3.6. 2018-01-09-练习pam,自动化安装¶

3.6.1. 练习1-pam¶

1、使用pam_nologin,pam_security,pam_limit,pam_shell

pam_shell

vim /etc/pam.d/login 第一行添加如下行
auth      required  pam_shells.so

pam_nologin

[root@centos74 pam.d]$ man pam_nologin
[root@centos74 pam.d]$ grep nologin ./*
./gdm-autologin:account    required    pam_nologin.so
./gdm-fingerprint:account     required      pam_nologin.so
./gdm-password:account     required      pam_nologin.so
./gdm-pin:account     required      pam_nologin.so
./gdm-smartcard:account     required      pam_nologin.so
./login:account    required     pam_nologin.so
./pluto:account required pam_nologin.so
./ppp:account    required   pam_nologin.so
./remote:account    required     pam_nologin.so
./sshd:account    required     pam_nologin.so
[root@centos74 pam.d]$ touch /etc/nologin
[root@centos74 pam.d]$ ssh zhao@localhost
zhao@localhost's password:
Authentication failed.

pam_limit

[root@centos74 limits.d]$ man 5 limits.conf
[root@centos74 limits.d]$ ulimit  -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 7823
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 7823
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

[root@centos74 limits.d]$ vim 20-nproc.conf
[root@centos74 limits.d]$ cat 20-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.

*          soft    nproc     4096
root       soft    nproc     unlimited
zhao           hard    nproc     5

ulimit: ulimit [-SHacdefilmnpqrstuvx] [limit]
    Modify shell resource limits.

    Provides control over the resources available to the shell and processes
    it creates, on systems that allow such control.

    Options:
    -S      use the 'soft' resource limit               # 软限制
    -H      use the 'hard' resource limit               # 硬限制
    -a      all current limits are reported             # 列出限制
    -b      the socket buffer size                      # socket 缓冲大小
    -c      the maximum size of core files created      # 最大核心文件创建
    -d      the maximum size of a process's data segment# 最大进程数据段大小
    -e      the maximum scheduling priority ('nice')    # 最大nice值
    -f      the maximum size of files written by the shell and its children # 最大的文件大小
    -i      the maximum number of pending signals       # 最大的暂停信号
    -l      the maximum size a process may lock into memory # 最大的锁到内存的进程数
    -m      the maximum resident set size                   #
    -n      the maximum number of open file descriptors     # 最大打开的文件数量
    -p      the pipe buffer size                            # 管道缓冲区大小
    -q      the maximum number of bytes in POSIX message queues # 最大字节关于post消息队列
    -r      the maximum real-time scheduling priority           # 实时调度优先级最大值
    -s      the maximum stack size                              # 最大栈大小
    -t      the maximum amount of cpu time in seconds           # 最大cpu用时
    -u      the maximum number of user processes                # 最大用户进程数量
    -v      the size of virtual memory                          # 虚拟内存大小
    -x      the maximum number of file locks                    # 最大文件锁定个数

2、编写脚本/root/bin/checkip.sh，每5分钟检查一次，如果发现通过ssh登录失败次数超过10次，自动将此远程IP放入Tcp Wrapper的黑名单中予以禁止防问

#!/bin/awk -f
/sshd.*Failed password/{ip=$(NF-3); ips[ip]++}
END{
        for (i in ips){
                if(ips[i]>4){
                        cmd="echo sshd:"i">>/etc/hosts.deny"; system(cmd)
                }
        }
}

# crontab -e
*/5 * * * *  /root/bin/checkip.awk /var/log/secure

3、限制centos用户只能够在工作时间通过ssh远程连接本机

# vim /etc/pam.d/sshd  # 添加如下行
account  required  pam_time.so
# vim /etc/security/time.conf # 添加行
sshd;*;test1;Wd0800-1800

4、限制只有admins组内的用户可ssh到本机

# 编辑 /etc/ssh/sshd_config 文件，添加AllowGroups admins
# 重启sshd服务。

3.6.2. 练习2-自动化安装¶

1、通过光盘启动，安装局域网的系统

linux askmethod ip=172.18.46.105 netmask=255.255.0.0

2、不使用大光盘，直接自制一个小光盘，然后安装网络的系统

linux ks=http://172.18.46.6/pub/ks/ks7-mini.cfg ip=172.18.46.105 netmask=255.255.0.0

3、制作可启动U盘，自动安装系统

[root@station /]# find /centos6/ -name TRANS.TBL -exec rm -rf {} \;
[root@centos66 centos6]$ rm -rf repodata/*
[root@centos66 centos6]$ cp /mnt/cdrom/repodata/43d8fd068164b0f042845474d6a22262798b9f0d1f49ad1bf9f95b953089777d-c6-x86_64-comps.xml repodata/

[root@station centos6]# createrepo  -g repodata/38b60f66d52704cffb8696750b2b6552438c1ace283bc2cf22408b0ba0e4cbfa-c7-x86_64-comps.xml  .
[root@station centos6]# mkisofs -R -J -T -v --no-emul-boot --boot-load-size 4 --boot-info-table -V "centos 6 boot" -b isolinux/isolinux.bin -c isolinux/boot.cat -o /var/www/html/iso/c66.iso /centos6
#修改linuxiso下的linuxiso.cfg文件ks.cfg文件
#记得ks.cfg有reboot行

参考1

参考2