Сервер Red Hat Linux 7.3
Настройка (ограничение) доступа к серверу elis.it.ru
Конфигурационный файл /etc/hosts.deny
[root@elis /root]# less /etc/hosts.deny
#
# hosts.deny	This file describes the names of the hosts which are
#		*not* allowed to use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
#
# Access policy for elis: default-deny with an inline allowlist.  Every
# libwrap-aware service (tcpd/xinetd-spawned daemons, portmap as the
# stock comment says, and any daemon linked with libwrap such as sshd)
# refuses all clients except the addresses listed below.  The in-kernel
# nfsd on 2049 does not read this file, so the NFS data path itself is
# protected only by /etc/exports and the packet filter.
#
# NOTE(review): /etc/hosts.allow is consulted first and is not shown on
# this page; any entry there overrides this deny rule.  Matching is on
# the source IP only -- tcp_wrappers gives no protection against
# spoofed sources.
#
# NOTE(review): the conventional layout is a bare "ALL: ALL" here with
# the allowlist kept in /etc/hosts.allow, which is easier to audit; the
# EXCEPT form below is equivalent in effect.
#
# NOTE(review): several clients listed in /etc/exports on this host
# (172.18.93.4, .5, .11, .24, .25, .36, .40, .62) are NOT in this list.
# Because portmap (and rpc.mountd, if built with libwrap) honor
# hosts.deny, those clients would be refused at mount time -- confirm
# whether this list or /etc/exports is the stale one.
ALL: ALL EXCEPT 172.18.11.17, \
	172.18.14.2, 172.18.14.5, 172.18.14.19, \
	172.18.17.27, \
	172.18.34.101, \
	172.18.64.100, 172.18.64.197, \
	172.18.65.1, \
	172.18.84.5, \
	172.18.92.16, 172.18.92.17, \
	172.18.93.64, 172.18.93.86, 172.18.93.92, \
	172.18.94.1, 172.18.94.2, 172.18.94.3, 172.18.94.4, \
	172.18.94.5, 172.18.94.6, 172.18.94.7, \
	172.18.94.10, 172.18.94.11, \
	172.18.94.14, 172.18.94.15, 172.18.94.17, 172.18.94.18, \
	172.18.94.19, 172.18.94.20, 172.18.94.21, 172.18.94.22, \
	172.18.94.23, \
	172.18.94.24, 172.18.94.25, 172.18.94.26, 172.18.94.27, \
	172.18.94.28, 172.18.94.31, 172.18.94.35, \
	172.18.157.2, 172.18.157.3, 172.18.157.40, \
	172.18.159.3, \
	172.18.209.60
exports — NFS file systems being exported (for kernel-based NFS). Конфигурационный файл /etc/exports
[root@elis /root]# less /etc/exports
# NFS exports for elis.  Format: <path> <client>(<options>) ...
# Per exports(5) root_squash is the default: client root is mapped to
# the anonymous uid (nobody/nfsnobody, or anonuid when given).  Every
# other client uid/gid is passed through unchanged (AUTH_SYS), so each
# rw client below is trusted to manage its own uid space.
#
# NOTE(review): /usr is exported read-write.  root_squash protects
# root-owned files, but any client uid that matches the owner of files
# under /usr can modify them; confirm that a rw export of the system
# tree is really needed (ro plus a separate writable area is safer).
/usr 172.18.94.4(rw)
# NOTE(review): 172.18.94.7 is listed twice for /data, first as (rw)
# and later as (ro).  exportfs should report this as a duplicated
# export entry and, in nfs-utils, the first entry wins -- so .94.7
# effectively has rw.  Delete whichever entry is not intended and
# verify with `exportfs -v`.
# anonuid/anongid=505 without all_squash only changes where root_squash
# sends client root: root on 172.18.157.2, 172.18.93.4, 172.18.157.40
# and 172.18.157.3 acts as uid/gid 505 on this export.
# NOTE(review): the 172.18.93.x clients here (.4, .5, .11, .24, .25,
# .36, .40, .62) are absent from the /etc/hosts.deny allowlist; since
# portmap honors tcp_wrappers they may be unable to mount at all.
/data 172.18.94.5(rw) 172.18.94.7(rw) 172.18.157.2(rw,anonuid=505,anongid=505) \
	172.18.84.5(rw) 172.18.209.60(rw) 172.18.93.62(ro) 172.18.93.40(ro) \
	172.18.93.4(rw,anonuid=505,anongid=505) 172.18.93.24(ro) 172.18.94.4(rw) \
	172.18.93.25(ro) 172.18.93.11(ro) 172.18.93.36(ro) 172.18.34.101(ro) \
	172.18.94.27(ro) 172.18.93.5(ro) 172.18.94.7(ro) 172.18.94.1(ro) \
	172.18.157.40(ro,anonuid=505,anongid=505) \
	172.18.157.3(ro,anonuid=505,anongid=505) \
	172.18.94.6(ro)
# Read-only tree (by its name presumably a Red Hat 6.2 image).
/usr/rh62 172.18.94.6(ro) 172.18.157.2(ro) 172.18.34.101(ro)
# all_squash: every user on 172.18.94.7 acts as 505:505 here, so the
# client can only touch what uid 505 owns.
# NOTE(review): this export lives under /tmp, which is world-writable
# and on this distro periodically cleaned by tmpwatch if that job is
# enabled -- consider a dedicated directory outside /tmp.
/tmp/bill 172.18.94.7(rw,all_squash,anonuid=505,anongid=505)
Конфигурационный файл /etc/sysconfig/ipchains (elis)
[root@elis /root]# less /etc/sysconfig/ipchains
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
#
# ipchains evaluates rules top-down and the first match wins; a packet
# matching none of them gets the chain policy, which is ACCEPT for all
# three chains here.  The tcp rules carry -y (SYN-only), so this is a
# stateless filter: only new inbound connections are screened, and
# replies to outbound connections pass on the default policy.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
# Opened to every source: NFS data (2049/udp), HTTP, FTP, SSH.
# Nothing opens portmap (111) or rpc.mountd, which an NFS client must
# reach before it can use 2049 -- see the eth0 rule below.
-A input -s 0/0 -d 0/0 2049 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
# NOTE(review): lokkit "trusted device" rule.  It accepts EVERYTHING
# arriving on eth0 before any REJECT below is consulted, so for eth0
# the rest of this file is dead: portmap, mountd, X, xfs and every
# other port are reachable, and the only remaining controls on this
# host are /etc/hosts.deny and /etc/exports.  If eth0 is the only (or
# the untrusted) interface, this firewall filters nothing; confirm
# that is intended.  Simply removing the rule would also break NFS
# mounts, because 111 and mountd are not opened above.
-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
# Reject new connections to privileged ports, NFS, X11 displays :0-:9
# (6000-6009) and xfs (7100).  Reached only for interfaces other than
# lo/eth0 (e.g. ppp).
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
Конфигурационный файл /etc/sysconfig/iptables (labuch; в листинге приглашение показывает хост grossb)
[root@grossb /root]# less /etc/sysconfig/iptables
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
#
# iptables-save format.  All three built-in chains default to ACCEPT;
# INPUT and FORWARD are both routed through the single lokkit chain,
# whose rules are evaluated top-down, first match wins.  The tcp rules
# use --syn, so only new inbound connections are screened (stateless,
# no conntrack rules).
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
# Opened to every source: NFS over tcp (2049), NNTP, HTTP, FTP, SSH, SMTP.
# There is no matching 2049/udp accept, and portmap (111) / mountd are
# not opened, so NFS clients on a non-trusted interface cannot mount.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 119 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
# NOTE(review): lokkit "trusted device" rule -- accepts everything that
# arrives on eth0 (and, via the FORWARD jump above, everything being
# forwarded from eth0) before the REJECT rules below are consulted.
# If eth0 is the host's only interface the firewall screens nothing;
# confirm this is intended rather than a leftover of the lokkit dialog.
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
# Reject new connections to privileged ports, NFS, X11 displays :0-:9
# and xfs (7100).  Only reached for interfaces other than lo/eth0.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
Конфигурационный файл /etc/sysconfig/iptables (shrek.technet)
[root@shrek /root]# less /etc/sysconfig/iptables
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
#
# Two-interface host (eth0, eth1) that also SNATs two internal
# addresses to a public one (see *nat), i.e. presumably a gateway.
# Which interface carries the public 81.176.142.x side is not visible
# here, nor whether ip_forward is enabled.
# All built-in chains default to ACCEPT; INPUT and FORWARD share the
# lokkit chain (top-down, first match wins; --syn rules => stateless).
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
# Opened to every source: HTTP, FTP, SSH, SMTP.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
# DHCP (bootps/bootpc, 67-68/udp) on both interfaces.
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
# NOTE(review): BOTH physical interfaces are lokkit "trusted devices".
# Everything arriving on eth0 or eth1 -- inbound to this host and,
# through the FORWARD jump, forwarded between them -- is accepted here,
# so the DNS rule and the two catch-all REJECTs below never see real
# traffic (only lo and any other interface, e.g. ppp, reach them).  If
# one of eth0/eth1 is the Internet side, this host and everything it
# forwards are effectively unfiltered; confirm that is intended.
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
# Any UDP from 81.176.142.129 (presumably the resolver) with source
# port 53 to ANY local port.  Matching on source port alone is a known
# filter-bypass pattern; it is limited to one address here, and is
# unreachable anyway while eth0/eth1 are trusted.
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 81.176.142.129 --sport 53 -d 0/0 -j ACCEPT
# Default deny for new TCP connections and all UDP on untrusted interfaces.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
# Source NAT: only 172.18.1.201 and 172.18.1.40 are rewritten to
# 81.176.142.134; the whole-/24 variants are kept commented out, so
# other 172.18.1.x hosts get no NAT (but, given the filter above, may
# still be forwarded with their private source address).  The active
# SNAT rules carry no -o, so they apply on every outgoing interface,
# not only the public one.
# NOTE(review): the last commented line still carries "-c PKTS BYTES",
# an iptables-save counter placeholder -- harmless while commented,
# but it would likely fail to load if re-enabled as-is.
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#:RH-SunTechnic-0-50-OUTPUT - [0:0]
#-A OUTPUT -j RH-SunTechnic-0-50-OUTPUT
#-A PREROUTING -j RH-SunTechnic-0-50-OUTPUT
#-A POSTROUTING -j RH-SunTechnic-0-50-OUTPUT
#-A RH-SunTechnic-0-50-OUTPUT -s 172.18.1.0/24 -j SNAT --to-source 81.176.142.134
-A POSTROUTING -s 172.18.1.201 -j SNAT --to-source 81.176.142.134
-A POSTROUTING -s 172.18.1.40 -j SNAT --to-source 81.176.142.134
#-A POSTROUTING -s 172.18.1.0/24 -j SNAT --to-source 81.176.142.134
#-A POSTROUTING -s 172.18.1.0/24 -j SNAT --to-source 81.176.142.134 -c PKTS BYTES
COMMIT
Конфигурационный файл /etc/passwd (shrek.technet)
[root@shrek /root]# less /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown +1 -h halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin rpm:x:37:37::/var/lib/rpm:/bin/bash vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin nscd:x:28:28:NSCD Daemon:/:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin squid:x:23:23::/usr/local/squid:/sbin/nologin webalizer:x:67:67:Webalizer:/var/www/html/usage:/sbin/nologin xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin named:x:25:25:Named:/var/named:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin gdm:x:42:42::/var/gdm:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin mailman:x:41:41:GNU Mailing List Manager:/var/mailman:/bin/false desktop:x:80:80:desktop:/var/lib/menu/kde:/sbin/nologin radvd:x:75:75:radvd user:/:/sbin/nologin suntechnic:x:500:500::/home/suntechnic:/bin/bash usernet:x:501:501::/home/usernet:/bin/bash cvb:x:502:502::/home/cvb:/bin/bash i36start:x:503:505::/home/internet:/usr/local/bin/class36_up i36stop:x:504:505::/home/internet:/usr/local/bin/class36_down 
i37start:x:506:505::/home/internet:/usr/local/bin/class37_up i37stop:x:507:505::/home/internet:/usr/local/bin/class37_down i38start:x:508:505::/home/internet:/usr/local/bin/class38_up i38stop:x:509:505::/home/internet:/usr/local/bin/class38_down ws10:x:510:501::/home/ws10:/sbin/nologin ws11:x:511:501::/home/ws11:/sbin/nologin ws12:x:512:501::/home/ws12:/sbin/nologin ws13:x:513:501::/home/ws13:/sbin/nologin ws14:x:514:501::/home/ws14:/sbin/nologin ws15:x:515:501::/home/ws15:/sbin/nologin ws16:x:516:501::/home/ws16:/sbin/nologin ws17:x:517:501::/home/ws17:/sbin/nologin ws18:x:518:501::/home/ws18:/sbin/nologin ws19:x:519:501::/home/ws19:/sbin/nologin ws20:x:520:501::/home/ws20:/sbin/nologin ws21:x:521:501::/home/ws21:/sbin/nologin ws22:x:522:501::/home/ws22:/sbin/nologin ws23:x:523:501::/home/ws23:/sbin/nologin ws24:x:524:501::/home/ws24:/sbin/nologin ws25:x:525:501::/home/ws25:/sbin/nologin ws26:x:526:501::/home/ws26:/sbin/nologin ws27:x:527:501::/home/ws27:/sbin/nologin ws28:x:528:501::/home/ws28:/sbin/nologin ws29:x:529:501::/home/ws29:/sbin/nologin ws30:x:530:501::/home/ws30:/sbin/nologin ws31:x:531:501::/home/ws31:/sbin/nologin ws32:x:532:501::/home/ws32:/sbin/nologin ws33:x:533:501::/home/ws33:/sbin/nologin ws34:x:534:501::/home/ws34:/sbin/nologin ws35:x:535:501::/home/ws35:/sbin/nologin ws36:x:536:501::/home/ws36:/sbin/nologin ws37:x:537:501::/home/ws37:/sbin/nologin ws38:x:538:501::/home/ws38:/sbin/nologin ws39:x:539:501::/home/ws39:/sbin/nologin ws40:x:540:501::/home/ws40:/sbin/nologin ws41:x:541:501::/home/ws41:/sbin/nologin ws42:x:542:501::/home/ws42:/sbin/nologin ws43:x:543:501::/home/ws43:/sbin/nologin ws44:x:544:501::/home/ws44:/sbin/nologin ws45:x:545:501::/home/ws45:/sbin/nologin luda:x:546:501::/home/luda:/sbin/nologin mattis:x:547:501::/home/mattis:/sbin/nologin nataly:x:548:501::/home/nataly:/sbin/nologin irina:x:549:501::/home/irina:/sbin/nologin