Ich bin yiwen.
Posts Tags Categories
Ich bin yiwen.

Contents

Lesson 05: Linux 筆記 - Log Server, MariaDB, nmap

 included in StudyNote
   1710 words   9 minutes    views  

Log Server 實作

MariaDB 權限與加密, nmap 檢測工具介紹

User ID Report

aureport -u -i --failed | less

1.Write message to syslog

BIOS/UEF ➡ grub2 ➡ kernel ➡ systemd ➡ journalctl

  • rsyslog : 如果選 minimal installation,err不會由rsyslog接,改由journalctl接error接收

將訊息寫入系統紀錄中

@Server

1

root# logger hello World

1

root# tail /var/log/messages

1

root# journalctl

1

root# journalctl --since "2023-04-15"

1

root# reboot

journalctl紀錄持久化

推書時間: 實戰Linux系統數位鑑識 (江湖海) (Practical Linux Forensics: A guide for digital investigators, by Bruce Nikkel)

1

root# journalctl

尋找 “hello World”,會發現找不到

1

root# grep hello /var/log/messages

找得到 hello World

1

root# mkdir /var/log/journal

1

root# logger hello world

1

root# journalctl

1

root# reboot

1

root# journalctl

找出"hello World"

自訂記錄等級與標籤

@Server 在紀錄中設定classTag

1
2

root# logger -t class "hello myapp log"
root# logger -t class -p 'user.err' "[Error] hello myapp log"

root# grep class /var/log/messages
root# journalctl -t class

在紀錄中,設定嚴重等級

root# logger -t class -p 'user.info' "Test log messages"
root# grep class /var/log/messages

使用journalctl找出tag為class的記錄

1

root# journalctl -t class

(screen1)

使用 journalctl 找出tag為class 且嚴重性為’err’的記錄

1

root# journalctl -t class -p err

(screen2)

2. 建立簡單 Rsyslog Server

安裝 rsyslog 套件

@Desktop, @Server

1

root# dnf install -y rsyslog

@Desktop

1

root# cd /etc/rsyslog.d

設定接收 rsyslog 資訊

1

root# vi server.conf

module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

module(load="imtcp") # needs to be done just once
input(type="imtcp" 
port="514")

1

root# systemctl restart rsyslog

1
2
3
4

root# firewall-cmd --permanent --add-port=514/tcp
root# firewall-cmd --permanent --add-port=514/udp

root# firewall-cmd --reload

@Server 設定 sysrlog client

1

root# cd /etc/rsyslog.d

設定將 log 使用 TCP 協定傳送到 Desktop

root# vi client.conf

*.* @@172.16.1.X:514

(screenshot3)

1

root# systemctl restart rsyslog

1

root# logger "Test message from Server"

@Desktop, @Server

1
2

root# less /var/log/messages
Apr 15 14:19:08 serverb root[5228]: Test message from Server
sudo su -/-isudo su 的差別:

少了減號就不會登入(真正變成)那個user DigitalOcean: How To Use Journalctl to View and Manipulate Systemd Logs NXLog

3. Syslog 應用

建主 syslog Server

@Desktop

1

root# dnf install -y rsyslog

1

root# cd /etc/rsyslog.d/

1

root# vi server.conf

module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

$template RemoteLogs,"/var/log/%FROMHOST-IP%/%HOSTNAME%-%$NOW%/%PROGRAMNAME%.log" 
*.* ?RemoteLogs

Ref: https://www.rsyslog.com/doc/master/configuration/properties.html

1
2
3
4

root# firewall-cmd --permanent --add-port=514/tcp
root# firewall-cmd --permanent --add-port=514/udp

root# firewall-cmd --reload

1

root# systemctl restart rsyslog

設定用戶端 Client

@Server

1

root# dnf install -y rsyslog

1

root# cd /etc/rsyslog.d/

1

root# vi client.conf

#*.* @172.16.1.58:514 # Use @ for UDP protocol 
*.* @@172.16.1.58:514 # Use @@ for TCP protocol

& ~

1

root# systemctl restart rsyslog

測試

@Server

1

root# logger -t linuxclass "test message from root"

1

student$ logger -t linuxclass "test message from server"

@Desktop

1

root# ls -lR /var/log/172.16.2.58/

讀取指定檔案內容

@Server

1

root# cd /etc/rsyslog.d/

設定 log 檔案,位於 /tmp/applog.txt

root# touch /tmp/applog.txt

root# vi 01_watch_log.conf

module(load="imfile")

input(type="imfile"
      File="/tmp/applog.txt"
      Tag="mytag:"
      Facility="local0")

取消 STOP

1

root# vi client.conf

#*.* @172.16.1.X:514 # Use @ for UDP protocol 
*.* @@172.16.1.X:514 # Use @@ for TCP protocol

測試寫入檔案到 log

1
2
3
4

root# echo Hello 1 >> /tmp/applog.txt
root# echo Hello 2 >> /tmp/applog.txt
root# echo Hello 3 >> /tmp/applog.txt
root# echo Hello 4 >> /tmp/applog.txt

查看 Log 是否寫入

1

root# ls -lR /var/log/172.16.2.58/
💤允許特定網段/IP通過
1

sudo firewall-cmd --add-rich-rule='rule family="ipv4" service name="ssh" source address="10.10.1.125" accept'
firewall-cmd 的小史💥
           [firewalld]
                 ↓
         [firewall-cmd]
                ↙↘
          (EL7)    (EL8/9)
          ↙          ↘
      [iptables]   [nftables]
          ↘          ↙
        [kernel+notfilter]

4. MariaDB 帳號管理

MariaDB/MySQL 資料庫實體檔位置 ➡ /var/lib/mysql/

@Desktop

安裝資料庫

1
2
3
4
5
6
7
8
9

root# dnf install -y chrony
root# systemctl enable --now chronyd
root# timedatectl set-timezone Asia/Taipei

root# dnf install -y mariadb-server
root# systemctl enable --now mariadb

root# firewall-cmd --permanent --add-service=mysql
root# firewall-cmd --reload

1

root# mysql_secure_installation

密碼設為 rocky

連線資料庫

1

root# mysql -u root -p -h localhost

建立資料庫

1

MariaDB> create database classdb;

建立使用者

MariaDB> GRANT ALL ON classdb.* TO 'dbuser'@'172.16.2.58' IDENTIFIED BY 'rocky' REQUIRE SSL;
MariaDB> GRANT ALL ON classdb.* TO 'user1'@'172.16.2.58' IDENTIFIED BY 'rocky';

列出帳號與資庫資訊

MariaDB> SELECT User, Db, Host from mysql.db;
+--------+---------+---------------+
| User   | Db      | Host          |
+--------+---------+---------------+
| dbuser | classdb | 172.16.2.58  |
+--------+---------+---------------+
1 row in set (0.004 sec)

列出使用者權限

show grants for 'dbuser'@'172.16.2.58';
+-------------------------------------------------------------------------------------------------------------------------------+
| Grants for [email protected]                                                                                               |
+-------------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `dbuser`@`172.16.2.58` IDENTIFIED BY PASSWORD '*128977E278358FF80A246B5046F51043A2B1FCED' REQUIRE SSL  |
| GRANT ALL PRIVILEGES ON `classdb`.* TO `dbuser`@`172.16.2.58`                                                                |
+-------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.002 sec)

@Server

1

root# dnf install -y mariadb

1
2

student$ mysql -u dbuser -p -h desktop58
FAIL!

1

student$ mysql -u user1 -p -h desktop58

@Desktop

產生稽核語法

1

student$ mysql -u root -p -h localhost

MariaDB> select distinct concat('SHOW GRANTS FOR ', QUOTE(user), '@', QUOTE(host), ';') as query from mysql.user;
+-------------------------------------------+
| query                                     |
+-------------------------------------------+
| SHOW GRANTS FOR 'root'@'127.0.0.1';       |
| SHOW GRANTS FOR 'dbuser'@'172.16.2.58';    |
| SHOW GRANTS FOR 'root'@'::1';             |
| SHOW GRANTS FOR 'root'@'localhost';       |
+-------------------------------------------+
4 rows in set (0.001 sec)

5. MariaDB packet interception

從 Server 查看封包

Server

@Terminal-1

1

root# dnf install -y tcpdump

1

root# tcpdump host 172.16.1.58 and port 3306 -X
Desktop
1
2

root# dnf install -y tcpdump
root# tcpdump port 3306 -X

連線資料庫

@Server @Terminal-2

1

root# dnf install -y mariadb

@Terminal-2

1
2
3
4
5

root# mysql -u user1 -h 172.16.1.58 -p
MariaDB> show databases;

MariaDB> use information_schema;
MariaDB> show tables;

@Desktop

查看 tcpdump 結果

6. MariaDB SSL連線加密

@Desktop

1
2

root# mkdir mariadb-ssl; cd mariadb-ssl
root# mkdir ca server client

Build CA

建立 RootCA

1
2
3
4
5
6
7

root# cd ca
root# ls -lh

root# openssl genrsa 4096 > ca.key
root# openssl req -new -x509 -nodes -days 365000 -key ca.key -out ca.crt

root# root# ls -lh

Common Name 設為 DB CA

Build server certificate

建立 Server 用憑證

1
2

root# openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server.key -out server.csr
root# openssl rsa -in server.key -out server.key

Common Name 設為 DB Server

簽署憑證

1

root# openssl x509 -req -in server.csr -days 3650 -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Build client certificate

建立用戶端憑證

1
2

root# openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client.key -out client.csr
root# openssl rsa -in client.key -out client.key

Common Name 設為 DB Client

簽署憑證

root# openssl x509 -req -in client.csr -days 3650 -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

驗證

將簽好的憑證複製到相關目錄

1

root# openssl verify -CAfile ca.crt server.crt client.crt

1
2
3
4
5

root# cp ca.crt ../server
root# cp ca.crt ../client

root# mv server* ../server
root# mv client* ../client

設定 MariaDB 憑證

@Desktop

1
2
3
4

root# cd /root/mariadb-ssl

root# cp -R server /etc/my.cnf.d/ssl/
root# chown -R mysql /etc/my.cnf.d/ssl/

套用 Server 憑證

1
2
3
4
5
6

root# cat > /etc/my.cnf.d/50-server.cnf <<EOF
[mysqld]
ssl-ca=/etc/my.cnf.d/ssl/ca.crt
ssl-cert=/etc/my.cnf.d/ssl/server.crt
ssl-key=/etc/my.cnf.d/ssl/server.key
EOF

重新啟動 MariaDB

1

root# systemctl restart mariadb

檢查憑證套用成功

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

root# mysql -u root -p -h localhost

MariaDB> show variables like '%ssl%';
+---------------------+----------------------------------+
| Variable_name       | Value                            |
+---------------------+----------------------------------+
| have_openssl        | YES                              |
| have_ssl            | YES                              |
| ssl_ca              | /etc/my.cnf.d/ssl/ca.crt         |
| ssl_capath          |                                  |
| ssl_cert            | /etc/my.cnf.d/ssl/server.crt     |
| ssl_cipher          |                                  |
| ssl_crl             |                                  |
| ssl_crlpath         |                                  |
| ssl_key             | /etc/my.cnf.d/ssl/server.key     |
| version_ssl_library | OpenSSL 1.1.1g FIPS  21 Apr 2020 |
+---------------------+----------------------------------+
10 rows in set (0.003 sec)

MariaDB> create database classdb;

MariaDB> GRANT ALL ON classdb.* TO 'dbuser'@'172.16.2.X' IDENTIFIED BY 'rocky' REQUIRE SSL;
MariaDB> GRANT ALL ON classdb.* TO 'dbuser2'@'172.16.2.X' IDENTIFIED BY 'rocky';

MariaDB> exit;

Client 端連線

@Server

1

root# mkdir ~/client/

@Desktop

1
2
3

root# cd /root/mariadb-ssl/client

root# echo "PUT * " | sftp root@server58:/root/client

@Server

1
2

root# cd
root# ls -lh client

1
2
3

root# dnf install -y chrony
root# systemctl enable --now chronyd
root# timedatectl set-timezone Asia/Taipei

1

root# cp -R client /etc/my.cnf.d/ssl/

1

root# vi /etc/my.cnf.d/client.cnf

在 [client] 區段中新增

...
[client]
ssl-ca=/etc/my.cnf.d/ssl/ca.crt
ssl-cert=/etc/my.cnf.d/ssl/client.crt
ssl-key=/etc/my.cnf.d/ssl/client.key

root# mysql -u dbuser -h 172.16.1.X -p 

MariaDB> status;
--------------
mysql  Ver 15.1 Distrib 10.3.28-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:		14
Current database:	
Current user:		[email protected]
SSL:			Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server:			MariaDB
Server version:		10.3.28-MariaDB MariaDB Server
Protocol version:	10
Connection:		172.16.62.5 via TCP/IP
Server characterset:	latin1
Db     characterset:	latin1
Client characterset:	utf8
Conn.  characterset:	utf8
TCP port:		3306
Uptime:			24 min 23 sec

Threads: 6  Questions: 18  Slow queries: 0  Opens: 18  Flush tables: 1  Open tables: 11  Queries per second avg: 0.012
--------------

連線時指定憑證位置

1

root# vi /etc/my.cnf.d/client.cnf

在 [client] 區段中移除

...
[client]
#ssl-ca=/etc/my.cnf.d/ssl/ca.crt
#ssl-cert=/etc/my.cnf.d/ssl/client.crt
#ssl-key=/etc/my.cnf.d/ssl/client.key

1

root# cd client

1

root# mysql -u dbuser -h 172.16.1.58 -p --ssl-ca=ca.crt --ssl-cert=client.crt --ssl-key=client.key

參考 5.MariaDB 封包截取 驗證加密後結果。

7. MariaDB 密碼原則

參考文件

Simple Password Check Plugin

Desktop

啟用模組

修改 /etc/my.cnf.d/mariadb-server.cnf,在 [mysqld] 區段中,填入

plugin_load_add = simple_password_check

(screen_shot)

查看規則

@Desktop

1

root# mysql -u root -p -h localhost

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

MariaDB [(none)]> show variables like '%simple_password%';
+-----------------------------------------+-------+
| Variable_name                           | Value |
+-----------------------------------------+-------+
| simple_password_check_digits            | 1     |
| simple_password_check_letters_same_case | 1     |
| simple_password_check_minimal_length    | 8     |
| simple_password_check_other_characters  | 1     |
+-----------------------------------------+-------+
4 rows in set (0.001 sec)
驗證規則
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

MariaDB [(none)]> select user,host from mysql.user;
+---------+-------------+
| user    | host        |
+---------+-------------+
| root    | 127.0.0.1   |
| dbuser  | 172.16.2.X  |
| dbuser2 | 172.16.2.X  |
| user1   | 172.16.2.X  |
| root    | ::1         |
| root    | localhost   |
+---------+-------------+
6 rows in set (0.001 sec)

MariaDB [(none)]> SET PASSWORD FOR 'user1'@'172.16.2.X' = PASSWORD('abc');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
MariaDB [(none)]> SET PASSWORD FOR 'user1'@'172.16.2.X' = PASSWORD('rocky');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

8. MariaDB 稽核

參考文件

MariaDB Audit Plugin

啟用稽核模組與設定

@Desktop

root# cp -a /etc/my.cnf.d/mariadb-server.cnf{,_backup}

root# vi /etc/my.cnf.d/mariadb-server.cnf

在 mysqld 區段加入
...

plugin_load_add = server_audit
server_audit_logging = ON
server_audit=FORCE_PLUS_PERMANENT
server_audit_events=connect,query
server_audit_file_path=/var/lib/mysql/server_audit.log

1

root# systemctl restart mariadb

測試

@Server

1
2

root# cd ~/client
root# mysql -u dbuser -h 172.16.1.38 -p --ssl-ca=ca.crt --ssl-cert=client.crt --ssl-key=client.key

@Desktop

1

root# /var/lib/mysql/server_audit.log

9. Port 掃描

  1. 掃描 TCP

    root# nmap -p- server58

  2. 掃描 UDP

    root# nmap -sU -p- server58

    這個掃描會很久

  3. 猜測作業系統版本

    root# nmap -O server58

    (…Nmap scan report..)

  4. 掃描 server58 中開了哪些 1024 以下的 TCP Port,並列出作業系統

    1

    root# nmap -p0-1024 -O server58

Teleport服務_跳板機

Teleport(https://goteleport.com)

comments powered by Disqus
Updated on 2023-04-15
 linuxSecurity
Back | Home