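#!/bin/sh
#
# rev 0.6
#
# dxr@brutalsec.net
# 01-09-2009
#
# Runbook for building a chrooted web/mail hosting host on Debian lenny.
# It is written as a shell file so the commands can be read, checked and
# pasted step by step; it is NOT meant to be executed end to end, which is
# why it exits right after this header. Every command below assumes root
# on the real (host) system.
#
# We can create a script for configuring the chroot environment but,
# YOU MUST UNDERSTAND HOW IT WORKS so you can solve possible
# problems in the future.
#
# Every service has its own chroot environment:
#   BIND     -> chroot
#   Apache   -> chroot
#   Dovecot  -> chroot
#   Pureftpd -> Apache's chroot
#
# Only apache and php packages aren't installed in the real system,
# only in the chroot environment, with symbolic links from the real system.
#
# PLEASE, CONFIGURE THE CHROOT ENVIRONMENT ONLY IF SECURITY IS REALLY
# IMPORTANT FOR YOU AND YOU KNOW HOW IT WORKS!
#
# Guard: nothing below runs unless you deliberately remove this line.
exit 1

# Steps
#   1. BACKUP before changing anything on the system
#   2. Create partitions
#   3. Remove possible Apache or PHP installations on the real system
#   4. Prepare chroot environment
#   5. Link webserver application from the real system
#   6. mini_sendmail
#   7. Test services
#   8. How to install ispconfig3
#   9. Migration

#######################################
# 1. BACKUP before changing anything on the system
#######################################
# If this is not a new installation, then BACKUP, BACKUP, BACKUP
# (and once more: BACKUP) before going any further.

#######################################
# 2. Create partitions
#######################################
#   /var/www/                       Chroot partition (ext3)
#   /var/www/html/                  Chroot system
#   /var/www/html/var/log/apache2   Log partition (ext3)
#   /var/www/html/var/www/html      Webs partition (xfs)
#   /var/www/html/tmp               Temporary dir (tmpfs, options: )
#
#   /dev/lvm_foobar1/chroot_lv      -> /var/www/                      (ext3)
#   /dev/lvm_foobar2/apachelogs_lv  -> /var/www/html/var/log/apache2  (ext3)
#   /dev/lvm_foobar3/hosting_lv     -> /var/www/html/var/www/html     (xfs)
#
# The lvm_foobarN device names are placeholders; substitute your own.
# NOTE(review): the tmpfs mount options for /var/www/html/tmp were left
# blank by the author; a world-writable tmp inside the chroot is normally
# mounted noexec,nosuid,nodev.
mount /dev/lvm_foobar1/chroot_lv /var/www/
mkdir -p /var/www/html/var/log/apache2 /var/www/html/var/www/html
mount /dev/lvm_foobar2/apachelogs_lv /var/www/html/var/log/apache2
mount /dev/lvm_foobar3/hosting_lv /var/www/html/var/www/html

#######################################
# 3. Remove possible Apache or PHP installations on the real system
#######################################
# We never want apache or php installed in the non-chroot system. If they
# are already installed: back up their configuration, uninstall them, and
# check every symbolic link created in step 5.
dpkg -l | egrep --color -i 'apache|php'

#######################################
# 4. Prepare chroot environment
#######################################
# Install packages in the real system
apt-get install debootstrap libpcre3 libaprutil1 libxml2 mime-support \
  patch make gcc mysql-server subversion ssh openssh-server ntp ntpdate \
  vim libdbd-mysql libdbi-perl dnsutils

# Everything that is not the webserver is installed outside the chroot
apt-get install postfix postfix-mysql postfix-doc mysql-client openssl \
  getmail4 rkhunter amavisd-new spamassassin clamav clamav-daemon zoo \
  unzip bzip2 arj nomarch lzop cabextract apt-listchanges \
  libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon \
  libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip \
  libnet-dns-perl pure-ftpd-common pure-ftpd-mysql quota quotatool

# If you will use courier:
apt-get install courier-authdaemon courier-authlib-mysql courier-pop \
  courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 \
  libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql \
  courier-maildrop

# If you will use dovecot:
#apt-get install dovecot-imapd dovecot-pop3d

# If you will use BIND:
apt-get install bind9 bind9utils

#
# If we want to execute php from the real system (crontabs for example)
# we need to install the php dependencies in the real system:
#   libgd2-xpm libt1-5 libmagick10 libc-client2007b libmcrypt4
# Diagnostics when that is the problem:
#   cat /var/log/ispconfig/cron.log
#   ldd /usr/lib/php5/20060613/mcrypt.so
#

# Bootstrap the chroot. The mirror is reached over plain FTP; debootstrap
# itself is what validates the fetched Release data, so make sure the
# Debian archive keyring is installed on the host first.
time debootstrap --arch=amd64 lenny /var/www/html/ ftp://ftp.fr.debian.org/debian/

# Mount /proc and /dev/pts inside the chroot. These lines are appended on
# every run, so check /etc/fstab for duplicates if the step is repeated.
# NOTE(review): a /proc mounted inside the chroot exposes host process
# information to chrooted processes; keep that in mind when deciding who
# may log in to the chroot.
echo "/proc /var/www/html/proc proc defaults 0 0">>/etc/fstab
echo "devpts /var/www/html/dev/pts devpts defaults 0 0">>/etc/fstab
mount -a

# We must create the sshusers group (members are chrooted on login).
# NOTE(review): this relies on pam_limits understanding a "chroot" item;
# confirm that the PAM version on the target release supports it.
echo "@sshusers - chroot /var/www/html/">>/etc/security/limits.conf

chroot /var/www/html apt-get update
# NOTE(review): --force-yes also makes apt proceed when a package cannot be
# authenticated; prefer plain -y and fix the chroot's apt keyring instead.
chroot /var/www/html apt-get install fakeroot --force-yes -y
chroot /var/www/html apt-get install locales
chroot /var/www/html dpkg-reconfigure locales

# Move any host-side apache/php state aside so the symlinks in step 5
# can take their place.
mv /usr/lib/apache2 /usr/lib/apache2_old
mv /var/log/apache2 /var/log/apache2_old
mv /var/lock/apache2 /var/lock/apache2_old
mv /var/lib/apache2 /var/lib/apache2_old
mv /usr/lib/php5 /usr/lib/php5_old
mv /etc/apache2 /etc/apache2_old
mv /etc/suphp /etc/suphp_old

# The webserver stack is installed ONLY inside the chroot
chroot /var/www/html apt-get install apache2 apache2.2-common apache2-doc \
  apache2-mpm-prefork apache2-utils libexpat1 ssl-cert \
  libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap \
  phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec \
  php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick \
  libapache2-mod-suphp libopenssl-ruby libapache2-mod-chroot php-apc \
  libtimedate-perl

chroot /var/www/html /etc/init.d/apache2 stop
chroot /var/www/html a2enmod mod_chroot
chroot /var/www/html a2enmod suexec
echo "ChrootDir /var/www/html" > /var/www/html/etc/apache2/conf.d/mod_chroot.conf

# Point the default vhost at the webs partition
sed -i -e 's#DocumentRoot /var/www/#DocumentRoot /var/www/html/#' /var/www/html/etc/apache2/sites-enabled/000-default
# Register the suphp handler next to the existing php-cgi handler
sed -i -e 's#x-httpd-php=php:/usr/bin/php-cgi#x-httpd-php=php:/usr/bin/php-cgi\nx-httpd-suphp=php:/usr/bin/php-cgi\nx-httpd-php=php:/usr/bin/php-cgi#' /var/www/html/etc/suphp/suphp.conf
# Keep the pid file under /var/run/apache2/ (symlinked from the host in step 5)
sed -i -e 's#/var/run/apache2.pid#/var/run/apache2/apache2.pid#' /var/www/html/etc/apache2/envvars
# Cosmetic: enable vim syntax highlighting on host and chroot
sed -i -e 's/^"syntax on/syntax on/' /etc/vim/vimrc
sed -i -e 's/^"syntax on/syntax on/' /var/www/html/etc/vim/vimrc

# Protect the apache configuration. ONLY root can read it (the host-side
# /etc/apache2 symlink from step 5 resolves here, so this applies on both
# sides).
chown root:root /var/www/html/etc/apache2/ && chmod 700 /var/www/html/etc/apache2/
chmod 711 /var/www/html/etc/php5/

#######################################
# 5. Link webserver application from the real system
#######################################
# It is a good idea to add a Nagios alarm that checks every symbolic link
# below is still correct.
ln -s /var/www/html/etc/apache2 /etc/apache2
ln -s /var/www/html/etc/suphp /etc/suphp
ln -s /var/www/html/var/run/apache2 /var/run/apache2
ln -s /var/www/html/var/run/apache2.pid /var/run/apache2.pid
ln -s /var/www/html/usr/sbin/apache2ctl /usr/sbin/apache2ctl
ln -s /var/www/html/usr/sbin/apache2 /usr/sbin/apache2
ln -s /var/www/html/usr/lib/apache2 /usr/lib/apache2
ln -s /var/www/html/usr/sbin/a2enmod /usr/sbin/a2enmod
ln -s /var/www/html/usr/sbin/a2dismod /usr/sbin/a2dismod
ln -s /var/www/html/usr/sbin/a2ensite /usr/sbin/a2ensite
ln -s /var/www/html/usr/sbin/a2dissite /usr/sbin/a2dissite
ln -s /var/www/html/var/log/apache2 /var/log/apache2
ln -s /var/www/html/var/lock/apache2 /var/lock/apache2
ln -s /var/www/html/var/lib/apache2 /var/lib/apache2
ln -s /var/www/html/usr/lib/php5 /usr/lib/php5
ln -s /var/www/html/etc/init.d/apache2 /etc/init.d/apache2
# Necessary to install ispconfig3 from the real system:
ln -s /var/www/html/usr/bin/php5 /usr/bin/php5
ln -s /var/www/html/etc/alternatives/php /etc/alternatives/php
ln -s /var/www/html/usr/bin/php /usr/bin/php
ln -s /var/www/html/etc/php5 /etc/php5

#######################################
# 6. mini_sendmail
#######################################
# Install mini_sendmail for the chroot.
# We could use mini_sendmail to deliver e-mail directly to remote servers,
# but I prefer to control it in the central mailserver to check for
# spammers and apply limits.
#
# NOTE(review): both downloads below arrive over plain HTTP and the patch
# comes from a third-party mirror, with no signature. Compare the tarball
# against a checksum obtained through a trusted channel before building.
cd /tmp/
wget http://acme.com/software/mini_sendmail/mini_sendmail-1.3.6.tar.gz
tar xzf mini_sendmail-1.3.6.tar.gz
wget http://users1.leipzig.freifunk.net/%7Efirmware-build/brcm_2_4_Broadcom_default/build/openwrt_packages/mail/mini_sendmail/patches/200-fullname.patch
patch -p0 < 200-fullname.patch
cd mini_sendmail-1.3.6
make
# Author's hash of the resulting binary (md5sum output). It documents the
# author's own build rather than proving integrity of the source; MD5 is
# not a collision-resistant check.
# 2e555b2573c3ea65a467a5960f0b51f6  mini_sendmail

# Replace the chroot's sendmail with mini_sendmail
mv /var/www/html/usr/lib/sendmail /var/www/html/usr/lib/sendmail_old
mv /var/www/html/usr/sbin/sendmail /var/www/html/usr/sbin/sendmail_old
cp mini_sendmail /var/www/html/usr/sbin/mini_sendmail
cd /var/www/html/usr/lib/ && ln -s ../sbin/mini_sendmail sendmail
cd /var/www/html/usr/sbin && ln -s mini_sendmail sendmail

# ./mini_sendmail -h
# usage: ./mini_sendmail [-f] [-t] [-s] [-p] [-T] [-v] [address ...]

# Add to php.ini (/var/www/html/etc/php5/apache2/php.ini,
# /var/www2/etc/php5/cli/php.ini, /var/www2/etc/php5/cgi/php.ini, line 672):
#   sendmail_path = /usr/sbin/mini_sendmail -t -i -fhosting@alojamientotecnico.com -s127.0.0.1
sed -i -e 's#^;sendmail_path =$#sendmail_path = /usr/sbin/mini_sendmail -t -i -fhosting@alojamientotecnico.com -s127.0.0.1#' /var/www/html/etc/php5/apache2/php.ini /var/www/html/etc/php5/cli/php.ini /var/www/html/etc/php5/cgi/php.ini

#######################################
# 7. Test services
#######################################
# apache2ctl restart
# php -i|grep --color sendmail
#   sendmail_from => no value => no value
#   sendmail_path => /usr/sbin/mini_sendmail -t -i -fhosting@alojamientotecnico.com -s127.0.0.1 => /usr/sbin/mini_sendmail -t -i -fhosting@alojamientotecnico.com -s127.0.0.1
#   Path to sendmail => /usr/sbin/mini_sendmail -t -i -fhosting@alojamientotecnico.com -s127.0.0.1
#
# It should be a good idea to check /var/www/html/usr/lib/sendmail,
# /var/www/html/usr/sbin/sendmail and /var/www/html/usr/sbin/mini_sendmail
# with a Nagios alarm ;)

#######################################
# 8. Install ispconfig ........
#######################################
# NOTE(review): svn:// is an unauthenticated, unencrypted transport; the
# checkout cannot be distinguished from a tampered one in transit.
cd /tmp/
svn co svn://svn.ispconfig.org/ispconfig3 svn.ispconfig.org

# Move the installed tree into the chroot and link it back
mv /usr/local/ispconfig /var/www/html/usr/local/
ln -s /var/www/html/usr/local/ispconfig /usr/local/ispconfig
mv /var/www/apps /var/www/html/var/www/
mv /var/www/php-fcgi-scripts /var/www/html/var/www/
mv /var/www/ispconfig /var/www/html/var/www/
ln -s /var/www/html//var/www/ispconfig /var/www/ispconfig
ln -s /var/www/html/var/www/php-fcgi-scripts /var/www/php-fcgi-scripts
ln -s /var/www/html/var/www/apps /var/www/apps

# After the copy, we must clean unnecessary users and groups out of the
# chroot. Only passwd, group and apt are copied (no /etc/shadow), so no
# password hashes enter the chroot. Written out explicitly because
# /bin/sh (dash) has no brace expansion.
cp -r /etc/passwd /etc/group /etc/apt /var/www/html/etc/
apache2ctl stop
apache2ctl start

#######################################
# 9. Migration to another server
#######################################
# Really easy: do step 1, and afterwards a simple rsync:
screen
time rsync -a --progress root@host1:/var/www/ /var/www/
# Install some of apache's dependencies
apt-get install debootstrap libpcre3 libaprutil1 libxml2 mime-support
# Do step 5
# Do step 6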