On UNIX systems, computer security rests on the authentication mechanism. If the root password is compromised, the system is compromised, and in a networked environment the consequences are even worse. Restricting remote root login is therefore of practical value for keeping the system secure. This article presents several methods that achieve the goal of restricting remote root login.
Method 1: add the following setting line to the /etc/default/login file:
CONSOLE=/dev/tty01
The setting takes effect immediately, with no reboot required. From then on root can log in only at the console (/dev/tty01), which blocks remote root login; however, it also blocks root login from the local network, which makes the administrator's routine maintenance work inconvenient.
Method 2: 1. To restrict remote root login, first distinguish which users are remote users (that is, users who telnet in from another Windows or UNIX system) and which are local-network users. The following shell program does this.
# Characters 9-12 of the tty name, e.g. "p1" for /dev/ttyp1; the trailing
# space in the grep pattern matches the tty column of finger's output.
TY=`tty | cut -b 9-12`
# Host column of the finger line for this tty: the address (or name) the
# user logged in from.
WH=`finger | cut -b 32-79 | grep "$TY " | cut -b 29-39`
# Characters 6-9 of the tty name: "ttyp" means a pseudo-terminal, i.e. a
# network (telnet) login rather than a directly attached terminal line.
KK=`tty | cut -b 6-9`
if [ "$KK" = "ttyp" ]
then
    WH=$WH
else
    WH="local"
fi
In the shell program above, WH is the IP address of the host the user logged in from; if /etc/hosts maps that IP address to a machine name, WH is instead the host name. Assuming the terminal server attached to the local network has the IP address 99.57.32.18, add the following line to the /etc/hosts file:
99.57.32.18 terminal_server
For every terminal that logs in to the host through the 99.57.32.18 terminal server, WH then has the same value, namely the terminal server name terminal_server.
2. In root's .profile file, act on the value of WH so that remote root login is refused:
# Ignore hangup, interrupt, quit and terminate so the user cannot break
# out of the check (signal 9, SIGKILL, cannot be trapped at all).
trap '' 1 2 3 15
if [ "$WH" = "local" -o "$WH" = "terminal_server" ]
then
    echo "Welcome......"
else
    exit
fi
Method 3: Sometimes, for convenience, root login is allowed from some computers on the local network; for example, to allow root login from the computer with LAN IP address 99.57.32.58, two additions to the preceding method are needed:
1. Add the line 99.57.32.58 xmh to the /etc/hosts file.
2. In the shell program above, change
if [ "$WH" = "local" -o "$WH" = "terminal_server" ]
to:
if [ "$WH" = "local" -o "$WH" = "terminal_server" -o "$WH" = "xmh" ]
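As an added example (not code from the original article), here is the origin gate of methods 2 and 3 written as POSIX shell functions: the tty name and login address are passed in as arguments instead of being read from tty and finger, the /etc/hosts lookup is a constructed in-script table, and the allow-list (local, terminal_server, xmh) is the one assumed above.

```shell
#!/bin/sh
# Added example: the login-origin gate from methods 2 and 3 as shell
# functions. Inputs are passed as arguments so the logic can be exercised
# without a real terminal; HOSTS_TABLE is a constructed stand-in for /etc/hosts.

HOSTS_TABLE='99.57.32.18 terminal_server
99.57.32.58 xmh'

# Origins from which root may keep its login shell (assumed list).
ALLOWED_ORIGINS="local terminal_server xmh"

# resolve_name ADDR: print the host name mapped to ADDR in HOSTS_TABLE,
# or ADDR itself when there is no mapping (which is what finger would show).
resolve_name() {
    name=$(printf '%s\n' "$HOSTS_TABLE" | awk -v a="$1" '$1 == a { print $2; exit }')
    if [ -n "$name" ]; then
        printf '%s\n' "$name"
    else
        printf '%s\n' "$1"
    fi
}

# classify_origin TTY ADDR: "local" for a real terminal line, otherwise the
# resolved name of the remote host. ttyp* is the BSD-style pseudo-terminal
# name the article tests for; pts/* covers SysV-style pseudo-terminals.
classify_origin() {
    case "$1" in
        ttyp*|pts/*) resolve_name "$2" ;;
        *)           echo local ;;
    esac
}

# root_login_allowed TTY ADDR: exit status 0 when the origin is on the
# allow-list, 1 otherwise (including an unknown or empty remote address).
# Matching is on whole words of ALLOWED_ORIGINS, so "term" never matches.
root_login_allowed() {
    wh=$(classify_origin "$1" "$2")
    case " $ALLOWED_ORIGINS " in
        *" $wh "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Usage in root's .profile (remote address taken from the "(host)" field
# of `who am i`); left commented out so this file can be sourced safely:
#   trap '' 1 2 3 15
#   addr=$(who am i | sed -n 's/.*(\(.*\)).*/\1/p')
#   root_login_allowed "$(tty | sed 's,^/dev/,,')" "$addr" || exit
```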
Method 4: Even after the above, an ordinary user can still log in and then become root with the su command, which amounts to remote root login. To prevent remote root login by this route, ordinary users must be prevented from executing the su command:
1. Change the owner of the su command to root;
2. Change the permissions of the su command to 700.
Method 5: Although the method above stops ordinary users from executing su, a "clever" user can use the ftp command to upload a copy of su that they can execute, and so obtain remote root login. To prevent this, a firewall must be set up on the router to restrict users' use of the ftp protocol; the details are not covered here.