Enterprise requirements:
1. Configure ssh to allow access by sisi users and deny access to the remote.com domain
2. Configure ftp to allow anonymous download from the /var/ftp/pub directory and reject access from the remote.com domain
3. Mount /root/cdrom.iso to /opt/data and set it to mount automatically at startup
Implementation steps:
1. Configure ssh to allow access by sisi users and deny access to the remote.com domain.
1. By default, sshd is installed and started at boot. To be safe, you can set it again anyway. The same goes for iptables.
[root@www.linuxidc.com ~]# chkconfig sshd on
[root@www.linuxidc.com ~]# service sshd restart
[root@www.linuxidc.com ~]# chkconfig iptables on
[root@www.linuxidc.com ~]# service iptables restart
2. The default firewall policy is ACCEPT. Clear the existing rules first.
[root@www.linuxidc.com ~]# iptables -L
[root@www.linuxidc.com ~]# iptables -F
[root@www.linuxidc.com ~]# iptables -X
[root@www.linuxidc.com ~]# iptables -Z
[root@www.linuxidc.com ~]# iptables -t nat -F
[root@www.linuxidc.com ~]# iptables -t nat -X
[root@www.linuxidc.com ~]# iptables -t nat -Z
3. Add the control entries. Because the services are to be rejected for 172.25.0.0/16, a single command gets everything done.
Note: the CIDR mask is "16".
[root@www.linuxidc.com ~]# iptables -A INPUT -s 172.25.0.0/16 -j REJECT    # Note: only REJECT can be used here.
[root@www.linuxidc.com ~]# service iptables save    # Do not forget to save!
[root@www.linuxidc.com ~]# iptables -nvL    # View the configuration result.
You can also write the rules one by one, per service, as required:
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 22 -j REJECT
iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 21 -j REJECT
iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 21 -j REJECT
service iptables save
iptables -nvL
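iptables evaluates a chain top to bottom and stops at the first matching rule, so an appended REJECT only works if no earlier ACCEPT already matches; that is why the rules are flushed first. The script below is an added example, not part of the original article: it checks iptables-save style text for that ordering. The names verdict, flushed_rules and appended_rules are hypothetical, both rule sets are constructed samples, and the source network is compared as an exact string.

```shell
#!/bin/sh
# Added example: is the REJECT rule for a source network reached before
# an ACCEPT rule that would let the same traffic in?

# verdict SRC PORT < rules  -> prints ok | shadowed | missing
verdict() {
    awk -v src="$1" -v port="$2" '
    $1 == "-A" && $2 == "INPUT" {
        s = ""; dport = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s")      s = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        # REJECT for our source, either for every port or for this port
        if (target == "REJECT" && s == src && (dport == "" || dport == port)) {
            print "ok"; found = 1; exit
        }
        # ACCEPT that opens this port (or everything) to our source first
        if (target == "ACCEPT" && (s == "" || s == src) && (dport == port || NF == 4)) {
            print "shadowed"; found = 1; exit
        }
    }
    END { if (!found) print "missing" }'
}

# Constructed sample: rule set after the flush, then the single REJECT.
flushed_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 172.25.0.0/16 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Constructed sample: REJECT appended without flushing an older ssh ACCEPT.
appended_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.25.0.0/16 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

echo "flushed, port 22:  $(flushed_rules  | verdict 172.25.0.0/16 22)"
echo "appended, port 22: $(appended_rules | verdict 172.25.0.0/16 22)"
```

On a live host the same function can read the output of iptables-save instead of the sample text.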
2. Configure ftp to allow anonymous download from the /var/ftp/pub directory and reject access from the remote.com domain.
Note: anonymous users may also be required to have the upload permission.
1. Install vsftpd and enable it at boot.
[root@www.linuxidc.com ~]# yum -y install vsftpd
[root@www.linuxidc.com ~]# chkconfig vsftpd on
[root@www.linuxidc.com ~]# service vsftpd start
2. Edit the vsftpd configuration.
[root@www.linuxidc.com ~]# vim /etc/vsftpd/vsftpd.conf
# Row 3: anonymous user access. The default is YES.
anonymous_enable=YES
# Row 3: anonymous user upload.
anon_upload_enable=YES
# Row 3: anonymous users can write data. Upload must have this write function!
anon_mkdir_write_enable=YES
3. The service now allows uploads; the folder must also have write permission.
[root@www.linuxidc.com ~]# chmod o+w /var/ftp/pub/
4. The ftp service is also protected by SELinux, so you must enable the corresponding boolean.
[root@www.linuxidc.com ~]# getsebool -a | grep ftpd
[root@www.linuxidc.com ~]# setsebool -P allow_ftpd_full_access on    # Note: uppercase "P"
5. Test:
[root@www.linuxidc.com ~]# service vsftpd restart
[root@www.linuxidc.com ~]# lftp localhost
lftp localhost:~> cd pub
6. Deny access to the remote.com domain. We already did this together with sshd in the previous step.