
Sudo and tcp_wrapper

2025-02-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. Sudo

1) What can sudo do?

1. Restrict which users may run which administrative commands on which hosts.

2. Log in detail the commands that users execute through sudo.

3. A "ticket" mechanism: a user is asked for a password the first time sudo is run and then holds a ticket with a fixed lifetime; the default lifetime is 5 minutes.

These functions are configured by editing:

/etc/sudoers: editable only by the administrator (root); this is where authorization is granted.

The dedicated editing command is visudo (it locks the file and checks the syntax before saving).

/etc/sudoers authorization format:

who which_host=(run_as) do_something

who can be: a user, a group, or an alias (User_Alias)

which_host can be: an IP address, a hostname, or a Host_Alias

do_something can be: an executable command given by its absolute path, or a Cmnd_Alias

2) sudo command options:

-l: list the sudo commands the current user is allowed to run

-u username command: run command as the specified user

-k: invalidate the "ticket" (the cached credential)

-b command: run the specified command in the background

-p prompt: change the prompt that asks for the password; %u in the prompt expands to the user name and %h to the host name

-e file: edit the specified file instead of running a command

3) Practice

1. Authorize the centos user to run fdisk for disk management and mkfs or mke2fs for file system management.

centos ALL=(ALL) /sbin/mke2fs,/sbin/fdisk,/sbin/mkfs,/sbin/partx

2. Authorize the gentoo user to run the commands related to logical volume management.

gentoo ALL=(ALL) /bin/mount,/bin/umount,/sbin/pvcreate,/sbin/pvdisplay,/sbin/vgcreate,/sbin/vgdisplay,/sbin/lvcreate,/sbin/lvdisplay,/bin/df
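The following is an added example, not code from the original post: a small evaluator for sudoers lines written in the who which_host=(run_as) do_something format used above. It parses the two practice entries (plus a constructed %wheel group entry and a constructed host-restricted entry) and answers the same question that sudo -l answers: may this user run this command on this host as this target user? Group membership is a constructed dictionary; on a real system it comes from /etc/group.

```python
import re

# Constructed sudoers fragment (not from a real host): the two practice entries
# from the page plus a group entry and a host-restricted entry.
SUDOERS = """
# who   which_host=(run_as)  do_something
centos  ALL=(ALL) /sbin/mke2fs,/sbin/fdisk,/sbin/mkfs,/sbin/partx
gentoo  ALL=(ALL) /bin/mount,/bin/umount,/sbin/pvcreate,/sbin/pvdisplay,/sbin/vgcreate,/sbin/vgdisplay,/sbin/lvcreate,/sbin/lvdisplay,/bin/df
%wheel  ALL=(ALL) ALL
bob     web1=(root) /bin/systemctl
"""

# Constructed group membership; a real system reads this from /etc/group.
GROUPS = {"wheel": {"alice"}}

# who, host, optional (run_as), comma-separated commands
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]+)\)\s*)?(.+)$")


def parse_sudoers(text):
    """Return a list of (who, host, run_as, [commands]) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable sudoers line: {line!r}")
        who, host, run_as, cmds = m.groups()
        cmd_list = [c.strip() for c in cmds.split(",") if c.strip()]
        for c in cmd_list:
            # the page's rule: commands are given by absolute path (or ALL)
            if c != "ALL" and not c.startswith("/"):
                raise ValueError(f"command must be an absolute path: {c!r}")
        # without a (run_as) part the command may only be run as root
        rules.append((who, host, run_as or "root", cmd_list))
    return rules


def _who_matches(who, user):
    """A %name entry refers to a group; anything else is a user name."""
    if who.startswith("%"):
        return user in GROUPS.get(who[1:], set())
    return who == user


def _cmd_matches(allowed, requested):
    """A command listed without arguments matches any arguments."""
    return allowed == "ALL" or allowed == requested.split()[0]


def may_run(rules, user, host, command, run_as="root"):
    """What `sudo -l` reports: may user run command on host as run_as?"""
    for who, rule_host, rule_run_as, cmds in rules:
        if not _who_matches(who, user):
            continue
        if rule_host not in ("ALL", host):
            continue
        if rule_run_as not in ("ALL", run_as):
            continue
        if any(_cmd_matches(c, command) for c in cmds):
            return True
    return False


RULES = parse_sudoers(SUDOERS)

if __name__ == "__main__":
    for user, host, cmd in (("centos", "host1", "/sbin/fdisk -l"),
                            ("centos", "host1", "/sbin/lvcreate"),
                            ("bob", "db1", "/bin/systemctl")):
        print(user, host, cmd, "->", may_run(RULES, user, host, cmd))
```

The evaluator checks the three fields in the order sudo itself presents them (who, which host, as whom, which command); a request fails when any field does not match, which is why the bob entry grants nothing on db1 and nothing as a non-root target user.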

II. tcp_wrapper

1) The tcp_wrapper package is host-based access-control software for TCP/IP network services on UNIX/Linux systems: a service linked against it decides, according to access rules, whether to accept a connection.

To determine whether a service can be controlled by tcp_wrapper:

1. Dynamically linked program: use the ldd command to check whether its dependent libraries include libwrap:

libwrap.so.0 => /lib64/libwrap.so.0

2. Statically linked program: run strings /path/to/program

and look in the output for strings such as:

hosts.allow

hosts.deny

3. tcp_wrapper decides whether a service may be accessed by reading the rules in the configuration files:

/etc/hosts.allow

/etc/hosts.deny

Rules in these files take effect immediately (they are read on every connection; no restart is needed). hosts.allow is consulted first, then hosts.deny; the first matching rule decides, and a connection matched by neither file is allowed.

4. Syntax of the configuration files:

daemon_list: client_list [: options]

daemon_list can be:

a single daemon (application) name

a list of daemon names separated by commas, for example: sshd, in.telnetd

ALL: all wrapped daemons

client_list can be:

an IP address

a hostname

a network address: the full dotted netmask form must be used; a prefix length is not accepted, so 172.16.0.0/16 is not valid and is written 172.16.0.0/255.255.0.0 instead

a short network address: 172.16. means the same as 172.16.0.0/255.255.0.0

ALL: all client addresses

KNOWN: a known (resolvable) IP address or hostname

UNKNOWN: an unknown (unresolvable) IP address or hostname

PARANOID: the forward and reverse resolution results of hostname and IP address do not match

Special operator:

EXCEPT: excludes the hosts that follow it from the list before it

[: options] can be:

deny: used to write deny rules in the hosts.allow file

allow: used to write allow rules in the hosts.deny file

spawn: run an additional command (for example, to log the attempt)

2) Practice

Configure vsftpd so that only hosts in the 172.16.0.0/255.255.0.0 network may access it, with the exception of 172.16.100.3; denied access attempts are recorded in the log file /var/log/tcp_wrapper.log.

Answer:

1) vim /etc/hosts.allow

vsftpd: 192.168.3.20-192.168.3.120 EXCEPT 192.168.3.52

vsftpd: 192.168.3.0/255.255.255.0 EXCEPT 192.168.3.50 192.168.3.103

2) in /etc/hosts.deny:

vsftpd: ALL: spawn /bin/echo `date` login attempt from %c to %s, %d >> /var/log/tcp_wrapper.log
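As an added example (not code from the original post, and not part of the tcp_wrapper package), the following script models how the rule syntax and evaluation order described in sections 3 and 4 decide a connection: it parses constructed hosts.allow and hosts.deny contents for the practice task (the 172.16.0.0/255.255.0.0 EXCEPT 172.16.100.3 allow rule and the spawn logging rule in hosts.deny, plus an extra sshd line to show a comma-separated daemon list), checks hosts.allow before hosts.deny, falls back to allow when nothing matches, honours EXCEPT, the dotted-netmask and trailing-dot network forms, and expands the %c, %s and %d variables of the spawn option without running it. Hostname patterns and the KNOWN/UNKNOWN/PARANOID keywords need DNS and are left out; the server address used for %s is a constructed value.

```python
import ipaddress

# Constructed rule files (not taken from a real host).
HOSTS_ALLOW = """
# daemon_list: client_list [: options]
vsftpd: 172.16.0.0/255.255.0.0 EXCEPT 172.16.100.3
sshd, in.telnetd: 10.0.0.
"""

HOSTS_DENY = """
vsftpd: ALL: spawn /bin/echo `date` login attempt from %c to %s, %d >> /var/log/tcp_wrapper.log
"""

SERVER_IP = "172.16.0.1"  # constructed address of the wrapped server, used for %s


def parse_rules(text):
    """Split each non-comment line into (daemons, client tokens, options)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError(f"rule needs 'daemon_list: client_list': {line!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = fields[1].replace(",", " ").split()
        options = fields[2] if len(fields) == 3 else ""
        rules.append((daemons, clients, options))
    return rules


def _pattern_matches(pattern, ip):
    """Match one client pattern against an IPv4 address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        if "." not in mask:
            # the page's rule: a prefix length such as /16 is not accepted
            raise ValueError(f"use a dotted netmask, not a prefix length: {pattern!r}")
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):
        return str(ip).startswith(pattern)  # short form, e.g. 172.16.
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostname patterns are not resolved in this model


def _client_list_matches(tokens, ip):
    """'a b EXCEPT c' matches when a or b matches and c does not;
    a further EXCEPT binds to the right, as in hosts_access(5)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _client_list_matches(tokens[:i], ip) and not _client_list_matches(tokens[i + 1:], ip)
    return any(_pattern_matches(t, ip) for t in tokens)


def _expand(option, daemon, client_ip):
    """Expand the %c (client), %s (server) and %d (daemon) variables of spawn."""
    return (option.replace("%c", client_ip)
                  .replace("%s", f"{daemon}@{SERVER_IP}")
                  .replace("%d", daemon))


def check_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (decision, expanded options): hosts.allow is searched first,
    then hosts.deny; the first match decides, and no match means allow.
    A deny option in hosts.allow or an allow option in hosts.deny overrides
    the file's default."""
    ip = ipaddress.ip_address(client_ip)
    for default, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options in parse_rules(text):
            if "ALL" not in daemons and daemon not in daemons:
                continue
            if not _client_list_matches(clients, ip):
                continue
            first = options.split(":", 1)[0].strip().lower()
            decision = first if first in ("allow", "deny") else default
            return decision, _expand(options, daemon, client_ip)
    return "allow", ""


if __name__ == "__main__":
    for daemon, client in (("vsftpd", "172.16.5.7"), ("vsftpd", "172.16.100.3"),
                           ("vsftpd", "192.168.1.9"), ("sshd", "192.168.1.9")):
        print(daemon, client, "->", check_access(daemon, client))
```

The sshd case is worth noting: with no sshd line in hosts.deny, a client outside 10.0.0. is still allowed, because tcp_wrapper's default when neither file matches is to accept; a final ALL: ALL line in hosts.deny is what turns the policy into default-deny.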
