2009년 5월 14일 목요일

OS 기본 보안셋팅 (FM)

1. Yum(Yellow dog Updater, Modified) package Update

1-1. yum download
http://www.linux.duke.edu/projects/yum/download.ptml

1-2. install

# RedHat 8.0
rpm -Uvh yum-1.0.3-1_80.noarch.rpm

# RedHat 7.3
rpm -Uvh yum-1.0.3-1_73.noarch.rpm

# RedHat 9.0 & Fedora Core 1
rpm -Uvh yum-2.0.7-1.noarch.rpm

1-3. 설정 (RedHat 8.0 기준)

vi /etc/yum.conf

[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
exclude=kernel*

[base]
name=Red Hat Linux $releasever base
baseurl=http://mirror.hostway.co.kr/redhat/8.0/os/i386/


[updates]
name=Red Hat Linux $releasever updates
baseurl=http://mirror.hostway.co.kr/redhat/8.0/updates/i386/

1-4. 패키지 업데이트

yum update


2. 쉘  ~ 로그 & 파일 & 사용자 ~ 관리

2-1. ~/.bash_logout
vi /etc/skel/.bash_logout
vi /root/.bash_logout

~~~~~~~~~~~~~~~~~~~~~~~~~
# ~/.bash_logout  (installed as /etc/skel/.bash_logout and for root)
# Runs when a login shell exits: the shell and mysql client history files
# are discarded — they can contain passwords typed on command lines — and
# the terminal is blanked so nothing stays on screen.
# This also erases the local record of what the user ran; the remote
# syslog server configured in 2-5 is the trail that remains.
rm -rf -- ~/.bash_history ~/.mysql_history
clear
~~~~~~~~~~~~~~~~~~~~~~~~~

2-2. profile

vi /etc/profile

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Appended to /etc/profile, so it applies to every login shell.
# History is capped at 30 entries in memory and on disk, and an interactive
# shell idle for 1800 s (30 min) is closed by the shell itself.
# These are ordinary exported variables: a user can still raise or unset
# them in their own rc files ("readonly TMOUT" would make the idle timeout
# non-overridable).
export HISTFILESIZE=30
export HISTSIZE=30
export TMOUT=1800
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2-3. inittab
 
vi /etc/inittab

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
#x:5:respawn:/etc/X11/prefdm -nodaemon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2-4.
ls /etc/xinetd.d/* (불필요 파일 제거)
ls /etc/rc.d/init.d/* (불필요 초기화 스크립트 제거)
#cat /etc/services (사용하지 않는 포트 주석처리)
#cat /etc/hosts.allow , /etc/hosts.deny (Tcp_wrapper 효과적 활용)

2-5.
#cat /etc/syslog.conf
logserver 설정 ( remote 에 로그정보 저장 )

2-6. file permission

vi /root/permission.sh

~~~~~~~~~~~~~~~~~~~~~~~~~~
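#!/bin/sh
# /root/permission.sh — tighten modes and ownership of system directories,
# configuration files and privileged binaries after installation.
# Run as root. Paths that do not exist on this host are skipped (the list
# assumes qmail, named, apache and mysql are installed); any other
# chmod/chgrp/chown failure is reported on stderr and makes the script
# exit 1, so a manual or cron run shows what was not applied.

status=0

# set_mode MODE PATH...   : chmod every PATH that exists to MODE.
set_mode() {
        mode="$1"
        shift
        for p in "$@" ; do
                [ -e "$p" ] || continue
                chmod "$mode" "$p" || status=1
        done
}

# set_group GROUP PATH... : chgrp every PATH that exists to GROUP.
set_group() {
        grp="$1"
        shift
        for p in "$@" ; do
                [ -e "$p" ] || continue
                chgrp "$grp" "$p" || status=1
        done
}

# set_owner USER PATH...  : chown every PATH that exists to USER.
set_owner() {
        usr="$1"
        shift
        for p in "$@" ; do
                [ -e "$p" ] || continue
                chown "$usr" "$p" || status=1
        done
}

# --- logs and mail (qmail) ----------------------------------------------
set_mode 750 /var/log
set_group nofiles /var/log
set_mode 751 /var/qmail /var/named
set_mode 750 /var/qmail/rc
set_mode 751 /var/qmail/control
set_mode 640 /var/qmail/control/locals
set_group qmail /var/qmail/control/locals
set_mode 640 /var/qmail/control/rcpthosts /var/qmail/control/sqlserver
set_group nofiles /var/qmail/control/rcpthosts /var/qmail/control/sqlserver
set_mode 751 /home/qmail

# --- top-level directories -----------------------------------------------
# x-only modes (701/751) let users traverse into known paths but not list
# them.
# NOTE(review): procfs may not keep a mode set on /proc across reboots —
# confirm on the target kernel; a failure here is reported, not fatal.
set_mode 505 /proc
set_mode 701 /bin /dev /home /usr
set_mode 700 /boot /mnt /root
set_mode 751 /var

# --- /etc ------------------------------------------------------------------
# NOTE(review): 600 on /etc/hosts, /etc/host.conf, /etc/nsswitch.conf and
# /etc/services hides them from every non-root process, including daemons
# that drop privileges (qmail, apache) — confirm name and service lookups
# still work for those accounts before keeping these four.
set_mode 750 /etc/cron.*
set_mode 640 /etc/crontab
set_mode 750 /etc/default
set_mode 600 /etc/exports /etc/fstab /etc/gpm-root.conf
set_mode 644 /etc/group
set_mode 600 /etc/host.conf /etc/hosts /etc/hosts.allow /etc/hosts.deny
#set_mode 600 /etc/identd.conf
set_mode 600 /etc/initlog.conf /etc/inittab
set_mode 400 /etc/issue /etc/issue.net
set_mode 600 /etc/krb.conf /etc/krb5.conf
#chattr +i /etc/lilo.conf
set_mode 600 /etc/ld.so.conf /etc/ldap.conf /etc/lilo.conf /etc/login.defs
set_mode 600 /etc/logrotate.conf
set_mode 750 /etc/logrotate.d
set_mode 600 /etc/lpd.conf /etc/ltrace.conf /etc/modules.conf /etc/modules.conf~
set_mode 605 /etc/mtab
set_mode 650 /etc/my.cnf
set_mode 640 /etc/named.conf
set_owner named /etc/named.conf
set_mode 600 /etc/nscd.conf /etc/nsswitch.conf /etc/pbm2ppa.conf /etc/pine.conf
set_mode 600 /etc/pnm2ppa.conf /etc/pwdb.conf /etc/radvd.conf
set_mode 750 /etc/rc.d
set_mode 600 /etc/redhat-release
set_mode 750 /etc/rpm
set_mode 600 /etc/rpc
set_mode 440 /etc/screenrc
set_mode 600 /etc/securetty
set_mode 750 /etc/security
set_mode 600 /etc/services
set_mode 700 /etc/skel
set_mode 750 /etc/smrsh /etc/ssh /etc/sysconfig
set_mode 600 /etc/sysctl.conf /etc/syslog.conf /etc/tcp.smtp /etc/updatedb.conf
set_mode 600 /etc/xinetd.conf
set_mode 750 /etc/xinetd.d
set_mode 600 /etc/yp.conf /etc/ypserv.conf

# --- locally built software ------------------------------------------------
set_mode 700 /usr/local/src
set_mode 701 /usr/local/apache/cgi-bin
set_mode 700 /usr/local/apache/conf
set_mode 701 /usr/local/apache/htdocs
set_mode 700 /usr/local/apache/logs

# --- binaries ---------------------------------------------------------------
# Numeric modes without the 4000/2000 bits clear SUID/SGID on these programs
# (section 8 of the checklist keeps only su and passwd set-uid); 700/550
# additionally stop ordinary users from running them at all.
set_mode 700 /usr/bin/chage
set_mode 500 /usr/bin/wall
set_mode 700 /usr/bin/chfn /usr/bin/write /usr/sbin/usernetctl
set_mode 700 /bin/mount /bin/umount /sbin/netreport /bin/rpm
set_mode 550 /bin/ps /bin/netstat /bin/dmesg
set_mode 555 /bin/df
set_mode 550 /usr/bin/who /usr/bin/finger /usr/bin/last /usr/bin/top
set_mode 550 /usr/bin/w /usr/bin/uptime
set_mode 550 /usr/sbin/useradd /usr/sbin/userdel
set_mode 700 /usr/sbin/groupdel /usr/sbin/usermod
set_mode 550 /bin/ping /usr/bin/find
set_mode 755 /var/run
set_mode 755 /usr/bin/rlogin /usr/bin/rcp /usr/bin/gpasswd /usr/bin/at
set_mode 711 /usr/bin/newgrp
set_mode 755 /usr/bin/crontab /usr/bin/rsh
# 111 strips the set-uid bit sudo needs to switch users, so after this line
# sudo works for root only. Keep it if sudo is meant to be disabled on this
# host; otherwise 4111 keeps the binary unreadable but functional.
set_mode 111 /usr/bin/sudo
set_mode 755 /usr/bin/ssh /usr/sbin/traceroute /usr/sbin/traceroute6 /usr/sbin/ping6
set_mode 711 /usr/bin/chsh
set_mode 555 /usr/sbin/sendmail.old

exit $status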
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2-7
#ntsysv
 -> 초기 실행할 서비스 데몬 내리기 ( chkconfig 활용 )

3. 시스템 정보 숨기기

3-1
# cat < /dev/null > /etc/issue & /etc/issue.net 
   -> 로그인 할 때, 배포본, 버전, 커널 버전, 서버이름 관한 항목 제거

# cat /etc/securetty
  -> root가 로그인가능한 터미널(tty)장치 설정
 * shadow 패스워드 (pwconv) 시스템을 사용하므로, root 접속 가능 터미널은 /etc/login.defs 에서도 셋팅


4. 일반 유저의 su root 방지

4-1
#cat /etc/pam.d/su
  -> wheel group에 등록된 user 만 접근가능 설정
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#cat /etc/group
wheel:x:10:root,admin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

5. 파일 시스템 마운트 - 마운트위치될 특성에 따라 옵션적용

defaults: 기본 옵션, 쓰기,읽기 가능, quota, suid 가능
noquota: 유저 쿼타가 적용되지 않음
nosuid: SUID/SGID 억세스 불가
nodev: 이 파일시스템의 special device (block/character) 파일 사용 불가 (예: /dev 에는 적용하지 않음)
noexec: 이 파티션상의 모든 바이너리 실행 불가
quota: 유저 쿼타 사용
ro: 읽기 전용으로 마운트
rw: 읽기,쓰기 허용
suid: SUID/SGID 억세스 허용

#cat /etc/fstab

~~~~~~~~~~~~~~~~~~~~~~~~~ 에디트 ~~~~~~~~~~~~~~~~~~~~~~~~~~
LABEL=/                 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
none                    /dev/pts                devpts  gid=5,mode=620  0 0
LABEL=/home             /home                   ext3    defaults,nodev,usrquota,grpquota        1 2
none                    /proc                   proc    defaults        0 0
none                    /dev/shm                tmpfs   defaults        0 0
LABEL=/tmp              /tmp                    ext3    defaults,nodev,noexec,nosuid        1 2
LABEL=/usr              /usr                    ext3    defaults        1 2
LABEL=/usr/local        /usr/local              ext3    defaults,nodev        1 2
LABEL=/var              /var                    ext3    defaults,nodev        1 2
/dev/sda2               swap                    swap    defaults        0 0
/dev/hda2               /mnt/backup             ext3    defaults        0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

6. 시스템 네트워크 설정 최적화 ( kernel compile 포함 )

# cat /etc/rc.d/rc.local
  -> DDoS & SYN flooding 공격 방어를 위한 커널 옵션값 설정 (리붓, 부팅 후 자동 적재)
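# Appended to /etc/rc.d/rc.local so these kernel network settings are
# re-applied at every boot. Each key is written by its own sysctl call on
# purpose: a key this kernel does not have fails alone (error on stderr)
# and the remaining lines still apply.
#
# NOTE(review): the section title promises SYN-flood defence, but nothing
# here turns on SYN cookies (net.ipv4.tcp_syncookies) — confirm it is set
# elsewhere (e.g. /etc/sysctl.conf) or add it to this list.

# ICMP: rate-limit error replies, answer no echo requests at all, ignore
# broadcast pings and malformed error responses. The icmp_*_rate keys exist
# only on some older kernels; where they are missing the line fails and
# the rest continue. icmp_echo_ignore_all=1 also stops answering
# legitimate availability-monitoring pings.
sysctl -w net.ipv4.icmp_destunreach_rate=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_echoreply_rate=1
sysctl -w net.ipv4.icmp_echo_ignore_all=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.icmp_paramprob_rate=1
sysctl -w net.ipv4.icmp_timeexceed_rate=1
sysctl -w net.ipv4.igmp_max_memberships=1

# IP: no forwarding through this host, default TTL, give up on
# half-reassembled fragments after 15 s.
sysctl -w net.ipv4.ip_default_ttl=64
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.ipfrag_time=15

# TCP retransmission limits, lowered so unresponsive peers are dropped
# sooner.
sysctl -w net.ipv4.tcp_syn_retries=3
sysctl -w net.ipv4.tcp_retries1=3
sysctl -w net.ipv4.tcp_retries2=7

# Per-interface anti-spoofing: reverse-path filtering on, ICMP redirects
# and source routing refused, no redirects sent, no proxy ARP, BOOTP relay
# off. rp_filter=2 is "loose" mode on kernels that define it; older kernels
# treat any non-zero value as on — confirm on the target kernel.
# log_martians=0 keeps the log quiet; 1 would record the spoofed packets
# rp_filter drops, which is the only trace of such attempts you will get.
sysctl -w net.ipv4.conf.eth0.rp_filter=2
sysctl -w net.ipv4.conf.lo.rp_filter=2
sysctl -w net.ipv4.conf.default.rp_filter=2
sysctl -w net.ipv4.conf.all.rp_filter=2
sysctl -w net.ipv4.conf.eth0.accept_redirects=0
sysctl -w net.ipv4.conf.lo.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.eth0.accept_source_route=0
sysctl -w net.ipv4.conf.lo.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.eth0.bootp_relay=0
sysctl -w net.ipv4.conf.lo.bootp_relay=0
sysctl -w net.ipv4.conf.default.bootp_relay=0
sysctl -w net.ipv4.conf.all.bootp_relay=0
sysctl -w net.ipv4.conf.eth0.log_martians=0
sysctl -w net.ipv4.conf.lo.log_martians=0
sysctl -w net.ipv4.conf.default.log_martians=0
sysctl -w net.ipv4.conf.all.log_martians=0
sysctl -w net.ipv4.conf.eth0.secure_redirects=0
sysctl -w net.ipv4.conf.lo.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.eth0.send_redirects=0
sysctl -w net.ipv4.conf.lo.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.eth0.proxy_arp=0
sysctl -w net.ipv4.conf.lo.proxy_arp=0
sysctl -w net.ipv4.conf.default.proxy_arp=0
sysctl -w net.ipv4.conf.all.proxy_arp=0

# Keep-alive and TIME_WAIT tuning. 30 s before the first keep-alive probe
# is far below the usual default — confirm it is intended for this host.
# tcp_max_ka_probes is not present on all kernels — confirm before relying
# on it.
sysctl -w net.ipv4.tcp_keepalive_time=30
sysctl -w net.ipv4.tcp_fin_timeout=30
sysctl -w net.ipv4.tcp_max_tw_buckets=720000
sysctl -w net.ipv4.tcp_keepalive_probes=2
sysctl -w net.ipv4.tcp_max_ka_probes=100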

7. 네트웍 무결성

vi /etc/ftpusers

vi /etc/resolv.conf

vi /etc/host.conf
~~~~~~~~~~~~~~~~
order hosts,bind
multi on
nospoof on
~~~~~~~~~~~~~~~~

8. SUID/SGID 설정 해제
   -> 관리에 필요한 ( su , passwd ) 를 제외한 모든 SUID/SGID 비트 제거
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#find / -type f -perm -4000 -user root -exec ls -l {} \;
#find / -type f -perm -2000 -user root -exec ls -l {} \;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

9. Backup script 작성
vi /etc/cron.weekly/homebackup.sh
 -> 주일단위 홈백업 스크립트

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
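#!/bin/sh
# /etc/cron.weekly/homebackup.sh — weekly per-user archive of /home.
# Every top-level directory under /home is packed into
# /backup/week/home/<user>-<YYYYmmdd-HH>.tar.gz; archives whose ctime is
# older than 10 days are deleted first.

home_root="/home/"
backup_home_root="/backup/week/home/"
sysdtime=$(date +%Y%m%d-%H)

# The archives hold every user's private files: create them readable by
# root only, whatever umask cron runs with, and keep the directory closed.
umask 077
[ -d "$backup_home_root" ] || mkdir -p "$backup_home_root"
chmod 700 "$backup_home_root"

# Prune old archives; -type f keeps the directory itself off the rm list.
find "$backup_home_root" -type f -ctime +10 -exec rm -f {} \;

# Without this check a missing /home would leave the script in cron's
# working directory and archive whatever is there instead.
cd "$home_root" || { echo "homebackup: cannot cd to $home_root" >&2; exit 1; }

echo "백업 중입니다"
# Glob instead of $(ls): a name with spaces or glob characters stays one
# word. With no subdirectories the pattern is left unexpanded and the -d
# test below skips it.
for entry in */ ; do
        home_name="${entry%/}"
        [ -d "$home_root/$home_name" ] || continue
        echo "tar -czpf $backup_home_root$home_name-$sysdtime.tar.gz $home_name"
        tar -czpf "$backup_home_root$home_name-$sysdtime.tar.gz" "$home_name"
done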
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

vi /etc/cron.daily/dbbackup.sh
 -> 일일 db dump 백업
~~~~~~~~~~~~~~~~~~~~~~~~~~ 에디트 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
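#!/bin/sh
# /etc/cron.daily/dbbackup.sh — dump every MySQL database to its own
# <db>-<YYYYmmdd-HH>.sql[.gz] file under /backup/day/mysqldump and remove
# dumps older than 10 days (ctime).
#
# The MySQL root password is stored in clear text below, so this file must
# stay owned by root with mode 0600.

mysql_dbdump="1"                  # "1" = dumping enabled, anything else = no-op
backupdir="/backup/day"
mysql_host="localhost"
mysql_rootpasswd="디비패스워드지정"
mysql_backupdir="${backupdir}/mysqldump"
mysql_dump="/usr/local/mysql/bin/mysqldump"
mysql_show="/usr/local/mysql/bin/mysqlshow"
db_compress="1"                   # "1" = gzip each dump after writing it
not_dump_db="test|test2"          # exact database names to skip, as an ERE alternation
reportmailto=""                   # address for the "nothing dumped" report; empty = no mail

# Dumps hold every row of every database: create them readable by root only.
umask 077

# NOTE(review): sets the clock from an unauthenticated rdate server just
# before the dump is timestamped; an ntp client is the usual place for this.
/usr/bin/rdate -s time.bora.net >/dev/null 2>&1

# Prune old dumps first so the space is free before new ones are written.
find "$mysql_backupdir" -type f -ctime +10 -exec rm -f {} \;

if [ "$mysql_dbdump" != "1" ] ; then
        exit 0
fi

sysdtime=$(date +%Y%m%d-%H)

# Hand the password to the client tools through the environment instead of
# "-p<password>" on the command line, where any local user could read it
# from the process list while a dump runs.
MYSQL_PWD="$mysql_rootpasswd"
export MYSQL_PWD
# Deliberately unquoted where used: it must split into separate options.
mysql_connect="-h $mysql_host -u root"

# mysqlshow prints one "| name |" row per database: take the second column,
# drop the header row and the skip list. -x matches whole names, so "test"
# no longer also excludes e.g. "contest".
mysql_DBs=$($mysql_show $mysql_connect 2>/dev/null \
        | awk 'NF >= 2 {print $2}' \
        | grep -E -v -x "(${not_dump_db}|Databases)")

# mysql_dump_work DB — dump one database to a timestamped .sql file and
# gzip it when db_compress is "1". A failed dump is reported on stderr
# (cron mails it), its partial file is removed and 1 is returned, so a
# broken backup is never kept looking like a good one.
mysql_dump_work() {
        mysql_each_DB="$1"
        mysql_dump_file="${mysql_backupdir}/${mysql_each_DB}-${sysdtime}.sql"
        if ! $mysql_dump $mysql_connect "$mysql_each_DB" > "$mysql_dump_file" ; then
                echo "dbbackup: dump of $mysql_each_DB failed" >&2
                rm -f "$mysql_dump_file"
                return 1
        fi
        if [ "$db_compress" = "1" ] ; then
                gzip -f9 "$mysql_dump_file"
        fi
}

status=0

if [ "$mysql_DBs" != "" ] ; then

        if [ ! -d "$mysql_backupdir" ] ; then
                mkdir -p "$mysql_backupdir"
                chmod 700 "$mysql_backupdir"
        fi

        ## All DB dump to one file(.sql) !!!!
        ## Verbal advice --> LSN tip board : 'lubzzon'
        ## --all-databases > all_db.sql
        ##
        # mysql_DBs is a newline-separated list: unquoted on purpose.
        for mysql_DB in $mysql_DBs ; do
                mysql_dump_work "$mysql_DB" || status=1
        done

        #chmod 600 $mysql_backupdir
        #chown root mysql_backupdir

else

        if [ "$reportmailto" != "" ] ; then
                mailsubject="dailydump.cron report [${HOSTNAME}]"
                mailmessages="MySQL이 가동하지 않거나 DB가 없습니다.${IFS}MySQL 서버(${mysql_host}) 확인하세요!!!"
                echo "$mailmessages" | mail -s "$mailsubject" "$reportmailto" >/dev/null 2>&1
        fi
fi

# Non-zero when any dump failed, so cron reports the run instead of
# silently keeping a day without a backup.
exit $status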
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

vi /etc/cron.weekly/otherbackup.sh
  -> 주일에 한번 중요설정파일 백업

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
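#!/bin/sh
# /etc/cron.weekly/otherbackup.sh — weekly archive of the trees that cannot
# be reinstalled from packages: apache and tomcat configuration, named
# zones, /etc, /var and /root. Archives older than 10 days (ctime) are
# removed first.

backup_dir="/backup/week/other"
# One timestamp for the whole run, so the archives of one week share the
# same suffix even when the run crosses a minute boundary.
stamp=$(date +%Y%m%d%H%M)

# /etc and /root carry shadow, the ssh host keys and the MySQL password
# from dbbackup.sh: create the archives readable by root only, whatever
# umask cron runs with, and keep the directory closed too.
umask 077
[ -d "$backup_dir" ] || mkdir -p "$backup_dir"
chmod 700 "$backup_dir"

find "$backup_dir" -type f -ctime +10 -exec rm -f {} \;

# archive NAME DIR — pack DIR into NAME-<stamp>.tar.gz. A DIR that is not
# present on this host (e.g. no tomcat installed) is skipped instead of
# making tar fail and the cron mail fill with errors.
archive() {
        [ -d "$2" ] || return 0
        tar zcpvf "$backup_dir/$1-$stamp.tar.gz" "$2"
}

archive apache_conf /usr/local/apache/conf
archive namedzone   /var/named
archive etc         /etc
archive var         /var
archive root        /root
archive tomcat_conf /usr/local/tomcat/conf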
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
