  html ۼǾµ ؽƮ     ֽϴ.
http://tunelinux.pe.kr/bbs/include/security/files/php0oEkke/linux_security.html
⼭ html ·   ֽϴ.

    Lance Spitzner     ¶   Ӵϴ. 

-----------------------------------------------------------------------
ͳݿ   ϱ
 ȣϱ 

Lance Spitzner 
  : 2000. 4. 25

ó : http://www.enteract.com/~lspitz/linux.html

 : 2000. 5. 13
 : http://tunelinux.pe.kr/bbs/include/security/files/php0oEkke/linux_security.html

 :  ( taejun@taejun.pe.kr  http://tunelinux.pe.kr http://
taejun.pe.kr http://database.sarang.net )

 ÷ :    ý ȣϱ  ⺻ å 
  Ѵ.   ٽ κп ؼ  ϰ 
      ִ.     Ȩ
 湮ϸ    ڷ ִ. KLDP   Ͽ
   ؼ   ̴.     ؿ 
ؼ  å    ̸ ó   
̵ ű  ִ.    ô   
ƾѴ.

 

  ȸ翡   ϰ ִ. ͳݿ ֿ
 񽺸 ϰ Ǹ鼭   ǥ Ǳ⵵ Ѵ. ̷ 
 ý ȣϱ  ⼭  ý ⺻ ȿ 
 Ѵ. ⼭ ϴ   6.0   
 ٸ  ǿ   ִ.

ġ
ý  ϴ   ܰ ü ġ ̴.  
ϴ ý̱   ġߴ  ŷ ʿ . 
ý  ġμ ý    ִ. ý 
Ʈ иŰ. ý Ȱ Ʈ̳ ͳݿ ؼ 
 谡ɼ ΰ   ̴.   
ݿ  15е script kiddie   ŷϴ  Ͽ
. ߿ ϰ ġ ڿ ġϱ  ٸ   ǻͰ  
ʿϴ.  ǻ͸ ̿ ͳݿ  ް  ýۿ 
 ϰų CDROM .

и Ʈ ý ξٸ  . ù °δ ü
 ؾѴ.  6.0  ũ̼, , Ŀ(⺻)
  ɼ ִ. Ŀ õϴµ ġ 񽺸   
ְ Ƽ ϴ´   ִ. ּ Ű ϴ 
  ̷  ϱⰡ  ϴ. ġ Ʈ 
 Ȱõ   ߻ ̴.    
 ʿ ġ  ʴ´ٴ ̴.    ߿ 
Ű ߰ϴ  ٴ ̴.  ġ ߵ  
Ŵ  Ͽ  ġѴ. ¶    
 ڿ ϳ ýۿ  ߻ų   .

Ŀ Ͽٸ Ƽ Ѵ.   Ʈ Ƽ
 ũ   ϸ   ⿡ ִ´. ׷ ߿ 
     ̴. ׷ Ʈ ̺긦 ȣ
   Ƽ  ʿϴ. Ʈ Ƽǿ α׳ ̸ϵ 
ڷḦ  ý رų ɼ ִ  ź (DOS) 
ó  ִ.

׷   /var Ƽ и  õѴ. ⿡  
ý α׿ ̸ . /var Ƽ иؼ Ʈ Ƽ 
     ִ. /var  400MB ̻ ʿϴ. (ó 
ٸ   ø)  α׸ û  Ư ø
    Ƽ   ʿ䰡  ڰ ٸ /hom
e  ʿϴ. ̷ ܰ踦 ġ Ƽ   ̴:

/        - Ÿ  Ÿ
/var     - 400 MB 
swap     - (Ϲ 256MB ) 
  

ġ ϰ  õǰ ִ  ġ ġؾѴ. 
  Red Hat's errata support site  ġ ã  ִ. 
ġ ý ȣϱ  ߿ϸ ׻ ƮؾѴ.   bugtraq@securityfocus.com Ǵ redhat-watch-list-request@redhat.com  
׿ ý ġ ãµ Ǹ  ȴ. ̷ ġ  ʴ
ٸ ý ս ջ  ִ. ġ ϴ   ý
 и Ʈ ξ Ѵٴ  .   rpm 
ٿ޾Ҵٸ    Ʈ  ִ. wu-ftpd   
Ʈ   .

rpm -Uvh wu-ftpd-2.6.0-1.i386.rpm 

̹ Ʈ Ǿ ִ ý    ftp rpm 
޾ ġ  ִ.

rpm -Uvh ftp://updates.redhat.com/5.2/i386/wu-ftpd-2.6.0-1.i386.rpm 

 6.1 'up2date'  ġ ƿƼ ִ.  ƿƼ 
  ϰ õѴ.  ýۿ    rpm 
Ʈ ϰ  Ʈ ٿ޾Ƽ ġ Ѵ. 
ǿ ° ϱ  ϱ⵵ .

 
Ű ġ ġϰ ߴٸ  ü  Ѵ. 
 , α ϱ, ֿ  , TCP    ý
 ȣ  ִ.  񽺸 Ѵ.

⺻    񽺸 ϴ  ü
. ׷ κ 񽺰 ʿϰ    
. ù ° /etc/inetd.conf Ѵ.   /usr/sbin/inetd 
󿡼  񽺸 ó Ѵ. ⺻ /etc/inetd.conf 
 پ 񽺷 Ǿ  κ ftp  ڳݸ ʿϴ. 
ʿ 񽺿 ּ ޾Ƽ   ִ. (example A).  inetd 
 Ǵ  κ ɰ    ִµ popd, 
imapd, rsh  ִ.     񽺸 ߴ Ȯ
. (  ּó   񽺸 ش)

 grep -v "^#" /etc/inetd.conf 

 ܰ .rc ũƮμ init μ  񽺸  
Ѵ.   /etc/rc.d/rc3.d (Gnome̳ KDE  GUI 
ڵ ϴ 쿡 /etc/rc.d/rc5.d) 丮 ũƮ ã 
 ִ. ũƮ  ߷ 빮 S ҹ s  ٲٸ ȴ. 
ҹ s  빮 S  ٲٸ ٽ ս ũƮ   ִ. 
޿ ִ ƿƼ ̿Ѵٸ "/usr/sbin/setup"  ġ 
"System Services"   ý  񽺸 . Ǵٸ 
α׷δ chkconfig  ִµ κ ǿ ִ.  
 ũƮ ⺻ ġ  ý ϴµ ߿
 ʴ. ʿٸ ũƮ off . ̸ ڴ ʱȭ 
ȣμ ǰ   ٸ. 빮 S  빮 K 
ϴ ũƮ ̹  񽺸 ̴µ ϴ.

S05apmd       (ž ʿ) 
S10xntpd     (Network time protocol) 
S11portmap   (NIS NFS  rpc 񽺿 ʿ)
S15sound     ( ī  ) 
S15netfs     (nfs Ŭ̾Ʈ nfs  Ͻý ÿ ʿ) 
S20rstatd    ( r 񽺸  ʴ  .  ڿ
 ʹ   ֱ ̴)
S20rusersd 
S20rwhod 
S20rwalld 
S20bootparamd (ũ Ŭ̾Ʈ ϸ ̷  
 ʿ  ̴)
S25squid     (Proxy server) 
S34yppasswdd (NIS  ʿϸ ſ  ̴) 
S35ypserv    (NIS  ʿϸ ſ  ̴) 
S35dhcpd     (dhcp server daemon) 
S40atd       (cron ϸ at 񽺿 ϸ ʿ ʴ)
S45pcmcia    (ž ʿ)
S50snmpd     (SNMP   ڿ ý    
 ִ)
S55named     (DNS server.  DNS Ѵٸ BIND  ֽ  
ƮؾѴ. http://www.isc.org/bind.html) 
S55routed    (RIP,  ʿ   )
S60lpd       (Printing services) 
S60mars-nwe   (Netware file and print server) 
S60nfs       (NFS  ϸ  ʿѰ ƴ϶  
)
S72amd        (AutoMount daemon,   ý Ʈ )
S75gated      (OSPF  ٸ   ϴµ ʿ)
S80sendmail  ( ̸     ްŶ ̸ 
 ̴)
S85httpd     (Apache webserver, ֽ  Ʈ   õ. 
http://www.apache.org/) 
S87ypbind     (NIS Ŭ̾Ʈ ʿ)
S90xfs       (X font server) 
S95innd      (News server) 
S99linuxconf  ( ̿   ý ûϴµ 
)

 ũƮ ϱ  󸶳  񽺸  ϰ ִ
 ȮѴ.

ps aux | wc -l 

ġ ġ  ũƮ off Ѵ  ɾ ٽ ġ 󸶳 
  ڰ پ غ. 񽺸  Ҽ 
.      񽺰   ִ Ȯ.

netstat -na --ip 

αױϰ ý ϱ(Tweaking )
  񽺸 ߴٸ αױ ϵ Ѵ.  
 α״ /var/log ´. ⺻  Ǹϰ αױ
 µ ftp ܴ. ftp αױϿ ΰ ɼ  /etc/ftpaccess ̳ /etc/inetd.conf  Ѵ.  /etc/inetd.conf  ϱ  ϴµ ֳ, ϱ⶧̴.  ftp ǿ 
 ü αױ    Ѵ.

ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -L -i -o

--- From the man pages --- 

If the -l option is specified, each ftp session is logged in the syslog.

If the -L flag is used, command logging will be on by default as soon as the ftp server is invoked. This will cause the server to log all USER commands, which if a user accidentally enters a password for that command instead of the username, will cause passwords to be logged via syslog.

If the -i option is specified, files received by the ftpd(8) server will be logged to the xferlog(5).

If the -o option is specified, files transmitted by the ftpd(8) server will be logged to the xferlog(5).

--- snip snip --- 

 ý  ϱ̴. ⿡ پ   Ե
.    /etc/passwd  ϰ ϴ ̴. ù ° 
 йȣ Ѵ.  йȣ Ʈ   ִ 
Ͽ ؽ ־   йȣ Ѵ.  
ȣ  Ͽ ũϴ  Ѵ(Ŀ   ã 
 ϳ).  6.0  йȣ  ⺻̴. 츮 
ؾ   Ʈ   ġ ̴. ׷ ڵ йȣ
 /etc/shadow Ϸ ȯѴ. ̰ ý  ϴµ 
 ߿  ϳ Ѵ.

pwconv 

 °δ н Ͽ κ ⺻ ý  ش. 
 츮 ʿ پ ý Ȱ   
. ̷  ʿٸ .   ýۿ ϱ
 . "news"   .   nntp   
ٸ  ʿ. (/etc/cron.hourly "news" ڸ ã 
  ϵ ƮؾѴ)  ͸ ftp   "ftp
"  ش.     Ѵ.

man ftpd: 

       Ftpd authenticates users according to four rules. 

       4)     If the user name is ``anonymous'' or ``ftp'', an anonymous ftp account must be present in the password file (user ``ftp'').  In this case the user is allowed to log in by specifying any password (by convention this is given as the client host's name).

 /etc/passwd    . example C. 

츮  /etc/ftpusers  ϱ  ̴. (example D). 
 Ͽ ϵǾ ִ  ftp    . ֿ  root, bin   ftp   ϴ  Ѵ.   
 ⺻  ִ. Ʈ ftp    Ʈ 
 ִ Ȯ. ftp ӿ ʿ   Ͽ  
 Ȯ.

 Ʈ ڳ     Ǿִ ȮѴ. ٸ 
 ýۿ   su ̿ Ʈ ٲٸ ȴ. /etc/securetty 
Ͽ Ʈ   ִ tty Ѵ.  Ͽ  tty1, tty2 Ǿִٸ Ʈ  ٸ ϴ. ttyp1, ttyp2 pseudo 
͹̳η Ʈ  ڳ    ֵ Ѵ. (example E). 

 /etc/issue  .   ڳ α  
 ƽŰ ؽƮ ̴. (example B).  ڵ ýۿ α
   ̴.    ֱ ϸ /etc/rc.d
/init.d/S99local  Ѵ. ⺻  Ҷ 
ο /etc/issue  .
  

 ϱ
  ϴ   ϰ ϴ  ߿ϴ. 
 ý   ε带   ϴµ   
 ȣȸǾѴ. ⼭ ssh  TCP  ۿ  ϰڴ.

 ssh ϴµ ssh ȭ ý    ȣȭ
Ѵ. tcp ۴ Ʈ Ʈȿ ϴ   Ѵ. 
Ʈ󿡼 ڰ Ÿϴ (йȣ ) keystrokes    
͸  ִ. ȭ  ٸ  ͸ϴ  
Ѵٸ ڳ/ftp  ssh ϱ õѴ. ssh   
ȣȭϸ    ε ý    ִ. ssh tcp ۿ ϰ  αױϱ  ְ  
   ִ. ҽ ssh Ŭ̾Ʈ     ssh  
 ڼ  ssh here   ã.  ̼  ִ 2.x 
ٴ 1.2.x  õѴ. Ǵٸ ssh α׷δ Openssh 
 ִ. 

TCP ۴ ȣȭ   ýۿ ϴ ڿ  
α׸    ִ. inetd 񽺸  Ǵ telnet, ftp  δ α׷̴. tcp ۸ ̿ ýۿ inetd ῡ 
 ۸   õ  α׸    Ͽ 
´ Ȯ Ѵ.  Ǹ, tcp ۴  ڳݵ  
 α׷ Ѵ.   Ͽ   źδϸ 
 .   TCP  Ŀ ̹ ġǾ ֱ 
 /etc/hosts.allow  /etc/hosts.deny  ϱ⸸ ϸ ȴ. 
 Ͽ   㰡, źθ   ִ.  TCP  ۴ 
ʸ ְų safe_finger  ٸ α׷ ҷ  ִ. 
  ϴ. /etc/hosts.allow Ͽ   ip 
ҳ Ʈ ָ ȴ. /etc/hosts.deny  Ͽ  ź ip
 Ʈ ָ ȴ. ⺻     
ϰ    ؾѴ. tcp ۷ ۾   ΰ
 õѴ. 

ý̳  ̸  ip ּ  
/etc/hosts.deny    źϴ  Ѵ(ALL). ׷
 Ư Ʈ  /etc/hosts.allow ̿  Ѵ. 
̿   example F.  TCP ۸      
ڷᰡ ʿϸ Intrusion Detection ̿Ѵ.
  
  

 (Paranoid) Ͽ
    ʿ ̶  Ѵ.  ܰ踦 
 ý  شȭغ.  ý 100%   
 ׷  . ׷  Ϻ    ܰ踦 ߰
.

 wheel ׷ . wheel ׷ /bin/su     
  ִ   ׷̴. ̷ ɿ   ִ 
ڸ ؼ ý  ų  ִ. /etc/group  
ؼ wheel ׷ ߰ϰ ý ڸ  ׷쿡 ִ´. ׷
 /bin/su  ֿ ý  Ѵ. ׷  wheel ٲٰ ڿ ׷츸 డϵ 㰡 ٲ۴. (Ư 
α׷  suid  guid ϰ ־Ѵ) /bin/su ܿ 
  Ѵ:

/bin/chgrp wheel /bin/su 
/bin/chmod 4750 /bin/su 

 °δ .rhosts, .netrc, /etc/hosts.equiv Ͽ  ɾ 
ϰ Ѵ. r  ýۿ ϴµ ̷  ̿Ѵ.  
ɾ ̷   ϰ ϱ ؼ touch   
㰡 0 ٲ۴. ׷    ϰų   
.  .

/bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv 
/bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv 

 ° /etc/shadow crypt(3) Լ  MD5 hashes ϵ 
Ѵ. йȣ  ũϱ 鵵 ȣȭѴ. ̰ PAM  
ν ȴ. PAM (Pluggable Authentication Modules)  
̼ǿ ڸ ϴµ     ϰ 
ϴ  ̺귯 ̴. PAM   ϰ ˷  
Ʈ . ftp://ftp.us.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html

 MD5 hashes ϱ  ٲٷ PAM   
ؾߴ. ׷  6.0   setup ƿƼ MD5 hashes   ִ. setup  ġ "authentication configuration"  ϸ ȴ. ⼭ MD5 hashes Ѵ. ׷ MD5 hashes ڰ йȣ ٽ Էϱ  ȿ  
. setup ƿƼ  ( 5.2 )  쿡 
 PAM   ؾ Ѵ. (example G). 

bash ϴ   .bash_history   ȣ ʴ´. ٸ 
(Ʈ )  ߴ  ˱⸦  ʴ´. ׷ 
 .bash_profile   ߴ:

HISTFILESIZE=0 

̰ .bash_history  Ͽ ƹ͵   ʴ´ٴ ǹ̴. 
 HISTSIZE  ȯ溯 ̿  丮  ̿Ͽ  
ٽ ҷ  ɾ 丮 .bash_history Ͽ  
 ʴ´.

  κ ý ȣϴ ̴. BIOS 
йȣ   ִ.  /etc/lilo.conf  xxx  йȣ 
(password=xxx)Ͽ ý ýۿ йȣ    ִ. 
 ؾ    ýۿ    ִٸ 
ý ȣ  .

IPChains 
IPChains ٷ ʰ   ̾߱  . ipchains 2.2.x ̻  Ŀο Բ ִ  Ŷ ͸ Ʈ̴. 
 6.0 ̻  ϴ   ġ Բ ġȴ. IPChains ý   ϰ ѵ  ýۿ  
 Ŷ   ִ. ַ ȭ ø̼ Ǹ 
  ýۿ ý ȣϴµ   ִ.  
 ȣϱ  ó ۽ ٸ  õϴ TCP  ź
ϵ IPChains Ѵ.  UDP, ICMP  Ѵ. 
 źε   α׿ Ͽ ٸ  𿡼  
   ֵ Ѵ. ׷ εĳƮ/ƼĳƮ Ʈ 
ý α׸  ä  ź α׿  ʴ
.  ý ȣϱ  IPChains    .

bash# ipchains -L 
Chain input (policy DENY): 
target prot opt source destination ports 
DENY all ------ 0.0.0.0 anywhere n/a 
DENY all ------ anywhere 255.255.255.255 n/a 
DENY all ------ anywhere BASE-ADDRESS.MCAST.NET/8 n/a 
ACCEPT tcp !y---- anywhere anywhere any -> any 
ACCEPT udp ----l- anywhere anywhere any -> any 
ACCEPT icmp ----l- anywhere anywhere any -> any 
DENY all ----l- anywhere anywhere n/a 
Chain forward (policy ACCEPT): 
Chain output (policy ACCEPT): 

̿     example H .  ýۿ ȭ
 IPChains ϴ  IPChains HOWTO ϱ ٶ.


 ý( ) ȣϴµ õ ⺻ ܰ踦 ¤
Ҵ.  ý ϴ ⺻ ּ Ʈ ġ
 TCP , IPChains  ȼ ϸ  йȣ 
 ̴. ̿ ߰  ۾ ִµ tripwire (ý ̳ʸ 
ȭ ͸) swatch (ڵȭ α ͸   α׷) 
ִ.  ܰ  ý ڵ ȣϵ ϴ  
ũƮ Bastille Linux غ  õѴ. ؾ   
 ý۵ 100%   . ׷   ۾ 
      ִ.




 Ұ
Lance Spitzner   н ý ϴ    
 Ѵ. ״  Officer in the Rapid Deployment Force  
    ߴ. ׿  Ϸ lance@spitzner.net 
̿ϸ ȴ.
