• m Linux pЉ|
    Last updated: 2011/07/21
    qLĤ@gX⏤A{bARMwgQ Linux sW Internet FCOA Linux {bROwC ]Ab}lA]weAڭ̥nAtjǡIHקKQcN cracker ҧ@[Ibo@SA ڭ̷|ʥ]yVAMھMyVӨqtjƪy{I]AuW۰ʤɯšBAȺޱH SELinux ΆΡC{bNAAoI


    7.1 How network packet connections enter the host

    bo@SAڭ̭nQAOASӦۤ@ӺWsunDQiJڭ̪DEɡA oӺʥ]biJDEڨoƪӬy{OpHAFӬy{A A~|o{GӨtާ@yOpnI ӧA]~|AnpO@ADEwoIܤֻAԒ@@@C


    7.1.1 How a packet enters the host

    bĤ@ڭ̴N͹Lsuy{A S|ҤlOƱAiHz[]AݭnA@~t[Cbo@SAڭ̭nNMy{NoƻA ]AzLoӬy{RAA|Dԣڭ̪DEݭniL@Ǩ@At~^jC~AzLĤGتyAA]AFOUVAAPΤݳon IP:port ~^n餬۷qC{bA]ADEO WWW AAzLUϥܡAʥ]piJADEOH

    Figure 7.1-1: Flow of a packet entering the host
    1. gLRG

      Linux tتEA]Asuणন\Aonݨy~Cw] Linux NEAoEOWߦsbA]ڭ̹w]NhCĤ@hOʥ]Lo netfilter A t@ӫhOzLn鱱ު TCP Wrappers C

      • ʥ]LoGIP Filtering Net Filter
        niJ Linux Eʥ]|qL Linux ֤ߪw]ANO٬ netfilter NNA̔xANO iptables oӳnҴѪ\C٬ʥ]LoOH]LDnOR TCP/IP ʥ]YӶiLoEADnRO OSI ĤGBTB|hADnNO MAC, IP, ICMP, TCP P UDP fPA (SYN, ACK...) ΡCNƧڭ̷|bĤEبC

      • ĤGhGTCP Wrappers
        qL netfilter Aʥ]|}l^ Super daemons TCP_Wrappers ˇAӬOOH FNO /etc/hosts.allow P /etc/hosts.deny ]wɥ\oC oӥ\]Ow TCP Header iARAP˧AiH]w@EөY IP Port Anӷݪʥ]QγqLˇF

      zLޱAڭ̥iHNjӦۺںUsuAu\ۤv}񪺪AȪsuiJEӤwA iHF̰䪺w@C

    2. A (daemon) 򥻥\G

      w]O Linux إ\ADn޲zO MAC, IP, Port Ϋʥ]Y譱TApGQnެYǥؿiHiJA YǥؿhLkϥΪ\ANonzLvHΦAn鴣Ѫ}\FC|ҨӻAAiHb httpd.conf oӳ]wɤWdY IP ӷϥ httpd oӪAȨӨoDEơA YM IP qLehLoAL̂HLkoDE귽In`NOA pG httpd o{ӴNDܡA client ݱNi^Q httpd n骺|}ӤJIDEAӤݭnoDE root KXI]A np߳oǎŰʦbںWnI

    3. SELinux AȪNvG

      FקKe@ӨBJv~ΡAΪ̬O{ǦDҳywpA] Security Enhanced Linux (wj Linux) Nӵo\TI̔xASELinux iHwAȪvӳ]w@dzWh (policy) A{ǯ^i檺\঳A ]YϨϥΪ̪ɮv]wh~AHε{ǦDɡAM{ǯ^i檺ʧ@ROQAYM{ǨϥΪO root v]@ˡC|ҨӻAe@ӨBJ httpd uQ cracker @o root ϥvAѩ httpd wgQ SELinux b /var/www/html ̭AB^i檺\wgQWdFA] cracker NLkϥM{ǨӶiti@B}aoC{bo SELinux @wn}ųI

    4. ϥΥDEɮרt귽G

      Q@QAAϥss^ WWW DE̥DnتOHSMNOŪDE WWW TI WWW ƬOHNOɮה[I^_^IҥHA̜ʥ]OnVDEnDɮרtTC ڭ̳o̰]Anϥ httpd o{Өotɮ׸ơA httpd w]OѤ@ӨtbW٬ httpd ӎŰʪAҥHGAƪvSMNOn httpd o{iHŪ~[IpGAeT}]w OK A̜v]wh~AϥΪ̨̂HLksAƪC

    boǨBJ~Aڭ̪ Linux Hά}n鳣iR|䴩nɰO\AFOv{A HK޲z̦bӪh~d߻PJIA}nRnɪߺDO@wnإߪAרO /var/log/messages P /var/log/secure oǭɮסIMUjDn Linux distribution jhXAXL̦ۤvnɤRnAҦp CentOS logwatch ALܳMnäoAXҦ distributions AҥHmۤvgF@ logfile.sh shell scriptAAiHbU}UM{G

    nFAھڳoǬy{AA\o cracker oǭaJ^˪@ڭ̪tOHonQn}aA ڭ̤~^QkӸɱjtIU򥻪@koC


    7.1.2 Common attack methods and related protections

    ڭ̥ 7.1-1 Aƶǰe쥻EɩһݭngLXDuAvO̫᪺}gTI {bARMMEڭ̱``bg̭@ͨ]wTviHO@ADEFaH cracker OpzLWzy{R^@At[HUNڭ̨ӤRRC


    • Obtaining account information and then guessing passwords

    ѩܦhHwΦۤvWrӧ@bTA]boOܮeI|ҨӻApGABͱNA email address p߬|XhAҦpG dmtsai@your.host.name ˦AHaN|DA@DEAW٬ your.host.nameABboDEW|@ӨϥΪ̱bAbW٬ dmtsai AoaåAQάYǯSnҦp nmap ӶiADE port scan AKKILNiH}lzLADEŰʪn\ӲqAoӱbKXFI

    t~ApGA``[ԎADEnɡAA]|o{pGADEŰ Mail server AȮɡA AnɴN|``X{ǩdzåH@ǩ_Ǫ`bbϲqAKXA |Ҩӻ^Gadmin, administrator, webmaster .... bAѨApHHC pGADEuobAӥBobRS}nKXWُANeyAzI IuOꐷСIҥHڭ̱`AtbdU൹KXAeQqKX[I

    oRqKX@覡O̦JIҦ@FA@̪DAbAΪ̬OiHqXӧAtDZbA ʪNuOKXӤwA]L|yܧVOzhqAKXAɡAAKXWُpGnܡAܮeNQ@FI DE]ܮeQj[[IҥHA}nKX]mߺDOܭnC

    LoR@覡OɡA]ثeܦhn鳣KXKJӋApGsKJTKXRন\nJA MsuN|Q_uIҥHAoR@覡q֡AثeR|ݨNOFIo]O cracker |ϥΪ覡@C ڭ̭npO@OH򥻤覡Oo˪G

    • ָTnE|GҦpnN Email Address HNG Internet WYF
    • إ߸Y檺KX]wWhG]A /etc/shadow, /etc/login.defs ɮת]wA ijAiHѦgb޲z@بӳWdAϥΪ̱KXܧɶΆΡA pGDE^TwB|[JYDZbɡA]iHҼ{ϥ chattr ӭb (/etc/passwd, /etc/shadow) F
    • v]wGѩo@覡|oAYӨϥΪ̱bnJvA ҥHpGAtv]woyܡA@̤]ȯo@ϥΪ̪vӤwADEˮ`TI ҥHAv]wOnF


    • "Active" attacks that exploit program vulnerabilities on the system

    7.1-1 ̭ĤGӨBJAڭ̪DpGADE}AȮɡA NŰʬYӺnIڭ̤]Dѩni༉g覡DAiಣͤ@Ƿ|Q cracker åΪ䔁{XAӳoǯ䔁{Xѩ󲣥ͰDjpA bug (䔁Ai|ytTwSE) P Security (wDA{Xg覡|fPtϥvQcN̩Ҵx) ΰDC

    S{DQAYǸ@픪 cracker |g@ǰwoӺ|}@{XA åBNoӵ{Xm cracker `hWA]HPۤvy\Oz..... mnOAoR{XyOܮeQozC ShyլլLl(xyASƷFN)zooǵ{XALi|Qny@oӧ@{¤OzA ҥHNӡygz@fApGAKrAΪSѬPyaACɡAiN|Qpߪ@...

    oR@ҦOثe̱`A]@̥un@{NiHi@FA yӥBѧ@}loAt root vݭnqKXA ݭnAN^ߨJI\zAҥHyլլLlz̷̳RNOoөNNFC oӪNॻOayADE{|}zӧ@AҥHApGADEHɫObYɧs픬qA Ϊ̬O}jݭn{ANiH׹LoӰDC]AARMno˰G

    • }ݭnAȡG} port V֡AiHQJI޹DV֡A @DEtdAȶVx¡AVeXDIC
    • HɫOsGoӨSI@wni檺I
    • }ݭnn\G|ҨӻA᭱|쪺hݵnJA SSH iH root ѭhݵnJAMIƱSMnL[I^_^


    • Deception through social engineering

    u{ (Social Engineering) ̔xANOzLHPHʨӹFyJIzتI @_@IHPHʥiHJIADEHmbIVAܡHSMOC

    bxW|AO`ݨYǤH|Hyh|BvBpQRQ~zΦWqӴF}ѦʩmA ѦʩmǥXfU̪QǥicҶܡHu{]OkCbjq̭A γ\Ai|^o˪qܡGyڬOHƈgzAڪbMnJFH Aڬݤ@ݡAHۯܪ^Dڥtؤ@ӱbAڧiDAڭnKXO....zCpGA@ɤdLbKXܡA ADEiNo˳QjF

    u{FkhOA]AϥΡynߪ email qzByĵiHzByvxzΆΡA bbOnFAbKXAhQγ覡ӴFAbYǴcNWKJAbKXA ܰQTI|ҨӻAڭ̱Xsp email ``|t@HAnڭ̱NbKX浹t޲z@ޡA oSMOIpڥ|HXo˪H[I˸TIҥHn`N[Inp󨾽dOH

    • l}̡ͪGn@۫HAAnHߪVWeNA n@ɤ߷WNFpI
    • nHNzSb/KXθTG̦nnHNb Internet WgoǸơA uܦMII]b Internet WAAíhD݁e۪O֡H


    • "Passive" attacks that abuse program features

    HFDʧ@~ARҿתQʧ@HSh[AytzIp@Qʧ@OH NonѡycNz_FCpGAwWHNsܡA򦳪ɭԥi|sW@ǼsiܦhA Ϊ̬O@ͼuXAoǺR|ܦnߪyѧAܦhnΪn۰ʤUPwUz\A pGMOAҫHAҦp Red Hat, CentOS, Windows xܡARnA pGO@ӧA]MELOFAAO_nPNUwUMnH

    pGA``b`N@ǺMEBz}sDɡA`|o{ Windows s (IE) DA ɫhOs (Firefox, Netscap, IE...) |X{DCA||\o_ǔ[A ys]|DHzoO]ܦhs|DʪR WWW DEҴѪU{\A Ϊ̬O۰ʦwUӦ۹DEnAsRiѩ{oͦwDA WWW soHǰecN{XADEӰAKKIAI

    AS|Q[AڷFs˪cNHI`O|DzʤߤjNɭԔ[IpGAѤpߦ@ email A̭iDAAȦbDAƱAԒsWYӺhݬݧAbO_bDCAA||hH pGѦӺYYbѤjSΫ~AA||hIIBH Oi઺[ILAo]NܮeQ@FC

    p󨾷Q[HSMإߨ}nߺḒnFG

    • HɧsDEWҦnGpGAsOSDA ǻcN{XɡAAsN|A۵Mwh[I
    • pƳn骺\G|ҨӻAAHn餣nDʪUɮסA AsbwUYdznɡAnqLAT{~wUAo˴NeJA@ǤpꐷСF
    • ns^줣DEGm{oӤ~I ]ܦhɭԧڭ̳ google bjMDMD[AAp󪾹DO_OFHH ҥHAeIQROܭnInHSs^WcNN|D[I


    • Worm or Trojan horse rootkits

    rootkit NOiHo root v@suœ (kit)ANpPeDʧ@{|}k@ˡA rootkit Dn]OzLDE{|}CLA rootkit ]|zLu{ϥΪ̤UBwU rootkit nA G cracker oH̔xj[DE[I

    rootkit FiHzLWzkӶiJI~Arootkit R|UΪ̬OiۧڽƻsA |ҨӻAܦh rootkit NOįΪ̬O}{Cį|ADE@oeʥ]V~@A G|AWeQYAҦp 2001-2003 ~ Nimda, Code Red ΆΡFܩ}{ (Trojan Horse) h|ADEi}ū (}@ port cracker DʪJI)AGNO....j[Bj[Bj[I

    rootkit nl}A]ܦhɭԥL|Dʪhקt[ԎOA ]A ls, top, netstat, ps, who, w, last, find ΆΡAAݤYǦD{A p@ӡAA Linux DENܮeQSOtOFI^MIIp󨾷QOH


    • DDoS attacks (Distributed Denial of Service)

    o@ꑮy_Aȧ@zAqrWNqӬݡANOzLbUa͹qi@A AtҴѪAȳQ_ӵLkQѪAȵLΤ᪺覡C oR@k]ܭnRAӥBkܦhA̱`N SYN Flood @kFIROoڭ̦b̭쪺ASDE^F@ӱa SYN TCP ʥ]AN|ťιnD port ӆΫݳsuAåBoeX^Rʥ] (a SYN/ACK XA TCP ʥ])AÆΫ Client ݪA^RC

    nFAboӨBJSڭ̨ӷQ@QApG cient ݦboeX SYN ʥ]AoNӦ Server ݪT{ʥ]AA Server ݴN|@ņΡAӥB Client ݥiHzLn\AbuuɶoeXo˪ SYN ʥ]AA Server N|_oeT{ʥ]AåB}Ťjq port bņΡIΨDE port ťΧܡA.....tNFI

    iȪOAq`@DE@褣|u@IL|zL Internet Wͺ (wgtOADoSo{DE) oʥ@AADEbuɶNߨ豾IC oR DDoS @kyɥۭѵIzqA LOJIAtAӬOnAtLk`ѪAȡI ̱`QΨӧ@_AȪAȴNO WWW FA] WWW q`o Internet }AȡC

    oR@k]OBzA]nNont֤ߦ䴩۰ʩ DDoS @EA nANonۦ漉gnӧP_IuOꐷД[ӰDAD`jA åByoo֤HzA_hRM|Q DDoS @TI ^_^


    • Others

    W쪺O`@kAOR@@񪺧@kTALǧ@kݭn@޳NǡAҦp IP FCLiHFADEiMʥ]ӷOӦ۫HkAӥBzLʥ]ǰeEA ѧ@@򪺥DʵoeXT{ʥ]Pu@OCp@ӡAADEiN|~PMʥ]T^RA ӥBOӦۤDEC

    Lڭ̪DںOѪAӨCDEbC@Ӯɬq ACK T{XۦPA ҥHoӤ覡nFiHnJA|ꐷСAҥHAӮeoͦbڭ̳oǤpDEWTI LAROon`N@UG

    • ]wWhGQ Linux تn iptables إ߸AiHd@欰F
    • ֤ߥ\GozAAnt֤ߦܲ`JAA ~k]wnA֤ߺ\C
    • nɻPtʱGAiHzLRnɨAtpA t~]iHzL MRTG ʱn ӧYAtO_`AoǤu@OܦnVOVI


    • Brief summary

    nAtwASyTTzOSkyWqszIڭ̤]@jA y@[]Rnnz[I]y@HoDɤѡzAP˪DzGy@HAIzA nHADESԣnơAQJIγQĤJ}]S}YA ]ڭ̪Aq`|鷺ӷDEWdePApGADEbqA Op߳QJIܡAQqAO_N|SbMISFH

    t~AbįܡyoFz~NAڭ̤]|o{unk̭@DEAAӰkN|LkϥκFA ]WewgQįzIpGso{LѨSkHFALkH]ëDAIA ӬO]HYӤHqFįAӨDEį]uO]MϥΪ̤pߥhݤF@UⱡA A\os|@Mu@_ݦⱡRO fire MHH

    ҥH[ADE@ROܭnInpݤFIѴXӤVjaҬݬݧaG

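    1. Establish sound rules and restrictions for login passwords;
    2. Set host permissions properly;
    3. Set up automatic upgrades and patching of software vulnerabilities, and remove dangerous software;
    4. Harden the security-related items in the configuration of every system service;
    5. Use iptables and TCP_Wrappers to strengthen the network firewall;
    6. Use host monitoring software such as MRTG and logwatch to analyze host status and log files;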
    7.1.3 Protections the host can apply: software updates, fewer network services, enabling SELinux

    ھڥثeRA{bADʥ]yVHΥDE򥻻ݭni檺@FCLAγ\ROü{ANOA JMڳwgFAvTBKXYKTBAn骺sTBSELinux TΆΪA O_NSo򭫭nOHܳOʥ]iJĤ@}dIo}}YAiHyLePܡH...AhFI }YǪAȪAӻAAyڥ򧾤@ˡAOSΪIz򻡩OH


    • The importance of software updates

    ڭ@@@ 7.1-1 y{nFA]Aݭn@ɶ} WWW A򴣨 WWW AȪ httpd o{NonAåBAAon} port 80 @ɳiHs^A port 80 Aoˤ~O@Xz WWW AIDTApG httpd o{w譱DɡAаݨSĥΡHSMSI]쥻Non} port 80 [IɨA WWW @I@]SCH

    SԣnANOns̷sNFI]ۥѳnNOoӦnBASA{DɡA }oη|b̵uɶoӤuѪ׸ɵ{ (patch) AñNM{XɥRnsƮwA @ΤiH^zLӦ۰ʧsC]AnJAoӦAn骺DAstnNFC

    OAon`NAAt_snPt}I|ҨӻA2003 ~koG Red Hat 9 ثewgS䴩FA pGARONnwU Red Hat 9 oMtAܩpAAonʱNtnzL make ʧ@ӭss̷sA ]AꐷСP˪A Fedora ̷sMѺ۰ʧsAO Fedora C@Ӫ@uA Aiݭn``jTתܧAAoA]w]SCɤ@ӥ~ Linux distributions NܭnTI |ҨӻAmDEIܥثe (2011/07) ROϥ CentOS 4.x A]oӪثeRO@C oAӻAOSnITwPw񤰻򳣭nI

    QnAn骺wqNAiHѦҦpUƳI


    • The importance of knowing your system services

    A^ 7.1-1 SAPɫҤ@UĤGغ̭ͨ쪺suOUVoơA ڭ̷|o@ӵסANOb 7.1-1 ĤGӨBJApG^֦AWofA ɦ]AݨSiѳsufAΤSM]NLksuAݹIp󭭨A}ŪfOH ĤGشNͨLFA}f覡OzL}AȡCSh[IҥHoAɯ^ֺAȴN֡AiHקKܦhnꐷСC


    • Permissions and the help of SELinux

    ھںWh~Ӫ[ԎAܦhBͦbov譱DA|^NYӥؿ^׭q chmod -R 777 /some/path/C pGoDEuOΪSWѪAȡARnCpGWѬYǪAȮɡAiN˸FI]ؿ wx v]w@_A NMiHisWPRʧ@CAS 777 (rwxrwxrwx) ANҦHiHbMؿUisWPRI U@p߬Y{Q@ӳQoާ@vAQQݡAAtNiQgJYǥiȪFFܡH ҥHnHK]wv[I

    pGѩSWُbPsœ]wzáAfPLkϥxªTRTRvӳ]wAtɡAMpOnH S}YAiHzL ACL oӦnΪFI ACL iHwx@bx@sœiSwv]wASnγI LiHUDž Unix v]w譱xZCаѦҰgeI

    pקKϥΪ̶åΨtAó]wvOHoӮɭԴNonzL SELinux ӱFCSELinux iHb{ǻPɮפA[J@DNvA]AYϵ{ǻPɮתvŦXFާ@ʧ@ApG{ǻPɮת SELinux (type) kXɡAM{ǴNLkŪMɮ׳I ~Aڭ̪ CentOS ]wFYDZ`ΪAȨqF\hɮרϥγWh (rule)ApGodzWhSťΡA YvBSELinux FAMAȪ\ROLkQB@I


    ھڳo˪RAڭ̥iHDAHɧstnBsufHγzLŰ SELinux ӭAȪvAgLoT̔xBJAAtNiHoSjO@ISMTA 򪺨HΨtnɤRu@Oݭni檺CثN̾ڳoTIӲ`JC


    7.2 Automatic software upgrades over the network

    b{bںWAcracker bOӦhFIoǶH|QΤwgsbt|}AӶi氻BJIADEC ]AFӬ[]~A̭n Linux `޲zu@ALn骺ɯŤFI LApGϥΪRonۤvC[ԎwqNAåDʥhdߦUj distribution woǺ|}ӴѤɯųn]A uOӤHʤƤFI]AثeNܦhuW^sEX{FIFoǽuW^sn骺qPkA ڭ̨t޲zb޲zDEtWAiNPhoI


    7.2.1 How to upgrade software

    q`mwUn Linux A|}Ũtw]EAMĤ@ƱNOitsTI AO@M Linux mOo˰A]nקKnwDInFA Linux WnMpisPɯũOH ROoAOpwUn骺ܡHNO rpm, tarball P dpkg ܡH ҥHoAAnpGQnɯšANo̾SɧAwUMn骺覡ӶiɯŔ[IӨCR覡AΩʡG

    • RPMG
      oOثe̱` Linux distribution Sn޲z覡A]A CentOS / Fedora / SuSE / Red Hat / Mandriva ΆΡAOϥγoӤ覡Ӻ޲zF

    • TarballG
      Qγn骺xXlXbztWsPwUA @ӻAѩnO^bۤvEWsAҥHį|n@ǡC LAɯŪɭԴNꐷСA]SonUslXåBss@C oRwUҦ`YǯSn (S]tb distribution S)AΪ̬O Gentoo oӱjծį઺ distributionF

    • dpkgG
      O debian o distribution ҨϥΪn޲z覡AP RPM AOzLwsBzAiH end user ^ϥΨӤɯŻPwUC

    |ҨӻApGAtO CentOS Aڭ̪DLϥΪO RPM n޲zҦApGAQnwU B2D nHn`NA B2D Oϥ debian dpkg Ӻ޲zn骺ĄäۦP[InۦwUFI ҥHAnɯŪܡAoAAtWnwUP޲zk~C

    LAӯSרҡANOH Linux (Ҧp Red Hat 9) nɯMpOnH ѩHn䴩ץӴNtAη~qΪ̬Os]SohߤObH䴩WA ҥHAAoӮɭԥiHܡG (1)ɯŨsAҦp CentOS 6.xAΪ̬O (2)Q Tarball ӦۦɯŮ֤߻PnCLAijɯŨsTA]nۦHʤ覡 Tarball wU̷sAbOܶOɶOOAӥBRon``d\xұX̷sA |L@hio͵LkwpC

    ڭֱ̳ob Windows UALѤ@ Live update إiH۰ʪuWɯšA ƦܫܦhrnP}n]XYɪuWsAp@ӥiHznb̷spA uOn[IxIڭ̪ Linux O_o˪\HpGܡAt۰ʶinɯšA NiHPSZFHShITOo˪IҥHNڭ̨ӽͤ@ Linux uWɯEaI

    b Linux ̱`nwU覡G RPM / Tarball / dpkg SATarball ѩoOlXA ҥHn Tarball ӧ@uW۰ʧsOӥii檺AҥHȯ RPM dpkg oRn޲z覡ӶiuWsFC

    RPM P dpkg OҿתۨݩʶܡHoˤݭnߧoI]ڭ̪ RPM P dpkg nɮ׳@dzn骺򥻸TA æPɰOFn骺ۨݩ (Ooϥ rpm -q d߶)AҥHSRoǰ򥻸TèϥΤ@ENoǬ̸ۨTOUӫA AzL@B~\AN^۰ʪRAtP׸ɳn餧tA åii@BDARһݭnɯŻPۨݩʪnANiF۰ʤɯŪzQTI

    ѩUa distributions b޲ztWۤvWSQkAҥHbR RPM dpkg nP覡WNҤPA ]NUoǤPuWɯETG

    • yumG
      CentOS P Fedora ұ`Ϊ۰ʤɯEAzL FTP WWW ӶiuWɯťHνuW^wUnF

    • aptG
      ̦ debian o distribution ҵoiA{b B2D ]Oϥ apt APɥѩ apt iĩʡA ҥHunA RPM iHϥ apt Ӻ޲zܡANiHۦإ apt AӴѨLϥΪ̶iuWwUPɯšC

    • youG
      ҿת Yast Online Update (YOU) O SuSE Ҧۦ}oXӪuWwUɯŤ覡A gLUo@œbKXAN^ϥ you EӶiuWɯšCLpGOKOA hȦ 60 ѪδI

    • urpmiG
      oӫhO Mandriva ҴѪuWɯEI

    FoǤɯEåBP distribution @FRAANMAGyC distribution iHϥΪuWɯEۦPz[IҥHаѦҧA distribution ҴѪӶiuWɯŪ]wI_hNonۦʤUwUFI @_@

    mo̳Oϥ CentOS o Red Hat ۮe distributions ӤA]AUȤF yum ӤwC LAyum wg^AΩ CentOS, Red Hat Enterprise Linux, Fedora ΆΡA]RMO^ΪFI t~Ag̭wg͹L rpm P yum ΪkAҥHbo̶ȬO[jPs}ΪkӤwI


    7.2.2 CentOS yum software updates and how mirror sites are used

    ڭ̼gbg̭͹L yum FA򥻤WLzOAڭ̪ CentOS |] yum AWYAUFxX RPM YMxơAMưFOC RPM n骺̩ۨʤ~A]F RPM ɮשҩme (repository) ҦbC]zLRoǸơAڭ̪ CentOS N^^ϥ yum hUPwUһݭnnFI NϥܻPy{I^oˡG

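    Figure 7.2-1: Using yum to download the list headers and obtain repository data (schematic)
    1. Determine the IP address of the yum server from the configuration file;
    2. Connect to the yum server and download the header data of the new RPM files;
    3. Compare against the files the user wants to install or upgrade, and present them to the user for confirmation;
    4. Download the files the user selected into /var/cache/yum on the system, and perform the actual installation;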

    ѩAҤUMxSwgtҦxX RPM ɮתYۨݩʪ}YA ҥHpGAQnwUn]tYǩ|wU̳ۨnɡAڭ̪ yum |KDAUһݭnLnAwwUA AwUAڻݭnnIqRBUwUA@fdwI̔xTI

    LARODCpG@ɨϥ CentOS BͳqqsuP@ Yum AhUһݭn RPM ɮסAzI WeNܮeQzIHS}YAҿתMg[I CentOS b@ɦUaMgAoǬMg|Nx yum Aƽƻs@APɦbMgW]ѦP˪ yum \A]AAiHb@ yum AMgWUPwUnCUO CentOS xWCXȬwaϬMg@G

    {b yum SoA|۰ʪhRmADE̪񪺨MgAM᪽^ϥMMgDE@A yum ӷA ]AyzAWzAݭnʥ]wAbxWAA CentOS N|ϥΥxWaϪ yum AoINo̔xI ҥHA^UӴNڭ̪^ӽͽͫϥ yum aI

    Tips:
    yum zP}ϥΡAڭ̦bg̭wgOLFA]UȴNn@UoI

    7.2.3 Using yum: installation, package groups, whole-system update

    yum i^uW۰ʤɯŦӤwALRiH@dߡBnsœwUB骩ɯņΆΡAnΪI ӽA@U yum oӫOΪkaG

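    [root@www ~]# yum [option] [action] [related parameters]
    Options and parameters:
    option: the main option is:
       -y : when yum would ask the user for confirmation, answer yes automatically without keyboard input;
    
    [action]: depending on what you want to do, choose one of the following:
       install : install the named software, so it must be followed by a "package name"
       update  : upgrade everything; it can also be followed by a package name to upgrade only that package;
       remove  : remove a package; must be followed by the package name;
       search  : search for a package or for an important keyword;
       list    : list the names and versions of all packages managed by yum, somewhat like rpm -qa;
       info    : same as above, but the result is more like rpm -qai;
       clean   : downloaded files are placed under /var/cache/yum; use clean to remove them,
                 items that can be cleaned: packages | headers | metadata | cache, etc.;
    
    The [action] can also operate on a whole package group, as shown below:
       grouplist   : list all available "package groups", for example Development Tools;
       groupinfo   : followed by group_name, shows all the package names contained in that group;
       groupinstall: very handy: installs a complete package group in one step;
                     often combined with --installroot=/some/path to install a new system
       groupremove : remove a package group;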
    
    # Example 1: search the packages CentOS officially provides for anything related to RAID
    [root@www ~]# yum search raid
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile  <== looking for the fastest mirror site
     * base: ftp.isu.edu.tw                     <== three repositories in total
     * extras: ftp.isu.edu.tw                   <== every repository is on ftp.isu.edu.tw
     * updates: ftp.isu.edu.tw
    base                           | 3.7 kB     00:00  <== downloading the package header lists
    extras                         |  951 B     00:00
    updates                        | 3.5 kB     00:00
    =================== Matched: raid =================<== the results found are below
    dmraid.i686 : dmraid (Device-mapper RAID tool and library)
    ....(omitted)....
    mdadm.x86_64 : The mdadm program controls Linux md devices (software RAID
    ....(rest omitted)....
    
    # Example 2: in the output above, what does mdadm do?
    [root@www ~]# yum info mdadm
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: ftp.twaren.net
     * extras: ftp.twaren.net
     * updates: ftp.twaren.net
    Installed Packages  <== this says the package is already installed
    Name       : mdadm
    Arch       : x86_64
    Version    : 3.1.3
    Release    : 1.el6
    Size       : 667 k
    Repo       : installed
    From repo  : anaconda-CentOS-201106060106.x86_64
    Summary    : The mdadm program controls Linux md devices (software RAID
    URL        : http://www.kernel.org/pub/linux/utils/raid/mdadm/
    License    : GPLv2+
    Description: The mdadm program is used to create, manage, and monitor
    ....(rest omitted)....
    # From the Summary keywords above, we know this package implements software RAID.
    

    yum uOӫܦnΪFAiH^d߬O_YǯSnW١C|ҨӻAAiHQΩUӤ覡onW١G

    • yum search "keyword"
    • yum list (lists all package names)

    MAHWܪko}grAΪ̬Oy yum info "nW" zN^DMn骺γ~A̫AMwnnwU[IWdҤ@NObXϺа}C޲znC pGTwnwUɡANѦҰѦҩUy{aI


    • Installing with yum
    # Example 3: install a package, using mdadm as the example:
    [root@www ~]# yum install mdadm
    ....(earlier output omitted)....
    Setting up Install Process
    Package mdadm-3.1.3-1.el6.x86_64 already installed and latest version
    Nothing to do
    
    [root@www ~]# yum install mdadma
    Setting up Install Process
    No package mdadma available.
    Nothing to do
    

    JNݤWzӫOAĤGӫOmGNghrAnW٥ mdadm ܦ mdadma FI[PpGhrɩ҉KXTCѤWzTAiHDAP˓GOyNothing to dozAO yum |iDAMnOywwU (installed and lastest version)zROySMn (No package mdadma available)zC@oӽdҬOƱB̯ͭ^JN݉KXTTInTIڭROӦwU@ӤULA N javacc oMnӗUݬݦnFI

    [root@www ~]# yum list javacc*
    Available Packages
    javacc.x86_64            4.1-0.5.el6      base
    javacc-demo.x86_64       4.1-0.5.el6      base
    javacc-manual.x86_64     4.1-0.5.el6      base
    # There are three packages: javacc, javacc-demo and javacc-manual, all at version 4.1-0.5.el6,
    # and they are stored in the repository named base.
    
    [root@www ~]# yum install javacc
    ....(earlier output omitted)....
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check  <== starts checking for package dependency problems
    ---> Package javacc.x86_64 0:4.1-0.5.el6 set to be updated
    ....(omitted)....
    
    =========================================================================
     Package                     Arch     Version           Repository  Size
    =========================================================================
    Installing:
     javacc                      x86_64   4.1-0.5.el6       base       895 k
    Installing for dependencies:
     java-1.5.0-gcj              x86_64   1.5.0.0-29.1.el6  base       139 k
     java_cup                    x86_64   1:0.10k-5.el6     base       197 k
     sinjdoc                     x86_64   0.5-9.1.el6       base       705 k
    
    Transaction Summary
    =========================================================================
    Install       4 Package(s)  <== package counts: 4 to install, 0 to upgrade
    Upgrade       0 Package(s)
    
    Total download size: 1.9 M
    Installed size: 5.6 M
    Is this ok [y/N]: y  <== lets you confirm whether to download
    Downloading Packages:
    (1/4): java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64.rpm      | 139 kB     00:00
    (2/4): java_cup-0.10k-5.el6.x86_64.rpm                 | 197 kB     00:00
    (3/4): javacc-4.1-0.5.el6.x86_64.rpm                   | 895 kB     00:00
    (4/4): sinjdoc-0.5-9.1.el6.x86_64.rpm                  | 705 kB     00:00
    -------------------------------------------------------------------------
    Total                                         3.1 MB/s | 1.9 MB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing     : java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64             1/4
      Installing     : 1:java_cup-0.10k-5.el6.x86_64                      2/4
      Installing     : sinjdoc-0.5-9.1.el6.x86_64                         3/4
      Installing     : javacc-4.1-0.5.el6.x86_64                          4/4
    
    Installed:            <== the package that was requested
      javacc.x86_64 0:4.1-0.5.el6
    
    Dependency Installed: <== extra packages installed to satisfy dependencies
      java-1.5.0-gcj.x86_64 0:1.5.0.0-29.1.el6   java_cup.x86_64 1:0.10k-5.el6
      sinjdoc.x86_64 0:0.5-9.1.el6
    
    Complete!
    

    @IgL yum ڭ̥iHܻPNwUn@ӳnAåBoӳnwgDʪDڭ̰nۨݩʪJAFA uOKzIt~ACentOS 6.x w]pUAyum UưFCӮeYMxɮפ~AҦU RPM ɮ׳|bwUܤᤩHRI o˧AtN|eqQUƶzDCpGAQnU RPM ɮ~Odb /var/cache/yum SANonק /etc/yum.conf ]wɤFI

    [root@www ~]# vim /etc/yum.conf   <== just take a look; do not actually change it
    [main]
    cachedir=/var/cache/yum/$basearch/$releasever
    keepcache=1
    debuglevel=2
    logfile=/var/log/yum.log
    exactarch=1
    obsoletes=1
    ....(rest omitted)....
    

    WzSraN 0 令 1 Ao˴N^A RPM ɮ׫OsUӡCLADAnhDEnsA AQQΤ@x yum ɯťBUAMNҦ RPM ɮצ_ӵEɯ (rpm -Fvh *.rpm) ~A W vim קʧ@ijקI]A /var ȷ|Qz[IAI


    • Installing package groups with yum

    OynsœzOHѩ RPM nN@ӤjMפnXӤppeӰACӤppeiHWߦwUA o˪nBOiHϥΪ̻Pnoi̦wUPI|ҨӻAbୱt (Desktop)A@ΤRM|]hoinaH ҥHwWqAnsœS "Desktop Platform" P}o "Desktop Platform Development" A CӳnsœSthӤP RPM nɮסIo˰γ~OKϥΪ̦wU@MMTI

    thֳnsœOHSMp[ԎYӳnsœ֦ RPM ɮשOHڭ̴NQ Desktop Platform oӱMרӻ@UoG

    # Example 4: how many package groups does the system have?
    [root@www ~]# LANG=C yum grouplist
    Installed Groups:             <== package groups that are already installed
       Additional Development
       Arabic Support
       Armenian Support
       Base
    ....(omitted)....
    Available Groups:             <== package groups that can still be installed
       Afrikaans Support
       Albanian Support
       Amazigh Support
    ....(omitted)....
       Desktop Platform
       Desktop Platform Development
    ....(rest omitted)....
    
    # Example 5: how many RPM packages does Desktop Platform contain?
    [root@www ~]# yum groupinfo "Desktop Platform"
    Group: ୱ쥭x
     Description: 䴩 CentOS Linux ୱx禡wC
     Mandatory Packages: <== the main packages that will be installed
       atk
    ....(omitted)....
     Optional Packages:  <== additional packages that can be selected
       qt-mysql
    ....(rest omitted)....
    # If you are sure you want to install this package group, do it like this:
    
    [root@www ~]# yum groupinstall "Desktop Platform"
    # Since this is only a demonstration, the author answered n here to decline the installation.
    

    Qγoӡy yum groupinstall "nsœW" ziHA@fwUܦhnA Ӥ߬YӳnѰOUFIbOܤhTӥBQ groupinfo \A]iHo{@ǤhnơA p@ӡAANiHK޲zA Linux tFAܤhaI


    • Whole-system update

    ڭ̳DϥΡyyum updatezNiHin骺sCLAֱoܡH yum update ]iH^iP@ɯųI|ҨӻAAiHq 6.0 ɯŨ 6.1 IӥBL{LhI N@nɯŦӤwAèSPI^r֧aI

    LApGAOQnqH CentOS 5.x ɯŨ 6.x ܡAiNonhOǥ\ҤFCԣn֩OH]AiwgǸƳ]wnAҥHQܧI AP (ex> 5.x --> 6.x) ɯų̦nROnTIswUiO̦npC UCXŎexѪɯŤ覡AH CentOS x^ѪɯŤ覡AѦҰѦҡG

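    Exercise:
    Set up a scheduled job so that your CentOS system updates itself automatically every day.
    Answer:
    You can use "crontab -e", or you can edit the file with "vim /etc/crontab". Because this update is a system-level task, the author prefers to put it in /etc/crontab. The entry is simple:
    40 5 * * * root yum -y update && yum clean packages
    With this entry the system updates automatically, every day at 5:40 in the morning.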


    7.2.4 Choosing a specific mirror site: editing the yum configuration file and clearing the yum cache

    M yum OADE^suW Internet NiH^ϥΪALAѩ CentOS Mgxi|hA |ҨӻAڭ̦bxWAO CentOS MgxoܨFj_ʩΪ̬O饻hASio͔[I [Im譱N``oͳo˪DAnDAڭ̳sujΤ饻t׬OD`COIH SMNOʪק@U yum ]wɴNnoI

    bxWAmx CentOS MgxDnXsjB@t߻PqujC bN~AmӤn@tߡAGstפ֡AӥBs^xWN]D`ֳtI ]AmUijxWBͨϥ@tߪ ftp DE귽ӧ@ yum AӷILA]mEܦhbXsjA ҥHbNWAϥΪϦӬOXsj FTP oCثe@t߹ CentOS ҴѪ}}pUG

    pGAs^Wz}AN|o{̭@ͳsAdzsNOo yum AҴѪeFI ҥH@tߤ]ѤF addons, centosplus, extras, fasttrack, os, updates ήeA̦n{eNO os (tw]n) P updates (nɯŪ) oIѩmbڪΥDEOQ x86_64 A ] os AIihN|opUiѦwU}G

    bWz}OHSI̭nSNOӡy repodata zؿIMؿNOR RPM nҲͪnݩʬ̸ۨƩmBI]ASAneҦb}ɡA ̭nNOM}U@wnӦW repodata ؿsbINOe}FI LeT}ANЦUݭۦM@UI{bڭ̭ק]wɧaI

    [root@www ~]# vim /etc/yum.repos.d/CentOS-Base.repo
    [base]
    name=CentOS-$releasever - Base
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
    #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    

    pWҥܡAmȦCX base oӮeleӤwALeeЦۦd\oIWƻݭn`NOG

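    • [base]:
      The name of the repository. The square brackets are required; the name inside them can be chosen freely, but two repositories must not share the same name, otherwise yum will not know where to look for the repository's package list files.

    • name:
      Only a description of what this repository is for; not very important.

    • mirrorlist=:
      Lists the mirror sites this repository can use. If you do not want to use it, comment this line out. Because we are about to set the mirror site directly, this line does need to be commented out in a moment.

    • baseurl=:
      The most important one, because what follows it is the actual URL of the repository. With mirrorlist, yum picks a mirror site by itself; baseurl points to one fixed repository URL. The URL we just found goes here.

    • enabled=1:
      Activates this repository. If you do not want it active, use enabled=0.

    • gpgcheck=1:
      Remember the RPM digital signature? This specifies whether the digital signature inside the RPM files must be checked.

    • gpgkey=: the location of the public key file for the digital signature. Use the default value.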

    Aoӳ]wɤA^Uڭ̭קɮתeAڭ̳oDEiH^ϥ@tߪ귽aI ק諸覡mȦCX base oӮeئӤwALؽбzۦ̷ӤWz@kӳBzYiI

    [root@www ~]# vim /etc/yum.repos.d/CentOS-Base.repo
    [base]
    name=CentOS-$releasever - Base
    baseurl=http://ftp.twaren.net/Linux/CentOS/6/os/x86_64/   <== this is the most important line
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
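    # For the other repository entries below, look up the URLs at the same mirror and edit them yourself.
    
    [root@www ~]# yum clean all  <== after changing the configuration file, clear the existing lists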
    

    ^USMNOL@UoIpOHAϥ yum Yi[I

    # Example: list the repositories currently used by yum
    [root@www ~]# yum repolist all
    repo id        repo name                status
    base           CentOS-6 - Base          enabled: 6,019
    c6-media       CentOS-6 - Media         disabled
    centosplus     CentOS-6 - Plus          disabled
    contrib        CentOS-6 - Contrib       disabled
    debug          CentOS-6 - Debuginfo     disabled
    extras         CentOS-6 - Extras        enabled:     0
    updates        CentOS-6 - Updates       enabled: 1,042
    repolist: 7,061
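    # Only the entries marked enabled in the status column are active. Because /etc/yum.repos.d/
    # holds several configuration files, you will see other repositories as well.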
    


    • Problems caused by changing the repository, and how to solve them

    ѩڭ̬Oקtw]]wɡAWAڭRMnb /etc/yum.repos.d/ Usؤ@ɮסA MɦWO .repo ~I]ڭ̨ϥΪOwSwMgxAӤOLn}oʹѪeA ]~קtw]]wɡCOiѩϥΪesHAAonDA yum |UeMx쥻E /var/cache/yum ̭hIڭ̭קF}oSקeW (r)A iN|yEMxP yum AMxPBAɴN|X{LksDFI

    [H̔xANMEWHƧYiIݭnʳBzܡHݭnA zL yum clean بӳBzYiI

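    [root@www ~]# yum clean [packages|headers|all] 
    Options and parameters:
     packages: delete the downloaded package files
     headers : delete the downloaded package headers
     all     : delete all repository data
    
    # Example: delete all downloaded repository data (the packages themselves and the lists)
    [root@www ~]# yum clean all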
    
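    Exercise:
    There is a URL on the network, http://free.nchc.org.tw/drbl-core/i386/RPMS.drbl-stable/ , that holds free software developed by Taiwan's National Center for High-performance Computing. Using the data provided at that URL, make the system able to install from it over the network in yum format.
    Answer:
    Because http://free.nchc.org.tw/drbl-core/i386/RPMS.drbl-stable/ contains a repodata/ directory, the URL can be used directly in a yum repository configuration file. You can do it like this: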
    [root@www ~]# vim /etc/yum.repos.d/drbl.repo
    [drbl]
    name=This is DRBL site
    baseurl=http://free.nchc.org.tw/drbl-core/i386/RPMS.drbl-stable/
    enabled=1
    # gpgcheck=0 turns off RPM signature verification for this repository
    gpgcheck=0
    
    [root@www ~]# yum search drbl
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    ============================== Matched: drbl ==============================
    clonezilla.i386 : Opensource Clone System (ocs), clonezilla
    drbl.i386 : DRBL (Diskless Remote Boot in Linux) package.
    drbl-chntpw.i386 : Offline NT password and registry editor
    ....(rest omitted)....
    
    [root@www ~]# yum repolist all
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    repo id        repo name                status
    base           CentOS-6 - Base          enabled: 6,019
    c6-media       CentOS-6 - Media         disabled
    centosplus     CentOS-6 - Plus          disabled
    contrib        CentOS-6 - Contrib       disabled
    debug          CentOS-6 - Debuginfo     disabled
    drbl           This is DRBL site        enabled:    36 <== the new one is here
    extras         CentOS-6 - Extras        enabled:     0
    updates        CentOS-6 - Updates       enabled: 1,042
    repolist: 7,097
    
    The newly added drbl repository provides 36 packages. Is that clear enough?


    7.3 Restricting connection ports

    ڭ̪DE|^RW@ǭnDʥ]OHҦpڭ̳]wF@ WWW DEASӦ Internet WWW nDɡAڭ̪DEN|H^RAoO]ڭ̪DEťΤF WWW of[IҥHASڭ̎ťΤF@ daemon ɡANi|yDEfbioʧ@AM daemon NOwgWѪAȤFIU@o daemon {|}A]LѤF Internet AȡAҥHNeQ Internet W cracker ҧ@FIҥHAJNˬdۤvtWf쩳}Fh֭ӡAåBHY檺޲zA~^CQ@iʔ[I


    7.3.1 What is a port

    걼FISpŰʤ@ӺAȡAoӪAȷ|̾ TCP/IP }qTwŰʤ@ӰfbioA NO TCP/UDP ʥ] port (f) FCڭ̱qĤGؤ]DsuOUVAAݱonŰʤ@ӺofA ΤݱonHEŰʤ@Ӱf^^RƤ~CAݪAȬO_ݭnŰʦbTwfH ΤݪfO_SOTwOHڭ̱NĤGؤP port }ƵoJ@UG

    • AݎŰʪofҹRAȬOTwG
      Ҧp WWW Aȶ}Ŧb port 80 AFTP Aȶ}Ŧb port 21Aemail ǰe}Ŧb port 25 ΆΡAOqTwWWdI

    • ΤݎŰʵ{ɡAHEŰʤ@Ӥj 1024HWfG
      ΤݎŰʪ port OHEͪADnO}Ŧbj 1024 HWfCo port ]OѬYdznҲͪA ҦpsBFilezilla o FTP Τݵ{ΆΡC

    • @AiHPɴѦhRAG
      ҿתyozOYӪAȵ{|@`nbOSAҥHM{Űʪ port N|@sbC unAnŰʪfPAN|yeCSΤݳs^즹AɡAzLPfANiHoPAȸoC ҥHA@DEWSMiHPɎŰʫܦhPAȔ[I

    • @ 65536 portG
      ѲĤGت TCP/UDP YƤAND port 16 Ӧ줸A]@DE| 65536 portAӳo port SӈAH port 1024 @ϹjG

      • u root ~ŰʪOd portG
        bp 1024 fAOݭnH root ~ŰʪAo port DnOΩ@DZ`qTAȡAb Linux tUA`wP port ROOb /etc/services ̭C

      • j 1024 Ω client ݪ portG
        bj 1024 HW port DnO@ client ݪnŰʪ port C

    • O_ݭnTV洤G
      إߥiasuAȻݭnϥΨ TCP wA]NݭnҿתTV洤FApGODsufVAȡAҦp DNS PTtA unϥ UDP wYiC

    • qTwiHťΦbDW portG
      ڭ̪Dsw]|s^ WWW DE port 80AA WWW O_iHŰʦbD 80 LfH SMiH[IAiHzL WWW n骺]w\NMnϥΪ port ŰʦbDWfA uOp@ӡAzΤݭns^ADEɡANonbsaB~wAҎťΪDWf~C oӎŰʦbDWf\A``QΦb@ǩҿתaUTI^_^Ct~A Ydznw]NŰʦbj 1024 HWfAp MySQL ƮwnNŰʦb 3306C

    • ҿת port wG
      WASҿת port wʡI]yPort ťάOѪAȳnҳyzA ]NOAuvTwäO port AӬOŰ port ӳn ({)I γ\Aӷ|oGyS׸ɹL|} bind 8.x AܮeQ«ȩҤJIAкɧ֤ɯŨ bind 9.x H᪩zAҥHoAwuM`OyYǤwAȡz ӤOy}F port z~OI]ASnAȴNNL}aI רYǺAR|Űʤ@ port It~AǤwŰʪn]ݭn򪺫OsI

    7.3.2 Observing ports: netstat, nmap

    nFAڭ̲{bDo port OKFFAAӴNOnA@UAڭ̪DE쩳O}Fh֪ port OHѩ port ŰʻPAȦ}AyAȡzy port zRɮ׬O@ӡHA@IOy /etc/services zTIӱ`Ψ[Ԏ port hUӵ{G

    • netstatGbEWHۤv{ʴۤv portF
    • nmapGzLn黲UAiDEWLDEAHkC

    LjYIϥ nmap |HkHѩ nmap \ӱjjFAҥHܦh cracker |^HLӰOHDEAoӮɭԴNiyHkTIunAϥ nmap ɭԤnhOHqDEAN|DTIUڭ̤Oӻ@o_aI



    • netstat

    bA Linux tA}ŪAȶVֶVnI ]֪AȥiHeh (debug) PAw|}AåiקKnJI޹DI ҥHAoӮɭԽA@UztSSǪAȳQ}ŤFOH nAۤvtSAȶءA̔KkNOϥ netstat FIoӪF褣̔xAӥB\]OܤhC oӫOϥΤkb Ĥر`κ\OSLFA Uڭ̶ȴѦpϥγoӤu㪺koI

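    • List the network services that are listening:
      [root@www ~]# netstat -tunl
      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address    Foreign Address    State
      tcp        0      0 0.0.0.0:111      0.0.0.0:*          LISTEN
      tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN
      tcp        0      0 127.0.0.1:25     0.0.0.0:*          LISTEN
      ....(rest omitted)....
      
      This shows that my host has at least ports 111, 22 and 25 open. Looking at the interface each one is bound to, port 25 is a TCP port that serves only the lo internal loopback interface, so it cannot be reached from the Internet. Port 22, on the other hand, does accept connections from the network.

    • List the network connections that are already established:
      [root@www ~]# netstat -tun
      Active Internet connections (w/o servers)
      Proto Recv-Q Send-Q Local Address       Foreign Address     State
      tcp        0     52 192.168.1.100:22    192.168.1.101:2162  ESTABLISHED
      
      From the data above, my local server (Local Address, 192.168.1.100) currently has only one established connection, the one with host 192.168.1.101, and the connection was made by the remote side connecting to port 22 on my host to use my server's service.

    • Remove a connection that is established or listening:

      If you want to shut down a network service that is already connected or is listening, the simplest way is to find the PID of that connection and kill it, as in the following example:
      [root@www ~]# netstat -tunp
      Active Internet connections (w/o servers)
      Proto Recv-Q Send-Q Local Address    Foreign Address     State       PID/P name
      tcp        0     52 192.168.1.100:22 192.168.1.101:2162  ESTABLISHED 1342/0
      
      As the example shows, we can see that the connection is served by the sshd program and that its PID is 1342. Do not be hasty and use the killall command, or you may easily kill the wrong process (your host may have several sshd processes); use the kill command instead.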
      [root@www ~]# kill -9 1342
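
The listings above distinguish a service bound only to loopback (127.0.0.1:25) from one reachable on every interface (0.0.0.0:22). The script below is an added example, not part of the original page: it reads `netstat -tunlp` output and reports listeners that are reachable from the network and whose port is not on an allowlist. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `netstat -tunlp` output for unexpected exposed listeners.

# Constructed sample input, modelled on the netstat listings in this chapter.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  1176/sshd
tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN  1252/master
tcp        0      0 :::23            :::*             LISTEN  1851/xinetd
tcp        0      0 ::1:25           :::*             LISTEN  1252/master
tcp        0      0 0.0.0.0:111      0.0.0.0:*        LISTEN  1873/rpcbind
tcp        0      0 :::111           :::*             LISTEN  1873/rpcbind
udp        0      0 0.0.0.0:111      0.0.0.0:*                1873/rpcbind
EOF
}

# Read netstat output on stdin and print one line per listener:
#   <exposure> <proto> <port> <program>
# exposure is "loopback" for 127.0.0.0/8 and ::1, otherwise "exposed".
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        # TCP rows carry a State column; UDP rows do not.
        if ($1 ~ /^tcp/) { if ($6 != "LISTEN") next; prog = $7 }
        else             { prog = $6 }
        port = $4; sub(/^.*:/, "", port)       # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
        exposure = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        sub(/^[0-9]+\//, "", prog)             # drop the "PID/" prefix
        print exposure, $1, port, prog
    }'
}

# Print exposed listeners whose port is not in the space-separated
# allowlist given as $1, one "proto/port program" line each (IPv4/IPv6
# duplicates collapsed). Exit status is 1 if any such listener exists.
unexpected_listeners() {
    classify_listeners | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "exposed" && !($3 in ok) {
        key = $2 "/" $3 " " $4
        if (!(key in seen)) { seen[key] = 1; print key; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Demo on the constructed sample: only SSH (22) is expected to be exposed.
sample_netstat | unexpected_listeners "22" || true
```

On a live host the same check is `netstat -tunlp | unexpected_listeners "22"`, run as root so that the PID/Program name column is filled in.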
      

    • nmap

    pGAn]QèSiAnJ@~tɡAMH|ҨӻAAQnA@UqLEO_}YǨwɡA MpBz[H{bAD netstat iHΨӬd\EW\hoqTwA ҦpLEo˪DE]QAnpdߔ[HI nmap NFI

    nmap (1)n黡W٬GyNetwork exploration tool and security / port scannerzAUWqA oӪFOQt޲zΨӺ޲ztwʬd֪uILyzS]FA nmap iHgѵ{ۦwqX port RơAӬdXM port AȬAҥHڭ̤]iH]Aڭ̥DE port 쩳OFΪIb CentOS YO nmap A pGASwUANϥ yum hwULaI

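    [root@www ~]# nmap [scan type] [scan parameters] [hosts address and range]
    Options and parameters:
    [scan type]: the main scan types are:
        -sT: scan TCP using fully established connections, connect()
        -sS: scan TCP using packets that carry the SYN flag
        -sP: scan by means of ping
        -sU: scan using UDP packets
        -sO: scan the host by IP protocol
    [scan parameters]: the main scan parameters are:
        -PT: scan using a TCP-based ping, to learn how many machines are alive (more commonly used)
        -PI: scan using a real ping (with ICMP packets)
        -p : a port range, used for example as 1024-, 80-1023, 30000-60000
    [hosts address and range]: this can take several similar forms:
        192.168.1.100  : a single HOST IP, so only one machine is checked;
        192.168.1.0/24 : a Class C network;
        192.168.*.*    : this becomes a Class B network, so the scan range is wider;
        192.168.1.0-50,60-100,103,200 : a mixed form of host range
    
    # Example 1: scan the ports enabled on this machine with default parameters (TCP only)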
    [root@www ~]# yum install nmap
    [root@www ~]# nmap localhost
    PORT    STATE SERVICE
    22/tcp  open  ssh
    25/tcp  open  smtp
    111/tcp open  rpcbind
    # By default, nmap scans only the TCP protocol.
    

    nmap Ϊk̔xoIN^bO᭱^W IP Ϊ̬ODEW٧YiCLAbw]pU nmap ȷ|DAR TCP oӳqTwӤwA^WoӨҤlKXGCuIOD]N}MfAȤ]CXӤFA uOnI ^_^IpGQnPɤR TCP/UDP oӱ`qTwOHiHo˰G

    # Example 2: scan both the TCP and UDP ports of this machine
    [root@www ~]# nmap -sTU localhost
    PORT    STATE SERVICE
    22/tcp  open  ssh
    25/tcp  open  smtp
    111/tcp open  rpcbind
    111/udp open  rpcbind  <== the UDP port now appears as well
    

    KKIPedҤ@UAA|o{ohFX UDP fAoˤRnhFIMA pGAQnA@U쩳XDEbASɡAhiHo˰G

    # Example 3: use ICMP packets to find out how many hosts on the local network are up
    [root@www ~]# nmap -sP 192.168.1.0/24
    Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-20 17:05 CST
    Nmap scan report for www.centos.vbird (192.168.1.100)
    Host is up.
    Nmap scan report for 192.168.1.101 <== these three lines describe 192.168.1.101
    Host is up (0.00024s latency).
    MAC Address: 00:1B:FC:58:9A:BB (Asustek Computer) 
    Nmap scan report for 192.168.1.254
    Host is up (0.00026s latency).
    MAC Address: 00:0C:6E:85:D5:69 (Asustek Computer)
    Nmap done: 256 IP addresses (3 hosts up) scanned in 3.81 seconds
    

    ݨ_HmSTDEۧo (Host is up)IåBM IP ҹR MAC ]|QOUӡA ܤhaIpGARQnNUӥDEŰʪ port @@fܡANonϥΡG

    [root@www ~]# nmap 192.168.1.0/24
    

    AN|ݨ@ port number QKX݁WopGQnHɰOӺqDEO_p߶}FYǪAȡA KKIQ nmap tXƬyfV (>, >> ) ӉKXɮסA HɥiHxzkCDEAȎŰʪp[I ^_^

    ЯSOdNAo nmap \SjjA]O]pAҥHܦhbmߪ«ȷ|ϥγoӳnӰOHqC oӮɭԽбzSOdNAثeܦhHwgySO覡zӶinu@IҦpH TCP_Wrappers (/etc/hosts.allow, /etc/hosts.deny) \ӰOgLM port IPI oӳnΨӡyۤvEwʡzOܤh@ӤuAOpGΨӰOHDEA iO|yYWxqzISOdNII


    7.3.3 Starting and stopping ports and services, and setting their state at boot

    qĤGتƧڭ̴NDA port OѰYdzn餧QnŰʪCҥHn}Y port ɡAN^NYӵ{L}NOFI}kASMiHϥ killALoܳOMDA] kill oӫOq`㦳j}Yǵ{\Aڭ̷Qn`}M{[I ҥHANQΨtڭ̪ script }NnF[C bPɡAڭ̴NoAӵyLƲߤ@UA@DžAȦXRH


    • stand alone and super daemon

    ڭ̦b߽gͨAb@륿` Linux tUAAȪŰʻP޲zDnR覡G

    • Stand alone
      UWqAstand alone NO^MAȪɡAMɪ^JOSB@A γoR覡ӎŰʥiHMAȨ㦳ֳt^RuIC@ӻAoRAȪŰ script |m /etc/init.d/ oӥؿUAҥHAq`iHϥΡGy /etc/init.d/sshd restart z覡ӭsŰʳoRAȡF

    • Super daemon
      Τ@ӶWŪAȧ@`ޡAӅ@޲zYǯSAȡCb CentOS 6.x ̭ϥΪhO xinetd o super daemon [IoR覡ŰʪAMb^RWt׷|CA LAiHzL super daemon B~Ѥ@DZޡAҦpɎŰʡBɥiHisuB IP iHsiӡBO_\PɳsuΆΡCq`ӧOAȪ]wɩmb /etc/xinetd.d/ SA]wܫݭnsHy /etc/init.d/xinetd restart zsӎŰʤ~I

    }NAȻAаѦҰg{ѪA@A mbo̤AzCnApGڷQnNڨtW port 111 }ܡA RMp}OH̔x@kNOX port 111 Űʵ{I

    [root@www ~]# netstat -tnlp | grep 111
    tcp        0      0 0.0.0.0:111    0.0.0.0:*       LISTEN  990/rpcbind
    tcp        0      0 :::111         :::*            LISTEN  990/rpcbind
    # So the port is being used by the rpcbind service program.
    
    [root@www ~]# which rpcbind
    /sbin/rpcbind
    # Once the file is found, look it up with rpm
    
    [root@www ~]# rpm -qf /sbin/rpcbind
    rpcbind-0.2.0-8.el6.x86_64
    # Found it: this is the package. So the way to shut it down is probably:
    
    [root@www ~]# rpm -qc rpcbind | grep init
    /etc/rc.d/init.d/rpcbind
    [root@www ~]# /etc/init.d/rpcbind stop
    

    zLWoӤRy{AAiHQΨtѪܦhKuӹFYӪAȪ}I ԣoꐷСHOQ kill -9 990 NiHRMAȤFܡH OShTILAADMAȬOԣΪܡHADNL}AAt|XDܡH pGDܡAQΤWy{NiHXMAȳnAAQ rpm dߥ\A N^DMAȪ@ΤFHҥHAoӤ覡ROz|DUTI Uбz۱Nz CentOS Ϊ̬OL Linux Telnet }ݬݡC

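    Exercise:
    We know that the system's Telnet service is usually managed by the super daemon. Try starting telnet on your system.
    Answer:
    1. To start telnet, the telnet server must already be installed, so first check with rpm whether telnet-server is installed: "rpm -qa | grep telnet-server". If it is not installed, install it from the original disc, or use "yum install telnet-server" to install it first;
    2. Because it is managed by the super daemon, edit the file /etc/xinetd.d/telnet, change "disable = yes" to "disable = no", and then restart the super daemon with "/etc/init.d/xinetd restart".
    3. Use netstat -tnlp to check whether port 23 has been started.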


    • Services started by default

    WY@kȬOyߧYNMAȎŰʩ}zIä|vTU}EɡAoӪAȬO_w]ŰʪpC pGAQnb}EɭԴNŰʩΤŰʬYAȮɡANonA@U߽g̭ͨ쪺}Ey{޲zeTIb Unix like tSڭ̳OzL run level ӳ]wYǰίŻݭnŰʪAȡAH Red Hat tӻAo run level ŰʪƳOmb /etc/rc.d/rc[0-6].d/ ̭Ap޲zMؿU script OHʳBzܡH|ƱoIҥHAnx chkconfig Red Hat t ntsysv oXӫO~I

    Tips:
    oXӫOܡHoӮɭԉmoFGy man ΪݥΡAݵL man Ŧ۲qzԒ򵹥L man UhTI
    DG
    (1)pd\ rpcbind oӵ{@}ENH (2)pG}ENApNLאּ}EɤnŰʡH (3)pߧY}o rpcbind AȡH
    G
    1. iHzLy chkconfig --list | grep rpcbind zPy runlevel zT{@UAP rpcbind O_ŰʡH
    2. pGŰʡAizLy chkconfig --level 35 rpcbind off zӳ]w}EɤnŰʡF
    3. iHzLy /etc/init.d/rpcbind stop zӥߧY}LI

    oA@w|ݻGymAANOunNtҦAȳ}AtN|woHz SM....OI]yܦhtAȬOnsbA_htN|XDz |ҨӻAӫOtiH㦳u@Ƶ{ crond AȴN@wnsbAӨӰOtp rsyslogd ]SMnsb_h窾DtXFԣDHҥHoADADCӪAȪتOA_hnHK}MAȡC UmCXXӱ`nsbtAȵjaѦҰѦҥIoǪAȽФn}[I

    AȦWAȤe
    acpidsq޲zœAq`ij}šALAYǓ۰Oqiण䴩AȡANo}
    atdb޲zx@wRO檺AȡARMnŰʪ
    crondb޲zu@Ƶ{nAȡAаȥnŰʔ[I
    haldaemon@twܧ󰻴AȡAP USB ]Q}Yܤj
    iptablesLinux تnAoӤ]iHŰTI
    networkoӭnFaHnNnL[I
    postfixtlǻAȡAnHK}LI
    rsyslogtnɰOAܭnAȥŰʔ[I
    sshdoOtw]|ŰʪAiHAbhݥHrAEnJI
    xinetdNO super daemon IҥH]nŰTI

    WCXODEݭnIAȡAбzn}LIDAD@F|GC|ҨӻAApGݭn޲zqA N acpid }]S}Y[IpGAݭnѭhݳsu\A sshd ]iH}[ILADAȫH S}YAunOAȡAAiHOdLIpGOAȩOH...mijADAȴN}LI Hڭ̽ͨCӬ}AȮɡAA@Ӥ@ӥ}YiCUڭ̴NӰ@}AȳoӈI


    pADϥ7.3.4 wʦҶq-}AȰf

    ڭ̪ Linux distribution ܦnߪDϥΪ̷QܦhFAҥHb@wUܤA t|}Ť@ͦSAȡAҦp rpcbind NNAoǪFAγ\Dγ\DALLNO}š ڭ̪DENOΨӰAAҥHoǥӹwpn client ϥΪAȨIyh@|zP\ ҥHTAЧANL}aIUڭ|̔xҤlӳBzANAA}NnALbtAȡANȮɫOdaI

    DG
    XثetWbB@AȡAåB۹RŰʸ} (b /etc/init.d ɦWN)C
    G
    nXAȡANQ netstat -tunlp YiIHmqĤ@ئwUܽdEҡAmثeŰʪAȦUoǡG
    [root@www ~]# netstat -tlunp
    Active Internet connections (only servers)
    Proto  Local Address        State       PID/Program name
    tcp    0.0.0.0:22           LISTEN      1176/sshd
    tcp    127.0.0.1:25         LISTEN      1252/master
    tcp    0.0.0.0:37753        LISTEN      1008/rpc.statd
    tcp    :::22                LISTEN      1176/sshd
    tcp    :::23                LISTEN      1851/xinetd
    tcp    ::1:25               LISTEN      1252/master
    tcp    :::38149             LISTEN      1008/rpc.statd
    tcp    0.0.0.0:111          LISTEN      1873/rpcbind
    tcp    :::111               LISTEN      1873/rpcbind
    udp    0.0.0.0:111                      1873/rpcbind
    udp    0.0.0.0:776                      1873/rpcbind
    udp    :::111                           1873/rpcbind
    udp    :::776                           1873/rpcbind
    udp    0.0.0.0:760                      1008/rpc.statd
    udp    0.0.0.0:52525                    1008/rpc.statd
    udp    :::52343                         1008/rpc.statd
    # WzKXmyL̔Ƥ@dzAҥH줣FC
    # oӭIuOni{X̫@ӤwTI
    
    ݰ_`@ sshd, master, rpc.statd, xinetd, rpcbind γoXӪAȡAӫe@p`ƤeӬݡA master (port 25), sshd }ALNH}[IzLeӤp`Aϥ which P rpm jMaI|ҨӻA rpc.statd Űʸ}bGyrpm -qc $(rpm -qf $(which rpc.statd) ) | grep initzo˧AGOby/etc/rc.d/init.d/nfslockzo̡I ]̜檺GpUG
    rpc.statd /etc/rc.d/init.d/nfs
              /etc/rc.d/init.d/nfslock
              /etc/rc.d/init.d/rpcgssd
              /etc/rc.d/init.d/rpcidmapd
              /etc/rc.d/init.d/rpcsvcgssd
    xinetd    /etc/rc.d/init.d/xinetd
    rpcbind   /etc/rc.d/init.d/rpcbind
    
    ^UӴNONMA}AåB]w}EŰʧaI
    [root@www ~]# vim bin/closedaemon.sh
    for daemon in nfs nfslock rpcgssd rpcidmapd rpcsvcgssd xinetd rpcbind
    do
    	chkconfig $daemon off
    	/etc/init.d/$daemon stop
    done
    [root@www ~]# sh bin/closedaemon.sh
    

    WҤlAAAUF netstat -tlunp A|oȳ port 25, 22 ӤwI p@ӡAʎjAΤ쪺AȴNQA}AӥBYϭs}E]|QŰʪTI ^_^


    jADϥ7.4 SELinux ޲zh

    SELinux ϥΩҿתes (Mandatory Access Control, MAC) ALiHwSw{ǻPSwɮ׸귽ӶivޡI ]NOAYϧAO root AbϥΤP{ǮɡAAүovä@wO root AӱonSM{Ǫ]wөwC p@ӡAڭ̰wﱱyDzܦFy{ǡzӤOyϥΪ̡zI]Aov޲zҦNSOAXAȪy{ǡzFI ]AYϧA{Ǩϥ root hŰʡApGoӵ{dzQ@ӳQoާ@vAM{ǯ@ƱROA ]Q SELinux Fi檺u@FI

    |ҨӻA WWW An骺F{Ǭ httpd o{A ӹw]pUA httpd ȯb /var/www/ oӥؿUsɮסApG httpd oӵ{ǷQnLؿhsƮɡAFWh]wn}~A؊Aؿ]on]w httpd iŪҦ (type) ~ID`hI ҥHAYϤp httpd Q cracker oFvAL]Lvs /etc/shadow έn]wɳI


    pADϥ7.4.1 SELinux B@Ҧ

    Aƻ@UASELinux OzL MAC 覡ӱ޵{ǡALDO{ǡA ӥ؊AhOM{ǯ_Ūyɮ׸귽zIҥHӻ@UoǩNN}TI

    • D (Subject)G
      SELinux DnQn޲zNO{ǡA]AiHNyDz򥻏ؽͨ쪺 process ُWθF

    • ؊A (Object)G
      D{ǯ_sy؊A귽z@NOɮרtC]oӥ؊AإiHɮרtُWθF

    • F (Policy)G
      ѩ{ǻPɮӋqejA] SELinux |̾ڬYǪAȨӨq򥻪swʬFCoǬFR|NWh (rule) ӫwPAȶ}YǸ귽sP_Cbثe CentOS 6.x ̭ȦѨӥDnFpUA@ӻAϥιw] target FYiC

      • targetedGwAȭhAw糧E֡AOw]FF
      • mlsG㪺 SELinux A譱YC

    • wʥ (security context)G
      ڭ̭ͨFDB؊APFAODणs؊AFnŦXFw~ADP؊Awʥ奲@P~^QsC oӦwʥ (security context) Iɮרt rwx TIwʥ媺eP]wOD`nI pG]wh~AAYǪA(D{)NLksɮרt(؊A귽)ASMN|@X{yvšzh~TFI
    SELinux B@U󤧬}
    7.4-1BSELinux B@U󤧬}(ϰѦҤp{ѮvWq)

    WϪIbyDzpoy؊Az귽svI ѤWϧڭ̥iHo{A(1)D{ǥnqL SELinux FWhANiHP؊A귽iwʥ媺A (2)Y異ѫhLks؊AAY令\hiH}ls؊ACDOA̜_s؊AROPɮרt rwx v]w}Ip@ӡA[JF SELinux AX{vŪpɡAANon@B@BRi઺DFI


    • wʥ (Security Context)

    CentOS 6.x target FwgDڭ̨qnD`hWhFA]AunDp}/}YWhP_YiC ӦwʥꐷСI]Aiݭnۦ]wɮתwʥOIݭnۦ]w[H |ҨӻAA]``iɮת rwx s]wܡHowʥANNLQ SELinux Q rwx NOFIoˤnzTC

    wʥsbD{ǤP؊Aɮ׸귽C{ǦbO餺AҥHwʥiHsJOSDC ɮתwʥOOb̩OHWAwʥOmɮת inode A]D{ǷQnŪ؊Aɮ׸귽ɡAP˻ݭnŪ inode A o inode NiHwʥH rwx vȬO_TAӵASŪv̾ڡC

    wʥ쩳O˪sbOHڭ̥Ӭݬ /root UɮתwʥnFC [ԎwʥiϥΡy ls -Z zh[ԎpUG(`NGAwgŰʤF SELinux ~IY|ŰʡAoеyLݹL@MYiCU|pŰ SELinux I)

    [root@www ~]# ls -Z
    -rw-------. root  root  system_u:object_r:admin_home_t:s0     anaconda-ks.cfg
    drwxr-xr-x. root  root  unconfined_u:object_r:admin_home_t:s0 bin
    -rw-r--r--. root  root  system_u:object_r:admin_home_t:s0     install.log
    -rw-r--r--. root  root  system_u:object_r:admin_home_t:s0     install.log.syslog
    # WzSr骺ANOwʥ媺eI
    

    pWҥܡAwʥDnΫ_T (̫@L)AoT쪺NqG

    Identify:role:type
    ѧO::
    
    • ѧO (Identify)G Sb譱ѧOIDnѧOhUTR`G

      • rootG root bApPWܪO root aؿUƔ[I
      • system_uGܨt{Ǥ譱ѧOAq`NO{oF
      • user_uGNO@ϥΪ̱b}C

    • (Role)G zLAڭ̥iHDoӸƬOݩ{ǡBɮ׸귽RONϥΪ̡C@몺⦳G

      • object_rGNOɮשΥؿɮ׸귽AoRMO̱`oF
      • system_rGNNO{TILA@ϥΪ̤]|Qw system_r I

    • (Type)G bw] targeted FA Identify P Role 򥻤WOnInbo (type) I 򥻤WA@ӥD{ǯणŪoɮ׸귽AP즳}Ibɮ׻P{ǪwqӬۦPAOOG

      • typeGbɮ׸귽 (Object) W٬ (Type)F
      • domainGbD{ (Subject) h٬Zk (domain) FI

      domain ݭnP type ftAhM{Ǥ~^QŪɮ׸귽TI


    • {ǻPɮ SELinux type 쪺}

    oTpQΩOHڭ̨@@D{ǦboT쪺NqIzLѧOP쪺wqA ڭ̥iHDYӵ{ǩҥNNqI򥻤WAoǹRƦb targeted FURpUG

    ѧOMRb targeted Nq
    rootsystem_rN root bnJɩҨov
    system_usystem_rѩ󬰨tbA]ODͦtB@{
    user_usystem_r@inJϥΪ̪{oI

    NpWҭzA̭nOADP؊AO_㦳iHŪgvAP{Ǫ domain ɮת type }Io̪}Yڭ̥iHϥιF WWW A\઺ httpd o{P /var/www/html oӺmؿӻC AݬݳoөNNwʥ夺eG

    [root@www ~]# yum install httpd
    [root@www ~]# ll -Zd /usr/sbin/httpd /var/www/html
    -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
    drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
    # ̪O object_r ANOɮסI httpd ݩ httpd_exec_t A
    # /var/www/html hݩ httpd_sys_content_t oI
    

    httpd ݩ httpd_exec_t oӥiH檺A /var/www/html hݩ httpd_sys_content_t oӥiH httpd Zk (domain) ŪCrݰ_ӤӮeAaIڭ̨ϥιϥܨӻo̪}YI

    D{Ǩo domain P؊Aɮ׸귽 type ۤ}Y
    7.4-2BD{Ǩo domain P؊Aɮ׸귽 type ۤ}Y

    WϪNqڭ̥iHoˬݪG

    1. AڭIJo@ӥi檺؊AɮסANO㦳 httpd_exec_t o /usr/sbin/httpd
    2. Mɮת|oɮשҳyD{ (Subject) 㦳 httpd oӠZk (domain)A ڭ̪FwoӠZkwgwF\hWhA䤤]AoӠZkiHŪ؊A귽F
    3. ѩ httpd domain Q]wiHŪ httpd_sys_content_t o؊Aɮ (Object)A ]Am /var/www/html/ ؿUAN^Q httpd {ǩŪFF
    4. ̜णŪ쥿TơARon rwx O_ŦX Linux vWdI

    Wzy{iDڭ̴XӭIAĤ@ӬOFݭnqN domain/type }ʡFĤGӬOYɮת type ]wh~A Yv]w rwx } 777 AMD{Ǥ]LkŪ؊Aɮ׸귽TILp@ӡA ]NiHקKϥΪ̱NLaؿ]w 777 ɩҳyvxZC


    pADϥ7.4.2 SELinux ŰʡB}P[Ԏ

    ëDҦ Linux distributions 䴩 SELinux AҥHAn[Ԏ@UAtI mo̤ CentOS 6.x N䴩 SELinux TIҥHAݭnۦs SELinux A Linux ֤ߤI ثe SELinux 䴩TRҦAOpUG

    • enforcingGjҦAN SELinux B@ABwgT}l domain/type FF
    • permissiveGeeҦGN SELinux B@ALȷ|ĵiTä|ڭ domain/type sCoRҦiHBӧ@ SELinux debug ΡF
    • disabledG}ASELinux èSڹB@C

    A򪾹Dثe SELinux ҦOHNzL getenforce aI

    [root@www ~]# getenforce
    Enforcing  <==աINܥXثeҦ Enforcing oI
    

    t~Aڭ̤Sp󪾹D SELinux F (Policy) OHoɥiH[Ԏ]wTG

    [root@www ~]# vim /etc/selinux/config
    SELINUX=enforcing     <==վ enforcing|disabled|permissive
    SELINUXTYPE=targeted  <==ثeȦ targeted P mls
    


    • SELinux ŰʻP}

    WOw]FPŰʪҦIAn`NOApGܤFFhݭns}EFpG enforcing permissive 令 disabled AΥ disabled 令LӡA]ns}ECoO] SELinux OX֤߸̭hA AuiHb SELinux B@Uj (enforcing) μee (permissive) ҦA^^} SELinux I pGAo{ getenforce X{ disabled ɡAШWzɮ׭ק令 enforcing M᭫s}EaI

    LAn`NOApGq disable 茨Ű SELinux ҦɡA ѩtnwɮ׼gJwʥ媺TA]}EL{|O֮ɶbΫݭsgJ SELinux wʥ (ɤ]٬ SELinux Label) AӥBbgRonAs}E@IAnΫݯ@qɶI ΨU}E\AAϥ getenforce [Ԏݬݦ_\Űʨ Enforcing ҦoI

    pGAwgb Enforcing ҦAOiѩ@dz]wDfP SELinux YǪAȵLk`B@A ɧAiHN Enforcing Ҧאּee (permissive) ҦA SELinux u|ĵiLkQsuTA ӤO^ץD{ǪŪvC SELinux Ҧb enforcing P permissive kG

    [root@www ~]# setenforce [0|1]
    Options and parameters:
    0 : switch to permissive mode;
    1 : switch to Enforcing mode
    
    # dҤ@GN SELinux b Enforcing P permissive P[Ԏ
    [root@www ~]# setenforce 0
    [root@www ~]# getenforce
    Permissive
    [root@www ~]# setenforce 1
    [root@www ~]# getenforce
    Enforcing
    

    LЪ`NA setenforce Lkb Disabled ҦUiҦI

    Tips:
    bYǯSpUAAq Disabled Enforcing AM@ͪAȵLkQŰʡA|Ab /lib/xxx ̭ƨSvŪAҥHŰʥѡCojhOѩbsgJ SELinux type (Relable) XhGAϥ Permissive NSoӎh~CpBzOH̔xkNOb Permissive AUAϥΡy restorecon -Rv / zsRҦ SELinux AN^Bzoӎh~I

    pADϥ7.4.3 SELinux type ק

    JM SELinux (type) o򭫭nApקPܧoASMNO̭n@oC Aڭ̨ӬݬݦpGƻs@ɮר줣PؿhA|oͤ򪬪paI

    # dҡGN /etc/hosts ƻs root aؿA[Ԏ} SELinux ܤ
    [root@www ~]# cp /etc/hosts /root
    [root@www ~]# ls -dZ /etc/hosts /root/hosts /root
    -rw-r--r--. root root system_u:object_r:net_conf_t:s0  /etc/hosts
    dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/hosts
    
    # dҡGN /root/hosts ʨ /tmp UA[Ԏ} SELinux ܤ
    [root@www ~]# mv /root/hosts /tmp
    [root@www ~]# ls -dZ /tmp /tmp/hosts
    drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /tmp/hosts
    

    ݨSHSAxªƻsɡASELinux type O|~ӥ؊AؿAҥH /root/hosts N|ܦ admin_home_t oFCOpGOʩOHsP SELinux ]|QʹLhA] /tmp/hosts |̂HO admin_home_t Ӥ|ܦ /tmp tmp_t oIn`NIn`NIApN /tmp/hosts ܧ󦨬̭l net_conf_t oOHNonϥ chcon oI


    • chcon
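    [root@www ~]# chcon [-R] [-t type] [-u user] [-r role] file
    [root@www ~]# chcon [-R] --reference=example_file file
    Options and parameters:
    -R  : also change the subdirectories under the directory;
    -t  : followed by the type field of the security context, e.g. httpd_sys_content_t;
    -u  : followed by the identity (user), e.g. system_u;
    -r  : followed by the role, e.g. system_r;
    --reference=example_file : use an existing file as the example for the context of the file that follows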
    
    # dҡGN誺 /tmp/hosts אּ etc_t 
    [root@www ~]# chcon -t net_conf_t /tmp/hosts
    [root@www ~]# ll -Z /tmp/hosts
    -rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 /tmp/hosts
    
    # dҡGH /var/spool/mail/ ̾ڡAN /tmp/hosts ק令M
    [root@www ~]# ll -dZ /var/spool/mail
    drwxrwxr-x. root mail system_u:object_r:mail_spool_t:s0 /var/spool/mail
    [root@www ~]# chcon --reference=/var/spool/mail /tmp/hosts
    [root@www ~]# ll -Z /tmp/hosts
    -rw-r--r--. root root system_u:object_r:mail_spool_t:s0 /tmp/hosts
    

    chcon ק覡Aڭ̥nD̜ڭ̪ SELinux type OԣA~^ܧ󦨥\C pGAQn@Oy_즨즳 SELinux typezOHiHѦҩUOӶi潗I


    • restorecon
    [root@www ~]# restorecon [-Rv] file_or_directory
    Options and parameters:
    -R  : also change the subdirectories;
    -v  : show the process on the screen
    
    # dҡGN /tmp/hosts ʦ /root åHw]wʥ勵L
    [root@www ~]# mv /tmp/hosts /root
    [root@www ~]# ll -Z /root/hosts
    -rw-r--r--. root root system_u:object_r:mail_spool_t:s0 /root/hosts
    [root@www ~]# restorecon -Rv /root
    restorecon reset /root/hosts context system_u:object_r:mail_spool_t:s0->
    system_u:object_r:admin_home_t:s0
    # WoOP@IܱN hosts  mail_spool_t אּ admin_home_t
    


    • w]ؿwʥd߻Pק

    zLWoXӽmߡAAN|DTASELinux type ȷ|bɮתƻs/ʮɲͤ@ܤơA]ݭn chcon, restorecon ΫOӶi׭qCARMRO|Q@ơANOA restorecon |DCӥؿOw] SELinux type OHoO]tOIOb /etc/selinux/targeted/contextsAOMؿܦhPơA nϥΤrs边hd\ꐷСAɡAڭ̥iHzL semanage oӫO\Ӭd߻PקI

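    [root@www ~]# semanage {login|user|port|interface|fcontext|translation} -l
    [root@www ~]# semanage fcontext -{a|d|m} [-frst] file_spec
    Options and parameters:
    fcontext : mainly used for security contexts; -l means query (list);
    -a : add; you can add default security context settings for directories;
    -m : modify;
    -d : delete.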
    
    # dҡGdߤ@U /var/www/ w]wʥ]wI
    [root@www ~]# yum install policycoreutils-python
    [root@www ~]# semanage fcontext -l | grep '/var/www'
    SELinux fcontext                       Context
    /var/www(/.*)?             all files     system_u:object_r:httpd_sys_content_t:s0
    /var/www(/.*)?/logs(/.*)?  all files     system_u:object_r:httpd_log_t:s0
    ....(᭱ٲ)....
    

    qWAڭ̪D semanage iHBzD`hȡALAboӤp`ڭ̥DnQAOCӥؿw]wʥC pWdҩҥܡAڭ̥iHdߪCӥؿwʥTIӥؿ]wiHϥWܪkhw@ӽdCpGڭ̷QnW[YǦۭqؿwʥOH |ҨӻAڷQnq /srv/vbird public_content_t ɡARMpwOH

    # dҡGQ semanage ]w /srv/vbird ؿw]wʥ嬰 public_content_t
    [root@www ~]# mkdir /srv/vbird
    [root@www ~]# ll -Zd /srv/vbird
    drwxr-xr-x. root root unconfined_u:object_r:var_t:s0   /srv/vbird
    # pWҥܡAw]pRMO var_t oөNNI
    
    [root@www ~]# semanage fcontext -l | grep '/srv'
    /srv                  directory    system_u:object_r:var_t:s0 <==ݳo
    /srv/.*               all files    system_u:object_r:var_t:s0
    ....(Uٲ)....
    # WhOw] /srv UwʥơALAèSw /srv/vbird T
    
    [root@www ~]# semanage fcontext -a -t public_content_t "/srv/vbird(/.*)?"
    [root@www ~]# semanage fcontext -l | grep '/srv/vbird'
    /srv/vbird(/.*)?          all files  system_u:object_r:public_content_t:s0
    
    [root@www ~]# cat /etc/selinux/targeted/contexts/files/file_contexts.local
    # This file is auto-generated by libsemanage
    # Please use the semanage command to make changes
    /srv/vbird(/.*)?    system_u:object_r:public_content_t:s0
    # NOgJoɮתoI ^_^
    
    [root@www ~]# restorecon -Rv /srv/vbird* <==_w]
    [root@www ~]# ll -Zd /srv/vbird
    drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /srv/vbird
    # w]ȡAH restorecon ӭק̔xI
    

    semanage \ܦhALmDnΨ쪺Ȧ fcontext oӶتʧ@ӤwCpWҥܡA AiHϥ semanage ӬdߩҦؿw]ȡA]^ϥΥLӼW[w]Ȫ]wIpGz|oǰ䪺uA SELinux AӻA]ONNoI


    pADϥ7.4.4 SELinux FWhLȭ׭q

    eAnqL SELinux Ҥ~}lɮv rwx P_A SELinux P_DnO (1)FWhP (2){ǻPɮת SELinux type nŦX~^Ce@Ӥp`ͪO SELinux type AoӤp`NOnͤ@UFWhoA ]Apd߻Pק}WhP_oC


    • Fd\

    CentOS 6.x w]Ϩϥ targeted FAoӬFѦh֬}WhOHɥiHzL seinfo Ӭd߳I

    [root@www ~]# yum install setools-console
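    [root@www ~]# seinfo [-Atrub]
    Options and parameters:
    -A  : list the SELinux status, rule booleans, identities, roles, types and all other information
    -t  : list all SELinux types (type)
    -r  : list all SELinux roles (role)
    -u  : list all SELinux identities (user)
    -b  : list all rule kinds (booleans)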
    
    # dҤ@GCX SELinux bFUpA
    [root@www ~]# seinfo
    Statistics for policy file: /etc/selinux/targeted/policy/policy.24
    Policy Version & Type: v.24 (binary, mls)  <==CXFҦbɻP
    
       Classes:            77    Permissions:       229
       Sensitivities:       1    Categories:       1024
       Types:            3076    Attributes:        251
       Users:               9    Roles:              13
       Booleans:          173    Cond. Expr.:       208
       Allow:          271307    Neverallow:          0
       Auditallow:         44    Dontaudit:      163738
       Type_trans:      10941    Type_change:        38
       Type_member:        44    Role allow:         20
       Role_trans:        241    Range_trans:      2590
    ....(Uٲ)....
    # qWڭ̥iHݨoӬFO targeted AF SELinux type  3076 ӡF
    # ӰwAȪWh (Booleans) @qF 173 WhI
    
    # dҤGGCXP httpd }Wh (booleans) ǡH
    [root@www ~]# seinfo -b | grep httpd
    Conditional Booleans: 173
       allow_httpd_mod_auth_pam
       httpd_setrlimit
       httpd_enable_ftp_server
    ....(Uٲ)....
    # AiHݨAD`hP httpd }WhqwOI
    

    qWڭ̥iHݨP httpd }LȡAP˪ApGAQn즳 httpd r˪wʥOɡA NiHϥΡy seinfo -t | grep httpd zӬdߤFIpGdߨ}OΪ̬OLȫAQnDNWhɡA Nonϥ sesearch oӫOFI

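    [root@www ~]# sesearch [--all] [-s subject_type] [-t target_type] [-b boolean]
    Options and parameters:
    --all  : list all information related to that type or boolean
    -t  : followed by a type, e.g. -t httpd_t
    -b  : followed by a boolean rule, e.g. -b httpd_enable_ftp_server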
    
    # dҤ@GX؊Aɮ׸귽O httpd_sys_content_t }T
    [root@www ~]# sesearch --all -t httpd_sys_content_t
    Found 683 semantic av rules:
       allow avahi_t file_type : filesystem getattr ;
       allow corosync_t file_type : filesystem getattr ;
       allow munin_system_plugin_t file_type : filesystem getattr ;
    ....(Uٲ)....
    # y allow  D{ǦwʥO  ؊AɮצwʥO z
    # pWAoOiHQӥDD{ǪOŪAHΥ؊Aɮ׸귽榡C
    

    AiHܻdߨYӥD{ (subject) iHŪ؊Aɮ׸귽 (Object)C pGOLȩOH̭SWdFHڭ̨ӬݬݥG

    # dҤTGڪDӥLȬ httpd_enable_homedirs AаMLȳWdhֳWhH
    [root@www ~]# sesearch -b httpd_enable_homedirs --all
    Found 43 semantic av rules:
       allow httpd_user_script_t user_home_dir_t : dir { getattr search open } ;
       allow httpd_sys_script_t user_home_dir_t : dir { ioctl read getattr  } ;
    ....(᭱ٲ)....
    

    qoӥLȪ]wڭ̥iHݨ̭WdFD`hD{ǻP؊Aɮ׸귽P_I ҥHADFAڳWdodzWhANOLȪTI]NOڭ̤eһ@ͳWhO]I AD{ǯ_Yǥ؊Aɮ׶isAPoӥLȫD`}YI]LȥiHNWh]wŰ (1) Ϊ̬O} (0) TI


    • LȪd߻Pק

    Wڭ̳zL sesearch DFA Subject P Object _svAOPLȦ}A th֥LȥiHzL seinfo -b ӬdߡAACӥLȬOŰʪRO}OHoNӬd߬ݬݧaG

    [root@www ~]# getsebool [-a] [boolean]
    Options and parameters:
    -a  : list every boolean on the system and whether it is currently on or off
    
    # dҤ@GdߥtҦLȳ]wp
    [root@www ~]# getsebool -a
    abrt_anon_write --> off
    allow_console_login --> on
    allow_cvs_read_shadow --> off
    ....(Uٲ)....
    # z@IoNiDAثeLȪAoI
    

    pGdߨYӥLȡAåBH sesearch DMLȪγ~AQn}ΎŰʥLASMpBmH

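    [root@www ~]# setsebool [-P] boolean=[0|1]
    Options and parameters:
    -P  : write the value directly into the configuration file so that the setting stays in effect in the future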
    
    # dҤ@Gd httpd_enable_homedirs O_ onAY on ЎŰʥLI
    [root@www ~]# getsebool httpd_enable_homedirs
    httpd_enable_homedirs --> off  <==GO off ADNLŰʡI
    
    [root@www ~]# setsebool -P httpd_enable_homedirs=1
    [root@www ~]# getsebool httpd_enable_homedirs
    httpd_enable_homedirs --> on
    

    o setsebool ̦nOo@wn[W -P ﶵI]oˤ~N]wgJ]wɡI oOD`ΪuœIA@wnDpϥ getsebool P setsebool ~I


    pADϥ7.4.5 SELinux nɰOһݪA

    WzO\SAרO setsebool, chcon, restorecon ΡAOFSAYǺAȵLk`Ѭ}\ɡA ~ݭniק諸@ǫOʧ@COAڭ̫򪾹DӮɭԤ~ݭnioǫOק[Hڭ̫򪾹Dt] SELinux DfPAȤl[HpGnaΤݳsuѤ~ӭDA]ӨSIJvFIҥHAڭ̪ CentOS 6.x ѴX䰻AȦbn SELinux ͪh~INO auditd P setroubleshootdC


    • setroubleshoot --> h~TgJ /var/log/messages

    XGҦ SELinux }{|H se }YAoӪAȤ]OH se }YI troubleshoot jaDOh~JAA ]o setroubleshoot ۵MNonŰʥLTIoӪAȷ|N} SELinux h~TPJAkO /var/log/messages P /var/log/setroubleshoot/* YAҥHA@wonŰʳoӪAȤ~nCŰʳoӪAȤeSMNOonwUTI oN`@ݭnӳnAOO setroublshoot P setroubleshoot-serverApGASwUAЦۦϥ yum wUaI

    ~A쥻 SELinux TӬOHӪAȨӰOAOO auditd P setroubleshootdCJMOP˪TA ] CentOS 6.x N̾Xb auditd STIҥHAèS setroubleshootd AȦsbFI]A SAwUnF setroubleshoot-server AаOonsŰ auditdA_h setroubleshootd \ण|QŰʪC

    [root@www ~]# yum install setroubleshoot setroubleshoot-server
    [root@www ~]# /etc/init.d/auditd restart <==X auditd SFI
    
    Tips:
    WACentOS 6.x setroubleshootd B@覡OG (1) auditd hIs audispd AȡA (2)M audispd AȥhŰ sedispatch {A (3)sedispatch AN쥻 auditd T茦 setroubleshootd TAi@BxsUӪI

    pGo͎h~ɡAT^OHڭ̨ϥ httpd o{ͪh~ӻnFC]AݭnŰ WWW AA ڭ̪ WWW O httpd oAȴѪA]AnwUBŰʥ~G

    [root@www ~]# /etc/init.d/httpd start
    [root@www ~]# netstat -tlnp | grep http
    tcp     0   0 :::80   :::*              LISTEN      2218/httpd
    # ݨSHŰ port 80 FIoOII
    

    oӮɭԧڭ̪ WWW ANwUSFCڭ̪Om /var/www/html ؿUABɦWnO index.htmlC pGڨϥΩUҦӶi歺BzɡAiN| SELinux DFIڭ̴NӼ[@UXDpaI

    [root@www ~]# echo "My first selinux check" > index.html
    [root@www ~]# ll index.html
    -rw-r--r--. 1 root root 23 2011-07-20 18:16 index.html  <==vSD
    [root@www ~]# mv index.html /var/www/html
    

    ɧڭ̴NiH}sAMbsWKJ Linux ۤv IP ӬdԎݡAݯणsWۤv WWW C ]ڭ̳owUèSϧΤAҥHϥ links ӬdԎ http://localhost/index.html ݬݡIA|opUTG

    [root@www ~]# links http://localhost/index.html -dump
                                       Forbidden
    
       You don't have permission to access /index.html on this server.
    
       --------------------------------------------------------------------------
    
        Apache/2.2.15 (CentOS) Server at localhost Port 80
    

    e̩㪺aNOiDAAAèSviHs index.html IKFIvO諸IH S}YANzL setroubleshoot \hˬdݬݡCɽФR@U /var/log/messages eaII^oˡG

    [root@www ~]# cat /var/log/messages | grep setroubleshoot
    Jul 21 14:53:20 www setroubleshoot: SELinux is preventing /usr/sbin/httpd 
    "getattr" access to /var/www/html/index.html. For complete SELinux messages. 
    run sealert -l 6c927892-2469-4fcc-8568-949da0b4cf8d
    

    Wh~TiOP@IjOySElinux QΨקK httpd Ūh~wʥA Qnd\㪺ơAа sealert -l ...zShIA`NFIINO sealert -l TI WѪTäAQn󧹾㪺ona sealert tX쪺h~NXӳBzC ڳBz|^oˡG

    [root@www ~]# sealert -l 6c927892-2469-4fcc-8568-949da0b4cf8d
    Summary:
    
    SELinux is preventing /usr/sbin/httpd "getattr" access to
    /var/www/html/index.html.   <==b messages ̭ݨ쪺TI
    
    Detailed Description:       <==^UӬONpRInݳI
    
    SELinux denied access requested by httpd. /var/www/html/index.html may 
    be a mislabeled. /var/www/html/index.html default SELinux type is 
    httpd_sys_content_t, but its current type is admin_home_t. Changing 
    this file back to the default type, may fix your problem.
    ....(ٲ)....
    
    Allowing Access:  <==WnءInݭnݡI
    
    You can restore the default system context to this file by executing the
    restorecon command. restorecon '/var/www/html/index.html', if this file 
    is a directory, you can recursively restore using restorecon -R
    '/var/www/html/index.html'.
    
    Fix Command:
    
    /sbin/restorecon '/var/www/html/index.html'  <==Dp󶒨MFܡH
    
    Additional Information:  <==R@B~TI
    ....(Uٲ)....
    
    [root@www ~]# restorecon -Rv '/var/www/html/index.html'
    restorecon reset /var/www/html/index.html context unconfined_u:object_r:
    admin_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
    

    INOWSrܪaIAunӵۡyAllowing Accessz̭ܥhiBzA N^A SELinux ]wFIڭ̤WӤp`쪺 restorecon P chcon AN^DA setroubleshoot ѪThĤFaIޥXFԣ SELinux DAʎjb setroubleshoot AȤN|iDAMDIҥHAܦhF賣έII


    • email ΦbOCW^ setroubleshoot h~T

    pGCon /var/log/messages hRAuOꐷЪ[IS}YAڭ̥iHzL email console 覡ӱNT͡I]NOAڭ̥iH setroubleshoot DʪoeͪTڭ̫w emailAo˥iHKڭ̧YɪRIHNק setroubleshoot ]wɧYiCAiHd\ /etc/setroubleshoot/setroubleshoot.cfg oɮתeAڭ̥uݭnק諸apUG

    [root@www ~]# vim /etc/setroubleshoot/setroubleshoot.cfg
    [email]
    # jb 81 楪kAonsb~I
    recipients_filepath = /var/lib/setroubleshoot/email_alert_recipients
    
    # jb 147 楪kAN쥻 False ק令 True I
    console = True
    
    [root@www ~]# vim /var/lib/setroubleshoot/email_alert_recipients
    root@localhost
    your@email.address
    
    [root@www ~]# /etc/init.d/auditd restart
    

    ANiHzLRA email Өo SELinux h~ToID`̔xaIuOn`NAWzg email ɮפA ugbAAnsP @localhost gWAo˥EW root ~বHINo̔xI ^_^


    • SELinux h~JA`

    ڭ̨̔x`aI]AsunqL SELinux ~vPw~^~ rwx vC SELinux DnSG (1)ݭnqLFUWh (2)~^i SELinux type wʥ媺Aoⶵu@onT~Cӫ SELinux קDnOzL chcon, restorecon, setsebool ΫOӳBzCOpBzOHiHzLR /var/log/messages Ѫ setroubleshoot TӳBmIo˴NܻPiH޲zA SELinux oI

    OpG]Yǭ]A|Ҩӻ CentOS SWd쪺 setroubleshoot TɡAiAROLkAƱ쩳O̥XhC ɧڭ̷|o˫ijG

    1. bAȻP rwx vSDAoLk\ϥκAȮɡF
    2. ϥ setenforce 0 ]weeҦF
    3. AϥMAȡApGo˴NΡA SELinux XDAЩU~BzCpGoRΡADNOb SELinux WIЦALMkAUʧ@AXAF
    4. R /var/log/messages TA sealert -l }TåBF
    5. Allow Access }grAӸ̭ʧ@Ӷi SELinux h~JAF
    6. Bzܭs setenforce 1 AAAȧaI

    o˴N^ܻP޲zA SELinux TIݭnQӦhIRnɴNTI

    Tips:
    SmĤ@קo SELinux ɡAb sealert @X{h~ATG query_alert error (1003)... ӸgLsnASo{LkH UTF8 irXDIb˸̫ROקF /etc/sysconfig/i18n ṊƳ]wG LANG=en_US åBs}EA~Q_ sealert TIuOܩI

    jADϥ7.5 Q@᪺DE״_u@

    pGADEQ@ӳQoavܡAӧA]ѩADEʱݭnAҥHb̵uɶo{@ƥA MpwoӳQJIDEӭ״_HpGAn״_ܡAAoӺޤHRݭnB~ޯH Uڭ̴Nӽͤ@͡C


    pADϥ7.5.1 ޤHRQޯ

    qزĤ@p`RSAA|o{RuO}ALݭn@~t@w{תxA {ǪB@PvyhݭnAA_hNꐷФFIF@~ty~A ̺RݭnԣSޥOHSMݭn[I@DE̱`oͰDpA Oѡy~ΩҲͪzAҥH[AAuަnDEӤwOySkʎDzTI UNӽͽͧARݭnԣޥOH

    • AOݭnO@eG

      ڪѧoARnDOݭnO@rHShANOpIѭڭ̪DDEJIkSA AAunHbADEeAƳi|o͡I]ApGADESnA СynHaIzAiHѦҤ@UiJ|byi઺ȡz̭nѨ@qƪxסI ^_^""

      • wGଔNaI
      • nGR]ṱnƩOI

    • w« (Black hats) JIG

      oiO}AO«ȧrIoO]쥻bqvSAaHOr¦UlA ҥHeH̴Nٺ@̬ Black hats TIbwo譱@̮ɡAFYިnJ~A RݭnSO쥻ADEHINڭ̤pӻAnHnBʹNHKLTI LnwKXOLbۦPnOAANRLIΨHaΥLKXnJADEAï}aADEA iNovFIpGOj~ܡAuϥκɡA]nίŪOI ^_^

    • DEwơG

      SnAFh}ߡAROh}ߡIJNRnɡA``Wݬݳ̷swqiAoO̰䪺I R]tFḨ֪tקsDnI]AV֧sAnANV֥iHʎ«ȪJII

    • WhqwG

      oꐷФ@TI]Aݭn_AIHǫΤƪw]wI 򻡩OHnֱoOApGAWhqwoӦhɭԡA @Ӹƫʥ]NngLVh}d~৹㪺qLAHiJDEIKKI oiOSOɶI|yDEįणISOdNo@IOI

    • Yɺ@ADEG

      N^軡AAݭnHɺ@ADEA]AO@g]wNΦbALFI ]AAYKA]||}IoǺ|}]AWh]w}BQθsJI޳NB QΧAHn骺AȺ|}ΆΡIҥHAݭnYɺ@ADErIo譱FR log files ~A]iH]ѧYɰӶioӤu@IҦp PortSentry NOZh@MnOI

    • }n|Vmҵ{G

      OҦHOq@AרM{bTzOMܦhE||Jq؈rI oӮɭԡAnֱoOAڭ̹󤺈kq`SӦhWdApGLΤqhaƫH ɭROLߪҥHAݭnSO|Vmҵ{rIo]OqݭnުD]@I

    • QpeG

      ѦAHiQ֧rIHDɭԷ|ja_Bڭ̤]DɭԷ|Mwбh ҥHAQpeOSnI~AjySH|LDEO 100% waI pGAtQJIAyƪlɡAAnp_ADE[HI@Ө}n޲zHA LɵL賣|i歫nƪQIܭn[Io@аѦҤ@U߽g Linux DEQeaI ڭ̦b᭱hݳsuAظ`]|@ӫܴΪ rsync uAAiH@@I

    pADϥ7.5.2 DE@_u@y{

    ҿסyʱK@z[AHOA`|Ҽ{gpAU@ADEN]oy@zfPQJIFA MHѤWSAڭ̪Dy}zOYA]L|bAtU}ӫ (Back door) @̥iHnJADEAӥBR|JA Linux W{AA䤣M}{IH

    ܦhBͳߺDyϥunN root KX^ӴNnFz o˪[IAWAˤ@DEROQ~MI[IҥHA U@ADEQJIFA̦nkROyswULinux z|۲bI

    Mp󭫷swUOHܦhBͤ@AawUAo@AaQJI㬰OH]LSyOVz[II Uڭ̴Nӽͤ@͡A@QJIDERMp״_nH

    1. ߧYްuG

      JMo{QJIFAĤ@ƱNO\I\̔x@k۵MNOޱuFI WAu̥Dn\ణFO@ۤv~ARiHO@PkLDEC򻡩OH| 2003 ~ 8 ofefrnFAL|PVPkLDEIҥHAްuAhݪ@̥ߧYNLkiJA Linux DEAӥBARiHO@kL}DE[I

    2. RnɸTAjMi઺JI~|G

      QJIAMOunswUNnARݭnB~R yڪDEo@|QJIAOpJIHzA pGA^XDIA򤣦A Linux \OߨWjFADE]|VӶVwI ӦpGADpXQJIi~|A򭫷swUAUROiQHP˪kJI[I ꐷЪTInFAMpXJI~|OH

      • RnGCŪ cracker q`ȬOQΤunӤJIAtAҥHڭ̥iH]ѤR@ǥDnnɨӧX誺 IP HΥi঳D|}CiHR /var/log/messages, /var/log/secure RQ last OӧXWnJ̪TC

      • ˬdDE}񪺪AGܦh Linux ϥΪ̱``ֱoۤvtW}Fh֪AȡHڭ̻LACӪAȳ|}Ϊ̬ORMťΪWjΪ̬O\A ҥHAXAtWAȡAåBˬd@UCӪAȬO_|}AΪ̬Ob]wWFʥAM@Ӥ@ӪzaI

      • d Internet WwqNG zLwqNA@U̷s|}TAwADNbWI

    3. nƷQG

      DEQJIAoDSYAOH]DEWSnƔ[IpGDEWSnơA ^swUNnFIҥHAQJIAˬdFJI~|AAӴNOnQnƤFC nFAݭӰDAOynzHwho, ps, ls ΆΫOOnƶܡHRO httpd.conf γ]wɬOnơHSΪ̬O /etc/passwd, /etc/shadow ~OnơH

      I򥻤WAnRMOyD Linux tW즳zAҦp /etc/passwd, /etc/shadow, WWW , /home ̭ϥΪ̭nɮ׆ΆΡAܩ /etc/*, /usr/, /var ΥؿUơANoݭnQFC `NGnQ@ binary ɡA] Linux twUܫ᥻ӴNoɮסA~A oɮפ]ܦiywgQJLFzAQoǸơAϦӳyUtRO۲bI

    4. sswUG

      QFơAAӴNOswU Linux tFCӦbowUA A̦nܾAXAۤvwUnYiAnn鳣LwUWh[IMII

    5. n骺|}׸ɡG

      Oo[AswUܤAХߧYsAtnA_hRO|QJITImwbL۲bUN Internet W|}׸ɳnUUӡAMN_ӡAM᮳ۤvwUtWAmount CD LsAsAåB]wF}EAPɶiU@BJy }βݭnAzAڤ~NuAWDEdWI ]mTwbwUܫAsW Internet hsn骺oqɶA||SJI@....

    6. }βݭnAȡG

      oӭnʤݭnAFaHIťζV֪AȡAtSMiHQJIiʴNCC

    7. Ʀ^_P_Aȳ]wG

      QƭnԒ򪺽ƻs^ӨtAPɱNtAȦAs}AЪ`NA oǪAȪ]w̦n^AT{@UAקK@ǤS]wӋbYI

    8. sW InternetG

      Ҧu@i檺thFA~N讳u^WӧaI_DEB@FI

    gLo@sꪺʧ@AADERM|_۲bAR౼HߡA ̦nROѦҨ]wAåBh譱Ѧ Internet W@ǦѤ⪺gAnADEiHw@ǡI


    jADϥI^U
    • nިnJAӷDEAonAʥ]SʡAoDn]A TCP/IP ʥ]wA Hέn Socket Pair AYӷP؊A IP P port ΡCb TCP ʥ]譱AhRoA SYN/ACK Ϋʥ]AF
    • ʥ]niJڭ Linux EAܤֻݭnqL (1) (2)Aȥ޲z (3)SELinux (4)oɮת rwx vΨBJF
    • DE򥻫O@@ANO֦Tv]wCӽzv]wiHQ ACL Ϊ̬O SELinux ӻUF
    • } SELinux ib /etc/selinux/config ɮפ]wAib֤ߥ\त[J selinux=0 ءF
    • rootkit @Ro root uœAAiHQ rkhunter ӬdߧADEO_QĤJ rootkitF
    • ޤHRM`Nbu|VmRDEQפWF
    • @ǩҿת«ȳnAXGOzLA Linux Wn|}ӧ@ Linux DEF
    • nɯŬOwQJI̦Ĥk@F
    • }nnɤRߺDiHbuɶo{t|}Aå[H״_C

    jADϥҫm
    • ڦѬOo{ڪtǩǪAGIyҼˡAhåiO CPU tӤjAҥHnhˬd@Ut}TCаݡAMHOhˬdڪt}TH
      iHϥ top, sar, free, ps -aux, uptime, last Υ\hdߨt}TIMAH kill ORF
    • hçڪtWLh㦳 SUID ɮצsbAfP@ϥΪ̥iHHNo root vAаݡAڭnpXoǨ㦳 SUID vɮסH
      ] SUID O 4000 ovҼˡAҥHڥiHo˰G
      find / -perm +4000
    • ڥѰꤺ@ ftp WUF Red Hat qXnAڷQwULASDMnɮ׬O_QקLI аݧMpTwoӳn骺iΩʡH
      Qγ̔ MD5 sXӴ@UAҦpy md5sum nW١zAAPlnX MD5 ӋڬO_ۦPIH
    • pGڵo{ϥΡy setfacl -m u:dmtsai:rwx /path/to/file zɡAtoܡysetfacl: Operation not supportedzA A{O̥XDH
      oOѩA filesystem Sť ACL 䴩AΪ̬Ot֤ߤ䴩C Хϥ mount -o remount,acl /mount_point ݯ_䴩 ACL AY䴩ɡAhiOѩ֤ߪӂHFC
    • pGn]w dmtsai iHϥ /home/project oӥؿ (] /home wg䴩 ACL)AbMؿ dmtsai iH֦㪺vCаMp]wMؿH
      Fϥ setfacl -m u:dmtsai:rwx /home/project ~ARݭn]w setfacl -m m:rwx /home/project A ] ACL bؿ譱AzLϥΪv mask ޿B~ͮġI
    • SELinux O_H
      SELinux ëDALOΨӧ@Nv]w@Ӯ֤߼œC
    • }nKXWُOQDEĤ@nȡAа Linux tSA}KX}ɮ׻PWh]wbɮ׸̭H
      KX]wWhb /etc/login.defs ̭IܩKXɮצb /etc/shadow I
    • ̔AS@DEQJIARMpBzH
      XDBswUB|}׸ɡBRIаѦҥس̫@`C

    jADϥѦҸƻP\Ū

    2002/08/12GĤ@I
    2003/08/23GssƻPW[I^UBҫm
    2006/08/31GNHزʨBC
    2006/09/06GW[ SELinux ̔xAW[ ACL ءI
    2010/09/06GNH CentOS 4.x gزʦBC
    2010/09/09G]x¨ϥ CentOS A]F apt s\oI
    2010/09/21GNH suf P ɯųn ʨsؿhFI
    2010/09/21GR\hƥ]A(1)I^U/(2)ҫm/(3)\ŪRSJnCuOio@ӤwC
    2011/07/20GN CentOS 5.x زʨBC
    2011/07/21GSELinux RuO[Iק令 CentOS 6.x ҼTI

    http://www.okfdzs1903.com is designed by VBird during 2001-2011. ksu.edu