2009. 5. 31. 05:17

Linux lastlog


[root@localhost transmission-1.61]# lastlog
Username         Port     From             Latest
root             pts/1                     Mon May 18 12:45:08 +0900 2009
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
news                                       **Never logged in**
uucp                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
gopher                                     **Never logged in**
ftp                                        **Never logged in**
nobody                                     **Never logged in**
rpm                                        **Never logged in**
dbus                                       **Never logged in**
avahi                                      **Never logged in**
rpc                                        **Never logged in**
mailnull                                   **Never logged in**
smmsp                                      **Never logged in**
nscd                                       **Never logged in**
vcsa                                       **Never logged in**
haldaemon                                  **Never logged in**
rpcuser                                    **Never logged in**
sshd                                       **Never logged in**
netdump                                    **Never logged in**
pcap                                       **Never logged in**
xfs                                        **Never logged in**
beaglidx                                   **Never logged in**
named                                      **Never logged in**
ntp                                        **Never logged in**
apache                                     **Never logged in**
gdm                                        **Never logged in**
tomcat                                     **Never logged in**
bestakas         pts/3                     Sun May 31 03:48:04 +0900 2009
mysql                                      **Never logged in**
blog                                       **Never logged in**
moodle                                     **Never logged in**
moo                                        **Never logged in**
echangjun                                  **Never logged in**
communityart     pts/2                     Sun May 24 15:39:46 +0900 2009
moo                                        **Never logged in**
css              pts/2    85.186.129.154   Sun May 31 03:21:12 +0900 2009
saeumart         pts/3                     Wed May 27 06:25:23 +0900 2009
danpungsori                                Wed May 27 08:41:44 +0900 2009
colsu            pts/2                     Sun May 24 15:39:46 +0900 2009
fridayman        pts/2                     Sun May 24 11:10:13 +0900 2009

I got a message that one of the web servers I run only for a circle of acquaintances had suddenly become noticeably slow. I received it at 3:30 AM on May 31, 2009. Using the lastlog command, I looked at the accounts that recent users had logged in with.

I could see that someone had come in from an unknown IP about nine minutes earlier, using the CSS account I had set up temporarily to test CSS. Where is the IP 85.186.129.154 from?

Since the server is shared only among acquaintances, I had not given much thought to security. Tracking down where the IP came from: this is where the fun part started.

[root@localhost transmission-1.61]# whois 85.186.129.154
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '85.186.129.0 - 85.186.129.255'

inetnum:        85.186.129.0 - 85.186.129.255
netname:        ASTRAL-PH-DOCSIS-6
descr:          ASTRAL Ploiesti Docsis 6
country:        RO
admin-c:        AH1598-RIPE
tech-c:         CN3389-RIPE
tech-c:         AM15077-RIPE
tech-c:         TRI1-RIPE
tech-c:         CM8934-RIPE
remarks:        INFRA-AW
status:         ASSIGNED PA
mnt-by:         ASTRALTELECOM-MNT
mnt-lower:      ASTRALTELECOM-MNT
mnt-routes:     ASTRALTELECOM-MNT
source:         RIPE # Filtered

person:         Astral Telecom Hostmaster
address:        UPC Romania Srl
address:        ROMANIA
phone:          +40 264 414688
fax-no:         +40 264 414687
e-mail:         lir@astral.ro
nic-hdl:        AH1598-RIPE
remarks:        ***************************************
remarks:        *  for abuse please use abuse@upc.ro  *
remarks:        ***************************************
mnt-by:         ASTRALTELECOM-MNT
source:         RIPE # Filtered

person:       Teodor Remus IACOB
address:      Astral Telecom SA
address:      Bd. Mihai Bravu nr. 223
address:      Complex Optidol, sector 3
address:      Bucharest - Romania
phone:        +40-1-3266196
fax-no:       +40-1-3266197
e-mail:       theo@kappa.ro
nic-hdl:      TRI1-RIPE
mnt-by:       KAPPA-MNT
source:       RIPE # Filtered

person:       Alin Moldovan
address:      CODEC Electronic Products
address:      37, Decebal
address:      3400 Cluj-Napoca
address:      Romania
phone:        +40-264-432450
fax-no:       +40-264-418205
e-mail:       alinux@codec.ro
nic-hdl:      AM15077-RIPE
mnt-by:       AS3233-MNT
source:       RIPE # Filtered

person:         Catalin Muresan
address:        UPC Romania
address:        str. Nordului, 62D
address:        Bucuresti, 104014
address:        Romania
phone:          +40-31-1018100
fax-no:         +40-31-1018101
e-mail:         catalin.muresan@astral.ro
nic-hdl:        CM8934-RIPE
mnt-by:         ASTRALTELECOM-MNT
source:         RIPE # Filtered

person:         Camelia Nastase
address:        MediaSat S.A.
address:        Bld. Ferdinand, Nr. 99, Sector 2, Bucuresti
address:        Romania
mnt-by:         MEDIASAT-MNT
phone:          +40-31-8240635
e-mail:         camelia.nastase@mediasat.ro
nic-hdl:        CN3389-RIPE
source:         RIPE # Filtered

% Information related to '85.186.0.0/16AS6746'

route:          85.186.0.0/16
descr:          UPC Romania Srl
origin:         AS6746
mnt-by:         ASTRALTELECOM-MNT
source:         RIPE # Filtered


A connection from far-off Romania, in Eastern Europe. ^ ^ Whoa... how can someone all the way in Romania connect to my server, which has never even been made public...

First, I need to look at the daemons and programs installed recently, block that region's IPs, and go through the security settings of each port.
From now on I will have to write posts about security.
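As an added example (my code, not something from the original post), here is the check that the lastlog triage at the top of the post and the "block that region's IPs" step call for. It parses the lastlog listing by its fixed column widths (username 16 columns, port 8, originating host 16, then the timestamp), flags accounts whose last login came from an address outside a trusted network or landed within a short window before the 03:30 report, and turns the whois `route:` prefix (85.186.0.0/16) into an iptables rule, refusing a prefix that does not actually cover the address. The trusted networks, the 15-minute window and the iptables rule form are assumptions; the sample rows are constructed from the listing above. Keep in mind that lastlog stores only the most recent login per account, so an intruder's earlier sessions on a shared account are overwritten by whoever logs in next; `last` (wtmp) and the sshd authentication log (/var/log/secure on Red Hat-style systems) should be read alongside it.

```python
"""Triage of a lastlog listing (added example, not code from the original post).

lastlog prints one fixed-width row per account: username (16 cols), port (8),
originating host (16), then the timestamp of the most recent login. This
script parses that layout, flags accounts whose last login came from a host
outside a trusted network or landed shortly before the slowdown was reported,
and turns the whois route of a flagged address into a firewall rule.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the listing in the post, in lastlog's own layout.
SAMPLE_LASTLOG = """\
Username         Port     From             Latest
root             pts/1                     Mon May 18 12:45:08 +0900 2009
bin                                        **Never logged in**
sshd                                       **Never logged in**
bestakas         pts/3                     Sun May 31 03:48:04 +0900 2009
css              pts/2    85.186.129.154   Sun May 31 03:21:12 +0900 2009
danpungsori                                Wed May 27 08:41:44 +0900 2009
fridayman        pts/2                     Sun May 24 11:10:13 +0900 2009
"""

KST = timezone(timedelta(hours=9))
REPORT_TIME = datetime(2009, 5, 31, 3, 30, tzinfo=KST)   # when the slowdown was reported
WINDOW = timedelta(minutes=15)                            # assumed lookback before REPORT_TIME
TRUSTED_NETS = ["127.0.0.0/8", "192.168.0.0/16"]          # assumed: where the friends log in from
NEVER = "**Never logged in**"
TIME_FORMAT = "%a %b %d %H:%M:%S %z %Y"                   # e.g. "Sun May 31 03:21:12 +0900 2009"


def parse_lastlog(text):
    """Split lastlog rows by column position; returns a list of dicts.

    Offsets follow lastlog's "%-16s %-8.8s %-16.16s %s" row layout, which is
    why the "**Never logged in**" marker starts at column 43.
    """
    rows = []
    for line in text.splitlines()[1:]:            # first line is the header
        if not line.strip():
            continue
        latest = line[43:].strip()
        rows.append({
            "user": line[:16].strip(),
            "port": line[17:25].strip(),
            "host": line[26:42].strip(),
            "latest": None if latest == NEVER else datetime.strptime(latest, TIME_FORMAT),
        })
    return rows


def suspicious_logins(rows, trusted_nets=TRUSTED_NETS, reference=REPORT_TIME, window=WINDOW):
    """Return (user, host, reasons) for rows that deserve a second look."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for row in rows:
        if row["latest"] is None:
            continue                              # account never used; nothing to judge
        reasons = []
        if row["host"]:
            try:
                addr = ipaddress.ip_address(row["host"])
                if not any(addr in net for net in trusted):
                    reasons.append(f"last login from untrusted address {addr}")
            except ValueError:                    # a hostname rather than an address
                reasons.append(f"last login from remote host {row['host']}")
        if reference - window <= row["latest"] <= reference:
            reasons.append(f"login at {row['latest']:%H:%M:%S} is within {window} of the report")
        if reasons:
            flagged.append((row["user"], row["host"], reasons))
    return flagged


def block_rule(addr, route_prefix):
    """Build an iptables DROP for the whois 'route:' prefix that covers addr.

    The membership check guards against pasting the wrong prefix out of a long
    whois answer (the inetnum above is a /24, the route object a /16).
    """
    net = ipaddress.ip_network(route_prefix)
    if ipaddress.ip_address(addr) not in net:
        raise ValueError(f"{addr} is not inside {route_prefix}")
    return f"iptables -I INPUT -s {net.with_prefixlen} -j DROP"


if __name__ == "__main__":
    for user, host, reasons in suspicious_logins(parse_lastlog(SAMPLE_LASTLOG)):
        print(f"{user:<12} {host or '(local)':<16} " + "; ".join(reasons))
    print(block_rule("85.186.129.154", "85.186.0.0/16"))
```

On the sample, only `css` is reported, with both reasons (untrusted source and a login nine minutes before the report); `bestakas` at 03:48 is after the report and has no remote host, so it stays quiet. To use it on a live box, substitute the output of `lastlog` for SAMPLE_LASTLOG. The whois objects describe a DOCSIS (cable modem) customer range of UPC Romania, so the source is most likely a home connection or a compromised host there; dropping the /16 is a quick stop-gap, not a fix for the account that let them in.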