Linux (Ubuntu) hacking defense (web server, database, etc.)

I run AWS for a personal pet project, so early on I did not pay much attention to security,

but when I looked closely at the server's state I found traces of several kinds of hacking.

 

  1. Tomcat web-shell malware deployment

    ubuntu:/var/lib/tomcat8/webapps$ ls -lrt
    total 840
    drwxr-xr-x 3 root    root      4096 Mar 12 18:01 ROOT
    drwxr-xr-x 3 tomcat8 tomcat8   4096 Mar 14 00:35 mydata
    drwxr-xr-x 4 tomcat8 tomcat8   4096 Mar 19 21:03 wanli
    drwxr-xr-x 3 tomcat8 tomcat8   4096 Mar 27 00:17 aDRT
    drwxr-xr-x 3 tomcat8 tomcat8   4096 Mar 27 13:34 qdmS

    I had been using the Tomcat admin site for convenience, and the admin account's weak password looks like the cause.
    I deleted those web-shell projects and changed the admin account's password to one with higher complexity.
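The listing above is what a quick eyeball check finds; on a server that is only redeployed occasionally, the same check can run from cron. The script below is an added example, not code from the original post: it looks for JSP files that call into the OS (the one-file web shell pattern) and for webapps modified recently, and it builds a constructed sample tree so it can be tried without a Tomcat install. The marker strings in `WEBSHELL_PATTERN`, the function names and the sample paths are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not from the original post. Scans a Tomcat webapps
# directory for JSP web-shell indicators. Paths and patterns are assumptions.

# Calls that a normal JSP page has no business making; a one-file web shell
# typically reads a request parameter and passes it straight to exec().
WEBSHELL_PATTERN='Runtime\.getRuntime\(\)\.exec|ProcessBuilder|getParameter\("(cmd|command|exec)"\)'

# find_webshell_jsp DIR
# Prints every .jsp/.jspx file under DIR matching WEBSHELL_PATTERN, sorted.
# Returns 1 if anything matched so a cron job can turn it into an alert.
find_webshell_jsp() {
    local matches
    matches=$(find "$1" -type f \( -name '*.jsp' -o -name '*.jspx' \) \
                   -exec grep -lE "$WEBSHELL_PATTERN" {} + 2>/dev/null | sort)
    [ -n "$matches" ] || return 0
    printf '%s\n' "$matches"
    return 1
}

# find_recent_webapps DIR DAYS
# Prints "owner mtime path" for each top-level webapp (directory or .war)
# modified within DAYS days (GNU find). On a server nobody has deployed to,
# any line here is suspect. Apps dropped in through the manager are owned
# by the tomcat user, while a deployment done by root over SSH is owned by
# root, which is exactly the split visible in the ls -lrt listing above.
find_recent_webapps() {
    find "$1" -mindepth 1 -maxdepth 1 \( -type d -o -name '*.war' \) \
         -mtime -"$2" -printf '%u %TY-%Tm-%Td %p\n' | sort
}

# make_sample_webapps
# Builds a constructed webapps tree in a temp dir and prints its path:
# ROOT/ with a harmless page, qdmS/ with a minimal JSP web shell.
make_sample_webapps() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/ROOT" "$dir/qdmS"
    printf '<html><body>Hello <%%= request.getRemoteAddr() %%></body></html>\n' > "$dir/ROOT/index.jsp"
    cat > "$dir/qdmS/shell.jsp" <<'EOF'
<%@ page import="java.io.*" %>
<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
   BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
   String l; while ((l = r.readLine()) != null) out.println(l); %>
EOF
    printf '%s\n' "$dir"
}

# Usage: ./scan-webapps.sh scan [/var/lib/tomcat8/webapps]
case "${1:-}" in
    scan) find_recent_webapps "${2:-/var/lib/tomcat8/webapps}" 7
          find_webshell_jsp "${2:-/var/lib/tomcat8/webapps}" ;;
esac
```

Deleting the matched directories is only the first step: the manager app also leaves the deploy requests in the access log, which tells you when the admin password was first used from outside and therefore which other credentials on the box (such as the DB password in a context file) should be treated as exposed.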


  2. Traces of connections to the database (MySQL) server (mysql error.log)

    error.log:2018-03-26T21:27:53.763227Z 7160 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:54.414126Z 7161 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:55.043999Z 7162 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:55.589774Z 7163 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:56.210796Z 7164 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:56.786349Z 7165 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:57.406633Z 7166 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:58.000088Z 7167 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:58.434606Z 7168 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:58.991067Z 7169 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:59.321888Z 7170 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:59.687066Z 7171 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:00.211582Z 7172 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:00.792386Z 7173 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:01.222343Z 7174 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:01.544091Z 7175 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:02.213445Z 7176 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:02.845606Z 7177 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)

    I found traces of repeated remote connection attempts using the DB connection information obtained through the web-shell.  They appear to have been denied by the MySQL user host restriction, but
    I additionally changed the user information to further restrict the hosts allowed to connect.
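Eighteen denials in nine seconds from one address is a credential-guessing loop, and it is easier to spot when error.log is aggregated per source host instead of read line by line. The script below is an added example, not part of the original post: it counts "Access denied" events per user@host in the MySQL 5.7 error.log format shown above and lists the hosts over a threshold. The sample log it writes is constructed for this example, using RFC 5737 documentation addresses; the function names are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post. Aggregates MySQL "Access denied"
# lines per user@host so a guessing run stands out. Sample data is constructed.

# failed_logins_by_host LOGFILE
# Prints "COUNT USER@HOST FIRST_TS LAST_TS", most failures first. Works on
# the raw error.log and on grep -H output: the timestamp and the user@host
# token are located by pattern, so a leading "file:" prefix does no harm.
failed_logins_by_host() {
    awk -v q="'" '
        /Access denied for user/ {
            ts = "?"
            if (match($0, /[0-9]+-[0-9]+-[0-9]+T[0-9:.]+Z/)) ts = substr($0, RSTART, RLENGTH)
            # the user@host token is wrapped in single quotes (q): user q..q@q..q
            re = "user " q "[^" q "]*" q "@" q "[^" q "]*" q
            if (!match($0, re)) next
            split(substr($0, RSTART + 5, RLENGTH - 5), p, q)   # p[2]=user, p[4]=host
            key = p[2] "@" p[4]
            n[key]++
            if (!(key in first)) first[key] = ts
            last[key] = ts
        }
        END { for (k in n) printf "%d %s %s %s\n", n[k], k, first[k], last[k] }
    ' "$1" | sort -rn
}

# brute_force_sources LOGFILE THRESHOLD
# Prints each source host with at least THRESHOLD failed logins, one per
# line, ready to feed into a firewall blocklist.
brute_force_sources() {
    failed_logins_by_host "$1" |
        awk -v t="$2" '$1 >= t { sub(/^[^@]*@/, "", $2); print $2 }' | sort -u
}

# make_sample_log
# Writes a constructed error.log fragment and prints its path: six guesses
# against root from 198.51.100.7 in three seconds, one mistyped password
# from the application host 203.0.113.20, and one unrelated InnoDB line.
make_sample_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
2018-03-26T21:27:53.763227Z 7160 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2018-03-26T21:27:54.414126Z 7161 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2018-03-26T21:27:55.043999Z 7162 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2018-03-26T21:27:55.589774Z 7163 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2018-03-26T21:27:56.210796Z 7164 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2018-03-26T21:27:56.786349Z 7165 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2018-03-26T21:27:57.000000Z 7166 [Note] Access denied for user 'app'@'203.0.113.20' (using password: YES)
2018-03-26T21:27:58.000000Z 0 [Note] InnoDB: Buffer pool(s) load completed at 180326 21:27:58
EOF
    printf '%s\n' "$f"
}

# Usage: ./mysql-denied.sh report [error.log]   |   ./mysql-denied.sh block [error.log] [threshold]
case "${1:-}" in
    report) failed_logins_by_host "${2:-/var/log/mysql/error.log}" ;;
    block)  brute_force_sources "${2:-/var/log/mysql/error.log}" "${3:-10}" ;;
esac
```

With the hosts in hand, the host restriction the post describes lives in the `host` column of `mysql.user`: `SELECT user, host FROM mysql.user;` shows which accounts accept connections from `%`, and `RENAME USER 'app'@'%' TO 'app'@'203.0.113.20';` pins an account to the application server's address (replace with your own account and host). Setting `bind-address` in mysqld's configuration to the loopback or a private address stops the guessing one layer lower, before MySQL has to evaluate a password at all.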


  3. Looking up the attacker's IP information and blocking the IP (Linux iptables)

    I searched whois for the IPs left in the connection traces.  As expected, they appear to be from China.

    I blocked those IPs using iptables.

    root:/# iptables -A INPUT -s 43.226.33.156 -j DROP
    root:/# iptables -A INPUT -s 221.229.204.101 -j DROP
    root:/# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  43.226.33.156        anywhere
    DROP       all  --  221.229.204.101      anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
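The two `iptables -A` rules above do the job, but they have two weaknesses a practitioner will run into quickly: rules added this way are gone after a reboot, and `-A` appends the DROP after any ACCEPT rule already in the chain, so it is silently ignored once an earlier rule matches. The script below is an added example, not part of the original post: it keeps the addresses in a list file, validates each one before it is handed to iptables, inserts with `-I` so the DROP sits at the top of INPUT, and uses `-C` first so re-running it never duplicates a rule. `IPTABLES`, `BLOCKLIST` and the function names are assumed names, and the list file path is an assumption.

```bash
#!/bin/bash
# Added example, not from the original post. Maintains iptables DROP rules
# from a blocklist file, idempotently. IPTABLES can be pointed at a wrapper
# for dry runs; BLOCKLIST is an assumed location.
IPTABLES=${IPTABLES:-iptables}
BLOCKLIST=${BLOCKLIST:-/etc/blocklist.txt}

# is_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255, so that a
# mangled log line or a hostname never reaches iptables as a "source".
is_ipv4() {
    local IFS=. o
    set -- $1
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDR: insert a DROP at the head of INPUT unless the identical
# rule is already present. Returns 0 when a rule was added, 3 when it was
# already there, 2 for a bad address, and iptables' own status if it fails.
block_ip() {
    is_ipv4 "$1" || { printf 'skip: %s is not an IPv4 address\n' "$1" >&2; return 2; }
    if "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null; then
        return 3
    fi
    "$IPTABLES" -I INPUT -s "$1" -j DROP
}

# apply_blocklist FILE: one address per line, blank lines and '#' comments
# allowed. Prints how many rules were newly added. Run it from an @reboot
# cron entry (or a systemd unit) so the rules come back after a restart.
apply_blocklist() {
    local file=${1:-$BLOCKLIST} line ip added=0
    while IFS= read -r line || [ -n "$line" ]; do
        ip=${line%%#*}
        ip=$(printf '%s' "$ip" | tr -d '[:space:]')
        [ -n "$ip" ] || continue
        if block_ip "$ip"; then added=$((added + 1)); fi
    done < "$file"
    printf '%d\n' "$added"
}

# add_to_blocklist ADDR [FILE]: record a new address (validated, no
# duplicates in the file) and block it immediately.
add_to_blocklist() {
    local file=${2:-$BLOCKLIST}
    is_ipv4 "$1" || return 2
    grep -qxF "$1" "$file" 2>/dev/null || printf '%s\n' "$1" >> "$file"
    block_ip "$1"
}

# Usage: ./blocklist.sh apply   |   ./blocklist.sh add 43.226.33.156
case "${1:-}" in
    apply) apply_blocklist "$BLOCKLIST" ;;
    add)   add_to_blocklist "$2" ;;
esac
```

Blocking individual addresses is reactive by nature; the next attempt comes from a different host. The list is still worth keeping, but the durable fix is the one in sections 1 and 2: strong credentials on the manager app and a MySQL port that is not reachable from the internet in the first place (the AWS security group is the right place for that).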

     

Linux (Ubuntu) – users (create/delete/permissions etc.)

1. adduser  : prompts for the password at account creation and fills in the basic information right away.  The home directory is also created automatically.

root# adduser tomcat
Adding user `tomcat' ...
Adding new group `tomcat' (1002) ...
Adding new user `tomcat' (1002) with group `tomcat' ...
Creating home directory `/home/tomcat' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for tomcat
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y

 

2. useradd  : creates only the bare account; the home directory and password must be set separately.

3. usermod  : handles an account's groups, home directory and so on.

root# usermod -aG sudo tomcat
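One caveat on the sequence above: `adduser tomcat` gives the account a login shell and a password, and `usermod -aG sudo tomcat` then grants it root through sudo. If `tomcat` is the account the web server runs as (rather than an administrator's own login), that is the opposite of what section 1 calls for, because a web shell running as that user inherits the sudo membership along with it. The script below is an added example, not part of the original post: it shows the non-interactive `useradd` form for a service account (system UID, no password, `nologin` shell) and a small audit that checks an account against a passwd/group pair for those two properties. `SERVICE_SHELLS`, the function names and the constructed sample files are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not from the original post. Creates a service account the
# non-interactive way and audits an account for two least-privilege
# properties: no login shell, no sudo membership. Names are assumptions.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
GROUP_FILE=${GROUP_FILE:-/etc/group}
SERVICE_SHELLS='/usr/sbin/nologin /sbin/nologin /bin/false'

# create_service_account NAME HOME
# useradd, not adduser: no prompts, UID from the system range, no password
# (so the account stays locked) and a nologin shell. Needs root.
create_service_account() {
    useradd --system --user-group --create-home --home-dir "$2" \
            --shell /usr/sbin/nologin "$1"
}

# user_shell NAME: prints the login shell recorded in PASSWD_FILE.
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$PASSWD_FILE"
}

# user_in_group NAME GROUP: succeeds if NAME is a supplementary member of
# GROUP, or if GROUP is NAME's primary group.
user_in_group() {
    local gid
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$PASSWD_FILE")
    awk -F: -v u="$1" -v g="$2" -v gid="$gid" '
        $1 == g {
            if ($3 == gid) found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit !found }' "$GROUP_FILE"
}

# check_service_account NAME
# Prints one line per problem and returns 1 if the account has a login
# shell or can reach root through sudo/admin/wheel; returns 0 when clean.
check_service_account() {
    local shell rc=0 g
    shell=$(user_shell "$1")
    [ -n "$shell" ] || { printf '%s: no such account\n' "$1"; return 1; }
    case " $SERVICE_SHELLS " in
        *" $shell "*) ;;
        *) printf '%s: login shell is %s\n' "$1" "$shell"; rc=1 ;;
    esac
    for g in sudo admin wheel; do
        if user_in_group "$1" "$g"; then
            printf '%s: member of %s\n' "$1" "$g"; rc=1
        fi
    done
    return $rc
}

# make_sample_files: constructed passwd/group pair in a temp dir, printed as
# its path. "tomcat" is what adduser plus usermod -aG sudo leaves behind;
# "tomcat-svc" is what create_service_account produces.
make_sample_files() {
    local d
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
tomcat:x:1002:1002:,,,:/home/tomcat:/bin/bash
tomcat-svc:x:998:998::/opt/tomcat:/usr/sbin/nologin
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
sudo:x:27:ubuntu,tomcat
ubuntu:x:1000:
tomcat:x:1002:
tomcat-svc:x:998:
EOF
    printf '%s\n' "$d"
}

# Usage: ./svc-account.sh check tomcat8
case "${1:-}" in
    check) check_service_account "$2" ;;
esac
```

If an administrator needs sudo and also needs to operate Tomcat, the usual split is two accounts: a personal login in the `sudo` group and a separate service account the daemon runs as, with file ownership on the webapps directory deciding who can deploy rather than root access.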

 
