Managing log files

FAQ 2005/06/27 18:17
System administrators must check and manage log files regularly.
Linux has a variety of log files related to security, the system and so on,
and they mostly accumulate in the /var/log directory.

- dmesg
A file recording the messages shown while Linux boots; its contents are
identical to what the dmesg command prints in a terminal. It is an
important file for checking the cause when problems occur at system
startup or shutdown.

- messages
Log file written when the daemons of various servers or xinetd-related
services are used; check it when a daemon has problems.

- secure
File recording logins to the system and any operation that requires
authentication; a very important log from a security standpoint.

- lastlog
Records the date each user last logged in.
It can be checked with the lastlog command.

- wtmp
File recording the logins of every user who connected to the system;
it can be viewed with the last command.

- xferlog
Log recording access to the FTP service.

If log file management is neglected, the log files keep growing, causing
failures such as a full filesystem and serious disk problems, so log files
should be rotated automatically with a program such as logrotate.
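As an added example, not from the original post: a logrotate(8) stanza for the files listed above, plus a size check that warns before /var fills up. Rotation counts, the file ownerships and the syslogd HUP in postrotate are assumptions to adapt to the local system.

```shell
#!/bin/sh
# Added example, not from the original post: a logrotate(8) stanza for the
# logs listed above, plus a size check that warns before /var fills up.
# Rotation counts, file ownership and the syslogd HUP are assumptions to adapt.
set -eu

# write_logrotate_conf <path>: write a stanza suitable for /etc/logrotate.d/.
# secure and wtmp are the audit trail, so they are kept for a long time and
# created unreadable to others; messages/secure/xferlog share one syslogd reload.
write_logrotate_conf() {
    cat > "$1" <<'EOF'
/var/log/messages /var/log/secure /var/log/xferlog {
    weekly
    rotate 12
    compress
    delaycompress
    missingok
    notifempty
    create 0600 root root
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
/var/log/wtmp {
    monthly
    rotate 12
    minsize 1M
    create 0664 root utmp
}
EOF
}

# find_oversized <dir> <bytes>: print "size path" for each file under <dir>
# larger than <bytes>; run it from cron to catch a log that rotation missed.
find_oversized() {
    find "$1" -type f | while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -gt "$2" ]; then
            echo "$size $f"
        fi
    done
}

# Usage: write_logrotate_conf /etc/logrotate.d/syslog
#        find_oversized /var/log 52428800    # anything over 50 MB
```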
Introduction

The purpose of this document is to strengthen the UNIX IP stack against
a variety of attack types prevalent on the Internet today. This document
details the settings recommended for UNIX servers designed to provide
network intensive services such as HTTP or routing (firewall services).
This document covers the following UNIX variants:


A. IBM AIX 4.3.X
B. Sun Solaris 7
C. Compaq Tru64 UNIX 5.X
D. HP HP-UX 11.0 (research ongoing)
E. Linux kernel 2.2 (tested both SuSE Linux 7.0 and RedHat 7.0)
F. FreeBSD
G. IRIX 6.5.10


Windows NT/2000 will be covered in future releases.

The tuning changes noted below will not remain across reboots.
Thus, these changes should be added to a runtime commands file so
that the changes are enacted at each boot.

AIX - /etc/rc.net
Solaris - /etc/init.d/inetinit
Tru64 UNIX - Use the sysconfigdb or dxkerneltuner command
HP-UX - /etc/rc.config.d/nddconf
Linux kernel 2.2 - /etc/sysctl.conf
FreeBSD - /etc/rc.conf
IRIX - Use the systune command


No tuning steps should be undertaken without a keen insight into
the purpose and effect of such steps. It is assumed that the
personnel who undertake such tuning are well versed in the UNIX
kernel with bit-level understanding of TCP/IP and the RFCs that
govern IP behavior.



Revision History

Version 1.0 - Created the AIX IP stack tuning guide
Version 2.0 - Added Solaris and additional AIX tuning tips, reformatted doc
Version 2.2 - Added ARP tuning tips
Version 2.3 - Added Compaq Tru64 UNIX SYN defense tips
Version 2.4 - Added HP HP-UX 11.0 tuning tips
Version 2.5 - Added Linux and FreeBSD tuning tips
Version 2.6 - Added IRIX 6.5.10 and additional FreeBSD tuning tips
Version 2.7 - Added additional HP-UX 11.0 tuning tips



Credits
This has become a global effort, and this document is made richer and
more valuable thanks to the input of several very helpful folks! Kudos and
lauds for the folks below:

Thanks to the Compaq Software Security Response Team for the Tru64 UNIX
SYN flood defense pointers.

For HP-UX 11.0, thanks to Tom Harrold for running ndd over and over at my
every request. :-)

Thanks to Klaus Moeller for a copious collection of Linux tuning tips.

Thanks to Andrew Korty for the FreeBSD tuning tips.

Thanks to Christian Lambert and Alex Icasiano of SGI for the IRIX tuning
tips.

Thanks, as always, to the FIRST community for support, questions, and
feedback.


General IP Stack Tuning Recommendations

1. TCP send and receive spaces

The TCP send and receive spaces directly affect the TCP window
size parameter. An increased window size will allow for more
efficient transfers, particularly bulk transfers such as FTP
and HTTP. The default for each is not optimal, and should be
increased to 32768 bytes. This value should not be increased
above 64K bytes unless the implications of RFC1323 and RFC2018
are fully understood and support for both is enabled.

Do not enable RFC1323 without also enabling support for RFC2018.
Remember, pipe drain is a Bad Thing[tm].

A. AIX
/usr/sbin/no -o tcp_sendspace=32768
/usr/sbin/no -o tcp_recvspace=32768


B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 32768
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 32768


C. Tru64 UNIX
No tuning recommendations.


D. HP-UX
The TCP send and receive spaces are set to 32768 by default


E. Linux kernel 2.2
While Linux automagically assigns the TCP send and receive spaces,
support for both RFC1323 (large window support,
net.ipv4.tcp_window_scaling) and RFC2018 (SACK support,
net.ipv4.tcp_sack) is enabled by default.


F. FreeBSD
sysctl -w net.inet.tcp.sendspace=32768
sysctl -w net.inet.tcp.recvspace=32768


G. IRIX
The default settings for IRIX are 64 Kbytes for both the TCP send
and receive spaces.




2. Socket queue defense against SYN attacks

While great effort is undertaken to defend any network from those
with malicious intent, several ports (largely TCP) must remain
open to conduct business. Internet vandals may attempt to
exploit these ports to launch a denial of service attack. One of
the most popular attacks remains the SYN flood, wherein the socket
queue of the attacked host is overwhelmed with bogus connection
requests. To defend against such attacks, certain UNIX variants
maintain separate queues for inbound socket connection requests.
One queue is for half-open sockets (SYN received, SYN|ACK sent),
the other queue for fully-open sockets awaiting an accept()
call from the application. These two queues should be increased so
that an attack of low to moderate intensity will have little to no
effect on the stability or availability of the server.

A. AIX
/usr/sbin/no -o clean_partial_conns=1
This setting will instruct the kernel to randomly remove
half-open sockets from the q0 queue to make room for new sockets.


B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
The q queue holds sockets awaiting an accept() call from the
application.


/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 2048
The q0 queue contains half-open sockets.


C. Tru64 UNIX
/sbin/sysconfig -r socket sominconn=65535
The value of sominconn determines how many simultaneous incoming
SYN packets can be handled by the system.


/sbin/sysconfig -r socket somaxconn=65535
The value of somaxconn sets the maximum number of pending TCP
connections.


D. HP-UX
/usr/sbin/ndd -set /dev/tcp tcp_syn_rcvd_max 1024
/usr/sbin/ndd -set /dev/tcp tcp_conn_request_max 200


E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=1280
Increases the size of the socket queue (effectively, q0).


/sbin/sysctl -w net.ipv4.tcp_syn_cookies=1
Enables support for TCP SYN cookies, which mitigates the
effectiveness of SYN floods. However, this may cause performance
problems for large windows (see RFC1323 and RFC2018). To read
more about SYN cookies, please review DJ Bernstein's paper on
the subject.


F. FreeBSD
sysctl -w kern.ipc.somaxconn=1024


G. IRIX
The listen() queue is hardcoded to 32. However, the system
actually enforces the limit of pending connections as
((3 * backlog) / 2) + 1. This yields a maximum backlog of 49
connections.




3. Redirects

A miscreant can use IP redirects to modify the routing table on a
remote host. In a well-designed network, redirects to the end
stations should not be required. Both the sending and accepting
of redirects should be disabled.

A. AIX
/usr/sbin/no -o ipignoreredirects=1
/usr/sbin/no -o ipsendredirects=0


B. Solaris
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0


C. Tru64 UNIX
No tuning recommendations.


D. HP-UX
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0


E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0


F. FreeBSD
sysctl -w net.inet.icmp.drop_redirect=1
sysctl -w net.inet.icmp.log_redirect=1
sysctl -w net.inet.ip.redirect=0
sysctl -w net.inet6.ip6.redirect=0


G. IRIX
/usr/sbin/systune icmp_dropredirects to 1




4. ARP cleanup

It is possible for a miscreant to cause resource exhaustion or
performance degradation by filling the IP route cache with bogus
ARP entries. In Solaris, there are two parameters that govern the
cleanup interval for the IP route cache. For unsolicited ARP
responses, the parameter to be tuned is arp_cleanup_interval. In
AIX, the cleanup interval is governed by the value of arpt_killc.
However, this parameter governs both solicited and unsolicited ARP
entries. For this reason, it is likely best to leave the parameter
at the default setting of 20 minutes.

A. AIX
/usr/sbin/no -o arpt_killc=20


B. Solaris
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000


C. Tru64 UNIX
No tuning recommendations.


D. HP-UX
By default set to five minutes.


E. Linux kernel 2.2
No tuning recommendations.


F. FreeBSD
sysctl -w net.link.ether.inet.max_age=1200


G. IRIX
No tuning recommendations.




5. Source routing

With source routing, an attacker can attempt to reach internal IP
addresses - including RFC1918 addresses. It is important to disable
the acceptance of source routed packets to prevent subtle probes of
your internal networks.

A. AIX
/usr/sbin/no -o ipsrcroutesend=0
Disable the sending of source routed packets.


/usr/sbin/no -o ipsrcrouteforward=0
This is important if the box is routing, e.g. a firewall.
Disable this feature to prevent the host from forwarding source
routed packets.


B. Solaris
/usr/sbin/ndd -set /dev/ip ip_src_route_forward 0
This is important if the box is routing, e.g. a firewall.
Disable this feature to prevent the host from forwarding source
routed packets.


C. Tru64 UNIX
No tuning recommendations.


D. HP-UX
ndd -set /dev/ip ip_forward_src_routed 0
Disable this feature to prevent the host from forwarding source
routed packets.


E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
Drop all source route packets.


/sbin/sysctl -w net.ipv4.conf.all.forwarding=0
/sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
Do not forward source routed frames.


F. FreeBSD
sysctl -w net.inet.ip.sourceroute=0
sysctl -w net.inet.ip.accept_sourceroute=0


G. IRIX
/usr/sbin/systune ipforward to 2




6. TIME_WAIT setting

On a busy web server, many sockets may linger in the TIME_WAIT state.
This is caused by improperly coded client applications that do not
properly shut down a socket. This can also be used as a type of DDoS
attack.

A. AIX
No tuning recommendations.


B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 60000
This parameter affects the amount of time a TCP socket will
remain in the TIME_WAIT state. The default is quite high
for a busy web server, so it should be lowered to 60000
milliseconds (60 seconds). The parameter name was corrected
in Solaris 7 and higher. Prior to Solaris 7, the parameter
was incorrectly labeled as tcp_close_wait_interval.


C. Tru64 UNIX
No tuning recommendations.


D. HP-UX
ndd -set /dev/tcp tcp_time_wait_interval 60000
Sockets will linger in TIME_WAIT state no more than 60
seconds.


E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.vs.timeout_timewait=60
Sockets will linger in TIME_WAIT state for no more than 60
seconds.


F. FreeBSD
No tuning recommendations.


G. IRIX
/usr/sbin/systune tcp_2msl to 60




7. Broadcast ECHO response

Smurf attacks work by sending ICMP type 8, code 0 (ECHO REQUEST) messages
to a broadcast address from a spoofed address. Some IP stacks will respond,
by default, to such messages. This should be disabled. Further, if the
host is a firewall (router), it should not propagate directed broadcasts.

A. AIX
/usr/sbin/no -o directed_broadcast=0
Do not respond to directed broadcasts.


B. Solaris
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
Do not respond to directed broadcasts.


/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
Do not forward directed broadcasts.


C. Tru64 UNIX
No tuning recommendations.


D. HP-UX
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
Do not respond to directed broadcasts.


ndd -set /dev/ip ip_forward_directed_broadcasts 0
Do not forward directed broadcasts.


E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
Do not respond to directed broadcasts.


F. FreeBSD
sysctl -w net.inet.icmp.bmcastecho=0


G. IRIX
/usr/sbin/systune allow_brdaddr_srcaddr to 0




8. Other broadcast probes

There are two other broadcast probes that a miscreant could utilize
against a network. The address mask query can be used to map out the
size of the netblock, and set a range for further probes. The
timestamp broadcast is another means of mapping and fingerprinting
hosts.

A. AIX
/usr/sbin/no -o icmpaddressmask=0
Prevent address mask queries.


B. Solaris
/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
Prevent address mask queries.


/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
Disable timestamp broadcast query response.


C. Tru64 UNIX
No tuning recommendations.


D. HP-UX
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
Prevent the host from revealing the configured netmask.


ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
Disable timestamp broadcast query response.


E. Linux kernel 2.2
No tuning recommendations.


F. FreeBSD
sysctl -w net.inet.icmp.maskrepl=0


G. IRIX
Use ipfilterd to block unwanted ICMP types.




9. Support for RFC1948

This will utilize RFC1948 sequence number generation techniques to
ensure that the sequence number for a given TCP socket is very
difficult to guess. This
tactic prevents TCP session hijacking, which could be quite an issue
with e-commerce.

B. Solaris
Set TCP_STRONG_ISS=2 in /etc/default/inetinit.
This will require a reboot to take effect.


G. IRIX
/usr/sbin/systune tcpiss_md5 to 1
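As an added example of what section 9 enables, not from the original guide: the RFC1948 construction ISN = M + F(localhost, localport, remotehost, remoteport, secret), with F taken as the leading 32 bits of an MD5 digest as the RFC suggests. It assumes md5sum(1) is available; the addresses and the secret in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: the RFC1948 construction
#   ISN = M + F(localhost, localport, remotehost, remoteport, secret)
# with F taken as the leading 32 bits of an MD5 digest, as the RFC suggests.
# Assumes md5sum(1); the addresses and the secret used below are constructed.
set -eu

# f <lhost> <lport> <rhost> <rport> <secret>: the per-connection offset.
# The secret is what keeps F unpredictable to anyone who knows the 4-tuple,
# so it must be random and must never leave the host.
f() {
    hex=$(printf '%s|%s|%s|%s|%s' "$1" "$2" "$3" "$4" "$5" | md5sum | cut -c1-8)
    echo $(( 0x$hex ))
}

# isn <M> <lhost> <lport> <rhost> <rport> <secret>: the ISN for clock value M
# (RFC1948 advances M every 4 microseconds), reduced modulo 2^32.
isn() {
    m=$1; shift
    echo $(( (m + $(f "$@")) % 4294967296 ))
}

# The property the defence relies on: for one connection the ISN still
# advances with the clock (so stale segments stay distinguishable), while a
# different 4-tuple gets an unrelated offset, so seeing one connection's ISN
# says nothing about another's.
demo() {
    s=constructed-secret
    printf 'M=1000  %s\n' "$(isn 1000 10.0.0.1 80 192.0.2.7 40000 "$s")"
    printf 'M=1100  %s\n' "$(isn 1100 10.0.0.1 80 192.0.2.7 40000 "$s")"
    printf 'port+1  %s\n' "$(isn 1000 10.0.0.1 80 192.0.2.7 40001 "$s")"
}
demo
```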

Useful vi commands

FAQ 2005/06/27 18:16
o Insert
I: insert at the very beginning of the line
A: insert at the very end of the line

o Combo commands
4w: move forward, skipping 4 words
4b: move backward, skipping 4 words
4j, h, k, l: cursor movement skips the given number of positions,
so you can move around faster.

o Joining lines (J)
If you have two lines and want to append the second line to the end
of the first, press J on the first line.

o Cursor movement
0: start of the line
^: start of the line (the first non-blank character)
$: end of the line
w: move by word
e: like w, but moves to the end of the word
b: move in the opposite direction of w
H, M, L: move the cursor to the top, middle, bottom of the screen

o Search (type / followed by the word to search for)
n: next match (continue in the same direction)
N: previous match (opposite direction)

o Macros
ab aa aaaa: typing aa is automatically expanded to aaaa

o Substitution
s/pattern/replace: replace the first matching pattern on the current line
s/pattern/replace/g: replace every matching pattern on the current line
%s/pattern/replace/g: replace on every line
line1,line2s/pattern/replace: replace within the given range

o Saving
w>> file: append to the specified file

o Window split
Within vi the window is split top and bottom so that two files
can be opened/edited at the same time.
In ex mode (the : prompt) type 'sp filename'.
Switch between windows with Ctrl+w w.

o Miscellaneous
1. d stays in command mode, whereas c deletes and then switches to
insert mode. cc, c$, cw and the like can be put to good use.
2. . repeats the last command.

o Visual mode
As in a Windows text editor, the selected region is highlighted and
can be copied, deleted and so on.
Enter visual mode with v and select the desired region with the cursor keys.
Copy with y, delete/cut with d.

o vi settings (vim settings)
Create .vimrc in your home directory and add lines such as the following.

set ai : auto-indent
set ts=4 : tab stop
set nu : line numbering

o Preventing the staircase effect when pasting into vi from Windows
:set paste

o Remembering positions (same function as UltraEdit's ALT-F2 / F2)
m{a-z}: bookmark the current position as {a-z}
`{a-z}: jump to the remembered {a-z}. If you registered only one,
you can simply use ``.

o Recording
Useful when adding/removing comments in configuration files.
(vi already has a macro feature, but recording is what resembles UltraEdit's macros.)
q{a-z}: start recording into {a-z}. It is not limited to {a-z}; the real set
is {0-9a-zA-Z"}, which is just tedious to write out, so it is shown this way.
q: stop recording
@{a-z}: replay the recording (@@ replays the most recent recording; N@@
replays it N times)

----------------------
[vi] Substitution (substitute)
----------------------
[range] s [/pattern/replacement/] [options] [count]

- Options
c ask for confirmation before each substitution
g global substitution
p print the last substituted line

- Examples
:1,10s/yes/no/g substitute in the first 10 lines
:%s/[Hh]ello/Hi/gc substitute, asking for confirmation
:s/Fortran/\U&/ 3 replace "Fortran" with its uppercase form in the next 3 lines
:g/^[0-9][0-9]*/s//Line &:/ add a "Line N:" prefix on every line that starts with a number

----------------------
[vi] Editing while switching between files
----------------------
:e#

"f4yy → :w → :e other_file → "fp
copy 4 lines into buffer f, then paste them
"F6yy
append 6 lines to buffer f