How to restrict remote logins by IP address on AIX
2012-05-19 21:49
The AIX operating system supports static IP packet filtering, which can be used to protect servers connected to the network. Unlike HP-UX, however, a default installation does not include this feature. Before using it, the following filesets must be present; if they are not, install them and then reboot the machine.
# lslpp -l bos.net.ipsec.rte
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.net.ipsec.rte 5.3.0.20 COMMITTED IP Security
# lslpp -l bos.net.ipsec.keymgt
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.net.ipsec.keymgt 5.3.0.20 COMMITTED IP Security Key Management
Now configure IP Security (using the FTP service as an example; services on other ports, such as TELNET, are configured in the same way).
1. Start IP Security (IPSec):
# smitty ipsec4 -> Start/Stop IP Security -> Start IP Security -> Start IP Security
2. Check that ipsec is available:
# lsdev -Cc ipsec
ipsec_v4 Available IP Version 4 Security Extension
3. The system should now contain two filter rules. Check them with the following command:
# lsfilt -v4
Normally two rules are listed; if the command reports that there are no default rules, see the note at the end of this section.
4. Add a filter rule that permits FTP requests from 10.152.129.49:
# smitty ipsec4 -> Advanced IP Security Configuration -> Configure IP Security Filter Rules -> Add an IP Security Filter Rule -> Add an IP Security Filter Rule
* Rule Action -----------------------------------[permit] +
* IP Source Address -----------------------------[10.152.129.49]
* IP Source Mask --------------------------------[255.255.255.255]
IP Destination Address --------------------------[]
IP Destination Mask ---------------------------- []
* Apply to Source Routing? (PERMIT/inbound only) [yes]+
* Protocol --------------------------------------[all]+
* Source Port / ICMP Type Operation -------------[any]+
* Source Port Number / ICMP Type ----------------[0] #
* Destination Port / ICMP Code Operation --------[eq]+
* Destination Port Number / ICMP Type -----------[21] #
* Routing ---------------------------------------[both] +
* Direction -------------------------------------[both]+
* Log Control -----------------------------------[no]+
* Fragmentation Control -------------------------[0]+
* Interface -------------------------------------[all] +
Leave the other fields at their default values.
5. Add another filter rule that denies all other FTP requests addressed to 10.110.157.151:
Add an IP Security Filter Rule
* Rule Action -----------------------------------[deny]+
* IP Source Address -----------------------------[0.0.0.0]
* IP Source Mask --------------------------------[0.0.0.0]
IP Destination Address --------------------------[10.110.157.151]
IP Destination Mask -----------------------------[255.255.255.255]
* Apply to Source Routing? (PERMIT/inbound only) [yes]+
* Protocol --------------------------------------[all]+
* Source Port / ICMP Type Operation -------------[any]+
* Source Port Number / ICMP Type ----------------[0] #
* Destination Port / ICMP Code Operation --------[eq]+
* Destination Port Number / ICMP Type -----------[21] #
* Routing ---------------------------------------[both]+
* Direction -------------------------------------[both]+
* Log Control -----------------------------------[no]+
* Fragmentation Control -------------------------[all packets]+
* Interface -------------------------------------[all]+
6. Activate the filter rules:
# smitty ipsec4 -> Advanced IP Security Configuration -> Activate/Update/Deactivate IP Security Filter Rule -> Activate / Update
7. Once these steps are complete, users can FTP to 10.110.157.151 only from 10.152.129.49; any attempt to FTP to 10.110.157.151 from another machine will fail.
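As an added illustration (not part of the original post and not AIX code), the following Python model shows why the two rules from steps 4 and 5 produce the result in step 7: the filter table is walked top-down and the first matching rule decides, a 0.0.0.0 source mask matches every host, and packets that match no rule fall through to the default permit-all rule from step 3. The script also shows that adding the deny rule above the permit rule would lock out 10.152.129.49 as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class FilterRule:
    """One IPv4 filter rule with the fields used in steps 4 and 5 (constructed model)."""
    action: str                   # Rule Action: "permit" or "deny"
    src: str                      # IP Source Address
    src_mask: str                 # IP Source Mask
    dst: str = ""                 # IP Destination Address (blank in smitty = any host)
    dst_mask: str = ""            # IP Destination Mask
    dport: Optional[int] = None   # Destination Port Number (None = port operation "any")

def addr_matches(addr: str, rule_addr: str, mask: str) -> bool:
    """Blank rule address matches anything; otherwise compare addr to rule_addr under mask.
    A 0.0.0.0 mask (as in the deny rule) makes every source address match."""
    if not rule_addr:
        return True
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (r & m)

def evaluate(rules: List[FilterRule], src: str, dst: str, dport: int) -> str:
    """Walk the table top-down and return the action of the first matching rule.
    A packet that matches no rule falls through to the default permit-all rule (rule 2 of step 3)."""
    for rule in rules:
        if (addr_matches(src, rule.src, rule.src_mask)
                and addr_matches(dst, rule.dst, rule.dst_mask)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "permit"

# The two rules from steps 4 and 5, in the order the page adds them.
FTP_RULES = [
    FilterRule("permit", "10.152.129.49", "255.255.255.255", dport=21),
    FilterRule("deny", "0.0.0.0", "0.0.0.0", "10.110.157.151", "255.255.255.255", 21),
]

if __name__ == "__main__":
    print(evaluate(FTP_RULES, "10.152.129.49", "10.110.157.151", 21))   # permit
    print(evaluate(FTP_RULES, "10.152.129.50", "10.110.157.151", 21))   # deny
    print(evaluate(FTP_RULES, "10.152.129.50", "10.110.157.151", 23))   # permit: telnet is not filtered
    # Same rules in the wrong order: the catch-all deny now shadows the permit.
    print(evaluate(FTP_RULES[::-1], "10.152.129.49", "10.110.157.151", 21))  # deny
```

The third case is the reason the page says TELNET and other services need their own rule pair: the deny rule is bound to port 21 and leaves every other port open.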
Note: the two default rules mentioned in step 3 exist on every machine. Rule 1 allows IPSec to communicate with other devices: NewOak defined the IPSec rule that uses port 4001 to talk to other IPSec-capable devices, and the entry is kept for historical compatibility. Rule 2 ensures that, by default, all network traffic passes normally. Both rules are certainly present right after the operating system is installed, but at some sites running lsdev -Cc ipsec shows:
ipsec_v4 Available
Cannot get IPv4 default filter rule.
Cannot change default rule for IPv4 in ODM.
Cannot get IPv4 default filter rule
This is probably because the smitty ipsec4 menu treats these two rules as ordinary rules, so they may have been deleted manually after installation. In that state no new rules can be configured at all. To repair the rules and return to the default state, use smitty remove to uninstall the corresponding filesets, reinstall them from the installation media, and then apply the latest fixes.