LINUX security settings summary - apache security settings
LINUX security settings summary
This is a rough summary of the Linux security settings that are commonly used.
If the host is exposed to an external network, be sure to change the sshd port and restrict root user login.
Just setting PermitRootLogin no and changing the port number in sshd_config already reduces dictionary attacks (binary attack)
against the root account or other accounts.
A host set up as root/root on a public IP can be hacked within a day.
iptables will be covered later together with CentOS firewalld.
Test OS environment: CentOS 7.4
- TCP wrapper
- login.defs
- pam_tally2
- sshd_config changes
TCP Wrapper
For hosts.allow / hosts.deny, the usual pattern is to set ALL:ALL in hosts.deny and then open each service individually in hosts.allow.
ex) Test scenario: ssh from the centos7-test system to centos74
centos74, centos7-test
Verifying the connection
[root@centos74 ~]# tail -f /var/log/secure
Nov 30 22:30:21 centos74 sshd[2233]: Accepted password for root from 192.168.186.130 port 48408 ssh2
Nov 30 22:30:21 centos74 sshd[2233]: pam_unix(sshd:session): session opened for user root by (uid=0)
The connection succeeds as expected.
Because the host was opened through the public network during the test, a large number of ssh login attempts as root can be seen.
The first octet (A class) of the attacking IP has been masked as x. PermitRootLogin no and a port change are needed in sshd_config.
Nov 30 22:30:38 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:38 centos74 sshd[2235]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 30 22:30:40 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:40 centos74 sshd[2235]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 30 22:30:42 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:43 centos74 sshd[2235]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 30 22:30:45 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:45 centos74 sshd[2235]: error: maximum authentication attempts exceeded for root from x.38.145.226 port 52215 ssh2 [preauth]
Nov 30 22:30:45 centos74 sshd[2235]: Disconnecting: Too many authentication failures [preauth]
Nov 30 22:30:45 centos74 sshd[2235]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.38.145.226 user=root
Nov 30 22:30:45 centos74 sshd[2235]: PAM service(sshd) ignoring max retries; 6 > 3
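As an added example (not part of the original post), a small Python parser that turns /var/log/secure lines like those above into per-source counts, so repeated root failures and MaxAuthTries disconnects stand out; the sample lines are constructed from the excerpt above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the /var/log/secure excerpt above
# (masked attacker x.38.145.226 and the lab client 192.168.186.130).
SAMPLE_LOG = """\
Nov 30 22:30:21 centos74 sshd[2233]: Accepted password for root from 192.168.186.130 port 48408 ssh2
Nov 30 22:30:38 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:40 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:42 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:45 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:45 centos74 sshd[2235]: error: maximum authentication attempts exceeded for root from x.38.145.226 port 52215 ssh2 [preauth]
Nov 30 22:30:45 centos74 sshd[2235]: Disconnecting: Too many authentication failures [preauth]
Nov 30 22:42:45 centos74 sshd[2537]: refused connect from 192.168.186.130 (192.168.186.130)
"""

# One pattern per sshd message type a defender wants to count.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
MAXTRIES = re.compile(r"maximum authentication attempts exceeded for (\S+) from (\S+)")
REFUSED = re.compile(r"sshd\[\d+\]: refused connect from (\S+)")   # TCP Wrapper denial

def summarize(log_text):
    """Return {source_ip: Counter} with failed / failed_root / accepted / maxtries / wrapper_refused."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            stats[m.group(2)]["failed"] += 1
            if m.group(1) == "root":
                stats[m.group(2)]["failed_root"] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            stats[m.group(3)]["accepted"] += 1
            continue
        m = MAXTRIES.search(line)
        if m:
            stats[m.group(2)]["maxtries"] += 1
            continue
        m = REFUSED.search(line)
        if m:
            stats[m.group(1)]["wrapper_refused"] += 1
    return stats

def suspicious_sources(log_text, threshold=3):
    """Sources with at least `threshold` password failures or a MaxAuthTries disconnect."""
    stats = summarize(log_text)
    return sorted(src for src, c in stats.items()
                  if c["failed"] >= threshold or c["maxtries"] > 0)

if __name__ == "__main__":
    for src, c in sorted(summarize(SAMPLE_LOG).items()):
        print(src, dict(c))
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```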
TCP Wrapper configuration
[root@centos74 ~]# vi /etc/hosts.deny
ALL:ALL
Checking /var/log/secure
[root@centos74 ~]# tail -f /var/log/secure
Nov 30 22:42:45 centos74 sshd[2537]: refused connect from 192.168.186.130 (192.168.186.130)
Checking from centos7-test (ssh client)
[root@centos7-test ~]# ssh centos74
ssh_exchange_identification: read: Connection reset by peer
[root@centos7-test ~]#
The connection is refused, as expected.
Adding the 192.168.186 range for sshd
When adding a range you must end it with the octet dot, e.g. 192.168.0.
To allow only a specific IP, write the full address, e.g. 192.168.0.10.
[root@centos74 ~]# vi /etc/hosts.allow
sshd:192.168.186.
[root@centos74 ~]# tail -f /var/log/secure
Nov 30 22:45:59 centos74 sshd[2579]: Accepted password for root from 192.168.186.130 port 48416 ssh2
Nov 30 22:45:59 centos74 sshd[2579]: pam_unix(sshd:session): session opened for user root by (uid=0)
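To make the trailing-dot rule above concrete, here is an added Python model (not part of the original post and not the tcp_wrappers code itself) of how hosts.allow / hosts.deny client patterns are matched and in which order the two files are consulted; the rule sets are constructed from the post's configuration.

```python
import ipaddress

def match_host(pattern, client_ip):
    """Match one client pattern from hosts.allow/hosts.deny against an IPv4 client address.
    Handles ALL, an exact address, an 'a.b.c.' prefix (trailing dot) and net/mask or net/bits."""
    pattern = pattern.strip()
    ip = ipaddress.IPv4Address(client_ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # 192.168.186.  -> leading-octet prefix
        return str(ip).startswith(pattern)
    try:
        if "/" in pattern:                    # 192.168.186.0/255.255.255.0 or 192.168.186.0/24
            return ip in ipaddress.IPv4Network(pattern, strict=False)
        return ip == ipaddress.IPv4Address(pattern)
    except ValueError:
        # Not an address (e.g. "192.168.186" without the dot): tcpd would try it as a
        # hostname pattern, which never matches a client identified only by its IP here.
        return False

def match_clients(client_list, client_ip):
    return any(match_host(p, client_ip) for p in client_list.split(","))

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines, dropping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")], clients.strip()))
    return rules

def decide(service, client_ip, allow_text, deny_text):
    """tcp_wrappers order: first match in hosts.allow grants, otherwise first match in
    hosts.deny refuses, otherwise access is granted. Only daemons linked against libwrap
    (see the ldd check later in the post) consult these files at all."""
    for daemons, clients in parse_rules(allow_text):
        if ("ALL" in daemons or service in daemons) and match_clients(clients, client_ip):
            return "allow"
    for daemons, clients in parse_rules(deny_text):
        if ("ALL" in daemons or service in daemons) and match_clients(clients, client_ip):
            return "deny"
    return "allow"

# Constructed rule sets reproducing the post's configuration.
DENY_ALL = "ALL:ALL\n"
ALLOW_WITH_DOT = "sshd:192.168.186.\n"   # trailing dot: the whole 192.168.186.x range
ALLOW_NO_DOT = "sshd:192.168.186\n"      # missing dot: matches nothing useful

if __name__ == "__main__":
    for allow in (ALLOW_WITH_DOT, ALLOW_NO_DOT):
        print(repr(allow.strip()), "->", decide("sshd", "192.168.186.130", allow, DENY_ALL))
```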
Without any separate setting, a connection from the VM host still reaches the web site normally.
For apache, allow and deny rules are configured with mod_access instead.
The ldd command shows whether a binary uses the libwrap library.
Checking httpd
[root@centos74 ~]# which httpd
/usr/sbin/httpd
[root@centos74 ~]# ldd /usr/sbin/httpd |grep libwrap
[root@centos74 ~]#
Checking sshd
[root@centos74 ~]# ldd /usr/sbin/sshd
linux-vdso.so.1 => (0x00007ffe8f1e9000)
libfipscheck.so.1 => /lib64/libfipscheck.so.1 (0x00007ff0e08ee000)
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007ff0e06e3000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007ff0e04ba000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007ff0e02ab000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007ff0e0084000)
libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007ff0e005b000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007ff0dfbfa000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007ff0df9f6000)
libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007ff0df7a1000)
liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007ff0df592000)
libutil.so.1 => /lib64/libutil.so.1 (0x00007ff0df38f000)
libz.so.1 => /lib64/libz.so.1 (0x00007ff0df178000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007ff0def41000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007ff0ded27000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007ff0dead9000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007ff0de7f1000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007ff0de5be000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007ff0de3b9000)
libc.so.6 => /lib64/libc.so.6 (0x00007ff0ddff6000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00007ff0ddddd000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007ff0ddbd6000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007ff0dd974000)
/lib64/ld-linux-x86-64.so.2 (0x000055f3da440000)
libcap.so.2 => /lib64/libcap.so.2 (0x00007ff0dd76f000)
libm.so.6 => /lib64/libm.so.6 (0x00007ff0dd46c000)
librt.so.1 => /lib64/librt.so.1 (0x00007ff0dd264000)
liblzma.so.5 => /lib64/liblzma.so.5 (0x00007ff0dd03e000)
libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x00007ff0dcdbc000)
libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007ff0dcbb7000)
libdw.so.1 => /lib64/libdw.so.1 (0x00007ff0dc970000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007ff0dc759000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007ff0dc53d000)
libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007ff0dc320000)
libssl3.so => /lib64/libssl3.so (0x00007ff0dc0d3000)
libsmime3.so => /lib64/libsmime3.so (0x00007ff0dbeac000)
libnss3.so => /lib64/libnss3.so (0x00007ff0dbb82000)
libnssutil3.so => /lib64/libnssutil3.so (0x00007ff0db954000)
libplds4.so => /lib64/libplds4.so (0x00007ff0db750000)
libplc4.so => /lib64/libplc4.so (0x00007ff0db54b000)
libnspr4.so => /lib64/libnspr4.so (0x00007ff0db30c000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007ff0db109000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007ff0daefa000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007ff0dacf6000)
libattr.so.1 => /lib64/libattr.so.1 (0x00007ff0daaf0000)
libelf.so.1 => /lib64/libelf.so.1 (0x00007ff0da8d8000)
libbz2.so.1 => /lib64/libbz2.so.1 (0x00007ff0da6c7000)
[root@centos74 ~]#
Details can be found on the site below.
It is well organized, so only the link is added here.
TCP Wrapper is generally understood to be able to configure access denial for services that run under xinetd.
TCP Wrapper https://www.joinc.co.kr/w/man/12/tcpwrapper
On BSD it looks like apache access could be controlled through TCP Wrapper by running it from inetd.
It is fairly old material; I would like to test it, but since I do not expect to use it, only the link is left here.
FreeBSD inetd-based apache http://freebsdhowtos.com/113.html
login.defs
Password policy can be configured in /etc/login.defs.
PASS_MAX_DAYS 9999 Maximum number of days a password may be used
PASS_MIN_DAYS 0 Minimum number of days between password changes
PASS_MIN_LEN 0 Minimum password length
PASS_WARN_AGE 7 Days of warning before the password expires
Editing login.defs does not affect existing users; the values apply only to users created after the change.
/etc/shadow file explained
[root@centos74 ~]# cat /etc/shadow
1:2:3:4:5:6:7:8:9
root:$6$ZayMBeKp$aTokocQJQg77pDbkUGqYuBC21ESGCkKafchr2OMMWzplyQnid4ECxNPkNFIXd8K0vkDiVJvQv0nJDpq4Hb3qh/:17497:0:99999:7:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
adm:*:17110:0:99999:7:::
lp:*:17110:0:99999:7:::
test:$6$S9l9DJ9Q$SswkqlquRVyZOUZVETnrn1HJCjW3FQS9AvWSFe.ZUtSvfOJPnjgkc7XxHq4kdKqoe0StGEmJrqeZoZPYpw6Ig/:17500:0:99999:7:::
test1:$6$/wcpiL/o$vd.Gsw/aehbJ6WTgWSjohq0A9W3ks/5PA12SLA7MlVqdLxl0iJv8MkdmfThsb2s.Ux4mo1.QyleHgrfsNNmxt0:17500:0:99999:7:::
test2:$6$SWU0NjnK$8LA3TVRXCnveva/kETFn4vhaRL6tQooaGoaH9wT/mdD0CW6oVPA7f8z/vjGJL.p37HRjxkYRRmhpEgjQScMAr1:17500:0:99999:7:::
test3:!!:17500:0:99999:7:::
[root@centos74 ~]#
Çʵ弳¸í
1. Login Name : »ç¿ëÀÚ °èÁ¤
2. Encrypted : Æнº¿öµå¸¦ ¾ÏÈ£È ½ÃŲ°ª
3. Last Changed: 1970³â 1¿ù 1ÀÏ ºÎÅÍ Æнº¿öµå°¡ ¼öÁ¤µÈ ³¯Â¥ÀÇ Àϼö¸¦ °è»ê
4. Minimum: Æнº¿öµå º¯°æµÇ±â Àü ÃÖ¼Ò »ç¿ë±â°£(ÀÏ)
5. Maximum: Æнº¿öµå º¯°æ Àü ÃÖ´ë»ç¿ë ±â°£(ÀÏ)
6. Inactive: ·Î±×ÀÎ Á¢¼ÓÂ÷´Ü ±â°£(ÀÏ)
7. Expire: ·Î±×ÀÎ »ç¿ëÀ» ±ÝÁöÇÑ ±â°£(ÀÏ) (¿ù/ÀÏ/¿¬µµ)
8. Reserved: »ç¿ëµÇÁö ¾ÊÀ½
test À¯ÀúÀÇ °æ¿ì default ·Î /etc/login.defs ¿¡¼ ¼³Á¤ÇÑ °ªÀ¸·Î ¼³Á¤ÀÌ µÇ¾î ÀÖ½À´Ï´Ù.
test:$6$S9l9DJ9Q$SswkqlquRVyZOUZVETnrn1HJCjW3FQS9AvWSFe.ZUtSvfOJPnjgkc7XxHq4kdKqoe0StGEmJrqeZoZPYpw6Ig/:17500:0:99999:7:::
PASS_MIN_DAYS: 0
PASS_MAX_DAYS: 99999
PASS_WARN_AGE: 7
Creating user test4 after editing /etc/login.defs
[root@centos74 ~]# vi /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_MIN_LEN 5
Maximum usage period changed to 90 days
Minimum usage period 7 days
Minimum password length 5
test4:$6$QVwi5qjn$2g4IuWJOdmgOkXxwZFFGFdxroOFhtcKa0v.7.5NmHFl0PCXbK5km3yb1.MIHR9/m4GxXqOcLvkqbk8qEg5tDG/:17500:7:90:7:::
PASS_MIN_DAYS: 7
PASS_MAX_DAYS: 90
PASS_WARN_AGE: 7
The minimum password length is enforced only when a user changes their own password, e.g. when test3 sets their own password.
It is not enforced when root changes the password.
Note that with these login.defs settings in place, cron jobs of the affected account stop running.
The test notes for this are written separately at the bottom.
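As an added example (not part of the original post), the Python below parses /etc/shadow records into all nine fields and turns the day counts into the dates that the login.defs values control; the sample records are constructed to mirror the post's test and test4 users with a placeholder in the hash field.

```python
from datetime import date, timedelta

# Constructed /etc/shadow lines mirroring the post: test created with the login.defs
# defaults, test4 after PASS_MAX_DAYS 90 / PASS_MIN_DAYS 7, test3 without a password yet.
# The hash field is a placeholder, not a real hash.
SHADOW_SAMPLE = """\
test:$6$PLACEHOLDER$HASH:17500:0:99999:7:::
test4:$6$PLACEHOLDER$HASH:17500:7:90:7:::
test3:!!:17500:0:99999:7:::
"""

# The nine colon-separated fields of shadow(5), in file order.
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")

def parse_shadow_line(line):
    """Split one shadow record into a dict; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 fields, got %d" % len(parts))
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:
        rec[key] = int(rec[key]) if rec[key] else None
    return rec

def aging(rec, today):
    """Turn the day counts (days since 1970-01-01) into calendar dates and yes/no answers."""
    last = date(1970, 1, 1) + timedelta(days=rec["lastchg"])
    can_change = last + timedelta(days=rec["min"] or 0)      # PASS_MIN_DAYS
    info = {"last_changed": last.isoformat(),
            # '!!' or '*' in the hash field: no password login possible for this account
            "locked": rec["hash"].startswith(("!", "*")),
            "can_change_from": can_change.isoformat(),
            "change_allowed_today": today >= can_change,
            "expires_on": None, "warn_from": None, "expired": False}
    # 99999 is the login.defs default and effectively means "never expires"
    if rec["max"] is not None and rec["max"] < 99999:
        expires = last + timedelta(days=rec["max"])          # PASS_MAX_DAYS
        info["expires_on"] = expires.isoformat()
        info["warn_from"] = (expires - timedelta(days=rec["warn"] or 0)).isoformat()
        info["expired"] = today > expires
    return info

def report(shadow_text, today_iso):
    """Aging report keyed by login name; today_iso is an ISO date such as '2017-12-01'."""
    today = date.fromisoformat(today_iso)
    records = (parse_shadow_line(l) for l in shadow_text.splitlines() if l.strip())
    return {rec["name"]: aging(rec, today) for rec in records}

if __name__ == "__main__":
    for name, info in report(SHADOW_SAMPLE, "2017-12-01").items():
        print(name, info)
```

With the post's dates, test4 may not change its password again until 2017-12-07, which is exactly the "You must wait longer" error shown in the pam_tally2 section.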
pam_tally2
pam_tally2 is a login counter module.
With pam_tally2 you can set the minimum password length, lowercase/uppercase letters, digits and special characters, as well as the account lockout policy on ssh login failure.
Details: http://www.linux-pam.org/Linux-PAM-html/sag-pam_tally2.html
Some of the settings that used to be configured in pam_tally changed with pam_tally2 and are now done through authconfig, so authconfig will be covered in a separate post.
This post covers only the pam_tally2 options onerr=fail, deny and unlock_time.
Checking that pam is installed
[root@centos74 ~]# rpm -aq |grep -i pam
pam-1.1.8-18.el7.x86_64
Editing /etc/pam.d/system-auth (applies to console login and su switching)
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=1200
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
Editing the password-auth file (applies to remote login and X-window login)
[root@centos74 ~]# vi /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=1200
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
After setting the deny= count, unlock_time can also be set so that the lock is released again after that time.
The pam_cracklib settings of CentOS 5 and 6 appear to have been replaced by authconfig.
Checking ssh login failures: once more than 3 failures have been counted, the test4 user can no longer log in.
[root@centos74 ~]# pam_tally2
Login           Failures Latest failure     From
test4               1    12/01/17 00:07:11  192.168.186.1
[root@centos74 ~]# pam_tally2
Login           Failures Latest failure     From
test4               2    12/01/17 00:07:15  192.168.186.1
[root@centos74 ~]# pam_tally2
Login           Failures Latest failure     From
test4               3    12/01/17 00:07:19  192.168.186.1
[root@centos74 ~]# pam_tally2
Login           Failures Latest failure     From
test4               4    12/01/17 00:07:26  192.168.186.1
[root@centos74 ~]#
test4 User unlock
[root@centos74 ~]# pam_tally2 -r -u test4
Login           Failures Latest failure     From
test4               5    12/01/17 00:07:31  192.168.186.1
[root@centos74 ~]# pam_tally2
Error message when a regular user changes their password
[test4@centos74 ~]$ passwd
Changing password for user test4.
Changing password for test4.
(current) UNIX password:
You must wait longer to change your password
passwd: Authentication token manipulation error
The PASS_MIN_DAYS field of the user in /etc/shadow must be changed before the password can be changed normally.
The root user is not subject to the password policy, but a regular user is caught by it and cannot change the password.
Password remember test in the /etc/pam.d/password-auth file
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=1200
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2
Test after adding remember=2
[test4@centos74 ~]$ passwd
Changing password for user test4.
Changing password for test4.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[test4@centos74 ~]$
Log in via ssh with the changed password, then try to set the previously used password again:
[test4@centos74 ~]$ passwd
Changing password for user test4.
Changing password for test4.
(current) UNIX password:
New password:
Retype new password:
Password has been already used. Choose another.
passwd: Authentication token manipulation error
[test4@centos74 ~]$
The old password is rejected, as expected.
Test after removing that line (commented out)
[root@centos74 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
#auth       required      pam_tally2.so deny=5 unlock_time=1200
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
#account    required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@centos74 ~]#
Changing the password
[test4@centos74 ~]$ passwd
Changing password for user test4.
Changing password for test4.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[test4@centos74 ~]$
The password can now be changed normally.
Other options are described at http://www.linux-pam.org/Linux-PAM-html/sag-pam_tally2.html
sshd_config settings
[root@centos74 ~]# cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22 / With the default setting sshd uses port 22.
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m / Time after which the server drops the connection if the user has not logged in / The default is 0, meaning no limit.
PermitRootLogin yes / Whether root login is allowed / The default is yes, so the root user can log in.
#StrictModes yes / sshd checks file modes and the user's home directory before allowing login
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes / Whether .rhosts files are used; the default is yes, meaning rhosts values are not used.

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes / Whether sshd uses PAM modules; the default is yes. If set to no, the PAM configuration is ignored.

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes / Whether X11 forwarding is used / The default value is yes.
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes / The server sends messages at intervals to check whether the client connection has dropped
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0 / AliveInterval setting
#ClientAliveCountMax 3 / ClientAliveInterval * ClientAliveCountMax = the session keep-alive time (usually TMOUT= in .bash_profile is set in seconds instead, e.g. TMOUT=600 (10 minutes))
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none / The default is none; it can be set e.g. as Banner /etc/issue.net, and the banner text is then written into the issue.net file.

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
[root@centos74 ~]#
PermitRootLogin no / Block root user login
It is recommended to change Port 22 to a non-standard port, e.g. 4320.
Additional sshd_config settings are described at https://linux.die.net/man/5/sshd_config
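As an added example (not part of the original post), a Python audit of a sshd_config text against the two recommendations above, plus the optional Banner. It applies the parsing rules the stock file's header describes: commented keywords only document defaults, uncommented keywords override them, sshd keeps the first value of a keyword, and Match blocks are conditional; the config excerpts and the default table are constructed here.

```python
import re

# Constructed excerpt modelled on the post's CentOS 7.4 sshd_config.
SSHD_CONFIG_SAMPLE = """\
#Port 22
#LoginGraceTime 2m
PermitRootLogin yes
#MaxAuthTries 6
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
#Banner none
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User anoncvs
    X11Forwarding no
"""

# Same file after the post's two recommendations plus a login banner (constructed).
SSHD_CONFIG_FIXED = """\
Port 4320
PermitRootLogin no
Banner /etc/issue.net
PasswordAuthentication yes
"""

# Values assumed when a keyword is absent or only present as a comment
# (upstream OpenSSH 7.x defaults; the CentOS file sets PermitRootLogin yes explicitly).
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "x11forwarding": "no", "banner": "none"}

def effective_settings(text):
    """Global keyword -> value as sshd sees it: keywords are case-insensitive, comment
    lines are ignored, the first occurrence of a keyword wins, and parsing stops at the
    first Match block because everything below it is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Port 22" or "Port=22"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    merged = dict(DEFAULTS)
    merged.update(settings)
    return merged

def audit(text):
    """Findings against the post's recommendations; an empty list means nothing to fix."""
    s = effective_settings(text)
    findings = []
    if s["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is '%s': set it to no" % s["permitrootlogin"])
    if s["port"] == "22":
        findings.append("Port is 22: move sshd to a non-standard port such as 4320 "
                        "(and register it with semanage port on SELinux hosts)")
    if s["banner"].lower() == "none":
        findings.append("Banner is none: a banner can be set with Banner /etc/issue.net")
    return findings

if __name__ == "__main__":
    for name, cfg in (("original", SSHD_CONFIG_SAMPLE), ("fixed", SSHD_CONFIG_FIXED)):
        print(name, audit(cfg) or ["no findings"])
```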