Tcp_wrapper, sudo, Nsswitch, Pam

Source: Internet
Author: User

tcp_wrappers, sudo, nsswitch and PAM, four building blocks for service access control and security management on Linux, are described below.


First, tcp_wrappers

1. tcp_wrappers basics -------------------- TCP Wrapper

Library a service must be linked against to be wrapped: libwrap.so (it provides the hosts_access() check that consults /etc/hosts.allow and /etc/hosts.deny)

(1) Determining whether a service is subject to tcp_wrappers access control: dynamically linked (libwrap.so appears among its shared libraries), statically linked (libwrap compiled in, detectable with strings)

Application dynamically linked against libwrap.so: # ldd /path/to/app_file | grep libwrap

Application with libwrap linked in statically: # strings /path/to/app_file | grep -E 'hosts\.(allow|deny)'

If neither check finds anything, the service never calls hosts_access() and any hosts.allow or hosts.deny rule written for it is silently ignored.

(2) Common services that honour tcp_wrappers access control: sshd, vsftpd

Other services to check with the commands above: OpenSSH, HTTP, MySQL, vsftpd, NFS, Samba (whether a particular build links libwrap depends on the distribution and version; portable OpenSSH, for instance, dropped libwrap support in release 6.7)


2. tcp_wrappers configuration files ---------------------- /etc/hosts.allow, /etc/hosts.deny

Format: daemon_list : client_list [ : option [ : option ] ... ]

Evaluation order: /etc/hosts.allow is searched first, then /etc/hosts.deny, and the search stops at the first matching rule. A match in hosts.allow grants access, a match in hosts.deny refuses it, and when no rule in either file matches, access is granted.


(1) daemon_list -------------- the daemon's program name (the file name under /usr/sbin/, e.g. sshd, vsftpd), not the service name

Three ways to write daemon_list: a single program name; several program names separated by commas or blanks; all wrapped daemons (ALL)


(2) client_list ------------ 3 forms

A single IP address or host name; a network address; one of the wildcard keywords

Four wildcard keywords for client_list: ALL, KNOWN, UNKNOWN, PARANOID


(3) option -------------- 3 classes of option

The options covered here are: deny, allow, spawn

spawn: %c ------------------- client information (user@host, user@address, a host name or just an address, depending on what is known)

%s ------------------- server information (daemon@host, daemon@address or just the daemon name)


Cases:

daemon_list: ALL ------------- every wrapped daemon

client_list: 172.16.0.0/255.255.0.0 ------------- the net/netmask form

172.16. ------------- a trailing dot matches every address that starts with 172.16.

ALL ------------ every host

KNOWN ---------- hosts whose name and address are both known (forward and reverse lookup succeed and agree)

UNKNOWN --------- hosts whose name or address cannot be determined (for example while DNS is down)

PARANOID -------- hosts whose name does not match their address (forward and reverse lookup disagree)

option deny: turns the rule into a deny rule even though it is written in hosts.allow

option allow: turns the rule into an allow rule even though it is written in hosts.deny

spawn: run a shell command when the rule matches; spawn by itself neither allows nor denies

Note: KNOWN, UNKNOWN and PARANOID depend on name resolution, so a client that controls its reverse DNS, or a DNS outage, changes which rule matches. Prefer address patterns for anything security-relevant.


Cases:

vsftpd: 172.16.0.0/16 : allow --------------- in /etc/hosts.allow (a matching rule there allows by default, so ": allow" is redundant; the net/netmask spelling 172.16.0.0/255.255.0.0 is the classic form and is accepted by every version)

vsftpd: ALL EXCEPT 172.16. EXCEPT 172.16.67.1 ------------------ in /etc/hosts.deny (a matching rule there denies by default): every host is denied except the 172.16.0.0/16 range, but 172.16.67.1 is carved back out of that exception and is denied after all. EXCEPT groups to the right: list_1 EXCEPT (list_2 EXCEPT list_3)


Example: logging connection attempts to sshd and vsftpd

sshd, vsftpd: ALL: spawn /bin/echo $(/bin/date) %c attempt login %s >> /var/log/tcpwrapper.log

The command is handed to /bin/sh, so $(...) and the redirection work; %c and %s are expanded by tcp_wrappers before the shell sees the line. Caveat: this rule matches ALL clients and the spawn option alone does not decide access, so if it sits in /etc/hosts.allow it grants every client at the same moment it logs them. Either put it in /etc/hosts.deny (log and refuse), add an explicit ": deny" or ": allow" as the last option, or place it after the real access rules. Check the outcome for a given client with tcpdmatch, e.g. # tcpdmatch sshd 172.16.67.1
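To see how the two files interact, here is a small model of the matching rules, added as an example for this page; it is not code from the page's author or from the tcp_wrappers project. It assumes IPv4 clients and the pattern forms described above (ALL, the trailing-dot prefix, net/mask), with EXCEPT and the allow/deny options, and leaves out host names and the KNOWN/UNKNOWN/PARANOID keywords. The hosts.allow and hosts.deny contents are constructed for the demonstration; on a real host, tcpdmatch is the authoritative check.

```python
"""Model of tcp_wrappers access decisions (added example, not libwrap itself).

Rules: daemon_list : client_list [: option ...]
hosts.allow is searched first, then hosts.deny; the first matching rule
decides.  A rule in hosts.allow grants unless it carries ": deny"; a rule in
hosts.deny refuses unless it carries ": allow"; no match at all means access.
Assumptions: IPv4 only, no host-name patterns, KNOWN/UNKNOWN/PARANOID omitted.
"""
import ipaddress

# Constructed sample files for the demonstration (not from a real system).
HOSTS_ALLOW = """
# the admin range may use ssh, except one workstation that must come via the VPN
sshd: 172.16.0.0/255.255.0.0 EXCEPT 172.16.67.1
vsftpd: 172.16. : allow
sshd: 10.0.0.5 : deny          # a deny rule can live in hosts.allow
"""
HOSTS_DENY = """
vsftpd, sshd: ALL
"""


def split_list(text):
    """Tokenise a daemon_list or client_list; commas and blanks both separate."""
    return text.replace(",", " ").split()


def match_client(pattern, client_ip):
    """Match one client_list pattern against a dotted IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                        # "172.16." = prefix match
        return client_ip.startswith(pattern)
    if "/" in pattern:                               # net/mask or net/prefixlen
        network = ipaddress.IPv4Network(pattern, strict=False)
        return ipaddress.IPv4Address(client_ip) in network
    return pattern == client_ip                      # exact address


def match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def match_list(tokens, value, matcher):
    """Evaluate 'list_1 EXCEPT list_2 EXCEPT list_3'.

    hosts_access(5): EXCEPT groups to the right, so this is
    list_1 EXCEPT (list_2 EXCEPT list_3).
    """
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, rest = tokens[:i], tokens[i + 1:]
        return any(matcher(p, value) for p in head) and not match_list(rest, value, matcher)
    return any(matcher(p, value) for p in tokens)


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens, options)] for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((split_list(fields[0]), split_list(fields[1]), fields[2:]))
    return rules


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return ('allow' or 'deny', reason) for a (daemon, client) pair."""
    for name, text, verdict in (("hosts.allow", allow_text, "allow"),
                                ("hosts.deny", deny_text, "deny")):
        for daemons, clients, options in parse_rules(text):
            if (match_list(daemons, daemon, match_daemon)
                    and match_list(clients, client_ip, match_client)):
                for opt in options:                  # an explicit option overrides the file default
                    if opt.lower() in ("allow", "deny"):
                        verdict = opt.lower()
                return verdict, "%s: %s" % (name, " ".join(daemons + [":"] + clients))
    return "allow", "no rule matched; tcp_wrappers grants by default"


if __name__ == "__main__":
    for d, ip in (("sshd", "172.16.1.10"), ("sshd", "172.16.67.1"), ("sshd", "10.0.0.5"),
                  ("vsftpd", "203.0.113.9"), ("httpd", "203.0.113.9")):
        print(d, ip, *hosts_access(d, ip))
```

Two results are worth noticing: httpd from anywhere is allowed because no rule names it, which is the "grant by default" behaviour, and a spawn-only rule such as the logging line above, passed as allow_text, grants every client because the rule matches ALL and carries no deny option.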



Second, sudo

1. sudo basics --------------- run a command as another user, root by default, according to a policy

sudo's authorization policy file: /etc/sudoers


2. Configuration file content --------------- /etc/sudoers

There are two kinds of entries in /etc/sudoers: alias definitions and user specifications (the actual grants)

(1) Alias definitions -------------- alias names are all upper case

Format: Alias_Type NAME = item1, item2, ...

Alias_Type: User_Alias, Host_Alias, Runas_Alias, Cmnd_Alias

Alias_Type ------------- written in CamelCase, exactly as listed

NAME ------------- upper-case letters, digits and underscores, beginning with a letter

Example: User_Alias USERADMINUSERS = tom, jerry, centos, suse, %myclass ----------------- "%" in front of a name in an alias definition denotes a group

Example: Cmnd_Alias USERADMINCOMMANDS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root, /usr/sbin/usermod

Commands are written with their absolute path; a command may carry an argument pattern with shell-style wildcards, and "!" in front of a command excludes that exact invocation. Because "*" in an argument pattern also matches spaces, /usr/bin/passwd [a-zA-Z0-9]* matches any argument list that starts with a letter or digit, and it is the explicit "!/usr/bin/passwd root" that keeps root's password out of reach.


(2) User specifications (grants): ----------------- edited in /etc/sudoers, one grant per line

Format: who where = (whom) what

The parts of the format are explained as follows:

who ---------- the user receiving the grant (5 forms)

username --------------- a single user name

#uid ------------ a single user, by numeric UID

%groupname ------------ every account in the named group

%#gid ----------- every account in the group with the given numeric GID

User_Alias -------------- a previously defined alias

where -------------- the client host on which the grant is valid (3 forms, or ALL)

IP/hostname ------------ a single host

network address -------------- a network range (address/netmask or CIDR)

Host_Alias -------------- a previously defined alias


(whom) ----------------- the identity the command runs as; root if the parenthesised part is omitted


what ------------- the commands the user is allowed to run

command ------------- an individual command: absolute path plus an optional argument pattern

directory ------------ a path ending in "/": every command in that directory (subdirectories excluded)

sudoedit --------------- the built-in that lets the user edit files as the target user (sudoedit /path/to/file) without running an editor as root

Cmnd_Alias ----------- a previously defined alias


Example: little ALL=(root) /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root

Example: little ALL=(root) /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/su, !/usr/bin/su root

The second example does not do what it appears to do. "!/usr/bin/su root" excludes only the literal argument "root": su with no argument, "su -" and "su -l root" are all still permitted and all end up as root, so the line hands out a root shell. sudoers(5) warns that subtracting commands with "!" is not a reliable way to deny anything; grant only the exact invocations you intend instead (for example /usr/bin/su - backup).


Note: the visudo command ----------------- edits /etc/sudoers under a lock and refuses to save a file with a syntax error ("visudo -c" checks without editing). This matters because sudo stops working for everyone while /etc/sudoers contains a parse error.


(3) The sudo command: ---------------- exercising a grant

Format: sudo [option] ... command

Common options:

-u user -------------- run the command as the given user instead of root

-l[l] [command] ------------------ list the commands the invoking user may run (-ll for the long form; with a command, report whether that particular command is permitted)


(4) Tags in a grant

PASSWD -------------- the user must authenticate first (the default)

NOPASSWD ------------- no password is asked for the commands that follow the tag


Example (tags belong in the user specification, not in a Cmnd_Alias, whose items are plain commands): little ALL=(root) NOPASSWD: /usr/sbin/useradd, PASSWD: /usr/sbin/userdel, /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root, /usr/sbin/usermod

A tag applies to the command it precedes and to every later command on the same line until another tag replaces it.


Commands that need special care when granted through sudo: passwd, su, sudo, sudoedit. su and sudo hand over a whole identity, and any command that can spawn a shell or an editor as root, or can edit /etc/sudoers or /etc/shadow, is equivalent to unrestricted root whatever else the line restricts.
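Putting the alias definitions, the user specification and the tags together, here is a complete sudoers fragment written as an added example for this page; it is not the page's own configuration. The user names little, tom, jerry and backup, the group myclass, the host name adminbox.example.internal and the file name /etc/sudoers.d/useradmin are assumptions. Install it with "visudo -f /etc/sudoers.d/useradmin" and verify with "sudo -l -U little".

```sudoers
# Added example (not from the page): a user-administration grant that avoids
# the pitfalls discussed above.  Aliases: CamelCase keyword, upper-case name.
User_Alias  USERADMINUSERS    = tom, jerry, %myclass
Host_Alias  ADMIN_HOSTS       = 172.16.0.0/16, adminbox.example.internal
Cmnd_Alias  USERADMINCOMMANDS = /usr/sbin/useradd, /usr/sbin/userdel, \
                                /usr/sbin/usermod, \
                                /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root

# Tags live in the user specification, not in a Cmnd_Alias.  NOPASSWD applies
# to every command after it on the line until PASSWD switches it off again.
little  ALL = (root) NOPASSWD: /usr/sbin/useradd, PASSWD: /usr/sbin/userdel, \
                     /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root

# Group grant restricted to the admin hosts; the alias carries the passwd exclusion.
USERADMINUSERS  ADMIN_HOSTS = (root) USERADMINCOMMANDS

# Do NOT write this: "su" with no argument, "su -" and "su -l root" all become
# root and none of them matches the literal exclusion.
# little  ALL = (root) /usr/bin/su, !/usr/bin/su root
# Instead, name the only identity the user may become, with exact arguments:
little  ALL = (root) /usr/bin/su - backup

# Checks:
#   visudo -c -f /etc/sudoers.d/useradmin   # syntax check without editing
#   sudo -l -U little                        # list what little may run
```

Files under /etc/sudoers.d are read only when /etc/sudoers contains the usual "@includedir /etc/sudoers.d" (older releases: "#includedir") line, and a file name containing a dot or ending in "~" is skipped, so keep the name plain.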



Third, nsswitch

1. nsswitch basics --------------- Name Service Switch

Name resolution: turning a human-readable name into the identifier the system actually works with (a host name into an IP address, a user name into a UID, a service name into a port number)

Resolution: looking a key up in a repository (a flat file, DNS, NIS, LDAP, sssd, ...) and returning the record associated with it

Common framework: a single calling interface for applications (getpwnam(), gethostbyname(), getaddrinfo() and friends in glibc), so programs do not need to know which repository answers

The common name-resolution framework on Linux: the glibc NSS libraries (/lib64/libnss_*.so, /usr/lib64/libnss_*.so), one module per repository type


2. Configuration file of the NSS library ---------- /etc/nsswitch.conf

Format: database: source1 [STATUS=action ...] source2 ...

For example "passwd: files sss" means look users up in /etc/passwd first and only then ask sssd; order matters, because a local entry shadows a directory entry with the same name.


Lookup status returned by a source (4 kinds): success, notfound, unavail, tryagain

Action taken on a status: return (stop and report this status), continue (try the next source). The defaults are success=return and continue for the other three, so "[NOTFOUND=return]" after a source means "if this source says the name does not exist, believe it and do not ask the remaining sources".

3. getent command ------------ query a database through NSS, exactly as applications see it

Format: getent database [key]

Examples: getent passwd root, getent hosts localhost, getent group wheel; without a key it enumerates the database where the sources support that
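The status/action rules are easiest to see by replaying a lookup. The following is an added example, not code from the page's author or from glibc: it parses one nsswitch.conf line and walks the sources with the default actions from nsswitch.conf(5) (success=return, everything else continue), the explicit [STATUS=action] overrides and the "!" negation. The per-source results are a constructed dict, so nothing touches the real NSS; the "merge" action that newer glibc also accepts is left out.

```python
"""Replay of glibc NSS source selection for one /etc/nsswitch.conf line.

Added example, not part of the page or of glibc.  The caller supplies what
each source would answer; the function applies the [STATUS=action] logic.
"""
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
ACTIONS = ("return", "continue")
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_line(line):
    """'hosts: files [NOTFOUND=return] dns' -> ('hosts', [(source, actions), ...])."""
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("missing ':' in " + repr(line))
    entries = []
    # a token is either a bracketed action block or a bare source name
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not tok.startswith("["):
            entries.append((tok.lower(), dict(DEFAULT_ACTIONS)))
            continue
        if not entries:
            raise ValueError("action block before any source in " + repr(line))
        actions = entries[-1][1]                 # applies to the source just before it
        for spec in tok[1:-1].split():
            status, _, action = spec.partition("=")
            negate = status.startswith("!")      # [!UNAVAIL=return]: all statuses but UNAVAIL
            status, action = status.lstrip("!").lower(), action.lower()
            if status not in STATUSES or action not in ACTIONS:
                raise ValueError("bad action spec " + repr(spec))
            targets = [s for s in STATUSES if s != status] if negate else [status]
            for s in targets:
                actions[s] = action
    return db.strip().lower(), entries


def lookup(line, results):
    """Walk the sources; `results` maps source -> status it would return.

    A source with no entry in `results` is treated as unavail (module missing).
    Returns (final_status, sources_consulted_in_order).
    """
    _, entries = parse_line(line)
    consulted, status = [], "notfound"
    for source, actions in entries:
        status = results.get(source, "unavail")
        consulted.append(source)
        if actions[status] == "return":
            break
    return status, consulted


if __name__ == "__main__":
    # constructed answers: the name is absent from /etc/hosts but known to DNS
    answers = {"files": "notfound", "dns": "success"}
    for cfg in ("hosts: files dns", "hosts: files [NOTFOUND=return] dns",
                "hosts: dns [!UNAVAIL=return] files"):
        print(cfg, "->", lookup(cfg, answers))
```

With the same answers, "hosts: files dns" ends in success after asking DNS, while "hosts: files [NOTFOUND=return] dns" reports notfound without ever consulting DNS: the action block turns /etc/hosts into the authority for every name it does not contain. The nsswitch.conf(5) shape "dns [!UNAVAIL=return] files" falls back to files only when DNS itself is unreachable.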



Fourth, PAM

1. PAM basics -------------- Pluggable Authentication Modules, a general authentication framework

Common framework implementing PAM on Linux: the libpam library plus the module libraries (/lib64/security/*)


2. Configuration files ------------- /etc/pam.conf, /etc/pam.d/*

There are two kinds of PAM configuration file: the global file and the per-service files. When the /etc/pam.d/ directory exists, the global /etc/pam.conf is ignored.

(1) Global authentication configuration ------------------- /etc/pam.conf

Format: service type control module-path module-arguments


(2) Per-service configuration file ------------------ /etc/pam.d/<service>, where <service> is the name the application registers with PAM (sshd, login, sudo, ...)

Format: type control module-path module-arguments

Type (management group)

auth --------------- authentication: verifies that the user is who they claim to be (password, key, token) and may grant group memberships or other credentials

account ------------ account management, independent of authentication: whether the account may be used at all right now (expired, locked, time of day, from this host)

password ------------ updating the authentication token, including the complexity checks applied when the user changes their password

session ------------- actions before and after the service is provided (mounting the home directory, logging, applying resource limits)


Control

required ---------------- if the module fails, the overall result is failure, but the remaining modules in the stack are still run (so a caller cannot tell which module rejected them)

requisite --------------- if the module fails, the overall result is failure and control returns to the application immediately

sufficient ------------ if the module succeeds and no earlier "required" module has failed, the stack returns success immediately; a failure of a sufficient module is ignored

optional ------------- the module's result is ignored unless it is the only module in the stack for that type

include ---------------- pull in all lines of this type from the named configuration file at this point, as if they had been copied here

substack --------------- like include, but the included lines run as a sub-stack: a return from inside it (for example a "sufficient" success) ends the sub-stack only, not the whole stack

Caveat: order decides what the flags mean in practice. A "required" deny-list module placed after a "sufficient" module never runs for a client that satisfies the sufficient module.


module-path --------------- a bare file name (resolved under the default module directory, /lib64/security) or an absolute path


module-arguments ------------ options passed to the module; most modules have sensible defaults and need none


Example: auth required pam_shells.so -------------------- pam_shells.so only passes users whose login shell is listed in /etc/shells
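Because the control flags only make sense in sequence, here is a replay of how libpam walks one management group, written as an added example for this page; it is not the page's own code and not Linux-PAM. It covers required, requisite, sufficient and optional as described above and leaves out include and substack. Each module's verdict is supplied by the caller as a constructed dict, so no authentication is performed, and the sample /etc/pam.d lines are constructed as well.

```python
"""Replay of libpam control-flag handling for one type stack (auth, account,
password or session).  Added example, not Linux-PAM itself.

Semantics implemented (pam.d(5)):
  required   fail -> overall failure, but keep running the rest of the stack
  requisite  fail -> overall failure, return immediately
  sufficient ok   -> return success now unless an earlier required already
                     failed; a failed sufficient module is simply ignored
  optional        -> ignored unless it is the only module of this type
include/substack are not modelled.  As in libpam, a stack in which no module
produced a result (empty, or only ignored results) counts as failure.
"""

# Constructed example of a per-service file (not a real /etc/pam.d/ entry).
SAMPLE_PAMD = """
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok
auth     required   pam_deny.so
account  required   pam_time.so
account  required   pam_unix.so
session  required   pam_limits.so
"""


def parse_stack(text, group):
    """Return [(control, module)] for the lines whose type equals `group`."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed line: " + repr(raw))
        mtype, control, module = parts[0].lower(), parts[1].lower(), parts[2]
        if mtype == group:
            stack.append((control, module))      # module arguments are ignored here
    return stack


def run_stack(text, group, results):
    """Evaluate one stack.  `results` maps module file name -> True/False.

    A module absent from `results` counts as failed (pam_deny.so behaviour).
    Returns (overall_success, modules_called_in_order).
    """
    stack = parse_stack(text, group)
    called, verdict = [], None            # None: nothing has decided yet (libpam's "undef")
    for control, module in stack:
        ok = bool(results.get(module, False))
        called.append(module)
        if control == "required":
            if not ok:
                verdict = False           # sticky failure, but keep going
            elif verdict is None:
                verdict = True
        elif control == "requisite":
            if not ok:
                return False, called      # stop at once
            if verdict is None:
                verdict = True
        elif control == "sufficient":
            if ok and verdict is not False:
                return True, called       # short-circuit success
        elif control == "optional":
            if len(stack) == 1:
                return ok, called
        else:
            raise ValueError("control flag not modelled: " + control)
    return verdict is True, called


if __name__ == "__main__":
    good = {"pam_env.so": True, "pam_unix.so": True}
    bad = {"pam_env.so": True, "pam_unix.so": False}
    print("good password:", run_stack(SAMPLE_PAMD, "auth", good))
    print("bad password: ", run_stack(SAMPLE_PAMD, "auth", bad))
```

The third line of the sample auth stack, "auth required pam_deny.so", is what makes a wrong password fail: without it, a stack whose only decision comes from an ignored sufficient failure would also fail, but only because nothing produced a result, and a later edit adding an "optional" or "required" module that succeeds would silently turn that into a pass. Running the block with a deny list placed after the sufficient module shows the ordering caveat from the Control list: pam_listfile.so is never called.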

3. pam_limits.so module ------------- sets the resource limits (ulimit values) of the user's session; it belongs in the session stack

Format: pam_limits.so [change_uid] [conf=/path/to/limits.conf] [debug] [utmp_early] [noaudit]

Configuration files: -------------- /etc/security/limits.conf, /etc/security/limits.d/*.conf (read after limits.conf, in alphabetical order)

Format: <domain> <type> <item> <value>

domain: ---------------- who the line applies to

username --------------- a single user name

@groupname ------------ every account in the named group (the %groupname form is only meaningful with maxlogins and then limits the group as a whole)

* -------------- every user; a later, more specific line wins

type: ---------------- soft/hard limit; not the same as the soft and hard limits of disk quotas

hard: ------------ the hard limit, an upper bound only root can raise

soft: ------------ the soft limit, the value in effect, which the user may raise up to the hard limit

-: -------------- set both the soft and the hard limit to the value


item

core: ------------- maximum core file size (KB)

data: -------------- maximum data segment size (KB)

fsize: --------------- maximum size of a file the process may create (KB)

memlock: ------------- maximum locked-in-memory address space (KB)

nofile: --------------- maximum number of open file descriptors

rss: -------------- maximum resident set size (KB)

stack: ----------------- maximum stack size (KB)

cpu: ----------------- maximum CPU time (minutes)

nproc: ----------------- maximum number of processes

as: -------------- address space limit (KB)

locks: -------------- maximum number of file locks the user may hold

nice: -------------- the most favourable nice value the user may set

maxlogins: -------------- maximum number of concurrent logins for this user


value: ----------------- the limit itself (a number, or unlimited where the item allows it)


Example: ------------- /etc/security/limits.conf

@student hard nproc 20

@faculty soft nproc 20

@faculty hard nproc 50

ftp hard nproc 0

@student - maxlogins 4

Students are capped at 20 processes; faculty get a soft cap of 20 that they may raise to 50 themselves; the ftp account cannot create processes at all; a student may hold at most 4 logins at once. The file only takes effect for services whose /etc/pam.d/<service> file contains "session required pam_limits.so".


4. pam_listfile.so module ------------------------ allow or deny access based on whether a user, group, remote host, terminal or shell appears in a list file

Format: pam_listfile.so item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=/path/filename onerr=[succeed|fail] [apply=[user|@group]] [quiet]

Common options:

item=[tty|user|rhost|ruser|group|shell]: ---------------- which attribute of the login attempt is looked up in the file

sense=[allow|deny]: ---------- what to do when the attribute is found in the file; when it is not found, the opposite is done. sense=deny: listed entries are refused and everyone else passes; sense=allow: only listed entries pass and everyone else is refused

file=/path/filename: -------------------- full path of the list file, one entry per line; it must be a regular file that is not world-writable, otherwise the module reports an error

onerr=[succeed|fail]: ------------------- result when the module cannot do its job (file missing, unreadable, bad permissions). onerr=succeed makes a deny list fail open, so prefer onerr=fail unless a lockout is worse than the exposure

apply=[user|@group]: ---------------- restrict the check to one user or one group (meaningful with item=tty, rhost or shell, not with user, ruser or group)

quiet: ---------------- do not log refusals or a missing list file


Example: auth required pam_listfile.so \
onerr=succeed item=user sense=deny file=/etc/ftpusers

Users listed in /etc/ftpusers are refused; this is the classic ftpd/vsftpd line, and with onerr=succeed it stops refusing anyone if the file disappears.

Example: auth required pam_listfile.so \
onerr=fail item=user sense=allow file=/etc/loginusers

Only users listed in /etc/loginusers are accepted, and the check fails closed if the file cannot be read.


5. pam_time.so module ------------------- time-based control: a user may only use a service during the configured hours; it belongs in the account stack

Format: pam_time.so [debug] [noaudit]

Common options:

debug: ---------------- log extra information to syslog

noaudit: -------------- do not report refused logins to the audit subsystem

Configuration file: /etc/security/time.conf

Format: services;ttys;users;times

Each field is a logic list: "!" negates an entry, "&" is and, "|" is or and "*" is a wildcard. The times field uses day codes (Mo Tu We Th Fr Sa Su, Wk for weekdays, Wd for the weekend, Al for every day) followed by an HHMM-HHMM range.


Example: login ; tty* & !ttyp* ; !root ; !Al0000-2400 ------------ on real consoles, every user except root is refused at all times

Example: games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 ------------ everyone except waster may use games at the weekend, or outside 08:00-18:00 on weekdays

Cases:

# vim /etc/security/time.conf

login ; tty3 ; user1 ; Al0100-0200 -------- user1 may log in on tty3 only between 01:00 and 02:00

login ; tty3 ; user1 ; Al0000-2400 -------- user1 may log in on tty3 at any time

sshd ; * ; * ; Al0100-0200 -------- every user may use sshd only between 01:00 and 02:00

A line only takes effect for services whose /etc/pam.d/<service> file contains "account required pam_time.so"; editing time.conf alone changes nothing.
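The page shows each module's own configuration file but not where the module sits in a service's stack. The following /etc/pam.d/sshd-style file is an added example for this page, not from the page's author or from Linux-PAM, that wires pam_listfile, pam_time and pam_limits together with the usual pam_unix lines. The deny-list path /etc/ssh/denied_users is an assumption; the time.conf and limits.conf rules it relies on are the ones shown above.

```text
# Added example: /etc/pam.d/sshd (not a distribution file; denied_users path assumed)

# auth: who the user is.  The deny list is requisite and comes FIRST, so a
# listed user is rejected before pam_unix ever sees a password, and it fails
# closed (onerr=fail) if /etc/ssh/denied_users is missing or world-writable.
auth      requisite   pam_listfile.so onerr=fail item=user sense=deny file=/etc/ssh/denied_users
auth      required    pam_env.so
auth      sufficient  pam_unix.so
auth      required    pam_deny.so

# account: may this account be used right now.  pam_time reads
# /etc/security/time.conf; the "sshd ; * ; * ; Al0100-0200" line above applies here.
account   required    pam_time.so
account   required    pam_unix.so

# password: token changes; keep the distribution's pam_unix settings
password  required    pam_unix.so sha512 shadow

# session: pam_limits applies /etc/security/limits.conf (nproc, maxlogins, ...)
session   required    pam_limits.so
session   required    pam_unix.so
```

sshd only consults this file when sshd_config has "UsePAM yes". Keep a root shell open while testing a change to the auth stack: with onerr=fail, a typo in the file path refuses every ssh login, which is the intended failure mode but an unpleasant one to discover remotely.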

