- 论坛徽章:
- 0
|
系统安装好了,默认情况下除root用户外的其他用户ftp/telnet是可用的,如果需要对ftp/telnet做一些调整,需要修改配置文件,ftp/telnet涉及到的文件有下面一些。
首先,控制能否telnet/ftp的配置文件是/etc/inetd.conf,下面两句是允许ftp/telnet,如果注释掉,则所有用户都不能ftp/telnet.修改了inetd.conf文件需kill -HUP pid对inetd进程重启(pid用命令查看ps -ef|grep inetd)。ftp/telnet端口是在/etc/services文件配置的。
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
附:配置文件inetd.conf的内容如下
#ident "@(#)inetd.conf 1.45 02/11/05 SMI" /* SVr4.0 1.5 */
#
# Copyright 1989-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#
#
# Configuration file for inetd(1M). See inetd.conf(4).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
# Syntax for socket-based Internet services:
#
#
# Syntax for TLI-based Internet services:
#
# tli
#
# IPv6 and inetd.conf
# By specifying a value of tcp6 or udp6 for a service, inetd will
# pass the given daemon an AF_INET6 socket. The following daemons have
# been modified to be able to accept AF_INET6 sockets
#
# ftp telnet shell login exec tftp finger printer
#
# and service connection requests coming from either IPv4 or IPv6-based
# transports. Such modified services do not normally require separate
# configuration lines for tcp or udp. For documentation on how to do this
# for other services, see the Solaris System Administration Guide.
#
# You must verify that a service supports IPv6 before specifying as
# tcp6 or udp6. Also, all inetd built-in commands (time, echo, discard,
# daytime, chargen) require the specification of as tcp6 or udp6
#
# The remote shell server (shell) and the remote execution server
# (exec) must have an entry for both the "tcp" and "tcp6" values.
#
# Ftp and telnet are standard Internet services.
#
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
#
# Tnamed serves the obsolete IEN-116 name server protocol.
#
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
#shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd
comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
talk dgram udp wait root /usr/sbin/in.talkd in.talkd
#
# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
#
uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
#
# Tftp service is provided primarily for booting. Most sites run this
# only on machines acting as "boot servers."
#
tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
#systat stream tcp nowait root /usr/bin/ps ps -ef
#netstat stream tcp nowait root /usr/bin/netstat netstat -f inet
#
# Time service is used for clock synchronization.
#
time stream tcp6 nowait root internal
time dgram udp6 wait root internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo stream tcp6 nowait root internal
echo dgram udp6 wait root internal
discard stream tcp6 nowait root internal
discard dgram udp6 wait root internal
daytime stream tcp6 nowait root internal
daytime dgram udp6 wait root internal
chargen stream tcp6 nowait root internal
chargen dgram udp6 wait root internal
#
#
# RPC services syntax:
# / rpc/ \
#
#
# can be either "tli" or "stream" or "dgram".
# For "stream" and "dgram" assume that the endpoint is a socket descriptor.
# can be either a nettype or a netid or a "*". The value is
# first treated as a nettype. If it is not a valid nettype then it is
# treated as a netid. The "*" is a short-hand way of saying all the
# transports supported by this system, ie. it equates to the "visible"
# nettype. The syntax for is:
# *||{[,]}
# For example:
# dummy/1 tli rpc/circuit_v,udp wait root /tmp/test_svc test_svc
#
# Solstice system and network administration class agent server
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
#
# Rquotad supports UFS disk quotas for NFS clients
#
rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
#
# The rusers service gives out user information. Sites concerned
# with security may choose to disable it.
#
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
#
# The spray server is used primarily for testing.
#
sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
#
# The rwall server allows others to post messages to users on this machine.
#
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
#
# Rstatd is used by programs such as perfmeter.
#
rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
#
# The rexd server provides only minimal authentication and is often not run
#
#rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd
#
# rpc.cmsd is a data base daemon which manages calendar data backed
# by files in /var/spool/calendar
#
#
# Sun ToolTalk Database Server
#
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
#
# UFS-aware service daemon
#
#ufsd/1 tli rpc/* wait root /usr/lib/fs/ufs/ufsd ufsd -p
#
# Sun KCMS Profile Server
#
100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
#
# Sun Font Server
#
fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
#
# CacheFS Daemon
#
100235/1 tli rpc/ticotsord wait root /usr/lib/fs/cachefs/cachefsd cachefsd
#
# Kerberos V5 Warning Message Daemon
#
100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd
#
# Print Protocol Adaptor - BSD listener
#
printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
#
# GSS Daemon
#
100234/1 tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd
#
# AMI Daemon
#
100146/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv
100147/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv
#
# OCF (Smart card) Daemon
#
100150/1 tli rpc/ticotsord wait root /usr/sbin/ocfserv ocfserv
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
sun-dr stream tcp wait root /usr/lib/dcs dcs
sun-dr stream tcp6 wait root /usr/lib/dcs dcs
300326/4 tli rpc/tcp wait root /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon dr_daemon
第二,root用户的ftp/telnet,默认情况下root用户是不允许ftp/telnet的,修改/etc/ftpusers配置文件,将root用户注释掉,则root用户才可以ftp,如果想让某个用户不能ftp,可以将其加到这个文件中来。
ftpusers文件内容如下
#root
daemon
bin
sys
adm
lp
uucp
nuucp
listen
nobody
noaccess
nobody4
修改/etc/default/login配置文件,找到CONSOLE=/dev/console,将其注释掉,就可以用root用户telnet了。
附:/etc/default/login配置文件
# ident "@(#)login.dfl 1.13 03/01/10 SMI"
#
# Copyright 1989-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# Set the TZ environment variable of the shell.
#
#TIMEZONE=EST5EDT
# ULIMIT sets the file size limit for the login. Units are disk blocks.
# The default of zero means no limit.
#
#ULIMIT=0
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
# CONSOLE=/dev/console
# PASSREQ determines if login requires a password.
#
PASSREQ=YES
# ALTSHELL determines if the SHELL environment variable should be set
#
ALTSHELL=YES
# PATH sets the initial shell PATH variable
#
#PATH=/usr/bin:
# SUPATH sets the initial shell PATH variable for root
#
#SUPATH=/usr/sbin:/usr/bin
# TIMEOUT sets the number of seconds (between 0 and 900) to wait before
# abandoning a login session.
#
#TIMEOUT=300
# UMASK sets the initial shell file creation mode mask. See umask(1).
#
#UMASK=022
# SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used
# to log all root logins at level LOG_NOTICE and multiple failed login
# attempts at LOG_CRIT.
#
SYSLOG=YES
# SLEEPTIME controls the number of seconds that the command should
# wait before printing the "login incorrect" message when a
# bad password is provided. The range is limited from
# 0 to 5 seconds.
#
#SLEEPTIME=4
# DISABLETIME If present, and greater than zero, the number of seconds
# login will wait after RETRIES failed attempts or the PAM framework returns
# PAM_ABORT. Default is 20. Minimum is 0. No maximum is imposed.
#
#DISABLETIME=20
# RETRIES determines the number of failed logins that will be
# allowed before login exits.
#
#RETRIES=5
#
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
# login attempts will be allowed by the system before a failed login
# message is logged, using the syslog(3) LOG_NOTICE facility. For example,
# if the variable is set to 0, login will log -all- failed login attempts.
#
#SYSLOG_FAILED_LOGINS=5
第三,如果想让某个用户只能ftp,不能telnet。可以先把/etc/passwd文件中该用户的shell改成/usr/sbin/nologin,然后再在/etc目录下建一个shells文件,里面加入/usr/sbin/nologin。
附:/etc/passwd文件
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
ssmon:x:60000:60001:Sun StorEdge(tm) Configuration Service Monitor:/:/bin/false
ssadmin:x:59999:60001:Sun StorEdge(tm) Configuration Service Admin:/:/bin/false
ssconfig:x:59998:60001:Sun StorEdge(tm) Configuration Service Config:/:/bin/false
informix:x:1001:100::/usr/informix:/bin/csh
oracle:x:1002:102::/opt/oracle:/bin/csh
learn:x:1007:104::/export/home/learn:/bin/csh
转载请注明详细出处,谢谢合作^_^
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/20228/showart_213146.html |
|
免费注册
发表于 2006-12-10 23:32