SELinux2

Continued from SELinux1:

13. The files under /etc/sysconfig configure how certain services run, for example:

      named
      sendmail
      dhcpd
      samba
      init
      syslog

14. Daemons managed by xinetd are run through /etc/xinetd.conf (the default configuration file) and /etc/xinetd.d/<service>. The same settings may also be given in /etc/xinetd.d/<service>; when the two conflict, the value in /etc/xinetd.d/<service> takes precedence.

Default contents of /etc/xinetd.conf:

defaults
{
# The next two items are intended to be a quick access place to
# temporarily enable or disable services.
#       enabled         =
#       disabled        =

# Define general logging characteristics.
        log_type        = SYSLOG daemon info
        log_on_failure  = HOST
        log_on_success  = PID HOST DURATION EXIT

# Define access restriction defaults
#       no_access        =
#       only_from        =
#       max_load        = 0
        cps             = 50 10
        instances         = 50
        per_source       = 10
}

cps: the number of connections accepted per unit time, a soft limit. With cps = 50 10 the maximum is 50 connections per second; once that rate is exceeded the service waits 10 seconds (the default) before accepting connections again.

instances: the maximum number of concurrent connections allowed for one service, a hard limit; once it is reached, further users are refused.

per_source: how many connections a single IP address may open to this host at the same time, i.e. the concurrent connections per source.

Address forms accepted after only_from: a network address (192.168.1.0), a network name (from /etc/networks), or an IP address/netmask (192.168.0.0/24).

vim /etc/xinetd.d/tftp

service tftp
{
        disable = no
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /tftpboot
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

2.) Non-standalone daemons

chkconfig SERVICE on/off (adds a service to, or removes it from, the services started at boot)

service xinetd restart

The following experiments use telnet; beforehand, make sure the hostname in /etc/sysconfig/network and /etc/hosts is the same.

Example 1. If 127.0.0.1 is added to /etc/xinetd.d/telnet, telnet from other hosts is refused and only local login is allowed. (Note: telnet does not allow root to log in, so create a regular user for the telnet session; once the regular user is logged in, it can switch to root.)

yum install telnet-server

cd /etc/xinetd.d/ (a telnet file has now appeared here)

chkconfig telnet on

service xinetd restart

chkconfig xinetd on (this must be enabled)

chkconfig --level 35 xinetd on

telnet 192.168.0.108

Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Kernel 2.6.18-164.el5 on an i686

login: thg
Password:
Last login: Tue Feb 24 24:47:46 from server19

If bind = 127.0.0.1 is added to /etc/xinetd.d/telnet, only local login is allowed.

vim /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
        disable = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
# bind to the local (loopback) address only
        bind            = 127.0.0.1
}

service xinetd restart (restart the service)

From a Windows host:

C:\>telnet 192.168.0.108

正在连接到192.168.0.108...不能打开到主机的连接, 在端口 23: 连接失败

2. Denying access based on IP address

vim /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        disable = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
# allow addresses from the 192.168.0.0/24 network ...
        only_from       = 192.168.0.0/24
# ... but do not allow the host 192.168.0.106
        no_access       = 192.168.0.106
}

service xinetd restart (restart the service)

(xinetd applies the most specific match here, so 192.168.0.106 is refused.)

The login failure output:

$ telnet 192.168.0.108
Trying 192.168.0.108...
telnet: connect to address 192.168.0.108: Connection refused
telnet: Unable to connect to remote host: Connection refused

3. Denying service based on access time: outside the configured window, access is refused

vim /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
        disable = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        access_times    = 8:00-12:00
}

service xinetd restart (restart the service)

The login failure output is:

$ telnet 192.168.0.108
Trying 192.168.0.108...
telnet: connect to address 192.168.0.108: Connection refused
telnet: Unable to connect to remote host: Connection refused

4. Controlling the number of concurrent connections

vim /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        disable = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
# this service allows at most 2 concurrent connections
        instances       = 2
# a given host may open only one terminal session to this server
        per_source      = 1
}

service xinetd restart (restart the service)

The first remote login from station6 succeeds:

$ telnet 192.168.0.108
Trying 192.168.0.108...
Connected to server8example.com (192.168.0.108).
Escape character is '^]'.
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Kernel 2.6.18-164.el5 on an i686
login: thg
Password:
Last login: Tue Feb 24 01:35:41 from server6

Without closing the first window, open a second one; this time the connection is refused:

# telnet 192.168.0.108
Trying 192.168.0.108...
Connected to server8.example.com (192.168.0.108).
Escape character is '^]'.
Connection closed by foreign host.
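To make the attribute semantics from item 14 and experiments 1 to 4 concrete, here is an added example (not from the original notes) that models how xinetd decides whether to hand one new connection to a service: only_from / no_access resolved by most specific match, access_times, and the instances and per_source counters. The config dictionary, the check order, and the rule that a tie between only_from and no_access is refused are assumptions of this model, not xinetd's source.

```python
import ipaddress
from datetime import time

# Added example: a small model of xinetd's per-connection access decision.
# Assumption: a tie between only_from and no_access specificity is refused.

def parse_addr(spec):
    """Turn an xinetd address spec (dotted quad or a.b.c.d/nn) into a network.
    Trailing zero octets use xinetd's 'network address' form:
    192.168.1.0 -> 192.168.1.0/24, 192.168.0.106 -> a single host."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    n = 4
    while n > 1 and octets[n - 1] == "0":
        n -= 1
    return ipaddress.ip_network(f"{spec}/{8 * n}", strict=False)

def best_prefix(specs, ip):
    """Longest prefix length among specs containing ip, or -1 if none match."""
    hits = [net.prefixlen for net in map(parse_addr, specs) if ip in net]
    return max(hits, default=-1)

def parse_clock(hhmm):
    """'8:00' -> time(8, 0); used for access_times and the current time."""
    return time(*map(int, hhmm.split(":")))

def check_access(cfg, client_ip, now, active, active_from_client):
    """Return (allowed, reason) for one new connection attempt.
    now is 'HH:MM'; active is the service's current connection count and
    active_from_client the count from client_ip. Order follows the notes."""
    ip = ipaddress.ip_address(client_ip)
    allow = best_prefix(cfg.get("only_from", []), ip)
    deny = best_prefix(cfg.get("no_access", []), ip)
    if cfg.get("only_from") and allow < 0:
        return False, "not in only_from"
    if deny >= 0 and deny >= allow:          # most specific match wins
        return False, "no_access is the best match"
    if "access_times" in cfg:
        lo, hi = (parse_clock(t) for t in cfg["access_times"].split("-"))
        if not lo <= parse_clock(now) <= hi:
            return False, "outside access_times"
    if active >= cfg.get("instances", float("inf")):
        return False, "instances limit reached"
    if active_from_client >= cfg.get("per_source", float("inf")):
        return False, "per_source limit reached"
    return True, "accepted"

# Constructed config mirroring experiments 2 to 4 above.
TELNET_CFG = {"only_from": ["192.168.0.0/24"], "no_access": ["192.168.0.106"],
              "access_times": "8:00-12:00", "instances": 2, "per_source": 1}
```

Calling check_access(TELNET_CFG, "192.168.0.106", "09:00", 0, 0) returns the no_access refusal even though the /24 in only_from also matches, which is the best-match behaviour the notes describe.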

5. banner: when a user connects, the contents of a given file are displayed to the user

cd /usr/share

vim telnet.banner

Welcome to come here!!!!!!

Save and quit.

vim /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        disable = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        banner          = /usr/share/telnet.banner
}

service xinetd restart (restart the service)

# telnet 192.168.0.108
Trying 192.168.0.108...
Connected to server8.example.com (192.168.0.108).
Escape character is '^]'.
Welcome to come here!!!!!!
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
login: thg
Password:
Last login: Wed Feb 24 01:37:06 from server6