3.6. 2018-01-09 - PAM exercises, automated installation
3.6.1. Exercise 1 - PAM
1. Use pam_nologin, pam_security, pam_limits, pam_shells
pam_shells
vim /etc/pam.d/login and add the following as the first line
auth required pam_shells.so
pam_nologin
[root@centos74 pam.d]$ man pam_nologin
[root@centos74 pam.d]$ grep nologin ./*
./gdm-autologin:account required pam_nologin.so
./gdm-fingerprint:account required pam_nologin.so
./gdm-password:account required pam_nologin.so
./gdm-pin:account required pam_nologin.so
./gdm-smartcard:account required pam_nologin.so
./login:account required pam_nologin.so
./pluto:account required pam_nologin.so
./ppp:account required pam_nologin.so
./remote:account required pam_nologin.so
./sshd:account required pam_nologin.so
[root@centos74 pam.d]$ touch /etc/nologin
[root@centos74 pam.d]$ ssh zhao@localhost
zhao@localhost's password:
Authentication failed.
pam_limits
[root@centos74 limits.d]$ man 5 limits.conf
[root@centos74 limits.d]$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 7823
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 7823
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
[root@centos74 limits.d]$ vim 20-nproc.conf
[root@centos74 limits.d]$ cat 20-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.
* soft nproc 4096
root soft nproc unlimited
zhao hard nproc 5
ulimit: ulimit [-SHacdefilmnpqrstuvx] [limit]
Modify shell resource limits.
Provides control over the resources available to the shell and processes
it creates, on systems that allow such control.
Options:
-S use the 'soft' resource limit # soft limit
-H use the 'hard' resource limit # hard limit
-a all current limits are reported # list all limits
-b the socket buffer size # socket buffer size
-c the maximum size of core files created # max core file size
-d the maximum size of a process's data segment # max process data segment size
-e the maximum scheduling priority ('nice') # max nice value
-f the maximum size of files written by the shell and its children # max file size
-i the maximum number of pending signals # max pending signals
-l the maximum size a process may lock into memory # max locked memory
-m the maximum resident set size # max resident set size
-n the maximum number of open file descriptors # max open files
-p the pipe buffer size # pipe buffer size
-q the maximum number of bytes in POSIX message queues # max bytes in POSIX message queues
-r the maximum real-time scheduling priority # max real-time scheduling priority
-s the maximum stack size # max stack size
-t the maximum amount of cpu time in seconds # max cpu time
-u the maximum number of user processes # max number of user processes
-v the size of virtual memory # virtual memory size
-x the maximum number of file locks # max number of file locks
2. Write the script /root/bin/checkip.sh to run every 5 minutes; if it finds more than 10 failed ssh logins from a remote IP, automatically add that IP to the TCP Wrapper blacklist to deny it access
#!/bin/awk -f
# Count failed sshd password attempts per source IP. In
# "Failed password for USER from IP port N ssh2" the address is $(NF-3).
/sshd.*Failed password/ { ip = $(NF-3); ips[ip]++ }
END {
    for (i in ips) {
        # Threshold from the task: more than 10 failures blocks the IP
        if (ips[i] > 10) {
            # Append only if the IP is not already in hosts.deny, so the
            # 5-minute cron run does not add the same entry repeatedly
            cmd = "grep -qF 'sshd:" i "' /etc/hosts.deny || echo 'sshd:" i "' >> /etc/hosts.deny"
            system(cmd)
        }
    }
}
# crontab -e   (the awk program above is saved as /root/bin/checkip.sh, as the task names it)
*/5 * * * * /root/bin/checkip.sh /var/log/secure
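As an added example (not the page's own script), the same check as shell functions with the task's threshold of more than 10 failures and a duplicate check, run over constructed sample log lines; the log and hosts.deny paths are parameters so it can be tested away from /var/log/secure and /etc/hosts.deny.

```shell
#!/bin/bash
# Added example: count failed sshd password attempts per source IP and
# write TCP Wrapper deny entries for IPs above THRESHOLD. Paths are
# parameters; sample data below is constructed, not from a real host.

THRESHOLD=10

# Print "count ip" for every IP with failed password attempts in log $1.
# $(NF-3) is the address in "Failed password for USER from IP port N ssh2".
count_failed() {
    awk '/sshd.*Failed password/ { ips[$(NF-3)]++ }
         END { for (ip in ips) print ips[ip], ip }' "$1"
}

# Append "sshd: IP" to deny file $2 for IPs in log $1 whose count exceeds
# THRESHOLD, unless $2 already lists that IP. Prints each newly denied IP.
deny_offenders() {
    log="$1"; deny="$2"
    touch "$deny"
    count_failed "$log" | while read -r n ip; do
        [ "$n" -gt "$THRESHOLD" ] || continue
        if ! grep -qF -- "sshd: $ip" "$deny"; then
            echo "sshd: $ip" >> "$deny"
            echo "$ip"
        fi
    done
}

# Constructed sample log (hypothetical host/IPs): 11 failures from
# 198.51.100.7, 2 from 203.0.113.9, plus one successful login.
make_sample_log() {
    f="$1"; : > "$f"; i=0
    while [ "$i" -lt 11 ]; do
        echo "Jan  9 10:$((10+i)) centos74 sshd[1234]: Failed password for zhao from 198.51.100.7 port 5555 ssh2" >> "$f"
        i=$((i+1))
    done
    echo "Jan  9 10:30 centos74 sshd[1240]: Failed password for invalid user admin from 203.0.113.9 port 5556 ssh2" >> "$f"
    echo "Jan  9 10:31 centos74 sshd[1241]: Failed password for invalid user admin from 203.0.113.9 port 5557 ssh2" >> "$f"
    echo "Jan  9 10:32 centos74 sshd[1242]: Accepted password for zhao from 203.0.113.9 port 5558 ssh2" >> "$f"
}

# Usage: checkip.sh /var/log/secure /etc/hosts.deny
if [ "$#" -eq 2 ]; then deny_offenders "$1" "$2"; fi
```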
3. Restrict the user centos so it can only connect to this host over ssh during working hours
# vim /etc/pam.d/sshd # add the following line
account required pam_time.so
# vim /etc/security/time.conf # add the following line (service;tty;user;times)
sshd;*;centos;Wd0800-1800
4. Allow only users in the admins group to ssh into this host
# Edit /etc/ssh/sshd_config and add: AllowGroups admins
# Restart the sshd service.
3.6.2. Exercise 2 - automated installation
1. Boot from the CD and install the system from a server on the LAN
linux askmethod ip=172.18.46.105 netmask=255.255.0.0
2. Instead of the full DVD, build a small boot CD and install the system over the network with a kickstart file
linux ks=http://172.18.46.6/pub/ks/ks7-mini.cfg ip=172.18.46.105 netmask=255.255.0.0
3. Build a bootable USB stick that installs the system automatically
[root@station /]# find /centos6/ -name TRANS.TBL -exec rm -rf {} \;
[root@centos66 centos6]$ rm -rf repodata/*
[root@centos66 centos6]$ cp /mnt/cdrom/repodata/43d8fd068164b0f042845474d6a22262798b9f0d1f49ad1bf9f95b953089777d-c6-x86_64-comps.xml repodata/
[root@station centos6]# createrepo -g repodata/38b60f66d52704cffb8696750b2b6552438c1ace283bc2cf22408b0ba0e4cbfa-c7-x86_64-comps.xml .
[root@station centos6]# mkisofs -R -J -T -v --no-emul-boot --boot-load-size 4 --boot-info-table -V "centos 6 boot" -b isolinux/isolinux.bin -c isolinux/boot.cat -o /var/www/html/iso/c66.iso /centos6
# Edit isolinux.cfg in the isolinux directory and the ks.cfg file
# Remember that ks.cfg needs a reboot line