69 posts in the 'Tips & Tech/Linux' category
- 2011.08.18 Installing Nginx with YUM
- 2011.08.18 Nginx configuration example (English)
- 2011.08.18 Nginx virtual host configuration (English)
- 2011.08.17 Running Nginx and Apache together (English)
- 2011.08.17 Installing Nginx (brief)
- 2011.08.09 Packages belonging to essential rpms (memo)
- 2011.08.08 Linux commands (memo)
- 2011.07.25 Linux security - essential security measures
- 2011.07.13 Installing the MCRYPT module for PHP (DSO)
- 2011.04.07 Installing fail2ban on Linux (CentOS 5.5)
Installing Nginx with YUM
EPEL contains many useful packages, such as fail2ban, that you would otherwise normally have to install one by one.
1. Install the EPEL package matching your version
CentOS 6.x 32-bit (x86/i386):
CentOS 6.x 64-bit (x64):
CentOS 5.x 32-bit (x86/i386):
CentOS 5.x 64-bit (x64):
Then run yum install nginx and you're done.
However, while the current latest version is 1.10, yum only has 0.8.54 registered.
Installing from source isn't particularly hard either, so I'll just compile it from source.
Nginx configuration example (English)
Example Configuration
nginx.conf
user www www;
worker_processes 5;
error_log logs/error.log;
pid logs/nginx.pid;
worker_rlimit_nofile 8192;

events {
  worker_connections 4096;
}

http {
  include conf/mime.types;
  include /etc/nginx/proxy.conf;
  include /etc/nginx/fastcgi.conf;
  index index.html index.htm index.php;

  default_type application/octet-stream;
  log_format main '$remote_addr - $remote_user [$time_local] $status '
    '"$request" $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
  access_log logs/access.log main;
  sendfile on;
  tcp_nopush on;
  server_names_hash_bucket_size 128; # this seems to be required for some vhosts

  server { # php/fastcgi
    listen 80;
    server_name domain1.com www.domain1.com;
    access_log logs/domain1.access.log main;
    root html;

    location ~ \.php$ {
      fastcgi_pass 127.0.0.1:1025;
    }
  }

  server { # simple reverse-proxy
    listen 80;
    server_name domain2.com www.domain2.com;
    access_log logs/domain2.access.log main;

    # serve static files
    location ~ ^/(images|javascript|js|css|flash|media|static)/ {
      root /var/www/virtual/big.server.com/htdocs;
      expires 30d;
    }

    # pass requests for dynamic content to rails/turbogears/zope, et al
    location / {
      proxy_pass http://127.0.0.1:8080;
    }
  }

  upstream big_server_com {
    server 127.0.0.3:8000 weight=5;
    server 127.0.0.3:8001 weight=5;
    server 192.168.0.1:8000;
    server 192.168.0.1:8001;
  }

  server { # simple load balancing
    listen 80;
    server_name big.server.com;
    access_log logs/big.server.access.log main;

    location / {
      proxy_pass http://big_server_com;
    }
  }
}
nginx.conf
user www www;
worker_processes 2;

pid /var/run/nginx.pid;

# [ debug | info | notice | warn | error | crit ]
error_log /var/log/nginx.error_log info;

events {
  worker_connections 2000;

  # use [ kqueue | rtsig | epoll | /dev/poll | select | poll ];
  use kqueue;
}

http {
  include conf/mime.types;
  default_type application/octet-stream;

  log_format main '$remote_addr - $remote_user [$time_local] '
    '"$request" $status $bytes_sent '
    '"$http_referer" "$http_user_agent" '
    '"$gzip_ratio"';

  log_format download '$remote_addr - $remote_user [$time_local] '
    '"$request" $status $bytes_sent '
    '"$http_referer" "$http_user_agent" '
    '"$http_range" "$sent_http_content_range"';

  client_header_timeout 3m;
  client_body_timeout 3m;
  send_timeout 3m;

  client_header_buffer_size 1k;
  large_client_header_buffers 4 4k;

  gzip on;
  gzip_min_length 1100;
  gzip_buffers 4 8k;
  gzip_types text/plain;

  output_buffers 1 32k;
  postpone_output 1460;

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  send_lowat 12000;

  keepalive_timeout 75 20;

  # lingering_time 30;
  # lingering_timeout 10;
  # reset_timedout_connection on;

  server {
    listen one.example.com;
    server_name one.example.com www.one.example.com;

    access_log /var/log/nginx.access_log main;

    location / {
      proxy_pass http://127.0.0.1/;
      proxy_redirect off;

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      client_max_body_size 10m;
      client_body_buffer_size 128k;
      client_body_temp_path /var/nginx/client_body_temp;

      proxy_connect_timeout 90;
      proxy_send_timeout 90;
      proxy_read_timeout 90;
      proxy_send_lowat 12000;

      proxy_buffer_size 4k;
      proxy_buffers 4 32k;
      proxy_busy_buffers_size 64k;
      proxy_temp_file_write_size 64k;
      proxy_temp_path /var/nginx/proxy_temp;

      charset koi8-r;
    }

    error_page 404 /404.html;

    location /404.html {
      root /spool/www;
      charset on;
      source_charset koi8-r;
    }

    location /old_stuff/ {
      rewrite ^/old_stuff/(.*)$ /new_stuff/$1 permanent;
    }

    location /download/ {
      valid_referers none blocked server_names *.example.com;

      if ($invalid_referer) {
        #rewrite ^/ http://www.example.com/;
        return 403;
      }

      # rewrite_log on;

      # rewrite /download/*/mp3/*.any_ext to /download/*/mp3/*.mp3
      rewrite ^/(download/.*)/mp3/(.*)\..*$ /$1/mp3/$2.mp3 break;

      root /spool/www;
      # autoindex on;
      access_log /var/log/nginx-download.access_log download;
    }

    location ~* ^.+\.(jpg|jpeg|gif)$ {
      root /spool/www;
      access_log off;
      expires 30d;
    }
  }
}
Auxiliary Files
proxy.conf
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
fastcgi.conf
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_index index.php;
fastcgi_param REDIRECT_STATUS 200;
mime.types
types {
  text/html html htm shtml;
  text/css css;
  text/xml xml rss;
  image/gif gif;
  image/jpeg jpeg jpg;
  application/x-javascript js;
  text/plain txt;
  text/x-component htc;
  text/mathml mml;
  image/png png;
  image/x-icon ico;
  image/x-jng jng;
  image/vnd.wap.wbmp wbmp;
  application/java-archive jar war ear;
  application/mac-binhex40 hqx;
  application/pdf pdf;
  application/x-cocoa cco;
  application/x-java-archive-diff jardiff;
  application/x-java-jnlp-file jnlp;
  application/x-makeself run;
  application/x-perl pl pm;
  application/x-pilot prc pdb;
  application/x-rar-compressed rar;
  application/x-redhat-package-manager rpm;
  application/x-sea sea;
  application/x-shockwave-flash swf;
  application/x-stuffit sit;
  application/x-tcl tcl tk;
  application/x-x509-ca-cert der pem crt;
  application/x-xpinstall xpi;
  application/zip zip;
  application/octet-stream deb;
  application/octet-stream bin exe dll;
  application/octet-stream dmg;
  application/octet-stream eot;
  application/octet-stream iso img;
  application/octet-stream msi msp msm;
  audio/mpeg mp3;
  audio/x-realaudio ra;
  video/mpeg mpeg mpg;
  video/quicktime mov;
  video/x-flv flv;
  video/x-msvideo avi;
  video/x-ms-wmv wmv;
  video/x-ms-asf asx asf;
  video/x-mng mng;
}
Nginx virtual host configuration (English)
Virtual Hosts Examples
Two Virtual Hosts, Serving Static Files
http {
  index index.html;

  server {
    server_name www.domain1.com;
    access_log logs/domain1.access.log main;
    root /var/www/domain1.com/htdocs;
  }

  server {
    server_name www.domain2.com;
    access_log logs/domain2.access.log main;
    root /var/www/domain2.com/htdocs;
  }
}
A Default Catchall Virtual Host
http {
  index index.html;

  server {
    listen 80 default;
    server_name _;
    access_log logs/default.access.log main;
    server_name_in_redirect off;
    root /var/www/default/htdocs;
  }
}
Wildcard Subdomains in a Parent Folder
This is just a really easy way to keep adding new subdomains, or to add new domains automatically when DNS records are pointed at the server. Note that I have included FCGI here as well. If you want to just serve static files, strip out the FCGI config and change the default document to index.html. Rather than creating a new vhost.conf file for every domain, just create one of these:
server {
  # Replace this port with the right one for your requirements
  listen 80 [default|default_server]; # could also be 1.2.3.4:80

  # Multiple hostnames separated by spaces. Replace these as well.
  server_name star.yourdomain.com *.yourdomain.com; # Alternately: _

  root /PATH/TO/WEBROOT/$host;
  error_page 404 errors/404.html;
  access_log logs/star.yourdomain.com.access.log;
  index index.php index.html index.htm;

  # serve static files directly
  location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
    access_log off;
    expires max;
  }

  location ~ \.php$ {
    include fastcgi_params;
    fastcgi_intercept_errors on;
    # By all means use a different server for the fcgi processes if you need to
    fastcgi_pass 127.0.0.1:YOURFCGIPORTHERE;
  }

  location ~ /\.ht {
    deny all;
  }
}
Running Nginx and Apache together (English)
Reconfiguring Apache
There are two main aspects of your Apache configuration that will need to be edited in order to allow both Apache and Nginx to work together at the same time. But let us first clarify where we are coming from, and what we are going towards.
Configuration overview
At this point, you probably have the following architecture set up on your server:
- A web server application running on port 80, such as Apache
- A dynamic server-side script processing application such as PHP, communicating with your web server via CGI, FastCGI, or as a server module
The new configuration that we are going towards will resemble the following:
- Nginx running on port 80
- Apache or another web server running on a different port, accepting requests coming from local sockets only
- The script processing application configuration will remain unchanged
As you can tell, only two main configuration changes will be applied to Apache as well as the other web server that you are running. Firstly, change the port number in order to avoid conflicts with Nginx, which will then be running as the frontend server. Secondly, (although this is optional) you may want to disallow requests coming from the outside and only allow requests forwarded by Nginx. Both configuration steps are detailed in the next sections.
Resetting the port number
Depending on how your web server was set up (manual build, automatic configuration from server panel managers such as cPanel, Plesk, and so on) you may find yourself with a lot of configuration files to edit. The main configuration file is often found in /etc/httpd/conf/ or /etc/apache2/, and there might be more depending on how your configuration is structured. Some server panel managers create extra configuration files for each virtual host.
There are three main elements you need to replace in your Apache configuration:
- The Listen directive is set to listen on port 80 by default. You will have to replace that port by another such as 8080. This directive is usually found in the main configuration file.
- You must make sure that the following configuration directive is present in the main configuration file: NameVirtualHost A.B.C.D:8080, where A.B.C.D is the IP address of the main network interface on which server communications go through.
- The port you just selected needs to be reported in all your virtual host configuration sections, as described below.
The virtual host sections must be transformed from the following template
<VirtualHost A.B.C.D:80>
ServerName example.com
ServerAlias www.example.com
[...]
</VirtualHost>
to the following:
<VirtualHost A.B.C.D:8080>
ServerName example.com:8080
ServerAlias www.example.com
[...]
</VirtualHost>
In this example, A.B.C.D is the IP address of the virtual host and example.com is the virtual host's name. The port must be edited on the first two lines.
Accepting local requests only
There are many ways you can restrict Apache to accept only local requests, denying access to the outside world. But first, why would you want to do that? As an extra layer positioned between the client and Apache, Nginx provides a certain comfort in terms of security. Visitors no longer have direct access to Apache, which decreases the potential risk regarding all security issues the web server may have. Globally, it's not necessarily a bad idea to only allow access to your frontend server.
The first method consists of changing the listening network interface in the main configuration file. The Listen directive of Apache lets you specify a port, but also an IP address, although, by default, no IP address is selected resulting in communications coming from all interfaces. All you have to do is replace the Listen 8080 directive by Listen 127.0.0.1:8080; Apache should then only listen on the local IP address. If you do not host Apache on the same server, you will need to specify the IP address of the network interface that can communicate with the server hosting Nginx.
The second alternative is to establish per-virtual-host restrictions:
<VirtualHost A.B.C.D:8080>
ServerName example.com:8080
ServerAlias www.example.com
[...]
# Order/Allow/Deny are directory-context directives, so they need a
# <Location> (or <Directory>) container; deny everything, then allow the
# loopback address and the host running Nginx
<Location />
Order deny,allow
Allow from 127.0.0.1
Allow from 192.168.0.1
Deny from all
</Location>
</VirtualHost>
Using the allow and deny Apache directives, you are able to restrict the allowed IP addresses accessing your virtual hosts. This allows for a finer configuration, which can be useful in case some of your websites cannot be fully served by Nginx.
Once all your changes are done, don't forget to reload the server to make sure the new configuration is applied, with a command such as service httpd reload or /etc/init.d/httpd reload.
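The following is an added example, not part of the original post, that checks the outcome of this section: it reads listener lines in the format of ss -Hlnt or netstat -lnt (the SAMPLE_SS lines below are constructed, not captured) and reports any listener on the Apache backend port 8080 that is bound to something other than a loopback address.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the Apache backend
# (port 8080 here, as in the text) is bound to loopback only while nginx owns
# port 80. Input is listener lines as printed by `ss -Hlnt` or `netstat -lnt`
# (the local address is the 4th column in both). SAMPLE_SS is constructed.

SAMPLE_SS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 192.168.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::1]:8080 [::]:*
LISTEN 0 128 127.0.0.1:9000 0.0.0.0:*'

# Read listener lines on stdin; print the bind address of every listener on
# port $1 that is not a loopback address (i.e. reachable without going
# through Nginx). Header lines have no numeric port and are skipped.
exposed_backend_listeners() {
    awk -v port="$1" '
        {
            laddr = $4
            # the port is what follows the last ":"; the rest is the address
            n = split(laddr, parts, ":")
            p = parts[n]
            if (p != port) next
            addr = substr(laddr, 1, length(laddr) - length(p) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") next
            print addr
        }'
}

# Return 0 when no listener on port $1 in the listener text $2 is exposed.
backend_is_local_only() {
    count=$(printf '%s\n' "$2" | exposed_backend_listeners "$1" | wc -l | tr -d ' ')
    [ "$count" -eq 0 ]
}

if backend_is_local_only 8080 "$SAMPLE_SS"; then
    echo "backend port 8080 is loopback-only"
else
    echo "backend port 8080 is reachable from the network via:"
    printf '%s\n' "$SAMPLE_SS" | exposed_backend_listeners 8080
fi
```

On the live host, after changing the Listen directive and reloading, run ss -Hlnt | exposed_backend_listeners 8080 (or pipe netstat -lnt); any output line means Apache still answers directly on a non-loopback address.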
Configuring Nginx
There are only a couple of simple steps to establish a working configuration of Nginx, although it can be tweaked more accurately as seen in the next section.
Enabling proxy options
The first step is to enable proxying of requests from your location blocks. Since the proxy_pass directive cannot be placed at the http or server level, you need to include it in every single place that you want to be forwarded. Usually, a location / { ... } fallback block suffices since it encompasses all requests, except those that match location blocks containing a break statement.
Here is a simple example using a single static backend hosted on the same server:
server {
server_name .example.com;
root /home/example.com/www;
[...]
location / {
proxy_pass http://127.0.0.1:8080;
}
}
In the following example, we make use of an Upstream block allowing us to specify multiple servers:
upstream apache {
server 192.168.0.1:80;
server 192.168.0.2:80;
server 192.168.0.3:80 weight=2;
server 192.168.0.4:80 backup;
}
server {
server_name .example.com;
root /home/example.com/www;
[...]
location / {
proxy_pass http://apache;
}
}
So far, with such a configuration, all requests are proxied to the backend server; we are now going to separate the content into two categories:
- Dynamic files: Files that require processing before being sent to the client, such as PHP, Perl, and Ruby scripts, will be served by Apache
- Static files: All other content that does not require additional processing, such as images, CSS files, static HTML files, and media, will be served directly by Nginx
We thus have to separate the content somehow to be provided by either server.
Separating content
In order to establish this separation, we can simply use two different location blocks—one that will match the dynamic file extensions and another one encompassing all the other files. This example passes requests for .php files to the proxy:
server {
server_name .example.com;
root /home/example.com/www;
[...]
location ~* \.php[0-9]?$ {
# Proxy all requests with an URI ending with .php*
# (includes PHP, PHP3, PHP4, PHP5...)
proxy_pass http://127.0.0.1:8080;
}
location / {
# Your other options here for static content
# for example cache control, alias...
expires 30d;
}
}
This method, although simple, will cause trouble with websites using URL rewriting. Most Web 2.0 websites now use links that hide file extensions such as http://example.com/articles/us-economy-strengthens/; some even replace file extensions with links resembling the following: http://example.com/us-economy-strengthens.html.
When building a reverse-proxy configuration, you have two options:
- Port your Apache rewrite rules to Nginx (usually found in the .htaccess file at the root of the website), in order for Nginx to know the actual file extension of the request and proxy it to Apache correctly.
- If you do not wish to port your Apache rewrite rules, the default behavior shown by Nginx is to return 404 errors for such requests. However, you can alter this behavior in multiple ways, for example, by handling 404 requests with the error_page directive or by testing the existence of files before serving them. Both solutions are detailed below.
Here is an implementation of this mechanism, using the error_page directive:
server {
server_name .example.com;
root /home/example.com/www;
[...]
location / {
# Your static files are served here
expires 30d;
[...]
# For 404 errors, submit the query to the @proxy
# named location block
error_page 404 @proxy;
}
location @proxy {
proxy_pass http://127.0.0.1:8080;
}
}
Alternatively, making use of the if directive from the Rewrite module:
server {
server_name .example.com;
root /home/example.com/www;
[...]
location / {
# If the requested file extension ends with .php,
# forward the query to Apache
if ($request_filename ~* \.php[0-9]?$) {
break; # prevents further rewrites
proxy_pass http://127.0.0.1:8080;
}
# If the requested file does not exist,
# forward the query to Apache
if (!-f $request_filename) {
break; # prevents further rewrites
proxy_pass http://127.0.0.1:8080;
}
# Your static files are served here
expires 30d;
}
}
There is no real performance difference between both solutions, as they will transfer the same amount of requests to the backend server. You should work on porting your Apache rewrite rules to Nginx if you are looking to get optimal performance.
Installing Nginx (brief)
Nginx is a web server developed in Russia; its user base is growing because it delivers stable throughput even under a large number of connections. However, when Nginx itself runs dynamic PHP pages its processing capacity actually falls below Apache's, so it performs best when you split off the image (static file) web server and run it separately.
We'll put the lightweight nginx in front and have Apache in the back end handle the requests that need PHP processing.
Nginx on port 80, Apache on 8080
Apache, PHP, MySQL and so on are already installed via YUM. Change the Apache port to 8080 (virtual hosts too).
1. Download the latest Nginx
wget http://nginx.org/download/nginx-1.1.0.tar.gz
2. configure and install
./configure --prefix=/usr/local/nginx && make && make install
There are many other options; check them with ./configure --help.
3. Configuration
In /usr/local/nginx/conf/nginx.conf there is an example section for handling the PHP extension.
Uncomment the commented-out block and set it up as below.
location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
include fastcgi_params;
}
# When using a web server running on another port (reverse proxy)
location ~ \.php$ {
    proxy_pass http://127.0.0.1:8080; # Apache on 8080, as set up above
}
To handle several extensions, write ~ \.(php|htm|html)$ instead.
Run /usr/local/nginx/sbin/nginx to start the web server.
Linux commands (memo)
du -h --max-depth=1
Compress files by extension (bundle them into an archive, then compress)
find . -name "*.c*" -o -name "*.h" | xargs tar rvf src0503.tar
gzip -f src0503.tar
Check the DNS name servers registered for a domain
nslookup -type=ns tistory.com
List PCI devices
lspci
Check the files a process has open
lsof -p <pid>
Configuration file for user creation settings
/etc/login.defs
To change the permissions of newly created home directories from 700 to 755,
change UMASK in the above file from 077 to 022
Check the Linux distribution
Find the program using a port
netstat -atp | grep <string>
or
netstat -lnpt
rsync command
rsync -avrz --delete <ip>::<module> /path   (when pulling)
Search for a string inside files
find . -exec grep -i -l "<search string>" {} \; 2>/dev/null
-i : ignore case
Kill the processes found by a search
ps aux | grep <keyword> | awk '{ print $2 }' | xargs kill -9
Check which GLIBC version libraries require (e.g. search for extensions requiring GLIBC_2.5 through 2.9 and save the result to file.txt)
find /lib* /usr/lib* -type f -name '*.so' | xargs -i nm {} | grep "GLIBC_2.[5-9]" > file.txt
Linux security - essential security measures
Source: [other] Internet: IT Network Information Security Training Center
Installing the MCRYPT module for PHP (DSO)
1. Install the mhash module
Either yum install mhash* (recommended) or download the file and run configure, make, make install
2. Install the libmcrypt module
Either yum install libmcrypt* (recommended) or
mcrypt module source install ---------------------------------
download the file (from SourceForge) and run configure, make, make install -> in this case add the /usr/local/lib path to /etc/ld.so.conf and run ldconfig
Download the file from SourceForge and extract it
./configure
make
make install creates the binary at a path such as /usr/local/bin/mcrypt
----------------- end of source install
Change to php-source/ext/mcrypt and run
phpize
aclocal
./configure --with-php-config=/usr/local/php/bin/php-config
make clean
make
make install
in that order; the output will say that mcrypt.so was created in a certain folder.
Usually it is created at a path such as /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
Go to that folder and you'll find mcrypt.so; move it to the php extension directory and
add extension=mcrypt.so to php.ini, or, if you copied it to a different directory, write out the full path:
extension=/usr/local/lib/php/extensions/mcrypt.so
Then restart Apache!!
---------------------------------------------------------------------------------------------------
Reference
Get and Install mhash
wget http://internap.dl.sourceforge.net/sourceforge/mhash/mhash-0.9.9.9.tar.gz
or go to sourceforge and find the latest.
tar -xvzf mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9
./configure --prefix=/usr/local/mhash
make
make install
Get and install libmcrypt
wget http://jaist.dl.sourceforge.net/sourceforge/mcrypt/libmcrypt-2.5.8.tar.gz
tar -xvzf libmcrypt-2.5.8.tar.gz
cd libmcrypt-2.5.8
./configure --prefix=/usr/local/libmcrypt --disable-posix-threads
make
make install
Get and install mcrypt.
wget http://cdnetworks-kr-1.dl.sourceforge.net/project/mcrypt/MCrypt/2.6.8/mcrypt-2.6.8.tar.gz
or go to source forge and get the latest.
tar -zxvf mcrypt-2.6.8.tar.gz
cd mcrypt-2.6.8
./configure
make
make install
Create the mcrypt php5 module to load.
Find your source code for your php version.
use: find / -name "php"
mine was found here /usr/src/redhat/SOURCES/php-5.1.6/
cd to php-5.2.6/ext/mcrypt
phpize
aclocal
./configure
make clean
make
make install
If you are using a 64 bit computer, create a symbolic link.
cd /usr/lib64/modules
ln -s /usr/local/lib/php/extensions/no-debug-non-zts-20050922/mcrypt.so ./mcrypt.so
Create a new file named mcrypt.ini in the /etc/php.d directory and enter the following.
;Enable mcrypt extension module
extension=mcrypt.so
Create the mhash extension:
cd to php-5.2.6/ext/mhash
phpize
aclocal
./configure
make clean
make
make install
cd /usr/lib64/modules
[root modules]# ln -s /usr/local/lib/php/extensions/no-debug-non-zts-20050922/mhash.so ./mhash.so
Create a new file named mhash.ini in the /etc/php.d directory and enter the following.
;Enable mhash extension module
extension=mhash.so
Bounce Apache
[root /]#service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Check Apache for mcrypt loaded.
Move to your website location and create a file named phpinfo.php containing:
<?=phpinfo();?>
Now open a browser and point it to your site /phpinfo.php
Look for a section named mcrypt and mhash, they should show the version, supported ciphers, enabled, etc.
Installing fail2ban on Linux (CentOS 5.5)
1. To get fail2ban, go to http://www.fail2ban.org and click Downloads in the middle of the page.
2. Download links for various Linux distributions appear. Click the one matching the version you use.
Since I'm using CentOS 5.5, I click the one labelled EPEL.
3. About halfway down, under "What packages and Versions are available in EPEL?", there are sections for EPEL 6, 5 and 4. These match the CentOS versions, so since I use 32-bit CentOS 5 I look for the package under EPEL5 i386.
4. A long list of packages appears; click f at the top to show all packages starting with f, and select fail2ban.
5. Now just download fail2ban. The easy way is to copy the download link as above and fetch it with wget on the Linux box you're installing on.
6. When I try to install the downloaded rpm, it fails because of a dependency!!
Reading the message closely, it says shorewall is required, so let's go install that!!
7. Find shorewall in EPEL as before and download it!
One caveat: if you take the rpm from the EPEL page it tells you to install the additional shorewall packages first, so we might as well go to the project homepage for the latest version.
8. Visit shorewall.net and go to download -> standard download sites; pick whichever of the mirror sites you like. I'll download from SourceForge.
It helpfully says the latest version is 4.4.16.1.tar.bz2, but since installing from source is a hassle, click the version shown in the list and download the rpm file.
9. Install the downloaded shorewall.
10. Then install fail2ban. It's hard when you don't know how, but once you do it installs quite easily.
11. The fail2ban files are installed in /etc/fail2ban.
12. Open the configuration file jail.conf and adjust bantime (how long to block) and maxretry (number of failures) appropriately.
13. Find the services you want to apply it to and set enabled = true; it is then applied to those services only.
In my case I enabled only ssh and vsftp.
If you look at a section's contents, they're fairly easy to understand.
enabled: whether the jail is in use
filter: the filters used when reading the log are defined in /etc/fail2ban/filter
action: block via iptables and send a mail
logpath: location of the log file to read and process
maxretry: number of failures before blocking
bantime: how long to block
14. Now start the service. Register it with the ntsysv command so it also starts automatically at boot, and the job is done.
From now on the Chinese bots won't be able to come anywhere near.
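Added example, not part of the original post and not fail2ban's own code: it runs the filter / maxretry / ignoreip logic described in steps 12 and 13 over a few constructed sshd log lines, so you can see which hosts a jail with maxretry = 3 would ban. The regex stands in for the real filter's failregex and is a simplification; the log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example, not fail2ban's own code: reproduce what a jail does with its
# filter, maxretry and ignoreip settings on a few constructed sshd log lines.
# SAMPLE_LOG is constructed; 203.0.113.x and 198.51.100.x are documentation
# address ranges, not real hosts.

SAMPLE_LOG='Aug 17 10:01:02 web sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Aug 17 10:01:05 web sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 50113 ssh2
Aug 17 10:01:09 web sshd[2301]: Failed password for root from 203.0.113.5 port 50114 ssh2
Aug 17 10:02:30 web sshd[2310]: Failed password for bob from 198.51.100.7 port 41000 ssh2
Aug 17 10:02:45 web sshd[2311]: Accepted publickey for bob from 198.51.100.7 port 41001 ssh2
Aug 17 10:03:01 web sshd[2312]: Failed password for root from 127.0.0.1 port 33000 ssh2
Aug 17 10:03:02 web sshd[2312]: Failed password for root from 127.0.0.1 port 33001 ssh2
Aug 17 10:03:03 web sshd[2312]: Failed password for root from 127.0.0.1 port 33002 ssh2'

# Read log lines on stdin; print "<failures> <host>" for every host whose
# failed logins reach maxretry ($1), skipping the ignoreip address ($2).
# The pattern plays the role of the filter's failregex; the IP after "from"
# is what fail2ban would capture as <HOST>.
candidates_to_ban() {
    awk -v maxretry="$1" -v ignoreip="$2" '
        /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
            for (i = 1; i <= NF; i++) if ($i == "from") host = $(i + 1)
            if (host == ignoreip) next
            fails[host]++
        }
        END {
            for (h in fails) if (fails[h] >= maxretry) print fails[h], h
        }' | sort -k2
}

# Space-separated hosts to ban for maxretry $1, ignoreip $2 and log text $3.
hosts_to_ban() {
    printf '%s\n' "$3" | candidates_to_ban "$1" "$2" | awk '{ print $2 }' | tr '\n' ' ' | sed 's/ $//'
}

echo "hosts a jail with maxretry = 3 and ignoreip = 127.0.0.1 would ban:"
printf '%s\n' "$SAMPLE_LOG" | candidates_to_ban 3 127.0.0.1
```

Without the ignoreip exclusion the loopback address would be banned too, which is why jail.conf keeps 127.0.0.1 in ignoreip by default.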
When reposting, you must credit the source. Reposting without crediting the source is not permitted under any circumstances.