Complete Guide to Building a Remote Log Server
(Complete Reference Guide to Creating a Remote Log Server)

Translation: Lee Guk-hyeon (errai@hitel.net)

    Original article:
    http://www.linuxsecurity.com/feature_stories/remote_logserver-1.html

This document was written by Eric Hines. It covers, in detail, how to build and configure a remote log server.

 

INTRODUCTION

    First, I recommend that you study the README files of the utilities mentioned in this document carefully. As for the terms used throughout: SERVER means a computer configured to receive logs from remote machines (CLIENTS), and CLIENT means a computer configured to send its logs to the remote log server (REMOTE LOG SERVER).

     

    A. WHAT IS A REMOTE LOG SERVER

    A remote log server is nothing more and nothing less than a system set up in advance to provide hard drive space for storing the logs of other systems.
    This system must be completely locked down. No RPC daemons or any other services are ever allowed to be reached without encryption. Data is permitted to arrive only over UDP port 514.
    Let us go through the detailed configuration and installation of the log server one step at a time.
    ([Translator's note]: UDP port 514 is the port syslog uses.)

     

    B. SYSLOGD

    Recompiling syslogd

    The first thing to do in order to enable remote logging on your machines is to recompile syslogd. This is done for security reasons: we want the daemon to read a file other than syslog.conf. The details are covered later.

    NOTES : This idea comes from the whitepaper "To Build a Honeypot" by Lance Spitzner.
                 Thanks to Lance for his contribution to the security community.
                 The point of this excellent idea is to make an intruder believe that the
                 system has no remote logging at all. Leaving the previously used
                 /etc/syslog.conf in place helps fool an unsuspecting cracker.

       

      STEP 1 : COMPILING OUR NEW VERSION

      Your operating system will have syslogd installed by default, but the source code will not come with it. You first have to download the source from RedHat or from Joey's FTP site (Joey is the syslogd developer). If your distribution does not provide the source code, it is violating open source policy, so if you would rather not download the source from the links below, get it from your OS vendor.

      SITE 1:
      ftp://ftp.infodrom.north.de/pub/people/joey/sysklogd/
      or
      SITE 2:
      ftp://ftp.sourceforge.net/pub/mirrors/redhat/redhat/redhat-6.2/SRPMS/SRPMS/sysklogd-1.3.31-16.src.rpm

      If you are a RedHat-based user, running rpm -iv sysklogd-1.3.31-16.src.rpm installs the source into /usr/src/redhat/SOURCES/sysklogd-1.3-31.

       

      STEP 2 : CHANGING THE DEFAULT CONFIG FILE LOCATION

      This is the fun part. It tricks an intruder into thinking that your log files are stored locally. We will recompile syslogd so that it reads a different configuration file. The old default file stays where it is, so that an intruder who looks into /etc/syslog.conf (with cat, for instance) to check whether logs are sent off the box is fooled. Even after you build the new binary, leave the old configuration file in place.

      Change the default /etc/syslog.conf setting.

      [ehines@myhost sysklogd-1.3-31]$ cd /usr/src/redhat/SOURCES/sysklogd-1.3-31
      [ehines@myhost sysklogd-1.3-31]$ vi syslogd.c

      Find the syslog.conf line.

      #define _PATH_LOGCONF   "/etc/syslog.conf"

      Now change the value to whatever you like. Be creative, for example /etc/.sys/CORE.conf.
      Once the new syslogd binary is built, copy it over the old one (usually /sbin/syslogd).

      Back up the old version before you do this. As an administrator you already knew that, right? :)

      NOTES : The reason for not simply running the old syslogd with the (-f config-file)
                   option is that an intruder who looks at the process list with ps will
                   see the options and learn which file the configuration was moved to.
                   That is why this approach is better. I recommend leaving the
                   /etc/syslog.conf file in place as a decoy and changing the config file
                   by recompiling. Changing only the location while keeping the name is
                   risky: a simple find / -name "syslog.conf" will turn it up.
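      The edit described in this step, done with sed instead of vi and read back before running make. This is an added example, not code from the article or from sysklogd; the file and path names are the article's, while the function names and the stand-in syslogd.c built for the demo are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or from sysklogd: change the compiled-in
# config path in a sysklogd source tree, keep the untouched source as a backup,
# and read the path back so the edit can be checked before running make.
# File and path names are the article's; function names are this example's.

# relocate_logconf SRC_FILE NEW_PATH
#   Rewrites the _PATH_LOGCONF define in SRC_FILE (normally syslogd.c) so the
#   rebuilt daemon reads NEW_PATH instead of /etc/syslog.conf. The original
#   source is kept as SRC_FILE.orig.
relocate_logconf() {
    src=$1
    newpath=$2
    [ -f "$src" ] || { echo "relocate_logconf: no such file: $src" >&2; return 1; }
    cp -p "$src" "$src.orig"
    # Only the #define line is touched; every other line is copied verbatim.
    sed "s|^#define[[:space:]]*_PATH_LOGCONF[[:space:]]*\"[^\"]*\"|#define _PATH_LOGCONF   \"$newpath\"|" \
        "$src.orig" > "$src"
}

# compiled_logconf SRC_FILE
#   Prints the config path currently compiled into SRC_FILE.
compiled_logconf() {
    sed -n 's/^#define[[:space:]]*_PATH_LOGCONF[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Demo on a constructed stand-in for syslogd.c (not the real source file).
demo_dir=$(mktemp -d)
printf '%s\n' '#include <stdio.h>' \
              '#define _PATH_LOGCONF   "/etc/syslog.conf"' \
              'int main(void) { return 0; }' > "$demo_dir/syslogd.c"
relocate_logconf "$demo_dir/syslogd.c" /etc/.sys/CORE.conf
echo "before: $(compiled_logconf "$demo_dir/syslogd.c.orig")"
echo "after:  $(compiled_logconf "$demo_dir/syslogd.c")"
rm -rf "$demo_dir"
```

      Run compiled_logconf on the real syslogd.c after the edit and before make; if it still prints /etc/syslog.conf, the define was not matched. Keep in mind that the new path is still an ordinary string inside the rebuilt binary, so this is a decoy against a casual look at /etc, not a secret.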

       

      STEP 3 : MODIFY THE (REAL) SYSLOG CONFIG FILE

      For example, the following syslog.conf forwards all messages to a remote host.

      # Simply forward every message to the remote host.
      *.*            @hostname

      # Forward all kernel messages to the remote host.
      kern.*         @hostname

      # Log locally as well as remotely (in case forwarding fails).
      kern.crit                    @finlandia
      kern.crit                    /dev/console

      Configure all your other log files as you see fit.
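      A small audit of the real configuration file, as an added example (not code from the article): it lists which selectors are forwarded to a remote host and which of those have no local copy to fall back on if forwarding fails, the case the kern.crit pair above guards against. The sample syslog.conf is constructed for the demo and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: audit a syslog.conf for which selectors
# are forwarded to a remote host and which forwarded selectors keep no local
# copy. The sample config is constructed; function names are this example's.

# active_rules CONF - the config without comments and blank lines
active_rules() {
    awk 'NF > 0 && $1 !~ /^#/' "$1"
}

# forwarded_selectors CONF - selectors whose action is a remote host (@host)
forwarded_selectors() {
    active_rules "$1" | awk '$2 ~ /^@/ { print $1 }' | LC_ALL=C sort -u
}

# remote_hosts CONF - distinct hosts the config forwards to
remote_hosts() {
    active_rules "$1" | awk '$2 ~ /^@/ { sub(/^@/, "", $2); print $2 }' | LC_ALL=C sort -u
}

# forwarded_without_local_copy CONF
#   Forwarded selectors with no local action at all: nothing is kept on this
#   host for them if the log server is unreachable.
forwarded_without_local_copy() {
    active_rules "$1" | awk '
        { if ($2 ~ /^@/) remote[$1] = 1; else kept[$1] = 1 }
        END { for (s in remote) if (!(s in kept)) print s }' | LC_ALL=C sort
}

# write_sample_conf PATH - constructed sample, modelled on the fragment above
# plus two purely local entries
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample syslog.conf
*.*            @hostname
kern.*         @hostname
kern.crit      @finlandia
kern.crit      /dev/console
mail.*         -/var/log/maillog
authpriv.*     /var/log/secure
EOF
}

demo=$(mktemp)
write_sample_conf "$demo"
echo "forwarded selectors:";            forwarded_selectors "$demo"
echo "remote hosts:";                   remote_hosts "$demo"
echo "forwarded but not kept locally:"; forwarded_without_local_copy "$demo"
rm -f "$demo"
```

      Point the functions at the relocated config (for example /etc/.sys/CORE.conf) rather than the decoy /etc/syslog.conf, since the decoy is exactly what you do not want to audit.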

     

    C. THE CLIENT ( REMOTE LOG SERVER )

    The client server (that is, the computer that accepts all the remote logs) must run syslogd with the -r switch in order to receive remote logs. In addition, /etc/services must contain the line syslog 514/udp.

     

    D. LOCKING DOWN THE REMOTE LOG SERVER

    The computer that receives all the logs must be completely shut off from the outside.

      1. TURN OFF ALL SERVICES

      This computer is nothing but a log server, so there is no need to run any other services. Proceed as follows.

      [root@myhost /etc]# cd /etc
      [root@myhost /etc]# vi inetd.conf

      1) TURN OFF ALL INETD SERVICES

      In this file you disable a service by adding a '#' in front of it, turning the line into a comment. Comment out all of the services below.

      a. echo
      b. discard
      c. daytime
      d. chargen
      e. time
      f. ftp
      g. telnet
      h. shell
      i. login
      j. exec
      k. comsat
      l. talk
      m. ntalk
      n. dtalk
      o. pop-2
      p. pop-3
      q. imap
      r. uucp
      s. tftp
      t. bootps
      u. finger
      v. cfinger
      w. systat
      x. netstat
      y. auth
      z. linuxconf
      zz. swat

      2) DISABLE ALL RPC SERVICES

      [root@myhost /etc]# cd /etc/rc.d

      Looking through the directory you will see files whose names start with a capital "S". These are the services started when the system boots. Use the mv command to change the capital S to a lowercase s. For example, mv S11portmap s11portmap stops the portmapper from being started at boot time.

      You will probably want to turn off services such as nfslock, apmd, netfs, identd, autofs, portmap, atd, pcmcia, isdn, sendmail, gpm, httpd, vmware, xfs, linuxconf and local. They must be disabled in every directory from rc0.d through rc6.d.
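      The two lockdown steps above, applied to files you point it at and followed by a listing of what is still enabled. This is an added example, not code from the article: the service names are the article's, the inetd.conf and rc.d layout used in the demo are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: comment out inetd services and rename
# S?? boot scripts to s??, then list what would still be enabled. The demo
# /etc lookalike is constructed; function names are this example's own.

# disable_inetd_services INETD_CONF NAME...
#   Comments out every line whose service field is one of NAME...; the
#   untouched file is kept as INETD_CONF.orig.
disable_inetd_services() {
    conf=$1; shift
    cp -p "$conf" "$conf.orig"
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { print; next }
        ($1 in off)          { print "#" $0; next }
                             { print }' "$conf.orig" > "$conf"
}

# active_inetd_services INETD_CONF - service names still uncommented
active_inetd_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# disable_rc_services RC_DIR NAME...
#   Renames S??NAME to s??NAME in one rcN.d directory so init skips it;
#   run it for rc0.d through rc6.d as the text says.
disable_rc_services() {
    dir=$1; shift
    for name in "$@"; do
        for link in "$dir"/S[0-9][0-9]"$name"; do
            [ -e "$link" ] || continue
            base=$(basename "$link")
            mv "$link" "$dir/s${base#S}"
        done
    done
}

# enabled_rc_services RC_DIR - services init would still start from RC_DIR
enabled_rc_services() {
    for link in "$1"/S[0-9][0-9]*; do
        [ -e "$link" ] || continue
        base=$(basename "$link")
        echo "${base#S??}"
    done
}

# Demo on a constructed /etc lookalike (never the real one).
root=$(mktemp -d)
printf '%s\n' '# constructed inetd.conf' \
    'ftp    stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a' \
    'telnet stream tcp nowait root   /usr/sbin/tcpd in.telnetd' \
    'finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd' > "$root/inetd.conf"
mkdir "$root/rc3.d"
for s in S11portmap S80sendmail S55sshd S99local; do : > "$root/rc3.d/$s"; done

disable_inetd_services "$root/inetd.conf" ftp telnet finger
disable_rc_services "$root/rc3.d" portmap sendmail local
echo "inetd services still active: $(active_inetd_services "$root/inetd.conf")"
echo "rc3.d services still enabled: $(enabled_rc_services "$root/rc3.d")"
rm -rf "$root"
```

      On the real box, run active_inetd_services /etc/inetd.conf and enabled_rc_services on each rcN.d directory after the changes; for a pure log server the first should print nothing and the second only what you deliberately kept.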

       

      2. DISABLE ACCOUNTS

      [root@myhost /etc]# vi /etc/passwd

      Remove unused accounts from your password file. I suggest downloading the tool /bin/noshell (http://www.cerias.purdue.edu/coast/archive/data/categ50.html).
      It is a useful program for an administrator when adding or removing accounts.

       

      3. INSTALL SSH

      Using telnet exposes you to sniffing. Fortunately we have OpenSSH, a product of the GNU open source community. Let us install OpenSSH.

      1) DOWNLOADING OPENSSH

      Point your web browser at www.openssh.com. At the time of writing the latest version is 2.1.1, which supports both the SSH1 and SSH2 protocols. Download the source and proceed as follows.

      [root@myhost ]# gzip -d openssh-2.1.1p2.tar.gz
      [root@myhost ]# tar -xvf openssh-2.1.1p2.tar

      Not everything will go exactly the same way for you. Be sure to read the INSTALL file before going on. I cannot tell you what each of your systems requires; this is only you watching my installation.

      First, Zlib and OpenSSL must be installed.

      Zlib:
      http://www.freesoftware.com/pub/infozip/zlib/

      OpenSSL 0.9.5a or greater:
      http://www.openssl.org/

      RPM versions of OpenSSL:
      http://violet.ibs.com.au/openssh/files/support

      If GNU make is installed, the following will build and install it.

      [root@myhost ]# ./configure && make && make install

      If you use PAM, you will also need a PAM control file such as /etc/pam.d/sshd. A generic one is included as contrib/sshd.pam.generic; edit it to suit your system before using it. If you run RedHat Linux 6.2, contrib/redhat/sshd.pam will be more useful.
      I prefer to turn PAM support off at configure time with --without-pam. If PAM is detected, it is switched on automatically.
      The --without-pam option is used when RSA authentication is used instead.

      [root@myhost ]# tar -xvf zlib.tar
      [root@myhost ]# cd zlib-1.1.3
      [root@myhost zlib-1.1.3]# ./configure && make && make install

      If an error occurs during the installation, I am sorry, but read the README file. Whenever I hit an error, I look through the README files for anything related to it.

      Installing OpenSSL requires the following.

           *  Perl 5
           *  an ANSI C compiler
           *  a supported Unix operating system

      [root@myhost ]# tar -xvf openssl-0.9.5a.tar
      [root@myhost ]# ./config && make && make test && make install

      Now install OpenSSH.

      [root@myhost ]# cd openssh-2.1.1p2
      [root@myhost ]# ./configure --without-pam && make && make install

      If OpenSSH compiled successfully you will see messages like the following.
      Key generation complete.
      Your identification has been saved in /usr/local/etc/ssh_host_key.
      Your public key has been saved in /usr/local/etc/ssh_host_key.pub.
      The key fingerprint is:
      d5:74:83:d0:3f:c4:b4:d6:c5:39:1d:94:ee:9b:a8:61 root@soc1.priv.nuasis.com
      Generating DSA parameter and key.
      Your identification has been saved in /usr/local/etc/ssh_host_dsa_key.
      Your public key has been saved in /usr/local/etc/ssh_host_dsa_key.pub.
      The key fingerprint is:
      ed:58:65:b9:8b:fe:05:81:c2:8c:06:c9:cb:ac:bb:e6 root@soc1.priv.nuasis.com

      2) CONFIGURING OPENSSH

      Even if you use the default configuration, look through the ssh config files now so you are prepared when you need to change them later. The configuration files are /usr/local/etc/ssh_config and /usr/local/etc/sshd_config.
      After the installation finishes, a host key and a DSA key will have been generated.

      Configure it by referring to the documentation that comes with the SSH distribution.

       

      4. THE FIREWALL

      Packet filtering is not needed until some vulnerability is found on your system. The reason for filtering the syslog port (514/udp) is that when garbage is sent to the syslog server there is no way to stop it; more importantly, UDP is easily spoofed.
      At the very least, when all the logs from several computers come in on one interface, this lets you safely filter everything that arrives from outside.

      Below is a shell script for a Linux machine using ipchains.

      #!/bin/sh

      PATH=/usr/sbin:/sbin:/bin:/usr/sbin

      LOCAL_INTERFACE="192.168.1.1/32"
      # put your real IP address here
      LOCAL_IFNAME="eth0"
      # name of the interface, for -i (the original script passed the address here)
      LOCAL_NETWORK="192.168.1.0/24"
      # put your local net IP address/mask here
      SSH_PERMITTED="192.168.1.2/32 192.168.2.3/32"
      # who is allowed to ssh
      SYSLOG_PERMITTED="192.168.1.5/32 192.168.5.2/32"
      # who is allowed to send syslog messages

      # deny everything
      ipchains -P input DENY
      ipchains -P output DENY
      ipchains -P forward DENY
      ipchains -F

      # permit ssh
      for ipaddr in $SSH_PERMITTED
      do
          ipchains -A input -p tcp -s $ipaddr -d 0/0 22 -i $LOCAL_IFNAME -j ACCEPT
      done

      # permit outgoing tcp (and the replies to it)
      ipchains -A output -p tcp -i $LOCAL_IFNAME -j ACCEPT
      ipchains -A input -p tcp ! -y -i $LOCAL_IFNAME -j ACCEPT

      # permit syslog
      for ipaddr in $SYSLOG_PERMITTED
      do
          ipchains -A input -p udp -s $ipaddr -d $LOCAL_INTERFACE 514 -i $LOCAL_IFNAME -j ACCEPT
      done

      # if you would like to log all the other connection
      # attempts, uncomment these...
      #ipchains -A input -p tcp -i $LOCAL_IFNAME -l -j DENY
      #ipchains -A input -p udp -i $LOCAL_IFNAME -l -j DENY
      #ipchains -A input -p icmp -i $LOCAL_IFNAME -l -j DENY

      If you use the IP Filter package instead, the equivalent is roughly the following.

      # close everything on the local interface
      block in on le0 all

      # pass secureshell (inbound to port 22, and the replies back out)
      pass in on le0 proto tcp from 192.168.1.2/32 to 192.168.1.1/32 port = 22
      pass out on le0 proto tcp from 192.168.1.1/32 port = 22 to 192.168.1.2/32

      # or you can replace these two rules with
      #pass in on le0 proto tcp from 192.168.1.2/32 to 192.168.1.1/32 port = 22 keep state

      # pass SYSLOG
      pass in on le0 proto udp from 192.168.1.2/32 to 192.168.1.1/32 port = 514

       

      5. LOG REPORTING

      No matter how good a remote log server you build, it is useless if you cannot monitor it yourself. I recommend the following utilities.

         *   Logcheck - www.psionic.com
         *   Swatch - www.swatch.org

      Below is a simple shell script by Mr. Bill Pennington. It stores the daily/hourly/minute log files under a given name and location.

      #!/bin/bash
      #Simple script to rotate the log files on a daily basis
      #Bill Pennington 1/19/2000

      #Set the date variable
      date=`date +%m-%d-%Y`

      #Rename the messages file
      mv /var/log/messages /var/log/messages.$date
      #HUP the syslog daemon so it writes to a new file
      killall -HUP syslogd

      #Compress the file
      /bin/gzip /var/log/messages.$date
      #Rename the secure file
      mv /var/log/secure /var/log/secure.$date

      #HUP the syslog daemon so it writes to a new file
      killall -HUP syslogd

      #Compress the file
      /bin/gzip /var/log/secure.$date

      #Rename mail file
      mv /var/log/maillog /var/log/maillog.$date

      #HUP the syslog daemon so it writes to a new file
      killall -HUP syslogd

      #Compress the file
      /bin/gzip /var/log/maillog.$date

      #Then scp them somewhere
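      The same rotation done in one pass, as an added example that is neither the article's nor Bill Pennington's script: every log is renamed first, syslogd is sent a single HUP instead of one per file, and a rotation that already exists for today is skipped rather than overwritten. LOG_DIR and HUP_CMD are knobs this example introduces so it can be exercised on a scratch directory; on a real host the defaults (/var/log and killall -HUP syslogd) apply.

```shell
#!/bin/sh
# Added example, not the article's script and not Bill Pennington's: rotate
# several syslog files with one HUP. LOG_DIR and HUP_CMD are this example's
# own knobs; their defaults match the script above.

LOG_DIR=${LOG_DIR:-/var/log}
HUP_CMD=${HUP_CMD:-"killall -HUP syslogd"}

# rotate_logs NAME...
#   For each NAME present in LOG_DIR: rename it with today's date, leave an
#   empty file in its place, then HUP syslogd once and compress the old files.
rotate_logs() {
    stamp=$(date +%m-%d-%Y)
    rotated=""
    for name in "$@"; do
        log=$LOG_DIR/$name
        [ -f "$log" ] || continue            # nothing to rotate today
        if [ -e "$log.$stamp" ] || [ -e "$log.$stamp.gz" ]; then
            echo "rotate_logs: $log.$stamp already exists, skipping $name" >&2
            continue
        fi
        mv "$log" "$log.$stamp"
        : > "$log"                           # syslogd would also recreate it on HUP
        rotated="$rotated $log.$stamp"
    done
    [ -n "$rotated" ] || return 0
    sh -c "$HUP_CMD"                         # one HUP reopens every log file
    for old in $rotated; do
        gzip "$old"
    done
}

# Stand-alone use (saved as, e.g., rotate_logs.sh): rotate_logs.sh messages secure maillog
if [ $# -gt 0 ]; then
    rotate_logs "$@"
fi
```

      Sending a single HUP after all the renames keeps syslogd from reopening its files three times in a row, and compressing only after the HUP means the daemon is never writing into a file that gzip is reading.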

       

      6. TIME

      The server must always have the correct time and date. After installing xntpd, run "ntpdate timeservername" at least once a day.
      I run it twice a day. Of course, do this on every server you have.

       

      7. OTHER SYSLOG DEVICES

      There are other devices, such as Cisco equipment, that can be configured to log to syslog. To get an accurate picture of your network and servers, configure all of your devices to log to syslog.

      Cisco
      All Cisco devices support syslog. A few examples follow, but check your own Cisco documentation.

      Routers
           In config mode...

           logging <server ip address or name>
           logging facility <facility>          defaults to LOCAL7

      Pix Firewall
           In config mode...

           logging host <ip address of syslog server>
           logging facility <facility>          defaults to LOCAL4
           logging trap <level>                 from emergencies to debug; be careful with debug, you will get a ton of traffic!

      Switches
           In config mode...

           set logging server enable
           set logging server <ip address of log server>
           set logging session enable
           set logging level all 1 default

      Windows NT
      You can have an NT server forward specific events to the syslog server. There are several shareware/freeware packages for this.
      Search for syslog at http://www.bhs.com.

     

    E. RESOURCES

        * Swatch - http://www.stanford.edu/~atkins/swatch/
        * OpenSSH - http://www.openssh.com
        * LogCheck - http://www.psionic.com/abacus/logcheck/
        * xntp and list of public NTP servers - http://www.eecis.udel.edu/~ntp/
        * Cisco - http://www.cisco.com
        * Windows NT software - http://www.bhs.com
        * Robert Graham's sniffing FAQ (hints to build a `receive-only device') -
           http://www.robertgraham.com/pubs/sniffing-faq.html
        * IP Filter - TCP/IP filtering package: http://coombs.anu.edu.au/~avalon/

     

    F. TRANSLATOR'S NOTE

    Content that I personally judged not strictly necessary has been removed or changed. For untranslated material mentioned by the author (Eric Hines), please refer to the original article. :)



