
12. Security

The general security policy within a Beowulf cluster is that every node in the cluster trusts every other node. Security inside the cluster can be relaxed because none of the client nodes is connected directly to the outside world and all the nodes are essentially identical. If someone hacks (translator's note: "cracks" is the accurate term) the gateway, the crackers gain no information about the client nodes, so there is no need to worry about security at that level; nobody can reach a node without either sitting at its console or going through the server node. The biggest advantage of relaxing security inside the cluster is flexibility: the cluster becomes easier to use and easier to administer. The server node, on the other hand, has to trust the client nodes but must not trust the outside world. The price of this model is that the server node is the whole perimeter: whoever obtains a shell on it inherits the trust every client node extends to it, which is why the measures below concentrate on the server. There are several ways of relaxing security inside the cluster while still protecting yourself from the outside.

12.1 Server

TCP wrapper

The tcpd daemon, commonly known as TCP wrapper, is the first line of defence and the simplest way of restricting access to your machine, and so of raising the security of the system. It ships as part of the Red Hat distribution and is easy to configure. Three configuration files are involved: /etc/hosts.allow lists the hosts that are allowed to connect; /etc/hosts.deny is consulted only when nothing in /etc/hosts.allow matched, and lists the hosts that are refused; /etc/inetd.conf normally needs no change to set up tcpd, because the Red Hat entries already start each service through /usr/sbin/tcpd. The host_access(5) man page is a good source of information on the syntax of /etc/hosts.allow and /etc/hosts.deny. Two points worth remembering: a service that is not started through tcpd (a daemon that runs on its own, or an inetd.conf entry that names the server program directly) is not covered by these files at all, and when neither file matches a connection, tcpd lets it through.

Allowing access with /etc/hosts.allow

The example below allows connections to every tcpd-wrapped service from IP addresses 10.0.0.x, 10.0.1.x and 10.0.2.x (the trailing dot makes each entry a network prefix), and additionally allows telnet (in.telnetd) from the host myworkstation.usq.edu.au. All other connections are refused by /etc/hosts.deny, provided that the services are listed in /etc/inetd.conf and are started through tcpd. The last rule trusts a host name, so it is only as strong as the DNS that resolves it; the address-based rules do not depend on DNS.


#
# hosts.allow   This file describes the names of the hosts which are 
#               allowed to use the local INET services, as decided 
#               by the '/usr/sbin/tcpd' server
#

# we fully trust ourself and all the other nodes within the cluster

ALL : localhost, 10.0.0., 10.0.1., 10.0.2.
in.telnetd : myworkstation.usq.edu.au

Denying access with /etc/hosts.deny

The /etc/hosts.deny file is consulted for hosts that did not match in /etc/hosts.allow. The best way to use TCP wrapper is to refuse every host that /etc/hosts.allow does not explicitly allow. In my case /etc/hosts.deny refuses access to everything not matched by /etc/hosts.allow, and for every refused connection it sends a detailed e-mail to the administrator.


ALL: ALL: spawn ( \
echo -e "\n\
TCP Wrappers\:  Connection Refused\n\
By\:                    $(uname -n)\n\
Process\:               %d (pid %p)\n\
User\:                  %u\n\
Host\:                  %c\n\
Date\:                  $(date)\n\
" | /bin/mail -s "From tcpd@$(uname -n).  %u@%h -> %d." root)

If a connection is attempted from a host that does not appear in /etc/hosts.allow, /etc/hosts.deny refuses it and I receive an e-mail. Such an e-mail looks like this:


From root       Fri Apr 16 23:33:50     1999
Return-Path: <root>
             by topcat.beowulf.usq.edu.au (8.8.7/8.8.7) id XAA19278
             for root; Fri, 16 Apr 1999 23:33:50 +1000
Date: Fri, 16 Apr 1999 23:33:50 +1000
From: TOPCAT Admin <root@topcat.beowulf.edu.au>
Message-Id: <199904161333.XAA19278@topcat.beowulf.usq.edu.au>
To: root@topcat.beowulf.edu.au
Subject: From tcp@topcat.beowulf.usq.edu.au.   jacek@lamport.comp.usq.edu.au -> in.telnetd.
Status: 0

TCP Wrappers: Connection Refused
By:             topcat.beowulf.usq.edu.au
Process:        in.telnetd (pid 19270)
User:           jacek
Host:           jacek@lamport.comp.usq.edu.au
Date:           Fri 16 Apr 1999 23:33:50 EST 1999
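The allow-then-deny evaluation described above, written out as an added example (not part of the Beowulf HOWTO or of the tcp_wrappers package; the real tool for this job is tcpdmatch(8)). The script below implements only the subset of hosts_access(5) syntax this section uses: ALL, exact daemon names, trailing-dot address prefixes such as 10.0.1., leading-dot domain suffixes, and exact host names or addresses. It copies the two files from the text into a temporary directory (the deny rule without its spawn action, which does not change the decision), and the client addresses 139.86.2.3, 10.1.0.5 and evil.example.net are constructed for the demo. It also shows the caveat that matters most in practice: with an empty hosts.deny, a client that matches nothing is allowed in.

```shell
#!/bin/sh
# Mini tcpdmatch: evaluate hosts.allow then hosts.deny the way tcpd does.
# Added example, not part of tcp_wrappers.  Real tcpd also supports
# net/mask, EXCEPT, @netgroup, PARANOID and shell commands, and resolves
# the client name itself; here the address and host name are passed in.

WORK=$(mktemp -d)
ALLOW="$WORK/hosts.allow"
DENY="$WORK/hosts.deny"

# Constructed copies of the two files from the text.
cat >"$ALLOW" <<'EOF'
# we fully trust ourself and all the other nodes within the cluster
ALL : localhost, 10.0.0., 10.0.1., 10.0.2.
in.telnetd : myworkstation.usq.edu.au
EOF
cat >"$DENY" <<'EOF'
ALL: ALL
EOF

# pattern_matches PATTERN ADDR HOST -> 0 if PATTERN matches the client
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # 10.0.1. matches 10.0.1.x
        .*)  case "$3" in *"$1") return 0 ;; esac ;;   # .usq.edu.au matches the whole domain
        *)   if [ "$1" = "$3" ] || [ "$1" = "$2" ]; then return 0; fi ;;
    esac
    return 1
}

# list_matches "p1, p2" ADDR HOST -> 0 if any pattern in the comma/space list matches
list_matches() {
    _addr=$2; _host=$3
    _ifs=$IFS; IFS=', '; set -- $1; IFS=$_ifs
    for _p in "$@"; do
        pattern_matches "$_p" "$_addr" "$_host" && return 0
    done
    return 1
}

# file_matches FILE DAEMON ADDR HOST -> 0 if a rule "daemons : clients [: cmd]" matches.
# Daemon patterns in this subset are ALL or an exact name, so the same matcher
# serves both fields (the daemon name is passed as both address and host).
file_matches() {
    while IFS= read -r _line; do
        case "$_line" in ''|'#'*) continue ;; esac
        _dlist=${_line%%:*}
        _rest=${_line#*:}
        _clist=${_rest%%:*}
        list_matches "$_dlist" "$2" "$2" && list_matches "$_clist" "$3" "$4" && return 0
    done <"$1"
    return 1
}

# tcpd_match DAEMON ADDR HOST [ALLOWFILE DENYFILE] -> prints allow or deny
tcpd_match() {
    _allow=${4:-$ALLOW}; _deny=${5:-$DENY}
    if file_matches "$_allow" "$1" "$2" "$3"; then
        echo allow
    elif file_matches "$_deny" "$1" "$2" "$3"; then
        echo deny
    else
        echo allow      # tcpd's default when neither file matches: the connection goes through
    fi
}

# Demo over constructed clients (addresses and names are made up).
for _case in "in.rshd 10.0.1.7 node7" \
             "in.telnetd 139.86.2.3 myworkstation.usq.edu.au" \
             "in.rshd 139.86.2.3 myworkstation.usq.edu.au"; do
    set -- $_case
    echo "$1 from $3 ($2): $(tcpd_match "$1" "$2" "$3")"
done
```

Passing /dev/null as the deny file in the last assertion stands in for a forgotten or empty /etc/hosts.deny; the result is "allow", which is exactly why the text insists on the catch-all ALL: ALL deny rule.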

Stopping unused daemons - /etc/inetd.conf

A very simple but effective way of securing the server is to stop the daemons you do not use; as a general rule, anything you do not use should be switched off. Most daemons are started by inetd, and commenting out their entries in /etc/inetd.conf stops them from running. The following fragment of /etc/inetd.conf leaves shell (in.rshd, which the cluster needs for rsh) enabled and has login, exec, comsat, talk and ntalk disabled:


shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
#talk   dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  in.talkd
#ntalk  dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  in.ntalkd

After changing the configuration file, restart the inetd daemon. On Linux the easiest way is to send the daemon a signal that makes it re-read its configuration file:

[root@topcat root]# killall -HUP inetd

On other Unix systems read the manual page before running killall: on some of them (Solaris, for instance) it literally kills every process on the machine!

You can also list every port that is being listened on, and so see which daemons are actually running, with the following command (on current Linux systems ss -lntu gives the same information):

[root@topcat root]# netstat -a | grep "LISTEN" | grep -v "^unix"

Stopping servers started from rc scripts

Servers such as the web server (httpd) and Samba (smbd) are started from rc scripts. Each can usually be stopped by removing the corresponding link in /etc/rc.d/rc3.d. For example, to stop httpd, samba and sendmail (another security hazard) from being started in run levels 3 and 5, do the following (rm -f is silent when nothing matches, so check with ls afterwards that the S* links are really gone):


[root@topcat samba]# rm -f /etc/rc.d/rc3.d/S*httpd
[root@topcat samba]# rm -f /etc/rc.d/rc5.d/S*httpd
[root@topcat samba]# rm -f /etc/rc.d/rc3.d/S*smb
[root@topcat samba]# rm -f /etc/rc.d/rc5.d/S*smb
[root@topcat samba]# rm -f /etc/rc.d/rc3.d/S*sendmail
[root@topcat samba]# rm -f /etc/rc.d/rc5.d/S*sendmail
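The two "switch it off" steps above, inetd.conf entries and rc links, are easy to get subtly wrong: an entry that is uncommented but not started through tcpd is invisible to hosts.allow/hosts.deny, and rm -f on a mistyped rc path does nothing and says nothing. The following added example (not from the Beowulf HOWTO) audits both. It builds a constructed inetd.conf (the listing from the text plus ftp, telnet and a finger entry that deliberately bypasses tcpd) and a constructed rc3.d with dangling S* links in a temporary directory; the init.d paths it links to are assumed and never touched.

```shell
#!/bin/sh
# Audit helpers: which inetd services are enabled (and which bypass tcpd),
# and which rc links still start a server at boot.  Added example, not
# from the Beowulf HOWTO; everything below lives in a temporary directory.

WORK=$(mktemp -d)

# Constructed inetd.conf: the listing from the text plus ftp, telnet and a
# finger entry started directly instead of through /usr/sbin/tcpd.
cat >"$WORK/inetd.conf" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
#talk   dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  in.talkd
#ntalk  dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  in.ntalkd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF

# Constructed rc3.d with the kind of start links it would hold (targets are
# assumed paths; the links may dangle, the demo never follows them).
mkdir "$WORK/rc3.d"
for _l in S05firewall S40inet S80sendmail S85httpd S91smb; do
    ln -s "/etc/rc.d/init.d/${_l#S[0-9][0-9]}" "$WORK/rc3.d/$_l"
done

# inetd_enabled FILE: "service proto server" for every uncommented entry
inetd_enabled() {
    while read -r _svc _type _proto _wait _user _server _args; do
        case "$_svc" in ''|'#'*) continue ;; esac
        echo "$_svc $_proto $_server"
    done <"$1"
}

# inetd_unwrapped FILE: enabled services whose server is not tcpd;
# hosts.allow and hosts.deny never see connections to these
inetd_unwrapped() {
    inetd_enabled "$1" | while read -r _svc _proto _server; do
        case "$_server" in */tcpd) ;; *) echo "$_svc" ;; esac
    done
}

# rc_enabled DIR: names of the services DIR still starts at boot, in start order
rc_enabled() {
    for _link in "$1"/S[0-9][0-9]*; do
        [ -L "$_link" ] || [ -e "$_link" ] || continue
        echo "${_link##*/S[0-9][0-9]}"
    done
}

# rc_disable DIR NAME: the rm -f from the text, but it fails loudly when no
# SNNname link exists, since rm -f on a wrong path is otherwise silent
rc_disable() {
    _found=0
    for _link in "$1"/S[0-9][0-9]"$2"; do
        [ -L "$_link" ] || [ -e "$_link" ] || continue
        rm -f "$_link" && _found=1
    done
    [ "$_found" -eq 1 ] || { echo "rc_disable: no S*$2 link in $1" >&2; return 1; }
}

echo "enabled inetd services:"; inetd_enabled "$WORK/inetd.conf"
echo "NOT protected by tcpd:";   inetd_unwrapped "$WORK/inetd.conf"
echo "started at boot:";         rc_enabled "$WORK/rc3.d" | tr '\n' ' '; echo
```

Run the same three functions against the real /etc/inetd.conf and /etc/rc.d/rc3.d after editing them; an empty result from inetd_unwrapped is the condition under which the hosts.allow/hosts.deny rules actually cover every inetd service.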

ipfwadm

The ipfwadm program blocks packets from particular IP addresses to particular ports; it is the most flexible way of controlling access. For it to do any good the firewall rc script (section 17 (firewall_script)) must be started every time the system boots, which is arranged as follows. (ipfwadm is the packet-filter tool of the 2.0 kernels; 2.2 kernels use ipchains and later kernels iptables or nftables, with the same boot-time arrangement.)

[root@topcat init.d]# cp /home/jacek/firewall /etc/rc.d/init.d
[root@topcat init.d]# chmod u+rx firewall
[root@topcat init.d]# ln -s /etc/rc.d/init.d/firewall /etc/rc.d/rc3.d/S05firewall
[root@topcat init.d]# ln -s /etc/rc.d/init.d/firewall /etc/rc.d/rc5.d/S05firewall

NOTE: you will need to adapt my script to your own environment.

12.2 Client

.rhosts versus hosts.equiv

One thing users want is to log in and run remote commands between nodes without typing passwords. Most Beowulf software and utilities expect rsh to work without a password.

There are two ways of removing passwords inside the cluster: make entries in /etc/hosts.equiv, or put a .rhosts file in each user's home directory.

/etc/hosts.equiv is preferred because it collects what would otherwise be every user's .rhosts on every node into a single file per node. It does not apply to root, however, which is why root still needs its own .rhosts (see below).

The format of .rhosts is simply a list of host names:


# must be read/writable by user only!
node1
node2
node3
node4
node5
node6

The format of /etc/hosts.equiv is:


#node name      optional user name
node1
node2
node3
node4
node5
node6

root rlogin access:

For root to be able to rlogin to any node in the cluster, add a .rhosts file to root's home directory on each node; the file must list every node in the cluster. Important: .rhosts must be readable and writable by its owner only (chmod go-rwx .rhosts); the BSD-derived rlogin and rsh daemons ignore a .rhosts that other users can write. Do not do this on the gateway node.
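As an added example (not from the Beowulf HOWTO), the script below generates the node list in the format shown above and audits a .rhosts file for the two mistakes that matter: permissions that let others read or write it, and the "+" wildcard, which in the host field trusts every machine on the network and in the user field every user on the named host. The node names node1 to node6 are those of the text; the temporary directory and the deliberately bad file are constructed for the demo.

```shell
#!/bin/sh
# Generate the cluster trust file and audit a .rhosts for loose permissions
# and "+" wildcards.  Added example, not from the Beowulf HOWTO; paths and
# the "bad" file are constructed for the demo.

NODES="node1 node2 node3 node4 node5 node6"

# write_trust_file OUTFILE: one trusted host per line.  The file is created
# owner-only (umask 077 -> mode 0600) rather than chmod'ed afterwards, so it
# is never readable by others even for an instant; the chmod covers re-runs.
write_trust_file() {
    ( umask 077 && : >"$1" ) && chmod 600 "$1" || return 1
    for _n in $NODES; do echo "$_n"; done >>"$1"
}

# rhosts_problems FILE: print one finding per line; return 0 only when clean.
rhosts_problems() {
    _f=$1; _rc=0
    _mode=$(stat -c %a "$_f" 2>/dev/null || stat -f %Lp "$_f")   # GNU stat, then BSD stat
    case "$_mode" in
        600|400) ;;
        *) echo "$_f: mode $_mode, must be owner-only (chmod go-rwx $_f)"; _rc=1 ;;
    esac
    while IFS= read -r _line; do
        set -- $_line                  # $1 = host field, $2 = optional user field
        case "${1:-#}" in
            '#'*) continue ;;
            +)    echo "$_f: '+' in the host field trusts every host"; _rc=1 ;;
        esac
        if [ "${2:-}" = + ]; then
            echo "$_f: '+' in the user field trusts every user on $1"; _rc=1
        fi
    done <"$_f"
    return $_rc
}

W=$(mktemp -d)
write_trust_file "$W/.rhosts"
rhosts_problems "$W/.rhosts" && echo "$W/.rhosts: ok"

# Deliberately bad file for the demo: world-readable and wildcarded.
printf '+\nnode1 +\n' >"$W/rhosts.bad"
chmod 644 "$W/rhosts.bad"
rhosts_problems "$W/rhosts.bad" || echo "$W/rhosts.bad: rejected"
```

The same list written by write_trust_file serves as /etc/hosts.equiv on each node; that file is system-wide and may stay world-readable, but it should be checked for the "+" wildcard in exactly the same way.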

In addition, swap the first two lines of /etc/pam.d/rlogin. In the original order pam_securetty is required and runs first; for root arriving on a pseudo-terminal it fails, and a failed required module makes the whole auth stack fail whatever the later sufficient pam_rhosts_auth line says. With the order swapped, a successful .rhosts check returns success before pam_securetty is consulted, so root can rlogin from the trusted nodes; a login whose .rhosts check fails still falls through to pam_securetty and the password check as before:


#original /etc/pam.d/rlogin
auth     required       /lib/security/pam_securetty.so
auth     sufficient     /lib/security/pam_rhosts_auth.so
auth     required       /lib/security/pam_pwdb.so shadow nullok
auth     required       /lib/security/pam_nologin.so
account  required       /lib/security/pam_pwdb.so
password required       /lib/security/pam_cracklib.so
password required       /lib/security/pam_pwdb.so shadow nullok use_authtok
session  required       /lib/security/pam_pwdb.so

#first two lines are swapped /etc/pam.d/rlogin
auth     sufficient     /lib/security/pam_rhosts_auth.so
auth     required       /lib/security/pam_securetty.so
auth     required       /lib/security/pam_pwdb.so shadow nullok
auth     required       /lib/security/pam_nologin.so
account  required       /lib/security/pam_pwdb.so
password required       /lib/security/pam_cracklib.so
password required       /lib/security/pam_pwdb.so shadow nullok use_authtok
session  required       /lib/security/pam_pwdb.so

NOTE: I do not know whether there is a better way, but this one works.

root telnet access

On every node except the gateway node, add the following lines to /etc/securetty:


ttyp0
ttyp1
ttyp2
ttyp3
ttyp4

This change allows root to telnet to any node in the cluster. Only the first five pseudo-terminals are listed, so a root session arriving on ttyp5 or higher is still refused; on later kernels that use devpts the pseudo-terminals are named pts/0, pts/1 and so on, and the entries must be written that way.

root ftp access

On systems where ftp access as root is needed, comment out the root entry in /etc/ftpusers as follows. Bear in mind that ftp sends root's password over the network in clear text, so this should only ever be allowed on the private cluster network.


#Comment out root to allow other systems ftp access as root
#root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

