Thank you so much for the answer.
You must be someone who manages a mail server.
It was really a big help. ^^
Post left by [산이]:
>
>Post left by [ZEROCOOL]:
>
>>-----------------------------------------
>>Basic information the answerer should refer to.
>>- Distribution (optional):
>>- Kernel version (optional):
>>- Daemon version (e.g. apache 1.3.27):
>>- Daemon install type (RPM/compiled/other):
>>-----------------------------------------
>> ################### LogWatch 5.2.2 (06/23/04) ####################
>> Processing Initiated: Tue Jul 18 04:03:11 2006
>> Date Range Processed: yesterday
>> Detail Level of Output: 0
>> Logfiles for Host: ns
>> ################################################################
>>
>> --------------------- IMAP Begin ------------------------
>>
>>[IMAPd] Logout stats:
>>====================
>> User | Logouts | Downloaded | Mbox Size
>>--------------------------------------- | ------- | ---------- | ---------- <= This appears to show connections made via the IMAP service.
>> jh_park | 8 | | <= I don't know why it shows the number of logouts rather than logins.
>>----------------------------------------------------------------------------
>> 8 | 0 | 0
>>
>>
>>
>>**Unmatched Entries**
>> Command stream end of file, while reading line user=??? host=[211.41.128.112]: 1 Time(s)
>>
>> ---------------------- IMAP End -------------------------
>>
>>
>> --------------------- ipop3d Begin ------------------------
>>
>>
>>**Unmatched Entries**
>> Mailbox vulnerable - directory /var/spool/mail must have 1777 protection: 752 Time(s) <= This looks like a kind of security warning. It says to change the permissions of /var/spool/mail to 1777.
>>
>> ---------------------- ipop3d End -------------------------
>>
>>
>> --------------------- Named Begin ------------------------
>>
>>
>>Zone update refused:
>> 218.234.73.136 (kings.co.kr/IN): 52 Time(s) <= The number of times the zone file was loaded. IN is said to be the class meaning Internet.
>>
>> ---------------------- Named End -------------------------
>>
>>
>> --------------------- pam_unix Begin ------------------------ <= Logs related to logins.
>>
>>crond:
>> Unknown Entries:
>> session closed for user root: 25 Time(s)
>> session opened for user root by (uid=0): 25 Time(s)
>>
>>sshd:
>> Authentication Failures:
>> unknown (61.134.1.11): 17 Time(s)
>> root (61.134.1.11): 3 Time(s)
>> root (202.143.134.178): 1 Time(s)
>> test (61.134.1.11): 1 Time(s)
>>
>>
>> ---------------------- pam_unix End -------------------------
>>
>>
>> --------------------- Connections (secure-log) Begin ------------------------
>>
>>
>>Connections:
>> Service pop3: <= Shows the number of POP3 connections from each IP address.
>> 218.234.73.136: 394 Time(s)
>> 218.234.73.155: 288 Time(s)
>> Service imap: <= Likewise, a record of connections via imap.
>> 127.0.0.1: 8 Time(s) <= 8 times from localhost
>> 211.41.128.112: 1 Time(s)
>>
>> ---------------------- Connections (secure-log) End -------------------------
>>
>>
>> --------------------- sendmail Begin ------------------------
>>
>>
>>
>>Bytes Transferred: 6732072 <= Total size of mail sent.
>>Messages Sent: 572 <= Total number of mails sent.
>>Total recipients: 685 <= Total number of mails received.
>>
>>4 messages returned after 2 hours <=
>>
>>82 User Unknown notifications
>>
>>Unknown local users: <= Number of unknown local users
>>
>> Total: 239 <= 239 in total
>>
>>
>>Top relays (recipients/connections - min 10 rcpts, max 50 lines):
>> 49/49: [211.229.226.126]
>> 33/33: [59.29.36.72]
>> 27/18: c-67-162-122-135.hsd1.il.comcast.net [67.162.122.135]
>> 26/17: 80-74-74-65.gci.net [65.74.74.80]
>> 20/20: [221.201.2.160]
>> 15/13: [220.64.48.61]
>> 14/2: [125.190.62.34]
>> 14/2: [125.190.63.190]
>> 14/2: [125.190.63.148]
>> 11/11: [219.241.207.109]
>> 11/11: [59.17.218.224]
>> 11/3: [222.235.223.70]
>> 11/11: [125.137.16.222]
>> 10/9: [221.201.0.26]
>>
>>
>>Relaying denied:
>> From [220.165.246.62] to bocks@gmx.net: 1 Time(s)
>> From [221.201.215.60] to silee@yurim.skku.ac.kr: 1 Time(s)
>> From [221.201.215.60] to sjkim@yurim.skku.ac.kr: 1 Time(s)
>> From [221.201.215.60] to sjklee@yurim.skku.ac.kr: 1 Time(s)
>> From [221.201.215.60] to skim@yurim.skku.ac.kr: 1 Time(s)
>> From [221.201.215.60] to skjeong@yurim.skku.ac.kr: 1 Time(s)
>> From [221.201.215.60] to skkwon@yurim.skku.ac.kr: 1 Time(s)
>> From [221.201.215.60] to smcho@yurim.skku.ac.kr: 1 Time(s)
>> From [221.201.215.60] to smhan@yurim.skku.ac.kr: 1 Time(s)
>> From [222.122.60.184] to charliem634@gmail.com: 1 Time(s)
>> From [60.51.132.169] to mohanif@lovemail.com: 1 Time(s)
>> From [61.34.46.144] to dnftks1156@hanmail.net: 1 Time(s)
>> From adsl-d7.87-197-195.telecom.sk [87.197.195.7] to mohanian@ucsd.edu: 1 Time(s)
>> From lns-bzn-58-82-251-253-175.adsl.proxad.net [82.251.253.175] to cgoh88@korea.com: 1 Time(s)
>> From mta.hanmail.net [211.233.30.68] to spambuster@ohora.hanmail.net: 1 Time(s)
>>
>> Total: 15
>>
>>
>>Rejected mail:
>> eunjeong.kwon@kor.ccamatil.com (450 4.4.0 Relaying temporarily denied. Cannot resolve PTR record for 71.93.78.34): 1 Time(s)
>> eunsung.ra@kor.ccamatil.com (450 4.4.0 Relaying temporarily denied. Cannot resolve PTR record for 71.93.78.34): 1 Time(s)
>> eunjeong.kim@kor.ccamatil.com (450 4.4.0 Relaying temporarily denied. Cannot resolve PTR record for 71.93.78.34): 1 Time(s)
>>
>> Total: 3
>>
>>
>>Client quit before communicating:
>> 125-228-87-124.dynamic.hinet.net : 2 Time(s)
>> 190.44.66.68 : 1 Time(s)
>> 200.92.229.163 : 1 Time(s)
>> 201.27.181.215 : 1 Time(s)
>> 201.58.251.158 : 1 Time(s)
>> 211.234.104.188 : 1 Time(s)
>> 217.132.105.213 : 1 Time(s)
>> 218.71.36.163 : 1 Time(s)
>> 222.122.60.184 : 1 Time(s)
>> 24.206.224.136 : 7 Time(s)
>> 36.Red-88-1-104.dynamicIP.rima-tde.net : 1 Time(s)
>> 59.10.78.15 : 1 Time(s)
>> 68.150.236.237 : 1 Time(s)
>> 83.15.18.2 : 1 Time(s)
>> 83.28.198.188 : 1 Time(s)
>> 84.100.76.83 : 1 Time(s)
>> 85.201.14.196 : 1 Time(s)
>> 85.68.129.94 : 1 Time(s)
>> 87.206.255.31 : 1 Time(s)
>> 88.241.252.52 : 1 Time(s)
>> actae.ath.forthnet.gr : 1 Time(s)
>> doc-24-206-224-136.doc-kw.tx.cebridge.net : 3 Time(s)
>>
>>
>>Authentication warnings:
>> [218.234.73.133] didn't use HELO protocol: 1 Time(s)
>>
>>**Unmatched Entries**
>> k6H6TT4U002456[2]: Contains an URL listed in the OB SURBL blocklist\n\t* [URIs: weilfone.com]\n\t* 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist\n\t* [URIs: weilfone.com]: 1 Time(s)
>> k6GK8gYq032733[2]: Contains an URL listed in the SC SURBL blocklist\n\t* [URIs: autoomiaticcat.com]: 1 Time(s)
>> k6HDZ9Gk003721: return to sender: Cannot send message for 1 day: 1 Time(s)
>> k6H6Tp31002459[2]: SURBL blocklist\n\t* [URIs: pw2005893.com aer23ret4.com]\n\t* 1.7 MSGID_RANDY Message-Id has pattern used in spam\n\t* 0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag\n\t* 0.0 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts\n\t* 1.4 FORGED_MUA_THEBAT_BOUN Mail pretending to be from The Bat! (boundary)\n\t* 1.1 FORGED_THEBAT_HTML The Bat! can't send HTML message only\n\t* 0.0 RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses: 1 Time(s)
>> k6GGZ8g9031578: return to sender: Cannot send message for 1 day: 1 Time(s)
>> k6H53nVp002138[2]: in this format\n\t* 1.3 FORGED_MUA_OIMO Forged mail pretending to be from MS Outlook IMO: 1 Time(s)
>> k6H1SAND001390[2]: [URIs: arboursterile.com]: 1 Time(s)
>> k6HCTa2o003559[2]: Contains an URL listed in the SC SURBL blocklist\n\t* [URIs: trollshouse.com]: 1 Time(s)
>> k6GIDHat031933[2]: fanbuild.com]\n\t* 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist\n\t* [URIs: fanbuild.com]: 1 Time(s)
>> k6HDZ9Gj003721: return to sender: Cannot send message for 1 day: 1 Time(s)
>> k6H35qeD001580[2]: URL listed in the WS SURBL blocklist\n\t* [URIs: miernitnebrebt.com ieruwu34h5.com]\n\t* 1.7 MSGID_RANDY Message-Id has pattern used in spam\n\t* 0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only\n\t* 0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag\n\t* 0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format\n\t* 0.0 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts\n\t* 0.0 RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses\n\t* 3.0 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook: 1 Time(s)
>> k6H3qHFg001775[2]: URL listed in the WS SURBL blocklist\n\t* [URIs: miernitnebrebt.com ieruwu34h5.com]\n\t* 1.7 MSGID_RANDY Message-Id has pattern used in spam\n\t* 0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag\n\t* 0.2 FORGED_QUALCOMM_TAGS QUALCOMM mailers can't send HTML in this format\n\t* 0.0 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts\n\t* 0.1 FORGED_MUA_EUDORA Forged mail pretending to be from Eudora\n\t* 0.0 RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses: 1 Time(s)
>> k6GHZ8IT031830: return to sender: Cannot send message for 1 day: 1 Time(s)
>> k6H0LDPj001210[2]: HTML in this format\n\t* 1.3 FORGED_MUA_OIMO Forged mail pretending to be from MS Outlook IMO: 1 Time(s)
>> k6GMEO6Y000881[2]: superaspect.com]\n\t* 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist\n\t* [URIs: superaspect.com]: 1 Time(s)
>> k6H08nbn001161[2]: [URIs: healfs.com]\n\t* 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist\n\t* [URIs: healfs.com]: 1 Time(s)
>> k6GJQUkS032641[2]: [URIs: fanbuild.com]\n\t* 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist\n\t* [URIs: fanbuild.com]: 1 Time(s)
>> k6H3Uh0l001676[2]: listed in the WS SURBL blocklist\n\t* [URIs: healfs.com]\n\t* 2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist\n\t* [URIs: healfs.com]\n\t* 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist\n\t* [URIs: healfs.com]: 1 Time(s)
>>
>>
>>Summary:
>> Total Mail Rejected: 257
>>
>> ---------------------- sendmail End -------------------------
>>
>>
>> --------------------- SSHD Begin ------------------------
>>
>>
>>Failed logins from these:
>> root/password from ::ffff:202.143.134.178: 1 Time(s)
>> root/password from ::ffff:61.134.1.11: 3 Time(s)
>> test/password from ::ffff:61.134.1.11: 1 Time(s)
>>
>>**Unmatched Entries**
>>Invalid user scanner from ::ffff:61.134.1.11
>>Failed password for invalid user scanner from ::ffff:61.134.1.11 port 57970 ssh2
>>Invalid user billing from ::ffff:61.134.1.11
>>Failed password for invalid user billing from ::ffff:61.134.1.11 port 58322 ssh2
>>Invalid user ringo from ::ffff:61.134.1.11
>>Failed password for invalid user ringo from ::ffff:61.134.1.11 port 58496 ssh2
>>Invalid user cvsuser from ::ffff:61.134.1.11
>>Failed password for invalid user cvsuser from ::ffff:61.134.1.11 port 58675 ssh2
>>Invalid user nishida from ::ffff:61.134.1.11
>>Failed password for invalid user nishida from ::ffff:61.134.1.11 port 58815 ssh2
>>Invalid user jimu from ::ffff:61.134.1.11
>>Failed password for invalid user jimu from ::ffff:61.134.1.11 port 58966 ssh2
>>Invalid user cherry from ::ffff:61.134.1.11
>>Failed password for invalid user cherry from ::ffff:61.134.1.11 port 59117 ssh2
>>Invalid user sasaki from ::ffff:61.134.1.11
>>Failed password for invalid user sasaki from ::ffff:61.134.1.11 port 59217 ssh2
>>Invalid user simon from ::ffff:61.134.1.11
>>Failed password for invalid user simon from ::ffff:61.134.1.11 port 59462 ssh2
>>Invalid user angelique from ::ffff:61.134.1.11
>>Failed password for invalid user angelique from ::ffff:61.134.1.11 port 59833 ssh2
>>Invalid user admin from ::ffff:61.134.1.11
>>Failed password for invalid user admin from ::ffff:61.134.1.11 port 59962 ssh2
>>Invalid user vmware from ::ffff:61.134.1.11
>>Failed password for invalid user vmware from ::ffff:61.134.1.11 port 60111 ssh2
>>Invalid user ventas from ::ffff:61.134.1.11
>>Failed password for invalid user ventas from ::ffff:61.134.1.11 port 60314 ssh2
>>Invalid user yamada from ::ffff:61.134.1.11
>>Failed password for invalid user yamada from ::ffff:61.134.1.11 port 60447 ssh2
>>Invalid user nagios from ::ffff:61.134.1.11
>>Failed password for invalid user nagios from ::ffff:61.134.1.11 port 60575 ssh2
>>Invalid user svn from ::ffff:61.134.1.11
>>Failed password for invalid user svn from ::ffff:61.134.1.11 port 60734 ssh2
>>Invalid user temp from ::ffff:61.134.1.11
>>Failed password for invalid user temp from ::ffff:61.134.1.11 port 60818 ssh2
>>
>> ---------------------- SSHD End -------------------------
>>
>>
>>
>>------------------ Disk Space --------------------
>>
>>/dev/mapper/VolGroup00-LogVol00
>>/dev/hda1 99M 8.9M 85M 10% /boot
>>
>>
>> ###################### LogWatch End #########################
>>
>>
>>I looked around here and there to find out which part tells what, and wrote down a bit like this, but I don't know the rest. I'd be really grateful if you could tell me, even briefly, what the remaining sections indicate.
>>Also, if possible, I'd be really grateful if you could tell me which part I should look at first and most carefully when a LogWatch mail comes in.
>>
>
>========================================
>
>Wow, you're diligent. Haha
>
>First of all, LogWatch works by analyzing (in its own way?) the logs in /var/log, such as messages, maillog, secure, crond and so on, and mailing the result.
>
>So if the format above is hard to read, you can just look at the logs themselves directly.
>(That's what I do.)
>
>Honestly, annotating (?) every single item above is a bit hard. ㅠㅠ
>
>The things to look at carefully are
>
>the sshd-related entries and, in maillog, the spam.
>The rest matter too, but a bit less.
>
>
>1. sshd
>
>Since ssh is only accessed by specific users and from specific IPs/networks, allow access for those only and block everything else (hosts.allow, hosts.deny).
>
>Or, even better, set it up in the firewall (iptables).
>
>As you can see in the log above, 61.134.1.11 is trying hard (?) to log in.
>
>
>2. maillog
>
>For IP addresses in the log above that look like spammers (e.g. 221.201.215.60),
>block RELAY entirely. Better still with iptables.
>
>There is also spam that simply can't be blocked; in that case, filter it separately in the MUA (filtering on the mail server is fine too).
>
>(For reference, the mail server I manage does get spam, but so little that I basically leave it alone. ㅠㅠ)
>
>
>If the mail server above is not a small or medium-sized one but a large-volume or web-hosting mail server, the situation is different.
>
>In that case, the first priority is to establish a mail server security policy (user privileges, per-port access policy, etc.).
>
>
>This is all general advice, so it probably wasn't much help.
>
>
========================================
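As an added example (not code from this thread or from LogWatch itself), here is a small Python parser for the SSHD section of a LogWatch mail like the one quoted above: it aggregates failed logins per source address, including the raw sshd lines LogWatch 5.2.2 left under "Unmatched Entries", flags sources above a threshold, and turns them into the hosts.deny entries the reply recommends. The sample section is constructed from the lines quoted above; the threshold of 5 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the LogWatch SSHD section quoted in this thread
# (the already-counted "Failed logins" summary plus raw "Unmatched Entries").
SAMPLE_SSHD_SECTION = """\
Failed logins from these:
   root/password from ::ffff:202.143.134.178: 1 Time(s)
   root/password from ::ffff:61.134.1.11: 3 Time(s)
   test/password from ::ffff:61.134.1.11: 1 Time(s)

**Unmatched Entries**
Invalid user scanner from ::ffff:61.134.1.11
Failed password for invalid user scanner from ::ffff:61.134.1.11 port 57970 ssh2
Invalid user billing from ::ffff:61.134.1.11
Failed password for invalid user billing from ::ffff:61.134.1.11 port 58322 ssh2
"""

# Lines LogWatch already aggregated: "user/password from <ip>: N Time(s)".
FAILED_LOGIN = re.compile(r"^\s*(\S+)/password from (\S+): (\d+) Time\(s\)")
# Raw sshd lines LogWatch left unmatched; the preceding "Invalid user X" line is the
# same attempt, so only the "Failed password" line is counted.
INVALID_USER = re.compile(r"^\s*Failed password for invalid user (\S+) from (\S+) port \d+")


def strip_mapped(ip):
    """sshd logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); normalise to a.b.c.d."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def ssh_failures_by_source(section):
    """Aggregate failed SSH logins per source IP: {ip: (attempts, sorted user names)}."""
    attempts, users = defaultdict(int), defaultdict(set)
    for line in section.splitlines():
        if m := FAILED_LOGIN.match(line):
            user, ip, n = m.group(1), strip_mapped(m.group(2)), int(m.group(3))
        elif m := INVALID_USER.match(line):
            user, ip, n = m.group(1), strip_mapped(m.group(2)), 1
        else:
            continue
        attempts[ip] += n
        users[ip].add(user)
    return {ip: (attempts[ip], sorted(users[ip])) for ip in attempts}


def brute_force_sources(section, threshold=5):
    """Sources at or above the threshold, most active first: [(ip, attempts, users)]."""
    stats = ssh_failures_by_source(section)
    hot = [(ip, n, u) for ip, (n, u) in stats.items() if n >= threshold]
    return sorted(hot, key=lambda t: -t[1])


def hosts_deny_lines(section, threshold=5):
    """hosts.deny entries for flagged sources (the tcp_wrappers blocking the reply suggests)."""
    return ["sshd: %s" % ip for ip, _, _ in brute_force_sources(section, threshold)]
```

Feed it the SSHD section cut from a real LogWatch mail; a source that shows up with many distinct user names, as 61.134.1.11 does above, is the pattern worth blocking first.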