|
|
Telnet 服务器软件的安装 Telnet 采用明文传输用户名和密码,因此对系统的安全造成了很大的威胁,在一些
重要的系统中,一般不实用telnet进行远程管理
telnet 安装
客户端 yum -y install telnet
服务器端 yum -y install telnet telnet-server xine
selinux :
iptables :iptables -I INPUT -p tcp --dport 23 -j ACCEPT
默认root 不能远程访问 mv /etc/securetty /etc/securetty.back
若将/etc/xinetd.d/telnet中添加127.0.0.1,则无法telnet,只允许本机登录。(注意:telnet不支持root用户登录,普通用户登录后可切换到root用户)
bind=172.0.0.1
5. 1)独立守护进程是通过/etc/xinetd.conf(默认配置文件)/etc/xinetd.d/services运行的,在默认文件规定过的,在/etc/xinetd.d/services中仍能指定,若冲突时,以/etc/xinetd.d/services中规定的为准。
/etc/xinetd.conf的默认配置:
defaults
{
# The next two items are intended to be a quick access place to
# temporarily enable or disable services.
#
# enabled =
# disabled =
# Define general logging characteristics.
log_type = SYSLOG daemon info
log_on_failure = HOST
log_on_success = PID HOST DURATION EXIT
# Define access restriction defaults
#
# no_access =
# only_from =
# max_load = 0
cps = 50 10
instances = 50
per_source = 10
cps 单位时间内并发访问数,相当于软限制。限制时默认等待10秒钟,每秒的最大连接数为50
instance定义某个服务最多允许的并发连接数,相当于硬限制,超过了则不允许其他用户再访问。
per_source某个ip最多能发起几个连接到主机上来,及并发连接数
only_from后的地址类型:
网络地址 (192.168.1.0)
网络名 (from /etc/networks)
ip地址/子网掩码 (192.168.0.0/24)
vim /etc/xinetd.d/tftp
service tftp
{
disable = no
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /tftpboot
per_source = 11
cps = 100 2
flags = IPv4
}
2.)非独立守护进程
chkconfig SERVICE on/off 添加某项服务
service xinetd restart
********************************************************
在telnet前,需要确定/etc/sysconfig/network和/etc/hosts中的名字一致。
例子:【1.】若将/etc/xinetd.d/telnet中添加127.0.0.1,则无法telnet,只允许本机登录。(注意:telnet不支持root用户登录,普通用户登录后可切换到root用户)
yum install telnet-server
会在/etc/xinet.d/下出现telnet
chkconfig telnet on
service xinetd restart
*************************
chkconfig xinetd on(必须开启)
chkconfig --level 35 xinetd on
telnet 192.168.0.116
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Kernel 2.6.18-164.el5 on an i686
login: zhuying
Password:
Last login: Tue Feb 23 22:47:46 from server19
若将/etc/xinetd.d/telnet中添加bind =127.0.0.1,即只允许本地登录。
vim /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses /
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
bind =127.0.0.1
}
Service xinetd restart(重启服务)
C:/>telnet 192.168.0.116
正在连接到192.168.0.116...不能打开到主机的连接, 在端口 23: 连接失败
【2.】基于ip地址拒绝访问
only_from=192.168.0.0/24
no_access=192.168.0.111
vim /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses /
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
only_from=192.168.0.0/24
no_access=192.168.0.111
}
~
Service xinetd restart (每次修改过后,重启服务)
(实现最佳匹配,拒绝192.168.0.111)
显示登录失败的信息:
[zhuying@station30 ~]$ telnet 192.168.0.116
Trying 192.168.0.116...
telnet: connect to address 192.168.0.116: Connection refused
telnet: Unable to connect to remote host: Connection refused
[zhuying@station30 ~]$
【3.】基于访问时间拒绝服务
若不在这个时间段内,则被拒绝访问
vim /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses /
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
access_times=9:00-12:00
}
Service xinetd restart (每次修改过后,不要忘了重启服务)
显示登录失败的信息:
[zhuying@station30 ~]$ telnet 192.168.0.116
Trying 192.168.0.116...
telnet: connect to address 192.168.0.116: Connection refused
telnet: Unable to connect to remote host: Connection refused
[zhuying@station30 ~]$
【4.】基于并发连接数
instance=2(该服务的并发连接数最多为2)
per_source=1(在某台主机上只能打开一个终端访问远程主机)
vim /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses /
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
instances=2
per_source=1
}
Service xinetd restart (每次修改过后,不要忘了重启服务)
当在station30上第一次远程登录时,登录成功。
[zhuying@station30 ~]$ telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Kernel 2.6.18-164.el5 on an i686
login: zhuying
Password:
Last login: Tue Feb 23 23:35:41 from server11
[zhuying@station116 ~]$
在不关闭第一个窗口的情况下再另外打开一个窗口,这时将会被拒绝。
[iyunv@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
Connection closed by foreign host.
[iyunv@station30 ~]#
[iyunv@station30 ~]#
【5.】banner:当登录时,将某个文件的内容显示给用户
cd /usr/share
vim telnet.banner
**************************
Welcome to my station!!!
Hoho,bye...
**************************
保存退出~ .
vim /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses /
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
banner =/usr/share/telnet.banner
}
~
Service xinetd restart (每次修改过后,不要忘了重启服务)
[iyunv@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
**************************
Welcome to my station!!!
Hoho,bye...
**************************
Red Hat Enterprise Linux Server release 5.4 (Tikanga)login: zhuying
Password:
Last login: Wed Feb 24 00:02:06 from server11
[zhuying@station116 ~]$
6.TCP_Wrapper
语法规则:daemon_list: client_list [:opt1 :opt2...]
通过控制某些规则来限制主机的访问
允许规则:/etc/hosts.allow
拒绝规则:/etc/hosts.deny
IP address (192.168.0.1, 10.0.0.)
name (www.redhat.com, .example.com)
netmask (192.168.0.0/255.255.255.0)
network name
例子:
【1.】分别在两个文件中定义规则,通常会先去匹配/etc/hosts.allow中的内容,若不匹配再去匹配/etc/hosts.deny中的内容
vim /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd:192.168.0.0/255.255.255.0 EXCEPT 192.168.0.111
vim /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
in.telnetd:ALL
service xinetd restart(重启服务)
登录将被拒绝:
[iyunv@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
**************************
Welcome to my station!!!
Hoho,bye...
**************************
Connection closed by foreign host.
[iyunv@station30 ~]#
若将/etc/hosts.allow中的规则替换成:
in.telnetd:ALL EXCEPT 192.168.0.0/255.255.255.0 EXCEPT 192.168.0.111
/etc/hosts.deny中的规则不变,则192.168.0.111则能登录,另外除了192.168.0.0网段的其他所有主机也都能登录成功。
【2.】发送邮件:
vim /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd:192.168.0.0/255.255.255.0:spawn /bin/echo `date` %c %d | bin/mail -s "Somebody has telnetd our server." root
vim /etc/hosts.deny
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
in.telnetd:ALL:spawn /bin/echo `date` %c %d | /bin/mail -s "Somebody has telnetd our server." root
service xinetd restart(重启服务)
此时192.168.0.网段内的主机都能登录成功:
[iyunv@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
**************************
Welcome to my station!!!
Hoho,bye...
**************************
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Kernel 2.6.18-164.el5 on an i686
login: zhuying
Password:
Last login: Wed Feb 24 02:01:49 from server11
登录上后还可以切换到root用户,看是否有邮件:
[zhuying@station116 ~]$ su -
Password:
[iyunv@station116 ~]# mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/spool/mail/root": 1 message 1 new
>N 1 root@station116.exam Wed Feb 24 02:12 16/733 "Somebody has telnetd "
& 1
Message 1:
From root@station116.example.com Wed Feb 24 02:12:25 2010
Date: Wed, 24 Feb 2010 02:12:25 +0800
From: root <root@station116.example.com>
To: root@station116.example.com
Subject: Somebody has telnetd our server.
Wed Feb 24 02:12:25 CST 2010 192.168.0.111 in.telnetd
&
【3.】在一个文件中编辑,实现访问控制:
1.)vim /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd:192.168.0.111:spawn /bin/echo `date` %c to %s is denied by %A > /var/log/tcpwrapper.log:DENY
in.telnet:192.168.0. 192.168.1. :ALLOW
service xinetd restart(重启服务)
此时,192.168.0.111登录失败:
[iyunv@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
**************************
Welcome to my station!!!
Hoho,bye...
**************************
Connection closed by foreign host.
[iyunv@station30 ~]#
2.)twist的作用:移花接木,将会被拒绝登录。
vim /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd:192.168.0.0/255.255.255.0:twist /bin/echo `date` connection refused by %s
service xinetd restart(重启服务)
[iyunv@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
**************************
Welcome to my station!!!
Hoho,bye...
**************************
Wed Feb 24 02:47:36 CST 2010 connection refused by in.telnetd@192.168.0.116
Connection closed by foreign host.
[iyunv@station30 ~]#
3.)结合上面两个例子:
vim /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd:192.168.0.111:pawn /bin/echo `date` %c to %s is denied.>> /var/log/tcpwrapper.log ;twist /bin/echo `date` Attemp log to %s failed.
in.telnetd:192.168.0. 192.168.1.:ALLOW
service xinetd restart(重启服务)
此时,192.168.0.111登录失败:
[iyunv@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
**************************
Welcome to my station!!!
Hoho,bye...
**************************
Connection closed by foreign host.
[iyunv@station30 ~]
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2015-9-28 08:48:41
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡