Linux Security
Linux Server Security
1 Overview 1
2 Network Model 17
3 Kernel Harden 43
4 Web Server Security 81
5 Mail Server Security 99
6 DNS Server Security 115
7 FTP Server Security 135
8 Secure Shell 147
9 Firewall Using IPTABLES 155
10 sXid 189
11 Log check 195
12 Port Sentry 203
13 Tripwire 221
14 Snort (IDS) 233
15 Backup and Restore 255
Chapter 1 Overview
) 1 Overview .....: 1
Linux Server Security
3. Communications Security
3.1 Electronic ID (Digital Certificate for the Server Site)
1. Authentication
2. Confidentiality (Privacy)
3. Integrity
4. Availability
5. Non-Repudiation
6. Auditing
Chapter 2 Network Model
Denial-of-Service Attacks (DoS)
A DoS attack makes the Server unavailable to its Users.
1. SYN Flood: TCP packets that start the TCP three-way handshake but never complete it, so the Server fills up with half-open connections; limit new TCP connections at the Firewall (iptables state NEW).
2. DDoS
A distributed DoS comes from many sources at once; defences:
1. Filter packets addressed to the broadcast address.
2. Restrict broadcasts within the Network.
3. Block packets from the Internet by address.
4. Block at the firewall the packet protocols and ports not needed between the Internet and the network.
5. Block packets with forged source addresses.
Spoofing is the forging of an IP address or MAC address; forms of spoofing:
1. IP address spoofing
2. ARP poisoning
3. Web spoofing
4. DNS spoofing
2.10 Packet filtering
The Firewall sits between the outside (Internet or Network Uplink) and the Internal Network. With IPTABLES on Linux it can be built in the following configurations (numbered as in the source):
1. Single Layer Firewall: one Firewall between the Internet and the Internal network, with a Bastion host placed in front of the Internal network.
2. Two Layer Firewall: two Firewalls in series in front of the Internal network; the front Firewall has 3 NICs configured as Exterior, DMZ and Interior, and the NIC of the second Firewall faces the Internal network.
5. Two Layer with merged Bastion Host & Exterior Firewall.
6. Packet filtering and stateful firewall (Gateway Server): the Server is connected to the Internet through the ISP and acts as gateway for the Private IP address range behind it, handling those addresses in the Firewall in place of a Router.
Chapter 3 Kernel Harden
3.1 BIOS
Set a BIOS password and disable booting from removable media (Floppy Disk, USB, CD ROM). This protection is only as good as the physical security of the machine: removing the Battery Backup or using the Reset CMOS switch resets the BIOS and its password.
Disable services that are not needed, for example portmap and rhnsd:
# /etc/init.d/<service> stop
# chkconfig <service> off
Services that remain enabled (runlevel 3): crond, anacron, haldaemon, mcstrans, messagebus, network, restorecond, smartd, syslogd
Passwords
Password cracking tools can be downloaded by any Hacker, so a weak password on the Server will be cracked. The password policy therefore requires a minimum length of 8 characters instead of 6 (enforced through PAM) and the locking of accounts.
Password Length
Password length is enforced through PAM (Pluggable Authentication Module) together with the shadow password file. Edit /etc/pam.d/system-auth and set the options of the pam_cracklib module:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
minlen=8 requires at least 8 characters; lcredit, ucredit, dcredit and ocredit set to -1 each require at least one lowercase letter, one uppercase letter, one digit and one other character. The rules apply when a password is changed with passwd.
Related settings: PASS_MIN_DAYS 7 in /etc/login.defs allows a password to be changed at most once every 7 days; remember=26 (an option of the pam_unix password line) prevents reuse of the last 26 passwords; difok=3 requires the new password to differ from the old one in at least 3 characters:
# vi /etc/pam.d/system-auth
...
password requisite pam_cracklib.so try_first_pass retry=3 difok=3
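The pam_cracklib options above are easiest to understand by running them: this added example (not from the handbook) models the minlen, credit and difok rules of pam_cracklib in Python so that a candidate password can be checked against the same policy before it is set; the dictionary, palindrome and case-change checks of pam_cracklib are not modelled.

```python
"""Checks a candidate password against the pam_cracklib options used on this page."""

# Constructed policy: the values from the system-auth line above.
POLICY = {"minlen": 8, "lcredit": -1, "ucredit": -1, "dcredit": -1,
          "ocredit": -1, "difok": 3}

CLASSES = {
    "lcredit": ("lowercase letter", str.islower),
    "ucredit": ("uppercase letter", str.isupper),
    "dcredit": ("digit", str.isdigit),
    "ocredit": ("other character", lambda c: not c.isalnum()),
}


def class_counts(pw):
    """Number of characters of each class in pw."""
    return {opt: sum(1 for c in pw if test(c)) for opt, (_, test) in CLASSES.items()}


def effective_length(pw, policy=POLICY):
    """pam_cracklib credit arithmetic: a positive credit N adds up to N points
    for that class; a negative value is a minimum count and adds nothing."""
    score = len(pw)
    for opt, n in class_counts(pw).items():
        credit = policy[opt]
        if credit >= 0:
            score += min(n, credit)
    return score


def too_similar(new, old, difok):
    """pam_cracklib's similar() test: the new password passes when at least
    difok characters of the old one are absent from it, or when it is at
    least twice as long as the number of old characters it reuses."""
    reused = sum(1 for c in old if c in new)
    missing = len(old) - reused
    return missing < difok and len(new) < 2 * reused


def check_password(new, old="", policy=POLICY):
    """Return the list of policy violations (empty when the password passes).
    Only the length, class-credit and difok rules are modelled here."""
    problems = []
    for opt, n in class_counts(new).items():
        credit = policy[opt]
        if credit < 0 and n < -credit:
            problems.append("needs at least %d %s(s)" % (-credit, CLASSES[opt][0]))
    if effective_length(new, policy) < policy["minlen"]:
        problems.append("shorter than minlen=%d" % policy["minlen"])
    if old and too_similar(new, old, policy["difok"]):
        problems.append("fewer than difok=%d characters changed" % policy["difok"])
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate) or "OK")
```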
Root account
Root is the administrator account of every UNIX OS and the account a Hacker wants most. Do not stay logged in as root: set a login timeout so that an idle root session is logged out automatically. Add TMOUT to the profile:
# vi /etc/profile
...
HISTSIZE=1000
TMOUT=3600
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE TMOUT INPUTRC
3600 seconds is 1 hour (60 x 60 = 3600); after this idle time linux logs the root account out. Log out and log in again as root for the new profile to take effect.
GRUB password
# grub-md5-crypt
Password: <password>
$1$0WXVJ$siSTEUxO.X7qx56RIwggD1
grub-md5-crypt prints the MD5 hash of the password entered; put the hash into grub.conf:
# vi /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hda9
# initrd /initrd-version.img
#boot=/dev/hda
password --md5 $1$0WXVJ$siSTEUxO.X7qx56RIwggD1
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Linux Server (2.6.22.14-72.fc6)
root (hd0,0)
Ctrl+Alt+Del and virtual consoles
Ctrl+Alt+Del reboots the machine from the keyboard. A reboot is a cold start, the same as pressing Reset or Power on a PC, and an Internet Server that runs 24 hours a day on a UPS must not be restarted that way by whoever reaches the keyboard. Limit the virtual consoles (the mingetty entries in /etc/inittab) to tty1 and tty2 by commenting out the rest:
2:2345:respawn:/sbin/mingetty tty2
# 3:2345:respawn:/sbin/mingetty tty3
# 4:2345:respawn:/sbin/mingetty tty4
# 5:2345:respawn:/sbin/mingetty tty5
# 6:2345:respawn:/sbin/mingetty tty6
and tell init to re-read the file:
# /sbin/init q
Likewise allow root to log in only on tty1 (the list of permitted terminals, in the /etc/securetty format):
# vc/11
tty1
# tty2
# tty3
# tty4
# tty5
# tty6
Console users
A user at the Console, or a Hacker who gets to it, can run poweroff, reboot and halt and take the Server down, because Linux lets a console login run these scripts after authenticating through PAM. Remove the console permission files:
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/reboot
rm -f /etc/security/console.apps/shutdown
TCP Wrappers and host lookup
An Internet Server resolves host names to ip addresses as configured in /etc/host.conf: the hosts file is consulted first, then dns (bind), and spoofed addresses are rejected:
# vi /etc/host.conf
order hosts, bind (hosts file before DNS)
multi on (return all ip addresses of a host)
nospoof on (reject an ip address whose reverse lookup does not give back the same host name)
Services and ports
Service Names with their port and protocol follow RFC 1700 (Assigned Numbers); the Server and its clients must agree on the same port and protocol.
Accounts
Linux as an Internet Server inherits from UNIX a number of special user accounts that were never meant to log in. Remove the users and groups that are not needed:
# userdel username
# groupdel groupname
for example:
# userdel adm
# userdel lp
# userdel shutdown
# userdel halt
# userdel news
# userdel operator
# userdel mailnull
# userdel games
# userdel gopher
# userdel ftp
# userdel vcsa
userdel leaves the home directory in place; the parameter -r (userdel -r username) removes the home directory as well. The groups:
# groupdel adm
# groupdel lp
# groupdel news
# groupdel games
# groupdel dip
# groupdel pppusers
# groupdel popusers
# groupdel slipusers
The User and Group lists differ between Versions. Create an ordinary user account for administration so that root does not log in directly:
# useradd admin
# passwd admin
Restricting su to root
On linux, root logs in only on a tty, never by remote login; an ordinary user logs in and uses su to become root. Restrict su to the members of the wheel group:
# vi /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
Read-only partitions
Mount /boot read-only in /etc/fstab:
/dev/sda1 /boot ext3 ro 0 0
A partition mounted ro cannot be written to while the server runs, which stops a Hacker from altering it. /usr can be mounted ro in the same way on a server that does not compile software; remount it when installing from CD, then return it to the default.
RPM
RedHat Linux uses rpm to Install, Erase and Update packages. A Server installs no packages after setup, so restrict rpm to root, or move it off the machine onto a floppy:
# chmod 700 /bin/rpm
# mount /dev/fd0
# mv /bin/rpm /mnt/floppy
# umount /dev/fd0
With mode 700 only root can run rpm; moved to /mnt/floppy, rpm is not available to a Hacker who gets into the Server.
Shell Logging
Linux keeps the command history (recalled with the Up arrow key) in the file .bash_history in each user's home directory, 1000 commands by default. A command line that carries a password is stored there as well and can be read by whoever obtains the file. Reduce the history in the profile:
# vi /etc/profile
change HISTSIZE to
HISTSIZE=10
HISTFILESIZE=0
OS banner
At boot and at login the OS announces its version, e.g. Fedora Release 8.x, which tells anyone connecting which version the Server runs. Remove the banner files:
# rm -f /etc/issue
# rm -f /etc/issue.net
After logout and login the version is no longer displayed.
SUID/SGID root-owned programs
Linux controls access through permissions. A root-owned program whose permission carries the SUID or SGID bit (+s, octal 04000 or 02000, shown as -rwsr-xr-x or -r-xr-sr-x) runs with root's permissions whatever user starts it, and is a favourite Back door on a server. Remove the bit with chmod a-s <program name> from programs that:
- are not needed at all
- are used only by root
- are run after su to root
Step 1: list the files carrying the +s flag with find (su itself must keep it).
Step 2: remove the flag with chmod:
# chmod a-s /usr/bin/chage
# chmod a-s /usr/bin/gpasswd
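Step 1 is usually done with find; this added example (not part of the handbook) does the same audit in Python, staying on one file system like find -xdev, and compares the result with an approved list so that only unexpected +s files are reported for chmod a-s. The sample tree in demo() is constructed for the self-test.

```python
"""Audit of SUID/SGID files: lists every regular file that carries the +s
flag below a directory and reports those not in an approved baseline."""
import os
import stat
import sys
import tempfile


def setid_files(root):
    """Return {path: mode string} for regular files with SUID or SGID set,
    staying on the file system that root lives on (like find -xdev)."""
    found = {}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for d in dirnames:
            try:
                if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                    keep.append(d)
            except OSError:
                pass
        dirnames[:] = keep          # prune other file systems (/proc, /sys, ...)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = stat.filemode(st.st_mode)
    return found


def unexpected(found, baseline):
    """Paths with +s that are not on the approved list (candidates for chmod a-s)."""
    return sorted(p for p in found if p not in baseline)


def demo():
    """Constructed sample tree (not a real system scan) for a self-test."""
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "bin"))
    modes = {"su": 0o4755, "chage": 0o4755, "wall": 0o2755, "ls": 0o755}
    for name, mode in modes.items():
        path = os.path.join(d, "bin", name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    found = setid_files(d)
    baseline = {os.path.join(d, "bin", "su")}      # su needs SUID root
    return ({os.path.relpath(p, d): m for p, m in found.items()},
            [os.path.relpath(p, d) for p in unexpected(found, baseline)])


if __name__ == "__main__":
    top = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for path, mode in sorted(setid_files(top).items()):
        print(mode, path)
```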
Kernel parameters
The kernel parameters of a Linux Server that affect network security can be set in two ways: echo a value into the file under /proc/sys, which takes effect at once but is lost at reboot (so the command is put into /etc/rc.local), or set the parameter in /etc/sysctl.conf, which is read at boot. The Server should set the following:
1. Ignore ping
A Ping of Death floods the Server with ICMP echo packets; a firewall Script can drop ping as well. To ignore all ICMP echo requests:
# vi /etc/sysctl.conf
add
net.ipv4.icmp_echo_ignore_all = 1
then
# /etc/rc.d/init.d/network restart
or apply it without restarting the network:
# sysctl -w net.ipv4.icmp_echo_ignore_all=1
2. Ignore broadcasts
An ICMP echo sent to the broadcast address of the Network (e.g. 192.168.1.255) is answered by every ip address on the Network, which amplifies the traffic. Do not answer them:
# vi /etc/sysctl.conf
add
net.ipv4.icmp_echo_ignore_broadcasts = 1
then
# /etc/rc.d/init.d/network restart
or without restarting the network:
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
3. Source routing
Routing is the job of the Routing Protocol, not of the Server. IP Source Routing lets the sender of a packet dictate the route it takes, which can be used to steer traffic around the normal ip routing; do not accept source-routed packets:
# vi /etc/sysctl.conf
add
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
then
# /etc/rc.d/init.d/network restart
or without restarting the network:
# sysctl -w net.ipv4.conf.all.accept_source_route=0
# sysctl -w net.ipv4.conf.default.accept_source_route=0
5. ICMP redirects
An icmp redirect packet tells a host to send its traffic through another router, changing the host's routing table. Do not accept them on the Server:
# vi /etc/sysctl.conf
add
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
then
# /etc/rc.d/init.d/network restart
or without restarting the network:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0
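The four kernel settings above are easy to lose between reinstalls, so this added example (not from the handbook) parses a sysctl.conf, compares it with the values recommended here and prints the sysctl -w commands for whatever is missing or wrong. The sysctl.conf text is a constructed sample.

```python
"""Audit a sysctl.conf against the kernel parameters recommended above and
produce the sysctl -w commands that would apply the missing ones."""

# The six values this page sets (table constructed from the steps above).
RECOMMENDED = {
    "net.ipv4.icmp_echo_ignore_all": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
}


def parse_sysctl_conf(text):
    """Parse 'key = value' lines. Lines beginning with '#' or ';' are comments
    (sysctl.conf(5)); a key written with slashes (net/ipv4/...) is normalised
    to the dotted form."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.replace("/", ".")] = value
    return settings


def audit(settings, recommended=RECOMMENDED):
    """Return [(key, current, wanted)] for every recommended key that is
    absent or set to another value; current is None when the key is absent."""
    return [(key, settings.get(key), want)
            for key, want in recommended.items()
            if settings.get(key) != want]


def remediation(findings):
    """sysctl -w takes key=value as one argument (no spaces around '=')."""
    return ["sysctl -w %s=%s" % (key, want) for key, _, want in findings]


# Constructed sample /etc/sysctl.conf for the self-test below.
SAMPLE = """\
# Kernel sysctl configuration file (constructed sample)
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_all = 1
; still answering broadcast pings:
net.ipv4.icmp_echo_ignore_broadcasts=0
net/ipv4/conf/all/accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
"""

if __name__ == "__main__":
    for line in remediation(audit(parse_sysctl_conf(SAMPLE))):
        print(line)
```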
10. .rhosts files
A .rhosts file in a home directory on the Server lets the hosts listed in it log in Remotely without a password. Search the Server for them:
# find /home -name .rhosts
and run the search from crontab every day, with the result mailed to the Server administrator:
# vi /etc/cron.daily/rhosts.cron
The script runs as root and searches for .rhosts files:
#!/bin/sh
/usr/bin/find /home -name .rhosts | (cat <<EOF
Chapter 4 Web Server Security
Web Server
The Web Server of a Linux Internet Server is Apache (httpd, Open source). Add a user webmaster and Change Owner of /home/httpd to webmaster, so that webmaster uploads the Webpages through ftp. The Server listens on Port 80, which is opened in the Firewall. The 20 steps for securing the Web Server:
1. Update httpd to the latest Version.
2. Hide the Version in httpd.conf:
# vi /etc/httpd/conf/httpd.conf
change
ServerSignature On
to
ServerSignature Off
and
ServerTokens OS
to
ServerTokens Prod
:wq
An Error 4xx page then shows the Web Browser only
Bad Request
Your browser sent a request that this server could not understand.
without the OS and Apache Version of the Web Server.
3. Run httpd as its own User and Group apache, not as User nobody, which the mail server uses; in httpd.conf:
User apache
Group apache
4. Lock down the Web root in httpd.conf:
# vi /etc/httpd/conf/httpd.conf
change
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
to
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
:wq
so that no Options and no Override are allowed anywhere by default, and each Directory enables only the Options it needs.
5. Disable directory listing: in each Directory whose Options tag is not None, add
Options -Indexes
6. Disable SSI (Server Side Include): in each Directory whose Options tag is not None, add
Options -Includes
7. Disable cgi (CGI) execution: in each Directory whose Options tag is not None, add
Options -ExecCGI
8. Disable following symbolic links: in each Directory whose Options tag is not None, add
Options -FollowSymLinks
9. Where the Options tag is not None, steps 5, 6, 7 and 8 can be combined on one line:
Options -ExecCGI -FollowSymLinks -Indexes
10. Protect .htaccess and .htpasswd: deny access to every file whose name begins with .ht:
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
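Steps 2 and 5 to 9 are hard to verify by eye in a large httpd.conf because Options are inherited from parent Directory blocks and +/- entries merge with them; this added example (not from the handbook) resolves the effective Options of every <Directory> the way Apache merges them and reports the risky ones together with the ServerTokens/ServerSignature settings. The httpd.conf text is a constructed sample.

```python
"""Works out the effective Options of every <Directory> in an httpd.conf
the way Apache merges them, and flags the settings steps 2 and 5-9 turn off."""
import re

ALL_OPTIONS = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
               "Indexes", "SymLinksIfOwnerMatch"}      # what 'All' expands to
RISKY = {"Indexes", "Includes", "ExecCGI", "FollowSymLinks"}


def parse_httpd_conf(text):
    """Return (top-level ServerTokens/ServerSignature, {dir: [Options tokens]})."""
    top, dirs, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.IGNORECASE)
        if m:
            current = m.group(1).rstrip("/") or "/"
            dirs.setdefault(current, [])
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        parts = line.split()
        if current is not None and parts[0].lower() == "options":
            dirs[current].append(parts[1:])
        elif current is None and parts[0] in ("ServerTokens", "ServerSignature"):
            top[parts[0]] = parts[1]
    return top, dirs


def merge_options(inherited, tokens):
    """Apache rule: tokens with +/- modify the inherited set, a plain list
    replaces it; 'None' clears everything and 'All' expands to ALL_OPTIONS."""
    if any(t[0] in "+-" for t in tokens):
        result = set(inherited)
        for t in tokens:
            if t.startswith("+"):
                result.add(t[1:])
            elif t.startswith("-"):
                result.discard(t[1:])
        return result
    result = set()
    for t in tokens:
        if t == "All":
            result |= ALL_OPTIONS
        elif t != "None":
            result.add(t)
    return result


def effective_options(dirs):
    """Resolve inheritance: each directory starts from its nearest ancestor."""
    effective = {}
    for path in sorted(dirs, key=len):
        parents = [p for p in effective if path.startswith(p.rstrip("/") + "/")]
        opts = set(effective[max(parents, key=len)]) if parents else set()
        for tokens in dirs[path]:
            opts = merge_options(opts, tokens)
        effective[path] = opts
    return effective


def audit(text):
    """Return (banner settings that still leak, {directory: risky options})."""
    top, dirs = parse_httpd_conf(text)
    findings = {}
    if top.get("ServerTokens") != "Prod":
        findings["ServerTokens"] = top.get("ServerTokens", "default")
    if top.get("ServerSignature") != "Off":
        findings["ServerSignature"] = top.get("ServerSignature", "default")
    risky = {d: sorted(o & RISKY) for d, o in effective_options(dirs).items() if o & RISKY}
    return findings, risky


# Constructed sample httpd.conf for the self-test below.
SAMPLE = """\
ServerTokens OS
ServerSignature On
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/static">
    Options -Indexes -FollowSymLinks
</Directory>
<Directory "/var/www/cgi-bin">
    Options +ExecCGI
</Directory>
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```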
11. The mod_security Module, downloaded from http://www.modsecurity.org/, filters requests before they reach the Web application and provides:
Simple filtering
Regular Expression based filtering
URL Encoding Validation
Unicode Encoding Validation
Auditing
Null byte attack prevention
Upload memory limits
Server identity masking
Built in Chroot support
Rule sets are published at http://gotroot.com/ and http://www.tatica.org/. For Fedora, download mod_security from http://hany.sk/mirror/fedora/extras/6/i386/ (mod_security-2.1.3-1.fc6.i386.rpm) and install it:
# rpm -ivh mod_security-2.1.3-1.fc6.i386.rpm
The rule files are downloaded from http://www.gotroot.com, following the HOWTO at http://www.tatica.org/tux/manual/mod_security-fc6_HOWTO.html. Create a Directory for the Configuration and fetch the rules:
# mkdir /etc/modsecurity
# cd /etc/modsecurity
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/exclude.conf
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist.conf
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/blacklist2.conf
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/useragents.conf
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf
# wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-rules.conf
Create mod_security.conf:
# vi /etc/httpd/conf.d/mod_security.conf
and copy the configuration below into it, together with the conf files downloaded with wget. Note that the SecFilter* and SecServerResponseToken directives below are ModSecurity 1.x syntax; ModSecurity 2.x (the security2_module loaded at the top) replaces them with SecRule and related directives, so the file has to be adapted to the installed version.
# Example configuration file for the mod_security Apache module
LoadFile /usr/lib/libxml2.so.2
LoadModule security2_module modules/mod_security2.so
#LoadModule unique_id_module modules/mod_unique_id.so
#<IfModule mod_security2.c>
# This is the ModSecurity Core Rules Set.
# Basic configuration goes in here
# Include modsecurity.d/modsecurity_crs_10_config.conf
# Protocol violation and anomalies.
# These are disabled as there's a bug in REQUEST_FILENAME handling
# causing the "+" character to be incorrectly handled.
# Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
# Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1
SecServerResponseToken Off
#If you want to scan the output, uncomment these
SecFilterScanOutput On
SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
Timeout 45
15. Limit the upload size to defend against Denial of Service: the default is Unlimited; limit it to 1 MB in httpd.conf:
LimitRequestBody 1048576
Larger uploads are rejected. LimitRequestFields and LimitRequestFieldSize can be set in the same way; see http://httpd.apache.org/docs/2.0/mod/core.html
16. The XML request body is limited to 1 MB by default; if mod_dav (WebDAV) is used, raise it to 10 MB in httpd.conf:
LimitXMLRequestBody 10485760
17. Set MaxClients in httpd.conf to the load the Server is meant to carry, together with MaxSpareServers, MaxRequestsPerChild, ThreadsPerChild, ServerLimit and MaxSpareThreads, according to the Hardware.
18. Restrict access to the Server by IP Address, e.g. to the Network 203.172.0.0/16, in httpd.conf:
Order Deny,Allow
Deny from all
Allow from 203.172.0.0/16
or to a single IP Address:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
19. KeepAlive lets a client reuse one connection for several requests. With KeepAlive Off every request opens a new connection; with KeepAlive On, MaxKeepAliveRequests (default 100; 0 means Unlimited) and KeepAliveTimeout (default 15 seconds) control how long a connection is held, which can cut the load on the Server by about 50 % and shortens the log file.
20. Secure Socket Layer (SSL). A Web Application that asks for a User/Password over Port 80 sends it in the clear, where Sniffer Software on the same Network Segment (behind a Layer 3 Switch, or on Wireless) reads it. The Login (Link) therefore goes to Port 443 (SSL).
20.1 Remove the pass phrase from server.key so that httpd can start unattended:
# openssl rsa -in /etc/pki/tls/private/server.key -out /etc/pki/tls/private/server.key
Enter pass phrase for /etc/pki/tls/private/server.key:
and limit server.key to root:
# chmod 600 /etc/pki/tls/private/server.key
20.2 Create the certificate request server.csr for the Web Server:
# openssl req -new -key /etc/pki/tls/private/server.key -out /etc/pki/tls/certs/server.csr
answering the questions (Enter keeps the default):
Country Name (2 letter code) [GB]:TH
State or Province Name (full name) [Berkshire]:Phitsanulok
Locality Name (eg, city) [Newbury]:Muang
Organization Name (eg, company) [My Company Ltd]:Technical College
Organizational Unit Name (eg, section) []:Electrical Power
Common Name (eg, your name or your server's hostname) []:fbi.mine.nu
Email Address []:webmaster@mine.nu
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
Test the configuration (httpd -t); when it reports Syntax OK, restart the Server:
# /etc/init.d/httpd restart
Then protect the Configuration Files against changes:
# chattr +i /etc/httpd/conf/httpd.conf
# chattr +i /etc/httpd/conf.d/ssl.conf
Of the Web Server only Ports 80 and 443 (HTTP, HTTPS) are reachable from a Web Browser, and so from a Hacker; the OS and Software behind them are what the steps above protect. SSL in Apache requires the httpd shipped with Linux to be compiled with the SSL module.
Commands used in this chapter
ifup <ethx> : bring up ethernet interface eth0 or eth1
ifdown <ethx> : bring down ethernet interface eth0 or eth1
chkconfig <service> [on,off] : enable or disable a service at boot
chattr [+,-]i file/dir : set or clear the immutable attribute
useradd <username> : add a user account
passwd <username> : set a password
userdel <username> : delete a user account
groupdel <groupname> : delete a group
mount : mount a CD Drive, USB, etc.
umount : unmount a mounted device
mv : move files or directories
chmod +,- r,w,x [file,dir] : change the permission of a file/dir
rm -f(r) file/dir : remove files or directories
find : search for files/dirs
Chapter 5 Mail Server Security
Mail Server
The Mail Server is Sendmail (Open source); administrator tools: newaliases, makemap, mailq; user tools: mailstats, praliases. Sendmail is installed with Linux and speaks the SMTP protocol on port 25; it is configured here first on port 25 and then with SSL (Secure Socket Layer).
Section 1: Sendmail on Port 25
Step 1: Update the Server:
# yum update sendmail
Link the mail and procmail programs into smrsh, the restricted shell that sendmail.cf uses in place of sh, so that a User's .forward file in the home directory can run only these programs:
# cd /etc/smrsh
# ln -s /bin/mail mail
# cd /etc/smrsh
# ln -s /usr/bin/procmail procmail
Step 2: Create the Maildir skeleton for procmail:
# mkdir -p /etc/skel/Maildir/new
# mkdir -p /etc/skel/Maildir/cur
# mkdir -p /etc/skel/Maildir/tmp
# chmod -R 700 /etc/skel/Maildir/
Step 3: Configuration file of procmail:
# vi /etc/procmailrc
PATH=/usr/bin:/bin
SHELL=/bin/bash
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
DROPPRIVS=yes
Step 4: Start the saslauthd service:
# /etc/init.d/saslauthd restart
# chkconfig saslauthd on
Step 5: The access file:
# vi /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
# relaying from the local network <IP Address>
Connect:192.168.1.0/24 RELAY
save in vi with
:wq
and build the database with makemap:
# makemap hash /etc/mail/access.db < /etc/mail/access
Step 6: local-host-names lists every domain and host alias this machine accepts mail for:
# vi /etc/mail/local-host-names
# local-host-names - include all aliases for your machine here.
sample.co.th
mail.sample.co.th
save in vi with
:wq
Step 7: The authinfo file:
# vi /etc/mail/authinfo
AuthInfo:mail.sample.co.th "U:<username>" "I:<identity>" "P:<password>" "M:LOGIN PLAIN"
:wq
Step 8: Set the mode of authinfo to 600:
# chmod 600 /etc/mail/authinfo
Step 9: Build authinfo.db with makemap:
# makemap hash /etc/mail/authinfo.db < /etc/mail/authinfo
Step 10: Edit sendmail.mc:
# vi /etc/mail/sendmail.mc
...
dnl # Do not advertize sendmail version.
dnl #
define(`confSMTP_LOGIN_MSG',`unknown')dnl
...
define(`SMART_HOST', `mail.sample.co.th')dnl
...
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
...
FEATURE(`blacklist_recipients')dnl
dnl # blacklists: http://www.technoids.org/dnsbl.html
FEATURE(dnsbl,`relays.ordb.org')dnl
FEATURE(dnsbl,`list.dsbl.org')dnl
FEATURE(dnsbl,`sbl-xbl.spamhaus.org')dnl
dnl EXPOSED_USER(`root')dnl
...
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
...
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
...
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl FEATURE(`accept_unresolvable_domains')dnl
...
LOCAL_DOMAIN(`localhost.localdomain')dnl
define(`confDOMAIN_NAME', `mail.sample.co.th')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
MASQUERADE_AS(`sample.co.th')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
FEATURE(masquerade_envelope)dnl
dnl #
Restart sendmail:
# /etc/init.d/sendmail restart
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
Step 13: Deliver root's mail to the administrator:
# vi /etc/aliases
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
root: admin,admin@sample.co.th
save in vi with
:wq
and rebuild the aliases database with newaliases:
# newaliases
After step 13 sendmail is configured. Additional configuration:
1. Keep the aliases file (vi /etc/aliases) up to date with the accounts that receive mail:
# vi /etc/aliases
2. Hide the Sendmail version in the SMTP greeting of the Server. In sendmail.cf (vi /etc/mail/sendmail.cf) change
# vi /etc/mail/sendmail.cf
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
to
O SmtpGreetingMessage=$j
and restart:
# /etc/init.d/sendmail restart
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
Note that sendmail.cf is regenerated from sendmail.mc, so an edit made there is lost at the next rebuild; confSMTP_LOGIN_MSG in step 10 sets the same option permanently.
3. Set the immutable flag on the configuration files:
# chattr +i /etc/mail/sendmail.cf
# chattr +i /etc/mail/local-host-names
# chattr +i /etc/aliases
# chattr +i /etc/mail/access
Section 2: Sendmail with smtps (SSL) on Port 465 and Dovecot with imaps on Port 993, for Web-based e-mail clients
Step 1: On the Linux Server running Sendmail, set in the Dovecot configuration:
ssl_disable = no
ssl_verify_client_cert = no
ssl_parameters_regenerate = 168
ssl_cipher_list = ALL:!LOW
ssl_cert_file = /etc/pki/tls/certs/sendmail.pem <- the certificate file
ssl_key_file = /etc/pki/tls/certs/sendmail.pem <- the key file
disable_plaintext_auth = yes <- change no to yes
protocols = imaps pop3s
save in vi with
:wq
Step 5: Restart the services:
# /etc/init.d/sendmail restart
# /etc/init.d/dovecot restart
Step 6: Open ports 465 and 993 in the Firewall:
# vi /etc/sysconfig/iptables
... the rules for port 25, 465 and 993:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --syn --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT
save in vi with
:wq
and restart the service:
# /etc/init.d/iptables restart
With a Firewall script instead, the three ports are opened with:
iptables -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --syn --dport 25 -j ACCEPT <-- for TLS encryption (and basic SMTP)
iptables -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT <-- for SSL encryption
iptables -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT <-- for SSL encryption
and the firewall is restarted.
Chapter 6 DNS Server Security
DNS Server Configuration
The DNS Server is bind (Open source); tools: nslookup, host. DNS resolves the Domain Name under which the Web site and the other servers are reached, so the DNS Server must give correct answers and only to those who are entitled to them.
Section 1: Configuring bind 9.x.x
On an Internet Server the DNS Service runs in a Chroot jail under /var/named/chroot; with this version the zone files are kept in /var/named inside the jail.
1. Update bind:
# yum update bind
2. Set the mode of named to 750:
# ls -l /usr/sbin/named
if it is not 750, change it with chmod:
# chmod 750 /usr/sbin/named
3. Deny the named account the ftp service (for the vsftpd ftp server):
# echo "named" >> /etc/vsftpd/ftpusers
4. Set the permissions of the /var/named directory. On the Primary the group gets no write permission; on the Secondary named must be able to write the slave zone files:
Primary DNS
# chown -R root.named /var/named/chroot/var/named
# chmod 750 /var/named/chroot/var/named
# chmod -R go-w /var/named/chroot/var/named
Secondary DNS
# chown -R root.named /var/named/chroot/var/named
# chmod 770 /var/named/chroot/var/named
5. Remove SUID/SGID bits (see Chapter 3 Kernel harden):
# find /usr/sbin -type f -exec chmod ug-s {} \;
Edit named.conf:
# vi /var/named/chroot/etc/named.conf
// Authorized source addresses.
acl "trusted" {
localhost;
};
// Known fake source addresses shouldn't be replied to.
acl "blocked" {
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
192.0.2.0/24;
224.0.0.0/3;
169.254.0.0/16;
// Enterprise networks may or may not be bogus.
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
options {
directory "/var/named";
allow-transfer { none; };
allow-query { trusted; };
allow-recursion { trusted; };
blackhole { blocked; };
tcp-clients 32;
forwarders { 192.168.1.5; 192.168.1.6; };
version "New version";
};
logging {
category lame-servers { null; };
};
// Root server hints
zone "." { type hint; file "db.cache"; };
Generating the TSIG key ns1-ns2 with dnssec-keygen (HMAC-MD5, algorithm 157) produces the key pair Kns1-ns2.+157+45508 in two files:
Kns1-ns2.+157+45508.key
Kns1-ns2.+157+45508.private
Step 2: Read the secret from the private key file:
# cat Kns1-ns2.+157+45508.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: EJF5ryfnLcD6XwUbh+JE4g==
Step 3: Delete the key files:
# rm -f Kns1-ns2.+157+45508.key
# rm -f Kns1-ns2.+157+45508.private
Step 4: Put the key into named.conf (vi /var/named/chroot/etc/named.conf) on both the Primary and the Secondary, with the same algorithm and secret on both:
key ns1-ns2 {
algorithm hmac-md5;
secret "EJF5ryfnLcD6XwUbh+JE4g==";
};
The named.conf of the Primary:
#vi /var/named/chroot/etc/named.conf
key ns1-ns2 {
algorithm hmac-md5;
secret "EJF5ryfnLcD6XwUbh+JE4g==";
};
// Authorized source addresses.
acl "trusted" {
localhost;
192.168.100.0/24;
192.168.0.0/24;
};
// Known fake source addresses shouldn't be replied to.
acl "blocked" {
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
192.0.2.0/24;
224.0.0.0/3;
169.254.0.0/16;
// Enterprise networks may or may not be bogus.
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
options {
directory "/var/named";
allow-transfer { 192.168.100.5; };
allow-query { trusted; };
allow-recursion { trusted; };
blackhole { blocked; };
tcp-clients 1024;
forwarders { none; };
version "New version";
};
logging {
category lame-servers { null; };
};
// Root server hints
zone "." { type hint; file "db.cache"; };
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
notify no;
};
zone "sample.co.th" {
type master;
file "db.sample";
allow-query { any; };
};
zone "100.168.192.in-addr.arpa" {
type master;
file "db.192.168.100";
allow-query { any; };
};
logging {
category lame-servers { null; };
};
// Root server hints
zone "." { type hint; file "db.cache"; };
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
notify no;
};
zone "sample.co.th" {
type slave;
file "db.sample";
masters { 192.168.100.4; };
allow-query { any; };
};
zone "100.168.192.in-addr.arpa" {
type slave;
file "db.192.168.100";
masters { 192.168.100.4; };
allow-query { any; };
};
In /var/named/chroot/etc/named.conf the Secondary/Slave name server is 192.168.100.5 (Private IP network 192.168.0.0/24); the server statement binds the key to it, so that messages exchanged with it are signed:
#vi /var/named/chroot/etc/named.conf
key ns1-ns2 {
algorithm hmac-md5;
secret "EJF5ryfnLcD6XwUbh+JE4g==";
};
server 192.168.100.5 {
keys { ns1-ns2 ;};
};
* ! 1 6 M 2 7 0 Permission 4 named
0M Primary Secondary
# chmod 600 /var/named/chroot/etc/named.conf
# /etc/init.d/named restart
Shutting down named: [OK]
Starting named: [OK]
With TSIG configured on both the Primary and the Secondary, the key can be used to control zone transfers instead of relying on the source address alone. In named.conf on the Primary Name Server the line to change is allow-transfer { 192.168.100.5; };:
# vi /var/named/chroot/etc/named.conf
allow-transfer { 192.168.100.5; };
zone "sample.co.th" {
type master;
file "db.sample";
Step 4: Encryption algorithm. BIND 9 reads the key's algorithm and secret from named.conf. DNS server version 9 accepts HMAC-MD5 keys of any length from 1 to 512 bits; the key used above is 128 bits. The example below generates a longer key, 352 bit (60 byte):
# dnssec-keygen -a hmac-md5 -b 352 -n user rndc
Krndc.+157+44283
This creates two files, Krndc.+157+44283.key and Krndc.+157+44283.private.
Step 2: read the key from Krndc.+157+44283.private:
#cat Krndc.+157+44283.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: RZfsvIRU0DY8/tC0OcXXISiYUO0rWtizlEoP49cw6PTTYBWVhh4hjiCxcKo=
Step 3: once the secret has been copied into named.conf, remove the key files:
# rm -f Krndc.+157+44283.key
# rm -f Krndc.+157+44283.private
algorithm hmac-md5;
secret "EJF5ryfnLcD6XwUbh+JE4g==";
};
server 192.168.100.4 {
keys { ns1-ns2; };
};
key rndckey {
algorithm hmac-md5;
secret "RzfsvIRU0DY8/tC0OcXXISiYUO0rWtizlEoP49cw6PTTYBWVhh4hjiCxcKo=";
};
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { rndckey; };
};
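As an added example (not code from the book), the shell functions below check how many key bits a base64 TSIG secret actually carries, using the two secrets shown above, and print named.conf stanzas that allow zone transfers only to holders of the key instead of to an address; the hmac-sha256 algorithm and the allow-transfer { key ...; } form are this example's additions, while the key name, secret and addresses are the book's.

```shell
#!/bin/sh
# Added example, not code from the book: size-check a TSIG secret and emit
# named.conf stanzas that restrict zone transfers to holders of the key.

# Print the number of key bits a base64 string encodes, derived from its
# length and padding (no base64 tool needed). Prints 0 for malformed input.
tsig_secret_bits() {
    s=$1
    len=${#s}
    pad=0
    case $s in
        *==) pad=2 ;;
        *=)  pad=1 ;;
    esac
    if [ "$len" -eq 0 ] || [ $((len % 4)) -ne 0 ]; then
        echo 0
        return 1
    fi
    echo $(( (len / 4 * 3 - pad) * 8 ))
}

# "ok" when the secret has at least 128 bits, otherwise "weak".
tsig_secret_check() {
    bits=$(tsig_secret_bits "$1") || true
    if [ "$bits" -ge 128 ]; then echo ok; else echo weak; fi
}

# Emit the key, the server block for the peer name server and the book's zone
# with transfers allowed only to holders of the key (not to an address, which
# a spoofed packet could claim). hmac-sha256 is this example's choice; the
# book uses hmac-md5.
# $1 key name, $2 base64 secret, $3 address of the other name server
tsig_stanzas() {
    name=$1 secret=$2 peer=$3
    printf 'key %s {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' "$name" "$secret"
    printf 'server %s {\n\tkeys { %s; };\n};\n' "$peer" "$name"
    printf 'zone "sample.co.th" {\n\ttype master;\n\tfile "db.sample";\n\tallow-transfer { key %s; };\n};\n' "$name"
}

if [ "${1:-}" = --demo ]; then
    tsig_secret_check 'EJF5ryfnLcD6XwUbh+JE4g=='   # ok (128 bits)
    tsig_stanzas ns1-ns2 'EJF5ryfnLcD6XwUbh+JE4g==' 192.168.100.5
fi
```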
Basic vi editor commands used in this book:
i    enter insert mode before the cursor
a    enter insert mode after the cursor
o    open a new line below the cursor and enter insert mode
dd   delete the current line
u    undo the last change
yy   copy (yank) the current line into the buffer
nyy  copy n lines starting at the cursor into the buffer
p    paste the buffer after the cursor line
:set number    show line numbers
:set nonumber  hide line numbers
:w   write (save) the file
ESC :wq   leave insert mode, then save and quit vi
:q!  quit without saving
Chapter 7 FTP Server Security
Configuration
Notes
1. vsftpd is open source.
2. Related commands: ftp, telnet.
Overview
A Linux Internet server usually runs several services (WWW, FTP, Proxy, Mail), and each server's configuration has to be secured. This chapter covers the FTP server, vsftpd.
Step 1: Configure vsftpd.conf, keeping a copy of the original first:
# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.orig
# vi /etc/vsftpd/vsftpd.conf
Basic FTP server settings:
ftpd_banner=Welcome to FTP service.
anon_umask=077
local_umask=022
nopriv_user=ftp
pasv_enable=YES
anon_root=/var/ftp
Anonymous users (the default is NO):
anonymous_enable=YES
Limit the number of simultaneous clients to 500:
max_clients=500
max_per_ip=4 <- maximum connections per IP address
Chroot-jail the listed users to their home directories:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list <- file listing the users to chroot
Chroot every local user account on the server:
chroot_local_user=YES
Step 2: TLS/SSL
Check that the vsftpd binary is linked against the SSL library:
# ldd /usr/sbin/vsftpd |grep ssl
libssl.so.6 => /lib/libssl.so.6 (0x0012c000)
With libssl available, create an RSA private key and a digital certificate and store them together in one PEM file (/etc/pki/tls/certs/vsftpd.pem); the file contains the private key followed by the certificate.
Inspect the certificate:
# openssl x509 -in /etc/pki/tls/certs/vsftpd.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
df:80:aa:a2:23:ec:1a:8a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=TH, ST=Boonlue, L=Phitsanulok, O=No Company, OU=Linux Srever, CN=ftp.sample.co.th/emailAddress=admin@sample.co.th
Validity
Not Before: Dec 30 13:58:51 2007 GMT
Not After : Dec 29 13:58:51 2009 GMT
Subject: C=TH, ST=Boonlue, L=Phitsanulok, O=No company, OU=Linux Server, CN=ftp.sample.co.th/emailAddress=admin@sample.co.th
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Set the file mode to 600 so that only root can read the private key:
# chmod 600 /etc/pki/tls/certs/vsftpd.pem
Point vsftpd.conf at vsftpd.pem:
# vi /etc/vsftpd/vsftpd.conf
# SSL settings
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES <- require SSL for local user logins (NO would allow unencrypted logins)
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem <- the PEM file created above
Save and exit vi:
:wq
Then restart the service:
# /etc/init.d/vsftpd restart
Chapter 8 Secure Shell
Server
Configuration
Notes
1. OpenSSH is open source.
2. Related commands: slogin, sftp.
3. Clients on MS Windows OS can also be used.
Overview
The server's /etc/ssh/sshd_config, with the hardened settings uncommented:
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO
# Authentication:
LoginGraceTime 30s
PermitRootLogin no
#StrictModes yes
MaxAuthTries 4
#RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
............
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowUsers admin
AllowGroups admin
DenyUsers hacker hack
DenyGroups hackgroup
After saving the configuration, restart the SSH service for the changes to take effect.
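As an added example (not code from the book or from OpenSSH), the following shell functions audit an sshd_config for the settings this chapter hardens; the sample configuration is constructed from the active directives shown above, and the default of 6 for MaxAuthTries is OpenSSH's documented default.

```shell
#!/bin/sh
# Added example, not from the book: audit an sshd_config against the settings
# this chapter hardens. sshd uses the first uncommented value of a directive,
# which is what sshd_get returns ("(default)" if the directive is absent).
# Match blocks are not evaluated; this is a plain top-level check.

sshd_get() {  # $1 config file, $2 directive name (case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "(default)" }' "$1"
}

# Print one finding per line for settings that differ from the hardened values.
sshd_audit() {  # $1 config file
    cfg=$1
    v=$(sshd_get "$cfg" PermitRootLogin)
    [ "$v" = no ] || echo "PermitRootLogin is '$v': set it explicitly to no"
    # PermitEmptyPasswords already defaults to no, so only an explicit yes is a finding.
    v=$(sshd_get "$cfg" PermitEmptyPasswords)
    case $v in no|"(default)") ;; *) echo "PermitEmptyPasswords is '$v': set it to no" ;; esac
    # The chapter keeps password logins on; the config's own comment suggests turning them off.
    v=$(sshd_get "$cfg" PasswordAuthentication)
    [ "$v" = no ] || echo "PasswordAuthentication is '$v': use keys and set it to no"
    v=$(sshd_get "$cfg" MaxAuthTries)
    case $v in
        [0-9]*) [ "$v" -le 4 ] || echo "MaxAuthTries is $v: lower it to 4 or less" ;;
        *) echo "MaxAuthTries is unset (default 6): set it to 4" ;;
    esac
    # Without AllowUsers/AllowGroups every account with a shell may log in.
    u=$(sshd_get "$cfg" AllowUsers); g=$(sshd_get "$cfg" AllowGroups)
    [ "$u" != "(default)" ] || [ "$g" != "(default)" ] ||
        echo "no AllowUsers or AllowGroups: restrict who may log in"
}

# Constructed sample: the active directives from the chapter's sshd_config.
sample_sshd_config() {
    cat <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 4
PasswordAuthentication yes
PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
AllowUsers admin
AllowGroups admin
EOF
}

if [ "${1:-}" = --demo ]; then
    f=$(mktemp); sample_sshd_config > "$f"
    sshd_audit "$f"      # reports only PasswordAuthentication
    rm -f "$f"
fi
```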
Chapter 9 Firewall Using IPTABLES
Server
Configuration
Notes
1. iptables is open source.
2. Related commands: ftp, telnet, nmap, netstat.
Overview
IPTABLES is the free firewall software built into the Linux OS; firewall distributions such as Openwall and IPCOP are built on it as well. It supports both IPv4 and IPv6 and ships with kernel 2.4 and kernel 2.6. This chapter uses IPTABLES 1.3.x (iptables 1.4 was also tested). Its policy model differs from that of the older ipchains.
IPTABLES is implemented as kernel modules; rules are kept in tables and applied to packets. There are three tables: the filter table, the nat table and the mangle table. The filter table is the default; its command line options fall into four groups:
1. Chain-related operations on INPUT, OUTPUT, FORWARD and user-defined chains
2. Target disposition: ACCEPT or DROP
3. IP header field match operations: protocol, source and destination address, input and output interface, fragment handling
4. Match operations on TCP, UDP and ICMP header fields
Policy: iptables has 5 built-in chains, and every packet is handled by the rules of the chain it traverses:
- INPUT
- OUTPUT
- FORWARD
- PREROUTING
- POSTROUTING
Unlike ipchains, the firewall starts by setting the default policy of each chain to DROP:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Command syntax:
iptables [-t|--table table] -command [chain] [-i interface] [-p protocol]
[-s address [port[:port]]] [-d address [port[:port]]] -j policy
In the syntax above the pipe [|] means "or": either -t or --table may be written.
[port[:port]] is a single port or a range: 0:1023 means ports 0 through 1023, and 1024: means port 1024 and above.
table selects the table the rule belongs to:
filter  the default table, used for packet filtering (no -t needed)
nat     Network Address Translation
mangle  packet alteration, e.g. for QOS (Quality of Service)
raw     exempting packets from connection tracking in the kernel
command [chain] selects the operation and the chain it applies to (one of the 5 built-in chains or a user-defined chain):
-A --append        append a rule to the chain
-D --delete        delete a rule from the chain
-I --insert        insert a rule at a given position in the chain
-R --replace       replace a rule
-F --flush         flush all rules from the chain
-L --list          list the rules
-N --new-chain     create a new chain
-X --delete-chain  delete a user-defined chain
-P --policy        set the default policy of a chain
-E --rename-chain  rename a chain
The command is followed by rule options:
-i  the interface the packet arrives on
-o  the interface the packet leaves by
-p  the protocol: tcp, udp, icmp
-s  the source IP of the packet (Source)
-d  the destination IP of the packet (Destination)
Common options used in Rule Specifications
Option            Description
-s sourceIP       Match if the packet originated from sourceIP. sourceIP may be an IP address (e.g., 192.168.200.201), network address (e.g., 192.168.200.0/24), or hostname (e.g., woofgang.dogpeople.org). If not specified, defaults to 0/0 (which denotes "any").
-d destinationIP  Match if packet is destined for destinationIP. destinationIP may take the same forms as sourceIP, listed earlier in this table. If not specified, defaults to 0/0.
Rather than typing each rule on the command line, the rules are collected in a script that is run as one unit. A first version of the script:
#!/bin/sh
# Script Created by: Mr.Boonlue Yookong
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack_ftp
# Path to the iptables binary
IPTS="/sbin/iptables"
# Flush old rules, old custom tables
$IPTS -F
$IPTS -F -t nat
$IPTS -X
# Default policy: drop everything on every chain
$IPTS -P INPUT DROP
$IPTS -P FORWARD DROP
$IPTS -P OUTPUT DROP
Save and exit vi:
:wq
Set the file mode to 700:
# chmod 700 /root/test_firewall
Run the script and list the rules:
# /root/test_firewall
# iptables -L -n
Every chain now shows policy DROP.
Step 3: Anti-IP-spoofing rules. Packets with a forged source address are written to the log file and dropped:
# Drop packets arriving with a spoofed (reserved or private) source address
$IPTS -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
$IPTS -A INPUT -s 255.0.0.0/8 -j DROP
$IPTS -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
$IPTS -A INPUT -s 0.0.0.0/8 -j DROP
$IPTS -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
$IPTS -A INPUT -s 127.0.0.0/8 -j DROP
$IPTS -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed source IP!"
$IPTS -A INPUT -s 192.168.0.0/16 -j DROP
$IPTS -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP!"
$IPTS -A INPUT -s 172.16.0.0/12 -j DROP
$IPTS -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
$IPTS -A INPUT -s 10.0.0.0/8 -j DROP
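As an added example (not code from the book), the shell functions below generate the LOG+DROP rule pairs above from a list of networks and then summarise the kernel log lines the LOG target produces, so the anti-spoofing rules can be reviewed from the log; the log lines are constructed in the LOG target's format, not captured from a real host, and the firewall address 203.254.25.82 is the one used later in this chapter.

```shell
#!/bin/sh
# Added example, not from the book: (1) generate the LOG+DROP rule pairs the
# anti-spoofing section uses from a list of bogus source networks, and
# (2) summarise the kernel log lines those LOG rules produce.

# Emit one LOG and one DROP rule per network. The prefix gets a trailing
# space so the kernel log reads "Spoofed source IP! IN=eth0 ..." instead of
# "Spoofed source IP!IN=eth0", which keeps the fields parseable.
# $1 iptables path (e.g. /sbin/iptables), remaining args: networks in CIDR.
antispoof_rules() {
    ipt=$1; shift
    for net in "$@"; do
        printf '%s -A INPUT -s %s -j LOG --log-prefix "Spoofed source IP! "\n' "$ipt" "$net"
        printf '%s -A INPUT -s %s -j DROP\n' "$ipt" "$net"
    done
}

# Read syslog lines on stdin and print "count SRC IN" for every source
# address that hit the anti-spoofing LOG rule, most frequent first.
spoof_log_summary() {
    grep -F 'Spoofed source IP!' |
    awk '{
        src = ""; iface = ""
        if (match($0, /SRC=[^ ]+/)) src = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /IN=[^ ]+/))  iface = substr($0, RSTART + 3, RLENGTH - 3)
        if (src != "") count[src " " iface]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# Constructed sample log lines in the format the LOG target writes (not
# captured from a real host; MAC addresses are from the documentation range).
sample_spoof_log() {
    cat <<'EOF'
Jan  3 13:05:01 fw kernel: Spoofed source IP! IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=10.0.0.5 DST=203.254.25.82 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  3 13:05:02 fw kernel: Spoofed source IP! IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=10.0.0.5 DST=203.254.25.82 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  3 13:05:03 fw kernel: Spoofed source IP! IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=127.0.0.1 DST=203.254.25.82 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=58
Jan  3 13:05:04 fw sshd[2171]: Accepted publickey for admin from 192.168.100.7 port 40122 ssh2
EOF
}

if [ "${1:-}" = --demo ]; then
    antispoof_rules /sbin/iptables 255.0.0.0/8 0.0.0.0/8 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
    sample_spoof_log | spoof_log_summary    # 2 10.0.0.5 eth0 / 1 127.0.0.1 eth0
fi
```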
Step 2: verify the result with an nmap scan from another host:
# nmap -sURT -F -P0 -O 192.168.1.11
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-03 13:05 ICT
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open
and 1 closed TCP port
Interesting ports on 192.168.1.11:
Not shown: 1239 filtered ports, 1010 open|filtered ports
PORT STATE SERVICE VERSION
1379/udp closed dbreporter
1399/udp closed cadkey-licman
2045/udp closed cdfunc
5011/udp closed telelpathattack
32773/udp closed sometimes-rpc10
32779/udp closed sometimes-rpc22
MAC Address: 00:C1:28:01:9C:4E (Unknown)
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 809.294 seconds
With these iptables rules in place, a port scan sees the firewall's ports as filtered. The script can be extended with the following features:
1. Host Forwarding / Destination NAT (DNAT). Host forwarding lets a site whose firewall holds the public IP addresses pass connections on to servers that have private IP addresses; with DNAT, a connection to a service on a public address is transparently forwarded to the server in the DMZ that provides that public service.
Example 1: the firewall has a block of 8 IP addresses
ADDRESS BLOCK          IP ADDRESS
Network Address        203.254.25.80/29
Network Mask           255.255.255.248
Router Address         203.254.25.81
Firewall/DNS Address   203.254.25.82
First Host Address     203.254.25.83
Last Host Address      203.254.25.86
Broadcast Address      203.254.25.87
Total Local Hosts      5
netfilter can also match on packet content; iptables 1.3.x needs the string-matching patch for this. On an Internet server this matters because peer-to-peer traffic such as bit torrent downloads uses random ports, so a port-based rule cannot stop it, while a module that inspects the content can. The Layer 7 (L7) patch goes further and recognises application-layer protocols, so that for example MSN Messenger can be DROPped whatever port it uses. String matching (--string, or --hex-string for binary patterns) can also match virus signatures the way antivirus software does. The Layer 7 patch has to be compiled in; it is available from http://under-linux.org/ and http://l7-filter.sourceforge.net/.
Port Forward: the DNAT (Destination NAT) command option:
$IPTS -t nat -A PREROUTING ! -i $INT_IF -p tcp --dport 80 \
-j DNAT --to 100.0.0.5:80
For the port-forwarded server on the private IP, requests that carry a known worm signature can be dropped in the FORWARD chain before they reach it:
$IPTS -A FORWARD -p tcp --dport 80 -m string \
--string "/default.ida?" --algo bm -j DROP
IPTABLES tables and the chains each one contains:
Filter Table
o INPUT
o OUTPUT
o FORWARD
NAT Table
o PREROUTING (DNAT/REDIRECT)
o OUTPUT (DNAT/REDIRECT)
o POSTROUTING (SNAT/MASQUERADE)
Mangle table
o PREROUTING
o INPUT
o FORWARD
o POSTROUTING
o OUTPUT
Trick: SSH
Allow SSH connections to the server from a single host only (in addition to hosts.allow), using the firewall:
# iptables -A INPUT -p tcp -m state --state NEW --source x.x.x.x --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP
where x.x.x.x is the IP address allowed to use SSH.
Rate-limit new SSH connections to one per minute:
# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
Chapter 10 sXid
Permission
Configuration of sXid
Notes
1. sxid is open source.
Overview
sXid searches the server for files and directories that are root-owned with the suid or sgid bits set (+s); such files are a risk when a user can reach or modify them, so sXid tracks them and e-mails a report whenever the set changes. Download sXid from ftp://marcus.seva.net/pub/sxid/ or rpmfind.net and install the rpm from the download path:
# rpm -ivh /tmp/sXid-4.xxxx.rpm
Configuration
Step 1
Edit sxid.conf:
# vi /etc/sxid.conf
# Configuration file for sXid
SEARCH = "/"
# Which subdirectories to exclude from searching
EXCLUDE = "/proc /mnt /cdrom /floppy"
# Who to send reports to
EMAIL = "admin@sample.co.th"
# Always send reports, even when there are no changes?
ALWAYS_NOTIFY = "no"
# times based on KEEP_LOGS below
LOG_FILE = "/var/log/sxid.log"
# How many logs to keep
KEEP_LOGS = "5"
# Rotate the logs even when there are no changes?
ALWAYS_ROTATE = "no"
# Directories where +s is forbidden (these are searched
# even if not explicitly in SEARCH), EXCLUDE rules apply
FORBIDDEN = "/home /tmp"
# Remove (-s) files found in forbidden directories?
ENFORCE = "yes"
# This implies ALWAYS_NOTIFY. It will send a full list of
# entries along with the changes
LISTALL = "no"
# Ignore entries for directories in these paths
# (this means that only files will be recorded, you
# can effectively ignore all directory entries by
# setting this to "/"). The default is /home since
# some systems have /home g+s.
IGNORE_DIRS = "/home"
# Mail program. This changes the default compiled in
# mailer for reports. You only need this if you have changed
# it's location and don't want to recompile sxid.
MAIL_PROG = "/bin/mail"
Set the permission:
#chmod 400 /etc/sxid.conf
Step 2
Schedule sxid with crontab -e:
#crontab -e
# run sxid every day at 04:00
0 4 * * * /usr/bin/sxid
Alternatively, create /etc/cron.daily/sxid with vi:
#vi /etc/cron.daily/sxid
#!/bin/sh
SXID_OPTS=
if [ -x /usr/bin/sxid ]; then
/usr/bin/sxid ${SXID_OPTS}
fi
Test run:
# sxid -k
sXid Vers : 4.0.1
Check run : Wed Oct 3 12:40:32 2002
This host : ns.sample.com
Spotcheck : /home/admin
Excluding : /proc /mnt /cdrom /floppy
Ignore Dirs: /home
Forbidden : /home /tmp
No changes found
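As an added example (not code from sXid or from the book), the shell functions below do what the configuration above asks of sXid in miniature: list the setuid/setgid files under a tree, compare with the previous run's list, report what gained or lost the +s bit, and strip the bits from files in forbidden directories (the FORBIDDEN/ENFORCE setting); the baseline file path is this example's own choice.

```shell
#!/bin/sh
# Added example, not code from sXid or the book: a minimal sXid-style check.
# It lists setuid/setgid files under a directory, compares the list with the
# one saved by the previous run and reports what appeared or disappeared.

# Print "mode owner group path" for each setuid or setgid regular file under
# $1 (one filesystem only, like sXid's EXCLUDE of /proc and mounts), sorted
# so that two runs can be compared line by line. Paths with spaces are not
# handled; ls -l is used rather than stat to stay portable.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | LC_ALL=C sort
}

# Compare the current list with the baseline file $2 and print
#   "+ entry" for files that gained +s since the last run,
#   "- entry" for files that lost it (or were removed),
# then save the current list as the new baseline. No output means no change.
suid_changes() {
    dir=$1 base=$2
    cur=$(mktemp)
    suid_list "$dir" > "$cur"
    [ -f "$base" ] || : > "$base"
    # comm -3: column 1 = only in the current list, column 2 (tab-led) = only in baseline
    LC_ALL=C comm -3 "$cur" "$base" |
        awk -F'\t' '$1 != "" { print "+ " $1 } $1 == "" { print "- " $2 }'
    mv "$cur" "$base"
}

# sXid's FORBIDDEN/ENFORCE behaviour: strip the +s bits from files under the
# given directories (e.g. /home /tmp), where setuid programs have no business.
suid_strip_forbidden() {
    for d in "$@"; do
        find "$d" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} + 2>/dev/null
    done
}

if [ "${1:-}" = --demo ]; then
    # Baseline location is this example's choice; run as root to see the whole tree.
    suid_changes / /var/log/suid.baseline
fi
```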
Chapter 11 Log Check
Log file
Configuration
Notes
1. logcheck is open source.
2. Related commands: cat, tail, last.
Overview
The server's logs are normally read by hand with cat, tail and last:
# cat /var/log/secure
# tail /var/log/secure
# cat /var/log/message
# tail /var/log/message
# cat /var/log/maillog
# tail /var/log/maillog
# last
The log files live in /var/log; logcheck automates going through them. As with Portsentry, logcheck is built from source code that has to be downloaded and configured. The files are also on the CD ROM as logcheck-1.1.1.tar.gz and logcheck-1.1.1-8.i386.rpm.
Step 1: install from the .gz
Mount the Linux Server CD-ROM and copy the archive to /tmp:
#mount /dev/cdrom
#cp /mnt/cdrom/MyBooks/logcheck-1.1.1.tar.gz /tmp
(If downloaded instead, the archive is already in /tmp.)
# cd /tmp
# tar xzpf logcheck-1.1.1.tar.gz
# cd logcheck-1.1.1
Configuration
Step 1
# vi +34 systems/linux/logcheck.sh
Line 34, change
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
to
PATH=/bin:/sbin:/usr/bin:/usr/sbin
Line 47, change
LOGTAIL=/usr/local/bin/logtail
to
LOGTAIL=/usr/sbin/logtail
Line 55, change
TMPDIR=/usr/local/etc/tmp
to
TMPDIR=/tmp/logcheck$$-$RANDOM
Line 92, change
HACKING_FILE=/usr/local/etc/logcheck.hacking
to
HACKING_FILE=/etc/logcheck/logcheck.hacking
Line 101, change
VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
to
VIOLATIONS_FILE=/etc/logcheck/logcheck.violations
Line 118, change
VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
to
VIOLATIONS_IGNORE_FILE=/etc/logcheck/logcheck.violations.ignore
Line 125, change
IGNORE_FILE=/usr/local/etc/logcheck.ignore
to
IGNORE_FILE=/etc/logcheck/logcheck.ignore
Line 148, replace
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
with these 2 lines
rm -rf $TMPDIR
mkdir $TMPDIR
Line 224, replace
rm -f $TMPDIR/check.$$
with
rm -rf $TMPDIR
Line 274, replace
# Clean up
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
with
rm -rf $TMPDIR
Step 2
# vi +9 Makefile
CC = cc <--- change cc to gcc
Line 14, change
CFLAGS = -O
to
CFLAGS = -O3 -mtune=i686 -funroll-loops -fomit-frame-pointer
Line 22, change
#INSTALLDIR = /usr/local/etc
to
INSTALLDIR = /etc/logcheck
Line 25, change
INSTALLDIR_BIN = /usr/local/bin
to
INSTALLDIR_BIN = /usr/sbin
Line 30, change
INSTALLDIR_SH = /usr/local/etc
to
INSTALLDIR_SH = /usr/sbin
Line 56, change
/bin/rm $(INSTALLDIR_SH)/logcheck.sh
to
/bin/rm $(INSTALLDIR_SH)/logcheck
Line 66, comment out these lines
@echo "Creating temp directory $(TMPDIR)"
@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
@echo "Setting temp directory permissions"
chmod 700 $(TMPDIR)
so that they read
#@echo "Creating temp directory $(TMPDIR)"
#@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
#@echo "Setting temp directory permissions"
#chmod 700 $(TMPDIR)
Line 75, change
cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
to
cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck
Line 78, change
chmod 700 $(INSTALLDIR_SH)/logcheck.sh
to
chmod 700 $(INSTALLDIR_SH)/logcheck
Save and exit:
:wq Enter
Create /etc/cron.daily/logcheck so that logcheck runs every day:
# cat > /etc/cron.daily/logcheck << EOF
# Daily check Log files for security violations and unusual activity
/usr/sbin/logcheck
EOF
Set the permission:
# chmod 700 /etc/cron.daily/logcheck
Chapter 12 Portsentry
Scan Port
Portsentry
Notes
1. portsentry is open source.
2. Related commands: nmap (scan port).
Overview
An Internet server exposes its services to the network, and every NOS (Network Operating System) has weaknesses in those services. Scanning the server's ports is the tool that reveals which services are running, so port scans should be detected and stopped. Portsentry watches for port scans in real time, logs the IP address that performs the scan and blocks it on the server. It is open source and is downloaded from http://sourceforge.net/projects/sentrytools/ as a compressed .gz or .bz2 file; on RedHat/Fedora it is compiled from source, so the server needs gcc.
In the Makefile, change
INSTALLDIR = /usr/local/psionic
to
INSTALLBIN = /usr/sbin
LOGDIR = /var/log/portsentry
INSTALLDIR = /etc
Line 68, change
/bin/rm $(INSTALLDIR)$(CHILDDIR)/*
/bin/rmdir $(INSTALLDIR)
to
/bin/rm -rf $(INSTALLDIR)$(CHILDDIR)
/bin/rm -f $(INSTALLBIN)/portsentry
/bin/rm -rf $(LOGDIR)
Line 79, after
@echo "Setting directory permissions"
add these 2 lines
@if [ ! -d $(LOGDIR) ]; then /bin/mkdir\
$(LOGDIR); fi
Line 86, change
cp ./portsentry $(INSTALLDIR)$(CHILDDIR)
to
cp ./portsentry $(INSTALLBIN)
Line 90, change
chmod 700 $(INSTALLDIR)$(CHILDDIR)/portsentry
to
chmod 700 $(INSTALLBIN)/portsentry
Edit portsentry.conf
# vi portsentry.conf
Line 83, change
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
to
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
Line 85, change
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
to
HISTORY_FILE="/var/log/portsentry/portsentry.history"
Line 87, change
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
to
BLOCKED_FILE="/var/log/portsentry/portsentry.blocked"
Edit portsentry_config.h
# vi portsentry_config.h
Line 25, change
#define CONFIG_FILE "/usr/local/psionic/portsentry/portsentry.conf"
to
#define CONFIG_FILE "/etc/portsentry/portsentry.conf"
Save and exit:
:wq
Compile and install:
# make linux
# make install
Remove the source tree from /tmp:
# cd /tmp
# rm -rf portsentry*
Once installation and configuration are finished, delete the downloaded archive as well:
# rm -f /tmp/portsentry*
The configuration now consists of two files:
/etc/portsentry/portsentry.conf holds the main configuration.
/etc/portsentry/portsentry.ignore lists the IP addresses that must never be blocked even when they connect to the watched ports, such as the server's own addresses (the opposite of the server's block list).
Edit portsentry.conf with nano or vi:
# vi /etc/portsentry/portsentry.conf (the original location, changed in step 1, was /usr/local/psionic/portsentry)
# PortSentry Configuration
# Ports to watch for scans
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
# Advanced mode: watch every port up to this number
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
# Ports left out of advanced mode because legitimate traffic hits them:
# ident(113), NetBIOS(137-138), RIP(520), bootp broadcasts(67)
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"
# File locations
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/var/log/portsentry/portsentry.history"
BLOCKED_FILE="/var/log/portsentry/portsentry.blocked"
# Blocking options
# 0 = do not block TCP/UDP scans
# 1 = block TCP/UDP scans
# 2 = run an external command
BLOCK_UDP="1"
BLOCK_TCP="1"
# On Linux versions that use iptables as the firewall, block the scanning
# host on the server with:
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
# Also add the IP to hosts.deny
KILL_HOSTS_DENY="ALL: $TARGET$"
# Number of connects to watched ports before portsentry reacts: 0 reacts to
# the first connect and records the scan in the log file; the default is 2.
# Set it to "0".
SCAN_TRIGGER="0"
Start portsentry in advanced (stealth) mode for UDP:
# portsentry -audp
Check that it is running:
# ps ax | grep portsentry
To stop it:
# killall portsentry
;;
stop)
stop
;;
status)
status portsentry
RETVAL=$?
;;
restart)
stop
start
;;
condrestart)
if [ -f /var/lock/subsys/portsentry ]; then
stop
start
fi
;;
*)
echo $"Usage: $prog {start|stop|restart|condrestart|status}"
exit 1
esac
exit $RETVAL
Save and exit:
:wq Enter
Set the permission on the script:
#chmod 700 /etc/rc.d/init.d/portsentry
Register the script so that portsentry starts on reboot:
# chkconfig --add portsentry
# chkconfig --level 345 portsentry on
Start it:
#/etc/rc.d/init.d/portsentry restart
(If portsentry was installed from the rpm, edit its portsentry.conf in the same way and restart:)
# /etc/rc.d/init.d/portsentry restart
In ntsysv, mark [*] portsentry so that it is started after a reboot.
Chapter 13 Tripwire
Server
Configuration
Notes
1. Tripwire is open source.
Overview
Tripwire is software that records the state of the server's files and reports any change to them.
Step 2: generate the server's key files:
# tripwire-setup-keyfiles
The key files are created.
Step 6: Customize the policy configuration. The default UNIX/Linux policy shipped with Tripwire refers to files from RedHat 8.0 that are not present on the Fedora hard disk, so Tripwire reports errors for them. The script below (downloaded separately) rewrites the policy file to match the files that actually exist:
# vi /etc/tripwire/tripwirepol.pl
Contents of the script:
#!/usr/bin/perl
# Tripwire Policy File customize tool for Linux Server 3.0
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# Reads the policy file named on the command line (default twpol.txt), sets
# the HOSTNAME line to this host, comments out rule entries whose file does
# not exist and uncomments those whose file does; the result goes to stdout.
my $polfile = shift @ARGV || '/etc/tripwire/twpol.txt';
open(POL, '<', $polfile) or die "cannot open $polfile: $!\n";
my $INRULE = 0;
while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.+)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=$myhost;" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
# $ret counts the '#' characters removed, i.e. whether the entry was commented out
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -e $tpath) {
# file missing: comment the entry out (leave it alone if it already was)
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
# file present: emit the entry uncommented
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;
Save the script:
:wq
Step 8: edit the policy file
# vi /etc/tripwire/twpol.txt
..
..
Severity levels:
SIG_MED=66; # Non-critical files that are of significant security impact
SIG_HI= 100; # Critical files that are significant points of vulnerability
Report recipient:
( emailto = root )
{
..
}
# disabled-entries: 184
Save and exit vi:
:wq
When the database is initialised with the updated policy, the progress display shows Tripwire Data Files at 100 %, tw.pol at 100 %, and the Error Report shows No Errors.
Chapter 14 Snort (IDS)
Linux Server
Snort, and Snort with MySQL
Notes
1. Snort is open source.
Overview
Snort is open source free software for the Linux OS that acts as an IDS (Intrusion Detection System). It runs on ordinary hardware, and its rules are updated from http://www.snort.org/. The Network Model in chapter 2 shows where the IDS sits. Here Snort is installed from rpm on Fedora/RedHat, its configuration and log files are set up, and its alerts are then stored in a MySQL database server.
Installation
Step 1: Download snort from http://www.snort.org/dl/binaries/linux/
Snort requires libpcap. Check whether libpcap is installed:
# rpm -q libpcap
If it is not, install it:
# rpm -ivh libpcap-0.9.4-10.fc6.i386.rpm
Preparing... ######################################### [100%]
#include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
#include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
#include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
:wq
Step 3: set up log rotation for the snort log files:
# vi /etc/logrotate.d/snort
# /etc/logrotate.d/snort
# $Id$
# /var/log/snort/alert /var/log/snort/*log /var/log/snort/*/alert /var/log/snort/*/*log
{
/var/log/snort/alert /var/log/snort/*log {
daily
rotate 7
missingok
compress
sharedscripts
postrotate
/etc/init.d/snortd restart 1>/dev/null || true
endscript
}
:wq
Step 4: Download Oinkmaster and use it to fetch the Snort rules. The rules downloaded are:
-> bleeding-botcc-BLOCK.rules
-> bleeding-botcc.rules
-> bleeding-dos.rules
-> bleeding-drop-BLOCK.rules
-> bleeding-drop.rules
-> bleeding-dshield-BLOCK.rules
-> bleeding-dshield.rules
-> bleeding-exploit.rules
-> bleeding-game.rules
-> bleeding-inappropriate.rules
-> bleeding-malware.rules
-> bleeding-p2p.rules
-> bleeding-policy.rules
-> bleeding-scan.rules
-> bleeding-sid-msg.map
-> bleeding-virus.rules
-> bleeding-voip.rules
-> bleeding-web.rules
-> bleeding.conf
-> bleeding.rules
Step 12: after downloading the rules from Bleedingsnort.com, add them to snort.conf:
# vi /etc/snort/snort.conf
Append the following lines:
# Bleeding Edge rules
include $RULE_PATH/bleeding.conf
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-voip.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding.rules
:wq
Step 13: restart snort
# /etc/init.d/snortd restart
Snort + MySQL
Step 1: Download snort-mysql from http://www.snort.org/dl/binaries/linux/ for the OS in use (FC6 here), using wget to save it in /tmp:
# wget -P /tmp http://www.snort.org/dl/binaries/linux/old/snort-mysql-2.7.0.1-1.FC6.i386.rpm
Step 2: install it
# rpm -ivh /tmp/snort-mysql-2.7.0.1-1.FC6.i386.rpm
Preparing... ######################################### [100%]
1:snort-mysql ####################################### [100%]
Step 3: remove the downloaded package
# rm -f /tmp/snort-mysql-2.7.0.1-1.FC6.i386.rpm
Step 4: log in to MySQL and create the database for Snort:
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10 to server version: 5.x.x version 8
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> CREATE DATABASE snort;
Query OK, 1 row affected (0.13 sec)
BASE needs the PHP packages php-mysql, php-gd and php-adodb; check whether they are installed:
# rpm -q php-mysql
# rpm -q php-gd
# rpm -q php-adodb
If php-mysql and php-gd are missing, install them from the CD:
# mount /dev/cdrom /mnt/cdrom
# rpm -ivh /mnt/cdrom/Fedora/RPMS/php-mysql-5*
# rpm -ivh /mnt/cdrom/Fedora/RPMS/php-gd*
# eject
php-adodb was downloaded to /tmp in step 1; install it:
# rpm -ivh /tmp/php-adodb*
Then delete the downloaded file:
# rm -f /tmp/php-adodb*
<Directory "/var/www/html/base">
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.11 <- the IP addresses or networks allowed to open BASE
</Directory>
:wq
Check the base.conf syntax:
# apachectl configtest
Syntax OK
Step 7: restart httpd
# /etc/init.d/httpd restart
BASE, the web front end for the snort IDS, also needs the following packages:
php-pear-Image-Graph
php-pear
php-pear-Image-Canvas
php-pear-Image-Color
^ % Download 8 download.fedora.redhat.com 8 L ^
rpm.pbone.net ^%#%7L
>8#%784
% X Y
887L8 http://192.168.1.11/base
Figure 14.1
Figure 14.2
Figure 14.3: create the BASE tables, then go to the Main page
Figure 14.4
Figure 14.5: BASE
Backup and Restore
1. partimage (open source)
2. tar, mkisofs, cdrecord
3. (Bold)
4.
Backup/Restore of a server covers the server's NOS and its data; power protection (a UPS) belongs to the same plan. There are 6 kinds of backup:
1. Full backup: backs up everything.
2. Incremental backup: backs up what changed since the full backup.
3. Differential backup.
4. Network backup: a backup client sends its data to a backup server.
5. Dump backup: backs up a disk partition or file system as a backup file.
6. Level 0 to 9 backup: an incremental backup relative to the next lower level backup.
Directories on the hard drive that need to be backed up:
/etc = configuration files
/home = user data
/www = web files (or whichever directory holds them)
Backup media: tape, CD, DVD or floppy disk; the server needs the matching CD/DVD or floppy drive.
Step 1: back up /etc, the server configuration. Linux backup tools that copy files include:
- cp
- tar
- gzip
- dump
tar is the standard UNIX archiving utility for directories; on Linux it is the utility most often used from scripts, with options for compression. Basic usage:
# tar cf backup.tar directory
c = create a new archive
f = archive file or device
Back up /home:
# tar cf backup.tar /home
Restore:
# tar xPf backup.tar
The P option keeps absolute path names so files go back to their original location under /; without it, change to / first:
# cd /
To back up the whole system from the root directory:
# cd /
# tar cpf /archive/full-backup-`date '+%d-%B-%Y'`.tar \
--directory / --exclude=proc --exclude=mnt --exclude=archive \
--exclude=cache --exclude=*/lost+found .
The --exclude parameters skip the partitions and directories that should not be in the backup. A script that runs the backup daily:
# vi /etc/cron.daily/backup
#!/bin/sh
# Full backup on the 1st of the month and every Sunday; on the other days
# an incremental backup of files newer than the last Sunday full backup.
COMPUTER=ns1                      # name of this computer
DIRECTORIES="/home"               # directories to back up
BACKUPDIR=/backups                # where the archives are stored
TIMEDIR=/backups/last-full        # where the date of the last full backup is kept
TAR=/bin/tar
PATH=/usr/local/bin:/usr/bin:/bin
DOW=`date +%a`                    # day of the week, e.g. Sun
DOM=`date +%d`                    # day of the month, e.g. 01
DM=`date +%d%b`                   # day and month, e.g. 15Jan
# Monthly Full Backup
if [ "$DOM" = "01" ]; then
    NEWER=""
    $TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DM.tar $DIRECTORIES
fi
# Weekly full backup
if [ "$DOW" = "Sun" ]; then
    NEWER=""
    NOW=`date +%d-%b`
    # Update full backup date
    echo $NOW > $TIMEDIR/$COMPUTER-full-date
    $TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DOW.tar $DIRECTORIES
# Make incremental backup - overwrite last weeks
else
    # Get date of last full backup
    NEWER="--newer `cat $TIMEDIR/$COMPUTER-full-date`"
    $TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DOW.tar $DIRECTORIES
fi
Restoring with tar. To restore the /home partition backup from tape or from another hard disk onto the server:
# cd /
# tar xpf /dev/st0/full-backup-Day-Month-Year.tar
For a multi-volume archive add M: tar xMpf. The c (create) parameter is replaced by x (extract). A .tar file written by the backup script, for example ns1-15-Jan.tar, is restored the same way:
# tar xpf /dev/st0/ns1-15-Jan.tar
Encrypting the backup media. Before a backup leaves the Linux server, encrypt it with openssl:
# openssl des -in /home/backup.tar.gz -out /home/backup.sec
The encrypted file backup.sec, not backup.tar.gz, is what gets copied off the server. To restore, decrypt it first:
# openssl des -d -in /home/backup.sec -out /home/backup.tar.gz
To back up the /home partition of one server onto another machine, compress it with tar and gzip and pipe the stream over ssh to the backup host:
# tar zcvf - /home | ssh bkuser@backup "cat > /home/bkuser/home.tar.gz"
or, with the backup host's IP address:
# tar zcvf - /home | ssh bkuser@192.168.1.20 "cat > /home/bkuser/home.tar.gz"
This sends the backup to the host 192.168.1.20 as the user bkuser over Secure Shell (not as root); the file home.tar.gz lands in bkuser's home directory, and ssh prompts for bkuser's password. dd can be used instead of cat to write the file:
# tar zcvf - /home | ssh bkuser@192.168.1.20 "dd of=/home/bkuser/home.tar.gz"
If the backup host has a tape drive (/dev/st0), write the stream to the tape instead of a file:
# tar cvzf - /home | ssh bkuser@192.168.1.20 "cat > /dev/st0"
To rewind the tape before writing:
# tar cvzf - /home | ssh bkuser@192.168.1.20 "(mt -f /dev/st0 rewind; cat > /dev/st0)"
Using SSH keys. The backup over ssh asks for a password each time, which a script cannot supply, so set up key authentication. Because the backup reads files only root can read (for example /etc and its shadow file), generate the key as root on the server; the remote account stays the unprivileged user bkuser with its own home directory.
[root@sv2 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): <- Enter
Enter passphrase (empty for no passphrase): <- Enter
Enter same passphrase again: <- Enter
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Then restart sshd:
# /etc/init.d/sshd restart
Test the login:
[root@ns1 ~]# ssh bkuser@192.168.1.20
Last login: Tue Jan 15 11:49:28 2008 from 192.168.1.1
[bkuser@backup ~]$
The prompt changes to user@host of the backup server, and the tar command above now writes backup.tar.gz to the backup host without asking for a password.
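A passphrase-less root key that can run any command on the backup host is a large target; the key should be limited to the one backup command from the one source address. As an added example (not from the book), the script below builds such a restricted authorized_keys line for bkuser and audits an authorized_keys file for keys that lack the from= and command= options; the key material, addresses and paths are constructed.

```shell
#!/bin/sh
# Added example: restricted authorized_keys entries for the backup account.
# Addresses, commands and key material are constructed, not from the book.

# restricted_key_line <from_ip> <forced_command> <pubkey_file>
# Prints an authorized_keys line that lets the key run only <forced_command>,
# only from <from_ip>, with no forwarding and no interactive shell.
restricted_key_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$1" "$2" "$(cat "$3")"
}

# audit_authorized_keys <file>
# Prints one line per key: "restricted N" when the key carries both a from=
# and a command= option, "UNRESTRICTED N" otherwise (N = line number).
# Assumes the options field itself never contains a key-type string.
audit_authorized_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
    {
        # the key type marks where the key starts; text before it is the options field
        if (!match($0, /(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+)[ \t]/)) {
            print "UNPARSED " NR; next
        }
        opts = substr($0, 1, RSTART - 1)
        if (opts ~ /command="/ && opts ~ /from="/) print "restricted " NR
        else print "UNRESTRICTED " NR
    }' "$1"
}

# count_unrestricted <file>  -> number of keys that are not locked down
count_unrestricted() {
    audit_authorized_keys "$1" | awk '/^UNRESTRICTED/ { n++ } END { print n + 0 }'
}
```

Run the audit against /home/bkuser/.ssh/authorized_keys on the backup host; every key reported UNRESTRICTED can open a shell there.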
Backing up to CD-R, CD-RW or DVD. The script above targets tape; for CD the backup is written with mkisofs and cdrecord. Take the home.tar.gz made with tar (or received over openssh) and burn it:
$ mkisofs -R -l home.tar.gz | cdrecord speed=8 -
For a CD-RW, erase the disc first:
$ mkisofs -R -l home.tar.gz | cdrecord blank=fast speed=8 -
Backing up a partition with partimage:
# partimage
Figure 15.1: partimage
Figure 15.2: choose the partition to back up. The partition must be unmounted before Continue, for example:
# umount /boot
Figure 15.3
Figure 15.4: choose bzip2 compression
In the options of figure 15.3, set Image split mode to Automatic split; wait, or press F5.
Figure 15.7: the backup runs.
To restore, choose the image file and the target partition on the server.
Log Server
---------------------------------------------------------------
Log data used as evidence must satisfy: (media) integrity, and identification of its source. A Centralized Log Server, with Data Archiving and Data Hashing, provides both.
The IT Auditor needs log files that identify who did what: identification and authentication of users behind a Proxy Server, Network Address Translation (NAT), a Proxy Cache or Cache Engine, Free Internet access and Wi-Fi Hotspots. All clocks must be synchronized to a reliable time source (Stratum 0). The Log Server here is built from open source software on Linux; Linux as a Network Operating System (NOS) keeps log files that the System Administrator uses for security, and with Data Hashing and Data Archiving the IT Auditor can rely on those log files.
Install the NTP package (from the mounted CD or from the Internet) and configure the server to synchronize with an NTP server. Testing with ntpdate gives output like:
28 Jan 14:28:20 ntpdate[2693]: step time server 192.43.244.18 offset -0.092687 sec
Using the Nectec NTP servers:
# ntpdate -b clock.nectec.or.th
# ntpdate -b clock2.nectec.or.th
# ntpdate -b clock.thaicert.nectec.or.th
Run it against each server and check the offset (servers 1, 2 and 3 of the configuration). The message "no server suitable for synchronization found" means the host cannot reach that server. Then configure ntpd:
# cp /etc/ntp.conf /etc/ntp.conf.bak
# vi /etc/ntp.conf
restrict default kod nomodify notrap noquery nopeer
restrict 127.0.0.1
# allow the internal network
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 203.185.69.60 dynamic
server time.navy.mi.th dynamic
server time.nist.gov dynamic
Windows clients must use the same Network Time Server (NTP) so that their log file timestamps match. By default Microsoft Windows XP updates its clock every 7 days; Update Now forces an update. To change the interval, edit the Registry: Start -> Run -> regedit, then open
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient]
and the value SpecialPollInterval:
(Hex) "SpecialPollInterval"=dword:00093a80
93a80 hex = 604800 decimal seconds = 7 days (1 day = 86400 seconds); lower it to update more often. Change the server from time.windows.com to the IP address of the local NTP server and click Update Now to sync with it. Make sure the Windows Time Service is set to Automatic so it starts at boot.
syslog-ng versions: the version 2 configuration differs from version 1.x; this chapter uses syslog-ng version 2.x on FC7.
};
# This is the actual Squid Logging
log { source(src); filter(f_squid); destination(d_squid); };
# Remove the 'squid' Log entries from 'user' Log facility
filter f_remove { not program("squid"); };
# Log everything else less the categories removed
# by the f_remove filter
log {
source(src);
filter(f_remove);
destination(logs);
};
Client Log Server Configuration
# /etc/syslog-ng/syslog-ng.conf
# All sources
source src {
pipe("/proc/kmsg" log_prefix("kernel: "));
unix-stream("/dev/log");
internal();
};
# The filter removes all entries that come from the
# program 'squid' from the syslog
log {
source(src);
filter(f_remove);
destination(logserver);
};
Switch from syslog to syslog-ng:
# /etc/init.d/syslog stop
# /etc/init.d/syslog-ng start
# chkconfig syslog off
# chkconfig syslog-ng on
Check that syslog-ng is running:
# ps ax |grep syslog-ng
3. Remote Access servers: configure Freeradius to write its log through syslog, so that syslog-ng sends the log file to the centralized log server:
# vi /etc/raddb/radiusd.conf
Logdir = syslog
Log_destination = syslog
:wq
Alternatively pass radiusd the options -l syslog -g <facility> in its startup script.
4. Proxy Server: on the gateway server the Squid proxy, where users authenticate when they log on, keeps its own log file; change its configuration so the log also goes to syslog:
# vi /etc/squid/squid.conf
access_log /var/log/squid/access.log squid
access_log syslog squid
(using the squid logformat)
:wq
# squid -k reconfigure
5. Network hardware: managed switches (VLAN), NAT devices and WiFi Hotspots should forward their logs as well, so that user accounts can be tied to hosts.
6. Mail Servers (e-mail servers): log the pop, imap and smtp protocols through syslog-ng. For clients using free e-mail services, the mail activity appears only in the proxy access log.
LogLevel notice
:wq
# /etc/init.d/httpd restart
syslog-ng then receives the Web Server log in that log format.
7. Usenet (news) servers: keep their log files as well.
8. Internet Relay Chat (IRC) and Instant Messaging (IM) such as MSN, Yahoo and ICQ leave no log file tied to a user account. Put an IM Transparent Proxy on the gateway next to the Web Proxy Server, for example the open source imspector, and configure it to write a log file; the Transparent Proxy software then forwards that log.
Files such as /var/log/webserver/2008/02/kernel.2008-02-14 are rotated by date.
9. Compress the logs with tar, as in the backup chapter (15):
# tar cvfz webserver.tar.gz /var/log/webserver
# ls
webserver.tar.gz
10. Encrypt the archive, as in chapter 15:
# openssl des -in webserver.tar.gz -out webserver.sec
# ls
webserver.tar.gz webserver.sec
11. Back up the encrypted logs to CD, as in chapter 15. The steps are:
- compress the logs
- encrypt the .gz
- back up the .sec file to CD
Put these steps in a script run from the command line or from crontab, and reload syslog-ng afterwards so it starts new log files; this keeps old logs off the hard disk, with the copies on CD.
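Both the backup encryption in chapter 15 (openssl des) and this log archiving step ship an archive off the server with no integrity record, and single DES is not a strong cipher today. As an added example (not from the book), the script below does the same tar-then-encrypt step with AES-256 and writes a SHA-256 manifest that the IT Auditor can check when the archive comes back from CD; the directory, file names and passphrase file are constructed.

```shell
#!/bin/sh
# Added example: archive a log or backup directory, record a SHA-256 of the
# archive (the "data hashing" the text calls for) and encrypt it with AES-256
# using PBKDF2 key derivation instead of "openssl des". Paths are constructed.
set -eu

# archive_and_seal <src_dir> <out_basename> <passphrase_file>
# Leaves <out>.tar.gz.sec (ciphertext) and <out>.sha256 (hash of the plaintext
# archive, to be stored apart from the media); the plaintext is deleted.
archive_and_seal() {
    src=$1; out=$2; passfile=$3
    tar czf "$out.tar.gz" -C "$(dirname "$src")" "$(basename "$src")"
    sha256sum "$out.tar.gz" | awk '{print $1}' > "$out.sha256"
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$out.tar.gz" \
        -out "$out.tar.gz.sec" -pass "file:$passfile"
    rm -f "$out.tar.gz"           # only the encrypted copy leaves the server
}

# unseal_and_verify <out_basename> <passphrase_file>
# Decrypts <out>.tar.gz.sec back to <out>.tar.gz and returns 0 only if its
# SHA-256 matches the manifest, so a corrupted or altered CD is rejected.
unseal_and_verify() {
    out=$1; passfile=$2
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$out.tar.gz.sec" \
        -out "$out.tar.gz" -pass "file:$passfile" 2>/dev/null || return 1
    [ "$(sha256sum "$out.tar.gz" | awk '{print $1}')" = "$(cat "$out.sha256")" ]
}
```

The manifest file must not travel on the same CD as the archive, otherwise whoever alters the disc can rewrite the hash too.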
Microsoft Windows servers
To collect logs from MS Windows hosts, add a filter, a destination and a log path to syslog-ng:
filter windows {
program(MSWinEventLog);
};
destination windows {
file("/var/log/$HOST/$YEAR/$MONTH/windows.$YEAR-$MONTH-$DAY"
template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
template_escape(no)
owner(root) group(adm) perm(665)
create_dirs(yes) dir_perm(0775));
};
log {
source(src); filter(windows); destination(windows);
flags(final);
};
Windows services such as ISA and IIS are collected with the Snare agents for MS Windows (Snare for IIS Web Server, Snare for ISA Server): download and install them on the Windows server and point Snare at the Log Server's Host/IP and port. Snare sends over udp, so besides TCP syslog-ng must also listen on UDP:
udp(ip(0.0.0.0) port(514));