ftp: 21
ssh:22
telnet: 23
smtp:25
http:80
https:443
cups: 631
works on runlevel 3, not runlevel 5. if you su from the root account, there will be no restriction.
#limit xing to login between 09-17 everyday
vi /etc/security/time.conf
login;*;xing;Al0900-1700
vi /etc/pam.d/login
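account required pam_time.so
note: pam_time is checked when the account stack runs at login; a session opened inside the allowed window is not closed when the window ends.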
#limit user1 and user2 can not login on Saturday
vi /etc/security/time.conf
login;*;user1|user2;!Sa0000-2400
vi /etc/pam.d/login
account required pam_time.so
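#limit user1 and user2 to 1 login at a time; users in the example group get a total of 3 logins
usermod -G example user1
usermod -G example user2
note: -G replaces the user's existing supplementary groups; use -a -G to append where usermod supports it.
vi /etc/security/limits.conf
@example - maxlogins 3
note: the item name is maxlogins. @example applies the limit to each group member separately; limits.conf(5) documents %example for a total across the whole group. the 1-at-a-time limit for user1 and user2 needs its own entries (e.g. user1 - maxlogins 1), which are not shown here.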
vi /etc/pam.d/system-auth
session required /lib/security/pam_limits.so
or
session required pam_limits.so
this one only works on runlevel 3. when the root account is added to the example group, there seems to be no limit (limits.conf(5) states that maxlogins does not apply to uid 0).
#user1 can only have 7 processes
vi /etc/security/limits.conf
user1 hard nproc 7
vi /etc/pam.d/system-auth
session required /lib/security/pam_limits.so
this one only works on runlevel 3; on runlevel 5 the limit is not applied after su - xing.
#deny to xing user login locally
vi /etc/security/access.conf
-: xing: LOCAL
vi /etc/pam.d/system-auth
account required /lib/security/pam_access.so
or
session required /lib/security/pam_access.so
or
vi /etc/pam.d/login
account required /lib/security/pam_access.so
or
session required /lib/security/pam_access.so
#limit jack user login to station1.example.com only
vi /etc/security/access.conf
-:jack:ALL EXCEPT station1.example.com
note: access.conf fields are separated by colons (semicolons are the time.conf separator).
vi /etc/pam.d/system-auth
account required /lib/security/pam_access.so
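#limit remote ssh access to the users listed in /etc/ssh/sshusers (here: xing)
vi /etc/pam.d/sshd
account required pam_listfile.so item=user sense=allow file=/etc/ssh/sshusers onerr=succeed
note: the module line above must be a single line. with sense=allow, onerr=succeed fails open: if /etc/ssh/sshusers is missing or cannot be read, every user is let through. onerr=fail keeps the allow-list closed on error.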
vi /etc/ssh/sshusers
xing
test from remote: ssh 192.168.1.254 -l xing succeeds
with sense=deny the same login will fail
refer to /etc/pam.d/vsftpd when modifying /etc/pam.d/sshd
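# another option to stop xing from accessing vsftpd and sshd
vi /etc/security/access.conf
-: xing: vsftpd: 192.168.1.
-: xing : sshd : 192.168.1.
note: access.conf(5) documents three fields, permission:users:origins, with no service field; which service a rule applies to is decided by which /etc/pam.d file loads pam_access.so. verify that these two lines behave as intended on the target system.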
vi /etc/pam.d/vsftpd
auth required pam_access.so
or
account required pam_access.so
vi /etc/pam.d/sshd
session required pam_access.so
or
account required pam_access.so
# another option to stop xing from accessing vsftpd and sshd
on server
vi /etc/security/time.conf
sshd;*;xing;!Al0000-2400
vsftpd;*;xing;!Al0000-2400
vi /etc/pam.d/sshd
account required pam_time.so
vi /etc/pam.d/vsftpd
account required pam_time.so
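#deny local login to all normal users
touch /etc/nologin
note: /etc/nologin is honoured by pam_nologin and by sshd, so remote logins by non-root users are refused as well; remove the file to allow logins again.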
#allow root to certain terminal
vi /etc/securetty