SELinux


1. System resources are managed by init

Main configuration file: /etc/inittab

co:23:respawn:/sbin/agetty -f /etc/issue.serial 19200 ttyS1

2. Services are started by running the scripts under /etc/init.d/

ldd `which xinetd` shows every shared library xinetd is linked against

[root@station116 ~]# ldd `which xinetd`

        linux-gate.so.1 =>  (0x00f23000)

        libselinux.so.1 => /lib/libselinux.so.1 (0x00110000)

        libwrap.so.0 => /lib/libwrap.so.0 (0x0056c000)

        libnsl.so.1 => /lib/libnsl.so.1 (0x00c3d000)

        libm.so.6 => /lib/libm.so.6 (0x00a36000)

        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00942000)

        libc.so.6 => /lib/libc.so.6 (0x001b4000)

        libdl.so.2 => /lib/libdl.so.2 (0x00580000)

        libsepol.so.1 => /lib/libsepol.so.1 (0x009d9000)

        /lib/ld-linux.so.2 (0x00d87000)

[root@station116 ~]#

You can see that xinetd is linked against libwrap.so (the TCP Wrappers library), which is why the hosts.allow/hosts.deny rules later in these notes apply to xinetd services.

Controlling a service (the two commands below query its status):

 /etc/init.d/network status

 service network status

3. chkconfig: query and change run-level settings

chkconfig --list [name]   list one service; with no name, list all of them

chkconfig --add [name]    add a service

chkconfig --del [name]    remove a service

chkconfig --list | grep "^y"   list the services whose names begin with y

chkconfig --level LEVELS [name] on|off|reset   (levels 2-5; reset restores the default settings)

For standalone daemons, chkconfig's default levels are 2345

For xinetd-managed (non-standalone) services, levels cannot be specified

Scripts under /etc/init.d are not added to the chkconfig list by default

Alternatively, system-config-services opens a graphical window for setting levels and enabling services

ntsysv can also be used to set a service to start at boot

4. Files under /etc/sysconfig configure how certain services run, for example:

      named

      sendmail

      dhcpd

      samba

      init

      syslog

5. 1) Daemons run under xinetd are started through /etc/xinetd.conf (the default configuration file) and the per-service files under /etc/xinetd.d/. Anything set in the defaults file can be set again in a per-service file under /etc/xinetd.d/; when the two conflict, the per-service file wins.

Default configuration in /etc/xinetd.conf:

defaults

{

# The next two items are intended to be a quick access place to

# temporarily enable or disable services.

#

#       enabled         =

#       disabled        =

 

# Define general logging characteristics.

        log_type        = SYSLOG daemon info

        log_on_failure  = HOST

        log_on_success  = PID HOST DURATION EXIT

 

# Define access restriction defaults

#

#       no_access       =

#       only_from       =

#       max_load        = 0

        cps             = 50 10

        instances       = 50

        per_source      = 10

 

cps: the number of incoming connections per unit of time, effectively a soft limit. When the limit is hit the service waits 10 seconds by default; the maximum is 50 connections per second.

instances: the maximum number of simultaneous connections a service may have, effectively a hard limit; once it is reached, further users are refused.

per_source: the maximum number of simultaneous connections a single IP address may open to the host.

 

Address forms accepted after only_from: 

network address (192.168.1.0)

network name (from /etc/networks)

IP address/netmask (192.168.0.0/24)

 

vim /etc/xinetd.d/tftp

service tftp

{

        disable = no

        socket_type             = dgram

        protocol                = udp

        wait                    = yes

        user                    = root

        server                  = /usr/sbin/in.tftpd

        server_args             = -s /tftpboot

        per_source              = 11

        cps                     = 100 2

        flags                   = IPv4

}
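As an added example (not part of the original notes), the following Python script reads configuration text in the xinetd format shown above, applies each service stanza on top of the defaults block the way the text describes (the service's own "=" wins on conflict, "+=" extends the default) and reports, per enabled service, its effective cps/instances/per_source limits and whether any source restriction is set. The configuration text inside it is constructed, not copied from a real system.

```python
"""Parse configuration text in xinetd's format and compute each service's
effective settings: the service stanza is applied on top of the defaults
block, so its own '=' wins on conflict and '+=' / '-=' adjust the default.
Added example; the configuration text below is constructed."""
import re

# Constructed sample: a defaults block as in /etc/xinetd.conf followed by
# two stanzas as found under /etc/xinetd.d/.
SAMPLE_CONF = """
defaults
{
        log_on_failure  = HOST
        cps             = 50 10
        instances       = 50
        per_source      = 10
}
service tftp
{
        disable         = no
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        per_source      = 11
        cps             = 100 2
}
service telnet
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        only_from       = 192.168.0.0/24
}
"""

HEADER = re.compile(r"^(defaults|service\s+(\S+))\s*$")
ATTR = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")


def parse_xinetd(text):
    """Return (defaults, services): defaults maps attribute -> token list,
    services maps name -> list of (attribute, operator, token list)."""
    defaults, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or line in ("{", "}"):
            continue
        m = HEADER.match(line)
        if m:
            current = defaults if m.group(1) == "defaults" else services.setdefault(m.group(2), [])
            continue
        m = ATTR.match(line)
        if not m or current is None:
            raise ValueError("unparseable line: %r" % raw)
        key, op, value = m.group(1), m.group(2), m.group(3).split()
        if current is defaults:
            defaults[key] = value          # the defaults block uses plain '='
        else:
            current.append((key, op, value))
    return defaults, services


def effective(defaults, ops):
    """Apply one service's operations on top of the defaults."""
    eff = {k: list(v) for k, v in defaults.items()}
    for key, op, value in ops:
        if op == "=":
            eff[key] = list(value)                     # service wins on conflict
        elif op == "+=":
            eff[key] = eff.get(key, []) + list(value)  # extend the default
        else:
            eff[key] = [v for v in eff.get(key, []) if v not in value]
    return eff


def audit(text):
    """Per enabled service: effective rate/concurrency limits, the failure
    logging fields, and whether any source restriction is configured."""
    defaults, services = parse_xinetd(text)
    report = {}
    for name, ops in services.items():
        eff = effective(defaults, ops)
        if eff.get("disable", ["no"])[0].lower() == "yes":
            continue
        report[name] = {
            "cps": eff.get("cps"),
            "instances": eff.get("instances", ["UNLIMITED"])[0],
            "per_source": eff.get("per_source", ["UNLIMITED"])[0],
            "log_on_failure": eff.get("log_on_failure", []),
            "restricted": any(k in eff for k in ("only_from", "no_access", "bind", "access_times")),
        }
    return report


if __name__ == "__main__":
    for svc, info in sorted(audit(SAMPLE_CONF).items()):
        note = "" if info["restricted"] else "  <- enabled with no source restriction"
        print("%-7s cps=%s instances=%s per_source=%s%s" % (
            svc, " ".join(info["cps"] or []), info["instances"], info["per_source"], note))
```

Running it on the constructed text shows tftp inheriting instances=50 from the defaults while overriding cps and per_source, and telnet's log_on_failure growing to "HOST USERID" because "+=" extends rather than replaces; the same parser can be pointed at the real /etc/xinetd.conf plus the files under /etc/xinetd.d/ concatenated.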

 

2.) xinetd-managed (non-standalone) daemons

chkconfig SERVICE on/off   enable or disable a service

service  xinetd  restart

********************************************************

Before using telnet, make sure the hostname in /etc/sysconfig/network and in /etc/hosts agree.

Examples: [1.] If 127.0.0.1 is added to /etc/xinetd.d/telnet, telnet from other hosts fails; only local logins are allowed. (Note: telnet does not permit root to log in; log in as a normal user and then switch to root.)

yum install telnet-server

A telnet file will then appear under /etc/xinetd.d/

chkconfig telnet on

service xinetd restart

*************************

chkconfig xinetd on   (xinetd itself must be enabled)

chkconfig --level 35 xinetd on

telnet 192.168.0.116

Red Hat Enterprise Linux Server release 5.4 (Tikanga)

Kernel 2.6.18-164.el5 on an i686

login: zhuying

Password:

Last login: Tue Feb 23 22:47:46 from server19

 

If bind = 127.0.0.1 is added to /etc/xinetd.d/telnet, only local logins are allowed.

vim /etc/xinetd.d/telnet

# default: on

# description: The telnet server serves telnet sessions; it uses /

# unencrypted username/password pairs for authentication.

service telnet

{

        disable = no

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

        log_on_failure  += USERID

        bind            =127.0.0.1                                                                  

}

service xinetd restart   (restart the service)

C:/>telnet 192.168.0.116

正在连接到192.168.0.116...不能打开到主机的连接, 在端口 23: 连接失败

 

2.] Denying access by IP address

only_from=192.168.0.0/24

     no_access=192.168.0.111

vim /etc/xinetd.d/telnet

# default: on

# description: The telnet server serves telnet sessions; it uses /

#       unencrypted username/password pairs for authentication.

service telnet

{

        disable = no

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

        log_on_failure  += USERID

        only_from=192.168.0.0/24

        no_access=192.168.0.111

}


service xinetd restart   (restart the service after every change)

(The most specific match wins, so 192.168.0.111 is refused.)

The failed login looks like this:

[zhuying@station30 ~]$ telnet 192.168.0.116

Trying 192.168.0.116...

telnet: connect to address 192.168.0.116: Connection refused

telnet: Unable to connect to remote host: Connection refused

[zhuying@station30 ~]$

3.] Denying service by access time

Outside this time window, access is refused

vim /etc/xinetd.d/telnet

# default: on

# description: The telnet server serves telnet sessions; it uses /

#       unencrypted username/password pairs for authentication.

service telnet

{

        disable = no

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

        log_on_failure  += USERID

        access_times=9:00-12:00

}

 

service xinetd restart   (don't forget to restart the service after every change)

The failed login looks like this:

[zhuying@station30 ~]$ telnet 192.168.0.116

Trying 192.168.0.116...

telnet: connect to address 192.168.0.116: Connection refused

telnet: Unable to connect to remote host: Connection refused

[zhuying@station30 ~]$

4.] Limiting by number of concurrent connections

instances=2   (at most 2 concurrent connections to this service)

per_source=1   (a given host may open only one session to the remote host)

vim /etc/xinetd.d/telnet

# default: on

# description: The telnet server serves telnet sessions; it uses /

#       unencrypted username/password pairs for authentication.

service telnet

{

        disable = no

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

        log_on_failure  += USERID

         instances=2

         per_source=1

}

service xinetd restart   (don't forget to restart the service after every change)

The first remote login from station30 succeeds.

[zhuying@station30 ~]$ telnet 192.168.0.116

Trying 192.168.0.116...

Connected to server16.example.com (192.168.0.116).

Escape character is '^]'.

Red Hat Enterprise Linux Server release 5.4 (Tikanga)

Kernel 2.6.18-164.el5 on an i686

login: zhuying

Password:

Last login: Tue Feb 23 23:35:41 from server11

[zhuying@station116 ~]$

 

Without closing the first window, open a second one; this connection is refused.

[root@station30 ~]# telnet 192.168.0.116

Trying 192.168.0.116...

Connected to server16.example.com (192.168.0.116).

Escape character is '^]'.

Connection closed by foreign host.

[root@station30 ~]#

[root@station30 ~]#
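The following Python model, added here as an example and not part of the original notes, reproduces the decisions shown in examples 2 to 4 above: only_from/no_access with the most specific address match winning (a tie is treated as a denial, which is an assumption of this model rather than a quote of xinetd's source), access_times windows, and the instances/per_source concurrency limits. The policy dicts and source addresses in it are constructed test inputs shaped after the telnet stanzas.

```python
"""Model xinetd's access decision for a single service: only_from/no_access
address matching with the most specific match winning, access_times windows
and the instances/per_source concurrency limits. Added example; the policy
dicts and addresses are constructed after the telnet stanzas above."""
import ipaddress


def network_of(spec):
    """Convert an xinetd address form to an IPv4Network: a full address,
    CIDR ('192.168.0.0/24'), or the dotted form whose trailing zero octets
    act as wildcards ('192.168.1.0' means 192.168.1.0/24)."""
    if "/" in spec:
        return ipaddress.IPv4Network(spec, strict=False)
    octets = spec.split(".")
    prefix = 32
    while octets and octets[-1] == "0":
        octets.pop()
        prefix -= 8
    return ipaddress.IPv4Network("%s/%d" % (spec, prefix), strict=False)


def best_match(src_ip, specs):
    """Longest prefix length among specs containing src_ip, or -1 for none."""
    addr = ipaddress.IPv4Address(src_ip)
    best = -1
    for spec in specs:
        net = network_of(spec)
        if addr in net:
            best = max(best, net.prefixlen)
    return best


def in_window(window, now):
    """Is 'HH:MM' now inside an access_times window such as '9:00-12:00'?"""
    def minutes(hhmm):
        h, m = hhmm.split(":")
        return int(h) * 60 + int(m)
    start, end = window.split("-")
    return minutes(start) <= minutes(now) <= minutes(end)


def decide(policy, src_ip, now, active):
    """Return (allowed, reason) for one connection attempt.
    policy: xinetd attributes as {name: [tokens]}, e.g. {"only_from": ["192.168.0.0/24"]}
    now:    wall-clock time of the attempt as 'HH:MM'
    active: source addresses of the connections currently open to this service"""
    allow_len = best_match(src_ip, policy.get("only_from", []))
    deny_len = best_match(src_ip, policy.get("no_access", []))
    if "only_from" in policy and allow_len < 0:
        return False, "not in only_from"
    # Both lists match: the longer prefix wins. A tie is treated as a denial
    # here (an assumption of this model, not a quote of xinetd's source).
    if deny_len >= 0 and deny_len >= allow_len:
        return False, "no_access is the more specific match"
    windows = policy.get("access_times", [])
    if windows and not any(in_window(w, now) for w in windows):
        return False, "outside access_times %s" % " ".join(windows)
    instances = policy.get("instances", ["UNLIMITED"])[0]
    if instances != "UNLIMITED" and len(active) >= int(instances):
        return False, "instances limit %s reached" % instances
    per_source = policy.get("per_source", ["UNLIMITED"])[0]
    if per_source != "UNLIMITED" and active.count(src_ip) >= int(per_source):
        return False, "per_source limit %s reached for %s" % (per_source, src_ip)
    return True, "allowed"


if __name__ == "__main__":
    # Constructed scenarios mirroring examples 2, 3 and 4 above.
    by_ip = {"only_from": ["192.168.0.0/24"], "no_access": ["192.168.0.111"]}
    by_time = {"access_times": ["9:00-12:00"]}
    by_count = {"instances": ["2"], "per_source": ["1"]}
    for policy, ip, now, active in [
        (by_ip, "192.168.0.111", "10:00", []),
        (by_ip, "192.168.0.30", "10:00", []),
        (by_time, "192.168.0.30", "14:00", []),
        (by_count, "192.168.0.30", "10:00", ["192.168.0.30"]),
        (by_count, "192.168.0.32", "10:00", ["192.168.0.30", "192.168.0.31"]),
    ]:
        print(ip, now, active, "->", decide(policy, ip, now, active))
```

The order of the checks matters: the address lists are consulted before the time window and the counters, so a refused address never consumes an instance, which matches what the "Connection refused" sessions above show.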

5. banner: show the contents of a file to the user at login

cd /usr/share

vim telnet.banner

**************************

Welcome to my station!!!

Hoho,bye...

**************************

Save and exit.

vim /etc/xinetd.d/telnet

# default: on

# description: The telnet server serves telnet sessions; it uses /

#       unencrypted username/password pairs for authentication.

service telnet

{

        disable = no

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

        log_on_failure  += USERID

        banner        =/usr/share/telnet.banner

}


service xinetd restart   (don't forget to restart the service after every change)

[root@station30 ~]# telnet 192.168.0.116

Trying 192.168.0.116...

Connected to server16.example.com (192.168.0.116).

Escape character is '^]'.

**************************

Welcome to my station!!!

Hoho,bye...

**************************                                                                       

Red Hat Enterprise Linux Server release 5.4 (Tikanga)login: zhuying

Password:

Last login: Wed Feb 24 00:02:06 from server11

[zhuying@station116 ~]$

 

6. TCP_Wrapper

Rule syntax: daemon_list: client_list [:opt1 :opt2...]

Host access is restricted by matching these rules

Allow rules: /etc/hosts.allow

Deny rules: /etc/hosts.deny

IP address (192.168.0.1, 10.0.0.)

name (www.redhat.com, .example.com)

netmask (192.168.0.0/255.255.255.0)

network name (from /etc/networks)

 

 

Examples:

1.] Rules are defined in both files. /etc/hosts.allow is consulted first; only if nothing there matches is /etc/hosts.deny consulted.

vim /etc/hosts.allow

 

#

# hosts.allow   This file describes the names of the hosts which are

#               allowed to use the local INET services, as decided

#               by the '/usr/sbin/tcpd' server.

#

 

in.telnetd:192.168.0.0/255.255.255.0 EXCEPT 192.168.0.111

 

vim /etc/hosts.deny

 

#

# hosts.deny    This file describes the names of the hosts which are

#               *not* allowed to use the local INET services, as decided

#               by the '/usr/sbin/tcpd' server.

#

# The portmap line is redundant, but it is left to remind you that

# the new secure portmap uses hosts.deny and hosts.allow.  In particular

# you should know that NFS uses portmap!

in.telnetd:ALL

 

service xinetd restart   (restart the service)

The login is refused:

[root@station30 ~]# telnet 192.168.0.116

Trying 192.168.0.116...

Connected to server16.example.com (192.168.0.116).

Escape character is '^]'.

**************************

Welcome to my station!!!

Hoho,bye...

**************************

Connection closed by foreign host.

[root@station30 ~]#

 

 

 

 

 

If the rule in /etc/hosts.allow is replaced with:

in.telnetd:ALL EXCEPT 192.168.0.0/255.255.255.0 EXCEPT 192.168.0.111

and the rule in /etc/hosts.deny is left unchanged, then 192.168.0.111 can log in, and every host outside the 192.168.0.0 network can log in as well.

2.] Sending mail on access

vim /etc/hosts.allow

#

# hosts.allow   This file describes the names of the hosts which are

#               allowed to use the local INET services, as decided

#               by the '/usr/sbin/tcpd' server.

#

in.telnetd:192.168.0.0/255.255.255.0:spawn /bin/echo `date` %c %d | /bin/mail -s "Somebody has telnetd our server." root

 

vim /etc/hosts.deny

# hosts.deny    This file describes the names of the hosts which are

#               *not* allowed to use the local INET services, as decided

#               by the '/usr/sbin/tcpd' server.

#

# The portmap line is redundant, but it is left to remind you that

# the new secure portmap uses hosts.deny and hosts.allow.  In particular

# you should know that NFS uses portmap!

in.telnetd:ALL:spawn /bin/echo `date` %c %d | /bin/mail -s "Somebody has telnetd our server." root

 

service xinetd restart   (restart the service)

Now every host in the 192.168.0. network can log in

[root@station30 ~]# telnet 192.168.0.116

Trying 192.168.0.116...

Connected to server16.example.com (192.168.0.116).

Escape character is '^]'.

**************************

Welcome to my station!!!

Hoho,bye...

**************************

Red Hat Enterprise Linux Server release 5.4 (Tikanga)

Kernel 2.6.18-164.el5 on an i686

login: zhuying

Password:

Last login: Wed Feb 24 02:01:49 from server11

 

After logging in, switch to root and check whether the mail has arrived:

[zhuying@station116 ~]$ su -

Password:

[root@station116 ~]# mail

Mail version 8.1 6/6/93.  Type ? for help.

"/var/spool/mail/root": 1 message 1 new

>N  1 root@station116.exam  Wed Feb 24 02:12  16/733   "Somebody has telnetd "

& 1

Message 1:

From root@station116.example.com  Wed Feb 24 02:12:25 2010

Date: Wed, 24 Feb 2010 02:12:25 +0800

From: root <root@station116.example.com>

To: root@station116.example.com

Subject: Somebody has telnetd our server.

 

Wed Feb 24 02:12:25 CST 2010 192.168.0.111 in.telnetd

 

&

 

3.] Access control edited in a single file:

1. vim /etc/hosts.allow

 

#

# hosts.allow   This file describes the names of the hosts which are

#               allowed to use the local INET services, as decided

#               by the '/usr/sbin/tcpd' server.

#

in.telnetd:192.168.0.111:spawn /bin/echo `date` %c to %s is denied by %A > /var/log/tcpwrapper.log:DENY

in.telnetd:192.168.0. 192.168.1. :ALLOW

 

service xinetd restart   (restart the service)

 

Now 192.168.0.111 fails to log in

[root@station30 ~]# telnet 192.168.0.116

Trying 192.168.0.116...

Connected to server16.example.com (192.168.0.116).

Escape character is '^]'.

**************************

Welcome to my station!!!

Hoho,bye...             

**************************

Connection closed by foreign host.

[root@station30 ~]#

 

 

 

 

 

2.) twist: swaps the requested service for the given command, so the login is refused.

vim /etc/hosts.allow

#

# hosts.allow   This file describes the names of the hosts which are

#               allowed to use the local INET services, as decided

#               by the '/usr/sbin/tcpd' server.

#

 

in.telnetd:192.168.0.0/255.255.255.0:twist /bin/echo `date` connection refused by %s

 

service xinetd restart   (restart the service)

 

[root@station30 ~]# telnet 192.168.0.116

Trying 192.168.0.116...

Connected to server16.example.com (192.168.0.116).

Escape character is '^]'.

**************************

Welcome to my station!!!

Hoho,bye...

**************************

Wed Feb 24 02:47:36 CST 2010 connection refused by in.telnetd@192.168.0.116

Connection closed by foreign host.

[root@station30 ~]#

 

 

 

 

3.) Combining the two examples above:

vim /etc/hosts.allow

#

# hosts.allow   This file describes the names of the hosts which are

#               allowed to use the local INET services, as decided

#               by the '/usr/sbin/tcpd' server.

#

 

in.telnetd:192.168.0.111:spawn /bin/echo `date` %c to %s is denied. >> /var/log/tcpwrapper.log:twist /bin/echo `date` Attempt to log in to %s failed.

in.telnetd:192.168.0. 192.168.1.:ALLOW

service xinetd restart   (restart the service)

Now 192.168.0.111 fails to log in

[root@station30 ~]# telnet 192.168.0.116

Trying 192.168.0.116...

Connected to server16.example.com (192.168.0.116).

Escape character is '^]'.

**************************

Welcome to my station!!!

Hoho,bye...             

**************************

Connection closed by foreign host.

[root@station30 ~]
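The Python model below is an added example, not libwrap's source, of how the rules in section 6 are evaluated: hosts.allow is searched first, then hosts.deny, the first matching rule decides, and no match at all grants access; EXCEPT binds to the right, so that "ALL EXCEPT net EXCEPT host" admits the host, as example 1 describes; and the ALLOW/DENY/spawn/twist options from examples 2 and 3 are applied to the matching rule. The rule texts and client addresses in it are constructed, %c is simplified to the client address, and the server name substituted for %s is a placeholder parameter.

```python
"""Model the TCP Wrappers (libwrap) access decision: /etc/hosts.allow is
searched first, then /etc/hosts.deny; the first matching rule decides and
no match at all grants access. Handles the client patterns listed above
(address, trailing-dot network, leading-dot domain, net/mask, ALL), the
right-associative EXCEPT operator and the ALLOW/DENY/spawn/twist options.
Added example, not libwrap's source; the rule texts are constructed."""
import ipaddress

# Constructed rule sets shaped after the hosts.allow / hosts.deny examples
# on this page (comment lines are ignored by the parser).
HOSTS_ALLOW = """
# hosts.allow (constructed)
in.telnetd: ALL EXCEPT 192.168.0.0/255.255.255.0 EXCEPT 192.168.0.111
sshd: 192.168.0. .example.com : ALLOW
"""
HOSTS_DENY = """
# hosts.deny (constructed)
in.telnetd: ALL : spawn /bin/echo %d from %c >> /var/log/tcpwrapper.log
sshd: ALL : twist /bin/echo connection refused by %s
"""


def match_pattern(pattern, client_ip, client_name):
    """One client pattern against the connecting client."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                         # net/mask form
        net, mask = pattern.split("/", 1)
        return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(
            "%s/%s" % (net, mask), strict=False)
    if pattern.startswith("."):                # leading dot: domain suffix
        return client_name.endswith(pattern)
    if pattern.endswith("."):                  # trailing dot: address prefix
        return client_ip.startswith(pattern)
    return pattern in (client_ip, client_name)


def match_list(tokens, client_ip, client_name):
    """'a b EXCEPT c EXCEPT d' matches when the left part matches and the
    remainder, itself an EXCEPT expression, does not (EXCEPT binds right)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(tokens[:i], client_ip, client_name)
                and not match_list(tokens[i + 1:], client_ip, client_name))
    return any(match_pattern(t, client_ip, client_name) for t in tokens)


def parse_rules(text):
    """'daemon_list : client_list [: option ...]' -> [(daemons, clients, options)]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules


def wrap_decide(daemon, client_ip, client_name, allow_text, deny_text, server="SERVER"):
    """Return (granted, detail); detail names the deciding file and any
    spawn/twist command with %c %d %a %s expanded (%c simplified to the
    client address, 'server' is a placeholder for the server's own name)."""
    for fname, text, default in (("hosts.allow", allow_text, True),
                                 ("hosts.deny", deny_text, False)):
        for daemons, clients, options in parse_rules(text):
            if not ("ALL" in daemons or daemon in daemons):
                continue
            if not match_list(clients, client_ip, client_name):
                continue
            verdict, detail = default, fname
            for opt in options:
                if not opt:
                    continue
                word = opt.split()[0]
                if word == "ALLOW":
                    verdict = True
                elif word == "DENY":
                    verdict = False
                elif word in ("spawn", "twist"):
                    cmd = (opt[len(word):].strip().replace("%c", client_ip)
                           .replace("%a", client_ip).replace("%d", daemon)
                           .replace("%s", "%s@%s" % (daemon, server)))
                    detail += " %s: %s" % (word, cmd)
                    if word == "twist":       # twist replaces the service itself
                        verdict = False
            return verdict, detail
    return True, "no rule matched"


if __name__ == "__main__":
    for client in ("192.168.0.111", "192.168.0.30", "10.0.0.5"):
        print(client, "->", wrap_decide("in.telnetd", client, "host.example.com", HOSTS_ALLOW, HOSTS_DENY))
```

With the constructed hosts.allow, 192.168.0.111 and any host outside 192.168.0.0/24 are admitted by the first file, while the rest of the subnet falls through to the hosts.deny rule, whose spawn command is recorded in the returned detail; a twist option ends the decision as a denial because the client is handed to the replacement command instead of the real service.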

 

********************************************

 

1. The -Z option gives special handling to security contexts: ls -Z shows a file's security context, and ps -Z shows a process's.

[root@station116 ~]# ls -Z

-rw-------  root root system_u:object_r:user_home_t:s0 anaconda-ks.cfg

drwxr-xr-x  root root                                  bin

drwxr-xr-x  root root                                  Desktop

-rwxr--r--  root root                                  getid.sh

-rw-r--r--  root root root:object_r:user_home_t:s0     install.log

-rw-r--r--  root root root:object_r:user_home_t:s0     install.log.syslog

drwxr-xr-x  root root                                  lvm1snap

-rw-r--r--  root root                                  nano-1.3.12-1.1.1.gls.i386.rpm

[root@station116 ~]#

Showing process labels:

 [root@station116 ~]# ps -Z

LABEL                             PID TTY          TIME CMD

-                               12181 pts/2    00:00:00 bash

-                               15897 pts/2    00:00:00 ps

[root@station116 ~]#    

2. getsebool: list SELinux booleans

[root@station116 ~]# getsebool -a|grep ftp

allow_ftpd_anon_write --> off

allow_ftpd_full_access --> off

allow_ftpd_use_cifs --> off

allow_ftpd_use_nfs --> off

allow_tftp_anon_write --> off

ftp_home_dir --> off

ftpd_connect_db --> off

ftpd_disable_trans --> off

ftpd_is_daemon --> on

httpd_enable_ftp_server --> off

tftpd_disable_trans --> off

[root@station116 ~]#

 

Changing labels: chcon

Viewing the labels first:

[root@station116 home]# ls -Z

-rw-------  root    root    system_u:object_r:file_t         aquota.user

drwx------  cracker cracker user_u:object_r:user_home_dir_t  cracker

drwxr-xr-x  root    root    system_u:object_r:autofs_t       guests

drwx------  root    root    system_u:object_r:lost_found_t   lost+found

drwx------  natasha natasha user_u:object_r:user_home_dir_t  natasha

drwx------  wendy   wendy   user_u:object_r:user_home_dir_t  wendy

drwx------  zhuying zhuying user_u:object_r:user_home_dir_t  zhuying

 

 

Change a label and view the result:

[root@station116 home]# chcon -t file_t zhuying

[root@station116 home]# ls -Z

-rw-------  root    root    system_u:object_r:file_t         aquota.user

drwx------  cracker cracker user_u:object_r:user_home_dir_t  cracker

drwxr-xr-x  root    root    system_u:object_r:autofs_t       guests

drwx------  root    root    system_u:object_r:lost_found_t   lost+found

drwx------  natasha natasha user_u:object_r:user_home_dir_t  natasha

drwx------  wendy   wendy   user_u:object_r:user_home_dir_t  wendy

drwx------  zhuying zhuying user_u:object_r:file_t           zhuying

[root@station116 home]#

 

 

 

 

Undoing the change: restorecon

[root@station116 home]# restorecon zhuying

[root@station116 home]# ls -Z

-rw-------  root    root    system_u:object_r:file_t         aquota.user

drwx------  cracker cracker user_u:object_r:user_home_dir_t  cracker

drwxr-xr-x  root    root    system_u:object_r:autofs_t       guests

drwx------  root    root    system_u:object_r:lost_found_t   lost+found

drwx------  natasha natasha user_u:object_r:user_home_dir_t  natasha

drwx------  wendy   wendy   user_u:object_r:user_home_dir_t  wendy

drwx------  zhuying zhuying user_u:object_r:user_home_dir_t  zhuying

[root@station116 home]#

 

[root@station116 home]# cd zhuying/

[root@station116 zhuying]# ls -Z

drwxr-xr-x  root root root:object_r:file_t             file1

drwxr-xr-x  root root root:object_r:file_t             file2

drwxr-xr-x  root root root:object_r:file_t             test

Note that -R changes the labels of every file under the directory recursively:

[root@station116 home]# chcon -R -t user_home_dir_t zhuying

[root@station116 home]#

[root@station116 home]# cd zhuying/

[root@station116 zhuying]# ls -Z

drwxr-xr-x  root root user_u:object_r:user_home_t      file1

drwxr-xr-x  root root user_u:object_r:user_home_t      file2

drwxr-xr-x  root root user_u:object_r:user_home_t      test

[root@station116 zhuying]#
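As an added example (not restorecon's implementation), the Python script below compares the labels in an "ls -Z" listing with the type that a file_contexts-style rule set assigns to each path and lists the files restorecon would relabel. The listing and the rules are constructed, the rule semantics are simplified to "full-path regex, last matching rule wins", and entries without a context column (like some in the ls -Z output above) are skipped.

```python
"""Compare the SELinux labels shown by 'ls -Z' against the labels a
file_contexts-style rule set expects, reporting the files 'restorecon'
would relabel. Added example, not restorecon's implementation; the listing
and the rule set are constructed, and the rule semantics are simplified:
a rule's regex must match the whole path and the last matching rule wins."""
import re

# Constructed ls -Z listing (RHEL 5 layout: mode, owner, group, context, name;
# the names here carry full paths so the rules can be applied directly).
LS_Z_OUTPUT = """\
drwx------  cracker cracker user_u:object_r:user_home_dir_t  /home/cracker
drwx------  zhuying zhuying user_u:object_r:file_t           /home/zhuying
drwxr-xr-x  root    root    root:object_r:file_t             /home/zhuying/file1
drwxr-xr-x  root    root    user_u:object_r:user_home_t      /home/zhuying/test
drwxr-xr-x  root    root                                     /home/unlabeled
"""

# Constructed rules in the spirit of file_contexts: (path regex, expected type).
FILE_CONTEXT_RULES = [
    (r"/home/[^/]+", "user_home_dir_t"),
    (r"/home/[^/]+/.+", "user_home_t"),
]


def parse_ls_z(text):
    """Return {path: context}; lines without a context column are skipped."""
    labels = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        labels[fields[-1]] = fields[-2]
    return labels


def expected_type(path, rules=FILE_CONTEXT_RULES):
    """The type the last matching rule assigns, or None if no rule matches."""
    result = None
    for pattern, stype in rules:
        if re.fullmatch(pattern, path):
            result = stype
    return result


def context_type(context):
    """'user_u:object_r:user_home_t' (with or without ':s0') -> 'user_home_t'."""
    return context.split(":")[2]


def find_mislabeled(text, rules=FILE_CONTEXT_RULES):
    """Return {path: (current type, expected type)} for every listed file
    whose type field differs from what the rules assign to its path."""
    drift = {}
    for path, context in parse_ls_z(text).items():
        want = expected_type(path, rules)
        have = context_type(context)
        if want is not None and want != have:
            drift[path] = (have, want)
    return drift


if __name__ == "__main__":
    for path, (have, want) in sorted(find_mislabeled(LS_Z_OUTPUT).items()):
        print("%-22s has %-16s expected %s" % (path, have, want))
```

On the constructed listing the two paths that chcon had moved to file_t are reported, while /home/cracker and /home/zhuying/test already carry the expected types and stay silent; on a real system the same comparison is what "restorecon -n -v" reports before changing anything.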

 

 

 
