* This is the Nextline technical department.
To help prevent password-guessing attacks (dictionary attacks) against ssh (tcp:22) before they succeed,
Nextline provides the following reference document.
For more stable operation of your systems, we ask customers to review it carefully.
********************************************************************************************
* OS covered by this document : all Linux distributions of the Red Hat family
First, check whether your server is receiving ssh attacks from outside, as follows.
shell> grep "Failed password for illegal user" /var/log/secure
Depending on the server, you may find so many attack attempts that the output scrolls the screen of your
terminal program (SecureCRT, PuTTY) several times over.
<Example log entries from a dictionary attack>------------------------------
| Failed password for illegal user (root) from 111.222.333.444 port 50662 ssh2 |
| Failed password for illegal user (test) from 111.222.333.444 port 50139 ssh2 |
| Failed password for illegal user (user) from 111.222.333.444 port 50528 ssh2 |
| Failed password for illegal user (admin) from 111.222.333.444 port 50405 ssh2 |
| Failed password for illegal user (guest) from 111.222.333.444 port 50281 ssh2 |
| Failed password for illegal user (a) from 111.222.333.444 port 50805 ssh2 |
| Failed password for illegal user (b) from 111.222.333.444 port 50933 ssh2 |
| Failed password for illegal user (c) from 111.222.333.444 port 50805 ssh2 |
| Failed password for illegal user (d) from 111.222.333.444 port 50933 ssh2 |
--------------------------------------------------------------------------------
As in the example above, an external host (111.222.333.444) is trying to log in by guessing passwords for
accounts such as root, test and user. If the password on a running server is empty (null) or set to something
guessable such as 1234, the attacker can easily obtain access to that server (and escalated privileges).
Ways to defend the ssh daemon against such password-guessing attacks include:
① Allowing connections only from specific IPs via iptables -> see the Nextline firewall (iptables) wizard!
② Changing the ssh (tcp:22) service port / prohibiting direct ssh login as root
③ Allowing connections only from specific IPs via tcp_wrapper, etc.
In addition to the methods above, this document explains how to block the IPs of malicious connection attempts
at the source by monitoring /var/log/secure, the file that records external connection attempts.
① First, download the related script into the /root/bin directory.
Download url : http://www.nextline.net/util/ssh_dos_block.sh
② Give the downloaded ssh_dos_block.sh file execute permission.
shell> chmod 700 /root/bin/ssh_dos_block.sh
③ Register the script in /etc/crontab so that ssh_dos_block.sh runs automatically every 30 minutes.
shell> echo "*/30 * * * * root /root/bin/ssh_dos_block.sh" >> /etc/crontab
Or add the line */30 * * * * root /root/bin/ssh_dos_block.sh to /etc/crontab
For reference, IPs that make malicious connection attempts are registered in the /etc/hosts.deny file,
which blocks their network access to ssh, ftp and other services.
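As an added example, the following script does the job described above: it reads failed-login lines from a /var/log/secure-style file, counts them per source IP, and adds each offending IP once to a hosts.deny-style file. It was written for this document and is not Nextline's ssh_dos_block.sh, whose contents this page does not show. The failure threshold, the allowlist file and the sample log lines are assumptions of this example (the log lines are constructed, using documentation addresses); the "ALL: address" entry form is standard tcp_wrappers hosts.deny syntax.

```shell
#!/bin/sh
# Added example, not Nextline's ssh_dos_block.sh: pick out source IPs with
# repeated failed ssh logins from a /var/log/secure-style log and add each
# of them, once, to a hosts.deny-style file. The failure threshold and the
# allowlist are additions of this example, not features the page describes.

# offending_ips LOGFILE MIN
# Prints, one per line and sorted, every source IP that appears in at least
# MIN "Failed password for ..." lines. Both the older "illegal user" wording
# shown in this document and the newer "invalid user" wording of sshd match,
# because only the token after "from" is used.
offending_ips() {
    awk -v min="$2" '
        /Failed password for/ {
            for (i = 1; i < NF; i++) {
                if ($i == "from") { seen[$(i + 1)]++; break }
            }
        }
        END { for (ip in seen) if (seen[ip] >= min) print ip }
    ' "$1" | sort
}

# deny_ip IP DENYFILE
# Appends "ALL: IP" (tcp_wrappers syntax: refuse every wrapped service to that
# client) unless an identical line is already present, so a script run every
# 30 minutes from cron does not grow the file with duplicates.
deny_ip() {
    if ! grep -q -x -F "ALL: $1" "$2" 2>/dev/null; then
        echo "ALL: $1" >>"$2"
    fi
}

# block_from_log LOGFILE MIN DENYFILE [ALLOWFILE]
# Ties the two together. Addresses listed one per line in ALLOWFILE (for
# example the administrator's own office address) are never added, which is
# the one safeguard a cron-driven blocker should not run without.
block_from_log() {
    for ip in $(offending_ips "$1" "$2"); do
        if [ -n "$4" ] && grep -q -x -F "$ip" "$4" 2>/dev/null; then
            continue
        fi
        deny_ip "$ip" "$3"
    done
}

# Constructed sample log in the format of /var/log/secure (RFC 5737
# documentation addresses, not real attackers).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Feb 21 10:01:02 host sshd[1201]: Failed password for illegal user (root) from 203.0.113.5 port 50662 ssh2
Feb 21 10:01:05 host sshd[1203]: Failed password for illegal user (test) from 203.0.113.5 port 50139 ssh2
Feb 21 10:01:09 host sshd[1205]: Failed password for illegal user (admin) from 203.0.113.5 port 50405 ssh2
Feb 21 10:01:12 host sshd[1207]: Failed password for illegal user (guest) from 203.0.113.5 port 50281 ssh2
Feb 21 10:02:40 host sshd[1220]: Failed password for invalid user oracle from 198.51.100.7 port 41022 ssh2
Feb 21 10:02:44 host sshd[1222]: Failed password for invalid user oracle from 198.51.100.7 port 41023 ssh2
Feb 21 10:03:00 host sshd[1230]: Failed password for jsmith from 192.0.2.10 port 51000 ssh2
Feb 21 10:03:30 host sshd[1232]: Accepted password for jsmith from 192.0.2.10 port 51001 ssh2
EOF

# Demonstration run against the sample: with a threshold of 3 only
# 203.0.113.5 (4 failures) is written; the single typo by jsmith and the two
# attempts from 198.51.100.7 stay below it.
SAMPLE_DENY=$(mktemp)
block_from_log "$SAMPLE_LOG" 3 "$SAMPLE_DENY"
echo "entries written to $SAMPLE_DENY:"
cat "$SAMPLE_DENY"
```

To use it the way the steps above describe, call block_from_log from cron as root with /var/log/secure, a threshold you are comfortable with, /etc/hosts.deny and an allowlist holding your own management addresses. Two caveats: newer sshd logs "invalid user" rather than "illegal user", so if the grep in the check above prints nothing on a recent system, search for "Failed password for" instead; and OpenSSH 6.7 and later no longer consult tcp_wrappers, so on such systems a hosts.deny entry does not affect sshd and the same list has to be applied with iptables (method ① above) instead.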
* If you have questions about this configuration, please contact head office via quick mail or the technical department.
Nextline technical department : ☎ 02-6288-6661 ext. 101~103
* Document written : 2006/02/21