Linux Server Security

Hardware
Software 4 Linux 4 Internet Server
4? Open source EE F
H 4F Linux Server
Security 4EE4
4 (Tools)
H ? Software Open source F
(Update)
F4?EE F4 H
4 E
.4 .. 2550
F 4 Centralize Log Server
EE 4
4 Configuration
4 ?4
2551 E

E
2551

1 Overview 1
2 Network Model 17
3 Kernel Harden 43
4 Web Server Security 81
5 Mail Server Security 99
6 DNS Server Security 115
7 FTP Server Security 135
8 Secure Shell 147
9 Firewall Using IPTABLES 155
10 sXid 189
11 Log check 195
12 Port Sentry 203
13 Tripwire 221
14 Snort (IDS) 233
15 Backup and Restore 255
279

C

) 1 Overview

Server
#$%'
*,'%

(Overview)
/0%/$ 0$ *
$ Internet 9/'$ $0
*#:$$<
/$'*$$0,'
//:/90 /0
Hardware Software /$/$/$ </
900#%$ /0$:$
9*%$,$
$$$*$/$/
$%0*$/,$%%90$,/
%:$,< 09/,'$
I$,,/#//#/*
/,$/* ///0$//

) 1 Overview .....: 1

$% %$0$ Update patch 9#%</


/ Security OS Application $/*T
%$ Server %$<' ,$
Linux $$,/$$ $
I %$$$ Update patch %$
* Linux $/0$,#%$
//$ $/* $$///
/* /*/0$
9$#$/0
1. ///$#/
$/,$% (Service) ,<
$//$*%$$
:$,$%//*/0
1.1 (Physical Security) */
,,,/ Server ,' Network
1.2 / ' ' (Files and File System
Security) //%0'%%$ 9
'
1.3 9%//
(Data Encryption, Cryptography and Authentication) /9 /
%%/%////,/
1.4 Kernel Security ////%/
# Kernel 90,$$


1.5 Network Security /9///%/$/


%////,*#%% Linux /
/ Network
1.6 ,,'/%90 (Incident Control) /$%/
,,'/%$$ 6 0 6 0/0
/$/990,'%90%$
1.7 Exploits //,,$
%/,,$0$/9
$/
1.8 Security Sources /*$//
* (Linux Security Administrator)
1.9 Firewall and Border Patrol /*//%
Firewall //* Linux /$,
1.10 *'/ ///*' $ /
$*$

1.11 /9* *<:$ /%90


,0:0$
1.12 *$ log file
/var/log/messages 9$/**$0
1.13 / < / Update /
/%0$0/// * Update
,$


2. Host Security $/0,$$/


/, ,$/%90 Server */#
$//$ host-based /<,, $*
$// /#$ Service # User account / Update
/*/ $/0//$
$$
3. Network Security /0</*$$ 2 $$
///*/$/*$*
9 Internet $/*
Network </*,,9 host-based $$ 9/
* # 0 $ * % % $ 9
%0 Firewall //</ $$$/$$
9*#< /0$9*
/
4. //%9 ///$$
$0$/%// login
name root toor * root $ login 9$
%$*/0$*% root
, *$ $ OS Application $/ root $
*%$$ $<*/0% <
*$$/ root *,0 $ service
/ root /var/log/secure $%/0%/,,


9 Server $$$//$$/$
/, site <
5. *9 //
Data communication / $ Internet / / /
Software 9/*$ 9
00%' $/$
$$$%'9/9$
Internet //%, /*%% User account
/%%$%* /
account /$,<% 9,/%/,$//
$ Cracker * account 9
$$ %'# 0$/*/$/*$
Cracker Hacker $$I$I* $
*$ 9//*
/$$:$/$$$
*#, $*/0$$$
'/%/
6. %$/,$$ /,$$
0/$/0/$,$/0
- $ web site //,$#,$
$ The Computer Emergency Response Team web site $
//%


- TCP UDP 90 $ /
0$%$z
- : Version Software /%'/
//,$ <://
*,,*%//,#$
- */$:$$ $
*#$* Service //$<*
$/ */**/90/
7. *$9/$/ %/*9<
$/% ' /// ' $ % $
*%/%%% ' // Linux $$
$: Cracker //% * profile linux user
* %/*/ //
$% $' %90 account /$/
/$/,<
, $ *,$
% % / , /
%'/$/$/
$ % ' $ , / / $ / , login
%' 9/ security policy *, policy
%$$
,***99%$ /0


- // password $0$
- /,$
- /* guess password $
- / Backdoor $
9,*, site <<$$$*
account / $/%%%<
$$/ password $$9/<
,$//%$ $/0<9<$,
$/
8. # $/*
/*#/$ /
$$ ,,$$ ,%'%/
# $ * # / $ / /
' // %$ $/0
- / (Risk) %/,,
*< $ /' execute /
$$/9 account ,<
- , (Threat) %/$,/%%|
%/$/%% $%
,,,%$ / /0
1. < /0/$#
OS /$


2. ' /0$$/$ %/,$


T /< /%$ ,%
3. % /0,90/#
/' *%/*
4. $ /0,$*,
% //*%
- $ /,/
$///#,,/$/
/,0,, %//$/%/ /
% $ $ Hardware, Software $,$ 9
$ $ Network bandwidth, disk space
9. /*99$
*/$$$*
#/ $$ 0
%$9$$$ account
,% 0
$/ 0*
/*/'/0
- /$/
- %//$#$
- ,//,*/,,
- $$$,$
- ,$$


- ,,$/
/*/* /
:/%/ *:,,'
$%/%
10. /*//*
*/,$$
9$$ $ ,%$$',
// /,,*$%0
,,*/<//
*$%*% 0$*%0
$'$ * 9 9 ' $ $ /0
%$/%0%'$ 9
host security network security
11. ///9//%90
* :$0< 9* 9#
%<#:%'%90$<$0
$* 9* $ $/*
$/$
%0$ *0 11 /$
,*$%%% $$/
%%% /9 $ 6 $ /0
1. Server Security $////
$,/0$/*/%$/, ,$


,'90 Server 90<%$$ /$


/,// Server ,'//
9/9 Server 2 %//0
1.1 Physical Access %//0$%/*/
,,$$ Server 0$/$0 99%//0 #
%//0#$9$
1.2 Remote Access 9 Server %//0%/9
$,,$$// Server $
$$/$ Internet /%$
$/ /%$ $$/$9$/$
$<$:*<#/
/ $<9 Server $//
<*/*#
//0*$
1.2.1 Server /, Access $
1.2.2 //%%%$9 Server
$<$/%
,/%%/$ $/ %/*/
#*%//0<9/$
2. Operating System Security %%//$:,/$
/% $$<,$$ ,'
%*$9$
%'/$//*// $


$/0$//
%%<$90 %%//
</$$ $ Microsoft UNIX //
Novell $ 0/0*$$//%%
/0/$$,:$ $ Bug :
//$9$$//* 9/*
%% Open Source *9$/%
,$$ ,,$/
/$:#%%/
<*$$/%:/,/,*$
"Harden" 9//9$
3. Communications Security /0%/%
% / % Server *: , /
/$<%/%90 0/%
/0/%'$ ///$$
/$*/ /$$/0
,$ Hardware 0$ Hardware /0
$$9$/%*#$
9$/*< Digital Certificate
/$9$
Digital Certificate //0, /0
3.1 Electronic ID $/ Server Site /* //
*$$<


3.2 Certification Authority (CA) /%$


/%%$0
3.3 //0$ * $ Server
$ Domain Name, Serial Number, Expiration Date 9 Public Key //
<%%/
3.4 Certificate-issuing Authority (CA) /$$ /$
/%$0
3.5 /0/ X.509

/ 1.1 *


/ 1.2 Secure Socket Layer (SSL)

4. Service Security /0,/*/00*


$ Server ,%$ /$
%/*$$$/
/0/%/# Service / Internet $0
9/ Service /$$/$$$:,$ Web
Server, Mail Server, DNS Server FTP Server #
/////:$ /*
*%
5. Application Security * /0 9 / $ /
/* Application $ %$ Internet


*$< $ PHP $ MySQL Java Web


Application 0/**<$ %0$9/$
0///$ */ Protocol Port
99%/# Application 0 $/
<// PHP Nuke $$9/$
$$//$$ $%/# 9//
Application Server 0/9#$
$/$9$99%$$ 9%90
#$ $ $# Application $ * $
%%/$ /090%$$
$/$< Hack $* /0$*
$$$*# $$<
$$ Application Server *$//
$
6. User Security $9$ User $$<
*% %'$$$
$ Internet $ %//
Username Password ,$*% $$%$
$$%*<*/0$ $
$ (Password Policy) 0 $ Policy User
$/0
6.1 $ (Password strength) /$/$
/'%0/0$$ 8


$ $/0/ User 0%0$%


$0$**$$/ %'<
//$ $ ' z%/
/09,,$$//'*
$$0$/0$*$ Login
Random $//$/ < Login $
$
6.2 *$$, *$
User $,/$ //$, 45 ,,
$%$ <:
/$$/$%$<$$$0
<0$%/</$/$
<$$*/$$
6.3 ,// User Security Server
$$*
6.4 *$* Update anti-spy ware anti-
virus $$*$/
6.5 ,%%%'/
9:(Audit) 9
%%$ User $ ///%%
%////<0/'
*$ 6 /0


1. Authentication
2. Confidentiality (Privacy)
3. Integrity
4. Availability
5. Non-Repudation
6. Auditing

*///$* $/
9 $,0,,/%90$ :,
/0/ ,%$$
9%%%%%//:, $*
,'9%%/*0/ /$$$% $$*
% /* $$$/
//0 ,$<%:I,$/
Network '$$$//*
$/$ * 9 /
:/</ /<* 9$*$
* /*0/9$$'
'$


!2 2 Network Model

Internet Server

,./

!%'
1. Data communication /
2. .= (Specification)
3. // .=/
4. / /EG,

Network Model
,I/GII/ /
1 , L/,
/I G,
,.=
/=/I / ,
E Model / /,


/ I / / I /
.III

2.1

Prevention /ES ,
E ,/,/GS/
./
/=,/LI (Detection)
(Response) / ./.S//GI/I
,//,S

Detection GS=GI
X//GIS (Prevention)
,E/X/
,XLI


Response =
/,ESX
X/ E
E.E/
SGI
/ ISO/OSI Model . .
OSI Model 7 Layers ,, Model I
/SLS / Model /I/
1 IE Layer 8 / People Layer

2.2 OSI Model + People layer


, Layer 8 GI OSI Model / 7 Layers E


People Layer EI,/ ..= /
/G,I/ OSI Model /
// People Layer E,II//E.
./ ./ . ./ E = .
EX,/,.II
/E/ Router ,L, Router /
/ GE
// I/ Router , / /
. = Router , Packet filtering G /
L./ . /,GG/
Router L/G/
/ Protocol ,/ 1 hop G Router ./
L,/

2.3 IP Traffic flowing over a router


G / , Packet Filtering L
.=, Firewall , Router G/,EI Firewall
E Hardware engine /= Software ,
Firewall , , / I Version
.=/
../. ,/
// /..//=
/ /I,E/
I/SI
Denial-of-Service Attacks (DoS)
///IE User ,/
E,/
/ /, 2
1. SYN Flood E/ TCP packet /
/ TCP three-way handshake Server /S.
// new TCP connections LI ( S
Firewall iptables:state NEW )


2.4 / TCP three-way handshake

2.5 SYN flood


2.6 SYN flood Firewall

2. Smurf attack E persistent S


/I . smurfing SL
=L / (Attacker) ,,
/E,/ Broadcast address ip address GI//
ICMP packet S


2.7 / Smurf attack

IP Fragmentation Attacks: Ping of Death //,


IP packet fragmentation ,/ packet / IP address
E, /S /S/
Packet /E,/ Reply I,
.,


2.8 / Ping of death

Distributed Denial-of-Service Attacks , / Internet


/S

2.9 / DdoS


S//I ,
/I
1. Filter packets broadcast address
2. z broadcasts Network
3. Block . packet Internet / address
4. Block firewall . packet protocol port //
, Internet network
5. Block packets ./ source address //

Spoofing E/ IP address,
MAC address / // /
1. IP address spoofing
2. ARP poisoning
3. Web spoofing
4. DNS spoofing


2.10 /I packet

2.11 / Web spoofing


/IE/ L LE 3 /
/ E/ / (Internet or Network Uplink) / E Firewall
/E/ (Internal Network)
S/ Firewall I IPTABLES Linux ,,
/ Configuration .= /I 6 /
I
1. Single Layer Firewall

2.12 Single Layer Firewall


E / / / , S
Firewall G/=,I Firewall
, packet filtering Router I= IPTABLES ,


E Firewall L I../
/ S,../ Internal network
I . . , / Bastion host G/
Internal network /
2. Two Layer Firewall

2.13 Two Layer firewall

ELGI Firewall 2 (I
Firwall 2 .) S.. S Internal network /


packet /EI DMZ ,I Server


service / GI.. Bastion host DMZ

3. Merge Interior & Exterior

2.14 Merge interior & exterior

E Firewall 2 .
,I/ E=/ NIC 3
,E Exterior, DMZ Interior , Configuration /


Zone , / Firewall = Firewall Using


IPTABLES I,L //
packet I, Firewall ,
,/ Configuration /LX
IPTABLES IX NIC /,
Internal network ,
4. Two Layer with two internal network

2.15 Two layer with two internal network


I,L/I Firewall 2 .
/ Firewall NIC / Internal netwok E.
5. Two Layer with merge Bastion Host & Exterior

2.16 Two layer with merge bastion host & exterior


.L /I
. . Bastion host Firewall . E
=SG.
I 5 / E , Configuration firewall . = ,
Gateway / / E Router Manage Switch ./ Option


Firewall E,X.G// .
., firewall 6
6. Packet filtering and stateful firewall (Gateway Server)

2.17 Linux gateway and firewall (Gateway Server)

,E Internet ISP
/ , E , I Server , E
gateway / Private IP address /, ,
Firewall S/ /,I/ IP Address
.= Router /,.=/


Network Model W
/IEI//I/
GX . GE/
/=,I/

2.18 Home Network

2.19 Share Broadband Internet


2.20 Share Broadband / Proxy/Firewall


2.21 Share Broadband Internet serial port


2.22 single layer / Gateway/Firewall

IE single layer /I firewall / server G


I gateway server //, firewall GE//L/
, configuration / server /.SI..
,/.. ./S


2.23 , Packet filtering Router


IE, Packet Filtering Router G///
=L,G, Packet filtering router


I L E / . = I G / /
Configure / Router
II
,. . (Intrusion Detection System : IDS) / L
G//,/ network
packet / / I ,
/ IDS snort GI/I ,/
/I

2.24 // Firewall Switch


2.25 I IDS span port switch

2.26 I IDS packet


,I log server L log file . /


,= L,GG log file I
log server / DMZ , Configuration Firewall . /
UDP packet / port 514 port ,..
log /, log server L
,//I server /
log file LL,

2.27 Centralize Log server DMZ


I/=/ ,G
/.=/ G Operating
System G Software ./
Configuration E/
/ G / Version G
. I Software Open Source I //
,/, Software
II //G/ Software
,


!1 3 Kernel Harden

Kernel
!#$'' Kernel
$''
-!'#!!

!%'
1. ## vsftpd : Open source
2. A- ftp, telnet
3. E#E '#:!E : (Bold)
4. !!E# # -!! '
!E!#'-E-

(*%
# # E ' M Server '
(Administrator) - $# S ' E
E' Router A' E'#E-:E
###S'#- '''!#- VM
'-' E!'#':


!###S '# '-$ !


!E Server 'S -!#
AE' #A format !E OS 'M#

(1!1 BIOS
!# 'M E'# BIOS ' Boot Floppy
Disk, USB, CD ROM Remove media ' ' password
BIOS $''#E --#E'a'
E' BIOS # '#''E''
S Boot Sc' #'#' Security E
Password #'E-S##!! Password #E:
'E $#ESS!##a Battery Backup
Reset CMOS Switch #- BIOS Reset :'!'#

Network Server C
'! #A ' !- :
# #S-!E!!' '
'# NIC - #' Server S
Access #S-! '
' '# ': !#E# '
#() E'h# -!S'E
##' ' LAN MS!
'


# ifdown eth0 Enter -'M


# ifup eth0 Enter
# /etc/rc.d/init.d/network stop -'M
# /etc/rc.d/init.d/network start
#M'#E'-S# ##'
'c#Sa (Back Door) #E'
!!E #E'Sa#E #' M
' !
LMLM Service !1 O
!EM## Service #' '
!E- #a Port #''#
$ -'#' ' service ' #E
'C ! Service % !1 'C ( mode 3)
# chkconfig --list | awk '/3:on/ { print $1 }'
gpm
kudzu
netfs
atd
apmd
pcmcia
nfslock
isdn
autofs <- % C% usb %M


portmap
rhnsd
service '#E
# /etc/init.d/<service name> stop
# chkconfig <service name> off
' service #-#'
crond, anacron, haldaemon, mcstrans, messagebus, network, restorecond, smartd, syslogd
S service #- Mode 3 'E#

C (Password) C
## Download # Hacker #
Server #'# Crack Password - Crack
password cE ' password #''#S
!A #--# 'E' #
##E'M' password ''
- S # password '' ' 'E
c!'-E

C !1!
1. #' (Password Length) '' 6 #
# 8 # c!''
A oS PAM -''' 8


2. '-#'':-##! ' S
# # c S!!
3. #-S'##''-
#E
4. # Lock ' #$!-E
#E

(! C (Password Length)

Version ' # ' ' M ' c# M


password #ME User name password 'M#c
password # shadow AE #-'
-'# login c login.defs Ac
#E #-''#- (Default password length)
#''' 5 PASS_MIN_LEN 5 A'#S
password ' #'##E#'#E
File                  Parameter      Value  Description
/etc/login.defs       PASS_MAX_DAYS  60     Maximum number of days a password is valid.
/etc/login.defs       PASS_MIN_DAYS  7      Minimum number of days before a user can change the password since the last change.
/etc/login.defs       PASS_MIN_LEN   n/a    This parameter does not work. It is superseded by the PAM module "pam_cracklib".
/etc/login.defs       PASS_WARN_AGE  7      Number of days when the password change reminder starts.
/etc/default/useradd  INACTIVE       14     Number of days after password expiration that account is disabled.
/etc/default/useradd  EXPIRE                Account expiration date in the format YYYY-MM-DD.

oSc shadow -
' PAM (Pluggable Authentication Module) E##'
''#-#c /etc/pam.d/system_auth A'#
: module #' pam_cracklib -!'##E

pam_cracklib.so minlen=8     Minimum length of password is 8
pam_cracklib.so lcredit=-1   Minimum number of lower case letters is 1
pam_cracklib.so ucredit=-1   Minimum number of upper case letters is 1
pam_cracklib.so dcredit=-1   Minimum number of digits is 1
pam_cracklib.so ocredit=-1   Minimum number of other characters is 1

'' -!!c system_auth -


:#'#E
# vi /etc/pam.d/system-auth


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
' ' # password ' - passwd
#'#! ''# login root #E
# password E- ' ! # ' # E # '
PASS_MIN_DAYS = 7 c /etc/login.defs :---S#-
# password = 7 - password ! 26 EM- '
remember=26 -# password '#'
password !- 3 ! difok=3 !E'#Ec!#E
# vi /etc/pam.d/system-auth
.
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow remember=26
E'#c /etc/security/opasswd '':c# M'
password ''#AE'- touch - permission = 600
# ls -l /etc/security/opasswd
-rw------- 1 root root 0 Dec 8 06:54 /etc/security/opasswd
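The settings above are spread over /etc/login.defs and the PAM password stack, so they drift easily. The following shell script is an added example, not the book's own code: it reads both files (the paths are arguments, and the samples it runs on are constructed inline, so nothing on the live system is touched) and reports every value weaker than the policy this chapter describes: PASS_MAX_DAYS 60, PASS_MIN_DAYS 7, PASS_WARN_AGE 7, minlen 8, one character of each class, and 26 remembered passwords. The helper names (logindefs_get, pam_opt, need, audit_password_policy) are the example's own.

```shell
#!/bin/sh
# Added example: audit the password policy in a login.defs file and a PAM
# system-auth file against the values recommended in this chapter.
# Function names are this example's own, not from the book or any tool.

# Value of an uncommented login.defs key ("KEY value"), empty if absent.
logindefs_get() {   # $1=login.defs path  $2=key
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Value of "option=value" on the password line that loads the given module.
pam_opt() {         # $1=system-auth path  $2=module (e.g. pam_cracklib.so)  $3=option
    grep -E "^password[[:space:]].*$2" "$1" | tr -s ' \t' '\n' \
        | awk -F= -v o="$3" '$1 == o { print $2; exit }'
}

# Compare one value with a bound; prints ok/FAIL and counts failures in $fails.
need() {            # $1=name  $2=value  $3=test operator (-le/-ge)  $4=bound
    if [ -n "$2" ] && [ "$2" "$3" "$4" ]; then
        echo "ok   $1=$2"
    else
        echo "FAIL $1=${2:-unset} (want $3 $4)"
        fails=$((fails + 1))
    fi
}

# Run every check; the return value is the number of deviations (0 = compliant).
audit_password_policy() {   # $1=login.defs path  $2=system-auth path
    fails=0
    need PASS_MAX_DAYS "$(logindefs_get "$1" PASS_MAX_DAYS)" -le 60
    need PASS_MIN_DAYS "$(logindefs_get "$1" PASS_MIN_DAYS)" -ge 7
    need PASS_WARN_AGE "$(logindefs_get "$1" PASS_WARN_AGE)" -ge 7
    need minlen "$(pam_opt "$2" pam_cracklib.so minlen)" -ge 8
    for o in lcredit ucredit dcredit ocredit; do
        need "$o" "$(pam_opt "$2" pam_cracklib.so "$o")" -le -1
    done
    need remember "$(pam_opt "$2" pam_unix.so remember)" -ge 26
    return "$fails"
}

# --- constructed sample files (not copied from any real system) ---
SAMPLE_DIR=$(mktemp -d)
GOOD_DEFS="$SAMPLE_DIR/login.defs.hardened"
WEAK_DEFS="$SAMPLE_DIR/login.defs.default"
GOOD_AUTH="$SAMPLE_DIR/system-auth.hardened"
WEAK_AUTH="$SAMPLE_DIR/system-auth.default"

printf '%s\n' 'PASS_MAX_DAYS 60' 'PASS_MIN_DAYS 7' 'PASS_MIN_LEN 5' 'PASS_WARN_AGE 7' > "$GOOD_DEFS"
printf '%s\n' '# PASS_MAX_DAYS 60' 'PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 0' \
    'PASS_MIN_LEN 5' 'PASS_WARN_AGE 7' > "$WEAK_DEFS"
printf '%s\n' '#%PAM-1.0' \
    'auth        required      pam_env.so' \
    'password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3' \
    'password    sufficient    pam_unix.so nullok use_authtok md5 shadow remember=26' > "$GOOD_AUTH"
printf '%s\n' '#%PAM-1.0' \
    'auth        required      pam_env.so' \
    'password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=6' \
    'password    sufficient    pam_unix.so nullok use_authtok md5 shadow' > "$WEAK_AUTH"

echo "== hardened sample =="; audit_password_policy "$GOOD_DEFS" "$GOOD_AUTH"
echo "== distribution-default sample =="
audit_password_policy "$WEAK_DEFS" "$WEAK_AUTH" || echo "$? deviation(s) found"
```

On a real server call `audit_password_policy /etc/login.defs /etc/pam.d/system-auth`; a non-zero exit status makes it usable from a nightly cron job. The check deliberately reads the PAM line for the credit options, because PASS_MIN_LEN in login.defs is ignored once pam_cracklib is in the stack, as the table above notes.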

!1 root account
Root : account ## !! S OS UNIX EA' #
S S log in root !E S#'c#
- !!S'#- '':aa!
c# !-S'
S''''' log in !EM
':!#' --'E##

% root login
-' login timeout root ##
- login root E#'#- login !E
:' logout c profile
#E
# vi /etc/profile
.


HISTSIZE=1000
TMOUT=3600
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE TMOUT INPUTRC
** %!*!sCL1% logout % login % root % C **
' 3600 !# ' login root account !E'#-
1 ( 60 x 60 = 3600 !#) '#- linux logout
# M'#EM# #'M
logout - login root '' profile '-#

t Boot loader (GRUB)


oS Boot loader Linux ! GRUB (GRand Unified Bootloader)
LILO (Linux Loader) A##:#
' boot $!c' e boot $ b
:'#E'-:' boot single mode
M-'###-' kernel $ e !c-'
single '
kernel /vmlinuz-2.6.22.14-72.fc6 ro root=LABEL=/ single
M enter $ b - boot #' #EM-
single user root password (# root password) M:'
#'# A-$'
GRUB #' #'
(password) #' #E'#E


# grub-md5-crypt
Password: <password>
$1$0WXVJ$siSTEUxO.X7qx56RIwggD1
- grub-md5-crypt M#'#
!c : MD5 #''''#!-' -
EM''''#c grub.conf #E
# vi /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/hda9
#          initrd /initrd-version.img
#boot=/dev/hda
password --md5 $1$0WXVJ$siSTEUxO.X7qx56RIwggD1
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Linux Server (2.6.22.14-72.fc6)
        root (hd0,0)
        kernel /vmlinuz-2.6.22.14-72.fc6 ro root=LABEL=/
        initrd /initrd-2.6.22.14-72.fc6.img
title Linux Server 3.0 (2.6.22.4-45.fc6)
        root (hd0,0)
        kernel /vmlinuz-2.6.22.4-45.fc6 ro root=LABEL=/
        initrd /initrd-2.6.22.4-45.fc6.img
M reboot boot '#
'' '' ##'#
#S$ p ''E'# e
! $ p #' #
grub-md5-crypt ' - $ ' GRUB M
#

( t Ctrl+Alt+Del L1 reboot
E!c'!##E-- M#'
'# Reboot cold start -# '-
# Server ! ' Server '#SV
Reset #'SV Power 'E# PC - Server #SV#
S- Internet Server a! 24 '' #
M#' UPS Server 'E '#EASM' #
## server :'!c M!c#
M !c'c#M'E
!c:-E a c '#!AEM''


Hang S V Reset ' M ! E ! Ctrl+Alt+Del


Reboot M#S !#E':'
Server SS! Reboot ' # - !
Key #Ec inittab #E
# vi /etc/inittab
## ''
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
! #
# ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Ac
# /sbin/init q

terminal !1% Server


!E Linux Server M virtual console (ttys)
keyboard E 6 ttys A:- # ! ' #
- :# 2 ttys 'E tty1 #oM login ' tty2
o '#E#'E #S
-# tty #'E '- ttys # c /etc/inittab
#E
# vi /etc/inittab
.. ' ttys a #
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
# 3:2345:respawn:/sbin/mingetty tty3
# 4:2345:respawn:/sbin/mingetty tty4
# 5:2345:respawn:/sbin/mingetty tty5
# 6:2345:respawn:/sbin/mingetty tty6
Ac
# /sbin/init q

! # - ' S login virtual console (vc or


ttys)#S#c A A # # - login M c
/etc/securetty #E
# vi /etc/securetty
# console
vc/1
# vc/2
# vc/3
# vc/4
# vc/5
# vc/6
# vc/7
# vc/8
# vc/9
# vc/10
# vc/11
tty1
# tty2
# tty3
# tty4
# tty5
# tty6

t user !% C C Console
#-' Console M:'# Hacker
user -' #-' poweroff, reboot halt
-!# Server -!'''#'
login reboot poweroff a'
S Linux OS '$S#E''-!$E
'c# script !' console ## Authenticate
' PAM E -#E
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/reboot
rm -f /etc/security/console.apps/shutdown

( % C Console * pam.d


!E Linux - Internet Server # linux !E Linux-PAM


library authenticate user, password user A Server
! Ac ' console A'!
' : ' A ! A ' E ! # -
# # # -' pam_console.so /etc/pam.d/ ##E
# shell script ! # Sc /etc/pam.d/ #E
script # /root #E
# vi disable
#!/bin/sh
# comment out every active (not already commented) line in /etc/pam.d/* that loads pam_console.so
cd /etc/pam.d || exit 1
for i in * ; do
    sed '/^[^#].*pam_console\.so/s/^/#/' < "$i" > foo && mv foo "$i"
done
A-
# chmod 700 disable
script -
./disable
' script --M' -
# grep pam_console.so /etc/pam.d/*

% TCP Wrappers


Linux OS S'!E tcp wrappers :


E #c#--'# Host '' 2
c hosts.deny hosts.allow #-#E
- S daemon, client #'#- hosts.allow Server
- 'S daemon, client #'#- hosts.deny Server
- #ESE
!#-'-#E
# vi /etc/hosts.deny
ALL: ALL
'SA Server E-'c
hosts.allow ''#E
# vi /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sendmail: 127.0.0.1
vsftpd: 203. 202. 205. 61. 192.168. 125.
sshd: 203. 192.168. : spawn (echo -e "Login from %c to %s" | /bin/mail -s "Login Info for %s" root) &
' ' sshd : S client ## ip address
203.xxx.xxx.xxx 192.168.xxx.xxx ! sshd mail root


' %c (client) A %s (server) ! mail


root #'EM# log file ' mail # root (%p = process id)
# tee -a both appends the message to the log and passes it on to mail;
# with a plain ">>" redirect in front of the pipe the mail body would be empty
sshd: 192.168.1. : spawn (echo -e "Illegal connection attempt from %c to %s %d %p at `date`" | tee -a /var/log/unauthorized.log | /bin/mail -s "SSH Info from %c to %s %d %p `date`" root) &

L1 C host
!E Internet Server M !##' ip
address . host -# c /etc/host.conf '
host '# ip address '' M dns '
dns 'M#' hosts bind A-'#-
ip address ! '
# vi /etc/host.conf
# order: consult /etc/hosts first, then DNS (bind)
order hosts,bind
# multi: return every address listed for a host in /etc/hosts
multi on
# nospoof: reject a host name whose reverse lookup does not map back to the same ip address
nospoof on

t %C
' ! (Service Name) port protocol
RFC 1700 Assigned Number !' Server
client #!' ! port protocol #


M'c /etc/services S$'SS#'c#E


SS c
# chattr +i /etc/services

account !1C%%
!E Linux - Internet Server E :##
-!E''!E UNIX A:S'#-
!##'!-: ' ''M! -
:'a'c#S#' #'
' OS '- #E-- special user
account #!-:o# login
#!!' user ## SE user group #'-:
-
# userdel username
# groupdel groupname
#E'cS' #
M
# userdel adm
# userdel lp
# userdel shutdown
# userdel halt
# userdel news
# userdel operator


# userdel mailnull
# userdel games
# userdel gopher
# userdel ftp
# userdel vcsa
- userdel ' home directory home
directory parameter -r ' : userdel -r username E group
#E
# groupdel adm
# groupdel lp
# groupdel news
# groupdel games
# groupdel dip
# groupdel pppusers
# groupdel popusers
# groupdel slipusers
: Version '# User Group '
'M!E E user account #-# root
login root login -AE (!M user
!E ) -#E
# useradd admin
# passwd admin


t % su O root
linux ' S root - login tty A '
remote login SS login user -
#!! su : root !!# S$ su : root
'#! -#E
# vi /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

! group wheel su : root ' '


password (##E'--) #
auth sufficient pam_wheel.so trust use_uid
' admin user wheel group - su


# usermod -G10 admin


-#E user ' login - su : root
S admin - '' Hacker
- password ' S S S ' user
account c'#E
# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
!## -E user account !AE!E package
' squid !E user, group squid ES# attribute +i M
-!E package S'#''E add user C%
-:-!E packet '! User account !
$ -i '#E
# chattr -i /etc/passwd
# chattr -i /etc/shadow
# chattr -i /etc/group
# chattr -i /etc/gshadow
M!M +i !

% % 'C
OS linux # -
- memory - process id # SS


'#E$S###' Denial of Service Attacks (DoS) -'


E#E#S User account ## server # login -#E
# vi /etc/security/limits.conf
* hard core 0
* hard rss 5000
* hard nproc 35
-' hard core 0 A user core file
-' hard rss 5000 AS memory 5 MB
-' hard nproc 35 AS# process id '! 35
-' * AS user # login Server % root
-': * #o account service ' ' apache, mysql
squid ##E-a!'c service
'#- A' - * '# : group name (@users)
#E
@users hard core 0
@users hard rss 5000
@users hard nproc 35
' users L1 group #'' @student

Partition !1! !%'


!E Linux #' Partition ' ' Partition M#
-# '#' 2 Partition #S user
' # M Partition home tmp SS''a


##E 'c - '##SS 'c


- /tmp :-' # ' ' ls , netstat, route ,
login a- root 'MA
' login root #M login '- login
!E
' option ##- partition ##E
1. defaults S-S' ' quota, read-write suid
2. noquota ' users quota
3. nosuid ' SUID/SGID
4. nodev '#Sc! (special devices)
5. noexec ' binary file
6. quota S- users quota
7. ro S'#'#'E
8. rw S'#
9. suid S SUID/SGID
# vi /etc/fstab
'!:' '''#- disk quota M':
LABEL=/tmp /tmp ext3 defaults 1 2
LABEL=/home /home ext3 defaults 1 2
!-## defaults
LABEL=/tmp /tmp ext3 defaults,nosuid,noexec 1 2
LABEL=/home /home ext3 defaults,nosuid 1 2


c fstab #' Partition MS remount


partition E'-#E
#mount /tmp -oremount
#mount /home -oremount
remount -'-
#cat /proc/mounts
/dev/sda11 /tmp ext3 rw,nosuid,noexec 1 2
/dev/sda6 /home ext3 rw,nosuid 1 2

!#-'#!# ' fstab $ '


Partition Boot :'#-'SS server S
' partition #E #-SE# reboot -!'
server a( Backdoor) SS''
update kernel - mount : default ! !#$-' #E
#vi /etc/fstab
'!:' '''#- disk quota M':
LABEL=/boot /boot ext3 defaults 1 2
:
LABEL=/boot /boot ext3 defaults,ro 1 2
A' remount
#mount /boot -oremount
'
#cat /proc/mounts


/dev/sda1 /boot ext3 ro 0 0
E!''#!'
$ server '#''! '- Linux
#-' CD ROM Hacker #' M:
!#''!' partition ##'
'$#EM!ES'M'!
mount /usr : ro $'#-' compile server M'
:#- CD '!EM- mount :
default !'
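A remount only helps if the partition actually exists and the options survive the next boot, so it is worth checking the live mount table rather than trusting fstab. The script below is an added example, not the book's own code: it reads a file in /proc/mounts format (pass /proc/mounts on a real server; the samples here are constructed inline) and verifies the policy from this section, /tmp with nosuid and noexec, /home with nosuid, and /boot read-only. A directory that is not a separate mount point is reported too, since no option can be applied to it. The function names (mount_opts, check_mount_opts, audit_mounts) and the MOUNT_POLICY variable are the example's own.

```shell
#!/bin/sh
# Added example: check that mount points carry the hardening options this
# section recommends, reading /proc/mounts format from a file so it can also
# be run against a saved copy. Function names are this example's own.

# Print the comma-separated options of a mount point, empty if not mounted.
mount_opts() {      # $1=mounts file (/proc/mounts format)  $2=mount point
    awk -v mp="$2" '$2 == mp { o = $4 } END { print o }' "$1"
}

# Verify one mount point has every required option; returns 1 on any gap.
check_mount_opts() {   # $1=mounts file  $2=mount point  $3=required options, comma-separated
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "FAIL $2: not a separate mount (no option can be applied)"
        return 1
    fi
    missing=""
    for want in $(printf '%s' "$3" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "FAIL $2 ($opts): missing$missing"
        return 1
    fi
    echo "ok   $2 ($opts)"
}

# Policy from the chapter: /tmp nosuid+noexec, /home nosuid, /boot ro.
MOUNT_POLICY='/tmp:nosuid,noexec /home:nosuid /boot:ro'

# Apply the policy; returns the number of mount points that fail.
audit_mounts() {    # $1=mounts file
    fails=0
    for rule in $MOUNT_POLICY; do
        check_mount_opts "$1" "${rule%%:*}" "${rule#*:}" || fails=$((fails + 1))
    done
    return "$fails"
}

# --- constructed samples in /proc/mounts format (not from a real host) ---
SAMPLE_DIR=$(mktemp -d)
MOUNTS_HARDENED="$SAMPLE_DIR/mounts.hardened"
MOUNTS_DEFAULT="$SAMPLE_DIR/mounts.default"
printf '%s\n' \
    '/dev/sda2 / ext3 rw 0 0' \
    '/dev/sda1 /boot ext3 ro 0 0' \
    '/dev/sda11 /tmp ext3 rw,nosuid,noexec 0 0' \
    '/dev/sda6 /home ext3 rw,nosuid 0 0' > "$MOUNTS_HARDENED"
printf '%s\n' \
    '/dev/sda2 / ext3 rw 0 0' \
    '/dev/sda1 /boot ext3 rw 0 0' \
    '/dev/sda6 /home ext3 rw 0 0' > "$MOUNTS_DEFAULT"   # /tmp lives on / here

echo "== hardened =="; audit_mounts "$MOUNTS_HARDENED"
echo "== default =="; audit_mounts "$MOUNTS_DEFAULT" || echo "$? mount point(s) need attention"
```

If the same mount point appears more than once in /proc/mounts (a later mount on top of an earlier one), the last line wins, which is what the kernel enforces; that is why mount_opts keeps the last match rather than the first.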

% RPM %!1
RedHat Linux ' # - ' '
#-# Install, Erase Update package ' #M E
SSM#-#E-!E' #' Server A
'!##$# !E A
compress file ' S '
# chmod 700 /bin/rpm
# mount /dev/fd0
# mv /bin/rpm /mnt/floppy
# umount /dev/fd0
!#M:# mode rpm root 'S
user # # '# /mnt/floppy SS'
#! c# ' Hacker #'c# Server :


c##S .tar .gz '#:c rpm E--


#E tar, gzip, gunzip ':#$
rpm '''# #ES rpm, tar S'#
/bin ' !' M M
M ' # #E'c
c! /bin -#a''
Server # ' ! E ## compile
server -:M!

%C Shell Logging
-# linux ' #!##-!##
' $AE (Up arrow key) !'
- # S' ' linux --! A 1000 -# '! #
# :'' S user - ##'
' password #!AE M-M #:
ac#M'#EM password S'' !#S
M '# c .bash_history A home directory S user E S
-'-'#-:M!'#- -' -#E
# vi /etc/profile
-' HISTSIZE #'
HISTSIZE=10
HISTFILESIZE=0

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTFILESIZE TMOUT INPUTRC
c#E#M'- logout login root '

s log file L1(


c syslog.conf #E
# vi /etc/syslog.conf
!c#E'c
authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0
A #/etc/rc.d/init.d/syslog restart

permission % script file


c##-'S start , stop, restart daemon '
##-#'# /etc/rc.d/init.d : script #-
root #'E '' user !#
# chmod -R 700 /etc/rc.d/init.d/*

M %' OS
boot # login #-!S! OS
' : Fedora Release 8.x ' version - :'
'c#-SS Server :'# S-a
''#E
# rm -f /etc/issue


# rm -f /etc/issue.net
logout - login ' ' #'
login '## version ' M#

*C % root O% 1C *
!E Linux ' permission ##' -
'!# Linux #'-M '!
E' ' !S! A#-' permission
-' S user #' A:
' Back door ' c # S S server '
permission 'E permission # bit : +s E user group #' SUID
SGID #' root-owned program AE' permission # root
# # # bits # ' : +s - : : 04000 02000
(SUID/SGID : -rwsr-xr-x, -r-xr-sr-x) S ! - chmod a-s
<program name> ' #-'# root ES
-'' -'#E
- S''#E
- S' user #'' root #
- S#E'' su : root #

!#!-#E
*!1 1 file ## flag +s - find ' -##
Ac##- aa flag +s - su


' '-:M! :##'' S'

# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;


-rwxr-sr-x 1 root root 5872 Nov 29 2006 /sbin/netreport
-rwsr-xr-x 1 root root 12280 May 30 2007 /sbin/pam_timestamp_check
-rwsr-xr-x 1 root root 18668 May 30 2007 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 38616 Aug 2 18:57 /bin/umount
-rwsr-sr-x 1 root root 24060 Apr 17 2007 /bin/su
-rwsr-xr-x 1 root root 41652 Apr 12 2007 /bin/ping
-rwsr-xr-x 1 root root 57652 Aug 2 18:57 /bin/mount
-rwsr-xr-x 1 root root 36680 Apr 12 2007 /bin/ping6
--wsr-x--- 1 root root 0 Nov 5 14:14 /media/.hal-mtab-lock
-rwsr-xr-x 1 root root 172200 Mar 31 2007 /usr/libexec/openssh/ssh-keysign
-rwx--s--x 1 root utmp 6944 Jul 28 2006 /usr/libexec/utempter/utempter
---s--x--x 2 root root 159096 Oct 2 2006 /usr/bin/sudo
-rwsr-xr-x 1 root root 24556 May 23 2007 /usr/bin/newgrp
-rwsr-xr-x 1 root root 9100 Dec 13 2006 /usr/bin/rsh
-rwsr-sr-x 1 root root 315384 Aug 6 14:16 /usr/bin/crontab
-rwx--s--x 1 root slocate 23856 Nov 26 2006 /usr/bin/locate
-rwsr-xr-x 1 root root 46748 May 23 2007 /usr/bin/chage
-rwsr-xr-x 1 root root 14388 Dec 13 2006 /usr/bin/rlogin
-rws--x--x 1 root root 19128 Aug 2 18:57 /usr/bin/chsh
-rwsr-xr-x 1 root root 22932 Jul 17 2006 /usr/bin/passwd

-rwxr-sr-x 1 root nobody 79388 Mar 31 2007 /usr/bin/ssh-agent
---s--x--x 2 root root 159096 Oct 2 2006 /usr/bin/sudoedit
-rwxr-sr-x 1 root mail 16020 Jul 13 2006 /usr/bin/lockfile
-r-xr-sr-x 1 root tty 10420 Sep 4 20:19 /usr/bin/wall
-rwsr-xr-x 1 root root 44040 Aug 23 2006 /usr/bin/at
-rws--x--x 1 root root 17900 Aug 2 18:57 /usr/bin/chfn
-rwsr-xr-x 1 root root 18736 Dec 13 2006 /usr/bin/rcp
-rwsr-xr-x 1 root root 47352 May 23 2007 /usr/bin/gpasswd
-rwxr-sr-x 1 root tty 10984 Aug 2 18:57 /usr/bin/write
-rwsr-xr-x 1 root root 7048 Nov 29 2006 /usr/sbin/usernetctl
-rwxr-sr-x 1 root lock 16572 Jul 20 2006 /usr/sbin/lockdev
-rwsr-xr-x 1 root root 312956 Jul 25 2006 /usr/sbin/pppd
-r-s--x--- 1 root apache 11740 Jul 14 22:28 /usr/sbin/suexec
-rwxr-sr-x 1 root smmsp 827324 Sep 17 22:59 /usr/sbin/sendmail.sendmail
-rws--x--x 1 root root 34796 Oct 3 2006 /usr/sbin/userhelper
-rwsr-xr-x 1 root root 6416 Aug 22 2006 /usr/sbin/ccreds_validate
-rwsr-xr-x 1 root root 144548 Sep 5 01:20 /usr/kerberos/bin/ksu
-rwsr-x--- 1 root squid 15452 Jul 14 22:31 /usr/lib/squid/pam_auth
-rwsr-x--- 1 root squid 17360 Jul 14 22:31 /usr/lib/squid/ncsa_auth

*!1 2 ! chmod
# chmod a-s /usr/bin/chage
# chmod a-s /usr/bin/gpasswd


# chmod a-s /usr/bin/wall


# chmod a-s /usr/bin/chfn
# chmod a-s /usr/bin/chsh
# chmod a-s /usr/bin/newgrp
# chmod a-s /usr/bin/write
# chmod a-s /usr/sbin/usernetctl
# chmod a-s /bin/ping6
# chmod a-s /bin/mount
# chmod a-s /bin/umount
# chmod a-s /bin/ping
# chmod a-s /sbin/netreport
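The find command above produces a long list, and reading it by eye each time misses the one file that matters: a program that did not have the s bit last week. The script below is an added example, not the book's own code: it records a baseline of setuid/setgid files and later reports every entry that is NEW (or GONE, which also deserves a look after a package update). It scans a constructed lab directory instead of /, uses GNU find's -printf (assumed available), and the function names (suid_list, suid_baseline, suid_check) are the example's own.

```shell
#!/bin/sh
# Added example: keep a baseline of setuid/setgid files and report any file
# that gained (or lost) the s bit since, which is how a planted root-owned
# program shows up. Function names are this example's own; the scan relies
# on GNU find's -printf (assumed available).

# Sorted "mode owner group path" lines for every setuid/setgid regular file under $1.
suid_list() {       # $1=directory to scan (use / on a real server)
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -printf '%m %u %g %p\n' | sort
}

# Save the current list as the trusted baseline.
suid_baseline() {   # $1=directory  $2=baseline file to write
    suid_list "$1" > "$2"
}

# Compare the live list with the baseline: prints NEW / GONE lines and
# returns the number of NEW entries, so a cron job can alert on non-zero.
suid_check() {      # $1=baseline file  $2=directory
    cur=$(mktemp)
    suid_list "$2" > "$cur"
    comm -13 "$1" "$cur" | sed 's/^/NEW  /'
    comm -23 "$1" "$cur" | sed 's/^/GONE /'
    n=$(comm -13 "$1" "$cur" | wc -l | tr -d ' ')
    rm -f "$cur"
    return "$n"
}

# --- constructed lab tree instead of the real filesystem ---
LAB=$(mktemp -d)
LAB_BASELINE="$LAB.baseline"
mkdir -p "$LAB/bin" "$LAB/usr/bin"
: > "$LAB/bin/ping";     chmod 4755 "$LAB/bin/ping"       # expected setuid binary
: > "$LAB/usr/bin/wall"; chmod 2755 "$LAB/usr/bin/wall"   # expected setgid binary
: > "$LAB/bin/ls";       chmod 0755 "$LAB/bin/ls"         # ordinary binary
suid_baseline "$LAB" "$LAB_BASELINE"

# Later: a file nobody installed has appeared with the setuid bit set.
: > "$LAB/usr/bin/unknown_tool"; chmod 4755 "$LAB/usr/bin/unknown_tool"
suid_check "$LAB_BASELINE" "$LAB" || echo "$? new setuid/setgid file(s); review and chmod a-s what is not needed"
```

Keep the baseline file on read-only media or on the central log server, since an intruder who can add a setuid file can also edit a baseline stored next to it.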

CC kernel parameter %
!E Linux Server S'S version #
'' parameter ' kernel !AE
'''# network '### OS
--!'- 2 '' echo c
' #' /proc/sys - network -#S
-SE# reboot # linux --' #c /etc/rc.local !##
##-''' kernel # reboot '#SE
S-##S! ''
parameter ' #c /etc/sysctl.conf ##E!'': '
SS Server ( !# ''

Parameter kernel # boot # - kernel ' A '


- Restart network ! ' # ' ' ' ' 1 ' ping
'# 1 !'' 0 ''' # )

1. (!t 1 ping
:! # $ ' package ' ' Server ## ' Ping of
Death A#:# Server '# Script
firewall a ping !##E'' -#E
# vi /etc/sysctl.conf
!'c
net.ipv4.icmp_echo_ignore_all = 1
A''
# /etc/rc.d/init.d/network restart
#' restart network #E
# sysctl -w net.ipv4.icmp_echo_ignore_all=1

2. % Broadcasts
Network c# #'c#'
Broadcasts (# ip S ' 192.168.1.255) package S ip
address Network -S! S$'#E
# vi /etc/sysctl.conf
!'c
net.ipv4.icmp_echo_ignore_broadcasts = 1

A''
#/etc/rc.d/init.d/network restart
#' restart network #E
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

3. t Source route
Routing Routing Protocol o Server :' IP
Source Routing -:#S##' packet S
A:'#'c#''#
source route packet M'A$#-
SS# A:'!##!' ip routing EA
#a#E '#E
# vi /etc/sysctl.conf
!'c
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
A''
#/etc/rc.d/init.d/network restart
#' restart network #E
# sysctl -w net.ipv4.conf.all.accept_source_route=0
# sysctl -w net.ipv4.conf.default.accept_source_route=0

4. t TCP SYN Cookie Attack


! DoS (Denial of Service) ' '#' package !-
Server - - server S!'' M
Hacker # TCP SYN Cookie Attack M : A DoS
:!#' Package # Traffic
''!' 'M Reboot A#a
#'## -#E
# vi /etc/sysctl.conf
!'c
net.ipv4.tcp_syncookies = 1
A''
#/etc/rc.d/init.d/network restart
#' restart network #E
# sysctl -w net.ipv4.tcp_syncookies=1

5. t Redirect Package
##' packet !!AE
icmp redirect packet !# (Redirect) router '#'#
SS' package #EM# -#
routing table # host ' -'$
EA$' Server ' Redirect # ping -#E
# vi /etc/sysctl.conf
!'c

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
A''
# /etc/rc.d/init.d/network restart
#' restart network #E
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0

6. Enable bad error message Protection


Linux #''' # Sc# #o
linux ' -S- E
S#SE##S! Network '# OS
-#E
# vi /etc/sysctl.conf
!'c
net.ipv4.icmp_ignore_bogus_error_responses = 1
A''
# /etc/rc.d/init.d/network restart
#' restart network #E
# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

7. Enable IP spoofing protection


ES IP Address SS
Server Log file '#aSS A :
'#-!oS#S- (DoS) S
$#E
# vi /etc/sysctl.conf
!'c
net.ipv4.conf.all.rp_filter = 1
A''
#/etc/rc.d/init.d/network restart
#' restart network #E
# sysctl -w net.ipv4.conf.all.rp_filter=1

8. Enable Log Spoofed, Source Routed and Redirect Packets


Server -!M' '#o
- Ao#!AE ESA!' log
file ' # # IP Server - ! ! # icmp
redirect packet 5 -#E
# vi /etc/sysctl.conf
!'c
net.ipv4.conf.all.log_martians = 1
A''
# /etc/rc.d/init.d/network restart

#' restart network #E


# sysctl -w net.ipv4.conf.all.log_martians=1
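Items 1 to 8 above each put one line into /etc/sysctl.conf and apply it with `sysctl -w`. The following shell functions are an added example, not code from the book: they audit those settings either in a sysctl.conf-style file or against the running kernel through /proc/sys, printing one line per missing or wrong key. The list of keys is the book's; the file path in the wrapper comment is an assumption.

```sh
#!/bin/sh
# Added example (not from the book): audit the kernel network parameters from
# items 1-8 above, either in a sysctl.conf-style file or against the running
# kernel via /proc/sys. Prints one line per deviation; exit 1 if any.

# Desired settings, one key=value per line (the values from items 1-8).
# net.ipv4.icmp_echo_ignore_all is deliberately left out: dropping every echo
# request also blinds your own monitoring, so decide that one per host.
HARDENING_KEYS='
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
'

# conf_value FILE KEY -> value of KEY in FILE (last occurrence wins; comments and
# whitespace around "=" ignored). Prints nothing when the key is not set.
conf_value() {
    awk -F= -v key="$2" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }     # editing $0 re-splits the fields on "="
        $1 == key && NF >= 2 { val = $2 }
        END { if (val != "") print val }' "$1"
}

# live_value KEY -> current value from /proc/sys (Linux only; empty if unknown)
live_value() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null || true
}

# audit_sysctl GETTER [GETTER-ARGS...]: runs "GETTER ARGS KEY" for every key in
# HARDENING_KEYS and reports MISSING / WRONG lines; returns 1 if any were printed.
audit_sysctl() {
    report=$(printf '%s\n' "$HARDENING_KEYS" | while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$("$@" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key=$want"
        elif [ "$have" != "$want" ]; then
            echo "WRONG $key=$have (expected $want)"
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Convenience wrappers; the file path is an assumption for this example.
audit_sysctl_conf() { audit_sysctl conf_value "$1"; }   # audit_sysctl_conf /etc/sysctl.conf
audit_sysctl_live() { audit_sysctl live_value; }         # audit_sysctl_live  (after reboot or sysctl -p)
```

Run the file audit after editing sysctl.conf and the live audit after `sysctl -p` or a reboot; a key that passes the first and fails the second is one that another script or a later `sysctl -w` changed back.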
9. % !1C!%
M# '#c directory #'#' Server
M'#-c#'#' server #SS'
Server -!!'#'! -#'
' Sc#'#!E:-'M
- chown ': user E#!E
Server -#E
# find / -nouser -o -nogroup
E-#E#c' /dev ''

10. % .rhosts
Server ''#c .rhosts ':c# ! Remote
server '#!E-SS:''#
:#-#!E -#E
# find /home -name .rhosts
S crontab Ec#E #' '
# script ' mail S#c#EAE Server ''#E
# vi /etc/cron.daily/rhosts.cron
!c script '#E root S#c .rhosts
#!/bin/sh
/usr/bin/find /home -name .rhosts | (cat <<EOF
This is an automated report of possible existent `.rhosts' files on
the server deep.openna.com, generated by the find utility command.
New detected `.rhosts' files under the `/home/' directory include:
EOF
cat
) | /bin/mail -s "Content of .rhosts file audit report" root
M# mode : 550
# chmod 550 /etc/cron.daily/rhosts.cron

'#-'' kernel M'-!


' 100% kernel ' version # bug ' !AE
#-'EA#SS#A kernel M#
-o'E patch ' E# Linux
'o'M patch kernel ''
!'M! 'o' o'
'#''o kernel #' #-'
- ##' Server #-!!'#o# S
''#'M-#!'E - Linux
Version ' o! ! A-#M
A E ' ! ' Version ' M - Update kernel M
#

4 Web Server Security

Web Server
$
,0$

!%'
1. httpd : Open source
2. BB $:B : (Bold)
3. B ,$
B$,B,

(*%
B Web Server , $ B Linux , Internet
Server B $B,B Apache Web Server BR R
Web Server R,$ add
user webmaster , ( Change Owner ) /home/httpd
: webmaster webmaster Upload Webpage ftp $
$,$$$
Port 80 0$, ` $

Server ,$ $ 2
`$$` Firewall ,B

20 (! % Web Server !
1. (Update) httpd : Version $$
:c$ `B Version $
2. $ Version 0
httpd.conf B
# vi /etc/httpd/conf/httpd.conf

ServerSignature On
:
ServerSignature Off

ServerTokens OS
:
ServerTokens Prod
:wq
BR$ Error 4xx
$ Web Browser : Server B

Bad Request
Your browser sent a request that this server could not understand.

Apache/2.2.0 (Fedora) Server at 192.168.1.11 Port 80

$$$$
OS Apache Version , Web Server
3. $ $ httpd , , User Group
apache $, User nobody $$ mail
server $R 0 httpd.conf
User apache
Group apache
4.$0$ Web root R
0 httpd.conf B
# vi /etc/httpd/conf/httpd.conf

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
:wq
$:B Options Override B
Directory ,$ Option R Options $B
5. s Directory $ ,$ tag Options
$ tag B$$: None 4 ,B
Options -Indexes
6. $ SSI (Server Side Include) R
, $ tag Options $ tag B$$: None 4
,B
Options -Includes
7. $ cgi ,, CGI ,$
tag Options $ tag B$$: None 4 ,B
Options -ExecCGI
8. $ apache , link $
,$ tag Options $ tag B$$: None 4
,B
Options -FollowSymLinks

9. , $ tag Options $ $ B $
None $,$$ 5,6,7 8 ,
$$ $$ 1 B
Options -ExecCGI -FollowSymLinks -Indexes
10. $$0 .htaccess .htpasswd $
0`B .ht B
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
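Items 2 and 4 to 10 above are all edits to httpd.conf, and they are easy to lose in a later edit or package upgrade. The following shell function is an added example, not code from the book: it reads one httpd.conf and reports a ServerSignature other than Off, a ServerTokens other than Prod, and any Options line that enables Indexes, Includes, ExecCGI, FollowSymLinks or All (bare or with a leading "+"). Only the file named on the command line is inspected; files pulled in by Include are not followed, which is an assumption made to keep the example short.

```sh
#!/bin/sh
# Added example (not from the book): audit one httpd.conf for the settings in
# items 2 and 4-10 above. Only the file given is inspected; Include'd files
# are not followed. Prints one line per finding and exits 1 if any was found.
audit_httpd_conf() {
    awk '
        { sub(/#.*/, "") }                            # strip comments
        tolower($1) == "serversignature" { sig = tolower($2) }
        tolower($1) == "servertokens"    { tok = tolower($2) }
        tolower($1) == "options" {
            # Indexes, Includes, ExecCGI, FollowSymLinks and All enable risky
            # behaviour whether written bare or with a leading "+"; a leading
            # "-" (as in items 5-9) removes them and is fine.
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[+]?(Indexes|Includes|IncludesNOEXEC|ExecCGI|FollowSymLinks|All)$/) {
                    print "RISKY_OPTION line " NR ": " $i; n++
                }
        }
        END {
            # ServerSignature defaults to Off, so only an explicit other value is a finding
            if (sig != "" && sig != "off") {
                print "ServerSignature should be Off (found: " sig ")"; n++
            }
            # ServerTokens defaults to Full, so "unset" is a finding too
            if (tok != "prod") {
                print "ServerTokens should be Prod (found: " (tok == "" ? "unset, default Full" : tok) ")"; n++
            }
            exit (n > 0)
        }' "$1"
}

# Usage (path is an assumption): audit_httpd_conf /etc/httpd/conf/httpd.conf
```

Pair it with `apachectl configtest`: that command only tells you the file parses, while this one tells you whether the hardening choices are still in it.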
11. Module $ :
,$ mod_security download http://www.modsecurity.org/ `
$$ B
Simple filtering
Regular Expression based filtering
URL Encoding Validation
Unicode Encoding Validation
Auditing
Null byte attack prevention
Upload memory limits
Server identity masking
Built in Chroot support

R
http://gotroot.com/ http://www.tatica.org/
$B Fedora R Download 0 mod_security
R0 http://hany.sk/mirror/fedora/extras/6/i386/ `0 mod_security-2.1.3-1.fc6.i386.rpm `,B,
# rpm -ivh mod_security-2.1.3-1.fc6.i386.rpm
R $ $ module Download 0
B$$ $$ ($
) R 0 http://www.gotroot.com B R
http://www.tatica.org/tux/manual/mod_security-fc6_HOWTO.html ,:B
$ B$B
BR , Directory ,R$ Configuration
B
# mkdir /etc/modsecurity
# cd /etc/modsecurity
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist.conf
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.conf
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/useragents.conf
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-rules.conf
B0 mod_security.conf B
# vi /etc/httpd/conf.d/mod_security.conf
copy $R wget download
0 conf $B
# Example configuration file for the mod_security Apache module
LoadFile /usr/lib/libxml2.so.2
LoadModule security2_module modules/mod_security2.so
#LoadModule unique_id_module modules/mod_unique_id.so
#<IfModule mod_security2.c>
# This is the ModSecurity Core Rules Set.
# Basic configuration goes in here
# Include modsecurity.d/modsecurity_crs_10_config.conf
# Protocol violation and anomalies.
# These are disabled as there's a bug in REQUEST_FILENAME handling
# causing the "+" character to be incorrectly handled.
# Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
# Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf
# HTTP policy rules
# Include modsecurity.d/modsecurity_crs_30_http_policy.conf
# Here comes the Bad Stuff...
# Include modsecurity.d/modsecurity_crs_35_bad_robots.conf
# Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf
# Include modsecurity.d/modsecurity_crs_45_trojans.conf
# Include modsecurity.d/modsecurity_crs_50_outbound.conf
# Search engines and other crawlers. Only useful if you want to track
# Google / Yahoo et. al.
# Include modsecurity.d/modsecurity_crs_55_marketing.conf
# Put your local rules in here.
# The existing example is for the CVE-2007-1359 vulnerability
# Include modsecurity.d/modsecurity_localrules.conf
#</IfModule>
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly
SecFilterEngine On
# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1
SecServerResponseToken Off
#If you want to scan the output, uncomment these
SecFilterScanOutput On
SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
#Application protection rules
Include /etc/modsecurity/rules.conf
#Comment spam rules
Include /etc/modsecurity/blacklist.conf
#Bad hosts, bad proxies and other bad players
Include /etc/modsecurity/blacklist2.conf
#Bad clients, known bogus useragents and other signs of malware
Include /etc/modsecurity/useragents.conf
#Known bad software, rootkits and other malware
Include /etc/modsecurity/rootkits.conf
#Signatures to prevent proxying through your server #only use these rules if your server is NOT a proxy
#Include /etc/modsecurity/proxy.conf
#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /etc/modsecurity/apache2-rules.conf
</IfModule>
R
# /etc/init.d/httpd restart
$B$ Filter Download $$


0 Configuration B 7 0B$ Default

12. module $ 0 httpd.conf B


# grep LoadModule httpd.conf
$ Module `B, Server ,,
Module $ $
mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi,
mod_autoindex
$0 httpd.conf B
# vi /etc/httpd/conf/httpd.conf
Load Module $ # $
#LoadModule autoindex_module modules/mod_autoindex.so
:wq
13. root : Read, Write
Execute $ Configuration $B
# chown -R root.root /usr/lib/httpd
# chmod 511 /usr/sbin/httpd
# chmod 700 /etc/httpd/conf/
# chmod 700 /var/log/httpd/
14. ,$R
Denial of Service $ default , 300 $
: 45 0 httpd.conf B

Timeout 45
15. Upload 0$ : Denial
of Service $ default : Unlimited :$ 1 MB
0 httpd.conf B
LimitRequestBody 1048576
$ Upload 0,$B
, $ $ LimitRequestFields LimitRequestFieldSize
` http://httpd.apache.org/docs/2.0/mod/core.html
16. ,,0 XML $ default , 1 MB $
mod_dav $ WebDAV , $ : 0 $
WebDAV ,` 10 MB tag 0 httpd.conf B
LimitXMLRequestBody 10485760
17. ,$,R tag MaxClients 0
httpd.conf ,$$,
Server $,R tag ,B$
$ B MaxSpareServers, MaxRequestPerChild, ThreadsPerChild, ServerLimit
MaxSpareThreads `$$ $B, Hardware
18. ,, IP Address Server R
,`B$B:$ Network IP Address 203.172
R$ 203.172.0.0/16 0 httpd.conf B
Order Deny,Allow
Deny from all
Allow from 203.172.0.0/16

: IP Address B
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
19. , $ KeepAlive :$ ` connect
B$ ,: Off $
tag B ,: On ,$ MaxKeepAliveRequests ,
: 100 ,: 0 $: Unlimited $B,,
$0 tag KeepAliveTimeout ,: 15 `:
$B$ $BB Server
$,$B$$ 50 % `
0$B log file
20. Secure Socket Layer (SSL) , Web Application $
cB$R0$$
R User/Password ,
$ ,$$ Software
Sniffer $ $ Network $ Segment $
Layer 3 Switch `$ $R, Port 80
(Wireless) R$
BB 19 $$
$$ $`R
Login , (Link) $B
, Port 443 (SSL) ,`B $R

R ,$ Parameter R: No cache page expire
$ Refresh ,$ Server $ $
,B: Web Browser $$$
BACK Refresh $$ Web Browser $$
$ , $$ Client Server
,B B
Apache : Web Server ,B Port
80 Port 443 $BR $$$ Default Configuration
B$$$ ,
Server $B $RR$R,
B$, $$ $R$ Hack Port
443 R (Key)
B:$, local host Start Service
$ ,$
Server ,$ Server R$,
`,$ B,,B$$
B
20.1 B Apache + SSL ,,
Server , openssl B
# openssl genrsa -des3 1024 > /etc/pki/tls/private/server.key
.
Enter pass phrase: $
Verifying - Enter pass phrase: B

0 server.key R$0`BBB
# openssl rsa -in /etc/pki/tls/private/server.key -out /etc/pki/tls/private/server.key
Enter pass phrase for /etc/pki/tls/private/server.key: $B

R0 server.key , permission
root B
# chmod 600 /etc/pki/tls/private/server.key
20.2 B$,
server.csr ,'%'n'% !%o Web Server B
# openssl req -new -key /etc/pki/tls/private/server.key -out /etc/pki/tls/certs/server.csr
.. $R Enter $
Country Name (2 letter code) [GB]:TH
State or Province Name (full name) [Berkshire]:Phitsanulok
Locality Name (eg, city) [Newbury]:Muang
Organization Name (eg, company) [My Company Ltd]:Technical College
Organizational Unit Name (eg, section) []:Electrical Power
Common Name (eg, your name or your server's hostname) []:fbi.mine.nu
Email Address []:webmaster@mine.nu
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

An optional company name []:
20.3 B$:,0R
0 server.key $B, 1 (365 ) B
# openssl x509 -in /etc/pki/tls/certs/server.csr -out /etc/pki/tls/certs/server.crt -req -signkey /etc/pki/tls/private/server.key -days 365
:RB, Server $
,`B B Restart Boot Server $$
$`, Web Server ,
20.4 B $ R $ configuration
B$$0`B B
# vi /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
:
SSLCertificateFile /etc/pki/tls/certs/server.crt
$
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
:
SSLCertificateKeyFile /etc/pki/tls/private/server.key
:wq
Configuration file , $$$
$ B
# apachectl configtest

Syntax OK
Syntax OK $ $ 0
$$
Syntax OK ` Server ,$
# /etc/init.d/httpd restart
,R,
$ Configuration File ,B
# chattr +i /etc/httpd/conf/httpd.conf
# chattr +i /etc/httpd/conf.d/ssl.conf
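Steps 20.1 to 20.4 above are interactive and end with `apachectl configtest`, which only proves the file parses. The following shell functions are an added example, not code from the book: they run the key / CSR / self-signed certificate sequence non-interactively and then perform the two checks that configtest does not, namely that the certificate really belongs to the key and that the key file is readable by root only. They differ from the book's commands in using 2048-bit RSA with SHA-256 instead of 1024-bit RSA, which current browsers and CAs reject, and in creating the key without a passphrase, which is what the `openssl rsa` step above ends up with anyway. The directory, subject fields and hostname are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the book): the key / CSR / self-signed certificate
# sequence of steps 20.1-20.3 done non-interactively, plus the two checks worth
# running before pointing ssl.conf at the files: that the certificate really
# belongs to the key, and that the key file is readable by root only.
# Differences from the commands above: 2048-bit RSA and SHA-256 instead of
# 1024-bit RSA, and no passphrase (the "openssl rsa" step above strips it anyway).
# Directory, subject fields and hostnames are constructed for the example.

# make_selfsigned DIR CN DAYS -> DIR/server.key, DIR/server.csr, DIR/server.crt
make_selfsigned() {
    dir=$1 cn=$2 days=$3
    # umask in a subshell: the key is created 0600, so no window before "chmod 600"
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    # -subj replaces the interactive questionnaire of step 20.2; adjust to your site
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=TH/ST=Phitsanulok/L=Muang/O=Example College/OU=Web/CN=$cn" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -sha256 -days "$days" -out "$dir/server.crt" 2>/dev/null
}

# cert_key_match CRT KEY -> 0 when the public key inside CRT is the one derived from KEY
# (a mismatched pair makes mod_ssl refuse to start, or worse, serve the wrong identity)
cert_key_match() {
    a=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    b=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_cn CRT -> the subject CN (handles both the "CN=x" and "CN = x" print styles)
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's#.*CN *= *##; s#[,/].*##'
}

# key_is_private FILE -> 0 when the mode is exactly rw------- (what chmod 600 gives)
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage (paths are assumptions):
#   make_selfsigned /etc/pki/tls/private www.example.test 365
#   cert_key_match /etc/pki/tls/private/server.crt /etc/pki/tls/private/server.key && echo "pair OK"
```

A self-signed certificate still produces a browser warning; the point of the checks is to make sure the warning is the only thing wrong with the deployment.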

,c$c$s$
,$ Web Server $ $:`
$ ,R Server $ Access $
Web Browser R$ Hacker Port 80,443 `:
Port HTTP, HTTPS $$ OS Software R:
Hacker BB B`,
,B ,:$
SSL ` Apache c$ httpd Linux
$ Compile module SSL BB

1!1 n%%
ifup <ethx> ; eth0 or eth1 ethernet ,
ifdown <ethx> ; eth0 or eth1 ethernet ,
chkconfig < service> [on,off] service on,off boot
chattr [+,-] i file/dir attributes $
useradd <username> user account
passwd <username> ,/$
userdel <username> user account
groupdel <groupname> group
mount ,B0$ CD Drive,USB
umount ,B0 mount
mv ,0 directories
chmod +,- r,w,x [file,dir] ,$ permission file/dir
rm -f(r) file/dir file directories
find , file/dir

!1 5 Mail Server Security

Mail Server
) Mail Server
03

!%'
1. sendmail < Open source
2. D00 admin newaliases, makemap mailq
3. D00 user mailstats praliases
4. NN <N < (Bold)
5. N 0
N0N0

(*%
N D Mail Server
0 Mail Server Sendmail N
Install Linux N protocol SMTP port 25 0 N \ N
<0 Configure N
N 00

< Mail Server N Linux OS \ mail


N sendmail D0 N 0
mail service root 0< Mail Server
0 ) Download
Webbase e-mail site N\
sendmail.cf 0e
0 Server 0 forward mail 0
Bandwidth \<)
Fishing mail 0 \
mail D 3N<
. 0 3 Mail
server 7 N
1. email (Eavesdropping)
2. mail 00 mailbox \ (Mail-bombing)
3. <<
4. Mail Server
5. (hoaxes)
6. D Mail Server
7. email (Spam)
\
Update N0 senmail-8.14.x D
Configure DN 1 0

0 port 25 2 SSL
(Secure Socket Layer) 0NN

!1 1 0 Sendmail Port 25 0N
N
*!1 1 Update 0
Server N
# yum update sendmail
N0 link 30 mail shell
3 sendmail.cf smrsh sh
User smrsh 0 forward mail 3 .forward home
directory
# cd /etc/smrsh
# ln -s /bin/mail mail
# cd /etc/smrsh
# ln -s /usr/bin/procmail procmail
*!1 2 Maildir procmail
# mkdir -p /etc/skel/Maildir/new
# mkdir -p /etc/skel/Maildir/cur
# mkdir -p /etc/skel/Maildir/tmp
# chmod -R 700 /etc/skel/Maildir/
*!1 3 Configuration file procmail
# vi /etc/procmailrc

PATH=/usr/bin:/bin
SHELL=/bin/bash
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
DROPPRIVS=yes
*!1 4 service saslauthd 0
# /etc/init.d/saslauthd restart
# chkconfig saslauthd on
*!1 5 3 access
# vi /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
# N < IP Address >
Connect:192.168.1.0/24 RELAY
D3 vi
:wq

N database makemap
# makemap hash /etc/mail/access.db < /etc/mail/access
*!1 6 N3 local-host-names domain
alias host
# vi /etc/mail/local-host-names
# local-host-names - include all aliases for your machine here.
# 3
sample.co.th
mail.sample.co.th
\D3 vi
:wq
*!1 7 3 authinfo
# vi /etc/mail/authinfo
AuthInfo:mail.sample.co.th "U:<username>" "I:<identity>" "P:<password>" "M:LOGIN PLAIN"
:wq
*!1 8 mode 3 authinfo < 600
# chmod 600 /etc/mail/authinfo
*!1 9 3 authinfo.db 0 makemap
# makemap hash /etc/mail/authinfo.db < /etc/mail/authinfo
*!1 10 senmail.mc
# vi /etc/mail/sendmail.mc
.

.
dnl # Do not advertize sendmail version.
dnl #
define(`confSMTP_LOGIN_MSG',`unknown')dnl
.
define(`SMART_HOST', `mail.sample.co.th')dnl
..
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
..
FEATURE(`blacklist_recipients')dnl
# blacklist http://www.technoids.org/dnsbl.html
FEATURE(dnsbl,`relays.ordb.org')dnl
FEATURE(dnsbl,`list.dsbl.org')dnl
FEATURE(dnsbl,`sbl-xbl.spamhaus.org')dnl
dnl EXPOSED_USER(`root')dnl
.
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.

dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
..
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
.
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl FEATURE(`accept_unresolvable_domains')dnl
.
LOCAL_DOMAIN(`localhost.localdomain')dnl
define(`confDOMAIN_NAME', `mail.sample.co.th')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
MASQUERADE_AS(`sample.co.th')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
FEATURE(masquerade_entire_domain)dnl
dnl #
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(`server1.sample.co.th')dnl
MASQUERADE_DOMAIN(`mail.sample.co.th')dnl
define(`confRECEIVED_HEADER',`$?sfrom $s $.$?_($?s$|from $.$_)
$.$?{auth_type}(authenticated)
$.by $j (unknown)$?r with $r$. id $i$?u
for $u; $|;
$.$b')dnl
define(`confMAX_MESSAGE_SIZE',`10485760')dnl
\D3 vi
:wq
*!1 11 helpfile
# vi /etc/mail/helpfile
#vers 2
cpyr
cpyr Copyright (c) 1998-2000, 2002, 2004-2006 Sendmail, Inc. and its suppliers.
cpyr All rights reserved.
cpyr Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
cpyr Copyright (c) 1988, 1993
cpyr The Regents of the University of California. All rights reserved.
cpyr
cpyr
cpyr By using this file, you agree to the terms and conditions set
cpyr forth in the LICENSE file which can be found at the top level of
cpyr the sendmail distribution.
cpyr
#smtp This is sendmail
smtp Topics:
smtp HELO EHLO MAIL RCPT DATA
smtp RSET NOOP QUIT HELP VRFY
smtp EXPN VERB ETRN DSN AUTH
smtp STARTTLS
smtp For more info use "HELP <topic>".
#smtp To report bugs in the implementation see
#smtp http://www.sendmail.org/email-addresses.html
#smtp For local information send email to Postmaster at your site.
*!1 12 3 senmail.cf 0 m4
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
restart sendmail

# /etc/init.d/sendmail restart
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
*!1 13 00 mail root
# vi /etc/aliases

# trap decode to catch security attacks
decode: root
# Person who should get root's mail
root: admin,admin@sample.co.th
D3 vi
:wq
\0 newaliases
# newaliases
0\3 13 N<0 sendmail
03N
Configure NN\
)N
1. account 3 aliases 0<
3 aliases < (Bold) NN 9 N
# vi /etc/aliases

# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
games: root
ingres: root
nobody: root
system: root
toor: root
uucp: root
# Well-known aliases.
manager: root
dumper: root
operator: root
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
#root: marc
00
N
# newaliases

2. Ne
Server SMTP Sendmail localhost
0N
3 sendmail.cf (vi /etc/mail/sendmail.cf) N
# vi /etc/mail/sendmail.cf
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
<
O SmtpGreetingMessage=$j
D30 restart
# /etc/init.d/sendmail restart
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
3. 0N set flag
3 N
# chattr +i /etc/mail/sendmail.cf
# chattr +i /etc/mail/local-host-names
# chattr +i /etc/aliases
# chattr +i /etc/mail/access
!1 2 Sendmail 0 smtps SSL Port 465
Dovecot 0 imaps 0 Port 993 0 0 Web
Base e-mail D0N 0N
*!1 1 N Linux Server \ Sendmail N

0 Mail Server Dovecot N
popt imap version Update
# yum update sendmail
N0 copy 3\
# cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.org
# cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.org
*!1 2 3 sendmail.mc
# vi /etc/mail/sendmail.mc
.. 3 N < macro N dnl (delete
through newline) DN sendmail.cf
0 AUTH p A password
login
define(`confAUTH_OPTIONS', `A p')dnl
. 2 N dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
.. 4 N dnl
define(`confCACERT_PATH',`/etc/pki/tls/certs')dnl
define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl

smtp port 25 < smtps port 465 dnl N
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
smtp unsecure N
DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')dnl
\\D3 vi
:wq
N3 sendmail.cf
# make -C /etc/mail
*!1 3 3 sendmail.pem
# cd /etc/pki/tls/certs
# make sendmail.pem
Country Name (2 letter code) [GB]:TH
State or Province Name (full name) [Berkshire]:Boonlue Yookong
Locality Name (eg, city) [Newbury]:Phitsanulok
Organization Name (eg, company) [My Company Ltd]:No Company
Organizational Unit Name (eg, section) []:Linux Server
Common Name (eg, your name or your server's hostname) []:test.sample.co.th
Email Address []:admin@sample.co.th
\ Enter
*!1 4 3 dovecot.conf
# vi /etc/dovecot.conf
03N # D
3

ssl_disable = no
ssl_verify_client_cert = no
ssl_parameters_regenerate = 168
ssl_cipher_list = ALL:!LOW
ssl_cert_file = /etc/pki/tls/certs/sendmail.pem <- N
ssl_key_file = /etc/pki/tls/certs/sendmail.pem <- N
disable_plaintext_auth = yes <- N no < yes
protocols = imaps pop3s
D3 vi
:wq
*!1 5 \0 restart service
# /etc/init.d/sendmail restart
# /etc/init.d/dovecot restart
*!1 6 00 port 465 993
Firewall 0 Port N
# vi /etc/sysconfig/iptables
.. port 25, 465 993 N
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --syn --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT
\D vi
:wq
restart service

# /etc/init.d/iptables restart
0 Firewall \ 3 port NN
iptables -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --syn --dport 25 -j ACCEPT <-- for TLS encryption (and basic SMTP)
iptables -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT <-- for SSL encryption
iptables -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT <-- for SSL encryption
\D restart firewall

< sendmail server


0 Server
Password Sniffer e0
** 0 sendmail-8.13.x DN
sendmail.cf default < Addr=127.0.0.1 port
25 localhost N host address 0 Server
local server 0 mail 0 Web base e-mail
Host < Addr=x.x.x.x (ip address mail server) \
IP DN localhost IP Address Server <
user sendmail Web
base email 0 localhost N***

!1 6 DNS Server Security

DNS Server
Configuration
0247

!%'
1. bind > Open source
2. E0 nslookup, host
3. MM 7>M > (Bold)
4. M 07
M70M0

(*%
0 Linux 0 DNS Server 77 0X
7MZ72
0Z \ DNS 7 Domain Name 7M
7 Web site > Domain 2 MZ
7 DNS M7 >02Z7
7

DNS Server ZEM 700 DNS


Server Linux 277 bind EX2> Version 9.x.x E
X777 77Z
7 Server 007 Internet
0 0 Security DNS Server M 0
700>0M2
Z7 M 7
M77 M Server 7E
>2 (Key) 7 7772>
7M20 DNS 0 DNS Server 7
2 (Key) 2 70
M 7 M

6.1 DNS Server 7

!1 1 ;*
7M>0 Service 7
Internet Server 07MM7M
0 Configuration 0 bind 9.x.x X20M0
> Chroot jail 0 7 0 /var/named/chroot M
7E7 version 7 /var/named 7
1. 7 702 0
Update
# yum update bind
2. 40 named mode > 750
# ls -l /usr/sbin/named
777 750 0 chmod
# chmod 750 /usr/sbin/named
3. 72 Account named ftp service M
7\ ftp server vsftpd
# echo "named" >> /etc/vsftpd/ftpusers
4. 7 permission Directory 7 /var/named 72
group write 2 7M
! Primary DNS
# chown -R root.named /var/named/chroot/var/named
# chmod 750 /var/named/chroot/var/named
# chmod -R go-w /var/named/chroot/var/named

! Secondary DNS
# chown -R root.named /var/named/chroot/var/named
# chmod 770 /var/named/chroot/var/named
5. 0 SUID/SGID (70 3 Kernel
harden)
# find /usr/sbin -type f -exec chmod ug-s {} \;

!1 2 (1 % Caching Name Server


0 Gateway Server 7 DoS (Denial
of Service) 0 7 tcp-clients 32 E client connect
protocol tcp 7 32 4 named.conf 7
>(Bold) 77 tools 77

# vi /var/named/chroot/etc/named.conf
// Authorized source addresses.
acl "trusted" {
localhost;
};
// Known fake source addresses shouldn't be replied to.
acl "blocked" {
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;

192.0.2.0/24;
224.0.0.0/3;
169.254.0.0/16;
// Enterprise networks may or may not be bogus.
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
options {
directory "/var/named";
allow-transfer { none; };
allow-query { trusted; };
allow-recursion { trusted; };
blackhole { blocked; };
tcp-clients 32;
forwarders { 192.168.1.5; 192.168.1.6; };
version "New version";
};
logging {
category lame-servers { null; };
};
// Root server hints
zone "." { type hint; file "db.cache"; };

// Provide a reverse mapping for the loopback address 127.0.0.1/24
zone "localhost" {
type master;
file "db.localhost";
notify no;
};
zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa";
notify no;
};

!1 3 % Transaction Signatures (TSIG)


M BIND 9 0 Primary Secondary Name Server
Transaction key EM7 0
Configuration 74 4 Key 7Z7
Server 77 Primary Secondary DNS 0
1 M00 DNS Server 2 Primary
Secondary Update Primary Secondary
27>07
770 Update M0M 4 MM
*!1 1 Transaction Key 0 128 bit (16 byte)
# dnssec-keygen -a hmac-md5 -b 128 -n HOST ns1-ns2

Kns1-ns2.+157+45508
4Z key
Kns1-ns2.+157+45508.key
Kns1-ns2.+157+45508.private
*!1 2 \4 private key
# cat Kns1-ns2.+157+45508.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: EJF5ryfnLcD6XwUbh+JE4g== <- (Bold)
*!1 3 4M
# rm -f Kns1-ns2.+157+45508.key
# rm -f Kns1-ns2.+157+45508.private
*!1 4 07 key named.conf
4 named.conf (vi /var/named/chroot/etc/named.conf) M Primary
Secondary 7 3 774
key ns1-ns2 {
algorithm hmac-md5;
secret "EJF5ryfnLcD6XwUbh+JE4g==";
};
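Steps 1 to 4 above generate the shared secret with dnssec-keygen and paste it into a `key` stanza on both servers; a secret damaged in that paste (an extra space, a wrapped line) only shows up later as a failed zone transfer. The following shell functions are an added example, not code from the book: they generate a secret of a chosen size, validate that a secret is well-formed base64 of the expected length, and print the `key` and `server` stanzas of steps 4 and 5. The book uses hmac-md5 with a 16-byte key; the usage comment here picks hmac-sha256 with 32 bytes, which BIND 9 also accepts and which is the stronger choice today. The key name and peer address are the book's example values, used as placeholders.

```sh
#!/bin/sh
# Added example (not from the book): produce a TSIG secret and the "key" and
# "server" stanzas of steps 1-5 above without dnssec-keygen, and validate a
# secret before it goes into named.conf. Algorithm and key size are parameters;
# the usage line picks hmac-sha256 / 32 bytes instead of the book's hmac-md5 / 16.
# Key name and peer address below are constructed placeholders.

# tsig_secret BYTES -> base64 encoding of BYTES random bytes, on one line
tsig_secret() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# tsig_secret_ok SECRET BYTES -> 0 when SECRET is well-formed base64 that
# encodes exactly BYTES bytes. A stray space ("= =") or a line wrapped while
# pasting into named.conf fails here instead of at zone-transfer time.
tsig_secret_ok() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$' || return 1
    len=${#1}
    pad=$(printf '%s' "$1" | tr -cd '=' | wc -c | tr -d ' ')
    [ $(( len * 3 / 4 - pad )) -eq "$2" ]   # decoded length from encoded length and padding
}

# tsig_stanza NAME SECRET ALGORITHM PEER_IP -> named.conf fragment for one side;
# the same fragment, with the other peer's address, goes on the other server
tsig_stanza() {
    cat <<EOF
key "$1" {
    algorithm $3;
    secret "$2";
};
server $4 {
    keys { "$1"; };
};
EOF
}

# Usage: s=$(tsig_secret 32); tsig_secret_ok "$s" 32 && tsig_stanza ns1-ns2 "$s" hmac-sha256 192.168.100.5
```

Because the secret authenticates both sides, treat the named.conf that contains it like the private key above: readable by root and the named group only, and not copied into tickets or mail.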

74 named.conf Primary/Master name server :


192.168.100.4
Private IP : 192.168.0.0/24

#vi /var/named/chroot/etc/named.conf
key ns1-ns2 {
algorithm hmac-md5;
secret "EJF5ryfnLcD6XwUbh+JE4g==";
};
// Authorized source addresses.
acl "trusted" {
localhost;
192.168.100.0/24;
192.168.0.0/24;
};
// Known fake source addresses shouldn't be replied to.
acl "blocked" {
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
192.0.2.0/24;
224.0.0.0/3;
169.254.0.0/16;
// Enterprise networks may or may not be bogus.
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;

};
options {
directory "/var/named";
allow-transfer { 192.168.100.5; };
allow-query { trusted; };
allow-recursion { trusted; };
blackhole { blocked; };
tcp-clients 1024;
forwarders { none; };
version "New version";
};
logging {
category lame-servers { null; };
};
// Root server hints
zone "." { type hint; file "db.cache"; };
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
notify no;
};
zone "sample.co.th" {

type master;
file "db.sample";
allow-query { any; };
};
zone "100.168.192.in-addr.arpa" {
type master;
file "db.192.168.100";
allow-query { any; };
};

74 named.conf 0 Secondary/Slave name server :


192.168.100.5 Private IP : 192.168.0.0/24
#vi /var/named/chroot/etc/named.conf
key ns1-ns2 {
algorithm hmac-md5;
secret "EJF5ryfnLcD6XwUbh+JE4g==";
};
// Authorized source addresses.
acl "trusted" {
localhost;
192.168.100.0/24;
192.168.0.0/24;
};

// Known fake source addresses shouldn't be replied to.
acl "blocked" {
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
192.0.2.0/24;
224.0.0.0/3;
169.254.0.0/16;
// Enterprise networks may or may not be bogus.
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
options {
directory "/var/named";
allow-transfer { none; };
allow-query { trusted; };
allow-recursion { trusted; };
blackhole { blocked; };
tcp-clients 1024;
forwarders { none; };
version "New version";
};

logging {
category lame-servers { null; };
};
// Root server hints
zone "." { type hint; file "db.cache"; };
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
notify no;
};
zone "sample.co.th" {
type slave;
file "db.sample";
masters { 192.168.100.4; };
allow-query { any; };
};
zone "100.168.192.in-addr.arpa" {
type slave;
file "db.192.168.100";
masters { 192.168.100.4; };
allow-query { any; };
};

*!1 5 07 IP Address DNS Server


4 named.conf (vi /var/named/chroot/etc/named.conf) M Primary
Secondary 7 3 77M 4
# vi /var/named/chroot/etc/named.conf
server x.x.x.x {
keys { ns1-ns2 ;};
};
0 x.x.x.x > IP address DNS Server
74 named.conf 0 Primary/Master name server :
192.168.100.4 Private IP : 192.168.0.0/24 ( o;1;(%(1 o!1q
(Bold))
#vi /var/named/chroot/etc/named.conf
key ns1-ns2 {
algorithm hmac-md5;
secret "EJF5ryfnLcD6XwUbh+JE4g==";
};
server 192.168.100.4 {
keys { ns1-ns2 ;};
};

74 /var/named/chroot/etc/named.conf 0 Secondary/Slave
name server : 192.168.100.5 Private IP : 192.168.0.0/24 ( o;1;(%(1
o!1q (Bold))

#vi /var/named/chroot/etc/named.conf
key ns1-ns2 {
algorithm hmac-md5;
secret "EJF5ryfnLcD6XwUbh+JE4g==";
};
server 192.168.100.5 {
keys { ns1-ns2 ;};
};
* ! 1 6 M 2 7 0 Permission 4 named
0M Primary Secondary
# chmod 600 /var/named/chroot/etc/named.conf
# /etc/init.d/named restart
Shutting down named: [OK]
Starting named: [OK]

% TSIG 0EE77
Primary Secondary M70
key E0 77 7 0 4
named.conf allow-transfer { 192.168.100.5; }; Primary Name Server
M
# vi /var/named/chroot/etc/named.conf
allow-transfer { 192.168.100.5; };
>

allow-transfer { key ns1-ns2; };

2 7 named.conf Primary/Master Name Server7 M 3


7 (Bold) M
key ns1-ns2 {
algorithm hmac-md5;
secret "EJF5ryfnLcD6XwUbh+JE4g==";
};
server 192.168.100.4 {
keys { ns1-ns2 ;};
};
options {
directory "/var/named";
allow-transfer { key ns1-ns2; };
allow-query { trusted; };
allow-recursion { trusted; };
version "New version";
};
2 Update Zone Dynamic 07 key Zone

zone "sample.co.th" {
type master;
file "db.sample";

allow-update { key ns1-ns2; };
allow-query { any; };
};

!1 4 % Encryption Algorithm
M 7 BIND 9 24
named.conf 07 key 7 algorithm secret 77>
DNS Server Version 9 7E7
Z727 0227 key 7\2
207 key 7 EM
0 6 MM
*!1 1 version 7 key 128 bit E
EM key 0 bit M7 1-512 bit M7M
0 key 352 bit (60 byte) 7EM
# dnssec-keygen -a hmac-md5 -b 352 -n user rndc
Krndc.+157+44283
4 Krndc.+157+44283.key Krndc.+157+44283.private
*!1 2 \4 Krndc.+157+44283.private 7 key
#cat Krndc.+157+44283.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: RZfsvIRU0DY8/tC0OcXXISiYUO0rWtizlEoP49cw6PTTYBWVhh4hjiCxcKo=

*!1 3 4MM
# rm -f Krndc.+157+44283.key
# rm -f Krndc.+157+44283.private

*!1 4 07 key 74 rndc.conf (74 rndc.conf


EM7)
#vi /etc/rndc.conf
options {
default-server localhost;
default-key "rndckey";
};
server localhost {
key "rndckey";
};
key "rndckey" {
algorithm hmac-md5;
secret "RzfsvIRU0DY8/tC0OcXXISiYUO0rWtizlEoP49cw6PTTYBWVhh4hjiCxcKo=";
};
*!1 5 07 key 74 named.conf
4 named.conf M
# vi /var/named/chroot/etc/named.conf
key ns1-ns2 {

algorithm hmac-md5;
secret "EJF5ryfnLcD6XwUbh+JE4g==";
};
server 192.168.100.4 {
keys { ns1-ns2 ;};
};
key rndckey {
algorithm hmac-md5;
secret "RzfsvIRU0DY8/tC0OcXXISiYUO0rWtizlEoP49cw6PTTYBWVhh4hjiCxcKo=";
};
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { rndckey; };
};
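A check for the key statements above, added here as an example and not code from the book or from BIND: it pulls every key { algorithm; secret; } block out of a named.conf fragment, decodes the secret as strict base64 and compares its length in bits with the size that was given to dnssec-keygen -b. A secret copied with a stray space (the "= =" that a printed "==" often turns into) fails the decode, a 128-bit key must decode to 16 bytes and a 352-bit rndc key to 44 bytes. The function names and the constructed fragment are this example's own; the two good secrets are the values printed by the book's dnssec-keygen runs.

```python
import base64
import binascii
import re

# Constructed named.conf fragment for the demo. The first two secrets are the
# values the chapter's dnssec-keygen runs printed; the third is a deliberately
# broken copy of the first, with the "= =" typo that appears when a key is
# retyped from a printed page.
SAMPLE_NAMED_CONF = '''
key ns1-ns2 {
    algorithm hmac-md5;
    secret "EJF5ryfnLcD6XwUbh+JE4g==";
};
key "rndckey" {
    algorithm hmac-md5;
    secret "RZfsvIRU0DY8/tC0OcXXISiYUO0rWtizlEoP49cw6PTTYBWVhh4hjiCxcKo=";
};
key broken {
    algorithm hmac-md5;
    secret "EJF5ryfnLcD6XwUbh+JE4g= =";
};
'''

# One key statement: name with or without quotes, then algorithm and secret.
KEY_RE = re.compile(
    r'key\s+"?(?P<name>[\w.-]+)"?\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]*)"\s*;\s*\}\s*;',
    re.IGNORECASE,
)


def parse_keys(conf):
    """Return {name: (algorithm, secret)} for every key statement in conf."""
    return {m.group("name"): (m.group("alg").lower(), m.group("secret"))
            for m in KEY_RE.finditer(conf)}


def secret_bits(secret):
    """Decode a TSIG secret strictly; return its length in bits, or None if
    the text is not valid base64 (wrong characters, spaces, bad padding)."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return None
    return len(raw) * 8


def check_keys(conf, expected_bits):
    """Compare each key's real size with the size the admin meant to
    generate (the -b value); expected_bits maps key name -> bits."""
    report = {}
    for name, (alg, secret) in parse_keys(conf).items():
        bits = secret_bits(secret)
        if bits is None:
            report[name] = "invalid base64 (check for stray spaces or missing '=' padding)"
        elif name in expected_bits and bits != expected_bits[name]:
            report[name] = f"{bits}-bit secret, expected {expected_bits[name]}"
        else:
            report[name] = f"ok ({alg}, {bits} bits)"
    return report


if __name__ == "__main__":
    for name, verdict in check_keys(SAMPLE_NAMED_CONF,
                                    {"ns1-ns2": 128, "rndckey": 352}).items():
        print(f"{name}: {verdict}")
```

Run it against the real file with the sizes you generated; a key that both the master and the slave accept but that decodes to the wrong length means one side was edited by hand.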

*!1 6 74 rndc.key rndc.conf /etc 7 secret


77ZZ Restart
# /etc/init.d/named restart
Shutting down named: [OK]
Starting named: [OK]

40 DNS Server 77 70EE


E Hacker \7>0 2 Internet 7
7 Internet 7 Proxy Server 7 77 DNS 7
7 Proxy Server Name Server 727
2 ping Z42 2
7M7 Domain 2 Internet Z E DNS 7
0 4 M>4 27Z 0
4277X2 Domain Name
77>E7MZ>

0 VI Editor 77
7 insert mode 0
i dd Cursor 7
07 Cursor 7
7 insert mode 0
a 707 Cursor u (undo)
7
7 insert mode 0
o yy copy cursor 7
EM7
copy cursor 70 n
:set number nyy
buffer
7 buffer 7
:set nonumber p
cursor 7
/(0
0 :w E4
)
0 E4
ESC :wq
07 vi
:q! 7E

!1 7 FTP Server Security

FTP Server
$& Configuration &
7&

!%'
1. vsftpd C Open source
2. H7 ftp, telnet
3. $$ &C$ C (Bold)
4. $ 7&
$&7$7

(*%
$ Linux Internet Server $ & Linux
H Linux $& $
Server Server WWW, FTP, Proxy, Mail
configuration 7 $HCH C
&]& C&&^&
& Server && &H$_

& Linux C Internet Server &&_ $


FTP Server Hacker & Version d&
CD Linux _&
C& d Version OS &$ C
d&C 7
&&
C UNIX File Transfer Protocol (FTP) &^
&^^&& d_ C
&^& Software
77&^ platform
UNIX Linux 7 ^ & 7 UNIX H
Server & 7&&
& & linux ]& ftp Server &H Server _
_]
C&
&$H&& web data & $&
&7C Web Server _& Web
Browser 7 E-Learning , E-Education 7
&]&& &$&&
7 Configuration FTP Server & Default 7
anonymous ftp & directory & User &
$& User login &
directory & Chroot Jail

7.1 7 FTP Server

&7 7 Update vsftpd


# yum update vsftpd
_H7 Configuration &

!1 1 C7 Configuration $ ^
vsftpd.conf
# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.orig
# vi /etc/vsftpd/vsftpd.conf
&$7 FTP Server $
ftpd_banner=Welcome to FTP service.
anon_umask=077
local_umask=022
nopriv_user=ftp
pasv_enable=YES
anon_root=/var/ftp
&C User
Anonymous User (& default=NO) ]
anonymous_enable=YES
7&7 500
max_clients=500
max_per_ip=4 <- connect & ip address
.. 7 chroot jail user & directory && home directory
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list <- ^ user
.. User account & $ server & 2
&7$
chroot_local_user=YES

7.2 7 Chroot Jail

!1 2 C TLS/SSL
&& 7$
&&7 SSL $&
# ldd /usr/sbin/vsftpd |grep ssl
libssl.so.6 => /lib/libssl.so.6 (0x0012c000)
$ libssl 7 private key digital certificate

# openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
-keyout /etc/vsftpd/vsftpd.pem \
-out /etc/vsftpd/vsftpd.pem
&7 X509 SSL certificate H$ 365
Country Name (2 letter code) [GB]:TH
State or Province Name (full name) [Berkshire]:Boonlue
Locality Name (eg, city) [Newbury]:Phitsanulok
Organization Name (eg, company) [My Company Ltd]:No Company
Organizational Unit Name (eg, section) []:Linux Server
Common Name (eg, your name or your server's hostname) []:ftp.sample.co.th
Email Address []:admin@sample.co.th
& Enter & ^ vsftpd.pem
_]$&
# cat /etc/pki/tls/certs/vsftpd.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDm76qjNTi7M7XSUf1RmjBHJaM29as1WlKsa/SpfX4E1
FQuMADNnzPmhLYOSmI+jN7Sdc8pIsRmtKjNERNX9wU/mV85h6eAOuG
3Yp0cAvlJhy4NthwT+l/ZIWx+gxE/1Xe7F1YYPBHy/i2jUHAti9A2TkejQIDAQ
AoGAa8m/jqIZ21UGcgu9L2lOqVRGjEIaHn5px41MdDE4SE0VpJ31TJ2RM
EnLI75qPqHHutlGOesqeMnheCXXeruR7GSNUun/rmwvylC/umNQf2EyMih
QXe2oBf7Rk2IisHFniZhAgQbUeJpow94oEKA7C27le+0ECQQD6k8MPV05
PfObBkiGF/gom+5CJ/EjLD7W3lj7znXMqMiPscXQu5P8GXovRRwUqItPwp
/lynGcTdAkEA6+8XHtDzWuAOA/GsZhuwU+LEx4OnQHs2UAGqaS+LWv4

rIv7gIakIT0y4HahOMZyMnl41DlDxKNcQJBAOzhsT4Yd/QWn94COAAuwX
3Yp2/fQVSNaR3ic1+m09xFF00Ybvwx+NEJoj3WWOCLijZv89DCGPArQRp
fJOn4kQJXNuNp9VJNaNf0CqBf9QtZTb1u1ofXmkpjayPi5t47R8+JoeoSxMl
UcgauqDSI+1qJW8E2wyRAkAtc5VWxAJkRJEMHerRTpyjznBav5BD/US8+
/FGh7L1/HdUikn2WJaSZt5oB6u/mjtcTvixg85zt6gKV
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID1DCCAz2gAwIBAgIJAN+qqIj7BqKMA0GCSqGSIb3DQEBBQUAMIGj
VQQGEwJUSDEQMA4GA1UECBHQm9vbmx1ZTEUMBIGA1UEBxMLUG
EzARBgNVBAoTCk5vIGNvbXBhbnkxGAXBgNVBAsTEGZ0cC5zYW1wbG
GTAXBgNVBAMTEGZ0cC5zYW1wbGUuY28udGgxITAfBgkqhkiG9w0BCQ
QHNhbXBsZS5jby50aDAeFw0wNzEyzAxMzU4NTFaFw0wOTEyMjkxMzU
MQswCQYDVQQGEwJUSDEQMA4A1UECBMHQm9vbmx1ZTEUMBIGA1
bnVsb2sxEzARBgNVBAoTCk5vIGNbXBhbnkxGTAXBgNVBAsTEGZ0cC5z
Y28udGgxGTAXBgNVBAMTEGZ0cC5zYW1wbGUuY28udGgxITAfBgkqhki
EmFkbWluQHNhbXBsZS5jby50aDBnzANBgkqhkiG9w0BAQEFAAOBjQAw
5u+qo6DU4uzO10lH9UZowRyWjvWrNVpSrGv0qX1+BNV61L/yBULjAAzZ
kpiPoze0nSwnPKSLEZrSozRETV/P5lfOYengDrhp/1DgXKLd2KdHAL5SYcu
cE/pf2SFsfoMRP9V3uxdWGDwRv4to1BwLYvQNk5Ho0CAwEAAaOCAQw
A1UdDgQWBBSIpEdNg2Y0U70jGzm0k8QMMAXB3TCB2AYDVR0jBIHQM
g2Y0U70jGzm0k8QMMAXB3aGBqSBpjCBozELMAkGA1UEBhMCVEgxED
B0Jvb25sdWUxFDASBgNVBAcT1BoaXRzYW51bG9rMRMwEQYDVQQKE
YW55MRkwFwYDVQQLExBmdHAuc2FtcGxlLmNvLnRoMRkwFwYDVQQD

cGxlLmNvLnRoMSEwHwYJKoZIcNAQkBFhJhZG1pbkBzYW1wbGUuY28u
gKqiI+waijAMBgNVHRMBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBA
pQto7C4GGMiCs04GNob+x7+npl5Eo6eNSnIFYnt4TxS6be+GMUDUpnA
jqwly2zQhlOue7H6/a8aPth5EgRvgYUZtV6v9+NySwibVnyILmSw07/C0gy6
maBPC6t5ejK3uAiC+cyDaU5eR7tzSNDH
-----END CERTIFICATE-----
$&&&& $
# openssl x509 -in /etc/pki/tls/certs/vsftpd.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
df:80:aa:a2:23:ec:1a:8a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=TH, ST=Boonlue, L=Phitsanulok, O=No Company, OU=Linux
Server, CN=ftp.sample.co.th/emailAddress=admin@sample.co.th
Validity
Not Before: Dec 30 13:58:51 2007 GMT
Not After : Dec 29 13:58:51 2009 GMT
Subject: C=TH, ST=Boonlue, L=Phitsanulok, O=No company, OU=Linux
Server, CN=ftp.sample.co.th/emailAddress=admin@sample.co.th
Subject Public Key Info:
Public Key Algorithm: rsaEncryption

RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:e6:ef:aa:a3:a0:d4:e2:ec:ce:d7:49:47:f5:46:
68:c1:1c:96:8c:db:d6:ac:d5:69:4a:b1:af:d2:a5:
f5:f8:13:55:eb:52:ff:c8:15:0b:8c:00:33:67:cc:
f9:a1:2d:83:92:98:8f:a3:37:b4:9d:2c:27:3c:a4:
8b:11:9a:d2:a3:34:44:4d:5f:dc:14:fe:65:7c:e6:
1e:9e:00:eb:86:9f:f5:0e:05:ca:2d:dd:8a:74:70:
0b:e5:26:1c:b8:36:d8:70:4f:e9:7f:64:85:b1:fa:
0c:44:ff:55:de:ec:5d:58:60:f0:47:cb:f8:b6:8d:
41:c0:b6:2f:40:d9:39:1e:8d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
88:A4:47:4D:83:66:34:53:BD:23:1B:39:B4:93:C4:0C:30:05:C1:DD
X509v3 Authority Key Identifier:
keyid:88:A4:47:4D:83:66:34:53:BD:23:1B:39:B4:93:C4:0C:30:05:C1:DD
DirName:/C=TH/ST=Boonlue/L=Phitsanulok/O=No company/OU=Linux
Server/CN=ftp.sample.co.th/emailAddress=admin@sample.co.th
serial:DF:80:AA:A2:23:EC:1A:8A
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption

5f:13:bf:c3:c9:ae:55:34:a5:0b:68:ec:2e:06:18:c8:82:b3:
4e:06:36:86:fe:c7:bf:a7:a5:4a:96:97:91:28:e9:e3:52:9c:
81:58:9e:de:13:c5:2e:9b:7b:e1:8c:50:35:29:9c:0c:35:00:
29:56:8e:ac:25:cb:6c:d0:86:53:ae:7b:b1:fa:fd:af:1a:3e:
d8:79:13:07:60:46:f8:18:51:9b:55:ea:ff:7e:37:24:b0:89:
b5:67:c8:82:e6:4b:0d:3b:fc:2d:20:cb:a3:5d:99:a0:4f:0b:
ab:79:7a:32:b7:b8:08:82:f9:cc:83:69:4e:5e:47:bb:73:48:
d0:c7
^ Mode C 600
# chmod 600 /etc/pki/tls/certs/vsftpd.pem
^ vsftpd.pem _^^ vsftpd.conf
# vi /etc/vsftpd/vsftpd.conf
# &
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES <- NO & SSL _
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem <-
_H^ vi
:wq

$ restart service
# /etc/init.d/vsftpd restart
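An audit of the vsftpd.conf settings above, added as an example (not code from the book or from vsftpd): it parses the key=value file the way vsftpd reads it, insists on explicit values for the TLS and chroot directives shown, reports that force_local_data_ssl=NO leaves the data channel in clear text, and checks that the file named in rsa_cert_file exists and is not readable by group or others (the chmod 600 step above). REQUIRED, audit_vsftpd, cert_file_problems, demo_cert_mode_check and the sample configuration are this example's own names.

```python
import os
import stat
import tempfile

# Constructed vsftpd.conf fragment with the TLS and chroot settings the
# chapter turns on; force_local_data_ssl=NO is the chapter's value as well.
SAMPLE_VSFTPD_CONF = """\
# comments and blank lines are ignored by vsftpd
anonymous_enable=YES
chroot_local_user=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
"""

# Boolean settings a hardened vsftpd must state explicitly, with the value required.
REQUIRED = {
    "ssl_enable": "YES",
    "force_local_logins_ssl": "YES",   # local passwords never cross port 21 in clear text
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "ssl_tlsv1": "YES",
    "chroot_local_user": "YES",        # local users stay inside their home directory
}


def normalize_bool(value):
    """vsftpd accepts YES/NO, TRUE/FALSE and 1/0 in any letter case."""
    v = value.strip().upper()
    return {"TRUE": "YES", "1": "YES", "FALSE": "NO", "0": "NO"}.get(v, v)


def parse_vsftpd_conf(text):
    """vsftpd.conf is one key=value per line; '#' starts a comment only at
    line start and no whitespace is allowed around '='."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key] = value
    return settings


def cert_file_problems(path):
    """vsftpd.pem carries the private key, so only its owner may read it."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return [f"rsa_cert_file {path} does not exist"]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"rsa_cert_file {path} has mode {oct(mode)}; group/others can read the private key"]
    return []


def audit_vsftpd(text, check_files=True):
    settings = parse_vsftpd_conf(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key)
        if actual is None or normalize_bool(actual) != wanted:
            findings.append(f"{key}={actual} (want {wanted})")
    if normalize_bool(settings.get("force_local_data_ssl", "NO")) != "YES":
        findings.append("force_local_data_ssl=NO: logins are protected but file contents still travel in clear text")
    if check_files and "rsa_cert_file" in settings:
        findings.extend(cert_file_problems(settings["rsa_cert_file"]))
    return findings


def demo_cert_mode_check():
    """Create a throwaway file, check it at mode 644 and again at 600;
    returns (findings_at_644, findings_at_600)."""
    fd, path = tempfile.mkstemp(prefix="vsftpd-demo-")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        world_readable = cert_file_problems(path)
        os.chmod(path, 0o600)
        owner_only = cert_file_problems(path)
    finally:
        os.remove(path)
    return world_readable, owner_only


if __name__ == "__main__":
    print(audit_vsftpd(SAMPLE_VSFTPD_CONF, check_files=False))
    print(demo_cert_mode_check())
```

Run it with check_files=True on the real file. The openssl command above writes the key and certificate to /etc/vsftpd/vsftpd.pem while rsa_cert_file points at /etc/pki/tls/certs/vsftpd.pem, so a "does not exist" finding tells you the two paths were never reconciled and vsftpd will refuse TLS logins.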

7 FTP Client TLS/SSL $ Linux


gFTP Microsoft Windows C SmartFTP, CoreFTP Firefox
$ Plugin & FireFTP TLS/SSL download
Webmaster Tools Webpage &^& FTP Tool _
7& Option & TLS/SSL H login &
TLS/SSL & SFTP & SFTP
7 SSH Port 22 &$ 7 Port 21 7 &
& Port 22 7&

& Security Hacker &


& && Port 21 &
& & $ NOS __]
FTP, WWW, Mail ]&$ 7C File Server
& d_] Port 21 &
^ Script Server 7&
&& FTP Server Login 7__7 Directory
Directory d 7 pwd &
7& Login C / & FTP Server &&
Directory Server & && /home/username , /home/ftp/

/var/ftp &&&& & cd /etc


ls & _^ & FTP Server & &
_&^ Server download ^7 &^
passwd ^ Web Server $7& &
7^$ H$
Chroot jail 7 TLS/SSL
User/Password &&&7&
Firewall TCP Wrappers H_H$

!1 8 Secure Shell

Server
%&* Configuration *
7%*%%

!%'
1. Openssh ? Open source
2. C7 slogin, sftp
3. 7%* Client MS Windows OS
4. && *?%& ? (Bold)
5. %%& 7%% *
%&%*7&7

(*%
% Server T**
&* (Hardware) C Kernel X*X
*%?*X TT
Z*7 Server CZ

Z Server C%* * telnet, rcp, rlogin *


*%*\?* *
*&* 7%
?* Paint Text **%
%*C*7 Login *
* C\Z &C7X
C& *%* Server **
XZ? Service * *C&X Shell
C& Software * Secure Shell (SSH) ? Linux
* Openssh (? Open Source) &Z7 OS Linux
UNIX %&? Server %****e
* Linux *e% inetd (Internet Daemon)
7* Super Server *X? xinetd C&
*X?*7%** \Z Secure Shell *e
%* xinetd T&X&
3 Firewall, TCP wrappers SSH &*&7C
e%
OpenSSH 7*&? Application C
%** Workstation
Server ** %*Z* &*% login
C%*7* *%**%
Secure copy (scp) Secure Ftp (sftp)
7*& OpenSSH 77* %*

SSH Daemon (sshd) ? 7 \ % *


** 7 Configuration File C%&
7* Default Z&*&**
?7%ee** *%* Default
7* Z7
Z* & C%&*7
?**
*&
*!1 1 *%C7Z 7o
Configure %XC% * Default %
* 7&
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original

*!1 2 %7* Configuration *& (7


? <Bold> Version X*7)
login root Super User (su) *&
# vi /etc/ssh/sshd_config
# *%
# 7o&%o*-X 7**
Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any

#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO
# Authentication:
LoginGraceTime 30s
PermitRootLogin no
#StrictModes yes
MaxAuthTries 4
#RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes

#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11Forwarding yes
#X11DisplayOffset 10

#X11UseLocalhost yes
PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
............
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowUsers admin
AllowGroups admin
DenyUsers hacker hack
DenyGroups hackgroup

7* Configuration *\?*
*% *** Z*%

*Z C?7 User Group %% login


Secure Shell AllowUsers AllowGroups * *
Z User Group * Server DenyUsers
DenyGroups 7* 1 user 1 group * User Group
1 (Space)
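An audit of the sshd_config edits above, added as an example (not code from the book or from OpenSSH). It reads the global section the way sshd does: keywords are case-insensitive and sshd keeps the first value it finds for a keyword, so a PermitRootLogin line added at the bottom of the file does nothing if the keyword already appears higher up. The checks cover Protocol, PermitRootLogin, PermitEmptyPasswords, PasswordAuthentication, MaxAuthTries and the AllowUsers/AllowGroups whitelist described above. The sample configuration, parse_sshd_config and audit_sshd are this example's own; the defaults assumed for absent keywords are OpenSSH's documented ones.

```python
import shlex

# Constructed sshd_config in the shape the chapter edits it. The second
# PermitRootLogin line is there on purpose: sshd ignores it.
SAMPLE_SSHD_CONFIG = """\
Port 22
#Protocol 2,1
Protocol 2
LoginGraceTime 30s
PermitRootLogin no
MaxAuthTries 4
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowUsers admin
AllowGroups admin
DenyUsers hacker hack
DenyGroups hackgroup
"""


def parse_sshd_config(text):
    """Parse the global section of sshd_config.

    Keywords are case-insensitive, and sshd keeps the FIRST value it reads
    for a keyword, so later duplicates are ignored. Parsing stops at the
    first Match block, whose directives apply only to matching connections.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # tolerate quoted arguments
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            break
        config.setdefault(keyword, args)   # first obtained value wins
    return config


def audit_sshd(text):
    cfg = parse_sshd_config(text)

    def first(keyword, default):
        args = cfg.get(keyword)
        return args[0].lower() if args else default

    findings = []
    if "1" in first("protocol", "2").split(","):
        findings.append("Protocol permits SSH-1")
    root = first("permitrootlogin", "unset")
    if root != "no":
        findings.append(f"PermitRootLogin is {root}, not 'no'; log in as a normal user and su instead")
    if first("permitemptypasswords", "no") == "yes":
        findings.append("PermitEmptyPasswords yes")
    if first("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: password guessing is possible; prefer keys")
    if int(first("maxauthtries", "6")) > 4:
        findings.append("MaxAuthTries above 4")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every account with a shell may log in")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Point it at /etc/ssh/sshd_config after editing and again after `sshd -t`; the first-value rule is the usual reason a hardening line appears to have no effect.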

*\Z Hacker Port 22


&X7X ***
7* Configuration Secure Shell %&XX
* 7 * Default * Z * *
sshd_config %&*7eT e7
Port 22 *& *7 7 Server ZX*
C&Ze Port 23 * telnet e Port 21 * ftp ZXC
Server SSH client * slogin login sftp ftp *
* OS Microsoft X download Secure Shell
for windows http://www.ssh.com/ ZXC Server X
* telnet % %7*%*
Secure Shell 7 * 2 TCP Wrappers
Firewall 7* Port 22 ?* *
* TCP Wrappers Firewall **&
*%%

!1 9 Firewall Using IPTABLES

IPTABLES Firewall
)+ Server +2
3+433

!%'
1. 44 iptables ? Open source
2. G ftp, telnet, nmap, netstat
3. N4N +4?3N ? (Bold)
4. 33N44 33+
3N34+N

(*%
X Y 4 N 4 4 Firewall Free Software 4 +
IPTABLES 44 Linux OS 2 + 3 +
Application ++ Configuration + Openwall, IPCOP
4 ++Y N 4 +4^ +
IPTABLES NN 4+2+ Configure +GN

4G IPTABLES 4GN43
Y_Y+^3 42
4+4 3++ IPTABLES +4 N4^4
IPTABLES 2+ XY4N4+GN
4 Network 44GN+XY
IPTABLES + IPV6 G+ IPV4 +
G4GN+3 4
3+ IPTABLES Kernel 2.4 ^ Kernel 2.6 4
4N4+4Y4334GN^GN
4 Version + _
Version 42++^ Version +N+Y Version N
GX+ 34+ Y34
3 ^++ 42 4N2434
+ IPTABLES 1.3.x (444N iptables 1.4 2++ Test)
Y33+4
N Y Server 4 3 G Firewall
Server N +N +NY
+34+4332+^
? 24Y+N+4 4+
++ +343GNY+ 42
++4+ Firewall IPTABLES 4+
4 3 Policy YGY_ ipchains
2 Firewall Model +

'!1 9.1 Firewall placement in the TCP/IP reference model

2_GNG44 4
+N 3 4 IPTABLES 44+^ Module
GN rule table + packet 3
? 3 Table filter table, nat table mangle table 444N
Filter Table ? Table + Table 2Y33 option
Command Line 4 filter table 4?N44N
1. Chain-relate operation INPUT, OUTPUT, FORWARD
user-defined chain
2. Target disposition ACCEPT DROP
3. IP header field match operations + protocol, source destination
address, input output interface, fragment handling
4. Match operation TCP, UDP ICMP header field

NAT table 4N 3 24N


1. Unidirectional outbound NAT Private IP Address + 2
1.1 Basic NAT map local private source address Y+ Public IP
address
1.2 NAPT (Network Address Port Translation) map local private IP
address Public IP Address 1 _ ( linux masquerading
34 ipchains )
2. Bidirectional NAT ?N+ inbound
outbound bidirectional mapping + IPV4 IPV6 address
4

3. Twice NAT ?Y N N inbound outbound


Source Destination

NAT support N SNAT (Source NAT) DNAT (Destination


NAT) G build-in chains 3
- PREROUTING Y44 destination
incoming packet ++ packet routing function (DNAT)
4 Address localhost + transparent proxy,
port redirection
- OUTPUT Y+44 packet
local +4+ (DNAT, REDIRECT)
- POSTROUTING Y4
Outgoing packet 4 (SNAT, MASQUERADE)

Mangle table + Y+++ netfilter


4+ packet ++ build-in chain 4N
1. PREROUTING Y4 packet 4 interface +
3++ local IP Address
2. INPUT Y4 packet Y process 4+
PREROUTING
3. POSTROUTING Y4 packet 4 Firewall
4+ OUTPUT
4. FORWARD Y4 packet 4+ Firewall

5. OUTPUT Y4 +4 GN++ packet


3 N Network 44 N 2 G G
2? ^4++ 23
4 ? Internet )+44
34?+ +4 2 42 YY44
Y Server Y Reconfiguration +
442YY4 + OS 44
Network )G2+ 323 OS
+4 ^+423_N +4
4 Linux ^? OS G4 UNIX G4
XY IPTABLES ?
+G (Firewall) SElinux 42
Kernel 4 2 G N + Version 3
4+?N G2?
Y _ 3 N Server Service + +
N?_4223
+ Policy 4 4N 5 chain
Y chain +N chain 442+4N
- INPUT
- OUTPUT
- FORWARD

- PREROUTING
- POSTROUTING
Y ipchains Version 4+ YN4 +
Firewall Y+Y+ Chain 4+?
++
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
2444N
iptables [-t|--table table] -command [chain] [-i interface] [-p protocol]
[-s address [port[:port]]] [-d address [port[:port]]] -j policy
24^?4 +Y+4
+44 Pipe [|] N+++
+ G + -t --table ^ 4 + 4 4 +
[port[:port]] G+ port N+ port : G port Y + 0:1023
G N+ port 0 G port 1023 42N + 1024: 4NG
port 1024 ? +2+ ?
table G3+N 4 +43+
filter ?+ default packet
+Y+ -t +?+4N
nat ?4 Network Address Translation
mangle QOS (Quality of Service) 444Y

raw 4^4YN
kernel 444 port 4
+4+
command [chain] G44+4+N
+ chain ^+ chain 44N 5 chain G chain 4GN 2+
command +4N4N
-A --append G3 rule chain
-D --delete G rule chain
-I --insert G rule +4
-R --replace G 4 rule
-F --flush G 3++
N
-L --list G 42 rule N
-N --new-chain G chain +
-X --delete-chain G chain 4GN
-P --policy G N+ chain
-E --rename-chain G4 chain +4+ command
^ command option 4+4?
-i G interface 4 packet
-o G interface 4+ packet
-p G protocol + tcp, udp, icmp
-s G IP packet (Source)
-d G IP packet (Destination)

-m G match state + packet


-j G jump + packet policy G -j ^
policy 4+ packet 4++ 4N
ACCEPT G packet +
DROP G + packet ++4
REJECT G + packet +4
RETURN G)4
MASQUERADE + NAT DHCP
SNAT + PREROUTING
REDIRECT + NAT 4 output port
DNAT + POSTROUTING

3+2+
Common options used in Rule Specifications

-s sourceIP
    Match if the packet originated from sourceIP. sourceIP may be an IP address (e.g., 192.168.200.201), network address (e.g., 192.168.200.0/24), or hostname (e.g., woofgang.dogpeople.org). If not specified, defaults to 0/0 (which denotes "any").

-d destinationIP
    Match if packet is destined for destinationIP. destinationIP may take the same forms as sourceIP, listed earlier in this table. If not specified, defaults to 0/0.

-i ingressInterface
    Match if packet entered system on ingressInterface, e.g., eth0. Applicable only to INPUT, FORWARD, and PREROUTING chains.

-o egressInterface
    Match if packet is to exit system on egressInterface. Applicable only to FORWARD, OUTPUT, and POSTROUTING chains.

-p tcp | udp | icmp | all
    Match if the packet is of the specified protocol. If not specified, defaults to all.

--dport destinationPort
    Match if the packet is being sent to TCP/UDP port destinationPort. Can be either a number or a service name referenced in /etc/services. If numeric, a range may be delimited by a colon, e.g., 137:139 to denote ports 137-139. Must be preceded by a -p (protocol) specification.

--sport sourcePort
    Match if the packet was sent from TCP/UDP sourcePort. The format of sourcePort is the same as with destinationPort, listed earlier in this table. Must be preceded by a -p [udp | tcp] specification.

--tcp-flags mask match
    Look for flags listed in mask; if match is set, match the packet. Both mask and match are comma-delimited lists containing some combination of SYN, ACK, PSH, URG, RST, FIN, ALL, or NONE. Must be preceded by -p tcp.

--icmp-type type
    Match if the packet is icmp-type type. type can be a numeric ICMP type or a name. Use the command iptables -p icmp -h to see a list of allowed names. Must be preceded by -p icmp.

-m state --state statespec
    Load state module, and match packet if packet's state matches statespec. statespec is a comma-delimited list containing some combination of NEW, ESTABLISHED, INVALID, or RELATED.

-j accept | drop | log | reject | [chain_name]
    Jump to the specified action (accept, drop, log, or reject) or to a custom chain named chain_name.

+4N?+)4Y
3 G442++42424
++? script Run 4+
Command line +3 +Y
G24+4N

V !1 1 N+342 (Initializing netfilter)


# vi /root/test_firewall

33_N+4N?
#!/bin/sh
# Script Created by: Mr.Boonlue Yookong
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack_ftp
# +3
IPTS="/sbin/iptables"
# Flush old rules, old custom tables
$IPTS -F
$IPTS -F -t nat
$IPTS -X
# Firewall 44Y+N42+2Y Chain
$IPTS -P INPUT DROP
$IPTS -P FORWARD DROP
$IPTS -P OUTPUT DROP
^G vi
:wq
N4 mode file ? 700
# chmod 700 /root/test_firewall
run script
# /root/test_firewall

# iptables -L -n

^+ chain N 3 2 DROP 4^
++

V !1 2 Policy Loopback interface


# loopback interfaces -+ packet +3
$IPTS -A INPUT -i lo -j ACCEPT
$IPTS -A OUTPUT -o lo -j ACCEPT

V !1 3 ) IP (Anti-IP-spoofing rules) 22
4G+4 log file Y2
+
# ?+NY+ ip address 4
$IPTS -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
$IPTS -A INPUT -s 255.0.0.0/8 -j DROP
$IPTS -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
$IPTS -A INPUT -s 0.0.0.0/8 -j DROP
$IPTS -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
$IPTS -A INPUT -s 127.0.0.0/8 -j DROP
$IPTS -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed source IP!"
$IPTS -A INPUT -s 192.168.0.0/16 -j DROP
$IPTS -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP!"
$IPTS -A INPUT -s 172.16.0.0/12 -j DROP
$IPTS -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"

$IPTS -A INPUT -s 10.0.0.0/8 -j DROP
$IPTS -A INPUT -s 208.13.201.2 -j LOG --log-prefix "Spoofed Woofgang!"
$IPTS -A INPUT -s 208.13.201.2 -j DROP
442+ IP Address 4+^3+4N+
$IPTS -A INPUT -s xxx.xxx.xxx.xxx -j DROP
xxx.xxx.xxx.xxx IP 4+
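A generator for the anti-spoofing block above, added as an example and not part of the book's script: given the reserved and private source ranges plus the host's own public address (208.13.201.2 in the rules above), it emits the LOG rule and the DROP rule for each range in the same order as the script. It goes beyond the script in three ways: every range is validated with ipaddress before a rule is produced, the LOG rule is rate-limited with -m limit so a forged-packet flood cannot fill /var/log/messages, and the rules can be tied to the external interface with -i. IPTABLES, BOGON_SOURCES, anti_spoof_rules and to_script are this example's own names; nothing here calls iptables, it only builds the commands for you to review and paste into the script.

```python
import ipaddress

IPTABLES = "/sbin/iptables"

# Constructed list: the reserved and private source ranges the chapter's
# script logs and drops. The host's own public address is passed separately,
# because a packet claiming to come from ourselves can only be forged.
BOGON_SOURCES = [
    "255.0.0.0/8",
    "0.0.0.0/8",
    "127.0.0.0/8",
    "192.168.0.0/16",
    "172.16.0.0/12",
    "10.0.0.0/8",
]


def anti_spoof_rules(own_public_ip, bogons=BOGON_SOURCES, interface=None,
                     limit="5/min", log_prefix="Spoofed source IP!"):
    """Return iptables commands: one LOG rule followed by one DROP rule per range.

    Every range goes through ipaddress.ip_network(strict=True), so a mistyped
    prefix (host bits set, bad octet) raises ValueError instead of producing a
    rule that silently matches nothing. The LOG rule is rate-limited with
    -m limit; set limit=None to get the chapter's unlimited logging.
    """
    rules = []
    iface = f"-i {interface} " if interface else ""
    for item in list(bogons) + [own_public_ip]:
        network = ipaddress.ip_network(item, strict=True)
        prefix = "Spoofed own address!" if network.num_addresses == 1 else log_prefix
        base = f"{IPTABLES} -A INPUT {iface}-s {network.with_prefixlen}"
        rate = f" -m limit --limit {limit}" if limit else ""
        rules.append(f'{base}{rate} -j LOG --log-prefix "{prefix} "')
        rules.append(f"{base} -j DROP")
    return rules


def to_script(rules):
    """Render the rules as an sh script in the style of /root/test_firewall."""
    return "#!/bin/sh\n" + "\n".join(rules) + "\n"


if __name__ == "__main__":
    print(to_script(anti_spoof_rules("208.13.201.2", interface="eth0")))
```

Give interface= the name of the Internet-facing card on a host that also has a private LAN: the chapter's DNS and FTP examples live in 192.168.100.0/24, and without -i the 192.168.0.0/16 rule above would drop that LAN's traffic too.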

V !1 4 ) scan stealth (Anti-stealth-scanning rule)


?34)+Y24 scan +
TCP header syn bit 44 -m state ?24
++N (NEW) +242+ (! --syn)
log file
$IPTS -A INPUT -p tcp ! --syn -m state --state NEW \
-j LOG --log-prefix "Stealth scan attempt?"
$IPTS -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

V !1 5 + rule INPUT chain


2 command option -m + +4? INPUT
chain + state 44 OUTPUT chain + state ?+
G2_
# Connection 42++ rule 4N+
$IPTS -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# Accept inbound packets which initiate SSH sessions

$IPTS -A INPUT -p tcp -j ACCEPT --dport 22 -m state --state NEW
# Accept inbound packets which initiate FTP sessions
$IPTS -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW
# Accept inbound packets which initiate HTTP sessions
$IPTS -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
# Log anything not accepted above
$IPTS -A INPUT -j LOG --log-prefix "Dropped by default:"
++Y+ source ip address 34?
Bastion host 4N server 2+Y+ DMZ G+ source ip address 4
3+ service + server 43 Secure shell port 22 4N
$IPTS -A INPUT -p tcp -j ACCEPT -s <source IP> --dport 22 -m state --state NEW

V !1 6 rule OUTPUT chain


+ command option -m + + TCP Header bit
rule 4 INPUT chain +244
3 ) + 4 N ^ + 4 state RELATED
ESTABLISHED 44 4 connection 4 +
INPUT chain 4 connect ^2++4 4 rule 4N+
packet 4_ 4N
$IPTS -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
ping Y protocol type 4N
$IPTS -A OUTPUT -p icmp -j ACCEPT --icmp-type echo-request

+ packet + service Y state ? NEW G +


connection 43GN++N 2+ DNS Server IP
Y4N
$IPTS -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Y rule Y chain ^+4 ++
rule 44 log file
$IPTS -A OUTPUT -j LOG --log-prefix "Dropped by default:"
4442244 port Privilege
port + Non-privileged port port 1024 GN+ INPUT
OUTPUT chain +
$IPTS -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state \
ESTABLISHED -j ACCEPT
$IPTS -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state \
ESTABLISHED,RELATED -j ACCEPT

+4+? Firewall 4YN 3 Policy


44 chain rule N incoming outgoing packets 44
N Server ++) Service 4 Server 3
)24 scan 2+ +2 +42+
Server port 4 +3N +4 G+2 4
4 Scan port + 44+43^
nmap 444 Linux 2+ G34N
^ Firewall ^

nmap +? World champion port scanner scan port


34N
1. TCP Connect scan
2. TCP SYN scan
3. TCP FIN scan
4. TCP NULL scan
5. TCP Xmas Tree scan
6. UDP scan
7. RPC scan
424N
nmap [-s scan-type] [-p port-range]|-F options target
-s 4N T = TCP Connect scan S = TCP SYN scan
U = UDP scan (can be combined with the previous flags)
R = RPC scan (can be combined with previous flags)
F, N, X, L, W, O, V, P Fin, Null, Xmas Tree, List, Window, IP Protocol,
Version Ping scans
+ -sSUR G SYN scan, UDP scan
RPC scan + -p port 4?Y+ range + -p 20-
23,80,53,600-1024 G nmap scan N+ port 20 G 23, 80, 53, 600 G 1024
+ -F G fast scan + target ip address )
+ 192.168.1.* GN 255 IP addresses 43? 192.168.17.0/24
^ 10.13.[1,2,4].* G 10.13.1.0/24, 10.13.2.0/24 10.13.4.0/24 44+

nmap + ping target -P0 4+ -O ? OS


++ ++4N

V !1 1 nmap ++ (Simple scan against a bastion host )


# nmap -sT -F -P0 -O 192.168.1.11
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-03 13:03 ICT
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on 192.168.1.11:
Not shown: 1013 closed ports, 219 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
465/tcp open smtps
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
MAC Address: 00:C1:28:01:9C:4E (Unknown)
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 38.046 seconds

V !1 2 nmap 43
# nmap -sURT -F -P0 -O 192.168.1.11
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-03 13:05 ICT
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open
and 1 closed TCP port
Interesting ports on 192.168.1.11:
Not shown: 1239 filtered ports, 1010 open|filtered ports
PORT STATE SERVICE VERSION
1379/udp closed dbreporter
1399/udp closed cadkey-licman
2045/udp closed cdfunc
5011/udp closed telelpathattack
32773/udp closed sometimes-rpc10
32779/udp closed sometimes-rpc22
MAC Address: 00:C1:28:01:9C:4E (Unknown)
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 809.294 seconds

V !1 3 Version (Nmap Version Scan)


# nmap -sV -p 80 192.168.1.10
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-06 10:40 ICT
Interesting ports on 192.168.1.10:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.4 ((Fedora))

Nmap finished: 1 IP address (1 host up) scanned in 19.153 seconds

G) iptables +N
Scan port +4 Firewall +34
22G Firewall 4
3 Y +24 Script 4Y )++ 2
N 5 +4N
1. Host Forwarding Destination NAT DNAT 2
Host Forwarding GXY 44N+Y_ Network +
344N Site ^4 Public IP Address 4_4^
4N Server +2+ Private IP Address DNAT
Y 4 connected Service 3 4 4 4 +
Transparent forward Server 43 N 2 + DMZ 4 Public Service +
32+44 Firewall

24 9.2 Transparent forward


^+44 Public IP Address 1 IP IP 43N


Firewall N Firewall Private IP Address
N Server G + ? Zone 44Y 4 3 2+
(Remote Client) Firewall ++3^ mail 4N
Server 3+_ 43N2+ Private IP Address
4 packet + Firewall 2 4 Address (Destination
Address) local server 43N + packet 4
rule 4N24+ packet local server Firewall
N Firewall 4 4 Source Address 4? Private IP ? Public IP
Address Firewall + packet Remote Client +
Script iptables + 4N? forward web server
3 ^4 port 3
iptables -t nat -A PREROUTING -i <public interface> -p tcp \
--sport 1024:65535 -d <public address> --dport 80 \
-j DNAT --to-destination <local web server>
4 4 3+ 4 + NAT 4 4 Address
N4N ^ DNAT 34+ Address N++
+ packet forward chain NG rule forward chain +
+ Server 42+ Private IP Address Public IP Address
firewall +
iptables -A FORWARD -i <public interface> -o <DMZ interface> -p tcp \
--sport 1024:65535 -d <local web server> --dport 80 \
-m state --state NEW -j ACCEPT


4 Server + packet 2+ Internet 2_N4


forward rule ACCEPT +N+4+G+
iptables -A FORWARD -i <DMZ interface> -o <public interface> \
-m state --state ESTABLISHED,RELATED -j ACCEPT
+ ^ + + Remote Client forward + 4
2_ Server ACCEPT NEW state
++ rule N4+^ (ESTABLISHES RELATED state)
+
iptables -A FORWARD -i <public interface> -o <DMZ interface> \
-m state --state ESTABLISHED,RELATED -j ACCEPT
Y^4 1 4N Script N 5 G
+2_ (+4N? Web Server +4+N)

2. Host Forwarding and Port Redirection 4N?+ 4 DNAT


+ 4 4 Destination port Address
4 N Address Port script NAT 4 2
rules + port 4 Remote Client ? port 80 3 server ++4
port 80 4 traffic 43? G4
+ packet server 4? ++4N++
port 81 firewall match 4? port 80 + Client
++
iptables -t nat -A PREROUTING -i <public interface> -p tcp \
-s <allowed remote host> --sport 1024:65535 \
-d <public address> --dport 80 \
-j DNAT --to-destination <local web server>:81
iptables -t nat -A PREROUTING -i <public interface> -p tcp \
--sport 1024:65535 -d <public address> --dport 80 \
-j DNAT --to-destination <local web server>
NAT ^+4 forward packet server 4 port 81
firewall 4? Public IP 4? port 80 ++ client +
iptables -A FORWARD -i <public interface> -o <DMZ interface> -p tcp \
--sport 1024:65535 -d <local web server> --dport 81 \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -i <public interface> -o <DMZ interface> -p tcp \
--sport 1024:65535 -d <local web server> --dport 80 \
-m state --state NEW -j ACCEPT
+ ^ + + Remote Client forward + 4
2_ Server ACCEPT NEW state
+ + rule N 4 + ^ (ESTABLISHES RELATED state)
+ 1 + 2 rule 4N
iptables -A FORWARD -i <DMZ interface> -o <public interface> \
-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i <public interface> -o <DMZ interface> \
-m state --state ESTABLISHED,RELATED -j ACCEPT


3. Host Forwarding to a Server Farm 4N?+ DNAT


+ Destination IP Address IP + 192.168.2.1-192.168.2.5 4N4
_432+ +
e-auction 44 ?^42 2 server
+4 (Max connection) XN server
(Server Farm) 44 4++4NN 5
DNAT ++ Server + N^4344N+
Load Balance +
iptables -t nat -A PREROUTING -i <public interface> -p tcp \
--sport 1024:65535 -d <public Web address> --dport 80 \
-j DNAT --to-destination 192.168.2.1-192.168.2.5
iptables -A FORWARD -i <public interface> -o <DMZ interface> -p tcp \
--sport 1024:65535 -d 192.168.2.0/29 --dport 80 \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -i <DMZ interface> -o <public interface> \
-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i <public interface> -o <DMZ interface> \
-m state --state ESTABLISHED,RELATED -j ACCEPT

4. V Logical mapping 4N+4 Public


IP Address 8 _ firewall 43N server Private IP Address 5 IP
IP 4++4N


4 1. Firewall 44 8 IP Addresses
ADDRESS BLOCK IP ADDRESS
Network Address 203.254.25.80/29
Network Mask 255.255.255.248
Router Address 203.254.25.81
Firewall/DNS Address 203.254.25.82
First Host Address 203.254.25.83
Last Host Address 203.254.25.86
Broadcast Address 203.254.25.87
Total Local Hosts 5

4 2. Logical Mapping + Public and Private Server Addresses


SERVER PUBLIC ADDRESS PRIVATE DMZ ADDRESS
Public Web Server(80) 203.254.25.83 192.168.1.3
Customer Web Server(443) 203.254.25.84 192.168.1.4
FTP Server(21) 203.254.25.85 192.168.1.5
Mail Server(25) 203.254.25.86 192.168.1.6


# The $PUBLIC_* / $DMZ_* variables hold the public and private DMZ addresses from table 2
iptables -t nat -A PREROUTING -i <public interface> -p tcp \
--sport 1024:65535 -d $PUBLIC_WEB_SERVER --dport 80 \
-j DNAT --to-destination $DMZ_PUBLIC_WEB_SERVER
iptables -t nat -A PREROUTING -i <public interface> -p tcp \
--sport 1024:65535 -d $CUSTOMER_WEB_SERVER --dport 443 \
-j DNAT --to-destination $DMZ_CUSTOMER_WEB_SERVER
iptables -t nat -A PREROUTING -i <public interface> -p tcp \
--sport 1024:65535 -d $FTP_SERVER --dport 21 \
-j DNAT --to-destination $DMZ_FTP_SERVER
iptables -t nat -A PREROUTING -i <public interface> -p tcp \
--sport 1024:65535 -d $MAIL_SERVER --dport 25 \
-j DNAT --to-destination $DMZ_MAIL_SERVER
iptables -A FORWARD -i <public interface> -o <DMZ interface> -p tcp \
--sport 1024:65535 -d $DMZ_PUBLIC_WEB_SERVER --dport 80 \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -i <public interface> -o <DMZ interface> -p tcp \
--sport 1024:65535 -d $DMZ_CUSTOMER_WEB_SERVER --dport 443 \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -i <public interface> -o <DMZ interface> -p tcp \
--sport 1024:65535 -d $DMZ_FTP_SERVER --dport 21 \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -i <public interface> -o <DMZ interface> -p tcp \
--sport 1024:65535 -d $DMZ_MAIL_SERVER --dport 25 \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -i <DMZ interface> -o <public interface> \
-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i <public interface> -o <DMZ interface> \
-m state --state ESTABLISHED,RELATED -j ACCEPT

5. Local Port Redirection Transparent Proxy +Y nat table


4 Redirect port Transparent Proxy 43+_
+ + + 4 N ? 4 Script Proxy Server 43 N 2 + Private IP
Address + Firewall Server G+243N Proxy Server
Public IP Address 22 script ++4N
iptables -t nat -A PREROUTING -i <lan interface> -p tcp \
-s <lan hosts> --sport 1024:65535 --dport 80 \
-j REDIRECT --to-port 8080
iptables -A INPUT -i <lan interface> -p tcp \
-s <lan hosts> --sport 1024:65535 -d <lan address> --dport 8080 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o <public interface> -p tcp \
-s <public address> --sport 1024:65535 --dport 80 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i <public interface> -p tcp \
--sport 80 -d <public address> --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o <lan interface> -p tcp \
-s <lan address> --sport 80 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT

Tip & Tricks


iptables Firewall )+ Service Server
)Y+4 Scan port +3+ Service Y
(Denial of Service) + packet Service
Process 43GN4 +GY
244N44+G+ syn-flood 22 iptables )
++4N
IPTS=/sbin/iptables      # path to iptables (assumed; the rest of the script uses $IPTS)
EXT_IF=eth0              # interface carrying the public IP address
INT_IF=eth1              # interface carrying the private IP address
DEST_IP=xxx.xxx.xxx.xxx  # IP address of the server
$IPTS -t nat -N syn-flood
$IPTS -t nat -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
$IPTS -t nat -A syn-flood -j DROP
$IPTS -t nat -A PREROUTING -i $EXT_IF -d $DEST_IP -p tcp \
--syn -j syn-flood
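To see what `-m limit --limit 12/s --limit-burst 24` actually lets through, here is an added example (not from the book) that models the limit match as a token bucket and walks a flood of SYNs through the two-rule syn-flood chain; the arrival times are constructed, and the kernel's jiffies-based credit bookkeeping is approximated, not copied.

```python
"""Token-bucket model of the syn-flood chain: --limit-burst tokens to start,
--limit tokens per second refilled, one token per SYN. A SYN that finds a token
hits the RETURN rule (allowed on); one that does not falls through to DROP."""


class LimitMatch:
    """Equivalent of `-m limit --limit <rate>/s --limit-burst <burst>`."""

    def __init__(self, rate_per_second, burst):
        self.rate = float(rate_per_second)
        self.burst = float(burst)
        self.tokens = self.burst      # the bucket starts full
        self.last_seen = 0.0

    def matches(self, now):
        """True if a packet arriving at time `now` (seconds) matches the rule."""
        elapsed = max(0.0, now - self.last_seen)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(syn_arrival_times, rate_per_second=12, burst=24):
    """Verdict for each SYN, in arrival order.

    Rule 1: -m limit --limit 12/s --limit-burst 24 -j RETURN   (token found)
    Rule 2: -j DROP                                             (no token left)
    """
    limit = LimitMatch(rate_per_second, burst)
    return ["RETURN" if limit.matches(t) else "DROP" for t in syn_arrival_times]


def summarize(verdicts):
    """Allowed/dropped counts, handy for comparing traffic patterns."""
    return {"RETURN": verdicts.count("RETURN"), "DROP": verdicts.count("DROP")}


if __name__ == "__main__":
    # Constructed traffic: 40 SYNs in the same instant (a flood), then a normal
    # client opening one connection per second starting ten seconds later.
    flood = [0.0] * 40
    normal = [10.0 + i for i in range(20)]
    print("flood alone :", summarize(syn_flood_chain(flood)))
    print("flood+normal:", summarize(syn_flood_chain(flood + normal)))
    print("12 per second, evenly spaced:",
          summarize(syn_flood_chain([i / 12 for i in range(100)])))
```

The burst is what absorbs a legitimate spike: the first 24 SYNs of the flood pass, the rest are dropped until the bucket refills, while a client at or below 12 SYNs per second is never dropped.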

nat table G2 Transparent Proxy


2 + Y + Private IP Address 43 Port 80 2
43 (REDIRECT) 34 port 8080 +4N

$IPTS -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT \
--to-port 8080
42 G 4 4 ) Xmas scan + Null packet
G44N++44)++4N
$IPTS -t nat -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
$IPTS -t nat -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
4N? iptables N2+42
+4+2+ iptables ^+4?4 Patch
N 4 kernel + iptables 2 4 Download
http://www.netfilter.org/ + psd patch 4 patch ^ iptables 4
command option + -m 3GN4+ -m psd _)
Scan port ++4N
$IPTS -t nat -A PREROUTING -i $EXT_IF -d $DEST_IP -m psd -j DROP
4 iplimit patch ^ 3 iptables
IP Address 4 Connected + ++
4NY Connected 2Y 16 IP Address
$IPTS -t nat -A PREROUTING -i $EXT_IF -p tcp --syn -d $DEST_IP \
-m iplimit --limit-above 16 -j DROP
+4 psd iplimit G compile +4+
Y+ 3 netfilter +4 patch
4 Y+Y 2+ patch-o-matic-ng + .. 2004 4
CodeRed +^ netfilter string-matching patch +)
CodeRed Nimda virus ++4N

# --algo bm is required by the string match built into iptables 1.3.x and later
$IPTS -A INPUT -i $EXT_IF -p tcp -d $DEST_IP --dport 80 \
-m string --string "/default.ida?" --algo bm -j DROP
$IPTS -A INPUT -i $EXT_IF -p tcp -d $DEST_IP --dport 80 \
-m string --string ".exe?/c+dir" --algo bm -j DROP
$IPTS -A INPUT -i $EXT_IF -p tcp -d $DEST_IP --dport 80 \
-m string --string ".exe?/c_tftp" --algo bm -j DROP

^+ netfilter 34 YYY2
N+XY +24+^22_+ +4N
Y_ iptables Version 1.3.x GN ^ String-matching patch
4 24Y3+
4 +++ 4+2 Internet Server XY
") Download bit torrent +" 2432N +2
^_ ^^Y P2P 3 )
port ^44+++ Y+ +4N3
4 module 442^+ Server N
+^43+ N bit torrent
4 Random Port G+34 port +2
iptables 4 Firewall +Y_ XY4 patch
4 + + L7 Layer 7 G ? Y
Application Layer ++2+ MSN ^+ + port
_ ^ DROP Messenger 4N 2 Y
?+ 2++4N

# Block port scans using the psd patch
#--------------------------------------------
iptables -A INPUT -p tcp -m psd -j DROP
# Block MSN using the l7 (layer7) patch
#--------------------------------------------
iptables -A FORWARD -m layer7 --l7proto messenger -j DROP
# Block by string match (string match built into newer iptables versions)
#--------------------------------------------
iptables -A FORWARD -m string --string ".torrent" --algo bm -j DROP

^+4_+^ string
matching ?+3 --hex-string )+
44 Code ^ Antivirus Compile patch Layer7 2
4 4 http://under-linux.org/ 2 2 download 4 http://l7-
filter.sourceforge.net/ +Y342+ Port Forward
Command Option DNAT (Destination NAT)
$IPTS -t nat -A PREROUTING ! -i $INT_IF -p tcp --dport 80 \
-j DNAT --to-destination 100.0.0.5:80
Port forward Server 4? Private IP ) virus
FORWARD chain 4N
$IPTS -A FORWARD -p tcp --dport 80 -m string \
--string "/default.ida?" --algo bm -j DROP


2 IPTABLES 4+4 3 +
Filter Table
o INPUT
o OUTPUT
o FORWARD
NAT Table
o PREROUTING (DNAT/REDIRECT)
o OUTPUT (DNAT/REDIRECT)
o POSTROUTING (SNAT/MASQUERADE)
Mangle table
o PREROUTING
o INPUT
o FORWARD
o POSTROUTING
o OUTPUT
G4+3+ ^+4+
2_ 4++
+ 22G44+ Script 4424N
+ Service 4 Server + N + 4
Software 4?+4 G++34344
Server 3++_^ +N4 4
Port 4+Y?+4 4?X22+


++++ Service + 4 Protocol Port


+ Firewall G? Firewall ^23
G IPTABLES + kernel 2.6.x G + 4
iptables 2 Layer 7 script ^32+ G34
4 G ipv6 G?43 IP
Address G N 3 ipv4 4 +
Netmask 4 32 3 ^34X ip address +? version 6 3+
? 128 3 2 4 ^ _
http://www.thailandipv6.net/ 4 N ? firewall +
Y_)+ Service Server +
++


Trick SSH
Y 4 Y connect G server Y4
hosts.allow Y4 Firewall 4+4N
# iptables -A INPUT -p tcp -m state --state NEW --source x.x.x.x --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP
4 x.x.x.x G IP Address 4 SSH
44^24+3 4_
# iptables -A INPUT -p tcp --syn --dport 22 -m state --state NEW \
  -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
# iptables -A INPUT -p tcp --syn --dport 22 -m state --state NEW -j DROP


!1 10 sXid


"% Permission
"3% Configuration sXid
>"%

!%'
1. sxid C Open source
2. 33 %C"3 C (Bold)
3. ""3 ""%
"3"%3

(*%
%%>>>
Server > file directory root-owned bits set
bit C +s suid sgid W CX%>
%% User [ directory
% Server %
file directory bit C +s % e-mail


3 % sXid
download ftp://marcus.seva.net/pub/sxid/ rpmfind.net 3
download rpm "3%> path %
3
# rpm -ivh /tmp/sXid-4.xxxx.rpm
3W Configuration 3

*!1 1
sxid.conf ()
# vi /etc/sxid.conf
# Configuration file for sXid
SEARCH = "/"
# Which subdirectories to exclude from searching
EXCLUDE = "/proc /mnt /cdrom /floppy"
# Who to send reports to
EMAIL = "admin@sample.co.th"
# Always send reports, even when there are no changes?
ALWAYS_NOTIFY = "no"
# times based on KEEP_LOGS below
LOG_FILE = "/var/log/sxid.log"
# How many logs to keep
KEEP_LOGS = "5"
# Rotate the logs even when there are no changes?
ALWAYS_ROTATE = "no"
# Directories where +s is forbidden (these are searched
# even if not explicitly in SEARCH), EXCLUDE rules apply
FORBIDDEN = "/home /tmp"
# Remove (-s) files found in forbidden directories?
ENFORCE = "yes"
# This implies ALWAYS_NOTIFY. It will send a full list of
# entries along with the changes
LISTALL = "no"
# Ignore entries for directories in these paths
# (this means that only files will be recorded, you
# can effectively ignore all directory entries by
# setting this to "/"). The default is /home since
# some systems have /home g+s.
IGNORE_DIRS = "/home"
# Mail program. This changes the default compiled in
# mailer for reports. You only need this if you have changed
# it's location and don't want to recompile sxid.
MAIL_PROG = "/bin/mail"
[ Permission
# chmod 400 /etc/sxid.conf


*!1 2
3 crontab -e
# crontab -e
# 3 run > 4 " () >
0 4 * * * /usr/bin/sxid
b > /etc/cron.daily/ vi 3
# vi /etc/cron.daily/sxid
#!/bin/sh
SXID_OPTS=
if [ -x /usr/bin/sxid ]; then
/usr/bin/sxid ${SXID_OPTS}
fi
>3
# sxid -k
sXid Vers : 4.0.1
Check run : Wed Oct 3 12:40:32 2002
This host : ns.sample.com
Spotcheck : /home/admin
Excluding : /proc /mnt /cdrom /floppy
Ignore Dirs: /home
Forbidden : /home /tmp

No changes found
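As an added example that is not part of the book or of sXid itself, the following Python sketch performs the same kind of check on a constructed directory tree: list the setuid/setgid files, compare with the previous run, and strip the bits from any found under a forbidden directory (the FORBIDDEN and ENFORCE settings above). Paths are relative to a temporary root so it runs without privileges; the tree contents are constructed.

```python
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setid_files(root, exclude=()):
    """Map path (relative to root) -> permission bits for every regular file
    under root that carries the setuid or setgid bit.

    `exclude` lists directories, relative to root, that are not descended into
    (the EXCLUDE setting). Symlinks are lstat'ed and never followed.
    """
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        dirnames[:] = [d for d in dirnames
                       if os.path.join(rel_dir, d) not in exclude]
        for name in filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                found[os.path.join(rel_dir, name)] = stat.S_IMODE(st.st_mode)
    return found


def diff_setid(previous, current):
    """The three kinds of change a nightly run reports against the last run."""
    return {
        "added": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "changed": sorted(p for p in current
                          if p in previous and previous[p] != current[p]),
    }


def forbidden_hits(current, forbidden=("home", "tmp")):
    """+s files under a FORBIDDEN directory (FORBIDDEN = "/home /tmp" above)."""
    return sorted(p for p in current
                  if any(p.startswith(d + os.sep) for d in forbidden))


def enforce(root, hits):
    """ENFORCE = "yes": strip setuid/setgid from the files in forbidden dirs."""
    for rel in hits:
        full = os.path.join(root, rel)
        os.chmod(full, stat.S_IMODE(os.lstat(full).st_mode) & ~SETID_BITS)


def build_demo_tree():
    """Constructed tree standing in for a real filesystem (no root needed)."""
    root = tempfile.mkdtemp(prefix="sxid-demo-")
    files = {
        "usr/bin/passwd": 0o4755,   # setuid binary that is supposed to be there
        "tmp/shell":      0o4755,   # setuid file left in a forbidden directory
        "etc/passwd":     0o644,    # ordinary file, must not be reported
        "proc/1/status":  0o4444,   # under an excluded directory, must be skipped
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("x")
        os.chmod(full, mode)
    return root


def run_demo():
    """Baseline scan, enforcement, rescan: returns what each step found."""
    root = build_demo_tree()
    baseline = find_setid_files(root, exclude=("proc",))
    hits = forbidden_hits(baseline)
    enforce(root, hits)
    rescan = find_setid_files(root, exclude=("proc",))
    return {"baseline": baseline, "hits": hits,
            "report": diff_setid(baseline, rescan)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```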


% no changes found W% Server >" %


>>% %"3
> Download > .tar.gz "33
# cp sxid_version.tar.gz /var/tmp/
# cd /var/tmp/
# tar xzpf sxid_version.tar.gz
# cd sxid-4.0.1/
configuration % Compile Program
CFLAGS="-O3 -march=i686 -mtune=i686 -funroll-loops -fomit-frame-pointer" \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man
3 Compile "3 3
# make install
# cd /var/tmp
# rm -rf /var/tmp/sxid*

%3W"3 sxid "3 rpm 3W


sxid.conf % 33CW """
% e-mail admin@sample.co.th %


3 C
% NOS " % %
"C Version % "[3%" "3 50%
C OS Client % %3C Server
" %
CX%> C>">
C 3 Server
>% login "% login
C >%
">%%


!9 11 Log Check

Log file
"#% Configuration
%"

!%'
1. logcheck 8 Open source
2. >% cat, tail last
3. ## 8"# 8 (Bold)
4. ""# %""
"#"%#%

(*%
"% O Q
" Server % "% 8"
O%# cat, tail, last
# cat /var/log/secure
# tail /var/log/secure
# cat /var/log/messages
# tail /var/log/messages
# cat /var/log/maillog
# tail /var/log/maillog
# last
U log file " /var/log O
"""O% %# logcheck
Q > # Download Portsentry
# ] 8 source code > % " # _
Download % configure #
CD ROM # "#
Configuration O ] % ]
download CD logcheck-1.1.1.tar.gz logcheck-1.1.1-8.i386.rpm
"#"#

!9 1 ] .gz
cdrom Linux Server 3 mount copy ] /tmp
#mount /dev/cdrom
#cp /mnt/cdrom/MyBooks/logcheck-1.1.1.tar.gz /tmp
download /tmp
# cd /tmp
# tar xzpf logcheck-1.1.1.tar.gz
# cd logcheck-1.1.1
#8 Configuration #


J!9 1
# vi +34 systems/linux/logcheck.sh
Line 34:
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
change to:
PATH=/bin:/sbin:/usr/bin:/usr/sbin
Line 47:
LOGTAIL=/usr/local/bin/logtail
change to:
LOGTAIL=/usr/sbin/logtail
Line 55:
TMPDIR=/usr/local/etc/tmp
change to:
TMPDIR=/tmp/logcheck$$-$RANDOM
Line 92:
HACKING_FILE=/usr/local/etc/logcheck.hacking
change to:
HACKING_FILE=/etc/logcheck/logcheck.hacking
Line 101:
VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
change to:
VIOLATIONS_FILE=/etc/logcheck/logcheck.violations
Line 118:
VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
change to:
VIOLATIONS_IGNORE_FILE=/etc/logcheck/logcheck.violations.ignore
Line 125:
IGNORE_FILE=/usr/local/etc/logcheck.ignore
change to:
IGNORE_FILE=/etc/logcheck/logcheck.ignore
Line 148:
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
change to (2 lines):
rm -rf $TMPDIR
mkdir $TMPDIR
Line 224:
rm -f $TMPDIR/check.$$
change to (1 line):
rm -rf $TMPDIR
Line 274:
# Clean up
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
change to (1 line):
rm -rf $TMPDIR


J!9 2
# vi +9 Makefile
CC = cc            <--- change cc to gcc
Line 14:
CFLAGS = -O
change to:
CFLAGS = -O3 -mtune=i686 -funroll-loops -fomit-frame-pointer
Line 22:
#INSTALLDIR = /usr/local/etc
change to:
INSTALLDIR = /etc/logcheck
Line 25:
INSTALLDIR_BIN = /usr/local/bin
change to:
INSTALLDIR_BIN = /usr/sbin
Line 30:
INSTALLDIR_SH = /usr/local/etc
change to:
INSTALLDIR_SH = /usr/sbin
Line 56:
/bin/rm $(INSTALLDIR_SH)/logcheck.sh
change to:
/bin/rm $(INSTALLDIR_SH)/logcheck
Line 66:
@echo "Creating temp directory $(TMPDIR)"
@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
@echo "Setting temp directory permissions"
chmod 700 $(TMPDIR)
comment these lines out:
#@echo "Creating temp directory $(TMPDIR)"
#@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
#@echo "Setting temp directory permissions"
#chmod 700 $(TMPDIR)
Line 75:
cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
change to:
cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck
Line 78:
chmod 700 $(INSTALLDIR_SH)/logcheck.sh
change to:
chmod 700 $(INSTALLDIR_SH)/logcheck
Save and quit:
:wq Enter

"#O"% find ] Logcheck1 #


# cd
# find /* > Logcheck1
# cd /tmp/logcheck-1.1.1/
""#
# mkdir -m700 /etc/logcheck
# make linux
O"#% find #] Logcheck2
# cd
# find /* > Logcheck2
%]#% diff O] Logcheck-Installed
# diff Logcheck1 Logcheck2 > Logcheck-Installed
"#O"#
# cd /tmp
# rm -rf logcheck-1.1.1/
# rm -f logcheck-1.1.1.tar.gz
"#O]%# 4 ]
/etc/logcheck/logcheck.hacking
/etc/logcheck/logcheck.ignore
/etc/logcheck/logcheck.violations
/etc/logcheck/logcheck.violations.ignore
# % # logcheck % _ script
crontab #
cat <<EOF > /etc/cron.daily/logcheck
#!/bin/sh
# Daily check Log files for security violations and unusual activity
/usr/sbin/logcheck
EOF
#%% permission
# chmod 700 /etc/cron.daily/logcheck
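How logcheck turns the newly written log lines into its three report sections, as an added example that is not logcheck's own code: the keyword lists and the log excerpt are constructed stand-ins for the four files in /etc/logcheck, and `logtail` mimics the offset handling of the logtail helper the script calls so that each run only looks at lines added since the previous one.

```python
import io
import re

# Constructed pattern lists standing in for logcheck.hacking,
# logcheck.violations, logcheck.violations.ignore and logcheck.ignore;
# the real lists are much longer.
HACKING = [r"ATTACK", r"rlogin.*refused", r"\bwiz\b"]
VIOLATIONS = [r"denied", r"refused", r"authentication failure", r"su: ", r"failed"]
VIOLATIONS_IGNORE = [r"su: \(to nobody\)"]          # routine su done by a daemon
IGNORE = [r"CRON\[\d+\]: \(root\) CMD", r"su: \(to nobody\) root on none"]


def compile_all(patterns):
    # logcheck greps with -i, so every keyword is case-insensitive
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def logtail(fileobj, offset):
    """logtail's job: return (lines, new_offset) with only the lines written
    since the saved offset. A file shorter than the offset has been rotated,
    so reading starts again from the beginning."""
    fileobj.seek(0, io.SEEK_END)
    size = fileobj.tell()
    if size < offset:
        offset = 0
    fileobj.seek(offset)
    return fileobj.read().splitlines(), size


def classify(lines):
    """Sort new lines into the three sections of a logcheck report; each
    line lands in the first section it qualifies for."""
    hacking, violations = compile_all(HACKING), compile_all(VIOLATIONS)
    v_ignore, ignore = compile_all(VIOLATIONS_IGNORE), compile_all(IGNORE)
    report = {"attack": [], "violation": [], "unusual": []}
    for line in lines:
        if any(p.search(line) for p in hacking):
            report["attack"].append(line)          # ACTIVE SYSTEM ATTACK ALERTS
        elif (any(p.search(line) for p in violations)
              and not any(p.search(line) for p in v_ignore)):
            report["violation"].append(line)       # Security Violations
        elif not any(p.search(line) for p in ignore):
            report["unusual"].append(line)         # Unusual System Events
    return report


# Constructed /var/log/messages excerpt; host name and addresses are made up.
SAMPLE_LOG = (
    "Jan  3 13:03:01 ns CRON[2231]: (root) CMD (run-parts /etc/cron.hourly)\n"
    "Jan  3 13:04:12 ns sshd[2240]: Failed password for root from 10.9.8.7 port 40112 ssh2\n"
    "Jan  3 13:04:15 ns su: (to nobody) root on none\n"
    "Jan  3 13:05:02 ns in.rlogind[2251]: connect from 10.9.8.7 refused\n"
    "Jan  3 13:06:40 ns kernel: eth0: link up\n"
)


def run_demo():
    """Two consecutive runs over the same log: the second only sees the one
    line appended in between. Returns (first_report, second_report)."""
    log = io.StringIO(SAMPLE_LOG)
    lines, offset = logtail(log, 0)
    first = classify(lines)
    log.seek(0, io.SEEK_END)
    log.write("Jan  3 13:07:00 ns sshd[2260]: Accepted publickey for admin from 192.168.1.5\n")
    new_lines, offset = logtail(log, offset)
    return first, classify(new_lines)


if __name__ == "__main__":
    for section, entries in run_demo()[0].items():
        print(section, entries)
```

Note that a line matched by logcheck.violations.ignore is only removed from the violations section; it still shows up under unusual events unless logcheck.ignore covers it too.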

!9 2 Linux RedHat Fedora Download ] .rpm


http://rpm.pbone.net/ ]"#% rpm
# rpm -ivh logcheck-1.1.1-6.i386.rpm
O# cron.daily _

*** v9(9(( yJ % log file !9 /var/logcheck/ ***

] Internet Server "%


Log file Server __#" "
"" > %_ _
"##O# _
/var/logcheck ]> _
""
""> U]
#"#"# O"]8


!1 12 Portsentry

Scan Port
#% Portsentry
.2#3

!%'
1. 66 portsentry 9 Open source
2. >. nmap scan port
3. %6% 369#% 9 (Bold)
4. ##%66 .##3
#%#63.%.

(*%
M Internet Server M36
6 Server 323 >36
Server 3 Service 3363
>36>3 NOS (Network Operating System) 6.
#%%633 >9W6 > 63
Server 36%9 NOS


3333#%96%#6#%
Server 3 Service 3 % 3 6 .
Security >96 6>
Server 3 Service 6% 6.
(Tool) 696#33 Scan Port >966
3 6 Server %%36 9
%W#W Port 93
6 #336 96
%[336 63. Internet Server 36
>3#6>#%6 Scan Port >
6% 6 6 # % Configuration .
Server [ #%[[6W Server
#3>%6 63[W336
.66% portsentry 3
6. Scan Port .3 IP Address 6. Scan 66
36%3 Block 33 Server %36
636%
. Linux OS 6. . Server 6 . Portsentry 9
6>% Scan Port real time 6.6 Portsentry
9 3 > Open source 6 Download
http://sourceforge.net/projects/sentrytools/ >69 Compress file 3
.gz .bz2 . RedHat Fedora . Compile 3


629 .rpm 39% Download m 2003


9 Version 1.2 Download 2 portsentry-1.2.tar.gz

(*%
6%#%%2 .gz .rpm .
Linux 33 #.6%

I
66 Compile Source Code 6
Server 3 3 6 # % gcc 3 # % . #
63>.%.36%

!1 1 66#%2 .gz . Decompress . tar


>6 Download 6%.#% linux, debian-linux, bsd, solaris,
hpux, hpux-gcc, freebsd, osx, openbsd, netbsd, bsdi, aix, osf, irix, generic
make OS RedHat, Fedora 6 2
66%.26 Download [6 /tmp
# cd /tmp
# tar xvfz portsentry-1.2.tar.gz
% directory portsentry_beta change directory code
6%
# cd portsentry_beta


source code 2 portsentry.c 6 # . Enter >%


3. Compile 336 1584 6%
# vi +1584 portsentry.c
printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot
sourceforget dot net>\n");
36 1584 6 1585 963 >.
6 1584 3 .3 dot 36 1585 . Cursor
.3 dot 3 Insert Mode Space bar 1 % Del >
1585 >%3.3 dot Remote
Del 3[ Cursor 66 1585 Back space >
>%3.3 dot [ ESC Insert Mode .>2
: wq Enter
%26 Compile 3 Makefile 6%
# vi Makefile
Line 23:
#CC = cc
change to:
CC = gcc
Line 29:
CFLAGS = -O -Wall
change to:
CFLAGS = -O3 -mtune=i686 -funroll-loops -fomit-frame-pointer -Wall
Line 40:
INSTALLDIR = /usr/local/psionic
change to:
INSTALLBIN = /usr/sbin
LOGDIR = /var/log/portsentry
INSTALLDIR = /etc
Line 68:
/bin/rm $(INSTALLDIR)$(CHILDDIR)/*
/bin/rmdir $(INSTALLDIR)
change to:
/bin/rm -rf $(INSTALLDIR)$(CHILDDIR)
/bin/rm -f $(INSTALLBIN)/portsentry
/bin/rm -rf $(LOGDIR)
Line 79:
@echo "Setting directory permissions"
after line 79 add:
@if [ ! -d $(LOGDIR) ]; then /bin/mkdir $(LOGDIR); fi
Line 86:
cp ./portsentry $(INSTALLDIR)$(CHILDDIR)
change to:
cp ./portsentry $(INSTALLBIN)
Line 90:
chmod 700 $(INSTALLDIR)$(CHILDDIR)/portsentry
change to:
chmod 700 $(INSTALLBIN)/portsentry
Then edit portsentry.conf:
# vi portsentry.conf
Line 83:
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
change to:
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
Line 85:
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
change to:
HISTORY_FILE="/var/log/portsentry/portsentry.history"
Line 87:
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
change to:
BLOCKED_FILE="/var/log/portsentry/portsentry.blocked"
Then edit portsentry_config.h:
# vi portsentry_config.h
Line 25:
#define CONFIG_FILE "/usr/local/psionic/portsentry/portsentry.conf"
change to:
#define CONFIG_FILE "/etc/portsentry/portsentry.conf"
Save and quit:
:wq

[. Compile #%6%
# make linux
# make install
2 /tmp #%
# cd /tmp
# rm -rf portsentry*
.3 Configuration 3

! 1 2 92669 .rpm . # % Linux


RedHat, Fedora 36 rpm Download 6 http://rpm.pbone.net/ 6
Linux 3 6 rpm 3 3 6 % 9 Fedora 26
portsentry-1.2-1.te.i386.rpm #%6%
.263 /tmp
# rpm -ivh /tmp/portsentry-1.2-1.te.i386.rpm Enter
Preparing... ######################################## [100%]
1:portsentry ######################################## [100%]

%2#%
# rm -f /tmp/portsentry*

3 Configuration 63 2 26%


/etc/portsentry/portsentry.conf 92 configuration 6[
%
/etc/portsentry/portsentry.ignore 936. 96[3 IP
Address Server 3##6 port 63 List
. Server Back List 3#
.2 portsentry.conf nano vi 3
6. 369 6%
# vi /etc/portsentry/portsentry.conf (96 1 36
/usr/local/psionic/portsentry )
# PortSentry Configuration
# . Port 6 Scan
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
# . Port 36 scan 6
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
# . Port 39 Port 6.6
Boot # ident(113), NetBIOS(137-138), RIP(520), bootp broadcasts(67)
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"


# ..36323
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/var/log/portsentry/portsentry.history"
BLOCKED_FILE="/var/log/portsentry/portsentry.blocked"
# .36
# 0 = do not block TCP/UDP scans (log only)
# 1 = block TCP/UDP scans
# 2 = run an external command only, do not block
BLOCK_UDP="1"
BLOCK_TCP="1"
# 6% Linux Version 33% 6 iptables .6 Firewall
36 server 6
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
# .6# IP 63#2 hosts.deny
KILL_HOSTS_DENY="ALL: $TARGET$"
# .. Port 6 Connect 63%3 1-2 .
9 0 9>3 Log file 636 Scan port
3 default = 2 9.%
3 "0"
SCAN_TRIGGER="0"
# .36 3.9 .
3 6%3 Stealth scan

PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."

2 portsentry.ignore 6%36.3 IP Address 3


3 9#% rpm # IP Address 3
compile 36 Script Run # boot [6
# IP Address 36%#3 [636
IP Address #33# 127.0.0.1 0.0.0.0 3 36
#
# vi /etc/portsentry/portsentry.ignore
127.0.0.1/32
0.0.0.0
#########################################
# Do NOT edit below this line, if you #
# do, your changes will be lost when #
# portsentry is restarted via the #
# initscript. Make all changes above #
# this box. #
#########################################
336%#3 Server 3
# Exclude all local interfaces
192.168.1.11 <- 9 IP Address server
127.0.0.1
# Exclude the default gateway(s)
192.168.1.1 <- IP Address Gateway
# Exclude the nameservers
192.168.1.1 <- IP Address DNS Server
# And last but not least...
0.0.0.0 <- 3 0.0.0.0
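The reaction logic that the settings above drive, as an added model that is not PortSentry's own code: TCP_PORTS, BLOCK_TCP, SCAN_TRIGGER, KILL_ROUTE, KILL_HOSTS_DENY and the ignore list are parsed from a constructed excerpt using the values in this chapter, and each connection attempt is decided the way PortSentry would (the KILL_ROUTE command is recorded rather than executed).

```python
import ipaddress
import re

# Constructed excerpt of portsentry.conf using the values shown in this chapter.
CONF = '''
# PortSentry Configuration (excerpt)
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
BLOCK_TCP="1"
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$"
SCAN_TRIGGER="0"
'''

# Constructed portsentry.ignore: the server itself, its gateway and name server.
IGNORE = """
127.0.0.1/32
192.168.1.11
192.168.1.1
0.0.0.0
"""


def parse_conf(text):
    """KEY="value" lines into a dict; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z_]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_ignore(text):
    """One address or CIDR block per line; a bare address is a /32."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


class Sentry:
    """Reaction logic for TCP probes, driven by the parsed configuration."""

    def __init__(self, conf_text, ignore_text):
        conf = parse_conf(conf_text)
        self.ports = {int(p) for p in conf["TCP_PORTS"].split(",")}
        self.block_mode = int(conf.get("BLOCK_TCP", "0"))   # 0 log, 1 block, 2 external cmd only
        self.kill_route = conf["KILL_ROUTE"]
        self.kill_hosts_deny = conf["KILL_HOSTS_DENY"]
        self.trigger = int(conf.get("SCAN_TRIGGER", "0"))  # probes tolerated before reacting
        self.ignore = parse_ignore(ignore_text)
        self.hits = {}           # source -> number of probes seen
        self.blocked = set()
        self.commands = []       # KILL_ROUTE commands that would be run
        self.hosts_deny = []     # lines that would be appended to /etc/hosts.deny
        self.history = []        # what goes to portsentry.history

    def connect(self, src, port):
        """One TCP connection attempt from src to port; returns the decision."""
        if port not in self.ports:
            return "not watched"
        if any(ipaddress.ip_address(src) in net for net in self.ignore):
            return "ignored"
        if src in self.blocked:
            return "already blocked"
        self.hits[src] = self.hits.get(src, 0) + 1
        self.history.append(f"attackalert: Connect from host: {src} to TCP port: {port}")
        if self.hits[src] <= self.trigger or self.block_mode != 1:
            return "logged"
        self.blocked.add(src)
        self.commands.append(self.kill_route.replace("$TARGET$", src))
        self.hosts_deny.append(self.kill_hosts_deny.replace("$TARGET$", src))
        return "blocked"


if __name__ == "__main__":
    sentry = Sentry(CONF, IGNORE)
    for src, port in [("10.9.8.7", 80), ("192.168.1.1", 31337),
                      ("10.9.8.7", 31337), ("10.9.8.7", 12345)]:
        print(src, port, "->", sentry.connect(src, port))
    print(sentry.commands, sentry.hosts_deny)
```

With SCAN_TRIGGER="0" the very first probe of a watched port from a non-ignored host is blocked, which is why the ignore list must contain every address that legitimately talks to the server.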

portsentry 6.33 parameter


93 protocol 6%
3 parameter
-atcp 33 Advance tcp % unused port
ADVANCE_PORTS_TCP 2 portsentry.conf
-audp 33 Advance udp % unused port
ADVANCE_PORTS_UDP 2 portsentry.conf
-tcp 33 tcp TCP_PORTS 2 portsentry.conf
-udp 33 udp UDP_PORTS 2 portsentry.conf
-stcp -tcp 3 stealth scan
-sudp -udp 3 stealth scan

start portsentry 6.#%6 1 3


make install #%36 Directory 3 /usr/sbin 33 path
6%63 start 6%
# portsentry -atcp
# portsentry -audp
%3.3.
# ps ax | grep portsentry
#.[
# killall portsentry

Script 6 start # boot [


#23 Script vi 6%
# vi /etc/init.d/portsentry
#%3369
#!/bin/bash
#
# Startup script for the Portsentry portscan detector
#
# chkconfig: 345 98 02
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
prog="portsentry"
start () {
# Set up the ignore file
SENTRYDIR=/etc/portsentry
FINALIGNORE=$SENTRYDIR/portsentry.ignore
TMPFILE=/var/portsentry/portsentry.ignore.tmp
# Testline is used to see if the initscript has already been run
if [ -f $FINALIGNORE ] ; then
cp -f $FINALIGNORE $TMPFILE
testline=`grep -n "Do NOT edit below this" $TMPFILE | cut --delimiter=":" -f1`
if [ -z "$testline" ] ; then
echo > /dev/null # Do nothing
else
let headline=$testline-2
head -$headline $FINALIGNORE > $TMPFILE
fi
fi
echo '#########################################' >> $TMPFILE
echo '# Do NOT edit below this line, if you #' >> $TMPFILE
echo '# do, your changes will be lost when #' >> $TMPFILE
echo '# portsentry is restarted via the #' >> $TMPFILE
echo '# initscript. Make all changes above #' >> $TMPFILE
echo '# this box. #' >> $TMPFILE
echo '#########################################' >> $TMPFILE
echo '' >> $TMPFILE
echo '# Exclude all local interfaces' >> $TMPFILE
for i in `/sbin/ifconfig -a | grep inet | awk '{print $2}' | sed 's/addr://'` ; do
echo $i >> $TMPFILE
done
echo '' >> $TMPFILE
echo '# Exclude the default gateway(s)' >> $TMPFILE
for i in `/sbin/route -n | grep ^0.0.0.0 | awk '{print $2}'` ; do
echo $i >> $TMPFILE
done
echo '' >> $TMPFILE
echo '# Exclude the nameservers' >> $TMPFILE
for i in `/bin/cat /etc/resolv.conf | grep ^nameserver | awk '{print $2}'` ; do
echo $i >> $TMPFILE
done
echo '' >> $TMPFILE
echo '# And last but not least...' >> $TMPFILE
echo '0.0.0.0' >> $TMPFILE
echo '' >> $TMPFILE
cp -f $TMPFILE $SENTRYDIR/portsentry.ignore
rm -f $TMPFILE
# Check for modes defined in the config file
if [ -s $SENTRYDIR/portsentry.modes ] ; then
modes=`cut -d "#" -f 1 $SENTRYDIR/portsentry.modes`
else
modes="tcp udp"
fi
for i in $modes ; do
echo -n $"Starting $prog: "
action "($i)" /usr/sbin/portsentry -$i
RETVAL=$?
done
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/portsentry
return $RETVAL
}
stop() {
echo -n $"Stopping $prog: "
killproc portsentry
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/portsentry
}
# See how we were called.
case $1 in
start)
start
;;
stop)
stop
;;
status)
status portsentry
RETVAL=$?
;;
restart)
stop
start
;;
condrestart)
if [ -f /var/lock/subsys/portsentry ]; then
stop
start
fi
;;
*)
echo $"Usage: $prog {start|stop|restart|condrestart|status}"
exit 1
esac
exit $RETVAL
[>
:wq Enter
%. Permission Script
#chmod 700 /etc/rc.d/init.d/portsentry
.# Script .6 Reboot
# chkconfig --add portsentry
# chkconfig --level 345 portsentry on
36[3.
# /etc/rc.d/init.d/portsentry restart
3% (* rpm 3.6 portsentry.conf
3.
# /etc/rc.d/init.d/portsentry restart
ntsysv [*] portsentry .%6 Reboot
33

.6% 6.%3#% Internet Server Linux


6.3 6 Hacker %.[3 Hacker
Scan Port %3 Server W#
Port #% 62 .
nmap
# nmap localhost


# nmap I1I1 (3 nmap ns )

[W Port 3[ % 6%. Internet


Server 66W#636 Port 3% [36W Port 636
6%6 3 [ log file 3 Server
Protocol 3
96 6[9 log file >36[
3 portsentry.conf 3 default .> /var/log/portsentry.history 6
36%[. Server >
#6#6 Block 93 Block
#6. Worm 3
[363
Internet 3 .
# iptables -L INPUT
36 ip address 36 DROP [#.6%
# iptables -D INPUT -s [ip ' ] -j DROP
636%36 Block [#


!1 13 Tripwire

"
$
''"$ Server

/0 Configuration :'

!%'
1. Tripwire @ Open source
2. 00 :@/0 @ (Bold)
3. //0 L//:
/0/:L0L

(*%
0@'':' OS ::/
SELinux R: ::
"$:RR Server S
:$0S0:
STR/R:''S Tripwire @ Software


IDS (Intrusion Detection System) "


$: :L OS ::
L L$": :
0S: Configuration File '
:0: L L / ' S
0 Fedora RedHat SL@:L
R" OS @:
/0 Tripwire Fedora RedHat ES Download
http://rpm.pbone.net/ "R rpm L OS
rpm R ' R Version : : 0 @ L FC6 "
Download tripwire-2.4.1.1-1.fc6.i386.rpm /' OS '0:
" rpm $/00$ Restart Service $L
R: :0:::/ R$TR::
Freeware Open source LL//"
Free Version 'S00 ': $
S0': : :0L'/ Open
source Linux : / R :S0 0 '
Tripwire L IDS ': Download R
: Configuration ': /0L:
'" 100 % ' Tripwire '0
:/ Error R: 00


*!1 1 Download L/0 0


# rpm -ivh tripwire-2.4.1.1-1.fc6.i386.rpm
Preparing... ##################################### [100%]
1:tripwire ##################################### [100%]

*!1 2 ///0$"/0:
Server 0L"R (Key File) 0
# tripwire-setup-keyfiles
LL keyfile 0

Enter the site keyfile passphrase: <:: 8 >


Verify the site keyfile passphrase: <:>
L: site keyfile : passphrase
L site keyfile $0 local keyfile $0S
::$:SL L0L0
Enter the local keyfile passphrase: <:: 8 >
Verify the local keyfile passphrase: <:>
: / " Configuration Policy (tw.cfg
tw.pol) site passphrase 0 : / $
:: local passphrase :
L: S:/$
L:/ " tw.cfg tw.pol
/etc/tripwire $::/0" Configuration R


txt ':S:: :@::


0:$L"@:0
:":0

*!1 3 " twcfg.txt @0


# vi /etc/tripwire/twcfg.txt
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =true
MAILNOVIOLATIONS =false
EMAILREPORTLEVEL =4
REPORTLEVEL =4
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
:wq


*!1 4 $L Configuration File site.key


twcfg.txt $ tw.cfg @":: text editor ' L0
# twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: < site passphrase>
Wrote configuration file: /etc/tripwire/tw.cfg

*!1 5 $L:: Configuration twcfg.txt 0


L twadmin
# twadmin --print-cfgfile > /etc/tripwire/twcfg.txt

* ! 1 6 0 0 @ 0 L : Configuration
UNIX ::"$ Linux
Error /S0"$: 00S@L Script
RedHat Tripwire RedHat 8.0 S
L Hard Disk Fedora 0 SL Script 0@:
R:/":/L Script :L '"$
Download /"$ :L::0
# vi /etc/tripwire/tripwirepol.pl
//"0:0@
#!/usr/bin/perl
# Tripwire Policy File customize tool for Linux Server 3.0
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl tripwire_pol.pl {Pol file}
# --------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;

my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    # Rewrite the HOSTNAME directive so it matches this machine
    if (($thost) = /^HOSTNAME\s*=\s*(.+)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=$myhost;" ;
        }
    }
    elsif ( /^\{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^\}/ ) {
        $INRULE=0 ;
    }
    # Inside a rule block: lines of the form "<path> -> <property mask>;"
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        # Comment out entries whose path does not exist on this host,
        # otherwise tripwire --init stops with an error for each missing file
        if (! -e $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
$ Script S"
:wq

" perl script $ Mode @ 700 0


# chmod 700 /etc/tripwire/tripwirepol.pl

* ! 1 7 L Perl Script L : Configuration


:" twpol.txt Run Script " twpol.txt :
0
# /etc/tripwire/tripwirepol.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.out
$"//0 0
# rm -f /etc/tripwire/twpol.txt
":"'
# mv /etc/tripwire/twpol.txt.out /etc/tripwire/twpol.txt

*!1 8 0:L": 0


# vi /etc/tripwire/twpol.txt
..
..
:0
SIG_MED=66; # Non-critical files that are of significant security impact
SIG_HI= 100; # Critical files that are significant points of vulnerability
/"/0
( emailto = root )
{
0L: disabled-entries (1|} ~:
}
# disabled-entries: 184

$:S": vi
:wq

*!1 9 " tw.pol : site.key twpol.txt $0


8 L:0
# twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
Please enter your site passphrase: < site passphrase ' >
Wrote policy file: /etc/tripwire/tw.pol


*!1 10 " tw.pol $R0:@ twpol.txt


0
# twadmin --print-polfile > /etc/tripwire/twpol.txt

*!1 11 @$/0" Policy :0


R:0: Error '" Hard
disk 0/L
# tripwire --init
Please enter your local passphrase: < local passphrase ' >
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/<!* Hostname>.twd
The database was successfully generated.

*!1 12 Tripwire /L : tw.pol L


report <Hostname>.twd ' : /var/lib/tripwire/report/ (L : 0 ' R "
twcfg.txt 3 ) :LL L
# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/<hostname>.twr


:0':"
':
Tripwire Data Files 100 0 0 0
0@ 100 % @:
0" tw.pol : 100 % :@
Error Report :/: No Errors

*!1 13 0:0 Script L :


L// :0/:/L
:$L: '' Shell Script $//
: Script 0
# vi /root/tripwire.sh
//"0
#!/bin/sh
echo "Shell Script for Tripwire"
echo " Start date-time : (`date +"%k %M %S "`)"
/usr/sbin/tripwire --check
rm -f /var/lib/tripwire/<hostname>.twd
/usr/sbin/tripwire --init -P <local passphrase>
echo " End date-time : (`date +"%k %M %S "`)"
Script $ Mode @ 700 0
# chmod 700 /root/tripwire.sh


*!1 14 @0RL0 Tripwire L


:L:': Server :L:
:LL 3.00 . () R L0
# crontab -e
00 03 * * * /root/tripwire.sh
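An added example, not part of the book and not Tripwire's own code: the script above rebuilds the database with tripwire --init right after every check, so whatever changed on the host since the last run, authorised or not, silently becomes the new baseline and the check can never raise an alert. The version below runs the check from cron, keeps a dated report, counts the violations it lists and leaves the database alone; the baseline is only changed by an administrator running tripwire --update against the reviewed report. It assumes the Fedora paths used in this chapter; the TRIPWIRE, TWPRINT and REPORT_DIR variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the book's script): run the Tripwire check from cron and
# report violations instead of re-initialising the database.
# Assumes the Fedora layout from this chapter. TRIPWIRE, TWPRINT and REPORT_DIR
# can be overridden from the environment.
TRIPWIRE="${TRIPWIRE:-/usr/sbin/tripwire}"
TWPRINT="${TWPRINT:-/usr/sbin/twprint}"
REPORT_DIR="${REPORT_DIR:-/var/lib/tripwire/report}"

# Read a printed report on stdin and print the number from its
# "Total violations found:" line (0 if the line is missing).
violations_in_report() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Classify a run from the exit status of "tripwire --check" ($1) and the
# violation count taken from the report ($2): prints ok, violations or error.
check_outcome() {
    if [ "$2" -gt 0 ]; then
        echo violations
    elif [ "$1" -ne 0 ]; then
        echo error      # nonzero status with nothing reported: the check itself failed
    else
        echo ok
    fi
}

# Run the check, keep a dated report, and return 1 when there is something
# for an administrator to look at. The database is only ever changed by
# "tripwire --update -r <report>" after the report has been reviewed.
run_check() {
    report="$REPORT_DIR/$(hostname)-$(date +%Y%m%d-%H%M%S).twr"
    status=0
    "$TRIPWIRE" --check -r "$report" >/dev/null 2>&1 || status=$?
    count=$("$TWPRINT" --print-report -r "$report" 2>/dev/null | violations_in_report)
    case "$(check_outcome "$status" "$count")" in
        ok)         echo "tripwire: no violations ($report)" ;;
        violations) echo "tripwire: $count violation(s); review with: $TWPRINT --print-report -r $report" >&2
                    return 1 ;;
        error)      echo "tripwire: check failed with status $status" >&2
                    return 1 ;;
    esac
}

# Invoked from cron as "/root/tripwire-check.sh run"; sourcing the file only
# defines the functions.
case "${1:-}" in run) run_check ;; esac
```

With this script in the 03:00 crontab entry, cron mails root only when the run ends with a nonzero status, i.e. when there are violations to review or the check could not run.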

/0$" : 2 " twcfg.txt


twpol.txt S Configuration Policy
/ $ /0$:" twpol.txt
twcfg.txt /0 policy :0: 0:
$/0S/ 0/ " :'
: LSS'R0L path
$"00@ / Read Only : CD ROM :
:


Chapter 14 Snort (IDS)

Linux Server
#% Snort Snort MySql
4#78##

!%'
1. 88 Snort > Open source
2. %8% 78>#% > (Bold)
3. ##%88 4##7
#%#874%4

(*%
48%L> Open source Free Software 78Q8
8 Linux OS 7 7 4 IDS (Intrusion Detection
System) L Snort U877 OS 87
Hardware 7 7 7787
Update 487#%Q%88
8 77748 Download L
#% Start Service 8L 7L # %7


MySQL 47#7 Q
77 8 7^7 4
77#%#% 78^
##8 ##^LL%
88 2 7 Network Model 88
IDS L 4 Snort # % 8
Database Serve MySQL Q4
#^U#87 ##88%
L^ http://www.snort.org/
8%>7#% Fedora RedHat 8^
rpm 8#%4 Configuration #
##Q8 log file 8 Q
MySQL ##%8%8%

* (*
*!1 1 8 Download snort L^
http://www.snort.org/dl/binaries/linux/
74#%88% libpcap 7Q4
78#% libpcap 4#%78%
# rpm -q libpcap
7#%4#%8%
# rpm -ivh libpcap-0.9.4-10.fc6.i386.rpm
Preparing... ######################################### [100%]


1:libpcap ######################################## [100%]


# rpm -ivh snort-2.7.0.1-1.FC6.i386.rpm
Preparing... ######################################### [100%]
1:snort ########################################## [100%]
#%L7^8 download Server
# rm -f snort-2.7.0.1-1.FC6.i386.rpm
*!1 2 Configuration 7 8%
# vi /etc/snort/snort.conf
#78%7
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
var HOME_NET 192.168.1.0/24
# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET !$HOME_NET
# Include all relevant rulesets here
#
# The following rulesets are disabled by default:
#
# web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,


# chat, multimedia, and p2p


#
# These rules are either site policy specific or require tuning in order to not
# generate false positive alerts in most enviornments.
#
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are triggered.
#=========================================

#include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules


#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
#include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
#include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules


include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
:wq
*!1 3 %7 log file # 8 rotate log
^#8> 8%
# vi /etc/logrotate.d/snort
# /etc/logrotate.d/snort
# $Id$
# /var/log/snort/alert /var/log/snort/*log /var/log/snort/*/alert /var/log/snort/*/*log
/var/log/snort/alert /var/log/snort/*log {
    daily
    rotate 7
    missingok
    compress
    sharedscripts
    postrotate
        /etc/init.d/snortd restart 1>/dev/null || true
    endscript
}
:wq
*!1 4 % Download Oinkmaster 8
Download rule 7 8 Snort 87 Download


Update Rule 8 Oinkmaster 4# 8%L


http://www.ip-solutions.net/~hhoffman/oinkmaster/ # % Server ^
oinkmaster-2.0-0.noarch.rpm ##%8%
# rpm -ivh /tmp/oinkmaster-2.0-0.noarch.rpm
Preparing... ######################################### [100%]
1:oinkmaster ######################################## [100%]
#L^8 Download #%
# rm -f oinkmaster-2.0-0.noarch.rpm
*!1 5 47 Configuration oinkmaster 8%
# vi /etc/oinkmaster.conf
8> 8%
# Example for Snort-current ("current" means cvs snapshots).
# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz
# <oinkcode> is the Oink code from your snort.org account
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz
# Example for Community rules
# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz
url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
:wq


*!1 6 Oinkmaster 4 Rule Snort


8 Perl script 8
# oinkmaster.pl -o /etc/snort/rules/
8%LQ%7L Download 78#
Rule Snort 8774 78
Snort 7 8 Code Oinkmaster Download Rule 8
unregistered user release L7 Rule Version 7 47#88 Version
2.4 77 Snort 2.6 Q%
*!1 7 4 Oinkmaster 4 Update Rule 8 Snort 8%
# vi /etc/cron.daily/oinkmaster
#!/bin/sh
/usr/bin/oinkmaster.pl -o /etc/snort/rules/ > /dev/null 2>&1
:wq
*!1 8 cron file Oinkmaster L848 Mode
# chmod 755 /etc/cron.daily/oinkmaster
*!1 9 77 Interface 8 Snort 4
# snort -i eth0 -c /etc/snort/snort.conf
Step 10 Start Snort
7 snort 44 Permission log 7#%
rpm 8 Add User snort Q Log File 47
Log 8#%> root 48 Owner 78%
# chown -R snort.snort /var/log/snort/
# /etc/init.d/snortd start


*!1 11 #847# Rule Snort


Rule 87 8% bleedingthreate.net 88
8#Q%7 Rule 7 Snort
oinkmaster Download Rule 8%
# oinkmaster.pl -o /etc/snort/rules/ -u http://www.bleedingsnort.com/bleeding.rules.tar.gz
Download 4 Rule #% Snort
Loading /etc/oinkmaster.conf
Downloading file from http://www.bleedingsnort.com/bleeding.rules.tar.gz...
done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules... disabled 0, enabled 0, modified 0, total=3641
Setting up rules structures... done.
Comparing new files to the old ones... done.
Updating local rules files... done.
[***] Results from Oinkmaster started 20070612 22:00:53 [***]
[*] Rules modifications: [*]
None.
[*] Non-rule line modifications: [*]
None.
[+] Added files (consider updating your snort.conf to include them if needed): [+]
-> bleeding-attack_response.rules


-> bleeding-botcc-BLOCK.rules
-> bleeding-botcc.rules
-> bleeding-dos.rules
-> bleeding-drop-BLOCK.rules
-> bleeding-drop.rules
-> bleeding-dshield-BLOCK.rules
-> bleeding-dshield.rules
-> bleeding-exploit.rules
-> bleeding-game.rules
-> bleeding-inappropriate.rules
-> bleeding-malware.rules
-> bleeding-p2p.rules
-> bleeding-policy.rules
-> bleeding-scan.rules
-> bleeding-sid-msg.map
-> bleeding-virus.rules
-> bleeding-voip.rules
-> bleeding-web.rules
-> bleeding.conf
-> bleeding.rules
*!1 12 Download Rule Bleedingsnort.com
snort.conf 784 Rule 7 8%
# vi /etc/snort/snort.conf


#^7^8%
# Bleeding Edge rules
include $RULE_PATH/bleeding.conf
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-voip.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding.rules
:wq
*!1 13 L restart
# /etc/init.d/snortd restart
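An added example, not part of the book and not part of Snort or Oinkmaster: after the includes for the Bleeding rules are added to snort.conf (Step 12), a single include that points at a file Oinkmaster did not deliver stops snortd from starting, and the sensor stays down until somebody notices. The check below lists every active include $RULE_PATH/... line whose file is missing, so the restart in Step 13 can be made conditional on it. It ignores lines commented out with #, as the disabled rulesets above are; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the book or of Snort: check that every active
# "include $RULE_PATH/..." line in snort.conf names a readable rules file
# before snortd is restarted.

# Print the directory defined by "var RULE_PATH <dir>" in snort.conf ($1).
snort_rule_path() {
    sed -n 's/^[[:space:]]*var[[:space:]]\{1,\}RULE_PATH[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Print each rules file that snort.conf ($1) includes via $RULE_PATH but that
# is not readable under the rules directory ($2). Lines commented out with '#'
# are ignored. Returns 1 if at least one file is missing, 0 otherwise.
missing_snort_rules() {
    conf="$1"; rules="$2"; missing=0
    for f in $(sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\$RULE_PATH\/\([^[:space:]]*\).*/\1/p' "$conf"); do
        if [ ! -r "$rules/$f" ]; then
            echo "$f"
            missing=1
        fi
    done
    return $missing
}

# Typical use on the sensor, after editing snort.conf:
#   missing_snort_rules /etc/snort/snort.conf "$(snort_rule_path /etc/snort/snort.conf)" \
#       && /etc/init.d/snortd restart
```

The same check fits at the end of the /etc/cron.daily/oinkmaster script from Step 7, so a rule download that removed or renamed a file is reported before the next restart rather than discovered afterwards.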


Snort + MySQL

* ! 1 1 % 8 % 4 Download snort-mysql L ^
http://www.snort.org/dl/binaries/linux/ OS 778%> FC6
wget download ^L8 /tmp 8%
# wget -P /tmp http://www.snort.org/dl/binaries/linux/old/snort-mysql-2.7.0.1-1.FC6.i386.rpm
*!1 2 4#%
# rpm -ivh /tmp/snort-mysql-2.7.0.1-1.FC6.i386.rpm
Preparing... ######################################### [100%]
1:snort-mysql ####################################### [100%]
*!1 3 #%
# rm -f /tmp/snort-mysql-2.7.0.1-1.FC6.i386.rpm
*!1 4 %8%77 MySQL #%47 Q#
Database Snort 48%
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10 to server version: 5.x.x version 8
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> CREATE DATABASE snort;
Query OK, 1 row affected (0.13 sec)


mysql> GRANT CREATE,INSERT,SELECT,UPDATE,DELETE ON snort.* TO snort@localhost IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.08 sec)
mysql> GRANT CREATE,INSERT,SELECT,UPDATE,DELETE ON snort.* TO snort IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.01 sec)
mysql> exit
Bye
*!1 5 % Download ^88 gzip 8 /tmp wget
8%
# wget -P /tmp http://www.snort.org/dl/current/snort-2.7.0.1.tar.gz
78^8%L^ %L8U
*!1 6 4^84 tar 8%
# tar xzf /tmp/snort-2.7.0.1.tar.gz -C /tmp
*!1 7 4 table database 8 mysql
snort 8%
# mysql -u snort -p < /tmp/snort-2.7.0.1/schemas/create_mysql snort
Enter password: <password> 78 database 4
*!1 8 ^8 Download #%
# rm -rf /tmp/snort*
*!1 9 Configuration snort
# vi /etc/snort/snort.conf
.


47 output database ##8


# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
output database: log, mysql, user=snort password=<password> dbname=snort host=localhost
:wq
*!1 10 7% Restart Service
# /etc/init.d/snortd restart
Stopping snort: [ OK ]
Starting snort: [ OK ]
*!1 11 87 Priority #4%7
# vi /etc/init.d/snortd
#
# chkconfig: 2345 40 60
>
# chkconfig: 2345 91 60
:wq
%7#4778%
# chkconfig --del snortd
# chkconfig --add snortd


>L#% snort 7 MySQL 78


Rule 84 Update L77

( Log file % BASE (Basic Analysis and Security Engine)


#% Snort 7 MySQL 87L^L #7
#^ 77 8 Snort Q
MySQL 788% 7774
Q#84#^877
848%7 7L44
Snort 87 Web Browser 777848%8#
httpd + php + MySQL 847^7Q Download #
% %4%#%8%

*!1 1 Download base http://www.sourceforge.net/ 8


878% base 8Q Version 1.3.9 Download ^ base-
1.3.9.tar.gz 48 /tmp

*!1 2 4 Server 78#% php-adodb, php-gd php-


mysql 4##%%^^78
7 CD L Download 7^8 php-adodb
Download 8 http://download.fedora.redhat.com/ Q 7 7 8 % ^ php-
adodb-4.94-1.fc6.noarch.rpm L8 /tmp 7^ php-mysql php-gd 8
7 CD 7 478%


# rpm -q php-mysql
# rpm -q php-gd
# rpm -q php-adodb
7#%4#%4 php-mysql php-gd 77
CD
# mount /dev/cdrom /mnt/cdrom
# rpm -ivh /mnt/cdrom/Fedora/RPMS/php-mysql-5*
# rpm -ivh /mnt/cdrom/Fedora/RPMS/php-gd*
# eject
78 1 ^# /tmp
# rpm -ivh /tmp/php-adodb*
#%L^8 Download #%
# rm -f /tmp/php-adodb*

*!1 3 #%7 Web Server 44


base 84^ base 8 /tmp 8%
# tar xzf /tmp/base-1.3.9.tar.gz -C /var/www/html
8 directory %87 Browser
# mv /var/www/html/base-1.3.9 /var/www/html/base
^#%
# rm -f /tmp/base-1.3.9.tar.gz


*!1 4 %7>47 Configuration base


# vi /var/www/html/base/base_conf.php
..
$BASE_Language = 'english'; <- w!

$BASE_urlpath = '/base'; <- path !1! Browser

$DBlib_path = '/usr/share/php/adodb/'; <- !1'w adodb


..
$DBtype = 'mysql'; <- ( Database !1%
78% Database mysql %87
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'password';
:wq

*!1 5 78% /base > Apache


# chown -R apache:apache /var/www/html/base

*!1 6 % Configuration httpd


# vi /etc/httpd/conf.d/base.conf


<Directory "/var/www/html/base">
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.11 <- w IP |w IP !1%' i%
</Directory>
:wq
7^ base.conf 8#7
# apachectl configtest
Syntax OK

*!1 7 httpd 47
# /etc/init.d/httpd restart
>L# %% base IDS 8 snort
> 4#%#8 4 ^
php-pear-Image-Graph
php-pear
php-pear-Image-Canvas
php-pear-Image-Color

^ % Download 8 download.fedora.redhat.com 8 L ^
rpm.pbone.net ^%#%7L
>8#%784
% X Y


887L8 http://192.168.1.11/base

Figure 14.1

%88#8 Setup page

Figure 14.2


# Setup page 8 14.2 #8 Create BASE AG

Figure 14.3
8 14.3 BASE table 4L# Main page


Figure 14.4

7 #78
78 14.5 Q%77 8 Q#
#7 BASE

Figure 14.5


Snort >Q84 IDS 8#77


U 4Q8 Network
7844 Snort #%48 IDS 7
Service 8 Server 7 4 Software
## Real time 4>87Q 8
8874 # Error 4L8
Scan packet 7 8# U878L www.snort.org
7 7 download update rule > Internet
download 7 ^7 887 download 7 L7
8 78 L 8 88 7


Chapter 15 Backup and Restore

Backup Restore Server


, Backup Restore
,4

!%'
1. partimage = Open source
2. B, tar, mkisofs, cdrecord
3. HH 4=H = (Bold)
4. H ,4
H4,H,

(*%
QR Server 4,
44S4H Backup/Restore Server H 4
S4 Server ,= 4
, 44H Server NOS
4SBB Server Q4
4 4H44


4 44H, 4 4
S4H,Z (UPS) 4
( backup 4 6 H
1. Full backup =, backup R4
2. Incremental backup =, backup R4, Full
backup
3. Differential 4
4. Network backup , backup client backup server
Server , backup
5. Dump backup 44= backup file 4, backup H
d disk partition file system
6. Level 0 to 9 backup =, incremental backup 4R4
44 lower lever backup

S backup Restore BH4 backup


4, = Gigabyte S,= backup
, backup 4 Network S BH Bandwidth
, backup ,BBR Hard drive
failure H4B4RH H4,
backup 4 d4H
1. , backup
2. 4
3. = Restore ,


4. Server R
5. 4R

,d4 S SR=
4,R4= 3 R4
1. 44R
2. R=,
3. R4,
H 4 Directory , backup 4 , =
backup H hard drive 4 , 4
H
/etc =S Configuration file
/home =S User
/www =S Web file ( dir S)
4= (Media) S, backup
4R4 SS
44HRd4 Tape backup S
44 CD DVD QR4 Floppy Disk 4
B CD DVD S4 Floppy Drive 4
=44d,
4H
A!1 1 44R R4H4 /etc 4 Configure
HH server ,=


R4 Configure HS4 Update 4H


BBR,S,44 ZIP Disk
S CD-R S S /etc 4H ,S
User d passwd shadow =, Restore 4=
4 User ,B Restore
4,
4 Directory 4 4
, backup S /bin /usr =4 Q
H4S4 backup/restore ,S4 Configuration
A!1 2 R4 R4H4 User
Database 44 S4 /home RS
, backup R4 backup S
4 4 4,
, Script , backup =4BB4
444 Hard drive failure BH4 , backup S
4RR 4SR4HH,
(Rewritable) 4 CD-RW DVD-RW =SHH 7
7 4 4 backup =444 CD-R
DVD-R
A!1 3 R4, ,R4H
B4=RRR4S Script
,R backup 4


R,4 S, backup
4,
,, backup Linux R4=,
44 H copy S,
4 ,
- cp
- tar
- gzip
- dump
H4, tar 4 UNIX
,SH4dB Directory
Linux tar 4 Utility 4B
Option S Script ,S
, S R
(Compress) dS 4H
# tar cf backup.tar directory
c = create new file
f = file or device S
4 backup /home
# tar cf backup.tar /home
Restore
# tar xPf backup.tar
Option ,=H


v = Lists verbosely files being processed.


z = Detects and properly processes gzip archives during extraction.
p = Specifies to extract all protection information.
d = Specifies to find differences between the archive and the file system.
t = Lists the contents of the archive.
u = Specifies to append only files newer than the archive copies.
N date = Specifies to archive only files newer than the specified date.
P = Specifies not to strip the leading / character from file names. In this case,
regardless of the directory, from which the extraction command is executed, the
files will be extracted into their initial directories.
backup H Directory S,H
# tar cf backup.tar /home /etc /www
Hd Directory S backup.tar H
# tar tvf backup.tar
backup dS,,
tar , gzip ,4,dSR= .tar.gz H
# tar cfz backup.tar.gz /home /etc /www
, Restore ,
# tar xzPf backup.tar.gz


!R Full backup RedHat


4 , Tape Backup
QR4=44 H4 R
SBBH4 H4, tar
, Full Backup B Tape Backup BH Linux S= SCSI
tape drive ( /dev/st0 ) 4, Script 4RdB
44= Tape S
4 Server H, mt ,
# rpm -q mt-st
H CD ROM H
# mount /dev/cdrom
# rpm -ivh /mnt/cdrom/RedHat/RPMS/mt-st*.rpm

,, Full Backup H4, backup Hd,


4 6 =B 4
2-6 B44Rd 4 4
( -- =HS=)

44S /
# cd /
4H backup partition /home H4Rd 1
1
# cd /


# tar cpf /dev/st0 --label=" full-backup created on `date '+%d-%B-%Y'`." \
    --directory / home
2 d
# cd /
# tar cpf /dev/st0 -N "<date of the day-1 full backup>" --label=" full-backup created on `date '+%d-%B-%Y'`." \
    --directory / home
3
# cd /
# tar cpf /dev/st0 -N "<date of the day-1 full backup>" --label=" full-backup created on `date '+%d-%B-%Y'`." \
    --directory / home
4 R
# cd /
# tar cpf /dev/st0 -N "<date of the day-1 full backup>" --label=" full-backup created on `date '+%d-%B-%Y'`." \
    --directory / home
5
# cd /
# tar cpf /dev/st0 -N "<date of the day-1 full backup>" --label=" full-backup created on `date '+%d-%B-%Y'`." \
    --directory / home
6 =Rd H 2 (d 2 =d4)
# cd /
# tar cpf /dev/st0 --label=" full-backup created on `date '+%d-%B-%Y'`." \
    --directory / home
6 ,H,H4 2 - 5 4


2-5 = backup 4 (Incremental Backups) S4 1


6 ,R S , Backup 4
d
Option , tar
c (Create) = ,Z Backup
p (Preserve permission) = ,,4 permission file directory

N (New) = Backup 4

F = ZRdB
R (Rewind) ,
# mt -f /dev/st0 rewind
,
# mt -f /dev/st0 offline

R Backup 4 ,4= --multi-volume (-M)


M 4 H
# tar cMpf /dev/st0 /home
, Backup 4
4 ,
# cd /
# tar dvf /dev/st0
44H= Backup H (R partition ,=) H


# cd /
# tar cpf /archive/full-backup-`date '+%d-%B-%Y'`.tar \
    --directory / --exclude=proc --exclude=mnt --exclude=archive \
    --exclude=cache --exclude='*/lost+found' .
Parameter --exclude B4 Backup partition
R Script , backup S,H
# vi /etc/cron.daily/backup
#!/bin/sh
#
COMPUTER=ns1
DIRECTORIES="/home"
BACKUPDIR=/backups
TIMEDIR=/backups/last-full
TAR=/bin/tar
PATH=/usr/local/bin:/usr/bin:/bin
DOW=`date +%a`
DOM=`date +%d`
DM=`date +%d%b`
# Monthly Full Backup
if [ $DOM = "01" ]; then
  NEWER=""
  $TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DM.tar $DIRECTORIES
fi
# Weekly full backup
if [ $DOW = "Sun" ]; then
  NEWER=""
  NOW=`date +%d-%b`
  # Update full backup date
  echo $NOW > $TIMEDIR/$COMPUTER-full-date
  $TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DOW.tar $DIRECTORIES
# Make incremental backup - overwrite last weeks
else
  # Get date of last full backup
  NEWER="--newer `cat $TIMEDIR/$COMPUTER-full-date`"
  $TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DOW.tar $DIRECTORIES
fi

R File Backup ( /backups )


# ls -l /backups/
total 22217
-rw-r--r-- 1 root root 10731288 Feb 7 11:24 ns1-01Feb.tar
-rw-r--r-- 1 root root 6879 Feb 7 11:24 ns1-Fri.tar
-rw-r--r-- 1 root root 2831 Feb 7 11:24 ns1-Mon.tar
-rw-r--r-- 1 root root 7924 Feb 7 11:25 ns1-Sat.tar


-rw-r--r-- 1 root root 11923013 Feb 7 11:24 ns1-Sun.tar


-rw-r--r-- 1 root root 5643 Feb 7 11:25 ns1-Thu.tar
-rw-r--r-- 1 root root 3152 Feb 7 11:25 ns1-Tue.tar
-rw-r--r-- 1 root root 4567 Feb 7 11:25 ns1-Wed.tar
drwxr-xr-x 2 root root 1024 Feb 7 11:20 last-full
HdS last-full B=4, Script
4 H
# date +%d%b > /backups/last-full/ns1-full-date
,4 myserver-full-date =d ,=
4 ns1-15-Jan ,=4 4
Backup Script Backup
4, Permission Script
# chmod 700 /etc/cron.daily/backup
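An added example, not the script from the book: the same monthly/weekly/daily rotation as /etc/cron.daily/backup above, rewritten so that the scheduling decision can be checked on its own and the failure cases the original passes over are handled. A missing last-full date file now stops the incremental run instead of making tar back up nothing; the archive is written under a temporary name and renamed only when tar succeeds, so a failed run never replaces a good archive; umask 077 keeps archives of /home readable by root only; and the full-backup date is recorded as YYYY-MM-DD, which tar's --newer parses unambiguously, by the monthly full backup as well as the weekly one. Paths and the host name ns1 follow the chapter; the function names and the .tmp suffix are this example's own.

```shell
#!/bin/sh
# Added example, not the book's /etc/cron.daily/backup: same rotation
# (monthly full on the 1st, weekly full on Sunday, daily incremental otherwise)
# with the scheduling logic separated out and the failure cases handled.
# Defaults follow the chapter; all can be overridden from the environment.
COMPUTER="${COMPUTER:-ns1}"
DIRECTORIES="${DIRECTORIES:-/home}"
BACKUPDIR="${BACKUPDIR:-/backups}"
TIMEDIR="${TIMEDIR:-$BACKUPDIR/last-full}"
TAR="${TAR:-/bin/tar}"

# Which backup runs today: $1 = day of month (01..31), $2 = day of week
# (Mon..Sun). Prints monthly, weekly or incremental.
backup_plan() {
    if [ "$1" = "01" ]; then
        echo monthly
    elif [ "$2" = "Sun" ]; then
        echo weekly
    else
        echo incremental
    fi
}

# Run today's backup ($1/$2 as for backup_plan; default: today). Returns 0 on
# success, 1 if tar failed, 2 if an incremental was requested before any full
# backup recorded its date.
run_backup() {
    dom="${1:-$(date +%d)}"; dow="${2:-$(date +%a)}"
    umask 077                            # archives contain /home: owner-only
    mkdir -p "$BACKUPDIR" "$TIMEDIR"
    datefile="$TIMEDIR/$COMPUTER-full-date"
    newer=""
    case "$(backup_plan "$dom" "$dow")" in
        monthly)
            archive="$BACKUPDIR/$COMPUTER-$(date +%d%b).tar"
            date '+%Y-%m-%d' > "$datefile" ;;
        weekly)
            archive="$BACKUPDIR/$COMPUTER-$dow.tar"
            date '+%Y-%m-%d' > "$datefile" ;;
        incremental)
            archive="$BACKUPDIR/$COMPUTER-$dow.tar"
            if [ ! -s "$datefile" ]; then
                echo "backup: no full-backup date in $datefile; run a full backup first" >&2
                return 2
            fi
            newer="--newer=$(cat "$datefile")" ;;
    esac
    # Write to a temporary name: a good archive is never replaced by a broken one.
    if "$TAR" ${newer:+"$newer"} -cpf "$archive.tmp" $DIRECTORIES; then
        mv "$archive.tmp" "$archive"
    else
        rm -f "$archive.tmp"
        echo "backup: tar failed, $archive left unchanged" >&2
        return 1
    fi
}

# From cron: "/etc/cron.daily/backup run"; sourcing only defines the functions.
case "${1:-}" in run) run_backup ;; esac
```

Because the date file is created by the first full backup, the step above that writes it by hand is only needed to bootstrap a host whose first cron run falls on a weekday.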

(! Restore % 1 tar
R, Backup 44= Partition /home 4
Backup H Hard disk S 4,4 Hard drive H
4 Server Q, Backup
4 ,4H
# cd /
# tar xpf /archive/full-backup-Day-Month-Year.tar
Restore HRS M = #tar xMpf .


4 = Parameter c = x (Extract) d
S B , download
R = .tar 4 4 4 Script Backup
Script Sd ns1-15-Jan.tar Restore S
# tar xpf /backups/ns1-15-Jan.tar

% Backup Media
BBR
BRQRS OpenSSH H Linux Server R4
4 , R H 4 d , backup
Z4,,4H
# openssl des -in /home/backup.tar.gz -out /home/backup.sec
4 H d backup.sec H B
, d H backup.tar.gz backup.sec Server
Restore S,RH
# openssl des -d -in /home/backup.sec -out /home/backup.tar.gz

% 1 tar backup %'A ssh


H,=, backup d
,d backup 44 BS Hard drive
B4 4 CD-R, CD-RW DVD 4d
, 4 RRd 4H
Secure Shell 4, Remote Login


S4,HRd Backup 4d
4H Server 4R44,
=44 ,H4H
backup partition /home Server 4 backup
, tar 4 gzip dS S4S backup
H
# tar zcvf - /home | ssh bkuser@backup "cat > /home/bkuser/home.tar.gz"
4, host S IP H
# tar zcvf - /home | ssh bkuser@192.168.1.20 "cat > /home/bkuser/home.tar.gz"
44 backup IP address 192.168.1.20 user S
d= user bkuser Secure Shell 4R root
login 4dS444 home directory
bkuser 4H Enter d 4 /home
HS password bkuser 4 dS
4 backup Sd
, dd S4 cat H
# tar zcvf - /home | ssh bkuser@192.168.1.20 "dd of=/home/bkuser/home.tar.gz"
mount backup S4B4
mount tape /dev/st0 S4BH
# tar cvzf - /home | ssh bkuser@192.168.1.20 "cat > /dev/st0"
R4BS,H
# tar cvzf - /home | ssh bkuser@192.168.1.20 "mt -f /dev/st0 rewind; cat > /dev/st0"


H Restore Server 4 ssh S,H


# cd /
# ssh root@192.168.1.20 "cat /home/bkuser/home.tar.gz" | tar zxvf -

% SSH !1A%A
44RH, backup 44 ssh R4
4RH, ssh 4
S44dS 4H,d
,H4d backup S44 ,
, Script 4 S ,4
H
,B Server = root user 4
root , Hard drive R4 = user 4
RR4 4 backup /etc d shadow =
user SZ44d4 4 home directory
root
[root@sv2 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): <- Enter
Enter passphrase (empty for no passphrase): <- Enter
Enter same passphrase again: <- Enter
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.


The key fingerprint is:


25:70:8f:1e:84:52:9a:45:f6:6d:f3:f3:eb:ce:11:44 root@sv2.sample.co.th
[root@sv2 ~]#
= rsa key R root server d id_rsa
id_rsa.pub S4 .ssh S,44 id_rsa.pub (public key)
backup key 4 H
# ssh-copy-id -i .ssh/id_rsa.pub bkuser@192.168.1.20
15
bkuser@192.168.1.20's password: <- password bkuser
Now try logging into the machine, with "ssh 'bkuser@192.168.1.20'", and check
in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
#
HH4 bkuser backup B4 key
backup ,S directory .ssh home directory bkuser
Bd authorized_keys 44 backup H
4d 44HRHHS 4
backup 4 ssh , configure 4
d user bkuser 4
H login root configuration backup
# vi /etc/ssh/sshd_config
..... 4 3 H4 # 4


RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
4SS Bd restart
# /etc/init.d/sshd restart
4HS login ,H
[root@ns1 ~]# ssh bkuser@192.168.1.20
Last login: Tue Jan 15 11:49:28 2008 from 192.168.1.1
[bkuser@backup ~]$
4 prompt user@host
4,,Sd , tar 444d backup.tar.gz
S backup
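An added example, not from the book and not part of OpenSSH: the key installed with ssh-copy-id above has no passphrase, so whoever obtains /root/.ssh/id_rsa from the web server can run any command as bkuser on the backup host, including deleting every earlier archive. OpenSSH lets the authorized_keys entry force a single command and pass the client's request in SSH_ORIGINAL_COMMAND; the wrapper below accepts only the two pipeline commands used in this chapter and stores each upload under a new date-stamped name, so a compromised web server can add a backup but not read or destroy one. The wrapper's path, the function names and the file naming are this example's own.

```shell
#!/bin/sh
# Added example, not from the book: forced-command wrapper for the backup key.
#
# authorized_keys entry for bkuser on the backup host (one line; <public key>
# is the content of id_rsa.pub copied with ssh-copy-id above):
#   command="/home/bkuser/bin/receive-backup run",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty <public key>
#
# sshd then runs this file instead of the requested command and passes the
# request in SSH_ORIGINAL_COMMAND.
BACKUP_ROOT="${BACKUP_ROOT:-/home/bkuser}"

# Map the command the web server asked for to the file it may write.
# Only the two forms used in this chapter are accepted; prints nothing otherwise.
allowed_target() {
    case "$1" in
        "cat > /home/bkuser/home.tar.gz"|"dd of=/home/bkuser/home.tar.gz")
            echo "home-$(date +%Y%m%d-%H%M%S).tar.gz" ;;
        *)
            ;;
    esac
}

# Receive the archive on stdin into a new, date-stamped, owner-only file.
# Returns 1 (and writes nothing) when the request is not on the allow list.
receive_backup() {
    target=$(allowed_target "${SSH_ORIGINAL_COMMAND:-}")
    if [ -z "$target" ]; then
        echo "receive-backup: refused: ${SSH_ORIGINAL_COMMAND:-<no command>}" >&2
        return 1
    fi
    umask 077
    cat > "$BACKUP_ROOT/$target"
}

# As the forced command: "receive-backup run"; sourcing only defines functions.
case "${1:-}" in run) receive_backup ;; esac
```

The tar | ssh command on the web server stays exactly as in this chapter; only the backup host changes, and old archives are pruned there by a local cron job rather than by the client.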
, backup CD-R, CD-RW DVD 4 H,
44 ,S, Script 4= tape
tape = CD Bd backup CD
4 backup H cdrecord mkisofs 4
H , backup , tar 4 d home.tar.gz
backup 4 openssh S4=
4=d H
backup
$ mkisofs -R -l home.tar.gz | cdrecord speed=8 -
= CD-RW 44B
$ mkisofs -R -l home.tar.gz | cdrecord blank=fast speed=8 -


B44 option B man


4H,4 H4S4, backup
server S , backup 4S4 ssh S4S

Backup Restore Partition


H,, clone copy = partition 4
partimage , text mode =,S S
HH4 partition H Bd
Hard disk 44H4, backup
MBR boot partition , backup R file system H
ext2fs, ext3fs, fat16, fat32, hfs, hpfs, jfs, ntfs, reiserfs, ufs, xfs 44
partition , restore 44= file system ,
backup H444
4 hard disk Hd H= Open
source 4 download H
http://dries.ulyssis.org/rpm/packages/partimage/info.html OS Version
, 44H= Fedora Core 6 download d
partimage-0.6.6-1.fc6.rf.i386.rpm 4 4H
= Debian H,
# apt-get install partimage
= Fedora RedHat ,
# rpm -ivh partimage-0.6.6-1.fc6.rf.i386.rpm


HS,
# partimage Enter

Figure 15.1 partimage

15.1 partition backup ZBH


4 = sda1 (boot partition) HZ TAB image file to create/use
d path 4 backup d boot_part S
/backup S = /backup/boot_part = Action to be done:
backup Restore 4
Restore partition boot Restore an MBR H F5


15.2 Error partition 4 unmount

15.2 =4 partimage ,
backup partition unmount 4H Continue ,444
4d4 B,, unmount 44
# umount /boot H

15.3 4


15.3 Compression level 3 ,


dSS dS
R4,, bzip2 4S MBR

15.4 , bzip2

, 15.3 S Option 4 4
= Image split mode , Automatic split d
=4S, wait Z F5
,4


15.5 4 Partition ,,S H


OK

15.6 = Partition , Backup


4 15.6 OK S
, Backup SBH44 Partition B
S H


15.7 ,S Backup

,44 H4,
d4 4 Restore S, 44 image file
4 B = , Server
,d=4

, backup restore H4H S


BB, tar cvfz tar xvfz Zip
Unzip DOS Windows 4R4 44
,BHRBd=,4= Full-backup 4
4H
4R4 Word d Save SH


aaa bbb xyz SS Hard disk BS Rd 4


4d=d ,4BS
Linux 4S,4,,4 mount
device ,4, backup ,,S=
Linux 44 Partimage hard drive
,



Log Server

Centralize Log Server


&*+ Log file 1
+ Log file 4*1

%'(
'( .4747
..
---------------------------------------------------------------
+& &**
4*
() + (Media) *& (Integrity)
FF (Identification) *H4
() *+&*+ 1
H&4 4& 4&&
&* + 4 + Centralized Log Server 1 Data
Archiving 1 Data Hashing 4 & **** &
1 H & 4 4 &


(IT Auditor) F *
**
() *&**&*H
4 41* ..
4& +
() +& F*&
F (Identification and Authentication) 4 Proxy Server,
Network Address Translation (NAT) Proxy Cache Cache Engine
Free Internet 1222 Wi-Fi Hotspot F
&F
&*&1&
FF (Stratum 0)
4 *
1*1 * Log Server 4
Open source ** Linux 4*4m Linux
F4 Network Operating System (NOS) *H Log file
&&oF&4*
&4 *4&&**4
1*4F&& (System Administrator) H Log file
&&111 Security H
1 Data hashing Data Archiving H& IT Auditor &*
&&& Log file *
r4 414


H**H&4**&
14*

1. Setting up an NTP Server (Network Time Protocol)


*4 FF
(Stratum 0) 1* NTP Server H4
* Log Server 4 Server Workstation
1* 1 41* 2 3
Server 4 sync *o
Network *o1*4
4 Internet 4o
Server Workstation 4 1 ntp 14
Configure Server Client 44* Server **
Server Workstation 1 configure Client
* Server

Figure 1: Log Server

Step 1: install ntp on the server (the Log Server)

On RedHat/Fedora, install from the RPM:
# rpm -ivh ntp-<version>.rpm
Most Linux distributions already ship ntp on both server and client; check whether it is installed with:
# rpm -q ntp
On Debian:
# apt-get install ntp-server

4*&&*1*4
* mount cd 4 Internet 4*1 Configuration
1 * server * NTP Server *
1

NTP servers and their clock strata:

Server address     Operator                                            Stratum
203.185.69.60                                                          Stratum-1, synchronised to Stratum-0 (TAI, BIPM; precision ~50 nSec)
time.navy.mi.th                                                        Stratum-1, synchronised to Stratum-0 (MOU with BIPM)
time.nist.gov      National Institute of Standards and Technology, US  Stratum-1, synchronised to Stratum-0 (TAI, BIPM)

Table 1: NTP Servers

Step 2: set the clock from a remote server

# ntpdate -b 203.185.69.60
# ntpdate -b time.navy.mi.th
# ntpdate -b time.nist.gov

28 Jan 14:28:20 ntpdate[2693]: step time server 192.43.244.18 offset -0.092687 sec
Or use the NTP servers at Nectec:
# ntpdate -b clock.nectec.or.th
# ntpdate -b clock2.nectec.or.th
# ntpdate -b clock.thaicert.nectec.or.th
*144 Server
Server ***F (&4 offset *4*F
Server * 1, 2, 3 configuration)
4o no server suitable for synchronization found 4* host *H+
4

Step 3: edit the ntp configuration (keep a backup of the original file)

# cp /etc/ntp.conf /etc/ntp.conf.bak
# vi /etc/ntp.conf

restrict default kod nomodify notrap noquery nopeer
restrict 127.0.0.1
# allow the internal network to query this server
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 203.185.69.60 dynamic
server time.navy.mi.th dynamic
server time.nist.gov dynamic
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
keys /etc/ntp/keys
:wq

Step 4: set the clock once with ntpdate, then restart the service on the server

# ntpdate -b 203.185.69.60
Restart the service and enable it at boot:
# /etc/init.d/ntpd restart
# chkconfig ntpd on

Step 5: check the log file

# grep ntpd /var/log/messages
Jan 28 15:47:49 ns1 ntpd[3838]: ntpd 4.2.4p2@1.1495-o Thu Jun 21 12:57:41 UTC 2007 (1)
Jan 28 15:47:49 ns1 ntpd[3839]: precision = 2.000 usec
Jan 28 15:47:49 ns1 ntpd[3839]: Listening on interface #2 lo, ::1#123 Enabled
Jan 28 15:47:49 ns1 ntpd[3839]: Listening on interface #5 eth0, 192.168.1.10#123 Enabled
Jan 28 15:47:49 ns1 ntpd[3839]: kernel time sync status 0040
Jan 28 15:47:50 ns1 ntpd[3839]: frequency initialized 80.586 PPM from /var/lib/ntp/drift

Step 6: check the server for errors

On the server, list the peers:
# ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 203.185.69.60   .PPS.            1 u   49   64    3   49.263  577.356  40.539
 122.154.11.67   .GPS.            1 u   50   64    3   50.387  568.011   4.886
 192.43.244.18   .ACTS.           1 u  111   64    2  607.213  463.669   0.002
 127.127.1.0     .LOCL.          10 l   48   64    3    0.000    0.000   0.002
From a Linux client, check against the server with:
# ntpdate <ip address>    (the ip address of the NTP Server)
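The health check behind Step 6, written here as an added shell example that is not part of the book: it parses `ntpq -pn` output and reports lost polls, large offsets and a server with no selected peer, so the check can run from cron on the Log Server. The 500 ms threshold and the two sample tables are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the book: read the output of `ntpq -pn` (as shown in
# Step 6) and report peers that are not healthy. A Log Server whose clock drifts
# produces timestamps an IT Auditor cannot correlate, so this belongs in cron.
# The thresholds and the "no selected peer" rule are this example's assumptions.
#
# Columns of ntpq -pn: remote refid st t when poll reach delay offset jitter
#   reach  = octal register of the last 8 polls, 377 means all 8 answered
#   offset = difference from the peer in milliseconds
#   a leading '*' marks the peer ntpd is currently synchronised to

# ntp_check <max |offset| in ms>   (ntpq -pn output on stdin)
# Prints "<remote> <problem>" per finding; prints nothing when all is well.
ntp_check() {
  awk -v maxoff="$1" '
    NR <= 2         { next }                # skip header and ===== line
    $2 == ".LOCL."  { next }                # local fallback clock is not a time source
    {
      if ($0 ~ /^\*/) synced = 1
      remote = $1; sub(/^[*+#ox.-]/, "", remote)  # strip the tally code
      reach = $7; offset = $9 + 0
      if (reach + 0 == 0) { print remote, "unreachable"; next }
      if (reach != "377")  print remote, "lost_polls reach=" reach
      if ($3 + 0 >= 16)    print remote, "stratum_invalid st=" $3
      if (offset < 0) offset = -offset
      if (offset > maxoff + 0) print remote, "offset_ms=" $9
    }
    END { if (!synced) print "-", "no_sync_peer" }'
}

# Constructed sample: the table from Step 6, taken a moment after ntpd started
# (reach 3 and 2 show that only the first polls have been answered).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 203.185.69.60   .PPS.            1 u   49   64    3   49.263  577.356  40.539
 122.154.11.67   .GPS.            1 u   50   64    3   50.387  568.011   4.886
 192.43.244.18   .ACTS.           1 u  111   64    2  607.213  463.669   0.002
 127.127.1.0     .LOCL.          10 l   48   64    3    0.000    0.000   0.002'

# Constructed sample of a healthy server: all polls answered, small offsets,
# and a selected peer.
SAMPLE_HEALTHY='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.185.69.60   .PPS.            1 u   49   64  377   49.263    1.356   0.539
+122.154.11.67   .GPS.            1 u   50   64  377   50.387    0.811   0.886'

# On a live server:  ntpq -pn | ntp_check 500
```

Run against the first sample it prints six findings (two per Stratum-1 peer with a large offset, one lost-polls line for the third peer, and no_sync_peer); against the healthy sample it prints nothing.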

Step 7: configure the Linux clients

Configuration of ntp on a client that synchronises with the NTP Server:
# vi /etc/ntp.conf
server 192.168.1.1                 # ip address of the NTP Server
restrict default ignore
restrict 127.0.0.1
restrict 192.168.1.1 mask 255.255.255.255 nomodify notrap noquery
driftfile /var/lib/ntp/drift
:wq
# /etc/init.d/ntpd restart
# chkconfig ntpd on
11 NTP Server 4*
444* NTP Server
Step 8: configure the Microsoft Windows clients

On Microsoft Windows the OS synchronises its clock through the Internet time settings of the clock in the Task bar.

Figure 2: Internet Time

By default Microsoft Windows XP updates its time from the Network Time Server (NTP) only once every 7 days, which is too coarse for a Log file whose timestamps must stay consistent. Click Update Now to synchronise immediately, or shorten the interval in the Registry (take care when editing the Registry): Start -> Run -> regedit, Enter, then open
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient]
and edit SpecialPollInterval. Its default value is "SpecialPollInterval"=dword:00093a80 (Hex); 93a80 hex is 604800 decimal, which is 7 days (1 day = 86400 seconds). Set it to the update interval you want. Then change the Server from time.windows.com to the IP Address of the NTP Server and click Update Now, so the client syncs with that Server. Make sure the Windows Time Service is set to Automatic so the service starts at Boot.

Tip & Trick

NTP (and SNTP) uses Port 123 (UDP); if there is a Firewall between the clients and the NTP Server, allow this Port and Protocol through it.

2. Building a Centralize Log Server on Linux with syslog-ng


H&14 Server H4
***F4144
H syslog-ng (New Generation) 4 *
syslog-ng *1* Centralize Log Server
4 *144 Log file ** Centralize Log
&4*1* IT Auditor *
44*&*4 admin +4& *
& Log Server 1*
Step 1: install syslog-ng on Linux. Either download the source code and compile it from
http://www.balabit.com/downloads/files/syslog-ng/sources/stable/src/
or install the package. On debian:
# apt-get install syslog-ng
On RedHat, Fedora:
# yum install syslog-ng

Check the version: the configuration syntax of version 2 differs from that of version 1.x. The configuration below is for syslog-ng version 2.x on FC7.

Step 2: edit the configuration

Centralize Log Server configuration
# /etc/syslog-ng/syslog-ng.conf
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};
# All sources
source src {
    internal();
    # pipe("/proc/kmsg");   # not needed: the file() source below already reads
    #                       # /proc/kmsg, a second reader would split the messages
    unix-stream("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
    # udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(5149));    # clients send their logs to tcp port 5149
};
# Log Server destination
destination logs {
    # Location of the log files using syslog-ng internal variables
    file("/var/log/$HOST/$YEAR/$MONTH/$FACILITY.$YEAR-$MONTH-$DAY"
    # Log files owned by root, group is adm and permissions of 665
    owner(root) group(adm) perm(665)
    # Create the directories if they don't exist with 775 perms
    create_dirs(yes) dir_perm(0775));
};
# Anything that's from the program 'squid'
# and the 'user' log facility
filter f_squid { program("squid") and facility(user); };
# This is our squid destination log file
destination d_squid {
    # The squid log file with dates
    file("/var/log/$HOST/$YEAR/$MONTH/squid.$YEAR-$MONTH-$DAY"
    owner(root) group(adm) perm(665)
    create_dirs(yes) dir_perm(0775));
};
# This is the actual Squid logging
log { source(src); filter(f_squid); destination(d_squid); };
# Remove the 'squid' log entries from 'user' log facility
filter f_remove { not program("squid"); };
# Log everything else less the categories removed
# by the f_remove filter
log {
    source(src);
    filter(f_remove);
    destination(logs);
};
Client Log Server configuration
# /etc/syslog-ng/syslog-ng.conf
# All sources
source src {
    # pipe("/proc/kmsg");   # not needed: the file() source below already reads /proc/kmsg
    unix-stream("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
    internal();
};
# The filter removes all entries that come from the
# program 'squid' from the syslog
filter f_remove { not program("squid"); };
# Everything that should be in the 'user' facility
filter f_user { facility(user); };
# The log destination should be the '/var/log/user.log' file
destination df_user { file("/var/log/user.log"); };
# The log destination on the Centralize Log Server, reached over TCP
destination logserver { tcp("192.168.1.11" port(5149)); };
# The actual logging directive
log {
    # Standard source of all sources
    source(src);
    # Apply the 'f_user' filter
    filter(f_user);
    # Apply the 'f_remove' filter to remove all squid entries
    filter(f_remove);
    # Send whatever is left in the user facility log file to
    # the 'user.log' file
    destination(df_user);
    # Send it to the logserver
    destination(logserver);
};
# Log Server destination (local copy of the server's layout; not used by the
# log statements below)
destination logs {
    # Location of the log files using syslog-ng internal variables
    file("/var/log/$HOST/$YEAR/$MONTH/$FACILITY.$YEAR-$MONTH-$DAY"
    # Log files owned by root, group is root and permissions of 665
    owner(root) group(root) perm(665)
    # Create the directories if they don't exist with 775 perms
    create_dirs(yes) dir_perm(0775));
};
# Anything that's from the program 'squid'
# and the 'user' log facility
filter f_squid { program("squid") and facility(user); };
# This is our squid destination log file (local copy)
destination d_squid {
    # The squid log file with dates
    file("/var/log/$HOST/$YEAR/$MONTH/squid.$YEAR-$MONTH-$DAY"
    owner(root) group(adm) perm(665)
    create_dirs(yes) dir_perm(0775));
};
# Squid entries go to the logserver
log { source(src); filter(f_squid); destination(logserver); };
# Everything that is not from 'squid' (filter f_remove, defined above)
# also goes to the logserver
log {
    source(src);
    filter(f_remove);
    destination(logserver);
};

Step 3: if the Log Server denies all hosts in hosts.deny (ALL: ALL), allow the clients in hosts.allow

# vi /etc/hosts.allow
...
syslog-ng: 192.168.1.      # IP Address range of the hosts that send their logs
:wq
If the iptables Firewall is running, open the log port in the filter script:
# vi /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 5149 -j ACCEPT
:wq
# /etc/init.d/iptables restart
With lokkit, add 5149:tcp to the allowed ports so that the log port is open.

Step 4: switch from syslog to syslog-ng
# /etc/init.d/syslog stop
# /etc/init.d/syslog-ng start
# chkconfig syslog off
# chkconfig syslog-ng on
Check that it is running:
# ps ax | grep syslog-ng

3. Services that send their logs to the Log Server
2 +&& *
. &+*H4 *
H (Remote Access) 4* 4
1 Freeradius 1 Configuration
Freeradius 44 Log * syslog syslog-ng 44 Log file
+ Centralize Log 4
# vi /etc/raddb/radiusd.conf
logdir = syslog
log_destination = syslog
:wq
Alternatively, pass -l syslog -g <facility> to radiusd in the startup script.
* 8 (4) *F&F4 Proxy Server
*&4 Gateway server *1 Proxy *41
Authentication user F1 Log on *&44
4 Squid H* Log file 4*&4*4 Configuration
*+* Log *

# vi /etc/squid/squid.conf
change
access_log /var/log/squid/access.log squid
to
access_log syslog squid
(the logformat, squid, is unchanged)
:wq
# squid -k reconfigure
1*F4 4 ***
4*F Hardware 4 Manage Switch 1 VLAN
1 NAT *F4 HF WiFi Hotspot 4
44 *&&4F+ Log
1 Forward Log Log & user account
F host *
. & + * + (e-mail
servers) oF44 +*1 Mail Server +4
11+ Log *1 4*4*o
Mail Server ** &4 Protocol 4 pop, imap smtp H
44H*H Log &4* syslog-ng 4
client +4 Mail Log + Log * 4* Free e-mail **
+4 &+&4* Log & mail *
+*4+ Access Log * proxy +&4

mail *+&44 user account + Log


Server *1**F
. &+&&
14*1 FTP Server *&1+
+4*&4 1+ Log file 44
FTP ** Linux F4 &4 4
download + 4 Configuration *+ Log &4
44 vsftpd +4 Log *
# vi /etc/vsftpd/vsftpd.conf
... send the log to syslog instead of the xferlog file:
# Activate logging of uploads/downloads.
#xferlog_enable=YES
#log_ftp_protocol=YES
syslog_enable=YES
:wq
# /etc/init.d/vsftpd restart
syslog-ng +* 4 FTP Server +&4+
Log * **41&&* Secure Shell (ssh)
H Server * Configuration sshd *1 sftp
server 1 Subsystem *1&&
4 server + Log sshd 44 sftp-server child process
Log +** sftp 44+* 4

o sftp-server FTP server


Log **&4
. &++ 14
4 **+ Linux Software Open source
Apache httpd H* *+H
&4*& access_log &4*
& (Log format) +* *1
4 Configuration 4 Log file Log 4 1*
# vi /etc/httpd/conf/httpd.conf
..
change
LogLevel warn
to
LogLevel notice
and change
CustomLog logs/access_log combined
to
CustomLog "|/usr/bin/logger -p local1.info" combined
:wq
# /etc/init.d/httpd restart
For Secure Socket Layer (SSL), do the same in the ssl configuration:
# vi /etc/httpd/conf.d/ssl.conf
.
ErrorLog logs/ssl_error_log
TransferLog "|/usr/bin/logger -p local1.info"
LogLevel notice
:wq
# /etc/init.d/httpd restart
syslog-ng * Log Web Server &4+
Log &*1 Log format
. &44 (Usenet) *4*
4H4*4+ Log File
. &*4+4 Internet Relay Chat
(IRC) Instant Messaging (IM) *44
4F4 **
* 444 MSN, Yahoo, ICQ H**1H
*+&4&*1 Log file 4 H
44 4 + 4*
1 user account & * 4
4 14 Transparent Proxy
Web Proxy Server 4 * IM Transparent Proxy download
imspector Open source Gateway *
4+&4 + Configuration 14 Log file
+ Log 4H software *1* Transparent
Proxy +&*1m4F

Firewall rules that redirect IM traffic to the transparent proxy:

MSN:     iptables -t nat -A PREROUTING -p tcp --destination-port 1863 -j REDIRECT --to-ports 16667
ICQ/AIM: iptables -t nat -A PREROUTING -p tcp --destination-port 5190 -j REDIRECT --to-ports 16667
Yahoo:   iptables -t nat -A PREROUTING -p tcp --destination-port 5050 -j REDIRECT --to-ports 16667
IRC:     iptables -t nat -A PREROUTING -p tcp --destination-port 6667 -j REDIRECT --to-ports 16667
4F4*4+ IP *4
IP *1+* Firewall 4 port Log file
1** IM Log +F*1
4. Maintaining the Log Server
1 &*F41 Data hashing, Data archiving 4
admin Log Server 4&* IT Auditor &
4 Log Server & Log *
*1
. 1 Rotation Log Server &&*1 rotate
Log *H server &*14 script syslog-ng.conf 1+
Log *4 server 4 4 /var/log/webserver/ Directory 44
server 44FF
-- *&4 44 webserver

/var/log/webserver/2008/02/kernel.2008-02-14 H411
rotate +&4
. 1*& Log (Compress) + 1 tar
Backup * 15 4
# tar cvfz webserver.tar.gz /var/log/webserver
# ls
webserver.tar.gz
. 1** +** 15 4
# openssl des -in webserver.tar.gz -out webserver.sec
# ls
webserver.tar.gz webserver.sec
. + Backup **FF+ &
*H 4 CD * 15 &*& Log 1 4
- 1* +
- .gz
- backup CD .sec
*1+* script 1*4*
command line * script * crontab 1*F*
& reload syslog-ng 41 Log
44 1**1 Hard disk **+ Log +4+
CD *4*H4 3
14 4*F1
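The Data hashing step the text asks for, as an added shell example that is not from the book: tar the host's log tree as the text does, record a SHA-256 manifest beside the archive, and verify it later before the archive is trusted or burned to CD. The file names and the sample log line are constructed; sha256sum from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not from the book: archive one host's log tree with tar (as in
# chapter 15) and keep a SHA-256 manifest beside it, so that the IT Auditor can
# later prove the archive is unchanged. This is the "Data hashing" step the text
# names; the file names below are this example's own choices. Encryption with
# openssl, as the text shows, can follow on the .tar.gz file.

# archive_logs <log directory> <archive.tar.gz>
# Writes the archive and a manifest <archive.tar.gz>.sha256 next to it.
archive_logs() {
  logdir=$1; archive=$2
  tar czf "$archive" -C "$(dirname "$logdir")" "$(basename "$logdir")" || return 1
  # Hash inside the archive's directory so the manifest carries a relative name
  # and still verifies after the pair is copied to CD or another server.
  ( cd "$(dirname "$archive")" && sha256sum "$(basename "$archive")" ) \
      > "$archive.sha256"
}

# verify_archive <archive.tar.gz>   -> status 0 when the recorded hash matches
verify_archive() {
  archive=$1
  ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" )
}

# Self-contained demonstration on a constructed log tree in a temp directory:
# archives it, verifies, then changes one byte of the archive and verifies again.
# Prints "intact corrupt" when hashing detects the change.
demo_archive_check() {
  work=$(mktemp -d) || return 1
  mkdir -p "$work/webserver/2008/02"
  printf 'Feb 14 10:00:01 webserver kernel: eth0: link up\n' \
      > "$work/webserver/2008/02/kernel.2008-02-14"          # constructed log line
  archive_logs "$work/webserver" "$work/webserver.tar.gz" || return 1
  verify_archive "$work/webserver.tar.gz" && r1=intact || r1=corrupt
  printf 'x' >> "$work/webserver.tar.gz"                     # simulate tampering
  verify_archive "$work/webserver.tar.gz" && r2=intact || r2=corrupt
  rm -rf "$work"
  echo "$r1 $r2"
}
```

From cron, call archive_logs after syslog-ng has been reloaded onto the new day's files, and keep the .sha256 manifest with the archive wherever it is stored.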

Logs from Microsoft Windows servers

*** Server Microsoft Windows 2x Server +*


To collect the event log of an MS Windows Server on the Log Server, download snare from http://www.intersectalliance.com/ and install it on the Windows server. On the Log Server, add the following to the configuration:
# vi /etc/syslog-ng/syslog-ng.conf
..... after
# Remove the 'squid' log entries from 'user' log facility
filter f_remove { not program("squid"); };
... add a filter that removes the MS Windows log entries as well
filter f_remove1 { not program("MSWinEventLog"); };
and apply it next to filter(f_remove), so the MS Windows Server entries stay out of the general log:
# Log everything else less the categories removed
# by the f_remove filter
log {
    source(src);
    filter(f_remove);
    filter(f_remove1);
    destination(logs);
};
Write the MS Windows log to its own file:
filter windows {
    program("MSWinEventLog");
};
destination windows {
    file("/var/log/$HOST/$YEAR/$MONTH/windows.$YEAR-$MONTH-$DAY"
    template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
    template_escape(no)
    owner(root) group(adm) perm(665)
    create_dirs(yes) dir_perm(0775));
};
log {
    source(src); filter(windows); destination(windows);
    flags(final);
};
14 windows ISA IIS service *
4 MS Windows H*4 Service 4 snare
for IIS Web Server snare for ISA Servers + download
Server 4* & Snare *4 Host/IP ports
Log Server *44+ 4*4 snare 44 udp 4
4 port 1 snare Log 4 TCP
UDP *4* #
udp(ip(0.0.0.0) port(514));

41 Centralize Log Server *F*144


4F*14F1
*1* Log Server *4* 1*
** *&&**1&*4 Log file
14*&4&4
4H4 *F
* *1 4+4+4*
4*1 &&+4 4*& Log
4 *** **4**
F14 4441+4*o
4o*+4 *
*1 4+**&4
44 41
*1444 (**
4*&1)
