clamav

92번은 안전한가?
점검사항
1. 하드디스크 장착을 통해 관리가 편리한가?
sdb1 /home 장착
df -h
2.백업은 진행되는가?
파일백업만 진행중
myBackup.sh
#!/bin/sh
set $(date)
fname="master_backup_$1$2$3.tar.xz"
tar cfJ /backup/$fname /home

cat /etc/crontab
35 15   * * *   root   /home/master/myBackup.sh
00 04   * * *   root    /home/master/myBackup.sh
10 04   * * *   root    /home/master/rsync.sh
데이터베이스 백업은?


0. 서버는 작동하는가?
192.168.0.211

> 설정된 IP는 10.0.2.15 (NAT)
> 운영중인 서비스는 무엇인가?
netstat -ant
21,22,53,80,3306
21 : ftp
22 : ssh
53 : dns
80 : http
3306 : mysql

1. 서버 사용자는 누구인가?
cd /home
cat /etc/passwd
cat /etc/shadow

2. 하드디스크 장착을 통해 관리가 편리한가?
sdb1 /home 장착
df -h

계정에 하드디스크 용량 100G > 1G씩만 쓰게 해준다
일정 공간을 할당 (쿼터)

4. 이차 백업은 진행되는가?
#!/bin/sh
SOURCE_DIR="/backup"
DESTINATION_DIR="192.168.0.91::backup"
rsync -av --delete --exclude-from=/etc/rsync_exclude.lst $SOURCE_DIR/ $DESTINATION_DIR/

3. 접근권한은 설정되어 있는가?
tcpwarpper
cat /etc/hosts.allow (sshd: 192.168.0.211)
cat /etc/hosta.deny (ALL:ALL)

4. 파일무결성에 대한 대응은 하고 있는가?
tripwire : 모든 파일에 해시값 구하기

해시값은 내용을 수정하면 바뀐다 (파일명을 바꾼다고 해서 바뀌는 건 아님)

/backup
/boot
/etc
/lib
/mnt
/proc
/run
/snap
/tmp
/var
/bin
/dev
/home
/media
/opt
/root
/srv
/sys
/usr

단>80>webshell.php


sudo apt -y install tripwire (IDS: Intrusion Dectection System)
cd /etc/tripwire
nano twcfg.txt
REPORTLEVEL=4
ROOT          =/usr/sbin
POLFILE       =/etc/tripwire/tw.pol
DBFILE        =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE    =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE   =/etc/tripwire/site.key
LOCALKEYFILE  =/etc/tripwire/$(HOSTNAME)-local.key

twadmin -m F -c tw.cfg -S site.key twcfg.txt

nano twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#     perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while () {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
-----------------------------------------------------------
perl twpolmake.pl twpol.txt > twpol.txt.new 
twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new 
tripwire -m i -s -c tw.cfg
tripwire -m c -s -c /etc/tripwire/tw.cfg
ll /var/lib/tripwire/report 
tripwire -m u -a -s -c /etc/tripwire/tw.cfg -r /var/lib/tripwire/report/dlp.srv.world-20160620-135411.twr 





5. 악성코드 탐지는 가능한가?
clamav
sudo apt -y install clamav
sudo sed -i -e "s/^NotifyClamd/#NotifyClamd/g" /etc/clamav/freshclam.conf 
sudo nano /etc/clamav/freshclam.conf

systemctl stop clamav-freshclam
freshclam
systemctl start clamav-freshclam
cd /home/master
sudo clamscan --infected --remove --recursive /home
wget http://www.eicar.org/download/eicar.com 
sudo clamscan --infected --remove --recursive ./

6. ssh로그인시 알람기능은 활성화 했는가?
cat /etc/profile
#add
IP="$(echo $SSH_CONNECTION | cut -d " " -f 1)"
HOSTNAME=$(hostname)
NOW=$(date +"%e %b %Y, %a %r")
echo 'Someone from '$IP' logged into st '$HOSTNAME' on '$NOW'.' | mail -s 'SSH Login Notification'  log@jeonjucom.kr

7. 서버 모니터링은 활성화 했는가?
sudo apt -y install netdata
sudo nano /etc/netdata/netdata.conf

192.168.0.211:19999
systemctl restart netdata
(포트포워딩)


nano myBackup.sh
#!/bin/sh
set $(date)
fname="egw_backup_$1$2$3.tar.xz"
tar cfJ /backup/$fname /home/egw/public_html

cat /etc/crontab
35 15	* * * 	/root	/home/egw/myBackup.sh #추가


DB백업