linux 系統管理與安全:進階系統管理系統防駭與資訊安全
TRANSCRIPT
•
•
•
•
•
root:log/ # ls -‐Fanaconda/ btmp dmesg httpd/ mariadb/ ppp/ secure tuned/audit/ chrony/ dmesg.old lastlog messages sa/ spooler wtmpboot.log cron grubby maillog php-‐fpm/ sa-‐update.log tallylog yum.log
• kernel message buffer kernel
• kernel $ dmesg
• /var/log/dmesg
•
•
•
•
•
• /var/log/messages
•
• syslog
Feb 14 00:01:50 localhost kernel: smpboot: CPU0: Intel(R) Celeron(R) CPU E3400 @ 2.60GHz (fam: 06, model: 17, stepping: 0a)Feb 14 00:01:50 localhost kernel: Performance Events: unsupported p6 CPU model 23 no PMU driver, software events only.Feb 14 00:01:50 localhost kernel: Brought up 1 CPUsFeb 14 00:01:50 localhost kernel: smpboot: Total of 1 processors activated (5202.48 BogoMIPS)
• /var/log/cron
• cron
Apr 2 09:01:01 localhost run-‐parts(/etc/cron.hourly)[528]: starting 0yum-‐hourly.cronApr 2 09:01:01 localhost run-‐parts(/etc/cron.hourly)[544]: finished 0yum-‐hourly.cron
• /var/log/secure
•
•
Apr 1 16:12:16 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)Apr 1 16:12:16 localhost login: ROOT LOGIN ON tty1
Mar 29 07:43:34 yuki sshd[18247]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.6 user=rootMar 29 07:43:36 yuki sshd[18247]: Failed password for root from 183.136.216.6 port 45215 ssh2
•
•
•
• daily weekly monthly yearly
• anacron
•/etc/cron.daily/logrotate
• /etc/logrotate.d/httpd
/var/log/httpd/*log {daily # minsize 1M # 1MB missingok # rotate 14 # 14compress # gzipdelaycompress # notifempty # create 640 root adm # sharedscripts # postrotate #
/bin/systemctl reload httpd.service > /dev/null 2>/dev/null || trueendscriptprerotate #
# do nothingendscript
}
$ man logrotate
•
•
• 192.168.1.10 -‐> 11000000 10101000 00000001 00001010
•
•
•
•
•
•
• 192.168.1.100
• 192.168.1.100 -‐> 11000000 10101000 00000001 01100100
• 255.255.255.224
• 255.255.255.224 -‐> 11111111 11111111 11111111 11100000
• 11000000 10101000 00000001 01100000
• 192.168.1.96
•255.255.255.224 -‐> 11111111 11111111 11111111 11100000
• 11100000 -‐> 3 1 -‐> 2^3 -‐> 8 subnet
• 256 / 8 = 32
• 32 IP
• 192.168.1.96 ~ 192.168.1.127
• 192.168.1.127 broadcast
•
• class netmask subnet id
• 255.255.224.0 11111111 11111111 11111111 11100000 27 1
• -‐> a.b.c.d/27
• 192.168.1.96/27
•
• 140.115.0.0/16 140.115.1.1 ~ 140.115.255.255 ( 255.255.0.0)
• 192.168.1.0/24 192.168.1.1 ~ 192.168.1.255 ( 255.255.255.0)
Q 140.115.1.0/32
•
• # netstat –r / route
• # ip route
# netstat -‐rKernel IP routing tableDestination Gateway Genmask Flags Metric Ref Use Ifacedefault 192.168.1.1 0.0.0.0 UG 0 0 0 eth010.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun010.8.0.2 * 255.255.255.255 UH 0 0 0 tun0link-‐local * 255.255.0.0 U 1000 0 0 eth0192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
10.8.0.0~10.8.0.255 IP tun0 10.8.0.2 gateway10.8.0.2 IP
192.168.1.0~192.168.1.255 IP eth0 192.168.1.1 gateway
• gateway# route add default gw 192.168.1.1
• IP # route add -‐net 192.168.115.0 netmask255.255.255.0 -‐dev eth1
• IP# ifconfig eth0 192.168.1.1 netmask 255.255.255.0
•
•
•
# arpAddress HWtype HWaddress Flags Mask Iface192.168.56.1 ether 08:00:27:00:c4:7a C enp0s810.0.2.2 ether 52:54:00:12:35:02 C enp0s3
• ARP # arp -‐s 192.168.1.1 AA:BB:CC:DD:EE:FF
• ARP # arp -‐d 192.168.1.1
•
•
•
•
•
•
•
•
•
• enp0s8 # tcpdump -‐i enp0s8
• port ASCII # tcpdump -‐A -‐i enp0s8 'port 21'# tcpdump -‐A -‐i enp0s8 'tcp and port 21 and host 192.168.1.1'
22:03:44.870107 IP localhost.localdomain.54068 > adl-‐12.csie.ncu.edu.tw.http: Flags [P.], seq 1:17, ack 1, win 14600, length 16E..8..@[email protected] / HTTP/1.1
• telnet sparc11.cc.ncu.edu.twtcpdump
•
•
• # yum install logwatch
• # cp /usr/share/logwatch/default.conf/logwatch.conf/etc/logwatch/conf/logwatch.conf
• /etc/cron.daily/0logwatch
• # vim /etc/logwatch/conf/logwatch.conf
# stdout mail fileOutput = mail# HtmlFormat = text# email MailTo = rootMailFrom = Logwatch
# log Range = yesterday
# log level Low, Med, HighDetail = Low
# /usr/share/logwatch/default.conf/services Service = All
•# logwatch -‐-‐detail Low -‐-‐output stdout -‐-‐service all -‐-‐range today
•# logwatch -‐-‐detail Low -‐-‐output mail -‐-‐mailto [email protected] -‐-‐service all -‐-‐range yesterday
•
•
• /etc/cron.d/sysstat
# sar | head -‐n 5Linux 3.10.0-‐123.20.1.el7.x86_64 (localhost.localdomain)00 00 01 CPU %user %nice %system %iowait %steal %idle00 10 01 all 0.02 0.00 0.05 0.01 0.00 99.9200 20 01 all 0.02 0.00 0.05 0.00 0.00 99.93
# Run system activity accounting tool every 10 minutes*/10 * * * * root /usr/lib64/sa/sa1 1 1# 0 * * * * root /usr/lib64/sa/sa1 600 6 &# Generate a daily summary of process accounting at 23:5353 23 * * * root /usr/lib64/sa/sa2 -‐A
•
• $ uptime18:20:06 up 220 days, 19:46, 2 users, load average: 0.00, 0.01, 0.05
•
•
•
•
•
•
$ free -‐htotal used free shared buffers cached
Mem: 7.8G 7.6G 193M 42M 111M 3.3G-‐/+ buffers/cache: 4.2G 3.6G
2.0G 38M 2.0G# vmstat -‐S MBprocs -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐memory-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐swap-‐-‐ -‐-‐-‐-‐-‐io-‐-‐-‐-‐ -‐system-‐-‐ -‐-‐-‐-‐-‐-‐cpu-‐-‐-‐-‐-‐r b swpd free buff cache si so bi bo in cs us sy id wa st1 0 38 191 116 3395 0 0 8 6 15 1 2 0 98 0 0
•
• $ netstat
• -‐n IP
• -‐a socket ( )
• -‐p port root
• -‐r
•
• LISTEN SYN_RECV SYN_SENT ESTABLISHEDFIN_WAIT1…
• $ man netstat# netstat -‐napActive Internet connections (servers and established)Proto Recv-‐Q Send-‐Q Local Address Foreign Address State PID/Program nametcp 0 0 0.0.0.0:9091 0.0.0.0:* LISTEN 906/transmission-‐datcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1758/mysqldtcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1841/redis-‐server 1tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1379/vsftpdtcp 0 0 127.0.0.1:3350 0.0.0.0:* LISTEN 2030/xrdp-‐sesmantcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1569/sshdtcp 0 0 192.168.1.200:64414 203.177.28.183:15044 SYN_RECV -‐tcp 0 0 192.168.1.200:64414 117.211.86.108:258 SYN_RECV -‐tcp 0 0 192.168.1.200:57429 82.78.229.223:8325 TIME_WAIT -‐tcp 0 1 192.168.1.200:55339 79.112.227.120:6881 SYN_SENT 906/transmission-‐datcp 0 1 192.168.1.200:56382 36.230.128.108:8290 SYN_SENT 906/transmission-‐datcp 0 0 192.168.1.200:22 36.231.168.75:5091 ESTABLISHED 29422/sshd: sntc06tcp 0 0 192.168.1.200:64414 61.58.102.97:55302 ESTABLISHED 906/transmission-‐datcp 0 0 127.0.0.1:3306 127.0.0.1:42814 ESTABLISHED 1758/mysqld
•
• iostat [ ] [< >[< >]]
• %util
$ iostat -‐d -‐x 1
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-‐sz avgqu-‐sz await r_await w_await svctm %utilsda 0.00 0.00 0.00 16.00 0.00 188.00 23.50 0.00 0.00 0.00 0.00 0.00 0.00
•
•
•
•
•# yum install munin munin-‐node# systemctl enable munin-‐node
• ( epel )
• /etc/crontab
• /etc/httpd/conf.d/munin.conf
*/5 * * * * munin test -‐x /usr/bin/munin-‐cron && /usr/bin/munin-‐cron
<Directory /var/cache/munin/www>Order allow,denyAllow from 127.0.0.0/8 140.115.0.0/16 ::1# Require ip 140.115#if apache 2.4Options None
</Directory>
•# htpasswd -‐c /etc/munin/munin-‐htpasswd < >
• /etc/munin/munin.conf
[local.example.com]address 127.0.0.1use_node_name yes
•
• $ ls /etc/munin/plugins
•
• Q
cpu if_err_enp0s3 mysql_innodb_bpool_act mysql_qcache_mem postfix_mailvolumedf if_err_enp0s8 mysql_innodb_insert_buf mysql_replication processesdf_inode interrupts mysql_innodb_io mysql_select_types proc_pridiskstats irqstats mysql_innodb_io_pend mysql_slow swapentropy load mysql_innodb_log mysql_sorts threadsforks memory mysql_innodb_rows mysql_table_locks uptimefw_conntrack mysql_bin_relay_log mysql_innodb_semaphores mysql_tmp_tables usersfw_forwarded_local mysql_commands mysql_innodb_tnx netstat vmstatfw_packets mysql_connections mysql_myisam_indexes open_filesif_enp0s3 mysql_files_tables mysql_network_traffic open_inodesif_enp0s8 mysql_innodb_bpool mysql_qcache postfix_mailqueue
•
•
•
• # munin-‐node-‐configure -‐-‐shell -‐-‐snmp <snmp_device> -‐-‐snmpversion <ver> -‐-‐snmpcommunity <comm>
•
•
•