首页 > 代码库 > 第十周
第十周
系统的INPUT和OUTPUT默认策略为DROP,请完成以下关于iptables的题目;
1、限制本地主机的web服务器在周一不允许访问;新请求的速率不能超过100个每秒;web服务器包含了admin字符串的页面不允许访问;web服务器仅允许响应报文离开本机;
iptables -A INPUT -d 192.168.11.111 -p tcp -dport 80 -m time ! --weekdays Mon -m limit --limit 100/second -m string ! --string “admin” --algo kmp -j ACCEPT iptables -A OUTPUT -s 192.168.11.111 -p tcp -sport 80 -m state --state ESTABLISHED -j APPECT
2、在工作时间,即周一到周五的8:30-18:00,开放本机的ftp服务给172.16.0.0网络中的主机访问;数据下载请求的次数每分钟不得超过5个;
iptables -A INPUT -s 172.16.0.0/16 -p tcp -dport 21 -m time --timestart 08:30 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri -m limit --limit 5/minit -j ACCEPT iptables -A OUTPUT -d 172.16.0.0/16 -m state --state ESTABLISHED -j APPECT
3、开放本机的ssh服务给172.16.x.1-172.16.x.100中的主机,x为你的座位号,新请求建立的速率一分钟不得超过2个;仅允许响应报文通过其服务端口离开本机;
iptables -A INPUT -d 192.168.11.111 -p tcp -dport 22 -m iprange --src-range 172.16.48.1-172.16.48.100 -m limit --limit 2/minute -j ACCEPT iptables -A OUTPUT -s 192.168.11.111 -p tcp -sport 22 -m iprange --dst-range 172.16.48.1-172.16.48.100 -m state --state ESTABLISHED -j APPECT
4、拒绝TCP标志位全部为1及全部为0的报文访问本机;
iptables -A INPUT -d 192.168.11.111 -p tcp --tcp-flags ALL ALL -j DROP iptables -A INPUT -d 192.168.11.111 -p tcp --tcp-flags ALL NONE -j DROP
5、允许本机ping别的主机;但不开放别的主机ping本机;
iptables -A OUTPUT -s 192.168.11.111 -p icmp --icmp-types 8 -j ACCEPT iptables -A INPUT -d 192.168.11.111 -p icmp --icmp-types 0 -j DROP
6、判断下述规则的意义:
# iptables -N clean_in
自定义一个链
# iptables -A clean_in -d 255.255.255.255-p icmp -j DROP
丢弃广播包
# iptables -A clean_in -d 172.16.255.255 -picmp -j DROP
丢弃发往172.16.255.255的icmp报文
# iptables -A clean_in -p tcp ! --syn -mstate --state NEW -j DROP
丢弃syn的标志位不为1 且为新连接的报文
# iptables -A clean_in -p tcp --tcp-flagsALL ALL -j DROP
丢弃tcp标志全部为1的报文
# iptables -A clean_in -p tcp --tcp-flagsALL NONE -j DROP
丢弃tcp标志全部为0的报文
# iptables -A clean_in -d 172.16.100.7 -jRETURN
结束当前链下发往目的地址172.16.100.7的报文并返回调用链
# iptables -A INPUT -d 172.16.100.7 -jclean_in
调用clean_in链过滤目标地址是172.16.100.7的报文
# iptables -A INPUT -i lo -j ACCEPT
允许回环接口流入
# iptables -A OUTPUT -o lo -j ACCEPT
允许回环接口流出
# iptables -A INPUT -i eth0 -m multiport -ptcp --dports 53,113,135,137,139,445 -j DROP
丢弃从eth0接口进来的tcp协议的53,113,135,137,139,445端口报文
# iptables -A INPUT -i eth0 -m multiport -pudp --dports 53,113,135,137,139,445 -j DROP
丢弃从eth0接口进来的udp协议的53,113,135,137,139,445端口报文
# iptables -A INPUT -i eth0 -p udp --dport1026 -j DROP
丢弃从eth0接口进来的且目标端口为1026的udp协议报文
# iptables -A INPUT -i eth0 -m multiport -ptcp --dports 1433,4899 -j DROP
丢弃从eth0接口进来的且目标端口为1433,4899的tcp协议报文
# iptables -A INPUT -p icmp -m limit--limit 10/second -j ACCEPT
允许请求频率为每秒钟10个的icmp协议报文的访问
7、通过tcp_wrapper控制vsftpd仅允许172.16.0.0/255.255.0.0网络中的主机访问,但172.16.100.3除外;对所被被拒绝的访问尝试都记录在/var/log/tcp_wrapper.log日志文件中;
[root@centos7 ~]# vim /etc/hosts.allow [root@centos7 ~]# cat /etc/hosts.allow # # hosts.allow This file contains access rules which are used to # allow or deny connections to network services that # either use the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # See ‘man 5 hosts_options‘ and ‘man 5 hosts_access‘ # for information on rule syntax. # See ‘man tcpd‘ for information on tcp_wrappers # vsftpd:172.16.0.0/255.255.0.0 EXCEPT 172.16.100.3 [root@centos7 ~]# vim /etc/hosts.deny [root@centos7 ~]# cat /etc/hosts.deny # # hosts.deny This file contains access rules which are used to # deny connections to network services that either use # the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # The rules in this file can also be set up in # /etc/hosts.allow with a ‘deny‘ option instead. # # See ‘man 5 hosts_options‘ and ‘man 5 hosts_access‘ # for information on rule syntax. # See ‘man tcpd‘ for information on tcp_wrappers vsftpd:ALL :spawn /bin/echo `date` login attempt from %c to %s, %d >> /var/log/tcp_wrapper.log [root@centos7 ~]#
8、删除/boot/grub/grub.conf文件中所有行的行首的空白字符;
[root@centos6 ~]# cp /boot/grub/grub.conf /boot/grub/grub.conf.bak [root@centos6 ~]# sed -i ‘s@^[[:space:]]\+@@‘ /boot/grub/grub.conf
9、删除/etc/fstab文件中所有以#开头,后跟至少一个空白字符的行的行首的#和空白字符;
[root@centos7 ~]# cp /etc/fstab /etc/fstab.bak [root@centos7 ~]# sed -i ‘s@^#[[:space:]]\+@@‘ /etc/fstab [root@centos7 ~]# cat /etc/fstab # /etc/fstab Created by anaconda on Sat Sep 24 18:38:22 2016 # Accessible filesystems, by reference, are maintained under ‘/dev/disk‘ See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info # /dev/mapper/centos-root / xfs defaults 0 0 UUID=8eb79d1a-6732-4ec0-bb6c-9c00b7039658 /boot xfs defaults 0 0 /dev/mapper/centos-swap swap swap defaults 0 0 [root@centos7 ~]#
10、把/etc/fstab文件的奇数行另存为/tmp/fstab.3;
[root@centos7 ~]# sed ‘n;d‘ /etc/fstab > /tmp/fstab.3 [root@centos7 ~]# cat /tmp/fstab.3 /etc/fstab # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info /dev/mapper/centos-root / xfs defaults 0 0 /dev/mapper/centos-swap swap swap defaults 0 0
11、echo一个文件路径给sed命令,取出其基名;进一步地,取出其路径名;
[root@centos7 ~]# echo "/etc/sysconfig/network/" | grep -Eo "[^/]+/?$" | cut -d"/" -f1 #取基名 network [root@centos7 ~]# echo "/etc/sysconfig/network/" | grep -Eo ".*/\<" | grep -Eo ".*[^/]\>" #取路径名 /etc/sysconfig
12、统计当前系统上所有tcp连接的各种状态的个数;
[root@centos7 ~]# ss -tnlup | grep tcp tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1482,fd=3)) tcp LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=2641,fd=13)) tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=1482,fd=4)) tcp LISTEN 0 100 ::1:25 :::* users:(("master",pid=2641,fd=14)) [root@centos7 ~]# ss -tnlup | grep tcp | awk -F‘ ‘ ‘{print $1,$2}‘ | uniq -c 4 tcp LISTEN [root@centos7 ~]#
13、统计指定的web访问日志中各ip的资源访问次数;
[root@centos7 httpd]# cat access_log | grep ^[0-9] | cut -d" " -f1 192.168.11.115 192.168.11.115 192.168.11.115 192.168.11.115 192.168.11.115 192.168.11.115 192.168.11.115 192.168.11.115 192.168.11.115 192.168.11.115 192.168.11.115 192.168.11.115 192.168.11.7 192.168.11.7 192.168.11.7 192.168.11.7 [root@centos7 httpd]# cat access_log | grep ^[0-9] | cut -d" " -f1 | uniq -c 12 192.168.11.115 4 192.168.11.7 [root@centos7 httpd]#
14、授权centos用户可以运行fdisk命令完成磁盘管理,以及使用mkfs或mke2fs实现文件系统管理;
[root@centos7 sbin]# useradd centos [root@centos7 sbin]# passwd centos Changing password for user centos. New password: BAD PASSWORD: The password is shorter than 8 characters Retype new password: passwd: all authentication tokens updated successfully. [root@centos7 etc]# vim sudoers #节选部分 centos ALL=(root) /sbin/fdisk,/sbin/mkfs, /sbin/mke2fs
15、授权gentoo用户可以运行逻辑卷管理的相关命令;
[root@centos7 etc]# useradd gentoo [root@centos7 etc]# passwd gentoo Changing password for user gentoo. New password: BAD PASSWORD: The password is shorter than 8 characters Retype new password: passwd: all authentication tokens updated successfully. [root@centos7 etc]# vim sudoers #同上 节选部分 gentoo ALL=(root) /sbin/lvm #这里这么写的原因是,在/sbin/中,可以明确地看到,诸如vgs,lvs等lvm相关命令都是/sbin/lvm的软链接
16、基于pam_time.so模块,限制户通过sshd服务远程登录只能在工作时间进行;
[root@centos7 sbin]# vim /etc/pam.d/sshd #%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare account required pam_time.so #添加pam_time.so模块 需要注意的是 由于是自上而下优先级来读取的 所以位置不能调 account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session include postlogin # Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare ~ ~ -- INSERT -- [root@centos7 sbin]# vim /etc/security/time.conf *;*;*;MoTuWeThFr0900-1800 #指定在工作日的9-18点
17、基于pam_listfile.so模块,定义仅某些用户,或某些组内的用户可登录系统;
[root@centos7 sbin]# vim /etc/loginUsers [root@centos7 sbin]# cat /etc/loginUsers centos gentoo [root@centos7 sbin]# chmod 600 /etc/loginUsers [root@centos7 sbin]# chown root /etc/loginUsers [root@centos7 sbin]# vim /etc/pam.d/sshd #%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth include postlogin auth required pam_listfile.so item=user sense=allow file=/etc/loginUsers onerr=succeed #指定文件内的用户才可以访问 # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare account required pam_time.so account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session include postlogin # Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare ~ -- INSERT --
本文出自 “果麦” 博客,转载请与作者联系!
第十周