系统的INPUT和OUTPUT默认策略为DROP,请完成以下关于iptables的题目;
iptables -A INPUT -d 10.18.11.13 -p tcp --dport 22 -j ACCEPT #允许ssh端口 iptables -A OUTPUT -s 10.18.11.13 -p tcp --sport 22 -j ACCEPT iptables -P OUTPUT DROP #设置OUTPUT的默认策略为DROP iptables -P INPUT DROP #设置INPUT的默认策略为DROP iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- anywhere 10.18.11.13 tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT tcp -- 10.18.11.13 anywhere tcp spt:ssh
一、限制本地主机的web服务器在周一不允许访问;新请求的速率不能超过100个每秒;web服务器包含了admin字符串的页面不允许访问;web服务器仅允许响应报文离开本机;
iptables -A INPUT -p tcp -d 10.18.11.13 --dport 80 -m string --algo kmp --string "admin" -j DROP
#拒绝所有访问包含admin字符串页面的请求
iptables -A INPUT -d 10.18.11.13 -p tcp --dport 80 -m time ! --weekdays Mon -m limit --limit 100/second -m string --algo kmp --string "admin" -j ACCEPT
#允许周一除外时间访问web服务器,新请求的速率不能超过100个每秒
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
二、在工作时间,即周一到周五的8:30-18:00,开放本机的ftp服务给172.16.0.0网络中的主机访问;数据下载请求的次数每分钟不得超过5个;
iptables -A INPUT -s 172.16.0.0/16 -p tcp -m multiport --dport 20,21 -m time --weekdays 1,2,3,4,5 --timestart 8:30 --timestop 18:00 -m limit --limit 5/minute -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 172.16.0.0/16 -p tcp -m multiport --dport 20,21 -m time --weekdays 1,2,3,4,5 --timestart 8:30 --timestop 18:00 -m limit --limit 5/minute -m state --state NEW,ESTABLISHED -j ACCEPT
三、开放本机的ssh服务给172.16.x.1-172.16.x.100中的主机,x为你的座位号,新请求建立的速率一分钟不得超过2个;仅允许响应报文通过其服务端口离开本机;
iptables -I INPUT -m iprange --src-range 172.16.11.0-172.168.11.255 -m limit --limit 2/minute -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
四、拒绝TCP标志位全部为1及全部为0的报文访问本机;
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
五、允许本机ping别的主机;但不开放别的主机ping本机;
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
六、判断下述规则的意义:
iptables -N clean_in
#新建自定义链clean_in
iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
#丢弃icmp广播包
iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
#丢弃到172.16.0.0/16网段的icmp广播包
iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP
#丢弃syn标志位不为1且状态为new的包
iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP
#丢弃tcp标志位全为1的包
iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP
#丢弃tcp标志位全为0的包
iptables -A clean_in -d 172.16.100.7 -j RETURN
#把目标为172.16.100.7的请求返回主链匹配
iptables -A INPUT -d 172.16.100.7 -j clean_in
#把目标为172.16.100.7的请求用clean_in链匹配
iptables -A INPUT -i lo -j ACCEPT
#允许来自于lo接口的数据包
iptables -A OUTPUT -o lo -j ACCEPT
#允许向lo接口发送数据包
iptables -A INPUT -i eth0 -m multiport -p tcp --dports 53,113,135,137,139,445 -j DROP
#丢弃指定接口为eth0, 协议为tcp,目标端口为53,113,135,137,139,445的包
iptables -A INPUT -i eth0 -m multiport -p udp --dports 53,113,135,137,139,445 -j DROP
#丢弃指定接口为eth0, 协议为udp,目标端口为53,113,135,137,139,445的包
iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP
#丢弃指定接口为eth0, 协议为udp,目标端口为1026的包
iptables -A INPUT -i eth0 -m multiport -p tcp --dports 1433,4899 -j DROP
#丢弃指定接口为eth0, 协议为tcp,目标端口为1433,4899的包
iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
#限定icmp包的速率为10个每秒
七、通过tcp_wrapper控制vsftpd仅允许172.16.0.0/255.255.0.0网络中的主机访问,但172.16.100.3除外;对所被被拒绝的访问尝试都记录在/var/log/tcp_wrapper.log日志文件中;
[root@localhost /]# vim /etc/hosts.allow vsftpd:172.16.0.0/255.255.0.0 EXCEPT 172.16.100.3 [root@localhost /]# vim /etc/hosts.deny vsftpd:ALL :spawn /bin/echo `date` login attempt from %c to %s, %d >> /var/log/tcp_wrapper.log
八、删除/boot/grub/grub.conf文件中所有行的行首的空白字符;
[root@localhost ~]# sed s/^[[:space:]]*//g /boot/grub/grub.conf # grub.conf generated by anaconda # # Note that you do not have to rerun grub after making changes to this file # NOTICE: You have a /boot partition. This means that # all kernel and initrd paths are relative to /boot/, eg. # root (hd0,0) # kernel /vmlinuz-version ro root=/dev/sda3 # initrd /initrd-[generic-]version.img #boot=/dev/sda default=0 timeout=5 splashp_w_picpath=(hd0,0)/grub/splash.xpm.gz hiddenmenu title CentOS (2.6.32-431.el6.x86_64) root (hd0,0) kernel /vmlinuz-2.6.32-431.el6.x86_64 ro root=UUID=10cca036-87a5-4646-9bdb-88f252f589be rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF-8 rd_NO_LVM rd_NO_DM rhgb quiet initrd /initramfs-2.6.32-431.el6.x86_64.img
九、删除/etc/fstab文件中所有以#开头,后跟至少一个空白字符的行的行首的#和空白字符;
[root@localhost ~]# sed s/^#[[:space:]+]//g /etc/fstab # /etc/fstab Created by anaconda on Mon Aug 15 10:39:56 2016 # Accessible filesystems, by reference, are maintained under '/dev/disk' See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info # UUID=a540e0d8-e8be-4cdb-b70c-835d1bda5b95 / ext4 defaults 1 1 UUID=b034f272-a4eb-41e1-bb51-d0995fb56644 /boot ext4 defaults 1 2 UUID=6283d75d-5d6c-4f17-9124-c731fe075663 swap swap defaults 0 0 /dev/vgdata/mylv /users ext4 defaults,acl 0 0
十、把/etc/fstab文件的奇数行另存为/tmp/fstab.3;
[root@localhost ~]# awk 'NR%2==1' /etc/fstab > /tmp/fstab.3 [root@localhost ~]# cat /tmp/fstab.3 # /etc/fstab # # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info UUID=a540e0d8-e8be-4cdb-b70c-835d1bda5b95 / ext4 defaults 1 1 UUID=6283d75d-5d6c-4f17-9124-c731fe075663 swap swap defaults 0 0
[root@localhost ~]# sed -n "p;n" /etc/fstab > /tmp/fstab.3 [root@localhost ~]# cat /tmp/fstab.3 # /etc/fstab # # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info UUID=a540e0d8-e8be-4cdb-b70c-835d1bda5b95 / ext4 defaults 1 1 UUID=6283d75d-5d6c-4f17-9124-c731fe075663 swap swap defaults 0 0
十一、echo一个文件路径给sed命令,取出其基名;进一步地,取出其路径名;
[root@localhost ~]# echo "/etc/sysconfig/network" | sed 's#^\(/.*/\)[^/]*#\1#g' /etc/sysconfig/ [root@localhost ~]# echo "/etc/sysconfig/network" | sed 's#^/.*/##g' network
十二、统计当前系统上所有tcp连接的各种状态的个数;
[17:49:36 root@qa36 /data/nginx/html/static]#netstat -tan | awk '/^tcp/{state[$NF]++}END{for(i in state) { print i,state[i]}}'
TIME_WAIT 331
FIN_WAIT2 5
ESTABLISHED 316
LISTEN 23
十三、统计指定的web访问日志中各ip的资源访问次数:
[root@localhost /]# more access.log
59.56.78.124 - - [01/Nov/2016:03:48:04 +0800] "POST /noticeData.htm HTTP/1.1" 200 71061 "http://www.ztrong.com/recruit.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Windows
NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QIHU 360EE) ; .NET CLR 2.0.50727)" "101.201.68.23"
59.56.78.124 - - [01/Nov/2016:03:48:10 +0800] "POST /checkUserIsLogin.htm HTTP/1.1" 200 28 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QIHU 360EE) ; .NET CLR 2.0.50727)" "101.201.68.23"
59.56.78.124 - - [01/Nov/2016:03:48:12 +0800] "GET /itemList.htm HTTP/1.1" 200 5872 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Triden
t/4.0; .NET CLR 2.0.50727; doyo 2.6.1)" "124.72.233.225"
59.56.78.124 - - [01/Nov/2016:03:48:14 +0800] "POST /checkUserIsLogin.htm HTTP/1.1" 200 28 "http://www.ztrong.com/itemList.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Win
dows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; doyo 2.6.1)" "124.72.233.225"
59.56.78.124 - - [01/Nov/2016:03:48:17 +0800] "POST /noticeData.htm HTTP/1.1" 200 71054 "http://www.ztrong.com/itemList.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Window
s NT 5.1; Trident/4.0; .NET CLR 2.0.50727; doyo 2.6.1)" "124.72.233.225"
59.56.78.124 - - [01/Nov/2016:03:48:18 +0800] "POST /itemListAjax.htm HTTP/1.1" 200 44804 "http://www.ztrong.com/itemList.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Wind
ows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; doyo 2.6.1)" "124.72.233.225"
59.56.78.124 - - [01/Nov/2016:03:48:24 +0800] "POST /index/indexInit.htm HTTP/1.1" 200 95753 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.
1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QIHU 360EE) ; .NET CLR 2.0.50727)" "101.201.68.23"
59.56.78.124 - - [01/Nov/2016:03:48:26 +0800] "POST /checkUserIsLogin.htm HTTP/1.1" 200 28 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; doyo 2.6.1)" "124.72.233.225"
59.56.78.124 - - [01/Nov/2016:03:48:28 +0800] "POST /index/indexInit.htm HTTP/1.1" 200 95753 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.
1; Trident/4.0; .NET CLR 2.0.50727; doyo 2.6.1)" "124.72.233.225"
59.56.78.124 - - [01/Nov/2016:03:48:29 +0800] "GET /newFriend.htm HTTP/1.1" 200 5019 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Tride
nt/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QIHU 360EE) ; .NET CLR 2.0.50727)" "101.201.68.23"
59.56.78.124 - - [01/Nov/2016:03:48:32 +0800] "POST /checkUserIsLogin.htm HTTP/1.1" 200 28 "http://www.ztrong.com/newFriend.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Wi
ndows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QIHU 360EE) ; .NET CLR 2.0.50727)" "101.201.68.23"
59.56.78.124 - - [01/Nov/2016:03:48:34 +0800] "POST /checkUserIsLogin.htm HTTP/1.1" 200 28 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
Trident/4.0; Sicent; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" "61.145.60.234"
59.56.78.124 - - [01/Nov/2016:03:48:34 +0800] "POST /index/indexInit.htm HTTP/1.1" 200 95768 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.
1; Trident/4.0; Sicent; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" "61.145.60.234"
[root@localhost /]# awk '{ip[$NF]++}END{for(i in ip) {print i,ip[i]}}' access.log | sort -nrk 2 | more
"124.91.66.72" 8266
"180.167.69.202" 5754
"60.190.202.84" 2582
"112.124.127.44" 1421
"120.27.47.144" 1419
"123.151.153.35" 756
"58.217.246.43" 455
"183.167.211.95" 418
"125.95.73.60" 372
"210.13.195.34" 367
"1.191.224.132" 349
"61.159.186.206" 302
"223.220.144.254" 281
"121.8.98.40" 261
"183.63.34.14" 250
"218.59.187.52" 238
"42.228.225.190" 210
"114.86.22.68" 200
"218.66.59.169" 187
"220.250.18.170" 181
"1.180.203.223" 174
"180.109.38.90" 173
"117.24.92.170" 171
"61.167.167.172" 162
十四、授权centos用户可以运行fdisk命令完成磁盘管理,以及使用mkfs或mke2fs实现文件系统管理;
[root@localhost /]# chmod +w /etc/sudoers #添加修改权限 [root@localhost /]# vim /etc/sudoers #修改配置文件添加如下一行 centos ALL=(root) /sbin/mkfs, /sbin/mke2fs, /sbin/ifconfig [root@localhost /]# chmod -w /etc/sudoers #改回文件原来权限
十五、授权gentoo用户可以运行逻辑卷管理的相关命令;
[root@localhost /]# vim /etc/sudoers centos ALL=(root) /sbin/*create, /sbin/*reduce, /sbin/*display,/sbin/mkfs*,/sbin/*extend
十六、基于pam_time.so模块,限制用户通过sshd服务远程登录只能在工作时间进行;
[root@localhost /]# vim /etc/pam.d/sshd #%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare account required pam_time.so #添加pam_time.so模块 account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session include postlogin # Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare [root@localhost /]# vim /etc/security/time.conf #修改配置文件定义具体时间 sshd;*;*;MoTuWeThFr0900-1800
十七、基于pam_listfile.so模块,定义仅某些用户,或某些组内的用户可登录系统;
[root@localhost /]# vim /etc/pam.d/sshd #添加如下一行 auth required pam_listfile.so item=user sense=allow file=/etc/sshd_user onerr=succeed [root@localhost /]# vim /etc/sshd_user #自定义可以登陆的用户 centos gentoo
转载于:https://blog.51cto.com/hiqiwang/1871189
344
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
