The general security policy of a Beowulf cluster is that all nodes within the cluster must be able to trust one another. The reason you can relax security inside the cluster is that none of the client nodes is directly connected to the outside world and all of the nodes are essentially identical. If someone tries to hack the gateway (translator's note: cracking is the accurate term), the crackers can obtain no information whatsoever about the client nodes, so at this level there is no security problem to worry about. It is impossible for anyone to connect to a node without either being at that node's console or going through the server node. The biggest advantages of relaxing security inside the cluster are flexibility, ease of use and ease of management. The server node, by contrast, must trust the client nodes but must not trust the outside world. There are several ways of relaxing security within the cluster while protecting yourself from the outside.
The tcpd daemon, commonly known as TCP wrapper, is the first line of defence and the simplest way to restrict connections to your machine, and so it raises the security of the system. It ships as part of the Red Hat distribution and is simple to configure. There are three configuration files: /etc/hosts.allow determines the hosts that are allowed to connect. /etc/hosts.deny is read only when no entry in /etc/hosts.allow matches; it determines the hosts whose connections are refused. /etc/inetd.conf contains entries that do not need changing when setting up tcpd. The host_access(5) man page gives good information on the syntax of /etc/hosts.allow and /etc/hosts.deny.
Allowing access with /etc/hosts.allow
The example below means that connections to any port are allowed from the IP addresses 10.0.0.x, 10.0.1.x and 10.0.2.x. It also allows connections to in.telnetd (the telnet service) from the host myworkstation.usq.edu.au. All other connections are blocked by the /etc/hosts.deny file; the services themselves are listed in /etc/inetd.conf and are started through tcpd.
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server
#
# we fully trust ourself and all the other nodes within the cluster
ALL : localhost, 10.0.0., 10.0.1., 10.0.2.
in.telnetd : myworkstation.usq.edu.au
Denying access with /etc/hosts.deny
The /etc/hosts.deny file determines what happens to hosts that did not match anything in /etc/hosts.allow. The best way to use TCP wrapper is to refuse every host that is not explicitly permitted in /etc/hosts.allow. In the author's case, /etc/hosts.deny refuses access to everything, not only to what fails to match, and for every refused connection it e-mails the details to the administrator.
ALL: ALL: spawn ( \
    echo -e "\n\
    TCP Wrappers\: Connection Refused\n\
    By\: $(uname -n)\n\
    Process\: %d (pid %p)\n\
    User\: %u\n\
    Host\: %c\n\
    Date\: $(date)\n\
    " | /bin/mail -s "From tcpd@$(uname -n). %u@%h -> %d." root)
If a connection is attempted from a host that does not appear in /etc/hosts.allow, /etc/hosts.deny refuses the connection and the author receives the corresponding e-mail. Such an e-mail looks like this:
From root Fri Apr 16 23:33:50 1999
Return-Path: <root>
        by topcat.beowulf.usq.edu.au (8.8.7/8.8.7) id XAA19278
        for root; Fri, 16 Apr 1999 23:33:50 +1000
Date: Fri, 16 Apr 1999 23:33:50 +1000
From: TOPCAT Admin <root@topcat.beowulf.edu.au>
Message-Id: <199904161333.XAA19278@topcat.beowulf.usq.edu.au>
To: root@topcat.beowulf.edu.au
Subject: From tcp@topcat.beowulf.usq.edu.au. jacek@lamport.comp.usq.edu.au -> in.telnetd.
Status: 0

TCP Wrappers: Connection Refused
By: topcat.beowulf.usq.edu.au
Process: in.telnetd (pid 19270)
User: jacek
Host: jacek@lamport.comp.usq.edu.au
Date: Fri 16 Apr 1999 23:33:50 EST 1999
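The decision order described above (hosts.allow first, then hosts.deny, then a default of permit) is what makes the catch-all "ALL: ALL" deny rule important. The following Python model of that order is an added example and is not code from the Beowulf HOWTO; the two sample files are copies of the ones shown on this page, while the helper names, the EXCEPT handling and the client addresses 192.0.2.10 and 203.0.113.7 are constructed for the example. It implements the ALL, LOCAL, leading-dot (domain suffix) and trailing-dot (network prefix) wildcards of host_access(5) and ignores the shell_command field when matching.

```python
"""Model of tcpd's hosts_access decision order (added example, not HOWTO code)."""

# Constructed copy of the page's /etc/hosts.allow.
HOSTS_ALLOW = """\
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server
#
# we fully trust ourself and all the other nodes within the cluster
ALL : localhost, 10.0.0., 10.0.1., 10.0.2.
in.telnetd : myworkstation.usq.edu.au
"""

# Constructed copy of the page's /etc/hosts.deny, continuation lines and
# shell_command field included, so the parser has to cope with both.
HOSTS_DENY = r"""
ALL: ALL: spawn ( \
    echo -e "\n\
    TCP Wrappers\: Connection Refused\n\
    By\: $(uname -n)\n\
    Process\: %d (pid %p)\n\
    User\: %u\n\
    Host\: %c\n\
    Date\: $(date)\n\
    " | /bin/mail -s "From tcpd@$(uname -n). %u@%h -> %d." root)
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] from a hosts_access file.
    Backslash-continued lines are joined, comments and blank lines dropped,
    and the optional third field (shell_command) is ignored for matching."""
    rules, pending = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):        # continuation line
            pending += raw.rstrip()[:-1]
            continue
        line = (pending + raw).strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)            # daemons : clients [: shell_command]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def match_token(pattern, value):
    """Wildcard rules from host_access(5) for a single list element."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                     # any name without a dot
        return "." not in value
    if pattern.startswith("."):                # domain suffix, e.g. .usq.edu.au
        return value.endswith(pattern)
    if pattern.endswith("."):                  # network prefix, e.g. 10.0.1.
        return value.startswith(pattern)
    return pattern == value


def match_list(patterns, values):
    """True if any pattern matches any value; 'a EXCEPT b' means a and not b."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return match_list(patterns[:i], values) and not match_list(patterns[i + 1:], values)
    return any(match_token(p, v) for p in patterns for v in values)


def hosts_access(daemon, client_name, client_addr,
                 allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return "allow" or "deny" for one connection, in tcpd's order:
    first match in hosts.allow grants, first match in hosts.deny refuses,
    and a client matched by neither file is permitted."""
    client = [client_name, client_addr]
    for daemons, clients in parse_rules(allow_text):
        if match_list(daemons, [daemon]) and match_list(clients, client):
            return "allow"
    for daemons, clients in parse_rules(deny_text):
        if match_list(daemons, [daemon]) and match_list(clients, client):
            return "deny"
    return "allow"   # matched by neither file: tcpd's default is to permit


if __name__ == "__main__":
    for daemon, name, addr in [
        ("in.rshd", "node3", "10.0.1.3"),                       # cluster node
        ("in.telnetd", "myworkstation.usq.edu.au", "192.0.2.10"),
        ("in.rshd", "myworkstation.usq.edu.au", "192.0.2.10"),  # telnet only
        ("in.ftpd", "host.example.net", "10.0.10.5"),           # 10.0.10. is not 10.0.1.
    ]:
        print(daemon, name, addr, "->", hosts_access(daemon, name, addr))
```

Calling hosts_access with deny_text="" shows the failure mode the text warns about: with no hosts.deny rule, a host that matches nothing in hosts.allow is let in, because tcpd's default is to permit.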
/etc/inetd.conf
One very simple but effective way of securing a server is to stop the daemons that are not used. In general it is good practice to stop whatever you do not use. Most daemons are started by inetd, and commenting out the unused ones in /etc/inetd.conf keeps them from running. The following example shows login, exec, talk and ntalk commented out in /etc/inetd.conf.
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
#talk   dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  in.talkd
#ntalk  dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  in.ntalkd
After changing the configuration file, restart the inetd daemon. On Linux the easiest way is to send the daemon a signal telling it to re-read its configuration file.
[root@topcat root]# killall -HUP inetd
On other Unix systems, read up on kill carefully before running it!
You can get a list of all the listening ports and check which daemons are running. The following command gives this list.
[root@topcat root]# netstat -a | grep "LISTEN" | grep -v "^unix"
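The procedure above (comment out unused entries in /etc/inetd.conf, send inetd a HUP, then check what is still listening) can be scripted and checked before the file is put in place. The Python below is an added example, not code from the Beowulf HOWTO; the inetd.conf sample is constructed from the page's entries plus a few typical Red Hat entries (echo, ftp, telnet, finger), and the function names are the example's own. Besides commenting out a set of services, it reports enabled entries that are not started through /usr/sbin/tcpd, because hosts.allow and hosts.deny have no effect on those.

```python
"""Audit and edit an inetd.conf (added example, not HOWTO code)."""

# Constructed inetd.conf: the page's six entries plus a few common ones.
# "internal" services are handled inside inetd itself and are not wrapped.
INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
echo    stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
comsat  dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
talk    dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  in.ntalkd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""


def parse_inetd(text):
    """Enabled (uncommented) entries as 7-tuples:
    (service, sock_type, proto, flags, user, server_path, args)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 6:          # malformed line: ignore, as inetd would log
            continue
        while len(parts) < 7:       # no args field for internal services
            parts.append("")
        entries.append(tuple(parts))
    return entries


def disable_services(text, names):
    """Return the file with every enabled entry whose service name is in
    `names` commented out; all other lines are left exactly as they are,
    so the edit is safe to apply repeatedly."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not line.lstrip().startswith("#") and fields[0] in names:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def unwrapped_services(text, wrapper="/usr/sbin/tcpd"):
    """Names of enabled entries whose server program is not the TCP
    wrapper, i.e. services that hosts.allow/hosts.deny do not protect."""
    return [entry[0] for entry in parse_inetd(text) if entry[5] != wrapper]


if __name__ == "__main__":
    hardened = disable_services(INETD_CONF, {"login", "exec", "comsat", "talk", "ntalk"})
    print("still enabled:", [e[0] for e in parse_inetd(hardened)])
    print("not wrapped by tcpd:", unwrapped_services(hardened))
```

After writing the hardened text back to /etc/inetd.conf, the page's killall -HUP inetd makes inetd re-read it, and the netstat command above confirms that the commented-out services no longer listen.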
Servers such as the web server (http) and Samba (smbd) run from rc scripts. Each of them is usually stopped by removing the corresponding link in /etc/rc.d/rc3.d. For example, httpd, samba and sendmail (another security-relevant program), which are started in run levels 3 and 5, can be disabled as follows.
[root@topcat samba]# rm -f /etc/rc.d/rc3.d/S*httpd
[root@topcat samba]# rm -f /etc/rc.d/rc5.d/S*httpd
[root@topcat samba]# rm -f /etc/rc.d/rc3.d/S*smb
[root@topcat samba]# rm -f /etc/rc.d/rc5.d/S*smb
[root@topcat samba]# rm -f /etc/rc.d/rc3.d/S*sendmail
[root@topcat samba]# rm -f /etc/rc.d/rc5.d/S*sendmail
ipfwadm
The ipfwadm program blocks packets from specific IP addresses to specific ports. It is the most flexible way of controlling security. For example, the firewall rc script (section 17, firewall_script) must be started when the system boots, which is done as follows.
[root@topcat init.d]# cp /home/jacek/firewall /etc/rc.d/init.d
[root@topcat init.d]# chmod u+rx firewall
[root@topcat init.d]# ln -s /etc/rc.d/init.d/firewall /etc/rc.d/rc3.d/S05firewall
[root@topcat init.d]# ln -s /etc/rc.d/init.d/firewall /etc/rc.d/rc5.d/S05firewall
NOTE: You must adapt the author's script to your own environment.
One of the things users want to do is to connect between nodes and run remote commands without passwords. Most Beowulf software and utilities rely on rsh, which means working without passwords.
There are two ways to eliminate passwords inside the cluster: one is to make entries in /etc/hosts.equiv, the other is to add a .rhosts file to each user's home directory.
/etc/hosts.equiv is generally preferred, because the entries that would otherwise go into .rhosts on every node can be collected and applied in a single file.
The following is the format of the host list in .rhosts:
# must be read/writable by user only!
node1
node2
node3
node4
node5
node6
The format of /etc/hosts.equiv is:
#node name      optional user name
node1
node2
node3
node4
node5
node6
For root to rlogin to any node within the cluster, a .rhosts file must be added to root's home directory on each node. The .rhosts file must name every node in the cluster. Important: .rhosts must be readable and writable by its owner only (chmod go-rwx .rhosts). This must not be done on the gateway node.
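The requirements stated for these files (owner-only permissions, every cluster node listed, none on the gateway) are easy to check mechanically across the nodes. The Python below is an added example and is not code from the Beowulf HOWTO; the six node names match the page's files, while the temporary directory, the file names and the user workstation.example.net are constructed for the example. The parser handles the "host [user]" line format shared by .rhosts and /etc/hosts.equiv, and the audit also flags a "+" wildcard entry, which would trust any host or user.

```python
"""Audit .rhosts / hosts.equiv files (added example, not HOWTO code)."""
import os
import stat
import tempfile

# Constructed cluster for the example: the six nodes named on the page.
CLUSTER_NODES = {"node1", "node2", "node3", "node4", "node5", "node6"}


def parse_rhosts(text):
    """Entries of a .rhosts or hosts.equiv file as (host, user_or_None);
    comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def audit_rhosts(path, expected_nodes=CLUSTER_NODES, is_gateway=False):
    """Return a list of findings; an empty list means the file is as the
    text prescribes: absent on the gateway, and elsewhere owner-only,
    naming exactly the cluster nodes, with no '+' wildcard."""
    findings = []
    if is_gateway:
        if os.path.exists(path):
            findings.append("rhosts present on gateway node")
        return findings
    if not os.path.exists(path):
        return ["file missing"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):          # chmod go-rwx not applied
        findings.append("mode %04o grants group/other access" % mode)
    with open(path) as fh:
        entries = parse_rhosts(fh.read())
    hosts = {host for host, _ in entries}
    if "+" in hosts or any(user == "+" for _, user in entries):
        findings.append("wildcard '+' entry trusts any host or user")
    missing = expected_nodes - hosts
    if missing:
        findings.append("missing nodes: " + ", ".join(sorted(missing)))
    extra = hosts - expected_nodes - {"+"}
    if extra:
        findings.append("unexpected hosts: " + ", ".join(sorted(extra)))
    return findings


def _write(path, text, mode):
    """Create a constructed sample file with an explicit permission mode."""
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def run_demo():
    """Build constructed sample files in a temporary directory and audit
    them: one correct file, one with the classic mistakes, and the
    gateway case where no file should exist at all."""
    root = tempfile.mkdtemp(prefix="rhosts-audit-")
    good = os.path.join(root, "good.rhosts")
    _write(good, "# must be read/writable by user only!\n"
           + "".join(node + "\n" for node in sorted(CLUSTER_NODES)), 0o600)
    bad = os.path.join(root, "bad.rhosts")
    _write(bad, "+\nnode1\nworkstation.example.net jacek\n", 0o644)
    gateway = os.path.join(root, "gateway.rhosts")   # deliberately never created
    return {
        "good": audit_rhosts(good),
        "bad": audit_rhosts(bad),
        "gateway": audit_rhosts(gateway, is_gateway=True),
        "gateway_with_file": audit_rhosts(good, is_gateway=True),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or "ok")
```

On a real cluster the same audit_rhosts call would be run against /root/.rhosts and each user's ~/.rhosts on every node, with is_gateway=True on the gateway, and against /etc/hosts.equiv where that file is used instead.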
In addition, swap the first two lines of /etc/pam.d/rlogin:
#original /etc/pam.d/rlogin
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_pwdb.so shadow nullock
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullock use_authtok
session    required     /lib/security/pam_pwdb.so

#first two lines are swapped /etc/pam.d/rlogin
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_pwdb.so shadow nullock
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullock use_authtok
session    required     /lib/security/pam_pwdb.so
NOTE: There may be a better way of doing this, but it works.
On every node except the gateway node, add the following to the /etc/securetty file:
ttyp0
ttyp1
ttyp2
ttyp3
ttyp4
This change makes it possible to connect to any node in the cluster via remote telnet. /etc/securetty lists the terminals on which root is allowed to log in, and ttyp0 to ttyp4 are the pseudo-terminals that telnet sessions are given, which is why the gateway node is left out.
On systems where root ftp access is required, comment out root in the /etc/ftpusers file as follows.
#Comment out root to allow other systems ftp access as root
#root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody