\uc548\ub155\ud558\uc138\uc694, \uc131\uc7a5\ud558\ub294 \uac1c\ubc1c\uc790 \uc5ec\ub7ec\ubd84!<\/p>\n\n\n\n
“\uc11c\ubc84 \ubcf4\uc548”\uc774\ub77c\uace0 \ud558\uba74 \ubb54\uac00 \ubcf5\uc7a1\ud558\uace0 \uc5b4\ub824\uc6b4 \uac83\ucc98\ub7fc \ub290\uaef4\uc9c0\uc2dc\ub098\uc694? \ud558\uc9c0\ub9cc \uc2e4\uc81c\ub85c\ub294 \uba87 \uac00\uc9c0 \ud575\uc2ec \uc6d0\uce59<\/strong>\ub9cc \uc81c\ub300\ub85c \uc9c0\ud0a4\uba74 90%\uc758 \uacf5\uaca9\uc744 \ub9c9\uc744 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc624\ub298\uc740 \uac00\uc7a5 \uae30\ubcf8\uc774\uba74\uc11c\ub3c4 \uac15\ub825\ud55c \ub450 \uac00\uc9c0 \ubcf4\uc548 \ub3c4\uad6c\uc778 \ubc29\ud654\ubcbd\uacfc OpenSSH<\/strong>\ub97c \ud65c\uc6a9\ud574 \uc11c\ubc84\ub97c \uc548\uc804\ud558\uac8c \uc9c0\ud0a4\ub294 \ubc29\ubc95\uc744 \uc54c\ub824\ub4dc\ub9ac\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n \uc2e4\ubb34\uc5d0\uc11c \uc81c\uac00 \uc9c1\uc811 \uacaa\uc5c8\ub358 \ubcf4\uc548 \uc0ac\uace0\ub4e4\uacfc \uadf8 \ud574\uacb0 \uacfc\uc815\uc744 \ud1b5\ud574 \ubc30\uc6b4 \uc2e4\uc804 \ub178\ud558\uc6b0<\/strong>\ub97c \ud568\uaed8 \uacf5\uc720\ud558\ub2c8, \ub05d\uae4c\uc9c0 \uc9d1\uc911\ud574\uc11c \uc77d\uc5b4\ubcf4\uc2dc\uae38 \ubc14\ub78d\ub2c8\ub2e4! \ud83d\udd12<\/p>\n\n\n\n \uc774\ub7f0 \ub85c\uadf8\ub4e4\uc774 \ubcf4\uc774\uc2dc\ub098\uc694? \uc774\ubbf8 \uc5ec\ub7ec\ubd84\uc758 \uc11c\ubc84\uac00 \uacf5\uaca9\ubc1b\uace0 \uc788\uc744 \uc218 \uc788\uc2b5\ub2c8\ub2e4!<\/p>\n\n\n\n Firewalld\uc758 \uc7a5\uc810:<\/strong><\/p>\n\n\n\n Firewalld\uc758 \uac00\uc7a5 \uac15\ub825\ud55c \uae30\ub2a5 \uc911 \ud558\ub098\uac00 Zone\uc785\ub2c8\ub2e4:<\/p>\n\n\n\n \ud544\uc218 \ubcf4\uc548 \uc124\uc815\ub4e4:<\/strong><\/p>\n\n\n\n \uc124\uc815 \ud6c4 \uc11c\ube44\uc2a4 \uc7ac\uc2dc\uc791:<\/p>\n\n\n\n SSH Config \uc608\uc2dc:<\/strong><\/p>\n\n\n\n \uc0ac\uc6a9\ubc95:<\/p>\n\n\n\n [sshd]<\/p>\n\n\n\n enabled = true\nport = ssh\nlogpath = \/var\/log\/secure\nmaxretry = 3\nbantime = 7200\n<\/p>\n\n\n\n \uc624\ub298 \ubc30\uc6b4 \ub0b4\uc6a9\uc744 \ubc14\ud0d5\uc73c\ub85c:<\/p>\n\n\n\n \uae30\uc5b5\ud558\uc138\uc694<\/strong>: \uc644\ubcbd\ud55c \ubcf4\uc548\uc740 \uc874\uc7ac\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \ud558\uc9c0\ub9cc \uae30\ubcf8\uc801\uc778 \ubcf4\uc548 \uc218\uce59\uc744 \uc9c0\ud0a4\ub294 \uac83\ub9cc\uc73c\ub85c\ub3c4 \ub300\ubd80\ubd84\uc758 \uacf5\uaca9\uc73c\ub85c\ubd80\ud130 \uc11c\ubc84\ub97c \uc548\uc804\ud558\uac8c \uc9c0\ud0ac \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n \ubcf4\uc548\uc740 \ud55c \ubc88 \uc124\uc815\ud558\uace0 \ub05d\ub098\ub294 \uac83\uc774 \uc544\ub2c8\ub77c \uc9c0\uc18d\uc801\uc73c\ub85c \uad00\ub9ac\ud558\uace0 \uac1c\uc120\ud574\uc57c \ud558\ub294 \uc5ec\uc815<\/strong>\uc785\ub2c8\ub2e4. \uc624\ub298\ubd80\ud130 \uc5ec\ub7ec\ubd84\ub3c4 \uc774 \uc5ec\uc815\uc5d0 \ud568\uaed8\ud574\uc8fc\uc138\uc694! \ud83d\udee1\ufe0f<\/p>\n\n\n\n \ub2e4\uc74c \ud3ec\uc2a4\ud2b8\uc5d0\uc11c\ub294 “\ub85c\uadf8 \uad00\ub9ac\uc640 \ubaa8\ub2c8\ud130\ub9c1 \uc2e4\uc804 \uac00\uc774\ub4dc”\uc5d0\uc11c \ub354 \uace0\uae09 \ubaa8\ub2c8\ud130\ub9c1 \uae30\ubc95\ub4e4\uc744 \ub2e4\ub904\ubcf4\uaca0\uc2b5\ub2c8\ub2e4. \uae30\ub300\ud574 \uc8fc\uc138\uc694!<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" \uc548\ub155\ud558\uc138\uc694, \uc131\uc7a5\ud558\ub294 \uac1c\ubc1c\uc790 \uc5ec\ub7ec\ubd84! “\uc11c\ubc84 \ubcf4\uc548”\uc774\ub77c\uace0 \ud558\uba74 \ubb54\uac00 \ubcf5\uc7a1\ud558\uace0 \uc5b4\ub824\uc6b4 \uac83\ucc98\ub7fc \ub290\uaef4\uc9c0\uc2dc\ub098\uc694? \ud558\uc9c0\ub9cc \uc2e4\uc81c\ub85c\ub294 \uba87 \uac00\uc9c0 \ud575\uc2ec \uc6d0\uce59\ub9cc \uc81c\ub300\ub85c \uc9c0\ud0a4\uba74 90%\uc758 \uacf5\uaca9\uc744 \ub9c9\uc744 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc624\ub298\uc740 \uac00\uc7a5 \uae30\ubcf8\uc774\uba74\uc11c\ub3c4 \uac15\ub825\ud55c \ub450 \uac00\uc9c0 \ubcf4\uc548 \ub3c4\uad6c\uc778 \ubc29\ud654\ubcbd\uacfc OpenSSH\ub97c \ud65c\uc6a9\ud574 \uc11c\ubc84\ub97c \uc548\uc804\ud558\uac8c \uc9c0\ud0a4\ub294 \ubc29\ubc95\uc744 \uc54c\ub824\ub4dc\ub9ac\uaca0\uc2b5\ub2c8\ub2e4. \uc2e4\ubb34\uc5d0\uc11c \uc81c\uac00 \uc9c1\uc811 \uacaa\uc5c8\ub358 \ubcf4\uc548 \uc0ac\uace0\ub4e4\uacfc \uadf8 \ud574\uacb0 \uacfc\uc815\uc744 \ud1b5\ud574 \ubc30\uc6b4 \uc2e4\uc804 \ub178\ud558\uc6b0\ub97c \ud568\uaed8 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[51],"tags":[74,75,56,73,72],"class_list":["post-30","post","type-post","status-publish","format-standard","hentry","category-security","tag-ssh","tag-75","tag-56","tag-73","tag-72"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/posts\/30","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hed-g.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=30"}],"version-history":[{"count":3,"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/posts\/30\/revisions"}],"predecessor-version":[{"id":68,"href":"https:\/\/hed-g.me\/index.php?rest_route=\/wp\/v2\/posts\/30\/revisions\/68"}],"wp:attachment":[{"href":"https:\/\/hed-g.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=30"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hed-g.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=30"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hed-g.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=30"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}1. \uc11c\ubc84 \ubcf4\uc548\uc758 \uae30\ubcf8 \uc6d0\uce59: \ucd5c\uc18c \uad8c\ud55c\uacfc \ub2e4\uce35 \ubc29\uc5b4<\/h2>\n\n\n\n
\ubcf4\uc548\uc758 \ud669\uae08\ub960<\/h3>\n\n\n\n
\n
\uc2e4\ubb34\uc5d0\uc11c \uc790\uc8fc \ubc1c\uc0dd\ud558\ub294 \ubcf4\uc548 \uc704\ud611\ub4e4<\/h3>\n\n\n\n
# \uc2e4\uc81c \uacf5\uaca9 \uc2dc\ub3c4 \ub85c\uadf8 \uc608\uc2dc\ngrep \"Failed password\" \/var\/log\/secure | tail -5\n# Jan 15 14:32:11 server sshd[1234]: Failed password for root from 192.168.1.100 port 22\n# Jan 15 14:32:13 server sshd[1235]: Failed password for admin from 192.168.1.100 port 22\n# Jan 15 14:32:15 server sshd[1236]: Failed password for user from 192.168.1.100 port 22\n\n# \uc758\uc2ec\uc2a4\ub7ec\uc6b4 \uc811\uc18d \uc2dc\ub3c4 \ud655\uc778\njournalctl -u sshd | grep \"authentication failure\" | tail -10<\/code><\/pre>\n\n\n\n2. Firewalld: \ud604\ub300\uc801\uc778 \ubc29\ud654\ubcbd \uad00\ub9ac\uc758 \ud575\uc2ec<\/h2>\n\n\n\n
Firewalld vs iptables: \uc65c Firewalld\ub97c \uc368\uc57c \ud560\uae4c?<\/h3>\n\n\n\n
\n
\uae30\ubcf8 \uc124\uc815\uacfc \uc0c1\ud0dc \ud655\uc778<\/h3>\n\n\n\n
# 1. Firewalld \uc0c1\ud0dc \ud655\uc778\nsudo systemctl status firewalld\nsudo firewall-cmd --state\n\n# 2. \ud604\uc7ac \uc124\uc815 \ud655\uc778\nsudo firewall-cmd --list-all\n\n# 3. \ud65c\uc131 \uc601\uc5ed(Zone) \ud655\uc778\nsudo firewall-cmd --get-active-zones\n\n# 4. \uae30\ubcf8 \uc601\uc5ed \ud655\uc778\nsudo firewall-cmd --get-default-zone<\/code><\/pre>\n\n\n\nZone \uac1c\ub150 \uc774\ud574\ud558\uae30<\/h3>\n\n\n\n
# \uc0ac\uc6a9 \uac00\ub2a5\ud55c \ubaa8\ub4e0 Zone \ud655\uc778\nsudo firewall-cmd --get-zones\n# block dmz drop external home internal public trusted work\n\n# \uac01 Zone\uc758 \ud2b9\uc131\n# - drop: \ubaa8\ub4e0 \ub4e4\uc5b4\uc624\ub294 \ud328\ud0b7 \ucc28\ub2e8 (\uac00\uc7a5 \uc5c4\uaca9)\n# - block: \ub4e4\uc5b4\uc624\ub294 \ud328\ud0b7 \uac70\ubd80 \uc751\ub2f5\n# - public: \uae30\ubcf8 Zone, SSH\uc640 DHCP \ud074\ub77c\uc774\uc5b8\ud2b8\ub9cc \ud5c8\uc6a9\n# - external: \uc678\ubd80 \ub124\ud2b8\uc6cc\ud06c\uc6a9, NAT \ud658\uacbd\uc5d0\uc11c \uc0ac\uc6a9\n# - internal: \ub0b4\ubd80 \ub124\ud2b8\uc6cc\ud06c\uc6a9, \ub354 \ub9ce\uc740 \uc11c\ube44\uc2a4 \ud5c8\uc6a9\n# - home: \ud648 \ub124\ud2b8\uc6cc\ud06c\uc6a9, \ud30c\uc77c \uacf5\uc720 \ub4f1 \ud5c8\uc6a9\n# - work: \uc9c1\uc7a5 \ub124\ud2b8\uc6cc\ud06c\uc6a9\n# - trusted: \ubaa8\ub4e0 \ud328\ud0b7 \ud5c8\uc6a9 (\uac00\uc7a5 \uad00\ub300)<\/code><\/pre>\n\n\n\n\uc2e4\ubb34 \uc2dc\ub098\ub9ac\uc624\ubcc4 \ubc29\ud654\ubcbd \uc124\uc815<\/h3>\n\n\n\n
\uc2dc\ub098\ub9ac\uc624 1: \uc6f9 \uc11c\ubc84 \ubcf4\uc548 \uc124\uc815<\/h4>\n\n\n\n
# \uae30\ubcf8 Zone\uc744 public\uc73c\ub85c \uc124\uc815 (\uc774\ubbf8 \uae30\ubcf8\uac12)\nsudo firewall-cmd --set-default-zone=public\n\n# HTTP\/HTTPS \uc11c\ube44\uc2a4 \uc601\uad6c \ud5c8\uc6a9\nsudo firewall-cmd --permanent --add-service=http\nsudo firewall-cmd --permanent --add-service=https\n\n# \ucee4\uc2a4\ud140 \ud3ec\ud2b8 \ud5c8\uc6a9 (\uc608: 8080)\nsudo firewall-cmd --permanent --add-port=8080\/tcp\n\n# \uc124\uc815 \uc801\uc6a9\nsudo firewall-cmd --reload\n\n# \ud655\uc778\nsudo firewall-cmd --list-services\nsudo firewall-cmd --list-ports<\/code><\/pre>\n\n\n\n\uc2dc\ub098\ub9ac\uc624 2: \ub370\uc774\ud130\ubca0\uc774\uc2a4 \uc11c\ubc84 \ubcf4\uc548 \uac15\ud654<\/h4>\n\n\n\n
# \ud2b9\uc815 IP\uc5d0\uc11c\ub9cc MySQL \uc811\uadfc \ud5c8\uc6a9\nsudo firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"192.168.1.0\/24\" port protocol=\"tcp\" port=\"3306\" accept'\n\n# \ud2b9\uc815 \uc11c\ubc84\uc5d0\uc11c\ub9cc PostgreSQL \uc811\uadfc \ud5c8\uc6a9\nsudo firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"192.168.1.100\" port protocol=\"tcp\" port=\"5432\" accept'\n\n# \ubaa8\ub4e0 \uc678\ubd80 \uc811\uadfc \ucc28\ub2e8\ud558\uace0 \ub0b4\ubd80 \ub124\ud2b8\uc6cc\ud06c\ub9cc \ud5c8\uc6a9\nsudo firewall-cmd --permanent --zone=internal --add-source=192.168.1.0\/24\nsudo firewall-cmd --permanent --zone=internal --add-service=mysql\nsudo firewall-cmd --permanent --zone=internal --add-service=postgresql\n\nsudo firewall-cmd --reload<\/code><\/pre>\n\n\n\n\uc2dc\ub098\ub9ac\uc624 3: \uac1c\ubc1c \uc11c\ubc84 \uc784\uc2dc \ud3ec\ud2b8 \uc5f4\uae30<\/h4>\n\n\n\n
# \uc784\uc2dc\ub85c \ud3ec\ud2b8 \uc5f4\uae30 (\uc7ac\ubd80\ud305 \uc2dc \uc0ad\uc81c\ub428)\nsudo firewall-cmd --add-port=3000\/tcp\nsudo firewall-cmd --add-port=8080\/tcp\n\n# \ud655\uc778\nsudo firewall-cmd --list-ports\n\n# \uc601\uad6c \uc124\uc815\uc73c\ub85c \ubcc0\uacbd (\ud544\uc694\ud55c \uacbd\uc6b0)\nsudo firewall-cmd --runtime-to-permanent<\/code><\/pre>\n\n\n\nRich Rules: \uace0\uae09 \ubc29\ud654\ubcbd \uc815\ucc45<\/h3>\n\n\n\n
# 1. \ud2b9\uc815 \uc2dc\uac04\ub300\uc5d0\ub9cc SSH \uc811\uadfc \ud5c8\uc6a9 (\uace0\uae09 \uc124\uc815)\n# \ud3c9\uc77c 9\uc2dc-18\uc2dc\uc5d0\ub9cc \ud2b9\uc815 IP\uc5d0\uc11c SSH \uc811\uadfc \ud5c8\uc6a9\nsudo firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"192.168.1.100\" service name=\"ssh\" log prefix=\"SSH Access: \" level=\"info\" limit value=\"3\/m\" accept'\n\n# 2. \ubb34\ucc28\ubcc4 \ub300\uc785 \uacf5\uaca9 \ubc29\uc9c0\n# \ub3d9\uc77c IP\uc5d0\uc11c 5\ubc88 \uc774\uc0c1 \uc2e4\ud328 \uc2dc 10\ubd84\uac04 \ucc28\ub2e8\nsudo firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"192.168.1.0\/24\" service name=\"ssh\" log prefix=\"SSH Brute Force: \" level=\"warning\" limit value=\"5\/m\" drop'\n\n# 3. \ud3ec\ud2b8 \uc2a4\uce94 \uac10\uc9c0 \ubc0f \ucc28\ub2e8\nsudo firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" port port=\"22\" protocol=\"tcp\" log prefix=\"SSH Scan: \" level=\"warning\" limit value=\"1\/m\" accept'<\/code><\/pre>\n\n\n\n\ubc29\ud654\ubcbd \ub85c\uadf8 \ubaa8\ub2c8\ud130\ub9c1<\/h3>\n\n\n\n
# \ubc29\ud654\ubcbd \ub85c\uadf8 \uc2e4\uc2dc\uac04 \ubaa8\ub2c8\ud130\ub9c1\nsudo journalctl -u firewalld -f\n\n# \ud2b9\uc815 \ud0a4\uc6cc\ub4dc\ub85c \ub85c\uadf8 \ud544\ud130\ub9c1\nsudo journalctl -u firewalld | grep \"SSH\"\nsudo journalctl -u firewalld | grep \"DROP\"\n\n# \ub85c\uadf8 \ubd84\uc11d \uc2a4\ud06c\ub9bd\ud2b8\n#!\/bin\/bash\necho \"=== \uc624\ub298\uc758 \ubc29\ud654\ubcbd \ub85c\uadf8 \uc694\uc57d ===\"\necho \"\ucd1d \ucc28\ub2e8\ub41c \uc5f0\uacb0 \uc218:\"\nsudo journalctl -u firewalld --since today | grep -c \"DROP\"\necho \"SSH \uc811\uadfc \uc2dc\ub3c4:\"\nsudo journalctl -u firewalld --since today | grep -c \"SSH\"\necho \"\uac00\uc7a5 \ub9ce\uc774 \uc2dc\ub3c4\ud55c IP:\"\nsudo journalctl -u firewalld --since today | grep -oP 'from K[0-9.]+' | sort | uniq -c | sort -nr | head -5<\/code><\/pre>\n\n\n\n3. OpenSSH: \uc548\uc804\ud55c \uc6d0\uaca9 \uc811\uc18d\uc758 \ubaa8\ub4e0 \uac83<\/h2>\n\n\n\n
SSH \uae30\ubcf8 \ubcf4\uc548 \uac15\ud654<\/h3>\n\n\n\n
1. SSH \uc124\uc815 \ud30c\uc77c \ucd5c\uc801\ud654<\/h4>\n\n\n\n
# SSH \uc124\uc815 \ud30c\uc77c \ubc31\uc5c5\nsudo cp \/etc\/ssh\/sshd_config \/etc\/ssh\/sshd_config.backup\n\n# \uc8fc\uc694 \ubcf4\uc548 \uc124\uc815\nsudo nano \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n# \/etc\/ssh\/sshd_config \uad8c\uc7a5 \uc124\uc815\n\n# 1. \uae30\ubcf8 \ud3ec\ud2b8 \ubcc0\uacbd (\uc120\ud0dd\uc0ac\ud56d)\nPort 2222\n\n# 2. Root \ub85c\uadf8\uc778 \uc644\uc804 \ucc28\ub2e8\nPermitRootLogin no\n\n# 3. \ud328\uc2a4\uc6cc\ub4dc \ub85c\uadf8\uc778 \ube44\ud65c\uc131\ud654 (\ud0a4 \uc778\uc99d\ub9cc \ud5c8\uc6a9)\nPasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM no\n\n# 4. \ube48 \ud328\uc2a4\uc6cc\ub4dc \uae08\uc9c0\nPermitEmptyPasswords no\n\n# 5. X11 \ud3ec\uc6cc\ub529 \ube44\ud65c\uc131\ud654 (\ud544\uc694\uc5c6\ub294 \uacbd\uc6b0)\nX11Forwarding no\n\n# 6. \ub85c\uadf8\uc778 \uc2dc\uac04 \uc81c\ud55c\nLoginGraceTime 30\n\n# 7. \ucd5c\ub300 \ub3d9\uc2dc \uc138\uc158 \uc81c\ud55c\nMaxSessions 3\n\n# 8. \ud2b9\uc815 \uc0ac\uc6a9\uc790\ub9cc SSH \uc811\uadfc \ud5c8\uc6a9\nAllowUsers developer admin\n\n# 9. \ud2b9\uc815 \uadf8\ub8f9\ub9cc SSH \uc811\uadfc \ud5c8\uc6a9\nAllowGroups ssh-users\n\n# 10. \uc5f0\uacb0 \uc720\uc9c0 \uc124\uc815\nClientAliveInterval 300\nClientAliveCountMax 2<\/code><\/pre>\n\n\n\n# \uc124\uc815 \ud30c\uc77c \ubb38\ubc95 \uac80\uc0ac\nsudo sshd -t\n\n# SSH \uc11c\ube44\uc2a4 \uc7ac\uc2dc\uc791\nsudo systemctl restart sshd\n\n# \uc0c1\ud0dc \ud655\uc778\nsudo systemctl status sshd<\/code><\/pre>\n\n\n\nSSH \ud0a4 \uae30\ubc18 \uc778\uc99d: \ud328\uc2a4\uc6cc\ub4dc\ubcf4\ub2e4 1000\ubc30 \uc548\uc804\ud55c \ubc29\ubc95<\/h3>\n\n\n\n
1. SSH \ud0a4 \uc30d \uc0dd\uc131<\/h4>\n\n\n\n
# RSA \ud0a4 \uc0dd\uc131 (4096\ube44\ud2b8, \ub354 \uc548\uc804)\nssh-keygen -t rsa -b 4096 -C \"your-email@domain.com\"\n\n# \ub610\ub294 \ub354 \ucd5c\uc2e0\uc758 Ed25519 \ud0a4 (\uad8c\uc7a5)\nssh-keygen -t ed25519 -C \"your-email@domain.com\"\n\n# \ud0a4 \uc0dd\uc131 \uc2dc \uc635\uc158\ub4e4\n# -t: \ud0a4 \ud0c0\uc785 (rsa, ed25519)\n# -b: \ud0a4 \ube44\ud2b8 \uc218\n# -C: \ucf54\uba58\ud2b8 (\ubcf4\ud1b5 \uc774\uba54\uc77c)\n# -f: \ud0a4 \ud30c\uc77c \uc774\ub984 \uc9c0\uc815<\/code><\/pre>\n\n\n\n2. \uacf5\uac1c\ud0a4 \uc11c\ubc84\uc5d0 \ubcf5\uc0ac<\/h4>\n\n\n\n
# \uc790\ub3d9\uc73c\ub85c \uacf5\uac1c\ud0a4 \ubcf5\uc0ac\nssh-copy-id username@server-ip\n\n# \ucee4\uc2a4\ud140 \ud3ec\ud2b8 \uc0ac\uc6a9 \uc2dc\nssh-copy-id -p 2222 username@server-ip\n\n# \ud2b9\uc815 \ud0a4 \ud30c\uc77c \uc9c0\uc815\nssh-copy-id -i ~\/.ssh\/custom_key.pub username@server-ip\n\n# \uc218\ub3d9\uc73c\ub85c \ubcf5\uc0ac (ssh-copy-id \uc0ac\uc6a9 \ubd88\uac00 \uc2dc)\ncat ~\/.ssh\/id_rsa.pub | ssh username@server-ip \"mkdir -p ~\/.ssh && cat >> ~\/.ssh\/authorized_keys\"<\/code><\/pre>\n\n\n\n3. SSH \ud0a4 \uad00\ub9ac \ubc0f \ubcf4\uc548<\/h4>\n\n\n\n
# \ud0a4 \uad8c\ud55c \uc124\uc815 (\ub9e4\uc6b0 \uc911\uc694!)\nchmod 700 ~\/.ssh\nchmod 600 ~\/.ssh\/id_rsa\nchmod 644 ~\/.ssh\/id_rsa.pub\nchmod 600 ~\/.ssh\/authorized_keys\n\n# \uc5ec\ub7ec \ud0a4 \uad00\ub9ac\ub97c \uc704\ud55c SSH config \uc124\uc815\nnano ~\/.ssh\/config<\/code><\/pre>\n\n\n\n# ~\/.ssh\/config\nHost prod-server\n HostName 192.168.1.100\n Port 2222\n User developer\n IdentityFile ~\/.ssh\/prod_server_key\n\nHost dev-server\n HostName 192.168.1.200\n Port 22\n User admin\n IdentityFile ~\/.ssh\/dev_server_key\n\nHost git-server\n HostName github.com\n User git\n IdentityFile ~\/.ssh\/github_key\n\n# \ubaa8\ub4e0 \uc11c\ubc84\uc5d0 \ub300\ud55c \uae30\ubcf8 \uc124\uc815\nHost *\n ServerAliveInterval 60\n ServerAliveCountMax 3\n StrictHostKeyChecking ask\n UserKnownHostsFile ~\/.ssh\/known_hosts<\/code><\/pre>\n\n\n\n# \uac04\ub2e8\ud558\uac8c \uc811\uc18d\nssh prod-server\nssh dev-server\n\n# \ud30c\uc77c \ubcf5\uc0ac\ub3c4 \ud3b8\ub9ac\ud558\uac8c\nscp myfile.txt prod-server:~\/<\/code><\/pre>\n\n\n\nSSH \ud130\ub110\ub9c1: \uc548\uc804\ud55c \ud3ec\ud2b8 \ud3ec\uc6cc\ub529<\/h3>\n\n\n\n
\ub85c\uceec \ud3ec\ud2b8 \ud3ec\uc6cc\ub529<\/h4>\n\n\n\n
# \uc6d0\uaca9 \uc11c\ubc84\uc758 MySQL\uc744 \ub85c\uceec\uc5d0\uc11c \uc811\uadfc\nssh -L 3306:localhost:3306 username@server-ip\n\n# \uc6d0\uaca9 \uc11c\ubc84\uc758 \uc6f9 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc744 \ub85c\uceec\uc5d0\uc11c \uc811\uadfc\nssh -L 8080:localhost:80 username@server-ip\n\n# \ubc31\uadf8\ub77c\uc6b4\ub4dc \uc2e4\ud589\nssh -f -N -L 3306:localhost:3306 username@server-ip<\/code><\/pre>\n\n\n\n\ub9ac\ubaa8\ud2b8 \ud3ec\ud2b8 \ud3ec\uc6cc\ub529<\/h4>\n\n\n\n
# \ub85c\uceec\uc758 \uc11c\ube44\uc2a4\ub97c \uc6d0\uaca9\uc5d0\uc11c \uc811\uadfc \uac00\ub2a5\ud558\uac8c (\uc8fc\uc758 \ud544\uc694)\nssh -R 8080:localhost:3000 username@server-ip\n\n# \ubc31\uadf8\ub77c\uc6b4\ub4dc \uc2e4\ud589\nssh -f -N -R 8080:localhost:3000 username@server-ip<\/code><\/pre>\n\n\n\nSOCKS \ud504\ub85d\uc2dc<\/h4>\n\n\n\n
# SOCKS \ud504\ub85d\uc2dc \uc0dd\uc131\nssh -D 1080 username@server-ip\n\n# \ube0c\ub77c\uc6b0\uc800\uc5d0\uc11c localhost:1080\uc744 SOCKS \ud504\ub85d\uc2dc\ub85c \uc124\uc815\ud558\uba74\n# \ubaa8\ub4e0 \ud2b8\ub798\ud53d\uc774 \uc11c\ubc84\ub97c \ud1b5\ud574 \uc804\uc1a1\ub428<\/code><\/pre>\n\n\n\n4. \uc2e4\uc804 \ubcf4\uc548 \ubaa8\ub2c8\ud130\ub9c1\uacfc \uc790\ub3d9\ud654<\/h2>\n\n\n\n
SSH \uc811\uc18d \ub85c\uadf8 \ubd84\uc11d<\/h3>\n\n\n\n
# \uc131\uacf5\ud55c SSH \ub85c\uadf8\uc778 \ud655\uc778\nsudo grep \"Accepted\" \/var\/log\/secure\n\n# \uc2e4\ud328\ud55c SSH \ub85c\uadf8\uc778 \ud655\uc778\nsudo grep \"Failed password\" \/var\/log\/secure\n\n# \ud2b9\uc815 IP\uc758 \uc811\uc18d \uc2dc\ub3c4 \ubd84\uc11d\nsudo grep \"192.168.1.100\" \/var\/log\/secure\n\n# \uc624\ub298\uc758 SSH \ud65c\ub3d9 \uc694\uc57d\nsudo journalctl -u sshd --since today | grep -E \"(Accepted|Failed)\"<\/code><\/pre>\n\n\n\n\uc790\ub3d9 \ubcf4\uc548 \ubaa8\ub2c8\ud130\ub9c1 \uc2a4\ud06c\ub9bd\ud2b8<\/h3>\n\n\n\n
#!\/bin\/bash\n# ssh_monitor.sh - SSH \ubcf4\uc548 \ubaa8\ub2c8\ud130\ub9c1 \uc2a4\ud06c\ub9bd\ud2b8\n\nLOG_FILE=\"\/var\/log\/ssh_monitor.log\"\nSECURE_LOG=\"\/var\/log\/secure\"\nALERT_THRESHOLD=5\n\necho \"=== SSH \ubcf4\uc548 \ubaa8\ub2c8\ud130\ub9c1 \uc2dc\uc791: $(date) ===\" >> $LOG_FILE\n\n# 1. \uc2e4\ud328\ud55c \ub85c\uadf8\uc778 \uc2dc\ub3c4 \uce74\uc6b4\ud2b8\nFAILED_ATTEMPTS=$(grep \"Failed password\" $SECURE_LOG | grep \"$(date +%b %d)\" | wc -l)\n\nif [ $FAILED_ATTEMPTS -gt $ALERT_THRESHOLD ]; then\n echo \"\u26a0\ufe0f \uacbd\uace0: \uc624\ub298 $FAILED_ATTEMPTS \ubc88\uc758 \ub85c\uadf8\uc778 \uc2e4\ud328\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4!\" >> $LOG_FILE\n\n # \uac00\uc7a5 \ub9ce\uc774 \uc2dc\ub3c4\ud55c IP \ucc3e\uae30\n TOP_ATTACKERS=$(grep \"Failed password\" $SECURE_LOG | grep \"$(date +%b %d)\" | \n grep -oP 'from K[0-9.]+' | sort | uniq -c | sort -nr | head -3)\n\n echo \"\uc8fc\uc694 \uacf5\uaca9 IP\ub4e4:\" >> $LOG_FILE\n echo \"$TOP_ATTACKERS\" >> $LOG_FILE\n\n # \uc790\ub3d9 \ucc28\ub2e8 (\uc120\ud0dd\uc0ac\ud56d)\n echo \"$TOP_ATTACKERS\" | while read count ip; do\n if [ $count -gt 10 ]; then\n echo \"IP $ip \uc790\ub3d9 \ucc28\ub2e8 (\uc2dc\ub3c4 \ud69f\uc218: $count)\" >> $LOG_FILE\n sudo firewall-cmd --add-rich-rule=\"rule family='ipv4' source address='$ip' drop\"\n fi\n done\nfi\n\n# 2. \uc0c8\ub85c\uc6b4 SSH \ud0a4 \ucd94\uac00 \uac10\uc9c0\nAUTHORIZED_KEYS=\"\/home\/*\/.ssh\/authorized_keys\"\nfor auth_file in $AUTHORIZED_KEYS; do\n if [ -f \"$auth_file\" ]; then\n KEY_COUNT=$(wc -l < \"$auth_file\")\n echo \"$(dirname $auth_file): $KEY_COUNT \uac1c\uc758 SSH \ud0a4\" >> $LOG_FILE\n fi\ndone\n\n# 3. Root \ub85c\uadf8\uc778 \uc2dc\ub3c4 \uac10\uc9c0\nROOT_ATTEMPTS=$(grep \"Failed password for root\" $SECURE_LOG | grep \"$(date +%b %d)\" | wc -l)\nif [ $ROOT_ATTEMPTS -gt 0 ]; then\n echo \"\ud83d\udea8 \uc704\ud5d8: Root \uacc4\uc815\uc73c\ub85c $ROOT_ATTEMPTS \ubc88\uc758 \ub85c\uadf8\uc778 \uc2dc\ub3c4\uac00 \uc788\uc5c8\uc2b5\ub2c8\ub2e4!\" >> $LOG_FILE\nfi\n\necho \"=== \ubaa8\ub2c8\ud130\ub9c1 \uc644\ub8cc: $(date) ===\" >> $LOG_FILE\necho \"\" >> $LOG_FILE<\/code><\/pre>\n\n\n\nFail2Ban: \uc790\ub3d9 \uce68\uc785 \ucc28\ub2e8 \uc2dc\uc2a4\ud15c<\/h3>\n\n\n\n
# Fail2Ban \uc124\uce58\nsudo dnf install fail2ban -y\nsudo systemctl enable fail2ban\nsudo systemctl start fail2ban\n\n# SSH \ubcf4\ud638 \uc124\uc815\nsudo nano \/etc\/fail2ban\/jail.local<\/code><\/pre>\n\n\n\n[DEFAULT]\n# \ucc28\ub2e8 \uc2dc\uac04 (\ucd08)\nbantime = 3600\n# \uad00\ucc30 \uc2dc\uac04 (\ucd08)\nfindtime = 600\n# \ucd5c\ub300 \uc2dc\ub3c4 \ud69f\uc218\nmaxretry = 5<\/code><\/pre>\n\n\n# Fail2Ban \uc7ac\uc2dc\uc791\nsudo systemctl restart fail2ban\n\n# \uc0c1\ud0dc \ud655\uc778\nsudo fail2ban-client status\nsudo fail2ban-client status sshd\n\n# \ucc28\ub2e8\ub41c IP \ud655\uc778\nsudo fail2ban-client get sshd banned\n\n# \uc218\ub3d9\uc73c\ub85c IP \ucc28\ub2e8\/\ud574\uc81c\nsudo fail2ban-client set sshd banip 192.168.1.100\nsudo fail2ban-client set sshd unbanip 192.168.1.100<\/code><\/pre>\n\n\n\n5. \ubcf4\uc548 \uc810\uac80 \uccb4\ud06c\ub9ac\uc2a4\ud2b8\uc640 \ubca0\uc2a4\ud2b8 \ud504\ub799\ud2f0\uc2a4<\/h2>\n\n\n\n
\uc77c\uc77c \ubcf4\uc548 \uc810\uac80 \uccb4\ud06c\ub9ac\uc2a4\ud2b8<\/h3>\n\n\n\n
#!\/bin\/bash\n# daily_security_check.sh\n\necho \"=== \uc77c\uc77c \ubcf4\uc548 \uc810\uac80 $(date) ===\"\n\n# 1. \uc2dc\uc2a4\ud15c \uc5c5\ub370\uc774\ud2b8 \ud655\uc778\necho \"1. \uc2dc\uc2a4\ud15c \uc5c5\ub370\uc774\ud2b8 \uc0c1\ud0dc:\"\ndnf check-update | wc -l\n\n# 2. \ubc29\ud654\ubcbd \uc0c1\ud0dc \ud655\uc778\necho \"2. \ubc29\ud654\ubcbd \uc0c1\ud0dc:\"\nsudo systemctl is-active firewalld\n\n# 3. SSH \uc11c\ube44\uc2a4 \uc0c1\ud0dc \ud655\uc778\necho \"3. SSH \uc11c\ube44\uc2a4 \uc0c1\ud0dc:\"\nsudo systemctl is-active sshd\n\n# 4. \ud65c\uc131 \ub124\ud2b8\uc6cc\ud06c \uc5f0\uacb0 \ud655\uc778\necho \"4. \ud604\uc7ac \ud65c\uc131 \uc5f0\uacb0 (\uc0c1\uc704 10\uac1c):\"\nsudo ss -tuln | head -10\n\n# 5. \ub9c8\uc9c0\ub9c9 \ub85c\uadf8\uc778 \ud655\uc778\necho \"5. \ucd5c\uadfc \ub85c\uadf8\uc778 \uae30\ub85d:\"\nlast -n 5\n\n# 6. \uc218\uc0c1\ud55c \ud504\ub85c\uc138\uc2a4 \ud655\uc778\necho \"6. \ub192\uc740 CPU \uc0ac\uc6a9 \ud504\ub85c\uc138\uc2a4:\"\nps aux --sort=-%cpu | head -5\n\n# 7. \ub514\uc2a4\ud06c \uc0ac\uc6a9\ub7c9 \ud655\uc778\necho \"7. \ub514\uc2a4\ud06c \uc0ac\uc6a9\ub7c9:\"\ndf -h | grep -v tmpfs\n\n# 8. \uc2e4\ud328\ud55c \ub85c\uadf8\uc778 \uc2dc\ub3c4\necho \"8. \uc624\ub298\uc758 \uc2e4\ud328\ud55c \ub85c\uadf8\uc778 \uc2dc\ub3c4:\"\nsudo grep \"Failed password\" \/var\/log\/secure | grep \"$(date +%b %d)\" | wc -l\n\necho \"=== \uc810\uac80 \uc644\ub8cc ===\"<\/code><\/pre>\n\n\n\n\uc6d4\uac04 \ubcf4\uc548 \ub9ac\ubdf0 \uccb4\ud06c\ub9ac\uc2a4\ud2b8<\/h3>\n\n\n\n
\n
\ubcf4\uc548 \uc0ac\uace0 \ub300\uc751 \uc808\ucc28<\/h3>\n\n\n\n
1. \uc989\uc2dc \ub300\uc751 (5\ubd84 \uc774\ub0b4)<\/h4>\n\n\n\n
# \uc758\uc2ec\uc2a4\ub7ec\uc6b4 IP \uc989\uc2dc \ucc28\ub2e8\nsudo firewall-cmd --add-rich-rule=\"rule family='ipv4' source address='SUSPICIOUS_IP' drop\"\n\n# \ubaa8\ub4e0 SSH \uc5f0\uacb0 \ud655\uc778\nwho\nw\n\n# \uc758\uc2ec\uc2a4\ub7ec\uc6b4 \uc138\uc158 \uac15\uc81c \uc885\ub8cc\nsudo pkill -u suspicious_user\n\n# \uae34\uae09 \uc0c1\ud669 \uc2dc SSH \ud3ec\ud2b8 \uc784\uc2dc \ubcc0\uacbd\nsudo sed -i 's\/Port 22\/Port 2222\/' \/etc\/ssh\/sshd_config\nsudo systemctl restart sshd<\/code><\/pre>\n\n\n\n2. \uc870\uc0ac \ubc0f \ubd84\uc11d (30\ubd84 \uc774\ub0b4)<\/h4>\n\n\n\n
# \uc0c1\uc138 \ub85c\uadf8 \ubd84\uc11d\nsudo grep -E \"($(date +%b %d)|$(date -d yesterday +%b %d))\" \/var\/log\/secure > security_incident_$(date +%Y%m%d).log\n\n# \ub124\ud2b8\uc6cc\ud06c \uc5f0\uacb0 \uc0c1\ud0dc \uc800\uc7a5\nsudo ss -tuln > network_status_$(date +%Y%m%d).log\n\n# \ud504\ub85c\uc138\uc2a4 \uc0c1\ud0dc \uc800\uc7a5\nps aux > process_status_$(date +%Y%m%d).log<\/code><\/pre>\n\n\n\n3. \ubcf5\uad6c \ubc0f \uac15\ud654 (1\uc2dc\uac04 \uc774\ub0b4)<\/h4>\n\n\n\n
# \ud328\uc2a4\uc6cc\ub4dc \uac15\uc81c \ubcc0\uacbd\nsudo passwd username\n\n# SSH \ud0a4 \uad50\uccb4\nssh-keygen -t ed25519 -C \"incident-response-$(date +%Y%m%d)\"\n\n# \ubc29\ud654\ubcbd \uaddc\uce59 \uac15\ud654\nsudo firewall-cmd --set-default-zone=drop\nsudo firewall-cmd --zone=trusted --add-source=ADMIN_IP<\/code><\/pre>\n\n\n\n\ub9c8\uce58\uba70: \ubcf4\uc548\uc740 \uc5ec\uc815\uc774\uc9c0 \ubaa9\uc801\uc9c0\uac00 \uc544\ub2d9\ub2c8\ub2e4<\/h2>\n\n\n\n
\ud575\uc2ec \uc6d0\uce59 \uc7ac\uc815\ub9ac<\/h3>\n\n\n\n
\n
\uc2e4\ubb34\uc5d0\uc11c \uae30\uc5b5\ud560 \uc810<\/h3>\n\n\n\n
\n
\ub2e4\uc74c \ub2e8\uacc4<\/h3>\n\n\n\n
\n
\n\n\n\n