
±Û¾´ÀÌ: °³´ª½º °³´ª½º º¸¾È¼³Á¤ Á¶È¸¼ö: 12816


1. 현재 서버 보안상태 및 자원상태 확인

# Baseline inventory before anything is changed: what runs, what listens, how
# loaded the box is, and which kernel it boots. Lines written "a / b" list
# alternative tools rather than one literal command line.
pstree # tree of the running processes

lsof / ps # per-process detail (open files / process table)

netstat -anlp | more # listening ports and their owning processes; input for the iptables policy in section 5

vmstat / top / iostat / sar # resource usage, to judge the current load before hardening

df -Th # partition usage and filesystem types (used for the fstab work in section 7)

uname -a # running kernel version; an old kernel is updated first and the reboot is agreed with the customer
커널 버전이 낮을 시 커널 업데이트 후 고객과 상담하여 리부팅하여 반영할 것
2. 시간 정보 동기화

crontab 에 새벽 6시에 시간 동기화를 실행하도록 설정
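# One-off sync now: take the time from time.bora.net (rdate, TCP/37), show it,
# then write it to the hardware clock. rdate carries no authentication, so the
# source must be one the operator trusts on the network path.
rdate -s time.bora.net && date && clock -r && clock -w

# Install the daily job idempotently. The original appended with '>>' on every
# run, which duplicates the shebang in time.sh and the entry in /etc/crontab.
cat > /root/time.sh <<'EOF'
#!/bin/sh
rdate -s time.bora.net && date && clock -r && clock -w;
EOF
chmod 700 /root/time.sh

# Add the crontab line (06:00 daily, as root) only when it is not already there.
if ! grep -q -F -- '/root/time.sh' /etc/crontab; then
  printf '%s\n' '# time sync' '00 6 * * * root /root/time.sh' >> /etc/crontab
fi

/etc/rc.d/init.d/crond restart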
3. Ãʱ⠽ÇÇà µ¥¸ó ¼±Åà (¾Æ·¡ µ¥¸óµéÀº ¿¹Á¦À̹ǷΠÇÊ¿ä¾ø´Âµ¥¸ó¿©ºÎ´Â °í°´°ú »ó´ãÇÏ¿© ÁøÇà)

crond, imap,imaps,ipop3, pop3s, irqbalance, network, sendmail, saslauthd, sshd, syslog, vsftpd, xinetd,

( httpd, mysqld, named 는 서비스 이용 여부에 따라 선택적 )

4. 서버에 불필요한 패키지들 제거

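#######################################
# Erase the named packages, skipping any that rpm does not report as
# installed, so an absent package does not stop the run. All installed
# names go into one rpm transaction so packages that depend on each other
# (yp-tools/ypbind, gpm-devel/gpm) can be removed together.
# Arguments: rpm -e options (leading '-') followed by package names
# Returns:   rpm's status, or 0 when nothing was installed
#######################################
erase_if_installed() {
  local arg
  local opts=() present=()
  for arg in "$@"; do
    case "$arg" in
      -*) opts+=("$arg") ;;
      *) rpm -q "$arg" >/dev/null 2>&1 && present+=("$arg") ;;
    esac
  done
  if (( ${#present[@]} > 0 )); then
    # ${opts[@]+...} keeps an empty option list from tripping 'set -u'
    rpm -e ${opts[@]+"${opts[@]}"} "${present[@]}"
  fi
}

# raidtools: comment this line out when the box uses software RAID.
erase_if_installed raidtools
# --nodeps (as in the original) leaves dependants with unmet requirements;
# check with 'rpm -Va' afterwards.
erase_if_installed --nodeps eject
erase_if_installed kernel-pcmcia-cs
rm -f /etc/sysconfig/pcmcia.rpmsave
erase_if_installed setserial statserial
# cleartext remote-access services: rsh, rlogin, telnet
erase_if_installed rsh rlogin telnet-server
erase_if_installed redhat-config-mouse gpm-devel gpm
erase_if_installed nfs-utils
erase_if_installed yp-tools ypbind
erase_if_installed isdn4k-utils fam-devel anacron irda-utils minicom
erase_if_installed --nodeps ppp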
5. iptables 설정

iptables 정책 확인

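# Inspect the policy that is already loaded. If a working ruleset is in place,
# skip the rc.firewall installation below (the original note says the same).
iptables -L -n
cat /etc/sysconfig/iptables

# The distribution's iptables service is disabled and replaced by a script run
# from rc.local. rc.local is the last step of the boot sequence, so the host is
# briefly unfiltered after the network and the daemons come up; keep that window
# in mind, or start the script from an earlier init stage.
chkconfig --level 345 iptables off

# Fetch the firewall scripts. Plain FTP gives neither confidentiality nor
# integrity, and these files run as root at every boot: compare them against a
# digest obtained out of band before enabling them. The glob is quoted so wget,
# not the local shell, expands it.
cd /etc/rc.d/ || exit 1
wget 'ftp://ftp.kksstt.com/scripts/rc.firewall*'
# sha1sum -c <<<"<EXPECTED_DIGEST>  rc.firewall"   # TODO: known-good digest from the script's author
chmod 700 /etc/rc.d/rc.firewall*

# Add the rc.local hook once; the original unconditional '>>' duplicated it on re-runs.
grep -q -F -x -- '/etc/rc.d/rc.firewall' /etc/rc.d/rc.local ||
  printf '%s\n' '/etc/rc.d/rc.firewall' >> /etc/rc.d/rc.local

# Apply the policy now (the original line began with a stray ';', a syntax error).
/etc/rc.d/rc.firewall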
이외에 netstat -anp 로 확인하여 포트를 열 것

# Toggle the rc.firewall policy by hand and confirm the resulting ruleset.
# The stop script itself is not shown on this page; if it flushes the tables
# without restoring a DROP policy the host is open while it is stopped — check
# its effect with 'iptables -L -n' before relying on it during maintenance.
#
# Review note on the expected listing below: the two 'multiport sports' ACCEPT
# rules accept any inbound TCP/UDP whose *source* port is 20,21,22,25,53,80,
# 110,143 (or 20,53), and they sit above the final SYN DROP. A remote client
# chooses its own source port, so those rules bypass the dports whitelist.
# Return traffic for outbound connections is already covered by the
# RELATED,ESTABLISHED rule, so the sports rules can be removed.
/etc/rc.d/rc.firewall.stop # stop the iptables policy

/etc/rc.d/rc.firewall # start the iptables policy

iptables -L -n # afterwards the listing should match the policy shown below
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT all -- 고객아이피 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 고객아이피 multiport dports 20,21,22,25,53,80,110,143
ACCEPT udp -- 0.0.0.0/0 고객아이피 multiport dports 20,53
ACCEPT tcp -- 0.0.0.0/0 고객아이피 multiport sports 20,21,22,25,53,80,110,143
ACCEPT udp -- 0.0.0.0/0 고객아이피 multiport sports 20,53
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 고객아이피 고객아이피
DROP tcp -- 0.0.0.0/0 고객아이피 tcp spt:2603 flags:0x16/0x02
DROP tcp -- 0.0.0.0/0 고객아이피 tcp spts:6666:6667 flags:0x16/0x02
DROP udp -- 0.0.0.0/0 고객아이피 multiport dports 135
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 0 level 4 prefix `INVALID DROP'
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP tcp -- 0.0.0.0/0 고객아이피 tcp flags:0x16/0x02
6. 계정 삭제

불필요한 계정 및 그룹을 삭제한다
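# Remove the accounts and groups this server profile does not use. Each
# deletion is guarded so an already-absent name does not abort the run, and
# the names are kept in one list so the set is easy to review.
#
# Before running: 'ftp' is the account vsftpd uses for anonymous logins
# (turned off in this guide's vsftpd.conf), 'lp' belongs to the printing
# subsystem, and 'rpc'/'rpcuser'/'nfsnobody' to portmap/NFS (nfs-utils is
# erased in section 4). Files that belonged to a deleted account keep its
# numeric uid; list them afterwards with 'find / -nouser -o -nogroup'.
for user in adm news gopher lp sync shutdown halt operator games ftp rpc rpcuser nfsnobody nscd; do
  if id "$user" >/dev/null 2>&1; then
    userdel "$user"
  fi
done

for grp in adm news games dip; do
  if getent group "$grp" >/dev/null; then
    groupdel "$grp"
  fi
done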
7. 파일시스템 옵션 설정 (디바이스명(/dev/shm, /tmp 등)을 잘 확인하여 굵은 글씨 부분 추가)

/etc/fstab
none /dev/shm tmpfs defaults,noexec,nosuid 0 0
LABEL=/home /home ext3 defaults,noatime,nodev 1 2
LABEL=/tmp /tmp ext3 defaults,noatime,nodev,noexec,nosuid 1 2
LABEL=/usr /usr ext3 defaults,noatime,nodev 1 2
LABEL=/usr/local /usr/local ext3 defaults,noatime,nodev 1 2
리마운트하여 적용

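# Re-mount each filesystem so the new fstab options take effect. mount(8) takes
# one mount point per invocation; the original passed six targets to a single
# call, which is rejected or applied to only one of them depending on the
# mount version. A failed remount is reported rather than silently skipped.
# Caveat: noexec/nosuid on /tmp and /dev/shm can break installers and package
# scriptlets that execute from /tmp — re-test package installs afterwards.
for mp in / /usr /usr/local /tmp /home /dev/shm; do
  mount -o remount,rw "$mp" || printf 'remount failed for %s\n' "$mp" >&2
done

# verify the options now in effect
mount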
## 설명 ##

# /dev/shm 은 공유메모리 디바이스로, POSIX 기반의 공유메모리를 사용하는 소스에서 사용함

# noatime 은 access time 을 기록하지 않아, 자주 사용하는 파티션의 파일일 경우 아주 약간의 성능 향상이 있다.

# nodev 는 해당 파티션에서 문자/블록 디바이스 파일을 허용하지 않음

# noexec 는 해당 파티션에서 실행파일의 실행이 허용되지 않음

# nosuid 는 해당 파티션에서 suid / sgid 등의 setuid 설정을 허용하지 않는다
8. 퍼미션 조정

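#######################################
# Permission tightening (section 8). The modes are kept as a table and applied
# by set_mode(), which skips paths that do not exist on this host so an absent
# package (apache under /usr/local, vsftpd, named) does not abort the run.
#
# Review notes on the original list (values kept unless stated):
#  - 'chmod 600 /proc' was dropped: procfs does not accept mode changes.
#  - /etc/rc.d appeared twice (700, then 750); the final value 750 is kept.
#  - /usr/bin/sudo was set to 111, which strips the setuid bit sudo requires
#    (it refuses to run without it); 4111 keeps the bit.
#  - 755 on /usr/bin/at and /usr/bin/crontab, 700 on chage/chfn/chsh/gpasswd/
#    newgrp and 500/700 on ping/mount/umount also drop setuid: non-root users
#    lose those tools. Use 4755 for at/crontab if user cron jobs are wanted.
#  - 650 on /etc/my.cnf is readable by mysqld only if the file's group is the
#    one mysqld runs under; with group root the daemon cannot read it.
#  - 600 on /etc/mtab stops unprivileged 'df'/'mount' listings on this era's
#    coreutils, and 700 on /etc/ssh hides the system-wide client config from
#    non-root ssh users — TODO(review): confirm both are acceptable.
#  - 755 on /var/tmp and /dev/shm removes the world-writable sticky mode
#    (1777) user programs expect there — TODO(review): confirm intended.
#  - 751/701 on /, /bin, /etc, /usr, /var ... lets users traverse but not list
#    these directories; that is the intended opacity, at the cost of tools
#    that enumerate them.
#######################################

#######################################
# Apply one mode to one path.
# Arguments: $1 - octal mode, $2 - path
# Returns:   0 when the path is absent, otherwise chmod's status
#######################################
set_mode() {
  local mode=$1 path=$2
  [[ -e "$path" ]] || return 0
  chmod "$mode" -- "$path"
}

# Table: mode and path, one pair per line; '#' lines are comments.
while read -r mode path; do
  [[ -z "$mode" || "$mode" == \#* ]] && continue
  set_mode "$mode" "$path"
done <<'EOF'
# directories
751 /
701 /bin
700 /boot
701 /dev
755 /dev/shm
751 /etc
751 /home
751 /lib/modules
700 /mnt
700 /root
751 /sbin
751 /usr
751 /usr/local
700 /usr/local/apache/conf
701 /usr/local/apache/htdocs
700 /usr/local/apache/logs
751 /usr/local/bin
751 /usr/local/sbin
700 /usr/local/src
701 /usr/sbin
700 /usr/src
751 /var
751 /var/log
751 /var/named
751 /var/run
755 /var/tmp
# configuration files and directories under /etc
640 /etc/crontab
750 /etc/default
600 /etc/exports
600 /etc/fstab
600 /etc/hosts.allow
600 /etc/hosts.deny
600 /etc/inittab
600 /etc/login.defs
750 /etc/logrotate.d
600 /etc/mtab
650 /etc/my.cnf
750 /etc/rc.d
600 /etc/redhat-release
750 /etc/rpm
600 /etc/rpc
600 /etc/securetty
751 /etc/security
700 /etc/skel
700 /etc/ssh
700 /etc/sysconfig
700 /etc/xinetd.d
700 /etc/vsftpd
# system binaries: restrict to root (modes without a leading 4 drop setuid)
700 /bin/mount
500 /bin/ping
700 /bin/umount
550 /bin/ps
550 /bin/netstat
550 /bin/dmesg
550 /bin/df
700 /bin/rpm
700 /sbin/netreport
755 /usr/bin/at
700 /usr/bin/chage
700 /usr/bin/chfn
700 /usr/bin/chsh
755 /usr/bin/crontab
550 /usr/bin/find
700 /usr/bin/gpasswd
700 /usr/bin/newgrp
750 /usr/bin/pstree
4111 /usr/bin/sudo
500 /usr/bin/wall
700 /usr/bin/write
700 /usr/sbin/ping6
700 /usr/sbin/traceroute
700 /usr/sbin/traceroute6
700 /usr/sbin/usernetctl
# information-gathering tools: root and group only
550 /usr/bin/who
550 /usr/bin/finger
550 /usr/bin/last
550 /usr/bin/top
550 /usr/bin/w
550 /usr/bin/uptime
550 /usr/sbin/useradd
550 /usr/sbin/userdel
700 /usr/sbin/groupdel
700 /usr/sbin/usermod
# legacy remote-access clients and downloaders
750 /usr/bin/telnet
750 /usr/bin/rlogin
750 /usr/bin/rcp
750 /usr/bin/rsh
700 /usr/bin/wget
700 /usr/bin/lynx
700 /usr/bin/curl
700 /usr/bin/ncftpget
EOF

# /etc/cron.* is a glob in the original; expand it here.
for p in /etc/cron.*; do
  set_mode 750 "$p"
done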
9. ftp 보안 설정 (복사 후 붙여넣기)


### 스마일서브 vsftpd 설정 v1.0 ###

# Review notes on this profile:
#  - No ssl_enable: logins and data travel in cleartext. Where the customer's
#    client supports it, FTP over TLS (ssl_enable=YES with a certificate) or
#    SFTP through the sshd Subsystem of section 10 protects the credentials.
#  - chroot_local_user=YES together with write_enable=YES makes the chroot
#    root (the user's home) writable; vsftpd 2.3.5 and later refuse to start
#    that way unless allow_writeable_chroot=YES is set — relevant if vsftpd
#    is ever upgraded on this host.

anonymous_enable=NO
# no anonymous FTP logins

local_enable=YES
# local system accounts may log in

write_enable=YES
# uploads/deletes allowed (subject to the umask below)

data_connection_timeout=180
# drop a data connection that has been idle for 3 minutes

local_umask=022
# new directories 755, new files 644

xferlog_enable=YES
# log every transfer

connect_from_port_20=YES
# active-mode data connections originate from port 20

xferlog_std_format=YES
# standard (wu-ftpd style) transfer-log format

chroot_local_user=YES
# confine each user to their own home directory

use_localtime=YES
# directory listings show the server's local time

pam_service_name=vsftpd
# PAM service name (/etc/pam.d/vsftpd)

userlist_enable=YES
# Refuse the users listed in userlist_file before a password is sent (the
# default userlist_deny=YES applies; the default file is /etc/vsftpd.user_list
# when userlist_file is not set). The original comment pointed to
# /etc/vsftpd.ftpusers, which is the PAM deny list instead —
# NOTE(review): confirm which file the customer maintains.

listen=YES
# standalone daemon (not via xinetd)

max_clients=30
# at most 30 simultaneous sessions

max_per_ip=5
# at most 5 sessions from one client address

tcp_wrappers=YES
# honour /etc/hosts.allow and /etc/hosts.deny
# Restart vsftpd so it loads the configuration above.
/etc/init.d/vsftpd restart

10. ssh 설정 수정

(redhat 9 이하와 Centos / Fedora 가 구분되어 있으니 주의)

(그대로 복사하여 붙여넣은 후 AllowUsers 아이디에는 고객 아이디를 반드시 기입한다)


### 스마일서브 sshd 설정 v1.0 Centos/Fedora 설정 ###

Port 22

Protocol 2
# Protocol 1 is disabled. KeyRegenerationInterval, ServerKeyBits and
# RSAAuthentication below are protocol-1 settings and have no effect here.

ListenAddress 0.0.0.0

AllowUsers °í°´¾ÆÀ̵ð
# Only the listed login may connect over ssh. The value is a placeholder
# ("customer ID") and must be replaced with the customer's login name;
# left as-is, every ssh login is refused.

HostKey /etc/ssh/ssh_host_rsa_key
# protocol-2 RSA host key

HostKey /etc/ssh/ssh_host_dsa_key
# protocol-2 DSA host key

KeyRegenerationInterval 30m
# Protocol-1 ephemeral server-key regeneration interval — not an idle-logout
# timer as the original comment described. Inert with Protocol 2.

ServerKeyBits 1024
# protocol-1 server key size; inert with Protocol 2

LoginGraceTime 30
# the connection is dropped if authentication has not completed within 30 seconds

SyslogFacility AUTHPRIV
# syslog facility for sshd messages

LogLevel INFO
# log every login, logout and authentication result

PermitRootLogin no
# root may not log in directly; use the customer account and su (section 11)

RSAAuthentication yes
# Protocol-1 public-key authentication. Protocol-2 key authentication is
# governed by PubkeyAuthentication, which defaults to yes.

IgnoreRhosts yes
# ignore ~/.rhosts and ~/.shosts

IgnoreUserKnownHosts yes
# do not trust ~/.ssh/known_hosts for RhostsRSA/host-based authentication

HostbasedAuthentication no
# no host-based authentication via /etc/ssh/ssh_known_hosts

PermitEmptyPasswords no
# accounts with an empty password cannot log in

PasswordAuthentication yes
# Password logins stay enabled; with AllowUsers and the firewall this is the
# remaining brute-force surface. Key-based login with this set to no is the
# stronger option once the customer has a key pair.

ChallengeResponseAuthentication no
# keyboard-interactive / challenge-response authentication disabled

GSSAPIAuthentication yes
# Kerberos (GSSAPI) authentication. Only useful when the host is joined to a
# Kerberos realm; otherwise it is an unused authentication path that can slow
# logins — NOTE(review): set to no if no realm is configured.

GSSAPICleanupCredentials yes
# destroy the user's Kerberos credential cache on logout (the original comment
# described this as a PAM setting, which it is not)

UsePAM yes
# authenticate and open sessions through PAM (/etc/pam.d/sshd)

X11Forwarding yes
# X11 forwarding is enabled. A server with no X clients does not need it, and
# "no" removes a channel into the user's display — set to no unless required.

UsePrivilegeSeparation yes
# network handling runs in an unprivileged, chrooted child process, so a bug
# there does not yield root directly

Subsystem sftp /usr/libexec/openssh/sftp-server
# enable the sftp subsystem (file transfer over ssh, an alternative to FTP)
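# Validate the edited configuration before restarting: a syntax error would
# otherwise leave sshd stopped on a remote host. Keep the current session open
# and confirm a fresh login as the AllowUsers account before disconnecting.
/usr/sbin/sshd -t && /etc/init.d/sshd restart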

### 스마일서브 sshd 설정 v1.0 Redhat9 이하 설정 ###

Port 22

Protocol 2
# Protocol 1 is disabled. KeyRegenerationInterval, ServerKeyBits and
# RSAAuthentication below are protocol-1 settings and have no effect here.

ListenAddress 0.0.0.0

AllowUsers °í°´¾ÆÀ̵ð
# Only the listed login may connect over ssh. The value is a placeholder
# ("customer ID") and must be replaced with the customer's login name;
# left as-is, every ssh login is refused.

HostKey /etc/ssh/ssh_host_rsa_key
# protocol-2 RSA host key

HostKey /etc/ssh/ssh_host_dsa_key
# protocol-2 DSA host key

KeyRegenerationInterval 30m
# Protocol-1 ephemeral server-key regeneration interval — not an idle-logout
# timer as the original comment described. Inert with Protocol 2.

ServerKeyBits 1024
# protocol-1 server key size; inert with Protocol 2

LoginGraceTime 30
# the connection is dropped if authentication has not completed within 30 seconds

SyslogFacility AUTHPRIV
# syslog facility for sshd messages

LogLevel INFO
# log every login, logout and authentication result

PermitRootLogin no
# root may not log in directly; use the customer account and su (section 11)

RSAAuthentication yes
# Protocol-1 public-key authentication. Protocol-2 key authentication is
# governed by PubkeyAuthentication, which defaults to yes.

IgnoreRhosts yes
# ignore ~/.rhosts and ~/.shosts

IgnoreUserKnownHosts yes
# do not trust ~/.ssh/known_hosts for RhostsRSA/host-based authentication

HostbasedAuthentication no
# no host-based authentication via /etc/ssh/ssh_known_hosts

PermitEmptyPasswords no
# accounts with an empty password cannot log in

PasswordAuthentication yes
# Password logins stay enabled; with AllowUsers and the firewall this is the
# remaining brute-force surface. Key-based login with this set to no is the
# stronger option once the customer has a key pair.

ChallengeResponseAuthentication no
# keyboard-interactive / challenge-response authentication disabled

# The three directives below are intentionally commented out for the
# Red Hat 9 build: GSSAPI (Kerberos) authentication is left at its default and
# sshd does not go through PAM, so password checks use the system password
# database directly.
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#UsePAM yes

X11Forwarding yes
# X11 forwarding is enabled. A server with no X clients does not need it, and
# "no" removes a channel into the user's display — set to no unless required.

UsePrivilegeSeparation yes
# network handling runs in an unprivileged, chrooted child process, so a bug
# there does not yield root directly

Subsystem sftp /usr/libexec/openssh/sftp-server
# enable the sftp subsystem (file transfer over ssh, an alternative to FTP)
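# Validate the edited configuration before restarting: a syntax error would
# otherwise leave sshd stopped on a remote host. Keep the current session open
# and confirm a fresh login as the AllowUsers account before disconnecting.
/usr/sbin/sshd -t && /etc/init.d/sshd restart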
11. su 사용자 제한

(sshd_config 파일의 AllowUsers 에 명시된 아이디를 반드시 기재할 것)

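# Restrict su to the wheel group: only the customer account (the same login
# named in sshd_config's AllowUsers) may become root.
# The manual '/etc/group' edit of the original (wheel:x:10:root -> append the
# customer account) is replaced by usermod so the step is non-interactive and
# repeatable. Set the login name before running.
: "${CUSTOMER_USER:?set CUSTOMER_USER to the customer login name}"
usermod -a -G wheel "$CUSTOMER_USER"

# su stays setuid-root but is executable by root and group wheel only (4750).
chgrp wheel /bin/su
chmod 4750 /bin/su

# Expected: -rwsr-x--- root wheel. On a PAM system the same restriction can
# also be enforced with pam_wheel in /etc/pam.d/su, which survives a package
# update that reinstalls /bin/su with its default mode.
ls -al /bin/su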

-rwsr-x--- 1 root wheel 60772 8월 13 19:26 /bin/su
결과: root 로 바로 접속되지 않고 설정한 고객계정으로 접속 후 root 권한을 얻어야 하며, 고객계정 외에는 su 로 root 권한 획득이 불가능해야 한다.

위 작업 후 반드시 고객계정으로 로그인 및 su 확인

12. 커널 매개변수 설정




vi /etc/sysctl.conf # paste the settings below into this file; they are loaded at boot and applied now by 'sysctl -p' (or by the network restart at the end of this section)
# ICMP redirects: neither accept them (accept_redirects) nor send them
# (send_redirects). Accepting redirects lets a host on the local segment alter
# this machine's routing; a non-router has no reason to emit them.
# The 'all' and 'default' keys cover every interface; the eth0/lo lines add
# nothing for other interface names, so a host whose NIC is not eth0 relies
# on 'all'.
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# Do not answer ARP on behalf of other hosts (proxy ARP).
net.ipv4.conf.eth0.proxy_arp=0
net.ipv4.conf.lo.proxy_arp=0
net.ipv4.conf.default.proxy_arp=0
net.ipv4.conf.all.proxy_arp=0

# Do not accept ICMP redirects even when they come from a configured default
# gateway; with accept_redirects=0 this closes the redirect-based route
# spoofing path entirely.
net.ipv4.conf.eth0.secure_redirects=0
net.ipv4.conf.lo.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.secure_redirects=0

# Reject source-routed packets. Source routing lets the sender dictate the
# path a packet takes, including the return path, which an attacker can use to
# appear as a trusted host or client; nothing on this server needs it.
net.ipv4.conf.eth0.accept_source_route=0
net.ipv4.conf.lo.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_source_route=0

# Ignore ICMP echo requests sent to a broadcast address (Smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts=1

# Do not log malformed ICMP error responses from broken routers. (The original
# comment described this as dropping bad packets; it only suppresses the
# kernel's warning messages.)
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Reverse-path filtering: drop packets whose source address would not be
# routed back out through the interface they arrived on, so this host cannot
# be used as a reflector for spoofed sources. Value 2 ("loose": reachable via
# any interface) exists from kernel 2.6.31; older kernels treat any non-zero
# value as strict (1). NOTE(review): on the RHEL-era kernels this guide targets
# the effective mode is therefore strict — confirm against the running kernel.
net.ipv4.conf.eth0.rp_filter=2
net.ipv4.conf.lo.rp_filter=2
net.ipv4.conf.default.rp_filter=2
net.ipv4.conf.all.rp_filter=2

# Do not relay BOOTP/DHCP requests.
net.ipv4.conf.eth0.bootp_relay=0
net.ipv4.conf.lo.bootp_relay=0
net.ipv4.conf.default.bootp_relay=0
net.ipv4.conf.all.bootp_relay=0

# Log "martian" packets — impossible source addresses, including the spoofed
# and source-routed traffic rejected above — so the rejections leave a trace.
net.ipv4.conf.eth0.log_martians=1
net.ipv4.conf.lo.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.log_martians=1

# Maximum multicast groups one socket may join (kernel default 20; the
# original comment read it as a per-1/100-second rate, which it is not).
# A value of 1 breaks any application that joins more than one group —
# TODO(review): confirm nothing on the host uses multicast before keeping this.
net.ipv4.igmp_max_memberships=1

# Default IPv4 TTL; 64 is the kernel default. Larger values are rarely needed
# and can interact badly with traceroute-style diagnostics.
net.ipv4.ip_default_ttl=64

# This host is not a router: no packet forwarding.
net.ipv4.ip_forward=0

# Seconds a partially reassembled set of fragments is kept (kernel default 30).
net.ipv4.ipfrag_time=15

# Size of the half-open (SYN_RECV) queue. When it fills, further connection
# attempts are refused — or served by SYN cookies, enabled next.
net.ipv4.tcp_max_syn_backlog = 1024

# SYN cookies: once the backlog above is full, answer SYNs with a stateless
# cookie so legitimate clients still connect during a SYN flood. The kernel
# logs a line like "possible SYN flooding on port 80. Sending cookies." in
# /var/log/messages when this triggers.
net.ipv4.tcp_syncookies = 1

# Retransmissions of an outgoing (active-open) SYN before giving up; the
# kernel default is 5 (about 180 s). Must not exceed 255.
net.ipv4.tcp_syn_retries = 3

# Retransmissions of the SYN-ACK for a passive open; same default (5, about
# 180 s) and the same upper bound of 255. Fewer retries shorten the time
# spoofed SYNs hold a queue slot.
net.ipv4.tcp_synack_retries = 3

# Retransmissions before the routing layer is asked to re-check the path;
# 3 is both the minimum and the default.
net.ipv4.tcp_retries1=3

# Retransmissions before an established connection is abandoned (default 15).
net.ipv4.tcp_retries2=7

# Seconds a socket stays in FIN-WAIT-2 waiting for the peer's FIN (default 60).
net.ipv4.tcp_fin_timeout=20

# Upper bound on simultaneous TIME_WAIT sockets; beyond it they are destroyed
# with a warning. The limit exists to contain a simple DoS, so it should not
# be lowered arbitrarily; with enough memory raise it at roughly 180000 per
# 64 MB of RAM:
#   64M  -> 180000     512M -> 1440000
#   128M -> 360000     1G   -> 2880000
#   256M -> 720000     2G   -> 5760000
# Left commented out here, so the kernel default applies.
#net.ipv4.tcp_max_tw_buckets = 180000

# Unanswered keepalive probes before a connection is declared dead (default 9).
net.ipv4.tcp_keepalive_probes=2

# Seconds of idle time before the first keepalive probe is sent, for sockets
# that enable SO_KEEPALIVE. The kernel default is 7200; 30 seconds probes every
# idle connection aggressively — NOTE(review): confirm this is meant as
# seconds and not minutes.
net.ipv4.tcp_keepalive_time=30

# Seconds between keepalive probes; after probes * intvl without a reply the
# connection is dropped (default 75, i.e. 11 min 15 s with the default 9
# probes; 2 * 10 = 20 s with the values here).
net.ipv4.tcp_keepalive_intvl = 10

# Retries for a connection the local side has closed but the peer has not
# acknowledged (an orphaned socket). The default documented for these kernels
# is 7, spanning roughly 50 s to 16 min of RTO backoff; a lower value frees
# socket resources sooner on a busy web server.
net.ipv4.tcp_orphan_retries = 2

# Selective ACK: after loss, only the missing segments are retransmitted
# instead of everything after the gap; important on lossy links.
net.ipv4.tcp_sack = 1



한 사용자가 열 수 있는 파일 수 제한 — "too many open files" 오류 예방

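# Raise the per-process open-file limit. 'ulimit -n' only affects the current
# shell and its children; for it to hold for logins and daemons it must also
# be set in /etc/security/limits.conf (applied by pam_limits). The entry is
# added once; '-' sets both the soft and the hard limit.
ulimit -n 32768
if ! grep -q -E '^[^#].*nofile' /etc/security/limits.conf; then
  printf '%s\n' '*  -  nofile  32768' >> /etc/security/limits.conf
fi

# Load the sysctl settings entered above. The network init script on these
# releases also re-reads /etc/sysctl.conf, which is what the original relied
# on; calling sysctl -p directly reports any rejected key by name.
sysctl -p
/etc/rc.d/init.d/network restart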
13. 작업 마무리: 히스토리 파일 비움

# Truncates root's shell history as the last step of the session.
# Caveat: this also discards the only record of what was changed during the
# hardening run. Keeping a copy of the session's commands, or a written change
# log, elsewhere preserves the audit trail an incident reviewer would look for.
cat /dev/null > ~/.bash_history


