Linuxの最近のブログ記事
久々にIPTABLEの設定を見直すことにしたので,現在の設定をまず確認。
[root@desktop conf]# service iptables status
テーブル: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 192.168.11.5 icmp type 8
3 ACCEPT icmp -- 0.0.0.0/0 192.168.11.5 icmp type 0
4 ACCEPT tcp -- 192.168.11.0/24 192.168.11.5 tcp dpt:22
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 LOGGING all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 192.168.11.5 0.0.0.0/0 icmp type 0
3 ACCEPT icmp -- 192.168.11.5 0.0.0.0/0 icmp type 8
4 ACCEPT tcp -- 192.168.11.5 192.168.11.0/24 tcp spt:22
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:443
7 LOGGING all -- 0.0.0.0/0 0.0.0.0/0
Chain LOGGING (2 references)
num target prot opt source destination
1 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `DROP:'
2 DROP all -- 0.0.0.0/0 0.0.0.0/0
[root@desktop conf]#
[root@desktop conf]# iptables -v -L INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 560 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- eth0 any anywhere desktop.localdomain icmp echo-request
0 0 ACCEPT icmp -- eth0 any anywhere desktop.localdomain icmp echo-reply
1062 71555 ACCEPT tcp -- eth0 any 192.168.11.0/24 desktop.localdomain tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
15 2088 LOGGING all -- any any anywhere anywhere
[root@desktop conf]# iptables -v -L OUTPUT
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 560 ACCEPT all -- any lo anywhere anywhere
0 0 ACCEPT icmp -- any eth0 desktop.localdomain anywhere icmp echo-reply
0 0 ACCEPT icmp -- any eth0 desktop.localdomain anywhere icmp echo-request
1144 149K ACCEPT tcp -- any eth0 desktop.localdomain 192.168.11.0/24 tcp spt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:https
86 7988 LOGGING all -- any any anywhere anywhere
[root@desktop conf]#
[root@desktop conf]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere desktop.localdomain icmp echo-request
ACCEPT icmp -- anywhere desktop.localdomain icmp echo-reply
ACCEPT tcp -- 192.168.11.0/24 desktop.localdomain tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOGGING all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- desktop.localdomain anywhere icmp echo-reply
ACCEPT icmp -- desktop.localdomain anywhere icmp echo-request
ACCEPT tcp -- desktop.localdomain 192.168.11.0/24 tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
LOGGING all -- anywhere anywhere
Chain LOGGING (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/hour burst 5 LOG level warning prefix `DROP:'
DROP all -- anywhere anywhere
[root@desktop conf]# /sbin/iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 560 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- eth0 any anywhere desktop.localdomain icmp echo-request
0 0 ACCEPT icmp -- eth0 any anywhere desktop.localdomain icmp echo-reply
1137 76219 ACCEPT tcp -- eth0 any 192.168.11.0/24 desktop.localdomain tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
15 2088 LOGGING all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 560 ACCEPT all -- any lo anywhere anywhere
0 0 ACCEPT icmp -- any eth0 desktop.localdomain anywhere icmp echo-reply
0 0 ACCEPT icmp -- any eth0 desktop.localdomain anywhere icmp echo-request
1205 157K ACCEPT tcp -- any eth0 desktop.localdomain 192.168.11.0/24 tcp spt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:https
98 8840 LOGGING all -- any any anywhere anywhere
Chain LOGGING (2 references)
pkts bytes target prot opt in out source destination
6 673 LOG all -- any any anywhere anywhere limit: avg 3/hour burst 5 LOG level warning prefix `DROP:'
113 10928 DROP all -- any any anywhere anywhere
[root@desktop conf]#
[root@desktop conf]# /sbin/iptables -nvxL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 560 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 192.168.11.5 icmp type 8
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 192.168.11.5 icmp type 0
1230 82035 ACCEPT tcp -- eth0 * 192.168.11.0/24 192.168.11.5 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
15 2088 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 560 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * eth0 192.168.11.5 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * eth0 192.168.11.5 0.0.0.0/0 icmp type 8
1318 172832 ACCEPT tcp -- * eth0 192.168.11.5 192.168.11.0/24 tcp spt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443
106 9408 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOGGING (2 references)
pkts bytes target prot opt in out source destination
6 673 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `DROP:'
121 11496 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[root@desktop conf]#
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
IPテーブルの再設定
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
「メモ:スクリプト作成用」
[root@desktop conf]# myhost=`ifconfig eth0 | grep "inet addr" | awk '{print $2}' | sed 's/addr://'`
[root@desktop conf]# echo $myhost
192.168.11.5
[root@desktop conf]#
[root@desktop conf]# bcast=`ifconfig eth0 | grep "inet addr" | awk '{print $3}' | sed 's/Bcast://'`
[root@desktop conf]# echo $bcast
192.168.11.255
[root@desktop conf]#
[root@desktop conf]# mask=`ifconfig eth0 | grep "inet addr" | awk '{print $4}' | sed 's/Mask://'`
[root@desktop conf]# echo $mask
255.255.255.0
[root@desktop conf]#
① 既存の設定を初期化して,削除。(SAVEはしない)
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere desktop.localdomain icmp echo-request
ACCEPT icmp -- anywhere desktop.localdomain icmp echo-reply
ACCEPT tcp -- 192.168.11.0/24 desktop.localdomain tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOGGING all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- desktop.localdomain anywhere icmp echo-reply
ACCEPT icmp -- desktop.localdomain anywhere icmp echo-request
ACCEPT tcp -- desktop.localdomain 192.168.11.0/24 tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
LOGGING all -- anywhere anywhere
Chain LOGGING (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/hour burst 5 LOG level warning prefix `DROP:'
DROP all -- anywhere anywhere
[root@desktop ~]# /sbin/iptables -P INPUT ACCEPT
[root@desktop ~]# /sbin/iptables -P FORWARD DROP
[root@desktop ~]# /sbin/iptables -P OUTPUT ACCEPT
[root@desktop ~]# /sbin/iptables -F
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]#
②INPUT基本設定
[root@desktop ~]# /sbin/iptables -A INPUT -i lo -j ACCEPT
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]#
③INPUT詳細設定と確認
[root@desktop ~]# /sbin/iptables -A INPUT -i eth0 -p icmp -j ACCEPT
[root@desktop ~]# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
[root@desktop ~]# /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
[root@desktop ~]# /sbin/iptables -A INPUT -i eth0 -s 192.168.11.0/24 -p all -j ACCEPT
[root@desktop ~]# /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@desktop ~]# /sbin/iptables -P INPUT DROP
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]#
④OUTPUT詳細設定と確認
[root@desktop ~]# /sbin/iptables -A OUTPUT -o lo -j ACCEPT
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]# /sbin/iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
[root@desktop ~]# /sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
[root@desktop ~]# /sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
[root@desktop ~]# /sbin/iptables -A OUTPUT -o eth0 -s 192.168.11.0/24 -p all -j ACCEPT
[root@desktop ~]# /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@desktop ~]# /sbin/iptables -P OUTPUT DROP
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]#
⑤設定の確認と保存
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]#
[root@desktop ~]# /etc/init.d/iptables save
ファイアウォールのルールを /etc/sysconfig/iptables に保存中[ OK ]
[root@desktop ~]# /etc/init.d/iptables restart
ファイアウォールルールを適用中: [ OK ]
チェインポリシーを ACCEPT に設定中filter [ OK ]
iptables モジュールを取り外し中 [ OK ]
iptables ファイアウォールルールを適用中: [ OK ]
iptables モジュールを読み込み中ip_conntrack_netbios_ns [ OK ]
[root@desktop ~]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain LOGGING (0 references)
target prot opt source destination
[root@desktop ~]#
※ /etc/hosts.allow & /etc/hosts.denyも利用しているので上記の設定でもSSHも特定のセグメントのみしか
利用出来ないようにしている。
/sbin/iptables -A INPUT -i eth0 -s 192.168.11.0/24 -p all -j ACCEPT に関しては,よりセキュアにするには
外して良いかと考えている。
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
tarでのバックアップ
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost ~]# tar zcvf $HOME/backup`date +%m%d`.tar.gz $HOME/ATBK5TH
tar: メンバ名から先頭の `/' を取り除きます
/home/admin/ATBK5TH/
/home/admin/ATBK5TH/atmarkit.ini
/home/admin/ATBK5TH/index.html
/home/admin/ATBK5TH/insert.php
/home/admin/ATBK5TH/update.ini
/home/admin/ATBK5TH/select.php
/home/admin/ATBK5TH/jscripts.ini
/home/admin/ATBK5TH/update.php
/home/admin/ATBK5TH/insert_form.ini
/home/admin/ATBK5TH/grant.sql
/home/admin/ATBK5TH/select_form.ini
/home/admin/ATBK5TH/ADDRESS.sql
/home/admin/ATBK5TH/image/
/home/admin/ATBK5TH/image/back.gif
/home/admin/ATBK5TH/image/0.gif
/home/admin/ATBK5TH/image/sakujo.gif
/home/admin/ATBK5TH/image/title1.gif
/home/admin/ATBK5TH/image/1shori.gif
/home/admin/ATBK5TH/image/title2.gif
/home/admin/ATBK5TH/image/henko.gif
/home/admin/ATBK5TH/image/xpress2.gif
/home/admin/ATBK5TH/image/line.gif
/home/admin/ATBK5TH/image/uketsuke.gif
/home/admin/ATBK5TH/image/kensaku.gif
/home/admin/ATBK5TH/delete.php
[root@localhost ~]# ls
ATBK5TH backup0105.tar.gz dumpbackup2 iptable_config_base.sh dumpbackup index.html.1 modsecurity_crs_20071222.conf source
[root@localhost ~]#
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
tarアーカイブの中身を確認する。 (tfオプション)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost ~]# tar tf backup0105.tar.gz
home/admin/ATBK5TH/
home/admin/ATBK5TH/atmarkit.ini
home/admin/ATBK5TH/index.html
home/admin/ATBK5TH/insert.php
home/admin/ATBK5TH/update.ini
home/admin/ATBK5TH/select.php
home/admin/ATBK5TH/jscripts.ini
home/admin/ATBK5TH/update.php
home/admin/ATBK5TH/insert_form.ini
home/admin/ATBK5TH/grant.sql
home/admin/ATBK5TH/select_form.ini
home/admin/ATBK5TH/ADDRESS.sql
home/admin/ATBK5TH/image/
home/admin/ATBK5TH/image/back.gif
home/admin/ATBK5TH/image/0.gif
home/admin/ATBK5TH/image/sakujo.gif
home/admin/ATBK5TH/image/title1.gif
home/admin/ATBK5TH/image/1shori.gif
home/admin/ATBK5TH/image/title2.gif
home/admin/ATBK5TH/image/henko.gif
home/admin/ATBK5TH/image/xpress2.gif
home/admin/ATBK5TH/image/line.gif
home/admin/ATBK5TH/image/uketsuke.gif
home/admin/ATBK5TH/image/kensaku.gif
home/admin/ATBK5TH/delete.php
[root@localhost ~]#
[root@localhost ~]#
━━━━━━━━━━━━━━━━━━━━━━━━━━
for文やwhile文にて繰り返し,部分はdo~doneとして定義する。
━━━━━━━━━━━━━━━━━━━━━━━━━━
以下の文は,3分毎にログファイル末尾10桁を表示している。
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
コンソールでのログイン,ネットワーク経由でのコンソールログイン時に表示される情報
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost ~]# vi /etc/issue
issue issue.net
[root@localhost ~]# vi /etc/issue
[root@localhost ~]# vi /etc/issue.net
/etc/issueに記述できるシーケンス
|
シーケンス |
説明 | |
| \d | 日付を表示 | |
| \l | 仮想コンソールの番号を表示 | |
| \m | マシン(ハードウェア)タイプを表示 | |
| \n | ホスト名を表示 | |
| \o | ドメイン名を表示 | |
| \r | OSのリリースを表示 | |
| \t | 現在の時刻を表示 | |
| \s | OSの名前を表示 | |
| \u | ログインしているユーザー数を表示 | |
| \U | ログインしているユーザー数を「x users」と表示(「x」はユーザー数) | |
| \v | OSのバージョンを表示 |
/etc/issue.netに記述できるシーケンス
|
シーケンス |
説明 | |
| %t | 現在のtty(端末名)を表示 | |
| %h | システムのノード名(FQDN)を表示 | |
| %D | ドメイン名を表示 | |
| %d | 現在の時刻と日付を表示 | |
| %s | OSの名前を表示 | |
| %m | マシン(ハードウェア)タイプを表示 | |
| %r | OSのリリースを表示 | |
| %v | OSのバージョンを表示 | |
| %% | 1個の%文字を表示 |
※セキュリティの設定でリモートから接続した場合は,表示されない設定になっている事が多い。
関連: /etc/motd
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
aproposコマンドは,マニュアルの一行説明の中から指定したキーワードでの検索を行う。
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost ~]# apropos pas
cracklib (rpm) - A password-checking library.
gnome-keyring (rpm) - A framework for managing user passwords and other secrets
openssh-askpass (rpm) - A passphrase dialog for OpenSSH and X
pam_passwdqc (rpm) - Pluggable password quality-control module.
passivetex (rpm) - Macros to process XSL formatting objects.
passwd (rpm) - The passwd utility for setting/changing passwords using PAM
shadow-utils (rpm) - Utilities for managing accounts and shadow password files.
[root@localhost ~]# apropos mount
autofs (rpm) - A tool for automatically mounting and unmounting filesystems.
gnome-mount (rpm) - Mount replacement which uses HAL to do the mounting
mtools (rpm) - Programs for accessing MS-DOS disks without mounting the disks.
units (rpm) - A utility for converting amounts from one unit to another.
xorg-x11-drv-penmount (rpm) - Xorg X11 penmount input driver
[root@localhost ~]#
[root@localhost ~]# man 8 mount
[root@localhost ~]#
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
依存関係情報格納ファイル
[root@localhost ~]# ls -l /lib/modules/`uname -r`/modules.dep
-rw-r--r-- 1 root root 195218 1月 5 21:24 /lib/modules/2.6.18-8.1.14.el5/modules.dep
depmodコマンドで依存関係情報更新
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost ~]# head /lib/modules/2.6.18-8.1.14.el5/modules.dep
/lib/modules/2.6.18-8.1.14.el5/kernel/lib/ts_fsm.ko:
/lib/modules/2.6.18-8.1.14.el5/kernel/lib/reed_solomon/reed_solomon.ko:
/lib/modules/2.6.18-8.1.14.el5/kernel/lib/crc16.ko:
/lib/modules/2.6.18-8.1.14.el5/kernel/lib/zlib_deflate/zlib_deflate.ko:
/lib/modules/2.6.18-8.1.14.el5/kernel/lib/crc-ccitt.ko:
/lib/modules/2.6.18-8.1.14.el5/kernel/lib/ts_bm.ko:
/lib/modules/2.6.18-8.1.14.el5/kernel/lib/ts_kmp.ko:
/lib/modules/2.6.18-8.1.14.el5/kernel/arch/i386/crypto/aes-i586.ko:
/lib/modules/2.6.18-8.1.14.el5/kernel/arch/i386/kernel/cpuid.ko:
/lib/modules/2.6.18-8.1.14.el5/kernel/arch/i386/kernel/microcode.ko:
[root@localhost ~]# depmod
[root@localhost ~]#
━━━━━━━━━━━━━━━━━━━━━━━━
ロードされているカーネルモジュール確認 (lsmod)
━━━━━━━━━━━━━━━━━━━━━━━━
[admin@localhost ~]$ lsmod
Module Size Used by
ipv6 250369 20
autofs4 23749 2
hidp 23105 2
l2cap 29633 5 hidp
bluetooth 53925 2 hidp,l2cap
sunrpc 142973 1
ip_conntrack_netbios_ns 6977 0
ipt_LOG 10177 1
xt_limit 6721 1
xt_state 6209 1
ip_conntrack 53153 2 ip_conntrack_netbios_ns,xt_state
nfnetlink 10713 1 ip_conntrack
xt_tcpudp 7105 6
iptable_filter 7105 1
ip_tables 17029 1 iptable_filter
x_tables 17349 5 ipt_LOG,xt_limit,xt_state,xt_tcpudp,ip_tables
dm_mirror 29713 0
dm_mod 56665 1 dm_mirror
video 19269 0
sbs 18533 0
i2c_ec 9025 1 sbs
button 10705 0
battery 13637 0
asus_acpi 19289 0
ac 9157 0
lp 15849 0
floppy 57125 0
snd_ymfpci 62177 0
gameport 18633 1 snd_ymfpci
snd_ac97_codec 87009 1 snd_ymfpci
snd_ac97_bus 6337 1 snd_ac97_codec
snd_seq_dummy 7877 0
snd_seq_oss 32705 0
snd_seq_midi_event 11073 1 snd_seq_oss
snd_seq 49841 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event
snd_pcm_oss 42849 0
snd_mixer_oss 19137 1 snd_pcm_oss
snd_pcm 71621 3 snd_ymfpci,snd_ac97_codec,snd_pcm_oss
snd_opl3_lib 14017 1 snd_ymfpci
snd_timer 24901 4 snd_ymfpci,snd_seq,snd_pcm,snd_opl3_lib
snd_hwdep 12997 1 snd_opl3_lib
pcspkr 7105 0
snd_page_alloc 13641 2 snd_ymfpci,snd_pcm
snd_mpu401_uart 12097 1 snd_ymfpci
snd_rawmidi 26817 1 snd_mpu401_uart
snd_seq_device 11853 5 snd_seq_dummy,snd_seq_oss,snd_seq,snd_opl3_lib,snd_rawmidi
snd 51909 13 snd_ymfpci,snd_ac97_codec,snd_seq_oss,snd_seq,snd_pcm_oss ,snd_mixer_oss,snd_pcm,snd_opl3_lib,snd_timer,snd_hwdep,snd_mpu401_uart,snd_rawmidi,snd_se q_device
i2c_piix4 12109 0
i2c_core 23745 2 i2c_ec,i2c_piix4
soundcore 13217 1 snd
ide_cd 40033 0
cdrom 36705 1 ide_cd
serio_raw 10693 0
tulip 50785 0
parport_pc 29157 1
parport 37513 2 lp,parport_pc
sym53c8xx 70745 0
scsi_transport_spi 26177 1 sym53c8xx
sd_mod 22977 0
scsi_mod 130637 3 sym53c8xx,scsi_transport_spi,sd_mod
ext3 123081 3
jbd 56553 1 ext3
ehci_hcd 32845 0
ohci_hcd 23261 0
uhci_hcd 25421 0
[admin@localhost ~]$
━━━━━━━━━━━━━━━━━━━━━━━━
ロードされているカーネルモジュール確認 (/dev/modules or /proc/modules)
━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost ~]# cat /proc/modules
ipv6 250369 20 - Live 0xd4bb4000
autofs4 23749 2 - Live 0xd4b36000
hidp 23105 2 - Live 0xd4b1e000
l2cap 29633 5 hidp, Live 0xd4b61000
bluetooth 53925 2 hidp,l2cap, Live 0xd4b27000
sunrpc 142973 1 - Live 0xd4b3d000
ip_conntrack_netbios_ns 6977 0 - Live 0xd4b00000
ipt_LOG 10177 1 - Live 0xd4afc000
xt_limit 6721 1 - Live 0xd4a3e000
xt_state 6209 1 - Live 0xd4a41000
ip_conntrack 53153 2 ip_conntrack_netbios_ns,xt_state, Live 0xd4b08000
nfnetlink 10713 1 ip_conntrack, Live 0xd4a57000
xt_tcpudp 7105 6 - Live 0xd49ad000
iptable_filter 7105 1 - Live 0xd4949000
ip_tables 17029 1 iptable_filter, Live 0xd4a51000
x_tables 17349 5 ipt_LOG,xt_limit,xt_state,xt_tcpudp,ip_tables, Live 0xd4a4b000
dm_mirror 29713 0 - Live 0xd4a6c000
dm_mod 56665 1 dm_mirror, Live 0xd4a5d000
video 19269 0 - Live 0xd4a45000
sbs 18533 0 - Live 0xd49d8000
i2c_ec 9025 1 sbs, Live 0xd49e7000
button 10705 0 - Live 0xd49e3000
battery 13637 0 - Live 0xd49de000
asus_acpi 19289 0 - Live 0xd4956000
ac 9157 0 - Live 0xd49a9000
lp 15849 0 - Live 0xd4999000
floppy 57125 0 - Live 0xd49eb000
snd_ymfpci 62177 0 - Live 0xd49c7000
gameport 18633 1 snd_ymfpci, Live 0xd4993000
snd_ac97_codec 87009 1 snd_ymfpci, Live 0xd49b0000
snd_ac97_bus 6337 1 snd_ac97_codec, Live 0xd4953000
snd_seq_dummy 7877 0 - Live 0xd4950000
snd_seq_oss 32705 0 - Live 0xd498a000
snd_seq_midi_event 11073 1 snd_seq_oss, Live 0xd494c000
snd_seq 49841 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event, Live 0xd497c000
snd_pcm_oss 42849 0 - Live 0xd4970000
snd_mixer_oss 19137 1 snd_pcm_oss, Live 0xd493c000
snd_pcm 71621 3 snd_ymfpci,snd_ac97_codec,snd_pcm_oss, Live 0xd495d000
snd_opl3_lib 14017 1 snd_ymfpci, Live 0xd4942000
snd_timer 24901 4 snd_ymfpci,snd_seq,snd_pcm,snd_opl3_lib, Live 0xd4919000
snd_hwdep 12997 1 snd_opl3_lib, Live 0xd4937000
pcspkr 7105 0 - Live 0xd4831000
snd_page_alloc 13641 2 snd_ymfpci,snd_pcm, Live 0xd48e7000
snd_mpu401_uart 12097 1 snd_ymfpci, Live 0xd4915000
snd_rawmidi 26817 1 snd_mpu401_uart, Live 0xd492f000
snd_seq_device 11853 5 snd_seq_dummy,snd_seq_oss,snd_seq,snd_opl3_lib,snd_rawmidi, Live 0xd4911000
snd 51909 13 snd_ymfpci,snd_ac97_codec,snd_seq_oss,snd_seq,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_opl3_lib,snd_timer,snd_hwdep,snd_mpu401_uart,snd_rawmidi,snd_seq_device, Live 0xd4921000
i2c_piix4 12109 0 - Live 0xd489a000
i2c_core 23745 2 i2c_ec,i2c_piix4, Live 0xd48f1000
soundcore 13217 1 snd, Live 0xd48ec000
ide_cd 40033 0 - Live 0xd4906000
cdrom 36705 1 ide_cd, Live 0xd48be000
serio_raw 10693 0 - Live 0xd4849000
tulip 50785 0 - Live 0xd48f8000
parport_pc 29157 1 - Live 0xd48c9000
parport 37513 2 lp,parport_pc, Live 0xd485f000
sym53c8xx 70745 0 - Live 0xd48d4000
scsi_transport_spi 26177 1 sym53c8xx, Live 0xd4857000
sd_mod 22977 0 - Live 0xd4842000
scsi_mod 130637 3 sym53c8xx,scsi_transport_spi,sd_mod, Live 0xd4879000
ext3 123081 3 - Live 0xd489e000
jbd 56553 1 ext3, Live 0xd486a000
ehci_hcd 32845 0 - Live 0xd484d000
ohci_hcd 23261 0 - Live 0xd4819000
uhci_hcd 25421 0 - Live 0xd483a000
[root@localhost ~]#
ユーザープロファイル管理
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
パスワードに有効期限を設定
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost ~]# chage
Usage: chage [options] user
Options:
-d, --lastday LAST_DAY set last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-h, --help display this help message and exit
-I, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-l, --list show account aging information
-m, --mindays MIN_DAYS set minimum number of days before password
change to MIN_DAYS
-M, --maxdays MAX_DAYS set maximim number of days before password
change to MAX_DAYS
-W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS
[root@localhost ~]#
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
アカウントの確認
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost ~]# chage -l admin
Last password change : 10月 04, 2007
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
[root@localhost ~]#
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
↑のアカウントはディフォルトのままなので,設定を変更する
パスワード変更には最低1日
パスワード有効期限90日
パスワードが切れる30日前から警告が出る
パスワードが切れると7日間待ってアカウントロック
アカウント無効化の日は2010年4月1日に設定
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost ~]# chage -m 1 -M 90 -W 30 -I 7 -E 2010-04-01 admin
[root@localhost ~]# chage -l admin
Last password change : 10月 04, 2007
Password expires : 1月 02, 2008
Password inactive : 1月 09, 2008
Account expires : 4月 01, 2010
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 30
[root@localhost ~]#
[root@localhost ~]# cat /etc/shadow | grep admin
admin:$1$FssAdbea$.hYb8/RSdjmqZ4yDuFcAd1:13790:1:90:30:7:14700:
administrator:!!:13835:0:99999:7:::
[root@localhost ~]#
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
パスワード変更
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost ~]# chage -l admin
Last password change : 12月 30, 2007
Password expires : 3月 29, 2008
Password inactive : 4月 05, 2008
Account expires : 4月 01, 2010
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 30
[root@localhost ~]#
※ 一般ユーザーのログインを禁止する設定
/etc/nologinファイルを作成しておく。 (touch /etc/nologin)
※ usermod -s /bin/false ユーザー名 (特定ユーザーのログイン禁止)
※ /etc/passwdファイルを直接編集でも可
ユーザーのリソース利用制限をulimitにて変更できます。
[root@localhost ~]# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
max nice (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 5119
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
max rt priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 5119
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
[root@localhost ~]#
RPMからインストールされたファイルの検証。
rpm -Vコマンド
━━━━━━━━━━━━━━━━━━━━━━━━━━━
8桁検証記号 c=設定ファイル
━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost ~]# rpm -Va
..5....T c /etc/pki/nssdb/secmod.db
.M...... c /etc/cups/classes.conf
S.5....T c /etc/php.ini
SM5....T /usr/lib/perl5/5.8.8/CGI.pm
SM5....T /usr/lib/perl5/5.8.8/CGI/Carp.pm
SM5....T /usr/lib/perl5/5.8.8/CGI/Cookie.pm
SM5....T /usr/lib/perl5/5.8.8/CGI/Fast.pm
SM5....T /usr/lib/perl5/5.8.8/CGI/Util.pm
SM5....T /usr/lib/perl5/5.8.8/File/Temp.pm
SM5....T /usr/lib/perl5/5.8.8/Test/Builder.pm
.M5....T /usr/lib/perl5/5.8.8/Test/Builder/Module.pm
SM5....T /usr/lib/perl5/5.8.8/Test/Builder/Tester.pm
SM5....T /usr/lib/perl5/5.8.8/Test/More.pm
.M5....T /usr/lib/perl5/5.8.8/Test/Simple.pm
SM5....T /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/List/Util/Util.so
SM5....T c /etc/sysconfig/iptables-config
.......T c /etc/inittab
S.5....T c /etc/sysconfig/system-config-securitylevel
S.5....T c /etc/sudoers
S.5....T c /etc/aliases
S.5....T c /etc/printcap
..5....T c /etc/profile
S.5....T c /etc/dumpdates
S ファイルサイズが異なる
M アクセス権限かファイルタイプが変更されている
5 MD5チェックサム地が異なる
L シンボリックリンクが変更されている
U 所有者が変更されている
G 所属グループが変更されている
T ファイルの更新時刻が異なる
D デバイスファイルが変更されている
? 不明
c 設定ファイル
━━━━━━━━━━━━━━━━━━━━━━━━━━━
MD5チェックサムの確認 md5sum
━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost mysql-rpms]# md5sum MySQL-server-community-5.0.45-0.rhel4.i386.rpm
80897d276a381df8aa6277d29d861ca3 MySQL-server-community-5.0.45-0.rhel4.i386.rpm
[root@localhost mysql-rpms]#
━━━━━━━━━━━━━━━━━━━━━━━━━━━
GPG検証
━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost mysql-rpms]# rpm --checksig MySQL-server-community-5.0.45-0.rhel4.i386.rpm
MySQL-server-community-5.0.45-0.rhel4.i386.rpm: sha1 md5 (GPG) OK ではありません。(見つからない鍵: GPG#5072e1f5)
[root@localhost mysql-rpms]#
公開鍵は,ベンダーウエブサイトなどから取得できます。
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
suid(set user id)やsgidが設定された実行ファイルを実行すると,そのプログラムは実行ファイルの所有ユーザ
または所有グループの権限で動作します。なのでスーパーユーザーが所有者であるプログラムにSUIDを設定
すると,ユーザーが実行した場合でもそのプログラムはスーパーユーザー権限で動作します。
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[root@localhost ~]# find / -perm -u+s -exec ls -la '{}' ';'
-rwsr-xr-x 1 root root 55016 3月 15 2007 /sbin/mount.nfs4
-rwsr-xr-x 1 root root 12280 3月 15 2007 /sbin/pam_timestamp_check
-rwsr-xr-x 1 root root 55012 3月 15 2007 /sbin/mount.nfs
-rwsr-xr-x 1 root root 20796 3月 15 2007 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 55016 3月 15 2007 /sbin/umount.nfs4
-rwsr-xr-x 1 root root 55016 3月 15 2007 /sbin/umount.nfs
--wS--xr-x 1 root root 0 10月 5 04:59 /media/.hal-mtab-lock
-rwsr-xr-x 1 root root 31244 3月 15 2007 /bin/ping6
-rwsr-xr-x 1 root root 57588 3月 15 2007 /bin/mount
-rwsr-xr-x 1 root root 38552 3月 15 2007 /bin/umount
-rwsr-xr-x 1 root root 24060 3月 22 2007 /bin/su
-rwsr-xr-x 1 root root 35864 3月 15 2007 /bin/ping
-rwsr-xr-x 1 root root 6808 3月 22 2007 /usr/sbin/usernetctl
-rws--x--x 1 root root 34824 3月 15 2007 /usr/sbin/userhelper
-rwsr-xr-x 1 root root 6240 1月 6 2007 /usr/sbin/ccreds_validate
-rwsr-xr-x 1 root root 172200 3月 22 2007 /usr/libexec/openssh/ssh-keysign
-rwsr-xr-x 1 root root 144537 3月 15 2007 /usr/kerberos/bin/ksu
-rwsr-xr-x 1 root root 18544 3月 15 2007 /usr/bin/rcp
-rws--x--x 1 root root 17900 3月 15 2007 /usr/bin/chfn
-rwsr-xr-x 1 root root 13108 3月 15 2007 /usr/bin/rlogin
-rws--x--x 1 root root 70892 1月 10 2007 /usr/bin/sperl5.8.8
-rwsr-xr-x 1 root root 46748 3月 15 2007 /usr/bin/chage
---s--x--x 2 root root 159096 1月 7 2007 /usr/bin/sudoedit
-rws--x--x 1 root root 1820868 3月 15 2007 /usr/bin/Xorg
-rwsr-xr-x 1 root root 8876 3月 15 2007 /usr/bin/rsh
-rwsr-sr-x 1 root root 311288 3月 15 2007 /usr/bin/crontab
-rwsr-xr-x 1 root root 47352 3月 15 2007 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 43976 1月 6 2007 /usr/bin/at
-rws--x--x 1 root root 19064 3月 15 2007 /usr/bin/chsh
---s--x--x 2 root root 159096 1月 7 2007 /usr/bin/sudo
-rwsr-xr-x 1 root root 24556 3月 15 2007 /usr/bin/newgrp
-rwsr-xr-x 1 root root 22984 1月 7 2007 /usr/bin/passwd
[root@localhost ~]#
「chmod u+s」 コマンドや「chmod 4755」 コマンドにてコマンドにsuidを付与する事が出来ます。
