[실습9] python + mod_wsgi

# yum install mod_wsgi

# vi /etc/httpd/conf.d/wsgi.conf (new file)

-------------------------------------

# Maps the URL path /wsgi to the WSGI script. The script is placed under
# /www1, which the vhost in [실습10]/[실습11] also serves as DocumentRoot with
# "Options Indexes" and "Require all granted", so the same file is reachable
# as a plain download (e.g. /test_wsgi.py) and shows up in directory listings.
# Outside a lab keep WSGI scripts in a directory Apache does not serve
# directly, or deny direct access to *.py under DocumentRoot.
WSGIScriptAlias /wsgi /www1/test_wsgi.py

-------------------------------------

 

# vi /www1/test_wsgi.py (new file)

-------------------------------------

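def application(environ, start_response):
    """Minimal WSGI application that returns one static HTML page.

    Args:
        environ: the WSGI environment dict (not used here).
        start_response: the WSGI callable; receives (status, response_headers).

    Returns:
        A one-element list holding the response body as a byte string.
    """
    html = '<html><body><center><h1> Python Web Page </h1></center></body></html>'
    # WSGI bodies must be byte strings. Under Python 2 (the CentOS 7 mod_wsgi
    # package) a str already is bytes, but mod_wsgi on Python 3 rejects a str
    # body, so encode explicitly; this works on both interpreters.
    body = html.encode('utf-8')
    status = '200 OK'
    # Content-Length lets the server keep the connection alive without
    # chunking; the header list keeps the original Content-Type value.
    response_header = [('Content-Type', 'text/html'),
                       ('Content-Length', str(len(body)))]
    start_response(status, response_header)
    return [body]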

-------------------------------------

# chmod 555 /www1/test_wsgi.py
  (mod_wsgi 는 이 파일을 실행하는 것이 아니라 파이썬 모듈로 읽어들이므로 실행 비트는 필요 없다. apache 사용자가 읽을 수만 있으면 되므로 444 로 충분하다.)

# systemctl restart httpd

# firefox http://www.linux2XX.example.com/wsgi &

 

 

 

 

 

 

[실습10] (보안) .htaccess 파일 설정

# vi /etc/httpd/conf.d/vhost.conf

------------------------------------

<VirtualHost *:80>
    DocumentRoot /www1
    ServerName www.linux249.example.com
    <Directory /www1>
        # "Indexes" returns a directory listing whenever no index file exists
        # and "Includes" enables server-side includes (SSI) for this tree.
        # Both widen what a client can discover or trigger; keep them only
        # while an exercise needs them (otherwise "Options -Indexes").
        Options Indexes Includes
        # Added in this exercise: lets /www1/.htaccess carry authentication
        # directives only (AuthName, AuthType, AuthUserFile, Require). Every
        # other directive class stays disabled, so a writable /www1 cannot
        # be used to change Options, handlers, etc. through .htaccess.
        AllowOverride AuthConfig
        Require all granted
    </Directory>
    # CGI scripts under /www1/cgi-bin are executed for /cgi-bin/... URLs.
    # Note the directory lives inside DocumentRoot; httpd's own guidance is
    # to keep CGI directories outside the document tree.
    ScriptAlias /cgi-bin/ /www1/cgi-bin/
</VirtualHost>

------------------------------------

 

# vi /www1/.htaccess

# HTTP Basic authentication for /www1. The browser sends user name and
# password base64-encoded (not encrypted) with every request, so over the
# plain http://...:80 vhost used in this exercise they cross the network in
# the clear; outside a lab, put such a directory behind HTTPS.
AuthName "restricted stuff"
AuthType Basic
# Password file kept outside DocumentRoot (/www1) so it can never be served;
# it is created with htpasswd in the next step. The stock httpd.conf ships a
# <Files ".ht*"> Require all denied rule -- confirm it is still present so
# this .htaccess itself cannot be downloaded.
AuthUserFile /etc/httpd/conf/mypasswd
# Any account present in the password file is accepted; "Require user <name>"
# narrows it to specific accounts.
require valid-user

 

# htpasswd -mc /etc/httpd/conf/mypasswd testuser
  (-c 는 파일을 새로 만들며 기존 파일이 있으면 덮어쓰므로 두 번째 사용자부터는 -c 없이 실행한다. -m 은 apr1-MD5 해시이고 httpd 2.4 에서는 bcrypt 인 -B 가 더 안전하다: htpasswd -Bc /etc/httpd/conf/mypasswd testuser.
   생성된 파일은 apache 프로세스만 읽을 수 있게 chown root:apache ; chmod 640 을 권장한다.)

 

# systemctl restart httpd

# firefox http://www.linux2XX.example.com &

 

 

 

 

 

 

[실습11] 가상 호스트 설정

(Name-based Virtual Hosting)

 

(전제조건) DNS 설정

----------------------------------

www1 IN A 172.16.6.1XX

www2 IN A 172.16.6.1XX

www3 IN A 172.16.6.1XX

----------------------------------

 

# mkdir -p /www1 /www2 /www3

# vi /www1/index.html

# vi /www2/index.html

# vi /www3/index.html

 

# view /usr/share/doc/httpd-*/httpd-vhost.conf

# vi /etc/httpd/conf.d/vhost.conf

--------------------------------------

# Name-based virtual hosting: all four blocks share *:80 and are selected by
# the request's Host header.
# The FIRST block is also the default: a request whose Host matches no
# ServerName/ServerAlias (one sent to the bare IP, or a scanner probing with
# a bogus Host) is answered from /www1 by this block.
<VirtualHost *:80>
    DocumentRoot /www1
    ServerName www.linux249.example.com
    ServerAlias linux249.example.com
    <Directory /www1>
        # Directory listing and SSI stay enabled for this exercise; see the
        # note in [실습10].
        Options Indexes Includes
        AllowOverride AuthConfig
        Require all granted
    </Directory>
    ScriptAlias /cgi-bin/ /www1/cgi-bin/
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /www1
    ServerName www1.linux249.example.com
    <Directory /www1>
        # Only access is granted here; no Options are set, so whatever the
        # server-wide configuration defines applies to this vhost.
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /www2
    ServerName www2.linux249.example.com
    <Directory /www2>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /www3
    ServerName www3.linux249.example.com
    <Directory /www3>
        Require all granted
    </Directory>
</VirtualHost>

--------------------------------------

 

# systemctl restart httpd

# firefox http://www1.linux2XX.example.com &

# firefox http://www2.linux2XX.example.com &

# firefox http://www3.linux2XX.example.com &

 

(IP-based Virtual Hosting)

 

(전제조건)NIC => 172.16.6.149, 172.16.6.199, 172.16.6.99

# nmcli connection modify ens33 ipv4.addresses '172.16.6.149/24, 172.16.6.199/24, 172.16.6.99/24'
# nmcli connection up ens33    <--- modify 는 프로파일만 바꾸므로 up 으로 다시 활성화해야 주소가 실제 NIC 에 적용된다 (ip addr show ens33 으로 확인)

 

# vi /etc/httpd/conf.d/vhost.conf

--------------------------------------

# IP-based virtual hosting: each site is bound to its own address. httpd
# picks the most specific address match first, so the *:80 block below only
# answers for addresses that have no dedicated <VirtualHost> of their own.
# "httpd -S" (run after the restart) prints the resolved mapping.
<VirtualHost *:80>
    DocumentRoot /www1
    ServerName www.linux249.example.com
    ServerAlias linux249.example.com
    <Directory /www1>
        # Directory listing and SSI stay enabled for this exercise; see the
        # note in [실습10].
        Options Indexes Includes
        AllowOverride AuthConfig
        Require all granted
    </Directory>
    ScriptAlias /cgi-bin/ /www1/cgi-bin/
</VirtualHost>

<VirtualHost 172.16.6.149:80>
    DocumentRoot /www1
    ServerName www1.linux249.example.com
    <Directory /www1>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 172.16.6.199:80>
    DocumentRoot /www2
    ServerName www2.linux249.example.com
    <Directory /www2>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 172.16.6.99:80>
    DocumentRoot /www3
    ServerName www3.linux249.example.com
    <Directory /www3>
        Require all granted
    </Directory>
</VirtualHost>

--------------------------------------

 

# systemctl restart httpd

# httpd -S

 

# firefox http://172.16.6.149 &

# firefox http://172.16.6.199 &

# firefox http://172.16.6.99 &

 

(복원)

# nmcli connection modify ens33 ipv4.addresses 172.16.6.1XX/24

# nmcli connection up ens33

 

# vi /etc/httpd/conf.d/vhost.conf

:16,38s/^/#/

# systemctl restart httpd

 

 

 

 

 

 

[실습12] http://www.example.com/server-info

# cp /usr/share/doc/httpd-*/httpd-info.conf /etc/httpd/conf.d/server-info.conf

# vi server-info.conf

------------------------------------

<Location /server-info>
    # mod_info dumps the complete live configuration (loaded modules,
    # directive values, file paths). Treat it as sensitive: restrict it to
    # admin addresses and remove it once the exercise is over.
    SetHandler server-info
    # Bare Require lines in one container are combined as RequireAny: a
    # client passes if EITHER line matches. "Require host" is decided by a
    # (double-)reverse DNS lookup of the client address, so it is slower and
    # only as trustworthy as that DNS; "Require ip" alone is the simpler rule.
    Require host .example.com
    # changed from the shipped 127 (localhost only) to the lab address
    Require ip 172.16.6.1XX
</Location>

------------------------------------

 

# systemctl restart httpd

# firefox http://www.linux2XX.example.com/server-info &

 

 

 

 

 

 

[실습13] http://www.example.com/server-status

# vi server-info.conf

------------------------------------

<Location /server-status>
    # mod_status shows the requests currently being served (client address,
    # request URI and, with ExtendedStatus -- on by default once mod_status
    # is loaded in 2.4 -- more detail). Whoever can reach it sees what other
    # clients are doing; keep it restricted to admin addresses.
    SetHandler server-status
    # The two Require lines are OR-ed (implicit RequireAny); see [실습12]
    # for why "Require ip" alone is preferable to "Require host".
    Require host .example.com
    # changed from the shipped 127 (localhost only) to the lab address
    Require ip 172.16.6.1XX
</Location>

------------------------------------

# systemctl restart httpd

# firefox http://www.linux2XX.example.com/server-status &

 

 

 

 

 

 

[실습14] 웹 통계/사용량

# yum --enablerepo=epel install webalizer

# vi /etc/httpd/conf.d/webalizer.conf

--------------------------------------

Alias /usage /var/www/usage

<Location /usage>
    # The reports list visitor addresses, requested URLs, referrers and user
    # agents for this server -- information worth protecting.
    # Alternative e.g. "Require ip 192.168.10"
    Require local
    # The two lines below were added in this exercise. Each Require is OR-ed
    # with the others (implicit RequireAny): "Require ip 172.16.6" matches the
    # whole 172.16.6.0/24, i.e. every host on the lab network, and
    # "Require host" needs a reverse-DNS lookup of each client.
    Require host .example.com
    Require ip 172.16.6
</Location>

--------------------------------------

 

# systemctl restart httpd

 

# cd /var/www/usage

# webalizer

# ls /var/www/usage

 

# crontab -e

0 * * * * webalizer

 

# firefox http://localhost/usage &

 

 

[참고] Web Stress 툴

* web stress 툴

 

 

(보안)

WAF(Web Application Firewall) : 웹방화벽

공개용 웹방화벽 대표적인 제품

* WebKnight for IIS

* ModSecurity for Apache

KR-CERT 서비스(www.krcert.or.kr/webprotect/samCompany.do)

휘슬(Whistl) - 웹서버에 설치하는 악성프로그램 탐지 S/W

캐슬(Castle) - 웹방화벽 S/W

웹 취약점 점검 서비스(https://www.krcert.or.kr/webprotect/webVulnerability.do)

 

 

 

 

 


 

 

 

 

 

 

5. FTP(File Transfer Protocol)

 

 

 

 

 

■ vsftpd FTP Server on CentOS 7.X

---------------------------------

● Program: vsftpd ftp

● Daemon & Port & Protocol: vsftpd(20/tcp, 21/tcp)

● Configuration File(s): /etc/vsftpd/vsftpd.conf

● Sub Configuration File(s): /etc/vsftpd/*

● Service: vsftpd.service

---------------------------------

● 추가 정리 부분은 : 기능

---------------------------------

 

 

 

 

 

[실습1] vsftpd 서버에 root 사용자 접속 허용

# yum install ftp vsftpd

# cd /etc/vsftpd ; vi {ftpusers|user_list}    <--- 두 파일 모두에서 root 줄을 삭제
  (ftpusers 는 PAM(/etc/pam.d/vsftpd, pam_listfile) 이 보는 거부 목록이고, user_list 는 vsftpd 기본값 userlist_enable=YES / userlist_deny=YES 에서 쓰는 거부 목록이라 한쪽만 지우면 여전히 로그인이 거부된다.
   FTP 는 암호를 평문으로 전송하므로 root 로그인 허용은 실습용으로만 쓰고, 실습 후 두 파일에 root 를 다시 넣을 것. 실서비스에서는 sftp 또는 ssl_enable=YES(FTPS) 를 사용한다.)

# systemctl restart vsftpd

# systemctl enable vsftpd

 

 

 

 

 

[실습2] vsftpd 사용자 접근 제어

* /etc/vsftpd/ftpusers

* /etc/vsftpd/user_list

 

 

 

 

 

[실습3] ftp 클라언트 툴 사용법

* gftp

* ftp CMD

 

(gftp)

# yum install epel-release

# yum --enablerepo=epel install gftp

# gftp &

 

(ftp CMD)

# ftp 172.16.6.252

root 사용자로 로그인 (FTP 는 계정과 암호를 평문으로 전송하므로 이 로그인은 같은 네트워크에서 그대로 가로챌 수 있다 — 실습망 밖에서는 사용하지 말 것)

(ㄱ) 업로드/다운로드 포인터 맞추기(cd/lcd)

(ㄴ) 편리한 기능 설정(bin/hash/prompt)

(ㄷ) 파일전송(mget/mput)

(ㄹ) 확인/해제(ls/!ls, quit/bye)

 

 

 

 

 

[실습4] (WIN)ftp CMD <-- download -- (LINUX)vsftpd

 

 

 

 

 

[실습5] 배너 메세지 설정

* banner_file

 

# vi /etc/vsftpd/vsftpd.conf

# Text shown to every client before login; when set it takes precedence over
# the ftpd_banner string. Keep it free of version, host name and OS details.
banner_file=/etc/vsftpd/banner.txt

# systemctl restart vsftpd

# ftp localhost

<CTRL + C>

 

 

 

 

 

[실습6] 인사 메세지 설정

* ftpd_banner

 

# vi /etc/vsftpd/vsftpd.conf

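# Greeting shown at connect time. Setting any ftpd_banner replaces the default
# "(vsFTPd <version>)" greeting, a cheap way to stop advertising the server
# version. vsftpd takes the value literally and does not strip quotes, so the
# quotes in the original line would have been printed as part of the greeting.
ftpd_banner=Welcome to my server.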

# systemctl restart vsftpd

# ftp localhost

<CTRL + C>

 

 

 

 

 

[실습7] 인증된 사용자에 대한 chroot 구성

# Jail each local user in its home directory after login. See the man-page
# extract below: only safe when the jail root itself is not user-writable.
chroot_local_user=YES

!!!! 점검요망 !!!!

 

 

chroot_local_user

If set to YES, local users will be (by default) placed in a chroot() jail

in their home directory after login. Warning: This option has security

implications, especially if the users have upload permission, or shell

access. Only enable if you know what you are doing. Note that these secu-

rity implications are not vsftpd specific. They apply to all FTP daemons

which offer to put local users in chroot() jails.

 

Default: NO

 

 

allow_writeable_chroot

Allow chroot()'ing a user to a directory writable by that user. Note that

setting this to YES is potentially dangerous. For example, if the user

creates an 'etc' directory in the new root directory, they could poten-

tially trick the C library into loading a user-created configuration file

from the /etc/ directory.

 

Default: NO

 

 

Allow chroot()'ing a user to a directory writable by that user. Note that

setting this to YES is potentially dangerous. For example, if the user

creates an 'etc' directory in the new root directory, they could poten-

tially trick the C library into loading a user-created configuration file

from the /etc/ directory.

 

 

chroot_local_user=YES
# Needed in this exercise only because the jail root ($HOME) is writable by
# the user; vsftpd otherwise refuses the login ("500 OOPS: ... refusing to
# run with writable root inside chroot()"). The man-page text above explains
# why this is risky. Safer layout: leave allow_writeable_chroot at its default
# NO, remove write permission on the home directory itself (chmod a-w) and
# give the user a writable subdirectory for uploads.
allow_writeable_chroot=YES

* 홈디렉토리를 빠져 나갈수 없다. (jail 안에서는 사용자 홈디렉토리가 / 가 된다. root 로 로그인하면 /root 가 jail 이 된다.)
  단, allow_writeable_chroot=YES 는 위 man 페이지 경고대로 사용자가 jail 안에 etc/ 같은 디렉토리를 만들어 C 라이브러리를 속일 여지를 남긴다. 더 안전한 구성은 이 옵션을 기본값(NO)으로 두고 홈디렉토리 자체의 쓰기 권한을 빼고(chmod a-w) 업로드용 하위 디렉토리만 쓰기 가능하게 두는 것이다.

 

# systemctl restart vsftpd

# ftp localhost

root 사용자로 로그인

ftp> pwd

ftp> cd /etc    (jail 안에서 /etc 는 실제로 $HOME/etc 이므로 "Failed to change directory" 가 나오면 정상이다)

 

 

 

 

 

 

 

 

 

 
