2019/01/11

APM 설치

Lee 브릿즈 서버 포팅
=========================
OS 64bit vmware CentOS6.5

# Samba from the distribution repository; it is the file share used for the
# server port described in the heading above.
yum install samba

삼바 root 접근 시 문제 발생.
CentOS 보안 정책이 활성화된 상태.
# Drops every rule in the filter table; afterwards only the chain policies
# decide what passes, i.e. any host firewall that was configured is gone
# (the note below disables SELinux as well).
iptables --flush
selinux 비활성화.

apm 설치 스크립트 분석
=======================
보안 그룹 핸들링
================
wheel : 외부에서 root로 바로 로그인 못하게 막고 일반 유저로 접근할 수 있도록 세팅
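# Hand a set of diagnostic, build and network tools (plus a few config files)
# to the wheel group.  This pass only changes group ownership; the chmod 750
# pass below is what actually removes access for other users.  The original
# list named finger, whereis and last twice; each path is listed once here.
# NOTE(review): /bin/df, /bin/grep, /bin/egrep, /bin/ping, /bin/netstat,
# /usr/bin/ftp, rz, sz, /bin/dmesg, hosts.allow/deny and named.conf get a new
# group here but are not in the chmod 750 list below, so their access is not
# restricted -- confirm whether that was intended.
wheel_group_paths=(
  /usr/bin/finger
  /usr/bin/nslookup
  /usr/bin/gcc
  /usr/bin/whereis
  /usr/bin/cc
  /usr/bin/c++
  /usr/bin/make
  /usr/bin/pstree
  /usr/bin/rlog
  /usr/bin/rlogin
  /usr/bin/which
  /usr/bin/who
  /usr/bin/w
  /bin/mail
  /usr/sbin/sendmail
  /usr/lib/sendmail
  /usr/bin/top
  /usr/bin/free
  /usr/bin/last
  /usr/bin/wget
  /etc/hosts
  /etc/hosts.deny
  /etc/hosts.allow
  /etc/named.conf
  /bin/df
  /bin/grep
  /bin/egrep
  /bin/ping
  /bin/netstat
  /usr/bin/ftp
  /usr/bin/rz
  /usr/bin/sz
  /bin/ps
  /bin/dmesg
)
for p in "${wheel_group_paths[@]}"; do
  if [[ -e "$p" ]]; then
    chgrp wheel -- "$p"
  else
    # not every tool exists on every release (named.conf, rlog, ...); say so
    # instead of letting chgrp print a generic error
    printf 'skip (not present): %s\n' "$p" >&2
  fi
done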

보안 사용자 권한 핸들링
=======================
chmod 750 : 보안에 취약한 명령어는 관리자 권한을 적용한다.
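# Mode 750: the tools below stay usable for root and the wheel group only.
wheel_only_tools=(
  /usr/bin/finger
  /usr/bin/nslookup
  /usr/bin/gcc
  /usr/bin/whereis
  /usr/bin/cc
  /usr/bin/c++
  /usr/bin/make
  /usr/bin/pstree
  /usr/bin/rlog
  /usr/bin/rlogin
  /usr/bin/which
  /usr/bin/who
  /usr/bin/w
  /bin/mail
  /usr/sbin/sendmail
  /usr/lib/sendmail
  /usr/bin/top
  /usr/bin/free
  /usr/bin/last
  /usr/bin/wget
  /bin/ps
)
for p in "${wheel_only_tools[@]}"; do
  if [[ -e "$p" ]]; then
    chmod 750 -- "$p"
  else
    printf 'skip (not present): %s\n' "$p" >&2
  fi
done
# /etc/hosts is not a tool: every process that resolves a name reads it,
# including the mysql and apache service accounts created later, which are
# not in wheel.  The original set it to 750, which makes "localhost" lookups
# fail for those services, so it is kept world-readable.
chmod 644 -- /etc/hosts
sleep 1
echo "Done"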

보안에 취약한 사용자 삭제.
==========================
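# Remove legacy system accounts that nothing on this host uses.
# The original listed "game", which is not a CentOS account; the account is
# "games" (the matching "games" group is removed in the next step).
for u in adm lp shutdown halt news uucp operator games gopher sync; do
  userdel "$u"
done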

보안에 취약한 그룹 삭제.
========================
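# Remove legacy groups.  "games" and "dip" appeared twice in the original
# list; the second groupdel only produced an error.
# NOTE(review): the "ftp" group is removed although vsftpd is enabled further
# down; confirm the vsftpd build does not reference it (anonymous access is
# disabled at the end of the script).
for g in adm lp games gopher ftp dip news uucp; do
  groupdel "$g"
done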

보안에 취약한 서비스 부팅 런레벨 보안정책
=========================================
# Boot-time services for runlevels 3, 4 and 5.  Everything not needed for a
# web/database host is switched off; mail (dovecot, saslauthd) and FTP
# (vsftpd) are switched on.  Several of these names belong to older CentOS
# releases (kudzu, pcmcia, portmap, rawdevices, ...); chkconfig simply
# reports the ones that do not exist.
disabled_services=(
  acpid anacron apmd atd autofs cpuspeed cups gpm haldaemon iiim
  irqbalance isdn kudzu mdmonitor messagebus microcode_ctl netfs nfslock
  openibd pcmcia portmap rawdevices readahead readahead_early rpcgssd
  rpcidmapd smartd xfs
)
# FTP carries credentials and data unencrypted; anonymous access is disabled
# and local users are chrooted at the end of the script.
enabled_services=(dovecot saslauthd vsftpd)

for svc in "${disabled_services[@]}"; do
  chkconfig --level 345 "$svc" off
done
for svc in "${enabled_services[@]}"; do
  chkconfig --level 345 "$svc" on
done

서비스 목록 권한 변경
======================
# Init scripts and the xinetd configuration are readable and runnable by
# root only.
chmod -R 0700 -- /etc/rc.d/init.d/*
chmod 0600 -- /etc/xinetd.conf

필요한 서비스 목록 정의 파일.
============================
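# Replace /etc/services with the curated list shipped next to this script.
# Say so explicitly when the file is missing (the bare mv only printed a
# generic error) and keep a copy of the distribution file so the original
# port map can be restored.
if [[ -f services ]]; then
  [[ -e /etc/services.orig ]] || cp -p -- /etc/services /etc/services.orig
  mv -- services /etc/services
else
  printf 'services: file not found in %s; /etc/services left unchanged\n' "$PWD" >&2
fi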

데이터베이스 설치
=================
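# Build a static MySQL 4.x under /usr/local/mysql.
tar zxvf mysql-4.*.* || exit 1

# `cd mysql-4.*.*` matched the tarball as well as the extracted directory,
# which makes bash's cd fail ("too many arguments") and the configure below
# run in whatever directory the script is in.  A trailing slash limits the
# glob to directories.
cd mysql-4.*.*/ || exit 1

# NOTE(review): -march=i686 and the fully static link describe a 32-bit
# build, while the notes above say the host is 64-bit CentOS 6.5 -- confirm
# the toolchain accepts these flags before relying on this step.
CFLAGS="-static -O2 -march=i686 -funroll-loops" \
CXXFLAGS="-static -O2 -march=i686 -funroll-loops -felide-constructors -fno-exceptions -fno-rtti" \
./configure --prefix=/usr/local/mysql \
--with-charset=euckr \
--disable-shared \
--enable-assembler \
--with-thread-safe-client \
--with-mysqld-user="mysql" \
--with-client-ldflags=-all-static \
--with-mysqld-ldflags=-all-static \
--with-readline \
--without-debug \
--without-docs || exit 1

# install only after a successful build; the original "make;make install"
# installed whatever was present even when the build had failed
make && make install || exit 1

# the bundled my-huge.cnf becomes the server configuration
rm -f -- /etc/my.cnf
cp -- /usr/local/mysql/share/mysql/my-huge.cnf /etc/my.cnf
/usr/local/mysql/bin/mysql_install_db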
데이터베이스 사용자 추가
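# Service account for mysqld: no home directory, no login shell.
/usr/sbin/useradd mysql -M -s /bin/false

# Binaries owned by root; only the data directory is writable by mysql.
chown -R root -- /usr/local/mysql
chown -R mysql:mysql -- /usr/local/mysql/var
chgrp -R mysql -- /usr/local/mysql

# Start the server at boot.  The mysqld variable is max_connect_errors
# (plural); the original "max_connect_error" is not a known variable.
echo "/usr/local/mysql/bin/mysqld_safe --language=korean --user=mysql -O max_connections=500 -O max_connect_errors=999999999  &" >> /etc/rc.d/rc.local

# "s -auxwww" in the original was a typo for ps.  The bracket pattern keeps
# the grep process itself out of the listing.  mysqld is only started at the
# end of the script, so this normally prints nothing here.
ps auxwww | grep '[m]ysqld'

sleep 2

# System-wide PATH.  The original also appended "." (the current directory),
# which makes a same-named file in whatever directory a user happens to be in
# take the place of a command; it is left out.
echo "PATH=\$PATH:/usr/local/mysql/bin" >> /etc/profile
source /etc/profile


echo "mysql install done!"
cd ../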

웹 서버 설치
============
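# Build Apache 2 under /usr/local/apache2 with most modules as shared objects
# and the unused ones (proxy, status, info, cgid, suexec, ...) left out.
tar zxvf httpd-2*.tar.gz || exit 1

# The source tree is found by globbing for directories only (trailing slash),
# so the tarball is not matched and the path no longer has to be edited by
# hand when the httpd version changes, as the original's hard-coded
# httpd-2.0.59/ required.  If several versions are unpacked side by side the
# last one in glob order is used.
srcdir=
for d in httpd-2*/; do
  srcdir=${d%/}
done
if [[ -z "$srcdir" || ! -d "$srcdir" ]]; then
  echo "httpd source directory not found" >&2
  exit 1
fi

# raise the compiled-in ServerLimit default of the prefork MPM
./chg "$srcdir/server/mpm/prefork/prefork.c" "define DEFAULT_SERVER_LIMIT 256" "define DEFAULT_SERVER_LIMIT 2048"

# `cd httpd-2*` matched the tarball as well, which makes bash's cd fail
cd "$srcdir" || exit 1

CFLAGS="-O2 -march=i686 -funroll-loops -fPIC"; export CFLAGS
./configure \
--prefix=/usr/local/apache2 \
--enable-access=shared \
--enable-actions=shared \
--enable-alias=shared \
--enable-auth=shared \
--enable-auth-dbm=shared \
--enable-auth-digest=shared \
--enable-autoindex=shared \
--enable-cern-meta=shared \
--enable-cgi=shared \
--enable-dav=shared \
--enable-dav-fs=shared \
--enable-dir=shared \
--enable-env=shared \
--enable-expires=shared \
--enable-file-cache=shared \
--enable-headers=shared \
--enable-include=shared \
--enable-log-config=shared \
--enable-mime=shared \
--enable-mime-magic=shared \
--enable-negotiation=shared \
--enable-rewrite=shared \
--enable-setenvif=shared \
--enable-speling=shared \
--enable-ssl=shared \
--enable-unique-id=shared \
--enable-usertrack=shared \
--enable-vhost-alias=shared \
--disable-auth-anon \
--disable-charset-lite \
--disable-disk-cache \
--disable-mem-cache \
--disable-cache \
--disable-deflate \
--disable-ext-filter \
--disable-case-filter \
--disable-case-filter-in \
--disable-example \
--disable-proxy \
--disable-proxy-connect \
--disable-proxy-ftp \
--disable-proxy-http \
--disable-status \
--disable-asis \
--disable-info \
--disable-suexec \
--disable-cgid \
--with-z \
--with-ssl \
--with-mpm=prefork || exit 1

# install only after a successful build
make && make install || exit 1

echo "Apache2 install done"

# Start httpd at boot.  (The mysqld entry above went to /etc/rc.d/rc.local;
# on CentOS 6 both names refer to the same file.)
echo "/usr/local/apache2/bin/apachectl start" >> /etc/rc.local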

웹 언어 PHP 설치
================
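# Compression and image libraries the PHP build below links against.
# Each cd is checked so that a missing archive does not make the following
# make/cp run in the wrong directory, and install only follows a successful
# build.
# NOTE(review): libjpeg.a and libgd* are copied into /usr/lib; on an x86_64
# host the 64-bit library directory is /usr/lib64 -- confirm which one the
# toolchain searches.

tar zxvf zlib-1.2.1.tar.gz || exit 1
cd zlib-1.2.1 || exit 1
./configure && make && make install || exit 1
cp -f -- *.h /usr/local/include/
cd ..

tar zxvf freetype-2.1.5.tar.gz || exit 1
cd freetype-2.1.5 || exit 1
./configure && make && make install || exit 1
cd ..

tar zxvf libpng-1.2.5.tar.gz || exit 1
cd libpng-1.2.5 || exit 1
# libpng ships no configure script at this version; the Linux makefile is
# used directly and the results copied by hand
make -f scripts/makefile.linux || exit 1
cp -f -- *.h /usr/local/include/
cp -f -- lib* /usr/local/lib/
cd ../

tar zxvf jpegsrc.v6b.tar.gz || exit 1
cd jpeg-6b || exit 1
./configure && make && make install || exit 1
cp -f -- libjpeg.a /usr/lib/
cp -f -- *.h /usr/local/include/
cd ../

tar zxvf gd-2.0.34.tar.gz || exit 1
cd gd-2.0.34 || exit 1
./configure && make && make install || exit 1

cp -f -- libgd* /usr/lib/
cp -f -- *.h /usr/local/include/
cd ../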

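# Build PHP 5 as an Apache 2 module (apxs) against the MySQL and image
# libraries installed above.
tar zxvf php-5.*.*.tar.* || exit 1
# `cd php-5.*.*` matched the tarball as well as the extracted directory
# (bash: "too many arguments"); the trailing slash limits the glob to
# directories.
cd php-5.*.*/ || exit 1
CFLAGS="-O2 -march=i686 -funroll-loops -fPIC"; export CFLAGS
# NOTE(review): --enable-safe-mode and --enable-magic-quotes are PHP 5.2-era
# options; confirm the PHP release in the archive still accepts them.
# The MySQL socket is expected under /tmp, which any local user can write to.
./configure \
--prefix=/usr/local \
--with-apxs2=/usr/local/apache2/bin/apxs \
--with-openssl \
--with-zlib \
--with-iconv \
--with-gd=/usr/local \
--with-ttf \
--with-png \
--with-jpeg-dir=/usr/local \
--with-png-dir=/usr/local \
--with-freetype-dir=/usr/local \
--with-gmp \
--with-xml \
--with-mysql=/usr/local/mysql \
--with-mysql-sock=/tmp/mysql.sock \
--disable-debug \
--disable-posix \
--disable-rpath \
--enable-safe-mode \
--enable-magic-quotes \
--enable-bcmath \
--enable-dio \
--enable-gd-native-ttf \
--enable-sysvsem \
--enable-sysvshm \
--enable-wddx \
--enable-pic \
--enable-inline-optimization \
--enable-memory-limit \
--enable-ftp \
--enable-socket \
--enable-mbstring || exit 1
# install only after a successful build
make && make install || exit 1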


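# Apache: hand PHP files to the module and extend DirectoryIndex.
# The original edited httpd.conf by absolute line numbers (867, 426), which
# only fit one exact httpd release, and wrote the DirectoryIndex deletion to
# a copy named httpd.conf in the current directory instead of the live file,
# so the old directive was never removed.  Pattern-based edits are used
# instead.
httpd_conf=/usr/local/apache2/conf/httpd.conf
# NOTE(review): assumes the stock file has a single uncommented
# "DirectoryIndex ..." line -- confirm for the bundled httpd release.
sed -i 's/^[[:space:]]*DirectoryIndex .*/DirectoryIndex index.html index.htm index.cgi index.php index.php3 index.php4/' "$httpd_conf"
# AddType is a top-level directive, so it is appended rather than inserted
# at a fixed line.  .html and .htm are handed to PHP as well, as in the
# original.
echo 'AddType application/x-httpd-php .html .htm .php .php4' >> "$httpd_conf"

# Probe page used at the end of the script to verify the stack.  phpinfo()
# publishes the full build configuration, paths and environment to anyone
# who can reach the host, so remove the file once the check has been done.
# The file is read by httpd, not executed, so 644 is enough.
cat > /usr/local/apache2/htdocs/apm_ver.php <<'EOF'
<?
phpinfo();
?>
EOF
chmod 644 -- /usr/local/apache2/htdocs/apm_ver.php

cp -- php.ini-dist /usr/local/lib/php.ini

cd ../

# NOTE(review): register_globals=On lets request parameters initialise
# arbitrary PHP variables; it is the setting behind a large class of PHP
# application vulnerabilities and was removed from PHP in 5.4.  It is kept
# because the original enables it for legacy applications -- drop this line
# unless a deployed application demonstrably needs it.
./chg /usr/local/lib/php.ini "register_globals = Off" "register_globals = On"
./chg /usr/local/lib/php.ini "upload_max_filesize = 2M" "upload_max_filesize = 8M"
# remote URLs are no longer accepted as file paths by fopen/include
./chg /usr/local/lib/php.ini "allow_url_fopen = On" "allow_url_fopen = Off"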

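echo " Zend install"
sleep 2
tar xvfz ZendOptimizer-2.6.2-linux-glibc21-i386.tar.gz || exit 1
# `cd ZendOptimizer*` matched the tarball as well as the unpacked directory
# (bash: "too many arguments"); the trailing slash limits the glob to
# directories.
cd ZendOptimizer*/ || exit 1
mkdir -p /usr/local/Zend
# NOTE(review): 5_1_x_comp is the build for PHP 5.1 and i386; confirm it
# matches the PHP 5.* release configured above and the host architecture.
cp -- data/5_1_x_comp/ZendOptimizer.so /usr/local/Zend

# register the optimizer with the php.ini installed above
printf '%s\n' \
  '[Zend]' \
  'zend_optimizer.optimization_level=1023' \
  'zend_extension=/usr/local/Zend/ZendOptimizer.so' >> /usr/local/lib/php.ini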

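# Only root may read the Apache configuration directory.
chmod 700 -- /usr/local/apache2/conf
# Validate the configuration before starting anything; the original started
# httpd regardless of the test result.
if ! /usr/local/apache2/bin/httpd -t; then
  echo "httpd configuration test failed; not starting services" >&2
  exit 1
fi
sleep 2
/usr/local/apache2/bin/apachectl start
# max_connect_errors (plural) is the mysqld variable; the original
# "max_connect_error" is not a known variable.
/usr/local/mysql/bin/mysqld_safe --language=korean --user=mysql -O max_connections=500 -O max_connect_errors=999999999 &
# the bracket pattern keeps the grep process itself out of the listing
ps auxwww | grep '[h]ttpd'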

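cd ../
echo " SSH & VSFTPD Work! "
sleep 2
# Disable direct root logins over SSH; administrators log in as a wheel
# user (see the wheel note near the top) and escalate.  A non-root account
# that can log in must exist before this runs, or the host is unreachable
# over SSH afterwards.  The ./chg helper rewrites only the exact commented
# line shown; an already uncommented PermitRootLogin line is left as is --
# check the file after the run.
./chg /etc/ssh/sshd_config  "#PermitRootLogin yes" "PermitRootLogin no"

# vsftpd: confine local users to their home directory, no anonymous access.
# NOTE(review): the first ./chg replaces a comment line; if that comment is
# absent in this vsftpd's config, chroot_local_user is never set.
./chg /etc/vsftpd/vsftpd.conf "#enable for standalone mode" "chroot_local_user=YES"
./chg /etc/vsftpd/vsftpd.conf "anonymous_enable=YES" "anonymous_enable=NO"

# sshd and vsftpd are standalone services on CentOS 6 (vsftpd is enabled with
# chkconfig above), so restarting xinetd alone, as the original did, applied
# neither change.  sshd only re-reads its configuration (reload).
/sbin/service sshd reload
/sbin/service vsftpd restart
/sbin/service xinetd restart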


# Closing message; the probe page named here is the phpinfo() file created
# earlier.  The script always reports success at this point.
printf '%s\n' \
  "All Done' View This Site *** http://your ip/apm_ver.php" \
  "Have a nice day!!"

exit 0
