セキュリティ強化による堅牢な環境構築法

以下のテキストは、執筆時当時の情報を元に書いたものであり、 現在の情勢にそぐわないことを含む場合があるので注意されたい。 また、テキストは最終提出原稿で校正を経る前のものなので、実際にUNIXUSER 本誌に記載されたものとは異なる。誤字脱字等そのままである。

致命的な誤り以外は加筆修正等は行なわないので情報の鮮度に気をつけつつ 利用して欲しい。

目次


PartIII



PC-UNIX
 tcp_wrappers 
NetBSD(1.3)FreeBSD(3.2R)



 ssh OS







tcp_wrappers

	tcp_wrappers 
	(wrap)IP
	
	 ucspi-tcp(tcpserver)[*1] 
	
	DoS(Denial of Service:) 
	
	
	
	
	make
	
	
	ucspi-tcp inetd OS
	
	 tcp_wrappers  inetd 
	

	FreeBSD tcp_wrappers 
	
	OS
	UNIX
	

	*1-------------------------------------------------------
	ftp://koobera.math.uic.edu/www/ucspi-tcp.html
	-----------------------------------------------------------------
	
  tcp_wrappers

	NetBSD 1.3FreeBSD 3.2R
	inetd tcp_wrappers (libwrap)
	
	
	 FreeBSD 3.x FreeBSD 2.2.8R 
	tcp_wrappers 
	3.x tcp_wrappers 
	
	NetBSDFreeBSD

    

	tcp_wrappers_7.6.tar.gz FreeBSD
	ftp
	 make 
	make
	NetBSD/FreeBSD tcp_wrappers  
	PROCESS_OPTIONS make
	 /etc/hosts.allow, 
	 /etc/hosts.deny 
	PROCESS_OPTIONS 
	hosts.allow 
	 REAL_DAEMON_DIR 
	
	make 
	

	(NetBSD)# make REAL_DAEMON_DIR=/usr/libexec/realdir netbsd
	(FreeBSD)# make REAL_DAEMON_DIR=/usr/libexec/realdir freebsd

    

	 make install 
	tcp_wrappers  tcpd  /usr/libexec 
	(inetd.conf)tcpd
	
	

	 /etc/inetd.conf
	 tcpd 
	inetd.conf  ftpd 

	ftp  stream tcp   nowait  root /usr/libexec/ftpd    ftpd -ll

	/usr/libexec/ftpd tcpdftpd
	REAL_DAEMON_DIR

		# cd /usr/libexec
		# mkdir realdir
		# mv ftpd realdir ; ln tcpd ftpd

	 3.x  /etc/inetd.conf,
	/etc/hosts.allow 

	 tcp_wrappers  NetBSD 1.3FreeBSD
	3.2R

  /etc/hosts.allow

	tcpd
	/etc/hosts.allow  /etc/hosts.deny 
	
	
	
	hosts.allow, hosts.deny 
	hosts.deny
	hosts.allow
	
	
	 hosts.allow 
	
	NetBSDFreeBSD hosts.allow 
	 hosts.allow 
	

    hosts.allow 

	hosts.allow 11
	\
	:()

		() : () : \
			 :  ....

	12 ,() 
	1
	 inetd.conf 
	(
	)2
	
	IP(netmask)
	3
	
	
	 ALLOW 
	(hosts.allow )

	
	

		rshd rlogind telnetd : .my.domain.com mypc
		ftpd : .my.domain.com 10.0.
		ALL : ALL : DENY

	1 rshd, rlogind, telnetd DNS 
	my.domain.com mypc(hosts 
	)2
	 ftpd  my.domain.com 
	10.0. 
	IP
	10.0.0.0/255.255.0.0 netmask
	3 ALL 1,2
	
	3(tcpd
	)(DENY)
	hosts.allow 
	

	 User@Address IDENT
	

    

	2ALL

	LOCAL - ()
		hosts ()
		

	UNKNOWN - IP 
		  
		  

	KNOWN - UNKNOWN

	PARANOID - 
		   IP
		   DNSIP
		   DNS
		   
		   tcpd hosts.allow 
		   PARANOID
		   tcpd(BSD
		   /var/log/maillog)"host name/address
		   mismatch" 
		   IPDNS
		   
		   DNS
		   DNS
		   Linux
		   /NetBSD/FreeBSDtcp_wrappers
		   DNS
		   
		   
		    address mismatch 
		   
		   

	EXCEPT - 
	
	

		ALL : .my.office.com EXCEPT dialup.my.office.com

	my.office.com
	 dialup.my.office.com 

    

	3
	 man hosts_options(5) 
	

	allow - 

	deny - deny
	deny
	

	spawn ShellCommand - `ShellCommand' 
	telnet
	(%d%h)

		telnetd : .telnet-ok.domain.com : allow
		telnetd : ALL : \
		  spawn (/usr/bin/mail -s %d-%h root)& : deny

	setenv Variable Value -  Variable  Value 
	qmail
	POP before SMTP 
	

	%
	 `%' [
	1]

	[1]
	-----------------------------------------------------------------
	%a (%A)	()IP
	%c	(
		user@host, user@address, host, address)
	%d	(argv[0])
	%h (%H)	() (
		)
	%n (%N)	()(
		"unknown"  "paranoid" )
	%p	ID
	%s	(
		daemon@host, daemon@address, daemon )
	%u	 ("unknown")
	%%	%
	-----------------------------------------------------------------

  hosts.allow

	tcp_wrappers hosts.allow 
	tcpdchk  hosts.allow 
	tcpdmatch 

		# tcpdmatch  ()

	
	
	 hosts.allow 
	
	

    FreeBSD 3.2R/3.3R 

	tcpdchk, tcpdmatch  /etc/inetd.conf tcpd
	 FreeBSD 3.2R/3.3R 
	 libwrap  inetd.conf tcpd
	tcpdchk 
	

	hosts.allow 
	tcpdmatch IP
	IP
	tcpdmatchIP
	

	portmap(NFS)libwrap
	 hosts.allow portmap
	IP
	3.3R hosts.allow 
	3.2R
	

	tcp_wrappers3.2R 
	inetd  HUP  inetd.conf 
	()
	inetd.conf tcpd
	inetd(3.3R
	:-)

	FreeBSD 3.2R/3.3R  tcp_wrappers  inetd 
	
	
	

	NetBSD libwrap tcpdchk 
	

ssh

	UNIXOS
	 rsh, rlogin, rcp r
	
	ssh(Secure Shell)

	ssh
	ssh
	UNIXOSssh
	ssh
	
	rsh~/.rhosts
	ssh
	
	

	- X
	- (-C)
	- ssh(:
	  -R, -L)

	
	

  libwrap

	./configure 
	FreeBSD
	tcp_wrappers 
	ssh tcp_wrappers 
	(libwrap)/usr/lib/ 
	libwrap* configure 
	--with-libwrap 

		# ./configure --with-libwrap=/usr/lib
		# make && make install

	tcp_wrappers
	libwrap.a
	sshd/etc/hosts.allow 
	ssh
	

  RSA

	sshssh
	rsh
	ssh
	RSA
	RSA
	ssh-agent
	

    sshRSA

	
	
	RSArlogin
	
	
	
	
	

	sshRSA
	
	
	
	
	
	
	RSA
	[*2]

	*2-------------------------------------------------------
	12?
	-----------------------------------------------------------------

	sshRSA
	UNIX
	RSA
	ssh-agent
	ssh-agent
	sshd
	
	
	RSA 
	ssh-agent
	
	()
	RSA /etc/sshd_config 

	  RSAAuthentication yes

	
	ssh yes  no 
	sshd
	 /etc/sshd_config  man sshd(8)
	

    

	RSA ssh-keygen 
	
	()

	% ssh-keygen

	
	
	 ~/.ssh/ 
	(identity)(identity.pub)
	
	[*3]

	% cat ~/.ssh/identity.pub | \
	      ssh remotehost 'cat >> ~/.ssh/authorized_keys'

	*3-------------------------------------------------------
	remotehost ~/.ssh/ 
	remotehost
	ssh
	
	-----------------------------------------------------------------

	

	% ssh remotehost
	Enter passphrase for RSA key 'user@your.domain.com': 

	
	

	% ssh remotehost
	user@remotehost's passwd:
	
	
	

    ssh-agent

	ssh-agent X
	
	X xinit  startx 
	

	% ssh-agent xinit
	( ssh-agent startx)

	X
	ssh-agent 
	SSH_AUTH_SOCK ssh-agent 
	
	
	
	 ssh-add  
	ssh-agent X ~/.xinitrc 
	

		ssh-add < /dev/null

	2

	   2 ssh-add askpass.gif

	
	!
	
	[*4]
	:-)

	*4-------------------------------------------------------
	
	-----------------------------------------------------------------

	ESC
	ssh-add
	

		% ssh-add -l

	ssh
	
	ssh
	
	
	ssh3ssh-agent
	ssh-addhost-1 
	ssh-agent
	ssh-agent 

	3
	+---------+           +------------------------------+
	| host-1  |----ssh--->|      remotehost-1            |
	|ssh-agent|~~~~~~~~~~~|~host-1agent|
	+---------+           +------------------------------+
	                        ||ssh
	                      +------------------------------+
			      |      remotehost-2            |
			      |~host-1agent|
			      +------------------------------+

	 X  ssh-agent X
	

    

	ssh-agent
	
	xlock[*5]
	1
	ssh-add 
	

	*5-------------------------------------------------------
	
	
	-----------------------------------------------------------------

	1 [ssh-lock.sh]
+----------------------------------------------------------------------------
|#!/bin/sh
|# ssh-lock.sh: remove every identity from the running ssh-agent, then
|# re-add them only after the passphrase has been entered again
|# (presumably through the X askpass dialog, hence the DISPLAY check).
|if [ "$DISPLAY" = "" ]; then
|        echo Cannot lock terminal
|        echo Use this lock script in X environment
|        exit 1
|fi
|
|# Ignore SIGINT (2) and SIGQUIT (3) so the re-add loop below cannot be
|# interrupted from the keyboard (numbers per /usr/include/sys/signal.h).
|# NOTE(review): SIGTSTP is not trapped -- confirm whether job control can
|# suspend the script before the identities have been re-added.
|trap '' 2 3
|
|ssh-add -D                      # drop all identities held by the agent
|while ! ssh-add < /dev/null     # stdin closed so ssh-add cannot read the tty
|do
|        # NOTE(review): any non-zero exit of ssh-add (e.g. agent not
|        # reachable) also lands here, not only a wrong passphrase, and the
|        # loop would then never terminate.
|        echo "Invalid passphrase."
|        echo "Try again."
|done
|ssh-add -l                      # list the identities now loaded
+----------------------------------------------------------------------------

  Port Forwarding

	ssh
	ssh
	 The Internet 
	ssh
	
	
	 Port Forwarding 
	sshWindows
	
	
	FreeBSDWindowsFreeBSD
	Windows
	

	UNIX
	Windows Port Forwarding 

  Port Forwarding

	UNIX
	
	 ssh  -L localhost
	8110remotehost110(POP3)ssh
	

	% ssh -L 8110:remotehost.hogehoge.jp:110 remotehost.hogehoge.jp

	-L
	

	% ssh -L 8110:remotehost.hogehoge.jp:110 anotherhost.hogehoge.jp

	 anotherhost  remotehost 110
	-L
	ssh Port Forwarding 
	 
	~/.ssh/config 

	+---[ ~/.ssh/config ]------------------------------------------
	|Host remotehost.hogehoge.jp
	| LocalForward     8021 remotehost.hogehoge.jp:21
	| LocalForward     8025 remotehost.hogehoge.jp:25
	| LocalForward     8110 remotehost.hogehoge.jp:110
	| Compression      yes
	| CompressionLevel 9
	+--------------------------------------------------------------

	ftp-control(21)SMTP(25)POP3(110)
	Port Forwarding Compression
	
	 ~/.ssh/config 
	 man ssh 

	Windows
	 TeraTermPRO[*6] ssh
	 ttssh 1.5[*7] 
	Windowsssh
	 Port Forwarding 
	

	ttssh.exe(remotehost)ssh
	TeraTermPRO
	[Setup]  [SSH Forwarding] Forwarding Setup
	 Forwarding [Add]
	 Port Forwarding 
	[OK](4)
	Windows1024
	localhost
	
	()

	4 ttssh Port Forwarding  portforward.gif
	
	*6,7-------------------------------------------------------
	http://www.vector.co.jp/authors/VA002416/
	http://www.zip.com.au/~roca/ttssh.html
	-----------------------------------------------------------------

	 Port Forwarding [Setup]  [Save setup] 
	
	

  Port Forwarding

	Port Forwarding ftp,
	POP3
	

	UNIX ftp  localhost:8021POP3 localhost:8110 
	  Windows ftp  localhost:21 POP3
	  localhost:110 

	ftpPort Forwarding 
	(21)
	
	ftpscprsync 
	 Port Forwarding 
	
	

	UNIX
	(1)ftp
	FreeBSDftppassive mode 
	 -p 8021

	% ftp -p localhost 8021

	
	ncftp 2.x localhost
	ftp

	% ncftp -u -p 8021 localhost

	remotehostftp
	ncftp
	localhost passive mode
	mode localhost:8021 
	ftpls 
	passive mode 
	

	% ncftp
	ncftp> open
	(localhost)
	ncftp> /ed

	

	Can user passive FTP:			Yes

	 localhost:8021 
	passive mode 

	Emacsftp ange-ftp 
	 Port Forwarding ange-ftp.el 
	Emacs-Lisp  ange-ftp-ftp-program-args  "-p" 
	 ~/.emacs Emacs20 
	ange-ftp.el 

	+--[ ~/.emacs ]-------------------------------------------------
	|(setq ange-ftp-ftp-program-args '("-p" "-i" "-n" "-g" "-v"))
	+---------------------------------------------------------------

	find-file 

	+---------------------------------------------------------------
	| Find file: /localhost 8021:~/hoge.txt
	+---------------------------------------------------------------

	 "localhost 8021" 
	SPCSPC C-q SPC 
	M-SPC 

	(2)POP3
	Mew(IM)fetchmail
	Mew ~/.im/Config 

	+--[ ~/.im/Config ]---------------------------------------------
	|Imget.Src=pop/POP@localhost/8110
	+---------------------------------------------------------------

	 / 
	fetchmail man fetchmail 
	~/.fetchmailrc 

	+--[ ~/.fetchmailrc ]-------------------------------------------
	|poll remotehost.hogehoge.jp with protocol pop3:
	|     via localhost port 8110
	+---------------------------------------------------------------

	 fetchmail POP
	ssh
	

	+--[ ~/.fetchmailrc ]-------------------------------------------
	|poll remotehost.hogehoge.jp with protocol pop3:
	|     via localhost port 8110
	|     preconnect "ssh -f -C -L 8110:remotehost.hogehoge.jp:110 \
	|		 remotehost.hogehoge.jp sleep 5 < /dev/null";
	+---------------------------------------------------------------

	 \ 

	Windows
	 Forwarding ttssh
	
	(1)ftp
	Passive mode ftp[*8]
	WsFTP(LE)WsFTP
	
	 localhost "Advanced" 
	Passive transfers (5)
	 FTP Explorer Passive mode
	 Port Forwarding 

	*8---------------------------------------------------------
	Windows 9x ftp Passive mode 
	
	-----------------------------------------------------------------
	5 WsFTP Advanced  wsftp.gif

	(2)POP3
	MUAPOP
	POP localhost 

     /etc/hosts.allow 

	
	ftpPOP3
	Port Forwarding 
	
	remotehost IP 10.0.10.2 ftp, POP3
	 ftpd, ipop3d 

		ftpd ipop3d : 10.0.10.2 localhost : ALLOW
		ftpd ipop3d : ALL : DENY

	 hosts.allow 
	ssh -L (10.0.10.2)
	 10.0.10.2  10.0.10.2 
	 hosts.allow 
	FreeBSDIP
	loopback interface (lo0)
	OSIP 
	 netstat 
	

	+---------------------------------------------------------------
	|% netstat -nr
	|Routing tables
	| 
	|Destination Gateway            Flags     Refs  Use Netif Expire
	|10.0.10.2   xx:xx:xx:xx:xx:xx  UHLW        3   60  lo0
	|                                                   ~~~
	+---------------------------------------------------------------


	




yuuji@gentei.org
Fingerprint16 = FF F9 FF CC E0 FE 5C F7 19 97 28 24 EC 5D 39 BA