Linux 系統管理與安全：進階系統管理系統防駭與資訊安全

•
root:log/ # ls -‐F
anaconda/ btmp dmesg httpd/ mariadb/ ppp/ secure tuned/
audit/ chrony/ dmesg.old lastlog messages sa/ spooler wtmp
boot.log cron grubby maillog php-‐fpm/ sa-‐update.log tallylog yum.log

• kernel message buffer kernel
• kernel
$ dmesg
• /var/log/dmesg
•
•

• /var/log/messages
•
• syslog
Feb 14 00:01:50 localhost kernel: smpboot: CPU0: Intel(R) Celeron(R) CPU
E3400 @ 2.60GHz (fam: 06, model: 17, stepping: 0a)
Feb 14 00:01:50 localhost kernel: Performance Events: unsupported p6 CPU model 23 no
PMU driver, software events only.
Feb 14 00:01:50 localhost kernel: Brought up 1 CPUs
Feb 14 00:01:50 localhost kernel: smpboot: Total of 1 processors activated (5202.48
BogoMIPS)

• /var/log/cron
• cron
Apr 2 09:01:01 localhost run-‐parts(/etc/cron.hourly)[528]: starting 0yum-‐hourly.cron
Apr 2 09:01:01 localhost run-‐parts(/etc/cron.hourly)[544]: finished 0yum-‐hourly.cron

• /var/log/secure
•
•
Apr 1 16:12:16 localhost login: pam_unix(login:session): session opened for
user root by LOGIN(uid=0)
Apr 1 16:12:16 localhost login: ROOT LOGIN ON tty1
Mar 29 07:43:34 yuki sshd[18247]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.6
user=root
Mar 29 07:43:36 yuki sshd[18247]: Failed password for root from
183.136.216.6 port 45215 ssh2

• daily weekly monthly yearly
• anacron
•
/etc/cron.daily/logrotate

• /etc/logrotate.d/httpd
/var/log/httpd/*log {
daily #
minsize 1M # 1MB
missingok #
rotate 14 # 14
compress # gzip
delaycompress #
notifempty #
create 640 root adm #
sharedscripts #
postrotate #
/bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
endscript
prerotate #
# do nothing
endscript
}
$ man logrotate

•
•
• 192.168.1.10 -‐> 11000000 10101000 00000001 00001010

•
•
• 192.168.1.100
• 192.168.1.100 -‐> 11000000 10101000 00000001 01100100
• 255.255.255.224
• 255.255.255.224 -‐> 11111111 11111111 11111111 11100000
• 11000000 10101000 00000001 01100000
• 192.168.1.96

•
255.255.255.224 -‐> 11111111 11111111 11111111 11100000
• 11100000 -‐> 3 1 -‐> 2^3 -‐> 8 subnet
• 256 / 8 = 32
• 32 IP
• 192.168.1.96 ~ 192.168.1.127
• 192.168.1.127 broadcast

•
• class netmask subnet id
• 255.255.224.0
11111111 11111111 11111111 11100000 27 1
• -‐> a.b.c.d/27
• 192.168.1.96/27
•
• 140.115.0.0/16
140.115.1.1 ~ 140.115.255.255 ( 255.255.0.0)
• 192.168.1.0/24
192.168.1.1 ~ 192.168.1.255 ( 255.255.255.0)
Q 140.115.1.0/32

•
• # netstat –r / route
• # ip route
# netstat -‐r
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
link-‐local * 255.255.0.0 U 1000 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
10.8.0.0~10.8.0.255 IP tun0 10.8.0.2 gateway
10.8.0.2 IP
192.168.1.0~192.168.1.255 IP eth0 192.168.1.1 gateway

• gateway
# route add default gw 192.168.1.1
• IP
# route add -‐net 192.168.115.0 netmask
255.255.255.0 -‐dev eth1
• IP
# ifconfig eth0 192.168.1.1 netmask 255.255.255.0

•
•
•
# arp
Address HWtype HWaddress Flags Mask Iface
192.168.56.1 ether 08:00:27:00:c4:7a C enp0s8
10.0.2.2 ether 52:54:00:12:35:02 C enp0s3

• ARP
# arp -‐s 192.168.1.1 AA:BB:CC:DD:EE:FF
• ARP
# arp -‐d 192.168.1.1

•
•
•
•
•
•
•
•

•
• enp0s8
# tcpdump -‐i enp0s8
• port ASCII
# tcpdump -‐A -‐i enp0s8 'port 21'
# tcpdump -‐A -‐i enp0s8 'tcp and port 21 and host
192.168.1.1'
22:03:44.870107 IP localhost.localdomain.54068 > adl-‐
12.csie.ncu.edu.tw.http: Flags [P.], seq 1:17, ack 1, win
14600, length 16
E..8..@.@...
....s5..4.P...x.t6.P.9.....GET / HTTP/1.1

• telnet sparc11.cc.ncu.edu.tw
tcpdump

• # yum install logwatch
• # cp /usr/share/logwatch/default.conf/logwatch.conf
/etc/logwatch/conf/logwatch.conf
• /etc/cron.daily/0logwatch

• # vim /etc/logwatch/conf/logwatch.conf
# stdout mail file
Output = mail
# Html
Format = text
# email
MailTo = root
MailFrom = Logwatch
# log
Range = yesterday
# log level Low, Med, High
Detail = Low
# /usr/share/logwatch/default.conf/services
Service = All

•
# logwatch -‐-‐detail Low -‐-‐output stdout -‐-‐service
all -‐-‐range today
•
# logwatch -‐-‐detail Low -‐-‐output mail -‐-‐mailto
sntc06@gmail.com -‐-‐service all -‐-‐range yesterday

•
• /etc/cron.d/sysstat
# sar | head -‐n 5
Linux 3.10.0-‐123.20.1.el7.x86_64 (localhost.localdomain)
00 00 01 CPU %user %nice %system %iowait %steal %idle
00 10 01 all 0.02 0.00 0.05 0.01 0.00 99.92
00 20 01 all 0.02 0.00 0.05 0.00 0.00 99.93
# Run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib64/sa/sa1 1 1
# 0 * * * * root /usr/lib64/sa/sa1 600 6 &
# Generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib64/sa/sa2 -‐A

•
• $ uptime
18:20:06 up 220 days, 19:46, 2 users, load
average: 0.00, 0.01, 0.05
•
•
•
•

•
•
$ free -‐h
total used free shared buffers cached
Mem: 7.8G 7.6G 193M 42M 111M 3.3G
-‐/+ buffers/cache: 4.2G 3.6G
2.0G 38M 2.0G
# vmstat -‐S MB
procs -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐memory-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ -‐-‐-‐swap-‐-‐ -‐-‐-‐-‐-‐io-‐-‐-‐-‐ -‐system-‐-‐ -‐-‐-‐-‐-‐-‐cpu-‐-‐-‐-‐-‐
r b swpd free buff cache si so bi bo in cs us sy id wa st
1 0 38 191 116 3395 0 0 8 6 15 1 2 0 98 0 0

•
• $ netstat
• -‐n IP
• -‐a socket ( )
• -‐p port root
• -‐r

•
• LISTEN SYN_RECV SYN_SENT ESTABLISHED
FIN_WAIT1…
• $ man netstat
# netstat -‐nap
Active Internet connections (servers and established)
Proto Recv-‐Q Send-‐Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9091 0.0.0.0:* LISTEN 906/transmission-‐da
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1758/mysqld
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1841/redis-‐server 1
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1379/vsftpd
tcp 0 0 127.0.0.1:3350 0.0.0.0:* LISTEN 2030/xrdp-‐sesman
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1569/sshd
tcp 0 0 192.168.1.200:64414 203.177.28.183:15044 SYN_RECV -‐
tcp 0 0 192.168.1.200:64414 117.211.86.108:258 SYN_RECV -‐
tcp 0 0 192.168.1.200:57429 82.78.229.223:8325 TIME_WAIT -‐
tcp 0 1 192.168.1.200:55339 79.112.227.120:6881 SYN_SENT 906/transmission-‐da
tcp 0 1 192.168.1.200:56382 36.230.128.108:8290 SYN_SENT 906/transmission-‐da
tcp 0 0 192.168.1.200:22 36.231.168.75:5091 ESTABLISHED 29422/sshd: sntc06
tcp 0 0 192.168.1.200:64414 61.58.102.97:55302 ESTABLISHED 906/transmission-‐da
tcp 0 0 127.0.0.1:3306 127.0.0.1:42814 ESTABLISHED 1758/mysqld

•
• iostat [ ] [< >[< >]]
• %util
$ iostat -‐d -‐x 1
Device: rrqm/s wrqm/s r/s w/s rkB/s
wkB/s avgrq-‐sz avgqu-‐sz await r_await w_await svctm %util
sda 0.00 0.00 0.00 16.00 0.00
188.00 23.50 0.00 0.00 0.00 0.00 0.00 0.00

•
•
•
•
•
# yum install munin munin-‐node
# systemctl enable munin-‐node
• ( epel )

• /etc/crontab
• /etc/httpd/conf.d/munin.conf
*/5 * * * * munin test -‐x /usr/bin/munin-‐cron && /usr/bin/munin-‐cron
<Directory /var/cache/munin/www>
Order allow,deny
Allow from 127.0.0.0/8 140.115.0.0/16 ::1
# Require ip 140.115
#if apache 2.4
Options None
</Directory>

•
# htpasswd -‐c /etc/munin/munin-‐htpasswd < >
• /etc/munin/munin.conf
[local.example.com]
address 127.0.0.1
use_node_name yes

•
• $ ls /etc/munin/plugins
•
• Q
cpu if_err_enp0s3 mysql_innodb_bpool_act mysql_qcache_mem postfix_mailvolume
df if_err_enp0s8 mysql_innodb_insert_buf mysql_replication processes
df_inode interrupts mysql_innodb_io mysql_select_types proc_pri
diskstats irqstats mysql_innodb_io_pend mysql_slow swap
entropy load mysql_innodb_log mysql_sorts threads
forks memory mysql_innodb_rows mysql_table_locks uptime
fw_conntrack mysql_bin_relay_log mysql_innodb_semaphores mysql_tmp_tables users
fw_forwarded_local mysql_commands mysql_innodb_tnx netstat vmstat
fw_packets mysql_connections mysql_myisam_indexes open_files
if_enp0s3 mysql_files_tables mysql_network_traffic open_inodes
if_enp0s8 mysql_innodb_bpool mysql_qcache postfix_mailqueue

•
•
•
• # munin-‐node-‐configure -‐-‐shell
-‐-‐snmp <snmp_device> -‐-‐snmpversion <ver>
-‐-‐snmpcommunity <comm>

Linux 系統管理與安全：進階系統管理系統防駭與資訊安全

More Related Content

What's hot (20)

Similar to Linux 系統管理與安全：進階系統管理系統防駭與資訊安全 (20)

Recently uploaded (20)

Linux 系統管理與安全：進階系統管理系統防駭與資訊安全