Linux firewall
LINUX TASKS
THE PROJECT
To document some of the basic Linux tasks I completed.

X CONFIG
The configuration file for X.org X11 is called xorg.conf and lives in /etc/X11. Binaries and libraries are stored under /usr/X11R6 (not /etc/X11R6). You may edit the file by hand or use an X configuration tool. The easiest approach on Fedora is to run the GUI tool.

# system-config-display

Another approach to getting X working is to switch to a runlevel in which X is not started, modify the configuration file and test it with startx. If everything works, return to the desired runlevel.

# telinit 3
# vi /etc/X11/xorg.conf
# startx
# telinit 5

To restart X while staying in an X-enabled runlevel you need to kill the X server. It can be killed with Ctrl+Alt+Backspace or with the kill command.

# ps ax | grep X
2644 tty7 SLs+ 15:18 /usr/bin/Xorg :0 -audit 0 -auth /var/gdm/:0.Xauth vt7
# kill 2644

To allow other users access to the X server run gdmsetup, select the Security tab and uncheck "Deny TCP connections to X Server". This exposes the X server on TCP port 6000: anyone who can reach that port and present a valid cookie controls the display (keystrokes, screen contents, input injection), so only do it on a trusted network and prefer SSH X forwarding (ssh -X) where it is available.

# gdmsetup

For remote connections while iptables is running, allow port 6000. On Fedora run system-config-securitylevel, click "Other ports" and add 6000.
# system-config-securitylevel
# iptables -L -t filter
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt -- anywhere anywhere
ACCEPT ipv6-auth -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:x11
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

The same listing shows ftp and telnet accepted from anywhere; both carry passwords in cleartext and should be closed when they are not needed.

For remote X server access you may need to update the .Xauthority file. Running "xauth add" stores a cookie in .Xauthority; that cookie is effectively the password to your local X server, so the file must stay mode 0600 (as in the listing below) and the cookie should only be copied over an encrypted channel. Note that "xhost +" disables host-based access control completely, so any host that can reach port 6000 may connect without a cookie; use "xhost +hostname" for a single host, or skip xhost altogether and rely on the cookie.

linux% xhost +
linux% /usr/bin/xauth list
d1de0199.cpships.com:0 MIT-MAGIC-COOKIE-1 d700206a15452c64d6c471f82da78f83
sun1# /usr/openwin/bin/xauth add $DISPLAY MIT-MAGIC-COOKIE-1 d700206a15452c64d6c471f82da78f83
sun1# ls -l /.Xauthority
-rw------- 1 root other 49 Aug 11 18:17 /.Xauthority

VIRTUAL TERMINALS
Linux supports multiple X login sessions via virtual terminals. By default the first X session runs on VT7. Pressing Ctrl+Alt+F1 switches you from X to the first text-mode VT. If you log in to the text-mode session you can start another X session with startx, then switch back and forth between the X sessions with Ctrl+Alt+F7 and Ctrl+Alt+F8. See the steps below.
Ctrl+Alt+F1: returns you to a text-based console login prompt on virtual terminal 1.

$ startx -- :1 vt8

Another X session is started on virtual terminal 8.

PAM ACCESS
You can use PAM to control access to your system via the pam_access.so module, which lets you prevent particular users from logging in. On Fedora you add pam_access.so to the account stack in the system-auth file and edit /etc/security/access.conf. Each access.conf line has three fields: + or - to allow or deny; the user (or group, or ALL); and the origin, which is a hostname, domain, network, tty or ALL. Lines are evaluated in order and the first match wins, so the catch-all "- : ALL : ALL" must be the last line. For ssh ensure that "UsePAM yes" is set in /etc/ssh/sshd_config. Two things to keep in mind with the stack below: the "sufficient" pam_succeed_if line returns success for uid < 500 before pam_access is reached, so root and system accounts are not subject to access.conf at all; and pam_access runs in the account phase, after the password has been verified, which is why ssh prompts for and accepts the password before closing the connection (the restriction is not a substitute for limiting password guessing). The example below shows the file configurations (extracts) and the response seen over telnet and ssh for a user who does not match a "+" line.

# cat /etc/pam.d/system-auth
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_access.so
# cat /etc/security/access.conf
+ : drstemp : ALL
- : ALL : ALL
# grep UsePAM /etc/ssh/sshd_config
UsePAM yes
$ ssh -l drstemp d1de0199
drstemp@d1de0199's password:
Connection closed by 10.152.30.50
$ telnet d1de0199
login: drstemp
Password:
Permission denied
Connection to d1de0199.cpships.com closed by foreign host.

ROOT ACCESS
By default root is denied access through remote login services that use the login program. The file /etc/securetty lists the terminals from which root may log in; the usual entries are tty1 through tty6 and vc/1 through vc/6. For a serial console add ttyS0 to /etc/securetty and a getty entry for it in /etc/inittab. Root over SSH is governed by sshd itself: set PermitRootLogin yes in /etc/ssh/sshd_config to allow it. Leaving it at no and using sudo from an unprivileged account keeps an audit trail of who became root.

NFS START
Modify the /etc/exports file. The format is share, client, options. The main options are read only (ro), read write (rw) and no_root_squash, which lets root on the client act as root on the NFS server. By default root on the client is mapped to the user nobody on the server (root_squash); keep that default unless you have a specific need.
# cat /etc/exports
/media/CXSERIES 10.70.80.164(ro)

Deny all hosts access to the RPC services by default (TCP wrappers).

# vi /etc/hosts.deny
portmap:ALL
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL

Then list the hosts that are allowed.

# vi /etc/hosts.allow
portmap: 10.70.80.164
lockd: 10.70.80.164
rquotad: 10.70.80.164
mountd: 10.70.80.164
statd: 10.70.80.164

Pin the ports NFS will use. Without this, lockd, mountd, statd and rquotad register random ports with portmap and cannot be opened selectively in the firewall.

# vi /etc/sysconfig/nfs
LOCKD_TCPPORT=48620
LOCKD_UDPPORT=48620
MOUNTD_PORT=48621
STATD_PORT=48622
RQUOTAD=no
RQUOTAD_PORT=48623

Open the firewall for NFS (2049), portmap (111) and the pinned ports. These rules accept from any source; adding "-s 10.70.80.164" to each would limit them to the one client in /etc/exports.

/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48620 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48621 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48622 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48623 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48620 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48621 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48622 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48623 -j ACCEPT

Start the NFS services.

# /etc/init.d/portmap start
Starting portmap: [ OK ]
# /etc/init.d/nfs start
Starting NFS services: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
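The firewall step above opens the six NFS ports to every source and, later in this procedure, closes them by stacking REJECT rules on top of the ACCEPTs. The following script is an added example, not part of the original page: it generates the same twelve rules restricted to the single client from /etc/exports, and closes access by deleting those exact rules with -D rather than inserting REJECTs, so the chain ends up as it started. The client address, chain name and port list are taken from this page; IPTABLES defaults to printing the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the original page). Open and close the NFS ports for one
# client, and tear down by deleting the identical rules (-D) instead of adding REJECTs.
# NFS_CLIENT, NFS_CHAIN and NFS_PORTS mirror the page's example; IPTABLES is an
# assumption: it prints by default, set IPTABLES=/sbin/iptables to really apply rules.

NFS_CLIENT=10.70.80.164
NFS_CHAIN=RH-Firewall-1-INPUT
NFS_PORTS="111 2049 48620 48621 48622 48623"
IPTABLES=${IPTABLES:-echo /sbin/iptables}

# nfs_rules open|close
# Emits (or runs) one rule per port and protocol. "open" inserts at the head of the
# chain so the ACCEPT precedes the chain's final REJECT; "close" deletes the same rule,
# which only matches because every argument is identical to the one used on open.
nfs_rules() {
    case $1 in
        open)  op=-I ;;
        close) op=-D ;;
        *) echo "usage: nfs_rules open|close" >&2; return 2 ;;
    esac
    for port in $NFS_PORTS; do
        for proto in tcp udp; do
            $IPTABLES $op "$NFS_CHAIN" -s "$NFS_CLIENT" -p $proto -m $proto \
                --dport "$port" -m state --state NEW -j ACCEPT
        done
    done
}

# count_rules open|close -> number of rules that would be touched (sanity check)
count_rules() {
    nfs_rules "$1" | wc -l | tr -d ' '
}

# Review first, then apply with: IPTABLES=/sbin/iptables sh this_script.sh open
[ $# -gt 0 ] && nfs_rules "$1"
```

Because the close step reuses the open step's arguments verbatim, "iptables -L RH-Firewall-1-INPUT -n" after "close" shows the chain back in its original state; with the REJECT-insert approach from the text both the ACCEPT and the REJECT remain and the chain grows on every cycle.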
List the exports as seen from the server itself.

# showmount -e localhost
Export list for localhost:
/media/CXSERIES 10.70.80.164

Connect the client.

# mount 10.152.3.236:/media/CXSERIES /mnt

Close the firewall once NFS access is complete. Inserting REJECT rules at the head of the chain works because -I places them in front of the earlier ACCEPTs, but both sets stay in the chain; deleting the ACCEPT rules with the same arguments and -D in place of -I is the cleaner way to undo the open step.

/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48620 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48621 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48622 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48623 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48620 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48621 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48622 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48623 -j REJECT

Stop the NFS services.

# /etc/init.d/portmap stop
Stopping portmap: [ OK ]
# /etc/init.d/nfs stop
Shutting down NFS mountd: [ OK ]
Shutting down NFS daemon: [ OK ]
Shutting down NFS services: [ OK ]

NFS MOUNT
General NAS example:

# mount -t nfs -o rw,bg,hard,nointr,rsize=1048576,wsize=1048576,tcp,nfsvers=3,timeo=600 ivan-ar:/export/testnfs /mnt

Single-instance Linux mount point options:

Datafiles: rw,bg,hard,rsize=1048576,wsize=1048576,vers=3,nointr,timeo=600,tcp,actimeo=0
Binaries: rw,bg,hard,rsize=1048576,wsize=1048576,vers=3,nointr,timeo=600,tcp

SAMBA
Samba provides Server Message Block/Common Internet File System (SMB/CIFS) services.
Samba authenticates against its own password database rather than PAM: SMB uses NTLM challenge/response, which requires the LM/NT password hashes, and a PAM stack cannot supply those. Controls similar to PAM's are configured in smb.conf. The smbpasswd file below holds the LM and NT hashes (the two 32-character hex fields); they are password-equivalent for SMB, so the file must stay readable by root only.

# cat /etc/samba/smbpasswd
spi0004:500:ADD06A7E537F719AC2265B23734E0DAC:314FE31A3785CE5F626E21CE7E15942A:
# smbpasswd -a drstemp
New SMB password:
Retype new SMB password:
Added user drstemp.
# smbpasswd -x drstemp
Deleted user drstemp.

To mount a CIFS share from /etc/fstab without placing the username and password in fstab (which is world-readable), point the credentials option at a separate file owned by root with mode 0600.

# cat /etc/fstab
//tpaunixdev/temp /test cifs rw,credentials=/etc/creds 0 0
# cat /etc/creds
username=adcpscorp/dspink
password=fhdkdlla

QUOTAS
To enable quotas on a file system first add the mount options usrquota and grpquota in /etc/fstab. If no process is using the file system, umount and mount it again; otherwise reboot.

# cat /etc/fstab
/dev/sda2 / ext3 rw,acl,usrquota,grpquota 1 1

The file system is now capable of supporting quotas. Next run quotacheck with the create option to scan the file system and build the table of current disk usage. For the root file system you may receive the error "quotacheck: Cannot remount filesystem mounted on / read-only so counted values might not be right. Please stop all programs writing to filesystem or use -m flag to force checking.", hence the -m option.

# quotacheck -cugm /

The remaining task is to assign disk quotas to the user. edquota opens a temporary ASCII file in your editor in which you set the quotas for that user.

# edquota spi0004
Disk quotas for user spi0004 (uid 500):
Filesystem blocks soft hard inodes soft hard
/dev/sda2 6175696 0 0 117793 0 0

Limits can be set on the number of blocks and/or the number of inodes. The hard limit is absolute; the soft limit lets the user continue, with warnings, for a grace period, after which it is enforced like a hard limit. The grace period is set with edquota -t.
# edquota -t
Grace period before enforcing soft limits for users:
Time units may be: days, hours, minutes, or seconds
Filesystem Block grace period Inode grace period
/dev/sda2 7days 7days

Verify that the user's quotas are in effect.

# quota spi0004

You may also assign quotas per group; the procedure mirrors the one for users.

# edquota -g ecommgp
# quota -g ecommgp

Check which file systems have quotas enabled. Note that quotacheck -avug is a rescan, not a status query: on a live file system with quotas already on it warns (below) that it may damage the quota files, so treat its output as that warning only; the state of each file system is printed by quotaon with its -p option.

# quotacheck -avug
quotacheck: Quota for users is enabled on mountpoint / so quotacheck might damage the file. Please turn quotas off or use -f to force checking.

Turn quotas off and on if needed.

# quotaoff -vaug
/dev/mapper/VolGroup00-LogVol00 [/]: group quotas turned off
/dev/mapper/VolGroup00-LogVol00 [/]: user quotas turned off
# quotaon -vaug
/dev/mapper/VolGroup00-LogVol00 [/]: group quotas turned on
/dev/mapper/VolGroup00-LogVol00 [/]: user quotas turned on

Report quota usage for all file systems. The flags column shows "+" when the block (first character) or inode (second character) soft limit is exceeded, and the grace column only appears for such users.

# repquota -a | more
*** Report for user quotas on device /dev/sda2
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  6444140       0       0          193501     0     0
daemon    --       24       0       0               3     0     0
adm       --        8       0       0               1     0     0
lp        --       16       0       0               2     0     0
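The repquota report above is the natural input for a capacity check, but its column layout shifts: the grace column is present only for users over a soft limit, so the inode columns move depending on the flags. The script below is an added example, not from the original page; it parses repquota -a output and reports every user whose block or inode usage has reached a given percentage of the hard limit, using the flags column to locate the inode fields. The sample report is constructed for the demonstration; its users and numbers are invented.

```shell
#!/bin/sh
# Added example (not from the original page). Parse `repquota -a` output and report
# users at or above PCT% of a hard block or inode limit.
# SAMPLE_REPQUOTA is constructed sample input; user names and figures are made up.

SAMPLE_REPQUOTA='*** Report for user quotas on device /dev/sda2
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  6444140       0       0          193501     0     0
spi0004   +-  5500000 5000000 6000000  6days   117793     0     0
drstemp   -+     1200  900000 1000000           11500 10000 12000   none
ecommgp   --   450000  900000 1000000            5000 10000 12000
'

# quota_warn PCT < repquota-output
# Prints "user blocks|inodes used hard" for each limit at or above PCT% of hard.
# Columns: user flags bused bsoft bhard [bgrace] iused isoft ihard [igrace].
# The block grace column exists only when the first flag character is "+", so the
# inode columns start at field 6 or 7 accordingly; the trailing inode grace does not
# shift anything and is ignored. Users with a hard limit of 0 (unlimited) are skipped.
quota_warn() {
    awk -v pct="$1" '
        /^-+$/ { data = 1; next }          # data rows follow the dashed separator
        !data || NF < 8 { next }
        {
            user = $1; flags = $2
            bused = $3; bsoft = $4; bhard = $5
            i = 6
            if (substr(flags, 1, 1) == "+") i++
            iused = $i; isoft = $(i + 1); ihard = $(i + 2)
            if (bhard > 0 && bused * 100 >= bhard * pct)
                print user, "blocks", bused, bhard
            if (ihard > 0 && iused * 100 >= ihard * pct)
                print user, "inodes", iused, ihard
        }'
}

# demo_quota_warn PCT -> run the check over the constructed sample
demo_quota_warn() {
    printf '%s' "$SAMPLE_REPQUOTA" | quota_warn "$1"
}

# Real use, e.g. from cron.daily:  repquota -a | quota_warn 90
[ $# -gt 0 ] && demo_quota_warn "$1"
```

Run against the sample with a threshold of 90 it reports spi0004 (blocks at 91.7% of hard) and drstemp (inodes at 95.8%), while root is skipped because its limits are unlimited. The same pipe over real "repquota -a" output gives a daily warning before users hit their hard limits.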
ADD SWAP
Adding a swap file (about 100 MB here). The file will hold the contents of memory pages, so it must be owned by root and mode 0600; swapon warns about insecure permissions otherwise.

# dd if=/dev/zero of=/swap.swp bs=1024 count=100000

Initialise the swap file for use. This writes the data structures that allow it to hold swapped-out memory.

# mkswap /swap.swp

Start using the swap file.

# swapon /swap.swp

To make it permanent add the following line to /etc/fstab:

/swap.swp swap swap defaults 0 0

To turn the swap file off and back on once fstab is updated:

# swapoff /swap.swp
# swapon -a

To disable all swap used by the system:

# swapoff -a
Adding a swap partition. Prepare the partition for use:

# mkswap /dev/sdb3

Start using the swap partition.

# swapon /dev/sdb3

OPTICAL
Collect your source files in a single location, then create an ISO-9660 file system in an image file from that directory. -J and -r enable the Joliet and Rock Ridge extensions.

# mkisofs -J -r -V "vacation photos" -o ../image.iso /mysource

Burn the disc by writing the image file to the optical drive.

# cdrecord dev=0,4,0 speed=2 ../image.iso

CRON
System cron jobs are defined in /etc/crontab. The directories it references, for example /etc/cron.daily, contain scripts that run once a day.

# cat /etc/crontab
MAILTO=root
HOME=/
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
# ls /etc/cron.daily
00webalizer 0logwatch cups makewhatis.cron my.cron rpm tmpwatch 0anacron certwatch logrotate mlocate.cron prelink tetex.cron yum.cron

Every minute cron wakes up and checks the entries in /var/spool/cron, the /etc/cron.d directory and /etc/crontab.

# cat /var/spool/cron/root
05 * * * * /home/spi0004/test.sh
# cat /etc/cron.d/sysstat
*/10 * * * * root /usr/lib64/sa/sa1 1 1

Note that root's crontab above runs /home/spi0004/test.sh as root every hour. That script sits in an unprivileged user's home directory, so whoever can write it (spi0004, or anyone who compromises that account) gets root at the next run. Scripts run from root's crontab or from /etc/cron.* should live in a root-owned location and be writable by root only.

PERFORMANCE
Disk (block) access:

# iostat -x 5

NFS access:

# nfsstat 5

RPC statistics:

# mountstat 5

CPU consumption:

# mpstat -P ALL

Network interface:

# sar -n DEV 5

TCP send/receive queues:

# netstat -a 5
or
# netstat -a 5 | grep NFS
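The CRON section above lists every place cron reads jobs from and shows a root job pointing at a script in a user's home directory. The following check is an added example, not part of the original page: it walks those locations and lists any file or directory that is world-writable, plus (as a separate function, since it needs root to be meaningful) anything not owned by root. Either finding means a non-root user can change what cron runs as root. The directory list is the default from the text; any other directories can be passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original page). Audit the cron locations named in the
# text for files a non-root user could modify. CRON_DIRS is the default set; callers
# may pass their own directories instead.

CRON_DIRS="/etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/cron"

# world_writable DIR... -> prints each world-writable file or directory, one per line.
# A writable directory counts too: the script inside can be replaced even if the
# script itself is read-only.
world_writable() {
    for d in "$@"; do
        [ -e "$d" ] || continue
        find "$d" \( -type f -o -type d \) -perm -o+w -print
    done
}

# not_root_owned DIR... -> prints entries whose owner is not root
not_root_owned() {
    for d in "$@"; do
        [ -e "$d" ] || continue
        find "$d" ! -user root -print
    done
}

# audit_cron [DIR...] -> prints all findings, returns 1 if there are any, 0 if clean
audit_cron() {
    [ $# -gt 0 ] || set -- $CRON_DIRS
    findings=$( { world_writable "$@"; not_root_owned "$@"; } | sort -u )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run as root for a complete answer (ownership of other users' files is visible
# regardless, but /var/spool/cron is normally unreadable to ordinary users).
[ "$1" = "run" ] && audit_cron
```

The ownership check deliberately flags the root crontab example from the text only indirectly: /var/spool/cron/root itself is root-owned, but the script it runs is not under any of the audited directories, so a complete review also has to follow the commands listed in each crontab entry back to the files they execute.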
From the ITPUB blog, link: http://blog.itpub.net/90618/viewspace-1063537/. If you repost, please cite the source; otherwise legal liability will be pursued.