sshd configuration using pam_geoip
Written: 2011/08/22 18:39
Author: Tini (http://tini4u.net/)
Views: 7410
--------------------------------------------------------------------------------------
- Author: 김혁중 (Tini) [sky #at# tini4u.net]
- Date: 2011-08-22
- Site: http://linux.tini4u.net/
- Original title: sshd configuration using pam_geoip
- Environment: CentOS 5.6
- Keywords: pam_geoip, geoip, pam, sshd
--------------------------------------------------------------------------------------
This article covers how to hook MaxMind's GeoIP data into a PAM module. There are already plenty of write-ups online on using the GeoIP database from Apache, Nginx, PHP, iptables and so on; here we look at one more option, using it through PAM, so that the country the connecting address is registered in is checked when a user logs in over SSH.
1. Install the GeoIP C API [latest version: http://www.maxmind.com/app/c]
The GeoIP C API from MaxMind is required to build modules written in C against the GeoIP database, and pam_geoip is one of them.
[root@localhost]# wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.8.tar.gz
[root@localhost]# tar xfz GeoIP-1.4.8.tar.gz; cd GeoIP-1.4.8
[root@localhost]# ./configure --prefix=/usr/local/GeoIP
[root@localhost]# make
[root@localhost]# make install
2. Download the GeoIP database (city level)
Download the database the PAM module will query. MaxMind offers two free ("GeoLite") databases: GeoIP.dat, which carries country codes only, and GeoLiteCity.dat, which carries country codes plus cities. This article uses GeoLiteCity.dat, since the rule set in step 4 includes a city match.
[root@localhost]# wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
[root@localhost]# gzip -d GeoLiteCity.dat.gz
[root@localhost]# mv GeoLiteCity.dat /usr/local/GeoIP/share/GeoIP/GeoLiteCity.dat
Note added at editing time: MaxMind retired the free GeoLite Legacy .dat databases in 2019, so the download URL above no longer serves the file. Whatever database you end up using, refresh it on a schedule; an address block reassigned to another country after the file was built will be classified wrongly until you do.
3. Install pam_geoip [latest version: http://ankh-morp.org/code/pam_geoip/]
Now install the PAM module itself, which performs the GeoIP lookup. The two sed lines point its Makefile at the headers and library installed under /usr/local/GeoIP in step 1.
[root@localhost]# wget http://ankh-morp.org/code/pam_geoip/pam_geoip-0.9.tar.gz
[root@localhost]# tar xfz pam_geoip-0.9.tar.gz; cd pam_geoip-0.9
[root@localhost]# sed -i 's|CCFLAGS=|CCFLAGS=-I/usr/local/GeoIP/include |g' Makefile
[root@localhost]# sed -i 's|LDFLAGS=|LDFLAGS=-L/usr/local/GeoIP/lib |g' Makefile
[root@localhost]# make module
-- i386
[root@localhost]# cp -a pam_geoip.so /lib/security/pam_geoip.so
-- x86_64
[root@localhost]# cp -a pam_geoip.so /lib64/security/pam_geoip.so
Because libGeoIP was installed under /usr/local/GeoIP/lib rather than a standard library directory, the dynamic loader must also be able to find it when sshd loads pam_geoip.so at runtime: add that directory to /etc/ld.so.conf (or a file under /etc/ld.so.conf.d/), run ldconfig, and confirm with `ldd /lib64/security/pam_geoip.so` (or the /lib/security path on i386) that libGeoIP resolves. If the module cannot be loaded, Linux-PAM substitutes a faulty-module placeholder that fails, and since the entry added in step 5 is `required`, every SSH login would be rejected.
4. Configure geoip.conf
* Only the sshd integration is described here; other PAM-aware services follow the same pattern.
Create the configuration file under /etc/security that the pam_geoip module reads. The rules below allow SSH logins only from addresses the database places in Korea, the United States or the United Kingdom and deny every other country.
Each line is <domain> <service> <action> <location>. In the location field the part before the comma is the country code and the part after it is the city; `*` is a wildcard, and several locations on one line are separated by semicolons. Lines are checked in order and the first match decides, so the final `* sshd deny *` line is the catch-all that turns this into an allow-list. The `KR,Seoul` line only illustrates the city syntax; `KR,*` on the next line already covers it.
Keep in mind what this check actually tests: where the source address is registered, not where the user is. A VPN exit, a proxy or a compromised host inside an allowed country passes unchanged, so the rule set cuts the noise from bulk scanning rather than stopping a targeted attacker.
[root@localhost]# vi /etc/security/geoip.conf
#
# /etc/security/geoip.conf - config for pam_geoip.so
#
#
#<domain> <service> <action> <location>
* sshd allow KR,Seoul
* sshd allow KR,*
* sshd allow US,*; GB,*
* sshd deny *
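To see how the rule set above is evaluated before putting it in front of a live sshd, here is an added example that is not part of the article and not pam_geoip's own code: a small evaluator that reads a file in the same format, applies the first-match, comma and semicolon conventions described above, and reports the action for a given user, service, country and city. It assumes the domain column is `*` or a plain user name (group entries and any other location forms pam_geoip may accept are not handled), treats `CC` without a city like `CC,*`, and prints `nomatch` when no line applies.

```shell
#!/bin/bash
# Added example: evaluate a pam_geoip-style geoip.conf the way the article
# describes it. Not pam_geoip's code; domain is assumed to be "*" or a user name.

# geoip_decide CONF USER SERVICE COUNTRY CITY  -> prints allow | deny | nomatch
geoip_decide() {
    awk -v user="$2" -v svc="$3" -v cc="$4" -v city="$5" '
        /^[ \t]*#/ || NF < 4 { next }               # comments and blank lines
        {
            domain = $1; service = $2; action = $3
            loc = ""
            for (i = 4; i <= NF; i++) loc = loc $i  # re-join "US,*; GB,*" split on blanks
            if (domain != "*" && domain != user) next
            if (service != "*" && service != svc) next
            n = split(loc, alts, ";")               # alternatives separated by ";"
            for (j = 1; j <= n; j++) {
                split(alts[j], p, ",")              # p[1] = country, p[2] = city (may be empty)
                if ((p[1] == "*" || p[1] == cc) && (p[2] == "*" || p[2] == "" || p[2] == city)) {
                    result = action                 # first matching line decides
                    exit
                }
            }
        }
        END { print (result == "" ? "nomatch" : result) }
    ' "$1"
}

# Writes a constructed copy of the article's rule set to a temp file, prints its path.
make_sample_conf() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
#<domain> <service> <action> <location>
* sshd allow KR,Seoul
* sshd allow KR,*
* sshd allow US,*; GB,*
* sshd deny *
EOF
    echo "$f"
}

# Demonstration: lookups a practitioner would try by hand.
conf=$(make_sample_conf)
for case in "root sshd KR Seoul" "root sshd KR Busan" "root sshd GB London" \
            "root sshd CN Beijing" "root login CN Beijing"; do
    set -- $case
    printf '%-5s %-6s %-3s %-8s -> %s\n' "$1" "$2" "$3" "$4" "$(geoip_decide "$conf" "$1" "$2" "$3" "$4")"
done
rm -f "$conf"
```

The last case (`login` rather than `sshd`) falls through every line and yields `nomatch`; for a real pam_geoip run that is the situation its `action=` option on the /etc/pam.d line is assumed to cover, and the article's catch-all `* sshd deny *` exists precisely so sshd never reaches it.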
5. Hooking into sshd
Now add geoip to the PAM configuration that sshd uses. Put the pam_geoip.so line at the top of the existing /etc/pam.d/sshd as shown below. geoip_db must point at the file placed in step 2, /usr/local/GeoIP/share/GeoIP/GeoLiteCity.dat (the path is case-sensitive, and the module cannot open a misspelled one). `action=allow` is the module's fallback when no line in geoip.conf matches; with the catch-all deny line from step 4 it is never reached for sshd.
[root@localhost]# vi /etc/pam.d/sshd
#%PAM-1.0
#-- pam_geoip
account required pam_geoip.so system_file=/etc/security/geoip.conf \
geoip_db=/usr/local/GeoIP/share/GeoIP/GeoLiteCity.dat action=allow
#-- end
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
Keep an existing root session open while making this change and verify with a second connection before logging out: pam_geoip is a `required` module in the account phase, so a wrong path in either argument or a mistaken rule in geoip.conf rejects every SSH login, key-based ones included, because sshd runs the PAM account stack for all authentication methods whenever UsePAM is yes.
6. Testing
* A login that is allowed (the address matched KR,*):
Jan 01 00:00:00 localhost sshd[29200]: pam_geoip(sshd:account): location matched: KR,*
Jan 01 00:00:00 localhost sshd[29200]: Accepted password for root from 123.123.123.123 port 1743 ssh2
Jan 01 00:00:00 localhost sshd[29200]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 01 00:00:00 localhost sshd[29200]: pam_unix(sshd:session): session closed for user root
* A login that is denied (the address fell through to the catch-all, logged as *,*):
Jan 01 00:00:00 localhost sshd[29231]: pam_geoip(sshd:account): location matched: *,*
Jan 01 00:00:00 localhost sshd[29231]: Failed password for root from 123.123.123.123 port 1744 ssh2
Jan 01 00:00:00 localhost sshd[29232]: fatal: Access denied for user root by PAM account configuration
Read the denied case carefully: sshd runs the PAM account stack after the password has been checked, and when pam_geoip returns failure it reports the attempt as "Failed password" even if the password was right, then aborts with "Access denied ... by PAM account configuration". When hunting for geo-blocked attempts, key on the pam_geoip line and pair it with the Failed/Accepted line that carries the same sshd PID, since that is the line holding the source address and user name.
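The pairing just described, as an added example that is not part of the article: a log triage function that correlates each pam_geoip decision with the Accepted/Failed line sharing the same sshd PID, and a second function that lists the source addresses rejected by the catch-all rule. The log lines it reads are constructed in the format of the test output above, with addresses from documentation ranges rather than real hosts; the assumption that `*,*` means "fell through to the deny-all line" holds only for a geoip.conf written like the one in step 4.

```shell
#!/bin/bash
# Added example (not from the article): tie pam_geoip decisions to the sshd
# line that carries the source address, keyed on the sshd PID.

# Constructed sample log in the shape of the article's test output.
sample_log() {
    cat <<'EOF'
Jan 01 00:00:00 localhost sshd[29200]: pam_geoip(sshd:account): location matched: KR,*
Jan 01 00:00:00 localhost sshd[29200]: Accepted password for root from 192.0.2.10 port 1743 ssh2
Jan 01 00:00:00 localhost sshd[29200]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 01 00:00:01 localhost sshd[29231]: pam_geoip(sshd:account): location matched: *,*
Jan 01 00:00:01 localhost sshd[29231]: Failed password for root from 203.0.113.9 port 1744 ssh2
Jan 01 00:00:01 localhost sshd[29232]: fatal: Access denied for user root by PAM account configuration
Jan 01 00:00:02 localhost sshd[29240]: pam_geoip(sshd:account): location matched: US,*
Jan 01 00:00:02 localhost sshd[29240]: Accepted publickey for deploy from 198.51.100.7 port 51022 ssh2
EOF
}

# geo_sessions: reads sshd log lines on stdin and prints one line per
# authentication result: "<pid> <ip> <user> <geoip location> <accepted|failed>"
geo_sessions() {
    awk '
        match($0, /sshd\[[0-9]+\]/) { pid = substr($0, RSTART + 5, RLENGTH - 6) }
        /pam_geoip\(sshd:account\): location matched: / {
            sub(/.*location matched: /, "")
            loc[pid] = $0                       # remember the decision for this PID
            next
        }
        /(Accepted|Failed) [a-z]+ for / {       # the line that names user and source address
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            outcome = ($0 ~ /Accepted/) ? "accepted" : "failed"
            where = (pid in loc) ? loc[pid] : "-"
            print pid, ip, user, where, outcome
        }
    '
}

# geo_denied_ips: addresses whose login failed after matching the catch-all
# rule, which the article's geoip.conf logs as "*,*" (assumption tied to step 4).
geo_denied_ips() {
    geo_sessions | awk '$4 == "*,*" && $5 == "failed" { print $2 }' | sort -u
}

# Demonstration on the constructed log; on a real host feed /var/log/secure instead.
sample_log | geo_sessions
echo "--- denied by the geoip catch-all:"
sample_log | geo_denied_ips
```

On a real system the same functions take `/var/log/secure` on stdin. Sessions whose pam_geoip line is missing show `-` in the location column, which is itself worth noticing: it means the account stack never ran pam_geoip for that PID.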