[ Installing TCP Wrapper ]

1) TCP Wrapper

   TCP Wrapper is an access control program for network applications that are started by the inetd daemon.

2) Obtain the TCP Wrapper program.

   ftp://ftp.cert-kr.or.kr/pub/Security/tool/tcp_wrappers/tcp_wrappers_7.4.tar.gz

3) Unpack the downloaded program in a suitable directory.
   e.g.) here, the /usr/local/etc directory

   tech% cd /usr/local/etc
   tech% ls
   tcp_wrappers_7.4.tar.gz
   tech% gunzip -cd tcp_wrappers_7.4.tar.gz | tar xpf -
   tech% cd tcp_wrappers_7.4
   tech% ls
   BLURB             fromhost.c        patchlevel.h      tcpd.8
   Banners.Makefile  hosts_access.3    percent_m.c       tcpd.c
   CHANGES           hosts_access.5    percent_x.c       tcpd.h
   DISCLAIMER        hosts_access.c    printf.ck         tcpdchk.8
   Makefile          hosts_ctl.c       ptx.c             tcpdchk.c
   README            hosts_options.5   refuse.c          tcpdmatch.8
   README.IRIX       inetcf.c          rfc931.c          tcpdmatch.c
   README.NIS        inetcf.h          safe_finger.c     tli-sequent.c
   clean_exit.c      misc.c            scaffold.c        tli-sequent.h
   diag.c            miscd.c           scaffold.h        tli.c
   environ.c         mystdarg.h        setenv.c          try-from.c
   eval.c            myvsyslog.c       shell_cmd.c       update.c
   fakelog.c         ncr.c             socket.c          vfprintf.c
   fix_options.c     options.c         strcasecmp.c      workarounds.c

4) It is a good idea to read the README file first.

5) How to compile

   ① You first need to know the type of the system you are installing on, so check it as follows.

      tech% uname -a
      SunOS tech 5.5.1 Generic_103640-01 sun4m sparc sun4m

   ② Running "make" in the directory where the archive was unpacked prints a message telling you to run it as make sys-type, together with a list of the supported types. Pick the one that matches your system and compile as follows.

      tech% make sunos5

   [Note!] Near the end of the README file there is a section called "easy configuration" that describes this setting. However, going by the output of the uname command above and trying sun, Sun, SunOS, sun4m, sparc and so on, make produced an error. Opening the Makefile, on the other hand, shows the usage and the supported system types:
      @echo "This Makefile knows about the following sys-types:"
      @echo
      @echo "    generic (most bsd-ish systems with sys5 compatibility)"
      @echo "    386bsd aix alpha apollo convex-ultranet dell-gcc dgux dgux543"
      @echo "    dynix epix esix freebsd hpux irix4 irix5 isc(untested) iunix linux"
      @echo "    machten mips(untested) ncrsvr4 netbsd next osf ptx-2.x ptx-generic"
      @echo "    pyramid sco sco-nis sco-od2 sco-os5 sunos4 sunos40 sunos5"
      @echo "    sysv4 ultrix unicos7 unicos8 unixware1 unixware2 uxp"

   On Solaris 2.5, choosing sunos5 made the compile run. (The following is the procedure as written in the README and the Makefile.)

   If it does not compile as expected, open the Makefile in the "vi" editor, find the REAL_DAEMON_DIR section that starts around line 40, uncomment the entry that matches your system, and compile again. Of course, if you run it as below from the start, everything is fine:

      tech% make REAL_DAEMON_DIR=/usr/sbin sys-type

   (The REAL_DAEMON_DIR value may differ from system to system.)

   ③ When compilation finishes normally, five executables are created: tcpdchk, safe_finger, try-from, tcpdmatch and tcpd. Their functions are as follows.

      tcpd        : the TCP Wrapper program (daemon)
      tcpdchk     : TCP Wrapper configuration check program
      tcpdmatch   : TCP Wrapper access control check program
      try-from    : user check utility
      safe_finger : finger check utility

6) Installing the online manuals

   # ls *.[1-8]
   hosts_access.3   hosts_options.5  tcpdchk.8
   hosts_access.5   tcpd.8           tcpdmatch.8
   # cp *.3 /usr/local/man/man3
   # cp *.5 /usr/local/man/man5
   # cp *.8 /usr/local/man/man8

7) Configuration

   ① To put access to telnet and the other applications under the control of the TCP Wrapper program above, edit the "/etc/inetd.conf" file.

      # vi /etc/inetd.conf

   For example, entries written in the form

      ftp     stream  tcp  nowait  root  /etc/ftpd     in.ftpd
                                         ~~~~~~~~~     =======
      telnet  stream  tcp  nowait  root  /etc/telnetd  in.telnetd
                                         ~~~~~~~~~~~~  ==========

   are changed by replacing the ~~~ part with /usr/local/etc/tcpd, as follows.
      ftp     stream  tcp  nowait  root  /usr/local/etc/tcpd  in.ftpd
                                         ~~~~~~~~~~~~~~~~~~~
      telnet  stream  tcp  nowait  root  /usr/local/etc/tcpd  in.telnetd
                                         ~~~~~~~~~~~~~~~~~~~

   (On some systems the === part is just ftpd, telnetd and so on; in that case do not prepend in. and write the entry as in the following example.

      telnet  stream  tcp  nowait  root  /usr/local/etc/tcpd  telnetd)

   ② Besides ftp and telnet, "/etc/inetd.conf" may also contain other tcp or udp services such as finger, exec, rsh, rlogin, tftp, talk and comsat, so replace every service that needs access control with /usr/local/etc/tcpd in the same way.

   [Example after editing]

      ftp     stream  tcp  nowait  root    /usr/local/etc/tcpd  in.ftpd
      telnet  stream  tcp  nowait  root    /usr/local/etc/tcpd  in.telnetd
      tftp    dgram   udp  wait    nobody  /usr/local/etc/tcpd  in.tftpd -n
      finger  stream  tcp  nowait  nobody  /usr/local/etc/tcpd  in.fingerd
      exec    stream  tcp  nowait  root    /usr/local/etc/tcpd  in.rexecd
      login   stream  tcp  nowait  root    /usr/local/etc/tcpd  in.rlogind
      shell   stream  tcp  nowait  root    /usr/local/etc/tcpd  in.rshd
      talk    dgram   udp  wait    root    /usr/local/etc/tcpd  in.talkd
      ntalk   dgram   udp  wait    root    /usr/local/etc/tcpd  in.talkd

   ③ Next, write the control files that hold the rules by which tcpd decides whether to allow access.

   i) First write the file that denies access, "/etc/hosts.deny".

      # cat /etc/hosts.deny
      ALL: ALL : ( (/usr/local/etc/safe_finger -l %u@%h;\
      echo "--- USERS LIST ---";/usr/bin/rusers -l -i %h) | \
      /usr/bin/mail -s "%d에의해 %h에서 mars로..." root@tech.svc.hei.co.kr) &
      #ALL: ALL : (/usr/local/etc/safe_finger -l @%h | \
      /usr/bin/mail -s %d-%h root) &

   The first rule above mails the log of any intrusion attempt from outside to a fixed place, root on tech; the second rule, commented out with #, would mail it to root on the local system instead.

   ii) Next write the file that permits access, "/etc/hosts.allow".

      # cat /etc/hosts.allow
      in.ftpd:     LOCAL .svc.hei.co.kr 203.240.
      in.telnetd:  LOCAL .svc.hei.co.kr 203.240.
      in.tftpd:    LOCAL .svc.hei.co.kr 203.240.
      in.fingerd:  LOCAL .svc.hei.co.kr 203.240.
      in.rexecd:   LOCAL .svc.hei.co.kr 203.240.
      in.rlogind:  LOCAL .svc.hei.co.kr 203.240.
      in.rshd:     LOCAL .svc.hei.co.kr 203.240.
      in.talkd:    LOCAL .svc.hei.co.kr 203.240.

   (If one of the daemons above appears in /etc/inetd.conf without the in. prefix, for example as ftpd, it must be written here without the in. prefix as well, as in the example below.

      e.g.) ftpd:  LOCAL .svc.hei.co.kr 203.240.

   Take care: if the daemon names do not match each other, you will see symptoms such as all access being refused.)

   iii) How to write the control files

   -. Format of a control file entry

      server program : client list [ : shell command list ]

   -. Ways of writing the client list

      a) by host IP address
            203.240.159.31
      b) by network address and netmask
            203.240.159.0/255.255.255.0
      c) by netgroup
            @local-network
         (in this case the named netgroup must be registered in /etc/netgroup)
      d) by host name
            hyundai2.svc.hei.co.kr
            .svc.hei.co.kr
         (writing only the domain name, as in the second form, applies to every host registered in that domain)
      e) the wildcard LOCAL, meaning every local host name in /etc/hosts
      f) the wildcard ALL, meaning every host
      g) a combination of user name and host name
            melanie@hyundai2.svc.hei.co.kr

   -. A host that is listed in neither hosts.allow nor hosts.deny is granted access, so the usual recommendation is to deny every host in hosts.deny and then grant access selectively in hosts.allow.

   -. In particular, %h and %d are TCP Wrapper expansions that stand for the host name and the daemon process name respectively.

8) When all the settings are done, kill the inetd daemon and start it again. The settings take effect once it is re-initialized.

   # kill -9 inetd daemon process ID
             ~~~~~~~~~~~~~~~~~~~~~~~

Revision History
   Date written : 97.3.24
   Author       : 심민선
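As an added example (not part of the original page and not tcp_wrappers code), the following Python script simulates the evaluation order described in 7) iii) above: hosts.allow is consulted first, then hosts.deny, and a host matched by neither is let in, which is why the page recommends an ALL: ALL deny rule. It also reproduces the daemon-name mismatch warning from 7) ii): an inetd.conf entry named telnetd never matches an in.telnetd rule. The sample rule files, host names and addresses are constructed, and netgroups (form c) are treated as never matching since no /etc/netgroup is read.

```python
# Added example: simulator of tcpd's hosts.allow / hosts.deny decision (not tcp_wrappers code).
import ipaddress

def parse_rules(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines; a trailing \\ joins lines."""
    rules, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        buf += line[:-1] if line.endswith("\\") else line
        if line.endswith("\\"):
            continue                              # continued on the next line
        parts = [p.strip() for p in buf.split(":", 2)]
        buf = ""
        rules.append((parts[0].split(), parts[1].split(), parts[2] if len(parts) > 2 else None))
    return rules

def match_client(pattern, host, ip, user=None):
    """Does one client-list token match the connecting host name / address / user?"""
    if pattern.startswith("@"):                   # netgroup (form c): no /etc/netgroup here
        return False
    if "@" in pattern:                            # user@host (form g): needs an ident lookup
        want_user, pattern = pattern.split("@", 1)
        if user != want_user:
            return False
    if pattern == "ALL":                          # form f
        return True
    if pattern == "LOCAL":                        # form e: a host name without a dot
        return "." not in host
    if "/" in pattern:                            # form b: net/mask
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.startswith("."):                   # form d: domain suffix
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                     # leading address octets, e.g. 203.240.
        return ip.startswith(pattern)
    return pattern.lower() == host.lower() or pattern == ip   # forms a and d

def decide(allow_text, deny_text, daemon, host, ip, user=None):
    """First hosts.allow match grants, else first hosts.deny match refuses, else access is granted."""
    for text, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients, _cmd in parse_rules(text):
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(match_client(c, host, ip, user) for c in clients):
                return verdict
    return "allow"                                # listed nowhere: tcpd lets the host in

# Constructed sample files in the style of section 7).
HOSTS_ALLOW = "in.telnetd: LOCAL .svc.hei.co.kr 203.240.\nin.ftpd: 203.240.159.0/255.255.255.0\n"
HOSTS_DENY = "ALL: ALL : (/usr/local/etc/safe_finger -l @%h | \\\n  /usr/bin/mail -s %d-%h root) &\n"
```

With an empty hosts.deny, decide() returns "allow" for a daemon and host that appear in no rule at all, which is the gap the ALL: ALL rule closes.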