Saturday, 4 February 2012

Setting up Ubuntu to boot to a text-mode login


Boot to a text-mode login by default:
sudo update-rc.d gdm remove
Switch back to the default graphical login:
sudo update-rc.d gdm defaults
Alternatively, add this line to /etc/rc.local:
"/etc/init.d/gdm stop"

Mounting an ISO image


mount -o loop /folder/XXX.iso /media/dvd

A short introduction to fstab (mounting at boot)

Mounting rules:
The root filesystem / is mandatory and is mounted first.
Every other mount point must be an existing directory; it can be any directory you choose, but it should follow the filesystem hierarchy conventions.
In normal use a mount point holds one filesystem at a time.
In normal use a partition is mounted at one place at a time.
Before unmounting (umount), move the working directory out of the mount point (and its subdirectories), otherwise umount fails with "device is busy".
fstab file format:
#Device     Mountpoint     filesystem     parameters     dump    fsck

Device: the device file, or the device's Label (or UUID)
Mountpoint: the mount point
filesystem: the filesystem type
parameters: the mount options

Option: meaning
async/sync (asynchronous/synchronous): whether writes to the disk are asynchronous. The default is async, which performs better.
auto/noauto (automatic/not automatic): whether the filesystem is mounted when mount -a runs, and therefore at boot. The default is auto.
rw/ro (read-write/read-only): mount the partition read-write or read-only. Data you share but do not want users to alter can be mounted read-only; nothing on that filesystem can then be written, whatever the w permission bits on the files say.
exec/noexec (executable/not executable): whether programs on this filesystem may be executed. A filesystem that only stores data is safer with noexec, at the cost of some inconvenience.
user/nouser (users may/may not mount): whether ordinary users may mount this filesystem with the mount command. Normally we do not want ordinary users mounting things, as it is unsafe, so this should be nouser. Where user is needed, note that it implies noexec, nosuid and nodev unless those are explicitly overridden.
suid/nosuid (setuid honoured/ignored): whether set-uid and set-gid bits on this filesystem take effect. If the filesystem does not hold executables, nosuid switches them off.
usrquota: note the spelling, usrquota. Enables user disk quotas on the filesystem (quotas are covered in a later part of the source book).
grpquota: note the spelling, grpquota. Enables group disk quotas on the filesystem.
defaults: the same as rw, suid, dev, exec, auto, nouser, async. In the usual case, defaults is all you need.
Table quoted from 鳥哥的Linux私房菜 (VBird's Linux notes)


dump: whether dump backs this filesystem up. 0 = no, 1 = daily dump.
fsck: whether fsck checks this filesystem at boot. 0 = do not check, 1 = check first, 2 = check, but after the pass-1 filesystems. Normally only the root filesystem is set to 1; any other filesystem that should be checked gets 2. swap, /proc, /sys and the like need no check (0).

Mounting a Windows shared folder under Linux


Put the share's details in /etc/fstab and it will be mounted automatically at boot. For example:

//winsrvIP/sharefolder   /LinuxDir   cifs user=username,password=password,iocharset=utf8,codepage=cp950,rw,file_mode=0774,dir_mode=0775,uid=1000,gid=1000   0       0

Note that /etc/fstab is readable by every local user, so a password written there is not a secret. Put the account details in a root-only file instead, for example /root/.smbcredentials containing username=, password= and (optionally) domain= lines with mode 0600, and replace user=...,password=... with credentials=/root/.smbcredentials.
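The two fstab risks discussed above (a cleartext cifs password in a world-readable file, and mounts that hand users setuid binaries or device nodes), as an added example that is not code from the original post: a small audit over a constructed sample fstab, plus a helper that writes the root-only credentials file mount.cifs reads through credentials=. Device names, share names and the account in the sample are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an fstab for:
#   1. cifs entries carrying password= inline (/etc/fstab is world-readable)
#   2. "user"-mountable entries that re-enable exec/suid/dev (user implies
#      noexec,nosuid,nodev unless overridden)
#   3. /tmp, /var/tmp, /dev/shm without nosuid,nodev
# and writes a mount.cifs credentials file with a safe mode.

# Constructed sample, not a real system's /etc/fstab.
SAMPLE_FSTAB='# <device>          <mount>     <type>   <options>                       <dump> <pass>
UUID=1234-abcd      /           ext4     errors=remount-ro               0 1
UUID=5678-ef01      /home       ext4     defaults                        0 2
/dev/sdb1           /data       ext4     defaults,nosuid,nodev,noexec    0 2
/dev/sr0            /media/cd   iso9660  user,noauto                     0 0
/dev/sdc1           /media/usb  vfat     user,exec,noauto                0 0
//winsrv/share      /mnt/win    cifs     user=bob,password=s3cret,rw     0 0
//winsrv/share2     /mnt/win2   cifs     credentials=/root/.smbcred,rw   0 0
tmpfs               /tmp        tmpfs    defaults                        0 0'

# has_opt OPTIONS NAME: true if NAME is one of the comma-separated OPTIONS
# as a whole token (so "user" does not match "user=bob").
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# audit_fstab FILE: print one finding per line, return the number of findings.
audit_fstab() {
    count=0
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac      # blank or comment line
        # 1. cleartext credential in a world-readable file
        case "$fstype" in
            cifs|smbfs)
                case ",$opts," in
                    *,password=*)
                        echo "$mnt: password in fstab; use credentials=FILE (mode 0600)"
                        count=$((count + 1)) ;;
                esac ;;
        esac
        # 2. user-mountable entries that switch the implied protections back on
        if has_opt "$opts" user || has_opt "$opts" users; then
            for o in exec suid dev; do
                if has_opt "$opts" "$o"; then
                    echo "$mnt: user-mountable but re-enables $o"
                    count=$((count + 1)); break
                fi
            done
        fi
        # 3. world-writable scratch areas should carry neither setuid binaries nor device nodes
        case "$mnt" in
            /tmp|/var/tmp|/dev/shm)
                if ! has_opt "$opts" nosuid || ! has_opt "$opts" nodev; then
                    echo "$mnt: add nosuid,nodev (and noexec where it does not break package builds)"
                    count=$((count + 1))
                fi ;;
        esac
    done < "$1"
    return $count
}

# write_smb_credentials FILE USER PASS DOMAIN: the file mount.cifs reads via
# credentials=FILE, created readable by its owner only (subshell keeps the
# umask change local).
write_smb_credentials() {
    ( umask 077 && printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$4" > "$1" )
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_FSTAB" > "$demo"
audit_fstab "$demo"
rm -f "$demo"
```

Run it against the real file with `audit_fstab /etc/fstab`. After writing the credentials file with `write_smb_credentials /root/.smbcredentials username password WORKGROUP`, the fstab line becomes `//winsrvIP/sharefolder /LinuxDir cifs credentials=/root/.smbcredentials,iocharset=utf8,rw,uid=1000,gid=1000 0 0`.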

Changing a network card's link speed by hand on Linux

The proper way is through the driver's module parameters, but the mii-tool command from the net-tools package also works (ethtool is the modern equivalent).

Usage:

usage: mii-tool [-VvRrwl] [-A media,... | -F media] [interface ...]
       -V, --version               display version information
       -v, --verbose               more verbose output
       -R, --reset                 reset MII to poweron state
       -r, --restart               restart autonegotiation
       -w, --watch                 monitor for link status changes
       -l, --log                   with -w, write events to syslog
       -A, --advertise=media,...   advertise only specified media
       -F, --force=media           force specified media technology
media: 1000baseTx-HD, 1000baseTx-FD,
       100baseT4, 100baseTx-FD, 100baseTx-HD,
       10baseT-FD, 10baseT-HD,
       (to advertise both HD and FD) 1000baseTx, 100baseTx, 10baseT

Fixing slow SSH server logins

By default the SSH server does a reverse DNS lookup on every connecting client, which often causes a pause while logging in. Turn the reverse lookup off in the server's configuration file to speed up logins.
Add the following line to /etc/ssh/sshd_config:
UseDNS no

Save the file and restart the SSH server.

Caveat: with UseDNS no, only addresses, not host names, can be used in from= restrictions in authorized_keys and in Match Host directives.

If logins are still slow after setting UseDNS no,
try setting
GSSAPIAuthentication no as well.

Friday, 3 February 2012

Chrooting accounts that log in over OpenSSH with SFTP


# Do not allow the user a shell (the user may only transfer files with SFTP)
# Do not allow the user to create SSH tunnels (TCP forwarding)
# Do not allow the user to use X11 forwarding
# After login, confine the user to a directory with chroot

To meet these requirements, edit the OpenSSH configuration and create a chroot directory owned by root. The steps:

1. Create a group dedicated to SFTP
Here we create a group called sftponly (any other name works too)
addgroup sftponly

2. Edit the OpenSSH configuration
Edit "/etc/ssh/sshd_config" and find the Subsystem line:

Subsystem sftp /usr/lib/openssh/sftp-server

Change it to:

Subsystem sftp internal-sftp

Then append the following to the end of the file (it must go at the end: every line after a Match applies only to that Match block). The %u in ChrootDirectory expands to the user name:

Match group sftponly
         ChrootDirectory /home/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp

3. Create the user and add it to the sftponly group. The user's home directory must be the same directory that ChrootDirectory points at.

adduser sftpuser

The sshd_config above applies ChrootDirectory to every user in the sftponly group, so add the user to that group:

adduser sftpuser sftponly

4. Fix the ownership and permissions of the user's home directory
Because of how sshd checks a chroot() directory, it must be owned by root and must not be writable by group or others (755 is the usual mode); the same applies to every directory above it, /home included:

chown root:root /home/sftpuser
chmod 755 /home/sftpuser

If this is not set correctly the login fails, and /var/log/auth.log shows:

sshd[9326]: pam_unix(sshd:session): session opened for user sftpuser by (uid=0)
sshd[9433]: fatal: bad ownership or modes for chroot directory "/home/sftpuser"
sshd[9526]: pam_unix(sshd:session): session closed for user

5. Create an upload directory inside the user's home and give it suitable permissions
Because the chroot directory must be root-owned with mode 755, the user cannot write anything into it after logging in. To let the user upload files, create a directory for them inside the jail and set its ownership:

cd /home/sftpuser
mkdir upload
chown sftpuser:sftpuser upload
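The ownership and mode test that sshd applies to a ChrootDirectory (the cause of the "bad ownership or modes for chroot directory" error above), as an added example that is not code from the original post, so a jail can be verified before the user tries to log in; the provisioning steps above are gathered into a second function. It assumes GNU coreutils stat and the Debian/Ubuntu adduser; the group name sftponly is the one used in the post.

```shell
#!/bin/sh
# Added example, not from the original post.

# check_chroot_path DIR [UID] [TOP]
# sshd accepts DIR only if it and every directory above it are owned by root
# and have no group/other write bit. UID (default 0) and TOP (default /) exist
# only so the check can be exercised on a scratch tree by a non-root user; on a
# real host call it as: check_chroot_path /home/sftpuser
check_chroot_path() {
    dir=$1; want_uid=${2:-0}; top=${3:-/}
    while :; do
        out=$(stat -c '%u %a' "$dir" 2>/dev/null) || { echo "$dir: cannot stat"; return 1; }
        uid=${out%% *}; mode=${out#* }
        if [ "$uid" != "$want_uid" ]; then
            echo "$dir: owned by uid $uid, sshd requires uid $want_uid"; return 1
        fi
        # 022 (octal) = group-write | other-write; the leading 0 makes $mode octal
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$dir: mode $mode is group/world writable"; return 1
        fi
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# setup_sftp_chroot USER: steps 1, 3, 4 and 5 from the post in order (step 2,
# the sshd_config edit, is done once by hand). Must run as root.
setup_sftp_chroot() {
    u=$1
    getent group sftponly >/dev/null || addgroup sftponly
    id "$u" >/dev/null 2>&1 || adduser --disabled-password --gecos '' "$u"
    adduser "$u" sftponly
    # jail root: root-owned, not writable by the user
    chown root:root "/home/$u"
    chmod 755 "/home/$u"
    # the only place inside the jail the user can write
    mkdir -p "/home/$u/upload"
    chown "$u:$u" "/home/$u/upload"
    chmod 750 "/home/$u/upload"
    # verify the whole path the way sshd will, before the user tries to log in
    check_chroot_path "/home/$u"
}

# Stand-alone use: "sh thisfile setup NAME" or "sh thisfile check DIR".
case "${1:-}" in
    setup) setup_sftp_chroot "$2" ;;
    check) check_chroot_path "$2" ;;
esac
```

The check walks upward because sshd tests every component of the path, not just the final directory: a group-writable /home is enough to produce the same fatal error.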

A quick walk through the denyhosts configuration file (/etc/denyhosts.conf on Debian/Ubuntu; the English comments are the stock file's, the remaining notes are the author's)

       ############ THESE SETTINGS ARE REQUIRED ############

########################################################################
#
# SECURE_LOG: the log file that contains sshd logging info
# if you are not sure, grep "sshd:" /var/log/*
#
# The file to process can be overridden with the --file command line
# argument
#
# Redhat or Fedora Core:
#SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD: 
#SECURE_LOG = /var/log/auth.log
#
# SuSE:
#SECURE_LOG = /var/log/messages
#
# Mac OS X (v10.4 or greater - 
#   also refer to:   http://www.denyhosts.net/faq.html#macos
#SECURE_LOG = /private/var/log/asl.log
#
# Mac OS X (v10.3 or earlier):
#SECURE_LOG=/private/var/log/system.log
#
# Debian:
SECURE_LOG = /var/log/auth.log
########################################################################

########################################################################
#
# HOSTS_DENY: the file which contains restricted host access information
#
# Most operating systems:
HOSTS_DENY = /etc/hosts.deny
#
# Some BSD (FreeBSD) Unixes:
#HOSTS_DENY = /etc/hosts.allow
#
# Another possibility (also see the next option):
#HOSTS_DENY = /etc/hosts.evil
#######################################################################


########################################################################
#
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
#             when DenyHosts is invoked with the --purge flag
#
#      format is: i[dhwmy]
#      Where 'i' is an integer (eg. 7) 
#            'm' = minutes
#            'h' = hours
#            'd' = days
#            'w' = weeks
#            'y' = years
# How long an entry stays in hosts.deny before it is purged (blank = never purge)
# never purge:
PURGE_DENY =  
#
# purge entries older than 1 week
#PURGE_DENY = 1w
#
# purge entries older than 5 days
#PURGE_DENY = 5d
#######################################################################

#######################################################################
#
# PURGE_THRESHOLD: defines the maximum times a host will be purged.  
# Once this value has been exceeded then this host will not be purged. 
# Setting this parameter to 0 (the default) disables this feature.
#
# Maximum number of times a host may be purged from hosts.deny
# default: a denied host can be purged/re-added indefinitely
#PURGE_THRESHOLD = 0
#
# a denied host will be purged at most 2 times. 
#PURGE_THRESHOLD = 2 
#
#######################################################################


#######################################################################
#
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
# man 5 hosts_access for details
#
# eg.   sshd: 127.0.0.1  # will block sshd logins from 127.0.0.1
#
# To block all services for the offending host (the setting used here):
BLOCK_SERVICE  = ALL 
# To block only sshd:
#BLOCK_SERVICE = sshd
# To only record the offending host and nothing else (if using
# an auxiliary file to list the hosts).  Refer to: 
# http://denyhosts.sourceforge.net/faq.html#aux
#BLOCK_SERVICE =    
#
#######################################################################


#######################################################################
#
# DENY_THRESHOLD_INVALID: block each host after the number of failed login 
# attempts has exceeded this value.  This value applies to invalid
# user login attempts (eg. non-existent user accounts)
# Failed logins allowed for non-existent user names
DENY_THRESHOLD_INVALID = 3
#
#######################################################################

#######################################################################
#
# DENY_THRESHOLD_VALID: block each host after the number of failed 
# login attempts has exceeded this value.  This value applies to valid
# user login attempts (eg. user accounts that exist in /etc/passwd) except
# for the "root" user
# Failed logins allowed for valid user names
DENY_THRESHOLD_VALID = 5
#
#######################################################################

#######################################################################
#
# DENY_THRESHOLD_ROOT: block each host after the number of failed 
# login attempts has exceeded this value.  This value applies to 
# "root" user login attempts only.
# Failed logins allowed for root
DENY_THRESHOLD_ROOT = 1
#
#######################################################################


#######################################################################
#
# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed 
# login attempts has exceeded this value.  This value applies to 
# usernames that appear in the WORK_DIR/restricted-usernames file only.
# Failed logins allowed for restricted user names
DENY_THRESHOLD_RESTRICTED = 1
#
#######################################################################


#######################################################################
#
# WORK_DIR: the path that DenyHosts will use for writing data to
# (it will be created if it does not already exist).  
#
# Note: it is recommended that you use an absolute pathname
# for this value (eg. /home/foo/denyhosts/data)
#
WORK_DIR = /var/lib/denyhosts
#
#######################################################################

#######################################################################
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
# If set to YES, if a suspicious login attempt results from an allowed-host
# then it is considered suspicious.  If this is NO, then suspicious logins 
# from allowed-hosts will not be reported.  All suspicious logins from 
# ip addresses that are not in allowed-hosts will always be reported.
# Whether suspicious logins from hosts listed in allowed-hosts are reported
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
######################################################################

######################################################################
#
# HOSTNAME_LOOKUP
#
# HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each IP address that is reported by Denyhosts,
# the corresponding hostname will be looked up and reported as well
# (if available).
# Whether to reverse-resolve host names
HOSTNAME_LOOKUP=YES
#
######################################################################


######################################################################
#
# LOCK_FILE
#
# LOCK_FILE=/path/denyhosts
# If this file exists when DenyHosts is run, then DenyHosts will exit
# immediately.  Otherwise, this file will be created upon invocation
# and deleted upon exit.  This ensures that only one instance is
# running at a time.
#
# Redhat/Fedora:
#LOCK_FILE = /var/lock/subsys/denyhosts
#
# Debian
LOCK_FILE = /var/run/denyhosts.pid
#
# Misc
#LOCK_FILE = /tmp/denyhosts.lock
#
######################################################################


       ############ THESE SETTINGS ARE OPTIONAL ############


#######################################################################
#
# ADMIN_EMAIL: if you would like to receive emails regarding newly
# restricted hosts and suspicious logins, set this address to 
# match your email address.  If you do not want to receive these reports
# leave this field blank (or run with the --noemail option)
#
# Multiple email addresses can be delimited by a comma, eg:
# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
#
ADMIN_EMAIL = liaohaha@gmail.com
#
#######################################################################

#######################################################################
#
# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email 
# reports (see ADMIN_EMAIL) then these settings specify the 
# email server address (SMTP_HOST) and the server port (SMTP_PORT)
#
SMTP_HOST = liaohaha.tw 
SMTP_PORT = 25
#
#######################################################################

#######################################################################
# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your 
# smtp email server requires authentication
#
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
#
######################################################################

#######################################################################
#
# SMTP_FROM: you can specify the "From:" address in messages sent
# from DenyHosts when it reports thwarted abuse attempts
#
SMTP_FROM = DenyHosts <haha@liaohaha.tw>
#
#######################################################################

#######################################################################
#
# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
# by DenyHosts when it reports thwarted abuse attempts
SMTP_SUBJECT = DenyHosts Report
#
######################################################################

######################################################################
#
# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
# when sending email messages.
#
# for possible values for this parameter refer to: man strftime
#
# the default:
#
#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
#
######################################################################

######################################################################
#
# SYSLOG_REPORT
#
# SYSLOG_REPORT=YES|NO
# If set to yes, when denied hosts are recorded the report data
# will be sent to syslog (syslog must be present on your system).
# The default is: NO
#
#SYSLOG_REPORT=NO
#
#SYSLOG_REPORT=YES
#
######################################################################

######################################################################
#
# ALLOWED_HOSTS_HOSTNAME_LOOKUP
#
# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
# the hostname will be looked up.  If your versions of tcp_wrappers
# and sshd sometimes log hostnames in addition to ip addresses
# then you may wish to specify this option.
#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
#
######################################################################

###################################################################### 
# AGE_RESET_VALID: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to login attempts 
# to all valid users (those within /etc/passwd) with the 
# exception of root.  If not defined, this count will never
# be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
# Interval after which a valid user's failed-login count resets; never resets if unset
AGE_RESET_VALID=10m
#
######################################################################

###################################################################### 
# AGE_RESET_ROOT: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to all login 
# attempts to the "root" user account.  If not defined,
# this count will never be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
# Interval after which root's failed-login count resets; never resets if unset
#AGE_RESET_ROOT=30d
#
######################################################################

###################################################################### 
# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to all login 
# attempts to entries found in the WORK_DIR/restricted-usernames file.  
# If not defined, the count will never be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
# Interval after which a restricted user's failed-login count resets; never resets if unset
#AGE_RESET_RESTRICTED=30d
#
######################################################################


###################################################################### 
# AGE_RESET_INVALID: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to login attempts 
# made to any invalid username (those that do not appear 
# in /etc/passwd).  If not defined, count will never be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
# Interval after which an invalid user's failed-login count resets; never resets if unset
#AGE_RESET_INVALID=10d
#
######################################################################


######################################################################
#
# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
# failed count for the respective ip address will be reset to 0
# if the login is successful.  
#
# The default is RESET_ON_SUCCESS = no
# Reset the failed-login count after a successful login
RESET_ON_SUCCESS = yes
#
#####################################################################


######################################################################
#
# PLUGIN_DENY: If set, this value should point to an executable
# program that will be invoked when a host is added to the
# HOSTS_DENY file.  This executable will be passed the host
# that will be added as its only argument.
#
#PLUGIN_DENY=/usr/bin/true
#
######################################################################


######################################################################
#
# PLUGIN_PURGE: If set, this value should point to an executable
# program that will be invoked when a host is removed from the
# HOSTS_DENY file.  This executable will be passed the host
# that is to be purged as its only argument.
#
#PLUGIN_PURGE=/usr/bin/true
#
######################################################################

######################################################################
#
# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
# a regular expression that can be used to identify additional
# hackers for your particular ssh configuration.  This functionality
# extends the built-in regular expressions that DenyHosts uses.
# This parameter can be specified multiple times.
# See this faq entry for more details:
#    http://denyhosts.sf.net/faq.html#userdef_regex
#
#USERDEF_FAILED_ENTRY_REGEX=
#
#
######################################################################




   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########



#######################################################################
#
# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
# this is the logfile that DenyHosts uses to report its status.
# To disable logging, leave blank.  (default is: /var/log/denyhosts)
#
DAEMON_LOG = /var/log/denyhosts
#
# disable logging:
#DAEMON_LOG = 
#
######################################################################

#######################################################################
# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode 
# (--daemon flag) this specifies the timestamp format of 
# the DAEMON_LOG messages (default is the ISO8061 format:
# ie. 2005-07-22 10:38:01,745)
#
# for possible values for this parameter refer to: man strftime
#
# Jan 1 13:05:59   
#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
#
# Jan 1 01:05:59 
#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
#
###################################################################### 

#######################################################################
# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode 
# (--daemon flag) this specifies the message format of each logged
# entry.  By default the following format is used:
#
# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
#
# Where the "%(asctime)s" portion is expanded to the format
# defined by DAEMON_LOG_TIME_FORMAT
#
# This string is passed to python's logging.Formatter constructor.
# For details on the possible format types please refer to:
# http://docs.python.org/lib/node357.html
#
# This is the default:
#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
#
#
###################################################################### 

#######################################################################
#
# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
# this is the amount of time DenyHosts will sleep between polling
# the SECURE_LOG.  See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to:    http://denyhosts.sourceforge.net/faq.html#timespec
#
DAEMON_SLEEP = 30s
#
#######################################################################

#######################################################################
#
# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
# run the purge mechanism to expire old entries in HOSTS_DENY
# This has no effect if PURGE_DENY is blank.
#
DAEMON_PURGE = 1h
#
#######################################################################


   #########   THESE SETTINGS ARE SPECIFIC TO     ##########
   #########       DAEMON SYNCHRONIZATION         ##########


#######################################################################
#
# Synchronization mode allows the DenyHosts daemon the ability
# to periodically send and receive denied host data such that 
# DenyHosts daemons worldwide can automatically inform one
# another regarding banned hosts.   This mode is disabled by
# default, you must uncomment SYNC_SERVER to enable this mode.
#
# for more information, please refer to: 
#        http://denyhosts.sourceforge.net/faq.html#sync 
#
#######################################################################


#######################################################################
#
# SYNC_SERVER: The central server that communicates with DenyHost
# daemons.  Currently, denyhosts.net is the only available server
# however, in the future, it may be possible for organizations to
# install their own server for internal network synchronization
#
# To disable synchronization (the default), do nothing. 
#
# To enable synchronization, you must uncomment the following line:
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
#
#######################################################################

#######################################################################
#
# SYNC_INTERVAL: the interval of time to perform synchronizations if
# SYNC_SERVER has been uncommented.  The default is 1 hour.
#SYNC_INTERVAL = 1h
#
#######################################################################


#######################################################################
#
# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
# been denied?  This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_UPLOAD = yes
#
#SYNC_UPLOAD = no
#SYNC_UPLOAD = yes
#
#######################################################################


#######################################################################
#
# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
# been denied by others?  This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_DOWNLOAD = yes
#
#SYNC_DOWNLOAD = no
#SYNC_DOWNLOAD = yes
#
#
#
#######################################################################

#######################################################################
#
# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter
# filters the returned hosts to those that have been blocked this many
# times by others.  That is, if set to 1, then if a single DenyHosts
# server has denied an ip address then you will receive the denied host.
# See also SYNC_DOWNLOAD_RESILIENCY
#
#SYNC_DOWNLOAD_THRESHOLD = 10
#
# The default is SYNC_DOWNLOAD_THRESHOLD = 3 
#
#SYNC_DOWNLOAD_THRESHOLD = 3
#
#######################################################################

#######################################################################
#
# SYNC_DOWNLOAD_RESILIENCY:  If SYNC_DOWNLOAD is enabled then the
# value specified for this option limits the downloaded data
# to this resiliency period or greater.
#
# Resiliency is defined as the timespan between a hackers first known 
# attack and its most recent attack.  Example:
# If the centralized   denyhosts.net server records an attack at 2 PM 
# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h 
# will not download this ip address.
#
# However, if the attacker is recorded again at 6:15 PM then the 
# ip address will be downloaded by your DenyHosts instance.  
#
# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD 
# and only hosts that satisfy both values will be downloaded.  
# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 
#
# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
#
# Only obtain hackers that have been at it for 2 days or more:
#SYNC_DOWNLOAD_RESILIENCY = 2d
#
# Only obtain hackers that have been at it for 5 hours or more:
#SYNC_DOWNLOAD_RESILIENCY = 5h
#
#######################################################################
Also, when denyhosts blocks a legitimate IP, unblocking it requires stopping denyhosts first:
sudo service denyhosts stop
Then, in /var/lib/denyhosts, remove every line containing the wrongly blocked IP from
hosts, hosts-restricted, hosts-root and hosts-valid, and from /etc/hosts.deny. Match the whole address when you search: a search for 192.168.1.1 also hits 192.168.1.10 and 192.168.1.100. To make sure an IP is never blocked by denyhosts, add it to /var/lib/denyhosts/allowed-hosts, for example:
127.0.0.1
192.168.1.0/24


Then start denyhosts again and you are done:
sudo service denyhosts start
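The unblocking procedure above as an added example, not code from the original post: it strips one address from the DenyHosts work files and hosts.deny while matching the whole address, so clearing 192.168.1.1 leaves 192.168.1.10 and 192.168.1.100 banned, and it adds an allowed-hosts entry without duplicating it. The sample files are constructed to resemble the layout DenyHosts writes and live in a scratch directory; the real paths are /var/lib/denyhosts and /etc/hosts.deny, and the daemon must be stopped first, as the post says, or it rewrites the files.

```shell
#!/bin/sh
# Added example, not from the original post.

# denyhosts_unban IP WORKDIR HOSTS_DENY: remove every line that mentions IP as a
# whole token from the work files and hosts.deny; prints the number of lines removed.
denyhosts_unban() {
    ip=$1; workdir=$2; hosts_deny=$3
    removed=0
    pat=$(printf '%s' "$ip" | sed 's/\./\\./g')   # make the dots literal
    for f in "$workdir/hosts" "$workdir/hosts-restricted" "$workdir/hosts-root" \
             "$workdir/hosts-valid" "$hosts_deny"; do
        [ -f "$f" ] || continue
        before=$(wc -l < "$f" | tr -d ' ')
        # -w: the address must be bounded by non-word characters, so 192.168.1.1
        # does not match inside 192.168.1.10. grep exits 1 when nothing is left.
        rc=0
        grep -v -w -- "$pat" "$f" > "$f.tmp" || rc=$?
        if [ "$rc" -gt 1 ]; then rm -f "$f.tmp"; echo "grep failed on $f" >&2; return 2; fi
        # copy back rather than mv, so the file keeps its owner and mode
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"
        after=$(wc -l < "$f" | tr -d ' ')
        removed=$((removed + before - after))
    done
    echo "$removed"
}

# denyhosts_allow ENTRY WORKDIR: add ENTRY (an IP, or one of the forms the post
# shows) to allowed-hosts unless it is already there.
denyhosts_allow() {
    f="$2/allowed-hosts"
    [ -f "$f" ] || : > "$f"
    grep -q -x -F -- "$1" "$f" || echo "$1" >> "$f"
}

# make_sample_denyhosts DIR: constructed DenyHosts state for the demo (layout
# approximates what DenyHosts writes; the addresses and dates are made up).
make_sample_denyhosts() {
    mkdir -p "$1"
    printf '%s\n' '192.168.1.1:3:2012-02-03 10:00:00' \
                  '192.168.1.10:7:2012-02-03 11:00:00' \
                  '10.0.0.5:2:2012-02-03 12:00:00' > "$1/hosts"
    printf '%s\n' '192.168.1.1:2:2012-02-03 10:00:00' > "$1/hosts-valid"
    printf '%s\n' '192.168.1.1:1:2012-02-03 10:00:00' > "$1/hosts-root"
    printf '%s\n' '192.168.1.10:1:2012-02-03 11:00:00' > "$1/hosts-restricted"
    printf '%s\n' '# DenyHosts: Fri Feb  3 10:00:00 2012 | sshd: 192.168.1.1' \
                  'sshd: 192.168.1.1' \
                  '# DenyHosts: Fri Feb  3 11:00:00 2012 | sshd: 192.168.1.10' \
                  'sshd: 192.168.1.10' \
                  'ALL: 10.0.0.5' > "$1/hosts.deny"
}

# Stand-alone demo on a scratch copy. On a real host, with the daemon stopped:
#   denyhosts_unban 192.168.1.1 /var/lib/denyhosts /etc/hosts.deny
scratch=$(mktemp -d)
make_sample_denyhosts "$scratch"
echo "removed $(denyhosts_unban 192.168.1.1 "$scratch" "$scratch/hosts.deny") line(s)"
rm -rf "$scratch"
```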


Sample ssh configuration

A short commentary on sshd_config, the OpenSSH server configuration file (the Debian/Ubuntu package-generated file, with annotations)
------------------------------------------------------------------------------------------------------------
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
# sshd listens on port 22 by default. It can listen on several ports: repeat the Port line.
# For example, to serve sshd on both 22 and 443, add a second line reading "Port 443"
# and restart sshd. Changing the port number is not recommended, though.
Port 22

# Use these options to restrict which interfaces/protocols sshd will bind to
# The addresses to listen on. For example, if the host has two addresses, 192.168.1.100 and
# 192.168.100.254, and sshd should only accept connections on 192.168.1.100, write
# "ListenAddress 192.168.1.100". The default is to listen on every interface.
#ListenAddress ::
#ListenAddress 0.0.0.0

# The SSH protocol version(s) to accept, 1 and/or 2. CentOS 5.x, like this Debian/Ubuntu
# file, accepts only version 2 by default. Accepting the obsolete version 1 would need
# "Protocol 2,1"; avoid it, SSH-1 has known weaknesses.
Protocol 2

# HostKeys for protocol version 2
# (sshd_config does not accept a trailing comment on a directive line, so the notes go above each key)
# RSA private host key used by SSH version 2
HostKey /etc/ssh/ssh_host_rsa_key
# DSA private host key used by SSH version 2
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
# When someone logs in over SSH, sshd logs it; this sets the syslog facility the messages
# go to. The default is AUTH, which Debian/Ubuntu writes to /var/log/auth.log
# (CentOS: /var/log/secure). Other facilities: DAEMON, USER, AUTH, LOCAL0 to LOCAL7.
SyslogFacility AUTH

# Log verbosity
LogLevel INFO

# Authentication:
# Once a client connects it is shown the password prompt; if it has not authenticated
# within this time the server disconnects it. Without a unit the value is in seconds.
LoginGraceTime 120

# Whether root may log in directly. The default in this OpenSSH version is yes; no is the safer choice.
PermitRootLogin no

# Whether sshd checks the permissions of the user's home directory and related files
# before accepting a login, guarding against users setting the mode of important files wrongly.
# For example, a ~/.ssh/ or authorized_keys that is writable by group or others causes the login to be refused.
StrictModes yes

# Whether users may log in with a key pair. RSAAuthentication applies to protocol 1 only;
# PubkeyAuthentication is the protocol 2 setting.
# The user's own public keys go in .ssh/authorized_keys under their home directory
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
# Whether to allow logins with an empty password
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
# (the package default is yes; once keys are in place, set PasswordAuthentication no)
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10

# Whether to print the message of the day, the contents of /etc/motd, after login.
# The default is yes; to give away less about the system, consider no.
PrintMotd no

# Whether to show the time and place of the previous login; the default is yes.
PrintLastLog yes

# After a connection is established the server keeps sending TCP keepalive packets to check
# that the client is still there, so when either side dies the other finds out at once
# instead of leaving a zombie session. The downside is that a router dropping out for a
# few seconds can also break the connection; if the network is unstable, consider no.
TCPKeepAlive yes

#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

UseDNS no
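A first-pass audit of an sshd_config against the settings discussed in the template above and in the UseDNS note earlier on this page, as an added example that is not code from the original post. It follows sshd's own rule that the first value given for a keyword wins, and it stops at the first Match block because values there are conditional, so `sshd -T` on the live host remains the authority. The two configurations below are constructed for the demo; the defaults it assumes for unset keywords are those of the OpenSSH 5.x/6.x releases of the post's era (PermitRootLogin yes, PasswordAuthentication yes, UseDNS yes).

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed configs. The weak one sets PasswordAuthentication twice in the
# global section and once more inside a Match block; sshd uses the first
# global value (yes), which the audit reproduces.
WEAK_CFG='Port 22
Protocol 2,1
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin yes
X11Forwarding yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no'

HARDENED_CFG='Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
StrictModes yes
UseDNS no'

# sshd_get FILE KEYWORD: the first global value of KEYWORD (case-insensitive),
# empty if unset. Keyword=value syntax is not handled.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }   # conditional section begins; stop
        tolower($1) == key       { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# sshd_audit FILE: print one finding per line, return the number of findings.
sshd_audit() {
    f=$1; n=0
    v=$(sshd_get "$f" Protocol)
    case ",$v," in
        *,1,*) echo "Protocol $v accepts SSH-1; use Protocol 2"; n=$((n + 1)) ;;
    esac
    v=$(sshd_get "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "${v:-yes}" = yes ]; then echo "PermitRootLogin yes (the default); set no"; n=$((n + 1)); fi
    v=$(sshd_get "$f" PermitEmptyPasswords | tr 'A-Z' 'a-z')
    if [ "$v" = yes ]; then echo "PermitEmptyPasswords yes"; n=$((n + 1)); fi
    v=$(sshd_get "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "${v:-yes}" = yes ]; then echo "PasswordAuthentication yes (the default); use keys and set no"; n=$((n + 1)); fi
    v=$(sshd_get "$f" X11Forwarding | tr 'A-Z' 'a-z')
    if [ "$v" = yes ]; then echo "X11Forwarding yes; disable unless needed"; n=$((n + 1)); fi
    v=$(sshd_get "$f" StrictModes | tr 'A-Z' 'a-z')
    if [ "$v" = no ]; then echo "StrictModes no; sshd will accept group/world-writable authorized_keys"; n=$((n + 1)); fi
    v=$(sshd_get "$f" UseDNS | tr 'A-Z' 'a-z')
    if [ "${v:-yes}" = yes ]; then echo "UseDNS unset/yes; reverse lookups slow logins, set UseDNS no"; n=$((n + 1)); fi
    return $n
}

# Stand-alone demo on the constructed configs; on a real host: sshd_audit /etc/ssh/sshd_config
t=$(mktemp)
printf '%s\n' "$WEAK_CFG" > "$t"
echo "== constructed weak config =="; sshd_audit "$t"
printf '%s\n' "$HARDENED_CFG" > "$t"
echo "== constructed hardened config =="; sshd_audit "$t"
rm -f "$t"
```

The audit deliberately reports unset keywords whose era default is unsafe, which is why the weak config is flagged for UseDNS even though it never mentions it.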