System Service Access Controls

*chkconfig controls whether a service starts automatically at boot
(1)
#chkconfig --list

#chkconfig name {on|off}
#chkconfig vsftpd on

#chkconfig --level levels name {on|off}
#chkconfig --level 3 vsftpd on
(2) xinetd (the super-server that manages the on-demand services)
%enable the telnet service
#chkconfig telnet on
or # vi /etc/xinetd.d/telnet

%xinetd access control
#whitelist
only_from = host_pattern
#blacklist
no_access = host_pattern
#maximum instances
per_source = 2 (at most 2 connections from the same IP)

Ex:
only_from = 192.168.0.0/24
no_access = 192.168.0.1

(3)Access control
%tcp_wrappers(libwrap.so)
Ex: xinetd
configuration: /etc/hosts.allow, /etc/hosts.deny

%daemons
Ex: httpd, smbd, squid

How to check which kind of access control a service uses
#ldd `which sshd`|grep libwrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00dc2000)
#ldd `which squid`|grep libwrap
(blank, because the daemon implements its own access control)

(4)Tcp_wrappers
#/etc/hosts.allow
vsftpd: 192.168.0.

in.telnetd, portmap: all : spawn echo "login attempt from %c to %s"
%c: client information (user@host)
%s: server information (server@host)

#/etc/hosts.deny
all: .cracker.org EXCEPT trusted.cracker.org
sshd: 192.168.0. EXCEPT 192.168.0.4
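To see how the hosts.allow / hosts.deny rules above combine, here is a small evaluator (an added example, not part of the original notes or of tcp_wrappers itself). It assumes the documented decision order (hosts.allow first, then hosts.deny, otherwise allow) and models only the pattern forms used in the notes: ALL, a trailing-dot network prefix, a leading-dot domain suffix, exact names, and EXCEPT; netmask forms, KNOWN/UNKNOWN/PARANOID and option execution are not modelled.

```python
# Constructed rule sets mirroring the examples in the notes above.
HOSTS_ALLOW = """
vsftpd: 192.168.0.
in.telnetd, portmap: ALL: spawn echo "login attempt from %c to %s"
"""
HOSTS_DENY = """
ALL: .cracker.org EXCEPT trusted.cracker.org
sshd: 192.168.0. EXCEPT 192.168.0.4
"""


def token_matches(pattern, value):
    """Match one pattern token (ALL, prefix., .suffix, or an exact name)."""
    pattern = pattern.strip().lower()
    value = value.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):      # ".cracker.org" -> any host in that domain
        return value.endswith(pattern)
    if pattern.endswith("."):        # "192.168.0." -> any address in that prefix
        return value.startswith(pattern)
    return pattern == value


def list_matches(spec, value):
    """Match 'a, b EXCEPT c': in the left list and not in the right list."""
    head, sep, tail = spec.partition(" EXCEPT ")
    hit = any(token_matches(t, value) for t in head.replace(",", " ").split())
    return hit and not (sep and list_matches(tail, value))


def rules_match(table, daemon, client):
    """True if any 'daemon_list : client_list [: options]' line matches."""
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")     # assumption: no IPv6 literals; options ignored
        if len(fields) < 2:
            continue
        if list_matches(fields[0], daemon) and list_matches(fields[1], client):
            return True
    return False


def access_decision(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow match -> allow; else hosts.deny match -> deny; else allow."""
    if rules_match(allow, daemon, client):
        return "allow"
    return "deny" if rules_match(deny, daemon, client) else "allow"
```

Note that a telnet login from a .cracker.org host is still allowed, because the hosts.allow entry for in.telnetd is consulted before hosts.deny; the deny file only takes effect for daemons that no allow rule matched.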

(5)SElinux

#ps -Z
#ls -Z
-rw------- root root root:object_r:user_home_t anaconda-ks.cfg
drwxr-xr-x root root root:object_r:user_home_t etc
-rw-r--r-- root root root:object_r:user_home_t install.log
-rw-r--r-- root root root:object_r:user_home_t install.log.syslog

*SElinux context
A:B:C:D:E

A:user : user_u, system_u
B:role : object_r, system_r
C:type
D:sensitivity : security classification
E:category : similar to group

*show modes
#getenforce

*temporarily switch to Permissive mode
#setenforce 0|1
0: disable enforcement (Permissive mode)
1: enable enforcement (Enforcing mode)

*policy adjustments
#semanage
#semanage [function] -l
function
--------------
login : assigns clearances to users at login
user : assigns role transitions for users
port : allows confined daemons to bind to non-standard ports
interface : assign a security clearance to a network interface
fcontext : defines the file contexts used by restorecon
translation : translates sensitivities and categories into names

Ex:
#semanage fcontext -l |grep ftp

#getsebool

#setsebool
#setsebool -P boolean value

Posted by aquatower on 痞客邦