This page is not yet complete.
Contents
As a way of organizing my notes, I plan to document how to set up a basic Ubuntu 16.04 server.
- Ubuntu installation
- Basic settings
- OpenSSH installation
- SSL-related settings
- vsftpd settings
- LAMP stack
- Apache2 settings
- MySQL settings
- PHP settings
- WordPress settings
- Mail settings
- Postfix settings
- Dovecot settings
- SquirrelMail settings
- Security settings
- sshguard settings
- DenyHosts settings
- rkhunter settings
- logwatch settings
- syslog settings
1. Ubuntu installation
This is a sub-page of the Ubuntu 16.04 server setup guide.
- Select a language and click the "Install Ubuntu" button to start the installation.
- Preparing to install Ubuntu
- Installation type
- Write the changes to disks?
- Where are you?
- Keyboard layout
- Who are you? (initial account setup)
- Thank you for using Ubuntu: copying files
- Thank you for using Ubuntu: installing
- Installation complete: the computer must be restarted before the newly installed software can be used.
After the first boot, refresh the package cache and bring the system up to date before configuring anything:
sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade
sudo reboot now
2. Basic settings
Installing vim
sudo apt-get install vim
installs vim.
deios@ubt16:~$ sudo apt-get install vim
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  vim-runtime
Suggested packages:
  ctags vim-doc vim-scripts vim-gnome-py2 | vim-gtk-py2 | vim-gtk3-py2 | vim-athena-py2 | vim-nox-py2
The following NEW packages will be installed:
  vim vim-runtime
0 upgraded, 2 newly installed, 0 to remove and 3 not upgraded.
Need to get 6,210 kB of archives.
After this operation, 30.0 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Changing the locale
sudo locale-gen ko_KR.UTF-8
generates the Korean locale.
deios@ubt16:~$ sudo locale-gen ko_KR.UTF-8
Generating locales (this might take a while)...
  ko_KR.UTF-8... done
Generation complete.
sudo dpkg-reconfigure locales
reconfigures the locales and lets you pick the system default.
NTP settings
This keeps the server's clock synchronized with internet time servers appropriate for the region where the server is located. A server must always have an accurate clock (log timestamps, certificate validity periods and authentication protocols all depend on it), so this step is essential.
sudo apt-get install ntp
installs the NTP (Network Time Protocol) daemon, which acts as the client here.
To make Korean Standard Time the server's local time, run:
sudo cp /usr/share/zoneinfo/Asia/Seoul /etc/localtime
(On 16.04, sudo timedatectl set-timezone Asia/Seoul does the same job by creating a symlink into /usr/share/zoneinfo, so the zone keeps receiving tzdata updates; a copied file does not.)
To speed up synchronization, tell ntpd which servers to use:
sudo vim /etc/ntp.conf
and add the following lines at the end of the file:
server 1.asia.pool.ntp.org
server 1.kr.pool.ntp.org
server 2.asia.pool.ntp.org
server 3.asia.pool.ntp.org
server kr.pool.ntp.org
server ntp.ewha.net
server ntp.kornet.net
server ntp1.epidc.co.kr
server ntp2.epidc.co.kr
server ticktock.ewha.net
server time.bora.net
#server time.kornet.net
server time.kriss.re.kr
server time.nist.gov
server time.windows.com
server time-a.nist.gov
server time-b.nist.gov
server time-nw.nist.gov
Plain NTP carries no authentication, so this list only affects accuracy, not trust; keeping several independent sources (including the Ubuntu pool entries already in the file) lets ntpd discard a single bad server.
sudo service ntp restart
restarts ntpd. After a short while, run
ntpq -p
to confirm that synchronization is working. In the output, the peer marked with * is the source ntpd is currently synchronized to, + marks the other surviving candidates, and a stratum (st) of 16 with a refid of .INIT. or .POOL. means the entry has not answered yet or is only a pool placeholder. delay, offset and jitter are in milliseconds.
deios@ubt16:~$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 ntp.ubuntu.com  .POOL.          16 p    -   64    0    0.000    0.000   0.000
 82.200.209.236  89.109.251.21    2 u   44   64    1  383.219   -3.543   0.000
+dadns.cdnetwork 131.107.13.100   2 u   49   64    1    2.194    0.505   0.000
 time.iqnet.com  62.201.207.162   2 u   43   64    1  371.837    1.542   0.000
 timpany.srv.jre 133.243.238.164  2 u   46   64    1   75.441   12.455   0.000
-send.mx.cdnetwo 131.107.13.100   2 u   47   64    1    2.633   -6.984   0.000
*114.207.245.175 141.223.182.106  2 u   47   64    1   10.180    0.436   0.000
 168.126.3.6     .INIT.          16 u    -   64    0    0.000    0.000   0.000
 ntp1.sjtel.net  ......          16 u   44   64    0    0.000    0.000   0.000
 ntp2.sjtel.net  129.6.15.29      2 u   44   64    1    2.988   30.824   0.000
+114.207.245.166 133.243.238.164  2 u   48   64    1   20.615    6.343   0.000
 time.bora.net   211.181.136.34   3 u   45   64    1    5.415   50.485   0.000
 210.98.16.100   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 198.60.73.8     .ACTS.           1 u   45   64    1  199.448  -27.856   0.000
 40.69.40.157    132.163.4.103    2 u   44   64    1  277.170   -9.447   0.000
 time-a.nist.gov .ACTS.           1 u   45   64    1  261.382   28.959   0.000
 time-b.nist.gov .ACTS.           1 u   45   64    1  261.745   31.618   0.000
 131.107.13.100  .ACTS.           1 u   46   64    1  138.264   -0.733   0.000
 mail.funix.net  128.199.84.169   3 u   34   64    1    2.860  -22.239   0.257
-106.247.248.106 203.248.240.140  3 u   38   64    1    4.263    5.543   0.089
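Reading the tally column by eye is error-prone, so here is an added example (my script, not part of the original page) that turns ntpq -p output into a pass/fail check: it reports which peer ntpd is synchronized to, fails if no peer is selected, fails if the offset exceeds a limit, and counts entries that were never reached. The sample output is constructed (abridged from the listing above); on a real host pipe ntpq -p into the functions.

```shell
#!/bin/sh
# Added example (not from the original page): decide from `ntpq -p` output
# whether ntpd has actually picked a synchronization source and whether the
# clock offset is small enough. The tally character in column 1 is what matters:
#   '*'  the peer ntpd is currently synchronized to
#   '+'  surviving candidates that could take over
#   ' ', '-', 'x', '.'  not used; st 16 with .INIT./.POOL. = never reached
# delay, offset and jitter are in milliseconds.

# Constructed sample output for offline use (abridged from a real listing).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
+dadns.cdnetwork 131.107.13.100   2 u   49   64    1    2.194    0.505   0.000
*114.207.245.175 141.223.182.106  2 u   47   64    1   10.180    0.436   0.000
 168.126.3.6     .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# check_ntp_sync MAX_OFFSET_MS   (reads ntpq -p output on stdin)
# Exit status: 0 = synced and |offset| <= MAX_OFFSET_MS
#              1 = no peer selected ('*') at all
#              2 = synced, but the offset exceeds the limit
check_ntp_sync() {
    awk -v max="$1" '
        /^\*/ {
            sub(/^\*/, "")          # drop the tally so fields line up with the header
            peer = $1; shown = $9; off = $9
            if (off < 0) off = -off
        }
        END {
            if (peer == "") { print "no selected peer"; exit 1 }
            print "synced to " peer " offset " shown " ms"
            if (off > max) exit 2
            exit 0
        }'
}

# unreached_peers   (reads ntpq -p output on stdin)
# Counts entries at stratum 16: pool placeholders or servers that never
# answered, which is the usual symptom of a firewall blocking UDP/123.
unreached_peers() {
    awk 'NR > 2 { sub(/^[*+ x.#o-]/, ""); if ($3 == 16) n++ } END { print n + 0 }'
}

# Typical use on a live host:
#   ntpq -p | check_ntp_sync 100 || echo "clock not trustworthy"
```

A host that shows only stratum-16 peers after several minutes is not synchronized at all, whatever the server list in ntp.conf says; that is the case to look for right after enabling the firewall.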
3. OpenSSH installation
sudo apt-get install openssh-server
installs OpenSSH.
sudo vim /etc/ssh/sshd_config
opens the configuration file. Set:
LoginGraceTime 60
PermitRootLogin no
LoginGraceTime limits how long an unauthenticated connection may stay open before the server drops it, and PermitRootLogin no blocks direct root logins (log in as a regular user and use sudo). sshd honours the first occurrence of each keyword, so change the existing lines rather than appending new ones at the end of the file, and run sudo sshd -t before restarting so that a typo cannot lock you out.
To show a banner at login, also uncomment line 72:
Banner /etc/issue.net
then edit the banner with
sudo vim /etc/issue.net
I use the following banner:
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials.
Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.
LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
****************************************************************************
sudo service ssh restart
restarts the OpenSSH server.
4. SSL-related settings
The certificate for this site was issued by WoSign. (Caveat: the major browsers distrusted WoSign-issued certificates from late 2016 onward, so a certificate from this CA has to be replaced today; the file-handling steps below are the same for any CA.)
Convert each certificate to DER and back to PEM. The .crt files are already PEM, so the round trip only normalizes them; openssl x509 -in deios.kr.crt -out deios.kr.pem would produce the same .pem directly.
openssl x509 -in deios.kr.crt -out deios.kr.der -outform DER
openssl x509 -in deios.kr.der -inform DER -out deios.kr.pem -outform PEM
openssl x509 -in wosign.com.crt -out wosign.com.der -outform DER
openssl x509 -in wosign.com.der -inform DER -out wosign.com.pem -outform PEM
openssl x509 -in chain.wosign.com.crt -out chain.wosign.com.der -outform DER
openssl x509 -in chain.wosign.com.der -inform DER -out chain.wosign.com.pem -outform PEM
Concatenate the server certificate, its issuer and the rest of the chain into one file, leaf first:
cat deios.kr.pem wosign.com.pem chain.wosign.com.pem > chain.deios.kr.pem
Set permissions. Certificates, CSRs and the DER/PEM copies are public and may be world-readable; private keys must be readable by root only. (The original used chmod 660 for *.key.secure, which gives the file's group write access to the passphrase-protected key for no reason; 600 is used here for both.)
chmod 644 *.crt
chmod 644 *.csr
chmod 644 *.der
chmod 644 *.pem
chmod 600 *.key
chmod 600 *.key.secure
Copy the files into the system locations (/etc/ssl/private is a root-only directory):
cp *.crt /etc/ssl/certs/
cp *.csr /etc/ssl/certs/
cp *.der /etc/ssl/certs/
cp *.pem /etc/ssl/certs/
cp *.key /etc/ssl/private/
cp *.key.secure /etc/ssl/private/
Create generic names so that the daemon configurations below do not have to change when the certificate is renewed:
ln -s /etc/ssl/certs/deios.kr.crt /etc/ssl/certs/server.crt
ln -s /etc/ssl/certs/deios.kr.der /etc/ssl/certs/server.der
ln -s /etc/ssl/certs/deios.kr.pem /etc/ssl/certs/server.pem
ln -s /etc/ssl/certs/chain.deios.kr.pem /etc/ssl/certs/chain.pem
ln -s /etc/ssl/private/deios.kr.key /etc/ssl/private/server.key
Apache: enable mod_ssl and point the TLS virtual host at the files.
a2enmod ssl
vim /etc/apache2/sites-enabled/000-dworld_ssl.conf
SSLCertificateChainFile /etc/ssl/certs/chain.wosign.com.crt
SSLCACertificateFile /etc/ssl/certs/wosign.com.crt
SSLCACertificatePath /etc/ssl/certs/
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCertificateFile is the server (leaf) certificate and SSLCertificateChainFile supplies the intermediate CA certificates that are sent to browsers. SSLCACertificateFile and SSLCACertificatePath are only consulted when verifying client certificates; they do not affect what the server presents. (SSLCertificateChainFile is deprecated since Apache 2.4.8; the intermediates can instead be appended to the file named by SSLCertificateFile.)
vsftpd: reference the same files and turn TLS on.
vim /etc/vsftpd.conf
rsa_cert_file=/etc/ssl/certs/server.crt
rsa_private_key_file=/etc/ssl/private/server.key
ssl_enable=YES
service vsftpd restart
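Two things go wrong most often with the steps above: a private key ends up readable or writable by the wrong accounts, and a renewed certificate is deployed against the old key or with the chain in the wrong order. The following shell functions are an added example (mine, not the page's) that check all three; the file names follow the page's server.crt / server.key convention, the directory is a parameter so the checks can run on a scratch directory, and the cert/key and chain checks need the openssl command.

```shell
#!/bin/sh
# Added example, not from the original page: checks for the certificate and
# key files handled in this section. The directory is a parameter so the
# functions can be exercised on a scratch directory as well as on /etc/ssl.

# check_key_perms DIR
# Lists every *.key and *.key.secure under DIR whose mode is not 0600 or
# 0400 and returns the number found. A group-writable private key lets any
# member of that group replace it; a group-readable one lets any such
# account impersonate the server.
check_key_perms() {
    dir="$1"; bad=0
    for f in "$dir"/*.key "$dir"/*.key.secure; do
        [ -e "$f" ] || continue                 # pattern matched nothing
        mode=$(stat -c '%a' "$f")               # GNU stat: octal mode, e.g. 600
        case "$mode" in
            600|400) ;;
            *) echo "insecure mode $mode on $f"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# cert_matches_key CERT KEY
# Returns 0 when the certificate's public key equals the key's public key,
# 1 when they differ, 2 when either file cannot be parsed. Comparing the
# SubjectPublicKeyInfo works for RSA and EC keys alike, whereas the older
# "-modulus" trick only works for RSA. For an encrypted key, openssl pkey
# prompts for the passphrase.
cert_matches_key() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cpub" = "$kpub" ]
}

# chain_order_ok CHAINFILE
# A concatenated chain must start with the server certificate, followed by
# the issuer of each preceding certificate. Returns 0 when every
# certificate's issuer equals the subject of the next one, 1 when the
# order is wrong, 2 when the file holds no parsable certificates.
chain_order_ok() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '
        /^subject=/ { s[++n] = substr($0, 9) }
        /^issuer=/  { i[n]   = substr($0, 8) }
        END {
            if (n == 0) exit 2
            for (k = 1; k < n; k++) if (i[k] != s[k + 1]) exit 1
            exit 0
        }'
}

# Typical use after the copy step above (as root):
#   check_key_perms /etc/ssl/private
#   cert_matches_key /etc/ssl/certs/server.crt /etc/ssl/private/server.key
#   chain_order_ok /etc/ssl/certs/chain.pem
```

Run the three checks before restarting Apache, vsftpd, Postfix or Dovecot: a daemon that fails to load a mismatched key or key file simply refuses to start, and the first notice is often a user reporting the service down.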
5. vsftpd settings
apt-get install vsftpd
vim /etc/vsftpd.conf
write_enable=YES
local_umask=022
chroot_local_user=YES
allow_writeable_chroot=YES
rsa_cert_file=/etc/ssl/certs/server.crt
rsa_private_key_file=/etc/ssl/private/server.key
ssl_enable=YES
service vsftpd restart
chroot_local_user=YES confines each user to their home directory. vsftpd refuses to start a session when the chroot root itself is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") because a writable chroot root can be abused to escape it; allow_writeable_chroot=YES switches that safeguard off. The safer layout is a root-owned, non-writable home directory with a writable subdirectory for uploads. With ssl_enable=YES, vsftpd's defaults force_local_logins_ssl=YES and force_local_data_ssl=YES already require TLS for local users' logins and data transfers; leave them at their defaults so passwords never cross the network in clear.
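The sshd_config edits in section 3 and the vsftpd.conf edits above are easy to get subtly wrong: sshd takes the first value of a keyword, so a hardening line appended at the end of the file is ignored, while vsftpd takes the last. The audit below is an added example (my script, not the page's) that reads both files with the right precedence and reports the settings the page relies on. The sample configuration files are constructed here so it runs offline; on a real host point the functions at /etc/ssh/sshd_config and /etc/vsftpd.conf, and still run sshd -t before restarting sshd.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the sshd_config and
# vsftpd.conf settings from sections 3 and 5 before restarting either daemon.
# Sample configs are constructed below so the functions run offline.

# sshd_value FILE KEYWORD -> effective value.
# sshd uses the FIRST occurrence of a keyword (keywords are case-insensitive),
# so a line appended at the end of the file is ignored if an earlier line
# already sets the keyword.
sshd_value() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# vsftpd_value FILE KEY -> value of a key=value line; later lines override.
vsftpd_value() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# audit_sshd FILE -> prints findings, returns their number
audit_sshd() {
    f="$1"; bad=0
    if [ "$(sshd_value "$f" PermitRootLogin)" != "no" ]; then
        echo "sshd: PermitRootLogin must be no"; bad=$((bad + 1))
    fi
    g=$(sshd_value "$f" LoginGraceTime)
    case "$g" in
        ''|*[!0-9]*) echo "sshd: LoginGraceTime not set to a plain number of seconds"; bad=$((bad + 1)) ;;
        *) if [ "$g" -gt 60 ]; then echo "sshd: LoginGraceTime $g > 60"; bad=$((bad + 1)); fi ;;
    esac
    return "$bad"
}

# audit_vsftpd FILE -> prints findings, returns their number
audit_vsftpd() {
    f="$1"; bad=0
    if [ "$(vsftpd_value "$f" ssl_enable)" != "YES" ]; then
        echo "vsftpd: ssl_enable must be YES"; bad=$((bad + 1))
    fi
    if [ "$(vsftpd_value "$f" anonymous_enable)" != "NO" ]; then
        echo "vsftpd: anonymous_enable not explicitly NO"; bad=$((bad + 1))
    fi
    if [ "$(vsftpd_value "$f" allow_writeable_chroot)" = "YES" ]; then
        echo "vsftpd: note: allow_writeable_chroot=YES disables the writable-chroot safeguard"
    fi
    return "$bad"
}

# --- constructed samples (not real configuration files) -------------------
SAMPLE_DIR=$(mktemp -d)
# Wrong: "PermitRootLogin no" appended below an existing "yes" is ignored
# by sshd, and "2m" (valid syntax) is 120 seconds.
cat > "$SAMPLE_DIR/sshd_config.bad" <<'EOF'
Port 22
PermitRootLogin yes
LoginGraceTime 2m
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/sshd_config.good" <<'EOF'
Port 22
LoginGraceTime 60
PermitRootLogin no
Banner /etc/issue.net
EOF
# The page's vsftpd settings, verbatim, without anonymous_enable.
cat > "$SAMPLE_DIR/vsftpd.conf" <<'EOF'
write_enable=YES
local_umask=022
chroot_local_user=YES
allow_writeable_chroot=YES
rsa_cert_file=/etc/ssl/certs/server.crt
rsa_private_key_file=/etc/ssl/private/server.key
ssl_enable=YES
EOF
```

The anonymous_enable check is deliberately strict: Ubuntu's shipped vsftpd.conf sets it to NO, but a hand-written file that omits it relies on the compiled-in default, which changed between vsftpd 2.x (YES) and 3.x (NO).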
6. LAMP stack
6-1. Apache2 settings
apt-get install apache2
apt-get install curl
a2enmod rewrite
a2enmod userdir
a2dismod autoindex
a2enmod ssl
rewrite is needed for WordPress permalinks, userdir serves ~user/public_html (where WordPress is installed below), and disabling autoindex stops Apache from listing the contents of directories that have no index file.
vim /etc/apache2/conf-enabled/security.conf
ServerTokens Prod
ServerSignature Off
TraceEnable Off
These hide the Apache version from the Server header and from error pages, and disable the TRACE method.
vim /etc/apache2/sites-enabled/000-dworld_ssl.conf
SSLCertificateChainFile /etc/ssl/certs/chain.wosign.com.crt
SSLCACertificateFile /etc/ssl/certs/wosign.com.crt
SSLCACertificatePath /etc/ssl/certs/
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
systemctl restart apache2
6-2. MySQL settings
apt-get install mysql-server
Run mysql_secure_installation afterwards to remove the anonymous accounts and the test database. Then set the client and server character sets to utf8mb4 (full Unicode, including 4-byte characters):
#vim /etc/mysql/debian.cnf
[client]
default-character-set = utf8mb4
(The debian.cnf edit is left commented out: that file holds the package's debian-sys-maint credentials and is managed by the package.)
vim /etc/mysql/conf.d/mysql.cnf
[mysql]
default-character-set = utf8mb4
vim /etc/mysql/conf.d/mysqldump.cnf
[mysqldump]
max_allowed_packet = 2048M
default-character-set = utf8mb4
vim /etc/mysql/mysql.conf.d/mysqld.cnf
[mysqld]
character-set-client-handshake = FALSE
init_connect = 'SET NAMES utf8mb4 COLLATE utf8mb4_unicode_ci'
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
service mysql restart
The original had two init_connect lines (SET collation_connection = utf8mb4_unicode_ci and SET NAMES utf8mb4). In an option file the later line overrides the earlier one, and SET NAMES utf8mb4 on its own resets the connection collation to the charset default (utf8mb4_general_ci), so the two statements are combined into one here. init_connect is not executed for accounts with the SUPER privilege such as root, so verify the result with the application's own account.
6-3. PHP settings
apt-get install php libapache2-mod-php php-mcrypt php-mysql
vim /etc/apache2/mods-enabled/dir.conf
(so that index.php is served in preference to index.html; the DirectoryIndex line itself is not shown here)
systemctl restart apache2
systemctl status apache2
apt-get install php-cli
vim /etc/php/7.0/apache2/php.ini
short_open_tag = On
vim /var/www/html/index.php
Create a test page to confirm that PHP runs under Apache, then remove it so that it is not left exposed:
rm -rf /var/www/html/index.php
apt-get install php-curl php-gd php-mbstring php-mcrypt php-xml php-xmlrpc
vim /etc/apache2/mods-enabled/php7.0.conf
(the shipped file disables PHP under ~user/public_html with php_admin_flag engine Off; since WordPress lives under public_html here, that block has to be commented out, though the edit itself is not shown)
apt-get install php-gd php-imap php-dev
6-4. WordPress settings
WordPress is installed under /Home/deios/public_html/wp, owned by the deploy user with www-data as the group, so that Apache can read everything but write only where it must:
chown -R deios:www-data /Home/deios/public_html/wp
chmod 660 .htaccess
chmod 660 wp-content/.htaccess
find /Home/deios/public_html/wp -type d -exec chmod g+s {} \;
chmod g+w wp-content
chmod -R g+w wp-content/themes
chmod -R g+w wp-content/plugins
chmod -R g+w wp-content/uploads
chmod 770 wordfence-waf.php
chmod 770 wp-content/advanced-cache.php
chmod 770 wp-content/wp-cache-config.php
chmod -R 770 wp-content/cache
chmod -R 770 wp-content/wfcache
chmod -R 770 wp-content/wflogs
The setgid bit on the directories makes files that Apache creates inherit the www-data group. Group write is limited to the wp-content subtrees WordPress writes to and to the files the Wordfence and caching plugins maintain; WordPress core stays read-only for the web server and nothing is world-writable, which limits what a compromised plugin can modify.
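The commands above are a one-off; they are easy to apply in the wrong order or to forget after a plugin update. Here is an added example (my script, not the page's) that applies the same scheme as one idempotent function and then audits the invariants behind it. It goes slightly beyond the page's commands by first setting a base of 2750 on directories and 640 on files, so that the result does not depend on whatever the unpacked archive had; the group-writable paths are the page's, the user, group and root directory are parameters, and the test tree is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: the WordPress permission scheme
# as one idempotent function plus an audit. Invariants:
#   - directories 2750 (setgid: files created by Apache inherit the group)
#   - files 640: readable by the web server, writable only by the deploy user
#   - group write only under wp-content/{themes,plugins,uploads} and the
#     Wordfence/cache files the page names, never on WordPress core
#   - nothing world-writable
# The base modes (2750/640) are an assumption added here; the writable
# paths are the page's.

WP_GROUP_WRITABLE_DIRS='wp-content/themes wp-content/plugins wp-content/uploads'
WP_PLUGIN_WRITABLE='wordfence-waf.php wp-content/advanced-cache.php wp-content/wp-cache-config.php wp-content/cache wp-content/wfcache wp-content/wflogs'

# apply_wp_perms WP_ROOT OWNER GROUP
apply_wp_perms() {
    root="$1"
    chown -R "$2:$3" "$root" 2>/dev/null || true   # needs root; harmless to skip in a sandbox
    find "$root" -type d -exec chmod 2750 {} \;
    find "$root" -type f -exec chmod 640 {} \;
    if [ -d "$root/wp-content" ]; then chmod g+w "$root/wp-content"; fi   # not recursive
    for p in $WP_GROUP_WRITABLE_DIRS; do
        if [ -d "$root/$p" ]; then chmod -R g+w "$root/$p"; fi
    done
    for p in $WP_PLUGIN_WRITABLE; do
        if [ -e "$root/$p" ]; then chmod -R g+w "$root/$p"; fi
    done
    for p in .htaccess wp-content/.htaccess; do
        if [ -e "$root/$p" ]; then chmod 660 "$root/$p"; fi
    done
    return 0
}

# audit_wp_perms WP_ROOT -> prints violations, returns their number
#   1. anything world-writable (octal -002)
#   2. group-writable PHP outside wp-content (octal -020): core files that
#      www-data could rewrite are what a compromised plugin uses to persist
audit_wp_perms() {
    root="$1"
    find "$root" -perm -002 | sed 's/^/world-writable: /'
    n=$(find "$root" -perm -002 | awk 'END { print NR }')
    find "$root" ! -path "$root/wp-content/*" -name '*.php' ! -name wordfence-waf.php -perm -020 |
        sed 's/^/core PHP writable by web server: /'
    m=$(find "$root" ! -path "$root/wp-content/*" -name '*.php' ! -name wordfence-waf.php -perm -020 |
        awk 'END { print NR }')
    return $((n + m))
}

# Typical use (as root), matching the page's paths:
#   apply_wp_perms /Home/deios/public_html/wp deios www-data
#   audit_wp_perms /Home/deios/public_html/wp
```

Re-run the audit after every WordPress, theme or plugin update: updaters run as www-data and sometimes leave files group-writable outside wp-content.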
Generate the authentication salts for wp-config.php:
curl -s https://api.wordpress.org/secret-key/1.1/salt/
Create the database and a dedicated account, then restore the site's data from a backup:
mysqladmin -u root -p create [DB name]
mysql -u root -p
mysql> use mysql;
mysql> grant all privileges on [DB name].* to [ID]@localhost identified by '[password]' with grant option;
mysql> FLUSH PRIVILEGES;
mysql> quit;
mysql -u root -p [DB name] < [backup SQL file]
WordPress does not need WITH GRANT OPTION; drop it so that the application account cannot hand out its own privileges if it is ever compromised.
7. Mail settings
7-1. Postfix settings
apt-get install postfix
dpkg-reconfigure postfix
vim /etc/postfix/main.cf
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_cert_file = /etc/ssl/certs/server.pem
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_CAfile = /etc/ssl/certs/wosign.com.pem
smtpd_tls_CApath = /etc/ssl/certs/
Authentication is delegated to Dovecot through the private/auth socket, and reject_unauth_destination makes Postfix relay only for authenticated users and mynetworks, so it is not an open relay. smtpd_tls_security_level = may is right for port 25, where other mail servers may not support STARTTLS; TLS is mandatory only on the submission ports below. Because smtpd_sasl_auth_enable = yes also applies to port 25, add smtpd_tls_auth_only = yes so that AUTH is offered only after STARTTLS and passwords never travel in clear.
vim /etc/postfix/master.cf
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
service postfix restart
7-2. Dovecot settings
apt-get install dovecot-common
vim /etc/dovecot/conf.d/10-master.conf
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
}
The socket lives in /var/spool/postfix/private, which only the postfix user can enter, so mode 0666 on the socket itself does not expose it.
vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
plain and login send the password in clear; Dovecot's default disable_plaintext_auth = yes restricts them to TLS (or local) connections, so leave that default in place.
apt-get install dovecot-imapd dovecot-pop3d
vim /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
vim /etc/dovecot/conf.d/20-pop3.conf
pop3_uidl_format = %08Xu%08Xv
vim /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert =
ssl_key =
ssl_ca =
(The paths are not given here. Dovecot expects them in the form ssl_cert = </path/to/file, the leading < meaning "read the value from this file".)
newaliases
service dovecot restart
7-3. SquirrelMail settings
apt-get install squirrelmail
squirrelmail-configure
cp /etc/squirrelmail/apache.conf /etc/apache2/sites-available/squirrelmail.conf
a2ensite squirrelmail
service apache2 restart
Webmail logins are mailbox passwords, so make sure the /squirrelmail alias is reachable only through the HTTPS virtual host.
8. Security settings
8-1. sshguard settings
apt-get install sshguard
sshguard watches the authentication log and blocks addresses with repeated failed logins through the firewall.
8-2. DenyHosts settings
apt-get install denyhosts
vim /etc/denyhosts.conf
PURGE_DENY = 1d
service denyhosts restart
PURGE_DENY = 1d expires entries from /etc/hosts.deny after a day. DenyHosts and sshguard do the same job for SSH (one through TCP wrappers, the other through the firewall); running both is redundant, and one of them is enough.
8-3. rkhunter settings
apt-get install rkhunter
vim /etc/default/rkhunter
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"
DB_UPDATE_EMAIL="true"
REPORT_EMAIL="[email protected]"
rkhunter --propupd
rkhunter --checkall
rkhunter --propupd records the current file properties as the trusted baseline, so run it only on a host you believe to be clean (ideally right after installation) and again after package upgrades; APT_AUTOGEN="true" does the latter automatically. rkhunter --checkall runs a full scan now so that the configuration and any initial warnings can be reviewed before the daily cron job starts mailing reports.
8-4. logwatch settings
apt-get install logwatch
mkdir /var/cache/logwatch
cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
cp /usr/share/logwatch/default.conf/logfiles/http.conf /etc/logwatch/conf/logfiles/
vim /etc/logwatch/conf/logwatch.conf
Output = mail
Format = text
MailTo = [email protected]
Detail = Med
Copy first, then edit the copies under /etc/logwatch/conf/: settings there override the defaults and survive package upgrades, whereas edits made directly in /usr/share/logwatch/default.conf/ are overwritten when the package is upgraded.
8-5. syslog settings
sudo vim /etc/rsyslog.d/70-Remote.conf
*.warn @[remote IP]
sudo service rsyslog restart
This forwards every message of priority warning or higher to a remote syslog server. A single @ means UDP, which is unreliable and unencrypted; @@ uses TCP, and for logs crossing an untrusted network rsyslog's TLS transport should be used. Shipping logs off the host is worthwhile either way: an attacker who gains root can edit the local logs but not the copies already sent.