Http: // 10.1.1.35/ule_basic/ule09.txt

--

SSH service

/Etc/init. d/sshd -- sshd service startup script

[Root @ Li ~] # Netstat-ntlup | grep sshd
TCP 0 0: 22: * Listen 2804/sshd

Vim/etc/ssh/sshd_config -- configuration file

CP/etc/ssh/sshd_config/etc/ssh/sshd_config.bak -- make a backup


# Port 22 -- the default port is 22.
# Protocol -- the Protocol version is now 2
Protocol 2
# Addressfamily any
# Listenaddress 0.0.0.0 -- the listening address range. The default value is all
# Listenaddress ::

# Hostkey for Protocol Version 1
# Hostkey/etc/ssh/ssh_host_key
# Hostkeys for Protocol Version 2
# Hostkey/etc/ssh/ssh_host_rsa_key
# Hostkey/etc/ssh/ssh_host_dsa_key -- equivalent to SSH, indicating SSH does not require a password

# Lifetime and size of ephemeral version 1 server key
# Keyregenerationinterval 1 h -- re-create a key every one hour by default
# Serverkeybits 768 -- server key length
# Logging
# Obsoletes quietmode and fascistlogging
# Syslogfacility auth
Syslogfacility local 7 -- Log Level
# Syslogfacility authpriv
# Loglevel info
# Authentication:

# Logingracetime 2 m -- the grace period is 2 minutes
# Permitrootlogin yes -- allow the root user to log on
# Strictmodes Yes
# Maxauthtries 6
........................................ .........



Example 1:

Modify the default port of the SSH service to increase security.
# Port 22
Port 222 -- modify the port

/Etc/init. d/sshd restart -- restart the service

[Root @ Li ~] # Netstat-ntlup | grep 222 -- the listening port number is 222 after the service is restarted.
TCP 0 0: 222: * Listen 3088/sshd


Vim/etc/services -- refer to this file. There are services and corresponding ports. Do not change the ports.

Port knowledge:
Value Range: 0-65535.
Registered port: 0-1024
Random port: 1025 ~ 65535


[Root @ snake ~] # SSH 10.1.1.35-p 222 -- add the-p parameter to connect to the port number



Example 2:

Allow empty passwords for SSH Login
Add

Permitemptypasswords Yes


Then remove the X in the second column of/etc/passwd from a user.

Try again using SSH

Example 3:

You can directly specify in the SSH service configuration file that a user is denied or some users are allowed to log on via ssh.
Add

Denyusers A -- specify to reject SSH login from user

Restart service to take effect


Example 4:

SSH equivalent
Principle: generate a pair of keys, hold a private key on your own, and send the public key to the other party. One key is required for decryption.

Ssh-keygen -- enter this command and press enter three times to generate an empty key pair

[Root @ Li ~] # Ssh-keygen
Generating public/private RSA key pair. -- The default value is RSA encryption.
Enter file in which to save the key (/root/. Ssh/id_rsa ):
/Root/. Ssh/id_rsa already exists.
Overwrite (y/n )? Y
Enter passphrase (empty for no passphrase ):
Enter same passphrase again:
Your identification has been saved in/root/. Ssh/id_rsa.
Your public key has been saved in/root/. Ssh/id_rsa.pub.
The key fingerprint is:
AD: 2D: F9: AF: 8A: C7: AB: 0b: 8e: de: 47: ED: 73: 68: F6: B3 root@li.cluster.com


SCP/root/. Ssh/id_rsa.pub 10.1.1.104:/root/. Ssh/authorized_keys -- after passing the public key to the 104 machine, run the command authorized_keys again.

SSH 10.1.1.104 -- no password is required for direct SSH

Ssh-keygen-t dsa -- the DSA encryption method can be used in this way.
Ssh-keygen-t rsa-default encryption method


-- How to configure SSH equivalence for multiple machines to the same machine
Because if the second server uses SCP as above, it will overwrite the authorized_keys file, open id_rsa.pub generated by the second server with VI and copy and paste it to the authorized_keys file of the other server, or Use APPEND (>)











-----------------------------------------------------------

Log Management in Linux

Ls/var/log/-- many system logs are stored in this directory
/Var/log/messages -- a very important log file, where almost all important system errors are recorded
/Var/log/secure -- ssh FTP Telnet POP3
/Var/log/dmesg -- information generated during core detection during startup
/Var/log/cron -- View logs related to time tasks
/Var/log/wtmp -- use the last command to check whether CAT is allowed.
/Var/log/btmp -- use lastb to check whether CAT is allowed.
/Var/log/boot -- boot related
/Var/log/rpmpkgs -- RPM related
/Var/log/maillog -- mail-related
/Var/log/Spooler -- news, uucp
/Var/log/acpid -- Advanced Power Management

Another type of log is the log saved by each service. The path varies depending on the service.
Usually under/var/log/service name/


/Etc/init. d/syslog-System Log service. You can enable it to record system logs.

Yum list | grep log
Sysklogd. i386 -- related software package
Logrotate. i386


Vim/etc/syslog. conf -- configuration file
Format: Log Device (Connection Symbol) Log Level


Device:
Logs generated by auth -- Pam
Authpriv -- including permissions and logon information
Cron -- information related to time tasks, crontab,
Mail-email-related information
Kern -- information generated by the kernel
Uucp -- UNIX to unxi copy refers to information related to the copy protocol between UNIX systems.
News-news group information
From local0 to local7 -- the Logging Device customized by the program
Mark-some information in the syslog service generates a time mark
User-information generated by the user program


Log Level:
Debug-debug, the most log generated is one level
Info -- General Information logs, most commonly used
Notice -- Information of the most important common condition
Warning or warn -- warning level
Err or error-error level, which indicates that a function or module cannot work normally.
Crit-critical level that prevents abnormal operation of the entire system or software
Alert -- Information to be modified immediately
Emerg or panic-critical errors such as kernel crash
None -- no record
-- The log level above, from top down to high, the recorded information is many to few, and the low-level record information includes high-level information


Connection Symbol
. Records greater than or equal to this level
. = Only records information equal to this level
.! It is not equal to this level, that is, the information beyond this level is recorded.


# Log all kernel messages to the console.
# Logging much else clutters up the screen.
# Kern. */dev/console
--/Dev/console refers to an external terminal device. Some closed hosts (without screen, keyboard, and mouse) may need external device connection.
# Log anything (could t mail) of level info or higher.
# Don't log private authentication messages!
*. Info; mail. None; authpriv. None; cron. None/var/log/messages
-- Records Info-level information of all log types to/var/log/messages, except mail, authpriv, and cron.
# The authpriv file has restricted access.
Authpriv. */var/log/secure
-- Record all levels of authpriv information to/var/log/secure
# Log all the mail messages in one place.
Mail. *-/var/log/maillog
-- Record all mail-level information to/var/log/maillog. The minus sign indicates that the mail Information is larger than others, therefore, the asynchronous method is used. It is first stored in the memory, and then triggered by a certain event, or written to the disk at a certain size, instead of like other logs, write the data to the disk immediately after it is generated.

# Log cron stuff
Cron. */var/log/cron
-- Record information of all levels of the time task to/var/log/cron

# Everybody gets emergency messages
*. Emerg *
-- Record the emerg information of all log devices and send it to everyone logging on to the system in wall mode.
# Save news errors of level crit and higher in a special file.
Uucp, news. crit/var/log/Spooler
-- Record the uucp and new crit information to/var/log/Spooler
# Save boot messages also to boot. Log
Local7. */var/log/boot. Log
-- Record boot messages to/var/log/boot. log.


There are two formats:
Uucp. crit; news. crit
Uucp, new. crit
-- The above two statements are consistent


Example 1:
Mail. = Info-/var/log/newmaillog
-- Only records Info-level information of mail to/var/log/newmaillog

Example 2:
Cron.info; cron .! Err/var/log/newcron
-- Record all information above info level of the time task (except ERR) to/var/log/newcron



Example 3:
To save the sshd service logs to/var/log/newsshd. Log

Vim/etc/sshd/sshd_config

Syslogfacility local5 -- change the log to local5


Vim/etc/syslog. conf -- Add the following sentence
Local5. */var/log/newsshd. Log

/Etc/init. d/sshd restart

/Etc/init. d/syslog restart



---------------------------------------



Remote System Log Management
Manage multiple hosts. For convenience, you can upload logs of multiple hosts to the management machine (only one). Then, the system administrator can view the logs of multiple hosts on the management machine.



Administrator operations:


[Root @ Li ~] # Vim/etc/sysconfig/syslog-related global configuration file
# Options to syslogd
#-M 0 disables 'mark' messages. -- Mark information is disabled by default.
#-R enables logging from remote machines -- added the-R parameter to enable remote log management.
#-X disables DNS lookups on messages recieved with-r -- when using remote log management, use the-x parameter to disable DNS lookup.
# See syslogd (8) For more details
Syslogd_options = "-M 0-R" -- add the-R parameter here to enable the remote log function. Note that-R can be added before or after it, do not add-M to the center of-M and 0-M 180 to generate a time message every 180 times.

/Etc/init. d/syslog restart -- restart the service

[Root @ Li ~] # Netstat-ntlup | grep sys -- after the-R parameter is added, the remote log function is enabled. A listening port is added, which is UDP port 514.
UDP 0 0 0.0.0.0: 514 0.0.0.0: * 4252/syslogd


Client Configuration:

Example 1:
Vim/etc/syslog. conf
Authpriv. * @ 10.1.1.35 -- send all authpriv. * logs to the Administrator 10.1.1.35.

/Etc/init. d/syslog restart -- After restarting the service, you can view the authpriv log information of the client on the management machine 10.1.1.35.


-- For remote logs, you must understand that the client only defines the log to which the log will be sent (the Administrator here), and the Administrator defines the log file (also/etc/syslog) to which the log is saved. defined in conf)
-- In the example above, we can see that the client definition is passed to the 35 server, and the 35 server's/etc/syslog. there is also authpriv in Conf. */var/log/secure indicates the authpriv of the client. * The information is transmitted to the/var/log/secure file of the Administrator.



Example 2:
Or client Configuration
Vim/etc/syslog. conf
Authpriv. * @ li.cluster.com -- use the domain name to define who to pass

Then the client needs to make a correspondence between the IP address and the host name.
Vim/etc/hosts -- add
10.1.1.35li.cluster.com




--------------------------------------------------------------------------

About umask

[Root @ Li test] # umask
0022
By default, the permission for creating a directory in mkdir is 777-umask.
Touch: the default permission for creating a file is 666-umask.


----------------------------------------------------------------------------


Log rotation rotate

Common rotation logs include:
/Var/log/messages
/Var/log/cron
/Var/log/boot. Log
/Var/log/maillog
/Var/log/secure

Vim/etc/logrotate. conf -- configuration file


# See "Man logrotate" For details
# Rotate log files weekly
Weekly -- rotate once a week by default

# Keep 4 weeks worth of backlogs
Rotate 4 -- retain four by default

# Create new (empty) log files after rotating old ones
Create -- roate, create a new replacement

# Uncomment this if you want your log files compressed
# Compress -- the log compression function is disabled by default.

# Rpm packages drop log rotation information into this directory
Include/etc/logrotate. d -- this indicates that all configuration files under the/etc/logrotate. d directory take effect

# No packages own wtmp -- We'll rotate them here
/Var/log/wtmp {-- separate configuration for wtmp. Here is the absolute path.
Monthly -- rotate once a month to replace Monday in the global configuration above
Minsize 1 m -- rotate only when the minimum size is 1 M. If the time is reached, the rotate will not be rotate if the size is not 1 m.
Create 0664 root utmp -- defines that the property created is 0664, the owner is root, and the group is utmp.
Rotate 1 -- retain one
}


Logrotate-VF/etc/logrotate. conf -- view the rotation process



Vim/etc/logrotate. d/syslog


/Var/log/messages/var/log/secure/var/log/maillog/var/log/Spooler/var/log/boot. log/var/log/cron {-- defines which log files
Sharedscripts -- script starts
Postrotate -- indicates that rotate has ended
/Bin/kill-HUP 'cat/var/run/syslogd. PID 2>/dev/null' 2>/dev/null | true
/Bin/kill-HUP 'cat/var/run/rsyslogd. PID 2>/dev/null' 2>/dev/null | true
Endscript -- end of script
}


Sharedscripts
Presrotate

Postrotate
Endscript


Logger-T 'A' BB '-- add a flag to the log file
[Root @ Li test] # tail-N 1/var/log/messages
May 8 15:33:02 Li AA: BB -- you can see the added tag



Logrotate-VF/etc/logrotate. d/syslog -- force rotate, and then view the log file rename process during rotation

-F force rotate
-V display process


--&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& &&&&

Man logrotate help

/Var/log/messages {
Rotate 5
Weekly
Postrotate
/Sbin/killall-hup syslogd
Endscript
}

"/Var/log/httpd/access. log"/var/log/httpd/error. Log {
Rotate 5
Mail www@my.org
Size 100 K
Sharedscripts
Postrotate
/Sbin/killall-hup httpd
Endscript
}

/Var/log/news /*{
Monthly
Rotate 2
Olddir/var/log/news/old
Missingok
Postrotate
Kill-HUP 'cat/var/run/Inn. Pi'
Endscript
Nocompress
}

--&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& &&&&&&&&&&&&&&&&&&


--@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Super daemon

Chkconfig -- list | grep xinetd

Daemon can be divided:
Stand alone -- refers to services that are not in the xinet.
Super daemon -- refers to the services in Xinetd.


Super daemon is equivalent to the Management Program of all the services under it, which makes it more secure.


Take the rsync service as an Example
Vim/etc/xinetd. d/rsync

Service rsync -- service name
{
Disable = yes -- disable is equal to yes, indicating that this service is disabled
Socket_type = stream -- TCP Connection Mechanism
Wait = No -- do not wait. A large number of connections can be performed simultaneously.
User = root -- start the service as root
Server =/usr/bin/rsync -- defines the location of your rsync Service Execution File
Server_args = -- daemon -- service parameters
Log_on_failure + = userid -- when a logon error occurs, your user ID is recorded.
}
~

Example 1:
Drag SSH to super daemon for management

Man xinetd. conf -- enter here for help

Vim/etc/xinetd. d/ssh -- create a file and write the content above


Service SSH {
Disable = No
Socket_type = stream
Protocol = TCP
Wait = No
User = root
Server =/usr/sbin/sshd
Server_args =-I
}


/Etc/init. d/xinetd restart
/Etc/init. d/sshd restart

Netstat-ntlup
TCP 0 0 0.0.0.0: 22 0.0.0.0: * Listen 8182/xinetd -- check your port and you will find that the daemon process is Xinetd, not the previous sshd.




Example 2:
Add access control based on the above example
Service SSH {
Disable = No
Socket_type = stream
Protocol = TCP
Wait = No
User = root
Server =/usr/sbin/sshd
Server_args =-I
Only_from = 10.1.1.0/24 -- allow 10.1.1.0/24 network segment access
No_access = 10.1.1.104 -- access 10.1.1.104 is denied.
}

Example 3:
This article introduces a time synchronization method for a super daemon instance.
[Root @ Li test] # Vim/etc/xinetd. d/time-dgram
Disable = No
[Root @ Li test] # Vim/etc/xinetd. d/time-stream
Disable = No

/Etc/init. d/xinetd restart

The client uses rdate-s 10.1.1.35 to synchronize the time.




--------------------------------------

Tcpwrapper


Check whether the program supports tcpwrapper.

For example
[Root @ Li test] # Which sshd
/Usr/sbin/sshd

[Root @ Li test] # LDD/usr/sbin/sshd | grep wrap
Libwrap. so.0 =>/lib/libwrap. so.0 (0x00d39000) -- support this module


Controlled by two files
/Etc/hosts. Allow
/Etc/hosts. Deny
The access control mechanism first matches/etc/hosts. allow, and then matches/etc/hosts. Deny. If none of them exist, all allow



Vim/etc/hosts. Deny

Sshd: 10.1.1.0/255.255.255.0 255.t 10.1.1.104 -- rejects SSH access from users in the 10.1.1.0 network segment, except for 104. Note that the subnet mask does not support/24.

Sshd: all instances t 10.1.1.104