Mission 1
Modify the index.html of http://st.kr
st.kr > /var/www/html > root
Install a server monitoring system
sudo apt -y install netdata
nano /etc/netdata/netdata.conf
ip = 0.0.0.0
systemctl restart netdata
Port forwarding: 19999
Connect to https://192.168.0.208:19999
sudo apt -y install awstats
nano /etc/awstats/awstats.conf
# line 126 : set [1] if httpd log format is [combined]
# for [common], set [4]
LogFormat=1
# line 157 : set hostname
SiteDomain="st.kr"
# line 172 : set domains or IP addresses you'd like to exclude on reports
HostAliases="localhost 127.0.0.1 REGEX[^.*www\.srv\.world$]"
nano /etc/apache2/conf-available/awstats.conf
# create new
Alias /awstats-icon/ /usr/share/awstats/icon/
Alias /awstatsclasses/ /usr/share/java/awstats/
<Directory /usr/share/awstats>
Options FollowSymLinks
AllowOverride None
# access permission for your local network
Require ip 127.0.0.1 0.0.0.0/24
</Directory>
a2enconf awstats
a2enmod cgid
systemctl restart apache2
/usr/share/awstats/tools/update.sh
/usr/share/awstats/tools/buildstatic.sh
Connect to 192.168.0.208/cgi-bin/awstats.pl
How to extend disk capacity
Add a physical disk, then:
fdisk -l
fdisk /dev/sdf
mkfs.ext4 /dev/sdf1
Check the free space with vgs
pvcreate /dev/sdf1
vgextend /dev/ubuntu-vg /dev/sdf1
lvextend -L +25G /dev/ubuntu-vg/ubuntu-lv
resize2fs /dev/ubuntu-vg/ubuntu-lv
df -h
sudo apt-get install tripwire > integrity verification (detects whether file hash values have changed)
cd /etc/tripwire
nano twcfg.txt
twadmin -m F -c tw.cfg -S site.key twcfg.txt
nano twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {   # read the policy file line by line
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
tripwire -m c -s -c /etc/tripwire/tw.cfg
tripwire -m i -s -c tw.cfg
ll /var/lib/tripwire/report
tripwire -m u -a -s -c /etc/tripwire/tw.cfg \
-r /var/lib/tripwire/report/dlp.srv.world-20181129-140452.twr
Mission 2
Install a monitoring program
Install an integrity-verification program / security program > tripwire
After site development is complete,
store hash values for the whole site
http://st.kr
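The Tripwire steps above and the Mission 2 item "store hash values for the whole site" both come down to the same idea: take a hash baseline of the web root once it is finished, then compare the live tree against it. The following is an added example written for these notes (it is not Tripwire's code and not part of the original page) that does exactly that in Python: build a SHA-256 baseline, save it outside the tree, and report added, modified and removed files. The web root contents in demo() are constructed for the demonstration; /var/www/html from the notes is only what the temporary directory stands in for.

```python
# Added example, not part of the original notes: a minimal Tripwire-style
# file-integrity baseline.  It hashes every file under a directory, stores the
# digests, and later reports which files were added, modified or removed.
# The directory contents in demo() are constructed for the demonstration.
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 hex digest of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash real files only; a symlink target is hashed under its own path
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline as JSON (keep this file outside the tree it describes)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check_baseline(root, baseline):
    """Compare the tree under root with a saved baseline.

    Returns {"added": [...], "modified": [...], "removed": [...]} with sorted
    relative paths, the same three classes a Tripwire report distinguishes.
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a tiny web root, then alter it the way an
    edited index.html, a dropped script and a deleted asset would, and return
    the resulting report."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "html")          # stands in for /var/www/html
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>st.kr</h1>\n")
        with open(os.path.join(root, "css", "site.css"), "w") as f:
            f.write("body { margin: 0 }\n")

        db = os.path.join(work, "baseline.json")   # stored outside the web root
        save_baseline(build_baseline(root), db)

        # changes made after the baseline was taken
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>changed</h1>\n")
        with open(os.path.join(root, "new.php"), "w") as f:
            f.write("<?php /* constructed sample file */ ?>\n")
        os.remove(os.path.join(root, "css", "site.css"))

        return check_baseline(root, load_baseline(db))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see the report for the constructed scenario; for a real server, call build_baseline("/var/www/html") right after development is finished, save the result somewhere the web server account cannot write, and run check_baseline from a cron job or after any incident.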
Web application firewall
mod_security (Web Application Firewall)
sudo apt -y install libapache2-mod-security2
sudo apt -y install roundcube roundcube-mysql
https://st.kr
wget https://repo.zabbix.com/zabbix/6.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_6.0-3+ubuntu22.04_all.deb
dpkg -i zabbix-release_6.0-3+ubuntu22.04_all.deb
apt update
apt -y install zabbix-server-mysql zabbix-frontend-php zabbix-apache-conf zabbix-sql-scripts zabbix-agent2 php-mysql php-gd php-bcmath php-net-socket
Self-signed HTTPS : self-signed certificate
sudo apt -y install openssl
A real domain must be available, so this can only be used on a real (Internet-facing) server
Public CA certificate : issuing agency (letsencrypt.org)
sudo apt -y install certbot
certbot certonly --webroot -w /home/web1/public_html -d web1.st.kr
* Inside the GNS3 Windows VM, the UTM is at:
https://10.10.10.254:4444
https://10.10.10.1:19999
https://10.10.10.1/cgi-bin/awstats.pl
When was the computer booted?
20250208 16:05
Who is the user?
manager
How many times did the administrator log in to the system?
Check the registry
When did the hacker perform information gathering?
Server (netdata, etc.)
What information did they try to collect?
> Analyze packets (check the firewall / network)
Mission
192.168.0.208
naver.com / google.com
> nano /etc/bind/named.conf.default-zones
zone "naver.com" {
type master;
file "/etc/bind/naver.com.zone";
};
zone "google.com" {
type master;
file "/etc/bind/google.com.zone";
};
cp db.local naver.com.zone
cp db.local google.com.zone
nano /etc/bind/naver.com.zone
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS naver.com.
@ IN A 192.168.0.208
@ IN AAAA ::1
nano /etc/bind/google.com.zone
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS google.com.
@ IN A 192.168.0.208
@ IN AAAA ::1
systemctl restart named
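The two zone files above make the lab resolver answer for naver.com and google.com with the lab server's own address. From the investigator's side that is a clear footprint: a zone on a resolver that maps a domain the organisation does not own to a private or loopback address. The following is an added example (not part of the original notes and not BIND's code) that parses a zone file and flags exactly those records. SAMPLE_ZONE is a constructed copy of the naver.com zone above; OWN_DOMAINS is an assumption about which zones this server is legitimately authoritative for.

```python
# Added example, not part of the original notes: a checker for BIND zone files
# like the ones above.  It parses the records of a zone and flags A/AAAA
# records that map a domain the organisation does not own onto a private or
# loopback address, which is the footprint the naver.com / google.com zones
# leave on the lab resolver.  SAMPLE_ZONE is a constructed copy of the file in
# the notes; OWN_DOMAINS is an assumption about which zones are legitimate.
import ipaddress

OWN_DOMAINS = {"st.kr"}  # assumption: zones this server is meant to be authoritative for

SAMPLE_ZONE = """\
$TTL 604800
@ IN SOA localhost. root.localhost. (
 2 ; Serial
 604800 ; Refresh
 86400 ; Retry
 2419200 ; Expire
 604800 ) ; Negative Cache TTL
;
@ IN NS naver.com.
@ IN A 192.168.0.208
@ IN AAAA ::1
"""


def parse_zone(text, origin):
    """Return (owner, rtype, rdata) tuples for the single-line records in a zone.

    Handles @, relative and absolute owner names, a leading TTL and class,
    $ORIGIN, comments, and owner-less continuation lines; a parenthesised
    multi-line record such as the SOA is skipped.
    """
    records = []
    origin = origin.rstrip(".")
    last_owner = origin
    in_paren = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments, keep leading indent
        if not line.strip():
            continue
        if in_paren:                           # inside a ( ... ) record: skip until it closes
            in_paren = ")" not in line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):               # $TTL and other directives
            continue
        if "(" in line and ")" not in line:    # start of a multi-line record (the SOA)
            in_paren = True
            continue
        fields = line.split()
        if line[0].isspace():                  # blank owner: reuse the previous one
            owner, rest = last_owner, fields
        else:
            owner, rest = fields[0], fields[1:]
            if owner == "@":
                owner = origin
            elif owner.endswith("."):
                owner = owner.rstrip(".")
            else:
                owner = f"{owner}.{origin}"
        last_owner = owner
        if rest and rest[0].isdigit():                       # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):   # optional class
            rest = rest[1:]
        if len(rest) < 2:
            continue
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records


def suspicious_records(records, own_domains):
    """A/AAAA records for names outside own_domains that resolve to private,
    loopback or link-local space; on a resolver serving real users these are
    the records to investigate."""
    hits = []
    for owner, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        if any(owner == d or owner.endswith("." + d) for d in own_domains):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            hits.append((owner, rtype, rdata))
    return hits


def check_zone(text, origin, own_domains=OWN_DOMAINS):
    return suspicious_records(parse_zone(text, origin), own_domains)


if __name__ == "__main__":
    for hit in check_zone(SAMPLE_ZONE, "naver.com"):
        print("suspicious:", *hit)
```

The origin is passed in separately because BIND takes it from the zone statement in named.conf, not from the file; feeding each file listed there with its zone name reproduces what the server actually answers.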
UTM site blocking
Web Protection > Web Filtering > Web Filter Profiles > Filter Action
Change all --- to Block
Once applied, the sites are blocked
Was an attack carried out?
If an attack was carried out, what traces remain?
Was a file uploaded to the web server?
Did the administrator download a file?
After downloading it, was it executed?
Network NAT IP settings
10.0.2.15
10.0.2.2
10.0.2.15