Stories from the world Gongryongho lives in

You try to install a package and a strange error appears. What an absurd situation.
Basically, for a package to be installed the file /var/sadm/install/admin/default must exist. It holds the parameters that control package installation, and if it is missing or damaged the package cannot be installed correctly and pkgadd fails with an error.

The fix is simple. Create the default file at the path above, paste in the contents below, and run pkgadd again.
I checked: the file contents are identical on Solaris 9 and 10, so it does not matter which one you use.

#
# Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "@(#)default    1.5     03/06/11 SMI"
#
mail=
instance=unique
partial=ask
runlevel=ask
idepend=ask
rdepend=ask
space=ask
setuid=ask
conflict=ask
action=ask
networktimeout=60
networkretries=3
authentication=quit
keystore=/var/sadm/security
proxy=
basedir=default

While we are at it, let's learn one more tip.
As explained above, this default file holds the parameters used when a package is installed.
Sharp readers will already have noticed: since the various parameters are set to ask, the installation stops and prompts interactively whenever a conflict or some other condition comes up during installation.
So if we replace ask with something else, the package can be installed in one shot.
Change every ask to nocheck. basedir lets you change where the package is installed. Keep in mind that nocheck also waives the setuid and conflict checks, so setuid binaries and files already owned by another package are accepted without a prompt; use such a file only for packages you trust. With that, everything is ready for a one-shot install.

But there is one more problem. We have made installation non-interactive, but whenever a situation calls for an interactive install, do we have to change nocheck back to ask every time? -_-
Solaris cannot be that shoddy. Instead of saving the edited file as default, save it as non (the name does not have to be non).
Then pass the options to the command as follows.

# pkgadd -na non -d pkgfile [pkgname]
e.g.) # pkgadd -na ./non -d beautifulpkg all

You can see that the package is installed using the file we just set to nocheck.
Those who found this document by searching have now solved the problem, installed the package, and picked up a tip. ~~
That's it for today, go home everyone~ ^^
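The tip above, as an added example that is not part of the original post: a small POSIX sh script that derives a non-interactive admin file from the default one, but goes one step further than the post by failing closed (setuid and conflict become quit instead of nocheck, a value admin(4) also accepts) and by validating the result before pkgadd ever sees it. The sample default it writes is constructed from the file shown above.

```shell
#!/bin/sh
# Added example, not from the original post: build a non-interactive pkgadd
# admin file from the default one as described above, but fail closed where it
# matters: setuid and conflict become "quit" rather than "nocheck", so an
# unattended install aborts on a setuid binary or on files owned by another
# package. Allowed values follow admin(4); input is assumed to be key=value.

# admin_get FILE KEY -> print the value of KEY (empty if absent)
admin_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# build_admin_file SRC DST -> write the non-interactive variant to DST
build_admin_file() {
    awk -F= '
        /^#/ || NF < 2 { print; next }                  # comments and blanks
        ($1 == "setuid" || $1 == "conflict") && $2 == "ask" { $2 = "quit" }
        $2 == "ask" { $2 = "nocheck" }                  # no other prompts
        { print $1 "=" $2 }
    ' "$1" > "$2"
}

# validate_admin_file FILE -> 0 if every prompt-controlling key is present
# with a value pkgadd accepts, otherwise 1 with the first problem on stderr
validate_admin_file() {
    for spec in 'instance:unique|overwrite|ask|quit' 'setuid:ask|quit|nocheck|nochange' \
                'conflict:ask|quit|nocheck|nochange' 'partial:ask|quit|nocheck' \
                'runlevel:ask|quit|nocheck' 'idepend:ask|quit|nocheck' \
                'rdepend:ask|quit|nocheck' 'space:ask|quit|nocheck' 'action:ask|quit|nocheck'
    do
        key=${spec%%:*}; allowed=${spec#*:}
        val=$(admin_get "$1" "$key")
        case "|$allowed|" in
            *"|$val|"*) ;;
            *) echo "$key=$val is not one of $allowed" >&2; return 1 ;;
        esac
    done
    return 0
}

# write_sample_default FILE -> constructed copy of the post's admin file
write_sample_default() {
    cat > "$1" <<'EOF'
mail=
instance=unique
partial=ask
runlevel=ask
idepend=ask
rdepend=ask
space=ask
setuid=ask
conflict=ask
action=ask
networktimeout=60
networkretries=3
authentication=quit
keystore=/var/sadm/security
proxy=
basedir=default
EOF
}
```

Writing the result to /var/sadm/install/admin/non lets the post's `pkgadd -na non -d pkgfile all` pick it up, since pkgadd looks in that directory when -a is not given a full path.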





SSH setting for Solaris 8

Introduction:
Secure shell (SSH) is a protocol that provides a secure remote connection to any device with ssh support. SSH is a substitute for telnet and the Berkeley r-tools (rlogin, rsh and rcp), which are not secure. SSH protects data transported over the Internet with stronger authentication, encryption and authorization procedures. Two versions are currently available, SSH Version 1 and SSH Version 2.

Required packages:
All of the packages required for this tutorial are available from http://www.sunfreeware.com

openssh
openssl (SSL)
prngd (Pseudo Random Generator Daemon)
zlib (Z library)

Installation:
#pkgadd -d openssl-0.9.6c-sol8-sparc-local

The following packages are available:
1 SMCosslc openssl
(sparc) 0.9.6c

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

#pkgadd -d prngd-0.9.23-sol8-sparc-local

The following packages are available:
1 SMCprngd prngd
(sparc) 0.9.23

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

#pkgadd -d zlib-1.1.4-sol8-sparc-local

The following packages are available:
1 SMCzlib zlib
(sparc) 1.1.4

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

#pkgadd -d openssh-3.1p1-sol8-sparc-local

The following packages are available:
1 SMCossh openssh
(sparc) 3.1p1

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

Startup Scripts:
Create a startup script for the ssh daemon (the commands below refer to it as sshd).
/etc/init.d/sshd

#! /bin/sh
#
# start/stop the secure shell daemon

case "$1" in

'start')
     # Start the ssh daemon
     if [ -f /usr/local/sbin/sshd ]; then
          echo "starting SSHD daemon"
          /usr/local/sbin/sshd &
     fi
     ;;

'stop')
     # Stop the ssh daemon
     PID=`/usr/bin/ps -e -u 0 | /usr/bin/fgrep sshd | /usr/bin/awk '{print $1}'`
     if [ ! -z "$PID" ] ; then
          /usr/bin/kill ${PID} >/dev/null 2>&1
     fi
     ;;

*)
     echo "usage: /etc/init.d/sshd {start|stop}"
     ;;

esac

Make the script executable and link it into run level 2 so it starts at boot.

#chmod +x /etc/init.d/sshd
#ln -s /etc/init.d/sshd /etc/rc2.d/S99sshd

Create a startup script for the pseudo random generator daemon.
/etc/init.d/prngd

#! /bin/sh
#
# start/stop the pseudo random generator daemon

case "$1" in

'start')
     # Start the prngd daemon
     if [ -f /usr/local/bin/prngd ]; then
          echo "starting PRNG daemon"
          /usr/local/bin/prngd /var/spool/prngd/pool&
     fi
     ;;

'stop')
     # Stop the prngd daemon
     PID=`/usr/bin/ps -e -u 0 | /usr/bin/fgrep prngd | /usr/bin/awk '{print $1}'`
     if [ ! -z "$PID" ] ; then
          /usr/bin/kill ${PID} >/dev/null 2>&1
     fi
     ;;

*)
     echo "usage: /etc/init.d/prngd {start|stop}"
     ;;

esac

Make the script executable and link it into run level 2 so it starts at boot.

#chmod +x /etc/init.d/prngd
#ln -s /etc/init.d/prngd /etc/rc2.d/S99prngd

# /etc/init.d/prngd start
starting PRNG daemon
Info: Random pool not (yet) seeded
Could not bind socket to /var/spool/prngd/pool: No such file or directory
# mkdir -p /var/spool/prngd
#/etc/init.d/prngd start
starting PRNG daemon
# Info: Random pool not (yet) seeded
#
Next, start the actual ssh daemon:
# /etc/init.d/sshd start
starting SSHD daemon
Could not load host key: /usr/local/etc/ssh_host_key
Could not load host key: /usr/local/etc/ssh_host_rsa_key
Could not load host key: /usr/local/etc/ssh_host_dsa_key
Disabling protocol version 1. Could not load host key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
#

The errors above occur because we have not yet created any host key pairs for our ssh server.

Create a host key pair to support the new, DSA-based version 2 protocol:

# /usr/local/bin/ssh-keygen -d -f /usr/local/etc/ssh_host_dsa_key -N ""

Generating public/private dsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_dsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_dsa_key.pub.
The key fingerprint is:
00:91:f5:8a:55:7c:ac:ff:b7:08:1f:ce:23:aa:f2:79 root@solaris8

Create a host key pair to support the old, RSA-based version 1 protocol:

# /usr/local/bin/ssh-keygen -b 1024 -f /usr/local/etc/ssh_host_rsa_key -t rsa -N ""
Generating public/private rsa1 key pair.
Your identification has been saved in /usr/local/etc/ssh_host_rsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_rsa_key.pub.
The key fingerprint is:
8e:b0:1d:8a:22:f2:d2:37:1f:92:96:02:e8:74:ca:ea root@solaris8

Edit the ssh daemon configuration file /usr/local/etc/sshd_config to enable protocols 2 and 1.
Uncomment the line that says

protocol 2,1

# /etc/init.d/sshd start
starting SSHD daemon
#

Your ssh server is now ready to accept ssh sessions.

When a Solaris file system is damaged by an unexpected shutdown or similar, the error "Read-only file system" may appear at reboot. In that case the already mounted root file system has to be remounted read/write.

# umountall
# mount -F ufs -o rw,remount /


When external storage or a backup device is attached to a Solaris system, the volumes the storage presents to the server are defined (target, lun) in the sd.conf file.
Whenever these changed or new ones were added, you had to touch the reconfigure file and shut down with -i6.
Re-reading the storage volumes dynamically is simpler than you would think.

#update_drv -f sd
#drvconfig;disks


Do this and the storage volumes are picked up again dynamically. Simple, easy and fast.
(Note) Only possible on Solaris 10.


Dos Attack On UNIX

Unix  2008. 5. 8. 17:09
Found a good document after a long time. Customers these days ask for all sorts of things -_ -

The purpose of this document is to strengthen the UNIX IP stack against a variety of attack types prevalent on the Internet today. This document details the settings recommended for UNIX servers designed to provide network intensive services such as HTTP or routing (firewall services). You can find the most useful dos attack tutorial here in order to prevent the dos attacks on your servers.

General IP Stack Tuning Recommendations

1. TCP send and receive spaces

The TCP send and receive spaces directly affect the TCP window size parameter. An increased window size allows for more efficient transfers, particularly bulk transfers such as FTP and HTTP. The default for each is not optimal and should be increased to 32768 bytes. This value should not be increased above 64K bytes unless the implications of RFC1323 and RFC2018 are fully understood and support for both is enabled.
Do not enable RFC1323 without also enabling support for RFC2018. Remember, pipe drain is a Bad Thing[tm].
A. AIX
/usr/sbin/no -o tcp_sendspace=32768
/usr/sbin/no -o tcp_recvspace=32768
B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 32768
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 32768
C. Tru64 UNIX
No tuning recommendations.
D. HP-UX
The TCP send and receive spaces are set to 32768 by default
E. Linux kernel 2.2

While Linux automagically assigns the TCP send and receive spaces, support for both RFC1323 (large window support, net.ipv4.tcp_window_scaling) and RFC2018 (SACK support, net.ipv4.tcp_sack) are enabled by default.
F. FreeBSD
sysctl -w net.inet.tcp.sendspace=32768
sysctl -w net.inet.tcp.recvspace=32768
G. IRIX
The default settings for IRIX are 64Kbytes for both the TCP send and receive spaces.

2. Socket queue defense against SYN attacks

While great effort is undertaken to defend any network from those with malicious intent, several ports (largely TCP) must remain open to conduct business. Internet vandals may attempt to exploit these ports to launch a denial of service attack. One of the most popular attacks remains the SYN flood, wherein the socket queue of the attacked host is overwhelmed with bogus connection requests. To defend against such attacks, certain UNIX variants maintain separate queues for inbound socket connection requests. One queue is for half-open sockets (SYN received, SYN|ACK sent), the other queue for fully-open sockets awaiting an accept() call from the application. These two queues should be increased so that an attack of low to moderate intensity will have little to no effect on the stability or availability of the server.

A. AIX
/usr/sbin/no -o clean_partial_conns=1
This setting will instruct the kernel to randomly remove half-open sockets from the q0 queue to make room for new sockets.
B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
The q queue holds sockets awaiting an accept() call from the application.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 2048
The q0 queue contains half-open sockets.
C. Tru64 UNIX
/sbin/sysconfig -r socket sominconn=65535
The value of sominconn determines how many simultaneous incoming SYN packets can be handled by the system.

/sbin/sysconfig -r socket somaxconn=65535
The value of somaxconn sets the maximum number of pending TCP connections.

D. HP-UX
/usr/sbin/ndd -set tcp_syn_rcvd_max 1024
/usr/sbin/ndd -set tcp_conn_request_max 200

E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=1280
Increases the size of the socket queue (effectively, q0).
/sbin/sysctl -w net.ipv4.tcp_syncookies=1

Enables support for TCP SYN cookies, which mitigates the effectiveness of SYN floods. However, this may cause performance problems for large windows (see RFC1323 and RFC2018). To read more about SYN cookies, please review DJ Bernstein's paper here.

F. FreeBSD
sysctl -w kern.ipc.somaxconn=1024

G. IRIX
The listen() queue is hardcoded to 32. However, the system actually enforces the limit of pending connections as ((3 * backlog) / 2) + 1. This yields a maximum backlog of 49 connections.

3. Redirects

A miscreant can use IP redirects to modify the routing table on a remote host. In a well-designed network, redirects to the end stations should not be required. Both the sending and accepting of redirects should be disabled.

A. AIX
/usr/sbin/no -o ipignoreredirects=1
/usr/sbin/no -o ipsendredirects=0

B. Solaris
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0

C. Tru64 UNIX
No tuning recommendations.

D. HP-UX
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0

E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0

F. FreeBSD
sysctl -w net.inet.icmp.drop_redirect=1
sysctl -w net.inet.icmp.log_redirect=1
sysctl -w net.inet.ip.redirect=0
sysctl -w net.inet6.ip6.redirect=0

G. IRIX

/usr/sbin/systune icmp_dropredirects to 1

4. ARP cleanup

It is possible for a miscreant to cause resource exhaustion or performance degradation by filling the IP route cache with bogus ARP entries. In Solaris, there are two parameters that govern the cleanup interval for the IP route cache. For unsolicited ARP responses, the parameter to be tuned is arp_cleanup_interval. In AIX, the cleanup interval is governed by the value of arpt_killc. However, this parameter governs both solicited and unsolicited ARP entries. For this reason, it is likely best to leave the parameter at the default setting of 20 minutes.

A. AIX
/usr/sbin/no -o arpt_killc=20

B. Solaris
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000

C. Tru64 UNIX
No tuning recommendations.

D. HP-UX
By default set to five minutes.

E. Linux kernel 2.2
No tuning recommendations.

F. FreeBSD
sysctl -w net.link.ether.inet.max_age=1200

G. IRIX
No tuning recommendations.



5. Source routing

With source routing, an attacker can attempt to reach internal IP addresses - including RFC1918 addresses. It is important to disable the acceptance of source routed packets to prevent subtle probes of your internal networks.

A. AIX
/usr/sbin/no -o ipsrcroutesend=0
Disable the sending of source routed packets.
/usr/sbin/no -o ipsrcrouteforward=0
This is important if the box is routing, e.g. a firewall. Disable this feature to prevent the host from forwarding source routed packets.

B. Solaris
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
This is important if the box is routing, e.g. a firewall. Disable this feature to prevent the host from forwarding source routed packets.

C. Tru64 UNIX
No tuning recommendations.

D. HP-UX
ndd -set /dev/ip ip_forward_src_routed 0
Disable this feature to prevent the host from forwarding source routed packets.

E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
Drop all source route packets.
/sbin/sysctl -w net.ipv4.conf.all.forwarding=0
/sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
Do not forward source routed frames.

F. FreeBSD
sysctl -w net.inet.ip.sourceroute=0
sysctl -w net.inet.ip.accept_sourceroute=0

G. IRIX
/usr/sbin/systune ipforward to 2

6. TIME_WAIT setting

On a busy web server, many sockets may linger in the TIME_WAIT state. This is caused by improperly coded client applications that do not properly shut down a socket. This can also be used as a type of DDoS attack.

A. AIX
No tuning recommendations.

B. Solaris
/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 60000
This parameter affects the amount of time a TCP socket remains in the TIME_WAIT state. The default is quite high for a busy web server, so it should be lowered to 60000 milliseconds (60 seconds). The parameter name was corrected in Solaris 7 and higher. Prior to Solaris 7, the parameter was incorrectly labeled as tcp_close_wait_interval.

C. Tru64 UNIX
No tuning recommendations.

D. HP-UX
ndd -set /dev/tcp tcp_time_wait_interval 60000
Sockets will linger in TIME_WAIT state no more than 60 seconds.

E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.vs.timeout_timewait=60
Sockets will linger in TIME_WAIT state for no more than 60 seconds.

F. FreeBSD
No tuning recommendations.

G. IRIX
/usr/sbin/systune tcp_2msl to 60



7. Broadcast ECHO response

Smurf attacks work by sending ICMP type 8 code 0 (ECHO REQUEST) messages to a broadcast address from a spoofed address. Some IP stacks will respond, by default, to such messages. This should be disabled. Further, if the host is a firewall (router), it should not propagate directed broadcasts.

A. AIX
/usr/sbin/no -o directed_broadcast=0
Do not respond to directed broadcasts.

B. Solaris
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
Do not respond to directed broadcasts.
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
Do not forward directed broadcasts.

C. Tru64 UNIX
No tuning recommendations.

D. HP-UX
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
Do not respond to directed broadcasts.
ndd -set /dev/ip ip_forward_directed_broadcasts 0
Do not forward directed broadcasts.

E. Linux kernel 2.2
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
Do not respond to directed broadcasts.

F. FreeBSD
sysctl -w net.inet.icmp.bmcastecho=0

G. IRIX
/usr/sbin/systune allow_brdaddr_srcaddr to 0



8. Other broadcast probes

There are two other broadcast probes that a miscreant could utilize against a network. The address mask query can be used to map out the size of the netblock, and set a range for further probes. The timestamp broadcast is another means of mapping and fingerprinting hosts.

A. AIX
/usr/sbin/no -o icmpaddressmask=0
Prevent address mask queries.

B. Solaris
/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
Prevent address mask queries.
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
Disable timestamp broadcast query response.

C. Tru64 UNIX
No tuning recommendations.

D. HP-UX
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
Prevent the host from revealing the configured netmask.
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
Disable timestamp broadcast query response.

E. Linux kernel 2.2
No tuning recommendations.

F. FreeBSD
sysctl -w net.inet.icmp.maskrepl=0

G. IRIX
Use ipfilterd to block unwanted ICMP types.



9. Support for RFC1948

This will utilize RFC1948 sequence number generation techniques to ensure that the initial sequence number for a given TCP socket is very difficult to guess. This tactic makes IP spoofing significantly more difficult to accomplish.

B. Solaris
Set TCP_STRONG_ISS=2 in /etc/default/inetinit.
This will require a reboot to take effect.

G. IRIX
/usr/sbin/systune tcpiss_md5 to 1
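As an added example that is not part of the document above, the Solaris values from sections 1 to 8 collected into an audit script: it reads each parameter with ndd, reports drift from the recommendation, and prints the ndd -set lines that would correct it for review. NDD_READER is an assumption of this example (a hook so the audit can be exercised offline with constructed values), not an ndd feature.

```shell
#!/bin/sh
# Added example, not part of the document above: audit a Solaris host against
# the ndd settings recommended in sections 1 to 8 and report any drift.
# Assumptions: "/usr/sbin/ndd DEVICE PARAM" prints the current value (the
# "-set" form above writes it), and NDD_READER may name another command or a
# shell function that answers the same way, so the audit can run offline.

# Recommended values, copied from the Solaris entries above: device param value
SOLARIS_RECOMMENDED='
/dev/tcp tcp_xmit_hiwat 32768
/dev/tcp tcp_recv_hiwat 32768
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_conn_req_max_q0 2048
/dev/ip ip_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_forward_src_routed 0
/dev/tcp tcp_time_wait_interval 60000
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_timestamp_broadcast 0
'

# read_ndd DEVICE PARAM -> current value on stdout
read_ndd() { "${NDD_READER:-/usr/sbin/ndd}" "$1" "$2"; }

# audit_ndd -> one line per parameter: "OK|DRIFT device param have want";
# the return value is the number of drifted parameters (0 = compliant)
audit_ndd() {
    drift=0
    while read -r dev param want; do
        [ -n "$dev" ] || continue
        have=$(read_ndd "$dev" "$param" 2>/dev/null) || have=unreadable
        if [ "$have" = "$want" ]; then
            echo "OK $dev $param $have $want"
        else
            echo "DRIFT $dev $param $have $want"
            drift=$((drift + 1))
        fi
    done <<EOF
$SOLARIS_RECOMMENDED
EOF
    return $drift
}

# ndd_set_commands -> the "ndd -set" lines that would correct each drifted
# parameter, printed for review rather than executed
ndd_set_commands() {
    audit_ndd | awk '$1 == "DRIFT" { print "/usr/sbin/ndd -set", $2, $3, $5 }'
}
```

ndd settings do not survive a reboot, so a host that audits clean today can drift after the next restart; the same audit belongs in the boot sequence or a periodic job.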

There are several ways to back up the OS. The ones most commonly used are
building a mirror from two internal disks of identical spec, and
periodically dumping to a specific slice from cron.
Here is how to make an identical disk by taking a dump, writing it to a new disk, and installing a boot block.

[Assumptions]
Disk where the OS is currently installed: c0t0d0s2
New disk: c0t1d0s2

[Procedure]
1. Using prtvtoc, replicate the source disk's partition layout onto the target disk.
#prtvtoc /dev/rdsk/c0t0d0s2 | fmthard -s - /dev/rdsk/c0t1d0s2

2. Create a new file system on the target (new) disk.
#newfs /dev/dsk/c0t1d0s2

3. Mount the target disk so it can be used.
#mount /dev/dsk/c0t1d0s2 /mnt

4. Dump from the source disk and restore onto the target disk. (This takes a while.)
#ufsdump 0f - /dev/dsk/c0t0d0s2 | (cd /mnt; ufsrestore rf -)

5. Unmount.
#umount /mnt

6. The target disk has no boot block, so it cannot boot yet. Install a boot block.
#installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk /dev/rdsk/c0t1d0s2


How to build a mirror with Disk Suite on Solaris, next time~