Reference pages: https://wiki.rvijay.in/index.php/Configuring_iSCSI_target_using_targetcli

https://www.rootusers.com/how-to-configure-an-iscsi-target-and-initiator-in-linux/

http://atodorov.org/blog/2015/04/07/how-to-configure-iscsi-target-on-red-hat-enterprise-linux-7/

 

iscsi-server

Install targetcli

[root@centos74 ~]# yum install -y targetcli

 

Run targetcli

[root@centos74 ~]# systemctl start target

 

[root@centos74 ~]# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb46
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/>

 

There are a few more backstore types, but this write-up covers the ones that are used most often.

fileio: backed by a file, e.g. disk.img

block: backed by a block device, e.g. an LVM volume or /dev/sdb1

fileio test

[root@centos74 ~]# mkdir /images
[root@centos74 ~]# targetcli
/> backstores/fileio create disk1 /images/disk1.img 10G
Created fileio disk1 with size 10737418240
/>

Create it from the /> location. You can move between locations with the cd command.

/> iscsi/ create iqn.2017-12.com.example:target1
Created target iqn.2017-12.com.example:target1.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.
/> cd iscsi/iqn.2017-12.com.example:target1/tpg1/
/iscsi/iqn.20...:target1/tpg1> ls
o- tpg1 ................................................. [no-gen-acls, no-auth]
  o- acls ............................................................ [ACLs: 0]
  o- luns ............................................................ [LUNs: 0]
  o- portals ...................................................... [Portals: 1]
    o- 0.0.0.0:3260 ....................................................... [OK]
/iscsi/iqn.20...:target1/tpg1> portals/ create
Using default IP port 3260
Binding to INADDR_ANY (0.0.0.0)
This NetworkPortal already exists in configFS
/iscsi/iqn.20...:target1/tpg1> luns/ create /backstores/fileio/disk1
Created LUN 0.

 

Disable ACLs and set read/write mode

/iscsi/iqn.20...:target1/tpg1> set attribute authentication=0
Parameter authentication is now '0'.
/iscsi/iqn.20...:target1/tpg1> set attribute demo_mode_write_protect=0
Parameter demo_mode_write_protect is now '0'.
/iscsi/iqn.20...:target1/tpg1> set attribute generate_node_acls=1
Parameter generate_node_acls is now '1'.
/iscsi/iqn.20...:target1/tpg1> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json
[root@centos74 ~]#

 

block test

Set /dev/sdb to the LVM partition type (it also works to create the LVM volumes without setting the type separately).

[root@centos74 ~]# fdisk  -l

Disk /dev/sdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/sda: 42.9 GB, 42949672960 bytes, 83886080 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000bfdf3

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048     4196351     2097152   83  Linux
/dev/sda2         4196352    12584959     4194304   82  Linux swap / Solaris
/dev/sda3        12584960    83886079    35650560   83  Linux
[root@centos74 ~]# fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x4f132fd5.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-20971519, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-20971519, default 20971519):
Using default value 20971519
Partition 1 of type Linux and of size 10 GiB is set

Command (m for help): t
Selected partition 1
Hex code (type L to list all codes): 8e
Changed type of partition 'Linux' to 'Linux LVM'

Command (m for help): wq
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
[root@centos74 ~]#

 

Create LVM volumes

[root@centos74 ~]# pvcreate /dev/sdb1
  Physical volume "/dev/sdb1" successfully created.
[root@centos74 ~]# vgcreate vg00 /dev/sdb1
  Volume group "vg00" successfully created
[root@centos74 ~]#
[root@centos74 ~]# lvcreate -L 1G -n lv-vol1 vg00
  Logical volume "lv-vol1" created.
[root@centos74 ~]# lvcreate -L 1G -n lv-vol2 vg00
  Logical volume "lv-vol2" created.
[root@centos74 ~]# lvcreate -L 1G -n lv-vol3 vg00
  Logical volume "lv-vol3" created.
[root@centos74 ~]# lvs
  LV      VG   Attr       LSize Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  lv-vol1 vg00 -wi-a----- 1.00g
  lv-vol2 vg00 -wi-a----- 1.00g
  lv-vol3 vg00 -wi-a----- 1.00g
[root@centos74 ~]#

 

Create iSCSI block devices

[root@centos74 ~]# targetcli
targetcli shell version 2.1.fb46
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.
/> cd /backstores/block
/backstores/block> create lv-vol1 /dev/vg00/lv-vol1
Created block storage object lv-vol1 using /dev/vg00/lv-vol1.
/backstores/block> create lv-vol2 /dev/vg00/lv-vol2
Created block storage object lv-vol2 using /dev/vg00/lv-vol2.
/backstores/block> create lv-vol3 /dev/vg00/lv-vol3
Created block storage object lv-vol3 using /dev/vg00/lv-vol3.
/backstores/block>

 

Create the WWN (cd iscsi, or iscsi/ create)

/iscsi> create iqn.2017-12.com.example:target2
Created target iqn.2017-12.com.example:target2.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.
/iscsi>

 

Create LUNs

/iscsi> cd iqn.2017-12.com.example:target2/
/iscsi/iqn.20...ample:target2> ls
o- iqn.2017-12.com.example:target2 .......................................................................... [TPGs: 1]
  o- tpg1 ...................................................................................... [no-gen-acls, no-auth]
    o- acls ................................................................................................. [ACLs: 0]
    o- luns ................................................................................................. [LUNs: 0]
    o- portals ........................................................................................... [Portals: 1]
      o- 0.0.0.0:3260 ............................................................................................ [OK]
/iscsi/iqn.20...ample:target2> cd tpg1/luns
/iscsi/iqn.20...et2/tpg1/luns> create /backstores/block/lv-vol1
Created LUN 0.
/iscsi/iqn.20...et2/tpg1/luns> create /backstores/block/lv-vol2
Created LUN 1.
/iscsi/iqn.20...et2/tpg1/luns> create /backstores/block/lv-vol3
Created LUN 2.
/iscsi/iqn.20...et2/tpg1/luns>
/iscsi/iqn.20...et2/tpg1/luns> ls
o- luns ..................................................................................................... [LUNs: 3]
  o- lun0 ...................................................... [block/lv-vol1 (/dev/vg00/lv-vol1) (default_tg_pt_gp)]
  o- lun1 ...................................................... [block/lv-vol2 (/dev/vg00/lv-vol2) (default_tg_pt_gp)]
  o- lun2 ...................................................... [block/lv-vol3 (/dev/vg00/lv-vol3) (default_tg_pt_gp)]
/iscsi/iqn.20...et2/tpg1/luns>

 

Disable ACLs and set read/write mode

/iscsi/iqn.20...et2/tpg1/luns> cd

/iscsi/iqn.20...:target2/tpg1> set attribute authentication=0
Parameter authentication is now '0'.
/iscsi/iqn.20...:target2/tpg1> set attribute demo_mode_write_protect=0
Parameter demo_mode_write_protect is now '0'.
/iscsi/iqn.20...:target2/tpg1> set attribute generate_node_acls=1
Parameter generate_node_acls is now '1'.
/iscsi/iqn.20...:target2/tpg1> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json
[root@centos74 ~]#
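The three set attribute lines above (authentication=0, demo_mode_write_protect=0, generate_node_acls=1) put the TPG into demo mode: any initiator that can reach port 3260 may log in and write to every LUN, and the default portal listens on 0.0.0.0. As an added example (not from the original post), this Python check reads the saveconfig.json that targetcli writes on exit and flags TPGs configured that way; the JSON layout used here (targets, then tpgs with attributes/luns/node_acls/portals) is an assumption about targetcli's save format, and the embedded sample is constructed.

```python
import json
import sys

# Constructed sample in the layout targetcli saves to /etc/target/saveconfig.json
# (targets -> tpgs -> attributes / luns / node_acls / portals). The first target
# mirrors the demo-mode settings made above; the second is a hardened variant
# (CHAP required, explicit ACL, portal bound to one address). The layout itself is
# an assumption about the save format, so verify it against a real file first.
SAMPLE_SAVECONFIG = json.dumps({
    "targets": [
        {
            "fabric": "iscsi",
            "wwn": "iqn.2017-12.com.example:target1",
            "tpgs": [{
                "tag": 1, "enable": 1,
                "attributes": {"authentication": 0, "generate_node_acls": 1,
                               "demo_mode_write_protect": 0},
                "luns": [{"index": 0, "storage_object": "/backstores/fileio/disk1"}],
                "node_acls": [],
                "portals": [{"ip_address": "0.0.0.0", "port": 3260}],
            }],
        },
        {
            "fabric": "iscsi",
            "wwn": "iqn.2017-12.com.example:target2",
            "tpgs": [{
                "tag": 1, "enable": 1,
                "attributes": {"authentication": 1, "generate_node_acls": 0,
                               "demo_mode_write_protect": 1},
                "luns": [{"index": 0, "storage_object": "/backstores/block/lv-vol1"},
                         {"index": 1, "storage_object": "/backstores/block/lv-vol2"}],
                "node_acls": [{"node_wwn": "iqn.2017-12.com.example:client1"}],
                "portals": [{"ip_address": "192.168.186.100", "port": 3260}],
            }],
        },
    ]
})


def tpg_problems(tpg):
    """List the exposure problems of one target portal group, empty if none."""
    attrs = tpg.get("attributes", {})
    problems = []
    if int(attrs.get("generate_node_acls", 0)) == 1:
        problems.append("generate_node_acls=1: demo mode, any initiator IQN may log in")
        if int(attrs.get("demo_mode_write_protect", 1)) == 0:
            problems.append("demo_mode_write_protect=0: demo-mode initiators get write access")
    if int(attrs.get("authentication", 1)) == 0:
        problems.append("authentication=0: CHAP not required")
    if any(p.get("ip_address") in ("0.0.0.0", "::") for p in tpg.get("portals", [])):
        problems.append("portal bound to all interfaces")
    return problems


def audit_saveconfig(text):
    """Return one finding per enabled iSCSI TPG that exposes LUNs without ACLs or CHAP."""
    findings = []
    for target in json.loads(text).get("targets", []):
        if target.get("fabric") != "iscsi":
            continue
        for tpg in target.get("tpgs", []):
            if not int(tpg.get("enable", 1)):
                continue                    # a disabled TPG is not reachable
            problems = tpg_problems(tpg)
            if problems:
                findings.append({"wwn": target.get("wwn"), "tpg": tpg.get("tag"),
                                 "luns": len(tpg.get("luns", [])),
                                 "problems": problems})
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SAVECONFIG
    for f in audit_saveconfig(source):
        print(f"{f['wwn']} tpg{f['tpg']} ({f['luns']} LUN(s)):")
        for p in f["problems"]:
            print("  -", p)
```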

 

 

iscsi-Client

[root@centos7-test ~]# yum install -y iscsi-initiator-utils

 

fileio Test

Discover iSCSI LUNs

[root@centos7-test ~]# iscsiadm --mode discoverydb --type sendtargets --portal 192.168.186.100 --discover
192.168.186.100:3260,1 iqn.2017-12.com.example:target1
[root@centos7-test ~]#

 

iscsi login 

[root@centos7-test ~]# iscsiadm --mode node --targetname iqn.2017-12.com.example:target1 --portal 192.168.186.100 --login
Logging in to [iface: default, target: iqn.2017-12.com.example:target1, portal: 192.168.186.100,3260] (multiple)
Login to [iface: default, target: iqn.2017-12.com.example:target1, portal: 192.168.186.100,3260] successful.
[root@centos7-test ~]#

 

Check SCSI devices

[root@centos7-test ~]# cat /proc/scsi/scsi
Attached devices:
Host: scsi2 Channel: 00 Id: 00 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02
Host: scsi4 Channel: 00 Id: 00 Lun: 00
  Vendor: NECVMWar Model: VMware SATA CD01 Rev: 1.00
  Type:   CD-ROM                           ANSI  SCSI revision: 05
Host: scsi34 Channel: 00 Id: 00 Lun: 00
  Vendor: LIO-ORG  Model: disk1            Rev: 4.0
  Type:   Direct-Access                    ANSI  SCSI revision: 05
[root@centos7-test ~]#

 

Check with fdisk

[root@centos7-test ~]# fdisk  -l

Disk /dev/sda: 42.9 GB, 42949672960 bytes, 83886080 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000bfdf3

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048     4196351     2097152   83  Linux
/dev/sda2         4196352    12584959     4194304   82  Linux swap / Solaris
/dev/sda3        12584960    83886079    35650560   83  Linux

Disk /dev/sdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes

[root@centos7-test ~]#

 

iscsi logout

[root@centos7-test ~]# iscsiadm --mode node --targetname iqn.2017-12.com.example:target1 --portal 192.168.186.100 -u
Logging out of session [sid: 2, target: iqn.2017-12.com.example:target1, portal: 192.168.186.100,3260]
Logout of [sid: 2, target: iqn.2017-12.com.example:target1, portal: 192.168.186.100,3260] successful.
[root@centos7-test ~]# iscsiadm --mode node --targetname iqn.2017-12.com.example:target1 --portal 192.168.186.100 -o delete

 

Check with fdisk

[root@centos7-test ~]# fdisk  -l

Disk /dev/sda: 42.9 GB, 42949672960 bytes, 83886080 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000bfdf3

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048     4196351     2097152   83  Linux
/dev/sda2         4196352    12584959     4194304   82  Linux swap / Solaris
/dev/sda3        12584960    83886079    35650560   83  Linux
[root@centos7-test ~]#

 

block Test

Discover iSCSI LUNs

[root@centos7-test ~]# iscsiadm --mode discoverydb --type sendtargets --portal 192.168.186.100 --discover
192.168.186.100:3260,1 iqn.2017-12.com.example:target1
192.168.186.100:3260,1 iqn.2017-12.com.example:target2
[root@centos7-test ~]#

 

iscsi login 

[root@centos7-test ~]# iscsiadm --mode node --targetname iqn.2017-12.com.example:target2 --portal 192.168.186.100 --login
Logging in to [iface: default, target: iqn.2017-12.com.example:target2, portal: 192.168.186.100,3260] (multiple)
Login to [iface: default, target: iqn.2017-12.com.example:target2, portal: 192.168.186.100,3260] successful.
[root@centos7-test ~]#

 

Check SCSI devices

[root@centos7-test ~]# cat /proc/scsi/scsi
Attached devices:
Host: scsi2 Channel: 00 Id: 00 Lun: 00
  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02
Host: scsi4 Channel: 00 Id: 00 Lun: 00
  Vendor: NECVMWar Model: VMware SATA CD01 Rev: 1.00
  Type:   CD-ROM                           ANSI  SCSI revision: 05
Host: scsi35 Channel: 00 Id: 00 Lun: 00
  Vendor: LIO-ORG  Model: lv-vol1          Rev: 4.0
  Type:   Direct-Access                    ANSI  SCSI revision: 05
Host: scsi35 Channel: 00 Id: 00 Lun: 01
  Vendor: LIO-ORG  Model: lv-vol2          Rev: 4.0
  Type:   Direct-Access                    ANSI  SCSI revision: 05
Host: scsi35 Channel: 00 Id: 00 Lun: 02
  Vendor: LIO-ORG  Model: lv-vol3          Rev: 4.0
  Type:   Direct-Access                    ANSI  SCSI revision: 05
[root@centos7-test ~]#

 

Check with fdisk

[root@centos7-test ~]# fdisk -l

Disk /dev/sda: 42.9 GB, 42949672960 bytes, 83886080 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000bfdf3

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048     4196351     2097152   83  Linux
/dev/sda2         4196352    12584959     4194304   82  Linux swap / Solaris
/dev/sda3        12584960    83886079    35650560   83  Linux

Disk /dev/sdb: 1073 MB, 1073741824 bytes, 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes


Disk /dev/sdc: 1073 MB, 1073741824 bytes, 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes


Disk /dev/sdd: 1073 MB, 1073741824 bytes, 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes

[root@centos7-test ~]#

 

iscsi logout

[root@centos7-test ~]# iscsiadm --mode node --targetname iqn.2017-12.com.example:target2 --portal 192.168.186.100 -u
Logging out of session [sid: 3, target: iqn.2017-12.com.example:target2, portal: 192.168.186.100,3260]
Logout of [sid: 3, target: iqn.2017-12.com.example:target2, portal: 192.168.186.100,3260] successful.
[root@centos7-test ~]# iscsiadm --mode node --targetname iqn.2017-12.com.example:target2 --portal 192.168.186.100 -o delete
[root@centos7-test ~]#

 

Check with fdisk

[root@centos7-test ~]# fdisk -l

Disk /dev/sda: 42.9 GB, 42949672960 bytes, 83886080 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000bfdf3

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048     4196351     2097152   83  Linux
/dev/sda2         4196352    12584959     4194304   82  Linux swap / Solaris
/dev/sda3        12584960    83886079    35650560   83  Linux
[root@centos7-test ~]#

 

If a firewall is in use

[root@centos74 ~]# firewall-cmd --add-service=iscsi-target --permanent 
success
[root@centos74 ~]# firewall-cmd --reload

 

Additional details will be written up later.

Linux security settings summary

This is a rough summary of commonly used Linux security settings.

If a host is exposed to an external network, be sure to change the sshd port and restrict root user login.

Just setting PermitRootLogin no and changing the port number in sshd_config already reduces dictionary (brute-force) attacks against root or other accounts.

With root/root as the credentials on a public IP, the host can be compromised within a day.

iptables will be covered later together with CentOS firewalld.

Test OS environment: CentOS 7.4

  • TCP Wrapper
  • login.defs
  • pam_tally2
  • sshd_config changes

 

TCP Wrapper

For hosts.allow / hosts.deny, the usual pattern is to set ALL:ALL in hosts.deny and then open each service individually in hosts.allow.

 

Example test scenario: ssh from the centos7-test system to centos74

centos74, centos7-test

 

Confirm the connection

[root@centos74 ~]# tail -f /var/log/secure
Nov 30 22:30:21 centos74 sshd[2233]: Accepted password for root from 192.168.186.130 port 48408 ssh2
Nov 30 22:30:21 centos74 sshd[2233]: pam_unix(sshd:session): session opened for user root by (uid=0)

The connection succeeded as expected.

 

Because the host was opened through the public network for the test, a very large number of ssh login attempts as root can be seen.

The first octet of the attempting IP addresses has been masked with x. PermitRootLogin no and a port change in sshd_config are needed.

Nov 30 22:30:38 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:38 centos74 sshd[2235]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 30 22:30:40 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:40 centos74 sshd[2235]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 30 22:30:42 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:43 centos74 sshd[2235]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 30 22:30:45 centos74 sshd[2235]: Failed password for root from x.38.145.226 port 52215 ssh2
Nov 30 22:30:45 centos74 sshd[2235]: error: maximum authentication attempts exceeded for root from x.38.145.226 port 52215 ssh2 [preauth]
Nov 30 22:30:45 centos74 sshd[2235]: Disconnecting: Too many authentication failures [preauth]
Nov 30 22:30:45 centos74 sshd[2235]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.38.145.226  user=root
Nov 30 22:30:45 centos74 sshd[2235]: PAM service(sshd) ignoring max retries; 6 > 3
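As an added example (not from the original post), here is a Python detector for the /var/log/secure lines shown above: it parses the Accepted/Failed password events, counts failures per source address inside a sliding window, and flags a source once it passes a threshold, so the result can feed an alert or a block list. The log lines inside are constructed in the same format, with RFC 5737 documentation addresses in place of real attackers.

```python
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the /var/log/secure format shown above (CentOS 7 sshd + PAM).
# Source addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_SECURE_LOG = """\
Nov 30 22:30:21 centos74 sshd[2233]: Accepted password for root from 192.168.186.130 port 48408 ssh2
Nov 30 22:30:21 centos74 sshd[2233]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 30 22:30:38 centos74 sshd[2235]: Failed password for root from 203.0.113.7 port 52215 ssh2
Nov 30 22:30:40 centos74 sshd[2235]: Failed password for root from 203.0.113.7 port 52215 ssh2
Nov 30 22:30:42 centos74 sshd[2235]: Failed password for root from 203.0.113.7 port 52215 ssh2
Nov 30 22:30:45 centos74 sshd[2235]: Failed password for root from 203.0.113.7 port 52215 ssh2
Nov 30 22:30:45 centos74 sshd[2235]: error: maximum authentication attempts exceeded for root from 203.0.113.7 port 52215 ssh2 [preauth]
Nov 30 22:30:47 centos74 sshd[2240]: Failed password for root from 203.0.113.7 port 52230 ssh2
Nov 30 22:30:49 centos74 sshd[2240]: Failed password for invalid user admin from 203.0.113.7 port 52230 ssh2
Nov 30 22:35:10 centos74 sshd[2301]: Failed password for invalid user admin from 198.51.100.9 port 40111 ssh2
Nov 30 22:41:55 centos74 sshd[2333]: Failed password for test from 198.51.100.9 port 40120 ssh2
"""

# Matches only the authentication outcome lines; PAM, session and error lines are skipped.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)


def parse_auth_events(text, year=2017):
    """Turn sshd auth lines into events; syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "ok": m.group("result") == "Accepted",
                       "method": m.group("method"), "user": m.group("user"),
                       "ip": m.group("ip")})
    return events


def find_bruteforce_sources(events, threshold=5, window_seconds=60):
    """Return {ip: summary} for every source with >= threshold failures inside one window."""
    window = timedelta(seconds=window_seconds)
    failures_by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            failures_by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, fails in failures_by_ip.items():
        recent = deque()            # timestamps inside the current sliding window
        peak = 0
        for ev in fails:
            recent.append(ev["ts"])
            while ev["ts"] - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = {"failures": len(fails), "peak_in_window": peak,
                           "users": sorted({ev["user"] for ev in fails}),
                           "first": fails[0]["ts"].isoformat(),
                           "last": fails[-1]["ts"].isoformat()}
    return flagged


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECURE_LOG
    for ip, info in find_bruteforce_sources(parse_auth_events(text)).items():
        print(f"{ip}: {info['failures']} failures, peak {info['peak_in_window']} in 60s, "
              f"users {info['users']} ({info['first']} .. {info['last']})")
```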

 

TCP Wrapper configuration

[root@centos74 ~]# vi /etc/hosts.deny
ALL:ALL

 

Checking /var/log/secure

[root@centos74 ~]# tail -f /var/log/secure
Nov 30 22:42:45 centos74 sshd[2537]: refused connect from 192.168.186.130 (192.168.186.130)

 

Checking from the ssh client on centos7-test

[root@centos7-test ~]# ssh centos74
ssh_exchange_identification: read: Connection reset by peer
[root@centos7-test ~]#

The connection can no longer be made.

 

Add the sshd: 192.168.186 range

When adding a range, the octet must end with a trailing dot, e.g. 192.168.0.

To allow only a specific IP, set it as 192.168.0.10.

[root@centos74 ~]# vi /etc/hosts.allow
sshd:192.168.186.


[root@centos74 ~]# tail -f /var/log/secure
Nov 30 22:45:59 centos74 sshd[2579]: Accepted password for root from 192.168.186.130 port 48416 ssh2
Nov 30 22:45:59 centos74 sshd[2579]: pam_unix(sshd:session): session opened for user root by (uid=0)
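The trailing-dot rule above is how libwrap decides that a pattern is an address prefix rather than a host name. As an added example (not from the original post), this Python model of the hosts_access(5) evaluation order (hosts.allow first, then hosts.deny, default allow) reproduces that behaviour for the sshd rule from the post, including the net/mask and EXCEPT forms; it covers only the common client patterns, and the file contents are constructed inline.

```python
import ipaddress

# Constructed hosts.allow / hosts.deny contents, mirroring the post's configuration.
HOSTS_ALLOW = "sshd: 192.168.186.\n"
HOSTS_DENY = "ALL: ALL\n"


def _tokens(field):
    """List items are separated by blanks and/or commas."""
    return field.replace(",", " ").split()


def _match_client(pattern, ip, hostname):
    """Client patterns from hosts_access(5): ALL, LOCAL, '.domain' hostname suffix,
    'n.n.n.' address prefix, 'net/mask', or an exact address or host name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return bool(hostname) and "." not in hostname
    if pattern.startswith("."):
        return hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        return ip.startswith(pattern)      # "192.168.186." matches 192.168.186.130
    if "/" in pattern:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    # Anything else is compared as a whole string: "192.168.186" never equals
    # "192.168.186.130", so a prefix written without the dot silently matches nothing.
    return pattern == ip or (bool(hostname) and pattern.lower() == hostname.lower())


def _match_list(field, match_one):
    """'a b EXCEPT c d' matches when the left list matches and the right list does not."""
    tokens = _tokens(field)
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_list(" ".join(tokens[:i]), match_one)
                and not _match_list(" ".join(tokens[i + 1:]), match_one))
    return any(match_one(t) for t in tokens)


def _file_matches(text, daemon, ip, hostname):
    """The first matching 'daemon_list : client_list' rule wins; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons, clients = fields[0], fields[1]   # optional third field (shell command) ignored
        if (_match_list(daemons, lambda d: d == "ALL" or d == daemon)
                and _match_list(clients, lambda c: _match_client(c, ip, hostname))):
            return True
    return False


def tcpwrap_decision(daemon, ip, hostname="", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is searched first and a match grants access; otherwise hosts.deny is
    searched and a match refuses; with no match in either file access is granted."""
    if _file_matches(allow, daemon, ip, hostname):
        return "allow"
    if _file_matches(deny, daemon, ip, hostname):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for src in ("192.168.186.130", "10.0.0.5"):
        print("sshd from", src, "->", tcpwrap_decision("sshd", src))
    print("without trailing dot ->",
          tcpwrap_decision("sshd", "192.168.186.130", allow="sshd: 192.168.186\n"))
```

Only daemons linked against libwrap consult these files at all, which is what the ldd check further down the page verifies.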

 

Connecting from the VM host without any additional configuration, the web site was still reachable.

For Apache, allow and deny can be configured with mod_access.

 

The ldd command shows whether a binary uses the libwrap library.

Check httpd

[root@centos74 ~]# which httpd
/usr/sbin/httpd
[root@centos74 ~]# ldd /usr/sbin/httpd |grep libwrap
[root@centos74 ~]#

 

Check sshd

[root@centos74 ~]# ldd /usr/sbin/sshd
        linux-vdso.so.1 =>  (0x00007ffe8f1e9000)
        libfipscheck.so.1 => /lib64/libfipscheck.so.1 (0x00007ff0e08ee000)
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007ff0e06e3000)
        libaudit.so.1 => /lib64/libaudit.so.1 (0x00007ff0e04ba000)
        libpam.so.0 => /lib64/libpam.so.0 (0x00007ff0e02ab000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007ff0e0084000)
        libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007ff0e005b000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007ff0dfbfa000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007ff0df9f6000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007ff0df7a1000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007ff0df592000)
        libutil.so.1 => /lib64/libutil.so.1 (0x00007ff0df38f000)
        libz.so.1 => /lib64/libz.so.1 (0x00007ff0df178000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007ff0def41000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007ff0ded27000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007ff0dead9000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007ff0de7f1000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007ff0de5be000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007ff0de3b9000)
        libc.so.6 => /lib64/libc.so.6 (0x00007ff0ddff6000)
        libnsl.so.1 => /lib64/libnsl.so.1 (0x00007ff0ddddd000)
        libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007ff0ddbd6000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007ff0dd974000)
        /lib64/ld-linux-x86-64.so.2 (0x000055f3da440000)
        libcap.so.2 => /lib64/libcap.so.2 (0x00007ff0dd76f000)
        libm.so.6 => /lib64/libm.so.6 (0x00007ff0dd46c000)
        librt.so.1 => /lib64/librt.so.1 (0x00007ff0dd264000)
        liblzma.so.5 => /lib64/liblzma.so.5 (0x00007ff0dd03e000)
        libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x00007ff0dcdbc000)
        libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007ff0dcbb7000)
        libdw.so.1 => /lib64/libdw.so.1 (0x00007ff0dc970000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007ff0dc759000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007ff0dc53d000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007ff0dc320000)
        libssl3.so => /lib64/libssl3.so (0x00007ff0dc0d3000)
        libsmime3.so => /lib64/libsmime3.so (0x00007ff0dbeac000)
        libnss3.so => /lib64/libnss3.so (0x00007ff0dbb82000)
        libnssutil3.so => /lib64/libnssutil3.so (0x00007ff0db954000)
        libplds4.so => /lib64/libplds4.so (0x00007ff0db750000)
        libplc4.so => /lib64/libplc4.so (0x00007ff0db54b000)
        libnspr4.so => /lib64/libnspr4.so (0x00007ff0db30c000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007ff0db109000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007ff0daefa000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007ff0dacf6000)
        libattr.so.1 => /lib64/libattr.so.1 (0x00007ff0daaf0000)
        libelf.so.1 => /lib64/libelf.so.1 (0x00007ff0da8d8000)
        libbz2.so.1 => /lib64/libbz2.so.1 (0x00007ff0da6c7000)
[root@centos74 ~]#

 

Details are available at the sites below.

They are well organized, so only the links are added here.

TCP Wrapper is generally understood to control access denial for services that run under xinetd.

TCP Wrapper https://www.joinc.co.kr/w/man/12/tcpwrapper

On BSD, it appears that Apache access could be controlled through TCP Wrapper with an inetd configuration.

The material is quite old; I would like to test it, but since it is unlikely to be used, only the link is left here.

FreeBSD inetd-based Apache http://freebsdhowtos.com/113.html

 

login.defs 

Password policy can be set in /etc/login.defs.

PASS_MAX_DAYS   9999    maximum number of days a password may be used
PASS_MIN_DAYS   0       minimum number of days between password changes
PASS_MIN_LEN    0       minimum password length
PASS_WARN_AGE   7       days of warning sent before a password expires

Modifying login.defs does not affect existing users; it applies only to users added after the change.

 

/etc/shadow file description

[root@centos74 ~]# cat /etc/shadow
(field numbers, not part of the file)  1 : 2 : 3 : 4 : 5 : 6 : 7 : 8 : 9
root:$6$ZayMBeKp$aTokocQJQg77pDbkUGqYuBC21ESGCkKafchr2OMMWzplyQnid4ECxNPkNFIXd8K0vkDiVJvQv0nJDpq4Hb3qh/:17497:0:99999:7:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
adm:*:17110:0:99999:7:::
lp:*:17110:0:99999:7:::
test:$6$S9l9DJ9Q$SswkqlquRVyZOUZVETnrn1HJCjW3FQS9AvWSFe.ZUtSvfOJPnjgkc7XxHq4kdKqoe0StGEmJrqeZoZPYpw6Ig/:17500:0:99999:7:::
test1:$6$/wcpiL/o$vd.Gsw/aehbJ6WTgWSjohq0A9W3ks/5PA12SLA7MlVqdLxl0iJv8MkdmfThsb2s.Ux4mo1.QyleHgrfsNNmxt0:17500:0:99999:7:::
test2:$6$SWU0NjnK$8LA3TVRXCnveva/kETFn4vhaRL6tQooaGoaH9wT/mdD0CW6oVPA7f8z/vjGJL.p37HRjxkYRRmhpEgjQScMAr1:17500:0:99999:7:::
test3:!!:17500:0:99999:7:::
[root@centos74 ~]#

Field description

1. Login Name: the user account

2. Encrypted: the hashed password value

3. Last Changed: the number of days since 1 January 1970 on which the password was last changed

4. Minimum: minimum number of days before the password may be changed again

5. Maximum: maximum number of days the password may be used before it must be changed

6. Inactive: period (days) for which login is blocked

7. Expire: period (days) for which login use is prohibited (month/day/year)

8. Reserved: unused

 

The test user has the default values configured in /etc/login.defs.

 

test:$6$S9l9DJ9Q$SswkqlquRVyZOUZVETnrn1HJCjW3FQS9AvWSFe.ZUtSvfOJPnjgkc7XxHq4kdKqoe0StGEmJrqeZoZPYpw6Ig/:17500:0:99999:7:::

PASS_MIN_DAYS: 0

PASS_MAX_DAYS: 99999

PASS_WARN_AGE: 7

 

Create user test4 after modifying /etc/login.defs

[root@centos74 ~]# vi /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_MIN_LEN    5

Maximum usage period changed to 90 days

Minimum usage period 7 days

Minimum password length 5

 

test4:$6$QVwi5qjn$2g4IuWJOdmgOkXxwZFFGFdxroOFhtcKa0v.7.5NmHFl0PCXbK5km3yb1.MIHR9/m4GxXqOcLvkqbk8qEg5tDG/:17500:7:90:7:::

PASS_MIN_DAYS: 7

PASS_MAX_DAYS: 90

PASS_WARN_AGE: 7

The minimum password length applies only when a user changes their own password, e.g. when the test3 user sets their own password.

It is not applied when root changes a password.

With the login.defs settings applied, affected cron jobs stop running.

A test note on this is written separately further down.

 

pam_tally2

pam_tally2 is a login counter module.

pam_tally2 can be used to set the account lockout policy on ssh login failure, as well as password minimum length and lowercase, uppercase, digit and special-character requirements.

Details: http://www.linux-pam.org/Linux-PAM-html/sag-pam_tally2.html

Since some settings that used to be made in pam_tally moved to authconfig with the change to pam_tally2, authconfig will be covered in a separate post.

This post covers only pam_tally2 onerr=fail, deny and unlock_time.

 

Check that pam is installed

[root@centos74 ~]# rpm -aq |grep -i pam
pam-1.1.8-18.el7.x86_64

 

Modify /etc/pam.d/system-auth (console logins and su)

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=1200
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

 

Modify the password-auth file (remote and X-window logins)

[root@centos74 ~]# vi /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=1200
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

After setting the count with deny=, the lockout duration can also be set with unlock_time.

The pam_cracklib settings from CentOS 5 and 6 appear to have been replaced by authconfig.

 

Checking ssh login failures: once the count passes 3, user test4 can no longer log in.

[root@centos74 ~]# pam_tally2
Login           Failures Latest failure     From
test4               1    12/01/17 00:07:11  192.168.186.1
[root@centos74 ~]# pam_tally2
Login           Failures Latest failure     From
test4               2    12/01/17 00:07:15  192.168.186.1
[root@centos74 ~]# pam_tally2
Login           Failures Latest failure     From
test4               3    12/01/17 00:07:19  192.168.186.1
[root@centos74 ~]# pam_tally2
Login           Failures Latest failure     From
test4               4    12/01/17 00:07:26  192.168.186.1
[root@centos74 ~]#

 

Unlock user test4

[root@centos74 ~]# pam_tally2 -r -u test4
Login           Failures Latest failure     From
test4               5    12/01/17 00:07:31  192.168.186.1
[root@centos74 ~]# pam_tally2

 

Error message when a regular user changes their password

[test4@centos74 ~]$ passwd
Changing password for user test4.
Changing password for test4.
(current) UNIX password:
You must wait longer to change your password
passwd: Authentication token manipulation error

The PASS_MIN_DAYS field in /etc/shadow must be changed before the password can be changed normally.

The root user is not affected by the password policy, but a regular user is caught by it and cannot change the password.
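The "You must wait longer" error above and the test4 line shown earlier (17500:7:90:7) both follow from the aging fields described in the /etc/shadow section. As an added example (not from the original post), this Python parser reads those fields and derives when the password may next be changed, when it expires and whether the warning window is open; the shadow lines are constructed with placeholder hashes and the post's aging values.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)   # field 3 counts days from this date

# Constructed /etc/shadow lines. The aging fields copy the post's users (test with
# the 0:99999:7 defaults, test4 created after the login.defs change with 7:90:7);
# the hashes are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER$HASH:17497:0:99999:7:::
test:$6$PLACEHOLDER$HASH:17500:0:99999:7:::
test3:!!:17500:0:99999:7:::
test4:$6$PLACEHOLDER$HASH:17500:7:90:7:::
"""

FIELDS = ("name", "hash", "last_change", "min_days", "max_days",
          "warn_days", "inactive_days", "expire_day", "reserved")
NUMERIC = FIELDS[2:8]


def parse_shadow(text):
    """Split each line into the nine shadow(5) fields; empty numeric fields become None."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        entry = dict(zip(FIELDS, parts))
        for key in NUMERIC:
            entry[key] = int(entry[key]) if entry[key] else None
        entries[entry["name"]] = entry
    return entries


def aging_status(entry, today):
    """Derive the dates implied by the aging fields for a given day (ISO string or date)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    hashed = entry["hash"]
    status = {"locked": hashed.startswith(("!", "*")) or hashed == ""}
    if entry["last_change"] is None:
        status["aging_enabled"] = False     # an empty field 3 disables aging entirely
        return status
    status["aging_enabled"] = True
    last = EPOCH + timedelta(days=entry["last_change"])
    status["last_change"] = last.isoformat()
    status["must_change_at_login"] = entry["last_change"] == 0
    age = (today - last).days
    # Field 4: the password cannot be changed again until min_days have passed,
    # which is what produces "You must wait longer to change your password".
    min_days = entry["min_days"] or 0
    status["change_allowed_from"] = (last + timedelta(days=min_days)).isoformat()
    status["can_change_now"] = age >= min_days
    # Field 5: days the password stays valid; 99999 means effectively never.
    max_days = entry["max_days"]
    if max_days is not None and max_days < 99999:
        expires = last + timedelta(days=max_days)
        warn = entry["warn_days"] or 0
        status["expires_on"] = expires.isoformat()
        status["expired"] = age > max_days
        status["in_warning_window"] = (not status["expired"]) and age >= max_days - warn
    else:
        status["expires_on"] = None
        status["expired"] = False
        status["in_warning_window"] = False
    return status


if __name__ == "__main__":
    for name, entry in parse_shadow(SAMPLE_SHADOW).items():
        print(name, aging_status(entry, "2017-12-01"))
```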

 

Password remember test in /etc/pam.d/password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=1200
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2

 

Test after setting remember=2

[test4@centos74 ~]$ passwd
Changing password for user test4.
Changing password for test4.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[test4@centos74 ~]$

Log in via ssh with the changed password, then set the previously used password again

[test4@centos74 ~]$ passwd
Changing password for user test4.
Changing password for test4.
(current) UNIX password:
New password:
Retype new password:
Password has been already used. Choose another.
passwd: Authentication token manipulation error
[test4@centos74 ~]$

The password cannot be set.

 

Test after removing those lines (commenting them out)

[root@centos74 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
#auth       required      pam_tally2.so deny=5 unlock_time=1200
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
#account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@centos74 ~]#

Change the password

[test4@centos74 ~]$ passwd
Changing password for user test4.
Changing password for test4.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[test4@centos74 ~]$

The password can now be changed normally.

The other options are described at http://www.linux-pam.org/Linux-PAM-html/sag-pam_tally2.html

 

sshd_config configuration

[root@centos74 ~]# cat /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22          / With the default setting, port 22 is used.
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m         /   Time after which the server drops the connection if the user has not logged in / The default is 0, meaning no limit.
PermitRootLogin yes

/ Whether root login is allowed / The default is yes, so the root user can log in.

#StrictModes yes

/ sshd checks file modes and the user's home directory before allowing login.

#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

/ Whether .rhosts files are used. The default setting is yes, meaning rhosts values are not used.

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

/ Whether sshd uses PAM modules. The default is yes; when set to no, the PAM configuration is ignored.

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes

/ Whether X11 forwarding is enabled / The default value is yes.

#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes                 / The server sends messages at intervals to check whether the client connection has dropped.
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0

/ ClientAliveInterval setting

#ClientAliveCountMax 3

/ ClientAliveInterval * ClientAliveCountMax = the session keep-alive time (usually set in .bash_profile as TMOUT= in seconds, e.g. TMOUT=600 (10 minutes))

#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

/ The default is none; it can be set as e.g. Banner /etc/issue.net. Configure the banner text by editing the issue.net file.


# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
[root@centos74 ~]#

PermitRootLogin no / deny root user login

It is recommended to change Port 22 to a non-standard port, e.g. 4320.
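As an added example (not part of the original page), a small POSIX shell audit of an sshd_config against the settings discussed above: root login denied, a non-default port, UsePAM left on, and an idle timeout derived from ClientAliveInterval * ClientAliveCountMax. It honours sshd's first-value-wins rule and ignores everything after the first Match block; the sample config it writes is constructed here, and the function names are the example's own.

```shell
# Added example: audit an sshd_config. sshd takes the FIRST value it reads for a
# keyword and treats lines after the first "Match" as conditional, so only the
# global section is consulted. Only "Keyword value" syntax is handled, not "Keyword=value".
# effective_value FILE KEYWORD DEFAULT -> first uncommented value, else DEFAULT
effective_value() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }      # stop at the first Match block
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # skip comments and blank lines
        tolower($1) == tolower(k) { print $2; exit }     # first occurrence wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}
# idle_timeout FILE -> seconds until sshd drops a silent client
# (ClientAliveInterval * ClientAliveCountMax; 0 means keepalive probing is off)
idle_timeout() {
    iv=$(effective_value "$1" ClientAliveInterval 0)
    cm=$(effective_value "$1" ClientAliveCountMax 3)
    echo $((iv * cm))
}
# sshd_audit FILE: prints one FAIL line per deviation; returns 1 if any failed.
# Checks follow this page: PermitRootLogin no, a non-default port, UsePAM yes
# (UsePAM no is unsupported on RHEL/CentOS) and an idle timeout configured.
sshd_audit() {
    f=$1 rc=0
    prl=$(effective_value "$f" PermitRootLogin unset)
    port=$(effective_value "$f" Port 22)
    pam=$(effective_value "$f" UsePAM no)
    to=$(idle_timeout "$f")
    [ "$prl" = no ]   || { echo "FAIL PermitRootLogin=$prl (want no)"; rc=1; }
    [ "$port" != 22 ] || { echo "FAIL Port=$port (want a non-default port)"; rc=1; }
    [ "$pam" = yes ]  || { echo "FAIL UsePAM=$pam (want yes)"; rc=1; }
    [ "$to" -gt 0 ]   || { echo "FAIL ClientAliveInterval=0 (no idle timeout)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $f (idle timeout ${to}s)"
    return "$rc"
}
# write_sample_config FILE: constructed config resembling the CentOS 7 file
# above, with a commented Port, a duplicated keyword and a trailing Match block.
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
PermitRootLogin yes
PermitRootLogin no
ClientAliveInterval 300
UsePAM yes
Match User anoncvs
        PermitRootLogin no
EOF
}
```

Run `sshd_audit /etc/ssh/sshd_config` on a host to list the deviations; on the constructed sample it reports the root login and default port, since the first `PermitRootLogin yes` wins and the Match-scoped `no` does not apply globally.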

Additional sshd_config settings are documented at https://linux.die.net/man/5/sshd_config.