2018.06.06 / 10:49
Linux - Building a personal web firewall (using iptables and j2ssh)
InsideJava
Recommendations: 209
# Purpose and use
- When access from outside needs to be controlled after a server has been set up.
- From anywhere with internet access, use a web browser to allow or revoke access for the IP address you are connecting from.
# Possible extensions
- Managing which ports are open on a personal server, or on a small group of servers in the same network range inside a company.
# Outline of the work
- Every port other than HTTP's default port 80 is blocked by the iptables default policy.
- The iptables policy allows packets for DNS responses, localhost and other internal network traffic.
- Create a regular account for SSH access and grant it only the permission to run iptables.
- The web container logs in with the SSH user's account and requests that a specific port be opened or closed.
- iptables registers the client's public (dynamic or static) IP and opens or blocks the requested port.
- The login account, client IP and other details are stored in the DBMS.
- All access rules added to iptables during the day are reset to the initial policy around 24:00 (00:00) every day via crontab.
- WAS, DBMS and the other services are configured to start automatically so the server can still be reached and managed from outside after a reboot.
- It is recommended that the WAS (Tomcat) be dedicated to the web firewall and run independently where possible.
# Build environment
- Linux : 2.6(kernel)
- iptables : 1.4.7
- OpenSSH : 5.3
- Apache : 2.2.22
- Tomcat : 7.0.33
- Mysql : 5.5.28
- Java : 1.6
- Web development language : JAVA & JSP
# Prerequisites
- Initial iptables firewall policy
- A regular account for SSH access
- A web service with Apache and Tomcat linked, or another web container that can run Java & JSP (port 80 open)
# Steps
1) Initial iptables policy script
[root@sunshiny script]# cat iptables_init.sh
#!/bin/sh
######################################################
### Iptables Init ###
######################################################
# Flush all existing rules.
iptables -F
# Set the default policy for each chain.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Accept traffic from localhost.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept DNS responses.
iptables -A INPUT -i eth0 -p tcp --source-port 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --source-port 53 -j ACCEPT
# icmp
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
# Allow connections to HTTP port 80
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Outbound connections from this host : http
iptables -A INPUT -i eth+ -p tcp -m tcp --sport 80 -j ACCEPT
# SMTP mail delivery
iptables -A INPUT -i eth+ -p tcp --sport 25 -j ACCEPT
# Internal network connections
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
# Save Log
#iptables -A INPUT -j LOG -m comment --comment "LOGGING /etc/var/messages"
#iptables -A OUTPUT -j LOG -m comment --comment "LOGGING /etc/var/messages"
########## Manager IP ###########
# Allow the internal network range
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# Listing after the policy has been applied
[root@sunshiny ~]# iptables -L -n --line
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
5 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80
----------- End of the initial default INPUT policy; client requests start at line num 8 ------------------------
8 ACCEPT tcp -- 123.17.13.12 0.0.0.0/0 tcp dpt:3690
9 ACCEPT tcp -- 123.17.13.12 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 192.168.0.0/24 192.168.0.0/24
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 192.168.0.0/24 192.168.0.0/24
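An added shell example, not from the original post, that reads a listing like the one above, isolates the per-client grants from num 8 onward, and emits the commands that revoke only those rules (highest number first, so the remaining numbers stay valid) instead of re-running the whole init script. BASE_RULES (7 here), the function names and the sample listing are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit the per-client grants in an
# "iptables -L -n --line" listing and build the commands that revoke only them,
# leaving the base policy in place instead of re-running the whole init script.
# BASE_RULES is an assumption: the number of INPUT rules the init script
# installs (7 on this page, so client grants start at num 8).
BASE_RULES="${BASE_RULES:-7}"

# Constructed sample in the shape of the post's listing (not a real capture).
SAMPLE='Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80
8 ACCEPT tcp -- 123.17.13.12 0.0.0.0/0 tcp dpt:3690
9 ACCEPT tcp -- 123.17.13.12 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 192.168.0.0/24 192.168.0.0/24'

# Read a listing on stdin; print "num source dport" for each INPUT rule
# numbered above the base set. Rules in the other chains are ignored.
granted_rules() {
    awk -v base="$BASE_RULES" '
        /^Chain / { chain = $2; next }
        chain == "INPUT" && $1 ~ /^[0-9]+$/ && $1 + 0 > base + 0 {
            port = "any"
            for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) port = substr($i, 5)
            print $1, $5, port
        }'
}

# Emit the delete commands highest number first, so that removing one rule
# does not renumber the ones still to be deleted.
revoke_commands() {
    granted_rules | sort -rn | awk '{ print "iptables -D INPUT " $1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | revoke_commands
```

On a live host the input would come from `iptables -L INPUT -n --line` and the emitted commands would be run through the same sudo entry the post grants to sshuser.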
2) Scheduling the initial iptables policy
[root@sunshiny etc]# cat /etc/crontab
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
# Every Day IPTables FireWall Open ReSet
01 00 * * * root /root/script/iptables_init.sh
3) Resetting the iptables policy and auto-starting the DBMS and WAS after a server reboot
- Skip this if each service is already registered in /etc/init.d/ and starts automatically at boot.
[root@sunshiny rc.d]# cat /etc/rc.d/rc.local
# Start Up Mysql Server
#su - mysql -c "/home/mysql/support-files/mysql.server start"
# Start Up FireWall Tomcat Was Server
su - tomcat -c "/home/sshuser/apache-tomcat-7.0.33/bin/startup.sh"
# Start Up Apache Web Server
/home/apache/bin/apachectl start
# Server FireWall Set
/root/script/iptables_init.sh
4) Create the SSH account and grant it permission to run iptables
[root@sunshiny etc]# vi /etc/sudoers
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
# (1) Lift the restriction that sudo may only be run from a tty (terminal session)
#Defaults requiretty
#
......
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
# sshuser Add Policy iptables
sshuser ALL=/sbin/iptables, /etc/init.d/iptables
# sshuser No Check Passwd, (2) remove the password prompt for the remote-access user
Defaults:sshuser !authenticate
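The allow/revoke step from the outline (the web container logging in as sshuser and running iptables for the client's public IP and requested port), as an added shell example that is not code from the original project. The IPTABLES variable, the function names and the input checks are my own assumptions; by default the functions only echo the command so they can be tried without root, and with the sudoers entry above IPTABLES would be set to "sudo /sbin/iptables". The checks matter because these values come from a web form and are passed to a command that sudo runs as root.

```shell
#!/bin/sh
# Added example, not part of the original project: the two iptables operations
# the web firewall issues over SSH as sshuser, with the checks that should run
# before user-supplied values reach "sudo /sbin/iptables".
# IPTABLES is an assumed variable: it defaults to echoing the command so the
# functions can be tried without root; set IPTABLES="sudo /sbin/iptables" in use.
IPTABLES="${IPTABLES:-echo iptables}"

# Accept only a dotted-quad IPv4 address whose octets are all in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept only a numeric TCP port in 1-65535.
valid_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Open <port> for <ip>. Appending keeps the grant after the base policy,
# which is why client rules start at num 8 in the listing.
allow_port() {
    valid_ipv4 "$1" && valid_port "$2" || return 2
    $IPTABLES -A INPUT -s "$1" -p tcp --dport "$2" -j ACCEPT
}

# Revoke the same grant; -D matches the rule by its specification.
revoke_port() {
    valid_ipv4 "$1" && valid_port "$2" || return 2
    $IPTABLES -D INPUT -s "$1" -p tcp --dport "$2" -j ACCEPT
}
```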
5) DBMS (MySQL) database and table creation script
- See WorkMemo/DBMS_SET.sql in the project source
6) For setting up the web service (WAS) environment, refer to other materials.
7) Screenshots
# Project source
WebFirewall.zip (395)