[ZEROCOOL]님이 남기신 글:
>-----------------------------------------
>답변자가 기본적으로 참고할 내용입니다.
>- 배포판(옵션) :
>- 커널버전(옵션)
:
>- 데몬버전(예:apache
1.3.27) :
>- 데몬설치유형(RPM/컴파일/기타)
:
>-----------------------------------------
> ################### LogWatch 5.2.2 (06/23/04) ####################
> Processing Initiated: Tue Jul 18 04:03:11 2006
> Date Range Processed: yesterday
> Detail Level of Output: 0
> Logfiles for Host: ns
> ################################################################
>
> --------------------- IMAP Begin ------------------------
>
>[IMAPd] Logout stats:
>====================
> User | Logouts | Downloaded | Mbox
Size
>--------------------------------------- | ------- | ---------- | ----------
<=IMAP 서비스를 이용한 접속을 보여주는 것으로
보입니다.
> jh_park | 8 | |
왜 로그인이 아닌 로그아웃 횟수가
나오는건지는 모르겠습니다.
>----------------------------------------------------------------------------
> 8 | 0 |
0
>
>
>
>**Unmatched Entries**
> Command stream end of file, while reading line user=??? host=[211.41.128.112]: 1
Time(s)
>
> ---------------------- IMAP End -------------------------
>
>
> --------------------- ipop3d Begin ------------------------
>
>
>**Unmatched Entries**
> Mailbox vulnerable - directory /var/spool/mail must have 1777 protection: 752
Time(s) <=일종의 보안경고로 보여집니다. /var/spool/mail 의
퍼미션을 1777로 변경하라고합니다.
>
> ---------------------- ipop3d End -------------------------
>
>
> --------------------- Named Begin ------------------------
>
>
>Zone update refused:
> 218.234.73.136 (kings.co.kr/IN): 52 Time(s)
<= Zone 파일의 로드된 횟수입니다.IN 은 인터넷을
의미하는 클래스라고 되어있습니다.
>
> ---------------------- Named End -------------------------
>
>
> --------------------- pam_unix Begin ------------------------
<= 로그인에 관련된 로그입니다.
>
>crond:
> Unknown Entries:
> session closed for user root: 25 Time(s)
> session opened for user root by (uid=0): 25 Time(s)
>
>sshd:
> Authentication Failures:
> unknown (61.134.1.11): 17 Time(s)
> root (61.134.1.11): 3 Time(s)
> root (202.143.134.178): 1 Time(s)
> test (61.134.1.11): 1 Time(s)
>
>
> ---------------------- pam_unix End -------------------------
>
>
> --------------------- Connections (secure-log) Begin ------------------------
>
>
>Connections:
> Service pop3:
<= 해당 아이피에서 POP3 로 접속
> 218.234.73.136: 394 Time(s)
접속한 횟수가 나옵니다.
> 218.234.73.155: 288 Time(s)
> Service imap:
<= 마찬가지로 imap 으로 접속한
기록입니다.
> 127.0.0.1: 8 Time(s)
로컬에서 8번
> 211.41.128.112: 1 Time(s)
>
> ---------------------- Connections (secure-log) End -------------------------
>
>
> --------------------- sendmail Begin ------------------------
>
>
>
>Bytes Transferred: 6732072 <= 전체 보내진 메일의
용량입니다.
>Messages Sent: 572 <= 전체 보낸 메일의
수입니다.
>Total recipients: 685 <= 전체 받은 메일의 수입니다.
>
>4 messages returned after 2 hours <=
>
>82 User Unknown notifications
>
>Unknown local users: <= 알수없는 로컬유저의
수
>
> Total: 239 <= 총 239명
>
>
>Top relays (recipients/connections - min 10 rcpts, max 50 lines):
> 49/49: [211.229.226.126]
> 33/33: [59.29.36.72]
> 27/18: c-67-162-122-135.hsd1.il.comcast.net [67.162.122.135]
> 26/17: 80-74-74-65.gci.net [65.74.74.80]
> 20/20: [221.201.2.160]
> 15/13: [220.64.48.61]
> 14/2: [125.190.62.34]
> 14/2: [125.190.63.190]
> 14/2: [125.190.63.148]
> 11/11: [219.241.207.109]
> 11/11: [59.17.218.224]
> 11/3: [222.235.223.70]
> 11/11: [125.137.16.222]
> 10/9: [221.201.0.26]
>
>
>Relaying denied:
> From [220.165.246.62] to bocks@gmx.net: 1
Time(s)
> From [221.201.215.60] to silee@yurim.skku.ac.kr: 1
Time(s)
> From [221.201.215.60] to sjkim@yurim.skku.ac.kr: 1
Time(s)
> From [221.201.215.60] to sjklee@yurim.skku.ac.kr: 1
Time(s)
> From [221.201.215.60] to skim@yurim.skku.ac.kr: 1
Time(s)
> From [221.201.215.60] to skjeong@yurim.skku.ac.kr: 1
Time(s)
> From [221.201.215.60] to skkwon@yurim.skku.ac.kr: 1
Time(s)
> From [221.201.215.60] to smcho@yurim.skku.ac.kr: 1
Time(s)
> From [221.201.215.60] to smhan@yurim.skku.ac.kr: 1
Time(s)
> From [222.122.60.184] to charliem634@gmail.com: 1
Time(s)
> From [60.51.132.169] to mohanif@lovemail.com: 1
Time(s)
> From [61.34.46.144] to dnftks1156@hanmail.net: 1
Time(s)
> From adsl-d7.87-197-195.telecom.sk [87.197.195.7] to mohanian@ucsd.edu: 1 Time(s)
> From lns-bzn-58-82-251-253-175.adsl.proxad.net [82.251.253.175] to cgoh88@korea.com: 1 Time(s)
> From mta.hanmail.net [211.233.30.68] to spambuster@ohora.hanmail.net: 1
Time(s)
>
> Total: 15
>
>
>Rejected mail:
> eunjeong.kwon@kor.ccamatil.com
(450 4.4.0 Relaying temporarily denied. Cannot resolve PTR record for 71.93.78.34):
1 Time(s)
> eunsung.ra@kor.ccamatil.com (450
4.4.0 Relaying temporarily denied. Cannot resolve PTR record for 71.93.78.34): 1
Time(s)
> eunjeong.kim@kor.ccamatil.com (450
4.4.0 Relaying temporarily denied. Cannot resolve PTR record for 71.93.78.34): 1
Time(s)
>
> Total: 3
>
>
>Client quit before communicating:
> 125-228-87-124.dynamic.hinet.net : 2 Time(s)
> 190.44.66.68 : 1 Time(s)
> 200.92.229.163 : 1 Time(s)
> 201.27.181.215 : 1 Time(s)
> 201.58.251.158 : 1 Time(s)
> 211.234.104.188 : 1 Time(s)
> 217.132.105.213 : 1 Time(s)
> 218.71.36.163 : 1 Time(s)
> 222.122.60.184 : 1 Time(s)
> 24.206.224.136 : 7 Time(s)
> 36.Red-88-1-104.dynamicIP.rima-tde.net : 1 Time(s)
> 59.10.78.15 : 1 Time(s)
> 68.150.236.237 : 1 Time(s)
> 83.15.18.2 : 1 Time(s)
> 83.28.198.188 : 1 Time(s)
> 84.100.76.83 : 1 Time(s)
> 85.201.14.196 : 1 Time(s)
> 85.68.129.94 : 1 Time(s)
> 87.206.255.31 : 1 Time(s)
> 88.241.252.52 : 1 Time(s)
> actae.ath.forthnet.gr : 1 Time(s)
> doc-24-206-224-136.doc-kw.tx.cebridge.net : 3 Time(s)
>
>
>Authentication warnings:
> [218.234.73.133] didn't use HELO protocol: 1 Time(s)
>
>**Unmatched Entries**
> k6H6TT4U002456[2]: Contains an URL listed in the OB SURBL blocklist\n\t*
[URIs: weilfone.com]\n\t* 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL
blocklist\n\t* [URIs: weilfone.com]: 1 Time(s)
> k6GK8gYq032733[2]: Contains an URL listed in the SC SURBL blocklist\n\t*
[URIs: autoomiaticcat.com]: 1 Time(s)
> k6HDZ9Gk003721: return to sender: Cannot send message for 1 day: 1
Time(s)
> k6H6Tp31002459[2]: SURBL blocklist\n\t* [URIs: pw2005893.com
aer23ret4.com]\n\t* 1.7 MSGID_RANDY Message-Id has pattern used in spam\n\t* 0.1
HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag\n\t* 0.0
MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts\n\t* 1.4
FORGED_MUA_THEBAT_BOUN Mail pretending to be from The Bat! (boundary)\n\t* 1.1
FORGED_THEBAT_HTML The Bat! can't send HTML message only\n\t* 0.0
RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses: 1
Time(s)
> k6GGZ8g9031578: return to sender: Cannot send message for 1 day: 1
Time(s)
> k6H53nVp002138[2]: in this format\n\t* 1.3 FORGED_MUA_OIMO Forged mail
pretending to be from MS Outlook IMO: 1 Time(s)
> k6H1SAND001390[2]: [URIs: arboursterile.com]: 1 Time(s)
> k6HCTa2o003559[2]: Contains an URL listed in the SC SURBL blocklist\n\t*
[URIs: trollshouse.com]: 1 Time(s)
> k6GIDHat031933[2]: fanbuild.com]\n\t* 3.9 URIBL_SC_SURBL Contains an URL listed
in the SC SURBL blocklist\n\t* [URIs: fanbuild.com]: 1 Time(s)
> k6HDZ9Gj003721: return to sender: Cannot send message for 1 day: 1
Time(s)
> k6H35qeD001580[2]: URL listed in the WS SURBL blocklist\n\t* [URIs:
miernitnebrebt.com ieruwu34h5.com]\n\t* 1.7 MSGID_RANDY Message-Id has pattern used
in spam\n\t* 0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only\n\t* 0.1
HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag\n\t* 0.0
FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format\n\t* 0.0
MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts\n\t* 0.0
RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses\n\t* 3.0
FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook: 1
Time(s)
> k6H3qHFg001775[2]: URL listed in the WS SURBL blocklist\n\t* [URIs:
miernitnebrebt.com ieruwu34h5.com]\n\t* 1.7 MSGID_RANDY Message-Id has pattern used
in spam\n\t* 0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
tag\n\t* 0.2 FORGED_QUALCOMM_TAGS QUALCOMM mailers can't send HTML in this
format\n\t* 0.0 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME
parts\n\t* 0.1 FORGED_MUA_EUDORA Forged mail pretending to be from Eudora\n\t* 0.0
RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses: 1
Time(s)
> k6GHZ8IT031830: return to sender: Cannot send message for 1 day: 1
Time(s)
> k6H0LDPj001210[2]: HTML in this format\n\t* 1.3 FORGED_MUA_OIMO Forged mail
pretending to be from MS Outlook IMO: 1 Time(s)
> k6GMEO6Y000881[2]: superaspect.com]\n\t* 3.9 URIBL_SC_SURBL Contains an URL
listed in the SC SURBL blocklist\n\t* [URIs: superaspect.com]: 1
Time(s)
> k6H08nbn001161[2]: [URIs: healfs.com]\n\t* 3.9 URIBL_SC_SURBL Contains an URL
listed in the SC SURBL blocklist\n\t* [URIs: healfs.com]: 1 Time(s)
> k6GJQUkS032641[2]: [URIs: fanbuild.com]\n\t* 3.9 URIBL_SC_SURBL Contains
an URL listed in the SC SURBL blocklist\n\t* [URIs: fanbuild.com]: 1
Time(s)
> k6H3Uh0l001676[2]: listed in the WS SURBL blocklist\n\t* [URIs:
healfs.com]\n\t* 2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL
blocklist\n\t* [URIs: healfs.com]\n\t* 3.9 URIBL_SC_SURBL Contains an URL
listed in the SC SURBL blocklist\n\t* [URIs: healfs.com]: 1 Time(s)
>
>
>Summary:
> Total Mail Rejected: 257
>
> ---------------------- sendmail End -------------------------
>
>
> --------------------- SSHD Begin ------------------------
>
>
>Failed logins from these:
> root/password from ::ffff:202.143.134.178: 1 Time(s)
> root/password from ::ffff:61.134.1.11: 3 Time(s)
> test/password from ::ffff:61.134.1.11: 1 Time(s)
>
>**Unmatched Entries**
>Invalid user scanner from ::ffff:61.134.1.11
>Failed password for invalid user scanner from ::ffff:61.134.1.11 port 57970
ssh2
>Invalid user billing from ::ffff:61.134.1.11
>Failed password for invalid user billing from ::ffff:61.134.1.11 port 58322
ssh2
>Invalid user ringo from ::ffff:61.134.1.11
>Failed password for invalid user ringo from ::ffff:61.134.1.11 port 58496
ssh2
>Invalid user cvsuser from ::ffff:61.134.1.11
>Failed password for invalid user cvsuser from ::ffff:61.134.1.11 port 58675
ssh2
>Invalid user nishida from ::ffff:61.134.1.11
>Failed password for invalid user nishida from ::ffff:61.134.1.11 port 58815
ssh2
>Invalid user jimu from ::ffff:61.134.1.11
>Failed password for invalid user jimu from ::ffff:61.134.1.11 port 58966
ssh2
>Invalid user cherry from ::ffff:61.134.1.11
>Failed password for invalid user cherry from ::ffff:61.134.1.11 port 59117
ssh2
>Invalid user sasaki from ::ffff:61.134.1.11
>Failed password for invalid user sasaki from ::ffff:61.134.1.11 port 59217
ssh2
>Invalid user simon from ::ffff:61.134.1.11
>Failed password for invalid user simon from ::ffff:61.134.1.11 port 59462
ssh2
>Invalid user angelique from ::ffff:61.134.1.11
>Failed password for invalid user angelique from ::ffff:61.134.1.11 port 59833
ssh2
>Invalid user admin from ::ffff:61.134.1.11
>Failed password for invalid user admin from ::ffff:61.134.1.11 port 59962
ssh2
>Invalid user vmware from ::ffff:61.134.1.11
>Failed password for invalid user vmware from ::ffff:61.134.1.11 port 60111
ssh2
>Invalid user ventas from ::ffff:61.134.1.11
>Failed password for invalid user ventas from ::ffff:61.134.1.11 port 60314
ssh2
>Invalid user yamada from ::ffff:61.134.1.11
>Failed password for invalid user yamada from ::ffff:61.134.1.11 port 60447
ssh2
>Invalid user nagios from ::ffff:61.134.1.11
>Failed password for invalid user nagios from ::ffff:61.134.1.11 port 60575
ssh2
>Invalid user svn from ::ffff:61.134.1.11
>Failed password for invalid user svn from ::ffff:61.134.1.11 port 60734
ssh2
>Invalid user temp from ::ffff:61.134.1.11
>Failed password for invalid user temp from ::ffff:61.134.1.11 port 60818
ssh2
>
> ---------------------- SSHD End -------------------------
>
>
>
>------------------ Disk Space --------------------
>
>/dev/mapper/VolGroup00-LogVol00
>/dev/hda1 99M 8.9M 85M 10% /boot
>
>
> ###################### LogWatch End #########################
>
>
>이런식으로 제가 어느 부분이 어떤 것을 알려주는지 여기저기
찾아서
>조금 적어봤는데 나머지를 모르겠습니다. 간단하게라도
나머지 부문이
>어떤 것을 나타내는지만 알려주시면 정말 감사드리겠습니다.
>또 가능하시면 로그와치에서 메일이 왔을때 주의깊게
제일먼저
>봐야할 부분을 좀 알려주시면 정말 감사드리겠습니다.
>
========================================
와 부지런하십니다.
ㅎㅎ
일단 logwatch 는 /var/log 의 messages, maillog, secure, crond 등등의
로그를 LogWatch 가 나름대로(?) 분석해서 그 결과를 메일로
보내는
구조를 갖습니다.
따라서 위의 포맷을 보기 힘들면 직접 해당 로그를 보면
됩니다.
(저 같은 경우)
위의 내용을 하나 하나 주석(?) 다는 것은 솔직히 좀 힘듭니다.
ㅠㅠ
주의 깊게 보아야 할 내용은
sshd 관련 내용과 maillog 에서 스팸 정도입니다.
나머지도 중요하나 그 중요성이 조금 떨어집니다.
1. sshd
ssh 는 특정 유저 그리고 특정 IP/network 에서만 접근하기 때문에
이 부분만 접속을 허용하고 나머지는 모두 막습니다.(hosts.allow,
hosts.deny)
또는 방화벽(iptables) 에서 설정하면 더 좋겠죠.
위의 로그에서 보듯이 61.134.1.11 에서 로그인 할려고 기(?)를
쓰는
모습이 보이네요.
2. maillog
위의 로그에서 스패머으로 의심되는 IP 주소(예:221.201.215.60)
는 RELAY 를 모두 막습니다. iptables 이면 더 좋겠죠.
막을 수 없는 어쩔 수 없는 스팸도 있는데 이 경우는 따로 MUA
에서
필터링하면됩니다(메일서버에서
필터링 해도 됨).
(참고로 제가 관리하는 메일서는 스팸이 있기는 하나 매우
작아서
그냥 방치수준입니다.
ㅠㅠ)
만약 위의 메일서버가 중소규모의 메일서버가 아닌 대용량
또는
웹호스팅용 메일서버라면 사정이 다릅니다.
이 경우는 메일 서버 보안 정책부터 수립(유저 권한, 포트별
접근 정책, 기타)하는 것이 급선무입니다.
원론적인 얘기라서 많은 도움이 못 되었군요.
|
오늘은 대한입니다.
/board/read.php:소스보기 
