38일차
10.10.10.1 > st.kr 22001로 접속 가능하도록 설정
10.10.10.2 > st.kr 22002로 접속 가능하도록 설정
10.10.10.3 > st.kr 22003로 접속 가능하도록 설정
서버 모니터링 시스템 설치
sudo apt -y install netdata
sudo apt -y install sysstat
sudo apt -y install awstats
nano /etc/awstats/awstats.conf
# line 126 : set [1] if httpd log format is [combined]
# for [common], set [4]
LogFormat=1
# line 157 : set hostname
SiteDomain="st.kr"
# line 172 : set domains or IP addresses you'd like to exclude on reports
HostAliases="localhost 127.0.0.1 REGEX[^.*www\.srv\.world$]"
nano /etc/apache2/conf-available/awstats.conf
# create new
Alias /awstats-icon/ /usr/share/awstats/icon/
Alias /awstatsclasses/ /usr/share/java/awstats/
Options FollowSymLinks
AllowOverride None
# access permission for your local network only (set the CIDR below to your own LAN range)
Require ip 127.0.0.1 0.0.0.0/24
a2enconf awstats
a2enmod cgid
systemctl restart apache2
/usr/share/awstats/tools/update.sh
/usr/share/awstats/tools/buildstatic.sh
192.168.0.207/cgi-bin/awstats.pl
sudo apt -y install prometheus prometheus-node-exporter
sudo apt -y install aide
wget https://repo.zabbix.com/zabbix/6.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_6.0-3+ubuntu22.04_all.deb
dpkg -i zabbix-release_6.0-3+ubuntu22.04_all.deb
apt update
apt -y install zabbix-server-mysql zabbix-frontend-php zabbix-apache-conf zabbix-sql-scripts zabbix-agent2 php-mysql php-gd php-bcmath php-net-socket
fdisk -l
fdisk /dev/sdf
mkfs.ext4 /dev/sdf1
vgs로 여유공간 확인
pvcreate /dev/sdf1
vgextend /dev/ubuntu-vg /dev/sdf1
lvextend -L +25G /dev/ubuntu-vg/ubuntu-lv
resize2fs /dev/ubuntu-vg/ubuntu-lv
df -h
모니터링 프로그램 설치
무결성 검증 프로그램 설치
보안 프로그램 설치, 사이트 개발 완료 후 전체적으로 해시값 저장
tripwire 설치
sudo apt-get install tripwire > 무결성 확인
cd /etc/tripwire
nano twcfg.txt
twadmin -m F -c tw.cfg -S site.key twcfg.txt
nano twpolmake.pl
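#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
# Reads the Tripwire policy file named by the first argument and writes
# an adjusted copy to STDOUT, one line per input line:
#   * a "HOSTNAME = ... ;" line is rewritten to this machine's `hostname`
#     when the two differ;
#   * inside a rule block ("{" ... "}") every "/path -> mask;" line is
#     commented out when /path does not exist (or has zero size), and an
#     already-commented rule is re-enabled when /path does exist;
#   * the /sbin/e2fsadm rule gets its trailing "tune2fs" entry commented.
# Every other line is passed through unchanged.
#
# Dies when no file name is given or the file cannot be opened/closed.
use strict;
use warnings;

my $polfile = $ARGV[0];
defined $polfile or die "usage: perl twpolmake.pl {Pol file}\n";

# Three-argument open: the file name is a path only, never a mode.
open my $pol_fh, '<', $polfile or die "open error: $polfile: $!";

my $myhost;
my $inrule = 0;    # 1 while we are between a "{" and the matching "}"

while (my $line = <$pol_fh>) {
    chomp $line;

    if (my ($thost) = $line =~ /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname`;
        chomp $myhost;
        $line = "HOSTNAME=\"$myhost\";" if $thost ne $myhost;
    }
    elsif ($line =~ /^\{/) {
        $inrule = 1;
    }
    elsif ($line =~ /^\}/) {
        $inrule = 0;
    }
    elsif ($inrule == 1
        and my ($sharp, $tpath, $cond) = $line =~ /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # Strip an existing comment marker and remember whether there was one
        # (s///g returns the count, or an empty string when nothing matched).
        my $was_commented = ($sharp =~ s/\#//g) ? 1 : 0;

        if ($tpath eq '/sbin/e2fsadm') {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }

        if (! -s $tpath) {
            # Object is absent or empty on this host: disable the rule,
            # but leave a rule that was already commented exactly as it was.
            $line = "$sharp#$tpath$cond" if $was_commented == 0;
        }
        else {
            # Object exists: emit the rule without any comment marker.
            $line = "$sharp$tpath$cond";
        }
    }

    print "$line\n";
}

close $pol_fh or die "close error: $polfile: $!";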
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
tripwire -m c -s -c /etc/tripwire/tw.cfg
tripwire -m i -s -c tw.cfg
ll /var/lib/tripwire/report
tripwire -m u -a -s -c /etc/tripwire/tw.cfg \
-r /var/lib/tripwire/report/dlp.srv.world-20181129-140452.twr
http://st.kr -> https://st.kr
웹 방화벽
mod_security (Web Application Firewall)
apt -y install libapache2-mod-security2
apt -y install roundcube roundcube-mysql
self https: 자체 인증서
공인 인증서: 대행 업체 (letsencrypt.org)
sudo apt -y install certbot
certbot certonly --webroot -w /home/web1/public_html -d web1.st.kr
시나리오2
컴퓨터는 언제 부팅 되었는가
사용자는 누구
관리자는 몇번 시스템에 로그인 했나
해커가 정보 수집을 하는 시간은 언제인가
무슨 정보를 수집하려 했는가
서버 (netData,.....)
공격을 했나
공격을 했다면 무슨 흔적들이 남는가
웹서버에 파일이 업로드 되었는가
관리자가 파일을 다운로드 받았는가
받고 실행은 했는가