
7. Understanding the Linux server system

Every Internet service on Linux has a corresponding daemon. A daemon is, strictly speaking, a process that is active on the server; most of the time it sleeps, and it wakes up when a client connection request arrives. The telnet service needs a telnet daemon, the FTP service an ftp daemon, the mail service a mail daemon, the NFS service an nfs daemon and, finally, the web service a web daemon. For mail the daemon is called sendmail or smail; for NFS the previously mentioned rpc.mountd and rpc.nfsd must work together; for the web service there is usually a daemon called httpd. In the case of telnet and ftp, however, the daemons do not run on their own like that: they are controlled by the inetd super daemon, which starts them only when they are needed. If you watch the boot process carefully you can see inetd being started. The important configuration file for the inetd daemon is /etc/inetd.conf. Let us look at part of its contents.

# See "man 8 inetd" for more information.
#
# If you make changes to this file, either reboot your machine or send the
# inetd a HUP signal:
# Do a "ps x" as root and look up the pid of inetd. Then do a
# "kill -HUP <pid of inetd>".
# The inetd will re-read this file whenever it gets that signal.
#
# <service_name>  <sock_type> <proto>   <flags> <user> <server_path> <args>
#

#
# These are standard services.
#
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  wu.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
nntp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
# The comsat daemon notifies the user of new mail when biff is set to y:
comsat        dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
#
# Shell, login, exec and talk are BSD protocols.
#
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd -L
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
# exec  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
# talk  dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
#
# Pop et al
#
# pop2  stream  tcp     nowait  root    /usr/sbin/tcpd  in.pop2d
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  in.pop3d

#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
# Try "telnet localhost systat" and "telnet localhost netstat" to see that
# information yourself!
#
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd -w
systat  stream  tcp     nowait  nobody  /usr/sbin/tcpd  /bin/ps -auwwx
netstat stream  tcp     nowait  root    /usr/sbin/tcpd  /bin/netstat -a

Whenever you change this configuration file, even slightly, you must, as explained earlier, send inetd a kill -HUP so that the process is killed and started again. The entries listed above can be called the daemons that matter most in running the system, and because inetd manages all of them it is called a super daemon. For reference, the file /etc/services will give you a sense of which protocol (TCP or UDP?) and which port each of your services uses. Even if you do not understand everything in it, skim that file at least once.

Finally, if you look closely at the inetd.conf file above, in.telnetd is not executed directly: it is executed wrapped (protected) by /usr/sbin/tcpd. Services executed through this tcpd gain access control and monitoring. The man page explains it at great length, so consult it. For now, let us see how per-host access restrictions can be applied through tcpd. Let us deny access from hosts that harbour many malicious users; between university departments that frequently crack each other, imposing access restrictions is also a good idea. Two files are involved: /etc/hosts.allow and /etc/hosts.deny, that is, the former lists the sites that are allowed and the latter the sites that are denied. The rule is that access from a host placed in /etc/hosts.deny is refused, but a site placed in /etc/hosts.allow is granted access regardless of the deny list in the other file. Therefore /etc/hosts.allow must be written carefully. Look at the following example. Both files have the same format, so we will look at only one.
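The following is an added example, not code from the original document: a small audit script that parses a listing in the /etc/inetd.conf format shown above and reports which services are enabled, which run as root, which bypass the tcpd wrapper, and which belong to the user-information services (finger, systat, netstat) that the file's own comments warn about. The sample configuration embedded in the script is constructed for the example.

```python
"""Audit an /etc/inetd.conf listing (added example; sample config is constructed)."""

from dataclasses import dataclass, field

# Constructed sample in the inetd.conf format shown above. "bootps" is added
# deliberately as a service that is started without going through tcpd.
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  wu.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
# exec  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd -w
netstat stream  tcp     nowait  root    /usr/sbin/tcpd  /bin/netstat -a
echo    stream  tcp     nowait  root    internal
bootps  dgram   udp     wait    root    /usr/sbin/bootpd bootpd -i -t 120
"""

# Services the inetd.conf comments single out as giving away user information.
USER_INFO_SERVICES = {"finger", "systat", "netstat"}


@dataclass
class InetdService:
    name: str
    sock_type: str
    proto: str
    flags: str
    user: str
    server_path: str
    args: list = field(default_factory=list)

    @property
    def internal(self) -> bool:
        # "internal" services (echo, discard, ...) are handled by inetd itself.
        return self.server_path == "internal"

    @property
    def wrapped(self) -> bool:
        # Access control and logging apply only when inetd execs tcpd,
        # which then runs the real server named in the args.
        return self.server_path.rsplit("/", 1)[-1] == "tcpd"


def parse_inetd_conf(text: str) -> list:
    """Return the enabled (not commented out) entries as InetdService objects."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd would reject it too, skip it here
        name, sock_type, proto, flags, user, server_path = fields[:6]
        services.append(InetdService(name, sock_type, proto, flags, user, server_path, fields[6:]))
    return services


def audit(text: str) -> dict:
    """Summarise the findings a reviewer of this file would want to see."""
    services = parse_inetd_conf(text)
    return {
        "enabled": [s.name for s in services],
        "unwrapped": [s.name for s in services if not s.wrapped and not s.internal],
        "root": [s.name for s in services if s.user == "root" and not s.internal],
        "info_disclosure": [s.name for s in services if s.name in USER_INFO_SERVICES],
    }


if __name__ == "__main__":
    for key, names in audit(SAMPLE_INETD_CONF).items():
        print(f"{key:16s} {', '.join(names) or '-'}")
```

Run it against a copy of a real /etc/inetd.conf by reading the file into `audit()`; the "unwrapped" list is the one to act on, since those services get neither the hosts.allow/hosts.deny checks nor tcpd's logging.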

daemon list: host list
ALL: ALL EXCEPT terminalserver.foobar.edu
in.talkd: ALL
in.ntalkd: ALL
in.fingerd: ALL
in.ftpd: LOCAL, .my.domain
ALL EXCEPT in.fingerd: other.host.name

Before the colon (:) you write the list of service daemons, and after it the host names. In the example above special names such as ALL, EXCEPT and LOCAL appear; each means what you would find in a dictionary. ALL and EXCEPT may be used in both the daemon list and the host list. At a site where security really matters, first write ALL: ALL in the hosts.deny file. This refuses every service to every host by default; then you allow them one by one in hosts.allow. See the man page for details.

$ man 5 hosts_access
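As an added example (not code from the original document or from the tcp_wrappers package), the following script evaluates the decision described above for a (daemon, client) pair: hosts.allow is consulted first, then hosts.deny, and a pair that matches neither file is allowed. It implements only the subset of the hosts_access(5) syntax used on this page: ALL, LOCAL, EXCEPT, exact names, leading-dot domain suffixes and trailing-dot address prefixes; KNOWN, UNKNOWN, PARANOID, address/netmask patterns, shell commands and backslash line continuation are not handled. The two policy files embedded below are constructed for the example and follow the default-deny advice given in the text.

```python
"""Evaluate hosts.allow / hosts.deny decisions (added example; policies are constructed)."""

# Constructed policy: everything is denied in hosts.deny, then opened up
# service by service in hosts.allow, as the text recommends.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# telnet and ftp from local hosts and our domain, except the lab machine
in.telnetd, in.ftpd: LOCAL, .my.domain EXCEPT lab.my.domain
# finger only from one internal network (trailing dot = address prefix)
in.fingerd: 192.168.1.
# the admin host may use every wrapped service except finger
ALL EXCEPT in.fingerd: admin.my.domain
"""


def _match_token(pattern: str, value: str) -> bool:
    """Match one pattern token against a daemon name or a client host/address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # LOCAL: a host name containing no dot, i.e. in the local domain
        return "." not in value
    if pattern.startswith("."):
        return value.endswith(pattern)       # .my.domain matches host.my.domain
    if pattern.endswith("."):
        return value.startswith(pattern)     # 192.168.1. matches 192.168.1.77
    return pattern == value


def _match_list(list_text: str, value: str) -> bool:
    """Match a comma/space separated list, honouring 'a b EXCEPT c d'.

    EXCEPT is right-associative: 'a EXCEPT b EXCEPT c' is a EXCEPT (b EXCEPT c).
    """
    tokens = list_text.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        left, right = " ".join(tokens[:i]), " ".join(tokens[i + 1:])
        return _match_list(left, value) and not _match_list(right, value)
    return any(_match_token(t, value) for t in tokens)


def _rules(text: str):
    """Yield (daemon_list, client_list) from a hosts.allow/hosts.deny body."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                           # malformed rule; ignore it
        yield fields[0], fields[1]             # an optional third field (shell command) is ignored


def _matches_any(text: str, daemon: str, client: str) -> bool:
    return any(_match_list(d, daemon) and _match_list(c, client) for d, c in _rules(text))


def hosts_access(allow_text: str, deny_text: str, daemon: str, client: str) -> bool:
    """True if the (daemon, client) pair is granted access.

    Order is the one the text describes: a match in hosts.allow wins,
    otherwise a match in hosts.deny refuses, otherwise access is allowed.
    """
    if _matches_any(allow_text, daemon, client):
        return True
    if _matches_any(deny_text, daemon, client):
        return False
    return True


if __name__ == "__main__":
    for daemon, client in [("in.telnetd", "ws1.my.domain"), ("in.telnetd", "lab.my.domain"),
                           ("in.fingerd", "192.168.1.77"), ("in.rshd", "evil.example.org")]:
        verdict = "allow" if hosts_access(HOSTS_ALLOW, HOSTS_DENY, daemon, client) else "deny"
        print(f"{daemon:12s} from {client:18s} -> {verdict}")
```

The last assertion-style check worth trying yourself is to pass an empty string as the hosts.deny body: with no ALL: ALL line, a client that matches nothing in hosts.allow is let in, which is exactly why the text tells you to write ALL: ALL in hosts.deny first.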

