Week 12 Homework

1. Write a script /root/bin/checkip.sh that runs every 5 minutes; if it finds more than 10 failed SSH logins from a remote IP, it automatically adds that IP to the TCP Wrapper blacklist to deny access.

[root@test ~]#cat checkip.sh
#!/bin/bash
# Run from cron every 5 minutes, e.g.:  */5 * * * * /root/bin/checkip.sh
# Reading /var/log/secure and writing /etc/hosts.deny both need root.
[ "$UID" -ne 0 ] && echo "this script must be run as root" && exit 1

# Working directory for the intermediate IP/count list
[ -d /work ] || mkdir /work

# Count failed SSH password attempts per source IP. In sshd's
# "Failed password for ... from IP port N ssh2" lines the IP is the
# fourth field from the end. (The original filtered on one user name;
# the task asks for all failed logins.) One line per IP: IP==>count
grep "Failed password for" /var/log/secure | awk '{print $(NF-3)}' | sort | uniq -c | awk '{print $2"==>"$1}' > /work/ip.txt

while read -r i; do
    ip=$(echo "$i" | awk -F "==>" '{print $1}')
    count=$(echo "$i" | awk -F "==>" '{print $2}')
    if [ "$count" -gt 10 ]; then
        # -x matches the whole line, so 1.2.3.4 is not mistaken for 1.2.3.45
        if ! grep -qx "ALL:$ip" /etc/hosts.deny; then
            echo "ALL:$ip" >> /etc/hosts.deny
        fi
    fi
done < /work/ip.txt
 
[root@test ~]#
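As an added example (not the homework script itself), the following shell functions reproduce the counting step over a constructed /var/log/secure sample and show the hosts.deny check done with a whole-line match; the IPs, ports and log lines are constructed for the test.

```shell
#!/bin/bash
# Added example, not the original homework script: count sshd "Failed password"
# events per source IP from a constructed log sample and check hosts.deny
# with a whole-line match, so "ALL:10.0.0.4" is not mistaken for "ALL:10.0.0.45".

# Build a constructed /var/log/secure sample (not real data): 12 failures from
# 10.0.0.45 and 2 from 10.0.0.4, in the two message forms sshd writes.
make_sample_log() {
    local i
    for i in $(seq 1 12); do
        echo "Dec 12 12:00:$(printf %02d "$i") test sshd[$((1000+i))]: Failed password for invalid user admin from 10.0.0.45 port $((40000+i)) ssh2"
    done
    echo "Dec 12 12:01:01 test sshd[2001]: Failed password for root from 10.0.0.4 port 41001 ssh2"
    echo "Dec 12 12:01:02 test sshd[2002]: Accepted password for root from 10.0.0.4 port 41002 ssh2"
    echo "Dec 12 12:01:03 test sshd[2003]: Failed password for root from 10.0.0.4 port 41003 ssh2"
}

# Read log lines on stdin, print "IP count" for every source that failed.
# In both message forms the IP sits three fields before the end ($(NF-3)),
# which is what the homework script relies on as well.
count_failures() {
    awk '/Failed password for/ { n[$(NF-3)]++ } END { for (ip in n) print ip, n[ip] }'
}

# Print only the IPs whose failure count exceeds the threshold given in $1.
offenders() {
    count_failures | awk -v t="$1" '$2 > t { print $1 }' | sort
}

# Exit 0 if file $2 (a hosts.deny) already has an "ALL:<ip>" line for $1.
# -x forces a whole-line match and -F a literal one, so a shorter IP never
# matches a longer one (the unanchored "grep $ip" in the original does).
is_denied() {
    grep -qxF "ALL:$1" "$2"
}

# Append the deny rule for $1 to file $2 unless it is already present.
deny_ip() {
    is_denied "$1" "$2" || echo "ALL:$1" >> "$2"
}
```

The functions write only to the file passed as an argument, so they can be exercised against a temporary copy before touching /etc/hosts.deny.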

2. Configure sudo privileges for the magedu user so that magedu has root privileges

(1) Install the chrony service

yum install chrony -y

Note: ntp must run as a daemon whether it is used as the time-sync server or as the client, and one drawback of ntp as a server is that its synchronisation period is very long. This exercise therefore uses chrony for both the client and the server; it is more accurate than ntp and its synchronisation period is shorter.

(2) Configure chrony.conf so that it runs as a time server and lets the internal network segment synchronise time, then start the service

[root@test ~]#cat /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
 
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
 
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
 
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
 
# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *
 
# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2
 
# Allow NTP client access from local network.
allow 192.168.0.0/16
 
# Serve time even if not synchronized to a time source.
#local stratum 10
 
# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys
 
# Specify directory for log files.
logdir /var/log/chrony
 
# Select which information is logged.
#log measurements statistics tracking
[root@test ~]#

Note: server gives the address of the upstream time server; allow is followed by the permitted client address/netmask, or it can be set to allow all, which lets every client synchronise time.

systemctl start chronyd

Note: once chronyd is started, this host can serve as a time-sync server; with the chronyc tool we can see which server the time server itself is synchronising from. By default chronyd listens on UDP ports 123 and 323.

[root@test ~]#ss -nulp
State       Recv-Q Send-Q             Local Address:Port                            Peer Address:Port             
UNCONN      0      0                              *:123                                        *:*                   users:(("chronyd",pid=17074,fd=7))
UNCONN      0      0                      127.0.0.1:323                                        *:*                   users:(("chronyd",pid=17074,fd=5))
UNCONN      0      0                            ::1:323                                       :::*                   users:(("chronyd",pid=17074,fd=6))
[root@test ~]#
[root@test ~]#chronyc sources -v
210 Number of sources = 1
 
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample              
===============================================================================
^* sv1.ggsrv.de                  2   7   377    10   -361us[ -538us] +/-  128ms
[root@test ~]#chronyc sourcestats -v
210 Number of sources = 1
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |           /         .- Est. offset.
                           |   |   |     |          |          |   On the -.
                           |   |   |     |          |          |   samples. \
                           |   |   |     |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
sv1.ggsrv.de               22  12   22m     -0.040      2.784   -937ns  1441us
[root@test ~]#

Note: as the output shows, chrony as a client is currently synchronising time from the Internet server sv1.ggsrv.de. chronyc is an interactive tool for viewing the state of the time server and managing it; it has many subcommands, and their help can be shown with chronyc help.

(3) Configure the client and point it at the address of the time server we just set up

[root@test ~]#yum info chrony
Loaded plugins: fastestmirror, security
Determining fastest mirrors
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base                                                                                          | 3.7 kB     00:00    
epel                                                                                          | 5.3 kB     00:00    
epel/primary_db                                                                               | 6.1 MB     00:01    
extras                                                                                        | 3.4 kB     00:00    
extras/primary_db                                                                             |  29 kB     00:00    
updates                                                                                       | 3.4 kB     00:00    
updates/primary_db                                                                            | 7.5 MB     00:02    
Available Packages
Name        : chrony
Arch        : x86_64
Version     : 2.1.1
Release     : 2.el6_8
Size        : 266 k
Repo        : base
Summary     : An NTP client/server
URL         : http://chrony.tuxfamily.org
License     : GPLv2
Description : A client/server for the Network Time Protocol, this program keeps your
           : computer's clock accurate. It was specially designed to support
           : systems with intermittent internet connections, but it also works well
           : in permanently connected environments. It can use also hardware reference
           : clocks, system real-time clock or manual input as time references.

[root@test ~]#yum install chrony -y
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
  base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
--> Running transaction check
---> Package chrony.x86_64 0:2.1.1-2.el6_8 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================
Package                   Arch                      Version                           Repository               Size
=====================================================================================================================
Installing:
chrony                    x86_64                    2.1.1-2.el6_8                     base                    266 k

Transaction Summary
=====================================================================================================================
Install       1 Package(s)

Total download size: 266 k
Installed size: 453 k
Downloading Packages:
chrony-2.1.1-2.el6_8.x86_64.rpm                                                               | 266 kB     00:00    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
 Installing : chrony-2.1.1-2.el6_8.x86_64                                                                       1/1
 Verifying  : chrony-2.1.1-2.el6_8.x86_64                                                                       1/1

Installed:
 chrony.x86_64 0:2.1.1-2.el6_8                                                                                     

Complete!
[root@test ~]#vim /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org iburst
#server 1.rhel.pool.ntp.org iburst
#server 2.rhel.pool.ntp.org iburst
#server 3.rhel.pool.ntp.org iburst
server 192.168.0.99
# Ignore stratum in source selection.
stratumweight 0

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# In first three updates step the system clock instead of slew
# if the adjustment is larger than 10 seconds.
makestep 10 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Allow NTP client access from local network.
#allow 192.168/16

# Serve time even if not synchronized to any NTP server.
#local stratum 10

# Specify file containing keys for NTP and command authentication.
keyfile /etc/chrony.keys

# Specify key number for command authentication.
commandkey 1

# Generate new command key on start if missing.
generatecommandkey

# Disable logging of client accesses.
noclientlog

# Send message to syslog when clock adjustment is larger than 0.5 seconds.
"/etc/chrony.conf" 46L, 1272C written                                                             
[root@test ~]#

Note: the client also needs the chrony package installed and its service running. The client could instead install the ntp package and run ntpdate with the time server address to synchronise, but that approach is crude: it jumps the system time straight to the server's time, leaving a gap in between, and is strongly discouraged.

[root@test ~]#date
Thu Dec 12 12:14:08 CST 2019
[root@test ~]#chronyc sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.0.99                  3   6    17     3    -21us[-14582m] +/-  131ms
[root@test ~]#date
Sun Dec 22 15:16:15 CST 2019
[root@test ~]#date -s "20191212 12:12:00"
Thu Dec 12 12:12:00 CST 2019
[root@test ~]#date
Thu Dec 12 12:12:02 CST 2019
[root@test ~]#ntpdate 192.168.0.99
22 Dec 15:18:15 ntpdate[3911]: step time server 192.168.0.99 offset 875161.922491 sec
[root@test ~]#date
Sun Dec 22 15:18:17 CST 2019
[root@test ~]#
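As an added example (not part of the original post), the two checks below parse chronyc sources and ss -nulp output of the shape shown on this page to confirm that chronyd has a currently synced source and that the command port 323 is bound to loopback only; the sample outputs are constructed to match the page.

```shell
#!/bin/bash
# Added example, not part of the original post: small checks against the
# "chronyc sources" and "ss -nulp" output shown above. The samples below are
# constructed to match the shapes on the page.

# Constructed "chronyc sources" output of a synced client (mirrors the page).
SOURCES_OK='210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.0.99                  3   6    17     3    -21us[-14582m] +/-  131ms'

# Constructed output of a client whose only source is unreachable ("?").
SOURCES_BAD='210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 192.168.0.99                  0   6     0     -     +0ns[   +0ns] +/-    0ns'

# Print the name of the source chronyd currently syncs from (state "*");
# return 1 if there is none, which is the condition to alert on.
synced_source() {
    awk '$1 ~ /^[=#^]\*$/ { print $2; found = 1 } END { exit !found }'
}

# Constructed "ss -nulp" output matching the page: NTP on all addresses,
# the chronyc command port 323 bound to loopback only.
SS_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      *:123              *:*    users:(("chronyd",pid=17074,fd=7))
UNCONN 0      0      127.0.0.1:323      *:*    users:(("chronyd",pid=17074,fd=5))
UNCONN 0      0      ::1:323            :::*   users:(("chronyd",pid=17074,fd=6))'

# Return 0 only if every socket on port 323 is on a loopback address, i.e.
# the chronyd command channel is reachable from this host alone.
cmd_port_local_only() {
    awk '$4 ~ /:323$/ && $4 !~ /^(127\.0\.0\.1|\[?::1\]?):323$/ { bad = 1 } END { exit bad + 0 }'
}
```

On a live host the same functions take their input from chronyc sources and ss -nulp directly.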
