Author Topic: Lpi 102 Task Oriented (1)Topic 114:Security (Read 4282 times)


小徒兒

« On: 2004-09-16 17:43 »
1.114.1 Perform security administration tasks

find / \( -perm -u+s -o -perm -g+s \)

find /  \
      -path '/proc' -prune  \
      -or  \
      -perm -u+s  \
      -exec ls -l {} \;  \
      >  /usr/local/etc/suid_list &

find / -perm +6000


***how to configure TCP wrappers,
vi /etc/hosts.allow
vi /etc/hosts.deny
Code: [Select]


ALL: ALL


Code: [Select]

# <daemon_list> : <IP/network>
in.ftpd: 192.168.1.2, 192.168.1.10, xxx.yyy.zzz
in.telnetd: 192.168.1.0/255.255.255.0


vi /etc/inetd.conf
vi /etc/xinetd.d/*


***find files with SUID/SGID bit set

find / \
-path '/proc' -prune \
-or \
-perm -u+s \
-exec ls -l {} \; \
> /usr/local/etc/suid_list &


-perm -g+s #sgid
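The suid_list idea above becomes useful once you compare it against a later scan. The following is an added example, not code from the original post: it records a baseline of SUID/SGID files and reports which files gained or lost the bit since. It assumes GNU find (for -printf) and uses the baseline path from the notes as an example location.

```shell
#!/bin/sh
# Added example (not from the original post): keep a baseline of SUID/SGID
# files and report drift against it. Assumes GNU find (-printf); the
# baseline path /usr/local/etc/suid_list follows the notes above.

# List every SUID or SGID regular file under the tree $1 as
# "mode owner group path", skipping /proc, sorted so comm(1) can diff it.
suid_scan() {
    find "$1" -path /proc -prune -o -type f \
        \( -perm -u+s -o -perm -g+s \) \
        -printf '%M %u %g %p\n' | sort
}

# Rescan tree $1 and compare with baseline file $2.
# Prints "+ ..." for files that gained SUID/SGID since the baseline and
# "- ..." for files that lost it; returns 1 when anything changed.
suid_diff() {
    tree=$1
    baseline=$2
    current=$(mktemp)
    tab=$(printf '\t')
    suid_scan "$tree" > "$current"
    # comm -3: baseline-only lines unprefixed, current-only lines tab-prefixed
    drift=$(comm -3 "$baseline" "$current" | sed "s/^$tab/+ /; /^+ /!s/^/- /")
    rm -f "$current"
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Typical use (as root): the first run records the baseline, later runs
# (e.g. from cron) report drift and exit non-zero when something changed.
#   suid_scan / > /usr/local/etc/suid_list
#   suid_diff / /usr/local/etc/suid_list
```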

***verify packages
rpm -Va

D - device
S - size
M - mode
T - time
U - owner/user
G - group
? - unknown
L - link
5 - checksum (MD5)

rpm --checksig --nopgp filetil-xxx.rpm


***set or change user passwords and password aging information
passwd sysop
chage -d lastday -E expiredate -I inactivedays -m mindays -M maxdays -W warndays user

chage user  #interactive mode, prompts for each field
minimum password days #equal to -m



***update binaries as recommended by CERT, BUGTRAQ

http://www.cert.org
BUGTRAQ : mailing list
http://www.securityfocus.com


***distribution's security alerts https://www.redhat.com/apps/support/errata/


***basic knowledge of ipchains and iptables
packet type: input, output, forward

every packet arriving at your pc from other pcs (into the kernel) is an input packet
every packet leaving your pc (out of the kernel) is an output packet
every packet routed through your pc from one pc to another is a forward packet


the pattern of a packet can be judged by:
1. interface eth0 eth1 -i
2. protocol -p
3. source ip -s
4. destination ip -d
5. jump to what target/chain -j

the handling of qualified packet:
ACCEPT
DENY
REJECT
MASQ
REDIRECT
RETURN


1.114.3 Setup user level security

***limits on user logins, processes, and memory usage
ulimit -Hu 50 #hard limit on the number of processes a user may run
ulimit -m 20480 #cap usable memory at 20480 kB

ulimit -a #show the resource limits that apply to the user

ulimit -n 8192 #set the maximum number of files the user may have open at once; if this is set too low, a site with heavy concurrent access may hit "too many open files" errors


usermod -s /sbin/nologin user #limits on user login

limits on user logins???

usermod -e 2002-01-01 user     #the account "user" will expire on 2002-01-01
usermod -s /bin/true -G group1,group2 user  #change the shell of "user" to /bin/true and add it to the groups group1 and group2

usermod -L username  #if the password is already enabled, use this command to lock it
chage -d 0 username  #force the password to expire immediately
usermod -p "encrypted-password" username #paste the whole encrypted password output into this command

usermod -p "" username #besides assigning an initial password, you can also use this command to assign an empty password


***quota
#vi /etc/fstab

LABEL=/home /home ext3 defaults,usrquota,grpquota 1 2

#reboot
#touch /home/aquota.user /home/aquota.group
#chmod 600 /home/aquota.user /home/aquota.group

#edquota -u test


[used blocks] [block soft limit] [block hard limit] [used inodes] [inode soft limit] [inode hard limit]
#edquota -g test
#edquota -p test test2
#edquota -ut #gracetime


# quotacheck -uvgm /home
# quotaon -ugv /home

vi /etc/cron.weekly/quota.week

#!/bin/bash
/sbin/quotacheck -avug

#repquota
$quota

#quotaoff -ugv /home

sequence: quotaon (status) --> quotaoff --> quotacheck (action) --> quotaon



1.114.3 Setup user level security

***limits on user logins
usermod -s /sbin/nologin mary
touch /etc/nologin #stop ordinary (non-root) users from getting a shell login on the host, whether via telnet or ssh/ssh2


lab to test the cpu time
resource from http://www2.tw.ibm.com/developerWorks/tutorial/content/linux/t20031121.html
Code: [Select]

# time bash
# ulimit -t 1
# while true; do true; done
Killed

real    0m28.941s
user    0m1.990s
sys     0m0.017s


***memory usage
***processes

vi /etc/skel/.bash_profile

Code: [Select]

ulimit -m 20480 #limit the memory usage
ulimit -u 1024 #limit the processes
ulimit -t 3600 #limit the cpu time

Supplement: su & sudo:
$su - root -c "/sbin/poweroff"
#gpasswd -a sysop wheel  #add user sysop to group wheel
$sudo cat /etc/passwd
$sudo -u yazza ls ~yazza
$sudo -u www vi ~www/htdocs/index.html
$sudo shutdown -r +15 "quick reboot"


#visudo is equivalent to #vi /etc/sudoers (with syntax checking and locking)

user host =(as-user) (command) -option argument
 %wheel        ALL=(ALL)       NOPASSWD: ALL

everyone in the wheel group can run any command as root without entering a password

ray    rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
ray    rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

User_Alias OPERATORS = tux1
OPERATORS ALL = (root) /sbin/ifdown eth0
OPERATORS ALL = (root) /sbin/ifup eth0


User_Alias     FULLTIMERS = millert, mikef, dowdy
User_Alias     PARTTIMERS = bostley, jwfox, crawl
User_Alias     WEBMASTERS = will, wendy, wim

***quota
***usermod