Name: 호석 (211.xxx.74.31)

Date: 2006-03-29 08:51:07

Title: [Defense] prevent program: automatic registration after 5 or more ssh failures
|
The prevent program
While the prevent program was running, I found that once /var/log/secure was log-rotated,
it could no longer analyze the secure log.
To get around this:
[root@manpage root]# vi /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/sleep 1              # wait one second
        /root/prevent stop        # enter the absolute path where prevent is installed
        /root/prevent stop        # absolute path
        /root/prevent start &     # absolute path
    endscript
}
#hostway.kh
#2005-03-11
At Hostway we have developed and are distributing a program that can defend
against ssh bruteforce attacks.
Anyone who needs it is welcome to download and use it.
< Brief description of prevent-0.6 >
prevent-0.6 analyzes the /var/log/secure log in real time,
detects failed ssh logins, and is meant to detect and block
bruteforce attacks, that is, illegitimate access attempts.
(It is a program that applies a clipping level to the accessing IP.)
< Running it >
After setting permissions with chmod 700 prevent,
start it with ./prevent start & so that it keeps running in the background.
Stop it with ./prevent stop; typing ./prevent by itself shows how to run the program.
< Overview of how the program works >
Because it is statically compiled, it runs on any version of the Redhat
distribution. (Distributions with a structure similar to Redhat should
work as well.)
One thing I do recommend:
the /var/log/secure file must exist,
and blocking is done through /etc/hosts.deny, so /etc/hosts.deny
must contain the following.
vi /etc/hosts.deny
-------------
sshd: . /etc/denyip
-------------
The /etc/denyip file is created automatically when the program runs, and its permissions
are set to 0600 so that only root can read and write it.
Because a clipping level of 5 is applied to failed ssh logins,
after five failed connections the IP is automatically registered in denyip
and blocked.
(The failed connections of an IP are counted in /var/log/prevent/(IP that has had a failed connection); counting is done per IP.)
(The prevent directory is created automatically.)
* However, if even one of the 5 attempts is a normal login, the failure record is cleared.
(Prevents blocking of legitimate users.)
Conditions for registration in and removal from /var/log/prevent/IPS
- Registration: as soon as an ssh login fails even once, the IP is registered automatically and counted.
- Removal: 1) when ssh logins have failed 5 times and the IP is registered in denyip, it is removed.
  2) when an ssh login succeeds even once within those 5 attempts, it is removed.
호석
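The counting rules described in the post (count every failed ssh login per IP, block at clipping level 5, clear the count on a single successful login) are worked through below on a constructed sample of /var/log/secure. This is an added example, not the prevent program's own code: the PreventState class, the FAILED_RE/ACCEPTED_RE patterns and the in-memory stand-ins for /var/log/prevent/IPS and /etc/denyip are assumptions of the example, and the hostname "manpage" is the only value taken from the post.

```python
import re

# Threshold from the post: five failed ssh logins from one IP -> block (clipping level 5).
CLIPPING_LEVEL = 5

# OpenSSH's "Failed password" / "Accepted" lines as they appear in /var/log/secure;
# the capture group is the client IP. (Patterns are this example's assumption.)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for \S+ from (\d+\.\d+\.\d+\.\d+)"
)


class PreventState:
    """In-memory model of what the post says prevent keeps on disk (an assumption
    of this example): self.ips mirrors /var/log/prevent/IPS (ip -> failure count)
    and self.denyip mirrors /etc/denyip (blocked IPs, one per line)."""

    def __init__(self, clipping_level=CLIPPING_LEVEL):
        self.clipping_level = clipping_level
        self.ips = {}
        self.denyip = []

    def feed(self, line):
        """Apply one secure-log line; return the resulting event, or None."""
        m = FAILED_RE.search(line)
        if m:
            ip = m.group(1)
            if ip in self.denyip:
                return None  # already blocked; hosts.deny refuses it from here on
            self.ips[ip] = self.ips.get(ip, 0) + 1  # registration: first failure counts
            if self.ips[ip] >= self.clipping_level:
                # Removal condition 1): clipping level reached, move IP to denyip.
                del self.ips[ip]
                self.denyip.append(ip)
                return ("deny", ip)
            return ("count", ip, self.ips[ip])
        m = ACCEPTED_RE.search(line)
        if m:
            ip = m.group(1)
            # Removal condition 2): one successful login clears the failure record.
            if self.ips.pop(ip, None) is not None:
                return ("clear", ip)
        return None

    def render_denyip(self):
        """Contents of /etc/denyip as hosts.deny would read it: one IP per line."""
        return "".join(ip + "\n" for ip in self.denyip)


def analyse(lines, clipping_level=CLIPPING_LEVEL):
    """Run every line through the state machine; return (state, list of events)."""
    state = PreventState(clipping_level)
    events = []
    for line in lines:
        event = state.feed(line)
        if event is not None:
            events.append(event)
    return state, events


# Constructed sample of /var/log/secure: addresses, users and PIDs are made up.
SAMPLE_SECURE_LOG = [
    "Mar 29 08:40:01 manpage sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 40211 ssh2",
    "Mar 29 08:40:03 manpage sshd[2103]: Failed password for invalid user test from 10.0.0.5 port 40213 ssh2",
    "Mar 29 08:40:05 manpage sshd[2105]: Failed password for root from 10.0.0.5 port 40215 ssh2",
    "Mar 29 08:40:06 manpage sshd[2107]: Failed password for hoseok from 10.0.0.7 port 51000 ssh2",
    "Mar 29 08:40:07 manpage sshd[2107]: Failed password for hoseok from 10.0.0.7 port 51000 ssh2",
    "Mar 29 08:40:09 manpage sshd[2107]: Accepted password for hoseok from 10.0.0.7 port 51000 ssh2",
    "Mar 29 08:40:10 manpage sshd[2109]: Failed password for root from 10.0.0.5 port 40217 ssh2",
    "Mar 29 08:40:12 manpage sshd[2111]: Failed password for root from 10.0.0.5 port 40219 ssh2",
    "Mar 29 08:40:20 manpage sshd[2113]: Failed password for hoseok from 10.0.0.7 port 51002 ssh2",
]

if __name__ == "__main__":
    state, events = analyse(SAMPLE_SECURE_LOG)
    for event in events:
        print(event)
    print("/etc/denyip would contain:\n" + state.render_denyip(), end="")
    print("still counting:", state.ips)
```

In the sample, 10.0.0.5 reaches the fifth failure and ends up in the denyip list, while 10.0.0.7 has its two failures wiped by the successful login and starts counting again from one afterwards, which is exactly the "legitimate user is not blocked" behaviour the post describes. A real daemon would write render_denyip() to /etc/denyip with mode 0600 as the post states; the example deliberately keeps everything in memory, and it does not handle the rotated-file problem the post opens with (the post's own fix for that is restarting prevent from the logrotate postrotate script).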
1) #####################
# vi /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/sleep 1
        /etc/init.d/prevent stop
        /etc/init.d/prevent stop
        /etc/init.d/prevent start &
    endscript
}
2) ##################
cp prevent /etc/init.d/prevent
chmod 700 prevent
./prevent start &    # start defending
3) ##################
vi /etc/hosts.deny
-------------
sshd: . /etc/denyip
06-03-29 09:00
211.xxx.74.31