系統的INPUT和OUTPUT默認策略為DROP，請完成以下關于iptables的題目；iptables -A INPUT -d 10.18.11.13 -p tcp --dport 22 -j ACCEPT #允許ssh端口

iptables -A OUTPUT -s 10.18.11.13 -p tcp --sport 22 -j ACCEPT

iptables -P OUTPUT DROP #設置OUTPUT的默認策略為DROP

iptables -P INPUT DROP #設置INPUT的默認策略為DROP

iptables -L

Chain INPUT (policy DROP)

target prot opt source destination

ACCEPT tcp -- anywhere 10.18.11.13 tcp dpt:ssh

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy DROP)

target prot opt source destination

ACCEPT tcp -- 10.18.11.13 anywhere tcp spt:ssh

一、限制本地主機的web服務器在周一不允許訪問；新請求的速率不能超過100個每秒；web服務器包含了admin字符串的頁面不允許訪問；web服務器僅允許響應報文離開本機；

iptables -A INPUT -p tcp -d 10.18.11.13 --dport 80 -m string --algo kmp --string "admin" -j DROP

#拒絕所有訪問包含admin字符串頁面的請求

iptables -A INPUT -d 10.18.11.13 -p tcp --dport 80 -m time ! --weekdays Mon -m limit --limit 100/second -m string --algo kmp --string "admin" -j ACCEPT

#允許周一除外時間訪問web服務器，新請求的速率不能超過100個每秒

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

二、在工作時間，即周一到周五的8:30-18:00，開放本機的ftp服務給172.16.0.0網絡中的主機訪問；數據下載請求的次數每分鐘不得超過5個；

iptables -A INPUT -s 172.16.0.0/16 -p tcp -m multiport --dport 20,21 -m time --weekdays 1,2,3,4,5 --timestart 8:30 --timestop 18:00 -m limit --limit 5/minute -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -d 172.16.0.0/16 -p tcp -m multiport --dport 20,21 -m time --weekdays 1,2,3,4,5 --timestart 8:30 --timestop 18:00 -m limit --limit 5/minute -m state --state NEW,ESTABLISHED -j ACCEPT

三、開放本機的ssh服務給172.16.x.1-172.16.x.100中的主機，x為你的座位號，新請求建立的速率一分鐘不得超過2個；僅允許響應報文通過其服務端口離開本機；

iptables -I INPUT -m iprange --src-range 172.16.11.0-172.168.11.255 -m limit --limit 2/minute -p tcp --dport 22 -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

四、拒絕TCP標志位全部為1及全部為0的報文訪問本機；

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

五、允許本機ping別的主機；但不開放別的主機ping本機；

iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

六、判斷下述規則的意義：

iptables -N clean_in

#新建自定義鏈clean_in

iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP

#丟棄icmp廣播包

iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP

#丟棄到172.16.0.0/16網段的icmp廣播包

iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP

#丟棄syn標志位不為1且狀態為new的包

iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP

#丟棄tcp標志位全為1的包

iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP

#丟棄tcp標志位全為0的包

iptables -A clean_in -d 172.16.100.7 -j RETURN

#把目標為172.16.100.7的請求返回主鏈匹配

iptables -A INPUT -d 172.16.100.7 -j clean_in

#把目標為172.16.100.7的請求用clean_in鏈匹配

iptables -A INPUT -i lo -j ACCEPT

#允許來自于lo接口的數據包

iptables -A OUTPUT -o lo -j ACCEPT

#允許向lo接口發送數據包

iptables -A INPUT -i eth0 -m multiport -p tcp --dports 53,113,135,137,139,445 -j DROP

#丟棄指定接口為eth0， 協議為tcp，目標端口為53,113,135,137,139,445的包

iptables -A INPUT -i eth0 -m multiport -p udp --dports 53,113,135,137,139,445 -j DROP

#丟棄指定接口為eth0， 協議為udp，目標端口為53,113,135,137,139,445的包

iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP

#丟棄指定接口為eth0， 協議為udp，目標端口為1026的包

iptables -A INPUT -i eth0 -m multiport -p tcp --dports 1433,4899 -j DROP

#丟棄指定接口為eth0， 協議為tcp，目標端口為1433,4899的包

iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT

#限定icmp包的速率為10個每秒

七、通過tcp_wrapper控制vsftpd僅允許172.16.0.0/255.255.0.0網絡中的主機訪問，但172.16.100.3除外；對所被被拒絕的訪問嘗試都記錄在/var/log/tcp_wrapper.log日志文件中；[root@localhost /]# vim /etc/hosts.allow

vsftpd:172.16.0.0/255.255.0.0 EXCEPT 172.16.100.3

[root@localhost /]# vim /etc/hosts.deny

vsftpd:ALL :spawn /bin/echo `date` login attempt from %c to %s, %d >> /var/log/tcp_wrapper.log

八、刪除/boot/grub/grub.conf文件中所有行的行首的空白字符；[root@localhost ~]# sed s/^[[:space:]]*//g /boot/grub/grub.conf

# grub.conf generated by anaconda

#

# Note that you do not have to rerun grub after making changes to this file

# NOTICE: You have a /boot partition. This means that

# all kernel and initrd paths are relative to /boot/, eg.

# root (hd0,0)

# kernel /vmlinuz-version ro root=/dev/sda3

# initrd /initrd-[generic-]version.img

#boot=/dev/sda

default=0

timeout=5

splashp_w_picpath=(hd0,0)/grub/splash.xpm.gz

hiddenmenu

title CentOS (2.6.32-431.el6.x86_64)

root (hd0,0)

kernel /vmlinuz-2.6.32-431.el6.x86_64 ro root=UUID=10cca036-87a5-4646-9bdb-88f252f589be rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF-8 rd_NO_LVM rd_NO_DM rhgb quiet

initrd /initramfs-2.6.32-431.el6.x86_64.img

九、刪除/etc/fstab文件中所有以#開頭，后跟至少一個空白字符的行的行首的#和空白字符；[root@localhost ~]# sed s/^#[[:space:]+]//g /etc/fstab

#

/etc/fstab

Created by anaconda on Mon Aug 15 10:39:56 2016

#

Accessible filesystems, by reference, are maintained under '/dev/disk'

See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info

#

UUID=a540e0d8-e8be-4cdb-b70c-835d1bda5b95 / ext4 defaults 1 1

UUID=b034f272-a4eb-41e1-bb51-d0995fb56644 /boot ext4 defaults 1 2

UUID=6283d75d-5d6c-4f17-9124-c731fe075663 swap swap defaults 0 0

/dev/vgdata/mylv /users ext4 defaults,acl 0 0

十、把/etc/fstab文件的奇數行另存為/tmp/fstab.3；[root@localhost ~]# awk 'NR%2==1' /etc/fstab > /tmp/fstab.3

[root@localhost ~]# cat /tmp/fstab.3

# /etc/fstab

#

# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info

UUID=a540e0d8-e8be-4cdb-b70c-835d1bda5b95 / ext4 defaults 1 1

UUID=6283d75d-5d6c-4f17-9124-c731fe075663 swap swap defaults 0 0

[root@localhost ~]# sed -n "p;n" /etc/fstab > /tmp/fstab.3

[root@localhost ~]# cat /tmp/fstab.3

# /etc/fstab

#

# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info

UUID=a540e0d8-e8be-4cdb-b70c-835d1bda5b95 / ext4 defaults 1 1

UUID=6283d75d-5d6c-4f17-9124-c731fe075663 swap swap defaults 0 0

十一、echo一個文件路徑給sed命令，取出其基名；進一步地，取出其路徑名；[root@localhost ~]# echo "/etc/sysconfig/network" | sed 's#^\(/.*/\)[^/]*#\1#g'

/etc/sysconfig/

[root@localhost ~]# echo "/etc/sysconfig/network" | sed 's#^/.*/##g'

network

十二、統計當前系統上所有tcp連接的各種狀態的個數；[17:49:36 root@qa36 /data/nginx/html/static]#netstat -tan | awk '/^tcp/{state[$NF]++}END{for(i in state) { print i,state[i]}}'

TIME_WAIT 331

FIN_WAIT2 5

ESTABLISHED 316

LISTEN 23

十三、統計指定的web訪問日志中各ip的資源訪問次數：[root@localhost /]# more access.log

59.56.78.124 - - [01/Nov/2016:03:48:04 +0800] "POST /noticeData.htm HTTP/1.1" 200 71061 "http://www.ztrong.com/recruit.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Windows

NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QIHU 360EE) ; .NET CLR 2.0.50727)" "101.201.68.23"

59.56.78.124 - - [01/Nov/2016:03:48:10 +0800] "POST /checkUserIsLogin.htm HTTP/1.1" 200 28 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;

Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QIHU 360EE) ; .NET CLR 2.0.50727)" "101.201.68.23"

59.56.78.124 - - [01/Nov/2016:03:48:12 +0800] "GET /itemList.htm HTTP/1.1" 200 5872 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Triden

t/4.0; .NET CLR 2.0.50727; doyo 2.6.1)" "124.72.233.225"

59.56.78.124 - - [01/Nov/2016:03:48:14 +0800] "POST /checkUserIsLogin.htm HTTP/1.1" 200 28 "http://www.ztrong.com/itemList.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Win

dows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; doyo 2.6.1)" "124.72.233.225"

59.56.78.124 - - [01/Nov/2016:03:48:17 +0800] "POST /noticeData.htm HTTP/1.1" 200 71054 "http://www.ztrong.com/itemList.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Window

s NT 5.1; Trident/4.0; .NET CLR 2.0.50727; doyo 2.6.1)" "124.72.233.225"

59.56.78.124 - - [01/Nov/2016:03:48:18 +0800] "POST /itemListAjax.htm HTTP/1.1" 200 44804 "http://www.ztrong.com/itemList.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Wind

ows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; doyo 2.6.1)" "124.72.233.225"

59.56.78.124 - - [01/Nov/2016:03:48:24 +0800] "POST /index/indexInit.htm HTTP/1.1" 200 95753 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.

1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QIHU 360EE) ; .NET CLR 2.0.50727)" "101.201.68.23"

59.56.78.124 - - [01/Nov/2016:03:48:26 +0800] "POST /checkUserIsLogin.htm HTTP/1.1" 200 28 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;

Trident/4.0; .NET CLR 2.0.50727; doyo 2.6.1)" "124.72.233.225"

59.56.78.124 - - [01/Nov/2016:03:48:28 +0800] "POST /index/indexInit.htm HTTP/1.1" 200 95753 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.

1; Trident/4.0; .NET CLR 2.0.50727; doyo 2.6.1)" "124.72.233.225"

59.56.78.124 - - [01/Nov/2016:03:48:29 +0800] "GET /newFriend.htm HTTP/1.1" 200 5019 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Tride

nt/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QIHU 360EE) ; .NET CLR 2.0.50727)" "101.201.68.23"

59.56.78.124 - - [01/Nov/2016:03:48:32 +0800] "POST /checkUserIsLogin.htm HTTP/1.1" 200 28 "http://www.ztrong.com/newFriend.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Wi

ndows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QIHU 360EE) ; .NET CLR 2.0.50727)" "101.201.68.23"

59.56.78.124 - - [01/Nov/2016:03:48:34 +0800] "POST /checkUserIsLogin.htm HTTP/1.1" 200 28 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;

Trident/4.0; Sicent; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" "61.145.60.234"

59.56.78.124 - - [01/Nov/2016:03:48:34 +0800] "POST /index/indexInit.htm HTTP/1.1" 200 95768 "http://www.ztrong.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.

1; Trident/4.0; Sicent; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" "61.145.60.234"

[root@localhost /]# awk '{ip[$NF]++}END{for(i in ip) {print i,ip[i]}}' access.log | sort -nrk 2 | more

"124.91.66.72" 8266

"180.167.69.202" 5754

"60.190.202.84" 2582

"112.124.127.44" 1421

"120.27.47.144" 1419

"123.151.153.35" 756

"58.217.246.43" 455

"183.167.211.95" 418

"125.95.73.60" 372

"210.13.195.34" 367

"1.191.224.132" 349

"61.159.186.206" 302

"223.220.144.254" 281

"121.8.98.40" 261

"183.63.34.14" 250

"218.59.187.52" 238

"42.228.225.190" 210

"114.86.22.68" 200

"218.66.59.169" 187

"220.250.18.170" 181

"1.180.203.223" 174

"180.109.38.90" 173

"117.24.92.170" 171

"61.167.167.172" 162

十四、授權centos用戶可以運行fdisk命令完成磁盤管理，以及使用mkfs或mke2fs實現文件系統管理；[root@localhost /]# chmod +w /etc/sudoers #添加修改權限

[root@localhost /]# vim /etc/sudoers #修改配置文件添加如下一行

centos ALL=(root) /sbin/mkfs, /sbin/mke2fs, /sbin/ifconfig

[root@localhost /]# chmod -w /etc/sudoers #改回文件原來權限

十五、授權gentoo用戶可以運行邏輯卷管理的相關命令；[root@localhost /]# vim /etc/sudoers

centos ALL=(root) /sbin/*create, /sbin/*reduce, /sbin/*display，/sbin/mkfs*，/sbin/*extend

十六、基于pam_time.so模塊，限制用戶通過sshd服務遠程登錄只能在工作時間進行；[root@localhost /]# vim /etc/pam.d/sshd

#%PAM-1.0

auth required pam_sepermit.so

auth substack password-auth

auth include postlogin

# Used with polkit to reauthorize users in remote sessions

-auth optional pam_reauthorize.so prepare

account required pam_time.so #添加pam_time.so模塊

account required pam_nologin.so

account include password-auth

password include password-auth

# pam_selinux.so close should be the first session rule

session required pam_selinux.so close

session required pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params

session required pam_namespace.so

session optional pam_keyinit.so force revoke

session include password-auth

session include postlogin

# Used with polkit to reauthorize users in remote sessions

-session optional pam_reauthorize.so prepare

[root@localhost /]# vim /etc/security/time.conf #修改配置文件定義具體時間

sshd;*;*;MoTuWeThFr0900-1800

十七、基于pam_listfile.so模塊，定義僅某些用戶，或某些組內的用戶可登錄系統；[root@localhost /]# vim /etc/pam.d/sshd #添加如下一行

auth required pam_listfile.so item=user sense=allow file=/etc/sshd_user onerr=succeed

[root@localhost /]# vim /etc/sshd_user #自定義可以登陸的用戶

centos

gentoo

總結

以上是生活随笔為你收集整理的python123平台作业答案第十一周_马哥2016全新Linux+Python高端运维班第十次作业的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。