Config mutil ipaddr automatic by network service
[root@] ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO=none
BROADCAST="192.168.8.255"
DNS1="202.103.24.68"
GATEWAY="192.168.8.8"
IPADDR="192.168.8.199"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
HWADDR="00:0C:29:F3:9B:59"
TYPE=Ethernet
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
[root@] ~]#
[root@] ~]#
[root@] ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0:1
DEVICE="eth0:1"
BOOTPROTO=none
IPADDR="192.168.200.199"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE=Ethernet
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0:1"
[root@] ~]#
[root@] ~]#
[root@] ~]# chkconfig --list | grep "3:on"
mysqld 0:off 1:off 2:on 3:on 4:off 5:on 6:off
network 0:off 1:off 2:off 3:on 4:off 5:off 6:off
sshd 0:off 1:off 2:off 3:on 4:off 5:off 6:off
xinetd 0:off 1:off 2:off 3:on 4:off 5:off 6:off
Security tcp connection protect
reference:
http://wiki.centos.org/HowTos/Network/SecuringSSH?highlight=%28hosts.deny%29#head-a296ec93e31637aa349538be07b37f67d836688a
%28hosts.deny%29#head-c6bf533e4f6de1ff3e13d556053fc40bc121e5cc
Using TCP Wrappers
TCP wrappers can provide a quick and easy method for controlling access to applications linked to them. Examples of TCP Wrapper aware applications are sshd, and portmap. A restrictive example is below. This example blocks everything but ssh.
echo "ALL:ALL" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.allow
[root@] ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
ALL:ALL
[root@] ~]#
[root@] ~]#
[root@] ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
#sshd:ALL # it works
#in.sshd:192.168.18.0/24:allow # cannot work
#sshd:192.168.18.0/24 # cannot work
sshd:192.168.8.*
sshd:192.168.200.0/24
Disable IPV6(why?)
refer:
recommend:
[root@] ~]# cat /etc/modprobe.d/disable-ipv6.conf
install ipv6 /bin/true
OR
Upstream employee Daniel Walsh recommends not disabling the ipv6 module, as that can cause issues with SELinux and other components, but adding the following to /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
[root@] ~]# // Then after reboot u system will no such driver module
[root@] ~]# lsmod | grep "ipv6"
[root@] ~]#
阅读(777) | 评论(1) | 转发(2) |
