1. Write the script /root/bin/checkip.sh, run every 5 minutes, so that if any remote IP has more than 10 failed SSH logins it is automatically added to the TCP Wrapper blacklist and blocked
```bash
[root@test ~]#cat checkip.sh
#!/bin/bash
#
#************************************************************************
#Author: qiuhom
#QQ: 467697313
#mail: qiuhom467697313@qq.com
#Date: 2019-12-22
#FileName: checkip.sh
#URL: https://www.cnblogs.com/qiuhom-1874/
#Description:
#Copyright (C): 2019 All rights reserved
#************************************************************************
# Must run as root: it reads /var/log/secure and writes /etc/hosts.deny
[ "$UID" -ne 0 ] && echo "this script must be run as root" && exit 1
# Count failed SSH password attempts per source IP. sshd logs
# "Failed password for [invalid user] USER from IP port N ssh2", so the IP
# is always field NF-3. Output format: IP==>COUNT
cmd=$(grep "Failed password for" /var/log/secure | awk '{print $(NF-3)}' | sort | uniq -c | awk '{print $2"==>"$1}')
if [[ ! -e "/work" ]]; then
    mkdir /work
fi
echo "$cmd" > /work/ip.txt
for i in $(cat /work/ip.txt); do
    ip=$(echo "$i" | awk -F "==>" '{print $1}')
    count=$(echo "$i" | awk -F "==>" '{print $2}')
    if [ "$count" -gt 10 ]; then
        # Exact-line match, so an entry for 10.0.0.1 does not hide 10.0.0.10
        xx=$(grep -xF "ALL:$ip" /etc/hosts.deny 2>/dev/null | wc -l)
        if [ "$xx" -eq 0 ]; then
            echo "ALL:$ip" >> /etc/hosts.deny
        fi
    fi
done
[root@test ~]#
```
Note: the idea of this script is to filter the failed logins out of the log, extract the source IP of each, count how often each IP appears, and if an IP has failed to log in more than 10 times, put it into /etc/hosts.deny (the TCP Wrapper blacklist) so that it is blocked.
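The same detection logic as an added, offline-testable example (not the post's script): the log file, deny file and threshold are parameters so it can run against a constructed sample of /var/log/secure, and it handles the "invalid user" form of the sshd message; the crontab line in the comment is the assumed way to meet the 5-minute schedule.

```bash
#!/bin/bash
# Added example, not the post's script. Production call:
#   block_ssh_bruteforce /var/log/secure /etc/hosts.deny 10
# scheduled every 5 minutes with a crontab line such as:
#   */5 * * * * /root/bin/checkip.sh

# failed_ssh_ips LOG [THRESHOLD]
# Prints "IP COUNT" for every source IP with more than THRESHOLD failed logins.
# sshd logs "Failed password for USER from IP port N ssh2" and, for unknown
# accounts, "Failed password for invalid user USER from IP port N ssh2"; in
# both forms the IP follows the word "from", so the parser keys on that word.
failed_ssh_ips() {
    local log="$1" threshold="${2:-10}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] > t) print ip, n[ip] }
    ' "$log" | sort
}

# block_ssh_bruteforce LOG DENYFILE [THRESHOLD]
# Appends "ALL:IP" to DENYFILE for each offending IP not already listed
# (exact line match, so ALL:10.0.0.1 does not hide ALL:10.0.0.10), prints the
# IPs it added, and is idempotent: a second run adds nothing.
block_ssh_bruteforce() {
    local log="$1" deny="$2" threshold="${3:-10}" ip count
    touch "$deny"
    failed_ssh_ips "$log" "$threshold" | while read -r ip count; do
        if ! grep -qxF "ALL:$ip" "$deny"; then
            echo "ALL:$ip" >> "$deny"
            echo "$ip"
        fi
    done
}

# Constructed sample of /var/log/secure (not a real capture): 12 failures from
# 203.0.113.7, 11 from 198.51.100.9 against a nonexistent account, 1 from 192.0.2.3.
sample_secure_log() {
    local f i; f=$(mktemp)
    {
        for i in $(seq 1 12); do
            echo "Dec 22 13:00:00 test sshd[1234]: Failed password for root from 203.0.113.7 port 5$i ssh2"
        done
        for i in $(seq 1 11); do
            echo "Dec 22 13:01:00 test sshd[1235]: Failed password for invalid user admin from 198.51.100.9 port 6$i ssh2"
        done
        echo "Dec 22 13:02:00 test sshd[1236]: Failed password for magedu from 192.0.2.3 port 7000 ssh2"
        echo "Dec 22 13:02:05 test sshd[1236]: Accepted password for magedu from 192.0.2.3 port 7000 ssh2"
    } > "$f"
    echo "$f"
}
```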
2. Configure sudo permissions for the magedu user so that magedu has root privileges
Method 1: add the magedu user to the wheel group, without editing /etc/sudoers through visudo
```bash
[root@test ~]#id magedu
uid=1004(magedu) gid=1004(magedu) 組=1004(magedu)
[root@test ~]#su - magedu
上一次登陸:日 12月 22 13:52:50 CST 2019pts/0 上
[magedu@test ~]$cat /etc/sudoers
cat: /etc/sudoers: 權限不夠
[magedu@test ~]$su -
密碼:
上一次登陸:日 12月 22 13:26:01 CST 2019pts/0 上
[root@test ~]#usermod -aG wheel magedu
[root@test ~]#id magedu
uid=1004(magedu) gid=1004(magedu) 組=1004(magedu),10(wheel)
[root@test ~]#su - magedu
上一次登陸:日 12月 22 13:55:04 CST 2019pts/0 上
[magedu@test ~]$cat /etc/sudoers
cat: /etc/sudoers: 權限不夠
[magedu@test ~]$sudo cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults    always_query_group_plugin

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
qiuhom  ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
[magedu@test ~]$
```
Note: this works because /etc/sudoers already contains a rule for the wheel group that allows its members to run all commands.
Method 2: configure the magedu user so that it can do anything in place of root
```bash
[magedu@test ~]$su -
密碼:
上一次登陸:日 12月 22 13:55:26 CST 2019pts/0 上
[root@test ~]#usermod -G magedu magedu
[root@test ~]#id magedu
uid=1004(magedu) gid=1004(magedu) 組=1004(magedu)
[root@test ~]#echo "magedu ALL=(root) ALL" >> /etc/sudoers
[root@test ~]#tail /etc/sudoers
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
magedu ALL=(root) ALL
[root@test ~]#su - magedu
上一次登陸:日 12月 22 13:55:49 CST 2019pts/0 上
[magedu@test ~]$cat /etc/sudoers
cat: /etc/sudoers: 權限不夠
[magedu@test ~]$sudo cat /etc/sudoers
[sudo] magedu 的密碼:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults    always_query_group_plugin

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
qiuhom  ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
magedu ALL=(root) ALL
[magedu@test ~]$
```
Note: this method configures the magedu user so that it can run all commands as root.
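An added example (not from the post) that installs the same "magedu ALL=(root) ALL" rule as method 2, but as a drop-in under /etc/sudoers.d, which the "#includedir /etc/sudoers.d" line shown above already enables, and checks it with visudo before it goes live, rather than appending to /etc/sudoers with echo. The target directory is a parameter (assumed default /etc/sudoers.d) so the function can be exercised against a scratch directory; the visudo check only runs as root, which is the only case where the file can be installed anyway.

```bash
#!/bin/bash
# Added example, not the post's commands. A syntax error in sudoers locks
# everyone out of sudo, which is why the rule is validated before being moved
# into place; the real target is /etc/sudoers.d and needs root.

# sudo_rule_for USER -> the one-line rule that will be installed
sudo_rule_for() { printf '%s ALL=(root) ALL\n' "$1"; }

# write_sudo_rule USER [DIR]
write_sudo_rule() {
    local user="$1" dir="${2:-/etc/sudoers.d}" tmp
    # sudo ignores drop-ins whose name contains '.' or '~', so refuse such names
    case "$user" in ""|*.*|*~*|*/*) echo "invalid user name: '$user'" >&2; return 1 ;; esac
    # A dotted temp name in the same directory: sudo skips it while incomplete,
    # and the final mv is atomic on the same filesystem.
    tmp=$(mktemp "$dir/.$user.XXXXXX") || return 1
    sudo_rule_for "$user" > "$tmp"
    chmod 0440 "$tmp"   # sudo rejects drop-ins with looser permissions
    # visudo -cf parses the file without installing it (root only, see lead-in)
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$tmp" >/dev/null 2>&1; then
            rm -f "$tmp"; echo "visudo rejected rule for $user" >&2; return 1
        fi
    fi
    mv "$tmp" "$dir/$user"
}
```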
4. Configure the chrony service so that server time is synchronized automatically
1) Install chrony
```bash
yum install chrony -y
```
Note: with ntp, both the server software and the client software must run as daemons, and ntp as a server has the drawback that its synchronization interval is very long. This exercise therefore uses chrony for both the client and the server: it is more accurate than ntp and synchronizes more frequently.
2) Configure chrony.conf so that it runs as a time server and allows the internal subnet to synchronize from it, then start the service
```bash
[root@test ~]#cat /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network.
allow 192.168.0.0/16

# Serve time even if not synchronized to a time source.
#local stratum 10

# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking
[root@test ~]#
```
Note: server is the address of the upstream time server; allow is followed by the permitted client address/netmask, or it can be set to allow all, which permits every client to synchronize time from this host.
```bash
systemctl start chronyd
```
Note: once chronyd is started, this host can be used as a time synchronization server, and we can use the chronyc tool to see which upstream server the time server itself synchronizes from. By default chronyd listens on port 123 (NTP) and port 323 (the chronyc command port); the ss -nulp output below shows both as UDP sockets, with 323 bound to localhost only.
```bash
[root@test ~]#ss -nulp
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
UNCONN     0      0             *:123                       *:*                   users:(("chronyd",pid=17074,fd=7))
UNCONN     0      0      127.0.0.1:323                      *:*                   users:(("chronyd",pid=17074,fd=5))
UNCONN     0      0          ::1:323                       :::*                   users:(("chronyd",pid=17074,fd=6))
[root@test ~]#
```
```bash
[root@test ~]#chronyc sources -v
210 Number of sources = 1

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* sv1.ggsrv.de                  2   7   377    10   -361us[ -538us] +/-  128ms
[root@test ~]#chronyc sourcestats -v
210 Number of sources = 1
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |           /         .- Est. offset.
                           |   |   |     |          |          |   On the -.
                           |   |   |     |          |          |   samples. \
                           |   |   |     |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
sv1.ggsrv.de               22  12   22m     -0.040      2.784   -937ns  1441us
[root@test ~]#
```
Note: here chrony, acting as a client, synchronizes time from the internet server sv1.ggsrv.de. chronyc is an interactive tool for viewing the state of the time server and managing it; it has many subcommands, and its help is available through the chronyc help command.
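An added example (not from the post) that turns the chronyc sources output explained above into a monitoring check: it parses the MS column to decide whether the host is really synchronized, for use as chronyc sources | chrony_sync_status in a cron job. The two sample outputs are the server's and the client's lines from this post.

```bash
#!/bin/bash
# Added example, not the post's commands: parse "chronyc sources" output.

# chrony_sync_status  (reads "chronyc sources" output on stdin)
# Returns 0 and prints "synced NAME stratum=S reach=377" when a source is the
# currently selected one ('*' in the S column) and fully reachable (reach 377,
# the octal register of the last 8 polls); otherwise prints why and returns 1.
chrony_sync_status() {
    awk '
        BEGIN { total = 0; unreachable = 0; synced = "" }
        # Source lines: mode (^ server, = peer, # local clock) then state char
        /^[=#^][*+?x~-] / {
            state = substr($1, 2, 1); total++
            if (state == "*") { synced = $2; stratum = $3; reach = $5 }
            if (state == "?") unreachable++
        }
        END {
            if (total == 0) { print "no sources configured"; exit 1 }
            if (synced == "") { print "no source selected, " unreachable " of " total " unreachable"; exit 1 }
            if (reach != "377") { print "synced to " synced " but reach=" reach " (still converging)"; exit 1 }
            print "synced " synced " stratum=" stratum " reach=" reach
        }'
}

# Outputs taken from the post: the server synced to sv1.ggsrv.de, and the
# freshly configured client that has reached 192.168.0.99 only a few times.
sample_server_sources() {
    printf '%s\n' '210 Number of sources = 1' \
        'MS Name/IP address         Stratum Poll Reach LastRx Last sample' \
        '===============================================================================' \
        '^* sv1.ggsrv.de                  2   7   377    10   -361us[ -538us] +/-  128ms'
}
sample_client_sources() {
    printf '%s\n' '210 Number of sources = 1' \
        'MS Name/IP address         Stratum Poll Reach LastRx Last sample' \
        '===============================================================================' \
        '^* 192.168.0.99                  3   6    17     3    -21us[-14582m] +/-  131ms'
}
```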
3) Configure the client and point it at the time server we just set up
```bash
[root@test ~]#yum info chrony
Loaded plugins: fastestmirror, security
Determining fastest mirrors
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                     | 3.7 kB     00:00
epel                                                     | 5.3 kB     00:00
epel/primary_db                                          | 6.1 MB     00:01
extras                                                   | 3.4 kB     00:00
extras/primary_db                                        |  29 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 7.5 MB     00:02
Available Packages
Name        : chrony
Arch        : x86_64
Version     : 2.1.1
Release     : 2.el6_8
Size        : 266 k
Repo        : base
Summary     : An NTP client/server
URL         : http://chrony.tuxfamily.org
License     : GPLv2
Description : A client/server for the Network Time Protocol, this program keeps your
            : computer's clock accurate. It was specially designed to support
            : systems with intermittent internet connections, but it also works well
            : in permanently connected environments. It can use also hardware reference
            : clocks, system real-time clock or manual input as time references.

[root@test ~]#yum install chrony -y
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
--> Running transaction check
---> Package chrony.x86_64 0:2.1.1-2.el6_8 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================
 Package                 Arch                    Version                           Repository                   Size
=====================================================================================================================
Installing:
 chrony                  x86_64                  2.1.1-2.el6_8                     base                        266 k

Transaction Summary
=====================================================================================================================
Install       1 Package(s)

Total download size: 266 k
Installed size: 453 k
Downloading Packages:
chrony-2.1.1-2.el6_8.x86_64.rpm                                                               | 266 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : chrony-2.1.1-2.el6_8.x86_64                                                                       1/1
  Verifying  : chrony-2.1.1-2.el6_8.x86_64                                                                       1/1

Installed:
  chrony.x86_64 0:2.1.1-2.el6_8

Complete!
[root@test ~]#vim /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org iburst
#server 1.rhel.pool.ntp.org iburst
#server 2.rhel.pool.ntp.org iburst
#server 3.rhel.pool.ntp.org iburst
server 192.168.0.99

# Ignore stratum in source selection.
stratumweight 0

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# In first three updates step the system clock instead of slew
# if the adjustment is larger than 10 seconds.
makestep 10 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Allow NTP client access from local network.
#allow 192.168/16

# Serve time even if not synchronized to any NTP server.
#local stratum 10

# Specify file containing keys for NTP and command authentication.
keyfile /etc/chrony.keys

# Specify key number for command authentication.
commandkey 1

# Generate new command key on start if missing.
generatecommandkey

# Disable logging of client accesses.
noclientlog

# Send message to syslog when clock adjustment is larger than 0.5 seconds.
"/etc/chrony.conf" 46L, 1272C written
[root@test ~]#
```
Note: the client also needs the chrony package installed and its service running. The client could of course install the ntp package instead and synchronize with ntpdate followed by the time server address, but ntpdate is crude: it simply jumps the system clock to the server's time, leaving a gap in between, and synchronizing this way is strongly discouraged.
```bash
[root@test ~]#date
Thu Dec 12 12:14:08 CST 2019
[root@test ~]#chronyc sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.0.99                  3   6    17     3    -21us[-14582m] +/-  131ms
[root@test ~]#date
Sun Dec 22 15:16:15 CST 2019
```

```bash
[root@test ~]#date -s "20191212 12:12:00"
Thu Dec 12 12:12:00 CST 2019
[root@test ~]#date
Thu Dec 12 12:12:02 CST 2019
[root@test ~]#ntpdate 192.168.0.99
22 Dec 15:18:15 ntpdate[3911]: step time server 192.168.0.99 offset 875161.922491 sec
[root@test ~]#date
Sun Dec 22 15:18:17 CST 2019
[root@test ~]#
```
5. Implement automated installation with cobbler + PXE