hardening_linux_web_servers.pdf


간단히 뽑아서 정리해 보았습니다.



Security is a process, not a result.

netstat

[root@test1 ~]# netstat -l -n -p -t -u -w
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1736/mysqld        
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      1603/proftpd: (acce
tcp        0      0 :::80                       :::*                        LISTEN      3102/httpd         
tcp        0      0 :::22                       :::*                        LISTEN      1549/sshd          
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1439/dhclient      

(-l shows only listening sockets, -n prints numeric addresses and ports instead of resolving names, -p shows the owning PID/program name, and -t, -u, -w restrict the output to TCP, UDP and raw sockets. Together these flags leave out UNIX-domain sockets, which are only used for inter-process communication on the local host and cannot be reached over the network. Read the "Local Address" column: 0.0.0.0 and ::: mean the service accepts connections on every interface. In the listing above mysqld (3306) and proftpd (21) are exposed that way even though the firewall below only opens 22, 80 and 443 -- either bind them to 127.0.0.1 / disable them (see the my.cnf note further down) or accept that the packet filter is the only thing in the way. On current distributions `ss -lntup` gives the same view.)




nmap (외부에서 본 공격 표면 확인. `-P0`는 ping 생략 옵션으로 최신 Nmap에서는 `-Pn`, `-O`는 OS 추정. netstat는 호스트 내부에서 열린 소켓을 보여주지만, 방화벽을 거쳐 실제로 도달 가능한 포트는 이렇게 다른 호스트에서 스캔해야 확인된다.)


[root@test1 ~]# nmap -P0 -O 172.16.98.1

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-12-31 13:19 KST
Interesting ports on 172.16.98.1:
Not shown: 1679 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:50:56:xx:xx:xx (VMWare)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.4.7 - 2.6.11

Nmap finished: 1 IP address (1 host up) scanned in 2.649 seconds



iptables

방화벽 설정 룰 보기
[root@test1 ~]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        


초기화
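# Flush (delete) every rule in every chain of the filter table.
# Chain *policies* are not touched by -F: with a DROP policy this locks the
# box down (including your SSH session), with an ACCEPT policy it opens it
# completely. Do it from the console unless the policies are ACCEPT.
# -F alone also leaves user-defined chains (-X) and the nat/mangle tables
# (-t nat -F, -t mangle -F) in place.
iptables -F
# or, one chain at a time:
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT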



방화벽 설정
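# Stateful firewall for a Linux web server (SSH/HTTP/HTTPS only).
#
# iptables evaluates a chain top to bottom and stops at the first match, so
# the order below is deliberate. Run as root. Re-running appends duplicate
# rules, so flush first (iptables -F) if the rules are already loaded.
# (-m state is the legacy match; on current kernels -m conntrack --ctstate
# takes the same state names.)

# Loopback first: local services (e.g. mysqld on 127.0.0.1) must keep working.
# Match on the interface rather than on "-s 127.0.0.1": a source address can
# be forged on the wire and the original rule relied on the kernel's martian
# filtering to drop such packets, while the loopback interface cannot be faked.
iptables -A INPUT -i lo -j ACCEPT

# Replies to connections this host initiated, and related traffic (FTP data,
# ICMP errors), are accepted regardless of port.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Packets that belong to no known connection (malformed, scan noise) are
# dropped before the per-service rules see them.
iptables -A INPUT -m state --state INVALID -j DROP

# Services exposed to the network. If sshd is moved off port 22 (the SSH
# section below changes it to 2200), change the first rule to match *before*
# restarting sshd, or you lock yourself out.
iptables -A INPUT -p tcp -m tcp --dport 22  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Outbound: block SSH *before* the blanket accept. In the original ordering
# the "--state NEW,RELATED,ESTABLISHED -j ACCEPT" rule came first and matched
# every outbound packet (a new SSH connection's SYN is state NEW), so the DROP
# for dport 22 after it was never reached.
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j DROP
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Everything else inbound, and all forwarding (this is not a router), is
# dropped. Expressing this as the chain policy rather than a trailing
# "-j DROP" rule means a flushed chain fails closed instead of wide open.
# The flip side: flushing with these policies in place cuts remote access
# until "iptables -P INPUT ACCEPT" is run from the console.
iptables -P INPUT DROP
iptables -P FORWARD DROP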

[root@test1 ~]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     all  --  localhost.localdomain  anywhere           
DROP       all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
DROP       all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh



방화벽 설정 저장
[root@test1 ~]# iptables-save > /root/firewall

[root@test1 ~]# cat /root/firewall
# Generated by iptables-save v1.3.5 on Wed Dec 31 13:58:13 2008
*filter
:INPUT ACCEPT [14712:1529876]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12518:981746]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT
# Completed on Wed Dec 31 13:58:13 2008


방화벽설정 저장한것으로 적용하기 (iptables-save로 만든 파일은 재부팅 시 자동 적용되지 않는다. RHEL/CentOS 계열이면 `service iptables save`로 /etc/sysconfig/iptables에 저장해 부팅 시 로드되게 하거나, 아래 명령을 부팅 스크립트에서 실행해야 한다. `-c`는 저장된 패킷/바이트 카운터까지 복원하는 옵션이다.)

[root@test1 ~]# iptables-restore -c /root/firewall



Hardening SSH


ssh 접근 설정
/etc/ssh/sshd_config

# ListenAddress defines the IP address ssh will
# listen on
#ListenAddress 0.0.0.0 -> ListenAddress 10.0.2.10
#Only accept SSH protocol 2 connections
#Protocol 2,1 -> Protocol 2
#Disable root login
PermitRootLogin yes -> PermitRootLogin no
#Disable allowing all system accounts to ssh in,
# only allow certain users (space delimited)
AllowUsers userName1 userName2 userName3
# Change Default port. This is obscurity, not security (a port scan finds it);
# if you do it, open the new port in the firewall rules above *before*
# restarting sshd, keep the current session open, and test a fresh login --
# otherwise the rule that only accepts dport 22 locks you out.
Port 22 -> Port 2200



File system security

/tmp 설정 (/etc/fstab)
# The mount options are ONE comma-separated field with no spaces. The original
# line had a space after "nosuid,", which splits the field: depending on the
# parser, "noexec" is either silently lost (read as the dump column) or the
# line is rejected. Apply without a reboot: mount -o remount /tmp
/dev/hda2 /tmp ext3 nodev,nosuid,noexec 0 0


루트킷 검사
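# Fetch and run chkrootkit. Two caveats the one-liner version hides:
#  - the download is plain FTP with no integrity check, so compare the tarball
#    against the checksum/signature published on the chkrootkit site before
#    unpacking it -- otherwise anyone on the network path can hand you a
#    trojaned "rootkit scanner" that you then run as root;
#  - chkrootkit relies on the system's own ps/ls/netstat binaries, which a
#    rootkit may already have replaced. Run it from a rescue medium or point
#    it at known-good binaries with "-p /path/to/clean/bin" when in doubt.
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# (verify the checksum/signature here before going on)
tar -xzvf chkrootkit.tar.gz
# The tarball unpacks into chkrootkit-<version>/; the glob avoids typing the
# version, and "|| exit 1" stops the script from running ./chkrootkit from the
# wrong directory if the extraction failed.
cd chkrootkit-*/ || exit 1
# Some checks need the bundled C helpers (chkproc, chkdirs, ...): build them.
make sense
./chkrootkit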


php.ini 설정

# Edit /usr/local/php/php.ini with your
# favorite editor
# Since you're are going through the trouble of
# hiding PHP files you might as well disable
# this as well
 expose_php = On -> expose_php = Off
# You really don't want users, or worse yet
# an attacker to see error messages
 display_errors = On -> \
    display_errors = Off
# But you do want them logged \
 log_errors = Off -> log_errors = On
# Log to a file. Keep it outside the document root (as here), make it
# writable by the web-server user only, and never serve it: the stack traces
# and paths it collects are exactly what display_errors = Off was hiding.
;error_log = filename -> \
     error_log = /var/log/php-err



mysql 설정

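# Set the root password. Give it at the prompt rather than on the command
# line: an argument is visible in `ps` to every user on the box and lands in
# the shell history file. (mysqladmin prompts when the argument is omitted on
# MySQL 5.6+; on older versions run SET PASSWORD interactively in the mysql
# client instead. mysql_secure_installation automates this whole section.)
mysqladmin -u root -h localhost password
# Then log in as root to clean up the default accounts and databases.
# "-p" with no value prompts, so the password still never touches argv.
mysql -u root -p <<'SQL'
-- Drop the "test" database that ships with the default install, and the
-- privilege rows that let any account use databases named test or test_*.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
-- Remove the anonymous accounts (empty User) from both privilege tables.
DELETE FROM mysql.db   WHERE User='';
DELETE FROM mysql.user WHERE User='';
-- Rename the DBA account so password guessing has to find the name too.
-- Single quotes: double quotes denote identifiers under sql_mode=ANSI_QUOTES.
UPDATE mysql.user SET User='mydbadmin' WHERE User='root';
-- Default installs may also carry root-style rows for hosts other than
-- localhost; keep only the local ones (check: SELECT User,Host FROM mysql.user).
DELETE FROM mysql.user
 WHERE User='mydbadmin' AND Host NOT IN ('localhost','127.0.0.1','::1');
-- The tables were edited directly, so reload them.
FLUSH PRIVILEGES;
SQL
# Log in again with the new name to confirm the changes took; enter the
# password at the prompt, do not put it in the script.
mysql -u mydbadmin -p
# Configure /etc/my.cnf: under [mysqld], "skip-networking" stops mysqld from
# listening on TCP at all (the netstat output above shows it on 0.0.0.0:3306),
# so local clients must use the UNIX socket. As the original note says, this
# keeps the port closed even if the firewall rules are flushed. If an
# application on this host needs TCP, use "bind-address=127.0.0.1" instead,
# which still keeps remote hosts out. (The exact line was lost in the PDF
# extraction; these are the two directives that do what the note describes.)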

 
 
XSS 관련

php 코드

# Vulnerable Code
<?php
        // VULNERABLE: $_GET['input'] is attacker-controlled and is printed
        // into the HTML response unchanged, so a value such as
        // <script>...</script> runs in the victim's browser (reflected XSS).
        // Kept as the "before" picture; the fix is to HTML-encode the value
        // before printing it (see the secure version below).
        $userInput = $_GET['input'];
        print $userInput;
?>
# Secure Code
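<?php
    // The value is reflected into an HTML body, so it must be HTML-entity
    // encoded: htmlspecialchars() turns & < > " ' into entities, which is what
    // stops <script> (or an attribute breakout) from being parsed as markup.
    // The original used urlencode(), which also neutralises those characters
    // but is the wrong encoder for this context: it mangles legitimate text
    // ("a b" becomes "a+b"). Pick the encoder by where the data lands:
    // htmlspecialchars() for HTML, urlencode()/rawurlencode() for URL query
    // components, json_encode() for inline script.
    // isset() avoids an "undefined index" notice when the parameter is absent.
    $raw = isset($_GET['input']) ? $_GET['input'] : '';
    $userInput = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    print $userInput;
?>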


jsp 코드

  # Vulnerable Code
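  // VULNERABLE: the request parameter is written straight into the page, so a
  // value such as <script>...</script> is executed by every browser that loads
  // it (reflected XSS). Kept here as the "before" picture; see the secure
  // version below. Two things are fixed so this compiles and actually runs:
  // doGet must be a non-static override (a static method never overrides
  // HttpServlet.doGet, so the container would never call it), and the writer
  // comes from the parameter "res", which the original referred to as
  // "response" (an undefined name).
  public class myServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
      // Get User Input (null when the parameter is absent)
      String userInput = req.getParameter("input");
      // Print User Input to page -- unescaped: this is the injection point
      PrintWriter out = res.getWriter();
      out.write("<html>");
      out.write(userInput);
      out.write("</html>");
    }
  }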
# Secure Code
import java.net.URLEncoder;
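public class myServlet extends HttpServlet {
   /**
    * Echoes the "input" query parameter inside an HTML page.
    *
    * The parameter is untrusted, so it is HTML-escaped before it is written:
    * the characters that can close a text node or an attribute (& < > " ')
    * become entities and are displayed rather than parsed. The original used
    * URLEncoder.encode, which is the encoder for URL query components, not
    * HTML: it blocks the script tag but also turns "a b" into "a+b", and it
    * throws a checked UnsupportedEncodingException the method did not
    * declare. doGet is now a real override (the original was static, which
    * the container never calls) and uses the parameter "res" (the original
    * referenced an undefined "response"). A maintained library encoder (e.g.
    * the OWASP Java Encoder) is preferable to a hand-written one when the
    * project can depend on it.
    */
   @Override
   protected void doGet(HttpServletRequest req, HttpServletResponse res)
           throws ServletException, IOException {
      // Get User Input (null when the parameter is absent)
      String userInput = req.getParameter("input");
      // Pin the charset so the browser decodes the page the way it was
      // escaped, instead of sniffing one.
      res.setContentType("text/html; charset=UTF-8");
      // Print User Input to page, escaped for an HTML text context
      PrintWriter out = res.getWriter();
      out.write("<html>");
      out.write(htmlEscape(userInput));
      out.write("</html>");
   }

   /** Escapes the five HTML-significant characters; null becomes "". */
   static String htmlEscape(String s) {
      if (s == null) {
         return "";
      }
      StringBuilder sb = new StringBuilder(s.length() + 16);
      for (int i = 0; i < s.length(); i++) {
         char c = s.charAt(i);
         switch (c) {
            case '&':  sb.append("&amp;");  break;
            case '<':  sb.append("&lt;");   break;
            case '>':  sb.append("&gt;");   break;
            case '"':  sb.append("&quot;"); break;
            case '\'': sb.append("&#39;");  break;
            default:   sb.append(c);
         }
      }
      return sb.toString();
   }
}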


SQL Injection

# Partial PHP
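// Prepared statement via PDO: the value travels separately from the SQL
// text, so it can never change the query's structure. The original escaped
// the value with mysql_real_escape_string() into a "..."-quoted literal;
// that is only safe while the connection charset and sql_mode (e.g.
// NO_BACKSLASH_ESCAPES) match what the escaper assumes, and the mysql_*
// extension it relies on was removed in PHP 7. $pdo is an existing PDO
// connection opened elsewhere; $query_result is now an array of rows rather
// than a mysql result resource.
$stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?');
$stmt->execute(array($user_name));
$query_result = $stmt->fetchAll(PDO::FETCH_ASSOC);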
# Partial Java, ? is the bind variable
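Connection con = (acquire Connection)
// The "?" is a bind variable: the driver sends the SQL text and the value
// separately, so userInput can never be parsed as SQL. The statement and
// result set are JDBC resources and must be closed on every path, including
// exceptions, which the original omitted; on Java 7+ try-with-resources does
// the same with less nesting.
PreparedStatement pstmt =
    con.prepareStatement("SELECT * FROM users WHERE name = ?");
try {
    pstmt.setString(1, userInput);
    ResultSet rset = pstmt.executeQuery();
    try {
        // ... consume rset ...
    } finally {
        rset.close();
    }
} finally {
    pstmt.close();
}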









WRITTEN BY
김병국