Some knowledge points for the RHCE exam
/etc/security/time.conf
=================================================
Networks often require access restrictions based on time. The system
administrator may not want a particular service to be accessed on
weekends, or a traveling user may need access to a filesystem when
he/she is working in another time zone. In this Daily Feature article,
I will discuss ways to use Pluggable Authentication Modules (PAM) to
allow and deny access to system services, based on time.
The pam_time module
The pam_time module is used as an account module-type. The pam_time
module does not accept arguments. It instead uses the
/etc/security/time.conf file to get information related to login time
and location restrictions. There are two important points concerning
the /etc/security/time.conf file.
1. If the /etc/security/time.conf file does not exist, there are no login restrictions related to login time or location.
2. The limitations set by /etc/security/time.conf apply to all users, including root.
The /etc/security/time.conf file restricts access by time and location
when used with pam_time. Each line in /etc/security/time.conf file is
called a rule. Each rule uses the following syntax:
services;ttys;users;times
Table A describes the function of each of these entries.
Table A
Entry     Function
services  Used to list services used with PAM. Several records may be used with the same service.
ttys      A list of devices that may be allowed or denied access.
users     A list of users who are known to the system. This list may include root.
times     A list which determines the times when a specific rule applies.
Logical operators
Logical operators are special characters used to apply conditions to
parameters in configuration files and scripts. Table B lists the
logical operators used in /etc/security/time.conf, and other
configuration files.
Table B
Operator  Function     Typical use   Description
&         Logical AND  jack & jill   This rule applies to the users jack and jill.
|         Logical OR   ftp | telnet  This rule applies to ftp or telnet.
!         Logical NOT  ! ssh         This rule does not apply to the secure shell.
*         Wildcard                   This is used when a match for any value is required.
Time codes
Time codes are used to establish the times when access rules are in
effect. Time codes may specify either the day of the week or the time
of day when a rule is in effect, or both.
When establishing time of day restrictions, time is measured using a
24-hour clock. If a restriction is required for 1:00 P.M., the time
used in the configuration file would be 1300, since 1:00 P.M. is the
thirteenth hour of the day. Table C lists the day codes used in
configuration files.
Table C
Day code                    Function
Su, Mo, Tu, We, Th, Fr, Sa  These are the codes used for the days of the week, beginning at Sunday and ending with Saturday. These codes may be used in a continuous text string to represent multiple days. SuTuFr would indicate a restriction is in place on Sunday, Tuesday, and Friday.
Wk, Wd                      Wd signifies weekdays. Wk signifies weekends. The string SuWk means all weekends except Sundays. The string WeWd means all weekdays except Wednesdays.
Al                          This term signifies all seven days of the week. The string AlTh means all days of the week, except Thursdays.
Putting /etc/security/time.conf to work
Below you will see a sample /etc/security/time.conf file. Remember, the format for entries in this file is:
services;ttys;users;times
A simple /etc/security/time.conf file will look like:
*;tty1;jim;Al0000-2300
login & ssh;*;jane | jim|bill|susan;Al1200-2000
ftp;*;guest;Wk0000-2400
finger;*;guest;Al0000-2400
Now, let's examine the contents of this file. The first line:
*;tty1;jim;Al0000-2300
allows the user Jim access to all services from midnight until 11:00 P.M., as long as Jim is logging in from tty1.
The second line:
login & ssh;*;jane | jim|bill|susan;Al1200-2000
allows the users Jane, Jim, Bill, and Susan access to the system on any
day of the week—from 12:00 noon until 8:00 P.M.—as long as they are
accessing the system using /bin/login, or the secure shell, ssh.
The third line:
ftp;*;guest;Wk0000-2400
allows the user guest access to the system via FTP at any time during the weekend.
The last line:
finger;*;guest;Al0000-2400
prevents the user from obtaining finger information from the system at any time.
Test yourself
What would happen if I placed the following entry in /etc/security/time.conf?
*;*;*;!Al0000-2400
If you guessed that this entry would deny access to all users,
including root, you're right. The point here is to be very careful when
making modifications to the time.conf file. Always make a backup copy
of this file before any modifications are made.
The purpose of the /etc/security/time.conf file is to restrict access.
If entries in this file contain overlapping times or locations, the
entry granting the least access is used. Place a pam_time entry in the
/etc/pam.d configuration file for each application requiring restricted
access.
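The rule syntax, the logical operators, the day and time codes, and the "least access wins" behaviour described above can all be exercised with a small evaluator. The following is an added Python example, not code from the article and not pam_time itself. It assumes an fnmatch-style meaning for the * wildcard, treats a range whose end is earlier than its start as wrapping past midnight, and supports only the single-day codes plus Al (the Wk/Wd group codes are left out); the rules in SAMPLE_CONF are constructed for the demonstration.

```python
"""Evaluator for /etc/security/time.conf rules in the style of pam_time.
Added example; see the lead-in for the assumptions it makes."""
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Two-letter day codes mapped to datetime.weekday() numbers (Mon=0 .. Sun=6).
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Al": {0, 1, 2, 3, 4, 5, 6},
}
# A time item is an optional run of day codes, then an optional HHMM-HHMM range.
TIME_ITEM = re.compile(r"^([A-Za-z]*)(?:(\d{4})-(\d{4}))?$")


def eval_logic(field, pred):
    """Evaluate a logic list: '|' separates alternatives, '&' joins the
    conditions inside one alternative and '!' negates a single item."""
    for alternative in field.split("|"):
        items = [item.strip() for item in alternative.split("&")]
        if all(not pred(i[1:].strip()) if i.startswith("!") else pred(i)
               for i in items):
            return True
    return False


def parse_days(code):
    """Expand a run of day codes.  A day named twice is toggled off again,
    so 'AlTh' means every day except Thursday."""
    days = set()
    for i in range(0, len(code), 2):
        token = code[i:i + 2]
        if token not in DAY_CODES:
            raise ValueError(f"unknown day code {token!r}")
        days ^= DAY_CODES[token]
    return days


def match_time_item(item, when):
    """True if 'when' falls inside one item such as 'MoTuFr0800-1700'."""
    m = TIME_ITEM.match(item)
    if not m or not item:
        raise ValueError(f"bad time item {item!r}")
    days, start, end = m.group(1), m.group(2), m.group(3)
    if days and when.weekday() not in parse_days(days):
        return False
    if start is None:                     # day codes only: any time of day
        return True
    start, end, now = int(start), int(end), when.hour * 100 + when.minute
    if start <= end:
        return start <= now < end
    return now >= start or now < end      # end before start: wraps midnight (assumed)


def parse_rules(text):
    """Split a time.conf body into (services, ttys, users, times) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 4:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(tuple(parts))
    return rules


def access_allowed(rules, service, tty, user, when):
    """Every rule whose services, ttys and users fields all match must also
    match the time, so with overlapping rules the least permissive one wins;
    a login that matches no rule at all is allowed."""
    for services, ttys, users, times in rules:
        applies = (eval_logic(services, lambda s: fnmatchcase(service, s))
                   and eval_logic(ttys, lambda t: fnmatchcase(tty, t))
                   and eval_logic(users, lambda u: fnmatchcase(user, u)))
        if applies and not eval_logic(times, lambda t: match_time_item(t, when)):
            return False
    return True


# Constructed sample policy for the demonstration, not the article's file.
SAMPLE_CONF = """\
sshd;*;guest;MoTuWeThFr0800-1800
login;tty1;!root;Al0000-2300
sshd|login;*;jim;AlTh0000-2400
"""
SAMPLE_RULES = parse_rules(SAMPLE_CONF)

if __name__ == "__main__":
    tuesday_morning = datetime(2024, 1, 2, 9, 0)
    print(access_allowed(SAMPLE_RULES, "sshd", "pts/0", "guest", tuesday_morning))
```

On a real system the same decision is taken by pam_time once the service's /etc/pam.d file carries an account line for pam_time.so; the evaluator is useful for checking a draft time.conf against a few sample logins before the file goes live, which is exactly where the deny-all rule from the "Test yourself" section would otherwise bite.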
Restricting access based on system resources
Setting limits on the system resources available to each user may also
restrict system access. Placing limits on system resources provides two
distinct advantages for the system administrator:
* No single user or service will consume available resources, avoiding bottlenecks.
* Limits on system resources are useful in preventing system-based DoS attacks.
PAM uses two components to establish limits on system resources: the
pam_limits module, and the /etc/security/limits.conf file. The
pam_limits module may be used as a session module-type only. The
pam_limits module accepts only two arguments:
* debug—used to send information to syslog
* conf=path-to-config-file—The default for this argument is /etc/security/limits.conf.
The /etc/security/limits.conf file establishes system resource limits
on a per-user or per-group basis. All limits set by the limits.conf
file apply to a single session. Total limits are set on system
resources by restricting the maximum number of concurrent user logins.
Entries are made to /etc/security/limits.conf using the following whitespace-separated format:
<username or @groupname> <hard or soft> <resource> <limit value>
Table D lists the special characters and syntax used in /etc/security/limits.conf.
Table D
Character or syntax  Function
#                    Used to specify comments
@groupname           Groupnames are always preceded by the @ character
*                    Wildcard character. Used to represent all users or all groups
hard / soft          Denotes a hard or soft limit on a specific resource. A hard limit sets a fixed limit. A soft limit uses a default limit.
-                    Used to establish limits for a specific user
Table E shows a typical /etc/security/limits.conf file.
Table E
User/group   Limit-type  Resource   Limit-value
*            hard        stack      10000
@finance     hard        nofile     10
@accounting  hard        fsize      2000
jim          -
ftp          hard        maxlogins  50
Now, let's examine the restrictions set by these entries. The first line:
*  hard  stack  10000
sets a stack limit of 10,000 kilobytes, or 10 MB, for all users.
The second line:
@finance  hard  nofile  10
specifies that users in the finance group may have a maximum of 10 open files.
The third line:
@accounting  hard  fsize  2000
sets the maximum file size for users in the accounting group to 2 MB.
The fourth line:
jim  -
disables all restrictions for the user Jim.
The last line:
ftp  hard  maxlogins  50
sets the maximum number of concurrent FTP logins to 50.
Restricting /etc/security/limits.conf
Table F shows the resources that may be restricted using the
/etc/security/limits.conf file. The only way to properly implement these,
or any restrictions, is to know the requirements of your network.
Remember, any security restrictions you apply to your system will
result in a user being unable to perform a task. Restrictions should
always be tested before being implemented on a production server.
Table F
Resource   Function
core       Limits the size of core files
fsize      Sets maximum file size
data       Maximum data size
nofile     Maximum number of open files
cpu        Maximum CPU time in minutes
stack      Maximum stack size
nproc      Maximum number of processes
as         Used to limit address space
maxlogins  Maximum number of concurrent logins
memlock    Maximum locked-in memory address space
rss        Maximum resident set size
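To see how the entries of Table E and the resource names of Table F combine into the limits one user actually receives, here is an added Python example; it is not part of the article and not pam_limits code. It assumes that an explicit user entry outranks a group entry, which outranks the * wildcard (with a later line of equal rank overriding an earlier one), that a bare "user -" line clears every limit for that user, and that the units attached to each resource follow the limits.conf(5) convention; SAMPLE_LIMITS is a constructed file modelled on Table E.

```python
"""Resolve the limits pam_limits would apply to one user from a limits.conf
body.  Added example; see the lead-in for its assumptions."""

# Resources from Table F, with the unit each value is expressed in.
UNITS = {
    "core": "KB", "fsize": "KB", "data": "KB", "stack": "KB", "as": "KB",
    "memlock": "KB", "rss": "KB", "cpu": "minutes", "nofile": "count",
    "nproc": "count", "maxlogins": "count",
}
RANK = {"user": 0, "group": 1, "all": 2}   # lower rank is more specific (assumed order)


def parse_limits(text):
    """Return (domain, type, item, value) tuples.  Type '-' means hard and
    soft; a two-field 'domain -' line is kept as (domain, '-', None, None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 2 and parts[1] == "-":
            entries.append((parts[0], "-", None, None))
            continue
        if len(parts) != 4:
            raise ValueError(f"malformed line: {raw!r}")
        domain, ltype, item, value = parts
        if ltype not in ("hard", "soft", "-"):
            raise ValueError(f"bad limit type in {raw!r}")
        if item not in UNITS:
            raise ValueError(f"unknown resource in {raw!r}")
        entries.append((domain, ltype, item,
                        value if value == "unlimited" else int(value)))
    return entries


def domain_kind(domain, user, groups):
    """Classify how a domain applies to user ('user', 'group', 'all') or None."""
    if domain == "*":
        return "all"
    if domain.startswith("@"):
        return "group" if domain[1:] in groups else None
    return "user" if domain == user else None


def effective_limits(entries, user, groups=()):
    """Return {item: {'hard': v, 'soft': v}} for user.  A more specific entry
    overrides a less specific one whatever the line order; a bare 'user -'
    line clears everything for that user."""
    limits, rank_of = {}, {}
    for domain, ltype, item, value in entries:
        kind = domain_kind(domain, user, groups)
        if kind is None:
            continue
        if item is None:                          # bare 'domain -' line
            if kind == "user":
                return {}
            continue
        for t in (("hard", "soft") if ltype == "-" else (ltype,)):
            if RANK[kind] <= rank_of.get((item, t), RANK["all"]):
                limits.setdefault(item, {})[t] = value
                rank_of[(item, t)] = RANK[kind]
    return limits


def describe(limits):
    """Render resolved limits with their units, e.g. 'stack hard 10000 KB'."""
    return [f"{item} {t} {v} {UNITS[item]}"
            for item, by_type in sorted(limits.items())
            for t, v in sorted(by_type.items())]


# Constructed sample modelled on Table E, not a real system's file.
SAMPLE_LIMITS = parse_limits("""\
*            hard    stack      10000
@finance     hard    nofile     10
@accounting  hard    fsize      2000
jim          -
ftp          hard    maxlogins  50
""")

if __name__ == "__main__":
    for line in describe(effective_limits(SAMPLE_LIMITS, "alice", ["finance"])):
        print(line)
```

Running the resolver for each group and a couple of representative users is a quick way to catch the problem the article warns about: a wildcard line that silently applies to service accounts, or a user line placed above the group line it was meant to tighten.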
Summary
In this article, I discussed ways of using PAM to enforce a system
access policy based on time. I explained the PAM modules and
configuration files required to enforce this policy, and the procedures
required to modify these files. I also showed you some entries that
should not be used by administrators when establishing a time-based
system access policy.
Jim McIntyre, retired from the Canadian navy, has a total of 12 years
of IT training and experience, as well as extensive technical support
experience. Jim completed the Novell CNE program, the Adult Education
program at Saint Francis Xavier University, and the Webmaster Program
at Dalhousie University. His hobbies include golf and hiking.
The authors and editors have taken care in preparation of the content
contained herein but make no expressed or implied warranty of any kind
and assume no responsibility for errors or omissions. No liability is
assumed for any damages. Always have a verified backup before making
any changes.
====================================================
auto.master:
A B C
A: the directory above the mount point; if you want to mount a device at /x/y/z, put /x/y here
B: the map file used for mounts under A, given as an absolute path and usually kept under /etc, e.g. /etc/auto.xyz
C: optional; the number of idle seconds after which the mount is automatically unmounted, e.g. --timeout=60 is one minute
My auto.xyz and auto.misc here:
A B C
A: the actual mount point; for /x/y/z this is z
B: optional; the options used when mounting, for nfs for example: -bg,soft,intr
C: where the device lives; for nfs it looks like: nfs.server:/export/path
Example:
To mount the /home exported by the nfs server 192.168.1.1 at the local /import/home:
/etc/auto.master:
/import /etc/auto.import --timeout=600
/etc/auto.import:
home -bg,soft,intr 192.168.1.1:/home
Then:
mkdir /import
/etc/init.d/autofs restart
chkconfig autofs on
Example:
To mount the /home exported by the nfs server 192.168.1.1 at the local /home:
How should it be changed in this case?
Change it like this:
auto.master:
/home /etc/auto.home --timeout=600
auto.home:
* -bg,soft,intr 192.168.1.1:/home/&
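The two-level layout described above (auto.master pointing at a map file; the map holding key, options and location) can be walked by hand to check what a given path would mount, including the * catch-all key and the & substitution used in the second example. The following is an added Python example, not autofs code; the master and map contents are constructed strings embedded in FILES, and only the --timeout option is recognised.

```python
"""Resolve a path through auto.master and its map files the way the autofs
layout in the notes is organised.  Added example, not autofs code."""
import re

# Constructed copies of the two examples in the notes, keyed by file name.
FILES = {
    "/etc/auto.master": """\
/import  /etc/auto.import  --timeout=600
/home    /etc/auto.home    --timeout=600
""",
    "/etc/auto.import": "home  -bg,soft,intr  192.168.1.1:/home\n",
    "/etc/auto.home":   "*     -bg,soft,intr  192.168.1.1:/home/&\n",
}


def parse_master(text):
    """Return [(mount_root, map_path, timeout_seconds_or_None)]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed auto.master line: {raw!r}")
        timeout = None
        for opt in parts[2:]:                 # only --timeout=N is recognised here
            m = re.fullmatch(r"--timeout=(\d+)", opt)
            if not m:
                raise ValueError(f"unsupported option {opt!r} in {raw!r}")
            timeout = int(m.group(1))
        entries.append((parts[0].rstrip("/"), parts[1], timeout))
    return entries


def parse_map(text):
    """Return [(key, options_or_None, location)]; options start with '-'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3 and parts[1].startswith("-"):
            entries.append((parts[0], parts[1], parts[2]))
        elif len(parts) == 2:
            entries.append((parts[0], None, parts[1]))
        else:
            raise ValueError(f"malformed map line: {raw!r}")
    return entries


def resolve(path, files=FILES):
    """Map an absolute path to (location, options, timeout), or None when no
    master entry and map key cover it.  Only the first path component below
    the mount root is the autofs key; '&' in the location becomes that key."""
    for root, map_path, timeout in parse_master(files["/etc/auto.master"]):
        if not path.startswith(root + "/"):
            continue
        key = path[len(root) + 1:].split("/", 1)[0]
        map_text = files.get(map_path)
        if map_text is None:
            raise ValueError(f"map file {map_path} not found")
        for map_key, options, location in parse_map(map_text):
            if key and map_key in (key, "*"):
                return location.replace("&", key), options, timeout
    return None


if __name__ == "__main__":
    print(resolve("/import/home"))
    print(resolve("/home/alice"))
```

The wildcard map is the one to be careful with: every name a user touches under /home becomes an NFS mount attempt for 192.168.1.1:/home/<name>, so a typo in a path produces a mount request rather than a plain "no such file".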
====================================================
APACHE
====================================================
- A (partial) domain name
Example:
Allow from apache.org
Allow from .net example.edu
Hosts whose names match the given string, or end with the given string, are allowed access. Only complete name components are matched, so the example above matches
foo.apache.org
but does not match fooapache.org.
Such a configuration makes Apache perform two DNS lookups on the client IP address regardless of how the directive is set: a forward lookup to make sure the IP address is not forged and a reverse lookup to make sure the hostname is not forged. Access is allowed only if the results of both lookups agree and the hostname matches.
If allow from does not work, check the hosts file and DNS.
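To show how the whole-component matching and the two DNS lookups described above fit together, here is an added Python model; it is not Apache code. The PTR and A records are a constructed table passed in as dictionaries (documentation addresses from 192.0.2.0/24), so the check runs offline, and a hostname is trusted only when its forward lookup returns the original client address.

```python
"""Model of the 'Allow from <domain>' host check with the double DNS lookup.
Added example, not Apache code; DNS data is a constructed table."""


def matches_domain(hostname, pattern):
    """Whole-component suffix match: 'apache.org' matches foo.apache.org but
    not fooapache.org; a pattern with a leading dot ('.net') is suffix only."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return hostname.endswith(pattern)
    return hostname == pattern or hostname.endswith("." + pattern)


def client_hostname(ip, ptr, a_records):
    """Reverse-lookup the address, then forward-lookup the returned name; the
    name is used only if that forward lookup leads back to the same address."""
    name = ptr.get(ip)
    if name is None or ip not in a_records.get(name, ()):
        return None
    return name


def allow_from(ip, patterns, ptr, a_records):
    """True if the verified client hostname matches any allowed pattern."""
    name = client_hostname(ip, ptr, a_records)
    return name is not None and any(matches_domain(name, p) for p in patterns)


# Constructed DNS data using documentation addresses (RFC 5737), not real hosts.
PTR = {
    "192.0.2.10": "foo.apache.org",
    "192.0.2.11": "fooapache.org",
    "192.0.2.12": "www.apache.org",   # PTR claims this name ...
}
A_RECORDS = {
    "foo.apache.org": {"192.0.2.10"},
    "fooapache.org": {"192.0.2.11"},
    "www.apache.org": {"192.0.2.99"},  # ... but the name resolves elsewhere
}
ALLOWED = ["apache.org", ".net", "example.edu"]

if __name__ == "__main__":
    for ip in sorted(PTR) + ["192.0.2.13"]:   # .13 has no PTR record at all
        print(ip, allow_from(ip, ALLOWED, PTR, A_RECORDS))
```

The 192.0.2.12 case is the one the second lookup exists for: the owner of a reverse zone can put any name in a PTR record, so the name is only believed when the forward zone for that name agrees. It also shows why a name-based Allow depends on both zones being reachable, which is what the note about checking the hosts file and DNS is getting at.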
=============================================
SendMail
=============================================
Error encountered: the mail was bounced.
----- Transcript of session follows -----
553 5.3.5 suzhouclark.3322.org. config error: mail loops back to me (MX problem?)
554 5.3.5 Local configuration error
Fix:
In sendmail.mc, set the entry to the corresponding domain:
LOCAL_DOMAIN(`suzhouclark.3322.org')dnl
Changing the hostname should have no effect. Before changing sendmail.mc:
[root@fff ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to fff.suzhouclark.3322.org (127.0.0.1).
Escape character is '^]'.
220 localhost.localdomain ESMTP Sendmail 8.13.8/8.13.8; Thu, 1 Oct 2009 05:42:36
After changing sendmail.mc:
[root@fff ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to fff.suzhouclark.3322.org (127.0.0.1).
Escape character is '^]'.
220 fff.suzhouclark.3322.org ESMTP Sendmail 8.13.8/8.13.8; Thu, 1 Oct 2009 05:43:51 +0800
=============================================
Problem encountered: bounced mail
----- Transcript of session follows -----
550 5.1.2... Host unknown (Name server: suzhouclark.3322.org: no data known)
Fix: just edit the /etc/hosts file.
==============================================
From the command-line interface, run the following commands to install a GUI:
#yum groupinstall "X Window System"
#yum groupinstall "gnome-desktop"
#reboot
From "ITPUB blog", link: http://blog.itpub.net/9697/viewspace-1026471/. If reposting, please cite the source; otherwise legal action will be pursued.