
Set up the www_perl Jail: Your Perl Web Application Server

by Christoph H. Larsen, last modified Nov 14, 2014 09:35 AM. Copyright 2010 - TODAY synaLinQ

Create the Jail

Issue as root from the base system (subsequently called host):

ezjail-admin create -f common www_perl 127.0.1.116

Edit /usr/local/etc/ezjail/www_perl on host as follows (only changed sections are shown):

# PROVIDE: www_perl_ezjail
# REQUIRE: secure_ezjail
# BEFORE:
#

export jail_www_perl_hostname="www_perl.jail.vlan"

From within the host, start the jail, which triggers flavourisation:

ezjail-admin start www_perl

Create a Mount Point for the Nginx Cache

From within the host, issue the following to create the mount point, add it to /etc/fstab and mount the cache directory:

mkdir -p /var/tmp/www_perl/nginx /usr/jails/www_perl/var/tmp/nginx
chown root:wheel /var/tmp/www_perl /usr/jails/www_perl/var/tmp/nginx
chmod 711 /var/tmp/www_perl /usr/jails/www_perl/var/tmp/nginx
chown root:www /var/tmp/www_perl/nginx /usr/jails/www_perl/var/tmp/nginx
chmod 770 /var/tmp/www_perl/nginx /usr/jails/www_perl/var/tmp/nginx
touch /var/tmp/www_perl/nginx/.do_not_delete
chmod 700 /var/tmp/www_perl/nginx/.do_not_delete
chflags sunlink /var/tmp/www_perl/nginx/.do_not_delete
echo "/var/tmp/www_perl/nginx /usr/jails/www_perl/var/tmp/nginx nullfs rw,nosuid 0 0" >> /etc/fstab
umount -a
mount -a
ezjail-admin start www_perl
ezjail-admin console www_perl

Enter the www_perl jail and make sure the mount does not get deleted when /var/tmp is cleared by periodic. To achieve this, edit /etc/periodic.conf as follows (only changed sections are shown):

#daily_clean_tmps_ignore=".X*-lock quota.group quota.user .snap"
daily_clean_tmps_ignore=".X*-lock quota.group quota.user .snap .sujournal /var/tmp/nginx"

Install Midnight Commander

Enter the www_perl jail and install mc:

ezjail-admin console www_perl
cd /usr/ports/misc/mc-light && make deinstall install distclean

Program     System prompt                        Your response
mc-light    Allow run mc inside mc               Yes
            Native language support              Yes
gmake       Native language support              Yes
libiconv    Include extra character sets         Yes
gawk        Native language support              Yes

Install nullmailer

From within the jail, issue as root:

cd /usr/ports/mail/nullmailer && make deinstall install distclean

Initialise the Package Audit Database

From within the jail, issue as root:

pkg audit -F

Note: pkg audit is also run automatically via cron, once a day.

Install portmaster

From within the jail, issue as root:

cd /usr/ports/ports-mgmt/portmaster && make deinstall install distclean

Note: We only mention configuration options if they have been selected. Deselected entries are not listed, to avoid clutter!
Note: If you want to force the install or upgrade of a port with prevalent security warnings, launch portmaster with the "-m DISABLE_VULNERABILITIES=yes" option.

Install unzip

From within the jail, issue as root:

cd /usr/ports/archivers/unzip && make deinstall install distclean

Install daemontools

From within the jail, issue as root:

cd /usr/ports/sysutils/daemontools && make deinstall install distclean

System prompt                                  Your response
Install Gerrit Pape's manual pages             Yes
Start normally in the usual boot sequence      Yes

From within the jail, issue the following to start up daemontools automatically:

echo '' >> /etc/rc.conf
echo '# Enable daemontools' >> /etc/rc.conf
echo 'svscan_enable="YES"' >> /etc/rc.conf

Create the daemontools service directory and start svscan:

mkdir -p /var/service
/usr/local/etc/rc.d/svscan start

Install the OpenLDAP Client

Issue the following from within the jail:

cd /usr/ports/net/openldap-24-client && make deinstall install distclean

Configure the OpenLDAP Client

From within the jail, create the configuration file from the sample and keep a reference to the original:

cp /usr/local/etc/openldap/ldap.conf.sample /usr/local/etc/openldap/ldap.conf
ln -fs /usr/local/etc/openldap/ldap.conf.sample /usr/local/etc/openldap/ldap.conf.orig

From within the jail, edit /usr/local/etc/openldap/ldap.conf as follows (only changed sections are shown):

#BASE           dc=example,dc=com
BASE o=[my organisation]

Note: Replace [my organisation] with the base DN of your directory.

#URI            ldap://ldap.example.com ldap://ldap-master.example.com:666
URI     ldap://ldap.jail.vlan ldaps://ldap.jail.vlan
#SIZELIMIT      12
SIZELIMIT 12
#TIMELIMIT      15
TIMELIMIT 30
IDLE_TIMELIMIT 3600
BIND_TIMELIMIT 5
#DEREF          never
DEREF never

Append the following to /usr/local/etc/openldap/ldap.conf:

echo "" >> /usr/local/etc/openldap/ldap.conf
echo "# Return immediately in case of error, to avoid blocking situations" >> /usr/local/etc/openldap/ldap.conf
echo "BIND_POLICY soft" >> /usr/local/etc/openldap/ldap.conf
echo "" >> /usr/local/etc/openldap/ldap.conf
echo "# SSL/TLS configuration" >> /usr/local/etc/openldap/ldap.conf
echo "TLS_CACERT      /etc/ssl/cacerts/ca.jail.vlan.cacert.pem" >> /usr/local/etc/openldap/ldap.conf
echo "TLS_REQCERT    demand" >> /usr/local/etc/openldap/ldap.conf

Install Nginx

From within the jail, issue:

cd /usr/ports/www/nginx-devel && make deinstall install distclean

Port    System prompt                                    Your response
nginx   Enable debug log                                 Yes
        IPv6 protocol                                    Yes
        Enable http module                               Yes
        Enable http_cache module                         Yes
        Enable http_realip module                        Yes
        Enable http_rewrite module                       Yes
        Enable http_stub_status module                   Yes
        Enable http_sub module                           Yes
        Enable html sample files                         Yes
pcre    Use the stack for recursion during matching      Yes

Adjust Use of System Resources

From within the jail, back up the original configuration file:

cp /etc/login.conf /etc/login.conf.orig

From within the jail, issue the following to define a login class that limits the system resources available to Nginx:

echo '#' >> /etc/login.conf
echo '## Localised settings' >> /etc/login.conf
echo '## nginx class' >> /etc/login.conf
echo 'nginx:\' >> /etc/login.conf
echo ' :memoryuse=128M:\' >> /etc/login.conf
echo ' :tc=standard:' >> /etc/login.conf

Add the www user to the nginx class, and rebuild the login capabilities database from within the jail:

pw usermod www -L nginx
cap_mkdb /etc/login.conf

To start Nginx automatically, issue the following from within the jail:

echo '' >> /etc/rc.conf
echo '# nginx' >> /etc/rc.conf
echo 'nginx_enable="YES"' >> /etc/rc.conf
echo 'nginxlimits_enable="YES"' >> /etc/rc.conf

Perform Configuration of Nginx' System Defaults

From inside the jail, back up the distribution configuration file and start with an empty one:

ln -s /usr/local/etc/nginx/nginx.conf-dist /usr/local/etc/nginx/nginx.conf.orig
echo "" > /usr/local/etc/nginx/nginx.conf

Re-create /usr/local/etc/nginx/nginx.conf to look exactly like this:

# general runtime settings
user www;
worker_processes 3;
worker_rlimit_nofile 8192;

events {
    worker_connections 4096;
    # use optimised polling for FreeBSD
    use kqueue;
}

# general server parameters
http {
    # MIME types
    include mime.types;
    default_type application/octet-stream;
    index index.html index.htm index.php;

    # size limits
    client_body_buffer_size 1k;
    client_header_buffer_size 1k;
    client_max_body_size 10m;
    large_client_header_buffers 3 3k;
    connection_pool_size 256;
    request_pool_size 4k;
    server_names_hash_bucket_size 128;

    # user limits
    # define a table called default_limit_zone, which uses 1 MByte to store per-address connection state
    limit_conn_zone $binary_remote_addr zone=default_limit_zone:1m;
    # limit simultaneous connections from one remote address to 10
    limit_conn default_limit_zone 10;

    # timeouts
    client_body_timeout 360;
    client_header_timeout 180;
    keepalive_timeout 360 60;
    send_timeout 360;

    # general options
    ignore_invalid_headers on;
    recursive_error_pages on;
    sendfile on;
    charset off;

    # list of trusted proxies (127.0.1.105); X-Forwarded-For is only honoured from these addresses
    set_real_ip_from 127.0.1.105;
    real_ip_header X-Forwarded-For;

    # tcp options
    tcp_nodelay on;
    tcp_nopush on;

    # log format ($request_time is reported by nginx in seconds)
    log_format main 'From: $remote_addr | Time: $time_local | '
                    'Cache status: $upstream_cache_status | Cache control: $upstream_http_cache_control | Cache expires: $upstream_http_expires | '
                    'Request: $request | Status: $status | Body sent: ${body_bytes_sent}b | '
                    'Requested: ${request_length}b | Total sent: ${bytes_sent}b | Referrer: $http_referer | '
                    'User agent: $http_user_agent | Request time: ${request_time}s | Compression: $gzip_ratio ';
    # access is logged to the default central location
    access_log /var/log/nginx-access.log main;
    # errors are logged to the default central location
    error_log /var/log/nginx-error.log crit;

    # spool settings
    # spool uploads to disk instead of clobbering downstream servers
    client_body_temp_path /var/tmp/nginx/upload_temp 1 2;

    # fastcgi cache settings
    fastcgi_cache_use_stale updating;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";

    # include site-specific user limits and fastcgi cache settings
    include include/server/*;

    # virtual hosting
    include include/vhosts/*;
}
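To make the trust boundary in the configuration above concrete, here is an added Python model (not code from this page or from nginx) of how "set_real_ip_from 127.0.1.105" / "real_ip_header X-Forwarded-For" and "limit_conn default_limit_zone 10" combine to choose the per-client connection-limit key. The proxy and client addresses in the scenario are constructed.

```python
import ipaddress
from collections import Counter

# Values taken from the nginx.conf on this page.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.1.105")]  # set_real_ip_from
CONN_LIMIT = 10                                            # limit_conn default_limit_zone 10
LIMIT_STATUS = 503                                         # nginx's default limit_conn_status


def effective_client(remote_addr, x_forwarded_for=None):
    """Address nginx exposes as $remote_addr / $binary_remote_addr.

    The realip module rewrites the peer address only when the TCP peer is
    listed in set_real_ip_from. Without real_ip_recursive it takes the LAST
    address of X-Forwarded-For; an unparsable value leaves the peer unchanged.
    A client that connects directly and forges the header therefore cannot
    choose its own limit key.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not x_forwarded_for or not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except (IndexError, ValueError):
        return str(peer)


class ConnZone:
    """Stand-in for limit_conn_zone $binary_remote_addr plus limit_conn 10."""

    def __init__(self, limit=CONN_LIMIT):
        self.limit = limit
        self.active = Counter()  # key -> currently open connections

    def open(self, remote_addr, x_forwarded_for=None):
        """Admit a new connection; returns (key, status) as nginx would answer."""
        key = effective_client(remote_addr, x_forwarded_for)
        if self.active[key] >= self.limit:
            return key, LIMIT_STATUS
        self.active[key] += 1
        return key, 200

    def close(self, key):
        """Release one connection for key once its request has finished."""
        if self.active[key] > 0:
            self.active[key] -= 1


def demo():
    """Constructed scenario: 11 concurrent requests of one real client arriving
    via the trusted front proxy, then one direct connection that forges
    X-Forwarded-For to look like that client."""
    zone = ConnZone()
    via_proxy = [zone.open("127.0.1.105", "203.0.113.7")[1] for _ in range(11)]
    forged_key, forged_status = zone.open("198.51.100.9", "203.0.113.7")
    return via_proxy, forged_key, forged_status


if __name__ == "__main__":
    print(demo())
```

The eleventh request via the proxy is refused with 503, while the direct connection is counted under its own peer address, so the forged header neither inherits nor pollutes the real client's quota.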

Note: For the sake of simplified administration, we are going to treat all hosted domains as virtual domains.
Note: In your virtual host configurations, define one of your virtual domain servers as the default, to avoid erratic forwarding of server names in HTTP headers.

From inside the jail, back up the distribution configuration file:

ln -s /usr/local/etc/nginx/fastcgi_params-dist /usr/local/etc/nginx/fastcgi_params.orig

From within the jail, issue as root:

echo "" >> /usr/local/etc/nginx/fastcgi_params
echo "# Localised settings" >> /usr/local/etc/nginx/fastcgi_params
echo "fastcgi_connect_timeout           60;" >> /usr/local/etc/nginx/fastcgi_params
echo "fastcgi_send_timeout              180;" >> /usr/local/etc/nginx/fastcgi_params
echo "fastcgi_read_timeout              180;" >> /usr/local/etc/nginx/fastcgi_params
echo "fastcgi_buffer_size               128k;" >> /usr/local/etc/nginx/fastcgi_params
echo "fastcgi_buffers                   4 256k;" >> /usr/local/etc/nginx/fastcgi_params
echo "fastcgi_busy_buffers_size         256k;" >> /usr/local/etc/nginx/fastcgi_params
echo "fastcgi_temp_file_write_size      256k;" >> /usr/local/etc/nginx/fastcgi_params
echo "fastcgi_intercept_errors          on;" >> /usr/local/etc/nginx/fastcgi_params

From inside the jail, set up log rotation for the Nginx log files:

echo '/var/log/nginx-access.log root:wheel 644 7 * $D0 GJ' >> /etc/newsyslog.conf
echo '/var/log/nginx-error.log  root:wheel 644 7 * $D0 GJ' >> /etc/newsyslog.conf

Install spawn-fcgi

From within the jail, issue:

cd /usr/ports/www/spawn-fcgi && make deinstall install distclean

Install Perl

From within the jail, issue as root:

setenv PERL_VERSION 5.16
cd /usr/ports/lang/perl${PERL_VERSION} && make deinstall install distclean

System prompt                Your response
Use 64 bit integers          Yes
Build with -pthread          Yes
Build threaded perl          Yes

Install fcgiwrap

From within the jail, issue:

cd /usr/ports/www/fcgiwrap && make deinstall install distclean

Install CPAN:App::cpanminus

From within the jail, issue:

cd /usr/ports/devel/p5-App-cpanminus && make deinstall install distclean

Install CPAN:Locale::Maketext

Required by: Foswiki core
From within the jail, issue:

cd /usr/ports/devel/p5-Locale-Maketext && make deinstall install distclean

Install CPAN:HTML::Parser

Required by: Foswiki core
From within the jail, issue:

cd /usr/ports/www/p5-HTML-Parser && make deinstall install distclean

Install CPAN:HTML::Tree

Required by: Foswiki core
From within the jail, issue:

cd /usr/ports/www/p5-HTML-Tree && make deinstall install distclean

Install CPAN:URI

Required by: Foswiki core
From within the jail, issue:

cd /usr/ports/net/p5-URI && make deinstall install distclean

Install CPAN:libwww-perl

Required by: Foswiki core
From within the jail, issue:

cd /usr/ports/www/p5-libwww && make deinstall install distclean

Program             System prompt               Your response
p5-libwww           HTTPS protocol support      Yes
p5-IO-Socket-SSL    IPv6 protocol support       Yes

Install CPAN:version

Required by: Foswiki core
From within the jail, issue:

cd /usr/ports/devel/p5-version && make deinstall install distclean

Install CPAN:Digest::SHA1

Required by: Foswiki core
Issue the following from within the jail:

cd /usr/ports/security/p5-Digest-SHA1 && make deinstall install distclean

Install CPAN:Crypt::Eksblowfish

Required by: Foswiki core
Issue the following from within the jail:

cd /usr/ports/security/p5-Crypt-Eksblowfish && make deinstall install distclean

Install CPAN:FCGI

Required by: Foswiki - FastCGIEngineContrib
Issue the following from within the jail:

cd /usr/ports/www/p5-FCGI && make deinstall install distclean

Install CPAN:FCGI::ProcManager

Required by: Foswiki - FastCGIEngineContrib
Issue the following from within the jail:

cd /usr/ports/www/p5-FCGI-ProcManager && make deinstall install distclean

Install CPAN:Getopt::Long

Required by: Foswiki - FastCGIEngineContrib
Issue the following from within the jail:

cd /usr/ports/devel/p5-Getopt-Long && make deinstall install distclean

Install CPAN:Pod::Usage

Required by: Foswiki - FastCGIEngineContrib
Issue the following from within the jail:

cpanm Pod::Usage

Install CPAN:Time-modules

Required by: Foswiki - DBCacheContrib
Issue the following from within the jail:

cd /usr/ports/devel/p5-Time-modules && make deinstall install distclean

Install CPAN:BerkeleyDB

Required by: Foswiki - DBCacheContrib
From within the jail, issue as root:

cd /usr/ports/databases/p5-BerkeleyDB && make deinstall install distclean

Program    System prompt           Your response
db5        Cryptography support    Yes

Install CPAN:Net::LDAP

Required by: Foswiki LDAPContrib
Issue the following from within the jail:

cd /usr/ports/net/p5-perl-ldap && make deinstall install distclean

Install CPAN:DB_File::Lock

Required by: Foswiki LDAPContrib
Issue the following from within the jail:

cd /usr/ports/devel/p5-DB_File-Lock && make deinstall install distclean

Install CPAN:IO::Socket::INET6

Required by: Foswiki LDAPContrib
Issue the following from within the jail:

cd /usr/ports/net/p5-IO-Socket-INET6 && make deinstall install distclean

Install CPAN:File::MMagic

Required by: Foswiki XSendFileContrib
Issue the following from within the jail:

cd /usr/ports/devel/p5-File-MMagic && make deinstall install distclean

Install the OSSEC Agent

From within the jail, issue:

cd /usr/ports/security/ossec-hids-client && make deinstall install distclean

From within the jail, clean up and make the configuration files more accessible:

ln -fs /usr/local/ossec-hids/etc/ossec.conf.sample /usr/local/etc/ossec.conf.orig
ln -fs /usr/local/ossec-hids/etc/ossec.conf /usr/local/etc/ossec.conf
ln -fs /usr/local/ossec-hids/logs /var/log/ossec-hids

Make /usr/local/etc/ossec.conf look exactly as follows:

<!-- LOCALISED CLIENT VERSION (WWW_PERL) -->

<ossec_config>
  <client>
    <server-ip>127.0.1.254</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed (default: every 2 hours) -->
    <frequency>7200</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc</directories>
    <directories check_all="yes">/usr/local/bin,/usr/local/sbin</directories>
    <directories check_all="yes">/root/bin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>

  <active-response>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>

  <rootcheck>
    <rootkit_files>/usr/local/ossec-hids/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/usr/local/ossec-hids/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/usr/local/ossec-hids/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/security</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>
</ossec_config>

Open another terminal window, log into the server via SSH, and issue the following from inside the host:

/usr/local/ossec-hids/bin/manage_agents

System prompt                                       Your response
Choose your action:                                 e
Provide the ID of the agent to extract the key:     116
Note: Keep this terminal window open and copy the key issued onto your workstation's clipboard!
                                                    [Enter]
Choose your action:                                 q

From the previous terminal window, issue inside the jail:

/usr/local/ossec-hids/bin/manage_agents

System prompt                                       Your response
Choose your action:                                 i
Note: Paste the key issued by the OSSEC server here!
Confirm adding:                                     y
                                                    [Enter]
Choose your action:                                 q

From within the jail, issue:

/usr/local/etc/rc.d/ossec-hids restart

Exit to host, and issue:

exit
/usr/local/etc/rc.d/ossec-hids restart

Test the OSSEC system from within the host. First, collect the server data by issuing:

/usr/local/ossec-hids/bin/agent_control -i 000

Now, collect data from the jail:

/usr/local/ossec-hids/bin/agent_control -i 116

Note: You should see up-to-date agent information for the server (ID: 000) and the www_perl jail (ID: 116), each stating:
Status: Active

Clean up

Each newly installed program is compiled from ports, which pulls in a few auxiliary build-time programs, so it is necessary to clean up after compilation. If all went well, issue the following from within the jail:

portmaster -s

Now, deploy portmaster's automatic clean-up mechanisms from within the jail to deal with the rest:

portmaster -y --clean-distfiles
portmaster --check-depends
portmaster --check-port-dbdir

Note: Reply "y" when prompted, to have all dependent packages purged.
