BIND9 chroot installation procedure
http://extstrg.asabiya.net/pukiwiki/index.php?BIND9%20chroot%A5%A4%A5%F3%A5%B9%A5%C8%A1%BC%A5%EB%BC%EA%BD%E7
Setup procedure for running BIND9 inside a chroot.
BIND normally runs with root privileges; running it inside a chroot keeps the damage to a minimum should it be hit by a privilege-takeover attack.
- Installing BIND
  groupadd -g 400 named
  useradd -g named -u 400 named
  wget http://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz
  tar xfvz bind-9.3.2.tar.gz
  cd bind-9.3.2
  ./configure
  make
  make install
- Creating the chroot target directory
  mkdir /var/chroot
  mkdir /var/chroot/named
  mkdir /var/chroot/named/etc
  mkdir /var/chroot/named/var
  mkdir /var/chroot/named/dev
- Creating the device files
  mknod /var/chroot/named/dev/null c 1 3
  mknod /var/chroot/named/dev/random c 1 8
  cp /etc/localtime /var/chroot/named/etc
- Configuring syslog
Create an additional socket inside the chroot for syslog output.
  vi /etc/init.d/syslog
Modify start() as follows:
  start() {
      echo -n $"Starting system logger: "
      #daemon syslogd $SYSLOGD_OPTIONS
      daemon syslogd -m 0 -a /var/chroot/named/dev/log   ← modified
      RETVAL=$?
      echo
      echo -n $"Starting kernel logger: "
      daemon klogd $KLOGD_OPTIONS
      echo
      [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
      return $RETVAL
  }
Restart syslog:
  /etc/init.d/syslog restart
  ps ax | grep syslog
  13633 ?        Ss     0:00 syslogd -m 0 -a /var/chroot/named/dev/log
- named.conf and the zone files
named.conf and the zone files are kept inside the chroot directory; symlinks at the usual locations point to them.
  mv -f /var/named /var/chroot/named/var
  mv /etc/named.conf /var/chroot/named/etc
  cd /etc
  ln -s /var/chroot/named/etc/named.conf named.conf
  cd /var
  ln -s /var/chroot/named/var/named named
- Automatic startup (bind.init)
Use the following script:
  #!/bin/sh
  #
  # named         This shell script takes care of starting and stopping
  #               named (BIND DNS server).
  #
  # chkconfig: 345 55 45
  # description: named (BIND) is a Domain Name Server (DNS) \
  # that is used to resolve host names to IP addresses.
  # probe: true

  # Source function library.
  . /etc/rc.d/init.d/functions

  # Source networking configuration.
  . /etc/sysconfig/network

  # Check that networking is up.
  [ "${NETWORKING}" = "no" ] && exit 0

  [ -f /usr/local/sbin/named ] || exit 0
  [ -f /var/chroot/named/etc/named.conf ] || exit 0

  # See how we were called.
  case "$1" in
    start)
          # Start daemons. -u drops to the named user, -t sets the chroot,
          # -c is the config path relative to the chroot.
          echo -n "Starting named: "
          daemon /usr/local/sbin/named -u named -t /var/chroot/named -c /etc/named.conf
          echo
          touch /var/lock/subsys/named
          ;;
    stop)
          # Stop daemons.
          echo -n "Shutting down named: "
          killall named
          rm -f /var/lock/subsys/named
          echo
          ;;
    status)
          status named
          exit $?
          ;;
    restart)
          $0 stop
          $0 start
          exit $?
          ;;
    reload)
          /usr/local/sbin/rndc reload
          exit $?
          ;;
    probe)
          # named knows how to reload intelligently; we don't want linuxconf
          # to offer to restart every time
          /usr/local/sbin/rndc reload >/dev/null 2>&1 || echo start
          exit 0
          ;;
    *)
          echo "Usage: named {start|stop|status|restart|reload}"
          exit 1
  esac

  exit 0
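As an added check that is not part of the original page: a shell function that verifies the jail laid out above before named is started, so that a missing device node, a syslog socket that was never created, or a config file writable by the named user is caught up front. It assumes the jail path /var/chroot/named and the account named from the procedure, and GNU stat for the major/minor and owner lookups.

```shell
#!/bin/sh
# Sanity check for a BIND chroot jail laid out as in the procedure above.
# Assumes the jail path /var/chroot/named and the 'named' account from the
# procedure, and GNU stat (for major/minor and owner lookups).
# Usage: check_named_jail /var/chroot/named
# Prints one FAIL line per problem and returns the number of problems (0 = OK).
check_named_jail() {
    jail="$1"
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # Directory skeleton: etc, var, dev and the zone directory under var.
    for d in etc var dev var/named; do
        [ -d "$jail/$d" ] || fail "missing directory $jail/$d"
    done

    # Device nodes named needs inside the jail: null is char 1:3, random is char 1:8.
    check_dev() {   # check_dev PATH MAJOR MINOR
        if [ ! -c "$1" ]; then
            fail "$1 is not a character device"
        elif [ "$(stat -c '%t:%T' "$1")" != "$2:$3" ]; then
            fail "$1 has major:minor $(stat -c '%t:%T' "$1"), want $2:$3"
        fi
    }
    check_dev "$jail/dev/null" 1 3
    check_dev "$jail/dev/random" 1 8

    # syslogd -a must have created its listening socket inside the jail;
    # without it the chrooted named cannot reach syslog and its messages are lost.
    [ -S "$jail/dev/log" ] || fail "no syslog socket at $jail/dev/log"

    # Config and timezone data live inside the jail (the copies in /etc are symlinks).
    [ -f "$jail/etc/named.conf" ] || fail "missing $jail/etc/named.conf"
    [ -f "$jail/etc/localtime" ] || fail "missing $jail/etc/localtime"

    # The unprivileged account given to 'named -u' must exist.
    id named >/dev/null 2>&1 || fail "user 'named' does not exist"

    # The config must not belong to the named user: a compromised named
    # should not be able to rewrite its own configuration.
    if [ -f "$jail/etc/named.conf" ] && [ "$(stat -c '%U' "$jail/etc/named.conf")" = "named" ]; then
        fail "$jail/etc/named.conf is owned by the named user"
    fi

    return $problems
}
```

Run it as root after the steps above and before starting named; a non-zero return value means the listed problems must be fixed first.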
Last-modified: 2010-07-19 (Mon) 20:16:17