build the jail environment

a) Create the directory tree for the jail:

mkdir -p /jail/{bin,sbin,etc,dev,var/log,var/ftp,usr/bin,usr/sbin/,usr/lib,usr/libexec,usr/share/empty}

b) Check which shared libraries vsftpd needs:

powerbsd <Time:9:55am> [/jail/etc] -root-> ldd /sbin/vsftpd
/sbin/vsftpd:
        libpam.so.1 => /usr/lib/libpam.so.1 (0x28076000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28080000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x28099000)
        libc.so.4 => /usr/lib/libc.so.4 (0x280a2000)

c) Set up the runtime environment for vsftpd inside the jail:

cp /usr/lib/libpam.so.1 /jail/usr/lib/
cp /usr/lib/libcrypt.so.2 /jail/usr/lib/
cp /usr/lib/libutil.so.3 /jail/usr/lib/
cp /usr/lib/libc.so.4 /jail/usr/lib/
cp /dev/MAKEDEV* /jail/dev/
sh /jail/dev/MAKEDEV jail
cp /sbin/vsftpd /jail/sbin/vsftpd
cp /etc/vsftpd.conf /jail/etc/
cp /etc/passwd /jail/etc
cp /etc/group /jail/etc
cp /etc/master.passwd /jail/etc
cp /etc/pwd.db /jail/etc
cp /etc/spwd.db /jail/etc

d) Run it inside the jail and test:

killall vsftpd
jail -u root /jail/ powerbsd.org 10.0.1.1 /sbin/vsftpd &

This produced an error: ELF interpreter /usr/libexec/ld-elf.so.1 not found

cp /usr/libexec/ld-elf.so.1 /jail/usr/libexec/

Run it again: jail -u root /jail/ powerbsd.org 10.0.1.1 /sbin/vsftpd now prints no error messages. Stop it with Ctrl+C, then run:

jail -u root /jail/ powerbsd.org 10.0.1.1 /sbin/vsftpd &
netstat -na

which shows:

Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.1.1.21            *.*                    LISTEN

With ps auxww | grep vsftpd:

root   455  0.0  0.2  1132  628  p0  IJ    8:31下午   0:00.01 /sbin/vsftpd

(the J in IJ means the process is running inside a jail). Testing with ftp -a 10.0.1.1 succeeds!
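Steps b) through d) above copy each library that ldd lists by hand, and step d) shows what happens when one file (the ELF interpreter) is forgotten. The following POSIX sh script is an added example, not part of the original post: it parses ldd's "name => /path (address)" output, copies the binary, every listed library and /usr/libexec/ld-elf.so.1 into the jail root keeping their paths, and reports any file that is missing on the host instead of silently skipping it, so the dependency problem is caught before the jail is started. The SRC_ROOT argument, the function names and the saved-ldd-output file are my own assumptions; on the real host SRC_ROOT is the empty string and the ldd text comes from ldd /sbin/vsftpd.

```shell
#!/bin/sh
# Added example (not from the original post): populate a jail root with a
# binary, the shared libraries that ldd reports for it, and the ELF
# interpreter /usr/libexec/ld-elf.so.1. The SRC_ROOT argument is an
# assumption made so the functions can be exercised against a constructed
# directory tree; on a real host pass "" (the host's own root).

# Print the library paths from FreeBSD-style ldd output on stdin, one per
# line. Lines without "=>" (such as the "/sbin/vsftpd:" header) are skipped.
libs_from_ldd() {
    awk '/=>/ { print $3 }'
}

# copy_keeping_path SRC_ROOT JAIL_ROOT /abs/path
# Copies SRC_ROOT/abs/path to JAIL_ROOT/abs/path, creating the directory.
copy_keeping_path() {
    mkdir -p "$2$(dirname "$3")"
    cp "$1$3" "$2$3"
}

# populate_jail SRC_ROOT JAIL_ROOT BINARY LDD_FILE
# Copies BINARY, every library named in LDD_FILE (saved ldd output) and the
# runtime linker, which the post found missing on the first jail start.
# Returns 1 if any of those files does not exist under SRC_ROOT, so a
# missing dependency is noticed before the jail is started.
populate_jail() {
    pj_src=$1; pj_jail=$2; pj_status=0
    for pj_file in "$3" $(libs_from_ldd < "$4") /usr/libexec/ld-elf.so.1; do
        if [ -f "$pj_src$pj_file" ]; then
            copy_keeping_path "$pj_src" "$pj_jail" "$pj_file"
        else
            echo "missing on host: $pj_file" >&2
            pj_status=1
        fi
    done
    return $pj_status
}

# Number of regular files under a jail root, for a quick sanity check
# against the number of files you expected to copy.
jail_file_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Real use on the host (assumed invocation):
#   ldd /sbin/vsftpd > /tmp/vsftpd.ldd
#   populate_jail "" /jail /sbin/vsftpd /tmp/vsftpd.ldd
if [ $# -eq 4 ]; then
    populate_jail "$1" "$2" "$3" "$4"
fi
```

Because populate_jail returns non-zero when something is missing, it can be chained with the jail start (populate_jail ... && jail -u root /jail/ powerbsd.org 10.0.1.1 /sbin/vsftpd) so that an incomplete jail is never started.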
3. Managing users inside the jail:

cp /bin/ls /jail/bin
cp /bin/mkdir /jail/bin
cp /bin/rmdir /jail/bin
cp /bin/sh /jail/bin
cp /bin/csh /jail/bin
cp /usr/sbin/pw /jail/usr/sbin
cp /usr/lib/libcrypt.so.2 /jail/usr/lib/
cp /usr/sbin/pwd_mkdb /jail/usr/sbin/
cp /usr/sbin/vipw /jail/usr/sbin/
cp /usr/bin/chgrp /jail/usr/bin/
cp /usr/sbin/chown /jail/usr/sbin/
cp /bin/chmod /jail/bin/
cp adduser.conf /jail/etc/
cp adduser.message /jail/etc/
cp /usr/bin/passwd /jail/usr/bin/
cp /usr/lib/librpcsvc.so.2 /jail/usr/lib/
cp /usr/lib/libutil.so.3 /jail/usr/lib/
cp /etc/pam.conf /jail/etc
cp /usr/lib/pam_skey.so /jail/usr/lib/
cp /usr/lib/pam_opie.so /jail/usr/lib/
cp /usr/lib/pam_opieaccess.so /jail/usr/lib/
cp /usr/lib/pam_cleartext_pass_ok.so /jail/usr/lib/
cp /usr/lib/pam_unix.so /jail/usr/lib/

Now you can manage users with the following command:

jail /jail/ powerbsd.org 10.0.1.1 /bin/sh

Here is my user management session:

powerbsd <Time:10:10am> [/] -root-> jail /jail/ powerbsd.org 10.0.1.1 /bin/sh
# pw usershow -a
root:*:0:0::0:0:Charlie &:/root:/bin/csh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
ftp:*:1004:1002::0:0:User &:/var/ftp:/nonexitent
# pw groupshow -a
wheel:*:0:root
nobody:*:65534:
ftp:*:1002:
# pw groupadd ftpgroup
# pw useradd test -d /home/test -g ftpgroup -s /nonexistend
# pw usershow -a
root:*:0:0::0:0:Charlie &:/root:/bin/csh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
ftp:*:1004:1002::0:0:User &:/var/ftp:/nonexitent
test:*:1005:1003::0:0:User &:/home/test:/nonexistend
# pw groupshow -a
wheel:*:0:root
nobody:*:65534:
ftp:*:1002:
ftpgroup:*:1003:
# passwd test
Changing local password for test.
New password:
Retype new password:
passwd: updating the database...
passwd: done
That concludes how to set up vsftpd inside a jail. For how to configure vsftpd itself, refer to the examples shipped with vsftpd. This article is only a small set of notes from my study of FreeBSD jail; take it as a starting point. If anything is lacking, please let me know. Thank you!