Installation and configuration of TCP WRAPPERS, DenyHosts software, and application of Pam identity authentication module

One. TCP WRAPPERS

What is the role of 1.TCP wrappers?

Some services that protect servers can restrict clients from accessing these services.

What services does TCP WRAPPERS support? What are the methods to determine if a service supports TCP WRAPPERS protection?

Check whether the service is loading Libwrap and see if the service is based on the XINETD service.

SSH, vsftpd,telnet,http (Wrap module not supported) IPOP3

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/0F/wKioL1YSamfC_qZJAAGArXH2kp4433.jpg "title=" Qq20151005201848.png "alt=" Wkiol1ysamfc_qzjaagarxh2kp4433.jpg "/>

2. Check whether the service supports being TCP WRAPPERS Protection

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/74/12/wKiom1YSa7TzNMFPAAHD3fv7xQE346.jpg "title=" Qq20151005202302.png "alt=" Wkiom1ysa7tznmfpaahd3fv7xqe346.jpg "/>

3. Protection rules are stored in

/etc/hosts.allow

/etc/hosts.deny

Policy Application Law

Check The Hosts.allow first, and a match will allow

Otherwise, check the Hosts.deny, and the match will be rejected.

If there are no matches in both files, the default is to allow

4, the format of the rules

Service List : client List

about client addresses

can I use a wildcard character ? and *

network segment address, such as 192.168.4.

or 192.168.4.0/255.255.255.0.

An area address, such as . tarena.com

5. Example:

allow only the following clients to access VSFTPD

Network segment:192.168.4.0/24

IP Range:192.168.7.1-192.168.7.20

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/74/12/wKiom1YSbr_xH-xmAAHDiF4_wX8354.jpg "title=" Qq20151005203721.png "alt=" wkiom1ysbr_xh-xmaahdif4_wx8354.jpg "/> Client for testing, The IP of the client is 192.168.1.0 network segment to see if the VSFTPD service can be accessed.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/0F/wKioL1YScuqjxtDgAAEx3IQjam8026.jpg "title=" Qq20151005205500.png "alt=" Wkiol1yscuqjxtdgaaex3iqjam8026.jpg "/>

Two. denyhosts
DenyHosts is a Python language program that borrows Tcp_wrapper programs for host protection. Role: To prevent brute force to crack the server user password.

1. Unpack the package, install the DenyHosts software, and install it to the/usr/share/denyhosts directory by default.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/74/0F/wKioL1YSe_6QEQAGAAE0RJTsOl0876.jpg "title=" Qq20151005213311.png "alt=" Wkiol1yse_6qeqagaae0rjtsol0876.jpg "/>

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/12/wKiom1YSfDDwCueeAADs81_D0Kc511.jpg "title=" Qq20151005213502.png "alt=" Wkiom1ysfddwcueeaads81_d0kc511.jpg "/>

2. Configuration

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/74/0F/wKioL1YSfp7zWSNRAADoSrffHSU916.jpg "title=" Qq20151005214358.png "alt=" Wkiol1ysfp7zwsnraadosrffhsu916.jpg "/>Explanation of relevant parameters:

############ These SETTINGS is REQUIRED ############

Secure_log =/var/log/secure
Hosts_deny =/etc/hosts.deny
Purge_deny = 1w #过多久后清除已经禁止的, where W represents week, D for Day, h for hour, s for seconds, M for minutes
Block_service = sshd
Deny_threshold_invalid = 3 #允许无效用户失败的次数
Deny_threshold_valid = 5 #允许普通用户登陆失败的次数
Deny_threshold_root = 5 #允许root登陆失败的次数
deny_threshold_restricted = 1
Work_dir =/usr/share/denyhosts/data
Suspicious_login_report_allowed_hosts=yes
Hostname_lookup=yes
Lock_file =/var/lock/subsys/denyhosts

############ These SETTINGS is OPTIONAL ############

Admin_email = [EMAIL protected] #若有ip被禁用发邮件通知
Smtp_host = localhost
Smtp_port = 25
Smtp_from = denyhosts <[email protected]>
Smtp_subject = denyhosts Report
AGE_RESET_VALID=1D #有效用户登录失败计数归零的时间
AGE_RESET_ROOT=1D #root用户登录失败计数归零的时间
age_reset_restricted=1d
age_reset_invalid=10d #无效用户登录失败计数归零的时间

######### these SETTINGS is specific to DAEMON MODE ##########

Daemon_log =/var/log/denyhosts
Daemon_sleep = 30s
Daemon_purge = 1h

Set Startup scripts

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/10/wKioL1YSf03xX-xTAAGpIUZFRJI808.jpg "title=" Qq20151005214742.png "alt=" Wkiol1ysf03xx-xtaagpiuzfrji808.jpg "/>

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/10/wKioL1YSf6ixa4FFAAFwEwPt6co728.jpg "title=" Qq20151005214924.png "alt=" Wkiol1ysf6ixa4ffaafwewpt6co728.jpg "/>

Set boot up

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/10/wKioL1YSgCWxz2oDAADaWM8APjw473.jpg "title=" Qq20151005215122.png "alt=" Wkiol1ysgcwxz2odaadawm8apjw473.jpg "/>

3. Start the service, there is an error, the solution.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/12/wKiom1YSgsWy3K6MAAF3ygFyQCM573.jpg "title=" Qq20151005220306.png "alt=" Wkiom1ysgswy3k6maaf3ygfyqcm573.jpg "/>

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/12/wKiom1YSgyOS2N2QAAE8oIvZ4wQ565.jpg "title=" Qq20151005220435.png "alt=" Wkiom1ysgyos2n2qaae8oivz4wq565.jpg "/>

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/13/wKiom1YShcXDPzaGAAD2NOx443A110.jpg "title=" Qq20151005221549.png "alt=" Wkiom1yshcxdpzagaad2nox443a110.jpg "/>

4. Denyhos use

If you do not want the host to reject an IP, the following sshd:192.168.1.40 #允许192.168.1.40 access to the host's SSH Service 650) this.width=650; "src=" http:/ S3.51cto.com/wyfs02/m00/74/10/wkiol1yshouqrtn-aais60awsoq297.jpg "title=" Qq20151005221851.png "alt=" Wkiol1yshouqrtn-aais60awsoq297.jpg "/>

Client for testing
650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/13/wKiom1YSiHXDeqBsAACKxUK_J0Y372.jpg "title=" Qq20151005222722.png "alt=" Wkiom1ysihxdeqbsaackxuk_j0y372.jpg "/>

If you want to deny a certain IP also use vi/etc/hosts.deny add on OK

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/74/13/wKiom1YSiP_CwSRJAALna3BtTw0669.jpg "title=" Qq20151005222941.png "alt=" Wkiom1ysip_cwsrjaalna3bttw0669.jpg "/>

Client for testing

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/13/wKiom1YSiSLCp5qWAACrUIqQ3FE712.jpg "title=" Qq20151005223005.png "alt=" Wkiom1ysislcp5qwaacruiqq3fe712.jpg "/>

Three. PAM Pluggable identity authentication Module

The 1.PAM configuration file holds the directory location.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/1B/wKiom1YTlnqAHW45AAPxqGM64j0119.jpg "title=" Qq20151006173921.png "alt=" Wkiom1ytlnqahw45aapxqgm64j0119.jpg "/>

Directory location where 2.PAM modules are stored

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/1B/wKiom1YTlruhAE-KAAU1ChR-k44732.jpg "title=" Qq20151006174031.png "alt=" Wkiom1ytlruhae-kaau1chr-k44732.jpg "/>

3. The contents of the configuration file are as follows

The first column is the authentication type, and the available options are:

Account: performs a non-authentication behavior operation based on user management. Typically, it can limit the user's login time and the available system resources.

Auth: This module provides two aspects of validating a user. First, it authenticates the user to the person he claims to be (such as password Authentication), and secondly, it gives the user group membership or other permissions.

Password: This module is required when the user modifies the password.

Session: What to do before or after certain services are given to the user. For example, a user performs a write log operation when accessing data.

The second column is the control mode, and the available options are:

Required: Check results fail, will eventually fail, but still check for subsequent entries

Requisite: Similar to required . Except that the check failed and immediately stops the subsequent check.

Sufficient: the check succeeds, passes immediately, and no longer checks for subsequent entries. If the check fails, it does not mean that it will eventually fail.

Optional: Optional

Include: contains the contents of another file

The third column is the calling module, which is located in the/lib64/security/ directory

4. The module corresponds to the found document.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/1B/wKiom1YTo2vCPHd_AAD0F-oJo2k975.jpg "title=" Qq20151006183432.png "alt=" Wkiom1yto2vcphd_aad0f-ojo2k975.jpg "/>

5. Take Su as an example to analyze the PAM module

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/18/wKioL1YTl66gpR8GAAIA2V00y2M599.jpg "title=" Qq20151006174357.png "alt=" Wkiol1ytl66gpr8gaaia2v00y2m599.jpg "/>

(1)The root user can switch to other users without entering the password, because the pam_rootok.so module is to determine whether the current user uid is 0 ( that is, the root user), Then the direct return to success (sufficient is sufficient condition), to the pam_rootok.so module line after adding comments, test.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/18/wKioL1YTmF_xcyeAAAH9s_oDgwc621.jpg "title=" Qq20151006174603.png "alt=" Wkiol1ytmf_xcyeaaah9s_odgwc621.jpg "/>

After adding comments to the pam_rootok.so module line, the test finds that the root user also needs to enter a password when switching to another user, and can log in when the password is entered correctly.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/1B/wKiom1YTmX7x3wGGAAC0xkQZ7kM426.jpg "title=" Qq20151006175215.png "alt=" Wkiom1ytmx7x3wggaac0xkqz7km426.jpg "/>

(2) If a user is a member of the wheel group, the user can execute SU directly withoutentering a password: PAM_ The whell.so module is a condition that can be performed as long as the user enters the Whell group.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/1B/wKiom1YTndKjt5erAAEftsHc0LQ571.jpg "title=" Qq20151006180956.png "alt=" Wkiom1ytndkjt5eraaeftshc0lq571.jpg "/>

pam_whell.so module Lines Remove Comment lines

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/1B/wKiom1YTmeHBUw8TAAEBObWHMD4071.jpg "title=" Qq20151006175350.png "alt=" Wkiom1ytmehbuw8taaebobwhmd4071.jpg "/>

Test

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/74/1B/wKiom1YTn2nzg05YAAHXqcMheLE798.jpg "title=" Qq20151006181730.png "alt=" Wkiom1ytn2nzg05yaahxqcmhele798.jpg "/>

(3) only members of the wheel group can be switched to the root user

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/18/wKioL1YToVWA5JS4AAEgD3OVTbM997.jpg "title=" Qq20151006182524.png "alt=" Wkiol1ytovwa5js4aaegd3ovtbm997.jpg "/>

Required is a requirement, not a sufficient condition, LJ is a wheel group, but to switch to the root user or to enter a password.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/1B/wKiom1YTofGjABJdAABvMKwwDlE375.jpg "title=" Qq20151006182820.png "alt=" Wkiom1ytofgjabjdaabvmkwwdle375.jpg "/>

Tom is not a wheel group, and required is a necessary condition, so it is a mistake for Tom to switch to the root user even if the correct password hint is entered.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/18/wKioL1YTop6CsJARAACB4WZ1pqA098.jpg "title=" Qq20151006182918.png "alt=" Wkiol1ytop6csjaraacb4wz1pqa098.jpg "/>

6. Example two: Prohibit Tom from landing in Tty2

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/74/19/wKioL1YTqWiwVSZ3AABH1l2NQUE418.jpg "title=" Qq20151006185948.png "alt=" Wkiol1ytqwiwvsz3aabh1l2nque418.jpg "/>

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/1A/wKioL1YUdBCAyh74AAEIeLpaqPY819.jpg "title=" Qq20151007092421.png "alt=" Wkiol1yudbcayh74aaeielpaqpy819.jpg "/>

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/1D/wKiom1YUdFOR2xR2AABwqoCBs6I572.jpg "title=" Qq20151007092553.png "alt=" wkiom1yudfor2xr2aabwqocbs6i572.jpg "/> Whether to switch to Tomor to log in as Tom, is forbidden.

7. example three: Only Tom users are allowed to open two files

View /etc/pam.d/system-auth included in

Session Required Pam_limits.so

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/1D/wKiom1YUczbSOyhnAABxda1OYb0060.jpg "title=" Qq20151007092109.png "alt=" Wkiom1yuczbsoyhnaabxda1oyb0060.jpg "/>

# vim/etc/security/limits.conf , tail increase

Tom Hard Nofile 2

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/1A/wKioL1YUc7WiC9BLAAByuqI5pWw410.jpg "title=" Qq20151007092253.png "alt=" Wkiol1yuc7wic9blaabyuqi5pww410.jpg "/>

Test

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/1D/wKiom1YUeNfhzurFAABiONK2-nM994.jpg "title=" Qq20151007094459.png "alt=" Wkiom1yuenfhzurfaabionk2-nm994.jpg "/>

8. example Four: Create a file /etc/vsftpd/ftpgrps, the group in the file cannot access the FTP

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/1A/wKioL1YUhFmhlYwJAAD5BpPPOtQ682.jpg "title=" Qq20151007103309.png "alt=" Wkiol1yuhfmhlywjaad5bpppotq682.jpg "/>

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/74/1D/wKiom1YUhDTT9r4YAAH4drdvJqE300.jpg "title=" Qq20151007103325.png "alt=" Wkiom1yuhdtt9r4yaah4drdvjqe300.jpg "/>

verification,Tom login ftp, login unsuccessful, check /var/log/secure log

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/74/1A/wKioL1YUhQrTW-ayAAEvvKZfaKo512.jpg "title=" Qq20151007103652.png "alt=" Wkiol1yuhqrtw-ayaaevvkzfako512.jpg "/>

View Logs

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/74/1D/wKiom1YUhTXgiBFMAARe0z1UQmc481.jpg "title=" Qq20151007103749.png "alt=" Wkiom1yuhtxgibfmaare0z1uqmc481.jpg "/>

This article is from the "Down to earth" blog, make sure to keep this source http://343614597.blog.51cto.com/7056394/1700565

Installation and configuration of TCP WRAPPERS, DenyHosts software, and application of Pam identity authentication module