Today a friend told me that a server in one of his projects was sending packets out to the Internet and asked me to take a look. I got the ssh account and password and logged in: it was running Tomcat, there were several abnormal files under Tomcat's bin directory, and looking at the process list the thing had even planted itself in /etc on the server, as a hidden file. I deleted it and reconfigured the iptables rules, and finally told him to go through his own application for abnormal code and files. This is obviously a typical case of a failed Tomcat security configuration; I won't list the specific mistakes here. Today's topic is running Tomcat under chroot. I won't repeat the benefits of chroot either, but one caveat belongs up front: chroot only restricts which part of the filesystem a process can see. A process that runs as root inside a chroot can still break out of it, so in production the JVM must end up running as a dedicated unprivileged user. Everything below is typed as root, and the ps output at the end shows Tomcat itself running as root; drop privileges before relying on this. Now let's look at how to set up chroot + Tomcat.

System: CentOS 5.x (64-bit)

Packages needed:

    server-jre-7u51-linux-x64.tar.gz
    apache-tomcat-7.0.61.tar.gz

1. Install Java

    tar zxf server-jre-7u51-linux-x64.tar.gz
    mkdir -p /usr/java/
    cp -a jdk1.7.0_51 /usr/java/
    /usr/java/jdk1.7.0_51/bin/java -version
    java version "1.7.0_51"
    Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
    Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

2. Build the chroot skeleton

    mkdir -p /chroot && cd /chroot/
    mkdir -p lib lib64 etc tmp dev usr
    chmod 755 etc dev usr
    chmod 1777 tmp
    cp -a /etc/{hosts,resolv.conf,nsswitch.conf} /chroot/etc/
    mkdir -p /chroot/dev/pts
    cd /dev/
    ./MAKEDEV -d /chroot/dev null random urandom zero loop* log console
    cp MAKEDEV /chroot/dev
    cp -a /dev/shm /chroot/dev

(The original command had "radom" instead of "random", which is why MAKEDEV reported don't know how to make device "radom". The JVM opens /dev/random and /dev/urandom for SecureRandom, so the node must actually exist. Copying MAKEDEV itself into the chroot is not needed once the nodes are created; a chroot should carry only what the service uses.)

3. Put Java into the chroot

    cd /chroot/
    mkdir -p bin
    cp /bin/bash /chroot/bin/
    cp /bin/sh /chroot/bin/
    cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /chroot/lib64
    cp /bin/uname bin/
    mkdir usr/bin
    cp /usr/bin/dirname usr/bin
    cp -p /lib64/libresolv.so.2 lib64/
    cp -p /lib64/libnss_dns.so.2 lib64/
    cp -p /lib64/libnss_files.so.2 lib64/
    cp -p /lib64/librt.so.1 lib64/
    cp /usr/bin/tty usr/bin/
    cp /bin/touch bin/
    mkdir -p usr/java/
    cp -a /usr/java/jdk1.7.0_51 usr/java/

bash, sh, uname, dirname, tty and touch are the commands catalina.sh and setclasspath.sh call; libresolv and the libnss_* libraries are what lets the JVM resolve hostnames through the copied nsswitch.conf and resolv.conf. The library names above are from this particular CentOS 5 box. Check them with ldd on your own system instead of copying the list blindly, because the libraries a given bash or coreutils build links against differ between releases.

Find and copy the libraries java depends on:

    ldd /usr/java/jdk1.7.0_51/bin/java
    linux-vdso.so.1 => (0x00007fff4f9fd000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00000038ed200000)
    libjli.so => /usr/java/jdk1.7.0_51/bin/../lib/amd64/jli/libjli.so (0x00002b875e483000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00000038ec600000)
    libc.so.6 => /lib64/libc.so.6 (0x00000038ec200000)
    /lib64/ld-linux-x86-64.so.2 (0x00000038ebe00000)

Copy the four libraries from /lib64 listed above (libjli.so lives inside the JDK tree that was already copied), plus two more that the JVM loads at runtime and ldd on the launcher does not show:

    cp /lib64/{libpthread.so.0,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} lib64/
    cp -p /lib64/libm.so.6 lib64/
    cp -p /lib64/libnsl.so.1 lib64/

4. Mount /proc

    mkdir /chroot/proc
    mount -t proc proc /chroot/proc
    chroot /chroot /usr/java/jdk1.7.0_51/bin/java -version
    java version "1.7.0_51"
    Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
    Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

You can also enter the chroot and test from inside:

    chroot /chroot
    bash-3.2# /usr/java/jdk1.7.0_51/bin/java -version
    java version "1.7.0_51"
    Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
    Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

The mount does not survive a reboot; add it to /etc/fstab or to the Tomcat start script, or the JVM will fail to start next time the box comes up.

5. Put Tomcat into the chroot

    cd /root/install/ && mkdir /chroot/usr/local && tar zxf apache-tomcat-7.0.61.tar.gz -C /chroot/usr/local/
    mv /chroot/usr/local/apache-tomcat-7.0.61 /chroot/usr/local/tomcat
    chmod 755 /chroot/usr/local
    chmod 755 /chroot/usr/local/tomcat/bin/*.sh

(The original ran mv apache-tomcat-7.0.61 tomcat right after the cd to /root/install, where that directory does not exist because tar extracted it into /chroot/usr/local; the full paths above are what was meant.)

Set JAVA_HOME in setclasspath.sh, otherwise Tomcat cannot start: inside the chroot there is no java on the PATH for the script's auto-detection to find.

    vi /chroot/usr/local/tomcat/bin/setclasspath.sh
    # Make sure prerequisite environment variables are set
    export JAVA_HOME=/usr/java/jdk1.7.0_51
    export JRE_HOME=/usr/java/jdk1.7.0_51/jre
    if [ -z "$JAVA_HOME" -a -z "$JRE_HOME" ]; then
      if $darwin; then
        # Bugzilla 54390
        if [ -x '/usr/libexec/java_home' ] ; then
          export JAVA_HOME=`/usr/libexec/java_home`
        # Bugzilla 37284 (reviewed).
        elif [ -d "/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home" ]; then
          export JAVA_HOME="/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home"
        fi
      else
        JAVA_PATH=`which java 2>/dev/null`
        if [ "x$JAVA_PATH" != "x" ]; then
          JAVA_PATH=`dirname $JAVA_PATH 2>/dev/null`
          JRE_HOME=`dirname $JAVA_PATH 2>/dev/null`

The two export lines go just above the existing if [ -z "$JAVA_HOME" -a -z "$JRE_HOME" ] test, so the detection block below it is skipped. Note that the path is /usr/java/jdk1.7.0_51 as seen from inside the chroot, not /chroot/usr/java/.... A cleaner way that survives Tomcat upgrades is to put the same two lines in /chroot/usr/local/tomcat/bin/setenv.sh, which catalina.sh sources if the file exists.

6. Start Tomcat

    chroot /chroot /usr/local/tomcat/bin/catalina.sh start
    Using CATALINA_BASE:   /usr/local/tomcat
    Using CATALINA_HOME:   /usr/local/tomcat
    Using CATALINA_TMPDIR: /usr/local/tomcat/temp
    Using JRE_HOME:        /usr/java/jdk1.7.0_51/jre
    Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
    Tomcat started.

    ps auxf|grep java
    root      4980  0.0  0.0  61232   736 pts/0    S+   17:14   0:00  \_ grep java
    root      4912 20.9  2.5 1394592 101020 pts/0   Sl   17:13   0:15 /usr/java/jdk1.7.0_51/jre/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/tomcat/endorsed -classpath /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start

(ps auxf|grep tomcat shows the same process 4912.) Tomcat is up. Seen from the host, ps prints the chroot-relative paths (/usr/java/..., /usr/local/tomcat) rather than /chroot/...; that is expected, and the process really is confined, as the USER column also confirms it is still root (see the caveat at the top). Open port 8080 for Tomcat in iptables and visit http://ip:8080 in a browser. If something is wrong, check the Tomcat logs (under /chroot/usr/local/tomcat/logs on the host) to see where the error is; you can also run strace chroot /chroot /usr/local/tomcat/bin/catalina.sh start to find out which file is the problem, looking for open or stat calls that fail with ENOENT.
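Two of the steps above are where chroots usually go wrong: the hand-maintained cp lists of shared libraries (the ldd step) and the "something is missing, reach for strace" debugging at the end. The helpers below are an added example written for this article, not code from the original post: ldd_paths turns ldd output into a list of paths, missing_in_chroot checks that list against a chroot directory, copy_with_deps copies a binary together with its ldd closure, and strace_enoent pulls the ENOENT failures out of an strace log, which catches things ldd cannot see (setenv.sh, zoneinfo, /dev nodes). The /chroot and /usr/java paths are the post's; the sample ldd lines are copied from the post's own ldd output, and the sample strace lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not part of the original post). Helpers for building and
# debugging a Tomcat chroot. Sample data below is constructed for the demo.

# ldd_paths: read ldd(1) output on stdin, print one absolute library path per line.
# Skips the vDSO pseudo-entry ("linux-vdso.so.1 => (0x...)") and lines that are not
# resolved libraries ("not a dynamic executable", "statically linked").
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }   # libc.so.6 => /lib64/libc.so.6 (0x...)
        $1 ~ /^\// { print $1 }                         # /lib64/ld-linux-x86-64.so.2 (0x...)
    '
}

# missing_in_chroot ROOT: read library paths on stdin, print those absent under ROOT.
missing_in_chroot() {
    root=$1
    while IFS= read -r lib; do
        [ -e "$root$lib" ] || printf '%s\n' "$lib"
    done
}

# copy_with_deps ROOT BIN...: copy each binary plus its full ldd closure into ROOT,
# preserving paths (/lib64/libc.so.6 lands in ROOT/lib64/libc.so.6). This replaces
# the fixed "cp /lib64/{...}" lists, which differ from one release to the next.
copy_with_deps() {
    root=$1; shift
    for bin in "$@"; do
        mkdir -p "$root$(dirname "$bin")"
        cp -p "$bin" "$root$bin"
        ldd "$bin" 2>/dev/null | ldd_paths | while IFS= read -r lib; do
            mkdir -p "$root$(dirname "$lib")"
            cp -p "$lib" "$root$lib"   # cp follows the symlink and copies the real object
        done
    done
}

# strace_enoent: read strace(1) output on stdin, print each path whose file syscall
# failed with ENOENT, once. The first quoted string on an strace line is the path.
strace_enoent() {
    sed -n 's/^[^"]*"\([^"]*\)".*= -1 ENOENT.*/\1/p' | sort -u
}

# trace_chroot ROOT CMD...: run CMD inside ROOT under strace and list ENOENT paths.
# Use "catalina.sh run" (foreground) rather than "start", which backgrounds java
# so strace -f would sit there until Tomcat exits. Needs root and strace on the host.
trace_chroot() {
    root=$1; shift
    log=$(mktemp)
    strace -f -e trace=file -o "$log" chroot "$root" "$@"
    strace_enoent < "$log"
    rm -f "$log"
}

# proc_root_of PID: the root directory a running process actually sees. For the
# java process started above this should print /chroot; ps alone cannot tell you.
proc_root_of() {
    readlink "/proc/$1/root"
}

# Constructed sample: the post's ldd output for java, including the vDSO line.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff4f9fd000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00000038ed200000)
    libjli.so => /usr/java/jdk1.7.0_51/bin/../lib/amd64/jli/libjli.so (0x00002b875e483000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00000038ec600000)
    libc.so.6 => /lib64/libc.so.6 (0x00000038ec200000)
    /lib64/ld-linux-x86-64.so.2 (0x00000038ebe00000)'

# Constructed sample strace lines (not a real capture): one success, two distinct
# ENOENT paths, one of them repeated.
SAMPLE_STRACE='open("/lib64/libpthread.so.0", O_RDONLY) = 3
stat("/usr/local/tomcat/bin/setenv.sh", 0x7fff1c2e3a40) = -1 ENOENT (No such file or directory)
[pid  4912] open("/usr/share/zoneinfo/Asia/Shanghai", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4912] open("/usr/share/zoneinfo/Asia/Shanghai", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/dev/random", O_RDONLY) = 4'

# demo: run the parsers over the constructed samples; needs no root and no chroot.
demo() {
    echo "libraries java needs:"
    printf '%s\n' "$SAMPLE_LDD" | ldd_paths
    echo "paths the traced start could not find:"
    printf '%s\n' "$SAMPLE_STRACE" | strace_enoent
}

demo
```

On the real box the equivalent of the ldd step is `copy_with_deps /chroot /bin/bash /bin/sh /bin/uname /usr/bin/dirname /usr/bin/tty /bin/touch /usr/java/jdk1.7.0_51/bin/java`, followed by `ldd /usr/java/jdk1.7.0_51/bin/java | ldd_paths | missing_in_chroot /chroot` as the check that nothing was skipped; libm.so.6 and libnsl.so.1 still have to be copied by hand because the launcher loads them later via dlopen.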