The system's INPUT and OUTPUT default policy is DROP. Complete the following iptables exercises.
General policy
]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
]# iptables -P INPUT DROP
]# iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
]# iptables -P OUTPUT DROP
1. Restrict the local Web server: it may not be accessed on Mondays; the rate of new requests must not exceed 100 per second; pages containing the string "admin" may not be served; only response packets from the Web server may leave the host;
]# iptables -A INPUT -p tcp --dport 80 -m time ! --weekdays 1 -m limit --limit 100/second -j ACCEPT
]# iptables -A OUTPUT -p tcp --sport 80 -m string --algo bm --string 'admin' -j DROP
Test case
Change the time:
]# date -s '2016-11-28 12:00'
Mon Nov 28 12:00:00 CST 2016
Change the page content:
]# vim /var/www/html/index.html
admin
Access test:
]# curl -I --connect-timeout 5 http://172.16.100.7
curl: (28) Connection timed out after 5007 milliseconds
Correct the time:
]# date -s '2016-11-30 11:45'
Wed Nov 30 11:45:00 CST 2016
Correct the content:
]# vim /var/www/html/index.html
test
Access test:
]# curl -I --connect-timeout 5 http://172.16.100.7
HTTP/1.1 200 OK
Date: Wed, 30 Nov 2016 03:45:01 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Wed, 30 Nov 2016 03:45:01 GMT
ETag: W/"7-5427c8d23e8c7"
Accept-Ranges: bytes
Content-Length: 7
Content-Type: text/html; charset=UTF-8
2. During working hours, that is, Monday to Friday 08:30-18:00, open the local FTP service to hosts in the 172.16.0.0/16 network; the number of data download requests must not exceed 5 per minute;
]# iptables -A INPUT -p tcp --dport 21 -s 172.16.0.0/16 -m limit --limit 5/minute -m time --timestart 08:30 --timestop 18:00 --weekdays 1,2,3,4,5 -j ACCEPT
Test case
Change the time:
]# date -s '2016-12-01 02:30'
2016 12 month 01 day Thursday 02:30:00 CST
Access test:
]# ftp 172.16.100.7
ftp: can't connect to `172.16.100.7': Operation timed out
ftp: Can't connect to `172.16.100.7'
Correct the time:
]# date -s '2016-12-01 17:30'
2016 12 month 01 day Thursday 17:30:00 CST
Access test:
]# ftp 172.16.100.7
Connected to 172.16.100.7.
220 (vsFTPd 3.0.2)
Name (172.16.100.7:fan): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||13045|).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0              22 Dec 01  2016 pub
226 Directory send OK.
3. Open the local SSH service to the hosts 172.16.x.1-172.16.x.100, where x is your seat number; the rate of new connection requests must not exceed 2 per minute; only response packets may leave through the service port;
]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 2/minute -m iprange --src-range 172.16.100.1-172.16.100.100 -j ACCEPT
4. Reject packets whose TCP flag bits are all 1 or all 0 from reaching this host;
]# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
]# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
5. Allow this host to ping other hosts, but do not allow other hosts to ping this host;
]# iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
]# iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
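The following script is an added example, not the assignment's own answer: it collects the general policy and the rules for questions 1 to 5 into one ordered script. It assumes the host is 172.16.100.7 and the seat number is 100 (both taken from the assignment's test output). By default it only prints the iptables commands it would run; with APPLY=1, run as root, it applies them.

```shell
#!/bin/sh
# Added example, not the assignment's own answer: the general policy and the
# rules from questions 1-5 collected into one ordered, idempotent script.
# Assumptions: the host is 172.16.100.7 and the seat number is 100 (both
# taken from the assignment's test output). By default the script only prints
# the commands it would run; set APPLY=1 and run as root to apply them.
set -eu

IPT=${IPT:-iptables}
APPLY=${APPLY:-0}

# Run or print one iptables invocation, depending on APPLY.
run() {
    if [ "$APPLY" = 1 ]; then
        "$IPT" "$@"
    else
        printf '%s\n' "$IPT $*"
    fi
}

firewall_rules() {
    run -F INPUT
    run -F OUTPUT

    # Q1 (output half): the 'admin' string filter must be appended BEFORE the
    # ESTABLISHED accept rule; appended after it, a reply is accepted before it
    # is inspected and the filter never matches.
    run -A OUTPUT -p tcp --sport 80 -m string --algo bm --string admin -j DROP

    # General policy: replies to connections we already track, plus loopback.
    run -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    run -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
    run -A INPUT  -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Q4: drop packets with all TCP flags set or none set, before any service rule.
    run -A INPUT -p tcp --tcp-flags ALL ALL  -j DROP
    run -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

    # Q3: SSH only from 172.16.100.1-172.16.100.100, at most 2 new connections/minute.
    run -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 2/minute \
        -m iprange --src-range 172.16.100.1-172.16.100.100 -j ACCEPT

    # Q1 (input half): no web access on Mondays, at most 100 new requests/second.
    run -A INPUT -p tcp --dport 80 -m time ! --weekdays Mon \
        -m state --state NEW -m limit --limit 100/second -j ACCEPT

    # Q2: FTP control channel from 172.16.0.0/16 on weekdays 08:30-18:00, 5 new/minute.
    run -A INPUT -p tcp --dport 21 -s 172.16.0.0/16 -m state --state NEW \
        -m limit --limit 5/minute -m time --timestart 08:30 --timestop 18:00 \
        --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT

    # Q5: we may send echo requests and receive the replies; inbound echo
    # requests are never accepted, so other hosts cannot ping us.
    run -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
    run -A INPUT  -p icmp --icmp-type 0 -j ACCEPT

    # Default policies last: setting DROP before the accept rules are in place
    # would cut off the SSH session this script is being run from.
    run -P INPUT  DROP
    run -P OUTPUT DROP
}

# Number of -A rules the script installs (used to sanity-check a dry run).
rule_count() {
    firewall_rules | grep -c -- ' -A '
}

firewall_rules
```

Two caveats that the assignment's tests do not exercise: the FTP rule admits only the control connection, so the passive-mode data connections seen in the `ls` test are accepted by the RELATED,ESTABLISHED rule only when the FTP connection-tracking helper is loaded (`modprobe nf_conntrack_ftp`); and the time match compares against UTC unless `--kerneltz` is given, which matters when working hours are specified in local time. On CentOS 7 the applied rules are persisted with `iptables-save > /etc/sysconfig/iptables`.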
6. Explain the meaning of the following rules:
# iptables -N clean_in
    Create a custom chain named clean_in
# iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
    Drop ICMP packets addressed to the broadcast address 255.255.255.255
# iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
    Drop ICMP packets addressed to 172.16.255.255 (the subnet broadcast address)
# iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP
    Drop TCP packets in the NEW connection state whose SYN flag is not set
# iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP
    Drop TCP packets with all flag bits set to 1
# iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP
    Drop TCP packets with all flag bits set to 0
# iptables -A clean_in -d 172.16.100.7 -j RETURN
    Once the clean_in filtering is finished, return to the calling chain
# iptables -A INPUT -d 172.16.100.7 -j clean_in
    Hand packets whose destination address is 172.16.100.7 to the clean_in chain for processing
# iptables -A INPUT -i lo -j ACCEPT
    Allow packets arriving on the local loopback interface
# iptables -A OUTPUT -o lo -j ACCEPT
    Allow packets leaving through the local loopback interface
# iptables -A INPUT -i eth0 -m multiport -p tcp --dports 53,113,135,137,139,445 -j DROP
    Drop packets arriving on eth0 for TCP ports 53,113,135,137,139,445
# iptables -A INPUT -i eth0 -m multiport -p udp --dports 53,113,135,137,139,445 -j DROP
    Drop packets arriving on eth0 for UDP ports 53,113,135,137,139,445
# iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP
    Drop packets arriving on eth0 for UDP port 1026
# iptables -A INPUT -i eth0 -m multiport -p tcp --dports 1433,4899 -j DROP
    Drop packets arriving on eth0 for TCP ports 1433,4899
# iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
    Allow incoming ICMP packets, limited to 10 packets per second
7. Use TCP wrappers to control vsftpd so that only hosts in the 172.16.0.0/255.255.0.0 network may access it, except 172.16.100.3; record denied access attempts in the /var/log/tcp_wrapper.log log file;
]# vim /etc/hosts.allow
vsftpd: 172.16.0.0/255.255.0.0 EXCEPT 172.16.100.3
]# vim /etc/hosts.deny
vsftpd: ALL: spawn /bin/echo `date` login attempt from %c to %s,%d >> /var/log/tcp_wrapper.log
]# cat /var/log/tcp_wrapper.log
Fri Dec 2 17:38:28 CST login attempt from 172.16.100.108 to [email protected],vsftpd
8. Delete the whitespace characters at the beginning of every line in the /boot/grub/grub.conf file;
]# sed -i 's@^[[:space:]]\+@@g' /boot/grub/grub.conf
9. In the /etc/fstab file, for lines that begin with # followed by at least one whitespace character, delete the leading # and the whitespace that follows it;
]# sed -i 's/^#[[:space:]]\+//' /etc/fstab
(The p flag must not be combined with -i here: without -n it would write every matched line into the file twice.)
10. Save the odd-numbered lines of the /etc/fstab file as /tmp/fstab.3;
]# sed -n '1~2p' /etc/fstab > /tmp/fstab.3
11. Echo a file path to the sed command and extract its base name; then, going further, extract its directory name;
]# echo '/etc/sysconfig/network-scripts/ifcfg-lo' | sed -n 's@.*/@@p'
ifcfg-lo
]# echo '/etc/sysconfig/network-scripts/ifcfg-eno16777736' | grep -o '/.*/'
/etc/sysconfig/network-scripts/
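The script below is an added example, not part of the assignment's answers: it runs the sed one-liners from questions 8 to 11 against a constructed stand-in file in a temporary directory, so the real /boot/grub/grub.conf and /etc/fstab are untouched, and it does the directory-name step of question 11 with sed as the question asks rather than with grep. It requires GNU sed.

```shell
#!/bin/sh
# Added example, not the assignment's own answer: the sed one-liners from
# questions 8-11 exercised on a constructed file, so nothing touches the real
# /boot/grub/grub.conf or /etc/fstab. Requires GNU sed (-i and the 1~2 step).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /etc/fstab: a spaced comment, an indented entry,
# a plain entry, a comment with no blank after '#', and a spaced comment.
make_sample() {
    printf '%s\n' \
        '# /etc/fstab (constructed sample)' \
        '   UUID=0000-SAMPLE /     xfs  defaults 0 0' \
        'tmpfs            /tmp  tmpfs defaults 0 0' \
        '#noblank' \
        '#  /dev/sdb1 /data xfs defaults 0 0' > "$WORK/fstab"
}

# Q8: delete whitespace at the beginning of every line, in place.
strip_leading_ws() {
    sed -i 's@^[[:space:]]\+@@' "$1"
}

# Q9: on lines starting with '#' plus at least one blank, delete that prefix.
# No 'p' flag: combined with -i (and without -n) it would write matched lines twice.
uncomment_spaced() {
    sed -i 's/^#[[:space:]]\+//' "$1"
}

# Q10: print the odd-numbered lines (GNU 'first~step' address).
odd_lines() {
    sed -n '1~2p' "$1"
}

# Q11: base name and directory name of a path, both done with sed.
# path_dir prints nothing when the argument contains no slash.
path_base() { printf '%s\n' "$1" | sed 's@.*/@@'; }
path_dir()  { printf '%s\n' "$1" | sed -n 's@\(.*/\).*@\1@p'; }

# Demonstration run on the constructed file.
make_sample
strip_leading_ws "$WORK/fstab"
uncomment_spaced "$WORK/fstab"
odd_lines "$WORK/fstab" > "$WORK/fstab.3"
cat "$WORK/fstab.3"
path_base /etc/sysconfig/network-scripts/ifcfg-lo
path_dir  /etc/sysconfig/network-scripts/ifcfg-eno16777736
```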
12. Count the number of TCP connections in each state on the current system;
]# netstat -an | awk '/^tcp/{tcp[$NF]++}END{for (i in tcp) {print i,tcp[i]}}'
LISTEN 6
ESTABLISHED 1
13. Count the number of resource accesses for each IP address in the specified Web access log:
]# awk '{ip[$1]++}END{for (i in ip) {print i,ip[i]}}' /var/log/httpd/access_log
10.2.100.7 18
10.2.100.108 4
::1 61
10.2.100.165 406
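As an added example that is not part of the assignment, the two awk counters from questions 12 and 13 are run below over constructed input (a short `netstat -an` excerpt and a few Apache access-log lines embedded in the script) instead of the live system, so the result can be checked by hand.

```shell
#!/bin/sh
# Added example, not the assignment's own answer: the awk counters from
# questions 12 and 13 run over constructed input instead of live netstat
# output and the real /var/log/httpd/access_log.
set -eu

# Constructed excerpt of 'netstat -an'; the connection state is the last field.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 172.16.100.7:22         172.16.100.108:51234    ESTABLISHED
tcp        0      0 172.16.100.7:80         172.16.100.165:40001    TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Q12: connections per TCP state. Note that /^tcp/ also matches the tcp6
# lines; use /^tcp[[:space:]]/ if IPv6 sockets should be left out.
tcp_states() {
    printf '%s\n' "$NETSTAT_SAMPLE" |
        awk '/^tcp/{tcp[$NF]++} END{for (i in tcp) print i, tcp[i]}' | sort
}

# Constructed access_log lines in Apache combined format; the client is $1.
ACCESS_SAMPLE='10.2.100.7 - - [30/Nov/2016:11:45:01 +0800] "GET / HTTP/1.1" 200 7
10.2.100.108 - - [30/Nov/2016:11:45:02 +0800] "GET /index.html HTTP/1.1" 200 7
10.2.100.7 - - [30/Nov/2016:11:45:03 +0800] "HEAD / HTTP/1.1" 200 -
::1 - - [30/Nov/2016:11:45:04 +0800] "GET / HTTP/1.1" 200 7
10.2.100.7 - - [30/Nov/2016:11:45:05 +0800] "GET /admin HTTP/1.1" 404 209'

# Q13: hits per client IP, sorted by count (descending) for readability.
hits_per_ip() {
    printf '%s\n' "$ACCESS_SAMPLE" |
        awk '{ip[$1]++} END{for (i in ip) print i, ip[i]}' | sort -k2,2nr
}

# Look up one key in a "key count" listing (used to check the results).
count_for() { awk -v k="$1" '$1 == k {print $2}'; }

tcp_states
hits_per_ip
```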
14. Authorize the user centos to run the fdisk command for disk management and to use mkfs or mke2fs for file-system management;
]# visudo
centos ALL=(root) /usr/sbin/fdisk, /usr/sbin/mke2fs, /usr/sbin/mkfs
15. Authorize the user gentoo to run the logical volume management commands;
]# visudo
gentoo ALL=(root) /sbin/vgdisplay
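Added example for questions 14 and 15 (a constructed sudoers fragment, not the assignment's answer): the same grants written with Cmnd_Alias entries, so that the whole LVM tool set rather than only vgdisplay is covered. The binary paths are the ones the assignment uses; confirm them on your system, since sudo matches the command path as it resolves it through secure_path.

```text
# Added example /etc/sudoers fragment; always edit with visudo, which checks the syntax.
Cmnd_Alias DISK_MGMT = /usr/sbin/fdisk
Cmnd_Alias FS_MGMT   = /usr/sbin/mkfs, /usr/sbin/mke2fs, /usr/sbin/mkfs.*
# Prefix wildcards match every pv*/vg*/lv* binary under /sbin; list the
# commands one by one instead if the set of allowed commands must be audited exactly.
Cmnd_Alias LVM_MGMT  = /sbin/pv*, /sbin/vg*, /sbin/lv*

centos  ALL=(root) DISK_MGMT, FS_MGMT
gentoo  ALL=(root) LVM_MGMT
```

The grants are checked from the user's side with `sudo -l`, which lists exactly the commands sudoers allows for the invoking user.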
16. Using the pam_time.so module, restrict users so that they can log in remotely through the sshd service only during working hours;
Insert a line above "account required pam_nologin.so":
]# vim /etc/pam.d/sshd
account    required     pam_time.so
]# vim /etc/security/time.conf
*;*;*;MoTuWeThFr0800-1700
17. Using the pam_listfile.so module, allow only certain users, or certain groups of users, to log in to the system
]# vim /etc/users
root
gentoo
]# chmod 600 /etc/users
Then edit the /etc/pam.d/sshd file and add the following line:
]# vim /etc/pam.d/sshd
auth       required     pam_listfile.so item=user sense=allow file=/etc/users onerr=succeed
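As an added example (not the assignment's own configuration), the sshd PAM stack with both modules from questions 16 and 17 in one place, with two changes a practitioner would make: the pam_listfile line uses onerr=fail, and the time.conf entry is scoped to the sshd service. The file paths are the ones the assignment uses.

```text
# /etc/pam.d/sshd (excerpt, added example; only the lines relevant to Q16/Q17)
# Q17: allow-list of users. onerr=fail denies access if /etc/users cannot be
# read, which is the safe failure mode for an allow-list; the assignment's
# answer uses onerr=succeed, which lets everyone in when the file is unreadable.
# pam_listfile also refuses a list file that is world-writable, so keep it
# root-owned with mode 600 as the assignment does.
auth       required     pam_listfile.so item=user sense=allow file=/etc/users onerr=fail
# Q16: evaluate /etc/security/time.conf before pam_nologin.so
account    required     pam_time.so
account    required     pam_nologin.so

# /etc/security/time.conf (added example)
# Fields: services;ttys;users;times. Scoped to sshd only, so local console
# logins and root rescue logins are not blocked outside working hours.
sshd;*;*;MoTuWeThFr0800-1700
```

Both modules only take effect when sshd hands authentication to PAM, that is, with `UsePAM yes` in /etc/sshd_config on OpenSSH; pam_time compares against the system's local time.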
Tenth Week assignment