2020.12.31 / 16:38

LINUX security settings summary - apache security settings

금동이

LINUX security settings summary

This is a rough summary of the Linux security settings that are most commonly used.

If the host is exposed to an external network, be sure to change the sshd port and restrict root user login.

Even if you only set PermitRootLogin no in sshd_config and change the port number, dictionary attacks (password guessing) against root or other accounts decrease.

If the password is set to root/root and the host uses a public IP, it can be compromised within a day.

iptables will be covered later together with CentOS firewalld.

Test OS environment: CentOS 7.4

  • TCP wrapper
  • login.defs
  • pam_tally2
  • sshd_config changes

 

TCP Wrapper

For hosts.allow / hosts.deny, the usual pattern is to put ALL:ALL in hosts.deny and then open access per service in hosts.allow.

 

ex) Test scenario: ssh from the centos7-test system to centos74

centos74, centos7-test

 

Checking the connection

[root@centos74 ~]# tail -f /var/log/secure
Nov 30 22:30:21 centos74 sshd[2233]: Accepted password for root from 192.168.186.130 port 48408 ssh2
Nov 30 22:30:21 centos74 sshd[2233]: pam_unix(sshd:session): session opened for user root by (uid=0)

The connection succeeded normally.

 

Because the host was opened through the public network for this test, a very large number of ssh login attempts as root can be seen.

The first octet of the attacking IP address has been masked with x. PermitRootLogin no and a port change in sshd_config are needed.

Nov 30 22:30:38 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:38 centos74 sshd[2235]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 30 22:30:40 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:40 centos74 sshd[2235]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 30 22:30:42 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:43 centos74 sshd[2235]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 30 22:30:45 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:45 centos74 sshd[2235]: error: maximum authentication attempts exceeded for root from x.38.145.226 port 52215 ssh2 [preauth]
Nov 30 22:30:45 centos74 sshd[2235]: Disconnecting: Too many authentication failures [preauth]
Nov 30 22:30:45 centos74 sshd[2235]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.38.145.226  user=root
Nov 30 22:30:45 centos74 sshd[2235]: PAM service(sshd) ignoring max retries; 6 > 3
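As an added detection example (not part of the original post), the Python script below parses /var/log/secure lines of the kind quoted above, counts failed password logins per user and source address, and lists the sources that reach a failure threshold; the sample lines are constructed from the excerpt above, with the masked x. address left as the page shows it.

```python
import re
from collections import Counter

# Constructed sample: the sshd lines quoted above, with the source address
# masked with "x." exactly as it is on the page.
SAMPLE_SECURE_LOG = """\
Nov 30 22:30:21 centos74 sshd[2233]: Accepted password for root from 192.168.186.130 port 48408 ssh2
Nov 30 22:30:38 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:40 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:42 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:45 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:45 centos74 sshd[2235]: error: maximum authentication attempts exceeded for root from x.38.145.226 port 52215 ssh2 [preauth]
Nov 30 22:42:45 centos74 sshd[2537]: refused connect from 192.168.186.130 (192.168.186.130)
"""

# The two password-authentication outcomes sshd writes to the secure log.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_events(text):
    """Yield (result, user, source) for every 'Accepted'/'Failed password' line."""
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")


def summarize(text, fail_threshold=3):
    """Count failures per (user, source), record accepted root logins and list
    the sources whose failure count reaches fail_threshold."""
    failures = Counter()
    accepted_root = []
    for result, user, src in parse_auth_events(text):
        if result == "Failed":
            failures[(user, src)] += 1
        elif user == "root":
            accepted_root.append(src)
    suspicious = sorted({src for (_, src), n in failures.items() if n >= fail_threshold})
    return {
        "failures": dict(failures),
        "accepted_root": accepted_root,
        "suspicious_sources": suspicious,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_SECURE_LOG)
    for (user, src), n in report["failures"].items():
        print(f"{n} failed password(s) for {user} from {src}")
    print("accepted root logins from:", report["accepted_root"])
    print("sources at or over threshold:", report["suspicious_sources"])
```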

 

TCP Wrapper configuration

[root@centos74 ~]# vi /etc/hosts.deny
ALL:ALL

 

Checking /var/log/secure

[root@centos74 ~]# tail -f /var/log/secure
Nov 30 22:42:45 centos74 sshd[2537]: refused connect from 192.168.186.130 (192.168.186.130)

 

Checking from the ssh client on centos7-test

[root@centos7-test ~]# ssh centos74
ssh_exchange_identification: read: Connection reset by peer
[root@centos7-test ~]#

The connection is no longer possible.

 

Adding the 192.168.186 range for sshd

When adding a network range, the pattern must end with a dot after the last octet, e.g. 192.168.0.

To allow only a specific IP address, set it as 192.168.0.10.

[root@centos74 ~]# vi /etc/hosts.allow
sshd:192.168.186.


[root@centos74 ~]# tail -f /var/log/secure
Nov 30 22:45:59 centos74 sshd[2579]: Accepted password for root from 192.168.186.130 port 48416 ssh2
Nov 30 22:45:59 centos74 sshd[2579]: pam_unix(sshd:session): session opened for user root by (uid=0)
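The hosts.allow/hosts.deny evaluation described in this section, as an added Python model (not the author's code and not libwrap itself) of the hosts_access(5) decision order; it supports only the pattern forms used on this page (ALL, an exact address and a dotted network prefix) and shows why the trailing dot matters.

```python
# Constructed copies of the two files exactly as configured above.
HOSTS_DENY = "ALL:ALL\n"
HOSTS_ALLOW = "sshd:192.168.186.\n"


def parse_access_file(text):
    """Return (daemon_patterns, client_patterns) per rule. Comments and blank
    lines are skipped; an optional third ':'-field (shell command) is ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, address):
    """The address pattern forms used on this page: ALL, an exact IPv4
    address, or a network prefix that ends with a dot (192.168.186.)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return address.startswith(pattern)
    return address == pattern


def rule_matches(rule, daemon, address):
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(
        client_matches(c, address) for c in clients)


def hosts_access(daemon, address, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """libwrap decision order: the first matching hosts.allow rule grants access,
    otherwise the first matching hosts.deny rule refuses it, otherwise access
    is granted (which is why hosts.deny needs the ALL:ALL catch-all)."""
    for rule in parse_access_file(allow_text):
        if rule_matches(rule, daemon, address):
            return True
    for rule in parse_access_file(deny_text):
        if rule_matches(rule, daemon, address):
            return False
    return True


if __name__ == "__main__":
    for addr in ("192.168.186.130", "10.0.0.5"):
        print("sshd from", addr, "->", "allowed" if hosts_access("sshd", addr) else "refused")
    # The pitfall from the text: without the trailing dot the prefix is taken
    # literally and no host matches it.
    print("missing dot ->", hosts_access("sshd", "192.168.186.130", allow_text="sshd:192.168.186\n"))
```

The decision only applies to daemons that are actually linked against libwrap, which is what the ldd check in this section verifies.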

 

The web site was accessed from the VM host without any additional settings, and it is still reachable normally.

For apache, Allow and Deny can be configured with mod_access.

 

The ldd command shows whether a binary uses the libwrap library.

httpd check

[root@centos74 ~]# which httpd
/usr/sbin/httpd
[root@centos74 ~]# ldd /usr/sbin/httpd |grep libwrap
[root@centos74 ~]#

 

sshd check

[root@centos74 ~]# ldd /usr/sbin/sshd
        linux-vdso.so.1 =>  (0x00007ffe8f1e9000)
        libfipscheck.so.1 => /lib64/libfipscheck.so.1 (0x00007ff0e08ee000)
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007ff0e06e3000)
        libaudit.so.1 => /lib64/libaudit.so.1 (0x00007ff0e04ba000)
        libpam.so.0 => /lib64/libpam.so.0 (0x00007ff0e02ab000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007ff0e0084000)
        libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007ff0e005b000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007ff0dfbfa000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007ff0df9f6000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007ff0df7a1000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007ff0df592000)
        libutil.so.1 => /lib64/libutil.so.1 (0x00007ff0df38f000)
        libz.so.1 => /lib64/libz.so.1 (0x00007ff0df178000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007ff0def41000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007ff0ded27000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007ff0dead9000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007ff0de7f1000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007ff0de5be000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007ff0de3b9000)
        libc.so.6 => /lib64/libc.so.6 (0x00007ff0ddff6000)
        libnsl.so.1 => /lib64/libnsl.so.1 (0x00007ff0ddddd000)
        libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007ff0ddbd6000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007ff0dd974000)
        /lib64/ld-linux-x86-64.so.2 (0x000055f3da440000)
        libcap.so.2 => /lib64/libcap.so.2 (0x00007ff0dd76f000)
        libm.so.6 => /lib64/libm.so.6 (0x00007ff0dd46c000)
        librt.so.1 => /lib64/librt.so.1 (0x00007ff0dd264000)
        liblzma.so.5 => /lib64/liblzma.so.5 (0x00007ff0dd03e000)
        libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x00007ff0dcdbc000)
        libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007ff0dcbb7000)
        libdw.so.1 => /lib64/libdw.so.1 (0x00007ff0dc970000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007ff0dc759000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007ff0dc53d000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007ff0dc320000)
        libssl3.so => /lib64/libssl3.so (0x00007ff0dc0d3000)
        libsmime3.so => /lib64/libsmime3.so (0x00007ff0dbeac000)
        libnss3.so => /lib64/libnss3.so (0x00007ff0dbb82000)
        libnssutil3.so => /lib64/libnssutil3.so (0x00007ff0db954000)
        libplds4.so => /lib64/libplds4.so (0x00007ff0db750000)
        libplc4.so => /lib64/libplc4.so (0x00007ff0db54b000)
        libnspr4.so => /lib64/libnspr4.so (0x00007ff0db30c000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007ff0db109000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007ff0daefa000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007ff0dacf6000)
        libattr.so.1 => /lib64/libattr.so.1 (0x00007ff0daaf0000)
        libelf.so.1 => /lib64/libelf.so.1 (0x00007ff0da8d8000)
        libbz2.so.1 => /lib64/libbz2.so.1 (0x00007ff0da6c7000)
[root@centos74 ~]#

 

This topic is covered on the site below.

It is well organized, so I am only adding the link.

TCP Wrapper is generally understood to provide access control for services that run under xinetd.

TCP Wrapper https://www.joinc.co.kr/w/man/12/tcpwrapper

On BSD, it looks like apache access can be controlled through TCP Wrapper with an inetd configuration.

It is fairly old material; I would like to test it, but since it is unlikely to be used I am leaving only the link.

FreeBSD inetd-based apache http://freebsdhowtos.com/113.html

 

login.defs

Password policy can be set in /etc/login.defs.

PASS_MAX_DAYS   99999   maximum number of days a password may be used
PASS_MIN_DAYS   0       minimum number of days between password changes
PASS_MIN_LEN    0       minimum password length
PASS_WARN_AGE   7       days of warning given before a password expires

Modifying the login.defs file does not affect existing users; it applies to users created after the change.

 

/etc/shadow file explanation

[root@centos74 ~]# cat /etc/shadow
(field positions 1:2:3:4:5:6:7:8:9, described below)
root:$6$ZayMBeKp$aTokocQJQg77pDbkUGqYuBC21ESGCkKafchr2OMMWzplyQnid4ECxNPkNFIXd8K0vkDiVJvQv0nJDpq4Hb3qh/:17497:0:99999:7:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
adm:*:17110:0:99999:7:::
lp:*:17110:0:99999:7:::
test:$6$S9l9DJ9Q$SswkqlquRVyZOUZVETnrn1HJCjW3FQS9AvWSFe.ZUtSvfOJPnjgkc7XxHq4kdKqoe0StGEmJrqeZoZPYpw6Ig/:17500:0:99999:7:::
test1:$6$/wcpiL/o$vd.Gsw/aehbJ6WTgWSjohq0A9W3ks/5PA12SLA7MlVqdLxl0iJv8MkdmfThsb2s.Ux4mo1.QyleHgrfsNNmxt0:17500:0:99999:7:::
test2:$6$SWU0NjnK$8LA3TVRXCnveva/kETFn4vhaRL6tQooaGoaH9wT/mdD0CW6oVPA7f8z/vjGJL.p37HRjxkYRRmhpEgjQScMAr1:17500:0:99999:7:::
test3:!!:17500:0:99999:7:::
[root@centos74 ~]#

Field descriptions

1. Login Name: user account

2. Encrypted: the hashed password value

3. Last Changed: number of days since 1970-01-01 on which the password was last changed

4. Minimum: minimum number of days before the password may be changed

5. Maximum: maximum number of days the password may be used before it must be changed

6. Inactive: number of days after which login is blocked

7. Expire: date after which login is disabled, in days (month/day/year)

8. Reserved: not used

 

For the test user, the values set in /etc/login.defs were applied by default.

 

test:$6$S9l9DJ9Q$SswkqlquRVyZOUZVETnrn1HJCjW3FQS9AvWSFe.ZUtSvfOJPnjgkc7XxHq4kdKqoe0StGEmJrqeZoZPYpw6Ig/:17500:0:99999:7:::

PASS_MIN_DAYS: 0

PASS_MAX_DAYS: 99999

PASS_WARN_AGE: 7

 

Creating user test4 after modifying /etc/login.defs

[root@centos74 ~]# vi /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_MIN_LEN    5

Maximum use period changed to 90 days

Minimum use period 7 days

Minimum password length 5

 

test4:$6$QVwi5qjn$2g4IuWJOdmgOkXxwZFFGFdxroOFhtcKa0v.7.5NmHFl0PCXbK5km3yb1.MIHR9/m4GxXqOcLvkqbk8qEg5tDG/:17500:7:90:7:::

PASS_MIN_DAYS: 7

PASS_MAX_DAYS: 90

PASS_WARN_AGE: 7

The minimum password length is enforced only when the user changes their own password, e.g. when the test3 user sets their own password.

It is not enforced when root changes the password.

When the login.defs policy is applied, affected cron jobs stop running.

Test notes on this are written separately below.

 

pam_tally2

pam_tally2 is a login counter module.

With pam_tally2 you can set password minimum length, lowercase/uppercase letters, digits and special characters, and an account lockout policy for ssh login failures.

Details: http://www.linux-pam.org/Linux-PAM-html/sag-pam_tally2.html

Since some of the settings formerly made in pam_tally changed when pam_tally2 replaced it and moved to authconfig, authconfig will get a separate post.

This post covers only pam_tally2 onerr=fail, deny and unlock_time.

 

Checking that pam is installed

[root@centos74 ~]# rpm -aq |grep -i pam
pam-1.1.8-18.el7.x86_64

 

Editing /etc/pam.d/system-auth (console login and su switching)

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=1200
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

 

Editing the password-auth file (remote login and X-window login)

[root@centos74 ~]# vi /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=1200
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

After setting the deny= count, unlock_time can also be set as a time.

The pam_cracklib settings of CentOS 5 and 6 appear to have been replaced by authconfig.

 

Checking ssh login failures: once more than 3 failures have been recorded, the test4 user can no longer log in.

[root@centos74 ~]# pam_tally2
Login           Failures Latest failure     From
test4               1    12/01/17 00:07:11  192.168.186.1
[root@centos74 ~]# pam_tally2
Login           Failures Latest failure     From
test4               2    12/01/17 00:07:15  192.168.186.1
[root@centos74 ~]# pam_tally2
Login           Failures Latest failure     From
test4               3    12/01/17 00:07:19  192.168.186.1
[root@centos74 ~]# pam_tally2
Login           Failures Latest failure     From
test4               4    12/01/17 00:07:26  192.168.186.1
[root@centos74 ~]#

 

Unlocking the test4 user

[root@centos74 ~]# pam_tally2 -r -u test4
Login           Failures Latest failure     From
test4               5    12/01/17 00:07:31  192.168.186.1
[root@centos74 ~]# pam_tally2
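The pam_tally2 behaviour configured above (deny=5, unlock_time=1200, manual reset with pam_tally2 -r -u), as an added simplified Python model that is not the module's code; it assumes the documented semantics that the tally is bumped before the limit is checked, that root is exempt unless even_deny_root is given, and that the account phase clears the tally after a successful login.

```python
class PamTally2Model:
    """Simplified model of the pam_tally2 options used on this page:
    auth required pam_tally2.so deny=5 unlock_time=1200, plus the account-phase
    line that clears the tally after a successful login."""

    def __init__(self, deny=5, unlock_time=1200, even_deny_root=False):
        self.deny = deny                      # lock once failures EXCEED this
        self.unlock_time = unlock_time        # seconds; 0 = only pam_tally2 -r unlocks
        self.even_deny_root = even_deny_root  # root is exempt unless this is set
        self.tally = {}                       # user -> [failures, time of last attempt]

    def failures(self, user):
        return self.tally.get(user, [0, 0])[0]

    def attempt(self, user, password_ok, now):
        """One login attempt at time `now` (seconds). Returns 'ok', 'denied'
        for a wrong password, or 'locked' when the account is tallied out."""
        entry = self.tally.setdefault(user, [0, 0])
        last_attempt = entry[1]
        # The auth phase bumps the counter BEFORE checking the limit, so the
        # attempt right after the deny-th failure is refused even when the
        # password is correct ("Account locked due to N failed logins").
        entry[0] += 1
        entry[1] = now
        exempt = user == "root" and not self.even_deny_root
        if entry[0] > self.deny and not exempt:
            if self.unlock_time and now - last_attempt >= self.unlock_time:
                entry[0] = 1              # lock has lapsed: count afresh
            else:
                return "locked"
        if password_ok:
            del self.tally[user]          # account phase resets the tally
            return "ok"
        return "denied"

    def reset(self, user):
        """pam_tally2 -r -u USER: clear the counter and return the old value."""
        return self.tally.pop(user, [0, 0])[0]


if __name__ == "__main__":
    model = PamTally2Model()
    for t in range(5):                    # five wrong passwords: tally 1..5
        model.attempt("test4", False, now=t)
    print("correct password right away ->", model.attempt("test4", True, now=10))
    print("same, 20 minutes later      ->", model.attempt("test4", True, now=10 + 1200))
```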

 

Error message when a normal user changes the password

[test4@centos74 ~]$ passwd
Changing password for user test4.
Changing password for test4.
(current) UNIX password:
You must wait longer to change your password
passwd: Authentication token manipulation error

The PASS_MIN_DAYS field in /etc/shadow must be changed before the password can be changed normally.

root is not bound by the password policy, but a normal user is caught by it and cannot change the password.
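The /etc/shadow ageing fields and the login.defs behaviour discussed above (existing accounts keep their old values, and PASS_MIN_DAYS blocks an early password change), as an added Python example that is not from the original post; the shadow lines are constructed with the placeholder hash $6$HASH and follow the nine fields of shadow(5).

```python
# Constructed sample in the layout of the /etc/shadow listing above; the real
# hashes are replaced by the placeholder $6$HASH. As on the page, the test user
# kept the old login.defs values and test4 was created after the change.
SAMPLE_SHADOW = """\
root:$6$HASH:17497:0:99999:7:::
bin:*:17110:0:99999:7:::
test:$6$HASH:17500:0:99999:7:::
test3:!!:17500:0:99999:7:::
test4:$6$HASH:17500:7:90:7:::
"""

# The /etc/login.defs values set on this page.
LOGIN_DEFS = {"PASS_MAX_DAYS": 90, "PASS_MIN_DAYS": 7, "PASS_WARN_AGE": 7}

# The nine fields of shadow(5), in order; fields 3-8 are day counts.
FIELDS = ("login", "password", "lastchg", "min", "max", "warn",
          "inactive", "expire", "reserved")


def parse_shadow(text):
    """One dict per non-empty line; day-count fields become int or None."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        entry = dict(zip(FIELDS, parts))
        for key in FIELDS[2:8]:
            entry[key] = int(entry[key]) if entry[key] else None
        entries.append(entry)
    return entries


def policy_violations(entries, defs=LOGIN_DEFS):
    """Accounts with a usable password whose ageing fields are looser than
    login.defs, i.e. the accounts created before the policy was changed.
    '*' and '!'-prefixed hash fields are locked or never set, so skipped."""
    bad = {}
    for e in entries:
        pw = e["password"]
        if not pw or pw.startswith(("!", "*")):
            continue
        problems = []
        if e["max"] is None or e["max"] > defs["PASS_MAX_DAYS"]:
            problems.append("max")
        if e["min"] is None or e["min"] < defs["PASS_MIN_DAYS"]:
            problems.append("min")
        if problems:
            bad[e["login"]] = problems
    return bad


def days_until_change_allowed(entry, today_days):
    """Days the user must still wait before passwd accepts a new password (the
    PASS_MIN_DAYS check behind 'You must wait longer to change your password').
    today_days counts days since 1970-01-01, like field 3; root is exempt."""
    if entry["login"] == "root":
        return 0
    return max(0, entry["lastchg"] + (entry["min"] or 0) - today_days)


if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    for login, problems in policy_violations(entries).items():
        print(f"{login}: looser than login.defs on {', '.join(problems)}")
    test4 = entries[-1]   # changed on day 17500, min 7: blocked until day 17507
    print("test4 must wait", days_until_change_allowed(test4, 17503), "more day(s)")
```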

 

Testing password remember in the /etc/pam.d/password-auth file

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=1200
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2

 

Test after adding remember=2

[test4@centos74 ~]$ passwd
Changing password for user test4.
Changing password for test4.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[test4@centos74 ~]$

ssh login with the changed password
Setting the previously used password again

[test4@centos74 ~]$ passwd
Changing password for user test4.
Changing password for test4.
(current) UNIX password:
New password:
Retype new password:
Password has been already used. Choose another.
passwd: Authentication token manipulation error
[test4@centos74 ~]$

The password cannot be set.

 

Test after removing (commenting out) the lines

[root@centos74 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
#auth       required      pam_tally2.so deny=5 unlock_time=1200
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
#account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@centos74 ~]#

Changing the password

[test4@centos74 ~]$ passwd
Changing password for user test4.
Changing password for test4.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[test4@centos74 ~]$

The password can now be changed normally.

Other options are described at http://www.linux-pam.org/Linux-PAM-html/sag-pam_tally2.html

 

sshd_config configuration

[root@centos74 ~]# cat /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22          / By default, port 22 is used.
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m         /   time after which the server disconnects a user who has not logged in / the default is 0, meaning no limit
PermitRootLogin yes        /   whether root login is allowed / the default is yes, so the root user can log in
#StrictModes yes           /   sshd checks file modes and the user's home directory before allowing login
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes               / whether .rhosts files are used; the default is yes, meaning rhosts values are not used

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes                        / whether sshd uses PAM modules; the default is yes. If set to no, the PAM configuration is ignored.

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes                 / whether X11 forwarding is enabled / the default value is yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes                 / the server sends periodic messages to check whether the client connection has dropped
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0            / alive interval setting
#ClientAliveCountMax 3            / ClientAliveInterval * ClientAliveCountMax = session keep-alive time (usually TMOUT is set in .bash_profile in seconds, e.g. TMOUT=600 (10 minutes))
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none                         / the default is none; it can be set e.g. as Banner /etc/issue.net, then configure the banner text in the issue.net file

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
[root@centos74 ~]#

PermitRootLogin no / disallow root user login

It is recommended to change Port 22 to a non-standard port, e.g. 4320.

Additional sshd_config settings are described at https://linux.die.net/man/5/sshd_config
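As an added example (not from the original post), a small Python audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored, Match blocks excluded) and checks the two points recommended above, PermitRootLogin no and a non-default Port; the config excerpt is constructed from the listing above with one extra PermitRootLogin line appended to show the first-occurrence rule.

```python
import re

# Constructed excerpt of /etc/ssh/sshd_config in the state listed above. A
# second PermitRootLogin line has been appended before the Match block to show
# the first-occurrence rule; the Match block applies only to user anoncvs.
SAMPLE_SSHD_CONFIG = """\
#Port 22
#ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTHPRIV
PermitRootLogin yes
#MaxAuthTries 6
PasswordAuthentication yes
UsePAM yes
X11Forwarding yes
PermitRootLogin no
#Banner none
Match User anoncvs
        X11Forwarding no
        PermitRootLogin no
"""

# Keywords annotated in the post; unset ones fall back to sshd's built-in default.
WATCHED = ("Port", "PermitRootLogin", "PasswordAuthentication", "UsePAM",
           "X11Forwarding", "Banner")


def effective_global_settings(text):
    """{keyword_lower: value} for the global section. sshd keeps the FIRST
    occurrence of a keyword and ignores later ones; '#' lines are comments, and
    everything from the first Match line onward is conditional, so it is skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(text):
    """Check the two hardening points the post makes: PermitRootLogin no and a
    port other than the default 22. Returns (effective values, findings)."""
    s = effective_global_settings(text)
    values = {k: s.get(k.lower(), "unset") for k in WATCHED}
    findings = []
    if s.get("permitrootlogin") != "no":
        findings.append(f"PermitRootLogin is {values['PermitRootLogin']}; set it to no")
    if s.get("port", "22") == "22":
        findings.append("Port is 22 (the default); move sshd to a non-standard port")
    return values, findings


if __name__ == "__main__":
    values, findings = audit(SAMPLE_SSHD_CONFIG)
    for keyword in WATCHED:
        print(f"{keyword:24} {values[keyword]}")
    for finding in findings:
        print("FINDING:", finding)
```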