![\"\"](\"http:\/\/pchero21.com\/wp-content\/uploads\/1\/XWdB3iyG6m.png\")
<\/p>\n* psad\ub97c \uc774\uc6a9\ud55c \ud3ec\ud2b8 \uc2a4\uce94 \ud0d0\uc9c0.<\/p>\n
TCP\/IP \uc288\ud2b8 \uc804\uccb4\ub97c \ubaa8\ub450 \uad6c\ud604\ud558\uba74 \ub300\uaddc\ubaa8\uc758 \ubcf5\uc7a1\ud55c \ucf54\ub4dc\uac00 \ub418\uba70, \uc774\ub7ec\ud55c \ubcf5\uc7a1\ub3c4\ub294 \uc815\ud0d0 \uc2dc\ub3c4\uc5d0\uc11c \uc11c\ube44\uc2a4 \uac70\ubd80 \uacf5\uaca9\uc5d0 \uc774\ub974\ub294 \ubaa8\ub4e0 \uacf5\uaca9\uc758 \uc88b\uc740 \ubaa9\ud45c\uac00 \ub41c\ub2e4.<\/p>\n
\ud3ec\ud2b8 \uc2a4\uce94\uc740 \uc6d0\uaca9 \ubaa9\ud45c\uc5d0\uc11c \uc815\ubcf4\ub97c \uc5bb\uae30 \uc704\ud55c \uc911\uc694\ud55c \uae30\uc220\ub85c psad\ub294 \uae30\ubcf8\uc801\uc73c\ub85c \ub9ac\ub205\uc2a4 \uc2dc\uc2a4\ud15c\uc744 \uc704\ud55c \uace0\uae09 \ud3ec\ud2b8 \uc2a4\uce94 \ud0d0\uc9c0 \uae30\ub2a5\uc744 \uc81c\uacf5\ud560 \ubaa9\uc801\uc73c\ub85c \uac1c\ubc1c\ub410\ub2e4.<\/p>\n
3\uc7a5\uc5d0\uc11c\uc640 \ub9c8\ucc2c\uac00\uc9c0\ub85c \uc2dc\uc2a4\ud15c\uc744 \ud3ec\ud2b8 \uc2a4\uce94\ud558\uae30 \uc704\ud574 Nmap\uc744 \uc0ac\uc6a9\ud55c\ub2e4. \uadf8\ub7ec\ub098 \uc774\ubc88\uc5d0\ub294 \uc2a4\uce94 \ubaa9\ud45c\uac00 iptables \ub85c\uadf8\ub97c \ubd84\uc11d\ud558\uae30 \uc704\ud55c psad\ub97c \uc2e4\ud589 \uc911\uc774\ub2e4. Nmap\uc744 \uc0ac\uc6a9\ud574\uc11c \ub2e4\uc74c\uacfc \uac19\uc740 \uc885\ub958\uc758 \ud3ec\ud2b8 \uc2a4\uce94\uc744 \uc0dd\uc131\ud558\uace0 \uc774\ub97c psad\uac00 \uc5b4\ub5bb\uac8c \ud0d0\uc9c0\ud558\ub294\uc9c0 \uc54c\uc544\ubcf4\uc790.<\/p>\n
TCP connect() \uc2a4\uce94
TCP SYN\uc774\ub098 \ubc18\uac1c\ubc29 \uc2a4\uce94
TCP FIN, XMAS, NULL \uc2a4\uce94
UDP \uc2a4\uce94<\/p>\n
\uba3c\uc800 psad\ub97c \uc2e4\ud589\uc2dc\ud0a4\uc790.<\/p>\n
<\/p>\n
NMAP\uacfc \uc655\ubcf5\uc2dc\uac04.<\/p>\n
\uc774 \uc808\uc758 \uc2a4\uce94 \uc608\uc81c \ub300\ubd80\ubd84\uc5d0\uc11c Nmap\uc758 \uc2dc\uac04 \uad00\ub828 \uc635\uc158(\uc608\ub97c \ub4e4\uc5b4 -T\uc640 –max-rtt-timeout)\uc740 Nmap\uc774 \uc5bc\ub9c8\ub098 \ube68\ub9ac \ubaa9\ud45c\ub97c \uc2a4\uce94\ud560 \uc218 \uc788\ub294\uc9c0\uc5d0 \uc601\ud5a5\uc744 \ubbf8\uce5c\ub2e4. iptables\ub294 \ub85c\uceec \uc2a4\ud0dd\uc774 \uac01 \uc2a4\uce94 \ud0d0\uc0ac\uc5d0\uac8c \uc804\uc1a1\ud560 \uc218 \uc788\ub294 \uc751\ub2f5\uc744 \uac15\ud558\uac8c \uc81c\ud55c\ud558\uae30 \ub54c\ubb38\uc5d0 Nmap\uc774 \uc808\ub300\ub85c \ubc1b\uc9c0 \ubabb\ud55c \uc751\ub2f5\uc744 \uae30\ub2e4\ub9ac\ub294 \uc2dc\uac04\uc744 \uc81c\ud55c\ud558\ub294 \uac83\uc774 \uc88b\ub2e4. \uc608\ub97c \ub4e4\uc5b4 Nmap\uc774 \ud3ec\ud2b8 5000\uc73c\ub85c SYN \ud328\ud0b7\uc744 \uc804\uc1a1\ud558\ub294 \uacbd\uc6b0 iptables\ub294 \uc774\uac83\uc744 \ubc84\ub9ac\uae30 \ub54c\ubb38\uc5d0 \ubaa9\ud45c \uc2a4\ud0dd\uc740 \uc808\ub300 Nmap\uc774 \uae30\ub2e4\ub9ac\ub294 SYN\/ACK\uc774\ub098 RST\/ACK\ub97c \uc804\uc1a1\ud558\uc9c0 \uc54a\ub294\ub2e4. (–max-rtt-timeout \uc635\uc158\uc744 \uc0ac\uc6a9\ud574\uc11c) Nmap\uc774 \uc774\ub7ec\ud55c \uc751\ub2f5\uc744 \uae30\ub2e4\ub9ac\ub294 \uc2dc\uac04\uc744 \uc904\uc784\uc73c\ub85c\uc368 \uc2dc\uc2a4\ud15c \uc2a4\uce94\uc5d0 \ud544\uc694\ud55c \uc804\uccb4 \uc2dc\uac04\uc744 \ub2e8\ucd9c\ud560 \uc218 \uc788\ub2e4(–max-rtt-timeout \uac12\uc758 \uc801\uc808\ud55c \uc0c1\ud5a5 \uac12\uc744 \uacb0\uc815\ud558\ub294 \ubc29\ubc95 \uc911 \ud558\ub098\ub294 \uc2a4\uce94 \uc2dc\uc791 \uc804\uc5d0 \ubaa9\ud45c\uae4c\uc9c0\uc758 \uc655\ubcf5 \uc2dc\uac04\uc744 \uce21\uc815\ud558\uae30 \uc704\ud574 ping \uc720\ud2f8\ub9ac\ud2f0\ub97c \uc0ac\uc6a9\ud558\ub294 \uac83\uc774\ub2e4).<\/p><\/blockquote>\n
– TCP connect() \uc2a4\uce94<\/p>\n
Nmap TCP connect() \uc2a4\uce90\ub2dd \ubaa8\ub4dc(-sT)\ub294 \uc720\ub2c9\uc2a4 \ubc29\uc2dd\uc758 \uc6b4\uc601\uccb4\uc81c\uc5d0\uc11c\ub294 \ud2b9\uad8c\uc744 \uac00\uc9c0\uc9c0 \uc54a\uc740 \uc0ac\uc6a9\uc790\ub3c4 \uc774\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc788\ub2e4. \uc6b0\uc120 \ubaa9\ud45c IP \uc8fc\uc18c X.X.X.X\uc5d0 \ub300\ud55c TCP connect() \uc2a4\uce94\uc744 \uc0b4\ud3b4\ubcf4\uc790.<\/p>\n
soft-ftp:\/etc# nmap -sT -n 117.17.172.120 –max-rtt-timeout 500<\/p>\n
Starting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2010-07-01 23:34 KST
Interesting ports on 117.17.172.120:
Not shown: 1672 filtered ports
PORT STATE SERVICE
20\/tcp closed ftp-data
21\/tcp open ftp
22\/tcp open ssh
43\/tcp closed whois
53\/tcp closed domain
80\/tcp open http
443\/tcp closed https
873\/tcp closed rsync<\/p><\/blockquote>\nchd 1672 \uac1c \uc774\uc0c1\uc758 \ud3ec\ud2b8\ub97c \uc2a4\uce94 \ud588\uc9c0\ub9cc, iptables \uac00 connection \uc2dc\ub3c4\uc758 \ub300\ubd80\ubd84\uc744 \ubc84\ub9ac\uae30 \ub54c\ubb38\uc5d0 \uc608\uc0c1\ub300\ub85c \uac70\uc758 \uc804\ubd80 \ud544\ud130\ub9c1\ub410\ub2e4. \uc2a4\uce94\uc774 \ub05d\ub098\uba74 psad\uac00 \uc2a4\uce94\uc744 \ud0d0\uc9c0\ud588\ub294\uc9c0 \uc54c\uc544\ubcf4\uae30 \uc704\ud574 \/var\/log\/message \ud30c\uc77c\uc744 \ubcf4\uc790.<\/p>\n
Jul 1 23:51:01 seclab psad: scan detected: Y.Y.Y.Y -> X.X.X.X tcp: [1-65301] flags: SYN tcp pkts: 1498 DL: 4
Jul 1 23:51:06 seclab psad: scan detected: Y.Y.Y.Y -> X.X.X.X tcp: [44-13701] flags: SYN tcp pkts: 51 DL: 4<\/p><\/blockquote>\npsad syslog \uba54\uc2dc\uc9c0\uc5d0\uc11c\ub294 \ucd9c\ubc1c\uc9c0\uc640 \ubaa9\uc801\uc9c0 IP \uc8fc\uc18c, \uc2a4\uce94\ub41c TCP \ud3ec\ud2b8\uc758 \ubc94\uc704(1 ~ 655301), \uc804\uc1a1\ub41c \ud50c\ub798\uadf8(\uc774 \uacbd\uc6b0 SYN), \uc804\uc1a1\ub41c \uc804\uccb4 \ud328\ud0b7 \uc218, psad\uac00 \uc774 \uc2a4\uce90\ub108\uc5d0 \ud560\ub2f9\ud55c \uc704\ud5d8 \uc218\uc900(DL:4)\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.<\/p>\n
\uc774 \uacbd\uc6b0 psad\uac00 \uac10\uc2dc\ud55c \ud328\ud0b7 \uc218\ub294 1498 + 51\uac1c\uc774\uba70 \uc774\ub294 (\/etc\/psad\/psad.conf \uc5d0 DANGER_LEVEL4 \ubcc0\uc218\ub85c \uc815\uc758\ub41c) \uc704\ud5d8 \uc218\uc900 4\uc5d0 \ub3c4\ub2ec\ud558\uae30 \uc704\ud55c 1500\uac1c\ub97c \ub118\ub294 \uc218\uce58\uc774\ub2e4. psad\ub294 \uba54\uc77c \uacbd\uace0\ub3c4 \uc0dd\uc131\ud558\uba70 \uba54\uc77c \uacbd\uace0\uc5d0\ub294 \ud55c \uc904\uc9dc\ub9ac syslog \uba54\uc2dc\uc9c0\uc5d0 \ub2f4\uc744 \uc218 \uc788\ub294 \uac83\ubcf4\ub2e4 \ud6e8\uc52c \ub354 \ub9ce\uc740 \uc815\ubcf4\uac00 \ud3ec\ud568\ub41c\ub2e4.<\/p>\n
\uc2a4\uce94\ud558\uae30 \uc704\ud574 psad\uac00 \uc0ac\uc6a9\ud55c iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub97c \ubcf4\uae30 \uc704\ud574\uc11c \/var\/log\/psad\/fwdata \ud30c\uc77c\uc744 \uc0b4\ud3b4\ubcf4\uc790.<\/p>\n
Jul 1 23:50:41 seclab kernel: [3742118.695465] DROP IN=eth0 OUT= <\/span>MAC=00:21:5e:4e:bb:da:00:11:88:42:99:43:08:00 SRC=Y.Y.Y.Y<\/span> DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=37394 DF PROTO=TCP<\/span> SPT=50333 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A240A475B0000000001030304)
Jul 1 23:50:41 seclab kernel: [3742118.695615] DROP IN=eth0 OUT= MAC=00:21:5e:4e:bb:da:00:11:88:42:99:43:08:00 SRC=Y.Y.Y.Y DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=35732 DF PROTO=TCP SPT=43748 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A240A475B0000000001030304)
Jul 1 23:50:41 seclab kernel: [3742118.695676] DROP IN=eth0 OUT= MAC=00:21:5e:4e:bb:da:00:11:88:42:99:43:08:00 SRC=Y.Y.Y.Y DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=44122 DF PROTO=TCP SPT=47712 DPT=1723 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A240A475B0000000001030304)
Jul 1 23:50:41 seclab kernel: [3742118.696293] DROP IN=eth0 OUT= MAC=00:21:5e:4e:bb:da:00:11:88:42:99:43:08:00 SRC=Y.Y.Y.Y DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=931 DF PROTO=TCP SPT=45962 DPT=389 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A240A475B0000000001030304)<\/p><\/blockquote>\n\uc774\uc81c \ub85c\uadf8\ub97c \ubd84\uc11d\ud574\ubcf4\uc790.<\/p>\n
\uba3c\uc800 \ucd9c\ub825 \uc778\ud130\ud398\uc774\uac00 \ube48\uce78\uc778 \ubb38\uc790\uc5f4 OUT= \uc740 \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub97c \uc0dd\uc131\ud55c \ud328\ud0b7\uc774 iptables INPUT \uccb4\uc778 \ub0b4\uc5d0\uc11c LOG \uaddc\uce59\uacfc \ub9e4\uce6d\ub410\ub294\uc9c0 \uc544\ub2c8\uba74 \ucee4\ub110\uc5d0\uc11c \ub77c\uc6b0\ud305 \uacc4\uc0b0\uc744 \uc218\ud589\ud558\uae30 \uc804\uc5d0 \uc5b4\ub5a4 \uccb4\uc778(\uc608\ub97c \ub4e4\uc5b4 raw \ud14c\uc774\ube14\uc758 PREROUTING \uccb4\uc778)\uc758 LOG \uaddc\uce59\uacfc \ub9e4\uce6d\ub410\ub294\uc9c0 \uc54c\ub824\uc900\ub2e4.<\/p>\n
iptables \ub85c\uae45 \ud615\uc2dd\uc740 LOG \uaddc\uce59\uc744 \ud3ec\ud568\ud558\ub294 iptables \uccb4\uc778\uc744 \uba85\uc2dc\uc801\uc73c\ub85c \ud3ec\ud568\ud558\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc5d0 \uc704 \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub85c\ubd80\ud130\ub294 \ud328\ud0b7\uc774 INPUT \uccb4\uc778\uacfc PREROUTING \uccb4\uc778 \uc911 \uc5b4\ub290 \ucabd\uc73c\ub85c\ubd80\ud130 \uae30\ub85d\ub410\ub294\uc9c0 \uc54c \uc218 \uc5c6\ub2e4. \uadf8\ub7ec\ub098 iptables \uc815\ucc45\uc774 PREROUTING\uc774\ub098 POSTROUTING \uccb4\uc778\ubcf4\ub2e4\ub294 INPUT, FORWARD, OUTPUT \uccb4\uc778\uc5d0 \ub354 \ub9ce\uc740 \uae30\ubcf8 LOG \uaddc\uce59\uc744 \ub450\uae30 \ub54c\ubb38\uc5d0 psad\ub294 \uc624\ub4e0 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\uc5d0 \ub2e4\uc74c\uacfc \uac19\uc740 \uaddc\uce59\uc774 \uc801\uc6a9\ub41c\ub2e4\uace0 \uac00\uc815\ud55c\ub2e4.<\/p>\n
– \ucd9c\ub825 \uc778\ud130\ud398\uc774\uc2a4\ub97c \ud3ec\ud568\ud558\uc9c0 \uc54a\ub294 \uba54\uc2dc\uc9c0\ub294 INPUT \uccb4\uc778\uc5d0\uc11c \uae30\ub85d\ub41c \uac83\uc774\ub2e4.
– \uc785\ub825 \uc778\ud130\ud398\uc774\uc2a4\ub97c \ud3ec\ud568\ud558\uc9c0 \uc54a\ub294 \uba54\uc2dc\uc9c0\ub294 OUTPUT \uccb4\uc778\uc5d0\uc11c \uae30\ub85d\ub41c \uac83\uc774\ub2e4.
– \uc785\ub825\uacfc \ucd9c\ub825 \uc778\ud130\ud398\uc774\uc2a4\ub97c \ubaa8\ub450 \ud3ec\ud568\ud558\ub294 \uba54\uc2dc\uc9c0\ub294 FORWARD \uccb4\uc778\uc5d0\uc11c \uae30\ub85d\ub41c \uac83\uc774\ub2e4. <\/p><\/blockquote>\n\uadf8\ub7ec\ubbc0\ub85c \uc55e\uc11c \ub17c\uc758\ud55c TCP connect() \uc2a4\uce94\uc758 \uacbd\uc6b0 psad\ub294 \uc2a4\uce94\uc774 INPUT \uccb4\uc778\uc744 \ud1b5\ud574 \uae30\ub85d\ub410\ub2e4\uace0 \uac00\uc815\ud558\uba70, iptables.sh \uc2a4\ud06c\ub9bd\ud2b8\uac00 \uc0dd\uc131\ud55c iptables \uc815\ucc45\uc73c\ub85c\ubd80\ud130 \ub530\uc838\ubcf4\uba74 \uc774\uac83\uc774 \uc0ac\uc2e4\uc784\uc744 \uc54c \uc218 \uc788\ub2e4. \ucd9c\ubc1c\uc9c0 IP \uc8fc\uc18c Y.Y.Y.Y \ub294 \ub85c\uadf8 \uba54\uc2dc\uc9c0\uc5d0 \ud3ec\ud568\ub418\ubbc0\ub85c psad\ub294 \uc2a4\uce94\uc774 \uc2dc\uc791\ub41c \uc9c0\uc810\uc744 \uc54c \uc218 \uc788\ub2e4.<\/p>\n
– \ub54c\ub54c\ub85c \uc2a4\uce94\uc774 \uc815\uad50\ud558\uac8c \uc2a4\ud478\ud551\ub420 \uc218 \uc788\uae30 \ub54c\ubb38\uc5d0 \uc774 IP \uc8fc\uc18c\uac00 \uc2a4\uce94\uc758 \uc2e4\uc81c \ucd9c\ubc1c\uc9c0\ub77c\uace0 \uc804\uc801\uc73c\ub85c \ubbff\uc744 \uc218 \uc5c6\ub2e4\ub294 \uc0ac\uc2e4\uc744 \uae30\uc5b5\ud558\uc790. Nmap\uc740 \ub8e8\ud2b8\ub85c \uc2e4\ud589\ub420 \ub54c \ubbf8\ub07c(decoy) \uc635\uc158(-D)\uc744 \uc0ac\uc6a9\ud574\uc11c \uc2a4\ud478\ud551\ub41c \uc2a4\uce94\uc744 \uc804\uc1a1\ud560 \uc218 \uc788\uc73c\uba70, Idle \uc2a4\uce94\uc740 \ud544\uc218 \uad6c\uc131 \uc694\uc18c\ub85c IP \uc2a4\ud478\ud551\uc744 \uc0ac\uc6a9\ud55c\ub2e4.<\/p><\/blockquote>\n
\ub2e4\uc74c\uc73c\ub85c \uad75\uac8c \ud45c\uc2dc\ub41c PROTO=TCP \uc640 \uc774\ud6c4\uc758 \ud56d\ubaa9\ub4e4\uc744 \uc870\ud569\ud574 \ubcf4\uba74 \uc2a4\uce94\ub41c \ud504\ub85c\ud1a0\ucf5c\uacfc \ud3ec\ud2b8, \uc0ac\uc6a9\ub41c \ud50c\ub798\uadf8 \ub4f1\uc744 \uc54c \uc218 \uc788\ub2e4. \uc774 \uc608\uc5d0\uc11c \uc2a4\uce94 \uc218\ud589\uc790\ub294 TCP \ud3ec\ud2b8\uc5d0 \uad00\uc2ec\uc774 \uc788\uc73c\uba70, \uc2a4\uce94 \ud328\ud0b7\uc740 SYN \ud50c\ub798\uadf8\ub9cc\uc744 \uc124\uc815\ud558\uace0 \uc788\ub2e4.<\/p>\n
\uc55e\uc120 connect() \uc2a4\uce94\uc5d0\uc11c\ub294 \ucd1d 1672 \uac1c\uc758 \ud3ec\ud2b8\ub97c \uc2a4\uce94\ud588\uc9c0\ub9cc \/var\/log\/psad\/fwdata \ud30c\uc77c\uc5d0 \uae30\ub85d\ub41c iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub294 1498 + 51 \uac1c \ubfd0\uc774\ub77c\ub294 \uac83\uc744 \uc0c1\uae30\ud558\uc790. \uc774 \ucc28\uc774\ub294 iptables\uac00 \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub97c \uc0dd\uc131\ud558\ub294 \uc18d\ub3c4\uc640 Nmap\uc73c\ub85c\ubd80\ud130\uc758 SYN \ud328\ud0b7 \uc7ac\uc804\uc1a1\uc774\ub77c\ub294 \ub450 \uac00\uc9c0 \uc694\uc18c\uc5d0\uc11c \uae30\uc778\ud55c\ub2e4. \ub0b4\ubd80\uc801\uc73c\ub85c\ub294 iptables\ub294 \ucee4\ub110 \ub0b4\uc758 \uace0\ub9ac \ubc84\ud37c\uc5d0 \uae30\ub85d\ud558\uae30 \ub54c\ubb38\uc5d0 \uc774\uc804 \uba54\uc2dc\uc9c0\ub97c \uba85\uba85\ub41c \ud30c\uc774\ud504 \/var\/lib\/psad\/psadfifo \uc5d0 \uae30\ub85d\ud558\uae30 \uc804\uc5d0 \uc0c8\ub85c\uc6b4 \uba54\uc2dc\uc9c0\ub85c \uace0\ub9ac \ubc84\ud37c\ub97c \ub36e\uc5b4\uc4f8 \uc218 \uc788\uc744 \uc815\ub3de\ud3ec \ud2b8\ub798\ud53d \uc18d\ub3c4\uac00 \ube60\ub974\ub2e4\uba74 \uc774\uc804 \uba54\uc2dc\uc9c0\ub294 \uc190\uc2e4\ub41c\ub2e4. \ud2b8\ub808\uc774\ub4dc \uc624\ud504\ub294 \uba87 \uac1c\uc758 \ub85c\uae45 \uba54\uc2dc\uc9c0\ub97c \uc783\ub294 \ub300\uc2e0 \uc2dc\uc2a4\ud15c\uc774 \uc5b4\ub290 \uc815\ub3c4 \uc548\uc815\ub41c \uc218\uc900\uc744 \uc720\uc9c0\ud558\uba70 \uc791\uc5c5\uc744 \uc9c0\uc18d\ud560 \uc218 \uc788\ub2e4\ub294 \uac83\uc774\ub2e4.(\uc774\ub294 \uc88b\uc740 \ud2b8\ub808\uc774\ub4dc\uc624\ud504\ub85c \ubcfc \uc218 \uc788\ub2e4). Nmap\uc740 \uc8fc\ub85c \uc751\ub2f5\ud558\uc9c0 \uc54a\ub294 \ud3ec\ud2b8\ub2f9 \ud558\ub098\uc758 \uc7ac\uc2dc\ub3c4 \ud328\ud0b7\uc744 \uc804\uc1a1\ud558\uae30 \ub54c\ubb38\uc5d0 \uc774 \uc608\uc758 \uc2a4\uce94\uc5d0\uc11c Nmap\uc740 \uc2e4\uc81c\ub85c \uc774\ubcf4\ub2e4 \ub354 \ub9ce\uc740 \ud328\ud0b7\uc744 \uc804\uc1a1\ud588\ub2e4.<\/p>\n
– TCP SYN \uc774\ub098 \ubc18\uac1c\ubc29 \uc2a4\uce94<\/p>\n
\uc774\uc81c Nmap\uc758 SYN(\ub610\ub294 \ubc18\uac1c\ubc29) \uc2a4\uce94 \ubc29\ubc95\uc744 \uc0b4\ud3b4\ubcf4\uc790. SYN \uc2a4\uce94\uc740 Nmap\uc774 \ud2b9\uad8c \uc0ac\uc6a9\uc790\uc5d0 \uc758\ud574 \uc2e4\ud589\ub420 \ub54c\uc758 \uae30\ubcf8 \uc2a4\uce94 \ubc29\uc2dd\uc774\ub2e4(\uc2e4\uc81c\ub85c \uc774 \uc2a4\uce94\uc744 \ud3ec\ud568\ud55c \uae30\ud0c0 \ud765\ubbf8\ub85c\ub204 Nmap \uc2a4\uce94 \ubc29\uc2dd\uc774 \uc6d0\uc2dc \uc18c\ucf13\uc73c\ub85c\uc758 \uc811\uadfc\uc744 \ud544\uc694\ub85c \ud558\uae30 \uc9f8\ubb38\uc5d0 \ud2b9\uad8c \uc0ac\uc6a9\uc790\ub9cc\uc774 \uc2e4\ud589\ud560 \uc218 \uc788\ub2e4).<\/p>\n
\ubaa9\ud45c \uc2dc\uc2a4\ud15c\uc758 iptables \ubc29\ud654\ubcbd\uc774 TCP \ud3ec\ud2b8 80\uc73c\ub85c \uc804\uc1a1\ub418\ub294 \ubaa8\ub4e0 SYN \ud328\ud0b7\uc744 \ubc84\ub9ac\uac8c \uc124\uc815\ub410\uae30 \ub54c\ubb38\uc5d0 \ub124\ud2b8\uc6cc\ud06c\uc0c1\uc5d0\uc11c SYN \uc2a4\uce94\uc740 \uc815\uaddc TCP connect() \uc2a4\uce94\uacfc \uac70\uc758 \ub3d9\uc77c\ud558\uac8c \ubcf4\uc774\ub294\ub370, \uc774\ub294 \uc2a4\uce90\ub108\uc758 TCP \uc2a4\ud0dd\uc774 \uc751\ub2f5\ud574\uc57c \ud558\ub294 SYN\/ACK \ud328\ud0b7\uc774 \uac70\uc758 \uc5c6\uae30 \ub54c\ubb38\uc774\ub2e4. \ub3d9\uc77c\ud55c \ucd9c\ubc1c\uc9c0 \uc8fc\uc18c\ub85c\ubd80\ud130\uc758 SYN \ud328\ud0b7\uc744 \ubcfc \uc218 \uc788\uc744 \ubfd0 \uadf8 \ubc16\uc758 \uc5b4\ub5a4 \uac83\ub3c4 \ubcfc \uc218 \uc5c6\ub2e4.<\/p>\n
\uc774\ub7ec\ud55c \ub17c\uc99d\uc774 \uc774\ub860\uc801\uc73c\ub85c\ub294 \uc77c\ubc18\uc801\uc73c\ub85c \uc815\ub2f9\ud574 \ubcf4\uc774\uc9c0\ub9cc \uc2e4\uc81c\ub85c\ub294 SYN \uc2a4\uce94\uacfc connect() \uc2a4\uce94 \ubaa8\ub450\uc5d0\uc11c iptables\uc774 \ucd08\uae30 SYN \ud328\ud0b7\uc744 \ubc84\ub9bc\uc5d0\ub3c4 \ubd88\uad6c\ud558\uace0 \ub450 \uc2a4\uce94\uac04\uc5d0\ub294 \uba87 \uac00\uc9c0 \uc911\ub300\ud55c \ucc28\uc774\uc810\uc774 \uc874\uc7ac\ud55c\ub2e4. \uc774\ub7ec\ud55c \ucc28\uc774\uc810\uc740 SYN \uc2a4\uce94 \ubaa8\ub4dc\uc758 Nmap\uc774 \uc804\uc1a1\ud55c SYN \ud328\ud0b7\uacfc Nmap connect() \uc2a4\uce94\uc744 \ud1b5\ud574 TCP \uc2a4\ud0dd \uc790\uccb4\uac00 \uc804\uc1a1\ud55c SYN \ud328\ud0b7\uacfc Nmap connect() \uc2a4\uce94\uc744 \ud1b5\ud574 TCP \uc2a4\ud0dd \uc790\uccb4\uac00 \uc804\uc1a1\ud55c SYN \ud328\ud0b7\uc758 \ud2b9\uc815 \ud328\ud0b7 \ud5e4\ub354 \ud56d\ubaa9\uc5d0 \uc874\uc7ac\ud55c\ub2e4. 3\uc7a5\uc5d0\uc11c \uc0b4\ud3b4\ubcf4\uc558\ub4ef\uc774 SYN \uc2a4\uce94\ubcf4\ub2e4 connect() \uc2a4\uce94\uc5d0 \uc758\ud574 \uc804\uc1a1\ub418\ub294 TCP \uc635\uc158\uc774 \ud6e8\uc52c \ub354 \ub9ce\ub2e4.<\/p>\n
\uc544\ub798 \uba85\ub839\uc5b4\ub97c \ud1b5\ud574 IP \uc8fc\uc18c\uac00 X.X.X.X \uc5d0 \ub300\ud55c SYN \uc2a4\uce94\uc744 \uc2dc\uc791\ud55c\ub2e4.<\/p>\n
soft-ftp:\/etc# nmap -n X.X.X.X –max-rtt-timeout 500<\/p>\n
Starting Nmap 4.11 ( http:\/\/www.insecure.org\/nmap\/ ) at 2010-07-02 01:01 KST
Interesting ports on X.X.X.X:
Not shown: 1672 filtered ports
PORT STATE SERVICE
20\/tcp closed ftp-data
21\/tcp open ftp
22\/tcp open ssh
43\/tcp closed whois
53\/tcp closed domain
80\/tcp open http
443\/tcp closed https
873\/tcp closed rsync<\/p>\nNmap finished: 1 IP address (1 host up) scanned in 19.909 seconds<\/p><\/blockquote>\n
\/var\/log\/message \ud30c\uc77c\uc744 \ubcf4\uba74 psad\uac00 \uc774 \uc2a4\uce94\uc744 \ud0d0\uc9c0 \ud588\uc74c\uc744 \uc54c \uc218 \uc788\ub2e4.<\/p>\n
Jul 2 01:17:54 seclab psad: scan detected: Y.Y.Y.Y -> X.X.X.X tcp: [5-61439] flags: SYN tcp pkts: 1002 DL: 4
Jul 2 01:18:01 seclab psad: scan detected: Y.Y.Y.Y -> X.X.X.X tcp: [2-65301] flags: SYN tcp pkts: 1166 DL: 4
Jul 2 01:18:06 seclab psad: scan detected: Y.Y.Y.Y -> X.X.X.X tcp: [7-44334] flags: SYN tcp pkts: 469 DL: 4<\/p><\/blockquote>\n3\ucc28\ub840\uc5d0 \uac78\uccd0 1500 \uac1c\uac00 \ub118\ub294 \ud328\ud0b7\uc774 \uc804\uc1a1\ub410\uc73c\uba70, \uc774\ub294 psad.conf \ud30c\uc77c\uc758 DANGER_LEVEL4 \ubcf4\ub2e4 \ud06c\uae30 \ub54c\ubb38\uc5d0 \uc2a4\uce90\ub108\ub294 \uc704\ud5d8 \uc218\uc900 4\uc5d0 \ub3c4\ub2ec\ud588\ub2e4.<\/p>\n
connect() \uc2a4\uce94\uc5d0\uc11c\uc640 \uac19\uc774 \ubaa9\ud45c \uc2dc\uc2a4\ud15c\uc758 iptables\ub294 tmzosdml SYN \ud328\ud0b7\uc744 \uae30\ub85d\ud588\ub2e4.<\/p>\n
Jul 2 01:18:02 seclab kernel: [3747359.638824] DROP IN=eth0 OUT= MAC=00:21:5e:4e:bb:da:00:11:88:42:99:43:08:00 SRC=210.125.219.48 DST=117.17.172.120 LEN=44<\/span> TOS=0x00 PREC=0x00 TTL=53<\/span> ID=14339 PROTO=TCP SPT=61604 DPT=1413 WINDOW=4096<\/span> RES=0x00 SYN URGP=0 OPT (020405B4)<\/span><\/p><\/blockquote>\n
\uc774\ubc88\uc5d0\ub294 iptables \ub85c\uadf8 \uba54\uc2dc\uc5d0\uc11c TCP connect() \uc2a4\uce94\uacfc \ub2e4\ub978 \ubd80\ubd84\uc744 \uad75\uac8c \ub098\ud0c0\ub0c8\ub2e4. \uc774 \ud56d\ubaa9\uacfc \uc774\ub4e4\uc774 connect() \uc2a4\uce94\uacfc \ub2e4\ub978 \uc774\uc720\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n
– LEN : IP \ud5e4\ub354\uc758 \uae38\uc774 \ud56d\ubaa9\uc73c\ub85c \uc2e4\uc81c TCP \uc2a4\ud0dd\uc740 SYN \ud328\ud0b7\uc5d0 connect() \uc2a4\uce94\uc744 \ud1b5\ud574 \uc804\uc1a1\ud558\ub294 SYN \ud328\ud0b7\ubcf4\ub2e4 \ub354 \ub9ce\uc740 \uc635\uc158\uc744 \ud3ec\ud568\ud558\uae30 \ub54c\ubb38\uc5d0 SYN \uc2a4\uce94\uc774 14 \ubc14\uc774\ud2b8\ub9cc\ud07c \uc9e7\ub2e4.<\/p>\n
– TTL : IP \ud5e4\ub354\uc758 \ud574\ud0b7 \uc720\uc9c0 \uc2dc\uac04(TTL, Time-to-Live) \uac12\uc740 TCP connect() \uc2a4\uce94 \ub3d9\uc548 \ud074\ub77c\uc774\uc5b8\ud2b8 \uc2dc\uc2a4\ud15c\uc758 \uc2e4\uc81c IP \uc2a4\ud0dd\uc5d0 \uc758\ud574 \ud56d\uc0c1 \ub3d9\uc77c\ud55c \uac12\uc73c\ub85c \ucd08\uae30\ud654\ub41c\ub2e4. \uadf8\ub7ec\ub098 SYN \uc2a4\uce94 \uc2dc Nmap\uc740 TCP SYN \ud328\ud0b7\uc744 \uc9c1\uc811 \uc0dd\uc131\ud558\uae30 \ub54c\ubb38\uc5d0 TTL \uac12\uc744 \uc5b4\ub5a4 \uac12\uc73c\ub85c\ub3c4 \uc124\uc815\ud560 \uc218 \uc788\uc73c\uba70, Nmap\uc740 37\uacfc 60 \uc0ac\uc774\uc758 TTL \uac12 \uc911 \ud558\ub098\ub97c \ubb34\uc791\uc704\ub85c \uc120\ud0dd\ud55c\ub2e4.<\/p>\n
– WINDOW : Nmap\uc774 SYN \uc2a4\uce94 \ub3d9\uc548 \uc124\uc815\ud558\ub294 TCP \uc708\ub3c4\uc6b0 \ud06c\uae30\ub294 1024, 2048, 3072, 4096 \uc911 \ud558\ub098\ub2e4. \ubc18\uba74 \uc2e4\uc81c TCP \uc2a4\ud0dd\uc740 TCP \uc5f0\uacb0\uc744 \ud56d\uc0c1 \uc708\ub3c4\uc6b0 \ud06c\uae30 5840\uc73c\ub85c \ucd08\uae30\ud654\ud55c\ub2e4.<\/p>\n
– OPT : TCP \ud5e4\ub354\uc758 \uc635\uc158 \ubd80\ubd84\uc740 Nmap SYN \uc2a4\uce94\uc758 \uacbd\uc6b0\uac00 \ud6e8\uc52c \ub354 \uc9e7\ub2e4. \uc774 \uc608\uc5d0\uc11c Nmap\uc740 \ucd5c\ub300 \uc138\uadf8\uba3c\ud2b8 \ud06c\uae30 \uc635\uc158\ub9cc\uc744 \uc0ac\uc6a9\ud558\uba70 \uc774\ub97c 1460\uc73c\ub85c \uc124\uc815\ud55c\ub2e4. \ub300\ubd80\ubd84\uc758 \uc2e4\uc81c TCP \uc2a4\ud0dd\uc740 \ucd5c\ub300 \uc138\uadf8\uba3c\ud2b8 \ud06c\uae30 \uc678\uc5d0\ub3c4 \ud0c0\uc784\uc2a4\ud0ec\ud504, \uc5f0\uc0b0 \uc5c6\uc74c(NOP), \uc120\ud0dd\uc801 \uc2b9\uc778\uc774 \uac00\ub2a5\ud55c\uc9c0 \uc5ec\ubd80(SACK)\uc640 \uac19\uc774 \ub2e4\uc218\uc758 \uc635\uc158\uc744 \uc804\uc1a1\ud55c\ub2e4.<\/p><\/blockquote>\n
* psad \ub97c \uc774\uc6a9\ud55c \uacbd\uace0\uc640 \ubcf4\uace0.<\/p>\n
psad\ub294 \uc77c\ub2e8 iptables\uc5d0 \ub300\ud574 \uc218\uc0c1\ud55c \ud558\ub098\uc758 \uc774\ubca4\ud2b8\ub098 \uc774\ubca4\ud2b8\ub4e4\uc774 \ubc1c\uc0dd\ud588\ub2e4\uace0 \ud310\ub2e8\ud558\uba74 \uad00\ub9ac\uc790\uc5d0\uac8c \uacbd\uace0\ud55c\ub2e4. psad \uc758 \ubaa9\ud45c\ub294 \uad00\ub9ac\uc790\uac00 \uc801\uc808\ud55c \uc751\ub2f5\uc744 \uc120\ud0dd\ud560 \uc218 \uc788\uac8c \ucd5c\ub300\ud55c \ub9ce\uc740 \uc815\ubcf4\ub97c \uc81c\uacf5\ud558\ub294 \uac83\uc774\ub2e4.<\/p>\n
– psad \uba54\uc77c \uacbd\uace0.<\/p>\n
\uba54\uc77c \uba54\uc2dc\uc9c0\ub294 syslog \uacbd\uace0\ubcf4\ub2e4 \ud6e8\uc52c \ub354 \ub9ce\uc740 \uc815\ubcf4\ub97c \ud3ec\ud568\ud560 \uc218 \uc788\uc73c\uba70, \uc5b4\ub514\uc11c\ub098 \ud655\uc778\ud560 \uc218 \uc788\uace0 \ud734\ub300\ud3f0\uc774\ub098 \uae30\ud0c0 \ud734\ub300 \uc7a5\ube44\uc640 \uc798 \ud1b5\ud569\ub3fc \uc788\uae30 \ub54c\ubb38\uc5d0 \uba54\uc77c\uc740 psad\uc758 \uc81c 1\ucc28 \uacbd\uace0 \uae30\ubc95\uc774\ub2e4.<\/p>\n
Message 1054537:
From root@A.B.C.D Thu Jul 1 23:23:40 2010
X-Original-To: root@localhost
To: root@localhost
Subject: [psad-alert] DL5 src: 169.254.X.X dst: 255.255.255.255
Date: Thu, 1 Jul 2010 23:23:39 +0900 (KST)
From: root@A.B.C.D (root)<\/p>\n=-=-=-=-=-=-=-=-=-=-=-= Thu Jul 1 23:23:39 2010 =-=-=-=-=-=-=-=-=-=-=-=<\/p>\n
* \uc2a4\uce94 \uc704\ud5d8 \uc218\uc900, \ud3ec\ud2b8, \ud50c\ub798\uadf8——————————————-
Danger level: [5] (out of 5)<\/p>\nScanned UDP ports: [67: 1 packets, Nmap: -sU]
iptables chain: INPUT (prefix “DROP”), 1 packets<\/p>\n* \ucd9c\ubc1c\uc9c0\uc640 \ubaa9\uc801\uc9c0 IP \uc8fc\uc18c ——————————————–
Source: 169.254.X.X
DNS: [No reverse dns info available]<\/p>\nDestination: 255.255.255.255
DNS: [No reverse dns info available]<\/p>\n* syslog \ud638\uc2a4\ud2b8\uba85, \uc2dc\uac04 \uac04\uaca9, \uc694\uc57d \uc815\ubcf4 ———————————
Overall scan start: Tue Nov 24 21:47:43 2009
Total email alerts: 167109
Syslog hostname: seclab<\/p>\nGlobal stats: chain: interface: TCP: UDP: ICMP:
INPUT eth0 0 36101 0 <\/p>\n* whois \ub370\uc774\ud130\ubca0\uc774\uc2a4 \uc815\ubcf4 ——————————————–
[+] Whois Information:<\/p>\nOrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US<\/p>\nNetRange: 169.254.0.0 – 169.254.255.255
CIDR: 169.254.0.0\/16
NetName: LINKLOCAL-RFC3927-IANA-RESERVED
NetHandle: NET-169-254-0-0-1
Parent: NET-169-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This is the “link local” block. It was set
Comment: aside for this special use in the Standards
Comment: Track document, RFC 3927 and was further
Comment: documented in the Best Current Practice
Comment: RFC 5735, which can be found at:
Comment: http:\/\/www.rfc-editor.org\/rfc\/rfc3927.txt
Comment: http:\/\/www.rfc-editor.org\/rfc\/rfc5735.txt
Comment: It is allocated for communication between hosts
Comment: on a single link. Hosts obtain these addresses
Comment: by auto-configuration, such as when a DHCP
Comment: server cannot be found.
Comment: A router MUST NOT forward a packet with an IPv4
Comment: Link-Local source or destination address,
Comment: irrespective of the router’s default route configuration
Comment: or routes obtained from dynamic routing protocols.
Comment: A router which receives a packet with an IPv4
Comment: Link-Local source or destination address MUST NOT
Comment: forward the packet. This prevents forwarding of
Comment: packets back onto the network segment from which
Comment: they originated, or to any other segment.
RegDate: 1998-01-27
Updated: 2010-03-15<\/p>\nOrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org<\/p>\nOrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org<\/p>\n# ARIN WHOIS database, last updated 2010-06-30 20:00
# Enter ? for additional hints on searching ARIN’s WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https:\/\/www.arin.net\/whois_tou.html
#
# Attention! Changes are coming to ARIN’s Whois service on June 26.
# See https:\/\/www.arin.net\/features\/whois for details on the improvements.<\/p><\/blockquote>\n* psad syslog \ubcf4\uace0.<\/p>\n
\uba54\uc77c \uacbd\uace0\uc640 \ud568\uaed8 syslog\ub3c4 psad\uc758 \uc911\uc694\ud55c \ubcf4\uace0 \uae30\ubc95\uc774\ub2e4. \ubcf4\ud1b5 psad\ub294 \ub3d9\uc791\ud558\ub294 \ub3d9\uc548 \uc138 \uc885\ub958\uc758 syslog \uacbd\uace0\ub97c \uc0dd\uc131\ud55c\ub2e4.<\/p>\n
– \uc815\ubcf4 \uba54\uc2dc\uc9c0<\/p>\n
psad\ub294 \uc8fc\uae30\uc801\uc73c\ub85c psad\uac00 \uc218\ud589\ud55c \uad00\ub9ac \ub3d9\uc791\uc744 \uad00\ub9ac\uc790\uc5d0\uac8c \uc54c\ub824\uc8fc\uae30 \uc704\ud574 \uc124\uacc4\ub41c \uc815\ubcf4 syslog \uba54\uc2dc\uc9c0\ub97c \uc0dd\uc131\ud558\uba70, \uc774\uc5d0\ub294 \uc124\uc815 \ud30c\uc77c \uc77d\uc5b4\uc624\uae30\uc640 \uc774\uc804 psad \uc2e4\ud589\uc73c\ub85c\ubd80\ud130\uc758 \uc2a4\uce94 \uc815\ubcf4 \ub4f1\uc774 \uc788\ub2e4.<\/p>\n
\uc608\ub97c \ub4e4\uc5b4 psad\ub294 \uc2dc\uc791\ud560\ub54c \ub2e4\uc74c\uacfc \uac19\uc740 syslog \uba54\uc2dc\uc9c0\ub97c \uc0dd\uc131\ud55c\ub2e4.<\/p>\n
Jul 1 23:50:13 seclab psad: imported valid icmp types and codes
Jul 1 23:50:13 seclab psad: imported p0f-based passive OS fingerprinting signatures
Jul 1 23:50:13 seclab psad: imported TOS-based passive OS fingerprinting signatures
Jul 1 23:50:13 seclab psad: imported auto_dl, got 0 IP addresses and 1 networks
Jul 1 23:50:14 seclab psad: imported original Snort rules in \/etc\/psad\/snort_rules\/ for reference info
Jul 1 23:50:14 seclab psad: imported 205 psad Snort signatures from \/etc\/psad\/signatures
Jul 1 23:50:16 seclab psad: imported 239 scanning IP addresses from previous psad instance<\/p><\/blockquote>\n– \uc2a4\uce94\uacfc \uc11c\uba85 \ub9e4\uce6d \uba54\uc2dc\uc9c0<\/p>\n
syslog \uba54\uc2dc\uc9c0\uc758 \uac00\uc7a5 \uc911\uc694\ud55c \ubd80\ubd84\uc740 \uc2a4\uce94\uacfc \uae30\ud0c0 \uc218\uc0c1\ud55c \ud2b8\ub798\ud53d\uc5d0 \ub300\ud574 \uc54c\ub824\uc900\ub2e4. \uc774\ub7ec\ud55c \uba54\uc2dc\uc9c0\ub294 \ucd9c\ubc1c\uc9c0 IP \uc8fc\uc18c\uc5d0\uc11c \ud3ec\ud2b8, \ud504\ub85c\ud1a0\ucf5c, \uc2a4\ub178\ud2b8 \uaddc\uce59 \ub9e4\uce6d\uc5d0 \uc774\ub974\ub294 \ubaa8\ub4e0 \uac83\uc744 \ud3ec\ud568\ud558\uba70, \ub2e4\uc74c\uacfc \uac19\uc740 syslog \uba54\uc2dc\uc9c0\ub294 psad \uc2a4\uce94 \uacbd\uace0\ub97c \ubcf4\uc5ec\uc900\ub2e4. \uc774 \uba54\uc2dc\uc9c0\ub294 psad\uac00 \ud0d0\uc9c0\ud55c \uc2a4\uce94 \uc720\ud615\uc744 \uc0ac\uc6a9\uc790\uac00 \uc2dd\ubcc4\ud560 \uc218 \uc788\uac8c TCP \ud50c\ub798\uadf8 \uc815\ubcf4\ub3c4 \ud3ec\ud568\ud55c\ub2e4.<\/p>\n
Jul 1 23:50:25 seclab kernel: [3742102.777745] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:25:11:48:00:69:08:00 SRC=X.X.X.X DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=10689 PROTO=UDP SPT=1037 DPT=1947 LEN=48
Jul 1 23:50:41 seclab kernel: [3742118.698007] DROP IN=eth0 OUT= MAC=00:21:5e:4e:bb:da:00:11:88:42:99:43:08:00 SRC=X.X.X.X DST=Y.Y.Y.Y LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=42913 DF PROTO=TCP SPT=50650 DPT=1453 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A240A475B0000000001030304)<\/p>\n<\/blockquote>\n– \uc790\ub3d9 \uc751\ub2f5 \uba54\uc2dc\uc9c0
\ud2b8\ub798\ud53d \ucd9c\ubc1c\uc9c0 IP \uc8fc\uc18c\uc5d0 \ub300\ud574 iptables \ucc28\ub2e8 \uaddc\uce59\uc744 \uc801\uc6a9\ud568\uc73c\ub85c\uc368 psad\ub97c \uc0ac\uc6a9\ud574\uc11c \uc218\uc0c1\ud55c \ud2b8\ub798\ud53d\uc5d0 \uc751\ub2f5\ud560 \uc218 \uc788\ub2e4. \uc774 \uae30\ub2a5\uc740 \uae30\ubcf8\uc801\uc73c\ub85c \ube44\ud65c\uc131\ud654\ub3fc \uc788\ub2e4.<\/p>\n* \uc815\ub9ac<\/p>\n
6\uc7a5\uc5d0\uc11c\ub294 Nmap\uc744 \uc774\uc6a9\ud574\uc11c iptablesfw \uc2dc\uc2a4\ud15c\uc5d0 \uc218\ud589\ud55c \ud3ec\ud2b8 \uc2a4\uce94\uc744 psad\uac00 \ud0d0\uc9c0\ud558\uace0 \ubcf4\uace0\ud558\ub294 \uac83\uacfc \uac19\uc740 psad \ub3d9\uc791 \uce21\uba74\uc744 \uc18c\uac1c\ud588\ub2e4. \uba54\uc77c \uacbd\uace0\uac00 psad\uc758 \uc81c1\ucc28 \uacbd\uace0 \uae30\ubc95\uc774\uc9c0\ub9cc psad\ub294 syslog \uacbd\uace0\ub3c4 \uc81c\uacf5\ud55c\ub2e4. 7\uc7a5\uc5d0\uc11c\ub294 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub97c \ud1b5\ud574 \uc2a4\ub178\ud2b8 \uaddc\uce59\uacfc \ub9e4\uce6d\ub418\ub294 \ud2b8\ub798\ud53d\uc758 \ud0d0\uc9c0\uc640 \uac19\uc774 \uc880 \ub354 \uc5b4\ub824\uc6b4 psad \uad00\ub828 \uc8fc\uc81c\ub97c \uc0b4\ud3b4\ubcf8\ub2e4.<\/p>\n","protected":false},"excerpt":{"rendered":"
* psad\ub97c \uc774\uc6a9\ud55c \ud3ec\ud2b8 \uc2a4\uce94 \ud0d0\uc9c0. TCP\/IP \uc288\ud2b8 \uc804\uccb4\ub97c \ubaa8\ub450 \uad6c\ud604\ud558\uba74 \ub300\uaddc\ubaa8\uc758 \ubcf5\uc7a1\ud55c \ucf54\ub4dc\uac00 \ub418\uba70, \uc774\ub7ec\ud55c \ubcf5\uc7a1\ub3c4\ub294 \uc815\ud0d0 \uc2dc\ub3c4\uc5d0\uc11c \uc11c\ube44\uc2a4 \uac70\ubd80 \uacf5\uaca9\uc5d0 \uc774\ub974\ub294 \ubaa8\ub4e0 \uacf5\uaca9\uc758 \uc88b\uc740 \ubaa9\ud45c\uac00 \ub41c\ub2e4. \ud3ec\ud2b8 \uc2a4\uce94\uc740 \uc6d0\uaca9 \ubaa9\ud45c\uc5d0\uc11c \uc815\ubcf4\ub97c \uc5bb\uae30 \uc704\ud55c \uc911\uc694\ud55c \uae30\uc220\ub85c psad\ub294 \uae30\ubcf8\uc801\uc73c\ub85c \ub9ac\ub205\uc2a4 … Continue reading