Security Quick-Start HOWTO for Linux

Hal Burgiss

     hal@foobox.net

[ - {

kahara@mars.dti.ne.jp

v. 1.2, 2002-07-21

Revision History
Revision v. 1.2             2002-07-21         Revised by: hb
A few small additions, and fix the usual broken links.
Revision v. 1.1             2002-02-06         Revised by: hb
A few fixes, some additions and many touch-ups from the original.
Revision v. 1.0             2001-11-07         Revised by: hb
Initial Release.

̕ Linux N҂邽߂̊{IȃXebv̂
Bɂ̍ŏ̎ɂȂ邱ƂڎwĂ܂B 

 

Table of Contents
1. Introduction
   
    1.1. Why me?
    1.2. Copyright
    1.3. Credits
    1.4. Disclaimer
    1.5. New Versions and Changelog
    1.6. Feedback
   
2. Foreword
   
    2.1. The Optimum Configuration
    2.2. Before We Start
   
3. Step 1: Which services do we really need?
   
    3.1. System Audit
    3.2. The Danger Zone (or r00t m3 pl34s3)
    3.3. Stopping Services
    3.4. Exceptions
    3.5. Summary and Conclusions for Step 1
   
4. Step 2: Updating
   
    4.1. Summary and Conclusions for Step 2
   
5. Step 3: Firewalls and Setting Access Policies
   
    5.1. Strategy
    5.2. Packet Filters: ipchains and iptables
    5.3. Tcpwrappers (libwrap)
    5.4. PortSentry
    5.5. Proxies
    5.6. Individual Applications
    5.7. Verifying
    5.8. Logging
    5.9. Where to Start
    5.10. Summary and Conclusions for Step 3
   
6. Intrusion Detection
   
    6.1. Intrusion Detection Systems (IDS)
    6.2. Have I Been Hacked?
    6.3. Reclaiming a Compromised System
   
7. General Tips
8. Appendix
   
    8.1. Servers, Ports, and Packets
    8.2. Common Ports
    8.3. Netstat Tutorial
    8.4. Attacks and Threats
    8.5. Links
    8.6. Editing Text Files
    8.7. nmap
    8.8. Sysctl Options
    8.9. Secure Alternatives
    8.10. ipchains and iptables Redux
   
9. Japanese Translation Credits

1. Introduction

1.1. Why me?

̕ǂ񂾕ǂ̂͂ǂȐlł傤BāAʂ
Linux [U[AZLeB̖CɂĂǂ͉̂
ł傤B܂ Linux S҂A Linux VXeC^[lbg
̂悤ȑ傫ȃlbg[NɌq鎞̊{IȃZLeB̖Ɋ
ĂȂlɁA̕ǂł炢ƎvĂ܂B "ZLeB"
̖͂̑ʂLۑłA̕A{EFbu
낢ȃTCgɂ̂Ȃǂł́A͂邩ɏڍׂɍL̖
܂BA̕ Linux Ɋ֌W邻̍ł{IȊTOقǂ
̂ŁAق̍ŏ̈ɉ߂܂B 

  Jul 15 04:24:13  Jul 22 04:06:00ԂiptablesTԃO
ubNꂽڑsF

tcp packets denied, by destination port

port                 count
111                  19
53                   12
21                   9
515                  9
27374                8
443                  6
1080                 2
1138                 1

udp packets denied, by destination port

port                 count
137                  34
22                   1

    

̕\͌̂̂ŁATԂ̉䂪ƂLAN ́A܂ɍOɂ
Ăf[^łB͓̑ Linux VXe^[Qbgɂ
̂悤łBWIɂꂽ"ړI"|[g̑͂悭mĂ Linux 
Unix ̃T[BXŗpĂ̂AȂ̃VXeł͂̑S
CXg[Ă邩mꂸAǂ납̑SĂ
邩m܂B 
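
The table above is a week of firewall log lines summarised by protocol and destination port. As an added example that is not part of the HOWTO, the script below produces that summary from the kernel log format written by the iptables LOG target (the PROTO= and DPT= fields). The log lines embedded in it are constructed for the demo; on a real system the same function would read /var/log/messages or wherever the kernel log is written.

```shell
#!/bin/sh
# Added example (not from the HOWTO): summarise firewall LOG lines by
# protocol and destination port. Assumes the iptables LOG target format
# (space-separated KEY=VALUE fields). The log lines below are constructed.

SAMPLE_LOG=$(cat <<'EOF'
Jul 15 04:24:13 bigcat kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.99 LEN=48 PROTO=TCP SPT=4211 DPT=111 SYN
Jul 15 05:01:55 bigcat kernel: DROP IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.99 LEN=48 PROTO=TCP SPT=4212 DPT=111 SYN
Jul 16 11:09:02 bigcat kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.99 LEN=78 PROTO=UDP SPT=137 DPT=137
Jul 17 02:30:41 bigcat kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.99 LEN=48 PROTO=TCP SPT=1024 DPT=21 SYN
Jul 18 22:12:19 bigcat kernel: DROP IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.99 LEN=78 PROTO=UDP SPT=137 DPT=137
EOF
)

# Read log text on stdin; print "port count" lines for one protocol
# ($1 = TCP or UDP), most frequent port first.
blocked_by_port() {
    awk -v want="$1" '
        {
            p = ""; d = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) p = substr($i, 7)   # value after "PROTO="
                if ($i ~ /^DPT=/)   d = substr($i, 5)   # value after "DPT="
            }
            if (p == want && d != "") count[d]++
        }
        END { for (d in count) printf "%-20s %d\n", d, count[d] }
    ' | sort -k2,2nr -k1,1n
}

# Print the whole report, one table per protocol, like the one above.
report() {
    for proto in TCP UDP; do
        echo "$proto packets denied, by destination port"
        echo
        printf '%-20s %s\n' port count
        printf '%s\n' "$SAMPLE_LOG" | blocked_by_port "$proto"
        echo
    done
}

# Number of blocked packets for protocol $1 to port $2 (empty if none).
count_for() {
    printf '%s\n' "$SAMPLE_LOG" | blocked_by_port "$1" |
        awk -v port="$2" '$1 == port { print $2 }'
}

report
```

Because the awk loop looks for the KEY=VALUE fields by name rather than by position, the function is unaffected by the extra fields (MAC=, TTL=, WINDOW= and so on) that a real LOG line carries, or by a log prefix in front of them.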

ł̏œ_͑SĂ Linux [U[A܂AfAu[g̃z[[
U[ɂA傫ȏpTCgɂʂ̋ЂłBŁAƂ́Ar
IfłȒPȃXebv𓥂ނƂŁA Linux ĂT^IȎ
̃fXNgbv⏬ȃItBX̃VXeȂǂAȂɈSȂ
ɂĊŐЂ̂قƂǂ܂傤BƂA傫ȁA܂
蕡GȊ Linux VXeɑΉ邱ƂɂȂĂA͂̕Ȃ
ȂQlɂȂł傤ǍAɂꂼŗL̏󋵂ɉ
ǂŁAm𓾂邱Ƃł܂BہÁ̕A炭SĂ̐l
ɖ𗧂낤ƎvĂ܂B 

̕ł́Aǎ҂ Linux, lbg[NATCP/IP,  Linux ̂悤
T[o[Iy[eBOVXe𓮂߂̂ڍׂȓ_ɂẮA
قƂǒmȂ̂Ɖ肵܂B܂A̖̕ړIASẴ[
J[U["Mpł"[U[łƉ肵AIȁA܂̓[
Jȃlbg[ÑZLeB̖̏ڍׂɂĂ͑Sc_܂
B̂悤ȏꍇłA͂A͂̕𑱂ēǂނƂ߂
B 

̒T𓱂͈ȉ̒ʂłB

 E eA܂ꔭŉ|閂@Ȃǂ܂B̎iŉX
    邱Ƃ͂ł܂BȂɒPȂƂł͂Ȃ̂łB
   
 E ZLeBƂ͌pKvȃvZXłāABڕWł͂
    ܂B
   
 E 100p[ZgSȃvOApbP[WAfBXgr[V
    ̂͂܂B댯̒x̑召邾łB
   
ŎׂXebv͈ȉ̂悤ɂȂ܂F

 E XebvPFsKvȃT[BX͑SĒ~AꍇɂĂ̓AC
    Xg[B
   
 E XebvQFCXg[Ăǂ̃T[BXɂĂAŐV
    Sȃo[WɃAbvf[gpb`ĂĂ邩mFA
    \A𑱂邱ƁBǂ̃T[o[AvP[VH
    \ĂāÅ͂܂ĂȂł
    B
   
 E XebvRFt@CA[EH[̐|V[A܂̗͂
    邱ƂŁAO̐ڑ𐧌BڕW͌X̏󋵂ł
    AKvŏ̃gtBbN݂̂邱ƂłB
   
 E ӎ邱ƁB̃VXemAɂK؂ɈێS
    邩m邱ƁBVȎ_͏ɌApĂB
    ̈SȃVXeɂ́A܂ĂȂ_Ă邩
    ȂB
   
̕ŜǂގԂȂȂÃXebvPAQARɏW
B̂R̖̖{łBɃT|[g񂪑R
B͖ɗm܂񂪁ASĂ̓ǎ҂ɕKvȏƂ킯
ł͂Ȃm܂B

 

1.2. Copyright

Security-Quickstart HOWTO for Linux

Copyright 2001 Hal Burgiss.

̓̕t[łBȂ킿A Free Software Foundation ɂďo
ꂽ GNU ʌp (GNU General Public License) io[W 2
܂͂ȍ~̔Cӂ̃o[Włj̋K̉ŁAĔzz邱
ƁAсi܂́jAς邱Ƃ\łB

͖̕ɗƂ҂ĔzzĂ܂Au̕ۏ؂
vA܂Ahusꐫv܂́uړIKvɂ
Ă̕ۏ؂܂Bڂ GNU ʌp (GNU General Public
License) QƂĂB

GNU GPL http://www.gnu.org/copyleft/gpl.htmlŎɓ邱Ƃ
܂B 

 

1.3. Credits

̍̕쐬Ăȉ̕XɊӂ܂B

 E Bill Staehle ɂ́AACfAAҏWA܂AĂȂǁASĂ̖ʂŉ
    珕ĂB̑͂̕Ɋ܂܂ĂB Bill ͑傢
    ɁA̓̕eɂďɂȂĂꂽB
   
 E Ǝ菕Ăꂽق̕XF Dave Wreski, Ian Jones, Jacco de
    Leeuw, Indulis Bernsteins ɊӂB
   
 E Linux ƃZLeBɂĊwׂ̑ȏꏊA
    comp.os.linux.security ւ̐X̓e҂ɊӂB
   
 E iptables ƐڑǐՁAVXe邽߂ɖ𗧂Ő[̃c[ɂ
    ẮA The Netfilter Development `[̎dɊӂB
   
 

1.4. Disclaimer

҂͂̓̕eɂĉӔC𕉂܂B̊̕TO
Ȃ̓eɂĂ͓ǎҎg̐ӔCɂĎgpĂB
͐Vł̂ŁAԈႢsmȕ邩܂BقƂ
ǂȂƎv܂AĂ}܂B

͐̕Vl[UɁÃVXeC^[lbgɐڑĂ鎞
ɁÃVXeSɎ邽߂̏o_ƂĂ̂łB
̓̕eKAɓIɈSŁA̐SzȂAvZ@
̂Ǝ咣́ASȂƂƂ𗝉ĂBZL
eB͕GȖłB͌̕o̐󂢃[Uӂׂł
{IȖ̈ꕔl̂ɉ߂܂B

ǎ҂ɂ̓ZLeBɊւق̕LǂނƂ߂܂B
āAWɂāAZLeB̍ŐVɒxȂ悤ɂĂ
BZLeB͈̒BڕWł͂ȂāApvZXȂ̂
B

 

1.5. New Versions and Changelog

݂̌o[W͂˂ http://www.linuxdoc.org/HOWTO/
Security-Quickstart-HOWTO/ Ō܂Bv[Xo[W 
http://feenix.burgiss.net/ldp/quickstart/ ɂ܂B

PDF, PS, ̃t@Cɂ܂Ƃ܂ HTML ȂǁǍ`̃t@ĆA
Linux Documentation Howto ̃CfbNXy[WF http://tldp.org/
docs.html#howto Ō邩܂B

Changelog

Version 1.2: t@CA[EH[XNvg̗̐AunbN
Hv̏͂ɏǉB Zonealarm ^̃AvP[VɂĂ̒ӁBX
NvgLfBBɂ "chattr" ̎gpɂĂɁAĂǂ
`FbN邩B̑̏ȒǉƐB

Version 1.1: lXȒAg[Ƃ̂قƂǂ͏ȒǉB
肷ăXgɂ͏o܂BA "Red Hat" ̂Âo
Ƃ ;-)

Version1.0: ͂̍̕ŏ̃[XłBRg}܂B

 

1.6. Feedback

̕ɂĂ̂ǂȃRgłSđ傢Ɋ}܂BĂ
eOɃo[WŐVł邱ƂmFĂI
<hal@foobox.net>ɃCő܂B

 

2. Foreword

e_ɓOɁAȂAZLeBɒӂ𕥂Kv̂A
ƂɊȒPɓĂ݂܂傤B

pTCgICsA܂͈ɒӂv镶悤Ȑ
{@ւZLeBɊ֐SR͗eՂɗł܂BA
ʂ̃[U[ɂĂ͂ǂł傤HǂĎ̃fXNgbv
Linux gĂ郆[U[AZLeBɂĐSzׂȂ̂ł
H

C^[lbgɐڑĂNWIȂ̂łB͕AP
ƂłBԂ_CAAbvڑĂ̂A펞ڑ
̂́A҂͂傫ȕWIɂȂƂ͌̂́AׂȈႢɉ߂
܂BlɁA傫ȃTCg͂傫ȕWIɂȂ܂A
ďK̓[U[BOɂȂ킯ł͂܂BȂȂA"K
[U["͋ZpႢmꂸA̕AȒPȊlɂȂ₷
mȂ̂łB

܂ɂ̊ȒPȊlTĂ悤Ȕyɂɂ̂łB
Ȃ]܂Ȃڑs̋L^n߂Ȃ΁ÂƂɂCt
Ƃł傤B^ȂA̎s͈̑ӂ̓@AA^bJ
[iUҁj́Aɂ́ANbN̖ڕWƂ Linux box TĂ
̂łBn̔ΑɂNÃv^[{Ɏ؂肽Ă
Ǝv܂H

ł́Aނ͉߂Ă̂ł傤H΂΁Aނ͒PɂȂ̃R
s[^[AIPAhXA܂͑ш悪~m܂B̏
ɂ́Aނ̖͑ڕWU邽߂ɁA܂́AЂƂAƍ߂
Ƃ߂݂邽߂ɂȂ𗘗pA̔wɎ̐̂B
łB͑SɂӂꂽViIłBڂ₷pTCg
͂ƒړIɕWIƂA傫ȖĂ܂AX͊FA
̎̋ʂ̋ЂɌĂ̂łB

[YiuȓAȌĂ΁A Linux ͔ɈSɂȂ蓾܂
ASĎgp\ȃc[pāA΂炵yptȃC^[l
bgڑAT[o[ɂȂ邱ƂA\łBقƂǂ̐N͖̐m
ƕsӂ̌ʂȂ̂łB

_́\

 E g̃VXeRg[łAȂłH
   
 E mȂɔƍߍsׂ̕Ж_SłH
   
 E ̒NɗpꂽłH
   
 E C^[lbgڑXNɂ炳ꂽłH
   
 E VXe𕜋邽߂̂񂴂肷悤ȍƂɎԂ₷͂߂
    Ȃ肽łH
   
 E VXẽf[^댯`łH
   
͑SČIȉ\łBȂK؂ȏȂB


                              Warning                               

ȂɐNĂ܂Ă邩A܂́A^Ă邱Ƅ
Rł̕ǂł̂Ȃ΁Aɂ𓾂邽߂̃VX
e[eBeB͑SĐMp邱Ƃł܂BāAȉ̏͂Ʉ
ĂẮAVXe𕜋邽߂̏ɂ͂ȂȂł傤
B܂ɂnbNĂH̏͂ɔŁA܂ǂł
B                                                              

 

2.1. The Optimum Configuration

zIɂ́At@C[EH[ƃ[^[ƂĈp̃Rs[^
̂]܂ł傤B̓xA{[A܂AKvȃT[BX
R|[lg̃CXg[ŁAT[oނ͈ؓȂ̂łB
VXe̎c͂̐̕p[^[/t@CA[EH[VXeoR
Đڑ܂Bɐڑ\ȃT[oiEFuACȂǁj~
ꍇɂ́A "DMZ" (De-militarized Zone 񕐑nсj̒ɂ
ׂ傤B̃[^[/t@CA[EH[́AO DMZ œĂ
ǂ̃T[BXւ̐ڑvɂĂA̗v"tH[[h"
邱ƂĐڑ܂A̓lbg[N̎c(LAN ƌĂ΂
Ă)Ƃ͐؂藣Ă܂BɂāAȊO̓lbg[N
ǗArISɂĂƂł܂BŁA "댯n"
DMZ ɐ܂B

AN̎̃[^/t@CA[EH[pɂ邽߂̃n[hE
FAĂ킯ł͂܂Bɂ͍Œł̃Rs[^
Kvł傤Bɗp\ȃT[oȂi
ŏ͗ǂlƂ͌܂񂪁jAOɂȂ܂B܂́A܂
 Linux S҂ƁAǂ悢̂܂\ɕĂȂm
܂BŁA̗zIȐݒ肪oȂȂAP̍Ƃ邱
ƂɂȂ܂B

 

2.2. Before We Start

ۂ̐ݒ̏͂ɓOɁA̒ӓ_B

܂ɁALinux ̋[ʂ̈Ƃ Caldera, Red Hat, SuSE,
Debian ƌfBXgr[V̍ق܂B͑S
"Linux" łAʂ̓Ă܂AftHgŃCXg[
邩mȂ[eBeBQɂ͂炩̍mɑ݂܂B
lɁAقƂǂ Linux ̃fBXgr[V͂̃VXe̎O̐
c[Ăł傤B Linux ɂẮAuL̔𔍂
͏ɈR̕@v̂łBAX̋c_̖ړIɂ
ẮAoʓIȃc[QŐׂł傤BcOȂAGUI
c[͂̎̕ŎgƂ͂ł܂BX͂قƂǂ̏ꍇɂ
āAeLXgx[X̃R}hCc[gƂɂȂł傤B
AfBXgr[Ṽ[eBeBɐełȂAK؂ȏ
łɂĂ\܂BAłȂȂÂ悤
c[QK؂ȑpwԂׂł傤B

̏͂́Aǂ߂΂Ŋ߂Ă葱ۂɎsł悤
ɏĂ܂B́̕A^Cgɂ悤 "Quick Start" Ȃ
I

̂߂ɁAȉ̐ݒŕKvɂȂ̂܂F

 E eLXgGfB^BFXȂ̂g܂BȂt@C}l[
    W[AvP[VgȂAgݍ݂̃GfB^܂܂Ă
    ł傤B\łB pico  mcedit ̓́AȂɂ
    Cɓ̃GfB^ĂȂȂAȂȂg₷GfB^
    BɃeLXgGfB^ւ̎葁܂̂ŁA
    dɎ肩ŏɂȂ邩܂BVXe̐ݒt
    @CҏWOɂ́AɃobNAbvRs[Ă悤ɂ
    Ɨǂł傤B
   
 E  GUI GfB^R}hgɂ́A^[~iEBhEJKv
    ܂B xterm, rxvt, gnome-terminal Ȃǂ͑SĎg܂A
    ̂̂ł܂܂B
   
 E eu[gœĂT[BX~邽߂́AefBXgr[
    Vł̕@ǂmׂłA܂炪ǂăpbP[
    Wirpm, deb ȂǁjCXg[AăACXg[̂
    mȂĂ͂܂BĎ̃VXẽ[X̃Abvf
    [głǂŌ邱Ƃł邩B̏͂̃[X
    ̒A܂̓x_̃EFuTCgŌ܂B
   
̕ł͗ƂāA "bigcat" ƂzXgl[VXe
pĐ邱Ƃɂ܂B Bigcat ͍ŐVō Linux fBXgr
[VĂA^VCXg[΂̃fXNgbv}
VłB Bigcat ͏펞AڂɃC^[lbgڑĂ܂BȂ
CXg[Ȃ"^V"ȂĂAŎvƂǂ܂Ȃŉ
BxƂAʂɂ͏AłB

 

3. Step 1: Which services do we really need?

̏͂ł́AVCXg[X̃VXeŁAǂ̃T[BX
Ă邩āAǂꂪ{ɕKvȂ̂߁AȊÔ̂؂
̂Ă܂傤Bǂ̂悤ɃT[o TCP ڑĂ邩ɏڂȂ
A܂̃T[oƃ|[gɂĂ̏͂ǂނƗǂł傤B܂ 
netstat [eBeBɓ݂ȂȂA炩߂̊ȒPȊT
ނƗǂł傤Bɕɂ̓|[gɂĂ̏͂ƁAɑΉT
[BX̏͂܂̂ŁAQlɂȂ邩܂B

ł̖ړI͉\Ȍ葽̃T[BX~邱ƂłBA
S~łȂA܂͏ȂƂOɐڑĂ̂~߂
ȂAςɌ\ȂƂłBȉɎɂȒPȃ[܂
傤F

 E OANZX\ł悤ȃT[BXĂȂĂ
    A\SȃC^[lbgڑƂ͊ɉ\łB\ł
    邾łȂȀꍇꂪ]܂܂Bł̌́A
    JĂȂ|[gʂĎ悭N邱Ƃ͌ďo
    ȂƂƂłBȂȂAJĂȂ΁Aǂ̃T[o
    listen āi܂ājȂłBT[oȂAJĂ|
    [gȂA_ȂAłBȂƂO̐ڑɊւĂ͂
    łB
   
 E ȂT[BXFĂȂƂƁA{ɂ͂
    KvƂĂȂ\͂Ȃ肠܂B肵āA~
    Ă܂Ƃɂ܂傤B͊댯ɕ邩܂񂪁A
    ɑȂȂǂ[łB
   
 E ̃T[BX͂AC^[lbg𑖂点悤ɐ
    vĂ܂BȂ{ɕKvȂ̂ƌ肵
    ĂBɂĂ͊댯Ɗ𗧂ĂĂāȀ͂Ŏg
    Ƃɂ܂̂ŁA炪{ɕKvȃT[BXŁAɗǂ֍
    Ȃꍇɂ́AĂB
   
 

3.1. System Audit

ŁAǂ̃VXeł͎ۂɉĂ̂ł傤HĂ
"ႢȂ"̂A܂́A"vĂ"̂ۂɓĂ邩
ǂAR̂ƂƎv̂͂߂܂傤B

cOȂAW Linux CXg[Ƃ݂̂͑܂B\
T[BXɂ͕LoGeBAefBXgr[Vɂ͂
̃CXg[IvVĂāAOẴXg
Ƃ͕s\łBőP̂Ƃ́AĂSẴT[BX𐔂グ
@AՓIȕ֓ƂłB

Axterm JāA su Ń[gɂȂ܂傤Bs܂ԂȂ
ɃEBhELKvł傤BR}hAnetstat -tap |grep
LISTEN gĂBɂāALISTEN ƂL[[h
ĂSĂ̌ݓ쒆̃T[oAeT[BXX^[g "PID" 
"vO" ƂƂɁAXgAbv܂F


# netstat -tap |grep LISTEN
  *:exec               *:*        LISTEN    988/inetd
  *:login              *:*        LISTEN    988/inetd
  *:shell              *:*        LISTEN    988/inetd
  *:printer            *:*        LISTEN    988/inetd
  *:time               *:*        LISTEN    988/inetd
  *:x11                *:*        LISTEN    1462/X
  *:http               *:*        LISTEN    1078/httpd
  bigcat:domain        *:*        LISTEN    956/named
  bigcat:domain        *:*        LISTEN    956/named
  *:ssh                *:*        LISTEN    972/sshd
  *:auth               *:*        LISTEN    388/in.identd
  *:telnet             *:*        LISTEN    988/inetd
  *:finger             *:*        LISTEN    988/inetd
  *:sunrpc             *:*        LISTEN    1290/portmap
  *:ftp                *:*        LISTEN    988/inetd
  *:smtp               *:*        LISTEN    1738/sendmail: accepting connections
  *:1694               *:*        LISTEN    1319/rpc.mountd
  *:netbios-ssn        *:*        LISTEN    422/smbd


ł́A͂߂̎O̃R͌₷悤ɏȂĂ邱ƂɒӂĂ
BȂXg̗Ɠ炢̂ȂAꂩ
班Ȃʎd҂\Ă܂Iɋ߂̃T[oۂɓ
ĂKv邱Ƃ́A܂肻ɂȂƂłB

̗͂̃VXeݒ̂ق̈̗ɉ߂ȂAƂƂ
ӂĂBȂ̏ꍇɂ͂Ԃƈ̂ł邩m
B

̂ǂ̂Ƃ番ȂHnetstat ̃`[gAǂ
A̓𗝉ĂĂ邱ƂƎv܂AɋŊeT[o
Ȃ̂ÂAmɗ邱Ƃ́A͈̔͂̕Ɋ
܂܂BÃT[BXۂɏdvȂ̂Ȃ΁AX̃VXe
ɂĂ̕iႦ΁ACXg[KChA man y[WȂǁj𒲂
Ȃ΂ȂȂł傤BႦ΁A"exec", "login", "shell" ͏dv
܂H񂻂łBA͎ۂ͂̌ʂ̂
̂ł͂܂B̂ƂA rexec, rlogin, rsh Ƃ"r"
R}hA܂胊[gp̃R}hłB͌ÏLāAsKvŁA
ۂ̂ƂAC^[lbgɂ炵ĂƔɊ댯łB

KvŉKvłȂAĉ̂Ăĉ bigcat ɂĂ
ɂĊȒPȉAOApӂĂ܂傤B bigcat ̓fXN
gbvő点Ă܂A X11 ͎cKv܂B
bigcat ̃T[oɎgĂȂA X11 ͕svł傤
BIɂȂv^ȂAv^ (lp) f[͎c
ׂłBłȂȂv܂BvgT[o͖QɌ
A|[gJ܂܂ɏôŁA͂ݓIȃ^[QbgɂȂ
B̃zXg bigcat ̒ɃOC\肪ȂA sshd
iZLAVFf[jKvł傤BX LAN  Microsoft ̃z
XgȂ΁A Samba ~܂BłAsmbd ͎c
ȂĂ͂܂񂪁AłȂΑSsKvłB̗ł͂̑
̂͑SAiÎ͎RłAjʏ̋@\̃VXeȂsKv
ŁA炭؂̂Ăׂł傤BȂFĂȂ̂H
ӂȂ̂H͐؂܂傤I

_Fbigcat ̓v^ȂĂfXNgbv}VłA
"x11"  "printer" KvɂȂł傤B bigcat  MS zXgƂƂ
LAN ɂāAt@CLA炩肵܂A
"netbios-ssn" (smbd) KvłB܂̃}V烍OCł悤
A "ssh" KvłB̓̏ꍇɂẮȂ̂̂͑SĕsKv
łB

ꂪSzłHȂAsύX߂ĂA܂
AR}hF netstat -tap |grep LISTEN > ~/services.lstgāA 
netstat 瓾T[õXgۑĂ̂悢ł傤B̃R}
hŏɎQƂ邽߂̃Xg "services.lst" ̖OŃz[fB
Ngɕۑ܂B
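
Saving the netstat output as services.lst is only useful if you compare against it later. The script below is an added example, not from the HOWTO: it turns "netstat -tap | grep LISTEN" lines into sorted "port program" pairs and reports listeners that appeared or disappeared between two audits. Both listings embedded in it are constructed for the demo (the second one contains a made-up "unknownd" on port 8080); on a live system you would feed it the saved services.lst and fresh netstat output.

```shell
#!/bin/sh
# Added example (not from the HOWTO): compare two netstat LISTEN audits.
# The listings below are constructed; "unknownd" is a made-up program name.

BEFORE='  *:exec               *:*        LISTEN    988/inetd
  *:login              *:*        LISTEN    988/inetd
  *:shell              *:*        LISTEN    988/inetd
  *:printer            *:*        LISTEN    988/inetd
  *:x11                *:*        LISTEN    1462/X
  *:ssh                *:*        LISTEN    972/sshd
  *:telnet             *:*        LISTEN    988/inetd
  *:sunrpc             *:*        LISTEN    1290/portmap
  *:netbios-ssn        *:*        LISTEN    422/smbd'

AFTER='  *:x11                *:*        LISTEN    1462/X
  *:ssh                *:*        LISTEN    972/sshd
  *:netbios-ssn        *:*        LISTEN    422/smbd
  *:8080               *:*        LISTEN    2011/unknownd'

# stdin: netstat lines; stdout: unique "port program" pairs, sorted.
# The LISTEN column is located by name, so it works both on the trimmed
# listing shown in this section and on full "netstat -tap" output
# (Proto Recv-Q Send-Q Local Foreign State PID/Program).
listeners() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "LISTEN" && i >= 3 && i < NF) {
                port = $(i - 2); sub(/^.*:/, "", port)          # drop "host:"
                prog = $(i + 1); sub(/^[0-9]+\//, "", prog)     # drop "PID/"
                sub(/:$/, "", prog)                             # "sendmail:" -> "sendmail"
                print port, prog
            }
    }' | sort -u
}

# Print "+ port program" for listeners only in $2 (new since the baseline)
# and "- port program" for listeners only in $1 (gone since the baseline).
audit_diff() {
    old=$(printf '%s\n' "$1" | listeners)
    new=$(printf '%s\n' "$2" | listeners)
    printf '%s\n' "$new" | while read -r line; do
        printf '%s\n' "$old" | grep -qxF -- "$line" || echo "+ $line"
    done
    printf '%s\n' "$old" | while read -r line; do
        printf '%s\n' "$new" | grep -qxF -- "$line" || echo "- $line"
    done
}

audit_diff "$BEFORE" "$AFTER"
```

Lines beginning with "+" are the ones to investigate after an update or a reboot: a listener you did not deliberately add is exactly what this audit is meant to catch.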

ŎcƂɌ߂̂ASȂ̂Ƃ͌܂BP
A炪Kvł낤AƂłBłAt@CA[EH[
iȉɂ悤ȁj̕@ʂāAȂ΂܂B

̗̒ telnet  ftp f[̓T[ołA "Xi["i|[g
Ŏ܂ẮjƂƂ́AӂĂlł傤
B͂Ȃ̃}VɓĂڑ󂯕t܂BȂP 
ftp ܂ telnet NCAgg߂ɂ́A͕KvȂA]
łȂƂłBႦ΁AȂ͒P ftp NCAgpāA FTP
TCgt@C_E[h邱Ƃł܂BȂ̑ ftp T
[o𑖂点Kv͂܂܂񂵁A[ȃZLeB̖
ƂɂȂ܂B

X̎ɂẮAœ_ɗO݂ǂƂł
傤B̏͂QƂĂB 

 

3.2. The Danger Zone (or r00t m3 pl34s3)

ȉ̓C^[lbgő点ׂłȂT[BX̃XgłB
͓Ȃ悤ɂĂiȉĂjAACXg[
ĂB܂́A{ɂ̃T[BX[Jő点
ȂA炪ŐṼpb`𓖂Ăo[WłAAʓIɃt@
CA[EH[ŎĂ邱ƂmFĂBāÂƂ
t@CA[EH[ĂȂƂȂAt@CA[EH[
ēK؂ɓĂ邱Ƃ؂܂ŁÃT[BX~߂
ĂB͂̐炵ĐݓIɊ댯łANbJ[
̈Ԃ̕WIɂȂ܂B

 E NFS (Network File System lbg[Nt@CVXe)ƁA nfsd,
    lockd, mountd, statd, portmapper Ȃǂ́Å֘AT[BXB NFS
    ̓lbg[NoRăt@CVXeLW Unix T[
    BXłBLAN ŗpɂ͑f炵VXełAC^[lb
    gł͊댯łBāAX^hA[̃VXeł͂܂s
    vȂ̂łB
   
 E rpc.* T[BXA[gvV[W Call.*, ȂǁBT^IȂ̂
    NFS  NIS Ɋ֌ẂiQƁjłB
   
 E v^T[BXilpdj
   
 E  r* T[BXi"remote" ܂ARemote SHell  r jF
    rsh, rlogin, rexec, rcp ȂǁBsKvŁASłȂAݓIɊ댯
    A̋@\KvȂƂɂ͂ǂ[eBeB܂
    B ssh ͂̃R}hɏo邱Ƃ͉łoł傤A
    ͂邩ɌSȕ@łł܂BȂ炻ꂼ man y[W
    ĂB͑A "r"  netstat o͂ɎĂ
    ł傤FႦ΁Arlogin ͒P "login" ȂǁB
   
 E telnet T[oB͂₱p闝R͂܂B sshd 
    gĂB
   
 E ftp T[oBقƂǂ̃VXeɂ́A scp Ahttp oRȂǂ́iȉ
    QƂ̂ƁjAt@C邽߂̂ǂAƈSȕ@
    ܂B ftp ͐p ftp T[o𑖂点ĂāAƂ̖
    |鎞ԂƃXL̂lɂƂĂK؂ȃvgRłB
    łȂ΁AݓIɑ傫ȃgǔɂȂ܂B
   
 E BIND (named), DNS pbP[WB炩΁A͑傫ȃ
    XNȂɎg܂Ȁꍇɂ͕Kv̂Ȃ̂łA
    gɂʂȈv܂BȌ͂ƁAʂ̃AvP[
    V̓ʂȈQƂĂB
   
 E CzG[WFgA܂ "MTA" (sendmail, exim, postfix,
    qmail)B̃Rs[^̃CXg[ł͂قƂǂ̏ꍇA
    炪{ɕKvɂȂ邱Ƃ͂Ȃł傤BȂAC^[lbgz
    Xgiw肳ꂽ MX box ƂājڂɃC󂯎̂ł͂
    AvoC_ POP T[oĝȂKv܂B LAN ̑
    ̃zXg璼ڃC󂯎Ă̂Ȃ΁AKv܂
    Aŏ͂𓮂ȂSłBɁAt@CA[EH[
    ANZX|V[ݒ肳ĂA[JC^[tF[Xœ
    Ƃł܂B
   
ȏ͕KSȃXgł͂܂BAftHg Linux C
Xg[ł͎XAŏ瓮ĂT[BXƂėǂ̂
ƂƂłBċtɌ΁ÃXgɏoĂȂ̃T[BX
ƂSȂ̂ƂƂł܂B

 

3.3. Stopping Services

̃Xebv͉X́uẼXgvɋĂeT[oǂŊJn
ꂽ̂𒲂ׂ邱ƂłBꂪ netstat ̏o͂疾炩łȂȂ
AŌ̃R "Program name"  "PID" ̏񂩂Aps, find, grep, 
locate Ȃǂ̃R}hgĂȂ𓾂ĂB̗Ⴊ
netstat `[gÃvZX̏L҂̏͂ɋĂ܂BT
[BX|[gԍ݂̂Ȃ̂ȂÃVXe /etc/
services t@CɊȒPȉ܂B

AX͎̃VXe󂵂āA~ɕԂ炸ȂǂƂ
ɂȂȂAƐSzĂ̂ł͂ȂłHȂAĂ
ĂF܂A"댯n"ŏ̃XgɋSĂ~A
Ă΂炭̊ԃVXe𑖂点Ă݂܂BvłHŕsKvƔ
f̂̈~߂Ă݂܂傤Bł΂炭VXe𑖂点
Ă݂܂B̎葱ŏ̏ԂɂȂ܂ŌJԂ܂Bꂪ܂
΁A̕ύX̗pĂ̂܂ܕۂ܂傤BiȉQƂĂ
Bj

ɂ̖ړĨ͍T[BX~邱Ƃł͂ȂāAꂪPIɒ
~Ă邱Ƃ͂肳邱ƂłIłAȂłǂ
悤ȃXebvƂɂAɃu[gɂ͕KmFĂ
B

VXẽT[BX͗lX̏ꏊŐFXȕ@ŊJn܂B̍ł
ʂ̕@Ă݂܂傤BȂ̃VXe炭̂悤ɓĂ
邾낤Ǝv܂BقƂǂ̃fBXgr[VɂāAVXe
̃T[BX͓T^Iɂ "init" XNvgA܂ inetd i܂͂̑
֕ł xinetdĵǂ炩ɂĊJn܂Biinit XNvg
uĂꏊ̓fBXgr[VɂāAlX܂B
j

 

3.3.1. Stopping Init Services

init T[BX͓T^Iɂ́Au[gvZXA܂̓x̐؂ւ
ɎIɊJn܂Bǂ̃T[BXǂ̃xŊJnA~
邩肷邽߂ɂ́AV{bNNg@܂BXN
vgg /etc/init.d/ ̒i܂́A /etc/rc.d/init.d/ ̒
܂jɒuĂ͂łB init ̕ Red Hat, SuSE,
Mandrake, Debian, COnectiva ȂǂقƂǂ Linux ŗpĂ܂B
Slackware ͒ӂׂÖłIiŋ߂̃o[Wł͂̃IvV
Ă܂BjT^Iɂ Slackware ł̓VXeT[BX͈
̃t@C /etc/rc.d/rc.inet2 őSĐݒ肳܂B

ȉ̂悤ɂ΁ÃXNvg̃Xg𓾂邱Ƃł܂B


  # ls -l /etc/init.d/ | less


܂͊efBXgr[VŗpӂĂÂ߂̃c[g
ĂB

iɈʓI SysV init X^C̃VXeł́jĂT[BX
A~߂ɂ́A root ɂȂĈȉ̂悤ɂ܂F


 # /etc/init.d/<$SERVICE_NAME> stop


 "$SERVICE_NAME" ͂ init XNvg̖OŁAɂł͂܂
񂪁A΂΂̃T[BX̖Ô̂ƓłB͂قƂǂ
fBXgr[VŎgłBÂ Red Hat o[Wł͑
 /etc/rc.d/init.d/ pXɂȂĂ邩܂B

͂̓̃T[BXA~邱Ƃł邾ŁAǉIȃX
ebvƂȂ΁Ãu[gA܂̓xύXɂ͍ăX^
[gĂ܂܂BłAinit ^̃T[BXɂẮA̍Ƃ
ۓiK̃vZXƂƂɂȂ܂B

efBXgr[Vł́AlXȃxłǂ̃T[BXJn
邩𐧌䂷邽߂̃[eBeBg悤ɂȂĂł傤B
Debian ɊÂVXeł͂̂߂ update-rc.d ܂A Red
Hat ɊÂVXeł chkconfig ܂B̃c[Ɋe
łȂAgāÃu[ǧɍă`FbNĂ
B̃c[ɊĂȂ̂łA man y[WčA׋
܂傤I͒mĂȂĂ͂ȂȂ̂łB Debian ł͎̂悤
ɂ܂iȉŁA$SERVICE_NAME  init XNvg̖OłjF


                                                                    
  # update-rc.d -f $SERVICE_NAME remove


Red Hat ł́F


                                                                    
 # chkconfig $SERVICE_NAME off


T[BXKvłȂƂ킩ĂȂA܂̎i
̃pbP[WACXg[Ă܂ƂłB͂ȂȂǂ
AԈႢ̂Ȃ@ŁAPIɒ~ł܂B܂̕@́ACXg[
Ă邷ׂẴpbP[WAbvf[gčŐV̂̂ɕۂ
iXebvQjAƂݓIȖĂĂ܂B RPM  DEB
ƂpbP[WǗVXeg΁ACςƂɃpbP[W
ăCXg[̂ƂĂȒPłB
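
update-rc.d and chkconfig manage symlinks in the rcN.d directories, and it helps to see what those tools actually change. The script below is an added example, not from the HOWTO: it builds a small constructed SysV tree under a temporary directory, lists what would start in a runlevel by reading the S## links, and removes a service's start links the way "update-rc.d -f NAME remove" does (chkconfig off renames them to K## links instead). It assumes the layout init.d plus rcN.d side by side, as under /etc on Debian; on Red Hat the same tree lives under /etc/rc.d.

```shell
#!/bin/sh
# Added example (not from the HOWTO): what the runlevel links look like.
# A service starts in runlevel N when rcN.d holds S##name -> ../init.d/name;
# a K##name link stops it. The tree below is constructed under a temp dir.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/init.d" "$WORK/rc3.d" "$WORK/rc5.d"
for s in sshd lpd portmap nfs xinetd; do
    printf '#!/bin/sh\n' > "$WORK/init.d/$s"     # stand-in init scripts
done
ln -s ../init.d/portmap "$WORK/rc3.d/S13portmap"
ln -s ../init.d/sshd    "$WORK/rc3.d/S55sshd"
ln -s ../init.d/xinetd  "$WORK/rc3.d/S56xinetd"
ln -s ../init.d/lpd     "$WORK/rc3.d/S60lpd"
ln -s ../init.d/nfs     "$WORK/rc3.d/K20nfs"       # K link: stopped, not started
ln -s ../init.d/sshd    "$WORK/rc5.d/S55sshd"

# Names of the services started in runlevel $2 under tree $1, in the
# order init runs them (the two-digit sequence number sorts the links).
starts_in_runlevel() {
    for link in "$1/rc$2.d"/S[0-9][0-9]*; do
        [ -L "$link" ] || continue
        name=$(basename "$link")
        echo "${name#S[0-9][0-9]}"          # strip the "S##" prefix
    done
}

# Remove every start link for service $2 in every runlevel of tree $1,
# which is the effect of "update-rc.d -f $2 remove".
disable_service() {
    for link in "$1"/rc[0-9].d/S[0-9][0-9]"$2"; do
        [ -L "$link" ] || continue
        rm "$link"
    done
}

RL3_BEFORE=$(starts_in_runlevel "$WORK" 3 | tr '\n' ' ' | sed 's/ $//')
echo "runlevel 3 starts: $RL3_BEFORE"
```

After disable_service the init script itself is untouched in init.d, so "/etc/init.d/NAME start" still works by hand; only the automatic start at boot is gone, which is the point of the step.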

 

3.3.2. inetd

inetd ̓Tuf[𐶂ނ߂ɎĝŁA "X[p[f[" ƌ
΂܂B inetd g͈ʂ init XNvgoRŊJnAݒt@C
 /etc/inetd.conf ŉ\ɂȂĂT[BXɂČ܂lXȃ|[
g "܂"ƂɂȂ܂BŋĂǂ̃T[BX
inetd ɐ䂳܂BlɁA"vO"̌̍Ō̃R
"inetd" ƏĂ netstat o͂̒ listen Ăi܂A
܂ĂjT[o͊FA inetd ɂĊJn邱ƂɂȂ܂B
̃T[BX~邽߂ɂ́A inetd ̐ݒ𒲐Kvł
傤B xinetd  inetd ̂̊gꂽ֕łAݒ@͈قȂ܂
iȉ̎̏͂ĂjB

ȉ͓T^I inetd.conf ̔łBs̍ŏ "#" ĂT
[BX "RgAEg"ĂāA inetd ɂ͖̂ŁA
ƂĖɂ܂B


#
# inetd.conf  This file describes the services that will be available
#    through the INETD TCP/IP super server.  To re-configure
#    the running INETD process, edit this file, then send the
#    INETD process a SIGHUP signal.
#
# Version:  @(#)/etc/inetd.conf  3.10  05/27/93
#
# Authors:  Original taken from BSD UNIX 4.3/TAHOE.
#    Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
#
# Modified for Debian Linux by Ian A. Murdock <imurdock@shell.portal.com>
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo  stream  tcp  nowait  root  internal
#echo  dgram  udp   wait    root  internal
#discard  stream  tcp  nowait  root  internal
#discard  dgram  udp   wait    root  internal
#daytime  stream tcp   nowait  root  internal
#daytime  dgram  udp   wait    root  internal
#chargen  stream tcp   nowait  root  internal
#chargen  dgram  udp   wait    root  internal
time  stream    tcp   nowait  root  internal
#
# These are standard services.
#
#ftp     stream  tcp   nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp   nowait  root  /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
#login  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rexecd
#comsat dgram   udp  wait    root  /usr/sbin/tcpd  in.comsat
#talk   dgram   udp  wait    root  /usr/sbin/tcpd  in.talkd
#ntalk  dgram   udp  wait    root  /usr/sbin/tcpd  in.ntalkd
#dtalk  stream  tcp  wait    nobody /usr/sbin/tcpd in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
pop-3    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#
# The Internet UUCP service.
#
#uucp  stream tcp nowait uucp /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
#

<snip>


̗ł͓̃T[BXA time  pop3 \ɂȂĂ܂B
𖳌ɂɂ́AeLXgGfB^ł̃t@CJāA̓̃T
[BX "#" ŃRgAEgAt@CۑāAi[gƂāj
inetd ăX^[g邾łF


  # /etc/init.d/inetd restart


G[ȂO𒲂ׂāA netstat Ăё点ASĂ܂sĂ
邩m߂ĂB

葁ɂ́Aȉ̂悤 grep g܂B


 $ grep  -v '^#' /etc/inetd.conf
 time     stream  tcp     nowait  root  internal
 pop-3    stream  tcp     nowait  root  /usr/sbin/tcpd  ipop3d


܂ĂAꂪmȂ̂oĂ܂HłA\
゠Ȃ͂gĂȂ̂ŁAׂłB

init T[BX̐ݒƂ͈āA͌܂őύXȂ̂ŁAKvȂ̂
̃Xebv񂾂łB

ɍLĂ̐_b\I܂傤F /etc/services t@C
獀ڂRgAEg폜肷邱ƂŁAT[BX𖳌
ׂł͂܂B͂ꍇɂ́A]񂾌ʂ邩
܂񂪁A@ł͂ȂÃVXe[eBeB̒ʏ̑
ז邱ƂɂȂ邩܂B

 

3.3.3. xinetd

xinetd ͊gꂽ@\ inetd ̑֕łB͖{I inetd
ƓړIʂ܂Aݒ肪قȂ܂Bݒ /etc/xinetd.conf t
@CA /etc/xinetd.d/ fBNǧʂ̃t@CōsƂł
܂B xinetd T[BX̒~́AΉݒӏt@C폜
Ƃŉ\łB܂́AeLXgGfB^pāAPɓKȃT[BX
ɂ disable = yes Ɛݒ肷邱Ƃł\łB̂ƂAxinetd 
ăX^[gKv܂B\ƐݒIvVɂĂ man xinetd
 man xinetd.conf ĂBȉxinetd ̐ݒłF


 # default: on
 # description: The wu-ftpd FTP server serves FTP connections. It uses \
 #       normal, unencrypted usernames and passwords for authentication.
 service ftp
 {
        disable                 = no
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/in.ftpd
        server_args             = -l -a
        log_on_success          += DURATION USERID
        log_on_failure          += USERID
        nice                    = 10
 }


ȉ̂悤ɁA삵ĂT[BX̃XgȒPɓ邱Ƃł܂
B


 $ grep disable /etc/xinetd.d/* |grep no
 /etc/xinetd.d/finger:   disable = no
 /etc/xinetd.d/rexec:    disable = no
 /etc/xinetd.d/rlogin:   disable = no
 /etc/xinetd.d/rsh:      disable = no
 /etc/xinetd.d/telnet:   disable = no
 /etc/xinetd.d/wu-ftpd:  disable = no


ŁȀo͂ɂ͂ԐM_Ă܂B|ĨVXe
ł́ÂǂeȂɒ~ł܂BmāH̃T[BX
~ĎĂ݂ĂBsKvȃT[BX𖳌āAxinetd 
X^[gĂB


  # /etc/init.d/xinetd restart
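
The two grep checks in the inetd and xinetd sections above can be combined into one small audit. The script below is an added example, not from the HOWTO; it writes constructed configuration fragments into a temporary directory so it runs anywhere, and it also catches an xinetd service file with no disable line at all, which xinetd treats as enabled (unless the defaults block disables it) and which the "grep disable ... | grep no" check would miss. On a real system, point inetd_enabled at /etc/inetd.conf and xinetd_enabled at /etc/xinetd.d.

```shell
#!/bin/sh
# Added example (not from the HOWTO): which services inetd and xinetd
# would actually start. The config fragments below are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/inetd.conf" <<'EOF'
# comment lines and blank lines are ignored by inetd

#echo   stream tcp nowait root internal
time    stream tcp nowait root internal
#ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
pop-3   stream tcp nowait root /usr/sbin/tcpd ipop3d
EOF

mkdir -p "$WORK/xinetd.d"
cat > "$WORK/xinetd.d/telnet" <<'EOF'
service telnet
{
        disable         = no
        socket_type     = stream
        server          = /usr/sbin/in.telnetd
}
EOF
cat > "$WORK/xinetd.d/finger" <<'EOF'
service finger
{
        disable         = yes
        socket_type     = stream
        server          = /usr/sbin/in.fingerd
}
EOF
cat > "$WORK/xinetd.d/rsync" <<'EOF'
# no disable line at all: xinetd treats this service as enabled
service rsync
{
        socket_type     = stream
        server          = /usr/bin/rsync
}
EOF

# Service names (first field) of the lines in $1 that inetd will act on:
# everything that is not blank and not a comment, even an indented one.
inetd_enabled() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# Files in xinetd directory $1 whose service is not explicitly disabled.
xinetd_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            continue
        fi
        basename "$f"
    done
}

INETD_SERVICES=$(inetd_enabled "$WORK/inetd.conf" | sort | tr '\n' ' ' | sed 's/ $//')
XINETD_SERVICES=$(xinetd_enabled "$WORK/xinetd.d" | sort | tr '\n' ' ' | sed 's/ $//')
echo "inetd starts:  $INETD_SERVICES"
echo "xinetd starts: $XINETD_SERVICES"
```

Run both lists against the netstat audit: every name that shows up here should also be one you have consciously decided to keep, and after editing the files the relevant superserver still has to be restarted before netstat will reflect the change.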


 

3.3.4. When All Else Fails

ȂT[BX~"" @ȂƂĂA
܂́AJnĂ邠T[BXǂĂǂŊJnꂽ̂
ȂƂĂAvB̃vZX"E"Ƃł܂Bs
ɂ́APIDivZXI.D.jmKv܂B ps, top, fuser
ƂR}hA܂͑̃VXe[eBeBgČ邱
ł܂B top  ps ɂẮAŏ̃RɏoĂ鐔ł
BɂẮÃ|[gƃvZXI[i[ĂB

i[gŁjF


 # kill 1163


āÃvZXĂ邱ƂmF邽߂ɁAx top  
ps 𑖂点ĂB


 # kill -KILL 1163


̓ԖڂɏoĂ "KILL" ɒӂĂB̖߂́ÃvZ
XLĂ郆[UA܂̓[ĝǂ炩ɂāAsȂ
΂Ȃ܂BāÃvZXǂǂĊJnꂽ
ɂ܂傤 ;-)

/proc t@CVXe͊evZXɂĂ̂Ȃo
߂ɗp邱Ƃł܂B PID gāÃvZXւ̃pX
Ƃł܂B


 $ /bin/ps ax|grep tcpgate
  921 ?   S    0:00        tcpgate



 # ls -l /proc/921/exe
 lrwxrwxrwx 1 root  root  0 July 21 12:11 /proc/921/exe -> /usr/local/bin/tcpgate


 

3.4. Exceptions

ł́ASĂ̕sKvȃT[BX~p܂Aɂ
͂ȂɖȂƂł͂܂BāA܁Al̐ݒŗv
Ă邱Ƃ́A̐lɂƂĂ̂̂ƈقȂ邩m܂B̂悤
JeS[ɓAÖʓIȃT[BXĂ݂܂傤B

ĂсAX̖ڈƂȂ̂́AKvƂĂȂ̂͂点ȂA
ƂPȃ[łB̂ǂKvƂĂȂȂAt@C
[EH[̃[⑼̎dg݁iȉĂjɂ邱̎̐
|V[^cɂāAԂɒ~ׂłB

 E identd - ͂ȂNG̓vgRŁA΂΃ftHg
    CXg[ꑖĂ܂B̓T[oɂȂĂ҂ɂ
    Ă̍ŏ̏𓾂邽߂̂̂łBA͑̏ꍇAK
    vł͂܂Bł́AǂŕKvɂȂł傤HقƂǂ IRC
    T[o͂KvƂ܂B̃CT[ogĂ܂
    Aۂ͕Kv܂Bꔲł̃CݒĂ݂Ă
    BAidentd ɂȂȂA̗R̓T[oC𑗂
    󂯎肷OɃ^CAEg邱Ƃł傤BłAC
    ͂ꔲłƓ͂łA͒xȂ邩܂
    BAO ftp T[o͂KvƂ܂BAقƂǂ̂
    ł͗v܂B
   
    Aidentd KvȂ΁Aȉ̂悤ɁA񂹂傢Ɍ炵
    ݒIvV܂F
   
    
                                                            
        /usr/sbin/in.identd in.identd -l -e -o -n -N
    
   
    -o tbO identd ɁȀőĂOS ̃^CvA
    ̂ɏ "OTHER" Ԃ悤`܂B -e tbO identd 
    A "NO-USER"  "INVALID-PORT" G[̑ɏ "UNKNOWN-ERROR"
    Ԃ悤`܂BȂ[U閧ɂĂȂA
    -n tbO identd ɁA[ȖɏɃ[UԍԂ悤
    ɓ`܂B -N tbO identd ɁAf[[UԂ
    Ă邻̃[Ũz[fBNgɂ .noident `FbN
    ܂B̃t@C݂΁Af[͕ʂ "USERID" ̑
     "HIDDEN-USER" G[Ԃ܂B
   
 E CT[oisendmail, qmail Ȃǂ̂悤MTAj|΂ sendmail
    ̂悤ȊSȋ@\CT[oftHgŃCXg[
    Ă܂BꂪۂɕKvɂȂ̂́AhC̃zXgĂāA
    ڂɓĂ郁C󂯎ƂłB邢́ALAN Ń
    CƂłȀꍇɂ̓C^[lbgɂ炷Kv
    ܂񂵁ASɃt@CA[EH[Ŏ邱Ƃł܂Bvo
    C_ւ POP CANZX̂߂ɂ́A悭sĂݒł͂
    ܂ACT[oKvƂ܂B̑̎ï́A
    [JȔzG[WFg -m IvVŎw肵 fetchmail  POP
    Cɍs邱ƂłFႦ΁Afetchmail -m procmail 
    sendmail f[SĂȂĂƓ܂B sendmail
    ͑点Ăƕ֗Ȃ̂ł͂܂Ał̃|CǵA
    ͑̏ꍇ͕Kvł͂ȂA~邩A܂̓t@CA[EH[
    ňSɎ邱ƂoAƂƂȂ̂łB
   
 E BIND (named) |͂΂΃ftHgŃCXg[Ă܂
    AۂɕKvɂȂ̂́AhĆAI[\CYꂽl[T
    [o^pƂłBȂꂪӖĂ̂
    悭킩ȂȂA͐΂ɕsvłB炭ABIND ̓C^[
    lbgňԑ_Ă^[Qbgł傤B BIND ́A "LbV
    O" I[[hł΂ΗpĂāA͑ϕ֗ł
    AC^[lbgɊSɂ炷Kv͂܂B܂A͓Kp
    𐧌邩At@CA[EH[ŎׂłBȉ̌ʂ̃Av
    P[V̓ʂȉ^p@̉ӏQƂĂB
   
 

3.5. Summary and Conclusions for Step 1

̏͂ł́AVXełǂȃT[BXĂ邩𓯒肷@
wсAǂꂪKvȃT[BX߂邽߂̃|CgЉ
BɁÃT[BXǂŊJnꂽ̂A
~@wт܂Bꂪ悭ĂȂ悤ȂA
ݕԂǂ`XłB

]ނ炭́AȂ͏ŎXebvɂƂĂĂ邱Ƃł
B̌ʂ netstat ōēxeXgāA]݂̌ʂBĂ邱
AāA{ɕKvȃT[BXĂ邱ƂmFĂ
B

̃u[gApbP[WXViVݒ肪ƔEэ
ȂƂmF邽߂łjAăVXeAbvO[hꂽ
VɃCXg[ꂽ͏ɁÂ悤ȃ`FbN邱Ƃ
߂܂B

 

4. Step 2: Updating

mɁȀ͂͏̏͂ɔׂāAZAPŁAړIȂ̂ł͂܂
Ȁ͂Ɠ炢dvłB

VȃCXg[̌ɂ܂ŏɂׂƂ́AfBXgr[V
̃Abvf[gƃZLeB̒ӂ`FbNāAׂẴpb`
Ă邱ƂłBNÂȂAłāH͎ے
ԂAŜ߂ɂ͏[VƂ͌܂BA܂
TԂłāHƂɂ`FbNĂBH
͂ł傤BZLeB֌W̃Abvf[gAJ
v[XtFCYƃ[XTCN̊ԂɃ[XĂ邱Ƃ́A
ɂ肤邱ƂłB̍ƂłȂƂȂAł܂Ō
ɃANZX\ȌJT[BX͑SĒ~ĂB

Linux ̃fBXgr[V͐ÓIȂ̂ł͂܂BKvɉ
AVApb`ĂꂽpbP[WɃAbvf[gĂ܂BAb
vf[gƂ̓IWĩCXg[ƑSxɏdvłB
A̓tBbNXiCjł镪Advł܂BɁA
̃Abvf[g̓oOEtBbNXłAƂ΂΋N̂́A
VɃZLeBz[߂́AZLeBEtBbNX
ꍇłB̂悤"iZLeBz[j" ̓NbJ[̃R~
jeBɂɒm܂BĔނ͂΂₭傫Lp
Ă܂͂łBUAZLeBz[mꂽAʂ
N邱Ƃ͋ɂ߂ĊȒPȂƂŁAT҂Rł傤B
 Linux J҂͓炢ftBbNX܂Bɂ́AZL
eBz[mꂽ܂ɂ̓ɁI

CXg[ꂽSẴpbP[WŐV̂̂ɕۂƂ́ASȃVX
eێōłdvȃXebv̈łBgpĂ̂
͂ȂACXg[ꂽSẴpbP[WŐVɕۂׂł邱Ƃ
A狭Ă\ł͂܂Bꂪʓ|Ȃ΁AgȂp
bP[WSăACXg[邱ƂlĂBہAǂ
A͗ǂlłB

A̍ŐVǂŎɓ̂ł傤BŐṼZLe
Bj[XfĂEFuTCg͂񂠂܂B܂Ãgs
bNĂ郁COXg񂠂܂BہAĂ̏
AVXe̊ex_gA_Ƃ̃tBbNX@𔭕\邽߂̃
XgJĂł傤B̓[XŐV̂̂ɕۂf
炵@ŁA߂܂B http://linuxsecurity.com  Linux 
̏ɂĂ̗ǂTCgłB܂TԂ̃j[X^[ȉŎɓ
܂F http://www.linuxsecurity.com/general/newsletter.html.

܂ÃfBXgr[Vł́A ftp oRŎIɃCXg[
pbP[WXVĂ郆[eBeBpӂĂ܂B͒
ƖƂ cron Wuő点邱Ƃ\ŁAC^[lbgAN
ZX\ȂłyȂł傤B

͈xŏIvZXł͂܂ -- ƑĂ̂
BŐVɕۂƂ厖Ȃ̂łBłZLeB񍐂ɏɒڂ
ĂĂBĊex_̃ZLeBCOXg
wǂĂIȂfADSL Ȃ̏펞ڑ̎i
ĂȂAMSɍsȂƂɕى͂肦܂Bǂ̃fB
Xgr[Vł͏[ɊȒPȂłI

Ō̒ӁFVpbP[WCXg[ɂ͏ɁAVݒA
܂͉肳ꂽݒɃCXg[ꂽ\܂B܂
ÃpbP[W̃T[oł΁AAbvf[ǧʂƂē
oĂ܂Ă邩ȂƂƂłB͍@łA
ۂ肦܂BłAAbvf[gVXeύX̌ɂ͂łAm
netstat ̂̂𑖂点āAVXe]ނ悤ɂȂĂ邱
mF܂傤BہÂ悤ȕύXȂĂAIɊmFĂ
B

 

4.1. Summary and Conclusions for Step 2

͒PȂƂłFȂ Linux VXeŐV̂̂ł邱Ƃm
FĂBAbvf[gꂽpbP[W\Aex_̃y
[W`FbN܂傤BÂ[Xł𑖂点ĂƎ̂ɂ͉
ss܂񂪁ÃpbP[W͏[Xȍ~Ɋex_
̂ɏ]ăAbvf[gĂȂ΂Ȃ܂BȂƂex
_T|[g𑱂ĂÃ[XƃAbvf[g͒񋟂ꑱ
Ă܂B

 

5. Step 3: Firewalls and Setting Access Policies

āA"t@CA[EH["Ƃ͉ł傤H͔RƂpŁAX
ƊO̐EƂ̊Ԃ̕یoA[Ƃē̂Ȃ牽łӖĂ܂B
͐p̃VXewł傤A@\Ƃĉʂ
̃AvP[V̂Ƃ܂B܂́AlXȃn[hEFA
\tgEFA܂ޗvf̑gݍ킹ƂƂł傤Bt@CA[
EH[͗^ꂽVXeւ̏̏oɂāA邩
`"["琬Ă܂Bł́ALinux ŊȒPɎg邻̍\v
fĂ݂܂傤BāAǂ̂悤ɂēKɈSȃt@C
A[EH[헪邩Ă݂܂傤B

̃XebvPł́AKvłȂT[BXSĒ~܂B̗ł
A点ĂKv̂͂킸łB̏͂ł́ÃXebv
i݁Aǂ\̐EɊJĂA炩̕@Ő邱Ƃł
̂͂ǂꂩ肵܂BSĂubNłΑό\ȂƂł
A͑̏ꍇAIł͂܂B

 

5.1. Strategy

ł̖ړÍAŗL̏󋵂łÂ߂ɕKvŏ
悤ɁAڑƒʐM𐧌邱ƂłBꍇɂ́AOĂ
SĂ"V"ڑsubNƂƂ肦܂BႦ΁AX
𑖂点ANO͂ɃANZX悤Ƃ͎vĂȂȂ
AO̐ڑSɃubN邱ƂɂȂł傤B̏󋵂ł́A
OĂڑMpłô̂ɐ܂
BقǁAǂƌ܂BႦ΁AOX̃VXe 
ssh œ肽̂łAۂ̂ƂX͎̎dꂩ炵
ڑȂƂ܂BȂAsshd ڑd̃AhX͈̔͂
̂ɐĂƂɂȂł傤B̂߂̕@͐FX܂A
ԕʂ̂Ă݂܂傤B

܂AX́At@CA[EH[̃AvP[VɌ肵悤
͎vĂ܂B "wɂȂ"A܂A[ɉd̖h̃Av
[`Ƃ̂ɈƂ͉܂BO̖h̓pPbgtB^
OA ipchains  iptables iȉQƂĂĵǂ炩ɂȂ
ł傤BɁAt@CA[EH[⋭邽߂́AǉIȃc[
JjY𗘗p邱Ƃł܂B

ȒPȗЉ܂傤BPȕjƂāAftHg̃|V
[͑SĂۂAKvȂ̂JƂɂ܂B̖͍ݓ
GȂ̂ɂȂ肦܂A\ȌPɕۂAł{IȃRZ
vĝɏW邱ƂS܂傤B̃gsbNɂĂ̂
i񂾓eɂẮAN̏͂QƂĂB

 

5.2. Packet Filters: ipchains and iptables

iipchains ̂悤ȁj "pPbgtB^"͌X̃pPbgāA̓
eɊÂĔf邱ƂłAlXȖړIɎgƂł܂B
̂悭ړI̓t@CA[EH[̐ݒułB

Linux ŕʂ̃pPbgtB^ ipchains ŁA 2.2 J[lŕW
ɂȂĂ܂B iptables łA͂ŋ߂ 2.4 J[l
g悤ɂȂĂ܂B iptables ͂ɐi񂾃pPbgtB^̔\
͂A 2.4 J[l𑖂点ĂȂNɂł߂łBA
̖ړIɂ͏[ɌʓIłB ipfwadm  2.0 J[l̂߂̓
l̃[eBeBłAł͋c_܂B

 ipchains ܂ iptables t@CA[EH[̋K̐ݒ肪
Ɏv悤łẢߒł邳܂܂ȃTCg
܂BN̏͂QƂĂB܂AŋĂo
_Ƃėp邱Ƃł邩܂B܂AfBXgr[V
ɂẮAt@CA[EH[̃XNvg𐶐Ă悤ȃ[
eBeB܂܂Ă邩܂B͂܂܂̓Ă
܂Â悤ȃc[͔ɒPȓAŐKݒ肷ȏ̂
͖őɂĂ܂̂ŁAK؂ȕ@ƗlXȃJjYǂ̂悤ɓ
m邱Ƃ߂܂B

    Note: ȉɗlXȗႪĂ܂B͂ŋc_
    ̊TO߂̎Ƃċ̂łB͂Ȃg
    XNvg߂̏o_ƂĂ𗧂ƂƎv܂ASĂ
    ꍇ܂ł킯ł͂ȂƂɒӂĂB̃XNvg
    ǂ̂悤ɓgŗ悤ɋ߂Ǝv܂
    BɂāAg̏󋵂ɂ҂ƂXNvg
    ɂȂł傤B
   
    ɋXNvg͒PɈ̃C^[tF[XiC^[lbg
    ڑꂽ́jւ̓ւ̐ڑh䂷邾̂̂łB͑
    ̎[Ȕ󋵂ɂ͏[Ȃ̂m܂񂪁AtɌ΁A
    ͑SĂ̏󋵂ɑÓȂ킯ł͂܂B
   
 

5.2.1. ipchains

ipchains  2.2 ܂ 2.4 J[lŗp邱Ƃł܂Bipchains 
Ă鎞́ÃVXeʂčsSẴpPbg`FbN
BpPbg͂炪ǂoāAǂɍsɂāAقȂ"`F
Cij"ʂĈړ܂B "`FC"K̏W܂ƍlĂ
Bi񂾐ݒɂẮAX͎gpɂ炦`FC
`邱ƂɂȂł傤BftHgőgݍݍς݂̎O̃`FĆA
ĂgtBbN input, očsgtBbN output, ĂC
^[tF[Xʂ̂ǂփtH[hiT^Iɂ"}XJ[f
BO"ɗp܂jgtBbN forward łB`FC̓VXe
o肷ʐM̗̐邽߂ɁAlXȕ@ő삷邱Ƃł
܂BK͖]݂̌ʂB邽߂Ɏ̔fŕt邱Ƃł
܂B

SĂ"`FC"̏I["^[Qbg"łB^[Qbg̓R}h -j I
vVē肵܂B^[Qbg̓pPbg̉^߂̂ŁA
̓̃`FC{IɏI点̂łBłʂɌ^[
QbǵAȉ̂悤ɂقƂǂ̖OӖ킩܂F ACCEPT,
DENY, REJECT,  MASQ łB MASQ "IP}XJ[fBO"̂߂
̂łB DENY  REJECT ͈͂̂Ⴂ܂A{Iɂ͓
܂Bł́Âǂ炪ł傤Hɂ͎Rقǋc_
Ȃ̂łA͈̔͂̕𒴂鑼̃t@N^[Ɉˑ܂BX
̖ړIɂ͂ǂł[ł傤B

ipchains ͔ɏ_Ȑݒ肪ł܂B|[gi܂̓|[gWjAC
^[tF[XAs̃AhXAoAhX𑼂̗lXȃIvV
lɓ肷邱Ƃł܂B man y[Wŏ[ڂĂ
܂̂ŁAł͏ڍׂɗȂƂɂ܂傤B

C^[lbgX̃VXeɓĂʐḾA input ̃`FC
ʂēĂ܂BꂱXo萧Kv̂ł
B

ȉ͉zIȃVXê߂̒ZXNvg̗łB̃XNvg
邩̓RgŐĂ܂B "#" Ŏn܂Ăs͑SăR
głB ipchains ̋K͈ʂɃVFXNvgɎ荞܂At
@CA[EH[̃WbN̐ݒ邽߂ɃVFϐp܂B

#!/bin/sh
#
# ipchains.sh
#
# An example of a simple ipchains configuration.
#
# This script allows ALL outbound traffic, and denies
# ALL inbound connection attempts from the outside.
#
###################################################################
# Begin variable declarations and user configuration options ######
#
IPCHAINS=/sbin/ipchains
# This is the WAN interface, that is our link to the outside world.
# For pppd and pppoe users.
# WAN_IFACE="ppp0"
WAN_IFACE="eth0"

## end user configuration options #################################
###################################################################
# The high ports used mostly for connections we initiate and return
# traffic.
LOCAL_PORTS=`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f1`:\
`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f2`

# Any and all addresses from anywhere.
ANYWHERE="0/0"

# Let's start clean and flush all chains to an empty state.
$IPCHAINS -F

# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that ipchains uses.
$IPCHAINS -P forward DENY
$IPCHAINS -P output ACCEPT
$IPCHAINS -P input DENY

# Accept localhost/loopback traffic.
$IPCHAINS -A input -i lo -j ACCEPT

# Get our dynamic IP now from the Inet interface. WAN_IP will be our
# IP address we are protecting from the outside world. Put this
# here, so default policy gets set, even if interface is not up
# yet.
# WAN_IP ͉XO̐EĂ IP AhXɂȂB                     
# łĂƁAC^[tF[X܂pӂĂȂĂA      
# ftHg̃|V[ZbgB                                          
WAN_IP=`ifconfig $WAN_IFACE |grep inet |cut -d : -f 2 |cut -d \  -f 1`          
                                                                                
# Bail out with error message if no IP available! Default policy is             
# already set, so all is not lost here.                                         
# ǂIP gȂȂAG[bZ[WoĔoB                 
# ftHg̃|V[ɐݒ肳Ă̂ŁASĂŎ            
# 킯ł͂ȂB                                                                
[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1       
                                                                                
# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are             
# the high, unprivileged ports (1024 to 4999 by default). This will             
# allow return connection traffic for connections that we initiate              
# to outside sources. TCP connections are opened with 'SYN' packets.            
# -SYN TCP 󂯓ALOCAL_PORTS ւ UDP ڑ󂯓B                
# ͍ԍŁA蓖Ă̂Ȃ|[giftHgł10244999)B       
# ͉XÕ\[X֒ʐMn߂鎞̐ڑ́A                            
# ԓ̐ڑʐMB                                                    
# TCP ڑ 'SYN' pPbgƂƂɊJĂB                               
$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT   
                                                                                
# We can't be so selective with UDP since that protocol does not                
# know about SYNs.                                                              
# UDP SYNɂĒmȂ̂ŁAƑIĂ͎gȂB                     
$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT        
                                                                                
## ICMP (ping)                                                                  
#                                                                               
# ICMP rules, allow the bare essential types of ICMP only. Ping                 
# request is blocked, ie we won't respond to someone else's pings,              
# but can still ping out.                                                       
# ICMP ̋KAICMP ̍Œ̖{IȌ^B                            
# Ping v̓ubNB܂AX͒Nping ɂ͉A            
# ping oƂ͂łB                                                     
$IPCHAINS -A input  -p icmp  --icmp-type echo-reply \                           
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT                                         
$IPCHAINS -A input  -p icmp  --icmp-type destination-unreachable \              
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT                                         
$IPCHAINS -A input  -p icmp  --icmp-type time-exceeded \                        
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT                                         
                                                                                
###################################################################             
# Set the catchall, default rule to DENY, and log it all. All other             
# traffic not allowed by the rules above, winds up here, where it is            
# blocked and logged. This is the default policy for this chain                 
# anyway, so we are just adding the logging ability here with '-l'.             
# Outgoing traffic is allowed as the default policy for the 'output'            
# chain. There are no restrictions on that.                                     
# ȂłiftHg[ DENYjASẴOƂB               
# ̃[ŋȂ̑SĂ̒ʐḾAňグA                    
# ubNăOBƂɂA͂̃`FC                  
# ftHg̃|V[Ȃ̂ŁA'-l' IvVŃO\͂t邾B 
# O֏očsʐM 'output' `FC̃ftHg|V[ƂċB      
# ɂĂ͉̐ȂB                                            
$IPCHAINS -A input -l -j DENY                                                   
                                                                                
echo "Ipchains firewall is up `date`."                                          
                                                                                
##-- eof ipchains.sh                                                            
                                                                                
                                                                                

̃XNvggɂ́As\t@CɂȂĂȂ΂Ȃ܂
i܂Achmod +x ipchains.sh ŁAs\ɂ܂jBāAroot 
ő点ă`FCAt@CA[EH[킯łB

̗ōsƂ܂Ƃ߂ƁA܂n߂ɓ̕ł̃VF
ݒ肵܂B͂̃XNvǧ̕ŗp܂BāA
SĂ̓̒ʐMƃtH[h̒ʐMۂAO̒ʐM͑Sċ
ƂftHg̃[iipchain ͂ "policiesi|V[j"
ƌĂт܂jݒ肵܂B bigcat ÕAhXւ̒ʐM̏s
ڑ̕ԓ󂯎邽߂ɁAԍA蓖ĂĂȂ|[
gɂJȂ΂Ȃ܂BႦ΁AÑEFuT[o
ɐڑȂ΁A HTML f[^ɂ͂ɖ߂ėĂ炢킯ł
BƂ̃lbg[NʐMɂĂ͂܂܂B ICMP vg
R̓AO̓̃^Cv܂iقƂǂ͈ˑRubNĂ
܂jB܂ݒ肵[j悤ȁA܂艽Ă̂
悤ȓ̒ʐḾAׂăO܂Bł IP AhXp
Ă邾łāAǂȎނ̃zXggĂȂƂɒӂ
B́Ãt@CA[EH[A DNS ̎s悤ȏꍇ
łA DNS Xv[tBO̗ނ̂܂āA삷悤
łB

@̊SȐɂĂ ipchains  man y[WQƂĂB
ŗpdvȂ͈̂ȉ̂̂łF

    -A input: "input" `FCɋKǉBftHg̃`FC 
    input, output, forward.                                            
   
    -p udp: ̃[ "UDP" "vgR" ɓKpB -p IvV 
     tcp, udp ܂ icmp vgRɗp邱ƂoB           
   
    -i $WAN_IFACE: ̃[͓̃C^[tF[X݂̂ɓKpAQ
    Ƃꂽiinput, output ܂ outputj`FCSĂɓKpB  
   
    -s <IP address> [port]: ̃[͏o_̃AhXw肳Ă 
    Ƃɂ̂ݓKpBIvVƂĂɃ|[gԍiႦ 
    22ԁjA܂̓|[gԍ͈̔́AႦ 1023:4999 Ƃo
    B                                                                 
   
    -d <IP address> [port]: ̃[͓_̃AhXw肳Ă 
    Ƃɂ̂ݓKpB܂A|[gԍ܂̓|[gԍ͈̔͂ 
    ߂邱Ƃ\B                                                   
   
    -l : ̃IvṼ[ɃqbgCӂ̃pPbg̃Oi
    "L"jB                                                    
   
    -j ACCEPT: "ACCEPT" "^[Qbg" ɃWvB͌ʓIɂ
    `FCIA̓̃pPbg̍ŏIIȉ^A̗ł   
    "ACCEPT" 邱ƁA肷BƂ DENY ̂悤ȑ -j ^[
    QbgɂĂB                                           
   
TāAR}hCIvVu鏇͏dvł͂܂񂪁A
`FC̖OiႦ΁A inputj͈ԍŏɂȂĂ͂Ȃ܂B

Remember that when we ran netstat in Step 1, among the things we found
running were X and a print server. These exist for our own limited use
and should not be exposed to the Internet. They are still running on
bigcat exactly as before, but now they sit safely behind the
ipchains-based firewall. Your own system may have other services that
fall into this category.

This example is extremely simplified, an all-or-nothing approach. All
outbound traffic is allowed (which is not necessarily a good idea),
and every inbound connection attempt from the outside is blocked. It
protects only one interface, and in fact only the traffic arriving on
that interface. Adapting it to your own system may require some
fine-tuning. For more advanced rule sets see the appendix, and read
http://tldp.org/HOWTO/IPCHAINS-HOWTO.html (JF Japanese translation:
http://www.linux.or.jp/JF/JFdocs/IPCHAINS-HOWTO.html).

Once the firewall changes are in place, you should verify that they
are correct. One way to confirm that the rules you set do what you
intended is to look at how ipchains interprets the script. Open a wide
xterm and enter:


 # ipchains -L -n -v | less


The output is grouped by chain. You will also need to know how to read
it (see the section on verifying below). Then keep an eye on your
logs, and confirm that what you meant to block really is being
blocked.

 

5.2.2. iptables

iptables is the next-generation packet filter for Linux and requires a
2.4 kernel. It does everything ipchains does, plus a number of
enhancements. The syntax is largely similar to that of ipchains; see
the man page for details.

The most notable new feature is "connection tracking", better known
as "stateful inspection". iptables has a much richer knowledge of the
state of each packet. It knows not only whether a packet is TCP or
UDP, or whether the SYN or ACK flag is set, but also whether the
packet is part of an existing connection, or is related to one. The
implications for firewall configuration are obvious.

The bottom line is that configuring a firewall is simpler with
iptables than with ipchains, and iptables is the recommended way.

Below is the same script as above, rewritten for iptables:

#!/bin/sh
#
# iptables.sh
#
# An example of a simple iptables configuration.
#
# This script allows ALL outbound traffic, and denies
# ALL inbound connection attempts from the Internet interface only.
###################################################################
# Begin variable declarations and user configuration options ######
#
IPTABLES=/sbin/iptables
# Local Interfaces
# This is the WAN interface that is our link to the outside world.
# For pppd and pppoe users.
# WAN_IFACE="ppp0"
WAN_IFACE="eth0"
#

## end user configuration options #################################
###################################################################

# Any and all addresses from anywhere.
ANYWHERE="0/0"

# This module may need to be loaded:
modprobe ip_conntrack_ftp

# Start building chains and rules #################################
# Let's start clean and flush all chains to an empty state.
$IPTABLES -F

# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that IPTABLES uses.
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP

# Accept localhost/loopback traffic.
$IPTABLES -A INPUT -i lo -j ACCEPT

## ICMP (ping)
#
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out.
$IPTABLES -A INPUT  -p icmp  --icmp-type echo-reply \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT  -p icmp  --icmp-type destination-unreachable \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT  -p icmp  --icmp-type time-exceeded \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT

###################################################################
# Set the catchall, default rule to DENY, and log it all. All other
# traffic not allowed by the rules above, winds up here, where it is
# blocked and logged. This is the default policy for this chain
# anyway, so we are just adding the logging ability here with '-j
# LOG'. Outgoing traffic is allowed as the default policy for the
# 'output' chain. There are no restrictions on that.
#
# Connection tracking replaces the LOCAL_PORTS hole of the ipchains
# script: return traffic of connections we started (and RELATED
# traffic, such as FTP data connections via ip_conntrack_ftp) is
# accepted, and NEW connections are accepted only if they do not
# arrive on the WAN interface. Newer iptables releases want the
# negation written '! -i $WAN_IFACE' rather than '-i ! $WAN_IFACE'.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT
# '-m limit' keeps a flood of dropped packets from filling the log.
$IPTABLES -A INPUT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "

echo "Iptables firewall is up `date`."

##-- eof iptables.sh
                                                                                
                                                                                

Because the script uses the same logic, this does much the same as
the earlier ipchains script, with only small differences in syntax.
Note that the chain names have changed (INPUT rather than input, and
so on). Logging is done differently too: this time it uses its own
"target" (-j LOG), and it is far more flexible.

There is one very fundamental difference, but it is not so obvious.
Recall the following part of the ipchains script:

# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are the high,
# unprivileged ports (1024 to 4999 by default). This will allow return
# connection traffic for connections that we initiate to outside sources.
# TCP connections are opened with 'SYN' packets. We have already opened
# those services that need to accept SYNs for, so other SYNs are excluded here
# for everything else.
$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT

# We can't be so selective with UDP since that protocol does not know
# about SYNs.
$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT
                                                                               
                                                                               

With ipchains we had to poke a hole in the high ports to receive the
return traffic of the connections we ourselves initiate. Not a pretty
thing to have to do, actually.

That part is missing from the iptables script above. In this case it
is unnecessary, because connection tracking takes care of it; that is
what it means to say that iptables is "stateful". It knows things
about each packet that ipchains does not: for example, whether a
packet is part of a "new" connection, of an "established" one, or of
a "related" one. That is "stateful inspection" by way of connection
tracking.

iptables has plenty of features that we have not touched on here. For
further reading, see the netfilter project's own pages on iptables at
http://netfilter.samba.org. Also see the appendix for more advanced
rule sets.

 

5.3. Tcpwrappers (libwrap)

tcpwrappers provides much the same end result as ipchains and iptables
above, but the mechanism is completely different. tcpwrappers
intercepts the connection attempt, consults its configuration files,
and then decides whether to accept or reject the request. tcpwrappers
does not control access at the socket level the way iptables and
ipchains do; it controls access at the application level. This is
very effective, and tcpwrappers has become a standard component of
Linux systems.

tcpwrappers uses the configuration files /etc/hosts.allow and
/etc/hosts.deny, and its functionality is provided by the libwrap
library.

tcpwrappers first checks whether access is allowed in
/etc/hosts.allow; if so, the caller is granted access. If there is no
match in /etc/hosts.allow, it then checks whether access is denied in
/etc/hosts.deny, and if so, the caller is rejected. Otherwise access
is granted. Given this mechanism, the safest thing to do is ALL: ALL
in /etc/hosts.deny. You then put entries for allowed access in
/etc/hosts.allow, each naming a specific service together with the
addresses of the hosts allowed to use it. Hostnames can be used
instead of addresses, but hostnames leave a small risk, because the
match then depends on DNS.

tcpwrappers is normally used to protect services started via inetd
(or xinetd). But any program compiled with libwrap support can be
protected by tcpwrappers. Do not assume that every program is built
with libwrap support; in fact most are not, and most never will be.
So for our purposes here we will apply it only to services started
via inetd, and rely on our packet filter firewall or other mechanisms
to protect services that do not go through (x)inetd.

Below is a portion of a typical inetd.conf file:


 # Pop and imap mail services et al
 #
 #pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
 #pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
 #imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
 #


The second-to-last column is the tcpwrappers daemon, /usr/sbin/tcpd.
Anything with that daemon in front of it is protected; in this case
that is the POP and IMAP mail servers. Your distribution may well have
set this up for you. Applications with libwrap support built in (that
is, with tcpwrapper support compiled in) do not need the daemon
specified this way.

Here we use the same approach again: as the default policy, deny
everything, and then open holes for the minimum traffic we need.

So now it is time for a text editor. Become root with su and open the
/etc/hosts.deny file. If it does not exist, create it; it is a plain
text file. Put the following in it:


 ALL: ALL


If it is already there, fine. If not, add it, save, and close the
file. Simple enough. "ALL" is one of the keywords tcpwrapper
understands. The format is $SERVICE_NAME : $WHO, so here we are
denying all connections to all services. At least to all services
that use tcpwrappers, which, remember, means the inetd services. See
man 5 hosts_access for details on the syntax of this file (note the
"5"!).

Now let's poke holes in it and open the services we need. Here is a
simple example:


 ALL: 127.0.0.1
 sshd,ipop3d: 192.168.1.
 sshd: .myworkplace.com, hostess.mymomshouse.com


The first line allows all "localhost" connections. You will need
this. The next line allows connections to the sshd and ipop3d
services from IP addresses starting with 192.168.1., the private
address range of our hypothetical LAN. Note the trailing "." here; it
is important. The third line allows connections to our sshd daemon
from any host matching .myworkplace.com; this time note the leading
".". It also allows the single host hostess.mymomshouse.com. The net
effect is that localhost and our LAN connections are allowed to the
tcpwrapper-protected services on bigcat, while the only outsiders who
can use sshd on bigcat are addresses at our workplace and at Mom's
house. Everything else is denied by the default policy in
/etc/hosts.deny.

Wildcards of the .myworkplace.com and 192.168.1. kind are not
supported by ipchains or iptables, nor by most of the other Linux
applications in this document. Also, tcpwrappers can use hostnames
instead of IP addresses, which is very handy in some situations;
ipchains and iptables cannot.

The tcpwrappers configuration can be checked with the tcpdchk utility
(see its man page). Note that it does not work with xinetd, and may
not even be included in that case.

There is no harm in using tcpwrappers together with a packet filter
firewall such as ipchains. In fact, this kind of "layered" approach is
recommended, since it gives some protection against configuration
mistakes. Each connection is then checked first by the packet filter
and then by tcpwrapper.

Don't forget to back up copies of system configuration files before
editing them, to restart the daemon afterwards, and to check the logs
for error messages.
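The access decision described above (hosts.allow first, then hosts.deny, then allow by default), with the pattern forms used in the example files, can be modelled in a few lines. This is an added example, not code from the HOWTO or from tcpwrappers itself: it takes the client's name or address as a string rather than resolving it through DNS, and the two sample files are constructed from the rules shown in this section.

```python
"""Model of the tcpwrappers (libwrap) access decision.

Added example, not part of the HOWTO or of tcpwrappers.  It reproduces
the evaluation order the text describes: a request is granted if it
matches /etc/hosts.allow, otherwise denied if it matches
/etc/hosts.deny, otherwise granted.  No hostname lookups are done; the
caller passes the client's name or address as a string.
"""

# Constructed sample files, taken from the examples in this section.
HOSTS_DENY = """\
ALL: ALL
"""

HOSTS_ALLOW = """\
ALL: 127.0.0.1
sshd,ipop3d: 192.168.1.
sshd: .myworkplace.com, hostess.mymomshouse.com
"""


def _split_list(field):
    # hosts_access lists may be separated by commas and/or whitespace
    return [item for item in field.replace(",", " ").split() if item]


def parse_access_file(text):
    """Return a list of (daemon_patterns, client_patterns) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)     # "$SERVICE_NAME : $WHO"
        rules.append((_split_list(daemons), _split_list(clients)))
    return rules


def client_matches(pattern, client):
    """Match one client pattern the way hosts_access(5) documents it."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # domain suffix, e.g. .myworkplace.com
        return client.endswith(pattern)
    if pattern.endswith("."):          # address prefix, e.g. 192.168.1.
        return client.startswith(pattern)
    return client == pattern           # exact host name or address


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(client_matches(p, client) for p in clients)


def access_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if tcpd would let `client` connect to `daemon`."""
    if any(rule_matches(r, daemon, client) for r in parse_access_file(allow_text)):
        return True
    if any(rule_matches(r, daemon, client) for r in parse_access_file(deny_text)):
        return False
    return True    # matched neither file: access is granted


if __name__ == "__main__":
    for daemon, client in [("sshd", "192.168.1.5"), ("imapd", "192.168.1.5"),
                           ("sshd", "desk42.myworkplace.com"), ("sshd", "10.0.0.5")]:
        print(daemon, client, "->", "allow" if access_allowed(daemon, client) else "deny")
```

The last branch is the point of the ALL: ALL line in /etc/hosts.deny: calling access_allowed with an empty deny_text shows that, without it, a request matching nothing in either file is accepted. Matching by name relies on the reverse lookup of the client's address, which is why the address forms are the more trustworthy ones.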

 

5.3.1. xinetd

As noted earlier, xinetd <http://www.xinetd.org> is an extended inetd.
It does much the same job, but with some notable enhancements.
tcpwrappers support can be compiled in, which makes an explicit
reference to tcpd unnecessary: /etc/hosts.allow and /etc/hosts.deny
then take effect automatically. This is not guaranteed, however, so
test it, watch your logs, and check whether tcpwrappers support is
actually on.

Other enhancements in xinetd include the ability to specify the IP
address to listen on (a very effective form of access control), to
limit the total number of connections and the number per source, and
to restrict a service to certain times of day. See the man pages for
xinetd and xinetd.conf for the details.

The syntax is quite different. Below is an example
/etc/xinetd.d/tftp:


 service tftp
 {
        socket_type     = dgram
        bind            = 192.168.1.1
        instances       = 2
        protocol        = udp
        wait            = yes
        user            = nobody
        only_from       = 192.168.1.0
        server          = /usr/sbin/in.tftpd
        server_args     = /tftpboot
        disable         = no
 }


Note the bind statement. Here the service is tied, or "bound", to the
private LAN interface only. The port is not opened on the other
interface at all, so connections from the outside are simply not
possible. Only connections from the 192.168.1.0 LAN are allowed; as
far as xinetd is concerned, that means every IP address beginning with
"192.168.1". Note how different this is from the inetd syntax. The
server line names the tftp daemon, in.tftpd. We are assuming here
that libwrap/tcpwrappers support is compiled into xinetd. The user
running the daemon is "nobody", the unprivileged account of that
name. Running such a daemon as a non-root user, wherever possible, is
a good safeguard. Finally, disable is xinetd's way of turning a
service on or off; here it is "on", but only for the sake of this
illustration. Unless you are quite sure you need it, the answer to
running a tftp server is "no".

 

5.4. PortSentry

portsentry <http://www.psionic.org/products/portsentry.html> works
quite differently from the tools discussed so far. As the name
suggests, its job is to "watch" ports. portsentry is configured in
the file /etc/portsentry/portsentry.conf.

Unlike the applications above, it does its job by actually being the
server listening on the ports in question. It sits there like a trap.
While portsentry is running, netstat -taup as root shows portsentry
as the LISTENER on the ports it is configured for. When portsentry
detects a connection attempt, it blocks it completely. It then goes
one step further and drops the route to that host, stopping all
further traffic from it. Alternatively, ipchains or iptables can be
used to block the host completely. This makes it a fine tool against
wide-ranging port scans.

But portsentry has no flexibility about which connections to allow:
it is all-or-nothing. Addresses can be defined in
/etc/portsentry/portsentry.ignore, but selective access to individual
ports is not possible. Also, only one server at a time can bind to a
given port, and in this case that server is portsentry. So it is of
limited use as a stand-alone firewall, but very useful as one part of
an overall firewall strategy. In most cases it should not be the first
line of defense, but should be used together with other tools.

Some advice on how to use portsentry sensibly:

 * As a second layer of defense, behind ipchains or iptables. The
   packet filter catches packets first, so anything that reaches
   portsentry is most likely the result of a configuration mistake.
   Do not use it on ports served by inetd; that will not work, as the
   two will fight over the port.

 * As a way to catch full-range port scans. Leave one small hole open
   in the packet filter, and let portsentry catch the scan and
   respond to it.

 * If you want the reassurance that nothing is getting through to a
   server that has been exposed to the outside world, as a kind of
   second opinion. But do not assume that because portsentry is
   running it will catch everything. By default it does not watch all
   ports, and it may well leave some frequently attacked ports open.
   So check that it is configured to suit your situation, and make
   sure your setup has been tested and proven, and does not leave you
   exposed.

The bottom line is that it helps make a packet filter firewall
better.

 

5.5. Proxies

By definition, the word "proxy" means the authority or power to act
on behalf of someone else. Software proxies are no different: a proxy
is an intermediary in the path of a connection. For example, when we
use a web proxy such as "squid" (http://www.squid-cache.org/), every
time we visit a web site we are really connecting to the squid server
running on our local network. squid then forwards the request to its
real destination, and hands the web page back to us once it arrives.
So a proxy is a middleman. Like a "firewall", a "proxy" can mean
either an application or a dedicated server running a proxy
application.

Proxies serve a variety of purposes, and not all of them have much to
do with security. But because a proxy sits in the middle of the
connection, it is a good place to enforce access policies, to limit
direct connections through the firewall, and to control how the
network behind the proxy looks to the Internet. This makes a proxy a
valid part of an overall firewall strategy, and proxies are sometimes
used in place of packet filter firewalls. For a firewall with many
users behind it, a proxy-based firewall is probably the better
design; for a typical home system it is not a high priority.

Configuring and administering proxies is quite complex and beyond the
scope of this document. The Firewall and Proxy Server HOWTO,
http://tldp.org/HOWTO/Firewall-HOWTO.html (JF Japanese translation:
http://www.linux.or.jp/JF/JFdocs/Firewall-HOWTO.html), contains an
example of setting up a proxy firewall. The use of squid is discussed
at http://squid-docs.sourceforge.net/latest/html/book1.htm.

 

5.6. Individual Applications

Some servers have access control mechanisms of their own. You should
check each server application you run. In this section we only cover
a few of the more common ones. Man pages and the application's own
documentation will help. This is worth doing even if you are
confident in your firewall; it is one more layer of defense, and
defense in depth is always best.

 * BIND: a very common name server package, and one that is often
   attacked. Its daemon is "named". Unless you provide DNS lookups
   for your own domain to the outside world, there is no need to
   expose it to the Internet at all. If that sentence means nothing
   to you, you certainly do not need it exposed, and should not
   expose it. Most people are in this situation. It is a very popular
   crack target.

   It may, however, be installed as a caching-only server, in which
   case it is a convenient thing to have. Even then it does not need
   to be exposed to the Internet. Edit /etc/named.conf to restrict the
   interfaces it "listens" on (this is a partial excerpt):


     options {
       directory "/var/named";
       listen-on { 127.0.0.1; 192.168.1.1; };
       version "N/A";
     };


   The "listen-on" statement restricts where named listens for DNS
   requests. In this example it listens only on localhost and
   bigcat's LAN interface; nothing at all is opened to the rest of
   the world. It really is that simple. Restart named after making the
   change.

 * X11 can be stopped from listening on TCP with the -nolisten tcp
   command-line option. If you use startx, you can do this
   automatically by adding alias startx="startx -- -nolisten tcp"
   with a text editor to your ~/.bashrc, or to the system-wide
   /etc/bashrc. If you use xdm (or one of its variants such as gdm or
   kdm), the option goes in /etc/X11/xdm/Xservers (or its
   counterpart) as :0 local /usr/bin/X11/X -nolisten tcp. gdm, for
   instance, uses /etc/X11/gdm/gdm.conf.

   If you use xdm (or a variant) to start X automatically at boot, you
   can also change /etc/inittab to read xdm -udpPort 0, which blocks
   unwanted connections. This is typically near the bottom of
   /etc/inittab.

 * Recent versions of sendmail can be configured to listen on one
   address only:


     # SMTP daemon options
     O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA


   This is in the infamous /etc/sendmail.cf file. Changes to it must
   be made carefully with a text editor. The sendmail.mc directive
   looks like this:


     dnl This changes sendmail to only listen on the loopback device 127.0.0.1
     dnl and not on any other network devices.
     DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')


   You may prefer to edit the .mc file and generate a new sendmail.cf
   from it. Other mail server daemons have similar configuration
   options; check the relevant documentation.

 * SAMBA connections can be restricted in smb.conf like this:


     bind interfaces = true
     interfaces = 192.168.1. 127.
     hosts allow = 192.168.1. 127.


   This allows connections only from localhost (127.0.0.1) and the
   local LAN address range. Adjust the LAN address to your needs.

 * The CUPS print daemon can be told where to listen for connections.
   Add something like this to /etc/cups/cupsd.conf:


     Listen 192.168.1.1:631


   This opens the port only on the given address and port number.

 * xinetd can make a daemon listen on a particular address, such as
   the LAN interface address, via the "bind" setting, as described
   above. See the xinetd.conf man page (man xinetd.conf) for this and
   other options. There are many mechanisms of this kind.

As always, back up configuration files before changing them, restart
the daemon, and check the logs afterwards for error messages.

 

5.7. Verifying

The final step in setting up a firewall is to verify that it does
what you intended. It is also a good idea to do this whenever you
make small changes to your system's configuration.

So how do we do that? There are a number of things you can do.

For packet filters such as ipchains and iptables, you can list all
rules, chains and related statistics with iptables -nvL | less
(substitute ipchains as necessary). Open a wide xterm so that the
lines do not wrap.

Check twice that the chains you set up work as you intended. Carry
out your usual online activities: open web pages, send mail, and so
on, to see that everything still works. This does not tell you
anything about tcpwrapper or portsentry, of course. To verify the
tcpwrapper configuration (when not using xinetd) you can use tcpdchk.

Next, scan yourself. nmap is the tool for scanning. It ships with
most distributions and is available at
http://www.insecure.org/nmap/nmap_download.html. nmap is extremely
flexible; at bottom it is a "port prober": it looks for open ports on
a given host. See the nmap man page for details.

If you run nmap against yourself (for example, nmap localhost), you
see the ports that are open, but only from a local point of view.
With a firewall in place, the view from the outside is completely
different. So self-scans are not to be trusted, and you need a
friend, or another site (your ISP account?), to scan you from the
outside. Make sure that port scanning does not violate your
provider's terms of service. Caution is in order: do this only with
someone you know and trust. Such an outside scan is the best way to
find out how your system looks to the outside world, which reflects
how your firewall is actually working. See the nmap section for an
example of its use.

A warning: some providers filter certain ports, in which case you
cannot find out exactly how your own firewall is working. Conversely,
some providers run a transparent web proxy, so that a port may appear
open when it is not. The scanner may see port 80 answered by the web
proxy and report it as an open port on your system.

Another alternative is a web site that offers a test of the full port
range; http://www.hackerwhacker.com is one example of such a site.
Whichever site you use, make sure it really scans all ports and not
just a handful of well-known ones.

Repeat this procedure after every change to the firewall, after every
system upgrade or new installation, and whenever any important
component of the system changes.

You should also log all denied traffic, at least for a while. Then,
once you have confirmed that the firewall does what you intended, and
the logs no longer show any surprises, you can turn the logging down
if the volume becomes a nuisance.

If you are using portsentry, reading the results is harder.
Depending on the configuration, it either drops the route to the
scanner's host or applies a dynamic ipchains/iptables rule. Also,
since portsentry is "listening" on those ports, all of them appear to
be "open". This is an extreme case.

 

5.8. Logging

Linux does a lot of logging, generally to several files. Not
everything that ends up in the logs is significant, and which entries
are serious, and which can safely be ignored, is not always obvious.
A firewall can generate quite a volume of logs by itself. Besides the
"bad guys" it is meant to stop, it logs plenty of harmless traffic as
well. The Internet is full of background noise.

In many cases, the purpose of a given packet is next to impossible
to determine. Is it an intrusion attempt, a mistaken protocol, a typo
in an IP address? The judgement rests on clues such as the port it
came in on, the port it was destined for, the protocol, and other
variables. But firewall logs can be hard to interpret, and in most
cases they are "alerts" of no more than passing interest.

So do we really need logs at all? And if so, how much should be
logged? The advantage of logging is being able to tell that the
firewall is actually working as intended. Even if we do not
understand most of what is in the logs, we can at least see that it
is "working". And if the need arises, we have log data to go back to
and use as evidence.

The drawbacks of logging are that it can be so excessive that the
useful data gets lost in the noise, and it can even fill a hard disk.
Or, at the other extreme, it can be so sparse that the newest entries
have already been overwritten when they are needed as evidence of a
break-in. Logging in balance is a fine idea, but in most cases trial
and error is the only way to find that balance, and the process can
be a nuisance for users. If you cannot resist turning on all logging
the moment the firewall is up, cut it back later on; a desktop user
will probably find logging as little as possible the most pleasant.
Someone with larger responsibilities has to log more, and has to find
a way to filter and extract the meaningful data from the logs.

Not sure where to look for log data? This varies from distribution to
distribution and depends on how syslogd is configured, so the data
could be in various places. Most logs live in /var/log/*. Look at
that directory with ls -l /var/log/, and judge from the sizes and
time stamps which files are changing frequently. Also check
/etc/syslog.conf to find out where the default logging locations
are. /var/log/messages is the best place to start looking.

portsentry and tcpwrapper do ordinary logging, and it cannot be
adjusted much. xinetd has extended logging features that can be
turned on. ipchains and iptables, on the other hand, are very
flexible about what gets logged.

With ipchains you can add the -l option to any rule. With iptables
you use the -j LOG target, which needs its own separate rule.
iptables is more advanced here, and its log entries can be customized
and adjusted; see the man page. You will probably be most interested
in blocked traffic, so logging is most useful on the DENY and REJECT
rules.
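As an added example (not code from the HOWTO), here is how the entries written by the iptables script's -j LOG rule can be turned into the kind of per-port summary shown at the top of this document. It assumes the "Dropping: " prefix from that script and the usual syslog line layout; the log lines below are constructed for the example, not real traffic.

```python
"""Summarize iptables LOG entries by destination port.

Added example, not code from the HOWTO.  It assumes the LOG rule of the
iptables script in this document (--log-prefix "Dropping: ") and that
klogd/syslogd writes kernel messages in the usual
"Mon DD HH:MM:SS host kernel: ..." form to a file such as
/var/log/messages.
"""
import re
from collections import Counter

# Constructed sample log lines in the netfilter LOG format (not real traffic).
SAMPLE_LOG = """\
Jul 15 04:24:13 bigcat kernel: Dropping: IN=eth0 OUT= MAC=00:a0:cc:d1:4f:07:00:30:b8:c0:5d:6a:08:00 SRC=10.11.12.13 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=48391 DF PROTO=TCP SPT=3296 DPT=111 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 15 04:25:02 bigcat kernel: Dropping: IN=eth0 OUT= MAC=00:a0:cc:d1:4f:07:00:30:b8:c0:5d:6a:08:00 SRC=10.11.12.14 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=12 PROTO=TCP SPT=4105 DPT=27374 WINDOW=512 RES=0x00 SYN URGP=0
Jul 15 06:10:44 bigcat kernel: Dropping: IN=eth0 OUT= MAC=00:a0:cc:d1:4f:07:00:30:b8:c0:5d:6a:08:00 SRC=10.11.12.13 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=48392 DF PROTO=TCP SPT=3297 DPT=111 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 15 07:00:01 bigcat kernel: Dropping: IN=eth0 OUT= MAC=00:a0:cc:d1:4f:07:00:30:b8:c0:5d:6a:08:00 SRC=10.11.12.15 DST=192.0.2.10 LEN=66 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=1029 DPT=53 LEN=46
Jul 15 07:13:55 bigcat sshd[2345]: Accepted publickey for hal from 192.168.1.5 port 38112 ssh2
Jul 16 01:02:03 bigcat kernel: Dropping: IN=eth0 OUT= MAC=00:a0:cc:d1:4f:07:00:30:b8:c0:5d:6a:08:00 SRC=10.11.12.16 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
"""

LOG_PREFIX = "Dropping: "
# "Jul 15 04:24:13 bigcat kernel: <message>"  (day may be padded with two spaces)
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE pairs; OUT= may be empty


def parse_log_line(line):
    """Return the LOG fields of one firewall line as a dict, or None for
    any line that is not a kernel message carrying our prefix."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group(3).startswith(LOG_PREFIX):
        return None
    timestamp, host, body = m.groups()
    body = body[len(LOG_PREFIX):]
    entry = {"timestamp": timestamp, "host": host}
    # Bare flags such as DF or SYN have no '=' and are skipped here; a
    # repeated key (ID= appears twice for ICMP) keeps its last value.
    entry.update(FIELD_RE.findall(body))
    entry["SYN"] = " SYN " in f" {body} "   # TCP flag printed as a bare word
    return entry


def blocked_ports(lines, proto="TCP"):
    """Count dropped packets per destination port for one protocol,
    most frequent first: the table shape used in this HOWTO."""
    counts = Counter()
    for line in lines:
        entry = parse_log_line(line)
        if entry and entry.get("PROTO") == proto and "DPT" in entry:
            counts[int(entry["DPT"])] += 1
    return counts.most_common()


def top_sources(lines, n=5):
    """Source addresses with the most dropped packets."""
    counts = Counter(e["SRC"] for e in map(parse_log_line, lines) if e)
    return counts.most_common(n)


def summarize(text=SAMPLE_LOG):
    lines = text.splitlines()
    return {
        "tcp": blocked_ports(lines, "TCP"),
        "udp": blocked_ports(lines, "UDP"),
        "sources": top_sources(lines),
    }


if __name__ == "__main__":
    report = summarize()
    print("tcp packets denied by destination port\n")
    print("port                 count")
    for port, count in report["tcp"]:
        print(f"{port:<20} {count}")
    print("\nmost active sources:", report["sources"])
```

To use it on a real system, read /var/log/messages (or wherever syslog.conf sends kernel messages) and pass its lines to blocked_ports or summarize. Because the LOG rule in the script is rate-limited with -m limit, the counts are a lower bound during a flood; the non-kernel sshd line in the sample shows that everything without the prefix is ignored.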

How much you log, and how you read the logs, is up to you. It will
probably take some trial and error before your logging becomes really
useful. Tools like the following, which monitor logs and summarize
them, are a great help (though they too may need some trial and error
to configure):

 * A fine log entry analysis tool for ipchains and iptables, by
   Manfred Bartz: http://www.logi.cc/linux/NetfilterLogAnalyzer.php3.
   It tells you what your log entries mean.

 * LogSentry (formerly logcheck) is available at
   http://www.psionic.org/products/logsentry.html, from the same
   group as portsentry. LogSentry is a flexible, configurable
   log-monitoring tool that summarizes your logs.

 * http://freshmeat.net/projects/firelogd/ is a firewall log daemon
   by Ian Jones, designed to watch iptables or ipchains log data and
   send alerts.

 * http://freshmeat.net/projects/fwlogwatch/, by Boris Wesslowski,
   is similar in concept but supports more log formats.
   
 

5.9. n܂̏ꏊ

t@CA[EH[̃XNvgǂJn̂AԒPɌĂ݂
傤B

portsentry ͑̃VXeT[BXƓlɁA init vZXƂđ点
邱Ƃł܂Bꂪs邩͂قǏdvł͂܂B
tcpwrapper  inetd  xinetd ɂĎIɌĂяôŁA
Sz͂܂B

ApPbgtB^ÕXNvǵAǂŊJnKv
܂BāÃXNvǵÃ[J IP AhXp
dg݂Ă܂B͂̃XNvgÃC^[tF[X
オ IP AhX蓖ĂꂽŁAX^[gȂ΂Ȃ
ƂӖĂ܂BzIɂ́A̓C^[tF[Xオ
łׂłBłA̓C^[lbgɐڑĂ@
Ɉˑ܂B܂APPP  DHCP ̂悤ɁA蓖ĂIAĐ
̖ɈقȂ IP ɂȂ邩ȂvgRɂẮAK؂ȃf[
ɂẴXNvg𑖂点̂őPłB

PPP ɂẮA /etc/ppp/ip-up t@C邱Ƃł傤B
ڑAĐڑ̓xɎs܂Bt@CA[EH[XNvgւ̃tp
XɏĂBꏊɂĂ͌ʂ̃hLg`
FbNĂB Debian  /etc/ppp/ip-up.d/ ɂt@CQg
Ă܂̂ŁAɃXNvgguA܂̓VNĂ
B Red Hat ̓[U`[J PPP ݒɂĂ /etc/ppp/
ip-up.local p܂B

DHCP ́ÃNCAgɈˑ܂B dhcpcd ́A IP ̊蓖Ă
ꂽXV鎞͂łA /etc/dhcpcd/dhcpcd-<interface>.exe (Ⴆ
 dhcpcd-eth0.exe)s܂BłAt@CA[EH[XN
vgւ̎QƂuꏊɂȂ܂B pumpɂẮÃC̐ݒt
@C /etc/pump.conf łB Pump ́AV IP ̊蓖Ă
XVƂłAȉ̂悤ɁA"XNvg"Xe[gg
`ꂽSẴXNvg𑖂点܂F

 script /usr/local/bin/ipchains.sh                                     
                                                                       
                                                                       

If you have a static IP address (that is, one that does not change between connections), where the script runs matters less, but it should still be run before the interface is brought up.

 

5.10. Summary and Conclusions for Step 3

In this section we looked at the various components that can be used to build a "firewall". We learned that a firewall is as much a strategy and a combination of components as it is any one particular application or component. We looked at a few of the applications most commonly available on Linux systems. This is not an exhaustive list.

This section is a quick summary, and hopefully the reader has grasped the underlying concepts. It is meant to be a starting point, and a reference for further reading. The packet filtering firewall examples can be used as starting points: cut and paste them into a text file with a suitable name, make the file executable with chmod +x, and you are set. A variable or two may need editing. See the Links section for sites and utilities that generate custom scripts; they save a lot of tedious work.

That completes Steps 1, 2 and 3. At this point you should have implemented the basic measures and have a reasonably robust system facing the network. If you have not done all of the steps, now is a good time to stop and go back. The most important steps have now been covered.

A few quick questions and answers:

"Which is best: iptables, ipchains, tcpwrappers, or portsentry?" The short answer is that iptables can do more than any of the others. But if you don't have a 2.4 kernel, you can't use iptables. With a 2.2 kernel it is ipchains. The longer answer is "it depends on what you are doing, and what the objective is". Sorry. Each tool has its own strengths, and each can be effective in the right situation.

"Do I need all of them?" No. Combine the approaches, but don't rely on any single one. A good iptables script combined with other measures is much stronger than on its own. Don't depend on one method for your protection. A "layered" defense is always best, as with every other aspect of security administration. The world's best iptables script is just one piece of the puzzle, and it should not be used to cover up other weaknesses in the system.

"I have a small home LAN. Do I need a firewall on each computer?" No. A properly configured firewall on the LAN gateway is enough. It should keep unwanted traffic out. And if it lets in only what was asked for, there should be no unwanted traffic on the LAN. That said, there is nothing wrong with running a firewall on each computer either. On a larger LAN with a variety of platforms and untrusted users, that would be a good idea.

 

6. Intrusion Detection

This section deals with how to get some early warning of an intrusion, how to be alerted after the fact, and how to get a system back to a clean state after it has been broken into.

 

6.1. Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDS) are designed to catch what might have gotten past the firewall. They are designed either to catch an intrusion attempt in progress, or to detect an intrusion after the fact. In the latter case it is too late to prevent damage, but at least we know about it. There are two basic types of IDS: those that protect a network, and those that protect an individual host.

Host-based IDS are utilities that monitor the file system for changes. System files that have changed in some way, but should not have changed, are a dead giveaway that something is amiss. Anyone who breaks in and gets root will presumably make changes to the system somewhere. This is usually the first thing an intruder does, either to be able to get back in through a backdoor, or to launch attacks against someone else. In either case the intruder has to change or add files on the system.

This is where tools like tripwire (http://www.tripwire.org) come in. Such tools monitor various aspects of the file system and compare them against a stored database. They can be configured to send an alert when any change is detected. Tools like this should only be installed on a system known to be "clean" (not already compromised).

For a home desktop or a home LAN, this is probably not an absolutely essential component of an overall security strategy. But it does give peace of mind, and it certainly has its place. As far as priorities go, before taking this on, make sure Steps 1, 2 and 3 above have been implemented and verified.

RPM users can get somewhat the same result with rpm -Va, which verifies all installed packages, although it does not do everything a real IDS does. For instance, it will not detect new files added to most directories. Nor will it detect files whose extended attributes have been changed (for example with chattr +i; see man chattr and man lsattr). To be useful, it has to be done right after a clean install, and repeated after every package upgrade or addition:


                                                                    
 # rpm -Va > /root/system.checked                                   
                                                                    
                                                                    


That way we keep a snapshot of the system that we can compare against later.

Debian users have a similar tool, debsums:


                                                                    
 # debsums -s > /root/system.checked                                
                                                                    
                                                                    


Another idea is to run chkrootkit (http://www.chkrootkit.org/) as a weekly cron job. It detects the common "rootkits" (collections of tools that intruders install).

 

6.2. Have I Been Hacked?

Maybe you are reading this because you have noticed something "odd" about your system, and suspect that someone has gotten in. The following may give you some clues.

The first thing a typical intruder does is install a "rootkit". There are many prepackaged rootkits available on the Internet. A rootkit is essentially a script, or set of scripts, that makes quick work of modifying the system so that the intruder is in control and well hidden. The intruder does this by installing modified binaries of common system utilities and by tampering with log files. Or by modifying the kernel itself, with kernel modules. So a common command like ls may be altered so that it never shows where the intruder keeps his files. Clever!

A well-designed rootkit is quite effective. Nothing on the system can really be trusted to report accurately. Nothing! But sometimes the modifications are not as smooth as intended, and give hints. Some things that should raise suspicion:

  * login acts weird. Maybe nobody can log in. Or only root can log in. Any weirdness at all with login should be suspect. Likewise any weirdness with adding or changing passwords.

    Other system commands, such as top or ps, deserve the same suspicion.

  * System utilities are slower, or clumsier, or show strange and unexpected results. Utilities that are commonly modified include ls, find, who, w, last, netstat, login, ps and top. This is not a definitive list!

  * Files or directories named "..." or ".. " (dot dot space). A sure sign in many cases. Files with "haxor" looking names, like "r00t-something".

  * Unexplained bandwidth usage or connections. Script kiddies love IRC, so such connections should be a red flag.

  * Logs that are missing entirely, or missing large sections. Or a sudden change in syslog's behavior.

  * Mysterious open ports or processes.

  * Files that cannot be deleted or moved. Some rootkits use the chattr command to make files "immutable", that is, unchangeable. This kind of change is not visible to ls or rpm -V, so the files look normal on the surface. See the man pages for chattr and lsattr on how to reverse this. Then read the next section on restoring a system, because this one has been compromised.

    This has become a very common script kiddie trick. A quick way to check for it on a suspicious system (as root):
   
    
      /usr/bin/lsattr `echo $PATH | tr ':' ' '` | grep i--  
                                                            
    
   
    This finds every "immutable" file in root's PATH. Since no standard distribution ships files in that state, any hit is almost surely a sign of trouble. To be sure the command itself is working (and before concluding that the system is fine, see below), make a quick sanity check:
   
    
      # chattr +i /bin/ps                                       
      # /usr/bin/lsattr `echo $PATH | tr ':' ' '` | grep "i--"  
        ---i---------- /bin/ps                                  
      # chattr -i /bin/ps                                       
                                                                
    
   
    This only confirms that lsattr has not been crippled, and that the system has not been tampered with to that extent. The exact output may differ slightly from system to system, so look at the lines themselves.

  * Signs of a "sniffer" (a traffic capture and analysis tool), for example log messages about an interface entering "promiscuous" mode.

  * Modifications to /etc/inetd.conf, rc.local, rc.sysint or /etc/passwd. Especially additions. Try cat or tail to view these files; additions will most likely be appended at the end. Remember, though, that such changes may not be "visible" to any of the system's own tools.

Sometimes the intruder is not so smart and forgets about root's .bash_history, or forgets to clean up the log entries, or even leaves strange leftover files in /tmp. So always check those too. Just don't count on them being accurate. Often such leftover files or log entries have "script kiddie" sounding names, for example "r00t.sh".

Packet sniffers like tcpdump (http://www.tcpdump.org) can be useful for finding unwanted traffic. Interpreting sniffer output, however, is probably beyond the average new user. snort (http://www.snort.org) and ethereal (http://www.ethereal.com) are also useful. Ethereal has a GUI.

As mentioned, a compromised system will undoubtedly have altered system binaries, and the output of system utilities is not to be trusted. Nothing on the system can be relied upon to tell you the whole truth. Reinstalling individual packages may or may not help, since it could be the system libraries or kernel modules that are doing the dirty work. The point is that there is no way to know with absolute certainty exactly which components have been altered.

RPM users can try rpm -Va |less to verify the integrity of all packages. But again, there is no assurance that rpm itself has not been tampered with, or the system components that RPM relies on.

If you have pstree on your system, try it instead of the standard ps. Sometimes the script kiddies (the less skilled crackers who mostly run other people's scripts) forget about this one. No guarantees that it is accurate either, though.

You can also use the /proc filesystem to look for processes. It contains everything the kernel knows about the processes currently running:


                                                                    
 # cat /proc/*/stat | awk '{print $1,$2}'                           
                                                                    
                                                                    


That gives a list of all processes and their PIDs (assuming a malicious kernel module is not hiding them).
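
The /proc check above becomes more useful when its result is compared with what ps reports: a PID the kernel lists but ps does not is precisely the discrepancy a process-hiding rootkit produces. The script below is an added example, not the HOWTO's code; the PID lists used for the demo are constructed, and the live_check function assumes a Linux /proc and a POSIX ps.

```shell
#!/bin/sh
# Added example (not the HOWTO's own code): compare the kernel's view of
# running processes (/proc/*/stat) with what the ps utility reports.

# kernel_pids: PIDs read straight from /proc/*/stat (field 1), the same
# source as the "cat /proc/*/stat" one-liner in the text.
kernel_pids() {
    for s in /proc/[0-9]*/stat; do
        [ -r "$s" ] && awk '{ print $1 }' "$s"
    done
}

# ps_pids: PIDs as reported by ps
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# hidden_pids KERNEL_LIST PS_LIST: PIDs present in the first file but absent
# from the second (comm needs sorted input, hence the temporary copies).
hidden_pids() {
    a=$(mktemp); b=$(mktemp)
    LC_ALL=C sort -u "$1" > "$a"
    LC_ALL=C sort -u "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# live_check: run the comparison on this host. A process that exits between
# the two listings shows up as a false positive, so repeat before concluding
# anything; a PID that is hidden on every run is the one to worry about.
live_check() {
    k=$(mktemp); p=$(mktemp)
    kernel_pids > "$k"
    ps_pids > "$p"
    hidden_pids "$k" "$p"
    rm -f "$k" "$p"
}

# Constructed demo data: the kernel knows about PID 1337, ps does not show it.
KLIST=$(mktemp); PLIST=$(mktemp)
printf '%s\n' 1 2 3 4 1337 2000 > "$KLIST"
printf '%s\n' 1 2 3 4 2000      > "$PLIST"
hidden_pids "$KLIST" "$PLIST"
```

The same caveat as in the text applies: if the rootkit lives in the kernel, /proc itself may lie, and the two lists will agree even though a process is hidden. The comparison catches the cheaper trick of replacing ps.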

Another approach is to visit http://www.chkrootkit.org, download the rootkit checker, and check the system with it.

Probably the best discussion of this subject is at http://www.fish.com/security/, which also has a tool aptly named "The Coroner's Toolkit" (TCT).

Read on for the steps to recover from an intrusion.

 

6.3. Reclaiming a Compromised System

So now you have confirmed the intrusion, and know that someone else has root access to your system. Quite likely there are one or more hidden backdoors as well. You have lost control. How do you clean up and regain control?

There is no sure-fire way of doing this short of a complete reinstall. There is no way to find, with any assurance, all of the modified files and hidden backdoors that may have been left behind. Trying to patch up a compromised system risks a false sense of security, and may actually make an already bad situation worse.

The steps to take, in order:

  * Pull the plug and disconnect the machine from the network. You may be unwittingly taking part in criminal activity, and doing to others what was done to you.

  * Depending on how much time and effort you want to put into it, it may be worth trying to track down the source of the intrusion, to find out how the intruder got in and what was done. This could take days, and is not for the faint-hearted; it may require more experience than the typical user has, and possibly professional help.

  * Back up your important data. Do not include any system files in the backup, nor system configuration files like inetd.conf. Limit the backup to personal data files only! You do not want to back up, and then restore, something that reopens a backdoor.

  * Reinstall from scratch, and format the drive during the install (mke2fs) to make sure no remnants are left behind. Actually, replacing the drive is not a bad idea, especially if you want to preserve the evidence for later analysis.

  * Restore your data from the backups. Right after a clean install is the best time to install an IDS (Intrusion Detection System) such as tripwire (http://www.tripwire.org).

  * Apply all of your distribution's latest updates and patches. Check the vendor's web site for security-related information.

  * Re-examine the system for unnecessary services. Re-examine the firewall and access policies, and tighten every hole. Use new passwords; the old ones are undoubtedly compromised.

  * Reconnect the system ;-)

At this point, do not use any of the rootkit removal tools available online. They probably work just fine in most cases, but we are talking about being 100% sure here, and a clean reinstall is the only way to be confident that every trace of the intrusion is gone.

 

7. General Tips

This section quickly summarizes some general concepts for maintaining a more secure and reliable system or network. The emphasis is on "maintaining", since computer systems change daily, as does the environment around them. As mentioned before, there is no single thing that makes a system secure; there are too many variables. Security is an approach and an attitude, more than a reliance on any particular product, application or policy.

  * Do not allow remote root logins. This is controlled by a configuration file such as /etc/securetty. Remove every line that begins with "pts". This is one big security hole.

  * In fact, do not log in as root at all. Period. Log in as a user and su to root if necessary, whether the login is remote or local. Or use sudo, which can run individual commands with root privileges (your vendor should have a sudo package). This takes some getting used to, but it is the "right" way to do things, and the safest. It becomes second nature the more you do it.

    I know someone is thinking, "that's too much trouble, I'm root, it's my system". True, but root is a special account that was never intended to be used as an everyday user account. root has access to everything, even hardware devices. The system "trusts" root: it assumes root knows what he is doing. If you make a mistake, the system assumes you meant it, and does its best to carry out your instructions, even if that destroys the system!

    For example, say you start X as root, open Netscape, and visit a web site. The web page contains a malicious java script. That badly behaved script now has far deeper access to your system than it would if you had been running as a normal user, as you should.

  * Take passwords seriously. Do not give them to anyone. Do not use the same password for everything. Do not use root's password for anything else (except root's password!). Never sign up or register online using any of your system passwords. Passwords should be a combination of upper and lower case letters, numbers and/or punctuation, and of reasonable length (eight characters or more). Do not use easily guessed "dictionary" words like "cat" or "dog". Do not incorporate personal information such as names, dates or hostnames. Do not write system passwords down; memorize them.

    Use the more secure "shadow" passwords. This has been the default on all recent Linux distributions for some time now. If the file /etc/shadow exists, it is already enabled. The pwconv and grpconv commands convert the password and group files to shadow format if necessary.

  * Avoid programs that require clear-text logins over untrusted networks like the Internet. telnet is a prime example. ssh is much better. If SSL (Secure Socket Layer) support is available, use it. For instance, does your provider offer POP or IMAP mail over SSL? Recent distributions include openssl (http://www.openssl.org/), and many Linux applications can use SSL where it is supported.

  * Set resource limits. There are various ways to do this. The need for it grows with the number of users accessing a given system. Such limits not only prevent foreseeable mishaps like a full disk, they also help against unintentionally misbehaving applications and processes. The quota command (man quota) limits disk space. bash includes the ulimit command (man ulimit or man bash), which can limit various functions on a per-user basis.

    Also, though not discussed here at any length, PAM (Pluggable Authentication Modules) provides a very sophisticated approach to controlling various system functions and resources. See man pam to get started. PAM is configured via /etc/pam.conf or /etc/pam.d/*. The files in /etc/security/*, including /etc/security/limits.conf, let you impose various sane limits. An in-depth look at PAM is beyond the scope of this document; see the User-Authentication HOWTO (http://tldp.org/HOWTO/User-Authentication-HOWTO/index.html) for more. (Japanese translation: http://www.linux.or.jp/JF/JFdocs/User-Authentication-HOWTO.txt)

  * Make sure somebody is reading root's mail, such as notices of intrusion attempts. This can be done with an "alias". On a typical mail server, this is defined in /etc/aliases. If necessary, change it to point at a human's account:

      # Person who should get root's mail.  This alias
      # must exist.
      # CHANGE THIS LINE to an account of a HUMAN
      root:           hal@bigcat

    Then remember to run newaliases (or the equivalent) afterward.

  * Be careful where you get software. Use trusted sources. How well do you know these people? Check your vendor first if it has the package; that is probably best for your system anyway. Or the original project site of the package. Installing from source (either a tarball or a src.rpm) at least gives you the chance to examine the code, even if you can't actually read it ;-). As popular as the big Linux software sites are, it is relatively easy for someone to insert a few lines into a program, turn it into a Trojan horse that lets a stranger into your system, and slip the binary onto such a site. It is not even all that rare.

  * So someone scanned your system, or even tried to break in? Don't retaliate. Chances are good that the IP address belongs to a compromised system whose owner is an unwitting victim too. Or the traffic may come from a misconfigured service on the remote end, or its provider doing some troubleshooting. In any case, the best course is to report the incident to the provider or owner of the offending IP, typically at an address like "abuse@someisp.com". But don't expect much. Generally speaking, unless there was an actual break-in, such activity is not even illegal. Even if it were a crime, unless there was serious (i.e. monetary) damage, legal action would be unlikely.

  * Red Hat, Mandrake and Debian users can use the "Bastille Hardening System" (http://www.bastille-linux.org/). This is a multi-purpose system for "hardening" Red Hat and Mandrake system security. It has a GUI interface that can construct firewall scripts from scratch and configure PAM, among many other things. Debian support is new.

  * Are you connected to the Internet full time, over cable or DSL? Do you always need to be? "The only truly secure system is one disconnected from the network", as the saying goes. That is certainly one option. If you go that way, use the options of the connection daemon (dhcpcd, pppoed, etc.) to bring the interface down, or set up a cron job that drops the connection on a schedule.

  * What about the cable and DSL routers that are often sold as "firewalls"? Most of these units do NAT (Network Address Translation) and also act as a firewall that can block incoming ports. NAT by itself keeps the systems behind the gateway fairly safe, and it is not a full-featured firewall beyond that. If you have not opened any ports, nothing from outside gets in. But you are relying on the router's firmware. An additional firewall of your own behind such a router cannot hurt.

  * What about wireless network cards and hubs? They are not safe at all. Treat them like an Internet connection. Use secure protocols such as ssh, even if the connection is only to the box next door on the LAN.

  * If you find you need to run a particular service, and it is for yourself or a limited group of people, run it on a non-standard port number. Most server daemons support this. For instance, sshd listens on port 22 by default. Every script kiddie knows that, and will probe it. So run it on another port! See the sshd man page.

  * What about "personal firewall" applications that block Internet connections per application (like ZoneAlarm from the Windows world)? These are mainly a response to the overwhelming problem of viruses and Trojan horses on MS operating systems. They are not really needed on Linux. In fact, at the moment, no such application exists for Linux, and there probably will not be one any time soon. Linux has good firewalls already; use the approaches in this document instead.

  * Finally, know your system. Don't think that because you are new to Linux you cannot possibly understand it well enough. Learn. And as you learn, do things the "right way" from the start, even if it is not the easiest way. There are usually years of experience behind the "right way", and it is the right way because shortcuts eventually bite. It may seem like unnecessary trouble now, but in time you will see why it matters.

    Get to know the services you run. At least get to know what each service is, and how it relates to the health of the system as a whole. Read the documentation and look around. Do not run a service "just because you can", or because it was installed. Obviously nobody is an experienced system administrator from day one. But the more effort you put into learning your system, the more control over it you have. This is one of the big differences between *nix and MS systems: on MS systems full control was never really possible; on *nix it is. And conversely, if something goes wrong, there is usually nobody to blame but yourself.
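
Several of the tips above reduce to checking a line or two of configuration, which is easy to script and re-run after every upgrade. The helpers below are an added example, not code from the HOWTO: they look for "pts" entries in a securetty-style file, check where root's mail is aliased to, and apply the password rules given above (length, mixed case, digit or punctuation; the dictionary-word rule is left out). The config excerpts are constructed for the demo; on a real host point the functions at /etc/securetty and /etc/aliases.

```shell
#!/bin/sh
# Added example (not the HOWTO's own code): audit helpers for a few of the
# general tips. Demo inputs are constructed files, not the real /etc ones.

# remote_root_ttys FILE: lines in a securetty-style file beginning with "pts",
# i.e. pseudo-terminals on which root may log in remotely. No output is good.
remote_root_ttys() {
    grep '^pts' "$1" || true
}

# root_mail_target FILE: the address root's mail is aliased to
root_mail_target() {
    sed -n 's/^root:[[:space:]]*//p' "$1" | head -n 1
}

# root_mail_goes_to_human FILE: succeeds only if root's mail is redirected
# to some account other than root itself
root_mail_goes_to_human() {
    t=$(root_mail_target "$1")
    [ -n "$t" ] && [ "$t" != "root" ]
}

# password_ok PASSWORD: at least 8 characters, upper and lower case letters,
# and a digit or punctuation character
password_ok() {
    p=$1
    [ "${#p}" -ge 8 ] || return 1
    case $p in *[a-z]*) ;; *) return 1 ;; esac
    case $p in *[A-Z]*) ;; *) return 1 ;; esac
    case $p in *[0-9]*|*[!a-zA-Z0-9]*) ;; *) return 1 ;; esac
    return 0
}

# Constructed demo files
SECURETTY=$(mktemp); ALIASES_BAD=$(mktemp); ALIASES_GOOD=$(mktemp)
printf '%s\n' console tty1 tty2 pts/0 pts/1 > "$SECURETTY"
printf '%s\n' 'postmaster: root' 'root: root' > "$ALIASES_BAD"
printf '%s\n' 'postmaster: root' 'root:           hal@bigcat' > "$ALIASES_GOOD"

echo "remote root ttys (should be empty):"; remote_root_ttys "$SECURETTY"
root_mail_goes_to_human "$ALIASES_BAD"  || echo "root's mail is not read by a human"
root_mail_goes_to_human "$ALIASES_GOOD" && echo "root's mail goes to $(root_mail_target "$ALIASES_GOOD")"
password_ok 'Tr0ub4dor&3' && echo "Tr0ub4dor&3: acceptable"
password_ok 'password1'   || echo "password1: rejected"
```

The password helper enforces only the mechanical rules from the list; it is a sanity check for scripts that create accounts, not a substitute for a user's judgment about dictionary words and personal details.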
   
 

8. Appendix

8.1. Servers, Ports, and Packets

Let's take a quick look, in non-technical terms, at some basic networking concepts and how they can affect security. You don't need to know a great deal about networking, but a general idea of how things work helps in understanding the firewall problem.

Maybe you haven't noticed, but Linux is a very network-oriented operating system. Much of what it does is done by connecting to "servers" of one kind or another: X servers, font servers, print servers and so on.

Servers provide "services", and the services provide various capabilities, both to the local system and potentially to other remote systems as well. Generally a given server provides one function. Each one runs in the background, waiting to answer connection requests. We may not be aware of the print server until we need it, but when we go to print (assuming the printer works), the print server is there, listening and waiting for a connection. A typical Linux install has quite a few servers available. Default installs often leave many of them "on" and running, whether they are needed or not.

Even if you are not connected to a real network, you are still "networked". Take the ubiquitous local X server as an example. It may be tempting to think of it as just something that provides a GUI, but that is a narrow view. It serves client applications, and really is a server. X Window can serve remote clients across a network, even a network as large as the Internet. Not that you would necessarily want to ;-)

So if you are not running a firewall, and have taken no other measures, and are connected to the Internet, then anyone, anywhere, could conceivably connect to your X server. X11 listens on TCP "port" 6000 by default. The same principle applies to most other servers: unless something is done to restrict access, anyone can connect easily.

On a TCP/IP (Transmission Control Protocol/Internet Protocol) network like the Internet, every connected computer has a unique "IP address". Think of it as a telephone number. Each person has a phone number; to call someone, you need that number and you dial it. For the phone system to work, numbers have to be unique within the system. IP addresses are generally written as four dot-separated numbers, for example 152.19.254.81.

In this kind of networking we say that a server is "listening" on a "port". What that means is that the server has a port open and is waiting for incoming connections on it. The connection may be local, as is typical with X, or it may come from a remote computer "anywhere". Either way, the server "answers" on that port. Most servers have default ports: a web server uses port 80, X11 uses 6000. For a list of common ports and the services they provide, see the /etc/services file.

A "port" is really just an address inside the kernel's networking stack, one of the mechanisms TCP and other protocols use to control connections and move data between computers. There are 65,536 TCP and UDP ports in all, but only a tiny fraction are in use at any one time. Ports below 1024 are "privileged", and those from 1024 upward are "unprivileged". Most servers use privileged ports.

Generally a server listens on one port, but it can open multiple connections through that single port. Computers talk to each other through "port" connections: one computer opens a connection to a port on another, and data flows over the connection established between the two ports.

Back to the telephone analogy. Imagine calling a large organization with a complex phone system. The organization has "departments": sales, shipping, accounting, receiving, customer service, accounts payable, and so on. Each department has its own "extension": shipping is extension 21, sales is extension 80, and so forth. In this analogy, the main number is the IP address and each extension is a port number. The extension numbers never change. And the switchboard can handle many calls at once.

Data travels in "packets". A packet is a small unit of data, generally 1500 bytes or less. Packets are used not only to carry data but also to control and organize the connection. There are different packet types; some are used specifically to control the connection, while others carry data as their payload. If the data is bigger than a packet, it is split across multiple packets, which is nearly always the case. The packets are then "reassembled" into one whole at the receiving end. Receiving a web page, for example, may involve many packets. All of this happens in the blink of an eye.

Here is one line from netstat's output, showing a typical connection between two computers:


 tcp    30    0 169.254.179.139:1359    18.29.1.67:21      CLOSE_WAIT 
                                                                      
                                                                      


The fourth and fifth columns are the IP address and port number at each end. The port number is the number to the right of the colon; the number to the left of the colon is the IP address. The fourth column is the local address, our end of the connection. Here, 169.254.179.139 is the IP address assigned by my ISP. It is connected to port 21 (FTP) of 18.29.1.67, which is rpmfind.net's address. I was in the middle of an FTP download from rpmfind.net. While connected to the FTP server on port 21, my FTP client is using local port 1359. That number was taken from the "unprivileged" range and is used as my end of this two-way "conversation". Data moves in both directions, our side:1359 <-> their side:21. The FTP protocol is actually a good deal more complicated than that, but let's not go into the details. CLOSE_WAIT is the TCP state of this connection at that moment. Eventually the connection is fully closed at both ends and disappears from netstat's output.

The "unprivileged" port used on the client side of a connection is temporary and has nothing to do with any server running locally. The kernel releases it when the connection ends. It is a completely different thing from a port opened by a "listening" server. That port is permanent and remains "open" after the remote connection ends.

Let's summarize the example. We connected as a client to a server (rpmfind.net). The connection was defined and controlled by the ports at each end. The data was organized and controlled in packets. The server listened on a "privileged" port (one below 1024), with that port open and waiting for connections. The "unprivileged" port used on my client end was temporary, open only for the duration of the connection, answering to the server's port at the other end. Generally speaking, ports of this kind are not points of attack. The server's port is the risky one, because it is open. The FTP server's administrator has to take appropriate precautions to keep that server safe. Other Internet connections, such as those to a web server or a mail server, work the same way, with different server ports. An SMTP mail server uses port 25, a web server typically 80. See the ports section for more on commonly used port numbers and their services.

The point about ports: a port is only accessible if something is listening on it. If no daemon is listening on a port and waiting to answer connection requests, nobody can force that port open. A closed port is completely safe.

One last point about the difference between clients and servers. In the netstat example above there are no telnet or ftp entries in the LISTEN section. So no such servers are running locally. You do not need a telnet or ftp server daemon in order to connect to someone else's telnet or ftp server. Those daemons exist to serve others who want to connect to you. In most cases, very few people have any need for that. Not running the server has no effect whatsoever on your ability to use the telnet or ftp client software.

 

8.2. Common Ports

Let's take a brief look at the commonly used ports, the services that typically sit on them, and the risk involved. Every port carries some risk. Some are simply historically more attacked than others. The list below suggests how each should be rated, but it does not imply that any service is ever completely safe.

Ports 1 through 19: various old protocols, mostly historical, and probably not needed on any system today. If you don't know what they are, you definitely don't need them. Port 7, the echo service, is not to be confused with the ping program. All of these should be off.

Port 20 (FTP-DATA). "Active" FTP connections use two ports: 21 is the control port, and 20 is where the data flows. Passive FTP does not use port 20 at all. Low risk, but see below.

Port 21 (FTP server port, or File Transfer Protocol). A well-established protocol for moving files between systems. Historically very vulnerable, and a favorite target of brute-force attacks.

Port 22 (SSH, Secure Shell, or occasionally PCAnywhere). Low risk. (But no "secure" service is immune to attack.)

Port 23 (Telnet server). For use on the LAN only. Use ssh for anything not secured. Medium risk.

Port 25 (SMTP, Simple Mail Transfer Protocol, or mail server port). Used to send mail outward and to transfer mail from one place to another. Medium risk. Historically heavily attacked, but things have improved recently.

Port 37 (time service). This is inetd's built-in time service. Medium risk. LAN use only.

Port 53 (DNS, Domain Name Server port). Nameservers listen on this port and answer queries that resolve hostnames to IP addresses. High risk.

Port 67 (UDP) (BOOTP, the DHCP server port). Medium risk. If you use DHCP on your LAN, there is no need to expose this to the Internet.

Port 68 (UDP) (BOOTP or DHCP client port). Medium risk.

Port 69 (tftp, Trivial File Transfer Protocol). Extremely dangerous. Only if really, really needed, and on the LAN only.

Port 79 (finger, used to provide information about the system and logged-in users). Low risk as a cracker target, but it gives away too much information and should not be run.

Port 80 (WWW or HTTP, the standard web server port). The most common Internet service. Low risk.

Port 98 (Linuxconf web access administration port). Only if really needed, and on the LAN only.

Port 110 (POP3, Post Office Protocol, mail server port). POP mail lets users retrieve mail from remote systems. Medium risk.

Port 111 (sunrpc, Sun Remote Procedure Call, or portmapper port). Used by NFS (Network File System), NIS (Network Information Service) and various related services. It sounds dangerous, and it is potentially high risk. LAN use only. A favorite cracker target.

Port 113 (identd, or auth server port). An old-style service that some services (like SMTP and IRC) use to verify connections. Probably not needed in most cases. Low risk, but it may hand information about the system to an attacker.

Port 119 (nntp, or news server port). Medium risk.

Port 123 (NTP, Network Time Protocol, for synchronizing with a trusted time server). Low risk, but probably not needed by most users. rdate is a simpler and safer way to update the system clock. For keeping LAN systems in sync, the time service built into inetd is another option.

Ports 137 through 139 (NetBios (SMB) services). Mostly Windows stuff. Low risk on Linux, but LAN use only. Attacks on port 137 are very common. This is not hostile traffic; it is noise generated by Windows networking, a protocol native to Redmond.

Port 143 (IMAP, Interim Mail Access Protocol). Another mail retrieval protocol. Low to medium risk.

Port 161 (SNMP, Simple Network Management Protocol). Generally used to monitor routers, switches and similar equipment. Not needed in most cases. Low risk.

Port 177 (XDMCP, X Display Management Control Protocol, for remote connections to X servers). Low risk, but LAN use only is recommended.

Port 443 (HTTPS, the widely used secure HTTP (WWW) protocol). Medium risk.

Port 465 (SMTP over SSL, the secure mail server protocol). Medium risk.

Port 512 (TCP) (netstat shows this as exec, but it is really rexec, for remote execution of commands). Looks innocent enough, but it is potentially dangerous. High risk; LAN use only in any case.

Port 512 (UDP) (biff, the mail notification protocol). Medium risk. LAN only.

Port 513 (login, that is rlogin or remote login). Nothing to do with the standard /bin/login used when you log in. Sounds harmless, but it is potentially dangerous. High risk; if really needed at all, LAN use only.

Port 514 (TCP) (shown by netstat under the alias shell; this is really rsh, the "Remote Shell"). Like all the "r" commands, a throwback to kinder, gentler times. Very insecure, high risk. LAN use only in every case.

Port 514 (UDP) (the syslog daemon's port, used only for remote logging). The average user does not need it. Probably low risk, but LAN use only when really needed.

Port 515 (lp, the print server port). Low risk. LAN only. Someone on the other side of the world is not going to use your printer for its intended purpose!

Port 587 (MSA, the "mail submission agent" protocol). A new mail-submission protocol supported by most MTAs (mail servers). Medium risk.

Port 631 (CUPS (the print daemon) web management port). LAN use only. Medium risk.

Port 635 (mountd, part of NFS). LAN use only.

Port 901 (SWAT, the Samba web administration tool port). LAN use only.

Port 993 (IMAP over SSL, the secure IMAP mail service). Very low risk.

Port 995 (POP over SSL, the secure POP mail service). Very low risk.

Port 1024 (the first "unprivileged" port, assigned dynamically by the kernel to whatever application asks for one). It can be almost anything. See the discussion of ports above.

Port 1080 (Socks proxy server). A cracker favorite.

Port 1243 (SubSeven Trojan). Windows only.

Port 1433 (MS SQL server port). Increasingly a target. Does not apply to Linux.

Port 2049 (nfsd, the Network File Service daemon port). High risk. LAN use only is recommended.

Port 3128 (squid proxy server port). Low risk, but LAN use only in most cases.

Port 3306 (MySQL server port). Low risk, but LAN use only in most cases.

Port 5432 (PostgreSQL server port). LAN use only. Relatively low risk.

Ports 5631 (TCP) and 5632 (UDP) (PCAnywhere ports). Windows only. PCAnywhere can be quite "noisy", broadcasting to wide ranges of addresses.

Port 6000 (X11 TCP port for remote connections). Low to medium risk, but again LAN use only. X actually supports multiple displays, each with its own port, so ports 6000 through 6009 may be included. ssh's X11 forwarding starts at port 6010.

Port 6346 (gnutella).

Port 6667 (ircd, the Internet Relay Chat daemon).

Port 6699 (napster).

Ports 7100 through 7101 (font servers may use these ports). Low risk, LAN use only.

Ports 8000 and 8080 (usually web caching and proxy server ports). LAN only.

Port 10000 (webmin, a web-based system administration utility). Medium risk at this time.

Port 27374 (SubSeven, another Windows-only Trojan). See port 1243.

Port 31337 (Back Orifice, yet another well-known Windows Trojan).

More services and their corresponding port numbers can be found in /etc/services. The "official" list is at http://www.iana.org/assignments/port-numbers.

An excellent analysis by Robert Graham of what probes to various ports mean is at http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html. Very good.

The point to remember is that these are just the standard port designations. Nothing says a service must run on a given port. They usually do, but not always.

Remember too that you do not have to be alarmed every time one of these ports shows up in your firewall logs. As long as the firewall is in place per Steps 1 through 3 above and has been verified, you are safe. You will never know the "intent" behind that traffic: it may be Internet background noise, a misconfigured client or router somewhere, or noisy Windows-related software.

 

8.3. Netstat Tutorial

8.3.1. Overview

netstat is a very useful utility for viewing the current state of your network: which servers are listening for incoming connections, which interfaces they listen on, who is connected to us, who we are connected to, and so on. Look at the man page for the many command line options; only a few are used here.

As an example, let's check all TCP and UDP servers and active connections on a hypothetical host, bigcat. bigcat is a home desktop machine with a DSL Internet connection in this example. bigcat has two ethernet cards: one for the external connection to the ISP, and one for a small LAN with the address 192.168.1.1.


                                                                                
$ netstat -tua                                                                  
Active Internet connections (servers and established)                           
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 *:printer               *:*                     LISTEN      
tcp        0      0 bigcat:8000             *:*                     LISTEN      
tcp        0      0 *:time                  *:*                     LISTEN      
tcp        0      0 *:x11                   *:*                     LISTEN      
tcp        0      0 *:http                  *:*                     LISTEN      
tcp        0      0 bigcat:domain           *:*                     LISTEN      
tcp        0      0 bigcat:domain           *:*                     LISTEN      
tcp        0      0 *:ssh                   *:*                     LISTEN      
tcp        0      0 *:631                   *:*                     LISTEN      
tcp        0      0 *:smtp                  *:*                     LISTEN      
tcp        0      1 dsl-78-199-139.s:1174   64.152.100.93:nntp      SYN_SENT    
tcp        0      1 dsl-78-199-139.s:1175   64.152.100.93:nntp      SYN_SENT    
tcp        0      1 dsl-78-199-139.s:1173   64.152.100.93:nntp      SYN_SENT    
tcp        0      0 dsl-78-199-139.s:1172   207.153.203.114:http    ESTABLISHED 
tcp        1      0 dsl-78-199-139.s:1199   www.xodiax.com:http     CLOSE_WAIT  
tcp        0      0 dsl-78-199-139.sd:http  63.236.92.144:34197     TIME_WAIT   
tcp      400      0 bigcat:1152             bigcat:8000             CLOSE_WAIT  
tcp     6648      0 bigcat:1162             bigcat:8000             CLOSE_WAIT  
tcp      553      0 bigcat:1164             bigcat:8000             CLOSE_WAIT  
udp        0      0 *:32768                 *:*                                 
udp        0      0 bigcat:domain           *:*                                 
udp        0      0 bigcat:domain           *:*                                 
udp        0      0 *:631                   *:*                                 
                                                                                
                                                                                


This output probably looks quite different from what you would see on your own system. Note the differences between the "Local Address" and "Foreign Address" columns, and how each ends in a port number (or the service name where one can be resolved). "Local Address" is our end of the connection. The first group, with LISTEN in the rightmost column, are the services currently available on this system, that is, the servers running in the background on bigcat and "listening" for incoming connections. So we have open ports, "listening". Those connections might come from the local system (bigcat itself) or from a remote system. This is very important information! The remaining entries are connections established from this system to other systems. Each connection is in some state, shown by the keyword in the last column. The last few entries, with nothing in the last column, are UDP servers. UDP is a completely different protocol from TCP, used for lower-priority network communication.

To suppress the translation into "service" names, add the -n flag, and the actual port numbers appear instead:


$ netstat -taun                                                               
Active Internet connections (servers and established)                         
Proto Recv-Q Send-Q Local Address           Foreign Address      State        
tcp        0      0 0.0.0.0:515             0.0.0.0:*            LISTEN       
tcp        0      0 127.0.0.1:8000          0.0.0.0:*            LISTEN       
tcp        0      0 0.0.0.0:37              0.0.0.0:*            LISTEN       
tcp        0      0 0.0.0.0:6000            0.0.0.0:*            LISTEN       
tcp        0      0 0.0.0.0:80              0.0.0.0:*            LISTEN       
tcp        0      0 192.168.1.1:53          0.0.0.0:*            LISTEN       
tcp        0      0 127.0.0.1:53            0.0.0.0:*            LISTEN       
tcp        0      0 0.0.0.0:22              0.0.0.0:*            LISTEN       
tcp        0      0 0.0.0.0:631             0.0.0.0:*            LISTEN       
tcp        0      0 0.0.0.0:25              0.0.0.0:*            LISTEN       
tcp        0      1 169.254.179.139:1174    64.152.100.93:119    SYN_SENT     
tcp        0      1 169.254.179.139:1175    64.152.100.93:119    SYN_SENT     
tcp        0      1 169.254.179.139:1173    64.152.100.93:119    SYN_SENT     
tcp        0      0 169.254.179.139:1172    207.153.203.114:80   ESTABLISHED  
tcp        1      0 169.254.179.139:1199    216.26.129.136:80    CLOSE_WAIT   
tcp        0      0 169.254.179.139:80      63.236.92.144:34197  TIME_WAIT    
tcp      400      0 127.0.0.1:1152          127.0.0.1:8000       CLOSE_WAIT   
tcp     6648      0 127.0.0.1:1162          127.0.0.1:8000       CLOSE_WAIT   
tcp      553      0 127.0.0.1:1164          127.0.0.1:8000       CLOSE_WAIT   
udp        0      0 0.0.0.0:32768           0.0.0.0:*                         
udp        0      0 192.168.1.1:53          0.0.0.0:*                         
udp        0      0 127.0.0.1:53            0.0.0.0:*                         
udp        0      0 0.0.0.0:631             0.0.0.0:*                         
                                                                              
                                                                              


Let's look at the first few lines in detail. The first line:


 tcp        0      0 0.0.0.0:515            0.0.0.0:*          LISTEN       
                                                                            
                                                                            


The "Local Address" is 0.0.0.0, which means "all available interfaces". The local port is 515, the standard print server port, usually used by the lpd daemon. The mapping of common services to ports can be found in /etc/services.

The fact that it listens on all interfaces is significant. In this case that means lo (localhost, the loopback interface), eth0 and eth1. Print connections could conceivably come over any of them. If a user on this system brought up a PPP interface, the print daemon would listen on that one (ppp0) too. The "Foreign Address" is also 0.0.0.0, meaning "anywhere".

It is also worth noting that even though this server asks the kernel to listen on all interfaces, the netstat output says nothing about whether a firewall is filtering incoming connections. There is simply no way to tell from this alone. Obviously, for this server, filtering is highly desirable: nobody outside the LAN has any reason to connect to your print server.

The second line is a little different:


 tcp        0      0 127.0.0.1:8000         0.0.0.0:*          LISTEN       
                                                                            
                                                                            


This time the "Local Address" is the localhost address, 127.0.0.1. This is very significant: it means only local connections to this machine are possible. In other words, only bigcat can connect to bigcat's TCP port 8000. The security implications are obvious. Not every server has a configuration option for this, but it is a very useful feature for those that do. In this example, port 8000 is the Junkbuster web proxy.

̎O̃Ggł́A܂SẲ\ȃC^[tF[X̏Ŏ
悤ɖ߂Ă܂F


 tcp        0      0 0.0.0.0:37             0.0.0.0:*           LISTEN      
 tcp        0      0 0.0.0.0:6000           0.0.0.0:*           LISTEN      
 tcp        0      0 0.0.0.0:80             0.0.0.0:*           LISTEN      
                                                                            
                                                                            


From /etc/services, port 37 is the "time" service, so this server is a time server. Port 6000 is X11, and port 80 is the standard port for an HTTP server such as Apache. Nothing unusual here; these are commonly available services on Linux.

The first two of these are definitely not services you want strangers connecting to. They should be firewalled so that all outside connections are refused. And again, this output does not tell us whether a firewall is in place, or how effectively it is configured.

Running a web server on port 80 is not a big security risk in itself. HTTP is a protocol that is often open to all comers. If you want to host your own home page, for instance, you would use Apache. You could also block it at the firewall and let only your LAN clients use it, as a sort of intranet. But if there is no legitimate reason to run a web server, it should be disabled entirely.

̓̍s͋[̂łF


 tcp        0      0 192.168.1.1:53         0.0.0.0:*           LISTEN      
 tcp        0      0 127.0.0.1:53           0.0.0.0:*           LISTEN      
                                                                            
                                                                            


Again, note that the "Local Address" is not 0.0.0.0. Great! This time the port number is 53, the DNS port used by nameservers such as named. And we can see that the nameserver daemon is listening only on the lo interface (localhost) and on the interface that connects bigcat to the LAN. So the kernel accepts connections only from localhost and the LAN. No outside connection to port 53 is possible at all. This is a good example of configuring an individual application securely. In this case we are most likely looking at a caching DNS server, since a real nameserver answering DNS queries for the world at large would need port 53 open to the world. Not exposing it to the outside is one less security risk to worry about.

The last three LISTENER entries, that is, servers listening on their ports:


 tcp        0      0 0.0.0.0:22             0.0.0.0:*           LISTEN      
 tcp        0      0 0.0.0.0:631            0.0.0.0:*           LISTEN      
 tcp        0      0 0.0.0.0:25             0.0.0.0:*           LISTEN      
                                                                            
                                                                            


These again listen on all available interfaces. Port 22 is sshd, the Secure Shell server daemon. Good! Note that in the first listing, the service on port 631 had no name. That is evidence that something unexpected is going on here (more on this in the next section). And finally port 25, the standard port for an SMTP mail daemon. Most Linux installs probably have an SMTP daemon running, so this is not necessarily unusual. But do you really need one?

The next group is the established connections. For our purposes the state of each connection, shown in the last column, is not so important. The man page explains the states in detail.


 tcp        0      1 169.254.179.139:1174    64.152.100.93:119    SYN_SENT      
 tcp        0      1 169.254.179.139:1175    64.152.100.93:119    SYN_SENT      
 tcp        0      1 169.254.179.139:1173    64.152.100.93:119    SYN_SENT      
 tcp        0      0 169.254.179.139:1172    207.153.203.114:80   ESTABLISHED   
 tcp        1      0 169.254.179.139:1199    216.26.129.136:80    CLOSE_WAIT    
 tcp        0      0 169.254.179.139:80      63.236.92.144:34197  TIME_WAIT     
 tcp      400      0 127.0.0.1:1152          127.0.0.1:8000       CLOSE_WAIT    
 tcp     6648      0 127.0.0.1:1162          127.0.0.1:8000       CLOSE_WAIT    
 tcp      553      0 127.0.0.1:1164          127.0.0.1:8000       CLOSE_WAIT    
                                                                                
                                                                                


There are nine connections here. The first three are outgoing connections to a remote host on port 119 (the standard NNTP news port), over the external interface. Three connections to the same news server: clearly the application is multi-threaded. The fourth entry is a connection to a remote web server, as the port 80 in the fifth column shows. Very ordinary, most likely. The sixth line is the reverse: port 80 appears in the fourth column, so this is someone from outside, on the Internet interface, connected to bigcat's web server. The last three entries are all localhost-to-localhost connections, that is, bigcat connected to itself. Recalling that port 8000 is bigcat's web proxy, this is a web browser talking to the local proxy. The proxy then opens outbound connections of its own, most likely lines 4 and 5 above.

Because netstat was given both the -t and -u options, both TCP and UDP listening servers are shown. The last four lines are the UDP ones:


 udp        0      0 0.0.0.0:32768          0.0.0.0:*                       
 udp        0      0 192.168.1.1:53         0.0.0.0:*                       
 udp        0      0 127.0.0.1:53           0.0.0.0:*                       
 udp        0      0 0.0.0.0:631            0.0.0.0:*                       
                                                                            
                                                                            


Ō̎O̃Gg͏̋c_Ōꂽ|[gĂ܂B
T[o TCP  UDP ̗̐ڑɎ܂Ă̂łB̏ꍇ
T[oAقȂ̃vgRgĂ̂łB[J|[g
32768 ԂgĂŏ̈͏łA /etc/services ̒ɂ̓T[
BX͂܂BłAꌩ́A͋^ׂ̂ŁAX̍D
Sh܂B̐ɂĂ͎̏͂ĂB

̉zIȏ󋵂ǂȌ_ł傤HقƂǂ̏ꍇɂ
āA Linux ɂĔɃm[}Ɍlbg[NT[B
XƐڑłBł͉ߓxɑ̃T[oĂ悤ɂ͌܂
ASẴT[o{ɕKvȂ̂łȂmȂ΁A
ɂ͑債Ӗ͂܂B̂ǂʓIɃt@CA[EH[
Ă邩ǂA netstat ͉ĂȂ̂łBłA
Sǂꂭ炢SȂ̂AƂ͂ł܂B܂
́AׂĂ̎܂ĂT[o̎ɂĖ{ɕKv
Ă̂ǂA܂킩܂B̓CXg[̏󋵂
ĕLςĂ܂ƂłBႦ΁Abigcat ɂ̓v^
ڑĂ̂ł傤H炭ł傤AłȂ΁A͑S
Kv̂ȂXNłB

 

8.3.2. |[gƃvZXL

̏͂ł bigcat ̃lbg[NŉNĂ邩ɂĂ
Ƃwт܂BAł͊w񂾂Ƃł́A̓̃T[
BXX^[ĝ܂Bx͂𒲂ׂ܂傤B܂A
X͓̃T[BX~ƎvĂ̂łA͏̏o
͖炩ȂƂł͂Ȃ̂łB

-p IvVgƁAŌ̃RɁÃvZX PID Ƃ̃vZ
XJnvO\܂BĂ TCP T[BX̃Xg
Ă݂܂傤ix̓Xy[X̊֌WAŏ̎O̃R͏ȗĂ
܂jBpłSē邽߂ɁA root ƂĂsKv
܂B


# netstat -tap                                                              
Active Internet connections (servers and established)                       
  Local Address           Foreign Address      State       PID/Program name 
  *:printer               *:*                  LISTEN       988/inetd       
  bigcat:8000             *:*                  LISTEN       1064/junkbuster 
  *:time                  *:*                  LISTEN       988/inetd       
  *:x11                   *:*                  LISTEN       1462/X          
  *:http                  *:*                  LISTEN       1078/httpd      
  bigcat:domain           *:*                  LISTEN       956/named       
  bigcat:domain           *:*                  LISTEN       956/named       
  *:ssh                   *:*                  LISTEN       972/sshd        
  *:631                   *:*                  LISTEN       1315/cupsd      
  *:smtp                  *:*                  LISTEN       1051/master     
                                                                            
                                                                            


̒ɂ͊ɊȂ݂̂̂܂B́A515 ԃ|[g
̃v^f[ "988" Ԃ PID  inetd ʂĊJnꂽƂ
܂B inetd ͓ʂȏ󋵂łB inetd ͂΂ "X[p[T[o"
ƌĂ΂܂A͂̎ȖTuf[YݏoƂ
Bŏ̍sƁAinetd ̓v^T[BX̂߂ 515 ԃ|[g
܂Ă܂B̃|[gɐڑĂƁAinetd r
ŕ߂܂āAK؂ȃf[A܂肱̏ꍇɂ̓vgf[𐶐
̂łB inetd ǂ̐ݒ́AT^Iȏꍇł /etc/
inetd.conf łȂ܂BłAPI inetd ɐ䂳Ă
T[o~Ȃ΁Ainetd i܂ xinetdj̐ݒڂׂȂ
΂Ȃ܂B܂ time T[ol inetd oRŊJnĂ
B̎́A̃T[BX tcpwrapper ĩXeb
vRŐ܂jŎ邱Ƃł邱ƂӖĂ܂B̓VX
eT[BX𐧌䂷̂ inetd p闘_̈łB

̏͂ł 631 ԃ|[g̃T[BXɂĂ͊mMĂ܂łˁB
ƌ̂AꂪWIȃT[BXĂȂŁA
炭A畁ʂłȂA퓹ɊOĂ邱ƂӖĂ邩
łBA₻ꂪ cupsd ɂďLĂ邱Ƃm邱Ƃ
܂B Linux Ŏgp\ȃvgT[öłBꂪ
܃v^T[BX𐧌䂷邽߂ web C^[tF[XɂȂĂ
̂łB cupsd 邱Ƃ͎ہÃvgT[oƂقƂǕς܂
B

̍Ō̃Gg bigcat  SMTP CT[ołB΂΁A
̃fBXgr[V sendmail ɂȂĂ܂BȀ
͂ł͂܂B̃R}h "master" ŁA댯ł͂Ȃ̂
v܂BvO킩΁Alocate  find Ƃc[Ńt@
CVXeTɍsƂłł傤Aꂪ΁Aǂ
pbP[WɑĂ邩邱Ƃł܂BA PID m
Ă̂łAȉ̂悤 ps R}hŁA邩
Ƃł܂F


 $ /bin/ps ax |grep 1051 |grep -v grep                              
  1051 ?        S        0:24 /usr/libexec/postfix/master           
                                                                    
                                                                    


ł͋ߓ邽߂ ps R}h grep ƍ킹ĎgĂ܂B
̃t@C postfix ɑĂ悤łB͎ sendmail Ɠ
CT[õpbP[WłB

ps --forest tbOiȗ` -f jƂƂɎgƁAǂ̃vZXe
vZXqvZX܂ʂ̂̂Ȃ̂肷̂ɕ֗łBȉ͂
̈łiҏWĂ܂jF


 $ /bin/ps -axf                                                         
  956 ?        S      0:00 named -u named                               
  957 ?        S      0:00  \_ named -u named                           
  958 ?        S      0:46      \_ named -u named                       
  959 ?        S      0:47      \_ named -u named                       
  960 ?        S      0:00      \_ named -u named                       
  961 ?        S      0:11      \_ named -u named                       
 1051 ?        S      0:30 /usr/libexec/postfix/master                  
 1703 ?        S      0:00  \_ tlsmgr -l -t fifo -u -c                  
 1704 ?        S      0:00  \_ qmgr -l -t fifo -u -c                    
 1955 ?        S      0:00  \_ pickup -l -t fifo -c                     
 1863 ?        S      0:00  \_ trivial-rewrite -n rewrite -t unix -u -c 
 2043 ?        S      0:00  \_ cleanup -t unix -u -c                    
 2049 ?        S      0:00  \_ local -t unix                            
 2062 ?        S      0:00  \_ smtpd -n smtp -t inet -u -c              
                                                                        
                                                                        


œAOӂ܂B܂łɓ݂ɂȂf[
F named  postfix (smtpd) łBƂTuvZXƂĐ
̂łB named ̏ꍇɂ́AĂ̂̓XbhŁAɐ
ĂlXȃTuvZXłB Postfix ꂽTuvZXłA
"Xbh"ƂĂł͂܂BeTuvZX͂ꎩg̓̎d
Ă܂BqvZX͐evZXɈˑĂƂƂ͒ӂ
lł傤BłAe PID EƁǍʁASĂ̎qv
ZXE܂B

̂ǂ̌ĂȂȂA locate gĂ
ł傤F


 $ locate /master                                                   
 /etc/postfix/master.cf                                             
 /var/spool/postfix/pid/master.pid                                  
 /usr/libexec/postfix/master                                        
 /usr/share/vim/syntax/master.vim                                   
 /usr/share/vim/vim60z/syntax/master.vim                            
 /usr/share/doc/postfix-20010202/html/master.8.html                 
 /usr/share/doc/postfix-20010202/master.cf                          
 /usr/share/man/man8/master.8.gz                                    
                                                                    
                                                                    


find R}h͂炭ƂRx̍t@CT[eBeB
łA locate 悤Ƀf[^x[XgȂ̂ŁAƒxł
F


 $ find / -name master                                              
 /usr/libexec/postfix/master                                        
                                                                    
                                                                    


 lsof CXg[Ă΁ANvZX|[gLĂ
邩̂ɕ֗Ȃ܂̃R}hłF


 # lsof -i :631                                                     
 COMMAND  PID  USER    FD   TYPE DEVICE SIZE NODE NAME              
 cupsd   1315  root    0u   IPv4   3734       TCP *:631 (LISTEN)    
                                                                    
                                                                    


͍ĂсAcupsd vgf[ 631 ԃ|[g̏L҂ł邱Ƃ
ĂĂ܂BƂA@œ킯łB𓾂܂
̕@ fuser ŁACXg[Ă͂łF


 # fuser -v -n tcp 631                                              
                                                                    
                      USER        PID  ACCESS  COMMAND              
 631/tcp              root       1315  f....   cupsd                
                                                                    
                                                                    


fuser  lsof R}h̕@ɂĂ man y[WQƂĂB

T[BXJnꏊT܂ʂ̏ꏊ́A init.d fBNg
ÁiSysVinit VXeɂẮj init XNvgZł
ꏊłB ls -l /etc/init.d/ ̂悤ȂƂ΁ÃXg
͂łB netstat pӂĂ悤ɁAKm"vO
"ƈvȂmȂ̂łA΂΁AXNvg̖Og
̃T[BXJn̂̃qgɂȂ܂B܂́Agrep R}h
pāAt@C̒gTăp^[}b`邱Ƃł܂B 
rpc.statd JnꂽꏊTKvāA̖Oł͂ǂ̃XNv
g킩ȂHł́c


 # grep rpc.statd /etc/init.d/*                                             
 /etc/init.d/nfslock: [ -x /sbin/rpc.statd ] || exit 0                      
 /etc/init.d/nfslock:    daemon rpc.statd                                   
 /etc/init.d/nfslock:    killproc rpc.statd                                 
 /etc/init.d/nfslock:    status rpc.statd                                   
 /etc/init.d/nfslock:    /sbin/pidof rpc.statd >/dev/null 2>&1; STATD="$?"  
                                                                            
                                                                            


̑S̏񂪎ەKvȂ킯ł͂܂񂪁AȂƂ␳mɂ
̃XNvgJnĂ̂킩܂BSẴT[BX
̂悤ɊJn̂ł͂ȂƂƂoĂĂB inetd
 xinetd oRŊJn邱Ƃ܂B

/proc t@CVXeĂvZXɂĒm肽Ƃ̑S
Ă܂BevZXɂĂȂ邽߂ɁA
₢킹邱Ƃł܂BvZXJnR}hւ̃tpX
m肽HȂ炱łB


 # ls -l /proc/1315/exe                                                       
 lrwxrwxrwx  1 root  root   0 July 4 19:41 /proc/1315/exe -> /usr/sbin/cupsd  
                                                                              
                                                                              


ŌɁAUDP Ɏ܂ĂT[BXɂĈqׂďI邱
Ƃɂ܂傤B 32768 ԃ|[gŕςȂƂƂvoĂ
B̓T[BXĂȂ̂łB


 # netstat -aup                                                                     
 Active Internet connections (servers and established)                              
  Local Address           Foreign Address         State       PID/Program name      
   *:32768                 *:*                                 956/named            
   bigcat:domain           *:*                                 956/named            
   bigcat:domain           *:*                                 956/named            
   *:631                   *:*                                 1315/cupsd           
                                                                                    
                                                                                    


 -p tbO "PID/ vO"IvV܂߂邱ƂɂāA
 named ܂lCT[of[ɑĂ邱Ƃ킩܂B
BIND ̍ŐṼo[W͂^Cv̒ʐMɂĂ͔|[gg
B̏ꍇɂ́A BIND 9.x łBłAł͖{̊댯
Ȃ̂łBł͂̔|[gnamed OƃAhXQƂ
߂ɑ̃lCT[oɘb̂ɎgĂāAt@CA[EH[
łhׂł͂Ȃ̂łB

܂X̂̉zIȏ󋵂ɂẮA傫ȋ͉ȂƂ
ƂłB

SĂ݂̎sāAJ|[gɂăvZX̏L҂
Ȃꍇɂ́Aꂪ RPC (Remote Procedure Call) T
[BXmȂƋ^ĂB͉̃WbNѐ
_Ɋ蓖Ăꂽ|[ggĂAT^Iɂ portmap f[
ɂĐ䂳Ă܂Bꍇɂ́A netstat  lsof R}
hŃvZXL҂m邱Ƃł܂B portmap ~߂Ă݂āA̕s
vcȃT[BXȂȂ邩ǂĂ݂܂傤B܂Ȃ RPC T
[BXĂ邩ȂƁî߂ portmap Ă
łj邽߂ɁA rpcinfo -p localhost R}hgƂł
B
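The netstat -p, lsof, fuser and /proc/<pid>/exe steps above all consult the same kernel data. The shell script below is an added example, not part of this HOWTO: it reads /proc/net/tcp for listening sockets, matches each socket inode against the /proc/<pid>/fd/* symlinks, and reports the owning PID and executable, which is what netstat -tap shows in its last column. The function names are this example's own, and make_sample_proc builds a constructed miniature /proc tree (inode 3734, PID 1315, cupsd, echoing the lsof output above) so the code can be tried without root.

```sh
#!/bin/sh
# Added example (not from the HOWTO): find the owner of a listening TCP
# port from /proc alone, the data netstat -p, lsof and fuser consult.
#
# /proc/net/tcp lists every socket as hex "IP:PORT" pairs, a hex state
# (0A = LISTEN) and the socket inode.  Each /proc/<pid>/fd/<n> symlink
# of a process that holds a socket reads "socket:[inode]", which ties
# the inode back to a PID; /proc/<pid>/exe then names the program.

# Turn one data line of /proc/net/tcp into "port state inode".
proc_tcp_entry() {
    set -- $1                      # split the line into its fields
    port=$((0x${2#*:}))            # "00000000:0277" -> 0x0277 -> 631
    inode=${10}                    # 10th field is the socket inode
    case $4 in                     # 4th field is the connection state
        01) state=ESTABLISHED ;;
        06) state=TIME_WAIT ;;
        08) state=CLOSE_WAIT ;;
        0A) state=LISTEN ;;
        *)  state=OTHER_$4 ;;
    esac
    printf '%s %s %s\n' "$port" "$state" "$inode"
}

# Print the PID whose fd table holds socket inode $1; $2 is the /proc
# root (default /proc; overridable so the code can run on a copy).
pid_for_socket_inode() {
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "socket:[$1]" ]; then
            pid=${fd#"$root"/}
            echo "${pid%%/*}"
            return 0
        fi
    done
    return 1
}

# For every LISTEN socket in $1 (a /proc/net/tcp-format file) print
# "tcp/<port> <pid> <exe>"; $2 is the /proc root as above.
report_listeners() {
    tcpfile=${1:-/proc/net/tcp}
    root=${2:-/proc}
    tail -n +2 "$tcpfile" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $(proc_tcp_entry "$line")
        [ "$2" = LISTEN ] || continue
        if owner=$(pid_for_socket_inode "$3" "$root"); then
            exe=$(readlink "$root/$owner/exe" 2>/dev/null || echo '?')
            printf 'tcp/%s\t%s\t%s\n' "$1" "$owner" "$exe"
        else
            # no visible owner: other users' fd tables need root to read,
            # or the socket is deliberately being hidden from us
            printf 'tcp/%s\t-\t-\n' "$1"
        fi
    done
}

# Build a constructed miniature /proc tree under $1: inode 3734 owned by
# PID 1315 (cupsd), echoing the lsof and /proc/1315/exe output above.
make_sample_proc() {
    mkdir -p "$1/1315/fd" "$1/net"
    ln -sf 'socket:[3734]' "$1/1315/fd/0"
    ln -sf /usr/sbin/cupsd "$1/1315/exe"
    cat > "$1/net/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3734 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0480 0100007F:1F40 08 00000000:00000190 00:00000000 00000000   500        0 4101 1 0000000000000000 20 4 0 10 -1
EOF
}

# Live system (as root, so every process's fd table is readable):
#   report_listeners
# Offline demo on the constructed tree:
#   d=$(mktemp -d); make_sample_proc "$d"; report_listeners "$d/net/tcp" "$d"
```

The constructed second entry (127.0.0.1:1152 to 127.0.0.1:8000, CLOSE_WAIT) is the same kind of local proxy connection seen in the netstat output earlier and is skipped because it is not a listener.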


                              Warning                               

ȂɐNĂ邩ȂƋ^Ă̂łA  
netstat  ps ̏o͂MȂłB̃VXevfł
Aɂ₂Ă܂ĂāȀo͂MpłȂȂĄ
\[ɂ܂B                                        

 

8.4. UƋ

̏͂ł́Ał悭鋺ЂƃeNjbNɂĊȒPɏ
āA炩̌ʂ^܂傤B

@l̐EA{@ւALڂĂC^[lbgTCgł́A
T^IȎł̃fXNgbv[UA͂邩ɍLЂɒ
˂΂Ȃ܂BN̒ÑRs[^ɐN悤Ƃ闝R
񂠂܂B͒PɃXړI܂񂪁Aӂ̂闝
R͑ɂł肦ł傤Bނ͒Pɑ̒NU邽߂
𓾂܂B͔ɂ悭铮@̈ł
B

X̂قƂǂɂƂāAƂ悭"U"͊ɏĂV
Xê̂łBC^[lbg͊ɐNĂ܂Rs[
^ɂӂĂāAl̖߂܂Ń]r̂悤ɖӖړIɎsłB
͋ȃAhX͈͂ɓnăXLAŊeʂ IP Ah
X悤ɃvO~OĂ܂Bȏ̊J|[g
TāA`XΊm̎_܂B́Aɔli
IŁAɕ@_IŁAɌʓIłBX͊F̂悤Ȏ
ꂽXL{bg̒ʂ蓹ɂ̂łBXsĂ̂́A
VXe r00t 邱Ƃ邽߂̃XebvAVXe
΂ނ̑Ήs邽߂Ȃ̂łB

̃XL͐ڑƂɎ郍OCoi[邽߂ɂ
̂ł͂܂B͂Ȃ炩sĂȃIy[eBOV
Xe𑖂点Ă邩̂悤ɋU悤ɁAȂ /etc/issue.net 
XƂƂƂ̂łBނ͎܂Ă|[
gƁÃVXeǂȎw^悤܂킸ɁÃ|
[gɑ΂ĂĂ͂܂SĂ̍UĂ݂ł傤Bꂪ܂
΁Aނ͓Ă܂AʖڂȂAʂ̕WIɈړ킯ł
B

 

8.4.1. |[gXLƃv[u

"XL""v[uij" Ƃt͉xɂȂĂ܂
A܂̌t̒`n߂܂傤B "v[u"Ƃ́A^
|[gJĂ邩Ă邩AẴ|[gŉ܂
邩AeXg邱ƂӖ܂B "XL"Ƃ́A܂͂
̃VXeŕ̃|[g "v[u"ƂłB܂͕̃VX
e̓̃|[g܂BłAႦ΁ÃVXe
̑SẴ|[g "XL"ƂA܂̓NbJ[ 111 ԃ|[g
JĂ̂͒Nm邽߂ 216.78.*.* AhX"XLĂ"
AȂǂƌ̂łB

black hat iXqA҃nbJ[j͗^ꂽVXełǂȃT
[BXĂ邩ɂĂ̏XLv[u邱Ƃł
AɂĂǂȍUĂׂ݂m܂Bނ͂ǂȃIy
[eBOVXeĂ邩ÃJ[l̃o[W͉A
ē邱ƂAɂ́AƑ̏𓾂邱Ƃ\m
܂Bł́A"[(worm)"͎ĂāAӖړIɃXL
AʓIɂ͊JĂ|[gA܂ア]҂TĂ邾łB
̓NbJ[邩mȂ悤 "wK"͑S悤Ƃ܂
B

"XL""v[u"̊Ԃ̋ʂ͂΂ΞBłBƂNA
߂ɁAŝɈˑāAǂӖɂӖɂg܂BႦ
At@CA[EH[̐ݒ肪܂sĂ邩m邽߂ɁAȂFB
ɂȂgXLĂ炤悤ނm܂B nmap 
悤ȃXLpc[̍@IȎgpƂƂɂȂ܂BA
̒mȂNƂǂł傤Hނ̖ړI͉ł傤
HꂪȂ̃voC_Ȃ΁AT[BX_񏑂̏点
ƂĂ̂m܂B܂́ANVł邾ŁAɒN
"oĂ邩"Ă邾܂BAƂ肻Ȃ̂
Aꂪ̂悤ȑPӂ̈Ӑ}ĂȂNł邱ƂłB

S͈͂̃|[g̃XLĩ}V̑̃|[gv[u
邱Ɓj͎ł̃lbg[NɂĂ͂قǂ悭鋺Ђł͂Ȃ
łBmɁÃVXeɑ΂ē̃|[gXL
Ƃ́AɁAɁA悭NĂ邱ƂłB

 

8.4.2. [gLbg (rootkit)

"[gLbg(rootkit)" Ƃ̓XNvgLfBĩXNvgg̈
ǂAVăNbJ[j̓ƂĒ񋟂Ă̂łBN
܂ƂA΂΍ŏɂȂ邱Ƃ́Â悤"[gLb
g"_E[hACXg[邱ƂȂ̂łB

[gLbg͓T^Iɂ ls, ps, netstat, login Ȃǂ̊{IȃVXe
R}hu܂BpX[hAɃf[X^[g
AOύX肷邩܂񂵁AmɈȏ̃obNh
AijJł傤BBꂽobNhAɂāAU҂͓肽
ƂɂłȒPɓĂ悤ɂȂ܂BĂ΂΂̃VX
e̎_g邱Ƃ܂BƂ̂AV"L"
̃VXȇSĂ̂̂ɂ邽߂łBŜ̃vZX̓XNv
gĂ܂̂ŁȀ͔ɑfȂ܂B̐M
VXe̐K̏L҂͈ʓIɂ͉NĂ邩킩
ł傤AaHɂȂĂ͔̂ނȂ̂łB܂݌vꂽ[g
Lbĝ͔ɓ̂łB

 

8.4.3. [ƃ]r

"["Ƃ͎ȕUvOłB[̓VXeɊ
ƁAT^IȊƂẮAVXe̎_ʂĎg΂܂
Ƃ܂B܂܂"["ɁAC^[lbg̃AhXԑS
ɂ̂ĂāA̍sƂɎg΂܂Ă܂B

A]r̔ŵǂɂ́AĂ̂܂BN
[𗧂グAN܂Ń[񂹂̂ł
BāAVXeǂ̂悤ɎgĂ邩m킯łB

̑ Linux VXeŁA_ʂĊ悤Ƒ
Linux VXeTĂ܂BقƂǂ̃Iy[eBOVXe
͂̋Ђ킯Ă܂BЂƂѐƎȃVXeƁA
̎ۂ̐NƏ͔ɑf̂ŁA̎̌łƒm邱
͍܂BN҂ŏɂ邱Ƃ́iꂪlԂł"[
"łjA̐Ň`ՂBƂ邱ƂłB "[gLbg"_E
[hăCXg[܂B̗s̓P[uf DSL L
܂ƂňĂ܂BC^[lbgւ̏펞ڑ͋}ɍL
A΂΂炪傫ȃTCgƓ悤ɂ͏[Sł͂Ȃ
߁Â悤ȋЂɑ΂ĖLȓy񋟂Ă܂Ă̂łB

͕sgȘbɕ܂AAO̊ȒPȒӂŌʓIɖhƂ
܂B̈ՂaHɂ̂ɁA킴킴Ȃ̃VX
eɐN邽߂ɑȓw͂₷ł傤H{CŔɓ
Ƃɒ킷CZeBu͂܂BPɃXLāAāA
AʖڂȂ玟֍sB̒ɂ̓XL IP ɂ܂ł
̂łBȂ̃t@CA[EH[ʓIɂ̎̂Ƃhł
΁AȂɂ͂܂Ђɂ͂Ȃ܂BCyɍ\āAߏ蔽
悤ɂ܂傤B

̃[""Ă邱Ƃ͂łȂAƂƂ͒
Ălł傤B[ɂ͊JĂăANZX\ȃ|[g
KvŁAAɒmĂ_KvłB̎n߂̏͂ł"Iptables
̍T̃Ov" voĂ炦΁Ȃ͂̃^CṽXL
̌ʂ܂BȂ HOWTO ŎXebvɏ]
Ă΁AȂ͏[ɈSłB͏[ȒPɈ点邱Ƃł
B

 

8.4.4. XNvgLfB

"XNvgLfB"Ƃ"NbJ[" ir[iȂ肽艮jŁAނ܂
ޏg̍Ûɏ[Ȓm͂ȂǂȂɑ̒N
J"XNvg"UgÂƂłB "["̂悤ɁA
͈ՂaHTĂāA[ƓlɁAmĂ_
̃|[gT߂ɁAL͈͂ɓnăAhXXL邩
܂B΂΁Aۂ̃XL͊ɏVXes܂
BƂ̂AΔނ玩gɂ܂ŐՂĤȂ邩łB

XNvgLfB͎gĩgbNꂽĂāA
ɂ͗lXȃIy[eBOVXe"[gLbg" ̕ɂ܂܂
܂BU₷]҂邱Ƃ́A[ȎԂƃv[u邽
߂̏[ɍLAhXԂ^΁AقǓƂł͂
B̓@͂܂̊ƓlłBPȂ邢A web TCg
UANWbgJ[hԍ𓐂ށAŋߗs"Denial of ServiceiT[
BXہj"UiȉQƂ̂ƁjȂǁBނ̓gtB[̂悤Ƀ]r
W߁AړIłꂻB邽߂ɗp̂łB

ĂсAł̃L[|Cg͔ނ炪"XNvg"gAՂaHT
ĂƂƂłB[̋ЂƓlɁA@\ʂĂt@CA
[EH[ƁAAO̊{IȗpS΁Ał̂ǂȋЂ[
炷Ƃł͂łBAȂ̖͂rISł
͂łB

 

8.4.5. IP ̂Ȃ肷܂

IP AhX܂Ƃ͂ǂꂭ炢ՂƂł傤HK؂ȃc[
΁AɊȒPȂƂȂ̂łB͂ǂꂭ炢̋ЂɂȂł
Hۂ́AقƂǂɏꍇɂ͂قǑ傫ȋЂł͂ȂAЂƂĉ
ɐ`Ă܂B

TCP/IP @ƂāAepPbg͂̏o_ƂĐ IP AhX
^ł܂Bɑ΂ԓ̒ʐM͑SāȀɊÂĂ
܂BłAIP ̂Ȃ肷܂ɂāA܂pPbg𑗂oU
҂ɑ΂ẮA̗LpȏċAĂȂƂɂȂ܂B
ʐM͂Ȃ肷܂Ă IP AhXwꏊǂł낤ƁA
ɌċAĂ܂BU҂̂Ƃɂ͌ǉ߂Ă܂B

A͕WIɂVXeɂĉm邱ƂdvłȂꍇ
A "DoS" UiȉQƁj̉\mɎĂ܂BēlɁA
̂ɂg邩܂B

 

8.4.6. WI߂U

[ƍL͈͂ɓnAhX̃XĹAlIȂ̂łB
͒PɐƎȃVXeTĂ邾łBꂪgbvV[Nb
g̐{@ւł낤AȂ̂ꂳ̃EBhEY}Vł낤
ÄႢ܂BÃVXelbg[NɐN
邱Ƃɑȓw͂₷"Xq"i҂ĵłB
̃VXelbg[NɐN邽߂̏nlꂽfƂ납
AX͂"WI߂"UƌĂԂƂɂ܂傤B

̏ꍇɂ́AU҂͒ɂ肱ނ߂̗􂯖ڂ܂ŁA܂
߂܂ŁÃVXe̎_TA炭̈قȂނ̎
Ă݂ł傤B͖hq̂łBU҂͕
ĂA댯ŁA΋]҂_Ă̂łB

JԂ܂ÃViI͓T^IȎ̃VXeɂẮA߂
ɂ肻ɂȂƂłBʓIɂ́AƑ傫Ȋl鎞ɁA
ȋɎԂƓw͂gCZeBuPɂȂłBWIɂȂ邩
ȂlXɂẮAőP̖h͉Xɋc_Ă@̑
܂ł܂BӐ[邱ƂdvȂƂłBǂO̎
wсA IDS iIntrusion Detection System, NmVXejg
ł傤BɁABUGTRAQ ̂悤ȃZLeB֌W̃COXg
̈ȏwǂAāAǍx𖈓ǂŁAK؂
ΉƂׂłB

 

8.4.7. T[BXۍU (Denial of Service, DoS)

"DoS" Ƃ͂܂ʂ̃^Cv̍UŁA̖ړÍAڕW̃VXelbg
[N̋@\𐳏ɉʂȂȂ悤ɁAAgtBbNʂ
|邱ƂłB DoS ɂ͗lXȌ`肦܂AC^[lbgł
͂΂΁Aʂ̃pPbg𑗂AʓIɐڑs\ɂ邱
ƂŁA]҂̑шA܂ TCP/IP X^bN|Ă܂ƂӖ
܂BŌĂ̂́AbԂɖc̐̃pPbgƂƂŁA
ꍇɂ͐ƂƂ肦ł傤BɁAЂƂA
W̓T[oNbV邱Ƃ܂B

̍U͎[UAƂALڂĂTCg^[Qb
gɂ邱Ƃ̕A肠肻ȂƂłBẴeNjbNɋ
̂H~߂邱Ƃ͋ɂ߂ēƂɂȂ肦܂BĂ̂߂
́AʓIɂ́A̕WIɓBOɂ̗~߂邩A܂͍ŏ
邽߂ɁǍƕWI̊Ԃ̃lbg[N̋͂KvɂȂ܂BЂ
сA炪ڕWɓ͂Ă܂΁ASɂ𖳎ǂ@͂
܂B

"DDoS" (Distributed Denial of Service), ܂蕪UꂽT[BX
ÚǍʂő剻邽߂ɕ̌ĝłB܂A
ڃz[[UWIɂ邱Ƃ͂肻ɂȂł傤B"N
bJ["܂̓XNvgLfBɂ "LĂ""zꂽ(slaves)
"ŁAڂo܂Ƌ]҂ɏP̂łB̍Uɂ͂̃R
s[^܂܂邩܂B

Ȃz[[UŁAI IP AhXgĂ΁AȂ
̕WIɂȂƂɂ́AV IP 𓾂邽߂ɐڑ؂čĐڑ
ƂAʓIȑΏ@܂B炭B

 

8.4.8. Brute Force i͂܂AlԂUj

"Brute forcei͂܂A݂Ԃj"U͍U҂mĂ铯
_ɑ΂JԂsȂ܂BjƂ̂悤ɁBÓTIȗ́A
 telnet T[oɃANZX邽߂ɁAPɃpX[hXɓ
邱ƂŁA͂̈܂s낤Ɗ҂̂ł傤B
̓T[oNbV邱Ƃ҂̂܂B͂
Ǒz͂KvƂ܂񂵁ÃVXeɑ΂Ēʏp
͂܂B

ƂŁA͉u root OC邱Ƃɔ΂A
̗ǂ__^Ă܂B root AJEg͑SẴVXeő݂
B炭̂悤ȐAJEg͂ꂾł傤BȂ
ݓIȍU҂ɁAOCƃpX[h̗𐄑ł傤
A root Ƀ[gOCĂ΁AU҂̓pX[h
𐄑΂悢ƂɂȂĂ܂܂I

 

8.4.9. EBX

͐Sz邱Ƃ̂Ȃ̂łBEBX͎ Microsoft [U̖
Ɏv܂B̗RɂāAEBX Linux [UɂƂđ傫ȋ
Ђɂ͂Ȃ܂BꂩɂƂ͌܂񂪁A Microsoft
VXeY܂ĂEBXQ̔IȊg Linux i܂ Unix
jx[X̃VXeɂ͊gȂ͂łBہǍۂ\ɂĂ
lXȕ@́A Linux ł͗Lł͂܂BłEBXh\
tgEFAX̕ɂɓ邱Ƃ͂߂܂BȂƂ Linux
݂̂̃lbg[NłԂ́B

 

8.5. NW

Ȃǂݕւ̃t@Xȉɋ܂BȂgĂfB
Xgr[ṼTCgAZLeBy[WAftp _E[hTCg
͋Ă܂̂ŁAŌKv܂BĂ
KubN}[NĂI

 E ̊֘A Linux hLgvWFNgŌ܂F
   
    Security HOWTO: http://tldp.org/HOWTO/Security-HOWTO.html <http:// 
    tldp.org/HOWTO/Security-HOWTO.html > iJF{http://           
    www.linux.or.jp/JF/JFdocs/Security-HOWTO.htmlj                    
   
    Firewall HOWTO: http://tldp.org/HOWTO/Firewall-HOWTO.html iJF{ 
    http://www.linux.or.jp/JF/JFdocs/Firewall-HOWTO.htmlj         
   
    Ipchains HOWTO: http://tldp.org/HOWTO/IPCHAINS-HOWTO.html <http:// 
    tldp.org/HOWTO/IPCHAINS-HOWTO.html > iJF{http://           
    www.linux.or.jp/JF/JFdocs/IPCHAINS-HOWTO.htmlj                    
   
    User Authentication: http://tldp.org/HOWTO/                        
    User-Authentication-HOWTO/index.html,  PAM ɂĂ̑f炵
    c_܂ł܂BiJF{http://www.linux.or.jp/JF/JFdocs/
    User-Authentication-HOWTO.txtj                                    
   
    VPN (Virtual Private Network): http://tldp.org/HOWTO/VPN-HOWTO.html
     http://tldp.org/HOWTO/VPN-Masquerade-HOWTO.html iJF{    
    http://www.linux.or.jp/JF/JFdocs/VPN-HOWTO.txt <http://            
    www.linux.or.jp/JF/JFdocs/VPN-HOWTO.html/>j                       
   
    The Remote X Apps Mini HOWTO, http://www.tldp.org/HOWTO/mini/      
    Remote-X-Apps.html, ɂ X Window ZLAɎ邽߂̑f 
    c_܂܂Ă܂B                                         
   
    The Linux Network Administrators Guide: http://tldp.org/LDP/nag2/  
    index.html, ̓lbg[N TCP/IP ƃt@CA[EH[ɂĂ 
    ǂTϐ܂ł܂B                                       
   
    The Linux Administrator's Security Guide: http://www.seifried.org/ 
    lasg/ <http://www.seifried.org/lasg/>, ́At@CA[EH[ApX
    [hAF؁APAM ȂǂȂǂɂẮA[̃gsbN܂ 
    ł܂B                                                         
   
    Securing Red Hat: http://tldp.org/LDP/solrhe/                      
    Securing-Optimizing-Linux-RH-Edition-v1.3/index.html               
   
 E ipchains  iptables t@CA[EH[XNvg̃JX^ݒ
    邽߂̃c[F
   
    Firestarter: http://firestarter.sourceforge.net
   
    ̊֘AvWFNgF http://seawall.sourceforge.net/           
    (ipchains), http://shorewall.sourceforge.net/ (iptables).          
   
 E netfilter fBxbp[ netfilter  iptables ̕i
    ̌ł\jF
   
    FAQ: http://netfilter.samba.org/documentation/FAQ/                 
    netfilter-faq.html                                                 
    pPbgtB^OF http://netfilter.samba.org/documentation/ 
    HOWTO/packet-filtering-HOWTO.html                                  
    lbg[LOF http://netfilter.samba.org/documentation/HOWTO/ 
    networking-concepts-HOWTO.html                                     
    NAT/}XJ[fBOF http://netfilter.samba.org/documentation/ 
    HOWTO/NAT-HOWTO.html                                               
   
 E |[gԍ蓖āAXLi[XL邩Ȃ̂ɂ
    āF
   
    http://www.linuxsecurity.com/resource_files/firewalls/             
    firewall-seen.html                                                 
   
    http://www.sans.org/newlook/resources/IDFAQ/oddports.htm
   
    http://www.iana.org/assignments/port-numbers, ̃|[gԍ 
    āB                                                             
   
 E ʓIȃZLeBTCgBɂ͑SāAAxAj[X
    ^[ACOXgÂق̏񌹂ɂẴR[i[
    B
   
    Linux Security.com: http://www.linuxsecurity.com, ǂ񂪏W߂ 
    ĂBLinux ŗL̏BǂRF http://               
    www.linuxsecurity.com/docs/                                        
   
    CERT, http://www.cert.org
   
    The SANS Institute: http://www.sans.org/
   
    The Coroner's Toolkit (TCT)i̓j: http://www.fish.com/
    security/, N̖̂̌iN҂Nčŏɂ邱Ɓjɂ
    Ă̋c_ƃc[QB                                             
   
 E vCoV[F
   
    Junkbuster: http://www.junkbuster.com, web vLVANbL[}l[
    WB                                                             
   
    PGP: http://www.gnupg.org/
   
 E ̕ƎQlTCgF
   
    Linux Security.com: http://www.linuxsecurity.com/docs/
   
    Linux Newbie: http://www.linuxnewbie.org/nhf/intel/security/       
    index.html                                                         
   
    The comp.os.linux.security FAQ: http://www.linuxsecurity.com/docs/ 
    colsfaq.html                                                       
   
    The Internet Firewall FAQ: http://www.interhack.net/pubs/fwfaq/
   
    The Site Security Handbook RFC: http://www.ietf.org/rfc/rfc2196.txt
   
 E [TCg낢F
   
    http://www.bastille-linux.org, Mandrake  Redhat ̂݁B
   
    SAINT: http://www.wwdsi.com/saint/, VXeZLeB́B
   
    SSL: http://www.openssl.org/
   
    SSH: http://www.openssh.org/
   
    gXLFhttp://www.hackerwhacker.com
   
    PAM: http://www.kernel.org/pub/linux/libs/pam/index.html
   
    gC̖ؔnꂽ Linux J[lW[oF http://
    members.prestige.net/tmiller12/papers/lkm.htm                      
   
    [gLbgE`FbJ[http://www.chkrootkit.org
   
    |[gXLEc[ nmap ̃z[y[WF http://               
    www.insecure.org                                                   
   
    NessusiPȂ|[gXLi[ȏ̂́jF http://www.nessus.org
   
    tripwire, Noc[F http://www.tripwire.org
   
    snort, Xjbt@[ȂF http://www.snort.org
   
    http://www.mynetwatchman.com  http://dshield.org "UNo 
    VXe"łB͑Oėpӂ"G[WFg" ɂă 
    OW߁Af[^͂邱ƂŎ׈Ȋĕ񍐂Ă 
    BȂA`FbN܂傤B                     
   
 

8.6. eLXgt@C̕ҏW

By Bill Staehle

SĂ̐E͈̃t@CłB

t@Cɂ͔ɗlXȃ^Cv܂Ał͖ɓ̂Ȃ
LɕĂ݂܂F

  ł܂ɂȂǂłeLXgt@CƁA
@Ƃ͈قȂ̂łoCit@CB
    

oCit@C̓}Vǂނ̂ŁAeLXgt@C͐lԂɂėe
ՂɕҏWłAʓIɂ͐lԂǂނ̂łBAeLXgt@C
}VɂǂނƂ\ŁAۂ΂΂Ă܂B̗͐ݒt
@CXNvgQƂƂɂȂł傤B

*nix ł͗lXɈقȂeLXgGfB^gp\łBAÔ̂͑S
ẴVXeɂ܂B '/bin/ed'  '/bin/vi' ͂ł傤B 'vi'
͂Ă̏ꍇACZX̖ɂ 'vim' ̂悤ȃN[ɂȂ
Ă܂B 'vi'  'ed' ̖_́A͋낵[U[ɗD
AƂƂłB܂̂悭݂GfB^ 'emacs' łA
ɃftHgŃCXg[ĂƂ͌܂B͂葽̋@
\Ɣ\͂Ă܂AlɊwԂ̂Ղ܂B

u[UɗDvGfB^ƂẮA 'mcedit'  'pico' ͎n߂̂ɗ
IłB͂΂ *nix ɊĂȂlɂƂẮA
̂肸ƈՂ̂łB

ŏɊwԂׂƂ́AɕҏW̃ZbVI邩AɃt@C
̕ύXۑ邩AĐ܂ԂׂłȂs̐܂Ԃ
ɂ͂ǂ邩ibvA܂s̐܂Ԃ̖jł傤B

'vi' GfB^

'vi'  Unix ̐Eł͍łʂ̃eLXgGfB^̈ŁAقƂǑS
 *nix VXeɌ܂Bۂ́ACZX̖ɂāALinux
VXe'/bin/vi' ͏ 'elvis'  'nvi', 'vim' ƂuN[
vłiɂ܂jB̃N[̓IWi 'vi' Ƃ܂
lɂӂ܂܂AĂ̏ꍇ͒ǉ@\AgȂȂ
悤ɂȂĂ܂B

'vi' Ȃɋ낵㕨ȂAǂĂwԕKv̂ł傤
H̗R܂B܂ɁAOq̂悤ɁA͂قƂǊm
ɃCXg[Ă邱Ƃۏ؂ĂāÁiƃ[UɗD
jGfB^̓ftHgŃCXg[ĂƂ͌ȂłB
̗ŔÁuR}hv̑̃AvP[Vł
łiႦ man y[W邽߂ɂpĂ 'less' ̂悤ȁjB
'less' gĂƂɁA 'v' ̃L[Ă܂ƁAقƂ
ǂ̎ł 'vi' X^[gĂ܂܂B

'vi' ɂ͓̃[h܂B́uR}h[hvŁAL[{[h
͂̓R}hƂĉ߂܂B̃[h́u}[hvŁA
قƂǑSẴL[{[h͂͑}eLXgƂĉ߂܂B

==> 'vi' I@ 1. Rs[^r[v炷AXN
[tbV܂ŁA <esc> L[O񉟂܂B 2. :q! <Enter> 
L[͂B

܂ARA Q, ăGNXN[V}[NAŌɃG
^[isjL[łB

'vi' R}h͈ȉ̂悤ɂȂĂ܂B͑SāuR}h[hv
Ŏg܂B

a    J[\̌ォ}[hɓB
A    ݂s̏Iő}[hɓB
i    J[\̑Oő}[hɓB
o    ݂śuɁvVsJ}[hɓB
O    ݂śuɁvVsJ}[hɓB
h    J[\ꕶAɈړB
l    J[\ꕶAEɈړB
j    J[\sAɈړB
k    J[\sAɈړB
/قɂ    ̃eLXg̑OŁAɕuقɂvꂽ

               ɃJ[\ړB
?قɂ    ̃eLXĝڂāAɕuقɂv
ꂽӏ
               ɃJ[\ړB
n    ÕT[`JԂiƂ̂ɁuقɂvŁA
     ? ܂ / jB
u    ŌɍsύXB
^B    EBhEɃXN[B
^F    EBhEOɃXN[B
^U    EBhEXN[AbvB
^D    EBhEXN[_EB

:w    t@CɕۑB
:wq   t@CɕۑāAIB
:q    IB
:q!   ۑɏIB

<esc>   }[hIăR}h[hɁB

    

ӁFl́uvL[́uR}h[hvłu}[hvłق
ǏɎg܂B

'ed' GfB^

'ed' GfB^̓CGfB^łBAvP[Vɂ͂KvƂ
̂Ƃ͌ASĂ *nix Rs[^Ŏg邱ƂzIɕ
؂ĂƂȏɂ́Aɂ͎ЉIɂ͂܂lł̂
@\܂B 1975 Nȗu悤ƂA
̂̂񋟂Ă܂B

'ed' ̋I

1. ꎩgňs̃sIh^CvA <Enter> BŃR}h
[hɓ邩AȂɃR}h[hɂƂΈs̃eL
Xg󎚂܂B 2. q ^CvA<Enter> Bt@Cɉ̕ύX
ȂȂA̓ 'ed' 𔲂o܂B '?' ƕ\ꂽȂ
A̓t@CɕύXƂӖA 'ed' ύXۑ邩
Ȃɐq˂Ă̂łB q <Enter> ƂāA̓ڂł
Ȃ{ɏIƂƂmF܂B

'pico' GfB^

'pico' ̓VgwiAJOjŊJꂽ Pine C/j
[XpbP[WɊ܂܂Ă܂B͔Ƀ[UɗDGfB^ł
AȒZ܂B 'pico' ͈siʁj74 𒴂
ɁAقĉs}čs܂ԂĂ܂܂B̓Cj
[XL⃁Ƃ镪ɂ͌\ȂƂłAVXet@C鎞
ɂ͂΂ΒvIȖɂȂ܂B̖̉͊ȒPłBvO
ĂяoƂɁAȉ̂悤 -w IvV܂傤F

pico -w file_2_edit

'pico' ͂ƂĂ[UɗD̂ŁAȏ͕̐Kv܂B
͎ہAƂĂAȒPłiKvȃR}h̓XN[̉ɂ܂jB
Ȃwv@\܂B 'pico' ͂قƂǑSẴfBXgr[
VŎgp\łAftHgŃCXg[ĂȂ
B

==> 'pico' ̋I

<Ctrl> L[Ȃ當 x ĂBt@CɕύX
ĂȂȂA 'pico' I܂BύXĂ΁A
ۑ邩ǂu˂܂B n ďIĂB

'mcedit' GfB^

'mcedit'  Unix CNȃVXê߂̊Sȋ@\rWAVF
vOAMidnight Comander shell program Ɋ܂܂Ă܂B
R}hC璼ڃANZXł܂ (mcedit file_2_edit), ܂
'mc' ̈ꕔƂĂg܂iL[gĕҏWt@CIA
F4 L[܂jB

'mcedit' ͂炭łIɎgGfB^ŁAgwvĂ
BuR}hv F* L[ő삵܂B Midnight Commander ͂قƂ
SẴfBXgr[VŎgp\łAftHgŃCXg[
ĂȂ܂B

==> 'mcedit' ̋I

F10 L[܂Bt@CɕύXȂĂȂ΁A 'mcedit'
I܂BύXȂĂ΁A̓LZ邩ǂ
u˂Ă܂B n ďI܂B

 

8.7. nmap

nmap ̃XLǂ̂悤Ȃ̂AO̊ȒPȗ݂Ă݂܂傤B
ł̖ړI͉X̃t@CA[EH[ƃVXe̊S؂邽߂ɂ
̂悤 nmap gЉ邱ƂłB nmap ɂ͉XɕKv̂Ȃ
̑̎g܂BȂ̏L҂狖𓾂ĂȂA
Ȃĝ̂ł͂ȂVXe nmap ΂ɎgȂŉB
͒ÑT[BX_̈ᔽł܂񂪁A̎̂Ƃ́AقƂǂ
lXɂ͓GӂƎł傤B

Ɍ悤ɁAnmap ͐ꂽ|[gXLpc[łB́Az
Xg""邩ǂAǂ̃|[gJĂ\̂𒲂
悤Ƃ܂Bɂ́Ã|[gǂȏԂɂ̂B nmap 
GȃR}hCAFXȃ^Cv"XL"\łBڍׂ
Ă man y[W݂ĂB

܂AOӂĂ܂傤B portsentry gĂȂA
~ĂB̓XLǂ痈悤ǍoH
𗎂ƂĂ܂܂BׂẴO擾~Ă悢
܂BłȂ΁AȂƂÃXLƂɂ́A
O󂯎邱ƂɂȂ邱ƂɋCĂB

PȁA"[JzXg"̃ftHgXLF


 # nmap localhost                                                         
                                                                          
 Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )  
 Interesting ports on bigcat (127.0.0.1):                                 
 (The 1507 ports scanned but not shown below are in state: closed)        
                                                                          
 Port       State       Service                                           
 22/tcp     open        ssh                                               
 25/tcp     open        smtp                                              
 37/tcp     open        time                                              
 53/tcp     open        domain                                            
 80/tcp     open        http                                              
 3000/tcp   open        ppp                                               
                                                                          
 Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds      
                                                                          
                                                                          


̂̕قƂǂɊɖڂʂĂɂ́A₱̃T[BX
ꂽ̂ɂȂĂ邱Ƃł傤B̒ɂ͍܂ł̗̑Ō
Ă̂Ɠ|[g܂B̃XLŒӂׂƂ́AXL
 1500 ""|[gɑ΂sꂽłiSẴ|[
gɑ΂Ăł͂ȂjƂƂłBȏ̃XL΁A
ݒ\łiman y[WQƂĂjBɁATCP |[
ĝ݂XLĂ܂B]߂΁AȊÕXL
\łB netstat SĂ̊J|[gA܂Ă悤
܂\̂Ƃ͈قȂāA "܂Ă"T[BXsb
NAbv܂Bł̍Ō 3000 ԂƂȂĂ"J"|[ǵA
"PPP" łƔFĂ܂BԈႢłI͂̃|[gԍɂ
 /etc/services t@CɊ܂܂ĂɊÂ nmap wK
ʂ̐ɉ߂ȂłBہȀꍇ ntop (network traffic
monitor)łB̂悤ɃT[BX͑ĉ߂ĂB 
nmap {ɂ̃|[gȂ̂m@݂͑Ȃ̂łBT[B
XɃ|[gԍ}b`邱Ƃ͎Ɋ댯łB͕W̃|[g
Ă܂A|[gԍgׂƂƂł͂܂
B

̑̕SĂ netstat ̗ɂẮAX͊J|[g̃N
XɕĂ܂F܂ĂT[oƁAXڑ]
[gzXgiႦ΁Aǂɂ web T[ojƐڑmĂ
̂łB nmap ͍ŏ̃O[v܂A܂莨܂ĂT[
ołIX[gT[oɌqĂ|[g͕sŁA䂦ɁA
댯ł͂Ȃ̂łB̃|[g͂̐ڑɂ"vCx[g"
Ȃ̂Ȃ̂ŁAڑIɕ܂B

łAŊJ|[gƕ|[gĂ킯łB[
PŁA bigcat őĂ邩ɂāAȂȂǂ^
ĂĂ܂BA͕K̃VXeO̐E
Ă邩Ă킯ł͂܂Bƌ̂A̓[J
zXgXLĂ邱ƂłāÃt@CA[EH[
̃ANZX̎dg݂̉e󂯂ĂȂłB

͂ȃXLĂ݂܂傤Bx́ASẴ|[gATCP 
UDP A`FbN܂B


 # nmap -sT -sU -p 1-65535 localhost                                      
                                                                          
 Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )  
 Interesting ports on bigcat (127.0.0.1):                                 
 (The 131050 ports scanned but not shown below are in state: closed)      
                                                                          
 Port       State       Service                                           
 22/tcp     open        ssh                                               
 25/tcp     open        smtp                                              
 37/tcp     open        time                                              
 53/tcp     open        domain                                            
 53/udp     open        domain                                            
 80/tcp     open        http                                              
 3000/tcp   open        ppp                                               
 8000/tcp   open        unknown                                           
 32768/udp  open        unknown                                           
                                                                          
 Nmap run completed -- 1 IP address (1 host up) scanned in 385 seconds    
                                                                          
                                                                          


x͂""|[gł͂ȂASẴ|[g𒲂ׂĂ܂B
̃vZXŐVɓ̂̂sbNAbv܂BX͈ȑOɊ
 netstat pČ̂ŁAX͂炪ł邩mĂ
B 8000/tcp |[g Junkbuster EFuvLVƁA32768/udp
|[g named łBɂ͑ȌꍇƁAƒԂ
܂ASẴ|[g𒲂ׂ邽߂̗B̕@łB

 bigcat ̏łǂ̃|[gJĂ邩ɂĂȂȂǂ
܂Bł̓[JzXg烍[JzXgXLĂ
܂ASẴ|[głBX͈ˑRƂĊO̐EX
Ă̂͂킩܂BŁA LAN ̑̃zXg ssh
ڑĂ݂āA܂XLĂ݂܂B


 # nmap bigcat                                                            
                                                                          
 Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )  
 Interesting ports on bigcat (192.168.1.1):                               
 (The 1520 ports scanned but not shown below are in state: closed)        
                                                                          
 Port       State       Service                                           
 22/tcp     open        ssh                                               
 3000/tcp   open        ppp                                               
                                                                          
 Nmap run completed -- 1 IP address (1 host up) scanned in 1 second       
                                                                          
                                                                          


ł͋̂߂ iptables ̃[ɎĂ邱Ƃ𔒏󂵂܂
B̃XLł͂̃|[gĂ܂B̑SĂ"
(closed)"܂Bꂪ nmap ̕񍐂łBxĂ݂܂傤F


 # nmap bigcat                                                                    
                                                                                  
 Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )          
 Note: Host seems down. If it is really up, but blocking our ping probes, try -P0 
                                                                                  
 Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds            
                                                                                  
                                                                                  


ƁAx͎dĂԂɁA ICMP (ping) ubNĂ܂
悤łBF


 # nmap -P0 bigcat                                                        
                                                                          
 Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )  
 All 1523 scanned ports on bigcat (192.168.1.1) are: filtered             
                                                                          
 Nmap run completed -- 1 IP address (1 host up) scanned in 1643 seconds   
                                                                          
                                                                          


łBɒԂĂ邩ɒӂĂB|[g͍
A""ɁA "tB^["Ă邱ƂɒӂĂ
B "nmap" ͂ǂĂm̂ł傤H "Ă(closed)"
tӖ̂ bigcat "ɂ͉Ă܂"AƃpP
bg𑗂ԂĂAƂƂŁA܂A|[gĂA
ƂɂȂ܂B̍Ō̗ł́Aiptables ̋K ICMP (ping) 
ASĂ̓ĂpPbg "Ƃ(DROP)"悤ɕύXĂ
B΁A܂̕Ԏ܂BƂ̕ԎȂ
ƂĂA nmap ͈ˑRƂăzXgɂ邱Ƃ͒mĂ̂ł
Aɂ͔ȍ܂Bł̈̋ṔAȂXL
xȂApPbg"DROP" (܂ "DENY") ΂悢ƌ
ƂłBɂāAe|[ǧ؂ɂāA[gڑ TCP ^
CAEg邱ƂɂȂ܂BǁAXL̂悤ȌʂĂ
ȂA܂Ғʂ̓ĂA܂AȂ̃t@CA[EH
[̎dʂĂ̂łB

UDP ɂĂ̒ZӁF nmap ͎ۂɂ́AtB^[Ă΁A
̃|[g̏Ԃ𔻒肷邱Ƃ͂ł܂B̏ꍇ炭A"J
"ԂłƂԈ󂯎ł傤B UDP ڑ
ȂvgRł邱ƂɊ֌WĂ܂B nmap ̕ԓȂ
΁iႦ΁A "DROP" ̂߂ɁjApPbgڕWɓ͂̂Ɖ肵
Ǎʂ̃|[g"JĂ"ƕ񍐂ł傤B nmap Ƃ
Ă""łB

O̐EVXeǂĂ邩V~[g邽߂ɁA LAN
̐ݒŃt@CA[EH[Ă݂邱Ƃł܂BȂ[
āAĂ邩Ƃ킩ĂāAƂ񂾂ւ܂
Ȃ΁A炭VXȅԂȂzłł傤B
͂A\ȂۂɊO`FbNĂ炤@T̂x
Xg̕@ł͂܂B̏ꍇvoC_̉^p[jĂȂ
ƂmFĂBvoC_gĂFB܂H

 

8.8. Sysctl ̃IvV

"sysctl" ̃IvV /proc t@CVXeʂĐݒłJ[l
p[^łB̓^CɓIɒ邱Ƃł܂B
T^Iɂ͂̃IvV "0" ɃZbgĂ΃ItŁA "1" 
Ƃ̓IłB

̂̓ZLeBĂ܂i炱̃e[}
Ă킯ł ;-)jBł͊֘AƎv̂X
gAbv邾ɂ܂BRɃJbgAhy[XgāAt@CA[E
H[̃XNvgAu[gɋN鑼̃t@Ci/etc/rc.local
̂悤ȁjɎgĂB܂́AefBXgr[V
肷Ǝ̕@pӂĂ邩܂B̈ӖɂĂ /
usr/src/linux/Documentation/sysctl/README t@CƃJ[lfB
Nĝ̑̃t@Cǂ߂Βm邱Ƃł܂B  

#!/bin/sh                                                                 
#                                                                         
# Configure kernel sysctl run-time options.                               
# kernel sysctl ^CIvVݒ                                  
###################################################################       
                                                                          
# Anti-spoofing blocks                                                    
# A`EXv[tBOubN                                        
for i in /proc/sys/net/ipv4/conf/*/rp_filter;                             
do                                                                        
 echo 1 > $i                                                              
done                                                                      
                                                                          
# Ensure source routing is OFF                                            
# \[X[eBOIt                                              
for i in /proc/sys/net/ipv4/conf/*/accept_source_route;                   
 do                                                                       
  echo 0 > $i                                                             
 done                                                                     
                                                                          
# Ensure TCP SYN cookies protection is enabled
[ -e /proc/sys/net/ipv4/tcp_syncookies ] &&\
 echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ensure ICMP redirects are disabled
for i in /proc/sys/net/ipv4/conf/*/accept_redirects;
 do
  echo 0 > $i
 done

# Ensure oddball addresses are logged
[ -e /proc/sys/net/ipv4/conf/all/log_martians ] &&\
 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Ignore ICMP echo requests sent to a broadcast address, so we cannot
# be used as a 'smurf' amplifier.
[ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] &&\
 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Ignore malformed ICMP error responses instead of logging each one.
[ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] &&\
 echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

## Optional from here on down, depending on your situation. ############
#
# Ensure ip-forwarding is enabled if
# we want to do forwarding or masquerading.
[ -e /proc/sys/net/ipv4/ip_forward ] &&\
 echo 1 > /proc/sys/net/ipv4/ip_forward

# On if your IP is dynamic (or you don't know).
[ -e /proc/sys/net/ipv4/ip_dynaddr ] &&\
 echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# eof
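
The script above writes the settings but never reads them back, and a later kernel or a distribution's own boot scripts can quietly change them. The following is an added example, not part of the original HOWTO: it reads the same /proc/sys/net/ipv4 knobs the script sets and reports every one that is missing or holds a value other than the intended one, so it can be run from cron or after a kernel upgrade. The SYSCTL_ROOT override is an assumption introduced here so that the checks can be exercised against a mock directory tree; the file names are the ones the script uses.

```shell
#!/bin/sh
# check_sysctl.sh -- read back the hardening knobs the script above sets
# and report any that are missing or hold a value other than the intended
# one. Exit status is the number of findings, so 0 means "all as intended".
#
# SYSCTL_ROOT is normally /proc/sys/net/ipv4; it can be overridden (an
# assumption made for this example) so the checks can be run against a
# mock directory tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4}"

# Knobs that must hold a fixed value, as path=value relative to SYSCTL_ROOT.
EXPECTED="tcp_syncookies=1 conf/all/log_martians=1 \
icmp_echo_ignore_broadcasts=1 icmp_ignore_bogus_error_responses=1"

# check_one PATH WANT: silent and returns 0 when the file holds WANT;
# otherwise prints a one-line finding and returns 1.
check_one() {
    file="$SYSCTL_ROOT/$1"
    if [ ! -r "$file" ]; then
        echo "MISSING $1 (this kernel has no such knob)"
        return 1
    fi
    got=$(cat "$file")
    if [ "$got" != "$2" ]; then
        echo "WRONG   $1 = $got (want $2)"
        return 1
    fi
    return 0
}

# check_all: runs every check, prints the findings, returns their count.
check_all() {
    fails=0
    for kv in $EXPECTED; do
        check_one "${kv%=*}" "${kv#*=}" || fails=$((fails + 1))
    done
    # accept_redirects must be 0 on every interface directory, including
    # 'all' and 'default', exactly as the loop in the script sets it.
    for f in "$SYSCTL_ROOT"/conf/*/accept_redirects; do
        [ -e "$f" ] || continue
        check_one "${f#"$SYSCTL_ROOT"/}" 0 || fails=$((fails + 1))
    done
    return $fails
}

# When invoked as a script (rather than sourced), run the checks and exit
# with the number of findings.
case "$0" in
    *check_sysctl.sh) check_all; exit $? ;;
esac
```

Run it as root after the hardening script and again after any kernel change; a non-zero exit status is the list of knobs that need attention.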
                                                                          
                                                                          

 

8.9. Secure Alternatives

This section gives a brief run-down of secure equivalents to methods that
are potentially insecure. Both clients and servers are covered.

  - telnet, rsh -> ssh.

  - ftp, rcp -> scp or sftp. Both come with the ssh packages. Also, if
    Apache is running, files can easily be transferred over HTTP, and
    Apache can be made to use SSL (HTTPS) as well.

  - sendmail -> postfix, qmail. This is not to say that newer versions of
    sendmail are insecure. It is just that sendmail has a history of
    problems and is so widely used that it is a favourite target of
    crackers.

    As noted above, Linux installations often install a full-featured
    mail server. That has its advantages, but in the many cases where all
    that is needed is the ability to send mail, it is unnecessary. A
    full-blown mail server daemon does not have to be running locally for
    that.

  - POP3 -> SPOP3, POP3 over SSL. If you really must run a POP server
    that accepts connections from outside, this is the way to do it. If
    it is your provider's server that holds your mail, you have to live
    with whatever the provider offers.

  - IMAP -> IMAPS. Same as above.

  - If you need a service and only you, or a few friends, use it, consider
    running it on a non-standard port. Most server daemons can do this,
    and it causes no problem as long as those who connect know about it.
    For example, sshd's standard port number is 22, and anyone probing
    for it will check that port number. So you can run it on a port
    number of your own random choosing instead. See the sshd man page.

    Note that this only keeps the daemon out of scans that look at the
    well-known port; a full port scan still finds it, so it has to be
    kept patched all the same.
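
The list above says what to replace; a quick way to see what is actually listening is to parse `netstat -ant`. The following is an added example, not from the HOWTO: it flags listening TCP sockets that belong to the cleartext services named above and prints the replacement for each, skipping sockets bound only to loopback (a mail daemon listening on 127.0.0.1 is the send-only arrangement the text describes). It assumes the net-tools netstat column layout of the period; the sample listing embedded in it is constructed for the example.

```shell
#!/bin/sh
# cleartext_audit.sh -- find listening TCP sockets that belong to the
# cleartext services named above and print the secure replacement.
#
# Usage:  netstat -ant | sh cleartext_audit.sh
# Assumes the net-tools netstat layout: proto recv-q send-q local foreign state.

# alternative PORT: prints "service -> replacement" for a cleartext
# service port, returns 1 (printing nothing) for any other port.
alternative() {
    case "$1" in
        23)  echo "telnet -> ssh" ;;
        513) echo "rlogin -> ssh" ;;
        514) echo "rsh -> ssh" ;;
        21)  echo "ftp -> scp or sftp (or HTTP/HTTPS via Apache)" ;;
        110) echo "pop3 -> pop3s (POP3 over SSL)" ;;
        143) echo "imap -> imaps" ;;
        25)  echo "smtp -> postfix or qmail, and only if you must receive mail" ;;
        *)   return 1 ;;
    esac
}

# audit_listeners: reads netstat lines on stdin, prints one finding per
# cleartext LISTEN port, returns the number of findings (0 = nothing found).
# Sockets bound only to loopback are ignored: a mail daemon on 127.0.0.1
# is the "send only, don't serve" setup described above.
audit_listeners() {
    count=0
    ports=$(awk '$1 ~ /^tcp/ && $NF == "LISTEN" && $4 !~ /^(127\.|::1:)/ {
                     n = split($4, a, ":"); print a[n] }' | sort -un)
    for port in $ports; do
        if alt=$(alternative "$port"); then
            echo "port $port: $alt"
            count=$((count + 1))
        fi
    done
    return $count
}

# A constructed netstat listing for trying the audit offline: sshd on 22,
# telnetd on 23, sendmail bound to loopback only, a POP3 daemon on IPv4
# and IPv6, one established ssh session, and the DHCP client on UDP.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp6       0      0 :::110                  :::*                    LISTEN
tcp        0      0 192.168.1.2:22          192.168.1.3:40112       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# audit_sample: runs the audit over the constructed listing.
audit_sample() {
    printf '%s\n' "$NETSTAT_SAMPLE" | audit_listeners
}

# When invoked as a script, audit whatever netstat output arrives on stdin.
case "$0" in
    *cleartext_audit.sh) audit_listeners ;;
esac
```

On the constructed listing the audit reports port 23 and port 110 and exits 2; port 22 is not a cleartext service and the loopback-only port 25 is deliberately left alone.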
   
 

8.10. ipchains and iptables Redux

This section gives a few more ideas on what can be done with ipchains and
iptables. It is basically the same script as in Step 3 above, with some
more advanced configuration options added. It provides "masquerading",
"port forwarding", access to certain services restricted to certain
users, and a few other features. Read the comments for an explanation of
the details.

Run either script from the console, not over a remote login: the default
policy of the input chain is set to DENY/DROP before the ssh port is
opened, so a mistake half-way through can lock you out.

 

8.10.1. ipchains II

#!/bin/sh
#
# ipchains.sh
#
# An example of a simple ipchains configuration. This script
# can enable 'masquerading' and will open user definable ports.
###################################################################
# Begin variable declarations and user configuration options ######
# Set the location of ipchains (default).
IPCHAINS=/sbin/ipchains

# Local Interfaces
# This is the WAN interface, that is our link to the outside world.
# For pppd and pppoe users.
# WAN_IFACE="ppp0"
WAN_IFACE="eth0"
#
# Local Area Network (LAN) interface.
#LAN_IFACE="eth0"
LAN_IFACE="eth1"

# Our private LAN address(es), for masquerading.
LAN_NET="192.168.1.0/24"

# For static IP, set it here!
#WAN_IP="1.2.3.4"

# Set a list of public server port numbers here...not too many!
# These will be open to the world, so use caution. The example is
# sshd, and HTTP (www). Any services included here should be the
# latest version available from your vendor. Comment out to disable
# all PUBLIC services.
#PUBLIC_PORTS="22 80 443"
PUBLIC_PORTS="22"

# If we want to do port forwarding, this is the host
# that will be forwarded to.
#FORWARD_HOST="192.168.1.3"

# A list of ports that are to be forwarded.
#FORWARD_PORTS="25  80"

# If you get your public IP address via DHCP, set this.
DHCP_SERVER=66.21.184.66

# If you need identd for a mail server, set this.
MAIL_SERVER=

# A list of unwelcome hosts or nets. These will be denied access
# to everything, even our 'PUBLIC' services. Provide your own list.
#BLACKLIST="11.22.33.44 55.66.77.88"

# A list of "trusted" hosts and/or nets. These will have access to
# ALL protocols, and ALL open ports. Be selective here.
#TRUSTED="1.2.3.4/8  5.6.7.8"

## end user configuration options #################################
###################################################################

# The high ports used mostly for connections we initiate and return
# traffic.
LOCAL_PORTS=`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f1`:\
`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f2`

# Any and all addresses from anywhere.
ANYWHERE="0/0"

# Start building chains and rules #################################
# Let's start clean and flush all chains to an empty state.
$IPCHAINS -F

# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that ipchains uses.
$IPCHAINS -P forward DENY
$IPCHAINS -P output ACCEPT
$IPCHAINS -P input DENY

# Accept localhost/loopback traffic.
$IPCHAINS -A input -i lo -j ACCEPT

# Get our dynamic IP now from the Inet interface. WAN_IP will be our
# IP address we are protecting from the outside world. Put this
# here, so default policy gets set, even if interface is not up
# yet. Match 'inet addr' rather than just 'inet', otherwise the
# 'inet6 addr' line of an IPv6-enabled kernel is picked up as well.
[ -z "$WAN_IP" ] &&\
  WAN_IP=`ifconfig $WAN_IFACE |grep 'inet addr' |cut -d : -f 2 |cut -d \  -f 1`

# Bail out with error message if no IP available! Default policy is
# already set, so all is not lost here.
[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1

WAN_MASK=`ifconfig $WAN_IFACE | grep Mask | cut -d : -f 4`
WAN_NET="$WAN_IP/$WAN_MASK"

## Reserved IPs:
# We should never see these private addresses coming in from outside
# to our external interface.
$IPCHAINS -A input -l -i $WAN_IFACE -s 10.0.0.0/8     -j DENY
$IPCHAINS -A input -l -i $WAN_IFACE -s 172.16.0.0/12  -j DENY
$IPCHAINS -A input -l -i $WAN_IFACE -s 192.168.0.0/16 -j DENY
$IPCHAINS -A input -l -i $WAN_IFACE -s 127.0.0.0/8    -j DENY
$IPCHAINS -A input -l -i $WAN_IFACE -s 169.254.0.0/16 -j DENY
$IPCHAINS -A input -l -i $WAN_IFACE -s 224.0.0.0/4    -j DENY
$IPCHAINS -A input -l -i $WAN_IFACE -s 240.0.0.0/5    -j DENY
# Bogus routing
$IPCHAINS -A input -l -s 255.255.255.255 -d $ANYWHERE -j DENY

## LAN access and masquerading
#
# Allow connections from our own LAN's private IP addresses via the LAN
# interface and set up forwarding for masqueraders if we have a LAN_NET
# defined above.
if [ -n "$LAN_NET" ]; then
 echo 1 > /proc/sys/net/ipv4/ip_forward
 $IPCHAINS -A input  -i $LAN_IFACE  -j ACCEPT
 $IPCHAINS -A forward -s $LAN_NET -d $LAN_NET -j ACCEPT
 $IPCHAINS -A forward  -s $LAN_NET -d ! $LAN_NET -j MASQ
fi

## Blacklist hosts/nets
#
# Get the blacklisted hosts/nets out of the way, before we start opening
# up any services. These will have no access to us at all, and will be
# logged.
for i in $BLACKLIST; do
 $IPCHAINS -A input -l -s $i -j DENY
done

## Trusted hosts/nets
#
# This is our trusted host list. These have access to everything.
for i in $TRUSTED; do
 $IPCHAINS -A input -s $i -j ACCEPT
done

# Port Forwarding
#
# Which ports get forwarded to which host. This is one to one
# port mapping (ie 80 -> 80) in this case.
# NOTE: ipmasqadm is a separate package from ipchains and needs
# to be installed also. Check first!
[ -n "$FORWARD_HOST" ] && ipmasqadm portfw -f &&\
 for i in $FORWARD_PORTS; do
   ipmasqadm portfw -a -P tcp -L $WAN_IP $i -R $FORWARD_HOST $i
 done

## Open, but Restricted Access ports/services
#
# Allow DHCP server (their port 67) to client (to our port 68) UDP traffic
# from outside source.
[ -n "$DHCP_SERVER" ] &&\
 $IPCHAINS -A input -p udp -s $DHCP_SERVER 67 -d $ANYWHERE 68 -j ACCEPT

# Allow 'identd' (to our TCP port 113) from mail server only.
[ -n "$MAIL_SERVER" ] &&\
 $IPCHAINS -A input -p tcp -s $MAIL_SERVER  -d $WAN_IP 113 -j ACCEPT

# Open up PUBLIC server ports here (available to the world):
for i in $PUBLIC_PORTS; do
 $IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $i -j ACCEPT
done

# So I can check my home POP3 mailbox from work (ssh in to the home
# system is already covered by PUBLIC_PORTS above). Only allow POP3
# connections from my workplace's block of IPs; the address below is a
# placeholder, substitute your own. Everything else is blocked.
$IPCHAINS -A input -p tcp -s 255.10.9.8/29 -d $WAN_IP 110 -j ACCEPT

# Uncomment to allow ftp data back (active ftp). Not required for 'passive'
# ftp connections.
#$IPCHAINS -A input -p tcp -s $ANYWHERE 20 -d $WAN_IP $LOCAL_PORTS -y -j ACCEPT

# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are
# the high, unprivileged ports (1024 to 4999 by default). This will
# allow return connection traffic for connections that we initiate
# to outside sources. TCP connections are opened with 'SYN' packets.
# We have already opened those services that need to accept SYNs
# for, so other SYNs are excluded here for everything else.
# (ipchains has no connection tracking, so any non-SYN packet to these
# ports is accepted whether or not we opened a connection; an ACK scan
# will report them as open. That is a limitation of ipchains itself,
# not a mistake in the rule.)
$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT

# We can't be so selective with UDP since that protocol does not know
# about SYNs.
$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT

# Allow access to the masquerading ports conditionally. Masquerading
# uses its own port range -- on 2.2 kernels ONLY! 2.4 kernels do not
# use these ports, so comment out!
[ -n "$LAN_NET" ] &&\
 $IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP 61000: ! -y -j ACCEPT &&\
 $IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP 61000: -j ACCEPT

## ICMP (ping)
#
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out.
$IPCHAINS -A input  -p icmp  --icmp-type echo-reply \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPCHAINS -A input  -p icmp  --icmp-type destination-unreachable \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPCHAINS -A input  -p icmp  --icmp-type time-exceeded \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT

#######################################################################
# Set the catchall, default rule to DENY, and log it all. All other
# traffic not allowed by the rules above, winds up here, where it is
# blocked and logged. This is the default policy for this chain
# anyway, so we are just adding the logging ability here with '-l'.
# Outgoing traffic is allowed as the default policy for the 'output'
# chain. There are no restrictions on that.
$IPCHAINS -A input -l -j DENY

echo "Ipchains firewall is up `date`."

##-- eof ipchains.sh
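
Both ipchains.sh above and iptables.sh below read their configuration from a block of shell variables and trust it blindly: a stray character in PUBLIC_PORTS or a FORWARD_HOST outside LAN_NET only surfaces as an ipchains or ipmasqadm error part-way through loading, with the default policy already at DENY. The following is an added pre-flight check, not part of the HOWTO: it validates those variables before either script runs, and it parses the WAN address out of ifconfig output using only the 'inet' line, which sidesteps the 'inet6' ambiguity of a bare `grep inet`. The function names and the /24 width limit on TRUSTED entries are choices made for this example, and the ifconfig sample in the test is constructed.

```shell
#!/bin/sh
# fw_preflight.sh -- sanity-check the user configuration block shared by
# ipchains.sh and iptables.sh before either script is run. Plain POSIX sh.
#
# Usage: set the same variables the firewall script uses, then call
# check_config; it prints one line per problem and returns the count.

# ip2int A.B.C.D: prints the address as a 32-bit integer; returns 1 for
# anything that is not four decimal octets in range (leading zeros are
# refused: they are ambiguous and trip up shell arithmetic).
ip2int() {
    a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
    [ "$1" = "$a.$b.$c.$d" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# prefix_len ADDR[/N]: prints N, or 32 when no prefix length is given.
# Returns 1 for a prefix length that is not 0..32.
prefix_len() {
    bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    echo "$bits"
}

# ip_in_net A.B.C.D X.Y.Z.W/N: true when the address lies inside the net.
ip_in_net() {
    ip=$(ip2int "$1") || return 1
    net=$(ip2int "${2%/*}") || return 1
    bits=$(prefix_len "$2") || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# valid_port N: true for a decimal port number 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# inet_addr_of: reads `ifconfig IFACE` output on stdin and prints the
# first IPv4 address. Only an 'inet' line is used, never 'inet6' (which
# the scripts' own 'grep inet' pipeline would also match); the 'addr:'
# prefix of older net-tools output is stripped, so newer output of the
# form "inet 203.0.113.7  netmask ..." works too. Returns 1 if none found.
inet_addr_of() {
    awk '$1 == "inet" { a = $2; sub(/^addr:/, "", a); print a; found = 1; exit }
         END { exit !found }'
}

# check_config: validates PUBLIC_PORTS, FORWARD_PORTS, FORWARD_HOST,
# LAN_NET and TRUSTED as the firewall scripts use them. Prints one line
# per problem and returns the number of problems (0 = ready to run).
check_config() {
    errs=0
    for p in $PUBLIC_PORTS $FORWARD_PORTS; do
        valid_port "$p" || { echo "not a port number: '$p'"; errs=$((errs + 1)); }
    done
    if [ -n "$FORWARD_HOST" ]; then
        [ -n "$FORWARD_PORTS" ] ||
            { echo "FORWARD_HOST is set but FORWARD_PORTS is empty"; errs=$((errs + 1)); }
        ip_in_net "$FORWARD_HOST" "$LAN_NET" ||
            { echo "FORWARD_HOST $FORWARD_HOST is not inside LAN_NET $LAN_NET"; errs=$((errs + 1)); }
    fi
    for h in $TRUSTED; do
        # A TRUSTED entry gets every port of every protocol. Anything wider
        # than a /24 is almost certainly a typo (the commented example
        # "1.2.3.4/8" would trust sixteen million addresses). The limit is
        # this example's choice; tighten or loosen it to taste.
        bits=$(prefix_len "$h") && ip2int "${h%/*}" >/dev/null ||
            { echo "TRUSTED entry '$h' is not a valid address or network"; errs=$((errs + 1)); continue; }
        [ "$bits" -ge 24 ] ||
            { echo "TRUSTED entry $h is wider than a /24: it gets ALL ports"; errs=$((errs + 1)); }
    done
    return $errs
}
```

Source this file at the top of the firewall script, right after the configuration block, and abort with `check_config || exit 1` before the first `$IPCHAINS -F`; nothing is flushed or denied until the configuration has passed.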
                                                                                
                                                                                

 

8.10.2. iptables II

#!/bin/sh                                                                        
#                                                                                
# iptables.sh                                                                    
#                                                                                
# An example of a simple iptables configuration. This script                     
# can enable 'masquerading' and will open user definable ports.                  
# P ipchains ݒ̗B̃XNvǵu}XJ[fBOv               
# \ŁA[U`|[gJB                                             
###################################################################              
# Begin variable declarations and user configuration options ######              
#  ϐ錾ƃ[UݒIvV                                                
# Set the location of iptables (default).                                        
# ipchains iftHgj̏ꏊݒB                                          
IPTABLES=/sbin/iptables                                                          
                                                                                 
# Local Interfaces                                                               
# [JC^[tF[X                                                       
# This is the WAN interface that is our link to the outside world.               
#  WAN C^[tF[XAO̐EɉXȂB                        
# For pppd and pppoe users.                                                      
# pppd  pppoe [Û߁B                                                   
                                                                                 
# WAN_IFACE="ppp0"                                                               
WAN_IFACE="eth0"                                                                 
#                                                                                
# Local Area Network (LAN) interface.                                            
# [JGAlbg[N(LAN)C^[tF[X                                
#LAN_IFACE="eth0"                                                                
LAN_IFACE="eth1"                                                                 
                                                                                 
# Our private LAN address(es), for masquerading.                                 
# X̃vCx[g LAN AhXijA}XJ[fBÔ߂́B          
LAN_NET="192.168.1.0/24"                                                         
                                                                                 
# For static IP, set it here!                                                    
# X^eBbN IP ̂߁BŐݒ肹I                                       
#WAN_IP="1.2.3.4"                                                                
                                                                                 
# Set a list of public server port numbers here...not too many!                  
# These will be open to the world, so use caution. The example is                
# sshd, and HTTP (www). Any services included here should be the                 
# latest version available from your vendor. Comment out to disable              
# all Public services. Do not put any ports to be forwarded here,                
# this only direct access.                                                       
# ŃpubNT[õ|[gԍ̃XgݒBȂ悤ɁI           
# ͐EɌĊĴŁAvӁB̗ sshd, HTTP(www).            
# ̂ǂ̃T[BXF_̍ŐVo[WɂׂB                       
# SẴpubNT[BXs\ɂ邽߂ɂ̓RgAEgB           
# tH[h|[g͂ǂɂȂƁA͒ڂ                 
# ANZX̂݁B                                                                 
#PUBLIC_PORTS="22 80 443"                                                        
PUBLIC_PORTS="22"                                                                
                                                                                 
# If we want to do port forwarding, this is the host                             
# that will be forwarded to.                                                     
# |[gtH[fBOȂAꂪtH[h̃zXgB       
#FORWARD_HOST="192.168.1.3"                                                      
                                                                                 
# A list of ports that are to be forwarded.                                      
# tH[hׂ|[g̃Xg                                             
#FORWARD_PORTS="25  80"                                                          
                                                                                 
# If you get your public IP address via DHCP, set this.                          
#  DHCP ʂăpubN IP AhXݒ肷ȂAŁB             
DHCP_SERVER=66.21.184.66                                                         
                                                                                 
# If you need identd for a mail server, set this.                                
# CT[ô߂ identd KvȂ炱ŁB                                 
MAIL_SERVER=                                                                     
                                                                                 
# A list of unwelcome hosts or nets. These will be denied access                 
# to everything, even our 'Public' services. Provide your own list.              
# ]܂ʋq̃zXgƃlbg̃XgB͑SĂւ̃ANZXA                   
# X̃pubNT[BXAۂ                                   
# g̃XgpӂB                                                   
#BLACKLIST="11.22.33.44 55.66.77.88"                                             
                                                                                 
# A list of "trusted" hosts and/or nets. These will have access to               
# ALL protocols, and ALL open ports. Be selective here.                          
# uMpłvzXg/܂̓lbg̃XgB͑SĂ                    
# vgRƑSĂ̊J|[gɃANZXłB                               
# ͐IāB                                                               
#TRUSTED="1.2.3.4/8  5.6.7.8"                                                    
                                                                                 
## end user configuration options #################################              
## Gh[UݒIvV                                                    
###################################################################              
                                                                                 
# Any and all addresses from anywhere.
ANYWHERE="0/0"

# These modules may need to be loaded so that FTP data connections are
# tracked (and masqueraded) as RELATED. The names below are the 2.4-era
# ones this HOWTO was written for; on 2.6.20 and later kernels they are
# nf_conntrack_ftp and nf_nat_ftp, and since Linux 4.7 the helper is no
# longer attached automatically, so it must be assigned explicitly with
# '-j CT --helper ftp' in the raw table.
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Start building chains and rules #################################
# Let's start clean and flush all chains to an empty state.
$IPTABLES -F
$IPTABLES -X

# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that IPTABLES uses.
# These are set before anything is opened up, so that if a later
# command fails the host is left closed rather than open.
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP

# Accept localhost/loopback traffic.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Get our dynamic IP now from the Inet interface. WAN_IP will be the
# address we are protecting from outside addresses. This parses the
# 'inet addr:x.x.x.x' line of the older net-tools ifconfig (matching
# 'inet addr' rather than just 'inet' keeps the inet6 line out of the
# result); newer net-tools and 'ip addr' print 'inet x.x.x.x' without
# the colon, so set WAN_IP by hand if the result comes back empty.
[ -z "$WAN_IP" ] &&\
  WAN_IP=`ifconfig $WAN_IFACE |grep 'inet addr' |cut -d : -f 2 |cut -d \  -f 1`

# Bail out with error message if no IP available! Default policy is
# already set, so all is not lost here.
[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1

WAN_MASK=`ifconfig $WAN_IFACE |grep Mask |cut -d : -f 4`
WAN_NET="$WAN_IP/$WAN_MASK"

## Reserved IPs:
# We should never see these private addresses coming in from outside
# to our external interface. If your provider hands you a private
# address (some cable and DSL setups do), remove the matching line,
# or the DHCP rule further down can never be reached.
$IPTABLES -A INPUT -i $WAN_IFACE -s 10.0.0.0/8      -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 172.16.0.0/12   -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 192.168.0.0/16  -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 127.0.0.0/8     -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 169.254.0.0/16  -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 224.0.0.0/4     -j DROP
# 240.0.0.0/4 is the whole reserved (class E) range; a /5 here would
# leave 248.0.0.0/5 unfiltered.
$IPTABLES -A INPUT -i $WAN_IFACE -s 240.0.0.0/4     -j DROP
# Bogus routing
$IPTABLES -A INPUT -s 255.255.255.255 -d $ANYWHERE -j DROP

# Unclean
# The 'unclean' match was an experimental patch-o-matic module that
# never went into the mainline kernel. If iptables reports it as
# unknown, comment these two rules out; the DEFAULT chain below already
# drops anything the state match cannot classify as ESTABLISHED,
# RELATED or NEW, so little is lost.
$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -m limit \
        --limit 15/minute -j LOG --log-prefix "Unclean: "
$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -j DROP

## LAN access and masquerading
# Allow connections from our own LAN's private IP addresses via the LAN
# interface and set up forwarding for masqueraders if we have a LAN_NET
# defined above.
if [ -n "$LAN_NET" ]; then
 echo 1 > /proc/sys/net/ipv4/ip_forward
 $IPTABLES -A INPUT -i $LAN_IFACE  -j ACCEPT
# $IPTABLES -A INPUT -i $LAN_IFACE -s $LAN_NET -d $LAN_NET  -j ACCEPT
 $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IFACE -j MASQUERADE
fi

## Blacklist
# Get the blacklisted hosts/nets out of the way, before we start opening
# up any services. These will have no access to us at all, and will
# be logged.
for i in $BLACKLIST; do
 $IPTABLES -A INPUT -s $i -m limit --limit 5/minute \
   -j LOG --log-prefix "Blacklisted: "
 $IPTABLES -A INPUT -s $i -j DROP
done

## Trusted hosts/nets
# This is our trusted host list. These have access to everything.
# Access is granted on the source address alone, so keep this list
# short and made up of addresses you actually control.
for i in $TRUSTED; do
 $IPTABLES -A INPUT -s $i -j ACCEPT
done

# Port Forwarding
# Which ports get forwarded to which host. This is one to one
# port mapping (ie 80 -> 80) in this case. The DNAT rule is tied to
# the WAN_IP found above, so the script must be rerun whenever a
# dynamic address changes.
[ -n "$FORWARD_HOST" ] &&\
 for i in $FORWARD_PORTS; do
   $IPTABLES -A FORWARD -p tcp -s $ANYWHERE -d $FORWARD_HOST \
     --dport $i -j ACCEPT
   $IPTABLES -t nat -A PREROUTING -p tcp -d $WAN_IP --dport $i \
     -j DNAT --to $FORWARD_HOST:$i
 done

## Open, but Restricted Access ports
# Allow DHCP server (their port 67) to client (to our port 68) UDP
# traffic from outside source.
[ -n "$DHCP_SERVER" ] &&\
 $IPTABLES -A INPUT -p udp -s $DHCP_SERVER --sport 67 \
   -d $ANYWHERE --dport 68 -j ACCEPT

# Allow 'identd' (to our TCP port 113) from mail server only.
[ -n "$MAIL_SERVER" ] &&\
 $IPTABLES -A INPUT -p tcp -s $MAIL_SERVER  -d $WAN_IP --dport 113 -j ACCEPT

# Open up Public server ports here (available to the world):
for i in $PUBLIC_PORTS; do
 $IPTABLES -A INPUT -p tcp -s $ANYWHERE -d $WAN_IP --dport $i -j ACCEPT
done

# So I can check my home POP3 mailbox from work. Also, so I can ssh
# in to home system. Only allow connections from my workplace's
# various IPs. Everything else is blocked. (255.10.9.8/29 is a
# placeholder for the workplace address block; substitute the real
# one. The rule below covers POP3 only; ssh from the same block would
# take an identical rule with --dport 22.)
$IPTABLES -A INPUT -p tcp -s 255.10.9.8/29 -d $WAN_IP --dport 110 -j ACCEPT

## ICMP (ping)
#
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out. Note that destination-unreachable includes
# 'fragmentation-needed' (type 3, code 4), which path MTU discovery
# depends on; do not be tempted to drop it.
$IPTABLES -A INPUT  -p icmp  --icmp-type echo-reply \
   -s $ANYWHERE -d $WAN_IP -j ACCEPT
$IPTABLES -A INPUT  -p icmp  --icmp-type destination-unreachable \
   -s $ANYWHERE -d $WAN_IP -j ACCEPT
$IPTABLES -A INPUT  -p icmp  --icmp-type time-exceeded \
   -s $ANYWHERE -d $WAN_IP -j ACCEPT

# Identd Reject
#
# Special rule to reject (with rst) any identd/auth/port 113
# connections. This will speed up some services that ask for this,
# but don't require it. Be careful, some servers may require this
# one (IRC for instance).
#$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

###################################################################
# Build a custom chain here, and set the default to DROP. All
# other traffic not allowed by the rules above, ultimately will
# wind up here, where it is blocked and logged, unless it passes
# our stateful rules for ESTABLISHED and RELATED connections. Let
# connection tracking do most of the worrying! We add the logging
# ability here with the '-j LOG' target. Outgoing traffic is
# allowed as that is the default policy for the 'output' chain.
# There are no restrictions placed on that in this script.

# New chain...
$IPTABLES -N DEFAULT
# Use the 'state' module to allow only certain connections based
# on their 'state'. '! -i' (negation in front of the option) is the
# form current iptables expects; the older '-i !' form is deprecated.
$IPTABLES -A DEFAULT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A DEFAULT -m state --state NEW ! -i $WAN_IFACE -j ACCEPT
# Enable logging for anything that gets this far. The limit keeps a
# flood from filling the log; once it is exceeded, packets are still
# dropped, just not logged.
$IPTABLES -A DEFAULT -m limit --limit 30/minute -j LOG --log-prefix "Dropping: "
# Now drop it, if it has gotten here.
$IPTABLES -A DEFAULT -j DROP

# This is the 'bottom line' so to speak. Everything winds up
# here, where we bounce it to our custom built 'DEFAULT' chain
# that we defined just above. This is for both the FORWARD and
# INPUT chains.
$IPTABLES -A FORWARD -j DEFAULT
$IPTABLES -A INPUT   -j DEFAULT

echo "Iptables firewall is up `date`."

##-- eof iptables.sh
                                                                                 
                                                                                 

 

8.10.3. Summary

Let's briefly go over the most important points...

We have rules based on host access: the "blacklisted" and "trusted" rules.
Then we have rules that restrict access by service and port. For example,
access to the POP3 server on bigcat is limited to a narrow range of
addresses at work. We also have a rule for the provider's DHCP server.
That rule allows a connection from one source address and one source
port, to one port on our side, and only over the UDP protocol. It is a
very narrow rule, and there is no reason for that address to be talking
to us on any other port or with any other protocol, so nothing else is
allowed. Remember that the goal is to allow the bare minimum of traffic
needed for our particular situation.

Then, apart from the exceptions noted above, every other service on
bigcat that might be reachable from outside is completely blocked to
outside connections. Any number of services may be running on bigcat
right now, but they sit safely behind the packet-filtering firewall. You
may not be running exactly the same services as in this example, but you
probably have other services that fall into this category.

In this example we have a small, trusted local network, and we make no
effort to block its traffic, so anyone on the LAN has access to every
service running on bigcat. The LAN hosts are also "masqueraded", and by
way of the "forward" chain they have access to the Internet (see the
other HOWTOs for details). The LAN is behind the firewall, and the
firewall watches over it. We place no restrictions at all on traffic
leaving bigcat, which means a compromised LAN host, or a trojaned
process on bigcat itself, could connect out unhindered. Depending on
your situation that may be acceptable.

But this is only a hypothetical example. Your situation is certainly
different, and some changes and additions to these rules will be needed.
If, for instance, your provider does not use DHCP (most do), that rule is
meaningless. PPP works differently, and no such rule is needed there.

Don't take running servers as in this example to be necessarily a "safe"
way of doing things. If (a) you don't really need the service, (b) you
are not running the latest secure version, and (c) you are not keeping
up with the security advisories that may affect it, then you should not
be running it. The responsibility for care and vigilance rests with you.
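The "Dropping: " and "Blacklisted: " LOG rules above are only worth having if someone reads the result. As an added example, not part of this HOWTO's own script, the following shell functions summarise the kernel log the way the weekly table near the top of this document does: packets per destination port and per source address for a given log prefix. The log lines are constructed samples in the field format the LOG target writes to the kernel log (IN=, SRC=, PROTO=, DPT=, ...); the host name and addresses are made up.

```shell
#!/bin/sh
# Summarise iptables LOG output by log prefix.
# Usage: dropped_ports "Dropping: " < /var/log/messages
#        top_sources   "Dropping: " < /var/log/messages

# Constructed sample log lines (not real traffic). Lines with other
# prefixes (here "Blacklisted: ") are present to show they are filtered.
SAMPLE_LOG='Jul 21 04:06:00 bigcat kernel: Dropping: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=1 DF PROTO=TCP SPT=3102 DPT=111 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 21 04:06:07 bigcat kernel: Dropping: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2 DF PROTO=TCP SPT=3103 DPT=111 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 21 04:09:12 bigcat kernel: Dropping: IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=4711 DPT=27374 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 21 04:10:33 bigcat kernel: Blacklisted: IN=ppp0 OUT= MAC= SRC=192.0.2.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=100 ID=4 DF PROTO=TCP SPT=2000 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 21 04:11:02 bigcat kernel: Dropping: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=115 ID=5 PROTO=UDP SPT=1025 DPT=53 LEN=40
Jul 21 04:12:40 bigcat kernel: Dropping: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=115 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1'

# dropped_ports PREFIX: "PROTO/port count" for TCP and UDP packets logged
# with PREFIX, most frequent first. ICMP has no DPT= field and is skipped.
dropped_ports() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }          # only lines with our prefix
        {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (proto == "TCP" || proto == "UDP") count[proto "/" dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k2,2nr -k1,1
}

# top_sources PREFIX: "address count" for every packet logged with PREFIX,
# most frequent first. Useful for deciding what goes into BLACKLIST.
top_sources() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) count[substr($i, 5)]++ }
        END { for (k in count) print k, count[k] }
    ' | sort -k2,2nr -k1,1
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | dropped_ports "Dropping: "
printf '%s\n' "$SAMPLE_LOG" | top_sources "Dropping: "
```

On a real system, feed the functions the kernel log (`/var/log/messages` or `dmesg`) instead of the sample; the prefix argument is whatever you gave `--log-prefix`, trailing space included. Because the LOG rule is rate-limited, the counts are a lower bound on what was actually dropped.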

 

8.10.4. iptables mini-me

To see how simple an iptables setup can be in the simplest of situations,
let's look at the following. It is a section from the Netfilter team's
Rusty's Really Quick Guide To Packet Filtering:

    "Most people just have a single PPP connection to the Internet, and
    don't want anyone coming back into their network, or the firewall:"
   
 ## Insert connection-tracking modules (not needed if built into kernel).
 ## modprobe is used rather than insmod so that no module path is needed;
 ## on 2.6.20 and later kernels the modules are nf_conntrack and
 ## nf_conntrack_ftp.
 modprobe ip_conntrack
 modprobe ip_conntrack_ftp

 ## Create chain which blocks new connections, except if coming from inside.
 iptables -N block
 iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT
 iptables -A block -j DROP

 ## Jump to that chain from INPUT and FORWARD chains.
 iptables -A INPUT -j block
 iptables -A FORWARD -j block
                                                                             
                                                                             

̒PȃXNvg͉XSĂ̊O̐ڑ܂Aׂ
 NEW ڑ܂iACCEPT ̃ftHg̃|V[͕ύXĂ
̂ŁjBāAɂ"ESTABLISHED"  "RELATED" ꂽSĂ
ʐM܂BɁAWAN ̃C^[tF[XAppp0, Ă
̂ł͂ȂSĂ̐ڑ܂B lo A܂ eth1 ̂悤
 LAN C^[tF[Xł傤BłXƂ͉łS
\łAC^[lbǵA]܂ʁAɓĂڑs͑S
܂BB

܂ÃXNvg͂炦̃`FC̍쐬Ă܂B
ł "block" ƒ`ĂāA INPUT  FORWARD `FC̗ɗp
Ă܂B
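Since the mini-me setup depends on the block chain being wired in correctly, it is worth checking the live ruleset rather than trusting that the script ran to the end. As an added example that is not part of Rusty's guide or this HOWTO, the following shell function audits an `iptables-save` dump for three invariants: INPUT and FORWARD both jump unconditionally to the block chain, the chain's last rule is an unconditional DROP, and no rule in it accepts NEW connections without excluding the WAN interface. The two dumps are constructed samples (one correct, one broken); the invariants and the function are my own.

```shell
#!/bin/sh
# Audit an iptables-save dump for the mini-me "block" chain pattern.
# Usage: iptables-save | check_block_chain ppp0 block

# Constructed sample: what iptables-save prints after the mini-me script
# has run (note iptables-save writes '! -i ppp0' before the match).
GOOD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block ! -i ppp0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT'

# Constructed sample of a broken run: the FORWARD jump is missing, the
# NEW rule lost its negation, and the final DROP never got added.
BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
-A INPUT -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i ppp0 -m state --state NEW -j ACCEPT
COMMIT'

# check_block_chain WAN_IFACE CHAIN < dump
# Exits 0 when the dump is fail-closed, 1 otherwise, printing each
# violation found. A plain "note:" is printed when the INPUT policy is
# ACCEPT, because the chain's DROP is then the only thing closing the door.
check_block_chain() {
    awk -v wan="$1" -v chain="$2" '
        # unconditional jump from a built-in chain: "-A INPUT -j block"
        $1 == "-A" && $2 != chain && NF == 4 && $3 == "-j" && $4 == chain { jumps[$2] = 1 }
        # rules inside the block chain
        $1 == "-A" && $2 == chain {
            last = $0
            if ($0 ~ /--state NEW/ && $0 ~ /-j ACCEPT/ && $0 !~ ("! -i " wan " ")) bad_new++
        }
        /^:INPUT ACCEPT/ { print "note: INPUT policy is ACCEPT; only the DROP in " chain " protects the host" }
        END {
            ok = 1
            if (!jumps["INPUT"])    { print "INPUT does not jump to " chain; ok = 0 }
            if (!jumps["FORWARD"])  { print "FORWARD does not jump to " chain; ok = 0 }
            if (last !~ /-j DROP$/) { print chain " does not end in an unconditional DROP"; ok = 0 }
            if (bad_new)            { print bad_new " rule(s) in " chain " accept NEW connections from " wan; ok = 0 }
            exit ok ? 0 : 1
        }
    '
}

# Exercise both samples when executed directly.
printf '%s\n' "$GOOD_DUMP" | check_block_chain ppp0 block && echo "good dump: ok"
printf '%s\n' "$BAD_DUMP"  | check_block_chain ppp0 block || echo "bad dump: rejected"
```

Run it as root with `iptables-save | check_block_chain ppp0 block` after the script, and again from cron if anything else on the box (a VPN client, a container runtime) is known to rewrite the tables; a non-zero exit is the signal that the "door" the mini-me script relies on has been removed.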

 

9. Translator's Acknowledgements

The translator thanks the reviewers from the JF project for their careful
proofreading and valuable comments. Please report typos, mistranslations
and similar errors to <JF@linux.or.jp>.

