qLĤ@g大A{bAӤwgQ Linux sW Internet FCOA Linux {b٬OwC ]Ab}lA]weAڭ̥nAtαjǡIHקKQcN cracker ҧڡIbo@A ڭ̷|Ыʥ]yVAMھڸӬyVӨqtαjƪy{I]AuW۰ʤɯšBAȺޱH SELinux C{bNAAoI |
bo@Aڭ̭nQתOAӦۤ@ӺWsunDQiJڭ̪DɡA
oӺʥ]biJDڨoƪӬy{OpHAѤFӬy{A
A~|o{GӨtξާ@OpnI
ӧA]~|AѭnpO@ADwoIܤֻA̻@@@C
bĤ@ڭ̴NLsuy{A |ҤlOƱAiHzѬԣ[]AݭnAѧ@~tΪ[Cbo@Aڭ̭nNӬy{ӽoƻA ]AzLoӬy{RAA|Dԣڭ̪DݭniL@Ǩ@AtΤ~jC~AzLĤGAA]AѤFOVAAPΤݳon IP:port ~n糊۷qC{bA]ADO WWW AAzLUϥܡAʥ]piJADOH
boǨBJ~Aڭ̪ Linux Hάn鳣iٷ|䴩nɰO\AFOv{A HKz̦bӪ~dPJIA}nRnɪߺDO@wnإߪAרO /var/log/messages P /var/log/secure oǭɮסIMUjDn Linux distribution jhXAXL̦ۤvnɤRnAҦp CentOS logwatch ALӳnäoAXҦ distributions AҥHզۤvgF@ logfile.sh shell scriptAAiHbU}Uӵ{G
nFAھڳoǬy{AAıo cracker oǭaJ˪ڭ̪tΩOHonQn}aA ڭ̤~QkӸɱjtιIUkoC
ڭ̥ 7.1-1 AѨƶǰe쥻ɩһݭngLXDuAvO̫᪺աI {bAӤMڭ̱``b¦g̭@ͨ]wTviHO@ADFaH cracker OpzLWzy{ٯAtΰڡHUNڭ̨ӤRRC
ھڥeRA{bADʥ]yVHΥDݭni檺@FCLAγ\٬Oü{ANOA
JMڳwgFAvްաBKXYKʰաBAn骺sաBSELinux յA
O_NSonOHOʥ]iJĤ@dIoYAiHyLePܡH...AFI
}YǪAȪAӻAAyڥ@ˡAOSΪIzOH
ھڳo˪RAڭ̥iHDAHɧstγnBsufHγzLҰ SELinux ӭAȪvAgLoT²檺BJAAtαNiHo۷jO@IMաA HΨtεnɤRu@Oݭni檺CN̾ڳoTIӲ`JСC
b{bںWAcracker bOӦhFIoǶH|QΤwgsbtκ|}AӶi氻BJIADC
]AFӬ[]𤧥~A̭n Linux `zu@ALn骺ɯŤFI
LApGϥΪٱonۤvC[wqAåDʥhdߦUj distribution woǺ|}ӴѤɯųn]A
uOӤHʤƤFI]AثeNܦhuWsX{FIFoǽuWsn骺qPkA
ڭ̨tκzbzDtΤWAiNPhoI
q`w˦n Linux A|}Ҩtιw]AMĤ@ƱNOitΧsաI O@M Linux Oo˰A]nקKnwDInFA Linux WnӦpisPɯũOH ٰOoAOpw˳n骺ܡHNO rpm, tarball P dpkg ܡH ҥHoAAnpGQnɯšANo̾ڷɧAw˸ӳn骺觋ӶiɯŰڡIӨCؤ觋AΩʡG
|ҨӻApGAtάO CentOS Aڭ̪DLϥΪO RPM nzҦApGAQnw B2D nHn`NA B2D Oϥ debian dpkg Ӻzn骺ĄäۦPڡInۦwˤFI ҥHAnɯŪܡAoAѨAtΤWnw˻Pzk~C
LAӯSרҡANOª Linux (Ҧp Red Hat 9) nɯŸӦpOnH ѩªn䴩ץӴNtAӷ~qΪ̬Os]SohߤObª䴩WA ҥHAAoӮɭԥiHܡG (1)ɯŨsAҦp CentOS 5.xAΪ̬O (2)Q Tarball ӦۦɯŮ֤PnCLAijɯŨsաA]nۦHʤ觋 Tarball w˨̷sAbOܶOɶOOAӥBٱon``d\xұX̷sA |L@hio͵LkwpC
ڭ̳ob Windows ҤUALѤ@ Live update إiH۰ʪuWɯšA ƦܫܦhrnP차n]XYɪuWsAp@ӥiHznb̷spA uOnڡIxIڭ̪ Linux O_o˪\HpGܡAtΦ۰ʶinɯšA NiHPSּ֤FHSITOo˪IҥHNڭ̨ӽͤ@ Linux uWɯžaI
b Linux ̱`nwˤ觋G RPM / Tarball / dpkg ATarball ѩoOlXA ҥHn Tarball ӧ@uW۰ʧsOӥii檺AҥHȯ RPM dpkg oسnz觋ӶiuWsFC
RPM P dpkg OҿתۨݩʶܡHoˤݭnߧoI]ڭ̪ RPM P dpkg nɮ׳@dzn骺TA æPɰOFn骺ۨݩ (Ooϥ rpm -q d߶)AҥHRoǰTèϥΤ@ǾNoǬ̸ۨTOUӫA AzL@B~\AN۰ʪRAtλPɳn𫗪tA åii@BARһݭnɯŻPۨݩʪnANiF۰ʤɯŪzQաI
ѩUa distributions bztΤWۤvWSQkAҥHbR RPM dpkg nP觋WNҤPA ]NUoǤPuWɯžաG
FoǤɯžåBP distribution @FAANAѨGyC distribution iHϥΪuWɯžۦPzڡIҥHаѦҧA distribution ҴѪӶiuWɯŪ]wI_hNonۦʤUwˤFI @_@
o̳Oϥ CentOS o Red Hat ۮe distributions ӤЪA]AUȤФF yum ӤwC LAyum wgAΩ CentOS, Red Hat Enterprise Linux, Fedora A]ӬOΪFI t~A¦g̭wgL rpm P yum ΪkAҥHbo̶ȬO[jлPsΪkӤwI
ڭ̴gb¦g̭L yum FAWLzOAڭ̪ CentOS |] yum AWYAUFxX RPM YMơAӸưFOC RPM n骺̩ۨʤ~A]F RPM ɮשҩme (repository) ҦbC]zLRoǸơAڭ̪ CentOS Nϥ yum hUPw˩һݭnnFI ԲӹϥܻPy{IoˡG
ѩAҤUMwgtҦxX RPM ɮתYۨݩʪYA ҥHpGAQnw˪n]tYǩ|w˪̳ۨnɡAڭ̪ yum |KAUһݭnLnAww˫A Aw˧AҹڻݭnnIqRBUwˡA@fdwI²檺աI
LA٬ODCpG@ɨϥ CentOS BͳqqsuP@ Yum AhUһݭn RPM ɮסAzI WeNܮeQzIHSYAҿתMgڡI CentOS b@ɦUaMgAoǬMg|Nx yum Aƽƻs@APɦbMgW]ѦP˪ yum \A]AAiHb@ yum AMgWUPw˳nCUO CentOS xWCXȬwaϬMg@G
{b yum SoA|۰ʪhRAD̪MgAM᪽ϥθӳMgD@A yum ӷA ]AyzפWzAݭnʥ]wAbxWAA CentOS N|ϥΥxWaϪ yum AoINo²I ҥHAUӴNڭ̪ӽͽͫϥ yum aI
yum zPϥΡAڭ̦b¦g̭wgOйLFA]UȴNnФ@UoIyum iuW۰ʤɯŦӤwAL٥iH@dߡBnsժwˡB骩ɯŵAnΪI ӽͽפ@U yum oӫOΪkaG
[root@www ~]# yum [option] [query-action] [arguments]
Options and arguments:
option: the main one is
  -y           : answer "yes" automatically whenever yum would ask
[query-action]: what to do, including:
  install      : install a package; followed by the package name
  update       : update packages; with no argument everything is updated, or name one package
  remove       : remove a package; followed by the package name
  search       : search package names and descriptions for a keyword
  list         : list every package yum knows about, like rpm -qa
  info         : the same, with details, like rpm -qai
  clean        : remove downloaded data from /var/cache/yum; takes one of
                 packages | headers | metadata | cache | all
Package-group actions:
  grouplist    : list the available package groups, e.g. Development Tools
  groupinfo    : followed by a group name; lists the packages in that group
  groupinstall : very handy; installs a whole package group at once
                 (--installroot=/some/path installs into another root)
  groupremove  : remove a package group

# Example 1: does CentOS provide any package related to RAID?
[root@www ~]# yum search raid
Loaded plugins: fastestmirror
Determining fastest mirrors               <== picks the fastest mirror
 * addons: ftp.twaren.net                <== one repository per line
 * base: ftp.twaren.net                  <== all of them are served from ftp.twaren.net
 * extras: ftp.twaren.net
 * updates: ftp.twaren.net
addons            | 951 B   00:00        <== downloads each repository's package list
base              | 2.1 kB  00:00
extras            | 2.1 kB  00:00
extras/primary_db | 187 kB  00:00
updates           | 1.9 kB  00:00
=============== Matched: raid ======================   <== the matches follow
....(omitted)....
lvm2.i386 : Userland logical volume management tools
mdadm.i386 : mdadm controls Linux md devices (software RAID arrays)
mkinitrd.i386 : Creates an initial ramdisk image for preloading modules.

# Example 2: from the list above, what is mdadm for?
[root@www ~]# yum info mdadm
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: ftp.twaren.net
 * base: ftp.twaren.net
 * extras: ftp.twaren.net
 * updates: ftp.twaren.net
Installed Packages                        <== this means the package is already installed
Name       : mdadm
Arch       : i386
Version    : 2.6.9
Release    : 3.el5
Size       : 1.8 M
Repo       : installed
Summary    : mdadm controls Linux md devices (software RAID arrays)
URL        : http://www.kernel.org/pub/linux/utils/raid/mdadm/
License    : GPL
....(omitted)....
yum uOӫܦnΪFAiHd߬O_YǯSnW١C|ҨӻAAiHQΩUӤ觋onW١G
MAHWܪkorAΪ̬Oy yum
list "nW" zNDӳn骺γ~A̫AMwnnw˰ڡIWdҤ@NObXϺа}CznC
pGTwnwˮɡANѦҰѦҩUy{aI
# Example 3: install a package, using mdadm as the example
[root@www ~]# yum install mdadm
....(omitted)....
Setting up Install Process
Package mdadm-2.6.9-3.el5.i386 already installed and latest version
Nothing to do
[root@www ~]# yum install mdadma
Setting up Install Process
No package mdadma available.
Nothing to do
JӪݤWzӫOAĤGӫOGNgrAnW٥ mdadm ܦ mdadma FIPǦpGrɩҿXTCѤWzTAiHDAP˵GOyNothing to dozAO yum |iDAӳnOyww (installed and lastest version)z٬OySӳn (No package mdadma avaliable)zC@oӽdҬOƱB̯ͭJӪݿXTաInաIڭ٬OӦwˤ@Ӥ˹LA N javacc oMnӸˬݬݦnFI
[root@www ~]# yum list javacc*
Available Packages
javacc.i386           4.0-3jpp.3    base
javacc-demo.i386      4.0-3jpp.3    base
javacc-manual.i386    4.0-3jpp.3    base
# three packages match: javacc, javacc-demo and javacc-manual, all version 4.0-3jpp.3,
# and all come from the repository named base

[root@www ~]# yum install javacc
....(omitted)....
Setting up Install Process
Resolving Dependencies
--> Running transaction check             <== starts checking for dependency problems
---> Package javacc.i386 0:4.0-3jpp.3 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=======================================================
 Package    Arch    Version       Repository    Size
=======================================================
Installing:
 javacc     i386    4.0-3jpp.3    base          850 k
Transaction Summary
=======================================================
Install      1 Package(s)                 <== summary: 1 package installed, 0 upgraded
Upgrade      0 Package(s)
Total download size: 850 k
Is this ok [y/N]: y
Downloading Packages:
javacc-4.0-3jpp.3.i386.rpm    | 850 kB   00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : javacc     1/1
Installed:
  javacc.i386 0:4.0-3jpp.3
Complete!
@IgL yum ڭ̥iHܻPNw˦n@ӳnAåBoӳnwgDʪڭ̰nۨݩʪJAFA uOKzIt~ACentOS 5.x w]pUAyum UưFCӮeYMɮפ~AҦU RPM ɮ׳|bw˧ᤩHRI o˧AtδN|eqQUƶzDCpGAQnU RPM ɮ~Odb /var/cache/yum ANonק /etc/yum.conf ]wɤFI
[root@www ~]# vim /etc/yum.conf
[main]
cachedir=/var/cache/yum
keepcache=1
debuglevel=2
logfile=/var/log/yum.log
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
WzSraN 0 令 1 Ao˴NA RPM ɮOsUӡCLADAnhDnsA
AQQΤ@x yum ɯťBUAMNҦ RPM ɮצ_ӵɯ (rpm -Fvh *.rpm) ~A
W vim קʧ@ijקI]A /var ȷ|QzڡIAI
OynsաzOHѩ RPM nN@ӤjMפnXӤppeӰACӤppeiHWߦwˡA o˪nBOiHϥΪ̻Pnoi̦wˤPҡI|ҨӻAڭ̨ϥ KDE ୱANO@Τ᪺ϥΦӤwA èSݭnb Linux Uw KDE oiuէaH KDE MpeNn@ϥ "KDE (K Desktop Environment)" εoi "KDE Software Development" ҡACӳnsդSthӤP RPM nɮסI o˰γ~OKϥΪ̦wˤ@MMװաI
tΦhֳnsթOHSӦp[Yӳnsզ֦ RPM ɮשOHڭ̴NQ KDE oӱMרӻ@UoG
# Example 4: how many package groups does the system have?
[root@www ~]# LANG=C yum grouplist
Installed Groups:                 <== groups that are already installed
   Administration Tools
   DNS Name Server
   Dialup Networking Support
   Editors
   FTP Server
....(omitted)....
Available Groups:                 <== groups that can still be installed
   Authoring and Publishing
   Base
   Beagle
   Cluster Storage
....(omitted)....
   KDE (K Desktop Environment)
   KDE Software Development
....(omitted)....

# Example 5: how many RPM packages does the group KDE (K Desktop Environment) contain?
[root@www ~]# yum groupinfo "KDE (K Desktop Environment)"
Group: KDE (K Desktop Environment)
 Description: KDE is a powerful graphical user interface which includes a panel, desktop, system icons, and a graphical file manager.
 Mandatory Packages:
   arts
   kdebase
 Default Packages:                <== the packages that will be installed by default
   desktop-printing
   im-chooser
   kdeaccessibility
   kdeaddons
....(omitted)....
 Optional Packages:               <== optional packages you may pick in addition
   kdeadmin

# if you are sure you want this group installed, do this:
[root@www ~]# yum groupinstall "KDE (K Desktop Environment)"
Qγoӡy yum groupinstall "nsզW" ziHA@fw˫ܦhnA
Ӥ߬YӳnѰOˤFIbOܤաӥBQ groupinfo \A]iHo{@ǤnơA
p@ӡAANiHKzA Linux tΤFAܤaI
ڭ̳DϥΡyyum updatezNiHin骺sCLAoܡH yum update ]iHiP@ɯųI|ҨӻAAiHq 5.5 ɯŨ 5.6 IӥBL{LhI N@nɯŦӤwAèSPIr֧aI
LApGAOQnqª CentOS 4.x ɯŨ 5.x ܡAiNonhOǥ\ҤFCԣn֩OH]AiwgǸƳ]wnAҥHQܧI ѹ껡AP (ex> 4.x --> 5.x) ɯų̦n٬OnհաIsw˥iO̦npC UCXžǶ骺eѪɯŤ觋AH CentOS xѪɯŤ觋AѦҰѦҡG
Question:
Set up a cron job so that CentOS updates itself automatically every day.
Answer:
You can use crontab -e, or edit /etc/crontab directly with vim. Because this update is a system-wide job, editing /etc/crontab is the usual choice. The entry looks roughly like this:

40 5 * * * root yum -y update && yum clean packages

This runs the update automatically every day at 5:40.
M yum OADsuW Internet NiHϥΪALAѩ CentOS Mgxi|A |ҨӻAڭ̦bxWAO CentOS MgxoܨFj_ʩΪ̬O饻hASioͰڡI ڡIоǤ譱N``oͳo˪DAnDAڭ̳sujΤ饻tOD`COIH MNOʪק@U yum ]wɴNnoI
bxWAx CentOS MgxDntPqjǡAӤntߡA Gstפ֡AӥBsxWdzN]D`ֳtI]AUijxWBͨϥΰtߪ ftp D귽ӧ@ yum AӷIثet߹ CentOS ҴѪ}pUG
pGAsWz}AN|o{̭@sAdzsNOo yum AҴѪeFI ҥHtߤ]ѤF addons, centosplus, extras, fasttrack, os, updates eA̦n{eNO os (tιw]n) P updates (nɯŪ) oIѩbڪեΥDOQ i386 A ] os AIihN|opUiѦw˪}G
bWz}OHSI̭nSNOӡy repodata zؿIӥؿNOR RPM nҲͪnݩʬ̸ۨƩmBI]AAneҦb}ɡA ̭nNOӺ}U@wnӦW repodata ؿsbINOe}FI LeT}ANЦUݭۦM@UI{bڭ̭ק]wɧaI
[root@www ~]# vim /etc/yum.repos.d/CentOS-Base.repo
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
pWҥܡAȦCX base oӮeeӤwALeeЦۦd\oIWƻݭn`NOG
Aѳoӳ]wɤAUڭ̭קɮתeAڭ̳oDiHϥΰtߪ귽aI ק諸觋ȦCX base oӮeئӤwALؽбzۦ̷ӤWz@kӳBzYiI
[root@www ~]# vim /etc/yum.repos.d/CentOS-Base.repo
[base]
name=CentOS-$releasever - Base
baseurl=http://ftp.twaren.net/Linux/CentOS/5/os/i386/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
# handle the other repository sections yourself after looking up their paths on the mirror
# note: the original file points gpgkey= at the key already installed under /etc/pki/rpm-gpg/;
# keeping that file:// reference means the signing key is never fetched over plain http
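The gpgcheck=1 line in the repository definition above is what makes yum verify each downloaded RPM's signature against the key named in gpgkey=; a section that turns it off, or omits it without a gpgcheck=1 default in the [main] section of /etc/yum.conf, lets unsigned packages from a mirror be installed as root. The following shell script is an added example, not code from the original tutorial: it scans a yum.conf or .repo style file and reports every section that would install packages without signature checks. The section names, the example.invalid URLs and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report yum repository
# sections that do not enforce GPG signature verification.
#
# Rules applied (mirroring yum's behaviour):
#   - gpgcheck=1 inside a [section] enables verification for that repo
#   - a repo section with no gpgcheck line inherits gpgcheck from [main]
#   - anything else (gpgcheck=0, or no setting anywhere) is reported

audit_repo_gpgcheck() {
    # $1: path to a yum.conf or .repo file
    # prints one offending section name per line; exit 1 if any were found
    awk '
        function flush() {
            if (section == "") return
            if (section == "main") { main_default = (state == 1); return }
            if (state == 0) state = -1          # no explicit setting: inherit later
            sections[++n] = section; states[n] = state
        }
        /^[[:space:]]*\[[^]]+\][[:space:]]*$/ {
            flush()
            section = $0
            sub(/^[[:space:]]*\[/, "", section); sub(/\].*$/, "", section)
            state = 0
            next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
            state = (v + 0 == 1) ? 1 : 2        # 1 = enforced, 2 = explicitly off
        }
        END {
            flush()
            for (i = 1; i <= n; i++) {
                ok = (states[i] == 1) || (states[i] == -1 && main_default)
                if (!ok) { print sections[i]; bad++ }
            }
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample .repo file: "base" is signed, "localtest" turns checking
# off, "extras" has no gpgcheck line and no [main] to inherit from.
make_sample_repo() {
    cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
baseurl=http://ftp.twaren.net/Linux/CentOS/5/os/i386/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

[localtest]
name=Unsigned test packages (constructed example)
baseurl=http://example.invalid/repo/
gpgcheck=0
enabled=1

[extras]
name=CentOS-$releasever - Extras
baseurl=http://example.invalid/extras/
EOF
}

# Constructed sample yum.conf: [main] sets the default, so [base] is fine.
make_sample_conf() {
    cat > "$1" <<'EOF'
[main]
cachedir=/var/cache/yum
keepcache=0
gpgcheck=1

[base]
name=CentOS base (constructed example)
baseurl=http://example.invalid/base/
EOF
}

# Demo when run directly: expect "localtest" and "extras" to be reported.
demo_repo_audit() {
    tmp=$(mktemp)
    make_sample_repo "$tmp"
    audit_repo_gpgcheck "$tmp" || echo "-> sections above install packages without signature checks"
    rm -f "$tmp"
}
demo_repo_audit
```

On a real host run it over the whole configuration, for example `for f in /etc/yum.conf /etc/yum.repos.d/*.repo; do audit_repo_gpgcheck "$f"; done`, and fix every section it prints before the next yum update.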
UӷMNOLդ@UoIpթOHAϥ yum YiڡI
# Example: list the repositories this yum configuration currently uses
[root@www ~]# yum repolist all
repo id        repo name                status
addons         CentOS-5 - Addons        enabled:     0
base           CentOS-5 - Base          enabled: 2,599
c5-media       CentOS-5 - Media         disabled
centosplus     CentOS-5 - Plus          disabled
contrib        CentOS-5 - Contrib       disabled
extras         CentOS-5 - Extras        enabled:   335
updates        CentOS-5 - Updates       enabled:   488
repolist: 3,422
# only the repositories marked enabled in the status column are used; because
# /etc/yum.repos.d/ holds several files, you will see other repositories listed too
ѩڭ̬Oקtιw]]wɡAƹWAڭӭnb /etc/yum.repos.d/ Usؤ@ɮסA ӰɦWO .repo ~I]ڭ̨ϥΪOwSwMgxAӤOLn}oʹѪeA ]~קtιw]]wɡCOiѩϥΪes¤AAonDA yum |UeM쥻 /var/cache/yum ̭hIڭ̭קF}oSקeW (r)A iN|yMP yum AM椣PBAɴN|X{LksDFI
ڡH²ANMW¸ƧYiIݭnʳBzܡHݭnA zL yum clean بӳBzYiI
[root@www ~]# yum clean [packages|headers|all]
Options and arguments:
packages : delete the downloaded package files
headers  : delete the downloaded headers
all      : delete all cached data, package lists included
# Example: remove everything downloaded so far (metadata included)
[root@www ~]# yum clean all
Question:
There is a site at http://free.nchc.org.tw/drbl-core/i386/RPMS.drbl-stable/ that holds free software developed at NCHC (Taiwan's National Center for High-performance Computing).
Configure your system so that it can install software from that site automatically with yum.
Answer:
Because http://free.nchc.org.tw/drbl-core/i386/RPMS.drbl-stable/ contains a repodata/ directory, that URL can be used as a yum repository: create a new file under /etc/yum.repos.d/ with a name ending in .repo, containing its own [section] with a baseurl= that points at that URL.
ڭ̪D|^W@ǭnDʥ]OHҦpڭ̳]wF@ WWW DAӦ Internet WWW
nDɡAڭ̪DN|H^AoO]ڭ̪DҥΤF WWW ťfڡIҥHAڭ̱ҥΤF@ daemon
ɡANi|yDfbiťʧ@Aɸ daemon NOwgWѪAȤFIU@o
daemon {|}A]LѤF Internet AȡAҥHNeQ Internet W cracker
ҧFIҥHAJӪˬdۤvtΤWf쩳}Fh֭ӡAåBHY檺zA~CQiʰڡI
걼FIpҰʤ@ӺAȡAoӪAȷ|̾ TCP/IP qTwҰʤ@ӰfbiťA NO TCP/UDP ʥ] port (f) FCڭ̱qĤG]DsuOVAAݱonҰʤ@ӺťfA ΤݱonHҰʤ@Ӱfӱ^Ƥ~CAݪAȬO_ݭnҰʦbTwfH ΤݪfO_SOTwOHڭ̱NĤGP port ƵoJ@UG
nFAڭ̲{bDo port OFFAAӴNOnAѤ@UAڭ̪D쩳O}Fh֪ port OHѩ port ҰʻPAȦAyAȡzy port zɮO@ӡHA@IOy /etc/services zաIӱ`Ψ[ port hUӵ{G
LjYIϥ nmap |HkHѩ nmap \ӱjjFAҥHܦh cracker |HLӰOHDAoӮɭԴNiyHkաIunAϥ nmap ɭԤnhOHqDAN|DաIUڭ̤Oӻ@o_aI
bA Linux tΤA}ҪAȶVֶVnI ]֪AȥiHe (debug) PAѦw|}AåiקKnJIDI ҥHAoӮɭԽAѤ@UztηSǪAȳQ}ҤFOH nAѦۤvtηAȶءA²KkNOϥ netstat FIoӪF褣²AӥB\]OܤC oӫOϥΤkb Linux `κ\OзLFA Uڭ̶ȴѦpϥγoӤu㪺koI
[root@www ~]# netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address       Foreign Address     State
tcp        0      0 127.0.0.1:2208      0.0.0.0:*           LISTEN
tcp        0      0 127.0.0.1:631       0.0.0.0:*           LISTEN
tcp        0      0 127.0.0.1:25        0.0.0.0:*           LISTEN
tcp        0      0 :::22               :::*                LISTEN
udp        0      0 0.0.0.0:111         0.0.0.0:*
udp        0      0 0.0.0.0:631         0.0.0.0:*
[root@www ~]# netstat -tun
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address          State
tcp        0    132 192.168.1.11:22        192.168.201.101:2896     ESTABLISHED
[root@www ~]# netstat -tunp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address          State        PID/Program name
tcp        0    148 192.168.1.11:22        192.168.201.101:2896     ESTABLISHED  2549/sshd
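The listings above mix sockets that only serve the local machine (bound to 127.0.0.1) with ones that any host can reach (bound to 0.0.0.0 or ::); it is the second group that matters for an exposure review. The script below is an added example, not code from the original tutorial: it reads `netstat -tunlp` output and prints only the externally reachable listeners with the owning program. The sample listing it embeds is constructed in the CentOS 5 output format; the ports are the ones shown on this page, but the PID/program pairs not shown on the page are made up.

```shell
#!/bin/sh
# Added example (not from the original tutorial): read `netstat -tunlp`
# output and list the listening sockets that other hosts can reach, i.e.
# those bound to the wildcard address (0.0.0.0 for IPv4, :: for IPv6).
# Sockets bound to 127.0.0.1 / ::1 only serve the local machine and are
# left out.

exposed_listeners() {
    # stdin: netstat -tunlp output; stdout: "proto port program" per socket
    awk '
        $1 ~ /^(tcp|udp)6?$/ && ($1 ~ /^udp/ || $6 == "LISTEN") {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::") {
                # TCP rows carry a State column, UDP rows do not
                prog = ($1 ~ /^udp/) ? $6 : $7
                sub(/^[0-9]+\//, "", prog)       # "2549/sshd" -> "sshd"
                print $1, port, (prog == "" ? "-" : prog)
            }
        }'
}

# Constructed sample in the format netstat -tunlp prints on CentOS 5.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address       Foreign Address     State    PID/Program name
tcp        0      0 127.0.0.1:2208      0.0.0.0:*           LISTEN   2119/hpiod
tcp        0      0 127.0.0.1:631       0.0.0.0:*           LISTEN   2058/cupsd
tcp        0      0 127.0.0.1:25        0.0.0.0:*           LISTEN   2274/sendmail
tcp        0      0 :::22               :::*                LISTEN   2549/sshd
udp        0      0 0.0.0.0:111         0.0.0.0:*                    2115/portmap
udp        0      0 0.0.0.0:631         0.0.0.0:*                    2058/cupsd
EOF
}

# Demo: on a live host replace sample_netstat with `netstat -tunlp`
# (run as root, otherwise the PID/Program column is mostly "-").
sample_netstat | exposed_listeners
```

Each line it prints is a service that deserves the question asked later on this page: is it needed, and if not, which init script stops it and keeps it from starting at boot.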
[root@www ~]# kill -9 2549
pGAn]ƨèSiAnJ@~tήɡAӫH|ҨӻAAQnAѤ@UqLO_}YǨwɡA ӦpBzڡH{bAD netstat iHΨӬd\W\hťqTwA ҦpLo˪D]ơAnpd߰ڡHI nmap NFI
nmap (1)n黡W٬GyNetwork exploration tool and security / port scannerzAUWqA oӪFOQtκzΨӺztΦwʬd֪uILyz]FA nmap iHgѵ{ۦwqX port ơAӬdX port AȬAҥHڭ̤]iHǦAѧڭ̥D port 쩳OFΪIb CentOS YO nmap A pGASwˡANϥ yum hw˥LaI
[root@www ~]# nmap [scan type] [scan parameters] [hosts address or range]
Options and arguments:
[scan type]: the main types are:
  -sT : scan TCP ports using a full connect() handshake
  -sS : scan TCP ports using only SYN packets (half-open)
  -sP : ping scan; only checks which hosts are up
  -sU : scan UDP ports
  -sO : probe which IP protocols the host supports
[scan parameters]: commonly:
  -PT : use a TCP "ping" to decide whether a host is up (gets past hosts that drop ICMP)
  -PI : use a real ICMP echo ping
  -p  : port range, e.g. 1024-, 80-1023, 30000-60000
[hosts address or range]: several forms are accepted:
  192.168.1.100                 : a single host IP
  192.168.1.0/24                : a whole C-class network
  192.168.*.*                   : a whole B-class network; a very wide range!
  192.168.1.0-50,60-100,103,200 : a mixed list of ranges; very handy

# Example 1: scan the local host with the default parameters (TCP only)
[root@www ~]# nmap localhost
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp
# by default nmap only scans TCP ports
nmap Ϊk²oINbO᭱W IP Ϊ̬ODW٧YiCLAbw]pU nmap ȷ|AR TCP oӳqTwӤwAWoӨҤlXGCuIOD]N}ҸӰfAȤ]CXӤFA uOnI ^_^IpGQnPɤR TCP/UDP oӱ`qTwOHiHo˰G
# Example 2: scan both TCP and UDP ports at once
[root@www ~]# nmap -sTU localhost
PORT    STATE         SERVICE
22/tcp  open          ssh
25/tcp  open          smtp
111/tcp open          rpcbind
631/tcp open          ipp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered unknown
KKIPedҤ@UAA|o{ohFX UDP fAoˤRnhFIMA pGAQnAѤ@U쩳XDbAɡAhiHo˰G
# Example 3: use ICMP packets to find out which hosts on the network are up
[root@www ~]# nmap -sP 192.168.1.0/24
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-09-15 00:30 CST
Host www.centos.vbird (192.168.1.11) appears to be up.
Host 192.168.1.254 appears to be up.
MAC Address: 00:0C:6E:85:D5:69 (Asustek Computer)
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.596 seconds
ݨ_HҷⳡDۧoIåB IP ҹ MAC ]|QOUӡA ܤaIpGAٷQnNUӥDҰʪ port @@fܡANonϥΡG
[root@www ~]# nmap 192.168.1.0/24
AN|ݨ@ port number QXùWopGQnHɰOӺqDO_p߶}FYǪAȡA KKIQ nmap tXƬyɦV (>, >> ) ӿXɮסA HɥiHxzϰCDAȱҰʪpڡI ^_^
ЯSOdNAo nmap \۷jjA]O]pAҥHܦhbmߪ«ȷ|ϥγoӳnӰOHqC oӮɭԽбzSOdNAثeܦhHwgySO觋zӶinu@IҦpH TCP_Wrappers (/etc/hosts.allow, /etc/hosts.deny) \ӰOgL port IPI oӳnΨӡyۤvwʡzOܤ@ӤuAOpGΨӰOHDA iO|yYWxqzISOdNII
qĤGƧڭ̴NDA port OѰYdzn𫗪QnҰʪCҥHnY port
ɡANNYӵ{LNOFIkAMiHϥ
killALoOΪѨMDA] kill
oӫOq`㦳jYǵ{\Aڭ̷Qn`ӵ{ڡI
ҥHANQΨtεڭ̪ script NnFڡC
bPɡAڭ̴NoAӵyLƲߤ@UA@DzΪAȦXH
ڭ̦b¦Dz߽gͨAb@륿` Linux tҤUAAȪҰʻPzDnؤ觋G
ԲӪAȻAаѦҰ¦g{ѪA@A bo̤AحzCnApGڷQnNڨtΤW port 631 ܡA ӦpOH²檺@kNOX port 631 Ұʵ{I
[root@www ~]# netstat -tnlp | grep 631
tcp        0      0 127.0.0.1:631       0.0.0.0:*           LISTEN   2058/cupsd
# so the listener is the cupsd daemon
[root@www ~]# which cupsd
/usr/sbin/cupsd
# ask rpm which package owns that file
[root@www ~]# rpm -qf /usr/sbin/cupsd
cups-1.3.7-18.el5_5.4
# it is the cups package; its init script is among the package's configuration files
[root@www ~]# rpm -qc cups | grep init
/etc/rc.d/init.d/cups
[root@www ~]# /etc/init.d/cups stop
zLWoӤRy{AAiHQΨtδѪܦhKuӹFYӪAȪI ԣo·СHOQ kill -9 2058 NiHRӪAȤFܡH OSաILAADӪAȬOԣΪܡHADNLAAtη|XDܡH pGDܡAQΤWy{NiHXӪAȮMAAQ rpm dߥ\A NDӪAȪ@ΤFHҥHAoӤ觋٬Oz|UաI Uбzյ۱Nz CentOS Ϊ̬OL Linux Telnet }լݬݡC
Question:
The telnet service is normally managed by the super daemon; try to start the telnet service on your system.
Answer:
WY@kȬOyߧYNӪAȱҰʩzIä|vTU}ɡAoӪAȬO_w]ҰʪpC pGAQnb}ɭԴNҰʩΤҰʬYAȮɡANonAѤ@U¦Dz߽g̭ͨ쪺}y{zeաIb Unix like tηڭ̳OzL run level ӳ]wYǰ浥ŻݭnҰʪAȡAH Red Hat tΨӻAo run level ҰʪƳOmb /etc/rc.d/rc[0-6].d/ ̭ApzӥؿU script OHʳBzܡH|ƱoIҥHAnx chkconfig Red Hat tΪ ntsysv oXӫO~I
oXӫOܡHoӮɭԳoFGy man ΪݥΡAݵL man Ŧ۲qzL man UhաI
Question:
(1) How do you check whether the portmap service is started at boot? (2) If it is, how do you change it so that it is no longer started at boot?
(3) How do you stop the portmap service immediately?
Answer:
oA@w|ݻGyAANOunNtΩҦAȳAtδN|woHz M....OI]yܦhtΪAȬOnsbA_htαN|XDz |ҨӻAӫOtΥiH㦳u@Ƶ{ crond AȴN@wnsbAӨӰOtΪp syslogd ]Mnsb_h窾DtΥXFԣDHҥHoADADCӪAȪتOԣA_hnHKӪAȡC UCXXӱ`nsbtΪAȵjaѦҰѦҥIoǪAȽФnڡI
Service | Purpose |
acpid | Power management (ACPI) daemon; normally left enabled, but some old hardware does not support it and then it has to be off |
atd | Runs one-off jobs queued with the at command; should be enabled |
crond | Runs the cron scheduled jobs; must be enabled |
haldaemon | Hardware abstraction layer daemon; detects hardware changes such as USB devices |
iptables | The Linux firewall; should be enabled |
network | Networking itself; obviously required |
sendmail | Local mail delivery; do not disable it casually |
sshd | Started by default; lets you log in from a remote client |
syslog | System logging; very important, must be enabled |
xinetd | The super daemon; should be enabled |
xfs | X Window font server; required if you use X Window |
WCXODݭnIAȡAбznLIDAD@F|GC|ҨӻAApGݭn X window A N xfs ]SYڡIpGAݭnѻݳsu\A sshd ]iHڡILADAȫH SYAunOAȡAAiHOdLIpGOAȩOH...ijADAȴNLI Hڭ̽ͨCӬAȮɡAA@Ӥ@ӥ}YiCUڭ̴NӰ@ݳoӳI
ڭ̪ Linux distribution ܦnߪϥΪ̷QܦhFAҥHb@w˧A tη|}Ҥ@靈SAȡAҦp portmap NNAHκL cups AȵA oǪFAγ\Dγ\DALLNO}ҡڭ̪DNOΨӰAA ҥHoǥӹwpn client ϥΪAȨ꦳Iyh@|zPı ҥHաAЧANLaIUڭ|²檺ҤlӳBzANAANnALbtΤAȡA NȮɫOdaI
Question:
List the services currently running on the system, together with the startup scripts that start them (by their file names in /etc/init.d).
Answer:
To list the running services, use netstat -tunlp.

After going through the example above, running netstat -tlunp again shows only ports 25 and 22. The services that are not needed are now stopped, and they will not be started again after a reboot either.
SELinux ϥΩҿתes (Mandatory Access Control, MAC) ALiHwSw{ǻPSwɮ귽ӶivޡI ]NOAYϧAO root AbϥΤP{ǮɡAAүovä@wO root Aӱonݷɸӵ{Ǫ]wөwC p@ӡAڭ̰wﱱyDzܦFy{ǡzӤOyϥΪ̡zI]AovzҦNSOAXAȪy{ǡzFI ]AYϧA{Ǩϥ root hҰʡApGoӵ{dzQӳQoާ@vAӵ{ǯ@Ʊ٬OA ]Q SELinux Fi檺u@FI
|ҨӻA WWW An骺F{Ǭ httpd o{A ӹw]pUA httpd ȯb /var/www/ oӥؿUsɮסApG
httpd oӵ{ǷQnLؿhsƮɡAFWh]wn}~AؼХؿ]on]w httpd iŪҦ (type)
~ID`hI ҥHAYϤp httpd Q cracker oFvAL]Lvs /etc/shadow n]wɳI
Aƻ@UASELinux OzL MAC 觋ӱ{ǡALDO{ǡA ӥؼЫhOӵ{ǯ_Ūyɮ귽zIҥHӻ@UoǩNNʰաI
WϪIbyDzpoyؼСz귽svI
ѤWϧڭ̥iHo{A(1)D{ǥnqL SELinux FWhANiHPؼи귽iwʥ媺A
(2)Y異ѫhLksؼСAY令\hiH}lsؼCDOA̲ׯ_sؼ٬OPɮרtΪ rwx
v]wIp@ӡA[JF SELinux AX{vŪpɡAANon@B@BRiDFI
CentOS 5.x target Fwgڭ̨qnD`hWhFA]AunDp}/YWhP_YiC Ӧwʥ·СI]Aiݭnۦ]wɮתwʥOIݭnۦ]wڡH |ҨӻAA]``iɮת rwx s]wܡHowʥANNLQ SELinux ƪ rwx NOFIoˤnzѰաC
wʥsbD{ǤPؼɮ귽C{ǦbO馎AҥHwʥiHsJOSDC ɮתwʥOOb̩OHƹWAwʥOmɮת inode A]D{ǷQnŪؼɮ귽ɡAP˻ݭnŪ inode A o inode NiHwʥH rwx vȬO_TAӵAŪv̾ڡC
wʥ쩳O˪sbOHڭ̥Ӭݬ /root UɮתwʥnFC [wʥiϥΡy ls -Z zh[pUG(`NGAwgҰʤF SELinux ~IY|ҰʡAoеyLݹL@MYiCU|ЦpҰ SELinux I)
[root@www ~]# ls -Z
drwxr-xr-x  root root root:object_r:user_home_t  Desktop
-rw-r--r--  root root root:object_r:user_home_t  install.log
-rw-r--r--  root root root:object_r:user_home_t  install.log.syslog
# the field with the colons is the security context
pWҥܡAwʥDnΫ_TAoT쪺NqG
identity:role:type
oTpQΩOHڭ̨@@D{ǦboT쪺NqIzLѧOP쪺wqA ڭ̥iHDYӵ{ǩҥNNqIWAoǹƦb targeted FUpUG
Identity | Role in the targeted policy | Meaning |
root | system_r | The context root gets when logging in |
system_u | system_r | System accounts; mostly processes started by the system itself |
user_u | system_r | Processes started by ordinary logged-in users |
NpWҭzA̭nOADPؼФO_㦳iHŪgvAP{Ǫ domain ɮת type Io̪Yڭ̥iHϥιF WWW A\ httpd o{P /var/www/html oӺmؿӻC AݬݳoөNNwʥ夺eG
[root@www ~]# ll -Zd /usr/sbin/httpd /var/www/html
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t         /usr/sbin/httpd
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t  /var/www/html
# both roles are object_r, i.e. these are files; httpd has the type httpd_exec_t,
# /var/www/html has the type httpd_sys_content_t
httpd ݩ httpd_exec_t oӥiH檺A /var/www/html hݩ httpd_sys_content_t oӥiH httpd (domain) ŪCrݰ_ӤӮeAѧaIڭ̨ϥιϥܨӻo̪YI
WϪNqڭ̥iHoˬݪG
Wzy{iDڭ̴XӭIAĤ@ӬOFݭnqԲӪ domain/type ʡFĤGӬOYɮת type ]w~A Yv]w rwx } 777 AӥD{Ǥ]LkŪؼɮ귽աILp@ӡA ]NiHקKϥΪ̱NLaؿ]w 777 ɩҳyvxZC
ëDҦ Linux distributions 䴩 SELinux AҥHAn[@UAtΪI o̤Ъ CentOS 5.x N䴩 SELinux աIҥHAݭnۦsĶ SELinux A Linux ֤ߤI ثe SELinux 䴩TؼҦAOpUG
ADثe SELinux ҦOHNzL getenforce aI
[root@www ~]# getenforce
Enforcing        <== prints the current mode, here Enforcing
t~Aڭ̤SpD SELinux F (Policy) OHoɥiH[]wɰաG
[root@www ~]# vim /etc/selinux/config
SELINUX=enforcing        <== one of enforcing|disabled|permissive
SELINUXTYPE=targeted     <== currently only targeted and strict are available
WOw]FPҰʪҦIAn`NOApGܤFFhݭns}FpG enforcing permissive 令 disabled AΥ disabled 令LӡA]ns}CoO] SELinux OX֤߸̭hA AuiHb SELinux B@Uj (enforcing) μee (permissive) ҦA SELinux I pGAo{ getenforce X{ disabled ɡAШWzɮק令 enforcing M᭫s}aI
LAn`NOApGq disable Ұ SELinux ҦɡA ѩtΥnwɮgJwʥ媺TA]}L{|O֮ɶbݭsgJ SELinux wʥ (ɤ]٬ SELinux Label) AӥBbgٱonAs}@IAnݯ@qɶI U}\AAϥ getenforce [ݬݦ_\Ұʨ Enforcing ҦoI
pGAwgb Enforcing ҦAOiѩ@dz]wDɭP SELinux YǪAȵLk`B@A ɧAiHN Enforcing Ҧאּee (permissive) ҦA SELinux u|ĵiLkQsuTA ӤOץD{ǪŪvC SELinux Ҧb enforcing P permissive kG
[root@www ~]# setenforce [0|1]
Options and arguments:
0 : switch to permissive mode
1 : switch to Enforcing mode
# Example 1: switch SELinux between Enforcing and permissive and check the result
[root@www ~]# setenforce 0
[root@www ~]# getenforce
Permissive
[root@www ~]# setenforce 1
[root@www ~]# getenforce
Enforcing
LЪ`NA setenforce Lkb Disabled ҦUiҦI
JM SELinux (type) onApקPܧoAMNO̭n@oC Aڭ̨ӬݬݦpGƻs@ɮר줣PؿhA|oͤpaI
# Example: copy /etc/hosts into root's home directory and watch the SELinux type change
[root@www ~]# cp /etc/hosts /root
[root@www ~]# ls -dZ /etc/hosts /root/hosts /root
-rw-r--r--  root root system_u:object_r:etc_t           /etc/hosts
drwxr-x---  root root root:object_r:user_home_dir_t     /root
-rw-r--r--  root root root:object_r:user_home_t         /root/hosts
# Example: move /root/hosts to /tmp and watch the SELinux type
[root@www ~]# mv /root/hosts /tmp
[root@www ~]# ls -dZ /tmp /tmp/hosts
drwxrwxrwt  root root system_u:object_r:tmp_t           /tmp
-rw-r--r--  root root root:object_r:user_home_t         /tmp/hosts
ݨSHAªƻsɡASELinux type O|~ӥؼХؿAҥH /root/hosts N|ܦ user_home_t oFCOpGOʩOHsP SELinux ]|QʹLhA] /tmp/hosts |«O user_home_t Ӥ|ܦ /tmp tmp_t oIn`NIn`NIApN /tmp/hosts ܧ̭l etc_t oOHNonϥ chcon oI
[root@www ~]# chcon [-R] [-t type] [-u user] [-r role] file
[root@www ~]# chcon [-R] --reference=example_file file
Options and arguments:
-R  : recurse, so the files under a directory are changed too
-t  : the type to set, e.g. httpd_sys_content_t
-u  : the identity to set, e.g. system_u
-r  : the role to set, e.g. system_r
--reference=example_file : copy the context of another file
# Example: change the type of /tmp/hosts to etc_t
[root@www ~]# chcon -t etc_t /tmp/hosts
[root@www ~]# ll -Z /tmp/hosts
-rw-r--r--  root root root:object_r:etc_t  /tmp/hosts
# Example: give /tmp/hosts the same context as /var/spool/mail/
[root@www ~]# ll -dZ /var/spool/mail
drwxrwxr-x  root mail system_u:object_r:mail_spool_t  /var/spool/mail
[root@www ~]# chcon --reference=/var/spool/mail /tmp/hosts
[root@www ~]# ll -Z /tmp/hosts
-rw-r--r--  root root system_u:object_r:mail_spool_t  /tmp/hosts
chcon ק觋Aڭ̥nD̲קڭ̪ SELinux type OԣA~ܧ\C pGAQn@Oy_즨즳 SELinux typezOHiHѦҩUOӶiI
[root@www ~]# restorecon [-Rv] file_or_directory
Options and arguments:
-R : recurse into directories
-v : print what is being changed
# Example: move /tmp/hosts to /root and reset it to the default context
[root@www ~]# mv /tmp/hosts /root
[root@www ~]# ll -Z /root/hosts
-rw-r--r--  root root system_u:object_r:mail_spool_t  /root/hosts
[root@www ~]# restorecon -Rv /root
restorecon reset /root/hosts context system_u:object_r:mail_spool_t:s0->root:object_r:user_home_t:s0
# the last line shows hosts being relabeled from mail_spool_t back to user_home_t
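The cp and mv examples above show the practical problem: a file moved into a directory keeps the type of where it came from, and only the third field of the context (the type) decides what a confined process such as httpd may read. The script below is an added example, not code from the original tutorial: it extracts the type from a context string and, given `ls -Z` output in the CentOS 5 layout shown on this page (mode, user, group, context, name), lists the entries whose type differs from what the directory should hold, which is exactly what restorecon would then fix. The listing it embeds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): pick the SELinux type out
# of a security context and flag files whose type does not match what the
# directory is supposed to hold.  This is the check to run after an mv into
# /var/www/html, where a file keeps its old user_home_t type.

context_type() {
    # $1: a context such as system_u:object_r:httpd_sys_content_t:s0
    # prints the third field, the type, which is what targeted policy decides on
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

find_mislabeled() {
    # $1: the type every entry should have
    # stdin: `ls -Z` lines in the CentOS 5 layout (mode user group context name)
    # stdout: "name actual_type" for each entry with a different type
    awk -v want="$1" '
        NF >= 5 && $4 ~ /^[^:]+:[^:]+:[^:]+/ {
            split($4, c, ":")
            name = $5
            for (i = 6; i <= NF; i++) name = name " " $i   # names containing spaces
            if (c[3] != want) print name, c[3]
        }'
}

# Constructed `ls -Z /var/www/html` listing: about.html was moved in with mv
# and kept the user_home_t type of its origin.
sample_ls_z() {
    cat <<'EOF'
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t index.html
-rw-r--r--  root root root:object_r:user_home_t            about.html
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t images
EOF
}

# Demo: on a live host use `ls -Z /var/www/html | find_mislabeled httpd_sys_content_t`
# and fix whatever it reports with restorecon -Rv /var/www/html.
sample_ls_z | find_mislabeled httpd_sys_content_t
```

The expected type to pass in is the directory's default context, which `semanage fcontext -l` reports as described later in this section.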
zLWoXӽmߡAAN|DաASELinux type ȷ|bɮתƻs/ʮɲͤ@ܤơA]ݭn chcon, restorecon OӶiqCA٬O|Q@ơANOA restorecon |DCӥؿOw] SELinux type OHoO]tΦOIOb /etc/selinux/targeted/contextsAOӥؿܦhPơA nϥΤrs边hd\ܳ·СAɡAڭ̥iHzL semanage oӫO\ӬdPקI
[root@www ~]# semanage {login|user|port|interface|fcontext|translation} -l
[root@www ~]# semanage fcontext -{a|d|m} [-frst] file_spec
Options and arguments:
fcontext : manage file contexts; the actions are
   -l : list
   -a : add; lets you define the default context for some directory
   -m : modify
   -d : delete
# Example: query the default security context of /var/www/
[root@www ~]# semanage fcontext -l | grep '/var/www'
SELinux fcontext                 type        Context
/var/www(/.*)?                   all files   system_u:object_r:httpd_sys_content_t:s0
....(omitted)....
qWAڭ̪D semanage iHBzD`hȡALAboӤp`ڭ̥DnQAѪOCӥؿw]wʥC pWdҩҥܡAڭ̥iHdߪCӥؿwʥաIӥؿ]wiHϥWܪkhw@ӽdCpGڭ̷QnW[YǦۭqؿwʥOH |ҨӻAڷQnq /srv/vbird public_content_t ɡAӦpwOH
# Example: use semanage to make public_content_t the default context of /srv/vbird
[root@www ~]# mkdir /srv/vbird
[root@www ~]# ll -Zd /srv/vbird
drwxr-xr-x  root root root:object_r:var_t  /srv/vbird
# as shown, the default here is var_t
[root@www ~]# semanage fcontext -l | grep '/srv'
/srv/.*                          all files   system_u:object_r:var_t:s0    <== this one
/srv/([^/]*/)?ftp(/.*)?          all files   system_u:object_r:public_content_t:s0
....(omitted)....
# these are the defaults below /srv; nothing is defined for /srv/vbird itself
[root@www ~]# semanage fcontext -a -t public_content_t "/srv/vbird(/.*)?"
[root@www ~]# semanage fcontext -l | grep '/srv/vbird'
/srv/vbird(/.*)?                 all files   system_u:object_r:public_content_t:s0
[root@www ~]# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Please use the semanage command to make changes
/srv/vbird(/.*)?    system_u:object_r:public_content_t:s0
# the rule has been written into this file
[root@www ~]# restorecon -Rv /srv/vbird*    <== reset to the (new) default
[root@www ~]# ll -Zd /srv/vbird
drwxr-xr-x  root root system_u:object_r:public_content_t  /srv/vbird
# once the default is defined, restorecon alone applies the right context
semanage \ܦhALDnΨ쪺Ȧ fcontext oӶتʧ@ӤwCpWҥܡA AiHϥ semanage ӬdߩҦؿw]ȡA]ϥΥLӼW[w]Ȫ]wIpGzǷ|oǰ¦uA SELinux AӻA]ONNoI
eAnqL SELinux Ҥ~}lɮv rwx P_A SELinux P_DnO (1)FWhP
(2){ǻPɮת SELinux type nŦX~Ce@Ӥp`ͪO SELinux type AoӤp`NOnͤ@UFWhoA
]ApdPקWhP_oC
CentOS 5.x w]Ϩϥ targeted FAoӬFѦh֬WhOHɥiHzL seinfo Ӭd߳I
[root@www ~]# seinfo [-Atrub]
Options and arguments:
-A : list SELinux status, rule counts, identities, roles, types and booleans
-t : list all SELinux types
-r : list all SELinux roles
-u : list all SELinux identities (users)
-b : list all rule booleans
# Example 1: statistics of the policy currently loaded
[root@www ~]# seinfo
Statistics for policy file: /etc/selinux/targeted/policy/policy.21
Policy Version & Type: v.21 (binary, MLS)    <== where the policy file lives and its version
   Classes:          61    Permissions:     220
   Types:          1831    Attributes:      214
   Users:             3    Roles:             6
   Booleans:        263    Cond. Expr.:     246
   Sensitivities:     1    Categories:     1024
   Allow:        128513    Neverallow:        0
   Auditallow:       42    Dontaudit:      7215
   Role allow:        5    Role trans:        0
....(omitted)....
# the policy is targeted; it defines 1831 SELinux types and 263 booleans
# Example 2: which booleans relate to httpd?
[root@www ~]# seinfo -b | grep httpd
Rule loading disabled
Conditional Booleans: 263
   allow_httpd_mod_auth_pam
   allow_httpd_bugzilla_script_anon_write
   httpd_enable_ftp_server
....(omitted)....
# there are quite a few booleans for httpd
qWڭ̥iHݨP httpd LȡAP˪ApGAQn즳 httpd r˪wʥOɡA NiHϥΡy seinfo -t | grep httpd zӬdߤFIpGdߨOΪ̬OLȫAQnDԲӪWhɡA Nonϥ sesearch oӫOFI
[root@www ~]# sesearch [-a] [-s subject_type] [-t target_type] [-b boolean]
Options and arguments:
-a : list all rules and boolean information
-t : the type to search for, e.g. -t httpd_t
-b : the boolean to search for, e.g. -b httpd_enable_ftp_server
# Example 1: find the rules whose target type is httpd_sys_content_t
[root@www ~]# sesearch -a -t httpd_sys_content_t
Found 95 av rules:
   allow rpm_t httpd_sys_content_t : file { ioctl read write ... };
   allow semanage_t httpd_sys_content_t : file { ioctl read ... };
   allow rpm_t httpd_sys_content_t : dir { ioctl read write ... };
....(omitted)....
# each rule reads "allow subject_type target_type : class { permissions }":
# which subject (process) types may access this target type, and how
# Example 2: rules whose subject is httpd_t and whose target is any httpd type
[root@www ~]# sesearch -s httpd_t -t httpd_* -a
Found 205 av rules:
....(omitted)....
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search };
   allow httpd_t httpd_sys_content_t : lnk_file { ioctl read getattr lock };
....(omitted)....
# so a process of type httpd_t may read files of type httpd_sys_content_t
AiHܻdߨYӥD{ (subject) iHŪؼɮ귽 (Object) A qڭ̤WmߡAڭ̤]iHܻPNDA httpd_t iHŪ httpd_sys_content_t oI pGOLȩOH̭SWdFHڭ̨ӬݬݥG
# Example 3: which rules does the boolean httpd_enable_homedirs control?
[root@www ~]# sesearch -b httpd_enable_homedirs -a
Found 21 av rules:
   allow httpd_suexec_t user_home_dir_t : dir { getattr search };
   allow httpd_suexec_t cifs_t : file { ioctl read getattr ... };
   allow httpd_suexec_t cifs_t : dir { ioctl read getattr ... };
....(omitted)....
qoӥLȪ]wڭ̥iHݨ̭WdFD`hD{ǻPؼɮ귽P_I
ҥHADFAڳWdodzWhANOLȪذաI]NOڭ̤eһ@WhO]I
AD{ǯ_YǥؼɮisAPoӥLȫD`YI]LȥiHNWh]wҰ (1)
Ϊ̬O (0) աI
Wڭ̳zL sesearch DFA Subject P Object _svAOPLȦA tΦh֥LȥiHzL seinfo -b ӬdߡAACӥLȬOҰʪ٬OOHoNӬd߬ݬݧaG
[root@www ~]# getsebool [-a] [boolean]
Options and arguments:
-a : list every boolean on the system and whether it is on or off
# Example 1: list the state of all booleans
[root@www ~]# getsebool -a
NetworkManager_disable_trans --> off
aisexec_disable_trans --> off
allow_console_login --> off
....(omitted)....
# this tells you the current value of every boolean
pGdߨYӥLȡAåBH sesearch DӥLȪγ~AQnαҰʥLASӦpBmH
[root@www ~]# setsebool [-P] boolean=[0|1]
Options and arguments:
-P : also write the value into the policy so that it survives a reboot
# Example 1: check httpd_enable_homedirs; if it is on, turn it off
[root@www ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on        <== it is on; turn it off
[root@www ~]# setsebool -P httpd_enable_homedirs=0
[root@www ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off
o setsebool ̦nOo@wn[W -P ﶵI]oˤ~N]wgJ]wɡI oOD`ΪuաIA@wnDpϥ getsebool P setsebool ~I
WzO\AרO setsebool, chcon, restorecon AOFAYǺAȵLk`Ѭ\ɡA
~ݭniק諸@ǫOʧ@COAڭ̫DӮɭԤ~ݭnioǫOקڡHڭ̫DtΦ] SELinux
DɭPAȤlڡHpGnaΤݳsuѤ~ӭDA]ӨSIJvFIҥHAڭ̪ CentOS 5.x
Ѥ@䰻AȦbn SELinux ͪ~INO setroubleshoot C
XGҦ SELinux {|H se }YAoӪAȤ]OH se }YI troubleshoot jaDO~JAA ]o setroubleshoot ۵MNonҰʥLաIoӪAȷ|N SELinux ~TPJAkO /var/log/messages YAҥHA@wonҰʳoӪAȤ~nCҰʳoӪAȤeMNOonw˥աIoN`@ݭnӳnAOO setroublshoot P setroubleshoot-serverApGASwˡAЦۦϥ yum w˧aI pb}ɭԴNҰ setroubleshoot OHo˳BzG
[root@www ~]# chkconfig --list setroubleshoot
setroubleshoot  0:off  1:off  2:off  3:on  4:on  5:on  6:off
# this Linux runs in run level 3 or 5, so those two must be on
[root@www ~]# chkconfig setroubleshoot on
# chkconfig is covered in a later chapter; --list shows whether the service
# starts in each run level, "on" enables it at boot and "off" disables it
oAȹw]XG|ҰʰաIDAݨ 3:off 5:off ɡA~ݭnHy chkconfig setroubleshoot on z h]w@UCpGoͿ~ɡATOHڭ̨ϥ httpd o{ͪ~ӻnFC]AݭnҰ WWW AA ڭ̪ WWW O httpd oAȴѪA]Anw˥BҰʥ~G
[root@www ~]# yum install httpd
[root@www ~]# /etc/init.d/httpd start
[root@www ~]# netstat -tlnp | grep http
tcp        0      0 :::80       :::*        LISTEN   2455/httpd
tcp        0      0 :::443      :::*        LISTEN   2455/httpd
# port 80 is now listening
oӮɭԧڭ̪ WWW ANw˧FCڭ̪Om /var/www/html ؿUABɦWnO index.htmlC pGڨϥΩUҦӶi歺BzɡAiN| SELinux DFIڭ̴NӼ@UXDpaI
[root@www ~]# echo "My first selinux check" > index.html
[root@www ~]# ll index.html
-rw-r--r-- 1 root root 23 Sep 20 23:27 index.html    <== the permissions are fine
[root@www ~]# mv index.html /var/www/html
ɧڭ̴NiH}sAMbsWJ Linux ۤv IP ӬdݡAݯणsWۤv WWW C Oo}Cݭno˿J~Ghttps:///index.htmlAA|ݨpUeG
e̩㪺aNOiDAAAèSviHs index.html IFIvO諸IH SYANzL setroubleshoot \hˬdݬݡCɽФR@U /var/log/messages eaIIoˡG
[root@www ~]# cat /var/log/messages | grep setroubleshoot
Sep 20 23:29:55 www setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index.html). For complete SELinux messages. run sealert -l 077202c1-561a-4f27-9ba7-bf08e134f006
W~TiOP@IjOySElinux QΨקK httpd Ū~wʥA Qnd\㪺ơAа sealert -l ...zSIA`NFIINO sealert -l աI WѪTäAQn㪺ona sealert tX쪺~NXӳBzC ڳBz|oˡG
[root@www ~]# sealert -l 077202c1-561a-4f27-9ba7-bf08e134f006
Summary:
SELinux is preventing the httpd from using potentially mislabeled files
(/var/www/html/index.html).                    <== the same text as in /var/log/messages

Detailed Description:                           <== the full description; worth reading
SELinux has denied httpd access to potentially mislabeled file(s)
(/var/www/html/index.html). This means that SELinux will not allow httpd to
use these files. It is common for users to edit files in their home
directory or tmp directories and then move (mv) them to system directories.
The problem is that the files end up with the wrong file context which
confined applications are not allowed to access.

Allowing Access:                                <== what to do if the access should be allowed
If you want httpd to access this files, you need to relabel them using
restorecon -v '/var/www/html/index.html'. You might want to relabel the
entire directory using restorecon -R -v '/var/www/html'.
....(omitted)....
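Reading /var/log/messages by hand works for one denial, but on a busy host the same alert is logged again on every retry and the line you need is the sealert ID at its end. The script below is an added example, not code from the original tutorial: it pulls the setroubleshoot alerts out of syslog-style lines, printing the timestamp, the sealert ID and the denied path, and lists each ID once so that `sealert -l` only has to be run per distinct problem. The log it embeds is constructed: its first line is the one shown on this page, the others are made-up repeats and noise.

```shell
#!/bin/sh
# Added example (not from the original tutorial): pull the setroubleshoot
# alerts out of syslog so that the sealert IDs and the denied paths can be
# reviewed (or mailed) without reading the whole of /var/log/messages.

setroubleshoot_alerts() {
    # stdin: /var/log/messages style lines
    # stdout: "<month> <day> <time> <alert-id> <denied-path>" per alert line
    awk '
        / setroubleshoot: / && / sealert -l / {
            id = $0
            sub(/.* sealert -l /, "", id)          # keep the text after "sealert -l "
            sub(/[^0-9a-f-].*/, "", id)            # the ID is hex digits and dashes
            path = "-"
            if (match($0, /\(\/[^)]*\)/))          # first "(/some/path)" in the line
                path = substr($0, RSTART + 1, RLENGTH - 2)
            print $1, $2, $3, id, path
        }'
}

unique_alert_ids() {
    # stdin: the same syslog lines; stdout: each alert ID once, in first-seen order
    setroubleshoot_alerts | awk '!seen[$4]++ { print $4 }'
}

# Constructed sample log: the first line is the one shown on this page, the
# third is a made-up repeat of it, the fourth a made-up alert for another
# path, and the cron line is noise that must be ignored.
sample_messages() {
    cat <<'EOF'
Sep 20 23:29:55 www setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index.html). For complete SELinux messages. run sealert -l 077202c1-561a-4f27-9ba7-bf08e134f006
Sep 20 23:30:01 www crond[2650]: (root) CMD (run-parts /etc/cron.hourly)
Sep 20 23:31:12 www setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index.html). For complete SELinux messages. run sealert -l 077202c1-561a-4f27-9ba7-bf08e134f006
Sep 21 08:10:02 www setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files (/srv/vbird/data.txt). For complete SELinux messages. run sealert -l 1b2c3d4e-0000-4aaa-9bbb-cccccccccccc
EOF
}

# Demo: on a live host use `grep setroubleshoot /var/log/messages | unique_alert_ids`
# and run `sealert -l <id>` for each ID printed.
sample_messages | setroubleshoot_alerts
```

Because the output is one line per denial with the path included, it is also a convenient thing to feed into the e-mail notification described below instead of the raw log.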
INOWSrܪaIAunӵۡyAllowing Accessz̭ܥhiBzA
NA SELinux ]wFIڭ̤WӤp`쪺 restorecon
P chcon ANDA setroubleshoot ѪThĤFaI
ޥXFԣ SELinux DAjb setroubleshoot AȤN|iDAѨMDIҥHAܦhF卖έII
pGCճon /var/log/messages hRAuO·ЪڡISYAڭ̥iHzL email console 觋ӱNT͡I ]NOAڭ̥iH setroubleshoot DʪoeͪTڭ̫w email Ao˥iHKڭ̧YɪRIH Nק setroubleshoot ]wɧYiCAiHd\ /etc/setroubleshoot/setroubleshoot.cfg oɮתeA ڭ̥uݭnק諸apUG
[root@www ~]# vim /etc/setroubleshoot/setroubleshoot.cfg
[email]
# around line 76; this file must exist
recipients_filepath = /var/lib/setroubleshoot/email_alert_recipients
# around line 169; change the original False to True
console = True

[root@www ~]# vim /var/lib/setroubleshoot/email_alert_recipients
root@localhost
your@email.address

[root@www ~]# /etc/init.d/setroubleshoot restart
ANiHzLRA email Өo SELinux ~ToID`²aIuOn`NAWzg email ɮפA ugbAAnsP @localhost gWAo˥W root ~বHINo²I ^_^
ڭ̨²檺`aI]AsunqL SELinux ~vPw~~ rwx vC SELinux DnSG (1)ݭnqLFUWh (2)~i SELinux type wʥ媺Aoⶵu@onT~Cӫ SELinux קDnOzL chcon, restorecon, setsebool OӳBzCOpBzOHiHzLR /var/log/messages Ѫ setroubleshoot TӳBmIo˴NܻPiHzA SELinux oI
OpG]Yǭ]A|Ҩӻ CentOS SWd쪺 setroubleshoot TɡAiA٬OLkAѨƱ쩳O̥XC ɧڭ̷|o˫ijG
o˴NܻPzA SELinux աIݭnQӦhIRnɴNաI
pGADQӳQoavܡAӧA]ѩAѨDʱݭnAҥHb̵uɶo{@ƥA
ӦpwoӳQJIDӭ״_HpGAn״_ܡAAoӺޤHٻݭnB~ޯH
Uڭ̴Nӽͤ@͡C
qĤ@p`RAA|o{ٯuO֪ALݭn@~tΦ@w{תxA {ǪB@PvhݭnAѡA_hN·ФFIF@~tΪ~A ̺ٻݭnԣSޥOHMݭnڡI@Ḏ`oͰDpA Oѡy~ΩҲͪzAҥHڡAAuަnDӤwOySkDzաI UNӽͽͧAٻݭnԣޥOH
ҿסyʱK@zڡAHOA`|Ҽ{gpAU@ADN]oy@zɭPQJIFA ӫHѤWAڭ̪Dy차zOYA]L|bAtΤU}ӫ (Back door) ̥iHnJADAӥBٷ|«A Linux W{AA䤣Ӥ차{IH
ܦhBͳߺDyϥunN root KX^ӴNnFz o˪[IAƹWAˤ@D٬OQ~MIڡIҥHA U@ADQJIFA̦nk٬OyswLinux z|bI
Ӧpsw˩OHܦhBͤ@AawˡAo@AaQJI㬰OH]LSyOаVzڡII Uڭ̴Nӽͤ@͡A@QJIDӦp״_nH
gLo@sꪺʧ@AADӷ|_bҡA٤౼HߡA ̦n٬OѦҨ𪺳]wAåBh譱Ѧ Internet W@ǦѤ⪺gAnADiHw@ǡI