  html ۼǾµ ؽƮ     ֽϴ.
http://tunelinux.pe.kr/bbs/include/security/files/phpvyyi7u/swatch.html
⼭ html ·   ֽϴ.

    Lance Spitzner     ¶   Ӵϴ. 

-----------------------------------------------------------------------
α ͸ ڵȭϱ
α ϱ
Lance Spitzner 
 : 2000. 4. 14.

 

ó : http://www.enteract.com/~lspitz/swatch.html

 : 2000. 5. 23

 :  ( taejun@tunelinux.pe.kr  http://tunelinux.pe.kr
http://taejun.pe.kr http://database.sarang.net )

 ÷ :   ý α׸ ͸ؼ    
 ϰ ִ.     Ȩ 湮ϸ   
ڷ ִ. KLDP   Ͽ   ؼ   ̴. 
   ؿ ؼ  å   
̸ ó   ̵ ű  ִ.    ô
  ޾ƾѴ.   ƴϱ   ϴµ
 ΰڴ.   ּ **  ǥø ϰڴ.

 

 α״ ý  ϴµ  ߿ κ̴. ýۿ 
ϵ  ˷ش. ׷ α״ İ ÷ Ŀ ʹ 
  ش.  ũ  ä ʿ  ȴ. ̹
 α׸ ڵ ͸ؼ    ذϰ ʿ 
˷  ο  ִ   ٷ.

  

͸
α״  ߿ κ    ̷ 
ؾԴ´. ʹ   µ ð ʹ .  α׸ 
 ڵȭؼ ʿ  ˷شٸ  ʴ°.   ѹ غ.
⼭ ʿ  ã  α׸ ͸ϰ ˷ִ  
Ѵ. 

ù °  ͸ϰ  ˸ ϴ ȹ  Ϳ 
 ̴.  °δ ͸ Ѵ. ⼭ ͷ  ƮŲ
 swatch  ̴.͸ ó  δ  α׸ 
̴. ׷ ڰ ϴ  α׿   ִ.

 

 ؾ ϴ°
ù  ȹ ̴. ڵȭ α  ȹ  ܰ谡 ִ.
ù ° ϴ α׸ Ѵ. ý α׿   ʿ
ؾѴ.  ° ܰ  α Ͽ  ִ ȮѴ. 
° ܰ ʿ α׸ ϴ ƮŸ .

   ȿ   ϴ ,  ϼ 
̷ Ϸ õ  ˰ ̴.  expn   
 SMTP  õϴ Ϳ ˰  ̴. 츮 ˰ ϴ 
μ ù ° ܰ踦 ƴ. 

(**   : expn Ʒ ¹ٿ  ּҰ ϸƮ Ű
 Ͽ    ִ.   ˸ƽ س ϰ ͵  
ִٴ ̴.

214-EXPN <recipient>
214-    Expand an address.  If the address indicates a mailing
214-    list, return the contents of that list.
214 End of HELP info


)

 ° ܰ ҽ ؾϴµ  α׿  ִ ˾ƾ
Ѵ.    /etc/syslog.conf  ȴ.   Ͽ  αװ
 ϵǴ ִ.   ֶ󸮽 /var/logsyslog ̸
 /var/log/maillog ̴.

(**  :  α ǹ̿ ؼ  Ʈ Ѵ.

http://tunelinux.pe.kr/bbs/include/linuxinfo/files/phpQHFsET/log_admin.txt ->
 

http://mgt.kaist.ac.kr/~sakai/Docs/Security_document/Part3.html -> kaist 
Ȩ

)

goalith #cat /etc/syslog.conf | grep mail
mail.debug ifdef(`LOGHOST', /var/log/syslog, @loghost)

 ܰ Ʈ ̴. αϿ 츮 ϴ Ư ׸
Ѵ.  ܿ ΰ ƮŸ  ̴. 

츮    ̷ Ϸ   IP ּ ִ
Ʈ 
 off س expand  Ϸ õ ִ Ʈ 

ƮŸ ϴ    /usr/bin/tail -f ̿Ͽ α׸ ؼ
ʿ ׸ ̾Ƴ ̴.  ýۿ Ҽ ٸ ƮŸ 
ִ  ý ã.   ̸ Ϸ   ڸ
ã ù ° ƮŸ . 㰡  IPּҿ  ϼ
̷ غ. /usr/bin/tail -f ̿ /var/log.syslog α ׸
캸. (Refer to Figure A).   

moo.com   ɼϼ ִ ̸ ̸ õϷ
޽   ִ. ̰ 㰡    Ʈ̴.  
IP ּҿ  ִٴ  . 

 㰡  expn  뿡   ° ƮŸ . SMTP
Ʈ  α Ͽ expn . tail -f /var/log/syslog
͸Ѵ. (Refer to Figure B). 

⼭  ޽  moo.com  root  ̸ expand
õ  ´.  "expn"  Ϸ Ʈ̴. 
 IP ּҿ  ִٴ  . 

 ڵ α ͸ ȹ   ܰ踦 ƴ.  ߿ 
츮    ̷ Ϸ 㰡  õ expn 
 ߴ. ׷ ̷   ִ α 
/var/log/syslog   ˾Ҵ.   ǿ   ˷ִ
ƮŸ ߴ.  ڵȭ ͸  غ  Ǿ.

 

SWATCH 
ġ(SWATCH, "The Simple WATCHer and filter)"  ƮŲ  
α׷ α׸ ǽð ͸Ѵ. ġ Ư Ʈſ  α׸
͸ϴµ Ʈſ شϴ  ̸ س Ĵ  ˷ش.
츮  ġ    ˷ִ ·  ̴.

α׷ ġϱ  ϴ. ġ  ̺귯,  , 
  丮 ִ  ġ ƮƮ Բ Ǿ ִ.
   ϰ ġؾϴµ ġ ũƮ ̿  ˷ش.
ġ ģ    α׷ ϸ ȴ. ġ 
Ʈ ٿ  ִ.
ftp://ftp.stanford.edu/general/security-tools/swatch. 

(**   :    Ʈ ٿ ʾҽϴ. ׷ 
6.1 迭 ǿ  ֽϴ.)

swatchrc Ҹ û  ġ α׷ ٽ̴.  ؽƮ Ͽ
ġ ͸ α׿ Ʈ, ƮŰ ߻ҽ   Ѵ.
ġ swatchrc  Ʈſ ´ ǥ ̿ ۾ Ѵ.
/usr/bin/tail -f ̿ ǽð  ͸Ѵ.

    α  swatchrc  . ǥ
 츮 ̸ ýۿ ϴ 츶 Ϸ ڷḦ  ̴.
츮 㰡   ̿ expn ɽõ ̹ ߴ. swatchrc
   . װ ʵ Ǹ ù °  ° ʵ
ݵ ʿϰ   ʵ ̴. ù ° ʵ  .

/pattern/pattern/ 

 ġ ã  ǥ̴. ̰ Ʈ̴.  ° ʵ 
.

Action,action 

׼  ġϴ    ΰ̴. ׼ǿ پ ɼ ִµ
email, paging,     ִ.  ° ʵ 'throttle' (ɼ)
  ð  Ѵ.

HH:MM:SS 

HH ð, MM  , SS ʸ Ÿ. ð   ݺ ĪǴ 
ϴ  ϴ ð Ÿ.   5   
ġϴ  20 ִٰ ϴ  ðȿ  ѹ ˸. 

 ° ʵ( ° ʵ带 ϴ  ʿ) Ÿӽ : ·
Ѵ. ̰ ˸ ޽ Ÿӽ ġ ̸ Ѵ.

  츮 ΰ Ʈſ ´ ϸ ã swatchrc 
ϱ Ѵ. ( Figure A  Figure B ). ΰ Ͽ ´ 
ã, abuse@ourcompany.net  ̸Ϸ  ˸ ̸Ͼȿ شϴ
 ԽŲ. ׷  ޽  ʵ ؾѴ. 
  д 1000 ̸ Ϸ õ Ѵٸ ˸ ޽
   ̴. ׷ 5а ð   ̴. 5е
شϴ  󸶳    츮  Ѱ  ޽
 ̴. swatchrc   :

watchfor /Relaying denied|expn/ 
         echo=normal 
         mail=abuse@ourcompany.net,subject=--- Sendmail Alert! --- 
         throttle 5:00 0:16 

ù ° ʵ "/Relaying denied|expn/" ̴. ġ ǥĿ ´
 ߰ϸ alert  ޽ . ù °  "Relaying denied"
 Ʈ #1 (Figure A)   㰡   ̸ õϴ
̴. Ʈ #2 ִ "expn"  (Figure B)  expn 
õϴ ̴.  ΰ Ʈ ǥ   ó ٷ.

 ° ʵ "echo=normal,mail=abuse@company.net"  ̴.  ޽
abuse@ourcompany.net   ش α ׸ ֿܼ ش.

 °,  ° ׸(ɼ) "5:00 0:16" ̴. 5е شϴ Ͽ 
 ޽ ݺ ʴ´.  ʵ Ÿӽ ġ ̸
Ѵ.

̿ swatch   Ͽ.  ܰ ġ ϴ ̴.
ġ   پ ɼ    ̴.  .

/usr/local/bin/swatch -c /var/log/syslogrc -t /var/log/syslog & 

-c ɼ   Ű -t ɼ ǽð ͸ α 
Ų. "&"  ġ ׶ Ѵ. ǰ ġ ڽ
μ Ѵ. ׷Ƿ ġ   μ ȴ. ڽ
 ũƮ ϰ ߷   μ kill ȣ Ѵ.
  ƴ.  αװ ڵ ͸ ̴.  
ýۿ     ̸Ϸ    α׿ Ե ش
Ʈŵ   ִ. ( Figures A   Figure B ). 
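As an added example (not part of the original article or of the swatch distribution), this Python script reproduces what the swatchrc rule above does: the /Relaying denied|expn/ match, the 5:00 throttle and the 0:16 timestamp field, run over log lines constructed after Figures A and B. Keying the throttle on the matched regex alternative (rather than the whole message) is an assumption made here so that the suppression is visible on the sample.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines modelled on the article's Figure A and
# Figure B triggers; timestamps are chosen so that the second relay attempt
# falls inside the 5-minute throttle window and the third falls outside it.
SAMPLE_LOG = [
    "Oct  3 14:48:51 homer sendmail[6704]: OAA06704: ruleset=check_rcpt, arg1=bsmith@domain.com, relay=foo@moo.com [206.54.252.1], reject=550 root@domain.com... Relaying denied",
    "Oct  3 14:49:10 homer sendmail[6710]: OAA06710: from=<alice@domain.com>, size=512, class=0, nrcpts=1, relay=localhost",
    "Oct  3 14:51:02 homer sendmail[6721]: OAA06721: ruleset=check_rcpt, arg1=jdoe@domain.com, relay=foo@moo.com [206.54.252.1], reject=550 root@domain.com... Relaying denied",
    "Oct  3 14:55:30 homer sendmail[5453]: NOQUEUE: foo@moo.com[206.54.252.1]: expn root [rejected]",
    "Oct  3 15:02:15 homer sendmail[6790]: OAA06790: ruleset=check_rcpt, arg1=carol@domain.com, relay=foo@moo.com [206.54.252.1], reject=550 root@domain.com... Relaying denied",
]

PATTERN = re.compile(r"Relaying denied|expn")  # the article's watchfor regex
THROTTLE = timedelta(minutes=5)               # the "5:00" throttle field
TS_START, TS_LEN = 0, 16                      # the "0:16" field: timestamp at offset 0, 16 chars

def parse_timestamp(line, year=2000):
    """Read the syslog timestamp from the character range the 0:16 field names.
    syslog lines carry no year, so one is assumed (constructed sample: 2000)."""
    stamp = line[TS_START:TS_START + TS_LEN].strip()   # e.g. "Oct  3 14:48:51"
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def watch(lines, pattern=PATTERN, throttle=THROTTLE):
    """Return (alerts, suppressed): lines that would run the action, and lines
    swallowed by the throttle. The throttle key is the regex alternative that
    matched (assumption), so a burst of relay attempts yields one alert per
    window instead of one mail per log line."""
    alerts, suppressed = [], []
    last_fired = {}
    for line in lines:
        m = pattern.search(line)
        if m is None:
            continue
        key, when = m.group(0), parse_timestamp(line)
        last = last_fired.get(key)
        if last is not None and when - last < throttle:
            suppressed.append(line)
            continue
        last_fired[key] = when
        alerts.append(line)
    return alerts, suppressed

if __name__ == "__main__":
    fired, quiet = watch(SAMPLE_LOG)
    for line in fired:
        # stands in for echo=normal plus the mail= action of the swatchrc rule
        print("--- Sendmail Alert! ---", line[TS_START + TS_LEN:].strip())
    print(f"{len(quiet)} line(s) suppressed by the 5:00 throttle")
```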


α״  ̴. ׷ ڷᰡ  þ. ̷  ̷ ڼ
 ϰ    Ű  ʰ ȴ. ̷ α׸ ڵ
͸Ͽ  ذ  ִ. ڵ ͸ ô ϸ 츮 ʿ
 ǽð ˷ش.    α  ڵ ͸
    Ǿ ڴ.

Figure A
Trigger for anyone attempting un-authorized mail relay from your sendmail server.
Oct 3 14:48:51 homer sendmail[6704]: OAA06704: ruleset=check_rcpt,arg1=bsmith@domain.com, relay=foo@moo.com [206.54.252.1],reject=550 root@domain.com... Relaying denied

Figure B
Trigger for anyone attempting to utilize the expn command on your sendmail server.
Oct 2 20:28:37 homer sendmail[5453]: NOQUEUE: foo@moo.com[206.54.252.1]: expn root [rejected]

 Ұ
Lance Spitzner   н ý ϴ    
Ѵ. ״  Officer in the Rapid Deployment Force  ־ 
  ߴ. ׿  Ϸ lance@spitzner.net ̿ϸ ȴ.

 

**  

/etc/syslog.conf   α׸ α ϰų   ͵
 ̶ մϴ.  ũĿ ħؼ      
 ְ  θ ణ̳ ũŷ ð   
 ˴ϴ.  ȣƮ α׸   Ƿ ߰ 
 α׸   ȣƮ м   ֽϴ.

ġ ü ؼ    ϰڽϴ.   6.1 rpm
ġ Ͽϴ. α׷ ۽     -c -t ɼǸ ص
ϸ  Ͽ   man  ϸ ˴ϴ.  
  ٷ  ߴµ ⺻ ٿ   ־
մϴ.  Ұ. ݵ  ʵ ""  մϴ. 
ٷӰ Ǿ.    ° ʵ,  ° ʵ忡 ؼ Ȯϰ
ذ  ʽϴ.  ׽  Ƶ.

 ߿Ѱ ᱹ α ͸ Ϸ ý α׿ ؼ  ˰ ־
մϴ. ϼ, DNS, ftp, telnet, ssh . Ʒ  ׽ϰ ִ
ε  ĥ ϴ. DNS α׵ ߸  κ ֽϴ. ġ
ü  Ⱦ  ̹ ȸ   α׷  α׸
ϴ  ޽  ޽  ϴ   
ϴ. ̱ ϸ鼭  ݱ ߸    ִٴ  
߽߰ϴ. ׷Ƿ Ʒ  ׳ ̷   ִٰ Ͻð 
״ ؼ  . α м ؼ  ƽô  
ֽø ڽϴ.

Ÿ α   ϴ. Logcheck α׷  ϴ ϸ
 α׷ cron ̿մϴ. .  ƴ   
ߴµ ̵   ʾƼ telnet  SMTP ؼ   expn
 ̿ ̵ ˾Ƴ. ~

Log monitoring 

Psionic Logcheck 
colorlogs  
WOTS 
swatch 
#
#
# swatch ⺻ ִ swatrc.personal  
#
# ۼ . 2000.05.18 ֹ .
# http://tunelinux.pe.kr http://taejun.pe.kr http://database.sarang.net
# taejun@tunelinux.pe.kr
#
# swatch  Ʈ
# http://www.enteract.com/~lspitz/swatch.html
#
#
# /etc/syslog.conf   ޽ messages ϵ 
#
# αױϰ ؼ  Ʈ 
# http://tunelinux.pe.kr/bbs/read.php3?table=linuxinfo&no=22&page=1
# [] ý ȭ - α м  ȿ ϱ()
# 
# http://mgt.kaist.ac.kr/~sakai/Docs/Security_document/Part3.html
# ý α   м(ְ)
#
#
#  ŷȺ αױ ׻ ֽ   ؾҵ
#
# http://www.certcc.or.kr/paper/tr2000/2000-02/tr2000-02.html 
# ŷ ؽý м    ()
#

 


# Alert me of bad login attempts and find out who is on that system
/INVALID|REPEATED|INCOMPLETE/                   echo=inverse,bell=3


# п õ 
/failure|reject|failed/                         echo=inverse
/REFUSED|refused|attack|ATTACK/                 echo=normal


# Important program errors
#/LOGIN/                                        echo=inverse,bell=3     01:00   00:16
#/passwd/                                       echo=bold,bell=3


# inetd α
/inetd/&&/auth/&&/tcp/&&/bind/                  ignore


# mail : spam relay, telent ٽõ
/sendmail/&&/(Relaying denied)/                 echo=normal
/sendmail/&&/expn/                              echo=normal
#   ߼
/sendmail/&&/Sent/                              ignore
/sendmail/&&/relay=/&&/from/                    ignore

# pop3 
#  pop3 
/ipop3d/&&/211.11.11/                          ignore

 

# name server 
#  Ӽ 
/named/&&/Lame server/                          ignore
/named/&&/MX/                                   ignore
#   USAGE , NSTATS, XSTATS
/named/&&/Clean/                                ignore
/named/&&/USAGE/                                ignore
/named/&&/NSTATS/                               ignore
/named/&&/XSTATS/                               ignore
# bind 8 dynamic update  
#/named/&&/ns_forw/&&/query/                    ignore
#/named/&&/XSTATS/                              ignore


# ftp, telnet ӽõ
# ssh ϰ ftp telnet ° 
#/telnet/                                       echo=bold,bell=3
#/ftp/                                          echo=bold,bell=3


# sshd 
#  ssh 
/sshd/&&/211.11.11.11/&&/DNS/                  ignore


# Kernel problems
# ý ر
/panic|halt|shutdown/                           echo=bold,bell
/file system full/                              echo=bold,bell=3
/fingerd.*(root|[Tt]ip|guest)/                  echo,bell=3

/su/                                            echo=inverse    01:00   00:16


# ׿  α 
/.*/                                            echo            01:30   00:16
