Linux and Networking


3 posts are tagged with the keyword «Security»

14 Esfand

The pam_access.so module exists in Linux but has not been added to the kernel, so to create restrictions we have to add it to the kernel.

To do this:

$ vim /etc/security/access.conf
   # add rule:
   + : root : ALL
$ vi /etc/pam.d/password-auth
   # fields are separated by tabs or spaces
   account     required     pam_access.so

Note: the syntax of the login file in /etc/pam.d can be used as a reference.
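A check for the two steps above, as an added example that is not part of the original post. pam_access grants access when no rule in access.conf matches, so an allow rule such as `+ : root : ALL` only restricts logins when a final `- : ALL : ALL` rule follows it. The function names and the sample files are constructed for illustration, and the default `:` field separator is assumed.

```shell
#!/bin/sh
# Added example: audit a pam_access setup. File paths are arguments so the
# check can run against copies of the real files.

# Succeeds if the PAM service file has an active account line loading pam_access.so.
pam_access_enabled() {
    grep -Eq '^[[:space:]]*account[[:space:]]+.*pam_access\.so' "$1"
}

# Prints the last active (non-comment, non-blank) rule with whitespace removed.
last_access_rule() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | tail -n 1 | tr -d '[:space:]'
}

# usage: audit_pam_access ACCESS_CONF PAM_SERVICE_FILE
audit_pam_access() {
    if ! pam_access_enabled "$2"; then
        echo "NOT-ENFORCED: pam_access.so missing from account stack"
    elif [ "$(last_access_rule "$1")" != "-:ALL:ALL" ]; then
        # No rule matched means access granted, so the allow-list is open-ended.
        echo "OPEN: no final '- : ALL : ALL' rule, unmatched users are still allowed"
    else
        echo "OK"
    fi
}

# Constructed sample files for the demonstration.
demo_dir=$(mktemp -d)
printf '%s\n' '# add rule:' '+ : root : ALL' > "$demo_dir/access.page"
printf '%s\n' '+ : root : ALL' '- : ALL : ALL' > "$demo_dir/access.strict"
printf 'account\trequired\tpam_access.so\n' > "$demo_dir/password-auth"
printf '#account\trequired\tpam_access.so\n' > "$demo_dir/password-auth.off"

audit_pam_access "$demo_dir/access.page"   "$demo_dir/password-auth"
audit_pam_access "$demo_dir/access.strict" "$demo_dir/password-auth"
audit_pam_access "$demo_dir/access.strict" "$demo_dir/password-auth.off"
rm -rf "$demo_dir"
```

On a real host the call is `audit_pam_access /etc/security/access.conf /etc/pam.d/password-auth`.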

  • behrooz mohamadi nsasab
02 Dey

Basic Concepts in Firewalld

Zones: The firewalld daemon manages groups of rules using entities called “zones”.

Predefined zones:

drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
public: Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.

Rule Permanence: In firewalld, rules can be designated as either permanent or immediate. Most firewall-cmd operations can take the "--permanent" flag.

Commands

Install

Install and Enable Your Firewall to Start at Boot

$ sudo yum install firewalld
$ sudo systemctl enable firewalld
$ sudo reboot

Show Status (Information)

Verify that the service is running and reachable by typing:

$ sudo firewall-cmd --state
output:  running

Current Firewall Rules (which zone is currently selected as the default)

firewall-cmd --get-default-zone
output:
   public

Print currently active zones

firewall-cmd --get-active-zones
output:
 privateDNS
   interfaces: eth1
 publicweb
   interfaces: eth0

List of the available zones

$ sudo firewall-cmd --get-zones
output:
block dmz drop external home internal public trusted work

See the specific configuration associated with a zone

$ sudo firewall-cmd --zone=home --list-all
output :
home
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

See the specific configuration associated with all zones

sudo firewall-cmd --list-all-zones

List of the available services

firewall-cmd --get-services
output
   RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

List services

sudo firewall-cmd --zone=public --list-all
sudo firewall-cmd --zone=public --list-services

List of ports

sudo firewall-cmd --zone=public --list-ports

 

Modify

Changing the Zone of an Interface

sudo firewall-cmd --zone=home --change-interface=eth0
output
success

Adjusting the Default Zone

sudo firewall-cmd --set-default-zone=home

Allow http/https traffic in our “public” zone

sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --add-service=http  --permanent
sudo firewall-cmd --zone=public --add-service=https
sudo firewall-cmd --zone=public --permanent --add-service=https

Opening a Port for your Zones

sudo firewall-cmd --zone=public --add-port=5000/tcp
sudo firewall-cmd --zone=public --add-port=4990-4999/udp
sudo firewall-cmd --zone=public --permanent --add-port=5000/tcp
sudo firewall-cmd --zone=public --permanent --add-port=4990-4999/udp
sudo firewall-cmd --zone=public --permanent --list-ports

Change an interface between zones

sudo firewall-cmd --zone=public --change-interface=eth0
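The commands above add each service or port twice, once to the running configuration and once with --permanent. The following added example (not part of the original post) compares the two lists and reports entries that exist in only one of them. The function names and the sample lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect drift between firewalld's runtime and permanent rules.

# Prints every item of list $1 that is absent from list $2 (whitespace-separated).
list_minus() {
    haystack=" $(echo $2) "          # collapse newlines/tabs into single spaces
    for item in $1; do
        case "$haystack" in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# usage: fw_drift RUNTIME_LIST PERMANENT_LIST ; returns 1 when the lists differ
fw_drift() {
    drift=0
    for entry in $(list_minus "$1" "$2"); do
        echo "runtime-only (lost on reload/reboot): $entry"
        drift=1
    done
    for entry in $(list_minus "$2" "$1"); do
        echo "permanent-only (not active until reload): $entry"
        drift=1
    done
    return $drift
}

# Live usage on a host running firewalld (flags as used in the post):
#   fw_drift "$(firewall-cmd --zone=public --list-ports)" \
#            "$(firewall-cmd --zone=public --permanent --list-ports)"

# Constructed sample lists: one port was opened without --permanent,
# another was added with --permanent only.
runtime_ports="5000/tcp 4990-4999/udp"
permanent_ports="5000/tcp 8080/tcp"
fw_drift "$runtime_ports" "$permanent_ports" || echo "drift detected"
```

The same function works for `--list-services` output.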

 


  • behrooz mohamadi nsasab
21 Esfand

SELinux stands for Security-Enhanced Linux. It is a way to improve server security.


cat /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Show state:

  • $ sestatus       # show state
  • $ getenforce     # show state

Change (not permanent):

  • $ setenforce enforcing      # or: setenforce permissive

Change Permanently:

vim /etc/selinux/config
SELINUX=enforcing
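setenforce changes only the running mode, while /etc/selinux/config decides the mode at the next boot, so the two can disagree. The following added example (not part of the original post) reads the SELINUX= line and compares it with the mode reported by getenforce. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the boot-time SELinux mode with the running mode.

# Prints the value of the first SELINUX= line, lower-cased (empty if none).
# Comment lines and SELINUXTYPE= do not match the pattern.
configured_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# usage: selinux_mode_check CONFIG_FILE RUNTIME_MODE
# returns 0 if both agree, 1 on drift, 2 if the config value is not valid
selinux_mode_check() {
    boot=$(configured_mode "$1")
    live=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$boot" in
        enforcing|permissive|disabled) ;;
        *) echo "INVALID: SELINUX='$boot' in $1"; return 2 ;;
    esac
    if [ "$boot" = "$live" ]; then
        echo "OK: $live now and after reboot"
    else
        echo "DRIFT: running $live, next boot $boot"
        return 1
    fi
}

# Live usage: selinux_mode_check /etc/selinux/config "$(getenforce)"

# Constructed sample: config as shown in the post, runtime switched with
# "setenforce permissive" (getenforce then prints "Permissive").
demo_cfg=$(mktemp)
printf '%s\n' \
    '# SELINUX= can take one of these three values:' \
    'SELINUX=enforcing' \
    'SELINUXTYPE=targeted' > "$demo_cfg"
selinux_mode_check "$demo_cfg" "Enforcing"
selinux_mode_check "$demo_cfg" "Permissive" || true
rm -f "$demo_cfg"
```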


  • behrooz mohamadi nsasab