THE BEST VIRUSES - Xakep Online

ХАКЕР.PRO

SYN/ACK

A few words about nginx

Nginx (engine x) is a high-performance, low-footprint HTTP server and mail proxy. It is usually used either as an HTTP accelerator that passes all requests on to Apache, or as a lightweight server for serving static content. It is used on wordpress.com and on most of Rambler's servers. It has been developed by Igor Sysoev since 2002.

# mkdir $JAIL/{dev,tmp}
# chmod 7777 $JAIL/tmp

Mount the devfs file system:

# mount -t devfs devfs $JAIL/dev

Create an IP alias and configure the firewall to forward HTTP traffic to the jail's IP address:

# ifconfig ed0 inet alias 192.168.0.1/16
# ipfw add fwd 192.168.0.1,80 tcp from any to external-ip 80

Open the nginx configuration file and bring the server section into the following form:

# vi /usr/jail/nginx/etc/nginx/nginx.conf
server {
    listen 80;
    server_name www.host.ru;
    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}

So that nginx starts at boot, add the following entries to /etc/rc.conf:

# vi /etc/rc.conf
ifconfig_ed0_alias0="inet 192.168.0.1"
jail_enable="YES"
jail_list="nginx"
jail_nginx_rootdir="/usr/jail/nginx"
jail_nginx_hostname="nginx.jail"
jail_nginx_ip="192.168.0.1"
# Full initialization of the environment is not needed; it is enough
# to start the service right away
jail_nginx_exec_start="/sbin/nginx -c /etc/nginx/nginx.conf"
# Stopping nginx by hand is not required either: before shutting down,
# the jail neatly kills all of its processes with kill
jail_nginx_exec_stop=""
# We only need devfs
jail_nginx_devfs_enable="YES"
jail_nginx_fdescfs_enable="NO"
jail_nginx_procfs_enable="NO"

sysctl variables you should know about

1 security.jail.set_hostname_allowed: whether the jail superuser may change the jail server's network name (hostname). It makes sense to disable it if the jail has been given a real network name registered in DNS zones.

2 security.jail.allow_raw_sockets: allow the jail superuser to create raw sockets. For security reasons the option is off, but that interferes with the proper operation of some network debugging tools.

3 security.jail.chflags_allowed: allow jail processes to modify file system flags (chflags). Off by default, which opens up interesting possibilities for placing undeletable, unreadable or unwritable files inside the jail.
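As an added example (not the article's or FreeBSD's code), the following POSIX shell function audits the three security.jail sysctls just listed against the stricter setting the sidebar argues for. It reads the output of `sysctl security.jail` on standard input; the policy table and the sample output below are constructed from the sidebar, and the sysctl names are the FreeBSD 7-era ones the article uses (later releases moved most of these to per-jail allow.* parameters).

```shell
#!/bin/sh
# Added example, not from the article: audit security.jail sysctls against the
# stricter settings recommended in the sidebar. Names are the FreeBSD 7-era ones.

# Policy table (constructed from the sidebar): name, safe value, reason.
JAIL_SYSCTL_POLICY='security.jail.set_hostname_allowed 0 jail root could change a DNS-published hostname
security.jail.allow_raw_sockets 0 raw sockets let jail root craft arbitrary packets
security.jail.chflags_allowed 0 jail root could clear immutable or append-only file flags'

# Read `sysctl security.jail` output ("name: value") on stdin. Print one line
# per knob that is more permissive than the policy; return 1 if any, else 0.
audit_jail_sysctls() {
    violations=0
    while read -r name value; do
        name=${name%:}                      # sysctl prints "name: value"
        policy=$(printf '%s\n' "$JAIL_SYSCTL_POLICY" | grep "^$name " || true)
        [ -n "$policy" ] || continue        # no policy for this knob, skip it
        set -- $policy                      # split into name, safe value, reason
        safe=$2
        shift 2
        if [ "$value" != "$safe" ]; then
            echo "$name=$value (expected $safe): $*"
            violations=$((violations + 1))
        fi
    done
    [ "$violations" -eq 0 ]
}

# Constructed sample of `sysctl security.jail` output (not from a real host);
# set_hostname_allowed is deliberately left on so the audit has something to report.
SAMPLE_SYSCTL='security.jail.set_hostname_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0'

# Stand-alone run against the sample; on a real host pipe in the live values:
#   sysctl security.jail | audit_jail_sysctls
if printf '%s\n' "$SAMPLE_SYSCTL" | audit_jail_sysctls; then
    echo "security.jail sysctls: OK"
fi
```

Knobs that are not in the policy table (socket_unixiproute_only, sysvipc_allowed in the sample) are ignored rather than reported, so the function can take the full `sysctl security.jail` output without edits.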

Bear in mind that the clever ports system changed nginx's default file search paths by prefixing them with /usr/jail/nginx. All relative paths in the configuration file therefore have to be replaced with absolute ones, that is, "include mime.types;" becomes "include /etc/nginx/mime.types;". That's it: the virtual server with nginx can now be started (the '-c' option overrides the wrong default search path for the configuration file):

# jail /usr/jail/nginx nginx.jail 192.168.0.1 /sbin/nginx -c /etc/nginx/nginx.conf
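Before rebooting the host with the rc.conf entries from the procedure above, the fragment can be checked mechanically: rc.conf is sourced by /bin/sh, so anything that is not a "#" comment or a name="value" assignment would be executed as a command, and the jail rc script needs rootdir, hostname and ip for every jail named in jail_list. The checker below is an added example, not the article's or FreeBSD's code; the two fragments it is run on are constructed (the article's entries, and a copy with a C-style comment and a missing ip).

```shell
#!/bin/sh
# Added example, not from the article or FreeBSD: lint a jail rc.conf fragment.
# rc.conf is sourced by /bin/sh, so only "#" comments and name="value"
# assignments belong in it; the jail rc script also needs rootdir, hostname
# and ip for every jail in jail_list.

# Read the fragment on stdin (lint_jail_rcconf < /etc/rc.conf); print each
# problem found; return 1 if there was any, 0 otherwise.
lint_jail_rcconf() {
    conf=$(cat)
    status=0

    # 1. Every non-blank line must be a comment or a simple assignment.
    bad=$(printf '%s\n' "$conf" | grep -nvE '^[[:space:]]*(#.*)?$|^[A-Za-z_][A-Za-z0-9_]*=("[^"]*"|[^[:space:]"]*)[[:space:]]*(#.*)?$' || true)
    if [ -n "$bad" ]; then
        printf 'not a comment or assignment (would be run as a command):\n%s\n' "$bad"
        status=1
    fi

    # 2. Jails must be switched on at all.
    if ! printf '%s\n' "$conf" | grep -q '^jail_enable="YES"'; then
        echo 'jail_enable is not "YES"'
        status=1
    fi

    # 3. Every jail in jail_list needs a non-empty rootdir, hostname and ip.
    jails=$(printf '%s\n' "$conf" | sed -n 's/^jail_list="\([^"]*\)".*/\1/p')
    if [ -z "$jails" ]; then
        echo 'jail_list is empty or missing'
        status=1
    fi
    for j in $jails; do
        for key in rootdir hostname ip; do
            if ! printf '%s\n' "$conf" | grep -qE "^jail_${j}_${key}=\"[^\"]+\""; then
                echo "jail $j: missing or empty jail_${j}_${key}"
                status=1
            fi
        done
    done
    return $status
}

# Constructed fragment: the article's entries, written correctly.
SAMPLE_RCCONF_OK='ifconfig_ed0_alias0="inet 192.168.0.1"
jail_enable="YES"
jail_list="nginx"
jail_nginx_rootdir="/usr/jail/nginx"
jail_nginx_hostname="nginx.jail"
jail_nginx_ip="192.168.0.1"
# full environment initialization is not needed
jail_nginx_exec_start="/sbin/nginx -c /etc/nginx/nginx.conf"
jail_nginx_exec_stop=""
jail_nginx_devfs_enable="YES"'

# Constructed fragment with two defects: a C-style comment and no ip.
SAMPLE_RCCONF_BAD='jail_enable="YES"
jail_list="nginx"
// full environment initialization is not needed
jail_nginx_rootdir="/usr/jail/nginx"
jail_nginx_hostname="nginx.jail"
jail_nginx_exec_start="/sbin/nginx -c /etc/nginx/nginx.conf"'

# Stand-alone run: lint both samples and report the verdict for each.
for sample in "$SAMPLE_RCCONF_OK" "$SAMPLE_RCCONF_BAD"; do
    if printf '%s\n' "$sample" | lint_jail_rcconf; then
        echo "verdict: OK"
    else
        echo "verdict: FAIL"
    fi
done
```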

Using the scheme described, practically any service that is not burdened with a lot of dependencies can be put into a jail. In some cases you will have to fiddle with creating files and directories and with tracking down the required libraries (some network servers, sshd for example, load libraries at run time, so ldd will not show everything and you will have to resort to lsof). /dev is another problem. Opening every file in that directory for reading, let alone for writing, is quite reckless, so access rights have to be regulated with devfs's dedicated settings. The file /etc/defaults/devfs.rules contains the basic devfs rules for a jail. By default it opens access to auxiliary synthetic files such as /dev/null and /dev/random, and to pseudo-terminals. For most configurations the settings will not even need editing: it is enough to copy the file into /etc and add the following entry to /etc/rc.conf (with the jail's name in place of <name>):

jail_<name>_devfs_ruleset="devfsrules_jail"

If additional device files are needed, devfs.rules is easy to edit by adding the required rules. The syntax of the file and of the rules is described in the devfs(8) and devfs.rules(5) man pages.
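The library-tracking step mentioned above can be made repeatable. The following added example (not the article's code) filters ldd output in FreeBSD's "libname => /resolved/path (0xaddr)" format into the de-duplicated list of libraries to copy under the jail root, flags entries ldd could not resolve, and prints the copy commands without running them. The ldd output it is run on is constructed, not captured from a real host; the path column of lsof output for run-time loaded libraries can be fed through the same filter.

```shell
#!/bin/sh
# Added example, not from the article: turn ldd output into the set of shared
# libraries a binary needs inside the jail. Assumes FreeBSD's ldd line format
# "    libname => /resolved/path (0xaddr)".

# Read ldd output on stdin; print each resolved library path once, sorted.
jail_lib_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | LC_ALL=C sort -u
}

# Read ldd output on stdin; print libraries ldd could not resolve at all
# (they will not be found inside the jail either).
jail_missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Read ldd output on stdin; print the commands that would copy the resolved
# libraries under the jail root $1, keeping the directory layout. Nothing is
# executed here: review the plan, then pipe it to sh.
jail_copy_plan() {
    jail=$1
    jail_lib_paths | while IFS= read -r lib; do
        printf 'install -d %s%s\n' "$jail" "$(dirname "$lib")"
        printf 'cp -p %s %s%s\n' "$lib" "$jail" "$lib"
    done
}

# Constructed sample of ldd output for an nginx binary (not from a real host);
# libc.so.7 is listed twice on purpose to show the de-duplication.
SAMPLE_LDD='/usr/local/sbin/nginx:
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x800a00000)
        libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x800e00000)
        libssl.so.6 => /usr/lib/libssl.so.6 (0x801000000)
        libc.so.7 => /lib/libc.so.7 (0x800e00000)'

# Stand-alone run: show the copy plan for the sample. On a real host:
#   ldd /usr/local/sbin/nginx | jail_copy_plan /usr/jail/nginx
printf '%s\n' "$SAMPLE_LDD" | jail_copy_plan /usr/jail/nginx
```

Run jail_missing_libs first: a "not found" entry means the binary is already broken on the host, and copying the rest into the jail will not fix it.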

ХАКЕР 04 /124/ 09
