RH413企业安全加固第10章第二节管理 PAM

来源：互联网发布：大数据对日常生活影响编辑：程序博客网时间：2024/04/30 15:07

第10章第二节管理 PAM (注意：红字)

1、如何限制sshd 的student其他用户远程登录

1)写入access.conf配置文件

[root@student pam.d]# cat /etc/security/access.conf |grep student

-:ALL EXCEPT student:ALL

修改/etc/pam.d/sshd配置文件

[root@student pam.d]# cat /etc/pam.d/sshd |grep access*

auth required pam_access.so

使用strom远程登录

[root@student ~]# ssh strom@10.10.10.223

strom@10.10.10.223's password:

Permission denied, please try again.

2、pam_listfile.so使用

1)设置用户管理

[root@student ~]# cat /etc/pam.d/password-auth |grep pam_access.so

account required pam_listfile.so item=user sense=deny file=/etc/denyuser

以上这个写到account pam_unix.so上面一行

2) 配置/etc/denyuser 文件

[root@student ~]# cat /etc/denyuser

student

3) 使用student用户远程链接10.10.10.223机子

[root@student ~]# ssh student@10.10.10.223

student@10.10.10.223's password:

Connection closed by 10.10.10.223

3、pam_time.so使用

1)设置用户管理

[root@student ~]# cat /etc/pam.d/password-auth|grep pam_time.so

account required pam_time.so

2)配置/etc/security/time.conf文件

[root@student ~]# cat /etc/security/time.conf |grep sshd*

sshd;*;student;!Al0000-2400

以上限制student每天0点到24点不允许使用sshd服务远程登录

3)使用student用户远程链接10.10.10.223机子

[root@student ~]# ssh student@10.10.10.223

student@10.10.10.223's password:

Connection closed by 10.10.10.223

4、pam_tally2.so本地限制使用

1)设置认证身份管理

auth required pam_env.so

auth sufficient pam_fprintd.so

auth required pam_tally2.so deny=3 unlock_time=120

auth sufficient pam_unix.so nullok try_first_pass

auth requisite pam_succeed_if.so uid >= 500 quiet

auth required pam_deny.so

2)设置用户管理

account required pam_tally2.so

account required pam_unix.so

account sufficient pam_localuser.so

account sufficient pam_succeed_if.so uid < 500 quiet

account required pam_permit.so

3)使用student用户登录3次错误

[student@student ~]$ su - student

Password:

su: incorrect password

[student@student ~]$ su - student

Password:

su: incorrect password

[student@student ~]$ su - student

Password:

su: incorrect password

[student@student ~]$ su - student

Account locked due to 4 failed logins

4)查看pam_tally2命令

[root@student ~]# pam_tally2

student 4 01/21/16 08:06:30 pts/0

5)使用pam_tally2解锁

[root@student ~]# pam_tally2 --reset=0 -u student

student 4 01/21/16 08:07:54 pts/0

5、查看/etc/security/limits.conf文件控制CPU使用时间

student hard cpu 1

加入以上这行

6、通过student用户dd命令来测试cpu 超出1分钟的情况

[student@student ~]$ dd if=/dev/zero of=/dev/null

Killed

7、ulimit命令使用

[root@student ~]# ulimit -a

core file size (blocks, -c) 0

data seg size (kbytes, -d) unlimited

scheduling priority (-e) 0

file size (blocks, -f) unlimited

pending signals (-i) 7692

max locked memory (kbytes, -l) 64

max memory size (kbytes, -m) unlimited

open files (-n) 1024

pipe size (512 bytes, -p) 8

POSIX message queues (bytes, -q) 819200

real-time priority (-r) 0

stack size (kbytes, -s) 10240

cpu time (seconds, -t) unlimited

max user processes (-u) 7692

virtual memory (kbytes, -v) unlimited

file locks (-x) unlimited

修改CPU的软限制的时间

[root@student ~]# ulimit -t 60

[root@student ~]# ulimit -a

core file size (blocks, -c) 0

data seg size (kbytes, -d) unlimited

scheduling priority (-e) 0

file size (blocks, -f) unlimited

pending signals (-i) 7692

max locked memory (kbytes, -l) 64

max memory size (kbytes, -m) unlimited

open files (-n) 1024

pipe size (512 bytes, -p) 8

POSIX message queues (bytes, -q) 819200

real-time priority (-r) 0

stack size (kbytes, -s) 10240

cpu time (seconds, -t) 60

max user processes (-u) 7692

virtual memory (kbytes, -v) unlimited

file locks (-x) unlimited

0 0

RH413企业安全加固 第10章 第二节 管理 PAM

RH413企业安全加固第10章第二节管理 PAM