User Management
Different users of a production server are responsible for different parts: the architecture engineers need web-related permissions, the DBAs need database-related permissions. How do I manage this while balancing availability and security?
My approach is ordinary user accounts + sudoers + facl + groups + per-application accounts.
Web maintenance staff:
An ordinary system account plus the tomcat application account. After setting a complex password on tomcat, disable its remote login
(see: http://blog.csdn.net/linghe301/article/details/8211305). The DenyUsers directive in the SSH configuration file is very useful for this. Tomcat-related data and services are then easy to manage.
DBA:
Besides the management account for the master/slave databases, the DBA also needs a server account; an ordinary user account covers both.
When he needs to view the database logs or pull data to his own machine, he has to be given permissions on the relevant directories.
You could let him switch to the mysql account to do this, but the risk is greater (more so than with tomcat). If he only needs the data, granting permissions on the data directory is enough. For example:
setfacl -R -m g:dba:rwx /data/mysql (this is the MySQL data directory; you will run into some errors here, to be investigated later)
Then add his account to the group and give the group rwx permissions. Note that rwx on the data directory lets him modify the database files directly under his own account; if he only needs to read logs and copy data out, r-x is enough, and a default ACL is needed if files MySQL creates later are to inherit the entry.
At first the web maintainer wanted to let an ordinary user switch to tomcat without a password, which seems possible with a rule in
/etc/sudoers
%webgroup ALL=/bin/su, NOPASSWD: /bin/su tomcat
However, the first entry, a bare /bin/su with no arguments, matches su with any arguments, so a member of the group could run sudo su and become root, not just tomcat. That makes the rule unworkable as written.
Other security measures:
Disable remote root login over SSH, change the default SSH port, and do log analysis plus blacklisting of offending addresses.
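As an added example (not code from the original post), the following POSIX shell helpers implement the scheme described above end to end: DenyUsers for the application accounts, the other sshd settings from the list, a sudoers drop-in that lets webgroup become tomcat and nothing else (the safe replacement for the su rule), and the DBA group's ACL on the data directory with the least privilege that reading logs and pulling data needs. The group names webgroup and dba, the tomcat and mysql accounts, port 2222, /data/mysql and /etc/sudoers.d/webgroup are assumptions; every function takes its target file or directory as a parameter so the helpers can be tried on copies of the config files without root.

```shell
#!/bin/sh
# Added example, not code from the original post. Hypothetical names: group
# "webgroup", app account "tomcat", DBA group "dba", data dir /data/mysql.
set -eu

# set_sshd_option FILE KEY VALUE
# Put "KEY VALUE" at the top of an sshd_config-style file and drop any earlier
# active or commented-out setting of KEY. sshd keeps the first value it reads,
# and the top of the file is outside any Match block, so the setting wins.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    printf '%s %s\n' "$key" "$value" > "$tmp"
    grep -Ev "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file" >> "$tmp" || true
    cat "$tmp" > "$file"        # keep the original file's owner and mode
    rm -f "$tmp"
}

# deny_ssh_user FILE USER
# Add USER to the DenyUsers list (creating it if needed) without duplicates.
# Application accounts such as tomcat and mysql keep a password for su/sudo
# but must never be reachable over SSH.
deny_ssh_user() {
    file=$1; user=$2
    current=$(grep -E '^[[:space:]]*DenyUsers[[:space:]]' "$file" | head -n 1 \
              | sed -E 's/^[[:space:]]*DenyUsers[[:space:]]+//')
    list=
    for u in $current; do
        if [ "$u" = "$user" ]; then return 0; fi   # already denied
        list="$list $u"
    done
    list="$list $user"
    set_sshd_option "$file" DenyUsers "${list# }"
}

# write_sudoers_dropin FILE GROUP APPUSER
# Let members of GROUP run commands as APPUSER, and only as APPUSER, with no
# password: "sudo -u tomcat -i" gives a tomcat shell. The runas list
# "(APPUSER)" is what stops "sudo su" from yielding root; a rule such as
#   %webgroup ALL=/bin/su, NOPASSWD: /bin/su tomcat
# fails because its bare /bin/su entry matches su with any arguments.
write_sudoers_dropin() {
    file=$1; group=$2; appuser=$3
    printf '%%%s ALL=(%s) NOPASSWD: ALL\n' "$group" "$appuser" > "$file"
    chmod 0440 "$file"
    # syntax-check with visudo when possible (it also expects root ownership)
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file" >/dev/null
    fi
}

# grant_group_access DIR GROUP PERMS
# Give GROUP an ACL entry on DIR and everything below it, plus a default ACL on
# each directory so files the database creates later inherit the entry.
# PERMS "rX" is enough for reading logs and copying data out (X grants
# traverse on directories only); use "rwX" only if the DBA really must write.
grant_group_access() {
    dir=$1; group=$2; perms=$3
    setfacl -R -m "g:$group:$perms" "$dir"
    find "$dir" -type d -exec setfacl -d -m "g:$group:$perms" '{}' +
    # verify the entry took effect on the top directory
    getfacl --omit-header "$dir" | grep -q "^group:$group:"
}

# Apply to the real system: run as root with the argument "apply".
if [ "${1:-}" = apply ]; then
    deny_ssh_user /etc/ssh/sshd_config tomcat
    deny_ssh_user /etc/ssh/sshd_config mysql
    set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
    set_sshd_option /etc/ssh/sshd_config Port 2222      # hypothetical port
    write_sudoers_dropin /etc/sudoers.d/webgroup webgroup tomcat
    grant_group_access /data/mysql dba rX
    echo "review the changes, then: sshd -t && systemctl reload sshd"
fi
```

The DBA is added to the dba group with usermod -aG dba and then reads the data directory under his own account; nothing in this scheme hands anyone a mysql or root shell, which is the point the post makes about the su rule.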
More to be added later.
This article is from the "Jude" blog; please keep this source: http://mingyu.blog.51cto.com/2097255/1438182