LINUX FIREWALL
Firewall Systems on Linux [2]

    Lee Su-jun et al., BIT NETWORK 67th class
    VIRUSAWALL & SSL APPLICATION team

     

 

    In the previous issue we covered the firewall and routing concepts, routers, and bastion hosts needed to build a Linux firewall. This issue continues with the installation, configuration, and operation of FWTK.

 

Overview of the TIS Firewall Toolkit

    The TIS Firewall Toolkit is not a single integrated firewall package but a collection of the tools needed to build firewall software. The kind of firewall host that can be built with it is a proxy-style firewall host: a proxy is placed for each network service, and these proxies carry out the firewall's functions. The proxies provided by the toolkit include a remote login proxy, a file transfer proxy and an electronic mail proxy, and a separate authentication server supports various forms of user authentication. All of these applications are supplied as source code, so a user with a little programming experience can compile and use them easily, and can also develop and add new functions as their knowledge allows.

    The TIS Firewall Toolkit is distributed as a single file, fwtk.tar.Z. After obtaining the file, decompressing it, and unpacking it with the Unix tar command, you will see a directory layout like <Figure 2.1>. Each directory, of course, contains the source files of the corresponding program or tool.

     

    fwtk
     |-- auth
     |-- config
     |-- ftp-gw
     |-- http-gw
     |-- lib
     |-- netacl
     |-- plug-gw
     |-- rlogin-gw
     |-- smap
     |-- smapd
     |-- tn-gw
     |-- x-gw
     `-- tools
          |-- admin
          |    |-- flog
          |    |-- netscan
          |    |-- portscan
          |    |-- progmail
          |    `-- reporting
          |-- client
          |    |-- gate-ftp
          |    `-- misc
          `-- server
               |-- aix-auth
               |-- ftpd
               |-- login-sh
               |-- login-ts
               |-- syslog
               `-- x-gw

    <Figure 2.1> TIS Toolkit directory structure

    The TIS Firewall Toolkit provides several proxies, and they can be installed selectively when building an actual firewall. Here we look briefly at the function of each proxy.

     

Using access control

    netacl is a network access control program that determines the degree of access to the various TCP-based services used on the server. For example, if you want to allow certain authorized users telnet access to the firewall system, you can enable this by applying netacl with appropriate rules. The same can of course be applied to the ftp and rlogin services.

     

telnet proxy

    The telnet proxy, tn-gw, provides the only path for telnet service to a desired server; it is used in the many network environments where the system administrator does not permit telnet access to the internal network through the firewall host. Unlike netacl, the telnet proxy does not provide direct access to the firewall. That is, telnet via netacl is allowed access to the firewall host itself, whereas telnet via the proxy is given only a logged and controlled path through it.

    The firewall administrator often faces the dilemma of needing both an access path for remote administration of the firewall host and the telnet proxy. This can be solved by editing /etc/services and /etc/inetd.conf so that the real telnetd listens on a port other than telnet's standard TCP port while the proxy is placed on the standard telnet port. In this case, access control such as netacl is also needed for security.

    The operation of tn-gw is very simple. When a telnet connection arriving at the firewall host's standard telnet port is detected, the tn-gw program is started; tn-gw then determines whether the connection to the proxy came from a permitted host and decides to allow or deny it.

     

rlogin proxy

    The rlogin proxy, rlogin-gw, has the same operating mechanism as the telnet proxy except that it provides the rlogin service rather than telnet. In general, however, it is advisable not to allow the rlogin service for access through the firewall host, because the rlogin service itself contains many security weaknesses. We therefore recommend restricting remote login service to the firewall host to telnet.

     

FTP proxy

    The FTP proxy, ftp-gw, permits FTP traffic through the firewall host to the private or the public network; as with the telnet proxy, the proxy starts when an FTP connection to the firewall via the standard FTP port is detected. Having the system used as the firewall host provide FTP service itself is not a particularly good idea. The best approach is to run a separate FTP server, but if FTP service is needed for remote administration of the system, then, as for the telnet service, you can edit /etc/services and /etc/inetd.conf to configure the real ftpd on FTP's standard TCP port and use it. In this case, too, access control such as netacl is of course needed.

     

sendmail proxy

    Correct transfer of mail through the firewall host requires two proxies, called smap and smapd. smap acts as a client that implements only a minimal version of SMTP: it accepts messages from the network and stores them on disk, so that smapd can later re-deliver the stored messages. Because smap, which operates as the proxy, is designed to run chrooted as a non-privileged process, it provides a higher level of security than an ordinary privileged mailer.

    The smapd daemon periodically scans the storage area for mail saved by smap and delivers the collected mail to its recipients. The delivery itself is performed by the MTA (Mail Transfer Agent) sendmail, and messages whose delivery is complete are deleted. If a message cannot be delivered, smapd reorganizes the area where the mail is stored in preparation for a later retry.

     

HTTP proxy

    The HTTP proxy, http-gw, provides a simplified mechanism for HTTP requests passing through the firewall host. It also supports requests from Gopher clients such as Gopher and Gopher+, FTP requests from Gopher clients, and the HTTP, Gopher, Gopher+ and FTP requests sent by WWW clients.

    The HTTP proxy can also support web browsers that have a proxy option, such as Netscape or Explorer. When a browser without a proxy option is used, the user must write URLs so that they go via the proxy.

     

X Windows proxy

    x-gw is an X Windows proxy that enables a user-level X Windows interface under the access control of tn-gw and rlogin-gw. x-gw therefore cannot run on its own; it can be used only once access to the firewall host has been granted through tn-gw or rlogin-gw.

     

Authentication server

    The TIS Firewall Toolkit includes an extensive user authentication mechan­ism. The TIS authentication server consists of two components: the first is the actual server itself, and the second is the user authentication manager, which configures the authentication server and interacts with it.

    The authentication server, called authsrv, maintains an internal user database and is designed to support various kinds of user authentication processes. The user database holding the user information consists of:

      ① the user's login ID
      ② the user's group
      ③ the user's name
      ④ the most recent successful authentication information

    Passwords may be held in plaintext form for internal users or in encrypted form for other users. Plaintext passwords should be used only by authorized internal users, and should not be used by users coming from unauthorized networks such as the external network. The firewall administrator should therefore give users on external networks only encrypted passwords, protecting the internal network from attacks such as network sniffing.
    Users registered in the authsrv database may belong to different groups, and only each group's administrators can manage that group's users. authsrv is also built to support the following user authentication tools:

      ① built-in plaintext passwords
      ② Bellcore's S/Key
      ③ Security Dynamics' SecurID
      ④ Enigma Logic's Silver Card
      ⑤ Digital Pathways' SNK004 Secure Net Key

    Of these, plaintext passwords and Bellcore's S/Key can currently be used free of charge without any additional hardware.

 

Proxies for other services

    In general, more than 80% of network traffic consists of the services mentioned above (telnet, rlogin, FTP, sendmail and HTTP). But how should services not mentioned here, such as the Network News Transfer Protocol (NNTP) and the Post Office Protocol (POP), be handled?
    As its answer, the TIS Firewall Toolkit provides the plug-gw proxy for plug-board style connections.

 

Obtaining the TIS Firewall Toolkit

    First, connecting to http://www.tis.com/ brings up instructions, including the download procedure, which say that to download the TIS Firewall Toolkit you should send an e-mail containing the word send to fwtk-request@tis.com; follow them as given. A day or two later an e-mail arrives from TIS giving the FTP site and directory from which the toolkit can be downloaded; log in to that site and directory by FTP and fetch the file to obtain the toolkit. TIS also collects the documents related to the toolkit into a separate file called fwtk-doc-only_tar.tar.Z. Usually this document file is decompressed and untarred in the same directory as the program files and consulted during use.

     

Building the bastion host

 

Removing user accounts from the bastion host

    Unless absolutely necessary, all user accounts on the bastion host should be removed. A bastion host without user accounts can provide a higher level of security, for the following reasons:

      ① Accounts themselves contain security vulnerabilities.
      ② The services used to manage accounts contain security vulnerabilities.
      ③ Accounts can reduce the stability and reliability of the machine.
      ④ Users can weaken the bastion host's defenses.
      ⑤ Detecting attacks becomes harder.

 

Steps for building the bastion host

    A bastion host running a general-purpose operating system is built in the following order:

      ① Raise the machine's own security level.
      ② Stop all unnecessary services.
      ③ Install and modify the services whose functions you want to provide.
      ④ Reconfigure the machine into the desired operating environment.
      ⑤ Run security audit tools to check that the machine conforms to the baseline.
      ⑥ Based on the audit results, connect the machine to the network and put it into use.

     

Preparing to build the firewall environment

    The first step in building the firewall environment is, as mentioned above, to stop unnecessary services:

      ① Edit /etc/inetd.conf.
      ② Edit the system startup scripts such as /etc/rc and /etc/rc2.d/*.
      ③ Modify the operating system configuration to remove unnecessary kernel-based services.

     

Network permission table

    When the firewall software has been installed correctly, the network permission table, which exists as the file /usr/local/etc/netperm-table, is the key configuration file for the components of a TIS Firewall Toolkit based firewall (netacl, smap, smapd, ftp-gw, tn-gw, plug-gw and so on).

    When a toolkit proxy starts, it reads its configuration and access permission information from the network permission table, stores it in memory as a database, and keeps it for later use. The access permission/configuration file is made up of access rules; each rule is named for the application proxy to which it applies and is written with a colon (:), as "application-proxy-name: access rule". Several application proxies that share the same rule can be listed together with commas (,), as "application-proxy-name-1, application-proxy-name-2: access rule", and symbols such as "*" may also be used. When a particular application proxy extracts its configuration, it picks out only the rules that apply to it and applies them in order. The following listing shows example access rules for smap and smapd.

      # sample rules for smap
      smap, smapd: userid   4
      smap, smapd: directory  /mail/inspool
      smap:         timeout  3600

    ¾îÇø®ÄÉÀÌ¼Ç ÇÁ¶ô½Ã°¡ ÀÚ½ÅÀ» À§ÇÑ Á¢±Ù ±ÔÄ¢À» ¹ß°ßÇϸé, ÇØ´ç ±ÔÄ¢Àº ³»ºÎÀûÀ¸·Î °ø¹é ¹®ÀÚ ´ÜÀ§ÀÇ ¹®ÀÚ¿­·Î ±¸ºÐµÇ¾î ÀÌÈÄ »ç¿ë¿¡ ´ëºñÇÑ´Ù. ÀϹÝÀûÀ¸·Î ù¹ø° ´Ü¾î°¡ ±ÔÄ¢À» ³ªÅ¸³»°í, ´ÙÀ½¿¡ À̾îÁö´Â ´Ü¾îµéÀÌ ÇØ´ç ±ÔÄ¢¿¡ Àû¿ëµÇ´Â ¿É¼Ç ÆĶó¹ÌÅ͸¦ ³ªÅ¸³½´Ù.

    In the smap client and smapd server example above, the userid entry gives the user ID under which the application runs, the directory entry gives the file location, and the timeout entry gives the maximum wait time.

    The strings that express an access rule can carry a variety of meanings. For example, when a rule begins with permit-hosts or deny-hosts it is followed by the IP addresses of the hosts to allow or deny, and the matching hosts are allowed or denied accordingly.

      # sample rules for netacl
      netacl-in.ftpd:      permit-hosts 202.30.113.5 -exec /usr/sbin/in.ftpd
      netacl-in.ftpd:      permit-hosts 203.68.35.112 -exec /usr/sbin/in.ftpd
      netacl-in.ftpd:      deny-hosts unknown
      netacl-in.ftpd:      deny-hosts *

    There are several conventions to keep in mind when writing the network permission table; they keep the file consistent and help produce a rule list that is easier to understand and manage. For illustration, consider a rule that specifies a host name or the source host's IP address and decides the permitted hosts by pattern matching.

      netacl-in.ftpd: permit-hosts 202.30.113.5 -exec /usr/sbin/in.ftpd

    With the above rule in place, when a connection request arrives, the remote machine's IP address is used to decide whether the rule matches. Next, consider a permit rule written with a domain name.

      netacl-in.ftpd: permit-hosts *.nca.or.kr -exec /usr/sbin/in.ftpd

    When an access rule uses a domain name rather than the remote machine's IP address, the possibility of DNS spoofing can weaken the security of the firewall host, so we recommend not overusing this form.

    ¾îÇø®ÄÉÀÌ¼Ç ÇÁ¶ô½Ã°¡ IP ¾îµå·¹½º¸¦ µµ¸ÞÀÎ À̸§À¸·Î ¹Ù²Ù±â À§ÇÑ ¸®¹ö½º ·è¾÷(reverse lookup)½Ãµµ°¡ ½ÇÆÐÇÏ´Â °æ¿ì È£½ºÆ® À̸§Àº "unknown"À¸·Î ¼³Á¤µÇ¸ç, ÀÌ¿ÜÀÇ °æ¿ì ¿ø°Ý ½Ã½ºÅÛÀÇ È£½ºÆ® À̸§À» ¹Ýȯ¹Þ°Ô µÈ´Ù. ¾Æ¿ï·¯ µµ¸ÞÀÎ À̸§ ã±â°¡ ¹æÈ­º® È£½ºÆ®¿¡ ÀÇÇØ ¼öÇàµÉ °æ¿ì, ¸®¹ö½º ·è¾÷¿¡ ÀÇÇØ ¹ÝȯµÇ´Â µµ¸ÞÀÎ À̸§À» ¾Ë¾Æ³»±â À§ÇÑ ÀÛ¾÷Àº ¾ÈÀüÀ» º¸Àå¹ÞÀ» ¼ö ÀÖ°Ô µÇ¸ç, ÀÌ·¯ÇÑ È¯°æ ±¸¼ºÀ¸·Î DNS ½ºÇªÇÎÀ» ¸·À» ¼ö ÀÖ´Ù. ¸¸ÀÏ IP ¾îµå·¹½º°¡ DNS½Ã½ºÅÛ ³»¿¡ À§Ä¡ÇÒ ¼ö ¾ø´Ù¸é, È£½ºÆ® À̸§Àº "unknown"À¸·Î ¼³Á¤ µÇ°í °æ°í°¡ ·Î±×µÇ´Âµ¥, ÀÌ¿Í °°ÀÌ ¹æÈ­º®Àº À¯È¿ÇÑ DNS ¸ÅÇÎÀ» °¡ÁöÁö ¾ÊÀº È£½ºÆ®¿¡ ´ëÇؼ­µµ µ¿ÀÛÇÏ´Â ±ÔÄ¢À» Çã¿ëÇÑ´Ù. Áï, ÀÎÅÍ³Ý »ó¿¡¼­ ¾î¶² È£½ºÆ®µµ ¹æÈ­º®À» Åë°úÇϵµ·Ï ÇѴٰųª, ȤÀº ¸®¹ö½º DNS ¾îµå·¹½ÌÀÌ Àß ±¸¼ºµÇ¾î ÀÖÀ» °æ¿ì ƯÁ¤ ¼­ºñ½º¿¡ Á¢±Ù Çϵµ·Ï ÇÏ´Â °ÍÀÌ °¡´ÉÇÏ´Ù´Â ¶æÀÌ µÉ ¼ö ÀÖ´Ù.

 

Network access control

    A TIS Firewall Toolkit based firewall provides a program called netacl for network access control. netacl is started by the inetd daemon and is responsible for allowing or denying service requests from remote users and systems. When configuring netacl in inetd.conf, it is very important that netacl takes only one argument, namely the name of the service to start; any further arguments are used by the service that netacl starts. See the following inetd.conf example.

      ftp  stream tcp nowait root /usr/local/etc/netacl /usr/sbin/in.ftpd

    With this configuration, when inetd accepts an ftp connection request, the netacl program starts with /usr/sbin/in.ftpd as its argument. Before the ftpd daemon is started, netacl checks whether the request matches the connection rules in netperm-table and decides whether to run ftpd. Conventionally the rule name is formed by combining netacl- with the service name, so for the service in.ftpd the rule name must be netacl-in.ftpd.

      netacl-in.ftpd: permit-hosts 202.30.113.5 -exec /usr/sbin/in.ftpd

     

    Service   Keyword                            Description
    -------   --------------------------------   ----------------------------------------------------
    netacl    permit-hosts <IP address or        Hosts that are allowed to connect.
              host name>
              deny-hosts <IP address or          Hosts that are refused; the refusal is recorded
              host name>                         via syslogd.
              -exec <executable> [arg]           The program that handles the requested service.
                                                 This option must be present and must come last.
              -user <user ID>                    Numeric UID or /etc/passwd user name under which
                                                 the program is started.
              -chroot <rootdir>                  Directory into which netacl chroot(2)s before
                                                 invoking the service program, i.e. the new root
                                                 directory the service program will use.

    <Table 3.1> Access rules for netacl

    In the above example, only the host with IP address 202.30.113.5 can access the ftp service on the firewall. <Table 3.1> lists the various keywords for netacl; refer to it when writing access rules.

    Acceptance and refusal of requested services are recorded by the syslog daemon as follows, so they can be used later in analysing the firewall system.

      Oct 31 00:12:30 firewall netacl[339]: deny host=test.nca.or.kr/202.30.113.3 service=in.ftpd
      Oct 31 00:13:30 firewall netacl[354]: deny host=test.nca.or.kr/202.30.113.3 service=in.ftpd excute=/usr/sbin/in.ftpd

    The first line of the log report shows that the ftp service requested by host test.nca.or.kr was refused by netacl, and the second line shows that the ftp connection request was permitted. However, since nothing is shown about the user who requested the connection, there is a limit to how far an illegitimate user can be traced. Referring to the netacl rules shown next, you can write the access rules you need and control access effectively.

      netacl-in.telnetd: permit-hosts 198.53.64.* -exec /usr/sbin/in.telnetd
      netacl-in.ftpd:    permit-hosts unknown -exec /usr/bin/cat noftp.txt
      netacl-in.ftpd:    permit-hosts 204.191.3.* -exec /usr/sbin/in.ftpd
      netacl-ftpd:       permit-hosts * -chroot /home/ftp -exec /usr/etc/ftpd

    In the above example, netacl is configured to allow telnet service only to hosts on a particular subnet; every FTP connection from a system without a valid DNS name is configured to print the file noftp.txt; and FTP service is allowed only to hosts on a particular subnet. FTP requests from any network other than the hosts mentioned above are handed to a separate FTP server in a specific directory, so the services offered can be restricted within that separate FTP server.
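The rule lookup and host matching described in the two sections above, as an added example that is not code from the article or from FWTK itself: a Python model that parses a small netperm-table, applies the netacl-<service> rules in order to a client's IP address and reverse-lookup name ("unknown" when the lookup failed), and produces a syslog-style line in the shape the article shows. The rule lines, addresses and host names are constructed for the demo; the real netacl is a C program whose parser is not reproduced here.

```python
"""Added example (not from the article or from FWTK): a model of how a
netperm-table is read and how a netacl-style access decision is made.
Rules, addresses and host names below are constructed for the demo."""
from fnmatch import fnmatchcase

# Constructed netperm-table fragment (not a real site's configuration).
SAMPLE_TABLE = """\
# sample rules for netacl (constructed)
netacl-in.telnetd: permit-hosts 198.53.64.* -exec /usr/sbin/in.telnetd
netacl-in.ftpd:    permit-hosts unknown -exec /usr/bin/cat noftp.txt
netacl-in.ftpd:    permit-hosts 204.191.3.* -exec /usr/sbin/in.ftpd
netacl-in.ftpd:    deny-hosts *
"""


def parse_netperm_table(text):
    """Return a list of (application names, rule words) in file order.
    'app1, app2: keyword arg ...' -> (['app1', 'app2'], ['keyword', 'arg', ...]).
    Comment lines, blank lines and rules with no body are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        apps, _, body = line.partition(":")
        words = body.split()
        if not words:
            continue
        rules.append(([a.strip() for a in apps.split(",")], words))
    return rules


def rules_for(rules, app):
    """Only the rules that apply to this application, in order; a '*'
    application name matches every application."""
    return [words for names, words in rules
            if any(fnmatchcase(app, n) for n in names)]


def host_matches(pattern, ip, name):
    """A pattern matches on the client's IP address or on its reverse-lookup
    name; the name is 'unknown' when the lookup failed."""
    return fnmatchcase(ip, pattern) or fnmatchcase(name, pattern)


def netacl_decide(rules, service, ip, name):
    """Walk the netacl-<service> rules; return ('permit', exec_words) or
    ('deny', None). A host matched by no rule is denied."""
    for words in rules_for(rules, "netacl-" + service):
        keyword, rest = words[0], words[1:]
        if keyword not in ("permit-hosts", "deny-hosts"):
            continue  # userid, timeout, ... are not host rules
        patterns, options = [], []
        for w in rest:  # host patterns come first, '-options' after them
            (options if (options or w.startswith("-")) else patterns).append(w)
        if not any(host_matches(p, ip, name) for p in patterns):
            continue
        if keyword == "deny-hosts":
            return "deny", None
        exec_words = options[options.index("-exec") + 1:] if "-exec" in options else []
        return "permit", exec_words
    return "deny", None


def log_line(service, ip, name, decision, exec_words):
    """syslog-style message in the shape the article shows for netacl."""
    msg = "%s host=%s/%s service=%s" % (decision, name, ip, service)
    if decision == "permit" and exec_words:
        msg += " execute=%s" % exec_words[0]
    return msg


if __name__ == "__main__":
    table = parse_netperm_table(SAMPLE_TABLE)
    for svc, ip, name in [("in.ftpd", "204.191.3.7", "host7.example.test"),
                          ("in.ftpd", "10.9.8.7", "unknown"),
                          ("in.ftpd", "202.30.113.3", "test.example.test"),
                          ("in.telnetd", "198.53.64.2", "unknown")]:
        decision, exec_words = netacl_decide(table, svc, ip, name)
        print(log_line(svc, ip, name, decision, exec_words))
```

The trailing "deny-hosts *" rule is what turns the list into a default-deny policy; without it a host matched by no permit-hosts line is still denied here, but an explicit catch-all makes the intent visible in the table and in the log.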

     

Operating the proxy servers

 

1) telnet proxy

    A TIS Firewall Toolkit based firewall provides a telnet proxy called tn-gw for the telnet service. tn-gw is also started by the inetd daemon, and the desired proxy behaviour is obtained by editing /etc/inetd.conf as follows.

      telnet stream tcp nowait root /usr/local/etc/tn-gw tn-gw

     

    Command                               Description
    -----------------------------------   ---------------------------------------------------------
    c[onnect] hostname [port]             Attempts a connection to the remote host. Access to the
    telnet hostname [port]                remote host may still be refused by the destination
    open                                  host rules.
    x[-gw] [display/hostname]             Invokes the X Windows gateway. The default display name
                                          uses :0.0, as in test.nca.or.kr:0.0.
    help                                  Displays the help file configured by the user.
    ?
    quit                                  Closes the connection from the gateway.
    exit
    close

    <Table 4.1> tn-gw commands

     

    Option                                Description
    -----------------------------------   ---------------------------------------------------------
    userid user                           Numeric UID or /etc/passwd user name under which the
                                          program is started.
    directory pathname                    Directory into which tn-gw chroot(2)s before invoking
                                          the service program.
    prompt string                         Prompt used by tn-gw in command mode.
    denial-msg file                       File holding the message shown to the remote user when
                                          proxy use is refused; a default message is shown if unset.
    timeout seconds                       Idle time after which the proxy drops the connection;
                                          no timeout is set by default.
    welcome-msg file                      File holding the message shown to the remote user when
                                          proxy use is permitted; a default message is shown if unset.
    help-msg file                         File holding the help text shown in response to the
                                          'help' command; default help is shown if unset.
    denydest-msg file                     File holding the message shown to the remote user when
                                          user authentication is refused; a default message is
                                          shown if unset.
    authserver host [port [cipherkey]]    Name or IP address of the system used for network
                                          authentication. If tn-gw was compiled with a built-in
                                          authentication server and port, those are the defaults,
                                          but when this rule is set it takes effect. If the server
                                          supports DES encryption, the cipherkey option gives more
                                          secure communication.
    hosts hostname [hostname2 ...] [options]
                                          Access permission rule for the listed hosts.

    <Table 4.2> Access rules for tn-gw

    In this configuration, when a connection attempt on the telnet port occurs, tn-gw starts and checks whether the requesting host is one that is permitted to connect to the proxy. As with netacl, tn-gw decides whether to allow the connection according to the access rules configured in netperm-table. Consider the case where the following access rules are set in netperm-table for tn-gw.

      tn-gw: denial-msg   /usr/local/etc/tn-deny.txt
      tn-gw: welcome-msg  /usr/local/etc/tn-welcome.txt
      tn-gw: help-msg     /usr/local/etc/tn-help.txt
      tn-gw: timeout      3600
      tn-gw: permit-hosts 202.30.113.* -dest *.nca.or.kr -dest !* -passok -xok

    In this case, a user attempting to connect from a site other than 202.30.113.* is not refused the connection outright but is unable to use the desired service. When the host is found to be a permitted one, the tn-gw program enters its command wait loop; the commands available at that point are those shown in <Table 4.1>.

    When a permitted host connects to the proxy, the user first sees the contents of the welcome file selected by the tn-gw options and then enters the command prompt. At the prompt only the commands shown in <Table 4.1> can be used.

    The access permit and deny rules for the telnet proxy can be modified by several additional options.
    Let us examine the following rules in the light of <Table 4.2>.

      tn-gw:  deny-hosts    unknown
      tn-gw:  hosts         202.30.113.* 192.94.12.*

    When these rules apply, a connection whose domain name cannot be found in DNS is refused, and only access from the 202.30.113 and 192.94.12 networks is allowed. Let us look once more at the rule applied earlier.

      tn-gw: permit-hosts 202.30.113.* -dest *.nca.or.kr -dest !* -passok -xok

    In this case, of the connections requested from the 202.30.113 network only those to nca.or.kr are allowed, and all other connection requests are refused. Additional options are written with a leading hyphen: the -dest option denotes the destination systems to which connections are allowed, and used with ! it denotes systems that are not permitted. The additional options are described in <Table 4.3>.

    Option                                Description
    -----------------------------------   ---------------------------------------------------------
    -dest pattern                         List of valid destination systems. If no list is set,
    -dest { pattern1 pattern2 ... }       every destination is valid. A ! in a -dest pattern
                                          means negation.
    -auth                                 The proxy uses user authentication, so access is granted
                                          only after authentication by the separate authentication
                                          server.
    -passok                               Permitted users may change their own passwords.

    <Table 4.3> Host access rules

    Option                                Description
    -----------------------------------   ---------------------------------------------------------
    userid user                           Numeric UID or /etc/passwd user name under which the
                                          program is started.
    directory pathname                    Directory into which ftp-gw chroot(2)s before invoking
                                          the service program.
    prompt string                         Prompt used by ftp-gw in command mode.
    denial-msg file                       File holding the message shown to the remote user when
                                          proxy use is refused; a default message is shown if unset.
    timeout seconds                       Idle time after which the proxy drops the connection;
                                          no timeout is set by default.
    welcome-msg file                      File holding the message shown to the remote user when
                                          proxy use is permitted; a default message is shown if unset.
    help-msg file                         File holding the help text shown in response to the
                                          'help' command; default help is shown if unset.
    denydest-msg file                     File holding the message shown to the remote user when
                                          user authentication is refused; a default message is
                                          shown if unset.

    <Table 4.4> Access rules for ftp-gw
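The -dest handling from <Table 4.3> and the rule just discussed, as an added example written in Python (not code from the article or from FWTK): it splits a permit-hosts rule into source patterns, -dest patterns (a single pattern or a brace group) and flags, then decides a source/destination pair. The rule lines and host names are constructed. One assumption is made where the table is silent: when a -dest list is present but matches nothing, the destination is treated as not valid and refused, following the table's wording that the list enumerates the valid destinations.

```python
"""Added example (not from the article or from FWTK): evaluating the source
and -dest parts of a tn-gw/ftp-gw permit-hosts rule, including '!' negation.
Rule text and host names are constructed for the demo."""
from fnmatch import fnmatchcase

# Constructed rule, in the shape the article shows for tn-gw.
SAMPLE_RULE = "tn-gw: permit-hosts 202.30.113.* -dest *.nca.or.kr -dest !* -passok -xok"


def parse_permit_rule(line):
    """Split 'app: permit-hosts <source patterns> <options>' into
    (app, source patterns, dest patterns, flags). A -dest argument is either
    one pattern or a brace group '{ p1 p2 ... }'; other '-options' are flags."""
    app, _, body = line.partition(":")
    words = body.split()
    assert words and words[0] == "permit-hosts", "only permit-hosts rules are modelled"
    sources, dests, flags = [], [], []
    i = 1
    while i < len(words) and not words[i].startswith("-"):
        sources.append(words[i])
        i += 1
    while i < len(words):
        w = words[i]
        if w == "-dest":
            i += 1
            if words[i] == "{":
                i += 1
                while words[i] != "}":
                    dests.append(words[i])
                    i += 1
            else:
                dests.append(words[i])
        else:
            flags.append(w)
        i += 1
    return app.strip(), sources, dests, flags


def source_allowed(sources, ip, name):
    """Source patterns match the client's IP address or reverse-lookup name."""
    return any(fnmatchcase(ip, p) or fnmatchcase(name, p) for p in sources)


def dest_allowed(dests, dest_host):
    """No -dest list: every destination is valid. Otherwise the first matching
    pattern decides, and a leading '!' means the match is a refusal. A list
    that matches nothing refuses (assumption, see lead-in)."""
    if not dests:
        return True
    for p in dests:
        negate = p.startswith("!")
        if fnmatchcase(dest_host, p.lstrip("!")):
            return not negate
    return False


def decide(line, src_ip, src_name, dest_host):
    """Return ('permit' | 'deny-source' | 'deny-dest', flags) for one rule."""
    _, sources, dests, flags = parse_permit_rule(line)
    if not source_allowed(sources, src_ip, src_name):
        return "deny-source", flags
    if not dest_allowed(dests, dest_host):
        return "deny-dest", flags
    return "permit", flags


if __name__ == "__main__":
    for src_ip, src_name, dest in [("202.30.113.9", "pc9.example.test", "www.nca.or.kr"),
                                   ("202.30.113.9", "pc9.example.test", "ftp.example.test"),
                                   ("10.0.0.1", "unknown", "www.nca.or.kr")]:
        print(src_ip, "->", dest, decide(SAMPLE_RULE, src_ip, src_name, dest))
```

Because "-dest !*" comes after "-dest *.nca.or.kr", order matters: swapping the two would refuse every destination, since the negated catch-all would match first.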

 

2) FTP proxy

    The FTP proxy program ftp-gw is also started by the inetd daemon; edit /etc/inetd.conf as follows to obtain the desired proxy behaviour.

      ftp  stream  tcp  nowait  root  /usr/local/etc/ftp-gw  ftp-gw

    In this configuration, when a connection attempt on the FTP port occurs, ftp-gw starts and checks whether the requesting host is permitted to connect to the proxy. As with tn-gw, ftp-gw decides whether to allow the connection according to the access rules configured in netperm-table; <Table 4.4> lists the keywords for ftp-gw, so refer to it when writing access rules.

    Option                                Description
    -----------------------------------   ---------------------------------------------------------
    -dest pattern                         List of valid destination systems. If no list is set,
    -dest { pattern1 pattern2 ... }       every destination is valid. A ! in a -dest pattern
                                          means negation.
    -auth                                 The proxy uses user authentication, so access is granted
                                          only after authentication by the separate authentication
                                          server.
    -passok                               Permitted users may change their own passwords.
    -virus                                Reports whether a file transferred by FTP contains a
                                          virus. (Added feature.)

    <Table 4.5> Host access options

    Consider the case where the following access rules are set for ftp-gw in netperm-table.

      ftp-gw:  denial-msg   /usr/local/etc/ftp-deny.txt
      ftp-gw:  welcome-msg  /usr/local/etc/ftp-welcome.txt
      ftp-gw:  help-msg  /usr/local/etc/ftp-help.txt
      ftp-gw:  denydest-msg  /usr/local/etc/ftp-baddest.txt
      ftp-gw:  timeout     3600

    The permit and deny rules for the FTP proxy can be modified by several additional options.

      ftp-gw:  deny-hosts   unknown
      ftp-gw:  hosts         202.30.113.* 192.94.12.*

    When these rules apply, a connection whose domain name cannot be found in DNS is refused, and only access from the 202.30.113 and 192.94.12 networks is allowed. The additional options are described in <Table 4.5>.

    Once a connection through the FTP proxy is made and the host is found to be permitted, user authentication may be required according to the access rules. When user authentication is used, the netperm-table contents look like this:

      ftp-gw:  permit-hosts 202.30.63.* -authall -log { retr stor }

     

Summary of system files

     

    Example netperm-table

     

    #  cat /usr/local/etc/netperm-table
    #  Sample netperm configuration table
    #
    #  To get a good sample working netperm-table, just globally
    #  substitute YOURNET for your network address (e.g. 666.777.888)
    #
    #  Netacl rules:
    #------------------------------------------------------------
    netacl-in.telnetd: permit-hosts 202.30.113.3 -exec /usr/sbin/in.telnetd
    netacl-in.ftpd:    permit-hosts 202.30.113.3 -exec /usr/sbin/in.ftpd
    #------------------------------------------------------------
    #
    #  Telnet gateway rules:
    #------------------------------------------------------------
    tn-gw:   userid        bin
    tn-gw:   directory     /home/telnet
    tn-gw:   denial-msg    /usr/local/etc/tn-deny.txt
    tn-gw:   welcome-msg   /usr/local/etc/tn-welcome.txt
    tn-gw:   timeout       3600
    tn-gw:   prompt        "Enter Command>"
    tn-gw:   permit-hosts  202.30.113.*  -auth  -passok
    tn-gw:   permit-hosts  202.30.114.*  202.30.113.*  -auth
    #------------------------------------------------------------
    #
    #  FTP gateway rules:
    #------------------------------------------------------------
    ftp-gw:  userid        bin
    ftp-gw:  directory     /home/ftp
    ftp-gw:  denial-msg    /usr/local/etc/ftp-deny.txt
    ftp-gw:  welcome-msg   /usr/local/etc/ftp-welcome.txt
    ftp-gw:  timeout       3600
    ftp-gw:  permit-hosts  202.30.113.*  -authall  -dest !202.30.113.2
    ftp-gw:  permit-hosts  202.30.114.*  -virus  -log { retr stor }
    ftp-gw:  permit-hosts  202.30.115.*  -auth { stor }  -log { retr stor }
    #------------------------------------------------------------
    #
    #  HTTP gateway rules:
    #------------------------------------------------------------
    http-gw: userid        bin
    http-gw: deny-hosts    unknown
    http-gw: timeout       3600
    http-gw: permit-hosts  *  -http web.nca.or.kr
    http-gw: default=gopher  web.nca.or.kr
    #------------------------------------------------------------
    #
    #  NNTP gateway rules:
    #------------------------------------------------------------
    plug-gw: timeout       3600
    plug-gw: port nntp  * nca.or.kr  -plug-to ds.krnic.net  -port nntp
    plug-gw: port 23  *  -plug-to 202.30.113.7  -port 23
    #------------------------------------------------------------
    #
    #  SMAP/SMAPD rules:
    #------------------------------------------------------------
    smap, smapd: userid     smtp
    smap, smapd: directory  /var/spool/smap
    smap:        timeout    3600
    smapd:       executable /usr/local/etc/smapd
    smapd:       sendmail   /usr/lib/sendmail
    #------------------------------------------------------------
    #
    #  Auth server rules:
    #------------------------------------------------------------
    authsrv: permit-hosts  127.0.0.1
    #------------------------------------------------------------
    #
    #  Auth client rules:
    #------------------------------------------------------------
    *:       authserver    127.0.0.1  7777
    #
    #  END.

     

    Example inetd.conf file

      

    #  ca /etc/inetd.conf
    #
    #ident   "@(#) inetd.conf  1.16   94/03/08  SMI"  /* SVr4.0  1.5  */
    #  Configuration file for inetd(1M). See inetd.conf(4).
    #
    #  To re-configure the running inetd process, edit this file, then
    #  send the inetd process a SIGHUP.
    #
    #  Syntax for socket-based Internet service :
    #   <service_name> <socket_type> <proto> <flags> <user> <server_pathname>      >> <args>
    #
    #  Syntax for TLI-based Internet services :
    #   <service_name> tli <proto> <flags> <user> <server_pathname> <args>
    #
    #  Ftp and telnet are standard Internet services.
    #
    ftp    stream   tcp   nowait   root   /usr/local/etc/ftp-gw   ftp-gw
    ftp-a    stream   tcp   nowait   root   /usr/local/etc/netacl  in.ftpd
    telnet    stream   tcp   nowait   root   /usr/local/etc/tn-gw   tn-gw
    telnet-a    stream   tcp   nowait   root   /usr/local/etc/netacl  intelnetd
    #
    #  smap/ smapd
    smtp   stream   tcp   nowait   root   /usr/local/etc/smap   smap
    #
    #  authsrv
    authsrv   stream   tcp   nowait   root   /usr/local/etc/authsrv   authsrv
    #
    #  HTTP
    http   stream   tcp   nowait   root   /usr/local/etc/http-gw   http-gw
    gopher   stream   tcp   nowait   root   /usr/local/etc/authsrv   authsrv
    #
    #NNTP
    nntp   stream   tcp   nowait   root   /usr/local/etc/plug-gw   plug-gw nntp
    #
    #  Tnamed serves the obsolete IEN-116 name server protocol.
    #
    name   dgram   udp   wait   root   /usr/sbin/in.tnamed   in.tnamed
    #
    #  Sell, login, exec, comsat and talk are BSD protocols.
    #
    #sell   stream   tcp   nowait   root   /usr/sbin/in.rshd   in.rshd
    #login   stream   tcp   nowait   root   /usr/sbin/in.rlogin   in.rlogin
    #exec   stream   tcp   nowait   root   /usr/sbin/in.rexecd   in.rexecd
    #comsat   dgram   udp   nowait   root   /usr/sbin/in.comsat   in.comsat
    #talk   dgram   udp   nowait   root   /usr/sbin/in.talkd   in.talkd
    #
    #  Must run as root (to read /etc/shadow) ; "-n" turns off logging in utmp/wtmp.
    #
    #uucp   stream   tcp   nowait   root    /usr/sbin/in.uucpd   in.uucpd
    #
    #  Tftp service is provided primarily for booting. Most sites run this
    #  only on machines acting as "boot servers."
    #
    #tftp   dgram   udp   wait   root   /usr/sbin/in.tftpd   in.tftpd   -s   /tftpboot
    #
    #  Finger, systat and netstat give out user information which may be
    #  valuable to potential "system crackers." Many sites choose to disable
    #  some or all of these services to improve security.
    #
    #finger   stream   tcp   nowait   nobody   /usr/sbin/in.fingerd   in.fingerd
    #finger   stream   tcp   nowait   root  /usr/local/etc/netacl   in.fingerd
    #systat   stream   tcp   nowait   root   /usr/bin/ps   ps   -ef
    #netstat   stream   tcp   nowait   root   /usr/bin/netstat   netstat   -f   inet
    #
    # Time service is used for clock synchronization.
    #
    time   stream   tcp     nowait   root   internal
    time   dgram   udp     wait       root   internal
    #
    #  Echo, discard, daytime, and chargen are used primarily for testing.
    #
    echo            stream     tcp      nowait     root     internal
    echo            dgram     udp      wait        root     internal
    discard         stream     tcp      nowait     root     internal
    discard         dgram     udp      wait        root     internal
    daytime        stream     tcp      nowait     root     internal
    daytime        dgram     udp      wait         root     internal
    chargen        stream     tcp      nowait     root     internal
    chargen        dgram     udp      wait        root     internal
    #
    # END.


    Example services file


    #cat /etc/services
    #
    #ident  "@(#)services    1.9    93/09/10   SMI"   /*  SVr4.0  1.8    */
    #
    #
    #  Network services, Internet style
    #
    tcpmux             1/tcp
    echo                7/tcp
    echo                7/udp 
    discard             9/tcp          sink null
    discard             9/udp         sink null 
    systat              11/tcp         users
    daytime           13/tcp
    daytime           13/udp
    netstat             15/tcp
    chargen           19/tcp          ttytst source
    chargen           19/udp         ttytst source 
    ftp                   21/tcp
    telnet               23/tcp
    smtp                25/tcp          mail
    time                 37/tcp          timeserver
    time                 37/udp         timeserver 
    name               42/udp         nameserver
    whois               43/tcp         nicname          #usually to sri-nic
    domain            53/udp
    domain            53/tcp
    hostnames       101/tcp         hostname       #usually to sri-nic
    sunrpc             111/udp        rpcbind
    sunrpc             111/tcp        rpcbind
    #
    #  Host specific functions
    #
    tftp                  69/udp
    gopher             70/tcp
    rje                   77/tcp
    finger               79/tcp
    http                 80/tcp
    link                  87/tcp           ttylink
    supdup            95/tcp
    iso-tsap          102/tcp
    x400                103/tcp                              # ISO Mail 
    x400-snd         104/tcp
    csnet-ns          105/tcp
    pop-2              109/tcp                              # Post Office
    uucp-path       117/tcp
    nntp                119/tcp          usenet               # Network News Transfer
    ntp                  123/tcp                                  # Network Time Protocol
    ntp                  123/udp                                 # Network Time Protocol
    NeWS              144/tcp         news               # Window System
    #
    #  UNIX specific services
    #
    #  these are NOT officially assigned
    #
    exec               512/tcp
    login               513/tcp
    shell               514/tcp           cmd              # no passwords used
    printer            515/tcp            spooler         # line printer spooler
    courier           530/tcp            rpc               # experimental
    uucp              540/tcp            uucpd          # uucp daemon
    biff                 512/udp           comsat
    who                513/udp           whod
    syslog             514/udp
    talk                 517/udp
    route              520/udp           router routed
    new-rwho       550/udp           new-who        # experimental
    rmonitor          560/udp          rmonitord        # experimental
    monitor           561/udp                                # experimental
    pcserver          600/tcp                                # ECD Integrated PC board
    kerberos         750/udp           kdc                # kerberos key server
    kerberos         750/tcp           kdc                # kerberos key server
    ingreslock       1524/tcp   
    ftp-a              2021/tcp
    telnet-a          2023/tcp
    listen              2766/tcp                               #System V listener port
    nfsd               2049/udp         nfs                 # NFS server daemon
    lockd             4045/udp                               # NFS lock daemon/manager
    lockd             4045/tcp   
    #
    #  authentication port
    authsrv          7777/tcp                                # 7777 was for authsrv
    #
    #  END.
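The two files above encode the FWTK layout: the standard port of each service is answered by a proxy (ftp-gw, tn-gw, smap), while the real daemon listens only on an alternate port (ftp-a 2021, telnet-a 2023) behind netacl. The following script, an added example that is not part of the article or of FWTK, reads both files and reports which active inetd entries are proxied, wrapped by netacl, inetd-internal, or exposed directly; the sample lines and file contents are constructed for the example.

```python
# Added example, not from the original article: cross-check inetd.conf
# against /etc/services and classify each active listener.
# Sample contents below are constructed; paths mirror the article's layout.
FWTK_PROXIES = {"ftp-gw", "tn-gw", "http-gw", "plug-gw", "smap",
                "authsrv", "x-gw", "rlogin-gw"}

SAMPLE_SERVICES = """\
ftp        21/tcp
telnet     23/tcp
smtp       25/tcp   mail
finger     79/tcp
ftp-a      2021/tcp
telnet-a   2023/tcp
authsrv    7777/tcp      # 7777 was for authsrv
"""

SAMPLE_INETD = """\
ftp       stream tcp nowait root   /usr/local/etc/ftp-gw  ftp-gw
ftp-a     stream tcp nowait root   /usr/local/etc/netacl  in.ftpd
telnet    stream tcp nowait root   /usr/local/etc/tn-gw   tn-gw
telnet-a  stream tcp nowait root   /usr/local/etc/netacl  in.telnetd
smtp      stream tcp nowait root   /usr/local/etc/smap    smap
finger    stream tcp nowait nobody /usr/sbin/in.fingerd   in.fingerd
#shell    stream tcp nowait root   /usr/sbin/in.rshd      in.rshd
time      stream tcp nowait root   internal
"""

def parse_services(text):
    """Map (service name, proto) -> port number; comments and blanks skipped."""
    ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, portproto = line.split()[:2]
            port, proto = portproto.split("/")
            ports[(name, proto)] = int(port)
    return ports

def classify(inetd_text, ports):
    """Return {service: (port or None, kind)} for uncommented inetd entries.
    kind: 'proxy' (FWTK gateway), 'wrapped' (daemon behind netacl),
    'internal' (inetd built-in), or 'direct' (raw daemon, review it)."""
    result = {}
    for line in inetd_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        name, proto, server = fields[0], fields[2], fields[5]
        program = server.rsplit("/", 1)[-1]
        kind = ("internal" if server == "internal" else
                "wrapped" if program == "netacl" else
                "proxy" if program in FWTK_PROXIES else "direct")
        result[name] = (ports.get((name, proto)), kind)  # None: not in services
    return result
```

Running `classify(SAMPLE_INETD, parse_services(SAMPLE_SERVICES))` flags `finger` as the only directly exposed daemon; the commented-out `shell` entry is ignored.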


    Closing remarks

    This month we looked at TIS FWTK in general and at how it is used. We regret that, for lack of space, the proxy servers other than tn-gw and ftp-gw could not all be covered; the additions made in this project and other matters will be discussed as well. The full original text that goes beyond this article will be released, together with the source code, within the next month.
