[카테고리:] linux

  • rocky linux 보안 iptables 설정하기

    rocky linux 서버 보안관련

    iptables 설정하기

    # vim /etc/sysconfig/iptables

    #Firewall configuration written by system-config-securitylevel

    #Manual customization of this file is not recommended.

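    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    # A blanket "-i eth0 -j ACCEPT" at this point is matched first by every
    # packet that arrives on eth0, so none of the port rules below and not the
    # final REJECT would ever apply to that traffic (in the -nvL listing that
    # rule had taken 203 of the chain's 220 packets while every port rule sat
    # at 0).  Only re-add it if eth0 is a fully trusted internal interface.
    #-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Every rule below accepts new connections from any source (no -s).  For
    # services that only known hosts use -- the admin and database ports in
    # particular -- add "-s <address/prefix>" to the rule.
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    # Extra ports: copy the template below once per port and replace xxxx with
    # the port number.  Keep the template itself commented out: iptables-restore
    # stops on the literal "xxxx" and the rule set does not load.
    #-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport xxxx -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 873 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 953 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 49152:65534 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5000 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5100 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT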

    저장한 후에

    # systemctl start iptables

    동작 확인하기

    # systemctl status iptables

    # iptables -nvL

    [root@danda33 /]# iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    220 36973 RH-Firewall-1-INPUT all — * * 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 RH-Firewall-1-INPUT all — * * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 134 packets, 18961 bytes)
    pkts bytes target prot opt in out source destination

    Chain RH-Firewall-1-INPUT (2 references)
    pkts bytes target prot opt in out source destination
    17 5573 ACCEPT all — lo * 0.0.0.0/0 0.0.0.0/0
    203 31400 ACCEPT all — eth0 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT icmp — * * 0.0.0.0/0 0.0.0.0/0 icmptype 255
    0 0 ACCEPT esp — * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT ah — * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp — * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
    0 0 ACCEPT udp — * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
    0 0 ACCEPT all — * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:xxxx 추가한 포트들
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
    0 0 ACCEPT udp — * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3389
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:873
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:953
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:49152:65534
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5000
    0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5100
    0 0 REJECT all — * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    [root@]#

    기록 : 2025-03-23

  • Linux server 초기 퍼미션 설정

    리눅스 서버

    초기설정시

    서버의 퍼미션설정 정보입니다.

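    # Initial permission set for a freshly installed server; run as root.
    # Absolute paths are used so the commands do not depend on the current
    # directory (the original did "cd /" and then set 711 on "." and on "/",
    # which is the same directory twice).
    # 711 on /: any user may traverse the root directory but not list it.
    chmod 711 /
    # 1777 on /tmp: world-writable with the sticky bit, so a file there can
    # only be removed by its owner.
    chmod 1777 /tmp
    # 500 on /proc: root-only listing.  NOTE(review): /proc is a virtual
    # filesystem; confirm the target kernel honours a chmod on it and that no
    # non-root monitoring tool on the host needs /proc before relying on this.
    chmod 500 /proc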

    #

    기록 : 2025-03-23

  • ncftpget 으로 백업하기

    [root@mail WEBHOST]# ncftpget -R -u 아이디 -p 비밀번호 -P 포트번호 도메인명 . '상대경로'
    점(.)은 현재폴더를 의미합니다.
    상대경로란 /test 라 하면, 도메인명/test가 된다는 것입니다.
    즉, 아이디의 상대경로다음부터 적용되는 폴더입니다. 참고로 -p 로 명령행에 넘긴 비밀번호는 ps 출력과 쉘 히스토리에 그대로 남으므로, ncftpget -f 로 로그인 정보 파일을 지정하는 편이 안전합니다.

  • 서버셋팅시, 서버퍼미션설정 (서버초기작업시)

    Name    
       rootman  

    Subject  
       서버세팅시 방장의 퍼미션 권한 설정

    간만에 제 홈페이지를 들어오네요.. 휴~~
    바쁜 건 아닌데.. 여유가 좀처럼 없네요.

    서버세팅시 제가 즐겨설정하는 것입니다.
    auto.sh 라는 화일을 만들어서 퍼미션 및 유저를 삭제합니다..

    해당 사항은 아래와 같습니다.

    보탬이나, 부족한 부분있으면 덧붙여 주십시요.. ^^…………

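    #!/bin/sh
    # Title: lock down permissions and remove unused default accounts
    #
    # Run once, as root, right after a server is installed.  Every step is
    # best-effort: a path or account that is missing is reported on stderr and
    # skipped, so one missing file no longer hides the rest of the list (the
    # original "userdel a && userdel b && ..." chains stopped at the first
    # account that was already gone, and "chattr +i X or Y" tried to operate on
    # a file literally named "or").  /bin/umonut was a typo for /bin/umount and
    # /usr/bin/nslookup was listed twice; both are fixed here.
    #
    # NOTE(review): the paths are those of an old Red Hat layout
    # (/usr/bin/sperl5.00503, separate /bin and /sbin); check that they still
    # apply on the target before running this.

    set -u

    # warn MSG...: print a diagnostic on stderr without stopping the run.
    warn() {
      printf 'auto.sh: %s\n' "$*" >&2
    }

    # set_mode MODE PATH...: chmod every PATH that exists; report the rest.
    # The body runs in a subshell so its variables stay local under plain sh.
    set_mode() (
      mode=$1
      shift
      for path in "$@"; do
        if [ -e "$path" ]; then
          chmod "$mode" "$path" || warn "chmod $mode $path failed"
        else
          warn "chmod $mode: $path does not exist, skipped"
        fi
      done
    )

    # set_mode_tree MODE DIR...: like set_mode but recursive (chmod -R).
    set_mode_tree() (
      mode=$1
      shift
      for dir in "$@"; do
        if [ -d "$dir" ]; then
          chmod -R "$mode" "$dir" || warn "chmod -R $mode $dir failed"
        else
          warn "chmod -R $mode: $dir is not a directory, skipped"
        fi
      done
    )

    # set_group GROUP PATH...: chgrp every PATH that exists; report the rest.
    set_group() (
      group=$1
      shift
      for path in "$@"; do
        if [ -e "$path" ]; then
          chgrp "$group" "$path" || warn "chgrp $group $path failed"
        else
          warn "chgrp $group: $path does not exist, skipped"
        fi
      done
    )

    # make_immutable PATH...: chattr +i the first PATH that exists.  Callers
    # pass the alternative locations of one file (the /etc/mail path and the
    # older /etc path); only one of them is expected to be present.
    make_immutable() (
      for path in "$@"; do
        if [ -e "$path" ]; then
          chattr +i "$path" || warn "chattr +i $path failed"
          return 0
        fi
      done
      warn "chattr +i: none of [$*] exist, skipped"
    )

    # remove_users NAME...: userdel each account, continuing after a failure.
    remove_users() (
      for user in "$@"; do
        userdel "$user" || warn "userdel $user failed (already removed?)"
      done
    )

    # remove_groups NAME...: groupdel each group, continuing after a failure.
    remove_groups() (
      for group in "$@"; do
        groupdel "$group" || warn "groupdel $group failed (already removed?)"
      done
    )

    main() {
      # Tools only root should be able to run.  A numeric mode replaces every
      # bit, so any setuid/setgid bit these binaries carried is cleared too.
      set_mode 700 \
        /usr/bin/finger /usr/bin/nslookup /usr/bin/gcc /usr/bin/suidperl \
        /usr/bin/whereis /usr/bin/cc /usr/bin/chage /usr/bin/chfn \
        /usr/bin/sperl5.00503 /usr/bin/c++ /usr/bin/make /usr/bin/pstree \
        /usr/bin/rlog /usr/bin/rlogin /usr/bin/which /usr/bin/who \
        /usr/bin/write /usr/bin/wall /usr/bin/w
      set_mode 755 /usr/bin/man

      set_mode 700 /usr/sbin/usernetctl /sbin/netreport /bin/mount /bin/umount
      # Owner and group only; the chgrp wheel step below decides who that is.
      set_mode 750 /sbin/ifconfig /bin/mail /bin/ps /bin/df /bin/dmesg

      # NOTE(review): 700 hides these two files from every non-root reader;
      # confirm nothing on the host needs to read /etc/fstab as a normal user.
      set_mode 700 /etc/fstab /etc/exports

      # These must stay world-readable: restricting them to 600 or similar
      # breaks getaddress on the imap side (noted by the original author).
      set_mode 644 /etc/hosts /etc/hosts.deny /etc/hosts.allow

      # NOTE(review): recursive 700 removes group/other access for every file
      # below these trees; a service that writes under /var/log as a non-root
      # user will fail to open its log afterwards.  Verify before running.
      set_mode_tree 700 /etc/sysconfig/ /var/log/

      # Hand the 750 tools to wheel so administrators keep them.  netstat,
      # last and top only get the group here; their mode is left as installed.
      set_group wheel \
        /sbin/ifconfig /bin/ps /bin/netstat /bin/dmesg /bin/df \
        /usr/bin/w /usr/bin/who /usr/bin/finger /usr/bin/last /usr/bin/top

      # Immutable mail and service configuration.  Package updates that replace
      # these files fail until the flag is cleared again with "chattr -i".
      make_immutable /etc/mail/sendmail.cf /etc/sendmail.cf
      make_immutable /etc/mail/local-host-names
      make_immutable /etc/mail/aliases /etc/aliases
      make_immutable /etc/mail/access
      make_immutable /etc/services

      # NOTE(review): 4750 keeps dump setuid-root and runnable by its owning
      # group; this script never chgrps /sbin/dump, so check which group that
      # is before running.
      set_mode 4750 /sbin/dump

      # --------------------------------------------------------------------
      # Default accounts a hardened server does not need.  userdel leaves files
      # owned by the removed uid in place; review them afterwards with
      # "find / -nouser" before that uid can be handed to a new account.
      remove_users adm lp sync shutdown halt news uucp operator \
        games gopher ftp
      # --------------------------------------------------------------------
      # Users first, then groups: groupdel refuses a group that is still some
      # account's primary group.
      remove_groups adm lp news uucp games dip pppusers slipusers
      # --------------------------------------------------------------------
    }

    main "$@"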

  • 하위 디렉토리까지 뒤져 특정파일의 내용을 replace하기

    출처 : http://kltp.kldp.org/stories.php?story=02/01/17/8416340

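    # Replace 문자열 with 변경할문자열 in every .php file below the current
    # directory.  perl -i rewrites each file in place, so take a backup first
    # (or use -pi.bak to keep a copy next to each file).  The quotes must be
    # plain ASCII: the curly quotes a blog editor inserts are passed to find
    # and perl as part of the pattern and the command silently matches nothing.
    find . -type f -name '*.php' -exec perl -pi -e 's/문자열/변경할문자열/g' {} +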

    웹호스트에서 검증한 명령어입니다. 칸띄우기등 그대로 사용하세요.

  • find 명령으로 특정파일 특정문자열 찾아내기

    /home 디렉토리 하단에 .htaccess 파일중에서
    “avi”란 단어가 들어간 파일을 모두 찾아보자.

    [root@zero7 jasmine]# grep "avi" `find /home -name .htaccess`
    /home/mech007/public_html/main/.htaccess:RewriteCond %{DOCUMENT_ROOT}//main/attach/1/favicon.ico -f
    /home/mech007/public_html/main/.htaccess:RewriteRule ^favicon\.ico$ attach/1/favicon.ico [E=SURI:1,L]
    /home/mech007/public_html/main/.htaccess:RewriteRule ^favicon\.ico$ image/icon_favicon_default.ico [E=SURI:1,L]

    만약, 검색한 파일리스트만 출력하려면, 아래와 같이 하면 된다.

    [root@zero7 jasmine]# grep -l "avi" `find /home -name .htaccess`
    /home/mech007/public_html/main/.htaccess
    [root@zero7 jasmine]#

    입력시 `는 키보드좌측 탭키 바로위 ~자판임. 경로에 공백이 있으면 백틱 치환 결과가 단어별로 쪼개지므로, `find /home -name .htaccess -exec grep -l "avi" {} +` 형태로 쓰면 그 문제가 없음.

  • 하드디스크의 상태보기

    [root@ns2 ~]# smartctl -a /dev/sda
    smartctl version 5.33 [i386-redhat-linux-gnu] Copyright (C) 2002-4 Bruce Allen
    Home page is http://smartmontools.sourceforge.net/

    Device: SEAGATE  ST373207LC       Version: 0003
    Serial number: 3KT04Y9500007609MM1E
    Device type: disk
    Transport protocol: Parallel SCSI (SPI-4)
    Local Time is: Thu Jul 17 19:47:11 2008 KST
    Device supports SMART and is Enabled
    Temperature Warning Enabled
    SMART Health Status: OK

    Current Drive Temperature:     28 C
    Drive Trip Temperature:        68 C
    Vendor (Seagate) cache information
      Blocks sent to initiator = 3138754649
      Blocks received from initiator = 1182413804
      Blocks read from cache and sent to initiator = 40205361
      Number of read and write commands whose size <= segment size = 1931501148
      Number of read and write commands whose size > segment size = 344679

    Error counter log:
               Errors Corrected by           Total   Correction     Gigabytes    Total
                   EEC          rereads/    errors   algorithm      processed    uncorrected
               fast | delayed   rewrites  corrected  invocations   [10^9 bytes]  errors
    read:     497069        0         0    497069     497069        111.790           0
    write:         0        0         0         0          0        329.737           0

    Non-medium error count:        2

    Error Events logging not supported

    [GLTSD (Global Logging Target Save Disable) set. Enable Save with ‘-S on’]
    No self-tests have been logged
    Long (extended) Self Test duration: 1405 seconds [23.4 minutes]
    [root@ns2 ~]#


    HP cciss 디바이스 상태보는방법

    [root@ns2 ~]# smartctl -a -d cciss,0 /dev/cciss/c0d0

    [root@ns2 ~]# smartctl -a -d cciss,1 /dev/cciss/c0d1
    smartctl version 5.36 [i686-redhat-linux-gnu] Copyright (C) 2002-6 Bruce Allen
    Home page is http://smartmontools.sourceforge.net/

    Device: ATA      ST3750330NS      Version: SN04
    Serial number:             3QK04S5Z
    Device type: disk
    Local Time is: Fri Jul 18 21:17:32 2008 EDT
    Device supports SMART and is Enabled
    Temperature Warning Disabled or Not Supported
    Log Sense failed, IE page [scsi response fails sanity test]
    Read defect list: asked for grown list but didn’t get it

    Error Counter logging not supported
    Device does not support Self Test logging

    상태가 잘 표시되지 않지만, 하드모델명정도는 알아낼 수 있다.



    (주)웹호스트

  • linux CPU,메모리 제조사, 슬롯,뱅크등 자세한 정보 알아내는 방법

    프로그램 명 : dmidecode 2.8 (시스템(bios/dmi) 정보확인)
    운영체제     LINUX,FreeBSD
    라이센스     GPL
    홈페이지     http://www.nongnu.org/dmidecode/

    1. dmidecode 를 설치함.

    홈페이지에서 최신 tar.gz 다운로드

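    tar xvzfp dmidecode-2.9.tar.gz
    # Stop if the unpacked directory is missing; otherwise "make install" would
    # run in whatever directory we happen to be in.
    cd dmidecode-2.9 || exit 1
    # Do not install a build that failed.
    make || exit 1
    make install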

    1. 실행해본다.

    [root@storage0001 dmidecode-2.9]# whereis dmidecode
    dmidecode: /usr/sbin/dmidecode /usr/local/sbin/dmidecode
    [root@storage0001 dmidecode-2.9]# dmidecode

    매우 복잡한 시스템정보 출력됨

    문제점

    너무 복잡해서 뭐가 뭔지 모름

    그래서, dmidecode를 쉽게 보여주는 유틸을 하나 추가설치한다.

    1. lshw 설치

    http://ezix.org/project/wiki/HardwareLiSter

    화면중간쯤에

    The latest version is B.02.13 (MD5:e94c728ed037ca706436b5ef71aa392d, SHA1:e27412d47de8efb4adb3646e46affffb95dd384f).

    이 부분 클릭하고 다운로드함

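    wget http://ezix.org/software/files/lshw-B.02.13.tar.gz
    # The project page publishes the archive's checksums (MD5
    # e94c728ed037ca706436b5ef71aa392d, SHA1 e27412d47de8efb4adb3646e46affffb95dd384f).
    # The download travels over plain http, so compare before unpacking and
    # building: sha1sum -c wants two spaces between the hash and the file name.
    printf '%s  %s\n' e27412d47de8efb4adb3646e46affffb95dd384f lshw-B.02.13.tar.gz \
      | sha1sum -c - || exit 1

    tar xvzfp lshw-B.02.13.tar.gz
    # Stop if the unpacked directory is missing rather than building elsewhere.
    cd lshw-B.02.13 || exit 1
    make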

    완료됨

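    # The binary is built inside src/; stop if the directory is not there
    # instead of running some other lshw found on the PATH.
    cd src || exit 1
    ./lshw | more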
    (약 2초간 대기….)

         *-cpu:1
              description: CPU
              physical id: 8
              bus info: cpu@1
              version: 15.4.3
              serial: 0000-0F43-0000-0000-0000-0000
              slot: CPU 2
              size: 18EHz
              capabilities: ht
              configuration: id=0
            *-cache:0 DISABLED
                 description: L1 cache
                 physical id: 9
                 slot: L1-Cache
            *-cache:1 DISABLED
                 description: L2 cache
                 physical id: a
                 slot: L2-Cache
            *-logicalcpu:0
                 description: Logical CPU
                 physical id: 0.1
                 capabilities: logical
            *-logicalcpu:1
                 description: Logical CPU
                 physical id: 0.2
                 capabilities: logical
         *-memory
              description: System Memory
              physical id: 36
              slot: System board or motherboard
              size: 1GiB
            *-bank:0
                 description: DIMM DDR Synchronous [empty]
                 physical id: 0
                 slot: DIMM_2A
                 width: 64 bits
            *-bank:1
                 description: DIMM DDR Synchronous [empty]
                 physical id: 1
                 slot: DIMM_2B
                 width: 64 bits
            *-bank:2
                 description: DIMM DDR Synchronous 400 MHz (2.5 ns)
                 physical id: 2
                 slot: DIMM_1A
                 size: 512MiB
                 width: 64 bits
                 clock: 400MHz (2.5ns)

    .
    .
    .

    cpu와 메모리등 보드자체의 제조사, 정확한 뱅크정보가 나온다.

    lshw를 계속 사용하려면
    # Copy the built binary out of the source tree so it can be run as
    # /usr/local/sbin/lshw from anywhere (needs root to write there).
    cp lshw /usr/local/sbin

    처럼 복사해서 사용한다.

    (주)웹호스트 2008년 7월31일 작성

  • 서버에 접근하는 ip들 보기

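    # Count the distinct remote addresses that have a TCP socket to this host.
    # Only rows beginning with "tcp" are used: the two netstat header lines
    # otherwise contribute the words "and" and "Address" to the count.  Drop
    # the trailing "wc -l" to see the addresses themselves.
    # NOTE(review): LISTEN rows still contribute 0.0.0.0 / ::: and "cut -d :"
    # mangles IPv6 addresses; filter on $6 == "ESTABLISHED" if only live peers
    # matter.
    netstat -ant | awk '/^tcp/ {print $5}' | cut -f 1 -d : | sort -u | wc -l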

    서버에 접근하는 ip들 보기

  • 내 linux 가 32bit 인지 64bit 인지 확인방법

    #uname -a

    하시면 됩니다.

    Linux kkamagi2 2.6.18-8.1.15.el5 #1 SMP Mon Oct 22 08:32:04 EDT 2007 i686 i686 i386 GNU/Linux

    32bit시에 위와 같이 뜨고..

    64bit시에는.

    x86 64로 나올 꺼예요