NIS Client
Configuration in /etc/rc.conf
nisdomainname="savpn.nctu.me"
# NIS domain name ≠ DNS domain name
nis_client_enable="YES"
nis_client_flags="-s -m -S savpn.nctu.me,nisserver"
# -s: secure mode, only accept servers that answer from a reserved port
# -m: many-cast mode, bind to the quickest of the servers listed with -S
# -S: restrict ypbind to the listed servers for this domain (nisserver resolves via /etc/hosts below)
Map between IP and hostname
Configure in /etc/hosts
# 140.113.17.155 nisserver
10.113.0.254 nisserver
# reached through the WireGuard VPN
NIS Users
The NIS server (savpn.nctu.me) has three users:
- nisuser1
- nisuser2
- nisuser3
Things to note:
- the password is the same as the username
- the home directory must be under /net/home/<username>
- shared maps: hosts, passwd, group, netgroup, ypservers
Accounts and Groups
Let NIS users log in to your server
User account information
vipw
edits /etc/master.passwd; append this as the last line (10 fields, so 9 colons):
+:::::::::
UNIX group definitions
vigr (or any editor)
edits /etc/group; append this as the last line (4 fields):
+:*::
Lookup order: when a user with the same name exists both in NIS and locally, query NIS first.
/etc/nsswitch.conf
group: nis files
netgroup: nis files
passwd: nis files
Restart the ypbind daemon
sudo service ypbind restart
Check:
ypcat passwd
sudo ypcat master.passwd
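Before restarting ypbind it is worth checking the two "+" lines, because a "+" line with the wrong number of fields or one that is not the last line of the file breaks the compat lookup (and pwd_mkdb rejects a malformed master.passwd). The script below is an added example, not part of the lab notes: it reads a master.passwd- or group-style file on stdin and verifies both properties. The sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the lab notes: check the "+" compat line that gets
# appended for NIS. It must be the LAST line of the file and must have the right
# number of colon-separated fields: 10 for master.passwd, 4 for group.
# The sample files below are constructed.

GOOD_MASTER_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/sh
sa:*:1001:1001::0:0:Local admin:/home/sa:/bin/sh
+:::::::::'

# One colon too many: 11 fields, which pwd_mkdb(8) would reject.
BAD_MASTER_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/sh
+::::::::::'

GOOD_GROUP='wheel:*:0:root,sa
users:*:1001:
+:*::'

# check_compat_line FIELDS < file
# Prints "ok" and returns 0 when the last line starts with "+" and has exactly
# FIELDS fields; otherwise prints a diagnostic and returns 1.
check_compat_line() {
    awk -F: -v want="$1" '
        /^\+/ { plus_line = NR; plus_fields = NF }
        END {
            if (!plus_line) { print "no + line found"; exit 1 }
            if (plus_line != NR) {
                print "+ line is line " plus_line " of " NR ", not the last line"; exit 1
            }
            if (plus_fields != want) {
                print "+ line has " plus_fields " fields, want " want; exit 1
            }
            print "ok"
        }'
}

# Stand-alone demo against the constructed samples. On a live host (as root,
# master.passwd is mode 600):  check_compat_line 10 < /etc/master.passwd
printf '%s\n' "$GOOD_MASTER_PASSWD" | check_compat_line 10
printf '%s\n' "$BAD_MASTER_PASSWD"  | check_compat_line 10 || echo "(exit status $?)"
printf '%s\n' "$GOOD_GROUP"         | check_compat_line 4
```

The field count is what matters: the line in the notes that looks like a string of colons is easy to get off by one, and awk's NF with -F: counts it exactly.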
NFS Client
In this lab the host is both an NFS client and an NFS server, so the server side is configured first.
Server configuration in /etc/rc.conf
# enable
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 10"
# -u: serve clients over UDP; -t: serve clients over TCP
# if every NFS client is FreeBSD, TCP alone is enough
# and performs better
# -n 10: run 10 nfsd server threads
# NFSv4 server settings
nfsv4_server_enable="YES"
# NFSv4 client settings (callback daemon)
nfscbd_enable="YES"
# enable mountd
# if the machine hangs during reboot, comment this out and start the daemon by hand
mountd_enable="YES"
mountd_flags="-r"
# for better security, have nfsd accept requests only from
# reserved ports (ports below 1024)
nfs_reserved_port_only="YES"
Client configurations in /etc/rc.conf
# enable
nfs_client_enable="YES"
Mount
Mount the exports from savpn.nctu.me (10.113.0.254 over the VPN)
Create the mountpoints
mkdir -p /net/home /net/data
Start the NFS client
sudo service nfsclient start
Mount the directories with nosuid, so that setuid or setgid bits on files in the share have no effect on this host:
mount -o nosuid 10.113.0.254:/net/data /net/data
mount -o nosuid 10.113.0.254:/net/home /net/home
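A quick way to confirm that every NFS mount really carries nosuid, since manual mounts, fstab entries and autofs maps can disagree. This is an added example, not from the lab notes; it parses mount(8)-style output ("device on mountpoint (fstype, option, ...)"), and the sample output it runs on is constructed.

```shell
#!/bin/sh
# Added example, not part of the lab notes: list NFS mounts that lack a given
# mount option (nosuid here) by parsing mount(8) output of the form
#   <device> on <mountpoint> (<fstype>, <option>, ...)
# The sample output below is constructed; the server address matches the notes.

SAMPLE_MOUNT='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
10.113.0.254:/net/home on /net/home (nfs, nosuid)
10.113.0.254:/net/data on /net/data (nfs)
10.113.0.254:/net/admin on /net/admin (nfs, read-only, nosuid, nfsv4acls)'

# nfs_mounts_missing OPTION < mount-output
# Prints the mountpoint of every NFS mount whose option list does not contain OPTION.
nfs_mounts_missing() {
    awk -v opt="$1" '
        # field 4 is "(<fstype>," or "(<fstype>)"; only look at NFS mounts
        $4 ~ /^\(nfs[,)]/ {
            opts = ""
            for (i = 4; i <= NF; i++) opts = opts " " $i
            # options are delimited by "(", ", " and ")"; match the whole word only,
            # so "nosuid" is not satisfied by an option that merely contains it
            if (opts !~ ("[ (,]" opt "[,)]")) print $3
        }'
}

# Stand-alone demo against the constructed sample. On a live host:
#   mount | nfs_mounts_missing nosuid
printf '%s\n' "$SAMPLE_MOUNT" | nfs_mounts_missing nosuid
```

Any mountpoint it prints was mounted without the option and should be remounted; the same function works for read-only or any other option name that mount(8) shows.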
Auto Mount (autofs)
Mounted automatically when needed
Not mounted at boot; only at the moment it is accessed (e.g. cd into it) does autofs check whether the server is reachable and the filesystem can be mounted.
Enable in rc.conf
autofs_enable="YES"
Three kinds of configuration files (maps)
They state the mountpoint to mount under and which map it corresponds to.
- Direct map: almost the same as fstab
- Indirect map: all the directories in an indirect map are mounted under one common parent directory
- Master map: lists which direct and indirect maps automount should pay attention to
Master Map
/etc/auto_master
mountpoint map_name [-option]
/- /etc/auto.map -intr,nosuid,rw
# auto.map is a direct map
Direct Map
/etc/auto.map
/net/home -rw 10.113.0.254:/net/home
/net/data -ro 10.113.0.254:/net/data
NFS Server
Exports
- /net/alpha (access as their own UID GID)
- /net/share (UID=user, GID=users)
- /net/admin (read-only)
Create directories
The directories to be exported:
mkdir -p /exports/admin /exports/alpha /exports/share
Create the group and user that /net/share is mapped to
sudo pw groupadd users
sudo pw useradd user -g users
/etc/fstab (nullfs mounts expose the export directories under /net)
# Device Mountpoint FStype Options Dump Pass#
/exports/admin /net/admin nullfs rw 0 0
/exports/alpha /net/alpha nullfs rw 0 0
/exports/share /net/share nullfs rw 0 0
NFSv4 with nfsuserd for mapping between UIDs and usernames (nfsuserd_enable="YES" in /etc/rc.conf)
/etc/exports
V4: /
/net/admin -ro -maproot=nobody
/net/share -mapall=user
# -mapall=user already maps root (and everyone else) to user, so no -maproot is needed on this line
/net/alpha -maproot=nobody
Firewall
Packet Filter (PF)
Enable in /etc/rc.conf
pf_enable="YES"
pflog_enable="YES"
pfsync_enable="YES"
PF rules (firewall setup)
The last matching rule decides what action is taken, except that a rule with quick ends evaluation as soon as it matches
If no rule matches the packet, the default action is to pass
/etc/pf.conf
#macro definitions
extdev="em0"
intdev="em1"
myhost="192.168.56.1"
#option
set loginterface $extdev
set block-policy drop
set skip on lo0
#table
table <BadHost> persist file "/etc/badhost.list"
table <BadGuy> persist file "/etc/badguy.list"
#filtering rules
# needed by blacklistd
anchor "blacklistd/*" in
pass out all
#antispoof for $extdev
# deny all connections from <BadHost>; quick stops evaluation at this rule
block quick from <BadHost> to any
# only 10.113.0.0/16 may reach HTTP/HTTPS
block in proto tcp from !10.113.0.0/16 to any port {80,443}
# no host may send ICMP (including echo request) to the server ...
block return in proto icmp from any to any
# ... except 10.113.0.254, which also matches this later rule, and the last match wins
pass proto icmp from 10.113.0.254 to any
# answer <BadGuy> with TCP RST / ICMP unreachable ...
block return proto { tcp,udp } from <BadGuy> to any
# ... but silently drop <BadGuy> packets to FTP and SSH (ports 21,22): the later rule wins
block drop in proto tcp from <BadGuy> to any port {21,22}
Blacklistd
To find out who the bad guy is
Enable the daemon
sysrc blacklistd_enable=yes
Start the service manually
service blacklistd start
If someone attempts to log in via SSH and fails 5 times within 1 hour,
their IP is banned from SSH for 1 day automatically
/etc/blacklistd.conf
# $FreeBSD: releng/12.0/usr.sbin/blacklistd/blacklistd.conf 336977 2018-07-31 16:39:38Z brd $
#
# Blacklist rule
# adr/mask:port type proto owner name nfail disable
[local]
ssh stream * * * 5 24h
ftp stream * * * 5 24h
#smtp stream * * * 3 24h
#submission stream * * * 3 24h
#6161 stream tcp6 christos * 2 10m
* * * * * 3 60
# adr/mask:port type proto owner name nfail disable
[remote]
#ssh stream * * -ssh 5 24h
#129.168.0.0/16 * * * = * *
#6161 = = = =/24 = =
#* stream tcp * = = =
Blocked attempts are logged in
/var/log/auth.log
Write /usr/local/bin/badguy, which picks out error lines such as
Jan 8 20:47:16 yilianwu-sa sshd[3579]: error: PAM: Authentication error for illegal user austin from 10.113.0.64
from that log:
#!/bin/sh
# Report, for the previous minute of /var/log/auth.log, failed SSH logins
# (the events blacklistd counts) and manual unbans done with iamagoodguy.
# Run from cron once a minute; output is appended to /net/admin/ssh/badguy.log.

# Previous minute as HH:MM; BSD date(1) -v handles the midnight wrap-around
# and keeps the leading zero.
stamp=$(date -v-1M '+%H:%M')

grep -E 'sshd|sudo' /var/log/auth.log | grep " $stamp:" | awk '
    # sudo line: "... COMMAND=/home/c0846101/bin/iamagoodguy <ip>"; $6 is the sudoer
    /COMMAND=\/home\/c0846101\/bin\/iamagoodguy/ {
        print $1, $2, $3, $NF, "is pardoned by", $6
        next
    }
    # sshd line: "... PAM: Authentication error for [illegal user] <name> from <ip>";
    # the source IP is the last field either way
    /PAM: Authentication error/ {
        print $1, $2, $3, $NF, "is a bad guy, 5 attempts"
    }'
Write a shell script ‘iamagoodguy’ to unban an IP
/home/c0846101/bin/iamagoodguy
#!/bin/sh
# remove the IP from the table blacklistd put it in (anchor blacklistd/22, table port22)
pfctl -a blacklistd/22 -t port22 -T delete "$1"
Run it as:
sudo iamagoodguy 10.113.0.64
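The following is an added example, not the lab's badguy script: it reproduces blacklistd's counting on an auth.log excerpt, reporting the source IPs that reach the nfail threshold (5 in the blacklistd.conf above) and ignoring those later pardoned with sudo iamagoodguy. The excerpt, hostname, user names, PIDs and IPs are constructed; the iamagoodguy path is the one from the notes.

```shell
#!/bin/sh
# Added example, not the lab's badguy script: count failed SSH logins per source IP
# in auth.log-style lines, the way blacklistd counts them, and report the IPs that
# reached the nfail threshold. A sudo line running iamagoodguy for an IP resets that
# IP's count, mirroring the manual unban. Everything in the sample is constructed.

SAMPLE_AUTH_LOG='Jan  8 20:47:10 sahost sshd[3571]: error: PAM: Authentication error for illegal user austin from 10.113.0.64
Jan  8 20:47:12 sahost sshd[3571]: error: PAM: Authentication error for illegal user austin from 10.113.0.64
Jan  8 20:47:14 sahost sshd[3573]: error: PAM: Authentication error for root from 10.113.0.64
Jan  8 20:47:16 sahost sshd[3573]: error: PAM: Authentication error for root from 10.113.0.64
Jan  8 20:47:18 sahost sshd[3579]: error: PAM: Authentication error for illegal user admin from 10.113.0.64
Jan  8 20:47:30 sahost sshd[3590]: error: PAM: Authentication error for illegal user test from 10.113.0.70
Jan  8 20:47:33 sahost sshd[3590]: error: PAM: Authentication error for illegal user test from 10.113.0.70
Jan  8 20:48:01 sahost sshd[3601]: error: PAM: Authentication error for illegal user guest from 10.113.0.80
Jan  8 20:48:03 sahost sshd[3601]: error: PAM: Authentication error for illegal user guest from 10.113.0.80
Jan  8 20:48:05 sahost sshd[3601]: error: PAM: Authentication error for illegal user guest from 10.113.0.80
Jan  8 20:48:07 sahost sshd[3601]: error: PAM: Authentication error for illegal user guest from 10.113.0.80
Jan  8 20:48:09 sahost sshd[3601]: error: PAM: Authentication error for illegal user guest from 10.113.0.80
Jan  8 20:49:05 sahost sudo: c0846101 : TTY=pts/0 ; PWD=/home/c0846101 ; USER=root ; COMMAND=/home/c0846101/bin/iamagoodguy 10.113.0.64'

# report_bad_guys NFAIL < auth.log
# Prints "<ip> <failures>" for every source IP with at least NFAIL failures that
# was not pardoned afterwards, in order of first appearance.
report_bad_guys() {
    awk -v nfail="$1" '
        # sshd PAM failure; the source IP is the last field whether or not the
        # line says "illegal user"
        /sshd\[/ && /: error: PAM: Authentication error/ {
            ip = $NF
            if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
            fails[ip]++
            next
        }
        # manual unban via "sudo iamagoodguy <ip>": reset that IP
        /sudo: / && /COMMAND=\/home\/c0846101\/bin\/iamagoodguy / {
            fails[$NF] = 0
        }
        END {
            for (i = 1; i <= n; i++)
                if (fails[order[i]] >= nfail) print order[i], fails[order[i]]
        }'
}

# Stand-alone demo; on a live host:  report_bad_guys 5 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | report_bad_guys 5
```

On the sample only 10.113.0.80 is reported: 10.113.0.64 also reached 5 failures but was pardoned afterwards, and 10.113.0.70 stopped at 2. Unlike blacklistd, the example does not enforce the 1 hour window, so feed it only the part of the log you care about.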
/etc/crontab
Run /usr/local/bin/badguy once a minute
Log when an IP is banned/unbanned in
/net/admin/ssh/badguy.log
* * * * * root /usr/local/bin/badguy >> /net/admin/ssh/badguy.log
Use newsyslog for log rotation
- Rotated daily, keep 10 days
- Compressed with xz (‘.xz’)
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/net/admin/ssh/badguy.log 640 10 * @T00 X